Friday Squid Blogging: President Squid

New children's book.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on March 25, 2016 at 4:28 PM • 153 Comments

Comments

Jonathan Wilson • March 25, 2016 6:07 PM

A congresswoman from California has introduced a bill that would require ID checks when buying prepaid phones and SIM cards:
https://www.congress.gov/bill/114th-congress/house-bill/4886
http://www.zdnet.com/article/california-lawmaker-wants-to-crack-down-on-pre-paid-burner-phones/

Other countries (like Australia and various countries in Europe) have already tightened rules and already require such ID checks when activating a mobile SIM card.

Is this new bill a good idea or not?

Sancho_P • March 25, 2016 6:58 PM

@Jonathan Wilson

Not really, because the really bad guys have stolen phones and SIMs.
We have that system in Spain.
Also we have plenty of poor guys and gals here to buy them legally and “have it lost” for some bucks.

r • March 25, 2016 7:11 PM

@scared,

I laughed long and hard over their unrestrained teenage outburst when I saw that last night.

Clive Robinson • March 25, 2016 8:47 PM

@ Jonathan Wilson,

Is this new bill a good idea or not?

It's actually of no interest to the authorities who buys the phones... Because its twofold purpose is firstly it shifts the blame from the politicos to the retailers, and secondly via fines etc it raises useful income.

Basically most Gov's have a revenue problem, as "big business" are not paying tax... and because these businesses "feather the nests" of these politicos, there is little political incentive to get tough with enforcement. But... there is also only a limited rise in personal tax the citizens will swallow before not voting for them. Which means other revenue sources have to be developed to get the money to bribe the voters with...

Thus the revenue raising model is moving to property tax and fines etc in a minimal cost impact way.

Such retail legislation is almost always there because it is an "easy sell" to the citizens, whilst raising useful cash with big fines. Of course there is another beneficial effect, it reduces the cost of policing whilst also giving "contract largess" to bidders to run the backend databases etc, which means kick backs into party campaign coffers as well as lucrative nest feathering work should the voters not elect the politicos back for another term.

@ Scared,

Microsoft kills 'inappropriate' AI chatbot

This falls nicely into the "you couldn't make it up if you tried" department ;-)

Back in the 1980's the first speech output chips were coming onto the market. Basically they had a list of words stored in ROM fed to a D-A converter and a speaker. A company I was working for was "loaned" one for "evaluation". Almost the first thing one of the engineers found out was how to get it to say not whole words but just parts of them and string them together. One engineer (Nigel) sat there one lunch time with the volume right down getting the timings just right. He then turned the volume up all the way and hit the return key. The disembodied female voice then said in a robotic way very loudly "F**k off", as Nigel sat there with a childish grin on his face.

Over the years I've seen all sorts of new tech get in the hands of nerdy type engineers and in almost every case where it's possible they have tried to "get the tech to behave badly" for "school boy sniggers".

It's one of those "No 541t Sherlock", "Duh" or "Seriously what did you expect" moments. And there is little or nothing you can do about it as evidenced by the lesson of Lego Management. According to Meggan Fox, they had come up with the idea for a virtual Lego builder software which would --if it had ever got out the door in time-- have been a serious rival for MineCraft. But it did not get out the door anywhere near on time due to the "willy issue".

Management mindful of their "family friendly image" and guessing what certain types might do had put in the specification a requirement that users could not make p3n1s shaped objects or other related body parts... So they tried to make the software detect such attempts. It took many many wasted manhours of time before management finally realised what they had been told from day one was true "children are smarter than computers, and if there is any way, and there always is, they will find and exploit it"...

So when Lego Universe finally went live they had a team of "dong detecting" human moderators give every creation the once over. Within a year the cost of the moderators led to Lego Universe being taken down...

Jonathan Wilson • March 25, 2016 8:54 PM

In regards to the cellphone ID bill, it wouldn't surprise me if AT&T, TracFone, Verizon, T-Mobile, Sprint and the others who sell the prepaid phones/SIMs/plans lobby against the bill.

WhiskerInMenlo • March 25, 2016 10:17 PM

I have heard numerous times recently that so and so was known to law enforcement
at one level or another. Is this not a predictable consequence of bulk data collection?
Connectivity graphs place anyone darn close to anyone else.

Listen with care -- what and why were these people known for. Was
anything actionable in the list?

Hindsight is 20/20. Hindsight is being used to justify more and more
without obtaining anything actionable.

Some things are just difficult to discover but once discovered easy to demonstrate.


Curious • March 26, 2016 1:45 AM

"Apple Pulls Back iOS 9.3 Upgrade for Some Older Devices"
http://www.nbcnews.com/tech/tech-news/apple-pulls-back-ios-9-3-upgrade-some-older-devices-n545546

"After reports that people were having trouble updating to the new iOS 9.3, Apple has said that it will "temporarily pull back" the upgrade for the iPhone 5S, iPad Air and earlier versions of those devices."

"Owners of these older devices won't have to wait too long for a fix. Apple says it will release a bug-free version sometime in the next few days that will skip the problematic password step."

I thought maybe this required password input sounded like something odd, but maybe that's just me.

This had me thinking. I am not a security researcher or anything so take the following with a grain of salt so to speak; imagine if Apple were to hardcode a user's older password into an OS, in such a way it became a special personalized backdoor. Does this sound silly?

Clive Robinson • March 26, 2016 3:09 AM

@ WhiskerInMenlo,

I have heard numerous times recently that so and so was known to law enforcement at one level or another.

It rather depends on what the person writing the article etc thinks "Known to" means.

The police in many places keep records of what they do down to the most mundane details. That is if you ask a police man for directions he puts in his notebook that it happened, if the interaction was more serious then it would end up in the station logs etc including your name etc where known. These days much of this ends up in a database. But other information gets recorded like car registrations etc, and the time place etc gets recorded.

Many years ago in the UK a local council member was proposed to go onto an oversight committee. The police said no as he was known to them. It turns out his car registration had been noted in close vicinity to a brothel on many occasions and the police had assumed that he was a regular "customer of the house". What it actually was, was that his sister lived in that road and he used to go over to dinner there every week.

Also criminals en masse are not the brightest bunch of people walking the planet, they "big it up" and "flash the cash" and basically give away the fact they have committed a crime to others they think are part of their crowd. Forgetting that by definition such people are untrustworthy and "gossip spreads". Police officers get to hear this gossip and record it. Something like eight out of ten cases that get solved are because the criminal themselves "flapped their gums". So even if you are not a criminal you can by way of gossip become "a known associate" of criminals, even though you may be entirely innocent of any crime.

The problem with the latest "robo cop" personal CCTV is that rather more details get recorded automatically. You ask a policeman for directions, and your face gets on camera, facial recognition can then fill in the blanks etc.

Very soon "not being known to the police" will be a minor miracle, and not as it once was a sign of disrepute. But societal perceptions as usual lag a long way behind the actual reality of life. Thus journalists can make people think you are guilty with such phrases as "helping the police with their enquiries", "known to the police", "the police have a record of them" etc etc. I guess at some point journalists will use "not known" as an indicator of "something to hide" thus imply guilty as hell...

NSA Privacy Officer #1 • March 26, 2016 3:30 AM

1. Find alternatives to Photoshop and Acrobat. Pronto.

http://www.theregister.co.uk/2016/03/22/adobe_will_track_users_across_devices_with_new_coop_project/

The goal, said Adobe Target Director Kevin Lindsay, is to "provide the ability, through all our marketing solutions, for marketers to be able to market to their consumers as people rather than as separate devices. Typically this is viewed as a cross-device problem. How do I take this group of devices and treat them as the person they actually represent?”

Adobe's solution is to create a "co-op" from the businesses using its marketing solutions.

"Each of these brands has a piece of the puzzle," said Lindsay. "Take two brands that will be members of the Adobe co-op. One brand sees a login, another doesn’t. The co-op communicates one piece of data alone, that those two devices are linked. The co-op can link up to 1.2 billion devices worldwide."

How?

http://www.adobe.com/news-room/pressreleases/201603/032216AdobeCrossDeviceMarketing.html

Co-op members will give Adobe access to cryptographically hashed login IDs and HTTP header data, which fully hides a consumer’s identity. Adobe processes this data to create groups of devices (“device clusters”) used by an unknown person or household. Adobe will then surface these groups of devices through its digital marketing solutions, so Co-op members can measure, segment, target and advertise directly to individuals across all of their devices.

http://blogs.adobe.com/conversations/2016/03/privacy-by-design.html

If I have three devices, but I have only logged in to the airline site on two of those three devices (say my phone and my laptop), the airline won’t recognize me on my third device (my tablet). This is where the Co-op comes into play. If I have logged in to other Co-op member sites from my tablet, Adobe will associate all three of my devices with the same individual (but we still won’t know it’s me personally). We call this association a “device cluster.” We will make the association between the devices and then pass that device cluster only to companies participating in the Co-op who have seen my device.


2. NSA Freaks 'Privacy Officer':

https://theintercept.com/2016/03/24/we-asked-nsas-privacy-officer-if-u-s-spying-powers-are-safe-with-donald-trump-heres-what-she-said/

Becky Richards, who was appointed to the newly created position in January 2014, insists the “checks and balances” on the intelligence community are strong — to protect employees so they can brainstorm new ideas without fear of reprisal, while also being properly monitored to prevent abuse.

...

“No matter who becomes president of the United States, you would want these exact same constraints in place?” she asked.

After grimacing and laughing, Richards replied: “I mean, you certainly — you want to keep your intelligence community as un-politicized as possible.”

NSA has “checks and balances associated with how we do business,” Richards said. She listed multiple government partners responsible for keeping an eye on the NSA, including Congress, the independent Privacy and Civil Liberties Oversight Board, the Director of National Intelligence, and the Department of Justice.

...

After the New York Times revealed Bush authorized bulk wiretapping of Americans’ communications, security expert and cryptographer Bruce Schneier wrote: “If the president can ignore laws regulating surveillance and wiretapping, why is Congress bothering to debate reauthorizing certain provisions of the Patriot Act? Any debate over laws is predicated on the belief that the executive branch will follow the law.”

Nor has the system of check and balances necessarily assuaged privacy concerns. “Any trust that people have in the current system of checks and balances totally falls apart when you consider, down the road, we do not know who will be in office or how they will interpret their authority,” said Amie Stepanovich, U.S. policy director for the digital rights group Access Now. “We don’t need trust, or a system of non-compulsory oversight. We need laws and regulations on the books.”


3. FBI busted for telling porkies (we know now that they simply wanted a legal precedent):

https://www.emptywheel.net/2016/03/23/on-february-16-doj-got-a-warrant-to-open-an-iphone-6-using-cellebrite/

As a number of outlets are reporting, the Israeli security firm Cellebrite is the source the FBI is using to attempt to break into Syed Rizwan Farook’s phone.

Israel’s Cellebrite, a provider of mobile forensic software, is helping the U.S. Federal Bureau of Investigation’s attempt to unlock an iPhone used by one of the San Bernardino, California shooters, the Yedioth Ahronoth newspaper reported on Wednesday.

If Cellebrite succeeds, then the FBI will no longer need the help of Apple Inc, the Israeli daily said, citing unnamed industry sources.

Cellebrite officials declined to comment on the matter.

According to the narrative the government is currently telling, it means 33 days after DOJ obtained an All Writs Act on February 16 ordering Apple to help unlock Farook’s phone, and 108 days after FBI first seized the phone on December 3 — during which entire period the FBI now claims they were diligently researching how to crack the phone — on March 20, Cellebrite contacted the FBI out of the blue and told them they can help.

Another week of lies, mistruths and mispokes from our rogue criminal government. Cue the great seers:

Mother do you think they'll drop the bomb?
Mother do you think they'll like this song?
Mother do you think they'll try to break my balls?
Mother should I build the wall?
Mother should I run for president?
Mother should I trust the government?
Mother will they put me in the firing line?
Mother am I really dying?

Hush now baby, baby, don't you cry.
Mother's gonna make all your nightmares come true.................

Clive Robinson • March 26, 2016 4:47 AM

For those with a little time on their hands tomorrow,

http://www.bbc.co.uk/news/technology-34312697

It's a relatively simple cryptanalysis challenge. Some answers can be guessed without doing the hard part, if you have the "General" knowledge and thus avoid getting into a Red Queen's race ;-)

Wael • March 26, 2016 4:59 AM

@Clive Robinson,

For those with a little time on their hands tomorrow,

Or: For those who wish to pass the test and get recruited by GCHQ ;)

Clive Robinson • March 26, 2016 7:32 AM

@ Wael,

Or: For those who wish to pass the test and get recruited by GCHQ ;)

Been there looked down on that, like "vomit of the cat"

As I've mentioned in the past I associated with those (DWS) who considered themselves vastly superior to SIS (MI6) Plod (Met Police) the "rough trade" of MI5 and what they called GCHQ would probably get me banned by the Moderator if I repeated it, as for other parts of the UK IC well you can read between the lines. Historically it all goes back to the times of the Radio Security Service setup in the 1930's and the resulting inter service rivalry during and long after WWII.

And to be honest I regarded most of them as how do I put politely "effetes" who regarded bad puns in long dead "Classics" languages as being a mark of high sophistication... They were like a "frat club" stuck in the 1800's. With self absorption and the ability to play bridge apparently being major requirements at management levels. Ian Fleming used to poke fun at them by assigning what he saw as their worst characteristics to the likes of those doing "planning" for the bad guys. He even got the names for his villains directly from the membership lists of "clubs" they had joined. Cubby Broccoli further embellished this in the movies, with the strange "pussy stroking" behaviour, improbable execution method, latent homosexuality etc of the villains.

heisler • March 26, 2016 9:40 AM

I learned today that DNA can be used as a fractal radio antenna. How far away are biological distributed computing mesh networks? If a synthetic virus can hijack our cells and cause our own bodies to produce these things, how long will it be until our own bodies surveil us? Will they record and distribute our thoughts? Will everywhere, right up to the stratosphere and possibly even space be covered in shedded skin cell spies? It seems to me that a Borg-style hive mind is not just likely, but inevitable.

Nick P • March 26, 2016 10:14 AM

@ Wael

"Or: For those who wish to pass the test and get recruited by GCHQ ;)"

Case in point: "The Male" that got banned here. Haha.

FedBizOpps FFP (40): Garrucha supplies for Torquemada Comey • March 26, 2016 11:26 AM

There's one taboo issue in this whole contrived business of FBI conscripting Apple to sabotage its own work. Under the principle of lex posterior derogat priori, the All Writs Act is superseded by a well-articulated body of law protecting citizens from state overreach. Considering this kind of routine overreach for political repression,

https://www.muckrock.com/news/archives/2016/mar/25/fbi-files-food-not-bombs/

which is bred into FBI's sick DNA, You're going to let them shred the Fifth Amendment and arbitrarily interfere with your privacy, family, home and correspondence by seizing and manipulating your NAND? These assholes lack the judgment to use Funbrain.

Wael • March 26, 2016 12:18 PM

@Nick P,

"The Male" that got banned here.

I kept reading about "The Male" but never got the full story... I don't think I followed it through.

Which Topia? DIS Topia! • March 26, 2016 12:24 PM

@NSA Privacy Officer #1
RE: Find alternatives to Photoshop and Acrobat.

Gimp. Any Photoslop user who says Gimp can't cut it (a) never heard of plugins and (b) couldn't draw water from a bucket.

As for Hey Dopey Crackrobat, my God, does that even need a reply?

And don't forget that wonder of the ages: Flash.

Pretty sure a Venn diagram of the ethics of Adobe executives and Mexican drug cartel kingpins would have a major overlap.

Thomas_H • March 26, 2016 3:10 PM

A somewhat more amusing way to find examples of unsecured VNC connections:

http://vncroulette.com/
El Reg article

The site displays screenshots of the systems together with their IP address. There's people's desktops, commercial and industrial log-in screens, but also all open control systems for various machinery (e.g. a Danish? temperature control system for cooling cells).

@Clive:
Various people have voiced the opinion that Microsoft's experiment actually went (horribly) right: she reacts exactly like a rebellious and provocative teen of below average intelligence would.

tyr • March 26, 2016 3:53 PM


@Clive

If Tay radicalizes the Mail one of the last pillars of
democratic debate will be ruined.

Bruce Schneier • March 26, 2016 4:23 PM

"You made Hacker News in an unexpected way. Never realized you wrote on expert systems."

It must be a different Bruce.

Nick P • March 26, 2016 4:45 PM

@ Bruce

The bottom said Bruce Schneier, President of Counterpane Systems. Not only another one but in same company or same name. Wilder than most coincidences. :)

Tatütata • March 26, 2016 6:11 PM

The Guardian stuff is pretty trivial.

The "code" for "challenge five" uses the first letter of the abbreviations of the elements as coded by their order in the periodic table.

Puzzle #1 is hex coded rot13 ASCII. The message is:

"We're all mad here. I'm mad. You're mad." "How do you know I'm mad?" said Alice. "You must be," said the Cat, "or you wouldn't have come here."

The number strings for puzzle #2 are:
15282621145123799597874
463616673363655410497101
8544849082773393975011
757860634958382480599466
81557665489480862045694
55380471171904239315
967452691

(Extracted using OCR, accuracy not guaranteed)

The digits around the pentagon read clockwise, beginning with the "1" set outside, are 10838.

My hunch for the third puzzle is some kind of binary representation.


Clive Robinson • March 26, 2016 7:20 PM

@ Bruce,

One to add to your "real world effects" cyber-attacks list,

http://www.theregister.co.uk/2016/03/24/water_utility_hacked/

Lest people think "what harm" in the UK there have been a couple of incidents where "chemical accidents" at water treatment plants have caused entire drinking water supply systems to be shut down and flushed out and customers supplied with bottled water or provided with tankers in the street, at costs that would make your eyes water...

Jacob • March 26, 2016 9:19 PM

During our first 200 years, US law enforcement techniques and methods were not shielded by an evidentiary privilege. Why now?

A treatise, by Texas Judge S.W. Smith, on the historical perspective that has led to privileged FBI techniques, and the ability to claim that investigative methods are secret.

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2740075

Read the PDF.

Wael • March 26, 2016 10:08 PM

@Clive Robinson, CC: @ianf,

Ian Fleming used to poke fun at them by assigning what he saw as their worst characteristics to the likes of those doing "planning" for the bad guys.

That's the reason I asked if the guy who likes to force feed us Chai is a fan of James Bond :)

65535 • March 27, 2016 12:05 AM

@ NSA Privacy Officer #1

“1. Find alternatives to Photoshop and Acrobat. Pronto. How?”
http://www.adobe.com/news-room/pressreleases/201603/032216AdobeCrossDeviceMarketing.html

I don’t like what Adobe is doing. It’s almost like a group of racketeers dealing in personal information [medical or legal].

Further, I would suspect that selling that information to the Fed’s would be more profitable than advertising revenue.

Last, I don’t really see how Adobe’s so called “Co-Op” will work with just hashes and cookies. Many people realize it is bad policy to use the same password across many sites [as Brian Krebs notes].

I suspect that some other form of additional information is needed such as browser fingerprinting, email or IM to and from mapping, business purchase records or possibly the sound above the hearing range to be picked up by microphones/speakers.

And, certain information such as “hashes” would be more valuable than cookies leading to a slanted market for transactions. What is Adobe’s game?

@ Jonathan Wilson

“A congresswoman from California has introduced a bill that would require ID checks when buying prepaid phones and SIM cards:”
https://www.congress.gov/bill/114th-congress/house-bill/4886

http://www.zdnet.com/article/california-lawmaker-wants-to-crack-down-on-pre-paid-burner-phones/

This appears to be what Clive is hinting at – a regulation and fine game [in addition to an invasion of privacy]. From talking with friends and neighbors, the bulk of cheap phone sales are to minors or below who need to contact their parents for various reasons like car rides and telling parents where children are [this is just my personal observation].

Further, labeling a low cost phone as a burner phone has its problems [what constitutes a low cost burner phone?] see the Obama program for low-cost/burner phone program [started before Obama's time]
http://thinkprogress.org/politics/2012/09/27/924011/the-truth-about-the-obama-phone/

I don’t buy the “anti-terrorist” theme because it has been played too often. I don’t like the idea of the Fed’s getting more information on children [from my perspective].

Ergo Sum • March 27, 2016 6:17 AM

How do you defend yourself when cops commit perjury?

Video surveillance, of course...

There is an irony in this story... Due to an earlier break in to the house, the cops actually recommended that the guy install a camera to catch the thief...

Clive Robinson • March 27, 2016 9:12 AM

@ Ergo Sum,

How do you defend yourself when cops commit perjury?

Video, only looks in one direction, which might be why the cops wanted him to walk backwards, as most "personal cams" face towards where the wearer is looking.

He was lucky in this case he had panoramic coverage of him and the cops, importantly the "tape" was under his control. You would be amazed at just how many CCTV cameras --apparently-- malfunction when cops are dealing with people in public places, totally covered by many CCTV cameras...

The question now is how the cops are going to get out of it, obviously his son is open to charges of filing false reports and wasting police time, and no doubt they will find several others.

He will also need to "check his tail lights" etc for years to come, and make sure he and his family are never alone anywhere where they might suddenly be found committing all manner of offences...

The trouble is these sort of cops "Know they are in the right" which means "they know he's a bad'un" thus "his time will come"...

Even if it does get to court and the police officers amazingly get custodial sentences, they won't serve them because "it will be putting their lives at risk to put them in with the prison population"...

Nigel • March 27, 2016 9:22 AM

@ 65535, "I suspect that some other form additional information is needed such as browser fingerprinting, email or IM to and from mapping,"

If I understand this correctly, what they're doing is tagging that additionally needed information back on to our web browsing sessions, in the form of a "hash", which leads to our personal data housed in a datastore, presumably only they can get to (i.e. Amazon cloud).
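An added example, not part of any comment here and not Adobe's code: a sketch of how the "device cluster" in the Adobe statements quoted in this thread can follow from hashed login IDs and shared devices alone, without the same credentials being reused across sites. The member names, device IDs, login IDs and the per-member SHA-256 construction are assumptions; the quoted statements do not say how the linking is actually done.

```python
import hashlib
from collections import defaultdict


def hash_login(member: str, login_id: str) -> str:
    """Pseudonymise a login ID (assumption: SHA-256 scoped to one member site)."""
    norm = login_id.strip().lower()
    return hashlib.sha256(f"{member}:{norm}".encode()).hexdigest()


class DisjointSet:
    """Union-find over arbitrary hashable nodes."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_clusters(observations):
    """Group devices that are connected through any chain of hashed logins.

    observations: iterable of (member, device_id, hashed_login_or_None).
    A None login is an anonymous visit: the device is seen but not linked.
    """
    ds = DisjointSet()
    devices = set()
    for _member, device, hashed in observations:
        devices.add(device)
        ds.find(("dev", device))
        if hashed is not None:
            ds.union(("dev", device), ("login", hashed))
    groups = defaultdict(set)
    for device in devices:
        groups[ds.find(("dev", device))].add(device)
    return sorted((frozenset(g) for g in groups.values()), key=sorted)


def clusters_visible_to(member, observations):
    """Clusters handed to a member: only those containing a device it has seen."""
    seen = {d for m, d, _ in observations if m == member}
    return [c for c in build_clusters(observations) if c & seen]


# Constructed sample data. Alice uses different login IDs on the two sites.
OBSERVATIONS = [
    ("airline", "phone-A", hash_login("airline", "alice@example.com")),
    ("airline", "laptop-A", hash_login("airline", "alice@example.com")),
    ("airline", "tablet-A", None),  # tablet visits the airline without logging in
    ("retailer", "tablet-A", hash_login("retailer", "alice_shops")),
    ("retailer", "phone-A", hash_login("retailer", "alice_shops")),
    ("retailer", "desktop-B", hash_login("retailer", "bob77")),
    ("news", "desktop-B", None),
]

if __name__ == "__main__":
    airline_only = [o for o in OBSERVATIONS if o[0] == "airline"]
    print("airline alone:", [sorted(c) for c in build_clusters(airline_only)])
    print("pooled       :", [sorted(c) for c in build_clusters(OBSERVATIONS)])
    print("airline view :", [sorted(c) for c in clusters_visible_to("airline", OBSERVATIONS)])
```

On its own data the airline cannot tie the tablet to the phone and laptop; once the retailer's observations are pooled, the phone that both sites saw logged in bridges the two hashed IDs and the tablet joins the cluster the airline receives.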

albert • March 27, 2016 10:54 AM

@&hffff,

"...Further, I would suspect that selling that information to the Fed’s would be more profitable than advertising revenue...."
The Feds won't pay for anything they can get for free.
.
"...Find alternatives to Photoshop and Acrobat..."
Linux has good alternatives for dealing with .pdfs, and Gimp is decent for photo editing. Granted, Photoshop may be an industry standard, but one shouldn't be using one's work computer for personal stuff, should one?
.
"...a regulation and fine game..."
Disposable mobiles have other uses, like visiting foreign guests (legal ones:) here for internships, rotations, etc. The text of the proposed bill is not available yet, so I don't have details, but it looks like Po'Folks without drivers licenses, credit cards, or checking accounts will have to provide their SS numbers to random goobers in party stores. Great.

I hate to be so cynical, but the telcos look to profit on this, and the crooks will use fake IDs (which they likely have already..hello!). Those with heavenly aspirations can use their legit ID.

Like most so-called 'legislation', this bill is not well thought out*

Have a nice day, @&o177777
-----------------
*polite speak for BS
. .. . .. --- ....

AndrewW • March 27, 2016 11:59 AM

Tatütata puzzle 3 is Morse code, but I can't work out puzzle 2
Anyone any idea. I'm also not sure how to use (or in what order) the 5 numbers, also is the pentagon a clue

Nick P • March 27, 2016 12:35 PM

@ All

I previously reported Archipelago project was doing a 45-65nm FPGA with open bitstream and HW code. It was just a paper, though. Good news is they have a Github now. Someone just sent me the link. Any hardware people here feel free to look at their files for your impressions. Right now, I think they're doing work on multiply-accumulators and maybe memory.

Boston Stupid • March 27, 2016 1:08 PM

This week in white man's welfare, dumbshit cops cowering in their bunkerized stations thrill to the existential threat of Anarchist Extremism. Anti-capitalists! Anti-globalists! Conspiracy theories! Paper Terrorism, the [gasp] filing of frivolous documents! Also CYBER. [It's a noun, Who knew! Apparently a technical term for morons running servlets as root]

https://privacysos.org/app/uploads/2016/03/BRIC-Quarterly-Threat-Assessment-2015-Q4-NP.pdf

The threat matrix. [pro tip: say it in a deep voice]

Among the highlights: some prize pidgin cop English using creative grammar for rectal feeding of the party line: "Inspired attacks often prove more difficult to detect, as they are usually conducted by individuals or small groups who have little communication with established extremist groups or do so through encrypted means in order to conceal their activity." Diagram that sentence, for shits & grins. Or just read it like cops do, the way Fido hears "Blah blah blah Fido! Blah blah Fido blah!" ...Encrypted means....!!

And look, awww, they even got their own little fake classmarks, just like real spooks! (U//NP)! The extra slash really makes it pop, doesn't it? Back in the vault at Langley, NP stands for Numbskull Police.

Tatütata • March 27, 2016 1:55 PM

Challenge three is Caesar cipher with shift of 3 resulting in the following bad pun (spacing added):

UP HIS SLEEVIES

Challenge five results in the following sentence (it was essentially an editing job with a bit of scripting):

The periodic table is a tabular arrangement of the chemical elements organised on the basis of their atomic numbers, electron configurations, and recurring chemical properties. We've used it to create a cipher by using the initial letters of the elements but two letters can't be used. What are they? [punctuation and spacing added]

And the solution is : J, Q

I should have seen Puzzle 3, as I'm proficient in Morse:

Off with their heads

For Puzzle 2, I note that there are in all 145 digits, whereas there are 5 around the pentagon. A kind of key arrangement?

I'll have to go back to doing the dishes. Anything but that.

Ergo Sum • March 27, 2016 2:45 PM

@Clive...

You would be amazed at just how many CCTV cameras --apparently-- malfunction when cops are dealing with people in public places, totally covered by many CCTV cameras...

Unfortunately, I am not amazed at all. One of my relatives did get into trouble with LEOs out of all places, in Texas. And yes, the CCTV did malfunction just in the area where the activities had taken place. Let's just say that the relative didn't do anything wrong, but ended up with a sentence based on the LEOs report and testifying in court.

I have a few chosen words for the TX LEOs, but let's not go there...

Tatütata • March 27, 2016 3:35 PM

@Keiner:

What does the USA have to do with the IWCT? I thought they weren't a member.

The event is embarrassing in another aspect. The Hague is home to many international organisations, amongst which the European Patent Office in the borough of Rijswijk. It is by far the city's largest IO employer.

The EPO has gone rogue under its latest president, with a medieval labour policy. Union leaders have been sacked on fabricated charges, phones and computers are bugged throughout, and a Blackwater-style operator called "Control Risk" is in charge of "security" and conducts "interrogations".

The Union has sued the EPO before national courts, arguing that there is no other forum where they can be heard. The first and second Dutch instances accepted the argument and assumed jurisdiction, and decided in favour of the Union.

The EPO doesn't consider itself to be bound by ANY national decision, and on top of that the previous Dutch minister of Justice specifically instructed his officials not to implement the judgement!

The case is now before the Netherlands supreme court ("Cassatie").

An EPO VP declared in so many words in a TV interview that it would disregard the supreme court decision if it ever came down against them.

The Dutch government is quite embarrassed, as the scope of the case goes way beyond the EPO, also affecting the immunity of every IO in their country, including the International Court.

EuromonkeyMarch 27, 2016 4:35 PM

@JW

It's overdue! We have this shit registration (as well as biometric passports) because the US "forced" us to do so. I had a mild laugh when I got my first SIM in the US, same when I saw a US passport for the first time. What hypocrisy!

65535March 27, 2016 4:44 PM

@ Nigel

“If I understand this correctly, what they're doing is tagging that additionally needed information back on to our web browsing sessions, in the form of a "hash", which leads to our personal data housed in a datastore, presumably only they can get to (i.e. Amazon cloud).”

It is not clear what “additional” information is and exactly how the process works.

[adobe]

“Let’s go back to my travel example above. If I have three devices, but I have only logged in to the airline site on two of those three devices (say my phone and my laptop), the airline won’t recognize me on my third device (my tablet). This is where the Co-op comes into play. If I have logged in to other Co-op member sites from my tablet, Adobe will associate all three of my devices with the same individual (but we still won’t know it’s me personally). We call this association a “device cluster.” We will make the association between the devices and then pass that device cluster only to companies participating in the Co-op who have seen my device.”

http://blogs.adobe.com/conversations/2016/03/privacy-by-design.html

There is considerable ambiguity in Adobe’s statement.

I am assuming that Adobe is using the HTTP/HTTPS header including IP and other metadata in conjunction with the “airline” password/hash to “associate” or “individualize” the data from two devices and in some way associate all three devices to one individual – to repeat, exactly how it is done is not clear.

I assume the airline password/hash and individual name is the individual identifier and to “associate” the third device [or fourth, fifth and so on] some other internet communication device or transmission company may have that airline password/hash captured and the "new device" is pooled together from multiple sources to map out one single individual's device[s] usage. Btw, the airline data can be quite exact and I am sure all purchases of airline tickets are tracked by the Feds.

I don’t like it because it sounds like a mini-version of the NSA Utah facility. Further, with business records such as credit card information or other business records the “individual” can be de-anonymized, located and mailed ads [akin to the famous Target teen pregnancy case where Target correctly identified a pregnant teenager and directly mailed her ads for child products].

I really don’t like it. This is an invasion of privacy.

anonMarch 27, 2016 4:57 PM

Well, just saw an article where they used Walmart security cams to identify a guy who was buying a tracfone, followed the sale to a register, and found a charge card.

Are they really already reviewing cam footage for these sales, or parallel construction?

And then you go and use 2 factor authentication to log into email, and link your phone ID and your email account anyway.....


And now they are getting your DNA samples from private companies..

http://phys.org/news/2016-03-law-private-dna-databases.html

TatütataMarch 27, 2016 5:35 PM

Thanks P.O.L. for the clarification.

I obviously lost track of how many IOs there are in Holland.

The error does not necessarily invalidate my point, though: Mrs. Hartmann was apprehended on a lawn in an open area. Where does the jurisdiction of that IO begin? And where does the Dutch jurisdiction end? Is she kept in a Dutch prison in Scheveningen?

Clive RobinsonMarch 27, 2016 6:44 PM

@ Nick P, Coincidence,

This has a certain weirdness about it.

We know from what Bruce has said on this blog in the past others have misappropriated his work and pretended it was their own.

We now have a body of work with Bruce's name on that he indicates is not his work...

In the first case it is easy to see why some one might take anothers work as their own if they thought they could get away with it.

But in the second case it is harder to see what the gain would be by putting anothers name to the work.

I guess we need a subject matter expert to go over it and see if the work's actual author can be identified, or if there is something wrong with the work in some way.

It is all most odd to put it mildly.

65535March 27, 2016 7:04 PM

@ anon

Yes, Walmart has one of the major “camera” spy stores around. I had a dispute of the number of items I purchased at a Walmart. I got the manager to review the till video two days later and it proved I did not pick up one bag of items.

I am sure Walmart records phone sales such as Tracfone and others. From my observations Sears is another spy store. If you look carefully in the walls of the Craftsman department you can see small cameras.

Home depot [particularly] in the tool and other high dollar areas is highly camera’d. Same goes for Lowes and certain drug/sundry chain stores like CVS and so on.

Also, Disney Land and other large amusement parks are full of cameras. I would not doubt that large stadiums are the same.

To the DNA thing, it is well known that police jails and prisons take DNA. It’s sad there is a high probability that hospitals and doctors [offices] will be compelled to hand over DNA to the Feds.

Clive RobinsonMarch 27, 2016 7:34 PM

@ Bruce,

Having had a quick scan around it appears that the original reference was to a 1992 paper about "Drools", which is an OO rule-based extension of the Rete Algorithm.

    Schneier,B.(1992). The Rete matching algorithm: A description of the pattern- matching algorithm underlying Drools.

Published in "AI Expert"...

It's quoted or given as a reference in a number of books and articles as can be seen by the search "Scneier b rete drools".

Reading through the Dr Dobb's article makes me suspicious of the editing process (or lack thereof).

tyrMarch 27, 2016 8:16 PM


What I find just as strange as misattribution is
the reappearance of Dr. Dobbs. I have a complete
set squirreled away in the archives until they
disappeared up their own rear in a great leap
forward way back before '02.

Since today's paradigm is no longer 'running light
without overbyte' hardly seems like the old version.

@Clive

I once ran into a science journal that re-printed
some of Erwin Schrödinger's work and attributed it
to an Arab sounding name. Turned out later they
were notorious for such bizarrities, but too
high priced for them to be well known. In these
days of phoney diplomas and real work being too
hard to interest the young, there's probably a
lot more of this around than anyone wants to
know about.

There is also the possibility that someone who has
a grudge against Bruce sees this as an opportunity
to engage in disinfo. Trying that against people
who know how to use grep would be horribly dumb
and counterproductive.

:-)March 27, 2016 8:18 PM

Doesn't all this talk want to make you go out and be someone ???

Raise a family and look to the future as it were a bright star on the horizon.

:-)

NigelMarch 27, 2016 9:06 PM

@ 65535

"I am assuming that that Adobe is using the HTTP/HTTPS header including IP and other metadata in conjunction with the “airline” password/hash to “associate” or “individualize” the data from two devices and someway associate all three devices to one individual – to repeat, exactly how it is done is not clear."

Co-Ops, i.e. their marketing cloud customers, are who's who in their businesses, house a lot of personal data, and paid large sums of money for the privilege to be part of the service. Passing of the "hash" (if I understand it correctly) appears to be a clever bypass to circumvent legal gimmicks surrounding other people's personal data, but as a result it needs to leak that "hash" in transit.

65535March 28, 2016 6:06 AM

@ Clive
‘It's quoted or given as a reference in a number of books and articles as can be seen by the search "Scneier b rete drools".’

It’s even noted in Wikipedia

[Wikipedia]

https://en.wikipedia.org/wiki/Rete_algorithm

https://en.wikipedia.org/wiki/Rete_algorithm#External_links

External links
Rete Algorithm explained Bruce Schneier, Dr. Dobb's Journal

[next]

@ Nigel

“Co-Ops, i.e. their marketing cloud customers, are who's who in their businesses, house a lot of personal data, and paid large sums of money for the privilege to be part of the service. Passing of the "hash" (if I understand it correctly) appears to be a clever bypass to circumvent legal gimmicks surrounding other people's personal data, but as a result it needs to leak that "hash" in transit.”

Good observation! The bypass stinks. It is an invasion of privacy in total.

Clive RobinsonMarch 28, 2016 6:55 AM

@ 65535,

It’s even noted in Wikipedia

Yes with a link back to the Dr Dobbs page.

I had a quick go at tracking the original author/paper down further.

But looking for more info on the "Schneier,B." appears to come back only to "Our Bruce" (if he will forgive the possessive ;) However I also remember Bruce commenting in the past how rare his last name is in internet searches.

So having quickly failed on that I tried tracking down "AI Expert". After working out the paper in question would have been in Volume 7 I could only find indexes for the first six volumes after a quick search.

So as it was getting late UK time and the clocks having just changed to BST I called it a night.

It might make a good "Sleuthing Competition" to track down either the 92 paper PDF/Postscript file, or a biography on the Author.

After all the little Easter Sunday diversion I found from the BBC only lasted a very very short time before the answers were posted here, it looks like this blog's readers need a harder "real world" challenge ;-)

There's a puppy in my MRAP, Want to see?March 28, 2016 9:37 AM

As we have the conversation about the role of encryption in today's modern society, it is important to consider our law enforcement professionals as stakeholders in key technological decisions.

For example, if you're a child-molester cop raping children under color of law, encrypting your porno thumb drives would be advisable.

http://www.blacklistednews.com/Cop_Who_Filmed_Himself_Raping_Children_On_Duty%2C_Found_Dead/50065/0/38/38/Y/M.html

A comprehensive assessment of The Equities must balance national security with the crucial national policy objective of impunity for our chomos in blue.

Nick PMarch 28, 2016 11:00 AM

@ Clive Robinson

His popularity is hurting the search here as he's predictably going to be all the search results for "Bruce Schneier." The article noted that the other Schneier has a B.S. in physics and M.S. in computer science. This guy matched that.

So, we have three possibilities I'm seeing: he's distancing himself from it, he forgot he wrote it back in 1992, or the editor misattributed to him with his correct information. I'm going with bad editing to give him the benefit of the doubt.

Nick PMarch 28, 2016 11:35 AM

@ Clive

I decided to take up your offer just out of insatiable curiosity to see who wrote a good article on RETE. Plus the challenge of using Google-fu to accomplish something. I eventually found the publication here by Miller Freeman. I don't recall him from my old AI research. There is a group with mixed reviews.

I think what's interesting is that ACM tracks it up to 1991. I don't know if that means it's totally gone in 1991 or ACM no longer categorizes it. If it's gone in 1991, then it's interesting that all kinds of people are citing a 1992 article. One commenter in the group characterizes it as evangelistic of basically BS AI. So, another possibility emerges that someone involved in that outfit was struggling, via Dr Dobbs, to bring in attention and revenue by using Bruce Schneier's name. Did his name have that marketing value back in 1992?

Miller Freeman had some hard times in these publications. After AI Expert fell, Miller Freeman started Intelligent Enterprises. That lasted many years until it shut down the hybrid company from CMP and Miller Freeman's merger. The website was to stay up. It mysteriously leads to Information Week. All weird.

However, I think I figured the truth out while smoking hash peppered with some mushrooms I found in a field. I was able to see time as if it were a spatial dimension. Bruce was living up the AI boom buying ABC Thinking Machines supercomputers, fine dining, driving nice cars, and telling DARPA intelligent robots were just around the corner. He had built a model on the clusters that was close to answering P vs NP plus modeling a comprehensive index of crypto algorithms and protocols. AI Winter came, all funding dried up, and anyone whose name was attached to AI would have no career. So, he issued pre-DMCA takedowns to all journals with his name, bought rights to 1992 issue of AI Expert to keep it off market, put P vs NP on hold, turned his algorithm/protocol collection into a book, and a rock star in crypto was born. Later wrote a biography called Secrets and Lies: How I Dodged AI Winter "Like A Boss!"

I'm not sure what the probability is. It's non-zero, though. That might mean something.

CoincidenceMarch 28, 2016 11:58 AM

@Clive Robinson
@All

I too was considering the accuracy of the Dr. Dobb's article but then I came across this:

Third Conference on CLIPS Proceedings (Electronic Version) (September 12–14, 1994)

On page 247 of that PDF it says:

Schneier, Bruce, “The Rete Matching Algorithm,” AI Expert, December 1992, pg 24-29

That collection of documents from the conference was published just two years after the article was allegedly written by Bruce. From that I conclude that this wasn't an editorial problem of Dr. Dobb's but a direct quote from the journal itself.

AI Expert is no longer in publication and I've not been able to find any scanned copies of the original however I believe that, more probably than not, the original would also cite Bruce Schneier.

For those reasons I'm inclined to Nick P's viewpoint:

So, we have three possibilities I'm seeing: he's distancing himself from it, he forgot he wrote it back in 1992, or the editor misattributed to him with his correct information. I'm going with bad editing to give him the benefit of the doubt.

'The Rete Matching Algorithm' does seems very unlike any of Bruce's other works and it's written in a somewhat different style. It's also not in his area of expertise and nor does Bruce's name appear (in connection to this article) on any of the major academic databases; but then again the main databases don't have any reference to 'The Rete Matching Algorithm'.

CoincidenceMarch 28, 2016 12:06 PM

It does leave two interesting questions in my mind: why has the correct author never come forward to get the name corrected (unless he was also called Bruce Schneier) or why the 'real' (i.e. this one) Bruce Schneier never contacted the publisher (assuming he was aware of the article) to have his name removed.

Nick PMarch 28, 2016 12:53 PM

@ Coincidence

Yeah, to be clear, I thought the editorial problem was with AI Expert publication. Maybe others to some degree for not fact checking. Not sure whether to push that angle. Any undergrad could've written the article itself, though.

JacobMarch 28, 2016 5:08 PM

Poem-based encryption during WWII.

It seems to me that if a British spy observed a major mobilization of Wehrmacht Brigades, getting ready for a spring offensive, until the message is composed, transmitted and deciphered back in London, it would have been winter already.

http://www.darthnull.org/2016/03/27/poem-codes

CuriousMarch 28, 2016 5:45 PM

From Twitter:
"The government has now successfully accessed the data stored on Farook’s iPhone."

A quote from a ruling dated 28. March apparently.

John OzyMarch 28, 2016 6:12 PM

@:-), aka, Ghost in the Shell Smiley Face character (or some reference quite less clever)

Doesn't all this talk want to make you go out and be someone ???
Raise a family and look to the future as it were a bright star on the horizon.
:-)


I will bite, taking this as a bit of an existentialist question.

This is an interesting forum, because users can create whatever nick they so choose. They also have a variety of threats in posting. If they "are someone", then they would have specific details which could reveal their real name. Especially as discussions here tend to revolve around highly obscure matters of technical security. This is besides what is possible via ordinary automated linguistic analysis.

Economy wise, it is not in anyone's best interest to make such revelations. But, this is difficult to do when speaking on these topics.

Threats are varied. There are literally nation state threats to them. Perhaps China does not like them, even if they never say anything which could capture the ire of Five Eyes. Or France. Or Germany. Or Russia. Or Iran. Or, practically any nation with too much money and too much time on their hands. It does not matter even what their politics are. Nor how law abiding of citizens they are. They could still stand a good chance of hitting the eye of ire of some nation, merely by something they say. Or interest.

Then, there are amateur and criminal hackers.

Despite this, there are numerous verbose and regular posters who keep to the same nick. And I dare say, it would be impossible - unless they wanted otherwise to be so - to track any of them back merely by what they post here.

Examples of verbose, regular posters even span the gamut. Some examples: Clive Robinson, Nick P, Skeptical, tyr. Quite a few others.

I think, though, what you mean by "be someone" is quite different. I believe you mean "make a name for yourself". Good security people sometimes, albeit rarely, wish to make a name for their selves. Usually, they want to be two or three rings away from those who do.

They should not be so insecure, nor so weak willed, as to consider themselves "non-existent" merely because they do not "have a name for themselves".

"Being someone" is quite a different matter.

Many believe they "are" "someone" and most assuredly, are not. Even if they "are" in some limited contexts, death makes nobodies of all.

The wise surely should find it painfully difficult not to make a name for their selves.

That they are already so much of "being", their true challenge is "being" and being invisible.

Like God.

And like good spies.

Those who are nothing but account for themselves as being something, on the other hand, never grapple with such issues.

So, they can not comprehend such glory found in hidden corners of the world.

They are not giants. So, they know nothing of what it is like to be a giant and try and get along in a world in which they certainly do not fit.


From somewhere online.

We like to think that raccoons are just little scavengers. They're sneaky trash cats that take our stuff, and we don't think for a second about how the raccoons see us. They watch as we work 60-hour weeks and force ourselves to stop sleeping when we still really want to be sleeping in order to go do more work. And we do this to produce the stuff that then becomes free and available for the raccoons to take whenever they please, usually while we finally get to sleep after all that work. All the while, we consider our species to be the pinnacle of the animal kingdom because we have more heart attacks from stress than any of the others.
So, who is doing better? Us or raccoons?


And, consider the wisdom of the 90s twentysomethings who found places to retire, without cash, as well illustrated in this video.

https://www.youtube.com/watch?v=mBt4HlcDUDw


Who is better off? The twentysomething or other age who is certainly "someone", always?

Or those poor things that struggle to "be someone" and never quite make it? So, they see their own selves in others? Others not "being someone"?

If you are not someone, then maybe you are not really alive?

This is what happens when people live by rules which are unrealistic and only set people up to fail as gross hypocrites.

Do this, and do that.

Or else, you will not live. Or else, you are not someone.


Such people also tend to view other people without empathy. As cartoon shells. Not as people. So, they tend to do gross wrongs to other people.

Because in their eyes, like their own selves, others are "not someone".

So, they bomb them and torture them and cheat them and condemn them unfairly so they can justify their malicious actions.

VMarch 28, 2016 7:24 PM

@ Daniel

Did the FBI get the decrypted data or just the data? The court filing doesn't say.

ThothMarch 28, 2016 7:30 PM

@Daniel
I am guessing that FBI had already planned everything out from setting up the traps to make Apple look like a villain in front of the public to hiring Cellebrite to break into the iPhone.

I am guessing they might already have cooperation with Cellebrite or some other parties and already knew how to get in while at the same time they want to set a precedent (knowingly that people will protest) and also to take the time to shame and entrap Apple.

Notice that the argument the Feds mount against Apple is actually very well thought out and planned. They did their homework and studied very carefully (and probably also had external expert help on the issue and advice) before attacking Apple.

Noting that iPhone 5C is a not a Secure Enclave protected phone, it is highly likely that the protection is much lower but if the speculation of a weakness across both Secure Enclave and non-Secure Enclave phones, that can be a possibility as well.

If you have secrets, your Secure Enclave, Knox, TrustZone won't be helping you that much. Better off using paper and pencil one time pads or a HSM which paper and pencil one time pads are easier and more available for mere mortals.

John OzyMarch 28, 2016 9:59 PM

On the FBI vs Apple Case Current Conclusion

What most likely happened is quite simple: the FBI offered their partner(s) a bounty to crack the phone. One of their partners succeeded.

Why? Because this is how it actually works in the real world.

Both in terms of bounties being offered to trusted firms, and in terms of taking a few months to finally be able to take that bounty.


Clive RobinsonMarch 29, 2016 1:22 AM

@ Jacob,

Poem-based encryption during WWII.

They have quite a nasty history to them...

It was due to a rivalry between the British "Secret Service" and Churchill's SOE. The Secret Service knew full well that poem --double transposition[1]-- codes were very far from secure, but their complicated usage made them appear secure. Thus they foisted them on SOE who in turn pushed them onto the "free forces" of the occupied nations. The results were quite horrific.

Such interservice rivalry caused significant harm then and still does today. Any attempts at bureaucratic solutions have historically always failed (Bush and the DHS being one more example for history).

But there is also a wider harm to society. The primary use for security classifications is not as you would think, protection of secrets vital to the state... But "over classification" that gets used as cover to hide hideously obvious mistakes from examination and thus attribution and appropriate sanction. It also has a flip side with secretly changing the classification of material such that sanction can be brought against those who displease those further up the chain of command.

You can see this obstructive and malicious behaviour still happening with the various "Freedom of Information" schemes around the world.

[1] One significant problem with multiple transposition codes is that the result is still a transposition and that its complexity does not of necessity increase with each transposition; it can in fact decrease. Further the nature of the transposition can be quite easily worked out from the length of the message, and the shorter the message the worse this problem is, thus the easier it is to cryptanalyze. Further if you have numerous different messages from the same operator of the same lengths it can be used to more easily determine the key word lengths etc. But the most grievous fault of just using transpositions is that it in no way changes the message statistics thus a simple letter frequency count will reveal it for what it is "an anagram". The position of the "a sin to err" letters helps analyze the grid information which can be further checked by "standard tri-grams" [2][3].

[2] Leo Marks actually trained many of "the girls" to break poem codes to fix not just the indecipherables where the poem was known and in English, but also the indecipherables of the unknown French Language Poems of the "Free French" traffic they handled, so they could be corrected and thus remove the need for dangerous re-transmissions.

[3] It was known that a moderately experienced German Radio Security Service officer could in many cases analyze a message faster than the SOE radio operator could get it to the agent to decode. It was this that raised suspicions with Leo Marks that a large part of the SOE agent network was completely compromised. He then confirmed this by sending deliberate indecipherables that the German RSS officers successfully decoded and responded to, a feat that would have been beyond the SOE agents' abilities...
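The two properties named in footnote [1] above, as an added example that is not part of the original comment: a double columnar transposition collapses to one fixed permutation of positions, and it leaves the letter statistics of the message untouched. The plaintext and the two key words are constructed for illustration (real poem codes derived their keys from words of a memorised poem), and the irregular, unpadded grid is an assumption of this sketch.

```python
from collections import Counter

# Constructed sample data (not from any historical message).
PLAINTEXT = "TROOPTRAINSMOVINGEASTATDAWNSENDSUPPLIES"
KEY1 = "WINTER"    # stand-in for the first poem-derived key word
KEY2 = "HARVEST"   # stand-in for the second poem-derived key word


def key_order(key):
    """Column read-out order: alphabetical by key letter, ties left to right."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar(seq, key):
    """One columnar transposition: write seq in rows under the key,
    then read the columns off in key order (no padding)."""
    width = len(key)
    out = []
    for col in key_order(key):
        out.extend(seq[col::width])
    return out


def double_transpose(text, key1, key2):
    """Apply two columnar transpositions in sequence."""
    return "".join(columnar(columnar(list(text), key1), key2))


def equivalent_permutation(length, key1, key2):
    """Run position numbers through the same two steps. The result is the
    single permutation perm with ciphertext[i] == plaintext[perm[i]];
    it depends only on the message length and the two keys."""
    return columnar(columnar(list(range(length)), key1), key2)


def apply_permutation(text, perm):
    return "".join(text[i] for i in perm)


def index_of_coincidence(text):
    """Probability that two letters drawn from text are equal. It is
    computed from letter counts only, so reordering cannot change it."""
    n = len(text)
    counts = Counter(text)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def demo():
    ct = double_transpose(PLAINTEXT, KEY1, KEY2)
    perm = equivalent_permutation(len(PLAINTEXT), KEY1, KEY2)
    return {
        "ciphertext": ct,
        "single_permutation_matches": apply_permutation(PLAINTEXT, perm) == ct,
        "same_letter_counts": Counter(ct) == Counter(PLAINTEXT),
        "ioc_plain": index_of_coincidence(PLAINTEXT),
        "ioc_cipher": index_of_coincidence(ct),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the letter counts and index of coincidence are identical before and after, a frequency count on intercepted traffic identifies the system as a pure transposition without any knowledge of the keys.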

Clive RobinsonMarch 29, 2016 2:48 AM

Re: FBI vacating

It is already known that the FBI have effectively lied in their submissions to the Court (Marcy Wheeler over at EmptyWheel has shown that).

The chances are that the FBI knew that this had become sufficiently well known that Apple would have pushed it at the next court hearing. Thus the FBI had to push out the "Emergency Escape Exit" in a hurry to save what would have been a humiliating result in court.

The thing is we are not going to be told by the FBI anything other than what was in the court filing. The court are not going to test the veracity of what the FBI have said, so I would assume that it is a pack of lies, unless it can be independently verified...

The most obvious explanation for the whole DOJ/FBI behaviour was "to get Apple" one way or another and hurt them as badly as possible, for not Kowtowing "to the man". Thus set up a "none are too big" example to others as to what's going to happen if they don't touch their toes when told.

Unfortunately for the DOJ/FBI Apple "called them" so they have folded rather than show their hand. But they have not even lost really; they have quite badly tarnished Apple's reputation. Further this "parting shot" whilst probably a pack of lies by the FBI will cause Apple further harm, which I suspect is what it is designed to do.

Thus the public perception is, as was said in the article linked to above,

    Not only does Apple need to recover from the inevitable PR debacle, but it must also work to secure its devices against an attack method that could be aired in public as court evidence.

The thing is Apple can not show that there is "no attack" thus that there is nothing to fix. Further even if there was not an attack available to the FBI the game has changed for Apple.

It is safe to assume that Apple's code is far from perfect, therefore there may / may not be an exploitable bug. For most people ROI limits the effort they will put into "an unknown investigation", it is after all the reason that the "leading edge is the bleeding edge" saying exists. However the perception has now changed from "unknown" to "known" thus "the prize is not just obtainable, it's within reach", thus the extra effort will now almost certainly be put in because of the value of the prize. So even if currently there is no exploit the FBI could use there very soon will be and there will be quite public noise about it, such is the nature of such things that have been hyped / pumped to the max.

Thus Apple get hurt, and the FBI gets a tool, and more political leverage for the next skirmish. Not the "Big Win" they and the psychos in the DOJ wanted but better than a draw or lose they were otherwise rapidly heading into.

The trick now is for the HiTec community not just Silicon Valley, to start digging really hard and hold the DOJ/FBI feet to the fire, so that firstly any lies the DOJ/FBI have made get brought into the light of day, and any "bugs / vectors" likewise become sufficiently known that they become fixed.

But as I've already indicated, the public need other technical measures to move the security end points beyond the reach of "wire taps" and other hidden surveillance. Such that the only way for the investigators to get at data is by presenting a warrant directly to the people they are investigating. Thus redressing the "equity of arms" that existed back less than a hundred years ago.

History shows that if we do not redress the balance between state and citizens, we will head into an unhappy future. A future that the likes of Bentham's Panopticon was designed to do only to those who were actually guilty of crimes that society in general felt were crimes that required punishment.

Back in the times of the founding fathers privacy was in effect a given, a simple walk down an empty street or footpath was all that was required. It was so commonplace it was not commented on or thought about much. To the founding fathers "papers" unlike today represented both the storage and communication of information. We know this because of the way they investigated the securing of their "papers" by encryption, not just from the prying eyes of rivals and spies gaining access to papers in homes and locked drawers, but also the machinations of the post master general and other officialdom for sealed papers placed in transit with the postal service or couriers. Which at the time was the only means of communicating "out of direct sight" of each other and others.

JacobMarch 29, 2016 7:07 AM

@Clive

1.Thanks for the background details on the poem-based encryption.

2. Local police civil forfeiture:
When I ran into some articles last year about this abominable practice of local police across the US, it looked like highway robbery par excellence (they cited a case whereby a southern state police stopped a truck driver on a highway for a check, asked him if he carried cash on him, and when he said yes they took all of it (it was many thousands of dollars) and sent him on his way).

People who got robbed by police up to $5K had discovered that legal proceedings to try to retrieve the confiscated monies cost more than that, so they gave up trying.

And all that money did not go to the local government - it went to the police station who robbed the citizens to pay for coffee machines, water coolers, TV and other station social functions.

ThothMarch 29, 2016 7:22 AM

@Clive Robinson,all
These are all the signs of a failing Government and its system. The Chinese saying that officialdom breeds thieves with power are more deadly than the ordinary thieves is very true. Given power that cannot be effectively checked and balanced leads to abuse. Abuse leads to people being suppressed. Suppression leads to social problems and then bloodshed. From all the histories of humanity across all culture, the direction these abusive Governments are heading to is self destruction.

If we look at the ups and downs of societies and civilisations, it seems as if it is going down a seemingly dangerous path.

The best is to look dull and boring. Blend in as much and not stand out. This same applies to security where the best technique in my opinion for now is hiding and blending in terms of using whatever the environment provides.

ianfMarch 29, 2016 9:10 AM


@ Daniel “Yep, the FBI got in.”

How EXACTLY do you know that for a fact? Because the FBI, a known truth-teller, and an AUTHORITY THAT'S LEGALLY FORBIDDEN TO LIE to tax-paying public, SAID SO?


@ Vdid the FBI get the decrypted data or just the data?

Mighty Speedy a Gonzalez you are, too, with jumping that FBI shark to inquire as to the type of their alleged swag. Perhaps you should write to your Congressman to introduce a bill to compel the FBI to disclose the contents of that iBone in order to justify the tax-payers expense incurred for the alleged breaking of it? (someone has to control the spooks).


@ Thoth “is guessing that FBI had already planned everything out, from setting up the traps to make Apple look like a villain in front of the public…

Nice guess, but leading nowhere. Because if all that was just a ploy by the FBI to make Apple look bad in the eyes of the public, then it was a particularly badly conjured up ploy. Just consider this: the US Federal Authority FBI tried to force The Global Commercial Enterprise Apple to give away its Crown Jewels—AND FAILED MISERABLY. Apple now has no other recourse than to harden the software, make its firmware impervious to any future attempts to compel it to "cooperate" with the USG. So, whatever the FBI's (self-claimed) current gain, it will soon be nullified by updates to—if not complete rewrites of—key Apple's iOS firmwares. Or do you really think that Apple will just count their blessings this time and do nothing rhetorical question.


@ Clive Robinson Re: FBI vacating […] It is already known that the FBI have effectively lied in their submissions to the Court

Strange how you seem to deny here prevailing conclusion that whatever the FBI claims, it must be TheTRUTH™ ;-))


[…] “The thing is we are not going to be told by the FBI anything other than what was in the court filing. The court are not going to test the veracity of what the FBI have said, so I would assume that it is a pack of lies

Just so. See the @ NotYouAgain portion of my previous reply… don't want to repeat myself.


unless it can be independently verified...

    What US bodies of authority above the FBI would you envision able, capable of, and WILLING to conduct such a theoretical did-FBI-lie-or-not inquiry?

That said, I don't buy your theory of this whole brouhaha having been designed by DoJ/FBI to humiliate Apple (in the eyes of public opinion), because, when one weighs the outcome, what harm has it done to Apple's reputation in the eyes of its customers for standing up to the Man?


[Apple] now must secure its devices against an attack method that could be aired in public as court evidence.

How is that near-future "dividend" of this case NOT to future disadvantage to any snooping authorities, incl. the DoJ/ USG?


The thing is Apple can not show that there is "no attack" thus that there is nothing to fix. Further even if there was not an attack available to the FBI the game has changed for Apple.

This is probably logical, but, together with the rest of your reasoning about perceptions and whatnot, oh-so-convoluted a construct, that it is beyond understanding for anyone but specialized lawyers (and yourself… perhaps you also can prove non-existence of black holes because nobody has seen them). In the end, however, the issue boils down to a simple WHAT HAS THE FBI WON?

Assuming Apple now hardens the software (while not softening the hardware), perhaps to the point of "throwing away the keys," to prevent ever again being put in this position, how would that help the LE? At best the FBI has a line into one particular subset of Apple's phones, but for how long? At worst, they have nothing, and keep quiet about it.


The trick now is to hold the DOJ/FBI feet to the fire, so that firstly any lies the DOJ/FBI have made get brought into the light of day, and any "bugs / vectors" likewise become sufficiently known that they become fixed.

Yes, because the Hi-Tech community in Silly Valley is known for its MORAL CRUSADES, its propensity time and again to prove the USG to be lying bastards. And worse. Kidding! ;-))


@ Clive Re: In the US the Police steal more than burglars do (cc: Jacob)

And all in the name of prevention of crime! Frankly, I don't understand how any American (affected or yet unaffected by this civil forfeiture policy) can live with such a gross injustice as this incentivizing the police to steal from citizens for their own gain. One of the reasons I no longer travel to the US, and advise others to forego it as well.

["Civil forfeiture" a.k.a. legalized stealing previously in this blog]

Jacob • March 29, 2016 10:01 AM

A couple of years ago this board ran a discussion about TrueCrypt - how much trust we could extend to that program, the mystery surrounding its developers, and the possible reasons for its demise.

An investigating reporter, with a supporting team, has spent a couple of years tracing the man behind TC origin - and found him. Amazing story.

https://mastermind.atavist.com/he-always-had-a-dark-side

P.S. this is part 3 of the 3-part series. The other 2 parts about the man are elsewhere on that site.

Skeptical • March 29, 2016 11:48 AM


@Clive:

The chances are that the FBI knew that this had become sufficiently well known that Apple would have pushed it at the next court hearing. Thus the FBI had to push out the "Emergency Escape Exit" in a hurry to save what would have been a humiliating result in court.

So the theory is that the "FBI" (not the US Attorney directing the case, not the AUSAs running the case) already had a way into the phone, but deliberately lied about it. And this as part of a scheme to deter others from defying requests for assistance by ultimately compelling Apple to do so by court order.

Allow me to give you two reasons why that theory is utterly absurd and not worth a moment of additional consideration on your part.

1 - Believe it or not, large multinational companies are not terrified by the prospect of litigation. Especially not when it offers significant marketing and branding opportunities. Nor is the Department of Justice ignorant of that fact.

2 - Should the court have ruled in the DoJ's favor, the consequence would be little more than that other federal magistrates would consider the reasoning of that ruling when making their own. That's it.

Let me propose an alternative theory: The FBI was unable to open the phone; they requested assistance; Apple refused, as they have elsewhere. What does the Department of Justice do next? They seek a court order - also as they have elsewhere. Motions are filed. Hearings are scheduled. Time ticks along. Efforts to crack the phone continue throughout - though with greater resources, no doubt, given the prize presented by this instance. And, lo and behold, a solution was at last found.

That's it. The rest is the chatter that pours forth when the chattering classes find a familiar subject that they love to discuss, some marketing and PR on Apple's part, and some careful politics by politicians. Federal prosecutors and federal agents committing perjury for this? Laughable.

As to:

Back in the times of the founding fathers privacy was in effect a given, a simple walk down an empty street or footpath was all that was required. It was so commonplace it was not commented on or thought about much. To the founding fathers "papers" unlike today represented both the storage and communication of information.

In the late 18th century you would have had considerably less privacy than you do today. Your walk down a street would be observed by a dozen people (if a small community) and many more (in a larger community). Neighbors were well known to each other; strangers were conspicuous. People gossip; people talk. Did you purchase a particular remedy from someone? Had you inquired as to a particular subject? Were you rushing to and from the outdoor toilet? Were you speaking quietly with someone?


Daniel • March 29, 2016 1:35 PM

I don't know if it is worth the effort to clear up the confusion about my post but I'll try.

When I visited the thread the top post was by user "Curious" which quoted from Twitter. My post was meant to buttress his by providing a link to an actual news article. Thus my "yep, they got in" was shorthand for "Yes, Curious is right. That is what the news media is reporting." Unfortunately, as sometimes happens, someone posted in-between my post and the post by Curious and that man-in-the-middle post was a whale of a post, so the context was lost.

I have no idea if the FBI got in or not. As I said, I am suspicious about the whole thing. We may never know the full truth.

MarkH • March 29, 2016 4:02 PM

@Figureitout:

No, the article does not say that its subject is an author of Truecrypt ... only, that some have speculated that he might be.

Nothing conclusive at all.

MarkH • March 29, 2016 4:06 PM

PS For the sake of clarity, the article DOES identify its subject as an author of an encryption package, on which TrueCrypt is said to be based.

Nick P • March 29, 2016 4:56 PM

@ MarkH

He made E4M that TrueCrypt is based on. Allegedly distributed it illegally. His code was in the first version. We need more concrete stuff on the identity of the TrueCrypt developers. We can say he contributed to its code and existence, though.

Clive Robinson • March 29, 2016 5:02 PM

@ SoWhatDidYouExpect,

William Hague: Brussels attacks mean we must destroy crypto ASAP

William Hague was once leader of the UK Conservative party and did not do too well in the job. Later he did the reverse step and became Foreign Minister, and did not do well there either... (hence the Syrian mess). Oh and he claims that in his younger days as a "Drayman" delivering beer he used to drink 14 pints a day...

Now he's just an I "have bean" pretending to be a "party grande"... supporting the current Home Office Minister Theresa May MP is probably not the best idea he has ever come up with... Let's just say it does not show much rationality, especially when he makes it clear he has not got a clue how the Belgian Terrorists communicated.

The best guess so far is that it was by word of mouth as "Nuclear Family Members"... Marcy Wheeler over on EmptyWheel has a few things to say about Nuclear Families and Terrorism.

CC • March 29, 2016 5:09 PM

As a public service to readers we display skeptical's authoritarian-follower fellatio ad absurdum, closed-captioned for the hard-of-groveling:

"Federal prosecutors and federal agents committing perjury for this? Laughable...

[...Laughable, I say. Ha! I say again, Ha! Federal agents only lie 95% of the time, and this case is clearly less important than convicting some stumpjumper who dynamited a beaver dam."]

https://www.washingtonpost.com/local/crime/fbi-overstated-forensic-hair-matches-in-nearly-all-criminal-trials-for-decades/2015/04/18/39c8d8c6-e515-11e4-b510-962fcfabc310_story.html

John Ozy • March 29, 2016 5:16 PM

@Skeptical wrote, in previous thread on FBI vs Apple

This is part of the unintended, and long-term, consequence of refusing to provide certain assistance to the US Government: you dramatically increase the incentives of the US Government, and many others, to find ways to break your security that ultimately leave everyone worse off relative to the state of affairs had assistance been furnished.

I advise this, and have been told by you this is 'counter productive to my aims'. I had to point out to you that I am not against US intelligence. In fact, I am for good intelligence by any nation. I am simply against bad intelligence.

The reason why this method is better is because it raises the bar of sophistication to 'top nation state level'. Like with bitcoin, where currency is produced by effort, there are areas in technology where security is provided by raising the level of sophistication to one which is impossible for everyday people to perform on their own.

A good example of this is in anti-counterfeiting methods employed in real currency technology, or in driver's license or passport technology.

Nuclear weapons are another case.

In fact, controlled technology, itself, is an excellent example. This is exactly how it is performed in military and intelligence hardware.

In none of these cases does any manufacturer intentionally weaken nor put in backdoor access to their products.

No, instead, they constantly attempt to improve their security.

This does mean DHS, for instance, and the Department of Commerce has to have divisions specific to try and prevent the transmission and sale of controlled products. It also means there has to be sophisticated counterintelligence employed in order to prevent theft of such technology by foreign spies.

It means the Secret Service has to continue to investigate and work against counterfeit currency.

And so on.

But, in no case does it work that anyone is paid for making it easy to have universal control of said product.

That is very much a key point. The left hand actually can not work against the right hand in such a security controlled product "economy". It is then like the house of a strongman being divided against it.

We certainly have seen this strategy used to horrible effect in the history of software.

We have seen software intentionally weakened, often covertly, by government. Only to later have those weaknesses exploited for terrible effect. Against both government and civilians.

So, it is much more than "just", "maybe someone will one day break the universal 'golden key' access system built into all American hardware and software".

Indeed, there are multiple other profound reasons why this is a terrible course of action. And so, why, multiple leaders or former leaders in the field of technology intelligence have been against these strategies proposed by the DoJ.

Two major ones:

1. It will eventually mean all encryption technology is offshored. To put it in the way one fmr intel leader put it recently.

Yes, he did point out 'this involves looking a few moves ahead'. I think this is why many are missing just how serious this is. Besides that they are dabbling in areas far out of their own experience and knowledge set.

2. The very strongly, globally broadcast efforts are extreme anti-propaganda by the "US Government" against US software and hardware.

This is abysmal strategy.

It reverses all positive PR efforts.

It is against both US business and against intelligence efforts.

It hurts US businesses because the "American Government" is telling all other nations that US business software and hardware products are unsafe for them to use.

It hurts US intelligence - and really, every legitimate national intelligence of any nation, including, perhaps foremost, counter-terrorist intelligence - broadcasting to those already most wary and suspicious that all US hardware and software products are unsafe.

I believe, this too, is not understood, clearly, by the DoJ. They do not have concerns about US business, and if they hurt other intelligence agencies, what do they care? First of all, DoJ is not even really an intelligence agency, that is one tiny fiefdom in some of their comparatively tiny divisions.

Evil conspiracy? No, simply poorly evolved or designed organization. As usual. "Economically", it is not in their best interests to have such concerns. They will certainly say otherwise. They may even believe otherwise.

Legal speak wise, this is a profound conflict of interest.

Technically, this assessment is going to otherwise be over their heads, because this method of ascertaining motives is involved in intelligence and security analysis. It is an analysis which is distantly related to "conflict of interest", but only distantly. It is another species of practice entirely.


Regarding this just recent post:
https://www.schneier.com/blog/archives/2016/03/friday_squid_bl_519.html#c6720380

You actually speak the truth on some matters, and that with what appears to be actual professional knowledge.

I actually agree with you on most of these points you make there, and I am not ashamed to state so.

I certainly would prefer to side more with Clive there, as I believe Clive is an incredible contributor. But, it is also true that Clive often presents alternative viewpoints for thinking purposes.

That Clive effectively, directly or indirectly, coaxed out such a response from you, I do regard is his doing.


However, in terms of your argument, which is excessively callous to a narcissistic level, calling large groups of people "the chattering classes"? This would be actually where you are in very many, if not most, of your viewpoints.

For instance, I can tell you that the ultimate way "things will work out" is that these efforts by the DoJ will be set aside. Instead, the pre-existing model as mentioned, above, of relying on increased sophistication, instead, will be taken.

Why? Because it is simply the best course of action, and the action most roundly utilized across the board.

It is in such a way that there will be pundits high in government, and all over government, making these exact same arguments.

After all, consider, how many governmental organizations are familiar, already, with exactly these strategies?

I listed the Secret Service, DHS, the Department of Commerce. I listed how counter-intelligence revolves around these aims, which include a wide variety of agencies. I could go and list on and on and on how this strategy is utilized by certainly every major governmental agency. Even the DoJ is relying on this manner of strategy, in some quarters.

Governmental leading individuals and organizations in technical intelligence and security here are largely 'not the DoJ', by quite a distance.

These are powerhouse organizations with considerable invested resources in pre-existing strategies. Including direct strategies of finding security vulnerabilities in existing products.

But, you also take bad stances on countless other matters. You take a sort of 'low level diplomat' level of stances. Where you believe one thing, say one thing, but what people really are doing is something else entirely.

For instance, what you believe is going on in the Middle East and North Africa is deeply incorrect. On the surface, certainly, this is what appearances are given. But, assuming those are the real, long term strategies are absurd. I would say you are a flower child in those regards, unaware of the grim realities actually really involved.

In this case, you are attempting to constantly cheerlead the DoJ in whatever course of action they take, regardless of how temporary and pig headed it is. The course of events will inevitably change, and it will be better for all. And exactly contrary to what some in government have been so relentlessly cheerleading, for so long.


As for the case of the DoJ now offshoring their vulnerability farming.

The Israeli firm low balled them and it was made sure that this price was well publicized.

I definitely am Israeli intelligence friend, though I have also spied against them, frankly. It is not like such sensitive work can be offshored to China or India. And, it certainly is in Israel's best interest to try and get as much American governmental business in the area of bounties for vulnerabilities as possible.

If they can win more than "just the DoJ", then they might get the CIA DST, NSA, and Military signals intelligence to also offshore to them.

Ten thousand dollars is pennies on the dollar for what any of them have to pay for, on shore. And Israeli intelligence well knows it.

Gaining stronger market share is invaluable intelligence for them.

Unfortunately, the US will also be bound to not supply bounty requests to that firm which are entirely honest. Like any such partnership, disinformation must be thoroughly liberally mixed in.

And, frankly, the DoJ is kind of the dunce in these matters. They are saving pennies while losing dollars. Where their intelligence competitors have far more powerful of budgets and resources. Which includes good advisement.

Ultimately, the DoJ and FBI need to be re-organized. Whether this is in five years or ten, does not matter.

These sorts of glaring deficiencies make that inevitability very clear.

Sancho_P • March 29, 2016 5:47 PM

@Clive Robinson (re 29, 2:48 AM, FBI vacating)

I guess the damage to Apple, if any, will be minor.
Old devices were not designed with security against state actors in mind.
Apple never sold their phones as being “absolutely secure, top for criminal, dissident and terrorist use”.
They sell functional, stylish high end phones with reasonable security to the masses.
The fact that worldwide only one specialized company was able to help the FBI to crack the old model is a pro, not a con. It’s safe to assume Apple knows how to break into the 5x and 6x, in SW [1] and HW.

On the other hand, to sell new phones Apple need new features and more distance to competitors. While most customers simply do not comprehend that security is a never ending process, media attention and “expert opinion” of extra (security) features will call Apple fanboys (and fangirls) to the counter, just to own “the better phone”.

Apple will adapt.
Thanks to Tim Cook’s firm resistance customers will trust in Apple’s integrity.
And thanks to Mr. Comey Apple will go on securing their new devices.

[1]
Very likely the request for the fbiOS is buried forever.

Nick P • March 29, 2016 7:06 PM

@ anyone with kernel-coding experience

I just found a very interesting paper:

Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation

My mental simplification of the situation that usually works is "memory attack on kernel code = they attack anything in memory." The typical response is an expensive transformation of monolithic code to safe/secure or more often a microkernel architecture. This kind of risk is in the threat model of Nested Kernel. They claim to counter it by using an abstraction around memory access that runs in kernel mode plus write-protect on kernel code or data. They say everything else, despite being in kernel mode, is untrusted. And they ported FreeBSD 9 to it.

Now that's a big claim and/or result. :) It's worth a more concrete evaluation to see exactly what this might stop. I'm bringing some attention to it in a few places to see what various people think.

Note: It has John Criswell's name on it. Likely means it's based on or will include similar tech to the SVA-OS work I previously posted.

Thoth • March 29, 2016 7:41 PM

@Jacob, Figureitout, MarkH, Nick P
re: Truecrypt's true author
Article gives a suggestion. The concrete evidence would be difficult as these would require signing keys and coding styles to be checked. Just like with the creator of Bitcoin, the media loves to speculate and make a fuss. What is interesting is Truecrypt as a project held out for a long time and that is admirable. Not many open source crypto project had the luxury of such long life and userbase. Now we have a few choices of encryption with CipherShed, VeraCrypt, TCPlay and ZuluCrypt as the more prominent ones that are rising up in popularity. Backup copies of TrueCrypt software and source codes are also being downloaded from various sources.

These Truecrypt derivatives that have inherited the DNA of Truecrypt have a major weakness of handling security sensitive keymats and encryption in software. We need to move beyond simply software implementations of encryption and keymat handling.

I have been working on creating a specification in the background to unify Truecrypt's plausible deniability, PGP's and miniLock's capability of sending over the web with multiple recipients and also a simple cryptographic keystore capability for secure key storage all designed to be implemented on smart card. Instead of Truecrypt's plausibly deniable volume, it does plausible deniability of crypto keys by allowing splitting keys and does not have explicit checksums to indicate correct decryption thus making using any decrypting even with errors look plausible. The creation of a ubiquitous single format with multiple use case specification is still in the making and still actively being edited by me.
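
The two properties described in the comment above (n-of-n key splitting, and a container with no explicit checksum so that every key "decrypts" to something), sketched as an added example that is not part of the comment or of the specification it mentions. The SHA-256 counter keystream is a stand-in for a real cipher, and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, n):
    """n-of-n XOR split: every share is needed, any n-1 of them reveal nothing."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for share in shares:
        last = xor(last, share)
    return shares + [last]


def join_shares(shares):
    key = bytes(len(shares[0]))
    for share in shares:
        key = xor(key, share)
    return key


def keystream(key, nonce, length):
    # Stand-in stream cipher (SHA-256 in counter mode), for illustration only.
    out = b""
    counter = 0
    while len(out) < length:
        block = b"enc" + key + nonce + counter.to_bytes(8, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def seal_deniable(key, payload):
    """nonce || ciphertext, with no tag, magic bytes or checksum."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + xor(payload, keystream(key, nonce, len(payload)))


def open_deniable(key, blob):
    """Always returns bytes; nothing tells the caller whether the key was right."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor(body, keystream(key, nonce, len(body)))


def _tag(key, blob):
    mac_key = hashlib.sha256(b"mac" + key).digest()
    return hmac.new(mac_key, blob, hashlib.sha256).digest()


def seal_checked(key, payload):
    """Contrast case: the same container with an explicit integrity tag."""
    blob = seal_deniable(key, payload)
    return blob + _tag(key, blob)


def open_checked(key, blob):
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, body)):
        # The tag is an oracle: it confirms or refutes any candidate key.
        raise ValueError("wrong key or modified data")
    return open_deniable(key, body)


def looks_like_text(data):
    """Printable ASCII only: structure in the plaintext acts as a checksum."""
    return all(32 <= b < 127 for b in data)


if __name__ == "__main__":
    wrap_key = secrets.token_bytes(32)
    shares = split_key(wrap_key, 3)
    stored_key = secrets.token_bytes(32)          # constructed keystore entry
    blob = seal_deniable(join_shares(shares), stored_key)

    decoy_shares = shares[:2] + [secrets.token_bytes(32)]
    real = open_deniable(join_shares(shares), blob)
    decoy = open_deniable(join_shares(decoy_shares), blob)
    print("real  :", real.hex())
    print("decoy :", decoy.hex(), "(no error, equally plausible)")

    note = b"constructed sample note, 2016"
    note_blob = seal_deniable(wrap_key, note)
    wrong = open_deniable(join_shares(decoy_shares), note_blob)
    print("text under wrong key still looks like text:", looks_like_text(wrong))
```

The last check shows the limit of the approach: when the payload is itself random-looking (a key), a wrong share yields an equally plausible result, but structured plaintext such as text reveals a wrong key even without a checksum.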

Niko • March 29, 2016 8:00 PM

This shows that at least one of the fears about fbiOS was completely unfounded, that it would seriously disrupt Apple's profits. Some on here were talking about billions in losses and even went as far as to call it corporate suicide. When the FBI proved to the world how insecure iPhones are, Apple's stock price actually went up. If investors thought there was even a possibility this would affect sales, Apple's stock price should have taken a hit.

Dirk Praet • March 29, 2016 8:27 PM

@ Skeptical, @ Clive

Allow me to give you two reasons why that theory is utterly absurd and not worth a moment of additional consideration on your part.

What's with the tone? You seem to have become increasingly belittling lately. I get it that you are upset by the personal insults regularly made by a person constantly switching his alias here, but I believe folks like @Clive, @Nick P., myself and others in general treat you with professional courtesy however much we do or do not agree with you.

What does the Department of Justice do next? They seek a court order - also as they have elsewhere. Motions are filed. Hearings are scheduled. Time ticks along. Efforts to crack the phone continue throughout ...

I believe the AWA clearly stipulates that the government should first have exhausted all other possibilities before soliciting Apple under that statute. They obviously hadn't done that before seeking a court's assistance.

Federal prosecutors and federal agents committing perjury for this? Laughable.

Comey did at some point formally declare under oath that they needed Apple to get in. Whether or not he was doing a Clapper remains to be seen, but either he was lying or he made a total *ss out of himself in front of that audience. Neither of which adds to his credibility.

In the late 18th century you would have had considerably less privacy than you do today.

People are still gossiping all over the place. These days, one may find anonymity hiding in the masses, but never before in history has our privacy been under greater pressure with our computers, phones, watches, TV's, utility meters and even refrigerators and toilet seats spying on us 24/7. That statement is just not correct.

Niko • March 29, 2016 11:39 PM

@dirk

Actually, the All Writs Act is rather short. Here's the entirety of it below. There's definitely no "first exhaust all other possibilities" language embedded in the statute.


(a) The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.
(b) An alternative writ or rule nisi may be issued by a justice or judge of a court which has jurisdiction.

Figureitout • March 29, 2016 11:46 PM

MarkH
--I should've said "potential" author, I assumed an over 500+ ranking on HN means people checked the title and link for clickbait before I read it later (I'm sick of not knowing who wrote truecrypt...); that's what I get for hurrying over lunch.

ianf
--Sorry lol that looked like clickbait initially.

Thoth
--I'd put my vote on VeraCrypt (for crypto on Windows, so it's all info I didn't care about being copied, just needed backups), it's been very nice to use besides GPT support. The meat of the code is Truecrypt features which is ported from E4M which were probably somewhat derived from books etc, regardless pretty sick.

RE: groggybox
--Nice 2 features if they work. I think I may incorporate an SD card for my thing (want to support as much hardware as possible, so LCD's etc.) and it'd be nice to have these features somehow.

Clive Robinson • March 29, 2016 11:58 PM

@ Nick P,

My mental simplification of the situation that usually works is "memory attack on kernel code = they attack anything in memory."

What they appear to be claiming is something I've been banging on about for ages which is you can use the MMU as a security gate to isolate processes from the kernel and other process.

If you think back to the prisons architecture, I had already considered this and moved on further.

The key essence was that the MMU formed the prison in that it was not under the process's control nor could it be (unlike this paper's design, see bugs in X86 MMU making it Turing complete).

Further I isolated the process kernel interface through the MMU via "letterbox buffers". As far as the process was concerned the kernel it had was tiny (I got one version down to a few bytes) because the bulk of the functionality was on the other side of the MMU and the MMU was controlled by this not the process.

I will dig through the paper later today and let you know what I find that's actually new or original.

Nick P • March 30, 2016 12:31 AM

@ Figureitout

"I assumed an over 500+ ranking on HN means people checked the title and link for clickbait "

The ranking is independent of such metrics. It's best to look at the comments for things like clickbait. The link will go up based on votes. More critical commenters see it. They'll usually mention something like that. Moderators like "dang" will often address it before you even see it. The posts on La Roux inspired several title changes far as I can tell by the comments. Matter of fact, HN's commentary and moderation has me looking at the comments before the article as a partial test of whether it's worth reading. They spot problems quickly without Slashdot/Youtube-style bullshit. They do have biases, though, which I've made a habit of countering.

Btw, reading it all the way through was worth it as far as correlations go: Matthew Green tweeted that Truecrypt caved around same time he got busted. I always suspected it was an underground person, privacy-obsessed richfolk, or classified op pushing Truecrypt development. Things like that correlation are just too interesting given such suspicions. Piques the interest in next articles. :)

"The meat of the code is Truecrypt features which is ported from E4M which were probably somewhat derived from books etc, regardless pretty sick."

He and the Truecrypt developers did a pretty amazing job for people outside high-assurance. It's one of few things on NSA's shitlist in the leaks. One doesn't get better props in OSS software.

@ Clive Robinson

Oh, I see similarities in the use of MMU isolation. ;) It's more a question of whether it can actually restrict kernel code the way they want. A custom design taking it further? Sure. This one? Not so sure. Still worth determining given a non-x86 implementation that's still pretty traditional (and UNIX compatible) might avoid any issues found in it. Hope you enjoy the read at the least as it's different.

Wael • March 30, 2016 12:42 AM

@Nick P, @Clive Robinson,

I just found a very interesting paper:

Very interesting it is!

Critical information protection design principles, e.g., fail-safe defaults, complete mediation, least privilege, and least common mechanism [34, 40, 41], have been well known for several decades.

From principles to applications of principles. Sounds like a good start ;)

The nested kernel architecture partitions and reorganizes a monolithic kernel into two privilege domains: the nested kernel and the outer kernel.

I haven't had time to read the entire paper. Initial scanning leads me to believe they're creating a third privilege ring. As you may know, the X86 architecture defined four rings of privileges: Ring 0, Ring 1, Ring 2, and Ring 3. Most modern Operating Systems today utilize two distinct rings or privilege levels: Kernel Mode and User mode. The intention of ring 1 and ring 2 were for device drivers, ring 0 was for kernel, and ring 3 for applications. Virtualization "effectively" put a ring -1 for the VMM, Ring 0 for kernel and ring 3 for applications. Basically we're back to realizing that two rings aren't sufficient. Nesting kernels with MMU enforcing privileges is equivalent to adding or using a third ring. Pretty good paper. Seems C-v-P may get a second life as I agree with @Clive Robinson's "prison" comment!

Clive RobinsonMarch 30, 2016 1:15 AM

@ Niko,

When the FBI proved to the world how insecure iPhones are...

Actually you have your thinking backwards, what the DOJ/FBI have done is demonstrate just how good Apple and its security are at protecting privacy, in its newer phones if a user uses it correctly.

That's why "Apple's stock price actually went up". The investors are expecting FanBois to see through the FUD of the DOJ/FBI vacating. So when you say

If investors thought there was even a possibility this would affect sales, Apple's stock price should have taken a hit.

You left the word "negatively" out after sales.

The reason investors have given it the thumbs up is because "fbiOS" is dead (for now). And along with it a permanent mandated security hole.

Which means Apple will be able to continue to enhance their security in hardware etc, and privacy conscious owners of older iPhones are expected to upgrade to newer hardware.

Thus the investors see in the short term Apple's sales of newer "hardware security" iPhones will be "positively" affected.

Clive RobinsonMarch 30, 2016 1:33 AM

@ Niko,

Actually, the All Writs Act is rather short.

Importantly you forgot to mention what date it was signed on and what subsequent legislation changed it, and how "case law" further clipped its wings.

The AWA is an example of "overly broad legislation" and in general the response of the judiciary is to impose "safety limits" on such legislation to prevent abuse equivalent to enslavement or unjust punishment. Especially where "no wrong" has been committed by the party the state wishes to compel. Thus you have the notion of "undue burden" which has a "reasonableness test" from which other tests arise.

It's the way the law worked for over a thousand years, but now some people who lack certain human traits want to throw out the idea the judiciary has the freedom to ensure fairness and "equity of arms" thus justice.

CuriousMarch 30, 2016 3:09 AM

Rowhammer related (flipping bits in memory)

Blogpost: (No title)
http://csiblog.balabit.com/blog-posts/exprtlk-daniel-gruss

I hope any OS-related remedies don't create new vulnerabilities, or make exploitation of OS easier (think government sanctioned hacking). As if rearranging how OS works with memory, created standards for anyone hacking OS's for purpose of tampering or surveillance.

LarsMarch 30, 2016 3:35 AM

"Which means Apple will be able to continue to enhance their security in hardware etc, and privacy conscious owners of older iPhones are expected to upgrade to newer hardware."

It's a win, win outcome for both DoJ and Apple, as deterrence is served by the Law while "the investors" poured their money back into Apple. But if history is any indication of future, things may change in a hurry.

Clive RobinsonMarch 30, 2016 4:26 AM

@ Curious,

New York has cop cars disguised as taxis:

It won't take long for them to be sniffed out...

Before I had to go to NY many years ago, I asked advice from somebody I knew who lived there a large part of the time (she was a fashion accessory designer).

Well various bits of advice included how to get around including what means at various times of the day.

I remember her choice use of language when it came to certain of her fellow New Yorkers (the police being one) and their habits, however she had the taxi drivers down to a tee. Even though it's getting on for a couple of generations later it's hard to think things will have changed much. Especially from the lawyer's comment of,

    and fuels community suspicion of cabs which already have a bad reputation in the community.

Let's just say the taxi drivers might start out as individuals but they kind of get squeezed into a certain type with strong almost family relations, with a sense of turf protection that makes a "she lion with cubs" look tame in comparison.

Thus I give it a week before a new cab or driver is known to not be part of the family as it were. Especially from the way they are reported as being driven. Such information being valuable, then I suspect the more advanced criminals will not only know them but get reports about where they are etc...

ianfMarch 30, 2016 4:54 AM


Best [Guardian] summary so far of likely consequences of the fizzled-out fedwannafuckiOS case:

[…] attempt to take this to the public backfired spectacularly. Maybe the FBI thought they were going to garner sympathy from the public because the underlying case involved a deceased terrorist [since when is a de-facto postal shooting an act of terrorism, even if the perps liked to think of themselves this way?—ed.] and a deplorable crime, but they sorely mistook the public’s reaction when it eventually was clear that the FBI’s demand would put the security of millions of innocent people’s phones in danger. (To give you an idea of how bad the public criticism of the FBI got, even the Wall Street Journal’s editorial board wrote off the FBI’s handling of the case.

    [We shouldn't be] surprised if justice department instead attempts to keep future cases sealed from all but Apple’s lawyers, denying the public the right to even know that court battles are going on for as long as possible. Or perhaps they’ll go to the ultra-secret Foreign Intelligence Surveillance court and demand the same thing, where they’re even more likely to be able to argue with no opposing side present and will all but ensure the public won’t find out what happened for years.
[… Still,] there is no other way to look at this than as a win for Apple and for the hundreds of millions of people who rely on encryption to protect their private information. But there is no doubt we’ll be back in this situation again soon. The only question is when.


The Guardian | Opinion | Trevor Timm @trevortimm | http://gu.com/p/4tve4

ThothMarch 30, 2016 6:16 AM

@all
Apple with all its wealth and power should really look into security microkernels instead of monolithic BSD kernels and Unix variants. Apple tried to introduce a super super system root of sorts that a normal root cannot access but there are tonnes of ways around it. Defining as many security rings but without a correctly implemented safeguard is pointless. A small secure TCB is the way to go.

They should really give the Redox OS a good look since this microkernel OS is a working microkernel OS with GUI and a very focused effort.

Link: http://www.theregister.co.uk/2016/03/30/apple_os_x_rootless/

Dirk PraetMarch 30, 2016 9:30 AM

@ Niko

Actually, the All Writs Act is rather short. Here's the entirety of it below. There's definitely no "first exhaust all other possibilities" language embedded in the statute.

I stand corrected in that the AWA itself indeed does not contain such a clause. However, in US v. New York Telephone Co. - the case referred to by the FBI in applying the AWA to the SB phone unlocking - Judge White decreed that a non-involved third party's assistance could only be compelled under "appropriate conditions". Although since, some different interpretations have shown up, it is now generally held in jurisprudence that exhausting all other possibilities first is one of these appropriate conditions for the AWA to apply. I've recently read a good lawfare.com article about that, but I just can't seem to find it back.

This shows that at least one of the fears about fbiOS was completely unfounded, that it would seriously disrupt Apple's profits.

I fail to see the logic behind the non-creation of fbiOS proving that the creation thereof would not impact Apple sales. Apple stood its ground, and its users are probably quite confident that they will eventually plug the hole the FBI now seems to have found. They have already filed a motion for the FBI to come clean about the method used.

Pariah state USAMarch 30, 2016 10:54 AM

Charged with no crime; imprisoned for failing to submit to maximally invasive interference with his privacy

http://www.metro.us/philadelphia/police-sergeant-fired-over-encrypted-hard-drives/zsJojh---GNjiLjsmaBZ0s/
https://pbs.twimg.com/media/CevIfsJWsAEZVQV.jpg

CCPR-illegal rights derogation improperly predicated on prior lex generalis, the All Writs Act. This state has clearly decided it doesn't need legitimacy or responsible sovereignty when it can get by on coercion. The US government has sunk to Turkmenistan's level. It's time to knock it over.

Nick PMarch 30, 2016 12:25 PM

@ Wael

"From principles to applications of principles. Sounds like a good start ;)"

Actually rare in security presentations or papers. So, I like seeing it.

"Basically we're back to realizing that two rings aren't sufficient. Nesting kernels with MMU enforcing privileges is equivalent to adding or using a third ring. Pretty good paper. "

Yeah. There are precedents here. The systems that inspired Intel's rings had 8 rings. STOP used at least four of them for kernel, trusted OS components, untrusted (or less) components, and apps. VAX Security Kernel had problem that VMS used plenty rings. They used ring compression to make two rings one. The security kernels' internal organization was many self-contained layers. They didn't know a way to reliably enforce isolation past interface checks. The capability and object systems contained them at a modular level with varying performance and usability.

So, it's one of the old lessons of POLA internally being rediscovered. The clever part is, like with SVA, they narrow it down to some small software and hardware component. Seems too good to be true but their other methods were pretty good. Many of Criswell's works need a bunch of peer review by breakers of all kinds given it's so practical. This one especially, as eliminating kernel mode risks with just 1,900 lines of changes is a pretty wild claim.

DanielMarch 30, 2016 3:04 PM

@Bruce and/or Moderator.

I suggest that you enforce a word limit on the comments. Several posts in this thread are more than 1000 words. John Ozy's comment above is over 1500 words. 1500 words is not really a comment by any definition of that word; it is a full on paper. These "walls of text" make reading the comment section difficult.

My two cents.

John OzyMarch 30, 2016 3:20 PM

@Daniel

Didn't like something I said in it? Feel free to say so.

I made three posts. Two short, one long. In the long post, I fleshed out concepts that I had not seen fleshed out anywhere before. Most of that was the top most part of the article. It was sophistication versus back dooring of code.

I considered stopping there, and responding to some other points of Skeptical in a separate post, but I decided against it.

Which would have left me with three smaller posts.

But, frankly, I think the material is simply not material you are familiar with. So, for you, it is just a "wall of text". For maybe a very few readers, they might find some value of someone fleshing out the concept of 'sophistication model of security versus backdoor model of security'.

I have literally decades of experience in these related fields.

And, there are posters here who do not even work professionally in computer security.

I think copying and pasting someone's post to measure word count, to make a complaint is pretty strange. If I did not write something which you found issue or error with.

Nick PMarch 30, 2016 4:09 PM

@ Daniel

They'd just post several comments in succession. Also, Bruce et al would have to implement a whitelist for Clive Robinson. This would require identification and authentication functionality. It would have to be disguised to maintain the blog's current style. One little feature snowballing into a huge project they have little time for.

So, it's unlikely.

Clive RobinsonMarch 30, 2016 5:28 PM

@ tyr,

It took a long time for the FCC to wake up to SDR, the EU was there way before it.

The thing is the "every device is a monitor" idea is "verboten", due to the way radio licensing legislation was written. Back a century ago it was not to stop illegal transmissions --it was assumed the authorities could easily deal with those-- but to stop illegal reception. A bit like "insider trading" legislation...

Thus you are in most jurisdictions even in the ISM bands committing a criminal offense if you pick up a radio transmission not intended for you. Thus using your WiFi receiver to find "vacant" channels by receiving signals in the channel you are checking is technically illegal... Likewise tuning your domestic broadcast receiver into "Pirate Radio" transmissions, is OK if you don't know it's a Pirate, but Illegal if you do know it's a Pirate...

Thus in the radio world actively checking for illegal or unintentional emissions is illegal unless you have a licence to do so...

It shows just how fast technology outstrips both legislation and the societal model the legislation made sense in.

The law has this notion of things being agnostic to use thus the "controlling mind" is what is prosecuted. Even in the cases of animals going nuts etc the law looks for the "controlling mind" and when found applies "reasonableness tests" to decide if the actions taken were negligent, deficient etc. It's one of the problems with driverless cars if there is "an accident" who is the controlling mind... In theory it's the bod writing the product specification.

As was observed by the Dickensian Beadle Mr Bumble on being told the Law regarded him as being in charge of his wife and her actions, "If the law supposes that, the law is an ass - an idiot!"...

NikoMarch 30, 2016 6:19 PM

I don't know why users assume that Apple will fix this vulnerability. How does Apple fix a vulnerability if it doesn't even know what the vulnerability is? As for finding out from the FBI, the FBI itself might not know what the vulnerability is. Assuming the FBI does know, I would be completely shocked if Comey volunteered that information to Apple. By motion, I guess you're referring to either a FOIA request or a possible discovery motion in the Brooklyn case. A FOIA request would almost certainly be denied for a number of reasons. On the Brooklyn case, assuming the FBI knows what the vulnerability is, I'm guessing here, but would expect the FBI either to classify the method (exempting it from legal discovery) or to back down from the case, rather than reveal the method to Apple.

ThothMarch 30, 2016 6:31 PM

@Pariah state USA
Failure or resistance to decrypt is quite mild of a behaviour. I wonder what they would do to him if he self-destructed the encryption keys, rendering the ciphertext irrecoverable... would they jail him or execute him for protecting himself?

The Orwellian State has arrived and is strong because the people of the land allow it to be. It is a little too late to turn back. Soon, every nation would want to be or have taken the same footsteps.

Good thing he stood up for his rights.

Dirk PraetMarch 30, 2016 8:07 PM

@ Thoth, @ Jacob, @ Figureitout, @ MarkH, @ Nick P, @ Clive, @ Wael

Re. TrueCrypt

I don't know if any of you guys saw this NYT article called "How ISIS Built the Machinery of Terror Under Europe’s Gaze". Apparently, certain Da'esh (IS) operators in Europe used TrueCrypt and a Turkish data storage site to communicate with handlers in Syria. Following the article, there was a very interesting exchange on Twitter between some of the usual suspects like Matthew Green, Christopher Soghoian, Runa Sandvik and the like.

Point in case: how do you serve an AWA warrant on, or build exceptional access into a product that has been discontinued, no apparent backdoors have been found in during an extensive audit, downloads of which have known signatures and is written by a team of developers you don't even know?

@ Thoth

Re. Groggybox

Cool stuff, mate.

WaelMarch 30, 2016 8:14 PM

@Dirk Praet,

I don't know if any of you guys saw this NYT article

I clicked the link 17 million times until my skull stack blew up!

Dirk PraetMarch 30, 2016 8:29 PM

@ Wael

I clicked the link 17 million times until my skull stack blew up!

Cr*p. Got the link wrong again. Here it is.

FigureitoutMarch 30, 2016 11:49 PM

Nick P
--Yeah normally they're pretty good. I don't click a lot but the truecrypt title got me. It's a pretty good investigation, mostly from the internet lol.

Dirk Praet
how do you serve an AWA warrant on
--Maybe ask your buddy Rolf eh? He'll give you a proposal. BTW, quit drinking and writing, screwing up links in the pub eh? :p

WaelMarch 31, 2016 12:11 AM

@Figureitout, @Dirk Praet,

BTW, quit drinking and writing, screwing up links in the pub eh? :p

Yea! What's up with that?

Seems we have to go through the containers tutorial one more time.

Tea, my friend, goes into one of these; Vodka goes into one of these. The containers may look the same after a sh*ty day, but don't drink and link!

CuriousMarch 31, 2016 12:34 AM

Here's an idea:

Imagine the FBI or House chairman on behalf of the FBI, telling Apple, that FBI intend to solicit/buy an exploit to break into that (any) iPhone, and asks of Apple to not/never fix the exploit because law, and that then Apple forever pretends it doesn't know of the exploit and would maybe be prevented by law to ever fixing it (or until told otherwise, or agreeing to a delay).

This is a silly idea isn't it?

CuriousMarch 31, 2016 12:36 AM

To moderator:

There was a typo in my last sentence, I hope you can please correct it for me:
It should instead read: "This is a silly idea isn't it?"

CuriousMarch 31, 2016 12:39 AM

To moderator:

Ugh, sry another typo. The last word in the first paragraph.
It was supposed to read "agreeing to a delay" and not "dealy".

Clive RobinsonMarch 31, 2016 1:20 AM

@ Wael,

Seems we have to go through the containers tutorial one more time.

Are you doing a "Paul Daniels"?

He used to use "forward" and "backward" referencing in his magic act when doing television recordings. That way the show's editors had to use his whole act or none of it. The usual result was he got his entire act in at the expense of others. Thus viewers through seeing more of him thought more of him thus he became famous, unlike the others who they saw little of...

WaelMarch 31, 2016 1:50 AM

@Clive Robinson,

Are you doing a "Paul Daniels"?

I heard of him just now from you. He died a couple of weeks ago, probably that's what brought him to your mind.

The usual result was he got his entire act in at the expense of others.

Thanks for the remark, I've got to be more careful!

The usual result was he got his entire act in at the expense of others

Lighthearted and never meant to denigrate anyone.

Thus viewers through seeing more of him thought more of him thus he became famous,

I have a few vices, like most people. But vanity isn't one of them. I see you are right though... @Dirk Praet, @Figureitout: forgive me.

Clive RobinsonMarch 31, 2016 5:08 AM

@ Wael,

Thanks for the remark, I've got to be more careful!

Hold your horses, it was meant as a light hearted joke, not a criticism, in the same vein as the "containers" joke you had, had[1] with Figureitout.

[1] I hate repeat tense connectives "you did didn't you" being yet another, for some reason it feels worse with past tense.

ianfMarch 31, 2016 6:00 AM


Memorable quote of the day
[The Guardian]

Annie Machon, ex-MI5:

    “GCHQ has prostituted itself to the NSA to the tune of million of dollars with no accountability or oversight - they tell the NSA ‘we can do stuff you can’t do’. We live in an endemic surveillance state now. Politicians say ‘we know the intelligence agencies are working within the law and protecting, not eroding, our freedoms’. But politicians don’t have a bastard clue what spies can get away with and Britain is the least accountable of all the western intelligence agencies.” […]

24 Oct 2014 @ http://gu.com/p/42mfd

We have been warned, again.

Dirk PraetMarch 31, 2016 7:45 AM

@ Wael, @Figureitout, @ Clive

BTW, quit drinking and writing, screwing up links in the pub eh?

My bad, but I actually don't ever touch alcohol during the week. Only after sunset on Friday and Saturday evenings. Probably a momentary lapse of focus, I suppose. But what's with this weberisation of comments here ? 8-)

Nick PMarch 31, 2016 10:51 AM

@ Figureitout

"Yeah normally they're pretty good. I don't click a lot but the truecrypt title got me. It's a pretty good investigation, mostly from the internet lol."

Yeah, I was enjoying reading it. I agree it has a bit too much filler. It's mostly good, though, as it captures the people involved and brings their experiences to our mind in detail. I think many commenters there didn't realize not everything is PowerPoint slideshows or tech writeups. ;)

The Bond villain reference seems spot on given the only person that went to his house said it was an empty space with a desk and a bunch of computers. Did that sound familiar?

JacobMarch 31, 2016 5:43 PM

Chris Soghoian has some interesting tweets today:

1. Who needs Snowden when you have LinkedIn?
People detailing their experience with past NatSec operations, including subverting products, tapping undersea fiber cables and carrying user data from AT&T to the NSA.

I bet all of this will be cleaned up pronto.

2. RIP Reddit's warrant canary that was in effect since 2015. Responding to a question, they replied that they couldn't talk about that.

FigureitoutApril 1, 2016 12:17 AM

Wael
--Thought you were talking about containers w/ respect to memory, should've known. :p

Dirk Praet
--But but I got a proposal for you... :p

Nick P
--Yeah it's familiar I guess.

tyrApril 1, 2016 4:23 AM


@Clive

I hear that. I think what saves the modern era from drowning in its own noise is the inverse square law. That and most aren't running next to some of the higher powered systems. We knocked an entire nations microwave system out with the harmonics from a VHF independent sideband rig, you wouldn't think you could get any harmonic power that far apart. The microwave links were up at 8 gig. The worst mess the FCC ever did was to stop enforcing on the CB band. There were some interesting experimentals running in this area, one guy was talking to the southern states by hooking a military final amp onto his CB and using a big directional antenna. It played havoc with the local televisions. So a software radio is probably a really bad idea in the inappropriate hands.

Nick PApril 1, 2016 11:49 AM

@ Bruce, Clive, Wael, Dirk, Thoth

In probably April prank, Wikipedia just launched a Telnet gateway to their services to let you re-live BBS days with modern content. Open a terminal, then type:

telnet telnet.wmflabs.org

If you're not multilingual like Dirk, you might want to start by typing "use en.wikipedia.org." Then type name of article or whatever. I haven't loaded images or videos up yet. That should be interesting. :)

Note: Someone with a sniffer should measure the size of content coming in over Telnet versus the website. Interesting efficiency exercise.

Nick PApril 1, 2016 1:29 PM

re telnet

Someone on Hacker News sent me a link to a server re-creating the 1980's experience with old programs, BASIC files, games, text art, and more. Site is here. I recommend you skip that for now to go straight to terminal with telnet telehack.com command. Then, type the star wars command you see on the list. I know Wael and Figureitout especially will love result. It's *amazing* work. I had to force myself to kill the session to get back to more important stuff haha.

WaelApril 1, 2016 4:29 PM

@Nick P,

RE: telnet... Someone on Hacker News sent me a link

Pretty impressive! You need this to go along with the nostalgic terminal... Some people had too much time on their hands.

WaelApril 1, 2016 5:59 PM

@Figureitout,

Thought you were talking about containers w/ respect to memory...

Trust (at least in my case) but verify. With others: use "default deny", "check at the gate", and of course "compartmentalizations" which is implemented as a "container" ;)

WaelApril 1, 2016 6:22 PM

@ianf,

Something strange happened. If you remember I ordered some Raspberry Pi 3 systems a while back. I was expecting to receive them, but instead I found a refund on my credit card for the amount I paid, and they never replied to my email as to why they "cancelled" the order. Hopefully the same won't happen with the C.H.I.P. deal.

Is that you

Oh, no! Not I. I will survive!

I suspect that you will be soon

Oh, no! I was in the first submarine. Instead of a periscope, they had a kaleidoscope. "We're surrounded." -- Steven Wright

FigureitoutApril 2, 2016 8:57 PM

Nick P RE: telehack
--Yeah it was fun; nice to "hack" when there's no consequences (screw the stress). rootkit.exe wouldn't run for me though, said it couldn't on host cpu...huh I thought it was virtual :p

Wael
--I operate on don't care mostly these days lol, not gonna play those games much anymore lol (not going to continuously clean an HDD w/ hidden chunks of inaccessible flash w/ all my toolchains and configurations every goddamn time, open up 20 encrypted containers w/in each other just to access my long password for my boring email, I'll live w/ the malware until it's unlivable. And checking up on someone's bs, if you lie it'll get out eventually someway), except being silly occasionally (harmlessly silly). Get to the good sh*t, code, circuits, algorithms, protocols.

And it's hard when you've leaked thru some of your compartments in emergencies and otherwise, mixing up accounts on PC's etc. to get something done. Sometimes best container is to not care and unplug your modem and live in the moment b/c you can't prepare for it all.

Nick PApril 3, 2016 12:38 AM

@ Figureitout

"except being silly occasionally (harmlessly silly). Get to the good sh*t, code, circuits, algorithms, protocols.

And it's hard when you've leaked thru some of your compartments in emergencies and otherwise, mixing up accounts on PC's etc. to get something done"

I see you're truly figuring it out. ;)


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.