Friday Squid Blogging: Counterfeit Squid

Goya is facing a $5 million lawsuit; the plaintiff is claiming its canned octopus is really squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on May 13, 2016 at 4:14 PM • 196 Comments

Comments

Anura • May 13, 2016 4:38 PM

False labeling is a huge problem with seafood. There are so many varieties that look and taste the same, that it's very difficult for consumers to tell the difference. I used to work in the seafood department of the grocery store and what we would label in the case as "Red Snapper" would come in a box labeled "Pacific Rockfish".

I don't remember what we sold as tilapia, but it wasn't tilapia.

Of course, I didn't know any better. I don't really eat fish, and the location didn't sell a lot of fish so I wasn't about to start (we would have fish sitting out in the case for a week before selling/tossing, when it took 1-3 days to even reach the store in the first place).

Tatütata • May 13, 2016 5:25 PM

I don't remember what we sold as tilapia, but it wasn't tilapia.

When you see how Tilapia is raised in the Mekong delta, you may think that a certain four letter word would be a more appropriate designation...

Latin names are commonly used in the fish trade, but this doesn't preempt fraud, especially when rare deep-sea species are passed for bass or cod...

Tatütata • May 13, 2016 6:02 PM

And even though I could imagine tilapia being passed off for something else, I can't imagine why one would ever want to pass off fish AS tilapia.

Anura • May 13, 2016 6:18 PM

@Tatütata

It's possible I'm mistaken, and that it was the other way around. I wasn't long out of high school, and had many years of binge drinking ahead of me at the time.

M Welinder • May 13, 2016 7:44 PM

Another SWIFT attack on a bank is hitting the news. No-one seems to want to name the bank which is just described as a "commercial bank".

Godel • May 13, 2016 8:06 PM

Major security flaw found in 7-Zip file archive program for Windows. Upgrade to version 16 ASAP.

Nick P • May 13, 2016 8:58 PM

@ Godel

It's worse than it appears. John Nagle pointed out that a compression program pretty much needs a read and write privilege to operate. Nothing more really. No excuse for not sandboxing or restricting these suckers by default. On top of it, the website doesn't support HTTPS or have signatures for executables.

Great archival tool despite security that's lacking. :)

chris l • May 13, 2016 9:02 PM

Physical security is a lot like encryption: you can invent a system that you can't defeat, but someone else might be able to find a way. According to a NYTimes story, there was a Russian conspiracy to swap out urine samples from the "tamper evident" bottles that they used.

From the pictures, it looks like the bottles and caps are marked with matching serial numbers, and the whole setup is designed to cause visible damage. There's a ratcheting metal ring that sits inside the cap and slides over ramps on the bottle. Presumably someone figured out a way to keep the spring loaded so the teeth would pull up over the ramps while unscrewing the caps.

tyr • May 13, 2016 9:35 PM

OT video recommend

I ran into this one on thoughtmaybe, it seems there's a bizarre background to commercial exploitation of sand. Some truly odd bits like Dubai stockpiling it to make more Dubai, and Singapore stealing it from the neighbors to expand their real estate. Jokes of "selling sand to Arabs" turn out to be not jokes.

I was wondering about the link between desert sand and the amazing collapse of three buildings on 9/11. Given the usual shenanigans of construction and the crooked deals done. You don't suppose someone did a substitution into the concrete mix to save a few bucks. Sorry for the diversion but sometimes odd bits show up on the net that are worth wasting a little time on. The Florida episode is priceless.

Can You Guess My Name • May 13, 2016 10:59 PM

There are a couple of interesting stories out today.

Ars, as usual, covers them best.

http://arstechnica.com/information-technology/2016/05/1b-bangladesh-hackers-implicated-in-attack-on-vietnamese-bank-sony-hack/

http://arstechnica.com/security/2016/05/breach-of-nulled-io-crime-forum-could-cause-a-world-of-pain-for-members/

So... if North Korea was behind the Bangladeshi hack, and a similar attack on a Vietnamese bank...

What else is China's well trained attack dog going out there and doing??

And, what might they do in the future?

Poor Vietnam. Not Stalinist Communist enough for them.

If they do that with their friends. What, on earth, might they do to their enemies?

Or, what might they have already done?

I think, this is one of those situations, where people can look in the past, and to the future. And do the math.

But, isn't everyone sick of fear & security. :-)

And, it is true. NK is really, really bad at what they are trying to do here.

Why else leave such stupid forensic clues tying their systems together?

Bad is not the new normal. Bad has always been the normal.

I do wonder, however, if the very same forensic clues were not left in more sensitive hacks of this last year. But, classified.

Of course, for you conspiracy theorists out there. There could be some dark party really in control of things, setting nations up like this. First, getting people to rely on basic forensic clues in attribution data, then using it to put whatever signature of whatever nation they want on the attack.

But, the whole "cry wolf" problem with conspiracy theories. It does not resonate so well, when the wolf really comes along.

I would, however, turn to look at this other attack, exposing the secret dealings of these criminal groups. Think about all of the hassle caused just by temporarily taking control of a pedophile site on the dark net. Or, of all the complaints about 'parallel reconstruction'. Which is probably far more endemic and old than how it has been raised in the recent past.

So, someone does to them, as they do to others.

And guess what. Criminal cases galore.

Sounds like a pretty good idea, to me.

Disclaimer: These are "devil advocate" opinions. They do not necessarily reflect the true opinions of the faceless individual making them. They are posited for thinking purposes. Yes, thinking. Turn off your tv. Turn off your music. Shut down your computer. And spend some time thinking.

So, you know, you do not have to spend all your nights sleepless, because you spent all day... not thinking at all.

Tex Willer • May 13, 2016 11:10 PM

@Can You Guess My Name

Well, Rumpelstiltskin, I got news for you.

It's not China or its "well trained attack dog" that's doing any hacking. The hacking is done from the US and UK, who use the news media to feed you the story you are just repeating here.

cestlevie • May 13, 2016 11:15 PM

UC students' suit claims Google scanned accounts without permission
http://www.mercurynews.com/business/ci_29888996/uc-students-suit-claims-google-scanned-accounts-without

SAN JOSE -- Legal action against Google by four UC Berkeley students has ballooned into two lawsuits by 890 U.S. college students and alumni alleging the firm harvested their data for commercial gain without their consent.

But the students' claims may be derailed by a dispute over whether they should file their cases individually, rather than as a group.

Hundreds of U.S. college students and alumni in 21 states joined the original lawsuit filed in January by the four Berkeley students. On April 29, another 180 filed a separate lawsuit making the same claim: that Google's Apps for Education, which provided them with official university email accounts to use for school and personal communication, allowed Google until April 2014 to scan their emails without their consent for advertising purposes.

Mr. Olestra • May 14, 2016 1:25 AM

@Bob

Just rebrand oilfish as cleansefish and sell it as a natural organic bowel cleanser. Problem solved, and a fortune minted.

Tommie Kreier • May 14, 2016 6:19 AM

A Russian guy went around the subway taking photos of complete strangers to test whether he could find their personal profiles in social networks using only facial recognition. The answer is yes, he can.

His blog (in Russian): https://birdinflight.com/ru/vdohnovenie/fotoproect/06042016-face-big-data.html

People have taken it further and have started uncovering the real-life identities of porn actresses using the same technique in the Russian social network VK.

Post quantum cryptography • May 14, 2016 10:48 AM

To send the Stasi permanently dark and reclaim our electronic civil rights, isn't the future plan - taking decades - simply (?):

1. The default Firefox transitioning to the hardened Firefox ESR with Tor button built in by design for a) browsing in the 'clear' or b) on the Tor network

2. Scaling up the Tor network to accommodate the bulk of daily internet traffic

3. Transitioning all websites to .onions (Phase 2), following completion of the transition of the majority of websites to https via mechanisms like the EFF 'Let's Encrypt' initiative (Phase 1)

4. Utilising hybrid quantum computer-resistant encryption for the Tor Browser & network, via: widespread use of NTRUEncrypt in the key exchange protocol for forward secrecy; and a ntor+curve25519+sha3 handshake

5. Widespread availability of stateless computer hardware e.g. http://blog.invisiblethings.org/papers/2015/state_harmful.pdf

As Tor developers correctly assume, the spook adversaries are recording and storing all encrypted traffic in the present - and possibly taking complete snapshots of the Tor network at different times - waiting for quantum computer availability to decrypt it all.

But they can, and will, be stumped by these new algorithms. That is, until their cryptanalytic techniques further improve in the future e.g. breaking onion keys in real time by compromising the ntor authentication online.

At any rate, we should be looking to quantum-safe forward secrecy in the not-too-distant future. If this can be coupled with stateless hardware as outlined by Qubes developers, then the 'going dark' rhetoric might actually have some basis in reality. Let's hope.

As an aside, it is notable that symmetric encryption will not be drastically affected by Shor's algorithm (yes Grover's algorithm is a problem), but AES-256 will still render 2^128 post-quantum security e.g. for your full disk encryption and other needs. Further, public-key encryption using McEliece lattice techniques appear to be resilient against quantum computers. All is not lost.

For Debian users, recommend you consider Codecrypt and stay ahead of the curve. As Debian notes:

https://packages.debian.org/sid/codecrypt

Codecrypt is a quantum-computer-resistant cryptography tool that can be used to encrypt, decrypt, sign and verify documents and communications in a manner similar to GnuPG or PGP.

Clive et al. should read this paper and please use your genius to advance this and help make it commonplace in modern protocols:

http://pqcrypto.eu.org/docs/initial-recommendations.pdf

r • May 14, 2016 12:24 PM

@nick P,

I don't see how an isolated compression routine would require read access... One or two pipes or sockets should do the trick, just like writing to a tape.

Nick P • May 14, 2016 12:56 PM

@ r

It reads data out of files to transform it, then writes it into one or more new files. Hence, read access to at least those files.

Paul McCryptney • May 14, 2016 5:58 PM

Dianne was quizzical
Studied metaphysical masters of the past
Late nights all alone with her Mein Kampf
Ohhhh-oh-oh-oh
Burr (inhaling crazy gas
While fingering his wrinkled ass)
Calls her on the phone
"Can you help me start up a Fourth Reich
Right here at home?"

Now as you're logging onto the net
The Gestapo's right behind

Bang, bang, Feinstein's Silver Hammer
Comes down upon your heads
Bang, bang, Feinstein's Silver Hammer
Gives hardons to the Feds

(We return you now to our regularly scheduled surveillance.)

Fun with numbers • May 14, 2016 6:02 PM

Surveillance state and other criminals: Winning!!!

Democracy and healthy internet based economy: Outlook grim.

Why a staggering number of Americans have stopped using the Internet the way they used to

"Nearly one in two Internet users say privacy and security concerns have now stopped them from doing basic things online — such as posting to social networks, expressing opinions in forums or even buying things from websites, according to a new government survey released Friday.

This chilling effect, pulled out of a survey of 41,000 U.S. households who use the Internet, show the insecurity of the Web is beginning to have consequences that stretch beyond the direct fall-out of an individual losing personal data in breach. The research suggests some consumers are reaching a tipping point where they feel they can no longer trust using the Internet for everyday activities."

tyr • May 14, 2016 11:07 PM

It doesn't get much darker than the inside of Comey's head. His latest epic is to decide that viral police videos have made police afraid to do their jobs. I would like for him to detail for us just what he thinks their job is, if the viral videos are of them breaking the law with impunity as they wreak havoc on children, the mentally ill, and ordinary folk. I've never seen a viral video of them doing what they are supposed to be doing.

Why the vast discrepancy in the mind of our senior officer? Could it be the same kind of ignorance he is famous for in the crypto community?

Winston Smith • May 15, 2016 12:47 AM

The realization that the Republic and the Constitution are an illusion is painful. The west has devolved into a "plutocratic corporatocracy"... a made-up phrase to describe rule by the wealthiest corporations.

It's time to colonize the galaxy with adventurous and enterprising personalities not easily distracted by Kim Kardashian's new outfit. Now to find my Rocinante...

The following are just a few (non sequitur) winning articles.

----------------------------------------------------------------

Winner "Topical" award: "Hidden Microphones Exposed As Part of Government Surveillance Program In The Bay Area"

http://sanfrancisco.cbslocal.com/2016/05/13/hidden-microphones-exposed-as-part-of-government-surveillance-program-in-the-bay-area/

----------------------------------------------------------------

Winner "Not Surprising" award: "Surprise! NSA data will soon routinely be used for domestic policing that has nothing to do with terrorism"

https://www.washingtonpost.com/news/the-watch/wp/2016/03/10/surprise-nsa-data-will-soon-routinely-be-used-for-domestic-policing-that-has-nothing-to-do-with-terrorism/

----------------------------------------------------------------

Winner "Because I Said So" award: "The US government can brand you a terrorist based on a Facebook post. We can't let them make up the rules"

http://www.theguardian.com/commentisfree/2014/aug/30/terrorist-watch-list-rules-innocent-people

----------------------------------------------------------------

Winner "Prescient" award: The Constitution in the National Surveillance State - (Yale Law School, Public Law Working Paper No. 168, dated 2008)

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1141524

Drone • May 15, 2016 3:03 AM

Linksys WRT routers won’t block open source firmware despite FCC rules.

Read the full article at Ars:

http://arstechnica.com/information-technology/2016/05/linksys-wrt-routers-wont-block-open-source-firmware-despite-fcc-rules/

My brief take-away:

* FCC restrictions go into effect on 02 June in the U.S.

* Linksys working with Marvell and OpenWrt on a solution. OpenWrt currently doesn't see any router manufacturers other than Linksys making this effort.

* Apparently the solution allows custom firmware, but locks out access to RF controls (e.g., output power, band-plan, radar-detect/DFS, etc.)

* TP-Link still says they will block custom firmware (they suck).

* It seems not all Linksys routers will support custom firmware, but model numbers starting with "WRT..." will support it.

* Did you know Linksys is owned by Belkin? They used to be owned by Cisco - right?

* It seems to me that eventually custom firmware won't (for the most part) be restricted other than locking out your control over RF parameters.

* Smuggled unrestricted routers will become the new Crack.

* FCC will jail you for life if you are caught three times with a router that has a hacked radio.

Bytopia • May 15, 2016 5:04 AM

Why a staggering number of Americans have stopped using the Internet the way they used to

[...]

But for the Internet to grow and thrive, users must continue to trust that their personal information will be secure and their privacy protected.

I like the Freudian slip in this formulation.

Thoth • May 15, 2016 5:11 AM

@Post quantum cryptography
Crypto isn't the only tool in the box. Hardware, software and operations security with the ability to wield influence, resource, time, willpower, knowledge and intentions. There are more than it seems that one needs to be secure.

TOR has been shown to be weak these days and the Stasis and Echelons are capable of penetrating it. @Clive Robinson mentioned fleet broadcast style to hide metadata but apparently the preferable method of communications is still a point to point route instead of multicast or broadcast due to the efficiency of a point to point system.

PQC ciphers are still in their infancy and not recommended for use, and for now modulus maths and discrete logs are still OK because the NSA are using a Public Key based algorithm called Firefly, and if they are OK to use Public Key algos, it still seems OK for us. The ICs always have the best and it is good to keep an eye on what they use.

It is seemingly very easy to suggest, and while I and a few others are in the middle of security project implementations, even a seemingly outdated TripleDES on software crypto libraries is still mind boggling; I just experienced a nasty bite from the Java JCE yet again with its many hidden tripwires.

Qubes' wishlist of stateless hardware might be difficult, as how are you going to verify a blackbox?

The state of crypto is still in a mess, with the bulk of the issues not about high assurance NSA or NATO level security but the simple stuff like messy documentation, bad coding style with poor commenting, bad GUI interface and usability, coding without thinking of possible glitches in mind... it's the small nitty gritty things we have been stuck with for 50 years but haven't cleaned up yet.

Take small steps at a time to up security and fix the mess in terms of code libraries, correctness of execution, proper documentation, usable interfaces and use cases before we talk about the big things like PQC, data diodes and the likes of NSA or NATO style cool toys.

ianf • May 15, 2016 5:11 AM

[11 May 2016 11:57 PM]
Adrian Kosmaczewski @akosma

we’ve reached the point in mankind history where every. single. piece. of. software. is. broken.
not even a webpage without bugs, crashes…

and this is not a problem of technology. it’s not react vs FP vs JS vs shit vs more shit. we just don’t take the time to do things right.

everything is a race to get more bugs out fast. the agile manifesto forgot to value “features and stability over bugs and crap” on the list.

seriously, i’m tired. it’s all hypocrisy all around. “oh yes QA is important!” “oh yes we are agile!” “oh yes we score 12 in the joel test!”

and people keep working in open spaces, managers keep turning scrum into a command & control game, devs keep lowering their eyes.

we don’t need a friggin’ manifesto, developers. we just need YOU to say NO. it could all change if you just said NO to crap.

[May 12] Elland @elland

@akosma please let this be your next talk. „Say no to shit“ :D

Adrian Kosmaczewski @akosma

@elland it’s a good idea, indeed. i’m hyperventilating here. I can’t watch a webpage without a crash, can’t work without a reboot, wth.

vixentael @vixentael

@akosma 'everything is broken'

Graham Lee @iwasleeg

@akosma everything you said in this thread is true.

Steven R. Baker @srbaker

@akosma I wonder if small iterations are part of the problem: why bother getting it right, if you can fix it soon in the next iteration?

"continuous delivery" is definitely part of this as well.

Anna Williams @annasonIT

@akosma More work for me though. I find I spend a lot of time training people how to work around them :-)

Graham Lee @iwasleeg

@srbaker @akosma quickly converging on adequacy is much cheaper than designing for quality.

Adrian Kosmaczewski @akosma

I’ve expanded these thoughts in @Medium: “Developers, Learn To Say No.

Stuart Osborne @Englishbobster

@akosma time to change our view on handling errors then? Let it crash @elixirlang

More here:
https://medium.com/@akosma/developers-learn-to-say-no-777fe571b38d

Thoth • May 15, 2016 6:20 AM

@ianf
Theoretically saying No would be useful, but realistically the rotten industry itself is all about time to market and how fast you can make a quick buck with a less than half baked product. Same goes for security products as well. I frequently say No to my boss and that doesn't always go well, but I still stick to my principles. A risk to my job indeed.

65535 • May 15, 2016 6:48 AM

@ Paul McCryptney and Winston Smith

“Dianne [Feinstein] was quizzical
Studied metaphysical masters of the past
Late nights all alone with her Mein Kampf
Ohhhh-oh-oh-oh
Burr (inhaling crazy gas
While fingering his wrinkled ass)
Calls her on the phone
"Can you help me start up a Fourth Reich
Right here at home?"
“Now as you're logging onto the net
The Gestapo's right behind”
“Bang, bang, Feinstein's Silver Hammer
Comes down upon your heads
Bang, bang, Feinstein's Silver Hammer
Gives hardons to the Feds” –Paul McCryptney

Good one!

You are referring to the Stacked Senate judiciary committee hearing on Fisa 702 reauthorization, May 10, 2016.

http://www.c-span.org/video/?409335-1/senate-judiciary-committee-holds-hearing-fisa-reauthorization

Feinstein has been entrenched in the US Senate for 24 years.

“[Feinstein] she has served in the Senate since 1992.” – Wikipedia

https://en.wikipedia.org/wiki/Dianne_Feinstein

Emptywheel notes that contrary to the hearing line of BS the actual number of backdoor US citizen searches could be quantified and released to the public – but would reveal the FBI and DEA’s parallel construction methods – and probably the spying on defense attorneys and privacy advocates.

https://www.emptywheel.net/2016/05/10/the-us-person-back-door-search-number-doj-could-publish-immediately/

Feinstein's Mask has slipped. She clearly seems to represent the Intelligence Community and their K-street money bundlers – rather than her California voters.

01:59:52 into hearing

Elizabeth "Liza" Goitein

“Any agency that comes across -- across threat information should share that information. Agencies should work together to address the threat. What the Fourth Amendment can not tolerate is the government collecting information, communications without a warrant with the intent of mining it for use in criminal cases against Americans. “

[Feinstein cuts her off and becomes a Constitutional Scholar]

FEINSTEIN: “Whoa, whoa. That's where you and I differ. I think that all of the data is collected lawfully. I don't believe it's collected unlawfully.”

Just because Senator Feinstein is a Senator who collects a great deal of money from the Intelligence Community and their lobbyists doesn’t make Ms. Feinstein a Supreme Court Judge or Constitutional Expert!

I listened to the entire two hour Senate hearing on the reauthorization of 702 and it is a good example of political stacking.

Of the five people in front of the Senate committee three were Pro-702 spying advocates with only two anti-spying advocates.

Pro spying advocates:
• Matthew G. Olsen Director (Former) National Counterterrorism Center
• Kenneth L. Wainstein Adviser (Former) White House->Homeland Security and Counterterrorism
• Rachel L. Brand Member Privacy and Civil Liberties Oversight Board [who seems to be the head saboteur of PCLOB or “P-Club”]

Anti-spying advocates:
• Elizabeth "Liza" Goitein Co-Director Brennan Center for Justice at NYU School of Law->Liberty and National Security Program
• David Medine Chair Privacy and Civil Liberties Oversight Board [Who seems to crumble at the end of his testimony]

Pro-Spying Advocates of the Senate Committee:

Richard Blumenthal U.S. Senator [D] Connecticut
Chris Coons U.S. Senator [D] Delaware
John Cornyn U.S. Senator [R] Texas
Dianne Feinstein U.S. Senator [D] California
Chuck Grassley U.S. Senator [R] Iowa
Amy Klobuchar U.S. Senator [D] Minnesota
Thom Tillis U.S. Senator [R] North Carolina
Sheldon Whitehouse U.S. Senator [D] Rhode Island

Anti-spying Senators:

Al Franken U.S. Senator [D] Minnesota [possibly anti-spying]
Patrick J. Leahy U.S. Senator [D] Vermont

David Medine and Elizabeth Goitein point out the illegal nature of the UPSTREAM and PRISM warrantless searches of American communications for average vice crimes and outright fishing expeditions by the FBI and DEA.

[Extensive and worthwhile text of Warrantless Searches legal problems presented in public]

David Medine:

"…Section 702 has two components, PRISM and Upstream. In PRISM the government collects the contents of targets' emails and other communications from electronic communications providers. While the targets are non-U.S. persons, from time to time those non-U.S. persons communicate with Americans… as a result, the government is collecting large quantities of Americans' communications. These are incidental communications because the U.S. persons are not the targets, but these are not inadvertent because it's known in advance that Americans' communications will be collected."

“In contrast, the Upstream program the government gets access to the telecommunications backbone, over which some telephone and Internet communications transit, and collect the contents of emails and phone calls. By using about collection, the government doesn't look just in the header of to and from of an email, but it also scans the contents of the email for a targeted selector… As a result, if Liza and I were communicating by email and I sent her a message with an email address from my uncle in Turkey so she has a place to stay when traveling to Turkey. If it turns out that my uncle's email address is one of the 94,000 selectors currently on target in 702 program, my email to Liza could be picked up and copied into an NSA database, even though neither one of us is suspected of wrongdoing. And even my uncle might not be suspected of wrongdoing and may simply have valuable foreign intelligence information.

"If this program is to continue, it should have privacy and civil liberties, particularly where U.S. persons are implicated. Accordingly, I recommend three legislative changes… First, many of the communications collected under 702 have nothing to do with terrorism or crime. They can include family photographs, love letters, personal financial matters, discussions of physical and mental health, and political and religious exchanges… U.S. persons' queries of that database are therefore capable of revealing a significant slice of an American's personal life. This is particularly the case for Americans who correspond frequently with foreigners, including relatives, friends and business associates.

"Since no warrant was ever issued for these communications, which are covered by the Fourth Amendment, there should be some form of protection. Before querying these databases for a U.S. person identifier, intelligence agencies and the FBI should be required to submit a U.S. person identifier queries to the FISA Court for approval other than in exigent circumstances. Most important here is that there be an impartial life-tenured federal judge has the final say over whether Americans' personal communications are collected and reviewed.
Second, Upstream and about communications raise two potential concerns. One is the collection of purely domestic communications American-to-American. And the other is over collection of communications. Building on the recommendations put forward in PCLOB's 702 report, as technology evolves, the government should be required to elevate -- evaluate the effectiveness of screening of domestic communications, and also should determine ways of separating out various types of about communications so we can have policy decisions as to whether all of them should be collected.

"Third, a large number of U.S. persons' incidental communications are collected under 702, as I've mentioned. But how many? In order to have an informed democratic debate about the scope of this program, it's important that citizens and members of Congress know how many Americans' communications are being implicated in this program.

"I have no reason to doubt that the government has encountered difficulties in quantifying the number of U.S. persons' records it incidentally collects. Nevertheless, I urge this committee to require all agencies collecting information under Section 702 to develop a manageable way to gather statistics and provide them to Congress on a regular basis...

[Emptywheel indicates the numbers are already provided by the FBI to the Justice Department and should be made public – See Emptywheel’s posts]

“The minimization procedures call for the deletion of innocent Americans' information upon discovery to determine whether it has any foreign intelligence value. But what the board's report found is that in fact information is never deleted. It sits in the databases for five years or sometimes longer… And so the minimization doesn't really address the privacy concerns of incidentally collected communications, again where there's been no warrant at all in the process. And when the government shifts its attention from the non-U.S. person to the Americans' communication, there should be court approval in that exchange… in Title III there has been a warrant before the information was collected. In the United States we simply can't read people's emails and listen to their phone call without court approval. And the same should be true when the government shifts its attention to Americans under this program.

“Thank you, Senator Feinstein. One of the things that our board discovered in our 702 investigation was, as -- my board member Brand indicated, that the FBI routinely looks into 702 databases, and not just in investigations, but even in assessments when the FBI has absolutely no suspicion of wrongdoing, but they're just sort of entitled to poke around and see if something is going on, they nonetheless access -- query the 702 database. But the FBI's minimization procedures weren't transparent about that process… Sure. On the side of having a query, as I mentioned earlier, under the fourth amendment, the government is now accessing Americans' personal communications. And I did want to clarify one point earlier. This program does not just target terrorists. I think it might be a very different situation if the only focus was terrorists. This program targets anyone with foreign intelligence value. It could be a completely innocent businessman or anyone else out of the country who has that information… And so we have an American talking to someone who is potentially innocent of any wrongdoing and yet capturing that American's communications. It could be a love letter. It could be a business transaction. But all those are being captured. The question is when we shift our attention to those communications, should we have court approval?"

“If I could also add on the classification front? One of the things the board experienced in preparing its report is that we found some facts about the 702 Program that we thought could be made public without harming national security. Senator, as with -- I would recommend three legislative changes. One is require the government to estimate the number of Americans' communications that are intercepted under 702 [Emptywheel’s point]; second is tighten up the upstream about collection process; and third is to require court approval for queries of Americans' information under 702… following up on Senator Whitehouse's point, is there has been no warrant issues for these collections. And when the attention shifts to Americans' communications that are collected over a five year period with any of 90 plus thousand other people outside the United States, I think it becomes a moment when the fourth amendment would require court approval.

"We invited a former judge from the Fifth Court to testify about his experiences. And he said how frustrating it was as a judge to only hear one side. He said in his normal civil or criminal docket he hears one side make an argument, sounds pretty persuasive. Then the other side makes an argument, that sounds pretty persuasive too. And the judge's rule is to reconcile those competing views… he only heard one side. And that led the board to ultimately recommend that there be another side, particularly in cases having novel, legal or technological considerations like programmatic approvals up to 15 or 702.
“I think it would be useful to require by legislation that the Director of National Intelligence report annually to the Congress on the number of Americans' communications that are incidentally collected and the methodology used to do that, because that's an important part in this reauthorization process of evaluating but also on an ongoing basis, how the program is operating. [No notification to Defense Attorneys ] Notification of criminal defendants… [The European Problem] I think also is, it would eliminate the question of querying that information, because I think it's a large amount of information over five years that's -- that's collected. I'd add that this -- our report on 702, I think, has also been helpful for Europeans as well."

Elizabeth "Liza" Goitein does a very good job of articulating the warrantless search problem:

"...Our nation faces real threats from international terrorism. Your challenge and your responsibility is to ensure that these threats are addressed not only effectively, but in the way that's consistent with the Constitution, the privacy interests of law-abiding individuals, and our nation's economic interests… Section 702 in its current form does not accomplish those aims. Technological advances have revolutionized communications. People are communicating at a scale that was unimaginable just a few years ago. International phone calls, which were once difficult and expensive, as I remember, are now as simple as tapping a screen. And the Internet offers countless additional means of international communication. Globalization makes these exchanges as necessary as they are easy… As a result, the amount of information about Americans that the NSA intercepts, even when targeting foreigners overseas, has exploded. But instead of shoring up safeguards for ordinary Americans and foreigners who communicate internationally, section 702 did the opposite. It eliminated the requirement of an individual court order to collect communications between foreign targets and Americans. It also eliminated the requirement that the target be affiliated with a foreign power or terrorist group.

"The government today can target any foreigner overseas, regardless of whether he poses any threat to the United States and obtain his communications with Americans. While the government must certify that acquiring foreign intelligence is one of its purposes, the law defines foreign intelligence broadly enough to include conversations about current events… Moreover, the government has interpreted the law to allow collection of communications, not just to and from the target, but about the target. This legal fee change underlies the NSA's upstream collection program whereby a huge proportion of communications flowing into and out of the United States are scanned for selectors associated with designated foreigners and picked up… Using upstream collection and PRISM, which obtains stored emails from U.S. companies, the NSA collects more than 250 million Internet communications a year. That undoubtedly includes millions if not tens of millions of Americans' emails. And as we know, wholly domestic communications are included as well. To call this kind of mass collection targeted elevates form over substance. There are deep constitutional concerns with this surveillance. The Fourth Amendment may not apply to foreigners overseas. But when a law is designed to collect communications between foreigners and Americans, the Fourth Amendment is very much in play. And when the FBI searches through those communications for evidence to use against Americans in criminal cases, and then fails to notify the defendants how it obtained the evidence, it drives a hole the size of Fort Meade through the Fourth Amendment.

"Constitutional concerns aside the mass collection of communications comes with significant risks and harms. The OPM fiasco reminded us how vulnerable government databases are to foreign governments and other hackers. And any massive database that contains sensitive information about Americans carries with it the risk of abuse or negligent mishandling by this or some future administration. Overbroad surveillance also threatens our economic interests by impairing the legal and practical ability of U.S. technology companies to do business with customers overseas. We're told that these risks are justified because Section 702 has helped to stop terrorist plots. But the question isn't just whether Section 702 is useful. We must also ask whether effective surveillance can be conducted in a manner that's less intrusive with fewer costs to our liberties… One final point. Within constitutional bounds set by the courts, Americans should be able to decide for themselves how much surveillance is too much. But to do that we need information

[No response from the Intelligence Community]

"Five years after Sen. Wyden first requested an estimate of the number of American communications collected under Section 702, we're still waiting. Congress and the public need this basic information for the democratic process to work. I think that -- thank you. I think to understand what's so disturbing about backdoor searches you have to look at what comes before them… to fit its way into the foreign intelligence exception, as it's called, to the Fourth Amendment, and in order to avoid getting a warrant or getting an individual FISA order, the government has to certify to the FISA Court not only that it's targeting a foreigner, not an American; not only that it has a foreign intelligence purpose; but also that it's not doing any reverse targeting, which means it has no intent to target any particular known Americans.
Then having made that certification, as soon as the data is obtained, all three agencies can sort through the data, looking for the communications of the very particular known Americans in which the government just disclaimed any interest. And the FBI doesn't even need a foreign intelligence purpose to do it. The FBI can search for evidence in criminal cases that have no national security or foreign intelligence component whatsoever.

[Bait and switch tactic by the Intelligence Community]

"So this is a bait and switch that undermines the spirit, if not the letter of the reverse targeting prohibition. And more important, it undermines the purpose of that prohibition, which is to ensure that Section 702 doesn't become an end run around the Fourth Amendment requirement and around the FISA Court's -- the FISA's individual warrant order requirement when an American is a target… And I would note one more thing, which is that the president's Review Group on Intelligence and Communication Technologies, which included a former deputy director and acting director of the CIA, the former chief Counterterrorism adviser to President George W. Bush recommended a warrant to search Americans' communications… were trying to protect Americans from warrantless surveillance. And that's what closing the backdoor is about.

[Poor to zero minimization of Americans conversations]

"I think that there's this idea that if the government has collected the information lawfully, it should be able to use it for any legitimate government purpose. And whatever treat that may have in other context is clearly not the case with Section 702 because Congress has required minimization… Minimization is the opposite of you can use it for any purpose you want. And constitutionally it's not the case either because the reasonableness inquiry includes an assessment of whether the safeguards on Americans' data are sufficient… But in general investigations progress from using less intrusive means to using more intrusive means. At the beginning of the investigation you may just have a tip and you want to figure out whether to pursue that tip or not do anything… you'll start by doing a query of databases to see what you already know and see if it's worth pursuing. Then, as the investigation proceeds, you may develop enough information to satisfy probable cause requirement for a search warrant or a wiretap or so forth… at the very initial stages of the investigation, you typically don't have much information and that's why you do a query to then require the government to compile more information in order to start with a less intrusive means. That just doesn't make sense to me, but Mr. Wainstein and Mr. Olsen may have more insight into that.

[Cut off by Senators on the privacy issues]

"Would you mind if I speak to the privacy issue a little bit as a representative of the Civil Liberties community here? I would hope that this Committee would take note of the fact that the privacy community is unanimously behind the requirement of a warrant because it is our considered opinion that this is far more protective of privacy to require a warrant than to allow carrying (ph) of that data… I think that search itself is the violation of the fourth amendment rights. I know Mr. Olsen said there is no evidence of abuse of backdoor searches. Backdoor searches are the abuse. It's a warrantless search of Americans' communications that were gathered based on a representation that the government was not targeting Americans… a search of data that the government is required by law and by the Fourth Amendment to minimize the use and access to U.S. person information… I believe that Section 702 goes much further than it needs to go in order to accomplish the aims that I think we all want to see accomplished. And I would point out that some of the cases, in fact all of the cases that have been made public relating to Section 702 successes, are cases in which the surveillance, the Section 702 surveillance, was of a known or suspected terrorist, or someone known or suspected to have ties to terrorism."

"… while these are certainly evidence of you know Section 702 working, they do not support the idea that Section 702 needs to be...[cut off mid sentence]… the Brennan Center's position is that the only way to secure the constitutional validity of Section 702 is to have an individual order when the government collects communications between a foreign target and an American… there are many, many other steps that could be taken to improve Section 702. That includes closing the backdoor search loophole. It includes narrowing the definition of foreign intelligence, narrowing the pool of people who can be targeted, so it's not just any foreigner overseas."

[Failure to notify Defense Attorneys]

“…ensuring that notice is given any time that Section 702 evidence is used in court or evidence derived from Section 702 is used in legal proceedings… I've heard this from former national security division attorneys, as getting to yes. And that's not the role of the judiciary. I think part of that was that when there wasn't another party there, the court wasn't in the role of being a neutral adjudicator between two sides. And therefore, if the court said no to the government, the court effectively became the other side. I think that was a very uncomfortable role for the court and I think it made the court more inclined to try to move toward yes.

[No numbers on how many American conversations are searched]

"…therefore, if the court said no to the government, the court effectively became the other side. I think that was a very uncomfortable role for the court and I think it made the court more inclined to try to move toward yes. With respect to the queries, we don't have numbers of how many times the FBI runs the U.S. persons queries of the data because the FBI doesn't track those. The FBI, however, is by far, you know from the board's reports, the most active and frequent U.S. person querier. And so, it's important to get that information… you know, the FBI would have trouble figuring out who is a U.S. person in order to track these queries. The NSA does it. The CIA does it. They're able to track the queries. I think the FBI should be able to as well… one quick point that I was hoping to get in when Senator Whitehouse was talking about the incidental collection idea -- there is one very important distinction between the cases that have upheld the incidental collection of people who are in communications with a target and what we're seeing with Section 702."

"In those cases, under Title III of criminal warrants, there was not only strict minimization procedures which was mentioned but there was also a warrant in the beginning to target the original suspect and the courts have emphasized the importance of that warrant at the front end because that provides them vicarious protection to people in contact with the target and narrows the pool of people who can be collected on…the distinction is not so much between foreign and domestic, but in terms of the nature of the case, but in terms of who the target is. So, if the target is foreign, then there can be a warrantless collection… if the government is trying to build a case against an American, if the American is the target, then if it's a foreign intelligence case they go to the FISA Court and they get an individualized order. If it's a criminal case, they go to a magistrate and they get a warrant. And that distinction is very easy to make, whether someone is an American or not.

[Rights not honored in actual cases]

"... that appears to be being honored in the breach, is what I would say. I mean, it has been -- for a while it was not honored at all. And then about three years ago, there was apparently a change in policy, but we've been -- there have only been eight notifications in the last three years. And that's, I guess, the backdrop of hundreds of terrorism and national security prosecutions, dozens of material support prosecutions… there is definitely concern that the FBI is voiding the requirements, perhaps by a creative definition, perhaps by parallel construction, which is re-creating the evidence using less controversial tools or methods, perhaps both that, you know, it's very easy to clear this up, for the department to simply release its policies for how it interprets the notification requirement. But the government has been fighting tooth and nail against FOIA requests to get those policies… that's another area where this committee could be helpful to pry those loose… Senator Wyden initially asked for an estimate for, I think, I heard him use the word "ballpark" at one point. That should be possible. And with a couple of the programs, it should be fairly straightforward. There's -- with PRISM, it's a little trickier but that's why the civil liberties community has offered to work with the intelligence community to try to find a privacy protective way of generating the estimates. So, it should be possible… I think it's vital, because I hear public statements by officials over and over that this program is targeted at foreigners and that the collection of Americans' communications is incidental. These are terms of art with very specific legal meanings, but most Americans are not lawyers… when they hear this, they will reasonably assume that Americans' communications that -- not many Americans' communications are collected.
So I think having this estimate is important to pierce through the legalese and give Americans a truer sense of what the program entails, which they need in order to make their own decision and participate in the democratic process.

[Feinstein attacks Goitein]

“…when they hear this, they will reasonably assume that Americans' communications that -- not many Americans' communications are collected. So I think having this estimate is important to pierce through the legalese and give Americans a truer sense of what the program entails, which they need in order to make their own decision and participate in the democratic process. Opposition to backdoor searches is not a call to rebuild the wall… Backdoor search is when the FBI or any other agency targets a U.S. person for a search of data that was collected under Section 702, which is supposed to be targeted against foreigners overseas… the data is searching its unminimized (ph) form. So the FBI gets raw data, the NSA, the CIA get raw data and they search that raw data using U.S. person's identifiers. That's what I'm referring to as backdoor searches. I'm happy to call it U.S. person queries and trying to address USA -- a U.S. person query is not calling to rebuild the wall. Any agency that comes across -- across threat information should share that information. Agencies should work together to address the threat. What the Fourth Amendment cannot tolerate is the government collecting information, communications without a warrant with the intent of mining it for use in criminal cases against Americans.

FEINSTEIN: Whoa, whoa. That's where you and I differ. I think that all of the data is collected lawfully. I don't believe it's collected unlawfully.

[back to Goitein]

"…it's not that simple, because collection and then how the data is treated are both parts of the same scheme that's evaluated for its constitutionality. And what makes the collection at the front end lawful -- and Judge Bates has said this on the FISA court -- what makes it lawful to collect without a warrant is, in part, restrictions on how that data can be used on the back end… I do think there are situations in which having oversight and rules and policies about procedures for how searches are done, all those things, there are cases where that's absolutely vital."

"When you're talking about a warrant and the basic requirement of getting a warrant to access Americans' communications, you cannot substitute procedures for a warrant. And to quote Justice Roberts in the Riley case, which required a warrant to search cellphones, the founders did not fight a revolution to gain the right to government agency protocols..."

http://www.c-span.org/video/?409335-1/senate-judiciary-committee-holds-hearing-fisa-reauthorization

Clive RobinsonMay 15, 2016 7:13 AM

@ Chris l,

Physical security is a lot like encryption you can invent a system that you can't defeat, but someone else might be able to find a way.

Those bottles sound much like other medical security devices...

Hospital is no place for a person with an inventive / hinky mind to be, especially if like me you regard a hospital bed bay as a prison cell almost equivalent to solitary confinement...

When you get taken to hospital they try --for good reason-- to identify you and any allergies etc. Thus you end up with a couple of "tamper evident" wrist bands, similar to but less decorative than those used for concerts and festivals. By habit, where they can, they put the identity band on your left wrist and allergies on the right wrist.

This is like catnip to an inventive mind... How to get the allergies band to the left wrist and the ID to the right, without breaking them or leaving evidence you have tampered with them, importantly "within the constraints" of your bay/cell... My record so far is 3mins with a piece of stiff plastic from a strip of pills for the "paper only" wrist band. Essentially you use the plastic to saw through the glue, whilst not damaging the paper; it's exactly the same technique I use for opening the side of envelopes...

Prior to those they had self locking press studs on plastic bands, which with a little warm water (cup of tea) would stretch enough to slide over your hand, but that is cheating in this game. If you look at the studs they have three or four plastic fingers that spring back after being pushed over a pin with a cone shaped top. The cone pushes the fingers back as it goes point first and they snap back behind the bottom flat of the cone. These devices are injection molded, which means even though the fingers are in a recessed well there is a hole where you can get at them with the point of a safety pin, and sufficient "slop" in the design that with patience you can work the fingers back and get the cone backwards. In essence very similar to picking a lock; I got that down to about a minute per band.

This locking finger design is also used in other devices. When you have one of quite a large range of non infectious chronic illnesses you have to take drugs that interrupt the --complex-- clotting cycle, which is problematic when you need some kind of invasive procedure. Thus you come off one set of meds --rat poison-- for injections of anticoagulants like heparin. As these come in "premeasured doses" in quite small disposable glass syringes, there is a "reuse by drug addicts" issue. Thus the glass syringe comes in an outer transparent casing that does several things. When you depress the plunger it releases a spring loaded outer sheath around the needle that locks at the end of its travel --which only happens when you pull the needle out of you-- the plunger likewise locks down at the end of the travel, and a couple of other things. This plastic sheath is made of shatter proof acrylic or similar and has internal ridges that will shatter the glass if you try to crack the plastic sheath open.

From the description it sounds secure, and to most examining it it looks secure. But... to a person with a "hinky mind" it looks like a puzzle to occupy a mind that has been forced to not have things to occupy it by the nature of the solitary confinement. After about thirty seconds of looking and thinking, five minutes to go and steal the soft plastic cap of a nurse's Bic-Biro and another five minutes of exploring I had it all in pieces. After putting it all back together a couple of times, I got the disassembly down to just under a minute. And for fun to see the look on one of the nurses' faces, I filled the syringe with black coffee, and put it all together again, but cut the needle off for safety reasons.

The nurse looked genuinely shocked when I told her how easy it was, and then showed her with the trusty biro top [1]. She obviously mentioned it to others because I had a visit from one of the managers in the pharmacy and the director of nursing who wanted to see for themselves --it turns out these safe and (in)secure syringes are significantly more expensive than the old ones, not just in price but storage costs etc-- and the next time I was in for an op a few weeks later there was no sign of the plastic sheathed syringes.

I blame my sister for my "hinky thinking"[2], and I find it nearly impossible to look at anything and think "If you did this..."

[1] The Bic-Biro pen and the paper clip are probably the lock-picker's ideal "innocuous" pocket contents. Forget those expensive "pick-kits": not only is it a crime to either carry or own them in many jurisdictions, going the extra few inches to learn how to make your own picks and torque levers will teach you many other skills useful in your life, nefarious or saintly.

[2] My sister belatedly realised what she had been like, and thus sought solace in being a "born again..." type (rather than carrying on being a Bourn type). Last time I checked it had not changed her; as Terry Pratchett so amusingly put it, seldom does "The leopard change its shorts" (quite deliberate misquote of Jeremiah 13:23 for those who find themselves re-birthed).

Clive RobinsonMay 15, 2016 7:46 AM

@ tyr,

I was wondering about the link between desert sand and the amazing collapse of three buildings on 9/11.

As for the "Twin Towers", there is absolutely no conspiracy about why they collapsed. The reason is well known to most architectural types.

The design was a new innovation to get around certain limiting things such as lifts that could not work more than a certain number of floors reliably due to the limitations of the materials available at the project inception.

Essentially it was a central slender core, that would like a radio mast not be self supporting. Instead of guys that you see on radio masts they used the idea of "box section strengthening", that is the core was guyed up by the external walls in tension and the floors forming the box section with the core in compression, much like the idea behind the rims, hubs and wires on a pushbike wheel, turned on its side and stacked up to form a tower. Whilst the design did allow for moderate explosions, what it did not consider was what would happen if a hundred tonnes or so of aircraft full of fuel smashed into it at a few hundred miles an hour (even though a plane had flown into the Empire State building within living memory of the architects of the Twin Towers). I realised why the first tower had collapsed, and had the difficult task of explaining why it happened a few moments later to my temporary boss who was over from the US...

As for the un-hit tower, the reason for its collapse is strongly suspected, and some say that there is a cover up to "protect the guilty" over "signing off" on certain building modifications by a tenant without proper structural analysis. If true then that tower would have in all probability collapsed at some point in the future without any terrorist activity. The fact that there was, six months beforehand, a curious insurance setup for a "double payout" claim against the insurance has caused speculation that others knew that collapse was likely and therefore sought to profit by it by double insuring[1]... the truth or falsehood of this is unlikely to be ever known.

[1] google "Larry A. Silverstein" to see what various people have to allege / say on the matter.

Self Censor for CareerMay 15, 2016 8:07 AM

“If you’re an ambitious young national security operative — or an old one, for that matter — go scrub your Facebook page. For on Thursday, James Clapper, the director of national intelligence, signed into force a new measure allowing the government to examine the public social media sites of individuals seeking clearances to view classified information.
Those guidelines include, for example, allegiance to the United States, sexual behavior, drug and alcohol use, criminal conduct, and financial considerations.

The policy’s definition of what constitutes “public information” includes information available to the public by purchase.

The policy applies to both new applications for security clearances and periodic reviews of individuals already granted one. So with that in mind, it’s probably a good idea for the denizens of the national security state to carry out a social media deep clean.”

More prudently, NEVER post anything online when logged in. Make your friends and family aware of your positions and ask for their cooperation. Avoid IoT tracking devices too. Assume your cell phone is being monitored at work.
https://foreignpolicy.com/2016/05/13/feds-will-facebook-stalk-you-before-you-get-top-secret-clearance/

JamesMay 15, 2016 8:17 AM

Anyone have any comments on how easy it will be to steal Passwords for the new Password saver which is part of the Skylake Firmware?

Or the really clever idea that all who use Windows 10 should give our primary Windows Password to Microsoft to keep and use as part of their Windows Store, and to protect us from losing our Windows PW.

ThothMay 15, 2016 8:51 AM

@Clive Robinson
re: Hospital tags on wrist
You could sneak in an RF reader and see if you can sniff anything off them. More and more of these tags are equipped with RF capabilities and it would be fun if you can do something interesting to them while you are bored :D .

rMay 15, 2016 8:55 AM

@clive,

Hospital is a place for hinky minds, I raise you top surgeons.

Maybe they shouldn't take risks, and certainly nobody else at the hospital should be allowed to think like that: but a surgeon may just save a life thinking freely.

Chemical ShrimpMay 15, 2016 10:45 AM

@Clive

Well done for keeping the mind entertained. Get well soon.

albertMay 15, 2016 10:49 AM

@Clive,

"...there is absolutely no conspiracy about why they collapsed. The reason is well known to most architectural types...."

Nothing is absolute. Provide a link to those 'architectural types'. The buildings were designed to handle a strike by a 707.

Your 'explanation' is pure speculation.

Here's a fact:

I watched a video of molten metal pouring out of the corner of one of the towers. It was yellow, fading to orange, and remained orange for 4 or 6 stories. I used to work in an aluminum foundry and I worked with the stuff, so I'm an expert. Aluminum cannot glow yellow. At night, you -might- see a dull red glow, but in sunlight, it would appear silvery, like mercury. Since 'investigation' has shown that the steel beams couldn't have melted, what was that stream pouring out of the building?

It was molten steel.

What do the 'experts' say about this?

. .. . .. --- ....

TatütataMay 15, 2016 12:39 PM

Clive,

When I land in hospital (luckily only twice up to now, excepting my birth) I'm way too busy acting like a sick dog to even think about hacking wristbands. Anyway, over here they only fit you one, bearing only your name and a bar code.

I'm looking forward to reading reports on how to switch the toe label from one foot to the other, just to see the puzzled look on the pathologist's face.

Who?May 15, 2016 1:09 PM

@ Godel

Major security flaw found in 7-Zip file archive program for Windows. Upgrade to version 16 ASAP.

@ Nick P

It's worse than it appears. John Nagle pointed out that a compression program pretty much needs a read and write privilege to operate. Nothing more really. No excuse for not sandboxing or restricting these suckers by default. On top of it, the website doesn't support HTTPS or have signatures for executables.

Great archival tool despite security that's lacking. :)

There is a perfect tool to achieve this goal in the form of a system call:

http://man.openbsd.org/OpenBSD-current/man2/pledge.2

pledge(2), previously known as tame(2), should be a standard system call. We will see what happens out of the OpenBSD world in the next years.

Nick PMay 15, 2016 1:23 PM

@ Who?

Pledge is useful but far from perfect. The work on SELinux and SEBSD shows that truly isolating and applying security policy to programs across the board requires changes all over the OS. That just drops function calls as far as I'm aware. One needs mandatory access controls (eg SMACK, SELinux) or capabilities (eg Capsicum) to get best results. Alternatively, people could compile these with Softbound+CETS, SAFEcode, or Code-pointer Integrity. Trying those on as many critical, C apps is one of my steady recommendations elsewhere as you trade some performance for difficulty of achieving perfection. Increasing CPU speed by 10-40% seems easier than writing code without 0-days. ;)

Gerard van VoorenMay 15, 2016 1:53 PM

@ Nick P / Who?,

"It's worse than it appears. John Nagle pointed out that a compression program pretty much needs a read and write privilege to operate. Nothing more really."

Reply:

"pledge(2), previously known as tame(2), should be a standard system call. We will see what happens out of the OpenBSD world in the next years."

Reply:

"Pledge is useful but far from perfect. The work on SELinux and SEBSD shows that truly isolating and applying security policy to programs across the board requires changes all over the OS."

In this case Pledge would suffice IMO. If you only allow read() and write() how much more can you escalate? The problem with SExyz is its complexity and that it doesn't work on Windows. Pledge is ridiculously simple. I think it will enhance security by an order of magnitude with only a few LOC.

Gerard van VoorenMay 15, 2016 2:00 PM

Edit my comment: I am talking in general about zipping/unzipping here. I don't know *anything* about the specific vulnerability.

Nick PMay 15, 2016 2:19 PM

@ Gerard

Pledge is fine as a start. I promoted it back when its predecessor was called systrace and removed from OpenBSD IIRC. I told them that was a bad idea as syscall restriction was "ridiculously simple" to implement in kernel. I don't think I used those specific words but said about the same thing. I also praised the developers on Hacker News for a clean deployment.

Yet, the ability to make a syscall isn't the end of errors. The file accessed, the arguments passed, the patterns of access and their effect on system code, and so on all come into play. That's why MAC and "trusted" OS features control that stuff. Also remember that the whole concept of return-oriented programming was to abuse access to code that was already there. Privilege restriction, including syscalls, is always a first step rather than the only step.

Note: If you doubt extra risks, suggest on mailing list OpenBSD team turn off all other mitigations for apps and read their responses. ;)

"The problems with SExyz is it's complexity"

Some of it is inherent in what it takes to catch all the bypasses apps can do in various parts of the kernel. Other parts are specific to its strategy (Type Enforcement) and tooling. It's why I mentioned SMACK. Another is RSBAC. I'm not sure how thorough they are vs SELinux. I haven't evaluated the guts of them like I did SELinux a while back. It's based on Flask, which was thorough.

Most are shifting to capability model like Capsicum. Already supported in FreeBSD, DragonflyBSD, Linux, and Mac OS X.

"that it doesn't work on Windows"

That's not a drawback: Windows apps have to use tools made for Windows, not Linux and BSD. Microsoft never created a comparable MAC tool. So, we don't have one. What they did do is add many similar features in their kernel for sandboxing plus Mandatory Integrity Control. Here are two papers, basic and deep, showing how those Windows protections work and often don't work due to clever bypasses located far from the protection mechanisms. The first shows some kinds of issues I allude to above when you don't intercept and check things all over the place according to one, consistent policy.

rMay 15, 2016 2:22 PM

@albert,

A cutting torch works by oxidizing iron and then burning the oxide... Could oxidation of the steel have played a role?

Nick PMay 15, 2016 2:25 PM

@ Gerard

I just remembered there were attacks on systrace due to concurrency issues in the kernel that its system call interposition couldn't handle. Here's the page with plenty of links. They were mitigated in the MAC frameworks since they had the instrumentation everywhere to do so.
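An added example, not code from 7-Zip, OpenBSD or any commenter, showing the pattern the pledge(2) discussion above is about (open the input and output first, then drop to "stdio"), and what the "only allow read() and write()" question and the systrace argument-race remark look like in practice. pledge(2) is OpenBSD-only, so this uses Linux seccomp-bpf, the nearest Linux analogue, as a stand-in. The allowlist is this example's own choice: like pledge's "stdio" promise it admits a little more than read/write so that libc can still exit and abort cleanly, and it returns EPERM instead of killing the process so the effect can be observed from inside the same program.

```c
/* Added example, not 7-Zip's or OpenBSD's code: the "open your files,
 * then pledge("stdio")" pattern rebuilt with Linux seccomp-bpf.
 * Build: cc -O2 -o stdio_sandbox stdio_sandbox.c */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SC_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SC_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* pre-4.14 headers */
#endif

/* Two BPF instructions: if nr == (nr) return ALLOW, else fall through. */
#define ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

static struct sock_filter stdio_filter[] = {
    /* Kill on a foreign ABI (e.g. x32), whose syscall numbers differ. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SC_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* What a streaming (de)compressor needs once its fds are open ... */
    ALLOW(__NR_read), ALLOW(__NR_write), ALLOW(__NR_close), ALLOW(__NR_lseek),
    ALLOW(__NR_brk), ALLOW(__NR_mmap), ALLOW(__NR_munmap),
    ALLOW(__NR_exit), ALLOW(__NR_exit_group),
    /* ... plus what libc needs to abort() or report an error cleanly. */
    ALLOW(__NR_rt_sigprocmask), ALLOW(__NR_rt_sigaction), ALLOW(__NR_rt_sigreturn),
    ALLOW(__NR_getpid), ALLOW(__NR_gettid), ALLOW(__NR_tgkill),
#ifdef __NR_fstat
    ALLOW(__NR_fstat),
#endif
#ifdef __NR_newfstatat
    ALLOW(__NR_newfstatat),
#endif
    /* Everything else (openat, execve, socket, ...) fails with EPERM so the
       effect is observable in-process; KILL_PROCESS is the stricter choice. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};

/* The pledge(2) moment: call once input and output are open. 0 on success. */
int restrict_to_stdio(void)
{
    struct sock_fprog prog = {
        .len = sizeof(stdio_filter) / sizeof(stdio_filter[0]),
        .filter = stdio_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) /* needed unprivileged */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probe: 0 if the process can still open a new file, otherwise the errno. */
int probe_open(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* The archiver's inner loop is pure read/write, so it keeps working after
   the filter; a bug in it can no longer open, exec or connect to anything.
   Returns bytes copied, or -1 on error. */
long copy_stream(int in_fd, int out_fd)
{
    char buf[4096];
    long total = 0;
    ssize_t n;
    while ((n = read(in_fd, buf, sizeof buf)) > 0) {
        if (write(out_fd, buf, (size_t)n) != n)
            return -1;
        total += n;
    }
    return n < 0 ? -1 : total;
}
```

A real tool would open its archive and output, call restrict_to_stdio(), and only then run the decompressor over untrusted input. Note what the filter can and cannot see: it decides on the syscall number and register arguments only and never dereferences pointers, which is why this style of filter does not suffer the argument-race problems raised against systrace-style interposition, and also why it cannot express "this file but not that one"; that finer policy is what the MAC and capability systems discussed above are for.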

NobodyMay 15, 2016 3:03 PM


@albert

There are plenty of disturbing things about the events of 9/11, but molten steel pouring out of a jet fuel fire is not one of them. In a building of any height, convection chimneys will pull air in with great force, making the fuel into a giant blowtorch. It is trivial to melt steel with burning oil, which you can see for yourself on youtube, where hobbyists use spent motor oil to do sandcasting. The most disturbing thing about 9/11 to me was the lying scumbag Condoleezza Rice saying "No one could have imagined terrorists using airplanes as weapons." You can look up Bojinka for yourself and do the math from there. For those who are slow to connect dots, she was briefed not just on the Bojinka plot and the infamous August daily, but the threat in Europe during the summer. The fact that she chose to lie about it indicates that the talking points were prepared in advance. She is much smarter than this lie would tend to make her appear. Either way, what cannot be incompetence must be malice.

Nick PMay 15, 2016 3:09 PM

@ Grauhut

We can keep it simple these days as there's a condensed version: Consensus 911. Personally, the evidence destruction, forged documents, insider trading, and war games should be enough to blow the official story and imprison quite a few people. I liken it to Enron destroying almost all their financial records, picking a set of what's left, not going to prison for that, and then being declared innocent on the basis of those cherry-picked documents.

It's how key claims of official story were created and counterpoints refuted. Shows zero source integrity and some felonies from start. Regardless of other data, independent investigation (esp GAO) with full access and prosecution authority makes sense already. I'd also revoke statute of limitations for this as it all connects to mass murder.

albertMay 15, 2016 3:32 PM

@r,

"...A cutting torch works by oxidizing iron and then burning the oxide... Could oxidation of the steel have played a role?..."

No. It would take many years for those steel columns to oxidize enough to fall apart. Not even with the short period of time of burning jet fuel.


"...In oxy-fuel cutting, a torch is used to heat metal to its kindling temperature. A stream of oxygen is then trained on the metal, burning it into a metal oxide that flows out of the kerf as slag..." - wiki.

Of course, steel can be cut by simply melting it, but that's sloppy, and for thicker sections the steel can re-weld itself. Iron oxide doesn't. That blast of oxygen blows most everything away, and leaves a fairly clean cut. The slag is easily chipped away.

Oxy-gas torches use pure oxygen, which enables steel-melting temperatures.

Look up thermite. It carries its own oxygen in the form of iron oxide. You could try pouring molten aluminum on rusted steel, but I doubt you'll get a thermite reaction. Both need to be fine particles. Thermite is very nasty stuff. Like a solid fuel rocket, you can't shut it down. It's the road to hell.

@Nobody,

No official reports said there was molten steel. The fact that the fire was oxygen-starved (as can be seen in the videos), contra-indicates 'convection' chimneys, and consequently, steel-melting temperatures. The molten steel was pouring out from the corner of the building, well away from the fire.

"...what cannot be incompetence must be malice...." Indeed!

Did you read the FBI agents memo about the guys taking flying lessons? Competence at the field level; malice up the chain...

"..."No one could have imagined terrorists using airplanes as weapons."...". That's the -job- of the security system. To imagine such scenarios, and work out interdiction and mitigation plans.

@Nick P, @Grauhut,

The only gov't agency I trust is the NTSB. We have no other agencies with their level of competence and honesty. Why? Because they only -report-. They are toothless, and therefore, harmless.

To (hopefully) summarize: Nine eleven, stinks to high heaven.

. .. . .. --- ....

GrauhutMay 15, 2016 3:33 PM

@Tyr "Desert sand"

Imho "Holy (Weaponry) Steel" is more interesting...

"Bethlehem Steel: Builder and Arsenal of America
by Kenneth Warren

In the late 19th century, rails from Bethlehem Steel helped build the United States into the world's foremost economy. During the 1890s, Bethlehem became America's leading supplier of heavy armaments, and by 1914, it had pioneered new methods of structural steel manufacture that transformed urban skylines. Demand for its war materials during World War I provided the finance for Bethlehem to become the world's second-largest steel maker. As late as 1974, the company achieved record earnings of $342 million. But in the 1980s and 1990s, through wildly fluctuating times, losses outweighed gains, and Bethlehem struggled to downsize and reinvest in newer technologies. By 2001, in financial collapse, it reluctantly filed for Chapter 11 bankruptcy"

https://books.google.de/books?id=fbrSRvxCQUcC

And deeply intermingled with financial and political power.

https://books.google.de/books?id=4xjPb6mCLSIC&pg=PA38&dq=bethlehem+steel+untermyer


"In 1967, the [Bethlehem Steel] company lost its bid to provide the steel for the original World Trade Center. The contracts, a single one of which was for 50,000 tons of steel, went to competitors in Seattle, St. Louis, New York and Illinois."

https://en.wikipedia.org/wiki/Bethlehem_Steel

"Ever since Bethlehem lost that contract, Bethlehem has not been the same and got worse and worse every year. The final straw was right after the World Trade Center collapsed and so did Bethlehem. Would the World Trade Center have collapsed if it was Bethlehem Steel? Would Bethlehem Steel have collapsed if they got the contract for the World Trade Center? Those are two questions that no one will ever know. Very symbolic."

https://sites.lafayette.edu/vast265-sp12/steelopedia/q-z/world-trade-center-contract-and-bethlehem/

Big symbols, big steel, big money, big arsenals, big new econ bankruptcies, big evidence, big bang...


Maybe steel and sand are more interconnected, since the former Bethlehem Steel plant is now the Sands Casino. :)

GrauhutMay 15, 2016 3:52 PM

@Nick "I liken it to Enron destroying almost all their financial records"

Of course. And we shouldn't forget MCI World(Surveillance)Com! :)

Worldcom were the guys that bought MFS, Metropolitan Fiber Systems, the three letter club that built the Frankfurt fiber ring. When they offered MAE Frankfurt and nobody wanted to exchange data there, a national alternative was set up, DeCIX, part of NSA Upstream today via BND. I know this part of our internet history very intimately. I was part of it as an assistant in an ISP company in the same building.

The whole high tech industry was broken in these years, 9/11 was a welcome reset. Whoever did it. ;)

MrCMay 15, 2016 6:05 PM

@ Parker Sales: Care to back that up with specifics? Assuming there is a valid basis for your naked criticism, it would be most edifying to see a detailed analysis of how a crypto project goes wrong. So, please, tell us what specifically is wrong with codecrypt.

k15May 15, 2016 6:21 PM

You want to report a vulnerability to the right people, only you don't know the right people, and the gatekeepers are doing this exuberant "Oh, but we are the Wrong, Wrong! people!" song and dance, ...what's that about?

tyrMay 15, 2016 8:15 PM

@Clive, et al

I'd still like to know how a correctly constructed
building that was not struck by an airliner decided
to fall down by itself just like the other two did.

I can see burning aluminum melting steel because of
the aircraft incident. However I worked construction
and concrete that is correctly made doesn't turn into
dust unless you hit it with a Nuke.

Most of the steel for WW1 came from the excessive
RR tracklaying being done previously. See Railroad
Signatures across the Northwest, fascinating book
and an amazing amount of trackage, and casualty
figures among passengers and RR workers that were
appalling.


Clive RobinsonMay 15, 2016 8:34 PM

@ Albert,

The twin towers were not designed to survive the crash of an aircraft full of fuel (as the collapse of both fully demonstrated).

It was a design that allowed for an impact of a 707 in terms of mass coming to a rest at nominal room temperature (which is what happened). But the dirty little secret that got brushed over was that it was not designed for the subsequent fire... In fact, as the records show, the NY fire codes back in 1970 were more than adequate to deal with such a fire but... the design got dispensation to reduce the weight so had dramatically reduced fire protection on the steel support structure... hence the subsequent pancaking of the floors and the outward bowing of the 60 steel support structure in each external wall. As the velocity increased the "diesel effect" would have happened with cloth, paper etc igniting and added to the supersonic pressure wave going down the inside of the building. Some estimates would have put the resulting wind speeds around the base of the towers at around 500MPH, which would, like an explosion, have turned any small loose items into kinetic weapons and dust into an almost pyroclastic type cloud, which would account for the loud supersonic-like booms on the collapses.

Further, whilst it is true that aviation fuel when burning from a puddle etc does not get hot enough to melt steel into a liquid, it does get well above 1200 degrees, at which point steel is "as soft as taffy" and stretches and bends very easily, hence allowing the rapid start of pancaking of the floors.

But whilst aviation fuel on its own burning from a puddle may not get hot enough, there are other burn conditions where it will. One such is where the fuel is superheated without an oxidizing agent (such as oxygen) and is then sprayed into a flue or other chimney where the oxygen is likewise superheated. The result is a burn capable of bringing steel up to its own combustion temperature, as you see in certain types of cutting torch. At such temperatures aluminium itself burns very easily and quite exothermically in the presence of an oxidizing chemical and will further react with chemicals that are released from concrete at those extreme temperatures, thus I very much doubt that there would have been molten aluminium around, unless it had somehow puddled in a lower temperature area.

Oh, and for people unaware of it, even PTFE used as wiring insulation / nonstick material makes a good oxidizer at sufficient temperature. It is known as "flare material" when mixed with aluminium and used in two or three stage Fuel Air Explosives (FAE / FAX) used in thermobaric "bunker buster bombs". The material produces soot and aluminium fluoride and rather more heat than the equivalent weight of iron oxide aluminium thermite.

I don't remember seeing the liquid you refer to in the live broadcast at the time, and I certainly have not been inclined to watch the recorded footage, so I cannot pass comment on what it looked like or might or might not have been. Part of my reticence on this might be that one of the 9/11 aircraft victims worked at the same company as I did.

RichardMay 16, 2016 4:07 AM

@ 65535
Thanks for the detailed review of the Senate testimony related to the U.S. Government's current illegal surveillance.

Sadly, when we get into this level of detailed review of who may or may not be legally targeted, we completely miss the forest for the trees, and fail to properly focus on the fundamental issue, which is ubiquitous full time data collection and surveillance.

The critical Constitutional issue that the government is willfully ignoring (and clearly does not want to address) is the critical role that the Fourth Dimension (time) plays in interpretation of the Fourth Amendment to the U.S. Constitution.

For almost 240 years now, the interpretation has been crystal clear --> FIRST you get the Warrant specifying exactly WHERE you want to search - and WHAT you are looking for - THEN [AFTERWARDS] you are allowed to do the search.

First our Big Brother Government collects EVERYTHING they can possibly get their hands on through a massive program of bulk data collection direct from Internet backbones. Contrary to what has been implied, this is NOT, just 'harmless metadata' - instead they are archiving EVERYTHING using the NSA equivalent of a giant "internet DVR" - and for any internal network data that this might miss, the Government has passed draconian laws that require others like Google, Apple, AT&T, Verizon, etc. to do their dirty work for them by archiving several years of every users private emails, facebook posts, or other data - YEARS.

The truly scary thing about this is that then, any time the government wants to go after someone, they can retro-actively figure out whatever lame excuse that they feel they need (or don't need) to give them legal authority to un-cork whatever surveillance data they want, from whenever they want, for ANY purpose they want.

The Orwellian result of this is that we now effectively live in a police state with ubiquitous 100% cradle-to-grave full time surveillance on the personal data of every American - because any time the Government chooses they can just warm up Mr. Peabody's Verizon Wayback Machine, or that great big NSA Internet TiVo, and just replay everything you ever posted, or said in a private message - EVERYTHING.

65535May 16, 2016 5:49 AM

@Richard

“Contrary to what has been implied, this is NOT, just 'harmless metadata' - instead they are archiving EVERYTHING using the NSA equivalent of a giant "internet DVR"-Richard

That is a good description. The average Jane/Joe can understand it.

“The truly scary thing about this is that then, any time the government wants to go after someone, they can retro-actively figure out whatever lame excuse that they feel they need (or don't need) to give them legal authority to un-cork whatever surveillance data they want, from whenever they want, for ANY purpose they want… The Orwellian result of this is that we now effectively live in a police state with ubiquitous 100% cradle-to-grave full time surveillance on the personal data of every American.”- Richard

I agree. That is approximately where we are now. With the changes in rule 41 we are in a quasi-state of Martial Law.

“Recent headlines warn that the government now has greater authority to hack your computers, in and outside the US. Changes to federal criminal court procedures known as Rule 41 are to blame; they vastly expand how and whom the FBI can legally hack.” Wired.

https://www.wired.com/2016/05/history-fbis-hacking/

I will note that the “one way mirror” effect where the government hides behind a one-way mirror to control the pubic is growing. This turns democracy on its head. That cannot be tolerated.

I think it will take more governmental leaks and possibly a constitutional showdown between the IC/LE/up to the Presidential level, to avoid complete Martial Law. That is with a capital M - with police checkpoints everywhere and Defense Attorneys bugged all the time.

It’s very disturbing to note that the US Supreme Court helped construct the draconian changes to rule 41 => making the public’s distrust in the Government and the Supreme Court higher each day. Things will end badly if the government's spying is not reversed.

Dirk PraetMay 16, 2016 9:07 AM

@ 65535, @ Richard

Contrary to what has been implied, this is NOT, just 'harmless metadata' ...

The 'harmless metadata' myth propagated by Feinstein & co. totally went out of the window the moment former NSA and CIA Director Michael Hayden formally declared that "We kill people based on metadata". Even a troglodyte should be able to understand the ramifications of such a statement.

albertMay 16, 2016 9:15 AM

@Clive,
Your points are a mixture of facts and speculation, designed to 'explain' the collapse. When the aircraft hit the building, the fuel ignited and burned using available oxygen from the air in and around the building. The fire was oxygen starved, as videos clearly showed.
.
I've heard -no- explanation for molten steel exiting from a corner far removed from the fire.
.
It had to be thermite.
.
Everything else is BS.
. .. . .. --- ....

CallMeLateForSupperMay 16, 2016 10:34 AM

Mildly engaging read on a serious subject.

"Who Will Own Your Data If the Tech Bubble Bursts?

"Imagine that Silicon Valley’s nightmare comes true: The bubble bursts. Unicorns fall to their knees. The tech giants that once fought to attract talented developers with mini-golf and craft beer scramble to put out fires.

"This is the setting of a cyber-doomsday scenario developed by researchers at Berkeley’s Center for Long-Term Cybersecurity and published last month. They gamed out five different scenarios based on current trends in online security—and this one is by far the most alarming."

http://www.theatlantic.com/technology/archive/2016/05/what-happens-to-your-data-if-the-tech-bubble-bursts/482622/

Bumble BeeMay 16, 2016 11:18 AM

Here's another one, also too old for high school. Some even older boyfriend dude starts showing up at the Y with a gun, it's time to split.

Mob. Big money. Corrupt justice system.

ScaredMay 16, 2016 11:29 AM

Martha Stewart enters the 21st century?:
http://killyourphone.com/
I just saw this link, looks like the page has been up for a couple of years.
Doesn't a phone increase its transmit power until it has a connection? "Kill your phone" might be truer than the author thinks. They'll kill the battery for sure.

Slime Mold with MustardMay 16, 2016 2:37 PM

@ Clive Robinson

Thank you for pointing out the salient issue. I have never heard from any credible source that any steel melted. The steel floor supports ("joists") softened and bent enough to pull away from the vertical supports. Although the designers claimed the WTCs were built to withstand the impact of a 707, no one has produced the calculations from which that claim was made.

@ albert

Could you post a link to the video you reference? We may not see this issue identically at this point, but I decline to be narrow minded.

If the video includes people trying to fly, please so indicate. I need to fetch a bottle of hard stuff before I can watch that again.

Slime Mold with MustardMay 16, 2016 3:58 PM

Since February, The Transportation Security Administration has saved 4000 American Airlines customers from horrific deaths at the hands of crazed terrorists at Chicago's O'Hare Airport alone. Similar efforts are underway in Atlanta. Their clever method is to make lines so long people miss their flights.

Their line about budget cuts is bullshit. The TSA budget is 9% higher than it was in 2007 and its workforce 4.3% larger. Of course, circumstances must be taken into account, such as the 22 airports that have since ditched the TSA (why would they do that?). There has been a growth in traffic. Who would not be overwhelmed by a 2.6% increase in their workload?

I travel a lot. Nowadays, I will drive 1200 miles if I have the time.

Dan3264May 16, 2016 6:01 PM

@Clive Robinson,
By "hinky mind" you mean "awesome mind", right? I came across a game that might be appealing to you. It is a text-based graphics game where the game lets you alter some of the code in each level. But not all of it. You have to make each level winnable before you can beat the level. I like it a lot.

RichardMay 16, 2016 6:06 PM

@ Dirk Praet
"The 'harmless metadata' myth propagated by Feinstein & co. totally went out of the window the moment former NSA and CIA Director Michael Haydn formally declared that "We kill people based on metadata"...

For me, it was the moment in James Clapper's testimony when he was asked flat out if the NSA was engaged in bulk data collection of any data from American citizens other than metadata? - and he dipped his head and touched his temple (in a classic "I'm lying" poker tell) and dissembled "Not wittingly"

-- translation, "We collect ABSOLUTELY EVERYTHING, but say it's 'not wittingly', because the analysts only actually LOOK at the really good stuff after it gets kicked out by our automated system."

Even if we make the generous assumption that whenever the NSA gets a hit and wants to dig deeper, they usually, sometimes, sorta, at least try to get a retroactive rubber-stamp authorization from some lap-dog FISA Court judge before they fire up their giant Internet Wayback-Machine DVR and dip into the FULL [not-just-metadata] archive - even then - THIS SETUP IS FLATLY ILLEGAL UNDER THE FOURTH AMENDMENT.

The Fourth Amendment makes it clear - FIRST you get a warrant -- THEN you do your search.

When the Government seeks to bulk collect EVERYTHING they can get their hands on FIRST - with the later intention to search through it at their leisure and look for the JUICY STUFF - then ONLY bother to obtain a warrant AFTER THEY FIND SOMETHING - they are violating both the spirit and letter of the Fourth Amendment and committing EXACTLY the kinds of totalitarian abuses that our founding fathers were trying to protect us from.

Interestingly, as I write this, yet another warrantless search case is winding its way through the Supreme Court (Birchfield v. North Dakota) questioning the long accepted doctrine of "implied consent" in DUI cases. The argument before the court is whether making someone blow through a breathalyzer constitutes a search requiring that a magistrate or judge issue a warrant in advance. This on the heels of another case, where the Supreme Court already ruled that a warrant IS generally required to get a blood sample.

Despite the fact that much of the judicial debate in both these cases has centered on the criticality of getting a timely BAC sample, so far as I can tell, no one has proposed what I would call the "Clapper solution" - that of just figuring out some way of secretly taking a damn sample without asking, then getting a judge to bless the situation later.

This is because, as I said previously, such an approach would violate 240 years of previous Fourth Amendment law, which requires FIRST getting a warrant, THEN collecting your evidence.

The Feds have been getting a free ride on this based on National Security grounds, but I would predict that as they seek to expand this abomination into routine drug cases, they are going to run into trouble.

If there is any justice in the world, some of the fine justice department folks who have cut corners with treasonous crap like "parallel construction" (which destroys every shred of trust and integrity our legal system was once intended to embody), might even end up as cell mates of some of the drug dealers they have sent to prison (while those folks are waiting for their convictions obtained with tainted evidence to be overturned).

Don't get me wrong here - I have no love for drug dealers - It's just that I have even less love for those who would use our Constitution as toilet paper.

albertMay 16, 2016 6:08 PM

@Slime...,

I'd like to, but that was 15 years ago. I didn't save any of that stuff. There were no flying people in it. If you google 'thermite' '911' there'll be a shipload of links.

The history books will record it just as the State presented it.

See https://fas.org/blogs/secrecy/2016/05/archivist-record/ for an example of how history is manufactured by omission.

Sorry I brought it up.

. .. . .. --- ....


ThothMay 16, 2016 6:42 PM

@all
The importance of properly combined hardware and software security when it comes to encrypting datasets is paramount. When subjected to duress and coercion to decrypt properly secured datasets, you can shrug your shoulders.

The combination of a tamper resistant hardware secured key (protected with counter-based hardware pin entry tries) mixed with a user symmetric key (possibly a secret shared user symmetric key), either by XOR-ing the keymats from the user and hardware key fragments or by some cryptographic means, could allow a person to have a method to cope with pressure under duress.

The user could release a pre-programmed self-destruct pin code to trip a tamper detecting circuit in the hardware to destroy the hardware keymat which would render the decryption impossible even if the user keymats are known.

The Groggybox format I have created also includes no possible means of measuring a proper decryption due to not having an explicit checksum or MAC to verify decryption, thus making the supplying of a bogus key to decrypt the encrypted file very much similar to and hard to tell from the decryption with correct keys. Groggybox is meant for implementation on tamper resistant secure hardware (e.g. smart cards and HSMs) to protect the critical crypto functions and to protect the hardware key and allow safe self-destruct of the hardware key when a duress pin code is fed or upon a limited wrong pin try attempt.

Link: http://arstechnica.com/tech-policy/2016/05/feds-say-suspect-should-rot-in-prison-for-refusing-to-decrypt-drives/

Dirk PraetMay 16, 2016 7:31 PM

@ Thoth

Groggybox is meant for implementation on tamper resistant secure hardware (e.g. smart cards and HSMs) to protect the critical crypto functions and to protect the hardware key and allow safe self-destruct of the hardware key when a duress pin code is fed or upon a limited wrong pin try attempt.

Which still leaves us with 18 U.S. Code § 1519 on destruction, alteration, or falsification of records in federal investigations and bankruptcy, which can earn one up to 20 years in jail. The solution would also require a mechanism to allow some form of reasonable doubt or plausible deniability to the defendant that he did not in fact deliberately type in a wrong passcode that triggered hardware key or data destruction.

The Rawls case is pretty chilling in that the feds can now apparently use a 1789 statute (AWA) to indefinitely imprison a person without even being charged. That's like Guantanamo for US citizens.

Nick PMay 16, 2016 8:29 PM

@ albert

"The only gov't agency I trust is the NTSB. We have no other agencies with their level of competence and honesty. Why? Because they only -report-. The are toothless, and therefore, harmless."

Look up the GAO. Same thing. They rip the government agencies new assholes on a regular basis. They also reported about issues with NSA mass surveillance before the Snowden leaks. The Congress they reported it to did nothing. Per GAO, they didn't even read the reports. At least GAO did their job.

@ Dirk Praet

"The Rawls case is pretty chilling in that the feds can now apparently use a 1789 statute (AWA) to indefinitely imprison a person without even being charged. "

I've assumed they've been able to do that since the Patriot Act was created. The only question was what crap they would use to explain it away.

ThothMay 16, 2016 9:55 PM

@Dirk Praet
How would they know if the cryptographic key was the same in the first place? Most of these so-called "Cyber Forensics" are based on deduction and guesswork; although the literature strictly educates on scientific proofs, not everything can produce the required hard evidence, and that is even more tricky in secure hardware where there is a ton of things that can trigger a zeroize of the entire hardware.

The specifications did include not one but a few mechanisms in its design for plausible crypto key deniability, which is central to its design (instead of filesystem deniability from the Truecrypt approach, because people are simply bad at falsifying their hidden volumes).

The entire format is linked below and can be a bit messy.

Crypto Key Deniability mechanism includes:
- No correct way of splitting keys. User supplied keys (called Supplementary Key) can be split and secret shared beyond the control of the format in the user's own way. The user's Supplementary Key is mixed with the Hardware Key (via AES encrypting the HW Key with the SK to make use of hardware based DPA and SPA protection from powerline side-channel attacks) if the user specifies during the creation to use the HWKey + SKey mixture technique which will derive the final KEK to decrypt the DEK which will finally decrypt the data content. The resulting file format does not store how the key is derived so any combination can be used during decryption. If a secret share scheme were used, the user must implement it on their own outside the system.

- No usage of explicit checksums or MAC. An implicit and optional checksum is possible, which is derived by SHA-256 of the data content, and then the final KEK from whatever user mixture technique will be used to decrypt the implicit and optional SHA-256 checksum and compare it against the decrypted data content. To make the SHA-256 implicit checksum plausible, it is used as a mandatory 32 byte padding (for the ciphertext of the SHA-256 checksum) inside together with the encrypted DEKs so that it is hard to tell if an implicit optional SHA-256 encrypted checksum is used. If the implicit encrypted checksum is not enabled, a random 32 bytes must be used in its place. Put simply, the 32 byte padding acts as a "hidden volume" for the optional implicit encrypted checksum which cannot be differentiated.

- Flags are controlled in the system to not leak too much metadata including the non-existence of obvious flags regarding critical security mechanisms in place (e.g. optional implicit checksum and key mixture methods).

In order to prove that a self-destruct has been initiated, you have to know the existence of the internal state of the crypto hardware, and the only way to know is via a valid user authentication into the hardware. If you are presented with a secure hardware that has keys that cannot decrypt a file or is in a newly initialized state, that does not make you immediately culpable for zeroizing the hardware unless you directly reveal that the pin provided is a self-destruct pin and you have deliberately carried out such an action. When an adversary enters a (possibly self-destruct) pin, the adversary must know the keys and the hardware state in advance (which is highly unlikely as it is tamper resistant) and also know the hardware state after the entry of the pin and the difference.

Because the previous state of the secure hardware is not known to the adversary, it cannot be easily proven that the later state the hardware is in, when the adversary enters the pin code to unlock it, is a changed security state; and the exact changes of the security state can be withheld from the legitimate user and adversary by not providing obvious details.

Link: https://github.com/thotheolh/groggybox/blob/master/doc/GroggyBoxFileFormat.md
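The key mixture and the indistinguishable 32-byte checksum slot described in the list above, written up as an added Go example; this is my illustration, not GroggyBox's own code, and the linked format document is the authority on the real layout. It assumes a raw two-block AES-256 transform as the wrap for 32-byte keys and digests, AES-CTR for the content, and the field order shown in the struct; none of those details are specified in the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Container mirrors the layout the post describes: nothing in it records how
// the KEK was derived, and Slot holds either E_KEK(SHA-256(data)) or 32 random
// bytes, so an observer cannot tell whether a checksum is present.
type Container struct {
	IV         [aes.BlockSize]byte
	WrappedDEK [32]byte // DEK encrypted under the KEK
	Slot       [32]byte // encrypted checksum, or random padding
	Ciphertext []byte
}

// blockTransform applies raw AES-256 to two 16-byte blocks. Assumption: the
// post says only "AES encrypting the HW Key with the SK"; because every value
// wrapped here is a uniformly random key or a digest, this example uses a raw
// two-block transform as the wrap. A 32-byte key never makes NewCipher fail.
func blockTransform(key, in [32]byte, encrypt bool) [32]byte {
	var out [32]byte
	c, _ := aes.NewCipher(key[:])
	for i := 0; i < len(in); i += aes.BlockSize {
		if encrypt {
			c.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			c.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out
}

// DeriveKEK is the "HWKey + SKey mixture": the hardware key is encrypted under
// the user's supplementary key. The container never records which mixture was used.
func DeriveKEK(hwKey, sk [32]byte) [32]byte {
	return blockTransform(sk, hwKey, true)
}

// ctrXOR en/decrypts content with AES-256-CTR (assumed mode). It is
// unauthenticated on purpose: the format carries no explicit MAC.
func ctrXOR(key [32]byte, iv [aes.BlockSize]byte, in []byte) []byte {
	c, _ := aes.NewCipher(key[:])
	out := make([]byte, len(in))
	cipher.NewCTR(c, iv[:]).XORKeyStream(out, in)
	return out
}

// Seal encrypts plaintext under a fresh DEK, wraps the DEK under kek and fills
// the mandatory 32-byte slot with E_kek(SHA-256(plaintext)) or random bytes.
func Seal(kek [32]byte, plaintext []byte, withChecksum bool) (*Container, error) {
	var c Container
	var dek [32]byte
	for _, buf := range [][]byte{dek[:], c.IV[:], c.Slot[:]} {
		if _, err := rand.Read(buf); err != nil {
			return nil, err
		}
	}
	c.Ciphertext = ctrXOR(dek, c.IV, plaintext)
	c.WrappedDEK = blockTransform(kek, dek, true)
	if withChecksum { // overwrite the random padding with the hidden checksum
		c.Slot = blockTransform(kek, sha256.Sum256(plaintext), true)
	}
	return &c, nil
}

// Open unwraps the DEK and decrypts. verified is true only when the slot
// decrypts to SHA-256 of the recovered plaintext; a false result cannot
// distinguish "checksum disabled" from "wrong KEK or tampered content".
func Open(kek [32]byte, c *Container) (plaintext []byte, verified bool) {
	dek := blockTransform(kek, c.WrappedDEK, false)
	plaintext = ctrXOR(dek, c.IV, c.Ciphertext)
	want := sha256.Sum256(plaintext)
	got := blockTransform(kek, c.Slot, false)
	return plaintext, subtle.ConstantTimeCompare(got[:], want[:]) == 1
}

func main() {
	var hw, sk [32]byte // constructed sample keys, not real key material
	for i := range hw {
		hw[i], sk[i] = byte(i), byte(0xA0+i)
	}
	kek := DeriveKEK(hw, sk)
	for _, withSum := range []bool{true, false} {
		c, err := Seal(kek, []byte("constructed sample content"), withSum)
		if err != nil {
			panic(err)
		}
		_, ok := Open(kek, c)
		// Both slots print as uniform noise; only a KEK holder learns which verified.
		fmt.Printf("checksum=%v slot[:4]=%x verified=%v\n", withSum, c.Slot[:4], ok)
	}
}
```

Note that a wrong supplementary key does not produce an error, only unverifiable garbage, so the container itself never tells an examiner that the key they hold is the wrong one.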

tyrMay 16, 2016 11:50 PM


@the usual suspects.

Hacker News has a nice chilling effect article.
Apparently checking up on elections is disapproved
of if you do pentesting.


http://www.antipope.org/charlie/blog-static/

This is a must read if you've ever been involved
in modern management science issues. You probably
thought it was just random nuttiness. Turns out
to be deliberate. Fixing a lack of backups by
bricking the system was a bit excessive !!

@Clive

WTC 7 is the one that interests me. No airplanes,
no fires, and fell just like the other two did.
The only possibility that makes any sense is a
resonance condition but that still implies sub-
standard concrete mix or some engineering wet
dream of trying something new and unusual. Last
time I saw that, was an engineer who inverted the
slurry seal process on a road. Usually rock/gravel
goes on last over the slurry. By putting the
stuff on last it was lovely until it got wet.
At that point it became like grease and took a
hundred yards to stop a car on it. So out comes
the heavy equipment and claws up the surface
with heater scarifier to ruin the new road enough
to make it usable again.

ianfMay 17, 2016 2:33 AM


From the So What Else Is New Department:

THE GUARDIAN reports

Even basic phone logs can reveal deeply personal information, researchers find
Stanford study shows how details gleaned from telephone ‘metadata’ by National Security Agency pose a threat to privacy of ordinary citizens

http://gu.com/p/4j96d

WaelMay 17, 2016 4:30 AM

@ianf,

From the So What Else Is New Department: [...] pose a threat to privacy of ordinary citizens

From the hairsplitting uninformed schmuck department: How many kinds of citizens are there?

If ordinary citizens experience extraordinary rendition, does that change their status to extraordinary citizens?

ThothMay 17, 2016 10:02 AM

@keiner
I believe it would have been worse for foreigners if they refused to decrypt drives due to not being US citizens?

Visiting the US is on top of my personal black list, way above North Korea. That's how badly the "liberty" of the US has rotted.

Make it a point to never carry a hard drive or any form of obvious storage (except your smartphone, since it is built in, and be prepared to unlock it). If you want anything, host a server on a RPi (Gen 1 or 2 but never on a Gen 3) and set up a one time use SSH account to login to download your presentation slides or whatever materials you need over the SSH channel.

The server can be sitting on the DMZ of your network's edge and use a dynamic IP like DynDNS or host an encrypted torrent file or some shared file easily accessible on public domain.

keinerMay 17, 2016 10:44 AM

...not willing to buy a not-so-smart-phone yet.

When my decision making process on this topic is finished, I think this nonsense-hype will already be over :-D

Bumble BeeMay 17, 2016 10:53 AM

@r

Rubber hoses got ya spooked?

What goes around comes around, eventually. Sometimes after I see these "mental health therapist" gals, I hear rumors that they become paranoid and think the CIA is after them or something like that. Maybe so. They serve the general non-military public, they're up to no good, and they were dumb enough to rent space through some deal with the county on the VA campus which is in a slightly different law enforcement jurisdiction than the rest of the city.

According to the sheriff's office, the VA recommends their arch-competitor, (as far as I know for no other reason than that it's off their jurisdiction.)

Meanwhile the entire county is on drugs, and even the police station has a vending machine in the lobby that serves coffee that gives way more rush than caffeine alone could possibly do. After you drink that coffee, and you are high as a kite, the cops will goad you into doing or saying something rash enough that they can trump up some kind of felony charge for it.

Nick PMay 17, 2016 11:21 AM

@ keiner

"Even the Soviet Union appears friendly nowadays compared to US-standards "

You've clearly not followed the surveillance and civil liberties situation in Russia. It's still scarier.

@ Wael

Use this reference instead for extraordinary rendition. Or both. More impact. :)

FavishamMay 17, 2016 11:21 AM

@ albert

"The only gov't agency I trust is the NTSB. We have no other agencies with their level of competence and honesty. Why? Because they only -report-. They are toothless, and therefore, harmless."

And that, of course, is why NTSB got the hook when TWA 800 went down by No Man's Island, and Kallstrom horned in to take over. And why the whole remarkably humongous debris field from Flight 93 got cordoned off and none of the eyewitness testimony about the white jet made it into the commission report. Ask the MITRE moles about that.

Clive RobinsonMay 17, 2016 11:28 AM

@ Slime Mould...,

All that is really known was that the analysis was done on a computer in 1964... A look in the appropriate history books will tell you about the capabilities of the computers back then, when memory was around 10USD/byte, and CPUs were running at clock frequencies sufficiently low you could find them a couple of times over on an AM radio.

In all honesty it would have been pushed to do a static weighted moments analysis let alone a full on dynamic modal analysis we do these days. So... I very much doubt that a fuel fire analysis was done.

You could also look up what the quality of steel was at the time of the construction; as others have noted it was "lower cost than railroad iron" from Bethlehem... This suggests that the quality might not be as high as those used in the computer program.

Then when you add the dispensation that allowed considerably less fire cladding due to its weight... I would say that any program run several years beforehand was completely irrelevant.

We will probably never know what actually happened, the plane cargo manifests have had things said about their reliability etc.

However, with questions hanging over the steel quality, and over the lack of fire cladding, is there really any need to look further until those have been properly investigated?

@ tyr,

The collapse of the third building could be due to a large number of things; bearing in mind some analysis indicates winds due to the collapsing twin towers could be in or above the 500MPH range around them, with strange vortex patterns, it could have been blown or sucked sufficiently to cause its unbalanced loading to become an issue.

The simple fact is that one of the tenants decided to re-model the interior with thousands of tonnes of concrete, cutting out of floors and support members and several other things...

It's obvious from the double insurance issue that somebody either knew or suspected that the WTC had structural issues.

The question is, I guess, what they suspected / knew and how, and why it's not been as prevalent in people's minds as you would think.

We also do not know as much about structures as we pretend. If you look into the history of architecture there are a very great number of "disasters" that our lack of knowledge allowed to happen. You go have a chat with structural engineers about "leading edge designs"; even today we are finding "metal fatigue" shows up where we don't expect it...

As an engineer I've had leading edge design prototypes blow up in my face, when experience and theory say it should not. I've also had the opposite, of things I would not be in the same room as when the switch is thrown the first time working better than even the most confident predicted...

So whilst I can not rule out "black helicopters loaded with thermite invisible to TV cameras" I would consider basic human failings a long way in front of such ideas.

I'm also on record here of my low opinion of forensics because they try to argue from effect to cause, which is not the way science works, for good reason. And as we have seen with "hair tests", "bullet metal composition tests" and a whole load more, many forensic prognostications are tainted in all sorts of ways by those with a lack of independence that is frankly astonishing...

albertMay 17, 2016 11:30 AM

@tyr,
You might try: wtc7.net

You'd think, in an act of terrorism, that impartial investigators would be allowed immediate and unfettered access to the site and debris. This was most definitely not the case with WTC and OK City. NIST was not allowed access, and was given a small, selected batch of beams to examine. OK City debris was trucked away and buried in a guarded site, protected by barbed wire fences. WTC debris was shipped to China.

Had there not been criticism and conspiracy theories, I doubt any investigation would have been done.

Clearly, as has been discussed here many times, we have a government that cannot be trusted. All we can do is attempt to sift through facts and lies, and try to find the ugly truth.
...........

@Nick P,
Yes, I should acknowledge the GAO. I should have mentioned the CRS as well (though they are weighted a little towards the status quo). Both do fine work, by any comparison.
............

You guys know I value understatement.

It's all very disappointing.
. .. . .. --- ....

Nick PMay 17, 2016 12:15 PM

@ Bytopia

There's the general problems. There's the recent activities. Even billionaires aren't safe as seen here. Vladimir Gusinsky's "confrontation with the Kremlin" section here has good examples of the crap government opposition goes through in Russia. You will rarely if ever see something like that in the U.S.. Really light-handed stuff by comparison with most opponents still publishing and making money.

So, Russia is a terrible place to be for civil liberties or privacy. Much, much worse than the U.S. by far. That said, the U.S. is getting worse all the time on a variety of issues. So, it's not the best democracy to be in for these things either. What is or isn't is currently a moving target.

WaelMay 17, 2016 1:08 PM

@Nick P,

Use this reference instead for extraordinary rendition. Or both. More impact. :)

I'll have to watch the movie. Given how Hollywood loves to portray Arabs and Muslims, I won't be surprised if "Anwar" comes out to be a villain. I don't remember a single Hollywood movie that painted a positive picture of either Arabs or Muslims. If you know of any, send me a link...

rMay 17, 2016 1:19 PM

@wael,

"I don't remember a single Hollywood movie that painted a positive picture of either Arabs or Muslims."

While I don't have exact references for you at this time, let me make these points:

Do you mean merely only in recent living memory? E.g. nothing from the 90's on???

Also, keeping in mind that referencing Hollywood in such a way is almost derogatory I am almost certain that you specifically mean both popular and mainstream productions.

I would agree, Hollywood in the sense you are using is a bunch of drug dealing gossip artists selling sensationalism to bend reality and ideology to their pocket. I refuse to believe, however, that that statement is true knowing their past romantic views on both the area, people and history of technically either or.

With respect to living memory, I'm sure a qualifying lovers story could be written in and around the current war in Syria like Romeo and Juliet. Maybe someone should try their hand at it, could make for a decent independent film.

Nick PMay 17, 2016 1:26 PM

@ Wael

Whether he's innocent or guilty is part of movie's suspense. You should definitely watch it is all I'll say.

WaelMay 17, 2016 1:30 PM

@Clive Robinson, @albert, @tyr...

I'm also on record here of my low opinion of forensics because they try to argue from effect to cause, which is not the way science works for good reason

How else would you do forensics? Isn't that how R. Feynman uncovered the reason behind the space shuttle tragic accident?

I don't believe forensics is as simple as you portray it. Investigators find possibilities then check them out. If done right, going from cause to effect shouldn't give different results than going from effect to cause (which happens to be the only information we have). It's similar to the difference between deriving a formula and proving it!

As for Tower 7, go ask Larry about the 7 Billion he collected.

WaelMay 17, 2016 1:35 PM

@r,

Also, keeping in mind that referencing Hollywood in such a way is almost derogatory I am almost certain that you specifically mean both popular and mainstream productions.

How so?

Dirk PraetMay 17, 2016 5:10 PM

@ Wael, @ r

I don't remember a single Hollywood movie that painted a positive picture of either Arabs or Muslims.

"Lawrence of Arabia" and "Kingdom of Heaven" come to mind. But I guess it's fair to say only Germans score worse.

@ Nobody in the Wheelhouse, @Slime Mold

Never fret, our glorious TSA now has those long lines "under control".

The episode in which security theater further devolves into security vaudeville.

albertMay 17, 2016 5:45 PM

@Wael,

I'm a fan of Feynman. I believe he was a brilliant scientist, and perhaps the last great physicist. The fact that he sounded like a longshoreman made him even cooler:)

The cause of the disaster was the leaking of hot gases from a booster rocket. It was visible on ground-based telescopes. Experts believed leaking seals were to blame.

What Feynman -did- do was to expose NASA's foot dragging on national television, with a brilliantly simple demonstration that folks could understand. He made it impossible for anyone to ignore the issue.

An unfortunate example of what can happen when bureaucrats run science programs.

. .. . .. --- ....

rMay 17, 2016 6:33 PM

@dirk,

Thank you, I couldn't remember the names of the good oldies.

We watched Magic Carpet with Lucille Ball the other day...
But yeah, like I said, probably a highly inaccurate, embellished and overly romantic view of the area/times/culture/people, but still positive regardless and a nice movie to watch with your girl.

@wael,

I have family in Hollywood, my family is multi/'racial'/ multiethnic and multinational... But to your point: not part of the 'Hollywood' you mention.

Also, 'how so?'

The same way saying "Muslims.", "Blacks.", or "Women."
is a derogatory way of framing things. It's a simplification and a generalization and it's wrong.

There might be truth in your complaint, but you have to understand it might be crap and it might be a creative outlet and it might even be protected by free speech and influence the social stratum we all exist in... But what it really says is that there's a lack of quality scripts. Get to writing brother, change the portrayed image... Nobody's going to portray what you love and are passionate about in a more loving or passionate way than you.

Hollywood sells fantasy, if you want nonfiction you're going to have a hard time with television in general. They're to a point, a participatory system but you've got to be LOUD. This is the age of YouTube and startups don't be frustrated about not being heard cuz really hardly any of us are... Look at the current elections if you don't think we're not all pissed about something.

Sorry, wrong forum... "we're" might be a little over generalized for some of you.

P.S.
If I'm out of line, tell me I'm trying to work through what I see as a misperception about a culture I'm an extraneous part of.
Something Wael, that irritates me personally is all these anti bullying campaigns... Nobody gave a damn when I was in school now it's not enough to be pretty so the 'yuppies' get skewed with now too cuz they're not rich or flashy enough. TRAGIC. :)

rMay 17, 2016 6:47 PM

@wael

I love my girlfriend, she is definitely my better half...

Malcolm X
Ali

And a recent Method Man film; of course those are African Americans, not Arabs as you requested, nor are they ethnic Muslims, but they are good, strong and very humbly portrayed Muslim Americans in my eyes.

WaelMay 17, 2016 7:09 PM

@r,

I have family in Hollywood, my family is multi/'racial'/ multiethnic and multinational... But to your point: not part of the 'Hollywood' you mention.

I'm talking about the movies -- not about the city!

AnuraMay 17, 2016 7:24 PM

@Wael

I suspect you have to get away from action films. Sayid in Lost is the only Muslim character that comes to mind off the top of my head, and of course his background is that he would torture people for the Iraqi government so that's probably a bad example.

RichardMay 17, 2016 7:31 PM

@albert
"An unfortunate example of what can happen when bureaucrats run science programs."

No truer words were ever spoken - but characterizing NASA's actions during the Challenger investigation as "foot dragging" is a bit of an understatement. What was going on was more of a full-on sweep-this-under-the-rug cover up.

Frank Borman once famously characterized the Apollo One fire as a, "Failure of Imagination" - referring to the fact that they were just blindsided by something that they completely failed to anticipate could even happen. These days it seems incredible that they could have missed the fire danger posed by a high pressure pure oxygen atmosphere, but given the speed with which they were working, something was bound to fall through the cracks.

But both the Challenger and Columbia disasters were due to just plain old fashioned human stupidity. NASA knew the issues. In each case engineers had evaluated and given correct assessments of the danger, but were ignored by bean counter political hacks who made technical decisions based on political factors.

Feynman's genius was in recognizing the root cause when he saw it, and knowing bullshit when he heard it. NASA wanted to bury the truth in a mountain of irrelevant data to hide the simple fact that they had been warned by the contractor that hot gas blow-by could result in catastrophic failure at low temperatures, with all kinds of nice charts and graphs that predicted quite accurately what would happen - i.e. you launch at this temperature, Challenger explodes.

A bean counter manager overrode the contractor's no-launch recommendation (actually intimidated Morton Thiokol into withdrawing it). The rest is tragic history: they launched, the Challenger exploded, just as Roger Boisjoly (the engineer at Thiokol) said it would.

All the arm waving NASA was doing during the Challenger investigation were designed to bury this simple fundamental fact in a mountain of B.S. - right up until Feynman's simple demonstration re-focused the panel discussion where it needed to be.

Columbia was even worse - once again, the engineers had it right, they had video of foam chunks slamming into the spacecraft during launch and raised the alarm, but did the bean counters schedule an on-orbit spacewalk to investigate? No. -and the excuse was basically that "we probably couldn't have done anything anyway" - which is absolute B.S. They could have rendezvoused with the ISS or gone into low-consumables mode and waited for a rescue mission (from the Russians if NASA was too stupid and bureaucratic to get it done) - but what the bean counter manager tasked with the decision DID decide to do was nothing - NOTHING. NASA's inability to safely manage the Shuttle program is one reason the program was allowed to fade prematurely into the sunset, despite the huge problems this caused to the U.S. Space Program by eliminating our only available heavy launch capability before a replacement could be brought online.

rMay 17, 2016 8:16 PM

@wael,

"I'm talking about the movies -- not about the city!"

Are you sure?

Is Sony Pictures 'Hollywood' ???
They're based in Culver City according to wiki.

Are the actors and actresses 'Hollywood' ???
What about if they commute in from the greater Los Angeles area?

Are the writers?

But the people who live there aren't... Interesting.

Hopefully you can see the refractive dilemma I'm trying to paint for you about verbal assertions.

My gf catches me in them all the time, according to her I'm sexist... which I really resent when she says it cuz I believe I was raised by a feminist parent to be fair and just.

rMay 17, 2016 8:52 PM

@wael, anura,

By extension, it would be okay for me to refer to Wael as Jewish or a Greek as an Arab... I am very big on knowing if someone is Lebanese, Armenian or Iranian exactly because of the generalization he is making. Maybe it's harmless when applied to 'Hollywood' but chances are someone will find such gross overgeneralizations and assumptions to be offensive, Wael should?(too harsh/dual use) understand this.

And what's the deal with him not recognizing the film about Malcolm X?
Is there some unspoken context behind him not realising the great Muslim leaders we've had in this country? Was he making an && not an || statement with...

""Hollywood loves to portray Arabs and Muslims""

""I don't remember a single Hollywood movie that painted a positive picture of either Arabs or Muslims.""

Whatever video playlist you're watching needs to be changed, the loopiness of long cycle repetitive media absorption leads to loopiness of the brain.

I am proof.
I've got jello on the brain.

tyrMay 17, 2016 10:19 PM


@Wael

Try Wind and the Lion. You don't get much better
than the Rif leader.

Movie stereotypes have been a problem because the
industry was begun to swindle children and never
grew out of it.

My major complaint is the lack of access to material
that isn't USA centric. Bollywood and Nigerian
movies. Music is the same way. The copyright wars
are all about control of access (propaganda traps).

Feynman was a real scientist, not some jackass in a
smock and a degree whose life revolves around
grants and papers published.

Man a Machine by La Mettrie is up at gutenberg.org.
Julien was a Feynman of his day. #52090. Easy to
see why Frederick liked him.

@Clive

I had a mechanical engineer friend who was appalled
that civil engineering only did static analysis on
structures. He was quite unkind about the level of
imagination poverty it implied. The Gothics were
done using the build bigger until it catastrophically
fails as a method. Seems like we haven't moved much
past that set of ideas.

So what do you think of the spooks accidentally
destroying their only copy of the torture report?

Obviously an easy mistake to make...: ^ )

Nick PMay 17, 2016 10:42 PM

@ Wael

Re Arabs with positive portrayal

You never watched Aladdin or 13th Warrior? :P Here's you a start.

keinerMay 18, 2016 1:51 AM

@Nick P

...ask Mr. Snowden.

If I had the choice between the USA and Russia, I would choose nothing...

WaelMay 18, 2016 3:21 AM

Seems I have a few movies to watch... Late reply, but my head is about to explode from tinnitus... None of the previous recommendations worked.

@r,

No offense intended. Perhaps I should have not used the word "Hollywood" without loss of meaning.

@Nick P, @tyr,

My list of "to watch" movies expanded.

@Anura,

My list of "to watch" movies shrunk again ;)

@Dirk Praet,

I don't know why, but I never opted to watch Lawrence of Arabia. Maybe some day... Kingdom of Heaven, I'm not sure I've seen it.

But I guess it's fair to say only Germans score worse.

Not if the movie is German. I watched Max Schmeling. It changed my perception about him. Nice movie!

@Clive Robinson,

Hope you're doing well...

SmokeyMay 18, 2016 4:04 AM

On the topic of good USA government organizations, I believe the National Park Service deserves recognition. Likewise, both the US Geological Survey and the National Oceanic and Atmospheric Administration have made great contributions to the world. I say this as a foreigner who appreciates their global impact.

Clive RobinsonMay 18, 2016 8:29 AM

@ Wael,

Late reply, but my head is about to explode from tinnitus...

I know that feeling :-(

However the hosp do not know what the cause of the prob is... So they have gone into "best guess mode" with a combination of things, one of which is Labyrinthitis... Which along with my tinnitus makes my head not "ring like a bell" but more like "the clapper that actually rings the bell" like mad...

And due to actually blacking out in Accident and Emergency (according to their paperwork) I also have a whiplash injury on the left side and can not lift my head to sit up. Whilst I know about coming to at some point laid out on a trolley in resus, I only remember some of the conversation. So there is maybe half an hour missing from my memory. And some memories I don't want from later; the only one I can get away with mentioning here without making others feel queasy is puking on the CT machine as they could not get me out fast enough when the inertia sickness got the better of me.

Anyway I'll let you know if they find anything of use...

re:LCNMay 18, 2016 8:42 AM

https://www.theguardian.com/technology/2016/may/17/findface-face-recognition-app-end-public-anonymity-vkontakte

> Kabakov imagines a world where cameras fix you looking at, say, a stereo in a shop, the retailer finds your identity, and then targets you with marketing for stereos in the subsequent days.

In future, the designers imagine a world where people walking past you on the street could find your social network profile by sneaking a photograph of you, and shops, advertisers and the police could pick your face out of crowds and track you down via social networks.

Is he an idiot? I fail to see why someone'd think of that as of a good idea, unless A LOT of money is involved.

Nick PMay 18, 2016 9:25 AM

@ keiner

You can't prove a rule with an exception. Snowden's situation is irrelevant to the experience of the average American or Russian dissenter.

ianfMay 18, 2016 10:39 AM


@ Clive,
              to lift your spirits in the maw of the NHS, see that your recent puking on the CT machine as they could not get you out fast enough when the inertia sickness got the better of you as a form of end-user feedback to the CT machine designers, to make provisions for… (med-gear-spec-speak) supine client's stomach effluvia speedy egress, or something. Because they surely tested other deployment aspects of it, bar in-situ defecating and puking. So you inadvertently performed a valuable, unscheduled test instance for their TO-DO list.

    Other than that, I can only recommend you the "All That Jazz" movie from 1979… it's a Broadway producer's vision of his own (kitschy, but oh-so-engrossing) musical-comedy demise with a virginal, angel-like figure of The Reaper played by Jessica Lange. I know of no better uplifting, unsentimental treatment of death.

WaelMay 18, 2016 11:04 AM

@Clive Robinson,

Which along with my tinnitus makes my head not "ring like a bell" but more like "the clapper that actually rings the bell" like mad...

I hear you (barely.) Quasimodo relocated inside my skull. The only option is a head transplant, since I can't evict the bell-ringing Hunchback ph**er out of 'me skull'. Question is: what are you gonna do about your Quasimodo?

Anyway I'll let you know if they find anything of use...

Whatever you do, don't go for the head transplant. You don't want to waste the light you saw a while back ;) Great movie, by the way.

albertMay 18, 2016 12:13 PM

@Richard, et al,

For those of you who are not familiar with Feynman:

https://en.wikipedia.org/wiki/Richard_Feynman

The guy knew he was dying of cancer when he made that presentation, and he did it against the advice of his doctor and family. He could have 'taken it easy' instead.

Apollo One. Unknown to me until now, pure oxygen was used throughout the Gemini and Apollo programs. Such an accident was bound to happen, and 'minor' incidents -did- happen prior to A1. Cost overruns, shoddy design, bureaucratic infighting, test and emergency procedures inadequate and dangerous...a rush job.

@Clive, Wael,

Time to find a -good- homeopath. Clive, UK no problem; Wael, don't know where you reside; in the US, it's hard; we are totally controlled by Big Pharma.

. .. . .. --- ....

LCNMay 18, 2016 3:12 PM

The Lost Planet, Planet "X"

So I was watching Parks and Recreation last night, and the main hero(ine) in the show caught an eavesdropper news agent and exposed her to the group of legitimate news journalists.

She is not imagined as an incredibly clever character, but as limited, intentionally, for comedic effect.

But she did a really, really good job with exposing and trapping the lady.

And it is very plausible many could do exactly that.

Problem is, that is a football game. Many watch, many played, many participant. And all find the game exciting.

As a very non football player or fan (I rely, instead on my good looks and gigantic ...), I do not even begin to try and fake talking to them. Like I was one of them or had superior knowledge.


But this is not the case for armchair spectators of the most converse.

We can all be spectators. And nothing is going on here.


Likewise, mysterious Planet X. Recently rumored to have been discovered. Proven doom for some folks. "Recently rumored" is not an adjective which causes people who care about what they put their confidence in and how they meter it, normally flock around.


The "Planet X" here is some unknown third party muckraking around in things. Maybe it has parts of it which pose as this or that.

But it is an old, strong octopus. And that of the spiritual and so invisible kind.

albertMay 18, 2016 4:34 PM

@Bumble Bee, etc.

Rule Number One: NEVER talk to the police! You do not have to answer any questions posed to you in a police interview. You must have a lawyer* present, and definitely discuss any advice he gives you regarding questions you don't want to answer.

ANY lawyer will tell you this. NEVER talk to the police!

"Govern yourselves accordingly" - see PopeHat.com for police interview horror stories.

---------
* a good criminal lawyer, not your brother-in-law, the real estate lawyer.

LCNMay 18, 2016 6:45 PM

Spy Chief: Foreign Hackers May Be Targeting Presidential Candidates

https://politics.slashdot.org/story/16/05/18/2034244/spy-chief-foreign-hackers-may-be-targeting-presidential-candidates


A senior U.S. intelligence official told NBC News that they are "most worried about Trump, who has no experience with government computer systems or protocols." Foreign hacking against American political candidates is nothing new, Clapper said. Prior to the 2008 presidential election, Chinese cyber spies had targeted the presidential campaigns of then Sen. Obama and Sen. John McCain in order to read emails and policy papers.

They are more worried about Trump keeping proper security than Clinton. Despite that Clinton has, as the most "legitimate" negative raised by the opposition conservatives, exactly her safeguarding of secret data.

Are they dumb, or are they trying to signal the public about their positive view of Clinton in terms of computer security over Trump?

Also, by making such basic security concerns public, they give themselves cover for getting close to Trump's campaign. Probably to lay down surveillance on Trump and associates.

But, remember when Bush was in power and the demonstrations in Europe. Trump's foreign policy viewpoints are very possibly very unfriendly even to allies. Who may see reason to try and figure out his weaknesses and beliefs, to try and control him.


Employers Struggle To Find Workers Who Can Pass A Drug Test

https://news.slashdot.org/story/16/05/18/0036249/employers-struggle-to-find-workers-who-can-pass-a-drug-test?sbsrc=md

Because, Americans. They have to have excuses for off shoring.

Pot smoking software developers are a terrible problem, as the history of crazy anti-pot smoking propaganda shows. For instance, when Colorado legalized pot, some governmental forces there spent tens of millions of dollars on a gerbil cage artistic Public Service Announcement campaign. They created life-size gerbil cages, with water holder and all, and put them in parks where teenagers congregate.

Because, no one is sorry about decades of seriously screwed up lying about the drug.

Instead, they drank the kool aid they are selling.

Developer Of Anonymous Tor Software Dodges FBI, Leaves US

https://yro.slashdot.org/story/16/05/18/0433214/developer-of-anonymous-tor-software-dodges-fbi-leaves-us

FBI agents are currently trying to subpoena one of Tor's core software developers to testify in a criminal hacking investigation, CNNMoney has learned. But the developer, who goes by the name Isis Agora Lovecruft, fears that federal agents will coerce her to undermine the Tor system -- and expose Tor users around the world to potential spying. That's why, when FBI agents approached her and her family over Thanksgiving break last year, she immediately packed her suitcase and left the United States for Germany. "I was worried they'd ask me to do something that hurts innocent people -- and prevent me from telling people it's happening," she said in an exclusive interview with CNNMoney.

She is, obviously, very right to have done so, and for exactly those very reasons.

Leave free speech to the Portuguese, the FBI and US Government believe. There is no more place for it here than in China, Saudi Arabia, or North Korea.

ThothMay 18, 2016 6:54 PM

@LCN
re: Foreign hackers targeting pres. candidates.

Similarly the US Govt is equally guilty of illegally hacking and disrupting other nation states and conducting espionage on other allied nations, as we see from leaks released by Edward Snowden and Manning's diplomatic cable leaks. It's just all international business and fair game.

ThothMay 18, 2016 7:05 PM

@LCN
re: Core developer of TOR leaves US for Germany

And I wouldn't be surprised if US agents had contacted their BND servants in Germany to help them out and also sent US agents to Germany for her. It's looking grim for security development and research considering the US can strike at any portion of the world to get what they want.

A more robust and distributed development lifecycle with security in mind should be the default, but most development does not concern itself with nation state meddling.

PGP signatures on software and warrant canaries may not be enough to protect a project from nation state meddling.

LCNMay 18, 2016 9:15 PM

@Thoth

And I wouldn't be surprised if US agents had contacted their BND servants in Germany to help them out and also sent US agents to Germany for her. It's looking grim for security development and research considering the US can strike at any portion of the world to get what they want.

Maybe, but FBI is way more local. And CIA/NSA may work with FBI, but they have strong walls between them.

They depend on FBI for security, but sharing secrets is something else.

That is equivalent to giving away money for nothing.

I do not think either the CIA or NSA have a problem getting through iphones of older models (or new), lol, or getting people via Tor.


Corporate, economic espionage is here to stay. It will only get worse. It is true, though, the US is way, way better than either China or Russia on intelligence.

But they did do this in the open. So, that is very weird.

Maybe just a really, really bad deal. Because BND and the US intel were sharing. And "we need them more than they need us".


tyrMay 18, 2016 9:22 PM


@Thoth

Wot no S100 bus edge connector !!

If it won't do the catch fire and burn trick it isn't a 6502.

@Tinninitus

It's a bitch and then the nerves die; apparently it is the ringdown of auditory nerves dying. Ugly side effects until your brain sorts out the inputs again. Modern guns have a nasty habit of causing these kinds of problems: explosion shock waves and sonic booms are a nasty combination for unprotected ears.

Get better we need you around .

LCNMay 18, 2016 10:56 PM

@Thoth

Similarly the US Govt is equally guilty of illegally hacking and disrupting other nation states and conducting espionage on other allied nations as we see from leaks released by Edward Snowden and Manning's diplomatic cable leaks. It's just all international business and fair games.

Yep.

I do think they are boy scouts compared to China, though, when it comes to that. But, as I said in the last response, this is the way the future is going. I certainly see it as global. I work in the area, in the States, and have been seeing this heavily since the 2000s, from China.

But, here's one deal about the US. They, we, are the superpower. So, not a fan of either domestic or foreign infiltration of our elected and unelected officials.

Everyone knows there is intense lobbying and foreign powers have powerful influence.

They can certainly maximize that influence by getting secret vulnerabilities and desires via hacking.

Blackmail just one right person, you can get whatever signed you need.

A more robust and distributed development lifecycle with security in mind should be the default, but most development does not concern itself with nation state meddling.

Unless you are a defense contractor or some types of infrastructure, you certainly do not have the money to protect against nation state level adversaries.

Tons of companies can't even find the money to have the most basic of security....

PGP signatures on software and warrant canaries may not be enough to protect a project from nation state meddling.

It means jack.

Years ago we saw monkey.org (a security site) get compromised, and backdoored. The build system went on ahead, signed the new release, and put it online.

The added signature only aided the cover for the backdoor.

'Oh, it is signed, Safe!'


Nick PMay 19, 2016 12:00 AM

@ Thoth

Here's my assessment of Tor developer situation.

@ LCN

"I do think they are boy scouts compared to China, though, when it comes to that."

That's funny given the data collected on the Chinese hacks going back decades with it mostly run of the mill shit due to lots of labor to dig for 0-days. The Equation Group, likely NSA, was on another level in how they operated. I think the comparison is the opposite.

"Years ago we saw monkey.org (a security site) get compromised, and backdoored. The build system went on ahead, signed the new release, and put it online."

Yep. Thoth and I both push for high-assurance security... pieces of it if nothing else... to be adopted to counter that. It's the only thing that works consistently in special cases and more often in general case. Lessons learned from the past show us certain methods must be used with subversion countered throughout lifecycle. I gave some relevant links here and Wheeler's on SCM is here. I enumerate some of the practices and areas of concern I always looked for here.

Clive RobinsonMay 19, 2016 1:41 AM

@ tyr,

If it won't do the catch fire and burn trick it isn't a 6502.

Man is this never going to die of old age, before the only people who know the truth do...

http://apple2.org.za/gswv/a2zine/GS.WorldView/v2000/Oct/Articles/6800,_6502,_and_Apple_I_in_BYTE.txt

HCF was a joke name for an "undocumented test instruction" that rapidly cycled the address bus through all 65536 addresses. Some say "catch fire" comes from "It's running so fast it must think its tail's on fire"... Similar "test instructions" appeared in other 8bit processors. Oh, even the 80286 managed to have a couple of "HCF" instructions in it...

There was however the "Poke and Die" memory location that a well known 8bit computer suffered from, but that as they say is another story and the two should not be conflated.

ThothMay 19, 2016 3:16 AM

@LCN
re: Germany & USA & China.

Thing is, China looks up to Germany and trusts and trades a lot with Germans. The Chinese are a huge fan of German stuff, especially when it comes to IC chips; they do lots of business for Infineon, and Infineon sees a lot of its security and non-security IC chips sold to the Chinese.

Now looking at the other side, the Germans and the US, despite the Angela Merkel phone spying incidents and the collusion of the BND with NSA to collect information on their Chancellor, Angela Merkel, and her ministers, are still good friends on the international level.

I am thinking that the picture looks like this on the ground:

China Germany USA

It's a double back stab !!!

Given Germany's position of trust with the Chinese and the close ties of the US and Germany, the Germans could give the Chinese the information they want and the US can obtain the information on the Chinese from the Germans. Germany seems to be a nice spy exchange center for both the Chinese and US to get whatever deals they want.

I might be wrong that the entire German Govt wants to work for the US (except for the BND) with the rest of the Germans warm with the Chinese.

Who knows ...

re: Higher assurance environment and Digital Signatures
Digital signatures only mean that you wrote some byte codes or some form of representation of your expression. It does not mean a secure application whatsoever, and many of us should by now realize that digital signatures are not all too important, because you can sign a bunch of code and what executes is a buggy system with many holes; it only tricks uneducated people into using a potentially dangerous system.

We (me, @Nick P, @Figureitout and @Markus Ottela) are trying to work on practical and usable solutions for increasing the assurance and security of systems. Some of us are targeting very high assurance systems (the rest of the 3 of them) while I am targeting an assurance sufficient for more common systems (smart cards and HSMs) to get higher assurance security to more people and to a wider audience, making them feel security isn't what they imagine of the bad command line interface and manual byte codes.

I take a more graduated and incremental approach to security and assurance preferring to make security more usable and accessible to the general public on a higher assurance platform (e.g. hardware secured encryptors and hardware secure execution environments). Once that is done, more higher assurance techniques like ensuring each execution process monitored by a trusted CPU can come into play later once everyone's security bars have been raised.
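
The two posts above (LCN's monkey.org story, where a compromised build system signed and shipped its own backdoor, and Thoth's point that a signature only proves who signed the bytes, not that the bytes are safe) both come down to the same gap: one key on one build host is a single point of subversion. The check below is an added example, not code from the thread or from any project named in it. It treats the release host's signature as just one attestation and requires that independent builders reproduce the same digest from source before the release is accepted. The "release" bytes, the builder names and the attestations are all constructed stand-ins.

```python
"""Added example: accept a release only when enough independent builders
reproduce its digest. A single valid signature from the (possibly compromised)
release host is not sufficient on its own.

All data here is constructed for illustration; none of it is real software.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Attestation:
    builder: str   # who rebuilt the release from the tagged source
    sha256: str    # hex digest of the artifact they produced


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_release(artifact: bytes, attestations: List[Attestation], threshold: int) -> Dict:
    """Compare the published artifact against every builder's digest.

    Returns the artifact digest, which builders agree with it, which dissent,
    and whether at least `threshold` distinct builders agree.
    """
    digest = sha256_hex(artifact)
    agreeing = sorted({a.builder for a in attestations if a.sha256 == digest})
    dissenting = sorted({a.builder for a in attestations if a.sha256 != digest})
    return {
        "digest": digest,
        "agreeing": agreeing,
        "dissenting": dissenting,
        "accepted": len(agreeing) >= threshold,
    }


# Constructed scenario: the release host is compromised and signs a build
# with an extra line appended; two independent builders rebuild from the
# same tag and get the clean bytes.
CLEAN_BUILD = b"#!/bin/sh\necho 'hello from the tool'\n"
BACKDOORED_BUILD = CLEAN_BUILD + b"# planted by the compromised build host\n"

ATTESTATIONS = [
    Attestation("release-host", sha256_hex(BACKDOORED_BUILD)),  # the signer
    Attestation("builder-b", sha256_hex(CLEAN_BUILD)),          # independent rebuild
    Attestation("builder-c", sha256_hex(CLEAN_BUILD)),          # independent rebuild
]


def demo() -> Dict[str, Dict]:
    """Run the policy with a 1-of-N rule (the 'it is signed, safe!' model)
    and a 2-of-N rule against the shipped, backdoored artifact."""
    return {
        "single_signer": verify_release(BACKDOORED_BUILD, ATTESTATIONS, threshold=1),
        "two_of_three": verify_release(BACKDOORED_BUILD, ATTESTATIONS, threshold=2),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: accepted={verdict['accepted']} "
              f"agreeing={verdict['agreeing']} dissenting={verdict['dissenting']}")
```

With threshold 1 the backdoored artifact is accepted, exactly as in the monkey.org case: the release host's own attestation is the only vote. With threshold 2 it is rejected, and the dissent list points straight at the host whose output nobody else could reproduce. This does not make the code secure (Thoth's point stands), but it does remove the single signing host as the sole arbiter of what ships.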

HystorianMay 19, 2016 8:43 AM

@Clive Robinson, @tyr
>> If it won't do the catch fire and burn trick it isn't a 6502.
> Man is this never going to die of old age, before the only people who know the truth do...

I recall first seeing HCF described in an hysterically amusing book yclept "The Devil's DP Dictionary"
by one Stan Kelly-Bootle
which well predates the article linked to by Clive.

Highly recommended reading.

albertMay 19, 2016 10:10 AM

@Thoth, et.al.,

A 'dis-integrated' (love that:) 6502!

This is below-absolute-zero cool.

Evil Mad Scientists Labs is now bookmarked, along with a few really worthwhile sites (like this one).

BTW, shouldn't that read 'DIC6502'?

Love it, but I'm more of a Z80 man. Who wants to do a DICZ80?

. .. . .. --- ....

albertMay 19, 2016 10:31 AM

@Jack,

I watched the first part of the video, but there were so many errors and omissions that I gave up.

For an example of factual research in UFO phenomena, see:

http://www.ufohastings.com/

Often, folks mistake the gov't fetish for secrecy with 'conspiracy'. Conspiracies require secrecy, but keeping secrets isn't necessarily a conspiracy*, unless the goal is to hide illegal activity.

---------
* I always use the legal definition of the word, else it becomes another meaningless label (useful only for personal attacks).

. .. . .. --- ....

LCNMay 19, 2016 10:49 AM

@albert

On definition of "conspiracy" -- you can stick to verbiage which is socially defined, but that does not mean language is adequate. This is why we often go back and look at the etymology of words. Or look and appreciate foreign viewpoints of 'the very same thing'.

So, for instance, "conspiracy" is keeping secrets between multiple people, and operating together in secret. It is identical to "secret USA", and you can call it "conspiracy" or not, but it still is. You have to maintain the conspiracy.

Any civilization advanced enough to get here would, by default, not be seen by anyone, unless they wanted to be seen.

We are carbon based life forms; they likely would be robotic, and made of substances far more adaptable than carbon, substances which could keep their biological form even in non-or-pseudo material forms (think "fire" and "wind").

LCNMay 19, 2016 11:07 AM

@Nick P

And the Equation Group stuff was truly bad ass. And you know that was relatively throwaway tech. They used it in the most high risk environment of an anti-virus vendor. So, tip of the iceberg. We never would have even known about this if they did not use it on super paranoid, global AV leader Kaspersky...

I definitely believe the report Schneier recently posted about having heard how scared someone who would know was about being fully, deeply compromised... just as we are so fully and deeply compromising them.

China did suck up 'mostly run of the mill' stuff, but they sucked up everything. They were loud and hardly bothered to cover their tracks. All quietish now on the eastern front. Now, the western front is not.

@Thoth

Well, I like Germany, I like China. I am watching the German BND cases, to see what all else comes out of it.

Everybody is friends.

I think a problem is that if Corporation X is cheating, from Nation X... then how can Nation Y not also cheat for their Corporation Y?

Really, I view this ultimately, as not core to national relationships. It is a troubling aspect, however, and one which must be controlled. But, it is difficult to regulate.

However, I do believe the treaty between the US and China is working.

I also believe the treaties between the US and some other allies (like five eyes) is held in place.

But how do you prove and maintain that?


It is kind of like with gaming. We all game together. Play cards, monopoly, whatever. Starcraft. But, cheating has to be controlled out of the game, or it destroys everything.


rMay 19, 2016 1:56 PM

@Albert,

I showed a guy that glorious 6502 yesterday because we were talking about the c64's 6510?

He told me there's 3 6502s inside of one of the disk drives and that they were reprogrammable; he's slightly older than I. I got to have fun with Apple ][s but hardly any c64s outside of maybe color coding and Buck Rogers.

I love that disintegrated chip, that's so cool.

WaelMay 19, 2016 5:23 PM

@Clive Robinson, @Nick P, @ianf,

Put simply "If you feel 541t it's probably because your 541t is not up to par".

Kewl!

|\|()|/\| ! (_)|\||}35|257@|\||} where the 5xpression 5#17#3@|} came from :)

Btw, did you mean "5#1t"? You misspell even in 1337? I wonder if a puff of medical 420 could help ;)

Interesting research!

Nick PMay 19, 2016 6:06 PM

@ Clive

I'm closely following these given I have the terrible Crohn's disease. Really a symptom of a larger problem where my immune system tries to attack my body in various ways. So, the normal stomach problems of my type plus that effect means it gives me plenty unpleasant moments. Now, if the research works out, the stomach and maybe some mental problems of autistics might be a microbiome change away. I considered experimenting but I'm quite worried about auto-immune effect. Seeing what it does to me, I can only wonder how immune system will react when someone else's shit capsule is floating in there.

Not sure if it would damage me with long-term issues or the problem would work its way out somehow. ;)

Nick PMay 19, 2016 6:58 PM

@ All

I found two things, one I'd seen before, that are hilarious parodies of programmers. The first, Why Specs Matter, is a brief take on why you want your references to be perfect by dividing the world into morons, assholes, and experts. The second, Real Programmers, is a long rant on what being a real programmer is. Hint: You're probably one of those "Quiche Eaters" like Niklaus Wirth if you're not inputting assembler or Fortran into a front panel with hex. To start with...

Dirk PraetMay 19, 2016 7:12 PM

@ Nick P

I'm closely following these given I have the terrible Crohn's disease.

Have you tried medicinal marihuana yet?

@ Thoth

How to use two low quality RNG to form into a stronger RNG.

Thanks for that pointer!

@ Tyr

Modern guns have a nasty habit of causing these kind of problems (explosion shock waves and sonic booms) are a nasty combination for unprotected ears.

The effect of years of attending Motörhead gigs in the front rows should not be underestimated either. Many old friends of mine are suffering from tinnitus too.

@ Wael, @ Clive

The only option is a head transplant

Some Italian neurosurgeon called Sergio Canavero has announced to the Times of India that he will be performing such an operation on a Chinese patient in December 2017. In somewhat related news, the first successful penis transplantation in the US was performed on a Massachusetts man last week.

Nick PMay 19, 2016 7:51 PM

@ Dirk

"Have you tried medicinal marihuana yet? "

You serious? I thought it was illegal in almost every state around me. Sure, I'll try it if they'll prescribe it. :)

"In somewhat related news, the first successful penis transplantation in the US was performed on a Massachusetts man last week."

Incidentally, this is probably the beginning of a new, terrifying practice in organ, black markets. ;)

ThothMay 19, 2016 8:43 PM

@Nick P
Once you get onto those medical marijuana, I can imagine you starting to see RISC-V and microkernel designs everywhere you go :P

@all
How to take down a drone with a non-lethal gun ... I mean hacking gun. The idea is to load software with hacking capabilities into the "gun" and point and radiate commands to try and hack a drone. Sounds interesting but that means you have to assume there are tonnes of protocol hacks loaded into the "gun" to be able to hack all sorts of commercial drones.

Link: http://arstechnica.com/information-technology/2016/05/dronebuster-will-let-you-point-and-shoot-command-hacks-at-pesky-drones/

WaelMay 19, 2016 9:07 PM

@Nick P,

I found two things, one I'd seen before, that are hilarious

Classic! I remember one of them as wee, the other "rings a bell" ;)

Some Italian neurosurgeon called Sergio Canaver...

Followed the link a level down and got to watch Dr. White's "monkey head" transfer. Pretty gross. Poor monkeys... Do you think humans deserve the same treatment if a substantially more advanced alien race captures our little blue rock? Why do we do things to less advanced creatures that we wouldn't accept for ourselves?

@+145,

1337? Haven't you ever used a calculator!? :-P

@Clive Robinson,

I misspelled "understand" as well. Now we're even.


A long time ago. But what's the operation? Given your choice of handle and your rhetoric question, would you have recognized a response addressed to @10 as an address to you?

Nick PMay 19, 2016 9:33 PM

@ Thoth

Oh, in that case, I'm definitely visiting the supplier to find out what the (censored) was in my weed.

@ Wael

Yes, I saw that video in the past. That was so horrible I'd almost think the person should be in jail and such experiments banned. We know monkeys can think a bit and feel plenty. Plenty of similarities to us, as even the religious often agree. So, imagine what they felt in an unnecessary experiment where every sensory perception changed, massive neural confusion existed, and probably quite a bit of pain/stress. That's just torture, man. Didn't really teach us shit we couldn't have guessed.

Nah, I think we need to put those experiments way off into the future once we know more about brains and neural interfaces. Plus, do basic science on lesser animals with less potential to suffer/understand or whose minds are screwed up by nature already. Shrews come to mind given they're hyper, anxious assholes from adulthood on. I have fewer qualms experimenting on selfish assholes. ;)

ThothMay 19, 2016 9:52 PM

@Nick P
Indeed there are tonnes of unknown chemicals we take in daily without knowing and the manufacturers and suppliers keep quiet about.

One good example is milk bought from China :) .

WaelMay 19, 2016 10:24 PM

@Dirk Praet,

I botched the last post. Forgot your name, transposed two responses, misspelled stuff, and who knows what else...

You seem to have a strange fascination with the medical field.

Nick PMay 19, 2016 10:29 PM

@ Wael

Yhou seems to have A strainge fascinashin with adherince 2 formel Englihs.

WaelMay 19, 2016 10:29 PM

@Thoth,

One good example is milk bought from China :) .

Apparently you haven't looked at the ingredients listed on a regular milk bottle from the US! Try it sometime.

People all over most of the world are likely ingesting Chinese human DNA. Impress me and guess how! And this isn't a joke.

WaelMay 19, 2016 10:34 PM

@Nick P,

Yhou seems to have A strainge fascinashin with adherince 2 formel Englihs.

You're goddamn right! I's grammar will rock your world ;)

Clive RobinsonMay 20, 2016 2:27 AM

@ Nick P,

On "Real Programmers -v- Savoury Tart Consumers".

You could hardly tell RPs from Heavy Metal Jocks when looking at neck and shoulders. Because RPs used KSRs, not the wimpy VDUs of STCs.

The use of KSRs "lid up" was a good way to get tinnitus and at the same time not hear the phone or the boss shouting, and taught you to concentrate not just on what you were typing into it but also on where your fingers were; a 1/4 horsepower motor and worm drive can make your pinky look like a diagram for a zipper in less than 0.15 secs. It also made you self reliant because, due to the motor and clutch noise, "nobody can hear you scream" for help, or hear your body hit the floor...

As they say "Those were the days, my friend..." (RPs never sing; they leave that live/sing in harmony nonsense to the STCs ;-)

Clive RobinsonMay 20, 2016 2:46 AM

@ Thoth,

Once you get onto those medical marijuana, I can imagine you starting to see RISC-V and microkernel designs everywhere you go :P

I doubt it. I'm reliably informed by those that have that "you don't go anywhere" on marijuana except to the cookie jar or fridge due to the "munchies".

It's the combined effect of "mind freeing and munchies" that makes the use of marijuana so wanted by cancer and other chronic pain sufferers. Drs tend to think in "pain relief" only, not the endless mental torture and slow starvation due to, amongst other things, the pain relief opiates that are the only thing they have been allowed to prescribe in the past.

Having seen several friends die of cancer I've witnessed first hand what the suffering can be like. As has been said before "You wouldn't do that to a dog so why do it to a human?"...

Dirk PraetMay 20, 2016 6:30 AM

@ Wael

You seem to have a strange fascination with the medical field.

My best friend is a nurse and both transplants just happened to show up in my RSS feeds yesterday. The head transplant immediately made me think of a particularly spooky X-Files episode.

@ Thoth

One good example is milk bought from China

I suppose you're referring to the melamine scandal ? Chinese authorities cracked down quite hard on these criminals: two people were executed, one given a suspended death penalty, three receiving life imprisonment, two others receiving 15-year jail terms, and seven local government officials, as well as the Director of the Administration of Quality Supervision, Inspection and Quarantine (AQSIQ), being fired or forced to resign.

@ Thoth, @ Clive

Once you get onto those medical marijuana, I can imagine you starting to see RISC-V and microkernel designs everywhere you go

That would be more of an LSD thing. Mary Jane is about giggles and munchies. My 80-year old mom recently enquired about it having been suffering for years from horrible pains caused by a chronic nerve infection in her spine. Being maxed out on her current pain killers, she had refused a morphine prescription, wanting to check out some alternatives like acupuncture and marijuana instead. Which she had found out about on Google.

It was a rather hilarious conversation when she brought it up at the family dinner table. While my sister was looking at her as if she had gone stark raving mad, my 17-year old niece offered some unexpected advice in saying that weed does not work with all types of pain but that it was definitely worth giving it a shot as, if nothing else, it would most probably offer stress relief and improve her overall mood. Which kinda raised eyebrows with everybody present. My sister later that evening called me back asking if there was any way to get into her smart phone.

WaelMay 20, 2016 10:38 AM

@Yum,

Human hair soy sauce? Quite the delicacy.

Much more common than you think! Next time, look for L-cysteine on the ingredients list of what you eat. Hair, the barber collects, is never put to waste!

Clive RobinsonMay 20, 2016 1:12 PM

@ Wael,

Next time, look for L-cysteine on the ingredients list of what you eat.

Yup, E920 / E921 pops up everywhere you'd least expect.... but it's derived from quite a few places, including the bits of animals like chickens, pigs and cows you'd rather not think about.

In bread it all goes back to something called the Chorleywood process (I think I might have mentioned it before), which is a method used in nearly all industrial bread making. It is used as a "reducing agent", the benefits of which are all to do with speeding up the process and improving machinability by reducing mixing time, dough elasticity and proofing time. Oh, and don't forget the silicon oil they squirt into the "loaf tins" to ensure the cooked bread comes out easily without sticking, deforming or tearing...

But the hair also comes from other places like India as well. And it has been said in the past (see Israeli news) that it has come from corpses as well...

Thus if you are Jewish, Muslim, Jain, Hindu or of several other faiths, eating most "ready sliced" bread is effectively a "no no" religion wise (as for Christians, well, eating of the flesh of others is at best frowned upon). So no sarnies for lunch unless your bread is home baked with flour not from the US or Canada (where L-cysteine amongst other things is sometimes added at the millers).

In many places, you won't find it on the ingredients list because, surprise surprise, it's neither an ingredient nor an additive, but a "processing agent". Processing agents come in all shapes and flavours, from the enzymes added to the "apple pulp" to get 20% more liquid in supposedly naturally pressed apple juice, which makes it useless to use in jam making as the pectin gets destroyed. Oh, speaking of freshly squeezed... That tangy orange juice could be down to the nitric acid used as a processing agent. This sort of nonsense is what the big agro-chem and industrial scale producers give back handers to politicos for...

And you lot wonder why I do so much home cooking...

[1] http://www.rexbakery.com/tag/chorleywood-process/

[2] https://www.independent.co.uk/life-style/food-and-drink/features/the-shocking-truth-about-bread-413156.html

WaelMay 20, 2016 2:07 PM

@Clive Robinson,

I try to bake my own bread (pita and baguettes) when I have the chance. I check the ingredients on the things I buy.

One thing I noticed while in Tokyo is that the list of ingredients on products is minimal. I got a cake from 7-Eleven there, and it had only flour, sugar, butter, baking powder, water, milk, and salt. There were no ingredients that I couldn't pronounce. a similar cake in the US has 10 times the list of ingredients. Most of them are "chemicals", and that's on top of the GMO basic ingredients, and polluted water, and the hormone saturated milk, too... All baked in a lead-laced pan made in the factory of the world; China ;)

And they wonder why our health is deteriorating...

LevellerMay 20, 2016 3:08 PM

On Ed Snowden's collection:
Danny Witwer, "...this is what we call an orgy of evidence. Do you know how many of these I've had as a homicide detective?...none."
Minority Report movie script, Philip K. Dick; Witwer played by Colin Farrell
Stop the game. Show me the path of communication. STFU

Did you ever look at the history of OpenSSL vulnerability patches and wonder why they still exist in time and space? Me too.

Lack of a useful standard library PRNG is proof of the industry's despondency. What creates flaws gives people jobs. Did you ever wonder why routers still have WEP security as an option? Me too. It goes on and on.

And BTW, it was Eloi Vanderbeken that proved the effects of CALEA in routers, not Snowden. Commenting on Snowden is like commenting on a commenter.

[http://www.theregister.co.uk/2014/01/06/hacker_backdoors_linksys_netgear_cisco_and_other_routers/]
Eloi Vanderbeken - link now nationally blocked
use this:
http://arstechnica.com/security/2014/04/easter-egg-dsl-router-patch-merely-hides-backdoor-instead-of-closing-it/

"Vanderbeken says the backdoor is confirmed in devices from Cisco (under both Cisco and Linksys brands, the latter since offloaded to Belkin), Netgear, Diamond, LevelOne and OpenWAG. According to a post on HackerNews, the common link between the vulnerable devices is that they were manufactured under contract by Sercomm.

Trying to access a Linksys WAG200G device for which he'd forgotten the password, Vanderbeken noticed the device was listening on Port 32764, an undocumented service noted by other users. Reverse engineering the MIPS code the device's firmware is written in, he says he located a way to send commands to the router without being authenticated as an administrator.

In particular, the backdoor allowed him to brute-force a factory reset without providing a password – meaning that on his next login, he had access to everything.

Vanderbeken's proof-of-concept python code includes reporting on whether the device it's running against is vulnerable or not."

The other Intel programs were long known about. So, you mean a technologist and author of applied cryptography didn't realize the trench coats in the closet? Okay then. Since the State Dept. and FTC doesn't approach authors of security and cryptography ever.
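
The Register excerpt quoted above says the affected Sercomm-built routers were listening on TCP port 32764, an undocumented service. The simplest check a practitioner can make from inside the LAN is whether the gateway accepts a TCP connection on that port at all. The probe below is an added example, not Vanderbeken's proof-of-concept and not from any article linked here: it only completes the TCP handshake and classifies the result, sends no protocol data, and attempts none of the unauthenticated commands the article describes. The gateway address is a placeholder; the port number is the one from the excerpt.

```python
"""Added example: report whether a gateway accepts TCP connections on the
undocumented port named in the Register excerpt (32764).

Connect-only probe: no payload is sent. Placeholder gateway address.
"""
import socket
from typing import Dict, Iterable

UNDOCUMENTED_SERVICE_PORT = 32764  # port named in the quoted article


def classify_connect_error(exc: BaseException) -> str:
    """Map a failed connect() to 'closed' (RST came back) or 'filtered'
    (no answer within the timeout, or some other network error)."""
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    return "filtered"


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError as exc:          # socket.timeout is an OSError subclass
            return classify_connect_error(exc)
        return "open"


def probe_gateway(host: str,
                  ports: Iterable[int] = (UNDOCUMENTED_SERVICE_PORT,),
                  timeout: float = 2.0) -> Dict[int, str]:
    """Probe each port once and collect the verdicts."""
    return {port: probe_port(host, port, timeout) for port in ports}


def suspicious(results: Dict[int, str]) -> bool:
    """True when the undocumented port is accepting connections. A 'closed'
    or 'filtered' result is not proof of absence: the Ars Technica link above
    is about a patch that hid the service rather than removing it."""
    return results.get(UNDOCUMENTED_SERVICE_PORT) == "open"


if __name__ == "__main__":
    gateway = "192.168.1.1"  # placeholder: substitute your router's LAN address
    verdicts = probe_gateway(gateway, ports=(80, 443, UNDOCUMENTED_SERVICE_PORT))
    for port, state in sorted(verdicts.items()):
        print(f"{gateway}:{port} {state}")
    print("SUSPICIOUS: undocumented port accepting connections"
          if suspicious(verdicts) else "port 32764 not accepting connections")
```

Run it from a host on the router's LAN side; an "open" on 32764 means the device is answering on a port no documented feature should need, which is the cue to check the firmware version and vendor advisories. The probe deliberately stops at the handshake so it can be run against equipment you administer without sending the unauthenticated commands the article describes.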

rMay 20, 2016 5:33 PM

@dirk

When the spinal graft news initially came out on /. (Preceding the most recent news) part of the discussion drifted into the conceptual reality of there being no head transplants as of yet: only body transplants. A great transplant would require removal of the brain in reference to any individual.

@Wael,
You do have my sympathies for the persistent pain/disruption you must be having. I have ringing in my ears from jackhammers chop saws and guns but thankfully it has thus far only added to my obnoxious and irritating presence.

I saw something that said the chemical in magic mushrooms, er one of them is 90% active in the auditory nerves.

I'm uncertain if there have been any treatments resulting yet from the therapy/application but seeing the comanifestation of depression in tinnitus sufferers such as yourself it may have viable holistic applications imb.

Dig around a little, the British were studying them in controlled settings as late as 2010.

rMay 20, 2016 6:00 PM

@wael,
Oh haha, other than the fact the wiki on tinnitus specifically states that serotonin may be implicated in certain cases. Things like psilocybin or tryptophan or SSRI/SSDRIs and other sources of serotonergic activity could prove to be highly counterproductive.

Still worth reading up on if you're not afraid of natural medicines. I know that taking aspirin for years on end led me to minor ringing and headaches too; I had to quit taking it.

WaelMay 20, 2016 7:04 PM

@r,

Still worth reading up on if you're not afraid of natural medicines.

It's my first choice.

10May 20, 2016 10:59 PM

@41/14

Sum of digits? The operation I referred to was a simple digital calculator being turned upside-down. A '4' was an 'h' long before a '#' ever was, as far as I can tell

WaelMay 21, 2016 12:07 AM

@10,

A '4' was an 'h' long before a '#' ever was, as far as I can tell

True, long time ago, like I said. Used it first on a Casio like this one. It's a museum item now!!!

Clive RobinsonMay 21, 2016 2:19 AM

@ Wael,

Speaking of electronic calculators[1], my first "programmable" calculator was the Sinclair Cambridge,

http://www.vintagecalculators.com/html/camb__programmable.html

I still have it and all the programming books, sleeve and external "wall wart" mains power unit. It was actually very expensive, thus was my "main Xmas" present back in 1977 when I was a teenager. It helped a lot at college, but the "games" programs were very limited in what you could do.

The big problem with it was the "pregnant bulge" for the PP9 battery. The casing was obviously originally designed for AA or AAA cells and a quick rework had to be done. Whilst the outer battery cover had some strength, it was not sufficient and pulled against the sleeve if used. Worse though was the black internal battery holder; this was made with the same sort of plastic you find in "fruit punnets" and other throw-away food packaging.

I'm told that they are "collectors' items" and occasionally come up for sale on eBay. However I keep mine for sentimental reasons, as the following year I became an orphan.

[1] The names Calculator, like Typewriter and Computer, were originally job descriptions, not the names of inanimate objects. There was an old, old joke based on this, about a husband running away from his wife with what we would now call his Personal Assistant or Secretary. Basically he sends her a letter with the punch line of "I am sitting here with my Typewriter on my knee composing this letter...". Having seen some early typewriters, it would not be too far-fetched to think of "a ninety pound model" that you would find most uncomfortable on your knee if you were caught doing it ;-)

Wesley ParishMay 21, 2016 2:22 AM

@Nick P

re: Incidentally, this is probably the beginning of a new, terrifying practice in organ, black markets. ;)

As prefigured by Rod Stewart in Maggie May:

You stole my heart and that's what really hurt

You stole my heart I couldn't leave you if I tried

Or find myself a rock and roll band that needs a helpin' hand

You stole my heart but I love you anyway

I'm not sure you've read it but someone once wrote a story about the arms trade with interested aliens for AntipodeanSF. He ended on the note that it would become really interesting when they started wanting legs.

Clive RobinsonMay 21, 2016 2:40 AM

@ Wesley Parish,

I'm not sure you've read it but someone once wrote a story about the arms trade with interested aliens for AntipodeanSF.

That "someone" wouldn't be you by any chance? I've read at least one of your other stories (about an unfortunate werewolf).

The most famous "Organlegging" stories in SF are Larry Niven's "Gil Hamilton, long arm of the law" and Flatlander series from back in the mid-70s.

WaelMay 21, 2016 2:58 AM

@Clive Robinson,

Speaking of electronic calculators[1] my first "programable" calculator was the Sinclair Cambridge...

I still have my Commodore 128 with the separate 1571 external drive. Before I was able to afford the disk drive, I had to save my programs on audio cassette tape. I got it from Crazy Eddie. No longer have the Vic 16 nor the Vic 20. Spent a couple of summers playing with them. One time I visited a few friends and stayed overnight. The lottery jackpot at that time was several tens of millions of dollars. Long story short, I told my friends I had a program that can predict future winning numbers with a probability of 1%. I generated a few numbers and wrote them on a paper (about ten sets), then asked my friends to buy the tickets, since I couldn't afford them. When they left for work, one of them left his numbers at home. The drawing happened while he was outside, so I replaced the numbers on the papers with the winning numbers and put it back in its original place. You can guess the look on his face when he came back ;)

1977 when I was teenager, it helped a lot at college, but the "games" programs were very limited to what you could do.

We must be from the same generation then! Used to program mostly games. Entered the programs in hex, and used a program to "poke" the values in.

Later on in life, I built a few Compaq "luggables" from spare and surplus parts, then sold them.

ianfMay 21, 2016 12:21 PM


Said Thoth Theoretically saying NO would be useful but realistically the rotten industry itself is all about time to market and how fast you can make a quick buck with less than half baked product.

You probably heard this a hundred times (give or take a magnitude); I used it on a few occasions myself: “a manager asks an engineer to make The Widget fast, well and cheap. The engineer replies: pick any two of these.” Seemed to be working for about a typical project leader's detail attention span of 5 minutes.

[…] and later,

Thoth: “Visiting US is on top of my personal black list way above North Korea. That's how bad the "liberty" of US have rotted.

I share your sentiment… and the resolve. I once planned to travel across the USA, see the famous landmarks, but I suppose I'll have to content myself with the National Geographic's DVDs instead (which are pretty good). Also, in "Stranger on a train" Jenny Diski already traversed that route for me.


ADMINISTRIVIA @ 65535's 29.6kB diatribe addressed to Paul McCryptney and Winston Smith

WTF did you think this is, some limitless Congressional Record into which you can transcribe any bible you cribbed, and get away with it? http://justpaste.it the drivel the next time and post the link here.


@ Clive Robinson

being laid up in hospital… is like catnip to an inventive mind... How to switch the right-hand-allergies and the left-hand-ID bands (thus confusing whole echelons of nurses and, per chance, later, morgue personnel).

Hilarious indeed. Reverse of my preventing the ID mixup by stamping the bottom of just-newborn daughter (both cheeks) with a

    LASTNAME • COPYRIGHT
    CITY • COUNTRY

red ink stamp that I kept from my photographer days. Piece of family lore now, but, alas, no photos.


@ albert
              I'm not going to be drawn into these inane some on the ground abetted Al-Qaida in the clouds with bringing down the WTC towers conspiracy theories, but I need to point out a few apparently non-obvious fallacies floating around here. Because, when you counter alleged "pure speculation" of Clive's with this “fact: watched a video of molten metal pouring out of the corner of one of the towers…, it is neither a fact, nor even a factoid, but a pure BIASED INTERPRETATIVE CONJECTURE at best.

You so wanted to have a logical explanation for what you saw on a grainy video, and, being an expert on molten metals (never mind pouring out of Boeing-stricken skyscrapers), you immediately JUST KNEW WHAT HAPPENED. Nothing else could do it. A little knowledge is more dangerous than no knowledge, because it easily leads one astray into the make-believe land of "I have a hammer, so everything looks like nails to me."

    Honest, were I the USG, I'd immediately have conscripted you as THE Official Authoritative & Sole Final Nine Eleven Truth Arbiter, save the taxpayers a bundle by not having any special investigative commissions, etc. (That didn't happen, right? There's the wasteful GWB governmental spending for you—if there ever was a better example).

[…] It had to be thermite.
Everything else is BS.

The termites did it? Atta boys! That was at least novel. You should patent that remote sensing capability.


Clearly, you don't know a.n.y.t.h.i.n.g. about building (verb) complexity, yet profess to be an expert on structural rigidity of skyscrapers that dared to fold when you expected them to stand tall (and no, I don't know anything about such either, which is why I merely call BS on those so deserving, and do not emit simplistic event theories of my own).

Moreover (cc: tyr), we've been through the demise of the WTC, incl. WTC7, at least once before, so please read this description of the 1978 Citicorp near-fail for comparison purposes. Then learn to live with the fact that no one is ever going to get a 1000% guaranteed satisfactory reason for why the Ground Zero towers fell so fast and in that fashion (it's called attaining maturity). Because, to gain that level of knowledge would require at least a to-scale empirical airborne demolition of like objects under controlled conditions, to compare with what already has been learned about it.
BTW: my corroborative info source was—the book, not the excerpts of—"American Ground: Unbuilding the World Trade Center" by William Langewiesche, who was invited by the Port Authority to observe the salvage phase… a journalist and a pilot, not a structural engineer, but a fresh eye & sharp pen wielder all the same (later much criticized by "New York's Finest" for reporting about flattened fire trucks full of designer jeans inside).


BTW. The 1982 "Real Programmers" rant recommended here carries the full title of "Real Programmers Don't Use Pascal," and is posted at countless sites on the web, e.g. the above one that's much more readable than the monospaced ASCII version. Having started with interpreted Basic, I wasn't keen on compiled anything, thus never went there. I must confess, however, to once buying this particular "Elementary Pascal" volume solely on the strength of the OBVIOUS CREATIVITY of its concept/title… don't recall reading it, still have it. Come to think of it, it would not surprise me if that title inspired the much later, and rightfully famous, Britney Spears' Guide to Semiconductor Physics.

    Speaking of which… this blog could use some celeb pixie dust… could Bruce perhaps ask the IBM to foot the bill for a once-a-year, say, guest editorship of Kim Kardashian on Security?

WaelMay 21, 2016 1:02 PM

@ianf,

WTF did you think this is, some limitless Congressional Record...

LOL... Right! It's a bit on the lengthy side.

http://justpaste.it the drivel the next time and post the link here.

Italy again! Either your OPSEC is shot, or you're pretty devious. Perhaps both!

WaelMay 21, 2016 7:58 PM

@Clive Robinson,

Bad timing?

Au contraire! Perfect timing. You were on record, more than once, stating:

I'm also on record here of my low opinion of forensics because they try to argue from effect to cause...

How would you attack this "mystery" without going from effect to cause? Do you think the copilot dropped his still lit Sheesha in the lavatory after the pilot commanded him to change its water? That would be going from cause to effect!

Wesley ParishMay 22, 2016 1:53 AM

@Clive Robinson

That "someone" wouldn't be you by any chance?

No, sadly not. The organlegging story starts out like any other humdrum across-the-borderline arms-trade story, until the last sentence. It was then I cracked up. I'd thought I'd got the most unlikely twist with To Bear Arms (which I wrote in anger at the Sandy Hook massacre):
http://pandora.nla.gov.au/pan/10063/20130404-0048/www.antisf.com.au/the-stories/to-bear-arms.html

and he comes along and tips me on my head!!! It's titled The Arms Dealer
http://pandora.nla.gov.au/pan/10063/20150105-1329/www.antisf.com.au/the-stories/the-arms-dealer.html

Absolutely brilliant!

The werewolf story you're thinking of is probably How Fluffy Ruined My Reputation
http://pandora.nla.gov.au/pan/10063/20141108-0001/www.antisf.com.au/the-stories/how-fluffy-ruined-my-reputation.html

Clive RobinsonMay 22, 2016 4:20 AM

@ Wael,

How would you attack this "mystery" without going from effect to cause?

The simple answer is to gather all available data as a first step; the second is to present the data in a time-ordered sequence where possible. Thirdly, without multiplying hypotheses, present one or more possible explanations that fit the known data at each step of the timeline.

Do you think the copilot dropped his still lit Sheesha in the lavatory after the pilot commanded him to change its water?

Whilst I would not rule it out of the collection and timelining of data, there would need to be physical evidence of it found to even start on such a theory. Firstly, the sheesha and charcoal have certain detectable characteristics when burnt together that would leave traces inside the hookah and the fabric of the aircraft. Also, the hookah would not, or should not, be inside the human-occupied areas of the aircraft these days.

But you've already fallen into a trap of multiplying hypotheses with the "smoke in the toilet" being an indicator of the origin of the fire. All you actually know is that it has been indicated a series of ACARS messages were received from the aircraft, nothing more.

Without knowing previous ACARS messages from the aircraft, going back over a considerable period of previous flights, and the maintenance logs, we don't know if the smoke detector was faulty or not. It is far from unknown for passengers and possibly aircrew to use wet toilet paper to block the holes in smoke detectors so they can have a smoke. As you are probably aware, sensitive exposed electronics tend not to respond well to either water or very high humidity. Thus it would not be unreasonable to indicate that those messages did not indicate a fire or smoke in the toilet but a faulty sensor, or a person interfering with the detector in some way.

But on the assumption the sensor was working, you also need to know if there were other working sensors in other parts of the passenger compartment etc. If there were not, then the smoke detected could have come from an entirely different part of the aircraft and was somehow ducted into that toilet. Then you would have to figure out why that toilet and not others. There is a possibility that its door was broken and thus stuck open, making the smoke detector in it effectively not "the toilet smoke detector" but "a passenger compartment detector".

These are all part of the investigatory method, in the same way "Testing Techniques" are all part of finding and fixing faults in equipment. You try not to make assumptions at any stage and just follow the timeline and the data on it to rule in or rule out possibilities that affect what you would see in the timeline data.

Eventually you get to scenario testing time, which is where it can all go horribly wrong, because the data you have to work with is generally not even close to what you need. If you have the time and other resources, the preferred way of doing things is the way weather forecasts are made. You start off with a --hopefully-- known state that you put in a simulator; you then make a series of small changes and run the simulator over and over again, making further small changes. Those simulations that do not get close to the data on the timeline count in a negative way, those that do in a positive way; after a thousand or so runs you can say that in X% of the simulations change Y had an indicative effect. This helps build up an idea of what happened, but the problem with this is "the butterfly's wings effect". That is, in many cases the scenario is too sensitive to its input conditions early on, thus little can be made of the scenarios. In which case you are forced into the doubtful procedure of arguing back from effect to cause with a very low probability of success. An honest investigator would indicate in their report that at each step there was a range of alternative causes for the effect, somehow rank them in a non-controversial way, and thus indicate that the actual course of events prior to a given point is likely to remain unknown indefinitely.
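
The first two steps of the method above (gather everything, then put it in time order before reasoning about cause) are the same ones a forensic analyst follows when building a timeline from logs with different clocks and formats. The block below is an added example, not part of anyone's comment here and not related to any real incident: it parses two constructed sources, one with "Z" timestamps and one with local offsets, normalizes both to UTC, merges them, and for each telemetry message attaches the gap since the previous message and any maintenance history on the same sensor within a look-back window. The sensor-key heuristic (first three words of the message) and the message texts are assumptions for the demo.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    t: datetime      # always timezone-aware and in UTC after parsing
    source: str      # which log the line came from
    text: str


# Constructed sample data for the demo (not real aircraft messages).
# Telemetry-style lines carry a "Z" (UTC) clock.
TELEMETRY_SAMPLE = """\
2016-05-19 00:26Z LAV SMOKE DETECTOR ACTIVE
2016-05-19 00:27Z AVIONICS BAY SMOKE
2016-05-19 00:29Z RH WINDOW HEAT FAULT
"""

# Maintenance lines carry the local time of the station that did the work.
MAINT_SAMPLE = """\
2016-05-10 14:02 +0300 LAV SMOKE DETECTOR nuisance alarm, cleaned, ops check ok
2016-04-02 09:15 +0100 LAV SMOKE DETECTOR replaced after repeated false alarms
2016-05-12 11:40 +0300 Cabin door 2L latch adjusted
"""

TELEMETRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})Z (.+)$")
MAINT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2} [+-]\d{4}) (.+)$")


def parse_telemetry(block: str) -> list:
    """Parse 'YYYY-MM-DD HH:MMZ text' lines; the Z means the clock is UTC."""
    events = []
    for line in block.splitlines():
        m = TELEMETRY_RE.match(line)
        if not m:
            continue  # keep going on malformed lines; never silently reformat them
        t = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        events.append(Event(t, "telemetry", m.group(2)))
    return events


def parse_maint(block: str) -> list:
    """Parse 'YYYY-MM-DD HH:MM +HHMM text' lines and convert to UTC."""
    events = []
    for line in block.splitlines():
        m = MAINT_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M %z").astimezone(timezone.utc)
        events.append(Event(t, "maint", m.group(2)))
    return events


def build_timeline(*sources) -> list:
    """Merge every source into one UTC-ordered list; ties break on source name."""
    return sorted((e for src in sources for e in src), key=lambda e: (e.t, e.source))


def sensor_key(text: str) -> str:
    """Assumed heuristic: the first three words name the sensor or component."""
    return " ".join(text.split()[:3]).upper()


def annotate(timeline: list, lookback: timedelta = timedelta(days=60)) -> list:
    """For each telemetry event return (event, gap since previous telemetry event,
    maintenance events on the same sensor within `lookback` before it).

    The history list is what lets an analyst ask "was this sensor trusted?"
    before treating its message as the origin of anything.
    """
    maint = [e for e in timeline if e.source == "maint"]
    rows, prev = [], None
    for e in timeline:
        if e.source != "telemetry":
            continue
        gap = e.t - prev.t if prev else None
        history = [m for m in maint
                   if sensor_key(m.text) == sensor_key(e.text)
                   and e.t - lookback <= m.t < e.t]
        rows.append((e, gap, history))
        prev = e
    return rows


if __name__ == "__main__":
    tl = build_timeline(parse_telemetry(TELEMETRY_SAMPLE), parse_maint(MAINT_SAMPLE))
    for e in tl:
        print(f"{e.t:%Y-%m-%d %H:%MZ} [{e.source:9}] {e.text}")
    print()
    for e, gap, history in annotate(tl):
        flag = f"  <- {len(history)} prior maintenance entries on this sensor" if history else ""
        print(f"{e.t:%H:%MZ} +{gap or timedelta(0)} {e.text}{flag}")
```

The point of normalizing to UTC first is that a maintenance entry stamped in local time can otherwise sort on the wrong side of a telemetry message; the point of the history annotation is the one Clive makes: a message is evidence that a message was received, and whether the sensor behind it was reliable is a separate question the timeline has to answer before any cause is argued from it.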

Clive RobinsonMay 22, 2016 4:26 AM

@ Wesley Parish,

The werewolf story you're thinking of is probably How Fluffy Ruined My Reputation.

Yes, that's the one. It's a twist on one of those male nightmare scenarios, where a bloke wakes up with his arm under his beer-goggles-chosen partner of the night, and would rather chew his arm off than wake the partner up...

WaelMay 22, 2016 4:52 AM

@Clive Robinson,

gather all available data as a first step...

Agreed. That's the correct thing to do.

But you've already fallen into a trap of multiplying hypothesis with the "smoke in the toilet" being an indicator of the origin of the fire.

There are several possibilities: an explosion or catastrophic malfunction that caused sensors to detect phantom events, the fire or smoke isn't the cause, ... But you're correct! A small sample (of choice, perhaps to amplify certain directions) isn't sufficient to root-cause the event. Three minutes from "smoke detection" to "crash" is too short a period for mechanical failure and maybe too long for a bomb (as the BBC reported.) I have fallen into no trap because I don't take news reports at face value, generally speaking.

... or a person interfering with the detector in some way.

Reasonable possibility.

There is a possibility that its door was broken and thus stuck open, making the smoke detector in it effectively not "the toilet smoke detector" but "a passenger compartment detector".

Also possible.

You try not to make assumptions at any stage and just follow the timeline and the data on it to rule in or rule out possibilities that affect what you would see in the timeline data.

If that's why you have a low opinion of forensics, then I agree. Good explanation.

WaelMay 22, 2016 5:18 AM

@Clive Robinson,

If you don't have a scanner or want to listen in to remote places, you may go to LiveATC.com and listen to plane/tower communications. There is also an iOS and an Android application called ATCLive ... Many frequencies, and there is an archive as well to "go back in time"...


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.