Friday Squid Blogging: Beautiful Squid Sculpture

Two years ago, I posted a photograph of a beautiful giant bronze squid sculpture by Kirk McGuire. He has a new sculpture: a squid table base. It's also beautiful.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on June 10, 2016 at 4:38 PM • 198 Comments

Comments

Daniel • June 10, 2016 6:00 PM

Internet gurus meet to discuss how to make the web more anonymous from the ground up.

www.nytimes.com/2016/06/08/technology/the-webs-creator-looks-to-reinvent-it.html?

Bruce, were you at this event?

Milo M. • June 10, 2016 6:07 PM

Risks Digest points to this fabrication-time attack:

http://catless.ncl.ac.uk/Risks/29.55.html#subj14

https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/

"In a study that won the “best paper” award at last week’s IEEE Symposium on Privacy and Security, they detailed the creation of an insidious, microscopic hardware backdoor proof-of-concept. And they showed that by running a series of seemingly innocuous commands on their minutely sabotaged processor, a hacker could reliably trigger a feature of the chip that gives them full access to the operating system. Most disturbingly, they write, that microscopic hardware backdoor wouldn’t be caught by practically any modern method of hardware security analysis, and could be planted by a single employee of a chip factory."

The paper:

http://static1.1.sqspcdn.com/static/f/543048/26931843/1464016046717/A2_SP_2016.pdf?token=N4pJSSoqL4kE4V4JXpTwx7qDRX4%3D

Nick P • June 10, 2016 6:26 PM

@ Milo M.

It's actually a design-time attack that could theoretically be done during fab time as well. They note in the paper that doing it at fab time, esp. to a design without source, would be extremely hard. So, they just stuck with a non-fabrication attack for the proof of concept.

Hard to say what the level of risk is for a fab-time attack. Besides, this can be mitigated at design time with pre-verified cell libraries. All you do is check to make sure they're what's in use.

Jonathan Wilson • June 10, 2016 7:02 PM

Someone has started up a service whereby landlords can require prospective tenants to hand over their social media logins
https://www.washingtonpost.com/news/the-intersect/wp/2016/06/09/creepy-startup-will-help-landlords-employers-and-online-dates-strip-mine-intimate-data-from-your-facebook-page/

It was bad enough that employers started doing invasive checks like this, but now landlords are getting in on it too? If I have no social media accounts, will that mean I can't rent a house now?

Thoth • June 10, 2016 7:33 PM

@Jonathan Wilson
That matter would be best brought up in front of the European Court of Justice to effectively settle the legality of such business practices of invasive checks.

The best thing is to keep a distance from any sort of social media (for those of us who are "paranoid") for our own good.

name.withheld.for.obvious.reasons • June 10, 2016 10:41 PM

--Draft Research Proposal--

Theoretical, and Operational Security;

    Governance. Legal, Policy, and Technological GAP analysis of the United States of America. An exploration of U.S. institutions and supporting analysis to further the understanding of the National Security State

Preface
The growing "National Security State" as causative in forming or shaping law, policy, and societal institutions is explored in detail. A cost/benefit analysis is provided, a GAP analysis is included to provide a wider view to understand what can be differentiated from a strict strategic and/or cost/benefit analysis of U.S. governmental (federal, state, local, etc.) institutions/systems.

The new "National Security State" born from the "War on Terror"[1] claims primacy and afforded aegis in both political and operational forms consisting of constraints and exceptions broadly as realized by U.S. policy. Transitioning resources, priorities, and will/psychology remains the purvey of the political class regarding stated policies.

Political control of the theoretical and operational space is the exercise constituting the U.S. "National Security State" which remains, for now, a tool of a "political will". Ahead, in terms of year(s), there is an extreme risk that controls currently managed by political means will be transmogrified into a "technocratic"-only system--sans the bureaucrats. (Will this be the near future--or might this be the case today?)


[1] Suggest the term "Acceptance of Ignorance as Knowledge and Wisdom" replace the "War on Terror" as the contextual lexicon for "fighting the unknown, unknowingly".

TAO Inside • June 11, 2016 12:08 AM

@Milo

It would be foolish to assume the spies haven't already backdoored Intel and AMD chips since disclosures already prove they have subverted networking products for years.

Remember their famous 'TAO Inside' slides? Experts have noted that the easiest way to subvert security of anybody you like is to place operatives, analysts or agents inside U.S. companies to facilitate surreptitious or covert access to keying material, compromise microcode updates etc rather than waste time with brute-force decryption, zero-days and so on.

What encrypted material? It simply doesn't exist under this model.

If necessary, you shut companies up with an NSL that promises decades of cruel and unusual solitary confinement (National Security! I repeat, National Security!), but this sabotage could easily be done in a covert manner. It is notable that developers like those at BSD don't trust the cryptographic security of Intel chips. Apparently the "Let's Make America Great Again" blueprint (when was it ever great?) has hit a few bumps in the road.

The real question is: how will Intel survive in X years time when it is conclusively proven that NSA and friends have backdoored their products for a decade or more?

Snowden Mark II disclosures from an insider could drive them into the ground and help facilitate a BDS movement of any tech product made in the US.

Ashlee • June 11, 2016 2:38 AM

Is it normal to purchase a NEW Windows system, never connect to wireless, never use blue-tooth or anything else for that matter, not connect to the Internet or a LAN in any way, and discover several "Mesh Networking" applications installed?

Clive Robinson • June 11, 2016 4:03 AM

@ TAO Inside,

The real question is: how will Intel survive in X years time when it is conclusively proven that NSA and friends have backdoored their products for a decade or more?

I suspect that Intel will be around at least until massively parallel low-power RISC multi-CPU architectures start to make significant initial/run/lifetime cost savings at equal compute power as Intel's current CPU architectures.

The majority of people don't currently care what the NSA et al do because they assume "Bad happens to Others, not them" on the "First they came for...." principle. The problem is that the IC/LEO orgs are trying to build an "information time machine" with collect-it-all, thus a photo of you picking your nose at six will be grounds to make a public example of you whilst old women sit knitting and jeering at your getting the chop.

So the question is "Whose chips will the cautious people use?" with the further one of "How cautious do you have to be?".

I've been thinking on these problems for a number of years, long before Ed Snowden etc popped up. In essence you cannot trust any chip, thus to use them you have to mitigate them in some way. That is, you need to constrain their ability to communicate outwards. Further, you also need to set them up in a system such that when they switch from helper to traitor you catch them in the act.

I've discussed this on this blog in the past, but I get the feeling that most don't understand the need for such systems and how long they will take to develop, thus handing the advantage to those who will seek to make examples of them etc.

CallMeLateForSupper • June 11, 2016 10:07 AM

Some movement on the so-called Snoopers' Charter on June 7th:

"The U.K. House of Commons on Tuesday passed a controversial bill giving spy agencies the power to engage in bulk surveillance and computer hacking." "[...] passed by a vote of 444 to 69. Debate over the proposed law now moves to House of Lords."

"The version of the bill passed Tuesday states that companies can only be asked to remove encryption that they themselves have put in place and if doing so is technically feasible and not unduly expensive."

(EMPHASIS mine)
"The bill states that the GOVERNMENT WILL likely REIMBURSE communications companies, including mobile operators, for the cost of complying with the new legal obligations, such as the REQUIREMENT TO RETAIN RECORDS OF ALL THE WEBSITES ITS CUSTOMERS VISIT for at least a year."

http://www.bloomberg.com/news/articles/2016-06-08/u-k-commons-passes-controversial-snooper-s-charter-bill

Clive Robinson • June 11, 2016 10:18 AM

@ TAO Inside,

In another of those "hacker news" coincidences, the following article on the issues of Intel ME and why it's too late to get it out of their newer CPUs,

http://www.fsf.org/blogs/licensing/intel-me-and-why-we-should-get-rid-of-me

The last paragraph about alternative CPUs to use is similar to a list I've mentioned previously. The trick however is how to use them to check each other for any indication of "turning traitor". Many years ago the NYC telephone company developed a system that some time later NASA adopted to detect faults. We now tend to call the method "voting circuits", and it works as well for security as it does for faults.

However, making this usable for more general computing and thus act as a mitigation strategy against subversion at the lower levels of the computing stack requires a little thought. Which I've already done, and talked about here a couple of years ago.

So I've laid some foundations, we just have to wait whilst the rest of the world catches up and "makes it their own" as usual...
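As an added illustration of the voting-circuit idea Clive describes (my example, not his design or code, and not part of the original thread): four independent units compute the same job, a majority vote settles each result, any dissenting unit collects a strike, and a unit that dissents repeatedly is quarantined. The units, the checksum workload and the "traitor" that misbehaves once it sees a trigger pattern are all constructed for this example.

```python
from collections import Counter


def honest_cpu(block: bytes) -> int:
    """Stand-in workload: checksum of a data block (constructed; any deterministic job works)."""
    return sum(block) % 256


def traitor_cpu(block: bytes) -> int:
    """Constructed 'traitor': agrees with the others until it sees the trigger byte 0x7F,
    then quietly returns a wrong answer (a unit switching from helper to traitor)."""
    if 0x7F in block:
        return (sum(block) + 1) % 256
    return honest_cpu(block)


def majority(outputs: dict) -> tuple:
    """Vote over {unit_name: result}.

    Returns (agreed_value, dissenters). agreed_value is None when no value holds a
    strict majority; the caller must treat that as a halt, since nothing can be trusted.
    """
    value, count = Counter(outputs.values()).most_common(1)[0]
    if 2 * count <= len(outputs):
        return None, sorted(outputs)
    return value, sorted(name for name, v in outputs.items() if v != value)


class VotingMonitor:
    """Runs every active unit on each block, votes, and quarantines repeat dissenters."""

    def __init__(self, units: dict, strike_limit: int = 2):
        self.units = dict(units)            # unit name -> callable
        self.strike_limit = strike_limit
        self.strikes = {name: 0 for name in units}
        self.quarantined = set()
        self.log = []                       # audit trail of dissents / quarantines / halts

    def step(self, block: bytes) -> int:
        active = {n: f for n, f in self.units.items() if n not in self.quarantined}
        if len(active) < 3:
            # Two units can disagree but cannot outvote each other: nothing to decide.
            raise RuntimeError("fewer than three units left; cannot vote")
        outputs = {n: f(block) for n, f in active.items()}
        value, dissenters = majority(outputs)
        if value is None:
            self.log.append(("halt", outputs))
            raise RuntimeError(f"no majority: {outputs}")
        for name in dissenters:
            self.strikes[name] += 1
            self.log.append(("dissent", name, outputs[name], value))
            if self.strikes[name] >= self.strike_limit:
                self.quarantined.add(name)
                self.log.append(("quarantine", name))
        return value


def run_demo() -> tuple:
    """Constructed run: the traitor is caught on the blocks that contain 0x7F."""
    monitor = VotingMonitor({
        "cpu_a": honest_cpu,
        "cpu_b": honest_cpu,
        "cpu_c": traitor_cpu,   # the unit that will turn traitor
        "cpu_d": honest_cpu,
    })
    blocks = [b"hello", b"\x01\x02\x03", b"trigger\x7f", b"\x7f\x7f", b"after"]
    results = [monitor.step(b) for b in blocks]
    return results, sorted(monitor.quarantined), monitor.log


if __name__ == "__main__":
    res, bad, log = run_demo()
    print("agreed results:", res)
    print("quarantined:", bad)
    for entry in log:
        print(entry)
```

With only three units the first quarantine would leave two, which cannot outvote each other, so a real deployment needs spare units or a halt path.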

MikeA • June 11, 2016 11:00 AM

While a hardware infiltration is certainly "sexy" and scary, wouldn't the low-hanging fruit be the other 17 or so layers between the CPU and any code that a normal person can vet? Especially in these days when the APIs for those layers are so fluid that one has no choice but to "upgrade" to the latest and gratest (sic) version of every library and framework.

Yes, OpenBSD on a fully-verified open CPU design fabbed by saints in a well-watched facility and guarded through the entire supply chain by anointed Warriors of Freedom _might_ be less susceptible to such attacks, but it also won't be able to read a growing percentage of email, or access the vast majority of the web, including all the banking sites. And visiting your bank branch (if you can find it) to get cash will almost certainly put you "on the list".

Also, @Jonathon Wilson: "Thornhill" sounds familiar. Watch out for crop-dusters with machine-guns.

Grauhut • June 11, 2016 11:39 AM

No one could have imagined this! :)

Microsoft Visual Studio 2015 Update 2 C++ compiler auto-injects telemetry spyware code into other people's programs.

"Recently Reddit user "sammiesdog" posted claims that Visual Studio's C++ compiler was automatically adding function calls to Microsoft's telemetry services. The screenshot accompanying their post showed how a simple 5 line CPP file produced an assembly language file that included a function call titled “telemetry_main_invoke_trigger”."

https://www.infoq.com/news/2016/06/visual-cpp-telemetry

Clive Robinson • June 11, 2016 1:27 PM

@ Grauhut,

No one could have imagined this! :)

Hey, are you not supposed to use sarcasm tags for Micro$haft, not smileys ;-)

There are also rumours about the .Net framework as well.

Stupidity like this by Micro$haft is not new, but this time it crosses a legal line, which no US EULA is going to get tolerated by an EU court...

Look at it this way: you develop bespoke software for professional use such as doctors and lawyers. You as just another developer don't know about this Micro$haft back door, which for argument's sake means your software hemorrhages confidential client information. Who legally is to blame and who is the court going to go after...

CallMeLateForSupper • June 11, 2016 1:49 PM

IRS seems to think it finally has all its ducks lined up.

"IRS Re-Enables ‘Get Transcript’ Feature"
http://krebsonsecurity.com/2016/06/irs-re-enables-get-transcript-feature/
"So exactly how does the new-and-improved Get Transcript feature validate that taxpayers who are requesting information aren’t cybercriminal imposters? [...] the visitor needs to supply a Social Security number (SSN) and have the following:

1) immediate access to your email account to receive a confirmation code;
name, birthdate, mailing address, and filing status from your most recent tax return;

2) an account number from either a credit card, auto loan, mortgage, home equity loan or home equity line of credit;

3) a mobile phone number with your name on the account."


That last rule, 3), is decidedly not helpful to persons who either have no mobile phone or use a pre-paid phone.

It's another face of the unfriendly, rigid structure problem that @Jonathan Wilson referred to above when he wrote, "If I have no social media accounts will that mean I cant rent a house now?"

Richard • June 11, 2016 3:37 PM

@ Winston Smith
"-- which, of course, extends to their support of our current (and growing) dystopian surveillance state:"

“Here comes the candle to light you to bed..."

CallMeLateForSupper • June 11, 2016 4:01 PM

Who says the State of Oklahoma is a sleepy backwater, lulled by the wind whistling down the plain, roused only by the occasional tornado ... or eight? By dang, it is nothin' shy of a trend-setter in the widely used - and widely despised - practice of Civil Asset Forfeiture:

"The Oklahoma Department of Public Safety has purchased several devices capable of seizing funds loaded on to prepaid debit cards to aid troopers in roadside seizures of suspected drug-trafficking proceeds."

http://kgou.org/post/new-front-civil-forfeiture-devices-seize-funds-prepaid-cards

Said the public information officer for the Oklahoma Highway Patrol,
"If we have reasonable suspicion to believe there’s a crime being committed, we’re going to investigate that. If someone has 300 cards taped up and hidden inside the dash of a vehicle, we’re going to check that.”

And if someone has just 2 cards "taped up and hidden"??? Or in a pocket? What number of cards would not be suspicious?

“But if the person has proof that it belongs to him for legitimate reasons, there’s nothing going to happen. We won’t seize it.”

What would prove ownership and legitimacy?? Should everyone always carry paycheck stubs? Credit references? "Honey, turn around and go back home. I think we forgot to pack the Financial Documents File."

r • June 11, 2016 4:15 PM

@Steven

'VMware has you' was an omen, everything since is just a matter of target[ing] selection where 'rootkits' are concerned.


I came here to offer up the same link you did and...

http://m.slashdot.org/story/312187

From last week to expand on the threats to computation from eavesdropping.

"Researchers turn smart phone vibration motor into microphone - to spy on you"

Richard • June 11, 2016 4:29 PM

@ Grauhut
No one could have imagined this! :)

Microsoft Visual Studio 2015 Update 2 C++ compiler auto-injects telemetry spyware code into other people's programs.

Actually it was imagined quite a while back.

Ken Thompson famously showed that this kind of compiler malware attack has been possible since about 10 minutes after they hacked together the first C compiler.

Here's a good link to a thread here on schneier.com that discusses the threat presented by compiler malware, and some possible tricks to detect it:

I have also seen reports of similar proof-of-concept hacks done to GCC to cause it to generate malware infected binaries.

Sadly, these tricks are only applicable to compilers which try to propagate malware by injecting malware generating code into other compilers, which isn't the behavior being described in this case.

Plus, the detection method requires that the compiler in question be compiled multiple times itself, which would not be possible, since Microsoft's compiler source code isn't available.

With Microsoft you just have more of a "trust... but don't expect to verify" model - which apparently isn't such a great idea.

r • June 11, 2016 5:02 PM

@callmelate,

What would prove ownership and legitimacy?? Should everyone always carry paycheck stubs? Credit references? "Honey, turn around and go back home. I think we forgot to pack the Financial Documents File."

There be crooks along them there roads.

Brought your pay stub? Social security card? Birth certificate??? EXPECT identity thieves to pilfer your car window and dash while you stop for gas.
Have a problem with criminals and LEO eyeballing your pockets???

Go buy a gun, the criminals wear badges too as per Dominican examples.

Maybe a 'getaway' drone is in order.

Richard • June 11, 2016 5:14 PM

@ Bob
How well does Qubes OS deal with Intel ME security issues?

Qubes relies on the Xen hypervisor, which can be attacked in lots of ways if you can get to the machine's underlying firmware at ANY level (BIOS, AMT, ME, etc.), and sadly BIOS hack-ability is a HUGE issue, since most motherboards do an absolutely crappy job securing the BIOS.

https://www.schneier.com/blog/archives/2015/03/bios_hacking.html

CallMeLateForSupper • June 11, 2016 5:39 PM

Interesting potential authentication tool.

"To address this problem of physical-world security, physicists from the Universities of Luxembourg, Ljubljana, and Vienna have developed a technique for producing unique and unclonable patterns that can be applied to valuable objects for the purpose of authentication. While even fingerprints can be copied and used to spoof biometric security systems, these cheaply-produced reflective patterns cannot be faked."

Of course, that last claim should have "yet" appended.

Be advised, I tried to access the paper linked to in the article but the site rebuffed my NoScript-and-PrivacyBadger-fortified Firefox. (sigh)

https://motherboard.vice.com/read/physicists-foil-forgers-with-unclonable-reflective-patterns

Bumble Bee • June 11, 2016 6:10 PM

@CallMeLateForSupper

Lol I'm full I just had a can of beans.

<!>Error

Nature.com is currently experiencing technical difficulties, please try back later.

Bumble Bee • June 11, 2016 6:25 PM

And I really hate Chicago. It costs $40 to park for two hours, you can't get a bus ticket, you don't dare leave your car anywhere while you ride the bus or train, and when I was there, Pee Wee's hot dog stand was out of business and the mob ordered one of their associates to shoot at me.

Not to mention the garbage doesn't get picked up on time and the school district is bankrupt, edjamacating yet another generation of hell-raisers.

Bob F • June 11, 2016 6:29 PM

@ Richard

Open Source BIOS projects don't seem to be advancing with any speed. I wonder if BIOS virus scanners might be a more practical solution to the problem until secure BIOSes become a reality.

Or, would it be possible to install a DIP switch on the motherboard to prevent writing to the BIOS?

Bumble Bee • June 11, 2016 6:48 PM

@Bob F

Re open source BIOS

Of course not. The Chicago mob bosses don't allow anything to advance that they don't have a back door to.

The NSA, FBI, DEA, Congress et al just hang the rest of us out to dry.

Jonathan Wilson • June 11, 2016 6:59 PM

In regards to the Microsoft Visual C++ telemetry issue there is a statement on Reddit from one of the Visual C++ team explaining things:
https://www.reddit.com/r/cpp/comments/4ibauu/visual_studio_adding_telemetry_function_calls_to/d30dmvu

There is also this Visual C++ suggestion I filed
https://visualstudio.uservoice.com/forums/121579-visual-studio-2015/suggestions/14780409-publish-telemetry-cpp-and-telemetrydefault-cpp
suggesting that Microsoft publish the actual code for this feature (I disassembled the compiled .obj file in IDA Pro and couldn't see anything to suggest that it's doing anything other than what Microsoft says it does, but publishing the source files will answer the question once and for all and I see no reason they couldn't do that).
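As an added example (my code, not Microsoft's and not the .obj Jonathan Wilson inspected) of the kind of check behind Grauhut's report and Jonathan's IDA Pro look: a small COFF symbol-table reader that lists the undefined external symbols an object file references, so a developer can diff that list against the functions their own source actually calls and spot an unexpected name such as `__telemetry_main_invoke_trigger`. The object file below is constructed inline to mirror the reported symbol; the parser follows the standard COFF layout and reads plain MSVC .obj files (not the /GL or /bigobj variants).

```python
import struct

# COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER = "<HHIIIHH"
# Symbol record (18 bytes): Name[8], Value, SectionNumber, Type, StorageClass, NumberOfAuxSymbols
SYMBOL_RECORD = "<8sIhHBB"
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER)   # 20
SYMBOL_SIZE = struct.calcsize(SYMBOL_RECORD)      # 18
IMAGE_SYM_CLASS_EXTERNAL = 2
IMAGE_SYM_UNDEFINED = 0     # SectionNumber of a symbol this object expects the linker to resolve


def _symbol_name(raw: bytes, string_table: bytes) -> str:
    """Short names live in the 8-byte field; long names are an offset into the string table
    (the offset counts from the table's 4-byte length prefix, per the COFF spec)."""
    if raw[:4] == b"\0\0\0\0":
        offset = struct.unpack("<I", raw[4:8])[0]
        end = string_table.index(b"\0", offset)
        return string_table[offset:end].decode("ascii", "replace")
    return raw.rstrip(b"\0").decode("ascii", "replace")


def undefined_externals(obj: bytes) -> list:
    """Every external symbol the object references but does not define (value 0 excludes
    COFF 'common' symbols, which also use section 0 but carry a non-zero size as value)."""
    (_machine, _nsec, _stamp, sym_off, nsyms,
     _opt_size, _chars) = struct.unpack_from(FILE_HEADER, obj, 0)
    strtab_off = sym_off + nsyms * SYMBOL_SIZE            # string table follows the symbols
    strtab_len = struct.unpack_from("<I", obj, strtab_off)[0]
    string_table = obj[strtab_off:strtab_off + strtab_len]
    names, i = [], 0
    while i < nsyms:
        raw, value, section, _type, sclass, naux = struct.unpack_from(
            SYMBOL_RECORD, obj, sym_off + i * SYMBOL_SIZE)
        if sclass == IMAGE_SYM_CLASS_EXTERNAL and section == IMAGE_SYM_UNDEFINED and value == 0:
            names.append(_symbol_name(raw, string_table))
        i += 1 + naux                                     # skip auxiliary records
    return names


def unexpected_references(obj: bytes, expected: list) -> list:
    """Undefined externals that the developer's own code does not account for."""
    return sorted(set(undefined_externals(obj)) - set(expected))


def build_sample_obj(symbols: list) -> bytes:
    """Constructed minimal COFF object with no sections, only a symbol table and string table.
    symbols: list of (name, section_number, storage_class)."""
    strtab = bytearray(b"\0\0\0\0")                       # length prefix, patched below
    records = b""
    for name, section, sclass in symbols:
        encoded = name.encode("ascii")
        if len(encoded) <= 8:
            raw = encoded.ljust(8, b"\0")
        else:
            raw = b"\0\0\0\0" + struct.pack("<I", len(strtab))
            strtab += encoded + b"\0"
        records += struct.pack(SYMBOL_RECORD, raw, 0, section, 0x20, sclass, 0)
    struct.pack_into("<I", strtab, 0, len(strtab))
    header = struct.pack(FILE_HEADER, 0x8664, 0, 0, FILE_HEADER_SIZE, len(symbols), 0, 0)
    return header + records + bytes(strtab)


# Constructed stand-in for the 5-line main()-returns-0 object from the Reddit report:
# the source only calls printf, yet the object also references the telemetry symbol.
SAMPLE_OBJ = build_sample_obj([
    (".text", 1, 3),                                  # section symbol, static
    ("main", 1, IMAGE_SYM_CLASS_EXTERNAL),            # defined here
    ("printf", 0, IMAGE_SYM_CLASS_EXTERNAL),          # expected external
    ("__telemetry_main_invoke_trigger", 0, IMAGE_SYM_CLASS_EXTERNAL),  # the surprise
])

if __name__ == "__main__":
    print("undefined externals:", undefined_externals(SAMPLE_OBJ))
    print("not in my source:", unexpected_references(SAMPLE_OBJ, ["printf"]))
```

On a real build, read the .obj from disk with `open(path, "rb").read()` and pass the list of external functions your source calls as `expected`; on 32-bit objects C symbols carry a leading underscore, so compare accordingly.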

The Past • June 11, 2016 8:26 PM

Or, would it be possible to install a DIP switch on the motherboard to prevent writing to the BIOS?

No. I mean, inventing nuclear weapons, now *that*, humanity is capable of technologically.

@BB thanks for clearing it up for me, now I grok

Winston Smith • June 11, 2016 8:28 PM

@Richard said, “Here comes the candle to light you to bed..."

We are indeed all condemned. I didn't note the EFF on the Bilderberg map. Or any similar organization. And, for what it's worth, grassroots evangelism is difficult: people think you're a bit of a looney for taking the time to use PGP for routine conversations, or expressing disdain for the common sentiment, "I'm not doing anything wrong, so it doesn't bother me." So disappointing; off we go into the limitless darkness of an Orwellian rabbit hole.

Mint Condition • June 11, 2016 9:24 PM

Secure computers?? Hell, I'm still wondering why I can't have a hosts file that accepts wildcards. ^o^

Richard • June 11, 2016 9:26 PM

@ Bob F

Open Source BIOS projects don't seem to be advancing with any speed. I wonder if BIOS virus scanners might be a more practical solution to the problem until secure BIOSes become a reality.

Or, would it be possible to install a DIP switch on the motherboard to prevent writing to the BIOS?

Modern hardware which is dependent on proprietary binary 'blobs' to initialize the chipsets is a big problem for the open source BIOS folks, since they have decided that embedding code that you don't have any way to review defeats the whole purpose.

A BIOS virus scanner would only be useful if the BIOS chip could be removed and scanned externally, because an O.S. based scan could be subverted by the very malware it was scanning to detect.

Motherboard designers could accomplish this very simply by using a standard low-capacity MicroSD device for the BIOS. A few ARM SoC-type mini-boards boot from MicroSD, but I don't know of a single modern PC-style Intel or AMD motherboard which has a socketed BIOS.

A write protect jumper or switch is a GREAT idea but ONLY if it is implemented properly.

I have some personal experience with this. After mysterious flash memory corruption issues on one commercial product I worked with, the customer demanded just such a feature. I was a bit suspicious when this added 'feature' showed up in the next build without a re-spin of the hardware.

Can you guess what the problem was? To provide this so-called 'hardware write protect', our SOFTWARE folks simply re-purposed an IO port DIP switch configuration jumper that was being read on boot up as a 'write-protect' option, and had the firmware check this before allowing updates.

But because our problem was being caused by the firmware code improperly setting some pins during a read operation, causing the flash to access in write mode and corrupting data, the useless 'software write-protect' provided by reading a stupid switch DID NOTHING.

So, lesson learned - in order to be effective, a proper 'BIOS write-protect' switch or jumper would need to be implemented in HARDWARE, using a flash chip which provides a physical write-disable pin. Software methods which try to simply read the setting of a switch or jumper and disable the write routines in the BIOS would be no more effective than the current BIOS software security options, since all an attacker would have to do to access write mode in the hardware would be to write their own flash driver. This was EXACTLY the method used by the researchers to bypass the BIOS write protect of the motherboards in the forum thread that I linked.

Bumble Bee • June 11, 2016 9:30 PM

@ The Past, Winston Smith

Re nuclear proliferation

Good grief. That knowledge is already in the hands of the worst of terrorists and criminals. Stop torturing the rest of us for it.

All I know about nuclear weapons comes from Tom Clancy. I'm only slightly kidding. Actually Dark Sun by Richard Rhodes if I recall correctly.

And yet I talk here about filling up helium balloons and foreigners come out of the woodwork asking me face to face all kinds of questions about top secret nuclear shit I wouldn't have a clue about. I have to call B.S. on that.

Just let the people have secure computers already and use your good old-fashioned gumshoeing skills to investigate crimes whereof you have obtained probable cause by legitimate means.

Glomar • June 11, 2016 9:40 PM

@stine

That's really cool. Had a discrete math professor demonstrating Set once and I didn't pay enough attention. Everyone is wondering what the polynomial method can be applied to. Cryptanalysis, making sense of Big Data as you mentioned...

oops • June 11, 2016 10:23 PM

Interesting angle on the security Charlie Foxtrot of the Clinton emails

( https://informedvote2016.wordpress.com/2016/03/18/do-i-really-need-to-worry-about-hillarys-emails-yes-she-will-be-indicted-full-form/ )

in Guccifer's plea agreement,

https://cryptome.org/2016/05/lazar-guccifer-028-031.pdf

esp. "14. Defendant's cooperation," since Guccifer watched SAP go by and intelligence identities get burned as HRC swanned around pretending to be in charge of CIA's Benghazi armory.

https://www.rt.com/usa/complete-emails-guccifer-clinton-554/

Sebastian • June 11, 2016 11:02 PM

Under My Skin: The New Frontier Of Digital Implants

Steven Melendez 06.11.16 6:00 AM

""Biohackers" are putting microchips and magnets in their bodies for everything from unlocking the front door to detecting moon earthquakes."

"Tim Shank can guarantee he’ll never leave home without his keys. Why? His house keys are located inside his body.

Shank, the president of the Minneapolis futurist group TwinCities+, has a chip installed in his hand that can communicate electronically with his front door and tell it to unlock itself. His wife has one, too.

"You have mental checklists as you’re coming and going out of your home," Shank says. "One of those things is my wallet, keys, all those things I have with me. Once you start to eliminate all those things, you start to see all the mind space it actually clears not to have to worry about them."

In fact, Shank has several chips in his hand, including a near field communication (NFC) chip like the ones used in Apple Pay and similar systems, which stores a virtual business card with contact information for TwinCities+. "[For] people with Android phones, I can just tap their phone with my hand, right over the chip, and it will send that information to their phone," he says. In the past, he’s also used a chip to store a bitcoin wallet.

Shank is one of a growing number of "biohackers" who implant hardware ranging from microchips to magnets inside their bodies."

Full article:

https://www.fastcompany.com/3059769/ive-got-you-under-my-skin-the-new-frontier-of-digital-implants

Glomar • June 11, 2016 11:06 PM

@oops

1. Benghazi was unfortunate - it happened on Obama and Clinton's watch. That horse is dead.

2. 9/11 happened on W's and Powell's watch - very unfortunate.

3. The 1983 Beirut barracks bombings happened on Reagan and Schultz watch. very unfortunate.

4. the USS Cole attack happened just before the 200 election on Bill Clinton's watch.

5. etc etc, tired of turning these things into political grist.

6. Hillary's email a non issue. Against internal policy not law. Colin Powell had a private email server, but it wasn't against the rules then. C Manning didn't leak her emails in Cablegate so they were secure enough until their release due to the Republican witch hunt

Tired of hearing about it here.

65535 • June 11, 2016 11:18 PM

@ Grauhut

“Microsoft Visual Studio 2015 Update 2 C++ compiler auto-injects telemetry spyware code into other people's programs.”

I read the reddit thread and this move by M$ stinks like an open sewer. This is an undocumented piece of code in a "Release To Market" version of VS 2015. That took diabolical preparation!

“Strangely, I found a call to "__telemetry_main_invoke_trigger". I definitely did not have that call in my source code (I only had a main() function that returns 0!). I try to find it within Microsoft's documentation; it's nowhere to be found. The source code for this function from Microsoft is unavailable.

“I look more online; it seems Microsoft has implemented new telemetry "features" in Microsoft 10. The OS phones home with personal app usage data. But, Microsoft gives no information about how to use Visual Studio to remove this feature from your code…” –sammiesdog

https://www.reddit.com/r/cpp/comments/4ibauu/visual_studio_adding_telemetry_function_calls_to/d2x0k80

“Undocumented features in an IDE are not welcome. Ever.” –cs2501x

https://www.reddit.com/r/cpp/comments/4ibauu/visual_studio_adding_telemetry_function_calls_to/d43nyb2

That is an understatement!

It’s time for business and lawyers to get “unhooked” from M$ products for good.

I am doubtful any of M$ updates can be trusted any more. It would take a good disassembler or very good de-complier and a good security expert to vet all the PE’s and blobs M$ pushes down to its users.

@ Clive Robinson

“Look at it this way: you develop bespoke software for professional use such as doctors and lawyers. You as just another developer don't know about this Micro$haft back door, which for argument's sake means your software hemorrhages confidential client information. Who legally is to blame and who is the court going to go after...”

That is the point I have been making since the Snowden revelations. Once a major country broadly weaponizes the internet and various critical parts thereof, doctors, lawyers and judges are going to get spied upon – there is no practical alternative. The spying is so broad as to ensnare ALL users.

Lawyers and Judges require confidentiality or the legal system doesn’t work.

As Clive has pointed out, the same goes for politicians such as the British MPs buying M$ Orifice 365 and its ability to phone home or phone the NSA and the ability to copy sensitive documents to the cloud for an unknown length of time – democracy will not function under such spying. This spying has gone too far.

We the sheeple • June 12, 2016 12:10 AM

@Ashlee

From my quick read, I don't think that is normal - but a Win Fan Boy will surely answer your question in the next day or so.

Can I channel Richard Stallman for a moment and remind you that Windows is pure malware? He said recently:

What kinds of programs constitute malware? Operating systems, first of all. Windows snoops on users, shackles users and, on mobiles, censors apps; it also has a universal back door that allows Microsoft to remotely impose software changes. Microsoft sabotages Windows users by showing security holes to the NSA before fixing them.

Remember that Microshaft's privacy notice compels it to spy on everything you do:

Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to: 1.comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies; 2.protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone; 3.operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or 4.protect the rights or property of Microsoft, including enforcing the terms governing the use of the services – however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.

Free yourself and start here:

https://linuxmint.com/download.php or
http://www.ubuntu.com/download/desktop or
https://www.debian.org/distrib/ or
https://software.opensuse.org/132/en or
https://getfedora.org/en/workstation/download/ or if really paranoid
https://www.qubes-os.org/downloads/

PS Despite the FUD that 'Richard' (Markov bot?) was spreading here the other day, Linux Mint ISOs can be checked with PGP and they are not solely reliant on MD5 to verify authenticity.

SHA256 checksums and cryptographic signatures are available for each file, and (main developer) Clem's public key is easily found.

Clive RobinsonJune 12, 2016 2:02 AM

@ r,

"Researchers turn smart phone vibration motor into microphone - to spy on you"

Dag nabit, thart be 'nother wun of der dam bidirectional transducer thingies rattin' yous all out again

I keep saying it and I guess some people are starting to "listen and think, then exploit".

The thing that puzzles me is engineers have known about this problem for years, after all it's been known that DC motors are also DC generators for well over a century due to some bloke called Faraday. And further they use the same principles as moving coil speakers and microphones... You would have thought the "duality" was obvious... In fact I raised it yet again for the umpteenth time a few days ago on another side-channel thread,

https://www.schneier.com/blog/archives/2016/06/another_side-ch.html#c6725831

I've not read the /. thread (I don't use javascript) so I don't know what's been said there, but...

    If you young whipper snappers had listened and applied yourselves more in high school physics classes then you would know all about it (whats the tag for turning off "Grumpy old git" mode? ;-)

RichardJune 12, 2016 2:18 AM

@ oops

I don't normally respond to overtly partisan political garbage - but as Bernie says, I'm really tired of hearing about these damn emails.

Both Colin Powell and Condoleezza Rice, as well as a half dozen other prominent officials in the Bush administration, used private emails.

Of course, you probably have been listening to the carefully orchestrated FOX news propaganda campaign, which features idiot commentators splattering spittle all over themselves while ranting really intelligent observations like...

"Yeh, but da Hillery caze is difrent becuz she had her own server!!!!!"

So let's look at that shall we?

Yes it WAS different - Different, because unlike the government's own servers, and many others, no one has been able to show that Hillary's private server was EVER hacked - the Sidney Blumenthal emails were hacked FROM HIS AOL ACCOUNT - NOT FROM HILLARY'S EMAIL SERVER.

Which is clear from this quote from the link you posted:

"Guccifer was credited with hacking the AOL email account of Blumenthal last week, though the authenticity of the emails has not been verified."

Now, in fairness, I know that this simple fact may have escaped your attention if you have only been paying attention to FOX news and the neocon pinhead blog-o-sphere, since they have chosen to deliberately misrepresent this as proving that 'Hillary's emails WERE hacked!' - when in fact all it 'proves' is that AOL was hacked.

Also note that Blumenthal was just a former advisor, not an insider at the time, and as such didn't have access to information that was particularly sensitive, and in any case, had he sent the emails in question to Hillary at a dot.gov account, IT WOULD NOT HAVE CHANGED ANYTHING - since the emails were hacked from HIS AOL email account NOT HER SERVER.

Which coincidentally ALSO proves that if you are REALLY serious about going after those who have endangered national security by using private email for government business, you should probably go arrest Colin Powell and Condoleezza Rice first - because, based on this incident it's clear that they were endangering the country much more by using private email servers which they had no control over -- EXACTLY LIKE SIDNEY BLUMENTHAL DID.

Also interesting was the fact that in the Blumenthal emails, the demonstrations were indeed mentioned as being significant, as well as the importance of the attack on the CIA compound.

Now that more information has come out, it's pretty clear that the CIA was the main target, and that the CIA was almost certainly operating under the cover of state department diplomatic visas

-- but Hillary could not defend herself by telling America this dark little diplomatic secret, because although everyone does this, it NEVER gets admitted in public.

I suspect that if she had her druthers, Hillary might have yanked her people the hell out of Libya, since the situation was so unstable, but without a diplomatic mission - no diplomatic visas - and that would have made the CIA's job much harder - and put the CIA personnel in a much more precarious and dangerous situation.

If you have seen the film Benghazi, you know that if we really want to raise questions, we should probably start with the actions of the senior CIA station chief on site in ordering his security staff not to attempt to help in the first moments after the attack started.

As this information came to light, Hillary could have easily tossed the CIA under the bus, but instead kept her security oath and said NOTHING about the CIA's actions (or lack thereof).

In fact, we did not even hear about the CIA's involvement till more than a year after the attack, and then only because some of the security personnel recounted the events of that night.

Compare that to the Bush administration instantly throwing Valerie Plame under the bus, endangering her life, and ruining her career, just because she wouldn't help him spin lies to justify his illegal war.

Clive RobinsonJune 12, 2016 2:40 AM

@ Glomar,

There was a copyright????

Yup and royalties, it made Hitler a very wealthy man, and although it's hard to find out, he had relatives that were still getting the cheques.

RichardJune 12, 2016 3:17 AM

@ We the sheeple
PS Despite the FUD that 'Richard' (Markov bot?) was spreading here the other day, Linux Mint isos can be checked with PGP and they are not solely reliant on MD5 to verify authenticity.


Before you cast Fear, Uncertainty, and Doubt on my credibility...

Here is what the Mint download page looked like when I reported the MD5 issue:

https://web.archive.org/web/20160421085530/https://www.linuxmint.com/edition.php?id=204

Then, after I called them out on the stupidity of offering up a totally broken cryptographic hash (MD5) to validate downloads...

And HERE is what it looks like now:

https://www.linuxmint.com/edition.php?id=204

Wow! - NOW IT'S COMPLETELY DIFFERENT - it would appear that (purely coincidentally I'm sure) they have NOW dumped the MD5s and added PGP signatures.

Fixing a long standing security issue with authenticating the Mint ISOs - GOOD.

Attacking the guy who reported the problem and encouraged them to do it - BAD.
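The checking step both of the comments above are arguing about (SHA-256 manifest plus a PGP signature over that manifest, never a bare MD5), as an added example that is not part of either poster's comment and not the Mint project's own tooling. It verifies a file against a coreutils-style `sha256sum.txt`, refuses manifests whose digests are MD5- or SHA-1-sized, and uses a constructed stand-in file rather than a real ISO. The manifest's signature still has to be checked first with something like `gpg --verify sha256sum.txt.gpg sha256sum.txt` against the developer's key; a checksum hosted beside the ISO only proves the download arrived intact, not that nobody swapped both.

```python
"""Verify a downloaded image against a SHA-256 manifest (sha256sum.txt style).

Added example, not from the Linux Mint project.  Authenticate the manifest
with a detached PGP signature before trusting it; this code only does the
hash comparison and the "is this even a strong digest" sanity check.
"""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdefABCDEF")


def parse_manifest(text):
    """Parse ``<hex>  <name>`` / ``<hex> *<name>`` lines into {name: hex}.

    Any digest that is not 64 hex characters (SHA-256) raises ValueError, so an
    MD5 (32) or SHA-1 (40) manifest is rejected instead of "verifying" a file
    with a hash for which collisions are practical.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: malformed manifest line")
        digest, name = parts
        if name.startswith("*"):          # coreutils binary-mode marker
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(
                f"line {lineno}: not a SHA-256 digest ({len(digest)} hex chars)")
        entries[name] = digest.lower()
    return entries


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-GB ISOs don't get slurped into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(manifest_text, path):
    """True iff the file's SHA-256 matches its manifest entry."""
    entries = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in entries:
        raise KeyError(f"{name} not listed in manifest")
    # constant-time compare; the manifest is untrusted input until signed
    return hmac.compare_digest(sha256_file(path), entries[name])


def demo():
    """Constructed stand-in: a small file plus good, tampered and MD5 manifests.

    Returns (good_ok, tampered_ok, md5_rejected)."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "distro.iso")      # assumed name, not a real image
        with open(iso, "wb") as f:
            f.write(b"not really an ISO\n" * 1000)
        good = f"{sha256_file(iso)} *distro.iso\n"
        # flip the first hex digit: simulates a manifest that does not match
        flipped = "0" if good[0] != "0" else "1"
        tampered = flipped + good[1:]
        good_ok = verify_download(good, iso)
        tampered_ok = verify_download(tampered, iso)
        try:
            parse_manifest("d41d8cd98f00b204e9800998ecf8427e  distro.iso\n")
            md5_rejected = False
        except ValueError:
            md5_rejected = True
        return good_ok, tampered_ok, md5_rejected


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints `(True, False, True)`: the genuine manifest verifies, the altered one does not, and an MD5-only manifest is refused outright rather than silently accepted.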

ianfJune 12, 2016 4:18 AM


@ Clive Robinson wrote: “Mein Kampf royalties made Hitler a very wealthy man”

Hitler's wealth was in large part due to royalties on [millions upon millions of] Reich stamps with his portrait on, less due to the ~10M copies of the book printed up to 1945 (all editions; previously I saw a figure of ~12M, but recall it being a result of statistical derivation from a set of narrow figures). Acc. to Wiki, 240000 copies were sold prior to 1933, and after that the 3 German mass editions can't but have been heavily discounted, so no big royalty percentages either.

As for “relatives getting cheques”… hold it right there, pardner… Hitler died intestate, without a testament, therefore the copyright automatically ended up with BRD state of Bavaria, which prevented further reissuing of it. So where would those copyright cheques come from? Would the book's postwar Arab, Turkish and/or Indian publishers—places where it was most popular (figures)—VOLUNTARILY SEND IN ROYALTIES to Eva Braun's nieces, or obscure descendants of his mother's aunts, rhetorical questions – or you cough up verifiable sources to the contrary.

ianfJune 12, 2016 5:23 AM


@ Glomar sarcastically asserts that “modern copyright law is solely for the benefit of the creators and artists.”

Wrong analysis… there was nothing modern about it, quite the contrary, old copyright laws applied here. Modern would be to extend the copyright, hence, in this case, the state of Bavaria's no-republishing of "Mein Kampf" prerogative, further, if not indefinitely – as is being enacted in the USA with the Mickey Mouse Protection Act - its copyright in force until 2047 (no typo), and then we shall see…

    FAST FORWARD A COUPLE CENTURIES: the creative cliques look askance at our times' pigheaded copyright stupidity, publishers hoarding rights without [needing to] exploit them, which essentially buries works in all perpetuity, esp. for their authors' contemporaries – for whom these works were created in the first place.

CzernoJune 12, 2016 5:52 AM

Re: Mein Kampf copyright and royalties thereof.

ICBW but I think I read that the late Herr Hitler's rights and properties were seized (sequestered) by the Länder and or central state of Western Germany as per specific legislation after Germany's defeat. Of course, in the former DDR (East Germany) there was not even a need for legislation, everything was stolen by the Soviets.

In any case after the war no parent/heir could benefit from sales of Mein Kampf in Germany and most of Europe, at least. Maybe in America ?

Comrade MajorJune 12, 2016 6:09 AM

@Richard

So, lesson learned - In order to be effective, a proper 'BIOS write-protect' switch or jumper, would need to be implemented in HARDWARE, using a flash chip which provides a physical write disable pin.

You are right. All these "BIOS write-protect" switches don't block flash writing; they only ASK the flash chip (software in it, I think) not to rewrite memory.

Clive RobinsonJune 12, 2016 8:05 AM

@ ianf,

Hitler died intestate, without a testament

Hitler made a will and a political statement, so did not die intestate by any of the definitions I'm aware of. At least three copies were made and sent out with messengers who were captured in the British and US zones. The US has two along with Hitler's marriage certificate, which they had published in newspapers and later put on display (there are images available on line if you want to look at them).

In his "Private Testament" (personal will) aside from acknowledging his marriage (but not to whom) he had provision for his surviving brothers and sisters and wife's mother, instructing Martin Bormann to take that "which is necessary for the maintenance of a small bourgeois household". Further his housekeeper and some of his faithful co-workers.

He also gave gifts of sentimental value to others. The remainder of his fortune was supposedly destined for the "Nationalsozialistische Deutsche Arbeiterpartei" (NSDAP) which is now more commonly known as the Nazi Party. It's here things get complicated as it was effectively dissolved in 1945 just over five months after Hitler committed suicide.

There have been several accounts of what happened given over the years but they all vary in detail, even these days it still makes news,

http://www.dailymail.co.uk/news/article-2670017/Adolf-Hitler-stashed-3-6billion-Swiss-banks.html

Oh from the figures given there from the tax records and copyright payments of the "wedding gift" copies of the book, for which he would have received full copyright you can be sure, you will see that the monies alone would as I said have made him a wealthy man.

Oopsie-daisyJune 12, 2016 8:22 AM

Oops, indeed! An errant post brought out the Hillary social-media glavlit in full force. Multiple personas! Nice plan: deny everything and hope nobody reads the links, one of which is long and prodigiously thorough. Also, good precis of the slogans for Dem dopes:

- I'm tired. Meticulously focus-grouped for morons.

- It's Sidney's fault. Jerk got on Hillary's secure government email from his stupid old-guy AOL and... Oh, wait.

- But but but she never got hacked. This one is hilarious. They didn't have to hack her, she didn't set up SSL for months. She was emailing plaintext. With no password.

- Internal policy not law. RTF the links and mansplain that.

- What about them? Everybody intentionally circumvented the law with insecure servers under their control... Oh wait.

- Fox News, Fox News, Fox News. And, evidently, those wholly-owned subsidiaries of their sprawling media empire,

https://informedvote2016.wordpress.com/2016/03/18/do-i-really-need-to-worry-about-hillarys-emails-yes-she-will-be-indicted-full-form/

https://cryptome.org/2016/05/lazar-guccifer-028-031.pdf

https://www.rt.com/usa/complete-emails-guccifer-clinton-554/

Hey, since you're here helping mansplain it all to us, holy shit, Cannon really stepped on his crank in his latest damned-emails post. Somebody better tell him to stop helping. He laid out all the appalling facts ever so nicely. But in bullshitting his way out of them, his know-it-all shtick catastrophically failed because he doesn't know the difference between a CIA officer and CIA agent. He says Drumheller's not CIA any more, so there. And Moussa Koussa's a foreigner, so there. Of course Moussa Koussa's a foreigner. The question is, Is he an agent? Big, big difference. What if Moussa Koussa had a good thing going as a bigmouthed agent of influence till some clown burned him in an unencrypted email? Welcome to Supermax.

For you and me anyway. Only CIA nomenklatura get away with stuff like that. Cheney, Hillary, et al. So Cannon's right about big picture: Hillary's going to get away with it. She's CIA's hood ornament. She's made.

ianfJune 12, 2016 8:31 AM


Says Daniel: “Internet gurus meet to discuss how to make the web more anonymous from the ground up.”

That wasn't the intent of that [NYT] “Decentralized Web Summit” recently held in San Francisco. Its goal was to open up a public discussion on how to wrestle back control of the Web (and, by implication, most of the Internet) from the few commercial and state actors that now effectively "own it."

It's early days yet, I'm waiting for more extensive coverage of the summit's themes/ topics/ workshops, but I don't think the subject of "greater safeguards for anonymity" was near its agenda. But I'm glad that something like that has started to happen, and, if I read the summit's coffee dregs right, the "leading consensus" there was that the road to the next web goes via peer-to-peer route—even if the peers in reality would reside inside humongous commercial "clouds," rather than in past-times PC towers entirely in their owners' hands.

    The key to "restarting" the web appears to lie in first agreeing on a unobtrusive, affordable and infinitely scalable micropayments structure that would benefit content creators without each separately signing-up subscribers (=typical current sign-up ratio being 10000 free to 2 paying visitors), and the users accepting the metered-tier charges just as we do with e.g. TV cable plans. I.e. payments within reason, and for what we know we've ogled etc ourselves. And then to build up a parallel NEXTWEB that works acc. to the new principles, because today's Internet giants won't voluntarily give up what works for them. That means persuading you–and–you–and you–too to delete your Fuckfacebook account, among other things.

But, as I said, let's wait and see what the http-boffins come up with this time around. Expect the NEXTWEB URLs to begin with scheme "next://" ;-))

AlanSJune 12, 2016 9:45 AM

The Intercept provides Snowden documents to Scottish investigative journalists: Scots police had access to GCHQ spy programme

As part of MILKWHITE, GCHQ made vast amounts of metadata available to MI5, the Metropolitan Police, Her Majesty’s Revenue and Customs, the Serious Organized Crime Agency (now the National Crime Agency) and the Police Service of Northern Ireland, as well as the eight former Scottish police forces.

Tinky-winkyJune 12, 2016 9:48 AM

Thanks, Daniel and Glomar, for alerting me to this email business, which kind of bored me for a long time. But really, it's fascinating, as your detailed explanation suggests!

There are so many facts:

http://www.thompsontimeline.com/The_Clinton_Email_Scandal_Timeline

And so much corruption and lawlessness:

https://medium.com/soapbox-dc/12-red-flags-in-clintons-email-setup-da8966760f7d

Why? Why? Why? I got so confused. Then my foreign intel friends explained it to me. It's really very simple!

DoS is infested with CIA moles. They use the Clinton Foundation as CIA's new slush fund for off-budget foreign dictator payoffs. Puppet rulers pay dues to the CIA spooks who keep them in power, and CIA spends the money on guns and bombs for ISIS and domestic Gladio attacks. Bill runs the foundation and Hillary hides it for him. The slush fund's perps all use lawyer Beth Wilkinson, who framed Tim McVeigh for what the government did in OKC on Clinton's watch.

Clive RobinsonJune 12, 2016 10:20 AM

@ ianf,

It is not clear from your posting style, if this is your view or quoted from somewhere,

The key to "restarting" the web appears to lie in first agreeing on a unobtrusive, affordable and infinitely scalable micropayments structure that would benefit content creators without each separately signing-up subscribers...

I'm going to assume it's a quote or a rehash, because I doubt you actually believe such payment systems will happen in any time frame that you or I would call the rest of our lives.

The problem is that whilst we don't think so the Internet is "free of restraint" in the context of royalties and other revenue.

Thus as long as there is no restraint it costs nothing to "duplicate and make available" from another place.

You can see this with a certain Scientific Document site somewhere outside of US Jurisdiction. A company that effectively steals the IP from both the science paper authors and the US Gov that was paying for their research, went to court to try and protect their crime based cartel. The result was lots of legal fees and a fairly impotent judge saying that the domain name now in effect belongs to the company. Did that certain Scientific Document site close down or was it in any other way affected? No of course it was not and the last time I looked it was still up and running. So at the very best it was a Pyrrhic victory for the IP stealing company and their criminal cartel.

As long as there are places beyond regulation for political or other reasons, then copying and making available from second, third, fourth etc sites will continue.

Until that stops happening such things as micropayments even nanopayments will be doomed to fail.

Thus I see the first step in getting content fees is going to be a very serious balkanisation of the Internet, which will in effect destroy it, so whatever Phoenix arises from the ashes of that bonfire of the vanities funeral pyre, it will be an entirely different beast.

As for small content suppliers it will never pay, as those cartels will not go away. They will eventually get their "content control chips" to ensure the balkanisation, and at that point consumer prices will rise significantly, and for those who will have to pay fees to get their content included, there will be huge administration fees or similar, way beyond what their work will ever be worth. We know this from past behaviour that "middle men with legislation" are the new "robber barons" creating faux markets and seeking vast rents to artificially control any real market that might otherwise arise.

Gerard van VoorenJune 12, 2016 10:55 AM

@ ianf,

About the Decentralized Web Summit. It appears to me that the participants all have their own software stacks, each in different stages of progress, probably incompatible and written in various programming languages. If the goal is to have one new url scheme and to bundle these software stacks together, there has to be a lot of "convincing power". For instance IPFS is written in Go and is peer to peer. Tor is written in C and uses the onion scheme. IPFS is meant to be permanent (with hashes) and faster than the speed of light where Tor's goal is anonymity. These are only two of the couple of dozen software stacks. I like the idea of bundling though and it could be interesting.

Bumble BeeJune 12, 2016 11:36 AM

@ Winston Smith

Re PGP encryption

I don't use PGP. It's not because I don't think it's a good idea in principle or because I have nothing to hide.

It's just that I have not been able to use it successfully to date. Whenever I try to set up PGP keys, if my computer system isn't hacked, the keys are beaten, stolen, robbed, drugged, or rubber-hosed out of me. Repeatedly. Year after year.

Remember I live in Chicago mob territory, which includes at least all of U.S. and Canada. Another cartel rules Mexico, Belize, Panama, etc. on south to Colombia. They're all in it together. I'm so sick of the 10x caffeinated "100% Colombian" coffee they sell here in the U.S. I literally want to puke because one cup of it is enough to give you kidney failure. "Decaf" coffee on the other hand is usually adulterated with some other bladder-irritating chemical, or else it's really just the usual 10x caffeinated stuff doped with a sedative.

And Vladimir Putin rules Europe, poisoning his enemies with polonium and so forth. It is the BRICS style of rule. There is no rule of law anywhere in the world anymore.

keinerJune 12, 2016 11:51 AM

RE: "Powered by DuckDuckGo"

- I had recently two totally unrelated incidents of computers excessively trying to contact Microsoft telemetry sites, one computer with PC-BSD 10, one with an openSUSE Tumbleweed. In both cases, the only application running was

Firefox (latest version in each case) with noscript, cipherfox and betterprivacy Add-ons,

and duckduckgo (default search engine), startpage SSL and google as search engines.

The first incidence I had no idea, how this came, but the second time somebody had pointed out, that duckduckgo is re-selling BING, infamous Microsoft piece of eeehm...

The second case resolved immediately by removing the duckduckgo search engine from the browser.

Subsequently DNS requests "only" indicated contact with opensuse and google telemetry....

So: duckduckgo is evil. It's a hidden Microsoft trojan exploiting OS's other than Windows.

Clive RobinsonJune 12, 2016 11:59 AM

@ AlanS,

Agh yes the "Ferret" has one or two interesting posts to this blog. This one about circumventing IMSI catchers in Scottish Prisons should be of interest to many,

https://theferret.scot/imsi-catcher-trial-scottish-prison-service/

Whilst the use of 4G by smartphones and only 2G & 3G by the IMSI is one fairly obvious work around there will be others.

The issue that lets IMSI Catchers work is also its weakness, and one I'm fairly sure those that sell these expensive and invasive devices leave out of their sales talks etc.

The fact that the Scottish Prisons Authorities are talking about moving from a fixed point system to a number of mobile systems is a significant tell as to what could be going on with as little as cardboard and tinfoil and even just bits of carefully positioned wire. I'm fairly sure there are those that will either "sell the information" to criminals or are criminals sufficiently smart as to where to find Amateur Radio or WiFi information and be able to use a calculator or just paper and pencil, ruler, a couple of pins and a bit of string etc to make the required bits and pieces.

As for phones not being able to avoid IMSI Catchers, it's actually not quite true. Whilst it is for most "Service Provider SIMS" there are "Engineering SIMS" that can turn a phone into a "Test Instrument" that the criminals can get hold of relatively easily, which would enable them to quickly track down any mobile IMSI Catchers, in the same way as those TAO "Find Fix and Finish" wetwork devices, something the Prison Authorities really should consider as it's their staff or subcontractor staff that could end up being "Finished" rather permanently.

When it comes to technology the more select criminals, even the ones that occasionally get caught, are way way ahead of the likes of both the LEO and IC organisations in both deployment and circumvention techniques (hence the FBI trying it on with Apple, or paying large sums to university students/staff for TOR exploits etc).

It's been that way for over a century and is likely to remain so for some time. After all it was the Mafia that "bugged" the FBI years before the FBI worked out what was going on. As for the CIA, let's just say that their mastery of technology does not have anything close to the impression they like to give. Much of it comes from companies whose main interest is protecting their profits, not innovating technology. Even the NSA we can see from the TAO Catalogue are not actually that far up the technology food chain.

Whilst the FBI has smartened up a bit, the usual cost of resources means that they try short cuts like trying to blackmail kids and people with families. And that's not served them well so they still go after the "low hanging fruit" or go way beyond entrapment to "Create Terrorists" from those who can not deal with life let alone manage simple resources like bus fare so have little or no chance with even the simple technology required to make a detonator etc.

It's not too hard to see that even with help the LEO and IC agencies are still floundering like fish out of water when it comes to exploiting technology. We hear the "sipping from a fire hose" metaphor being used. As someone else pointed out "You can gather all the grass you want but if you don't have the brightness to make hay, all you end up with is a stinking mess". Which is a fairly apt description of 9/11 and the Boston Marathon, the middle east, oh and a couple of hundred other things we have heard about (so how many are there they have managed to keep the lid on).

The one thing the IC and LEO orgs have woken up to is that they are, due to consumerism, in a "golden age". Which is due in the main to "People don't think of the consequences when consuming", they do silly things because others do and don't think of the significant cost tomorrow only what appears "Free Today". But that is changing, people are starting to come out of their child like trance, they see their own children Cyber harassed / bullied / sexploited / demeaned and in many other ways have their lives upset. The children themselves are learning about the technology whilst even in pre-school and certainly in junior school. Within a few years Computer Literacy will be at or above the "three R's" status, and they will also learn about the darkside of technology and take the time to protect themselves. At which point these fire hydrants the IC and LEO orgs currently have no way to handle will start to dry up, and they know it, but more importantly the politicos are starting to wake up as well. What we saw in the Commons is possibly the last summit for the LEOs; they will not find the future MPs or Ministers so keen to pass such legislation.

As for the IC orgs, as I've said before they see themselves as a "brotherhood beholden only to themselves" and thus above not just the law but the elected legislators. This is not something that is long-term stable, which way it will go I have no idea but as has been observed long ago "The tree of liberty needs to be refreshed from time to time with the blood of patriots and tyrants", let's hope it's mainly the tyrants' blood.

Bumble BeeJune 12, 2016 2:48 PM

@Clive

Oh of course I couldn't deal with life, handle bus fare, or make a bomb with a detonator.

By U.S. Code I am a "legally adjudicated mental defective." That means by law I cannot own a firearm, handle explosives, work in the U.S., own or rent a home, get married or have any intimate relationship of my own free will, or leave the country. I am considered legally outside the protection of the law, and fair game for any violent acts that would otherwise be crimes. I have to subsist on a meager disability payment most of which is stolen or robbed each month.

At the slightest provocation I am locked up and forcibly injected with major tranquilizers.

The Right ProtectionJune 12, 2016 4:21 PM

@CMajor

You are right. All these "BIOS write-protect" switches don't block flash writing; they only ASK the flash chip (software in it, I think) not to rewrite memory.

You are wrong, in a never say never way. Are you asserting that never in the history of humankind has an actually enforcing BIOS write-protect switch been implemented? Somehow I am skeptical. To alternately phrase it, it's like the difference between an 'airplane' mode wifi kill switch that, like you point out, is often just an 'ask' switch to an OS you have faith in the purity of. But it's pretty easy to implement a physically interrupting switch to the power of the pcie(or whatever) daughterboard or antenna. Actually I just hope you are wrong, that all along those bios write protect jumpers weren't just as worthless as floppy disk write protect tabs.
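The distinction Comrade Major and The Right Protection are arguing over, as an added example that belongs to neither comment and models no specific board. A "write-protect" that is just a flag firmware reads can be cleared by whatever runs with firmware-level privilege; a write-protect that is a pin on the flash package cannot be changed over the SPI bus at all. The model below follows the status-register scheme common SPI NOR parts use (block-protect bits plus an SRP bit that, together with the WP# pin, locks the status register); the exact bit positions and the protected-region sizes are assumptions, so check the datasheet of the part you actually have before relying on any of them.

```python
"""Simplified SPI NOR flash with status-register write protection.

Added example, not a datasheet transcription.  Bit layout assumed:
  BP0..BP2 at bits 2..4  -> how much of the top of the array is protected
  SRP      at bit 7      -> with WP# asserted, the status register is locked
Real parts vary (some add SRP1, TB, SEC, CMP); treat this as the shape of the
mechanism, not the register map of any particular chip.
"""


class SpiNorFlash:
    BP_MASK = 0b0001_1100   # block-protect bits (assumed positions)
    SRP = 0b1000_0000       # status-register-protect bit (assumed position)

    def __init__(self, size, wp_pin_asserted):
        self.mem = bytearray(b"\xff" * size)
        self.status = 0
        # WP# is a physical input.  A jumper or switch wired to the pin sets it;
        # nothing the host sends over SPI can touch it.  That is the difference
        # between a real write-protect and a setting that merely "asks".
        self._wp_pin_asserted = wp_pin_asserted

    def _status_locked(self):
        # Hardware-protected mode: SRP=1 AND WP# driven low.
        # If WP# floats high, SRP alone protects nothing.
        return bool(self.status & self.SRP) and self._wp_pin_asserted

    def _protected_bytes(self):
        """Bytes at the top of the array covered by the BP bits (assumed 1/8,
        1/4, 1/2, all for BP=1..4; the boot block lives at the top)."""
        bp = (self.status & self.BP_MASK) >> 2
        if bp == 0:
            return 0
        return min(len(self.mem), (len(self.mem) >> 3) << (bp - 1))

    def write_status(self, value):
        """WRSR: returns True if the chip accepted the new status register."""
        if self._status_locked():
            return False
        self.status = value & 0xFF
        return True

    def page_program(self, addr, data):
        """PP: returns False (command ignored) if any byte hits a protected block."""
        prot_start = len(self.mem) - self._protected_bytes()
        if addr + len(data) > prot_start:
            return False
        self.mem[addr:addr + len(data)] = data
        return True


def rewrite_boot_block(flash, payload):
    """What a BIOS updater, or malware that has reached firmware privilege, does:
    clear the protection bits, then overwrite the top of the array."""
    flash.write_status(0)
    return flash.page_program(len(flash.mem) - len(payload), payload)


def compare(size=4096):
    """Run the same lock-then-attack sequence on two chips.

    Returns (rewrite_succeeded_with_wp_pin, rewrite_succeeded_without_wp_pin)."""
    payload = b"\x00" * 256
    results = []
    for wp_asserted in (True, False):
        chip = SpiNorFlash(size, wp_pin_asserted=wp_asserted)
        # platform firmware "locks" the chip at boot: protect top half, set SRP
        assert chip.write_status(SpiNorFlash.SRP | (3 << 2))
        results.append(rewrite_boot_block(chip, payload))
    return tuple(results)


if __name__ == "__main__":
    print(compare())
```

With WP# wired to a real switch the status register refuses the unlock and the boot-block write is dropped; with the pin floating, the same software sequence clears the protection and the rewrite succeeds, which is the "ask nicely" case. `compare()` returns `(False, True)`. A jumper on a board is only worth something if it is wired to that pin (or to an equivalent chipset-side lock) rather than to a GPIO the firmware reads and acts on.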

Lord of M.I.T.June 12, 2016 4:28 PM

@ianf, daniel

The key to "restarting" the web appears to lie in first agreeing on a unobtrusive, affordable and infinitely scalable micropayments structure that would benefit content creators without each separately signing-up subscribers...

That is the 'key' to what Sir Tim wants to sell us (mad props for the hypertext thing to whoever really invented that, it's awesome). The 'key' is competition from the field of home servers. If the server persecution by ISPs was abandoned as it should be in a non-totalitarian state, we would see hundreds of bitcoin and dogecoin forks sprout up overnight, and this lack of micropayments shit would disappear. Likewise a thousand other creative solutions would drown out the establishments utter crap like some sort of biblical vengeance. 140 character limit, holy fuck.

Clive RobinsonJune 12, 2016 4:50 PM

@ Bumble Bee,

Oh of course I couldn't deal with life, handle bus fare, or make a bomb with a detonator.

Yet strangely you can post coherently here... And I'm assuming that you are currently not a terrorist and probably like the vast majority of Americans have no intention of being one either.

But you are fed up with the "legal" situation you are in, which surprisingly I can understand; from what you say it sounds like what goes on in the UK.

In the UK there is a catch 22 situation, not being legally allowed to work with others or drive, ride a push bike. Due to "health and safety" reasons, you are not only a danger to yourself but others, thus an employer can not get insurance to cover you. If you find work but don't inform the employer in the correct manner, then you are instantly guilty of fraud (which in the UK gets treated worse as a crime than going around robbing people at gun/knife point). If you do inform the potential employer correctly by giving them your full medical history, then not only do you lose your privacy you don't get a job. But the current Gov insists that if their "paid by results" adjudicators find you fit to work[1] then they immediately cut you off from all social payments. You then have to take the Gov to court, without any kind of legal aid and present your case against the frequent lies[2] presented to the court as facts. If you are lucky enough to win, the Gov Dept then finds every excuse not to pay the moneys the court has awarded you[3]. Then the psychopath ministers in charge, having been directed by a coroner's court to make and report on the numbers of people killing themselves --because of the state they were put in by the Dept-- fiddled the figures, in effect saying if the people were not actively receiving benefits then they should not be included in the report...

The UK likes to paint itself as a very liberal country, friend to all, that does not allow its citizens to fall by the wayside etc. It's a real shock to many people when they find out the truth of what the current "Posh Boys'" ideology actually is and how it affects ten percent or so of those who are considered "of working age". Oh, part of the ideology is the "inverse Robin Hood" of steal from the poor to give to the rich, so the status gap can be drastically increased. It makes me sad to think that in the long distant past I actually voted for their party. Since then I've actually looked and learned and wised up, which is why I would rather put a Gov Minister on a Bonfire come Nov 5th than a straw effigy of what was arguably the last man to enter Parliament with honest intentions (his name Guy Fawkes, look him up in Wiki to see why he had honest intentions ;-)

[1] In one case I'm aware of, a very physically disabled person with carer attended for an assessment that was on a second floor, with no way for the person to get up there. The company (ATOS) marked them down as failing to attend. Despite considerable proof having been previously provided in writing to both the Gov Dept and ATOS[4], the person apparently failed to make the assessment center aware of their needs...

[2] In another case I'm aware of, again ATOS staff abused a disabled person and had security guards try to throw them out of the assessment center; when the disabled person refused, the security guards stole their personal effects and threw them into the street in a very high crime area (Balham, London) to get the disabled person to leave. Shortly thereafter the person collapsed in the street and was admitted to hospital. But apparently according to ATOS none of it happened, despite there being an audio recording verifying what the person said.

In another case ATOS sent in to the court evidence that claimed that they had repeatedly phoned the person and left messages. But they also included in their evidence bundle letters predating the earliest of the supposed calls from the person clearly indicating that due to a hearing deficiency they had no phone and could only be contacted by letter. Unsurprisingly the court was not impressed and found for the person...

[3] In that case even though the person won their case against the Gov Dept, the department did not do what the court told them to do... It actually took the fact that the person turned up to the Dept offices with a Bailiff to get them to do some of what the court ordered.

[4] Even though doing "medical assessments" ATOS was and still is an engineering company designing amongst other things ticketing machines for transport companies using the Philips, now NXP, MiFare smart card system. Thus they recruited any medical staff they could get their hands on, often as temporary minimum wage staff. Many of these were the likes of low grade nurses that could not get work elsewhere, and Drs from other parts of Europe and the world whose language skills were insufficient to get work in the UK for safety reasons. Oh, and some of the staff, mostly "nurses", had resigned their jobs rather than get fired for the likes of gross incompetence. ATOS liked these staff because they could be relied on to find people fit for work even though they obviously were not to any kind of independent medical examiner.

Theorized ConspiratorsJune 12, 2016 5:05 PM

@BB

And Vladimir Putin rules Europe, poisoning his enemies with polonium and so forth.

While I dig your machiavellian take on geopolitics, I think you lost me here. I've always presumed Vlad was as afraid of being poisoned by the KGB and drug off to GITMO as much as anybody. Focus on the puppet masters, not the puppets.

rJune 12, 2016 5:40 PM

@Bumble Bee

Is there any chance for a re-evaluation?

I don't want to pry too much but you do have my condolences. My brother-in-law is severely handicapped and over the years has had multiple run-ins with police due to 'escapes'.

He's not lucid though, but most often very pleasant and fun to incorporate into our daily lives.

The news in our area earlier this year showed us pictures of some family keeping their autistic 'reality-impaired' son in a dog kennel for "safety???".

I hope your signee? is fair and just.

nopeJune 12, 2016 6:00 PM

@keiner

Do more research about DNS & SSL?

If you are being accurate with the recognition of these symptoms, this could be an interesting scenario...

Firefox (latest version in each case) with noscript, cipherfox and betterprivacy Add-ons

Sadly, your conclusion is clearly flawed.

Is it the web-browser, the script-blocker/interpreter, another addon, the unstable operating system, or could it somehow be that the non-executable hyper-text is causing all of your problems..?

I greatly doubt the latter.

keinerJune 12, 2016 6:28 PM

The DNS requests for MS telemetry subsided directly after uninstalling duckduckgo.

Only page opened in the latter case was the management page of my router (also running DNS).

What exactly do you mean by " the non-executable hyper-text"?

Would love to see a "stable" OS in your opinion. Windows? Why should a non-MS OS contact MS telemetry over and over again?

In the latter case: With only one client on the network, I ended up with 70,000 states, 2 days later 90,000 states, 1 hour after a reboot I had more than 1000 states with MS telemetry (router is blocking contact to many of these sites via a BLOCK rule).

I don't get where the OS (Linux) should be involved here. Would love to learn more.

LongStoryShortJune 12, 2016 7:19 PM

What exactly do you mean by " the non-executable hyper-text"?

Who wouldn't love to see a "stable" OS within their lifetime!?

My point now is - that is irrelevant. A hyper textual markup language should theoretically have no possible impact upon assurance and integrity issues.

If some specific versions of visual representations via formatted-text are contributing to the further erosion of trust, well then; why or why not..?

Clive RobinsonJune 12, 2016 7:25 PM

@ The Right Protection,

You are wrong, in a never say never way.

If you check on the data sheets of many "Flash" and "EEPROM" memory devices, --which Comrade Major is referring to-- you will not find either a "read" or "write" line as you do for the more traditional Bytewide static RAM etc.

What you find is a "chip select" and serial data clock, and a protocol by which you write in a command to read or write a byte or block of up to 2500 bytes on one or more bi-directional data pins.

This style of chip, which is quite common and can be found in "memory cards", "USB Thumb Drives" and similar, does not have a /write_enable (thus write disable if pulled high) line. Whilst the "memory cards" and some "USB Thumb Drives" might have a "write protect switch" it is usually just a status line going back to either the system the memory card is connected to or to the microcontroller on the USB device. In either case it is "advisory only" to software, not "hardware enforceable" to the actual memory chips.

Thus you actually have to check not just the type of Flash memory used on a motherboard but its specific part number, as well as tracing out any "write disable" jumper, if there is one (which is unlikely these days).

Back in times past the "bytewide" memory format was common as it was pin for pin compatible with either battery backed up RAM used for storing the BIOS settings or PROM in DIL (for socket) or SMD format. As a /write line was part of the Bytewide spec for RAM a write disable jumper --might-- have worked at the hardware level with some Bytewide Flash parts. If there are no write disable jumpers on the motherboard, then it's a moot question as to what type of Flash / EEPROM it is.

These days other formats of Flash chip are sometimes used as they take up less PCB "real estate" and will work with a bus controller to get serial content from the Flash into the parallel format of the system RAM. It rather depends on the CPU family, who manufactures it and the various bus support chips around it.

For my sins in the past I've designed embedded system motherboards where I used a small microcontroller to control the reset circuit of the main CPU as well as doing a "bootloader" function from serial Flash chips to RAM, RTC and "brown out", and provide a couple of serial interfaces and up to four Memory Card interfaces. This arrangement allowed a "control terminal" to have a great deal of control over how the system started up, including control over other hardware using a Forth compatible CPU independent program, much like that found in Sun and IBM systems.

ThothJune 12, 2016 7:35 PM

@Bumble Bee
re: PGP encryption

If you are worried about hacking exploits against PGP keys, you can use a smart card to store the PGP keys via the OpenPGP applet for smart cards.

If you are troubled by its usability, I am working on a PGP alternative called GroggyBox which merges features of Truecrypt and PGP by giving you the ability to deny possession of secret keys (as opposed to Truecrypt's deniability of content possession - which is quite obvious) and the capability of PGP to send secured files to multiple recipients, all done within the secure confines of a smart card hardware.

Of course a user friendly client application would also be highly important so new users wouldn't need to scratch their heads too hard to use strong crypto.

Current progress of that project is still under development and progressing at a healthy pace with basic encryption and decryption processing.

It will be ready when I decide to announce a stable release.

Link: https://github.com/thotheolh/groggybox

Bumble BeeJune 12, 2016 8:21 PM

@ Thoth

We're way behind in the U.S. Smart cards are not in fashion here and in fact they are considered Eurotrash by the Chicago mob, in other words, a tempting target for mob associates to rob and steal. Smart card readers are almost impossible to obtain here, too. The same goes for them.

Smart cards and smart card readers are totally out of the question in the U.S. Using them or talking about them or ordering them online or downloading drivers or programming tools for them is like flashing $100 bills in a poor neighborhood in some lawless third-world country.

Gentry KnowleJune 12, 2016 9:01 PM

The Intel P4 architecture had the memory hole exploit, and considering the US nuke control system is still using old systems requiring the ongoing manufacture of floppy disks at extraordinary cost, one might assume anything newer is not trusted to meet the same security requirements, perhaps backed up by knowledge of possible hardware based exploits on more recent architectures.

Even if one could secure BIOS write with an effective hardware switch, the boot process of many operating systems is exploitable, sometimes using the very own system files to subvert the boot process. Win XP for example can be forced to overwrite or modify the behavior of its system files during startup with a simple text file, allowing corruption and write to System Volume Information, MBR corruption and more disturbing actions with a little more effort. Newer Windows versions would not be much different from a brief analysis. Other operating systems are also susceptible to shell and file permissions exploits, though some versions seem a little more robust and physical access may be required to alter file permissions and user privileges. This is why read-only OS distros have their advantages, assuming some parties do not possess currently working exploits to uncloak their anonymity protections, though easily negated by cheap burner WIFI cards and the ease of acquiring anonymous access to random wireless networks and finally a hammer to help retire cheap WIFI cards or dongles.

RichardJune 12, 2016 9:35 PM

@ Clive Robinson

If there is a design requirement for this feature, there are still lots of chips which provide a hardware write protect pin, though it does limit the available options in some cases.

Even tiny 8 pin serial flash chips like the W25Q128FV SPI Flash provide a WP pin:

1 /CS I
2 DO (IO1)
3 /WP (IO2)
4 GND
5 DI (IO0)
6 CLK I
7 /HOLD or /RESET I/O
8 VCC

...but due to the limited number of pins, there are tradeoffs, and the fastest Quad SPI IO mode can't be used when using the WP pin because pin 3 is dual purposed between Write Protect and IO2.

This chip may be too small for a modern PC bios (16 Megabytes), and for a PC bios you would want a parallel IO flash anyway, but it does show that hardware write protect is available even on chips with very limited pin counts.

On parallel chips that lack an explicit write protect pin, you can generally work around this by blocking the Write Enable pin (for chips with RE and WE) or forcing a READ level to the R/W pin (for chips where Read/Write is selected by a single pin).

So hardware limitations are a POOR EXCUSE.

I think the REAL reason we don't see hardware jumpers or switches is that manufacturers want to ship half-baked buggy crapware, and fix it later - so they try to make updates as easy as possible FOR THEMSELVES (and security be damned).
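Clive's point that a write-protect switch is often "advisory only" and Richard's note that the W25Q128FV's pin 3 is shared between /WP and IO2 come down to the same check: the pin only enforces anything in one of the chip's protection modes, and only while Quad mode is off. The following is an added example, not code from the thread or from Winbond; it assumes the W25Q128FV status register bit layout (SR1: SRP0 bit 7, BP2..BP0 bits 4..2; SR2: QE bit 1, SRP1 bit 0) and the protection modes as I know them from the datasheet, and the register values it is fed are constructed for illustration.

```python
"""Added example: decide from a W25Q128FV's status registers whether its /WP
pin is actually enforcing anything, or is merely present on the pinout.

Assumed bit layout (Winbond W25Q128FV; SR1 is read with command 0x05,
SR2 with command 0x35):
  SR1: bit7 SRP0, bit6 SEC, bit5 TB, bits 4..2 BP2..BP0, bit1 WEL, bit0 BUSY
  SR2: bit1 QE (Quad Enable), bit0 SRP1
/WP only locks the status register in "hardware protected" mode
(SRP1=0, SRP0=1) and only while QE=0, because QE=1 turns pin 3 into IO2.
A locked status register is what makes the BP (block protect) bits
non-clearable; with BP=000 nothing is protected no matter what /WP does.
"""
from dataclasses import dataclass


@dataclass
class WpAnalysis:
    mode: str                  # protection mode selected by SRP1:SRP0
    quad_enabled: bool         # QE=1: pin 3 is IO2, no write-protect function
    wp_pin_functional: bool    # /WP can lock the status register in this state
    status_reg_locked: bool    # BP bits cannot currently be changed by software
    block_protect_set: bool    # BP2..BP0 != 0, i.e. some region is protected
    hardware_enforced: bool    # region protected AND software cannot undo it
    note: str


# (SRP1, SRP0) -> protection mode, as assumed from the datasheet
MODES = {
    (0, 0): "software protected",       # status register writable after WREN
    (0, 1): "hardware protected",       # /WP low locks the status register
    (1, 0): "power supply lock-down",   # locked until the next power cycle
    (1, 1): "one time program",         # permanently locked
}


def analyse_wp(sr1: int, sr2: int, wp_pin_low: bool) -> WpAnalysis:
    """sr1/sr2 are the raw bytes read back from the chip; wp_pin_low is the
    level the board wiring or jumper actually puts on pin 3."""
    srp0 = (sr1 >> 7) & 1
    bp = (sr1 >> 2) & 0b111
    srp1 = sr2 & 1
    qe = (sr2 >> 1) & 1
    mode = MODES[(srp1, srp0)]

    # The pin has a write-protect function only in hardware mode with QE=0.
    wp_functional = mode == "hardware protected" and qe == 0
    if mode in ("power supply lock-down", "one time program"):
        locked = True
    elif wp_functional:
        locked = wp_pin_low
    else:
        locked = False

    enforced = locked and bp != 0
    if bp == 0:
        note = "BP bits are zero: no region is protected regardless of /WP"
    elif qe and mode == "hardware protected":
        note = "QE=1: pin 3 is IO2, /WP has no effect; BP bits are software-clearable"
    elif not locked:
        note = f"{mode}: BP bits can be cleared by a Write Status Register command"
    else:
        note = f"{mode}: BP-protected region cannot be unprotected by software"

    return WpAnalysis(mode, bool(qe), wp_functional, locked, bp != 0, enforced, note)


if __name__ == "__main__":
    # Constructed register values: SR1=0x9C is SRP0=1 with BP=111 (all blocks)
    for sr1, sr2, pin_low in [(0x9C, 0x00, True), (0x9C, 0x02, True),
                              (0x1C, 0x00, True), (0x80, 0x00, True)]:
        r = analyse_wp(sr1, sr2, pin_low)
        print(f"SR1=0x{sr1:02X} SR2=0x{sr2:02X} /WP low={pin_low}: "
              f"enforced={r.hardware_enforced} ({r.note})")
```

The practical reading: grounding pin 3 on a board is not enough on its own. The SRP0 bit has to be set, QE has to be clear (so no Quad I/O boot), and the BP bits have to cover the region you care about; any firmware that can issue a Write Status Register while /WP is high can undo all three.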

RichardJune 12, 2016 10:42 PM

@Gentry Knowle

Even if one could secure BIOS write with effective hardware switch, the boot process of many operating systems is exploitable, and sometimes using the very own system files to subvert the boot process.

Yes, of course you can infect the boot process, and yes this is true even with a hardware BIOS write protect jumper, but you are missing the point.

The point IS if you ARE infected, but the BIOS is still secure because of that hardware jumper, then all you have to do is just re-image the hard drive and EVERYTHING IS FINE AGAIN.

The point IS (on the other hand) if you DON'T secure the BIOS, even that perfectly secure TAILS O.S. session that you are talking about running from READ ONLY DVD MEDIA WILL NOT BE SECURE.

Not secure because during some previous less secure session, a BIOS trojan could have dug in like a tick, rendering your P.C. forever compromised.

Modern programmers are so monumentally incompetent that they can't seem to write ANYTHING in less than several gigabytes of code, INCLUDING modern PC BIOS and boot code, and with that HUGE juicy flash chip available, a very sophisticated stuxnet like malware capable of adapting to and compromising ANY O.S. would be a cakewalk for a sophisticated adversary.

In fact, with Intel's latest and greatest chips with Intel Active Management Technology (AMT), the attacker wouldn't even have to bother with complex malware code, since Intel has done pretty much ALL the work for them. AMT allows hidden Intel code running below the O.S. with its own network stack to sit back and monitor ALL operations taking place on your system - RAM and other Storage Device IO, Video and GPU, Network Traffic - EVERYTHING.

So if you care about system security, not letting your BIOS get compromised is kind of important.

Home Email Server LoverJune 12, 2016 11:46 PM

@Richard

Also note that Blumenthal was just a former advisor, not an insider at the time, and as such didn't have access to information that was particularly sensitive, and in any case, had he sent the emails in question to Hillary at a dot.gov account, IT WOULD NOT HAVE CHANGED ANYTHING - since the emails were hacked from HIS AOL email account NOT HER SERVER.

I may not know the details of this hacking business, but outside of hacking, I think the simple and straightforward issue is that presumably using a .gov destination address would have initiated an automated system of data retention in accordance with the current administrative policies of the USG. Whereas by going to Hillary directly, whether by utilizing her home email server, or just having a chat at a coffeeshop, no such record keeping of government affairs would happen, unless and until an arbitrary subsequent time of Hillary's choosing.

Of course in the post-911 orwellian world of big money mainstream media in the U.S., the simple issues that common voters could make easy enough sense of will be twisted and spun and distorted until people don't care until they start starving or otherwise overtly suffering.

Home Email Server LoverJune 12, 2016 11:52 PM

@Richard


Which coincidentally ALSO proves that if you are REALLY serious about going after those who have endangered national security by using private email for government business, you should probably go arrest Colin Powell and Condoleezza Rice first - because, based on this incident it's clear that they were endangering the country much more by using private email servers which they had no control over

I think you aren't giving enough consideration to the evolution of the internet and its array of communication tools, combined with the evolution of understanding (spec. Snowden). Likewise I presume that Colin Powell and Condoleezza Rice probably know vastly more than Snowden or any of us about just how secure or insecure their servers were. You are absolutely right to invoke them in Hillary's defense, but it only counts for so much. Hillary must also contend with the fact that there was a whole lot more precedent on this government email policy business in 2013 than there was in 2005 or whenever. That's like centuries in internet time.

ThothJune 13, 2016 12:45 AM

@Bumble Bee
The Eurotrash is most likely the Chip-and-PIN implementation which by itself the EMV standards are known to have legacy issues and flaws.

A sweeping statement applied across the board on all smart cards is not true if the implementation is robust. It is like saying all cats are black in colour which is untrue.

Most people think of smart cards as a card with contact or contactless feature requiring a reader but there are other types like a USB/CCID token (i.e. Yubico security keys) and more innovative card form factors that transform into USB/CCID tokens (i.e. Ledger's HW.1 tokens). Some provide even more assured protection by supplying a touchscreen to ensure secure display and PIN entry (i.e. Ledger's Blue hardware), on which I am currently giving them feedback and advice.

Some of them even have HSM functions (i.e. Smartcard-HSM).

It is much better than having communications in the clear or software keys which makes you even more vulnerable and tasty anyway.

Note: USB/CCID is not USB Mass Storage but a smart card protocol over the USB interface that implements the ISO 7816-12:2005 standard. Modern OSes (Linux, Windows, Apple, BSD ...) support smart card standards; for Windows users it is already out of the box without needing any drivers, and for the Nixes and BSDs you need to download and install the PCSC and CCID libraries, and then you have access to any smart card capable or USB/CCID capable devices.

Links:
- https://www.yubico.com
- http://www.smartcard-hsm.com
- https://www.ledgerwallet.com/products
- https://www.ledgerwallet.com/products/9-ledger-blue

ThothJune 13, 2016 12:52 AM

@Richard
You can either use a TPM for secure boot (I know it has all the bad rep and myths about backdoors and closed source) or you can just use the good old Amish lifestyle of moving away from electronics as much as possible and use paper and pencil ciphers for crypto and send analog paper and pencil letters.

If you want more technologically advanced communication vs. pencil and paper, build your own radio from scratch and operate your own ham radio :) .

@all
Maybe our current age is too technologically reliant and we have to anticipate and learn to de-couple ourselves from technology so as to be able to survive one day technology breaks down or becomes too untrusted for use ?

Good olde self-sufficiency :D .

Home Email Server LoverJune 13, 2016 2:53 AM

You can either use a TPM for secure boot (I know it has all the bad rep and myths about backdoors and closed source) or you can just use the good old Amish lifestyle

What would be nice would be if the theorized secure boot for raspberry pi ever materialized. I netsearched within the last year, and ran across a dusty years old mention that the closed signed binary GPU blobish bootloader thing 'could' (with broadcom or whoever's blessing/signing) be modified to allow a secure boot for the raspberry pi. I.e. user gets to trust/untrust arbitrary keys they can use to sign their own kernels and prevent unsigned kernels from booting etc. I find it extraordinarily suspicious in the wake of Snowden that such a thing seems to have been relegated to unpursued oblivion. Maybe it'll materialize someday soon. Godspeed.

Clive RobinsonJune 13, 2016 3:59 AM

@ All,

I woke this morning to hear the news of the lone gunman in Florida that has shot or injured 100 people. I understand that this is the worst lone gunman incident in the US.

For the friends, families and loved ones of those dead and injured, I feel for you, and offer my condolences. Further I hope that you be granted the peace and time to grieve without your tragic loss becoming a political football and an excuse for knee-jerk legislation, media circus or worse.

Clive RobinsonJune 13, 2016 4:48 AM

@ Richard,

If there is a design requirement for this feature...

There is the rub, especially with FMCE: every component not included in the design removes not just its direct cost, but its PCB routing, real estate and insertion costs, reduction in reliability costs plus, for the likes of jumpers, configuration cost and attendant support costs.

In a highly price sensitive market where profits are in the low percentages, every fraction of a cent makes a difference in units sold and thus there may be no profit on the first twenty five to a hundred thousand units as setup and production costs get amortized.

I know that it feels like,

... the REAL reason we don't see hardware jumpers or switches is that manufacturers want to ship half-baked buggy crapware, and fix it later - so they try to make updates as easy as possible FOR THEMSELVES (and security be damned).

Having worked for a number of years in FMCE at the sharp end --design--, I can assure you that in general back then the reality was getting to market quickly at a sufficiently low cost that you make sufficient profit to move rapidly to the next "must have" in consumer ratings.

I also know that things have changed and at a certain consumer point there is no profit to be made at certain technology cost points. In the past that would have meant that such hardware would not have been made, and that is still the case for component part manufacturing. However with finished systems such as laptops, it became possible to "cross subsidise" and effectively sell the system hardware at zero or negative profit, and make profit on software or other aspects. This started with Games Consoles and later Printers. It has moved on to the point where the "Google Game" of turning the users into a revenue stream has bitten in hard (see the three nasties Lenovo got caught doing in 2015 to both their consumer and professional product ranges). But in effect Micro$haft has killed that with forced installs of Win10; they have "stolen the ball" and are running hard with it. Likewise Intel with its hidden function management systems at greater than Ring0 privilege. You are as a consumer caught between a rock and a hard place, and your soul has been stolen one way or another.

Thus if you want "security" enough people will have to stump up 15-25% more for the hardware. Which coincidentally is about the price premium you would have to pay if you were a system builder buying in component parts without the apparent "user commoditization" features...

You would think that as has been said before "Pays your money and makes your choice, of what's on offer at that price, you want extras you gotta pay for them" still applies. Sorry but the answer is no, we are too far beyond that tipping point; your only option as I've been saying --for the last half decade or so here-- is "mitigation", as there are no foundations on which you can rely to build your castle.

The simplest mitigation is simply not to play but that makes you a "career limited luddite" as far as the majority are concerned. The next level is to "energy gap" a system for your personal and private activities and use strong encryption at all times. You then use a sacrificial machine for your public persona, that has no hard drives etc. Then there are further layers of mitigation above that but they are beyond the abilities of by far the majority of current security "gurus" etc as it requires real engineering ability and considerable investment in manufacturing.

ThothJune 13, 2016 5:05 AM

@Home Email Server Lover
Security features would usually require closed source NDAs and an extra NDA wouldn't be all too nice for the designers of the RPi as their goal is for an open and cheap development platform.

The NXP's FRDM-K64F ARM development board as this board includes access to security features including hardware accelerated crypto but it seems to be missing trusted boot in the documentations.

What you are referring to is the TrustZone's trusted boot feature which you may consider the Samsung Artik 5 and 10 series boards (they come with full ARM TrustZone capabilities) and also a Samsung Secure Element for secure and tamper-resistant key storage to provision and manage keys to the Artik 5 / 10 ARM processors. This means you not only have TrustZone for trusted boot, you have a tamper-resistant key store as well all on the same development board.

Links:
- http://www.nxp.com/products/software-and-tools/hardware-development-tools/freedom-development-boards/freedom-development-platform-for-kinetis-k64-k63-and-k24-mcus:FRDM-K64F
- https://www.artik.io/modules/
- http://www.digikey.com/product-detail/en/samsung-semiconductor-inc/SIP-KITNXB001/1510-1316-ND/5825102
- http://www.digikey.com/product-detail/en/samsung-semiconductor-inc/SIP-KITNXC001/1510-1317-ND/5825103

Wesley ParishJune 13, 2016 5:15 AM

@ianf, usual suspects

re insane inane postmortem copyright extensions: didn't your mother ever tell you you should never sign a contract in which your death makes some other person richer? Ie, gives them an incentive for killing you? Eg, life insurance?

http://antisf.com/the-stories/postmortem-copyright

Or to quote a joke of Arthur C Clarke's, re-issued in one of his books, the one that's buried beneath all the others:

"Whew," said the man in pajamas. "I just had a terrible dream. I dreamed my wife had poisoned me for the insurance."

"Oh," said the other man, not much interested, "and where do you think you are now?"

Dirk PraetJune 13, 2016 7:05 AM

For those interested in (US) electronic surveillance law: "It's too complicated: the technological implications of ip-based communications on content/non-content distinctions and the third party doctrine" (draft), by Steven Bellovin, Matt Blaze, Susan Landau and Stephanie Pell.

ABSTRACT:

For more than forty years, electronic surveillance law in the United States developed under constitutional and statutory regimes that, given the technology of the day, distinguished content from metadata with ease and certainty. The stability of these legal regimes and the distinctions they facilitated was enabled by the relative stability of these types of data in the traditional telephone network and their obviousness to users. But what happens to these legal frameworks when they confront the Internet? The Internet’s complex architecture creates a communication environment where any given individual unit of data may change its status -from content to non-content or vice versa —as it progresses the Internet’s layered network stack while traveling from sender to recipient. The unstable, transient status of data traversing the Internet is compounded by the fact that the content or non-content status of any individual unit of data may also depend upon where in the network that unit resides when the question is asked. In this IP-based communications environment, the once-stable legal distinction between content and non-content has steadily eroded to the point of collapse, destroying in its wake any meaningful application of the third party doctrine. Simply put, the world of Katz and Smith and the corresponding statutes that codify the content/non-content distinction and the third party doctrine are no longer capable of accounting for and regulating law enforcement access to data in an IP-mediated communications environment. Building on a deep technical analysis of the Internet architecture, we define new terms, communicative content, architectural content, and architectural metadata, that better reflect the structure of the Internet, and use them to explain why and how we now find ourselves bereft of the once reliable support these foundational legal structures provided.
Ultimately, we demonstrate the urgent need for development of new rules and principles capable of regulating law enforcement access to IP-based communications data.

80 pages, but well worth the read.

Cattle futuresJune 13, 2016 9:35 AM

Permanent-government glavlit continues with dwindling credibility as Home Email Server Lover cherry-picks factoids climate-denier style. As a public service the links below set out the facts that jurors in an independent judiciary would consider, ordered by level of detail,

https://medium.com/soapbox-dc/12-red-flags-in-clintons-email-setup-da8966760f7d

https://informedvote2016.wordpress.com/2016/03/18/do-i-really-need-to-worry-about-hillarys-emails-yes-she-will-be-indicted-full-form/

http://www.thompsontimeline.com/The_Clinton_Email_Scandal_Timeline

But of course Lynch will not indict, as she has already been tantalized with the Vice-Presidency. The election's over, CIA has voted.

rJune 13, 2016 11:03 AM

@Richard,

In case anyone else missed this,

Yes, of course you can infect the boot process, and yes this is true even with a hardware BIOS write protect jumper, but you are missing the point.

The point IS if you ARE infected, but the BIOS is still secure because of that hardware jumper, then all you have to do is just re-image the hard drive and EVERYTHING IS FINE AGAIN.

The point IS (on the other hand) if you DON'T secure the BIOS, even that perfectly secure TAILS O.S. session that you are talking about running from READ ONLY DVD MEDIA WILL NOT BE SECURE.

Not secure because during some previous less secure session, a BIOS trojan could have dug in like a tick, rendering your P.C. forever compromised.

This is NOT an accurate statement,

https://www.it.slashdot.org/story/09/08/01/1658258/apple-keyboard-firmware-hack-demonstrated
https://www.wired.com/2015/02/nsa-firmware-hacking/
http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/
http://hackaday.com/2013/12/29/hacking-sd-card-flash-memory-controllers/

http://www.infoworld.com/article/2611198/endpoint-protection/researchers-demo-exploits-that-bypass-windows-8-secure-boot.html

Hardware persistent firmware subversion is a much larger attack surface than merely 'BIOS'.

I'm sure there are other examples around including CD-ROM/DVD-ROM/Blu-ray firmware, maybe touchpad firmware, wifi & hotspot (cellular) dongles ETC.

Last night there was a nice episode of Nova on PBS covering much of the current state of affairs with software security and weaponization including PLC subversion.

A WP pin on 'BIOS' is but a small piece of the security puzzle; we need unilateral enforcement of such policies: whitelisting, signing, proofs, audits, verification and the implementation of deterministic builds. All of these are just pieces of the software problem; the hardware problem is light years ahead of anything I can touch on mentally.

Things I didn't touch on are remote ethernet attacks ala broadcom/intel and videocard trojans [non-firmware, loadable fpga? trojans].

If you see WWW as the 'world wide web' you're confused: it's the wild, WILD west.

Clive RobinsonJune 13, 2016 1:10 PM

@ Bruce,

This might be of interest,

https://eprint.iacr.org/2016/596.pdf

Put simply the authors of the paper have used relatively modern prime and pump cache/memory timing attacks to recover keys from Amazon cloud servers. In the area they chose (South America East) they found that over 50% of users had not updated their crypto libraries to prevent or even limit older attacks.

@ Nick P,

How good is your memory?

You may remember one of my main objections to the cloud was the lack of security and vulnerability to crypto attacks, which does not happen on your own private networks and systems if you have isolated them sufficiently. Which attack history has taught us most don't, hence the problems RSA had with their token seeds being stolen and quite a few CAs getting hacked and faux certificates illicitly generated and used to do MITM attacks against major services by repressive regimes.

The above cache/memory attack against cloud servers can be carried out in one of two ways,

1, Bulk Collect then identify.
2, Enumerate, identify and target.

Whilst the first way belongs to the "collect it all" mentality, it carries a higher risk of discovery. The second is the preferred route for targeted attacks as it can be considerably less noisy thus less likely to be detected.

The problem for the second method is the Enumerate and identify.

Which if you remember far enough back was a method I identified with TCP Time Stamp Enumeration.

A careful use of what looks like a "script kiddy" ping attack or similar will enable attackers, via the TCP Time Stamp, to work out which traffic streams come from which individual server mainboard as it detects the "Delta-Freq" of the main XTAL which is common to all CPUs and cores on the mainboard.

My original idea at the time was that the TCP Time Stamp could be used by your higher class hacker to,

1, Identify "Honey pot" traps using VM techniques to make a single hardware instance appear to be a whole network. Thus a hacker with a nice new Zero Day could identify places where not to "use it and lose it".

2, Identify web services using shared hardware, where by an attacker could find other less secure instances on the same hardware and get a toe into the server to do other cache etc timing attacks.

I also mentioned at the time I had reached out to some of the more senior Honeynet project people and they were not interested (Golden Goose / NIH Syndrome yet again). I wonder if they will start to wake up ;-)

Clive RobinsonJune 13, 2016 1:27 PM

@ r,

Almost a tiebreak on the cloud cache attack paper :-)

With regards,

I'm sure there's other examples around including CD-ROM/DVD-ROM/Blu-ray firmware, maybe touchpad firmware, wifi & hotspot (cellular) dongles etc.

There was of course the Apple Batteries... And even USB printers.

And a whole lot yet to be invented, which brings to mind IoT... :-(

Gunfighters Motorcycle Club™June 13, 2016 2:00 PM

Gee, Why would a psychopathic mass murderer pose in a NYPD shirt? Guess ISIS was his second-choice way to kill anybody he wanted. Difference is, ISIS doesn't get away with it like cops do, some new poor bastard every shift. This one's just more proof that competent security analysis should forget so-called terror and focus on the real threat, cops.

rJune 13, 2016 3:11 PM

@Clive,

Almost, you got me beat both in timing and response.

Touché on the battery and usb printer response, in retrospect those are a MASSIVE oversight on my part (battery in particular, printer/router not so much due to physical detachment).

I can imagine some very evil batteries falsifying charge %, bringing a system down (under false pretenses) and then bringing a shadow system back up in its place (maybe to mine a forced hibernation file etc). I know the battery PROMs aren't THAT big but still it's a pretty sweet spot to lie in waiting.

It seems to me that 'PROM' when wired appropriately may just so happen to illustrate a contradiction in terms and maybe one of those red-herring oxymorons we hear about.

rrrrJune 13, 2016 3:14 PM

@Clive,

Additionally on the topic of hacked battery PROMs and connected printers...

A Hacked UPS could present similar options.

RichardJune 13, 2016 5:57 PM

@ Home Email Server Lover

You have raised a number of interesting points.

Yes, the issue of whether or not Sid's emails should have been 'captured' for posterity or not is at the crux of this complaint involving Hillary's use of a private server - and the simple answer to this is NO this is NOT an issue for her.

Not an issue because, once again, even if she had ALSO used a dot.gov address, Sid could have still legally sent this to her private email address instead of her dot.gov email, so nothing would have changed a bit.

I say this because Blumenthal was himself not acting in an official capacity, and therefore not bound to using a dot.gov account at his end, and more significantly, he was ALSO not bound to send it to Hillary on HER dot.gov account even if she had possessed one.

So, I have no doubt whatsoever that Blumenthal would have STILL used her 'private' account for this communication (and done so with perfect legality). This happens thousands of times a day with other federal officials who STILL are free to ALSO have a private email in addition to their dot.gov account.

So, once again, just as was the case of the question of whether or not the emails would have been hacked, had Hillary had a dot.gov account (they still would have since they are hacked at the AOL end) - in this case, on the question of whether the emails would have had a better chance of being captured for posterity - we have the SAME result - nothing would have changed had Hillary had a dot.gov account - NOTHING.

Private citizens can send their government officials an email on their public email, or their private email, or their "dot.gov" email, or their SETI extra-terrestrial email - and say ANYTHING - so we can't reasonably hold the official in question responsible for this UNLESS they then reply and attempt to TRANSACT GOVERNMENT BUSINESS through these un-official and insecure channels WHICH DID NOT HAPPEN IN THIS CASE.

So, those claiming that somehow this is the 'smoking gun' proving that Hillary's private server 'broke the law' are pretty much full of shit.

So, get over it folks. Seriously, get over it. I know that Ken Starr just-grab-on-and-neva-let-go pit bull style attacks on the Clintons are now a conditioned Pavlovian response for the die-hard dead-ender Republican faithful, but seriously, on this one, "there is no there, there".

"Likewise I presume that Colin Powell and Condoleezza Rice probably know vastly more than Snowden or any of us about just how secure or insecure their servers were."

Thanks for that one, I laughed so hard I almost coughed up my spleen.

Colon Powell wouldn't know the difference between a Hacker using a DNS attack on an IP protocol stack, and Condoleeza Rice suffering from PMS while attacking a stack of flapjacks.

These folks thought of themselves as lords of creation, who were "reshaping the geopolitical landscape of the middle east" (us 'lords of creation' likes to use wurdz like 'geopolitical' it makes us sound sooooooo smart) - so they wouldn't bother boning up on technical details - those are for geeks and 'analysts' (whom they obviously don't respect very much).

If you really want to get an idea how smart they really were, toodle on over to the PBS website and watch the Frontline documentary the-secret-history-of-isis.

Home Email Server LoverJune 13, 2016 6:03 PM

@Thoth

Security features would usually require closed source NDAs and an extra NDA wouldn't be all too nice for the designers of RPi as their goal is for an open and cheap development platform.

Not this one. As I recall from the forum thread, it was simply a matter of adding a little hook into the GPU bootstrap binary blob. Very very standard stuff. User needs to be able to trust or untrust keys, then some code needs to be able to verify that the kernel about to be booted has a valid signature. It doesn't get more vanilla than that. No secret sauce here, just braindead straightforward programming of a computer to make it do what you specifically want it to do.

And do you not see your contradiction in pointing out the openness nature of the RPi platform? The only reason they live with a closed binary blob for the GPU is short term and tactical. I'm pretty sure they overtly have a mission of eliminating all such closed parts eventually (down to the molecules). This is by no means a situation you can lump in with general industry stupidities. This is a very specific, very high profile thing (or rather, ought to be high profile, but very curiously has been relegated to the dustbin of history).

Bumble BeeJune 13, 2016 6:59 PM

Re: "legally adjudicated mental defective"

That disappeared from Google. 18 USC 922 (d)(4) and (g)(4).

It's incredibly dense. You have to read title 18 USC both sections 922 and 925 in their entirety including the notes to make sense of it.

It's still not constitutional because homosexuality is still considered a mental illness in the U.S. although nowadays it is called "bipolar" ("bi-," get it?) or "schizophrenia." Somewhat like they called Alan Turing an "invert" as a euphemism for "pervert."

The knee-jerk response to the gay nightclub shooting is of course to strengthen "gun control" laws to prevent guns from falling into the hands of LGBT people. But of course the media and lawmakers can't say it just like that.

Dirk PraetJune 13, 2016 7:04 PM

@ Clive

I woke this morning to hear the news of the lone gunman in Florida that has shot or injured 100 people. I understand that this is the worst lone gunman incident in the US.

Meanwhile, we have learned that the shooter had been under investigation by the FBI twice and was deemed no security hazard. I would be quite interested in seeing their expert analysis of a man who was said to be a mentally unstable, violent bigot and a maniac both by his ex-wife and former co-workers. That such a person could buy an automatic rifle no questions asked can only happen in the US and banana republics.

hal9000June 13, 2016 7:35 PM

Justice Dep't is suing the City of Seattle and its Department Seattle City Light to prevent them from releasing information about FBI surveillance cameras in response to requests under the Washington State Public Records Act.

These are video cameras that FBI has installed on existing utility structures (such as a power poles) in some locations around Seattle.

U.S. Justice Department sues Seattle to keep the FBI surveillance camera program secret
https://twitter.com/MikeScarcella/status/742470150243377152

Although this is technically (supposedly) not "mass surveillance" because the document (at above link) explains that:

"Every FBI pole camera is associated with a particular subject or particular
investigation and is installed in relatively close proximity to where the subject is believed to be or will be located, such as a residence, business, or frequented location."

RichardJune 13, 2016 8:55 PM

@ r

This is NOT an accurate statement.

Hardware-persistent firmware subversion is a much larger attack surface than merely 'BIOS'.

Yes, thanks for the correction, I originally mentioned several other attack vectors, but edited it out, since several other infection vectors were already mentioned, and my main point was that the existence of all these other attack vectors is NOT a good excuse to throw your hands up and say that, since there are so many other threats, we can't possibly be secure anyway, so let's just ignore BIOS security.

I did screw up by saying "just re-image the hard drive" since this is not generally true unless you go to extraordinary lengths to ensure your storage devices (and any other flash upgradeable devices) can't be infected, which, as you pointed out, currently is just as hard to do (or harder) as finding a motherboard with a secure BIOS.

These devices could ALSO be secured, just like the PC's BIOS flash chip by simply adding a simple hardware jumper that actually blocks flash updates using a physical jumper on the write-protect pin.

But this isn't what we will get. What we will get is a lame-ass crypto signature scheme that allows those with the resources to beg-borrow-steal-or-DEMAND the master password able to continue to compromise computers at will.

This will work fine until the next Snowden steals the NSA's master password list and sells it to hackers on darknet.

Then everyone could wake up one fine morning to find every hard drive on the planet has been nuked.

If I were a manufacturer, I would NOT put my faith solely in software methods, no matter how secure they are touted to be.

The best approach would combine multiple layers of security, a software signature on the flash image (if desired) to protect the manufacturer by preventing the user from loading unauthorized code, and a physical jumper to protect the user from malicious software doing updates against the user's will, should the manufacturer's master key be compromised.

rJune 13, 2016 10:06 PM

@Richard,

I agree whole-heartedly, my apologies for poking at you over your statement.
Firmware signing methods make me nervous, we've had enough problems with the existing certificate issuing system and I'm uncertain that any forthcoming implementations would be any more secure than what happened to say... Sony's SPE[?].

Maybe firmware itself is the problem, creating eddies where directly executable code can stagnate and hide may be a bad model imb.

whatever happened to lba[0]||chs[0,0,1] ?
adding complexity to already problematic environments in all likelihood may only complicate the issue :P

I'm interested to get coreboot running on my t61p, as soon as i can get the solder joints/traces fixed anyways, I'm thinking about trying to bake it?

Miss DemeanorJune 13, 2016 10:13 PM

Richard at 5:57 is fully indoctrinated with his Dear Leader's talking points, which dictate, blame it all on Blumenthal, then quickly veer off the thin ice back to 'Republicans are worse' handwaving.

Richard has not been instructed how to reconcile Title 18 U.S. Code § 1924, removal and retention of documents at an unauthorized location, with HRC's email June 17th 2011, 8:21: “If they can’t, turn into nonpaper w no identifying heading and send nonsecure” and her subsequent removal of born-classified (TS/SAP) and intelligence sources and methods to uncertified and uncleared contractor Platte River Networks.

https://informedvote2016.wordpress.com/2016/03/18/do-i-really-need-to-worry-about-hillarys-emails-yes-she-will-be-indicted-full-form/

Let's make it easy for Richard. Hillary will get away with it because she has been CIA nomenklatura ever since Cord Meyer recruited Bill and put him to work importing Contra drugs through Mena Airport.

MrCJune 13, 2016 11:13 PM

@ Hillary Clinton E-mail Astro-turfer:

Please knock it off. This isn't a place for political conversation, except for where political policy impacts security. Moreover, around here we're accustomed to professional NSA sock-puppets who can at least articulate a coherent point from time to time. You can't. Please go away.

GlomarJune 14, 2016 12:14 AM

I second @ MrC and it's really interesting to ponder who actually reads and monitors this blog (the ones who don't post) any way

Here it comes:

America needs to rethink national security apparatus
By Matt A. Mayer

http://www.cnn.com/2016/06/13/opinions/orlando-attack-security-reform-mayer/

"Our ability to detect and to stop future attacks increasingly will depend upon overcoming the limitations encryption puts on law enforcement"

Show me that Mateen used encryption. They're spewing this sh## with no evidence and egg on their faces:

The article does question the shooter being investigated twice by FBI and being placed and then taken off the terrorism watch list...I mean really I thought once you end up on one of those lists it's impossible to get off - no transparency and no appeal, hearing or due process with the only indication if you try to board a flight.

Wesley ParishJune 14, 2016 1:37 AM

Interesting concerning the Orlando massacre. Like the earlier one in California, the guy waited until his operation was under way before declaring his "allegiance" - whatever he meant by that - to Islamic State.

I get the impression that it's more of an attention-seeking action, declaring "allegiance", because otherwise the media would ignore it - I mean, just another few people got shot by a crazed gun-worshipping zealot/psychotic? It's only worth page seven or eight! Oh hang, he was a pterorist? No, cancel that, it's front-page news!!!

I think the problem is US-centric, and has absolutely nothing to do with anyone or anything outside its borders. When a presidential candidate is permitted to make public homophobic statements and publish them widely, and furthermore is permitted to make inflammatory Islamophobic statements as matter-of-course, is there any surprise that some Muslim who isn't exactly centred on his local Muslim community, decides to lash out? It's an all-American shooting, just like the Oklahoma bombing was an all-American bombing. Just like the shooting down of Iranian Air Flight 655 was an all-American massacre, just like Owl Creek and Wounded Knee massacres were all-American massacres, just like the Pequot war was an all-American massacre. Have I missed anyone out? Oh, dear, the My Lai massacre ....

ThothJune 14, 2016 1:46 AM

@Clive Robinson
re: Cloud Cache Attack

If they are a little more serious about their security (enterprise security), the better option is to use Amazon's CloudHSM (Safenet HSM offering services).

Another way is to host their own HSM and get their Cloud services linked to their own HSMs, but that would mean a good ton of cash and investment unless, as I mentioned in the brackets, it's enterprises that require some form of compliance.
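The cross-VM cache attack Clive Robinson and Thoth discuss above works because the victim's exponentiation executes a different sequence of routines depending on the private exponent's bits, and a co-resident tenant can watch that sequence through shared cache lines without ever reading a key byte. The following is an added example, not code from the paper, from Amazon, or from any commenter: a Python model in which the "observer" records only which routine ran (square or multiply), standing in for what prime-and-probe learns from evictions. It shows the textbook square-and-multiply transcript being parsed straight back into the exponent, and a Montgomery ladder whose transcript is the same for every exponent of a given length. The exponent, modulus and base are constructed values.

```python
"""Model of why a key-dependent exponentiation leaks to a co-resident cache
observer, and what a constant-sequence implementation changes.

The observer is a stand-in for prime-and-probe: it records which routine ran
(S = square, M = multiply), as the real attack sees by probing the cache lines
of the multiply routine.  It never sees operand values.  Constructed inputs.
"""
from typing import Dict, List


def square_and_multiply(base: int, exp: int, mod: int, trace: List[str]) -> int:
    """Textbook left-to-right exponentiation.  A multiply runs only for 1 bits,
    so the sequence of S/M events is a transcript of the exponent."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        if bit == "1":
            result = result * base % mod
            trace.append("M")
    return result


def recover_exponent(trace: List[str]) -> int:
    """Attacker side: each S opens a new bit (0); an M right after it makes it 1."""
    bits: List[str] = []
    for op in trace:
        if op == "S":
            bits.append("0")
        elif op == "M" and bits:
            bits[-1] = "1"
        else:
            raise ValueError("malformed trace")
    return int("".join(bits), 2) if bits else 0


def montgomery_ladder(base: int, exp: int, mod: int, trace: List[str]) -> int:
    """Every bit costs exactly one multiply then one square, so the S/M
    transcript is identical for every exponent of a given bit length.
    (Register selection is still bit-dependent; a production constant-time
    implementation removes that branch too, e.g. with a conditional swap.)"""
    r0, r1 = 1, base          # invariant: r1 == r0 * base (mod mod)
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = r0 * r1 % mod
            trace.append("M")
            r0 = r0 * r0 % mod
            trace.append("S")
        else:
            r0 = r0 * r1 % mod
            trace.append("M")
            r1 = r1 * r1 % mod
            trace.append("S")
    return r0


def leak_demo(exp: int, mod: int = 2**127 - 1, base: int = 3) -> Dict[str, object]:
    """Run both implementations on the same key and report what the observer learns."""
    naive_trace: List[str] = []
    ladder_trace: List[str] = []
    assert square_and_multiply(base, exp, mod, naive_trace) == pow(base, exp, mod)
    assert montgomery_ladder(base, exp, mod, ladder_trace) == pow(base, exp, mod)
    return {
        "recovered_from_naive": recover_exponent(naive_trace),
        "naive_trace": "".join(naive_trace),
        "ladder_trace": "".join(ladder_trace),
    }


if __name__ == "__main__":
    d = 0xDEADBEEFCAFEBABE   # constructed private exponent
    a, b = leak_demo(d), leak_demo(d ^ 0xF0F0)
    print("recovered from naive trace:", hex(a["recovered_from_naive"]))
    print("naive traces differ between keys :", a["naive_trace"] != b["naive_trace"])
    print("ladder traces differ between keys:", a["ladder_trace"] != b["ladder_trace"])
```

The library-update point in Clive's summary is exactly this gap: older releases used exponentiation whose operation sequence depends on the key, and the fix shipped years before the paper was written. A noise-free observer is of course generous to the attacker; real traces need error correction, but the information is there to be corrected.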

keinerJune 14, 2016 2:06 AM

The USA is a typical failed state, as it has NEVER in its history managed to enforce the state's monopoly on the use of force. All these weapons everywhere are a clear indication of this fact.

Unfortunately at the same time the USA is the strongest bully in the classroom. And they never really grew up to the responsibility they have by this. Really hard times ahead.

Wesley ParishJune 14, 2016 2:13 AM

@Glomar

Of course! I've never denied that.

My point is this: that the root of this sort of tragedy is to be found in the United States of America, not elsewhere, and the sooner that is realized, and means, ways, methods, whathaveyou, are worked out to prevent it, the better.

It's the same thing as problem solving in programming: you find out what the problem is, then solve it, not something else.

Gerard van VoorenJune 14, 2016 2:18 AM

@ Glomar,

"Our ability to detect and to stop future attacks increasingly will depend upon overcoming the limitations encryption puts on law enforcement"

Of course politicians and LEO's always want more. They are greedy people, and they do it "to protect" well mostly their own interests / budgets.

This attack -when being called a terrorist attack- showed -again- that Snowden was right. Where did the NSA stop / prevent this? With all their abilities and massive amounts of data and analysts they probably still didn't have a clue.

The same is going on in France now.

Yet they want more. They are greedy. They don't give a damn about human rights nor laws. The only thing they care about is their own interests.

What they should do is calm the situation down. Remove the polarization and the hate.

GlomarJune 14, 2016 2:20 AM

@ Wesley

Colonel Reginald Dyer and the Jallianwala Bagh massacre, 379 identified dead with approximately 1,100 wounded.

The US isn't the only nation that suffers from historical amnesia. And wrongdoing is always in the past, but "we don't do that anymore."

Gerard van VoorenJune 14, 2016 2:27 AM

@ keiner,

"Unfortunately at the same time the USA is the strongest bully in the classroom. And they never really grew up to the responsibility they have by this. Really hard times ahead."

Yeah, let's vote Trump.

ianfJune 14, 2016 4:32 AM


Demands Glomar: “Show me that [the Orlando gay shooter] Omar Mateen used encryption!”

Isn't it enough that (on CNN at least) he looked pea-in-a-pod to Ed Snowden? Bit less beard, and there's your connection between terrorism and treason.


Meanwhile, Wesley Parish has centered in on the pterorist's [no typo] motive: (1) “is there any surprise that some Muslim who isn't exactly centred on his local Muslim community, decides to lash out?;” then follows it up with this (2) in-depth exegesis-analysis-synthesis: “the root of this sort of tragedy is to be found in the USA, not elsewhere, and the sooner that is realized, and means, ways, methods, whathaveyou, are worked out to prevent it, the better.”

(1) latest intel has Omar lashing out at gays instead, not as sexy a speculative motive as your own.

Ad (2), the Yanks had better hurry up then, invent and deploy Reverse Time's Arrow, rewind it back to just prior to the first Colonial massacre of 1539, then restart friendly-friendly-like [no typo, the Spaniards upstaged the Anglos, whose first "Indians-dead deed," the Paspahegh Massacre, only dates back to 1610, three years after the first settlement there].


[… finding a solution to that root above] “is the same thing as problem solving in programming: you find out what the problem is, then solve it, not something else.

    Oh, how I l.u.r.v.e all Ye Magnificent Java and C Programmers with your Logickal Algorithmic Solutions to Everything (which, btw. is "42").

Bumble BeeJune 14, 2016 4:36 AM

@Glomar

Re: "we don't do that anymore."

More apropos my previous comment, it's an old scam. "Bipolar" used to be called "manic/depressive" -- shoot someone up covertly with certain street drugs and call them "manic" and in withdrawal they are "depressive." Ta da, a "diagnosis."

"Schizophrenia" is even worse. Combine the drugging with gaslighting tricks (that's a movie reference) and call the victim "paranoid." A lot of things you can do to make someone paranoid. Unfortunately, despite all the "research" at renowned facilities such as Maryland Psychiatric Research Center (Spring Grove Hospital Center on Google Maps), none of it has any scientific basis whatsoever beyond outdated Freudian notions of dementia praecox and the cruel experiments performed by Nazi doctors on Jews and LGBT people during the Holocaust.

The Greek letter Psi is the devil's pitchfork of psychiatry.

Wesley ParishJune 14, 2016 6:00 AM

@ianf

Precisely what are you trying to say? I'm not sure that you've said anything at all.

The thing I fear is that the US will use this sort of incident to a: spy and repress more domestically, b: extend its draconian will further into its coalition of the willing/ship of fools, and c: lash out more at nations with a Muslim majority.

Muslims are the only socio-religious group who are not permitted religious solidarity; they are perhaps the most cohesive of all such groups, hard as that may be to believe what with the Sunni-Shi'a hostility.

You in that efflatus above seem to be the prime example of finding out the problem and solving something entirely different.

@Glomar

You think I'm not aware of that massacre? Here's one for you - Kohat, 1924. A friend of the family had to leave there in a hurry - at ten years of age - and never returned. Islands and Mountains was his most important contribution to the world. Have you ever sung it?

Clive RobinsonJune 14, 2016 7:14 AM

@ ianf,

latest intel has Omar lashing out at gays instead, not as sexy a speculative motive as your own.

I guess it depends on your news source... But it's been reported in the UK that he was seen regularly drinking in that bar...

So it's anybody's guess as to what a supposed fundamentalist Muslim was doing drinking alcohol in a gay bar. There is also a story circulating that the FBI put him on the watch list, then took him off again so they could entrap him, and turn him into another patsy. If that was the FBI plan, then it's gone horribly wrong.

Personally I'd rather people did not guess and start digging out hard facts, and the last people you'd want doing that are the FBI... Which makes life a bit awkward at best. Thus this is showing all the signs this is going to turn into yet another conspiracy story.

Which is not going to help the family, friends and loved ones of those unfortunately targeted by him.

Dirk PraetJune 14, 2016 8:10 AM

@ r

Sounds like your typical trump fan, no?

I fail to see how questioning the sanity of US gun laws and the disastrous FBI assessment of Omar Mateen makes me a Trump fan.

@ Clive, @ ianf

So it's anybody's guess as to what a supposed fundamentalist Muslim was doing drinking alcohol in a gay bar.

Repressed homosexuality. It's more common than people think, especially in cultures where being gay is an absolute no-no. FBI's own J. Edgar Hoover was a cross-dresser. Another fine example is Kevin Spacey's neighbour in "American Beauty".

GlomarJune 14, 2016 8:15 AM

@ purple

f the political...

Mostly I agree but, mass shootings affect people's physical security and the political fallout impacts privacy and computer security, so these discussions aren't entirely irrelevant. The latest from Hillary (who I'll vote for regardless of her position on privacy and mass surveillance) on Twitter:

"If you’re too dangerous to get on a plane, you're too dangerous to buy a gun in America."

i.e. If you're too suspicious to get on a plane (like Ted Kennedy and all the others on that list in error) then you're too suspicious for any legal rights. I do believe that if a pipe bomb is deemed a weapon of mass destruction then so should an AR-15. Of course any gun control measures that would possibly be enacted will no doubt grandfather all the existing assault rifles out there, so the problem will persist for quite some time to come. And if the gov tried to collect the ones out there, then god only knows the response of 2nd Amendment fanatics. Lastly there is also the push to hang it all on the mentally ill in order to deflect action away from gun control, when most gun violence is perpetrated by evil or angry but sane individuals. God forbid we should punish law abiding citizens, even though everyone is law abiding until their first act of gun violence.

rJune 14, 2016 9:51 AM

@Dirk,

Not you lol, I suppose I am usually vague and ill-expressed.

I meant the shooter (in reference to your "bigot, etc").

ianfJune 14, 2016 10:40 AM

Gerard van Vooren: […]
With all [its] abilities and massive amounts of data and analysts, they [=the NSA] probably still don't have a clue. (1)
The same is going on in France now. (2)
Yet they want more. (3)
They are greedy. (4)
They don't give a damn about human rights or laws. (5)
The only thing they care about is their own interests. (6)
What [=the NSA and/ or the French politicians] should do is calm the situation down. (7)
Remove the polarization and the hate. (8)

Let me assuage some of your unease:

  1. Assuming the [whoever they might be] had a clue (in this case of the Orlando shooter's intentions, which so far as is known, he has not communicated in advance to anyone), how would you have expected the whoever-they-be to handle it properly: would that be by directing a couple of SWAT Apache helis to the club instead of the dozens of police cars while the shooting already was in progress? If the question is too rhetorical for you, perhaps you could just tell us WHAT HAS TO BE the correct response pattern to future yet to be detected lone-wolf crimes.
  2. Maybe the French, being French, will come up with some alternative meta-solution.
  3. Wanting more is a generic human instinct that also applies to institutions governed by humans.
  4. Being greedy is a human and institutional condition that we've long been collectively warned against (also the Third Deadly Sin—of covetousness/ avarice/ greed—for which we'll be punished in Hell by “being boiled alive in oil. Bear in mind that it's the finest, most luxurious boiling oil that money can buy, but it's still boiling.”)
  5. That's disputable… I'd say they do give lots of damns about the laws, HOW THEY INTERPRET THEM, and theirs [=the politicians with the NSA in their employ, say] is the interpretative prerogative, because we, the electorate, have acquiesced to it.
  6. True, people's interests as they interpret them on our behalf, while also not being averse to lining their own pockets. Sometimes they get these priorities wrong, and then they go to prison for that, but oftentimes not.
  7. Yes, full agreement, calm the situation down, serve blanket D-notices to the yellow press and other mass-media to print recipes instead, even at the risk of then being accused of "suppressing the truth" and/or hatching plots to turn some individuals into patsies for as yet undefined bigger plots (never mind that some patsies then rebel in angst). Or something.
  8. Worthy goals both, except for the t.e.e.n.y-w.e.e.n.y detail of nobody having developed a political anti-polarizing filter yet; and as for that your mandated removal of hate, let me be the first to cast the ballot for you getting that posh EU Commissioner post of (provisional title) Tsar of Love Over Hate. Because nothing short of despotic rule in the name of greater good will do here.

    I trust that the above provides enough of a Tasty! New! Thought-Fodder for you to continue the good work of showering us with wishful WHAT NEEDS TO BE DONE platitudes even in the future.

    PS. This is what I was trying to say, Wesley Parish, except I didn't have the time to deal piecemeal with all of the esteemed you.

    Addendum @ Dirk Praet: we'll never know the motive (or trigger; or whatever) of that or any other suddenly expired mass-murderer's, so there's no point in speculating about it either. Even were we to arrive at some Reason-By-Consensus, it's not like that would "come in handy" at the "next occasion." As rational (we think) human beings, thoroughly saturated with liberal and secular values to the core (most of us: live and let live), collectively we are unwilling to fathom the existence of irrationality, and the instinct of be-it-destructive self-sacrifice (in this case e.g. "I am nobody, so I'll show you all that I am not").

      [BTW. this recent book review explains it in greater detail, while underlining that it is not solely the Left's inability to grasp irrational spiritual dimensions, AND NOT SOLELY OF ISLAM-tainted "deeds" either.]

    Bumble BeeJune 14, 2016 12:02 PM

    @ r, also Clive

    Sorry didn't see your earlier responses; they were way up the page. No, no one signs my name or handles my money except for myself. Also I own and drive a car. That is excluded from the resources I am allowed to own while receiving government assistance.

    However, for all practical purposes, "adjudicated mental defective" is for life in the United States and there is no effective way to appeal for a reconsideration.

    Obama is on TV right now pushing for even more onerous red-light district style gun control. The birthers are wrong; he's not from Kenya; he's born in Hawaii, raised in Chicago, and the Chicago mob thinks nothing of perpetrating a mass shooting solely for political purposes.

    Lol some of the Feds are really pissed off at me right now. BTW, Obama hates transgender people and by his executive orders they are called by their unwanted gender throughout not only the military but also the civilian branches of the federal government ... (e.g
    Chelsea Manning, who was somewhat set up as a stooge to help perpetuate the notion that all LGBT are criminals if not mentally ill. Was she drugged/blackmailed out of the secrets she is accused of betraying?)

    Stupor MundiJune 14, 2016 12:05 PM

    Interesting attempt to suppress discussion of a large-scale security failure as 'partisan political garbage.' One would think a discussants on a security weblog would not be too bashful to bring up successful circumvention of the stringent procedures used for classified national security information. Details of foreign and public collection of the data exposed - executive diplomatic decisions and state secrets - are central to this weblog's concerns. We have a data breach comparable in scope to Chelsea Manning's cablegate disclosures, exposed in real time for years. But our new friends are shouting it down as 'politics' or as Republican attacks, policing the discourse by invoking party-line epistemic closure. The Guccifer disclosures that Wikileaks is curating reveal a lot about the permanent government, the real government, especially for people who will never cast a vote in the US.

    oopsJune 14, 2016 2:29 PM

    @Glomar, Nobody said it was OK. Powell had 2 emails retroactively classified and nothing at the TS or collateral level. Rice's immediate staff received 10. None of it bore classmarks at the time.

    http://i2.cdn.turner.com/cnn/2016/images/02/04/memo.pdf

    They didn't get indicted - but then, they didn't burn any agents, blow any Special Access Programs, or give up thousands of emails with classified sensitive national security information to the guy who snagged Miss Maine's titpics.

    https://cryptome.org/2014/01/guccifer-cryptome.htm

    LongBadTunnelJune 14, 2016 4:57 PM

    Microsoft is closing this bug because the US government now can get access through Windows 10, I guess?

    'BadTunnel' Bugs Left Every Microsoft Windows PC Vulnerable For 20 Years
    http://www.forbes.com/sites/thomasbrewster/2016/06/14/microsoft-badtunnel-big-brother-windows-vulnerability/

    Microsoft is today closing off a vulnerability that one Chinese researcher claims has “probably the widest impact in the history of Windows.” Every version of the Microsoft operating system going back to Windows 95 is affected, leaving anyone still running unsupported operating systems, such as XP, in danger of being surreptitiously surveilled.

    According to Yang Yu, founder of Tencent’s Xuanwu Lab, the bug can be exploited silently with a “near-perfect success rate”, as the problems lie in the design of Windows. The ultimate impact? An attacker can hijack all a target’s web use, granting the hacker ”Big Brother power”, as soon as the victim opens a link or plugs in a USB stick, claimed Yu. He received $50,000 from Microsoft’s bug bounty program for uncovering the weakness, which the researcher has dubbed BadTunnel. Microsoft issued a fix today in its Patch Tuesday list of updates.

    namelessJune 14, 2016 5:00 PM

    @Glomar

    "Why was it ok for Colin Powell and Condoleezza Rice to have private email servers? And handle classified material on those private servers?"

    Because it does not matter so much what you do, but what kind of yarn the media spins from what you do.

    The media is, in general, like a gigantic megaphone or advertising agency that has a lot of power.

    Sexual LibertyJune 14, 2016 5:47 PM

    @WesleyP

    I think the problem is US-centric, and has absolutely nothing to do with anyone or anything outside its borders. When a presidential candidate is permitted to make public homophobic statements and publish them widely, and furthermore is permitted to make inflammatory Islamophobic statements as matter-of-course,

    I don't think humankind's vast and well documented history of sexual persecution is particularly US-centric and unrelated to the rest of the globe. Trump, while clearly a psyop, in these ways is not so very different from many other politicians of many countries. I call that a symptom of a global problem, not a us-centric problem.

    While I consider myself not to be on the side of those who are fueled by the persecution of 'sexual deviance' that does not involve (uninvited or harmful) force or coercion, I tend to look at the Orlando massacre through a cold perspective of surprise mainly at last years SCOTUS ruling, more than surprise at the massacre. The SCOTUS ruling seems to presumably be an amazingly beautiful and unexpected (to me) fundamental and radical reshaping of human society. But outside of recent events, contrasting it with the attitudes of sexual persecution that remain outside of the US, I expect there will be many more instances of violence before the persecution becomes more a historical thing, than something we deal with in the present.

    And a footnote- please be careful about the use of the word 'homophobic'. I don't think the real issue is phobia, so much as a tendency towards bullying pariahs (if it wasn't homosexuality, the 'homophobics' would find a dozen other traits to bully)

    ThothJune 14, 2016 7:25 PM

    @When security becomes too cumbersome for its classification levels or designated levels of security, end users wouldn't like it and may shun it.

    Obamaberry is gone and now it is called the Obamadroid. The DISA have re-provisioned Obama with a hardened version of Samsung Galaxy S4 with Samsung KNOX (approved for use up to RESTRICTED level by US DOD) and now Obama is complaining about the security lockdowns on the phone hindering him too much.

    It seems the phone is using encrypted VoIP (likely the Mikey-Sakke protocol published by GCHQ) for secure voice via US Govt secure switchboards.

    What the US Govt could have done is get Samsung to offer a framework API for extended software defined cryptography (or via built-in hardware crypto engine) for the phone's modem so that all GSM calls can be specifically encrypted a second time with software/hardware NSA Suite A and B algorithms which will allow secure GSM calls instead of just secure VoIP over fixed routing.

    Obama compares his new Obamadroid to an infant's toy phone as his presidential phone is more locked down than most other DISA issued smartphones.

    Link: http://arstechnica.com/information-technology/2016/06/goodbye-obamaberry-hello-obamadroid/

    Dirk PraetJune 14, 2016 7:28 PM

    @ ianf

    we'll never know the motive (or trigger; or whatever) of that or any other suddenly expired mass-murderer's, so there's no point in speculating about it either.

    True, but Da'esh (IS) claiming responsibility for a horrible act perpetrated by a deranged closeted homosexual instead of a lion mujahid would be beyond ironic.

    Also worth noting is that, just like Mateen, the *sshole who killed a police commander and his wife near Paris yesterday, was also known to LE and had already previously been convicted of terrorism.

    tyrJune 14, 2016 7:28 PM


    As I have heard.
    The shooter was a security company employee.
    A registered Democrat.
    A frequenter of gay nightclubs.
    Had a Florida firearms license.
    And the FBI interviewed him twice because someone
    turned him in.

    The whole episode stinks to high heaven as well.
    People who can do that kind of shooting are rare
    as hell and most of that type have no interest in
    doing anything remotely similar.

    Interestingly Rubio who has been anathema to gays
    in the legal arena is now expressing empathy and
    sympathy.

    You'd think the folks who inherited J Edgar's tutu
    would be more on the ball protecting their own.

    @Dirk

    Nice paper, thanks.

    Nick PJune 14, 2016 7:53 PM

    @ Thoth

    That video was funny. Glad to see my President make me laugh on occasion instead of call him a scumbag. :) The Sectera they mention in related link has Type 1 hardware, EMSEC and milspec protections. They always fail to mention that in comparisons. Plus, Windows CE was so simple vs iOS or Android that isolating/hardening it was nothing. Cryptophone people took same route.

    Additionally, it comes out of the program I mentioned a while back: Commercial Solutions for Classified. It's the one that drops the effective EAL to EAL1+ far as I can figure. Evaluated for 90 days. Security racing to rock bottom is quite an understatement.

    Bumble BeeJune 14, 2016 8:40 PM

    @ Stupor Mundi

    I am not trying to minimize or excuse anything. That's Manning's attorney's job. Transsexualism is actually very rare for all the media attention it garners, and so are leaks on such a massive and damaging scale. People need to be OUT and blackmail-proof when they have some kind of sensitive position with the government like that.

    @ all

    Not to change the subject, but one more strike against Chicago. It is home to the unorthodox so-called "coldwater" or "freshwater" or "Austrian" school of economics which has incurred the wrath of the Federal Reserve by replacing John Maynard Keynes with Ludwig von Mises as its cult idol. Mainly they are goldbugs and they advocate not only precious metals (delivered straight to the home of the elderly and defenseless) but higher interest rates, "full reserve banking" rather than fractional reserve banking, and other scams of that nature. Puts Helicopter Ben and Auntie Yellen to shame.

    And now I can't type anymore because my phone says "Español (EE.UU.)" and keeps trying to suggest Spanish words.

    ThothJune 14, 2016 9:36 PM

    @Nick P
    They (DOD/DARPA) should really look into upgrading that old monster (Sectera phones) and use something more modern. My recent link to Wind River's Rocket RTOS kernel being open sourced into the Zephyr Project under The Linux Foundation's care would be even simpler to handle than Windows CE (since it is a micro/nanokernel) compared to Windows' monolithic kernel.

    On top of that, I do suggest they use a tamper resistant ARM chip offering like NXP's i.MX7 series for the CPU as it contains tamper resistant features + TrustZone and hardware crypto, which I have been pushing for a more assured smartphone once combined with appropriate microkernels for the Secure/Insecure World OSes (i.e. Zephyr).

    To make the COTS phone more usable, Android services can be implemented as daemons running on the microkernel OSes (thinking along the line of Blackberry's QNX and smartphone). This will take the good part of the Blackberry's more assured OS and tamper resistant ARM chip from NXP into a little more secure smartphone.

    Anything more secure would require an SCIF room with appropriate environment and equipment to handle something like TS/SCI classifications but for a COTS mobile security solution, those I mentioned should suffice probably up to Confidential level in my opinion.

    In fact, if they want a more assured phone, the ARM chip would have to be thrown out for a tamper resistant FPGA like Altera or Xilinx implementing NSA certified soft core implementation for multi-application and red/black separation on NSA approved FPGAs and then use some custom micro/nanokernel of their own to manage the soft cores and applications but that would mean high cost for manufacturing, maintenance ... etc ... just like the Sectera which requires massive support and budget just to operate a couple of these devices and this would be ugly for the yearly COMSEC budget and maintenance manpower from a high level point of view.

    ianfJune 14, 2016 11:42 PM


    Do remember @Anon10, that just because the CNN said that XY “was radicalized by foreign Islamist views” doesn't make it so. BTW. quit using the shooter's name, both he and it should fall into oblivion.

    If you want to really fix this problem, you have to look at the Middle East.

    Yeah, that's a viable strategy… let's first look at, then have the Big Protector state act in order to fix that ME problem once and for all… because, unlike earlier attempts, this time it will work FOR SURE.

    BTW. while on the subject… how is that your deep ME insight different from this no less deep conclusion of Jeff Halper's (2010; emphasis mine):

      […] “What is happening in Iraq and Afghanistan and Pakistan and Iran, what is happening with Al-Qaeda, the whole alienation of the West from the Muslim world in general – all that comes out of the Israel-Palestine conflict. That’s the symbolic epicenter…

    Nick PJune 15, 2016 12:02 AM

    @ ianf

    "quit using the shooter's name, both he and it should fall into oblivion"

    Finally, a statement from you I can agree with wholeheartedly. It's what I tell them all to do in these situations. They or the organization wants to be remembered. Deny them that. Never mention their names. Maybe add insults. Maybe take down others with it slipping that they talked and betrayed their own. Smear the individual & organization. If captured, put them with violent offenders in prison to ensure they understand unjust violence.

    And from there, with nothing said about attacker by name, our media should show love for the families and anyone that did something especially heroic. Focus on them briefly. Then, move on to reducing the stuff that kills six digits a year like what the white, Christian parents feed their kids, spray on their lawns, or get drivers' licenses for. ;)

    ianfJune 15, 2016 10:27 AM


    If that by Blivion unveiled intel of the Orlando shooter father's long being in cahoots with the CIA is true (I wouldn't call him the clickbaïty "asset" though—reserved for agents), then, apart from earlier mentioned POTENTIAL revenge motive of “repressed homosexuality” for a "reason," we now also have to consider the presence of ME(?) custom(?) of “avenging of honor by blood” for another "reason." ?What? honor – don't ask me.

    By analogy, we'd be dealing with the same set of cultural pressures as in the case of [film character] Said in the wonderful 2005 Dutch/ Palestinian/ Israeli/ French/ German film coproduction Paradise Now – a gem of a movie that (1)‍ ‍managed to get made at all; (2)‍ ‍grappled with the contagious topic of suicide bombings in Israel in a fashion that won support of large swaths of both Arab and Israeli public. Here's the by-analogy-relevant edited plot fragment from the Wiki:

      […] Said reveals his reason for becoming a suicide bomber: his father was an ameel (a collaborator, or Palestinian working for the Israelis), who was executed [by PA] for his actions. Said blames the Israelis[%] for taking advantage of his father's weakness.

    [^%] That is what ALL security services do: they select and recruit various "black sheep," fallen sons, rapists, and petty criminals everywhere as their snitches. As a rule, they distrust, so won't touch any "self walk-ins."

    Clive RobinsonJune 15, 2016 12:21 PM

    @ Wael,

    With regards "doing a number" on Italian And Not French's ass, have you examined his latest missive for clues?

    Perhaps,

      (I wouldn't call him the clickbaïty "asset" though—reserved for agents)

    Has a clue or "bait" in it ;-)

    But if you want me to do a quick two minute knock off... A rewording of "Pimpernel" might add a little bloom to his image.

    ianfJune 15, 2016 1:45 PM

    @ Wael, propriety forbids me to comment on what is not my business, but curiosity got the better of me: is that your "doing a number" another form of alluding to you running some sorts of numbers game, perhaps taking bets, behind my back? I'd ask Clive directly, but would rather not risk a 5k response missive from him muddying things up (this only 391 chars incl. this tally).

    WaelJune 15, 2016 1:51 PM

    @Clive Robinson,

    A rewording of "Pimpernel" might add a little bloom to his image.

    I remember you mentioned this word in an obfuscated format in the not too distant past. I also remember replying to it. Can't find the link! Only found a reference to it.

    WaelJune 15, 2016 2:26 PM

    @ianf,

    perhaps taking bets, behind my back?

    Behind your back? It's happening underneath your nose! I ain't no bookie, maintain your composure.[*]

    I'd ask Clive directly, but would rather not risk a 5k response missive from him muddying things up

    Yea, it's an improvement over the "7K parable" I linked to in my previous response. Besides, are you implying you understand what @Clive Robinson says given that it's below a certain length threshold (say 57 words)?

    [*] @Clive Robinson, @Nick P,

    Odds are now 12:1 (hint-hint, wink-wink)

    Anon10June 15, 2016 6:07 PM

    @ianf

    The FBI found videos of beheadings on his hard drive. Only three kinds of people are going to keep videos of real life beheadings on their personal hard drives: A) the insane, B) sociopaths and C) fully radicalized Muslims. We don't need to go out of our way to avoid admitting the obvious: the shooter was a troubled gay man who couldn't reconcile his lifestyle with his Muslim faith.

    Dirk PraetJune 15, 2016 6:42 PM

    @ Anon10

    Only three kinds of people are going to keep videos of real life beheadings on their personal hard drives: A) the insane, B) sociopaths and C) fully radicalized Muslims.

    About 10 years ago, I was shown some very explicit, non-censored video footage by a service man stationed in Fallujah, Iraq. He claimed military command was distributing this material to remind everyone what kind of folks they were up against and that falling into enemy hands was not in their best interest.

    Clive RobinsonJune 15, 2016 7:07 PM

    @ Wael,

    I remember the 7K comment, I thought he was some common northerner telling one of those exaggerated tales of the "One that got away".

    You know the ones where an old codger, after spending another cold rainy night dipping his tackle in some dank pond or canal, has to tell his mastodon of a wife what gives him the urge to do something so unnatural. Such is the most common of coarse sport in the middle of the UK, apparently more so than footie, and upsetting the French. Though why they call it coarse I have no idea, I suppose it's all that messing with their maggots and flies. As they wait with baited breath for that all important twitch that says some dumb piscine has taken a nibble at his tackle that he's been waving about. Such is the art and science of fishing.

    But since then, he's been prone to other ginormous observations, outrageous guesstimations or exaggerations, depending on how you wish to politely put it. But I guess when you get down to it counting is still not his thing. Which possibly accounts for why "doing a number" is of such worry to him. Possibly bringing back unwanted memories, of school and the dread of having his name called and then that walk of shame to the blackboard.

    the-best-securityJune 16, 2016 1:11 AM

    https://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html

    "Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks.
    ...

    The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system."


    If hackers ever figure out how to break the security of the ME, the potential for rootkits and APTs would be utterly amazing.

    Clive RobinsonJune 16, 2016 1:34 AM

    @ the-best-security,

    You beat me to it...

    The "ME" article on boing boing does provide some background. Importantly it tells you which Intel chip sets you do not want.

    As for that 2048bit signing key, its mathematical security might be high, but does its physical security match?

    Stuxnet showed that signing keys could be obtained.

    Or how about its legal security?

    The FBI came close to getting a US magistrate to force Apple to provide code under its signing key...

    Intel should wise up and listen to what its security sensitive customers tell it over ME, before it has no security sensitive customers; perhaps we need a catch phrase to replace "Intel inside", something like "Intel no for ME".

    ianfJune 16, 2016 2:29 AM

    @ Wael, “[12:1]” of WHAT… my presumed Italianishness:Irishness? (me selfish genes demand to know).

    Also, you lose me when you imply that I “implied to understand what Clive Robinson says given that it's below a certain length threshold (say 57 words).”

    … which I have no recollection of what.so.ever (must've fallen under the threshold of my ATTN); and then especially when that your mythical back-to-blackboard-fear-inducing # of 57 appears to have grown overnight by a magnitude:

    […] “the 57 character that challenged the living day lights out of your wits

    Do remind me which 57 characters of Clive's l.i.t.e.r.a.r.i.l.y and l.i.t.e.r.a.l.l.y were these. Pretend I'm dement. If case doesn't matter, USE ALL CAPS.

    WaelJune 16, 2016 3:35 AM

    @ianf, @Clive Robinson,

    of 57 appears to have grown overnight by a magnitude:

    Yes, my mistake. I noticed after I posted it.

    Do remind me which 57 characters of Clive's l.i.t.e.r.a.r.i.l.y and l.i.t.e.r.a.l.l.y were these.

    Usually I have no problems finding links. This one is exceedingly challenging because I can't remember enough keywords. I'll try again when my mind is clear.

    ianfJune 16, 2016 4:27 AM


    @ Wael, you've become quite a baït-and-switch artist of late: first you make a threat/ promise, then you beg off with meeky make-believe excuses. I hesitate to write it, but could this be YA sign of your atavistic Oriental duplicity?

    PS. this is what you were looking for, only Clive thought nothing of your request. And him the second of three-legged zecqreet conspiracy allegedly under my nose (can but see dick).

      This concludes this morning's episode of “Teaching Wael To Sit Pretty.” Tune in tomorrow for the exciting sequel of “Wael paints QEII by numbers.”

    WaelJune 16, 2016 4:42 AM

    @ianf,

    you've become quite a baït-and-switch artist of late:

    Seriously?

    I'd ask Clive directly, but would rather not risk a 5k response missive from him muddying things up

    The 57 characters are in reference to this post: "We seek his ear. We seek his hair. To net that dam, Old moaning Pimple head." (Punctuation not counted)

    Which happens to be a word play on:

    We seek him here, we seek him there, Those Frenchies seek him everywhere. Is he in heaven?—Is he in hell? That demmed, elusive Pimpernel.

    @Clive Robinson was correct saying:

    As Wael knows from the past, more can be communicated by what is not said than what is said and will no doubt have located the message within its borders.

    As for:

    which I have no recollection of what.so.ever (must've fallen under the threshold of my ATTN);

    Perhaps you missed the hint I gave you. You got another hint today: Pimpernel!

    Bait and switch, eh? :)

    WaelJune 16, 2016 4:53 AM

    @ianf,

    then you beg off with meeky make-believe excuses...

    Oh, that's coming. Count on it :)

    Dirk PraetJune 16, 2016 5:23 AM

    @ Clive, @ the-best-security

    Intel should wise up and listen to what its security sensitive customers tell it over ME, before it has no security sensitive customers, ...

    NOBUS at work. But there is little doubt in my mind that the architecture and capabilities specs have been fully shared with NSA and the likes. If not, it would be hard to believe that such machines could be used in any security sensitive environment.

    Clive RobinsonJune 16, 2016 7:20 AM

    @ Dirk Praet,

    But there is little doubt in my mind that the architecture and capabilities specs have been fully shared with NSA and the likes.

    Exactly my thoughts some considerable time ago. And just one reason I avoid the more modern (ie this century) Intel platforms where I can. And where I can not lock them up in an environment where information can not be easily leaked.

    However, as you probably realise, what I might regard as sensible precaution with an eye to the future based on what I see as possible, others regard almost as raving paranoia. What is worse, when you eventually get proved right (as has so far always happened with IC activities), they find some excuse not to admit they were wrong, that you misunderstood them or similar...

    @ ianf,

    When I said,

      Thus you need to know what is and is not there to understand what lies beneath the prose, but it's not a line of Trollops.

    I thought you would get the joke. It after all refers twice to the second oldest profession.

    The more famous version is from WWII when a British liaison Officer was escorting a very senior US --and later somewhat famous-- Officer around London. On getting caught up in an air raid in Piccadilly they walked towards a public shelter, to be greeted by a number of ladies of the evening. The US officer asked "Is that a collection of English prose?" to which the British Officer replied "Yes I believe it might be a line of Trollopes".

    Clive RobinsonJune 16, 2016 8:31 AM

    @ The usual suspects,

    You might find this of interest,

    http://queue.acm.org/detail.cfm?id=2855183

    Basically probabilistic algorithms "almost" solve some difficult problems such as "central point failure" or "branch breaking" in hierarchical networks.

    After a few moments thought you can see how such algorithms can actually have a dual purpose in mesh and similar networks, in that they can be used to increase security against external observation (traffic analysis and the like).

    ThothJune 16, 2016 9:26 AM

    @all, Clive Robinson, Nick P
    A Parallelized & Scalable Multi-Secure Element Secure Execution Environment Architecture

    Secure Computing is usually reserved for those who can afford to pay for expensive security appliances with hardware protected Secure Execution Environments (i.e. Thales nCipher HSM, Safenet ProtectServer HSM and Bull's Trustway HSM). These solutions can be highly expensive just for the purpose of securely executing mission critical codes for Small and Medium Enterprises within a secure and trusted environment. These HSMs usually rely on a general purpose processor encased in layers of tamper protection mechanisms and secure booting with a small and trusted TCB for its kernel which it may share with generic HSM management processes and activities.

    Small and Medium Enterprises also have valid rights for the access to such better protected Secure Execution Environments to execute mission critical applets without needing to pay for such highly expensive solutions for protecting critical enterprise assets from attacks carried out by skilled and unskilled adversaries. The cheaper alternatives for introducing a highly scalable and parallelized Secure Execution Environment would be Secure Elements (i.e. smart card chips).

    Secure Elements have desirable properties making them the suitable candidate for a cheap, highly scalable and parallelized Secure Execution Environment. The low cost of the Secure Elements and mass production for use in smart cards, TPMs, eSE ...etc... make them ideal for those who require security but are tight on resources and funds. A sizable body of literature on the security of Secure Elements is available as these Secure Elements have had their security time tested for a few decades since the 1970s and, having survived many years of security research and real world attacks, are still considered secure enough for the mission critical jobs they are required to host and carry out.

    Communication between Secure Elements and controller units has to be flexible enough to be able to scale and be parallelized as needed. Flexible communication brings both risks and opportunities for enabling Secure Elements and their controller units to be scalable and parallelized. How a Secure Element is exposed to the external world and how multiple Secure Elements interact amongst themselves would have an impact on both the overall security of the entire architecture and the security of each Secure Element.

    In a traditional context most Secure Elements either have the capability to communicate with the external world via in-built processor units or via an MCU or FPGA (usually a 1-to-1 relationship). This MCU or FPGA can be used as both an interface to the external world and at the same time a hardware firewall to protect the Secure Element from direct exposure to the external world. This approach not only limits the speed of secure execution capability and scalability to a single Secure Element, it also makes detection of possibly malicious Secure Elements difficult as the assumption of trust would be pegged onto the single Secure Element. The MCU or FPGA attached to the Secure Element (if one exists) may be used as an insecure execution environment for detecting malicious patterns coming from the Secure Element but this will cause a performance bottleneck, and also the insecure execution would become problematic in terms of data security compliance; in the event where software or hardware tampering were to actually take place, the MCU or FPGA (assuming it has none of the security capabilities of a Secure Element) would be left naked to intruders logically or physically probing at the MCU or FPGA that may contain sensitive secrets while attempting to execute security operations to detect traitorous patterns from the Secure Element.

    Secure Execution, scalability, parallelization of resources and traitorous pattern detection can be achieved by the act of having a common and open platform across all Secure Elements to allow a single language where Secure Elements can be parallelized and scaled in real-time which can be used for secure detection of malicious patterns in a pool of Secure Elements.

    Ledger have brought into existence an Operating System architecture for Secure Elements called the BOLOS for their Ledger Blue personal security device product. The concept is to host an open and secure OS within the Secure Element while introducing a proprietary HAL layer for portions of the Secure Element requiring NDA (common within the Secure Hardware industry). Leveraging on the Secure Element's hardware MPU capabilities, BOLOS can provision security applets to be securely executed and managed by the Secure Element's MPU without needing to worry about malicious applets trying to interfere with other applets running within the Secure Element. With the exposing of open APIs and platform, different varieties of Secure Elements can be used to host BOLOS as the kernel with their individual proprietary HAL and MPU capabilities. The more the variety of Secure Elements can operate BOLOS, the more this scheme for scalable and parallelized Secure Elements would benefit by the fact that different varieties of Secure Elements can be used to play the game of detection of each other's possibly traitorous habits and not easily collude due to the difference in their hardware designs.

    Arranging the Secure Elements in a Group-Tree-Star style architecture with low capability MCUs as message routers and low power processing units can help to scale the architecture infinitely and also provide pattern matching and checking for traitorous behaviours amongst Secure Elements even to the extent when the message requests for the Secure Elements are specifically encrypted where the low power MCUs cannot decrypt the secure messages.

    In order to execute the Group-Tree-Star architecture, at least 2 or more Secure Elements would have to be paired to an overseeing MCU and derive a shared secret amongst the Secure Elements group. A request sent is always targeted at the group level, encrypted with the shared secret. The message would usually be sent to the overseeing MCU and the MCU would dispatch the encrypted message to the desired Secure Element for processing (or to all the Secure Elements in its group). By comparing the encrypted results of the Secure Elements within the group under a common shared secret, the MCU would be able to assert the possibility of traitorous patterns by observing the computed encrypted results for inconsistencies amongst the group of Secure Elements. Nonce and IV generation would either be determined by the overseeing MCU or the Secure Elements must agree on a shared IV or Nonce (to encrypt the response) and reveal the IV or Nonce to the MCU for asserting the encrypted results. Groups can be linked up to form Branches and Trees via multiple overseeing MCUs grouping together and routing messages amongst each other, and also the capability of getting a Group to assert another Group's execution patterns for cross checking of results using shared secrets. A centralized MCU can be used for job delegation, managing scaling of newly added or removed groups and as an interface with the external world.

This highly parallelized and scalable Secure Execution scheme is not so far-fetched as the main components (low powered MCUs and Secure Elements) are already existing or just coming into practical existence and maturing (for BOLOS). What is required is the transformation of this concept into actual protocols and schematics on the software and hardware layer to actualize a cheap, self-checking and secure environment for mission critical operations while continuously evolving this scheme as needed for additional features or fixing flaws in the concepts and protocols.

Links:
    - https://www.thales-esecurity.com/products-and-services/products-and-services/hardware-security-modules/general-purpose-hsms/nshield-connect
    - http://www.safenet-inc.com/data-encryption/hardware-security-modules-hsms/protectserver-security-module/
    - http://www.bull.com/hardware-security-module-hsm
    - https://medium.com/@Ledger/introducing-bolos-blockchain-open-ledger-operating-system-b9893d09f333#.sgm9v5w9q
    - https://medium.com/@Ledger/secure-hardware-and-open-source-ecd26579d839#.xz703br1f
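The group-level consistency check described above, as an added toy model that is not Thoth's, Ledger's or BOLOS code: an overseeing MCU that holds no key forwards one sealed request to every Secure Element in its group, chooses the response nonce the whole group must use, and then compares the sealed responses byte for byte. The cipher (HMAC-SHA256 in counter mode plus an HMAC tag), the SE identifiers, the stand-in "computation" (a hash of the request) and the sample request are all constructed for this example and stand in for whatever AEAD and applet logic a real Secure Element would run.

```python
"""Toy model of the overseeing-MCU consistency check for a group of Secure Elements."""
import hashlib
import hmac
import secrets
from collections import Counter

TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode (constructed toy cipher, not a real SE primitive)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the group shared secret. Deterministic for a fixed (key, nonce)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def unseal(key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    """Verify the tag, then decrypt. Only holders of the group secret (SEs, requester) can do this."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class SecureElement:
    """One SE in a group. Holds the group secret; the MCU never sees it."""

    def __init__(self, se_id: str, group_key: bytes, traitor: bool = False):
        self.se_id = se_id
        self.group_key = group_key
        self.traitor = traitor  # a traitor returns a subtly wrong answer

    def handle(self, req_nonce: bytes, sealed_request: bytes, resp_nonce: bytes) -> bytes:
        request = unseal(self.group_key, req_nonce, sealed_request)
        result = hashlib.sha256(b"result:" + request).digest()  # stand-in for the real applet work
        if self.traitor:
            result = bytes([result[0] ^ 1]) + result[1:]
        # every SE in the group seals under the same nonce, so equal results give equal ciphertexts
        return seal(self.group_key, resp_nonce, result)


class OverseerMCU:
    """Routes the group-level request and compares sealed responses without the group key."""

    def __init__(self, elements):
        self.elements = elements

    def dispatch(self, req_nonce: bytes, sealed_request: bytes):
        resp_nonce = secrets.token_bytes(12)  # fresh per request, shared by the group for this response
        responses = {se.se_id: se.handle(req_nonce, sealed_request, resp_nonce) for se in self.elements}
        consensus, votes = Counter(responses.values()).most_common(1)[0]
        if votes * 2 <= len(responses):  # no strict majority: nothing can be trusted
            return resp_nonce, None, sorted(responses)
        suspects = sorted(se_id for se_id, r in responses.items() if r != consensus)
        return resp_nonce, consensus, suspects


def run_group(traitors=()):
    """Pair three SEs under one MCU, send one request, return (flagged SE ids, consensus correct?)."""
    group_key = secrets.token_bytes(32)  # provisioned into the SEs at pairing time (assumption)
    elements = [SecureElement(f"se-{i}", group_key, traitor=f"se-{i}" in traitors) for i in range(3)]
    mcu = OverseerMCU(elements)
    request = b"sign:constructed-sample-transaction"
    req_nonce = secrets.token_bytes(12)
    resp_nonce, consensus, suspects = mcu.dispatch(req_nonce, seal(group_key, req_nonce, request))
    # the requester holds the group key and can check the group's answer; the MCU cannot
    expected = hashlib.sha256(b"result:" + request).digest()
    ok = consensus is not None and unseal(group_key, resp_nonce, consensus) == expected
    return suspects, ok


if __name__ == "__main__":
    print("honest group:", run_group())
    print("one traitor:", run_group(traitors=("se-2",)))
    print("colluding majority:", run_group(traitors=("se-1", "se-2")))
```

Two properties of the scheme show up directly in the code. The MCU learns only whether responses are equal, never their content, but that equality test only works because the whole group seals one response under one nonce; that nonce must still be fresh for every request, or the deterministic ciphertexts leak equality across requests too. And the check is a majority vote: a single deviating SE is flagged, while two SEs that agree on the same wrong answer are not, which is the reason for Thoth's point about mixing Secure Elements of different hardware designs so that collusion is harder.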

    Clive RobinsonJune 16, 2016 10:48 AM

    Breaking News

UK Member of Parliament Jo Cox (Labour party), for Batley and Spen, West Yorkshire is in a critical condition after being shot and stabbed multiple times in her constituency this lunch time.

It is reported that a 52 year old white male has been arrested. Eye witnesses say the man wearing a white baseball cap shot her twice and she fell to the ground, then leant over and shot her in the head a third time before stabbing her at least six times with a foot long knife. Some witnesses claim they heard the man shouting "Briton's First" which is a campaign slogan for a far right political party.

West Yorkshire Police will be holding a press conference at 5PM UK time.

    Clive RobinsonJune 16, 2016 11:28 AM

    News Update

It's been announced by West Yorkshire Police that Jo Cox MP died of her injuries at ten to two this afternoon.

    A seventy seven year old man who had tried to stop the attacker has also been injured and is in hospital.

    Locals have named the man arrested a mile from the scene of the attack as "local loner" Tommy Mayer.

    Clive RobinsonJune 16, 2016 12:00 PM

At least one MP has been interviewed and has made comments on bringing in new methods to control online media.

    Which is I think quite frankly shocking, that political point scoring has already started.

    Anon10June 16, 2016 1:34 PM

    @dirk

I'm sure you can come up with exceptions, but I doubt any of them would be remotely applicable to the recent shooter's situation. He wasn't a NATO soldier, preparing for a deployment to Fallujah.

    WaelJune 16, 2016 3:27 PM

    @Clive Robinson,

    After a few moments thought you can see how such algorithms can actually have a dual purpose in mesh and similar networks, in that they can be used to increase security against external observation (traffic analysis and the like).

    Pretty interesting reading. Familiar examples and techniques. Was an easy read until about 60% through, when things went downhill so fast (for no apparent reason) that I decided to save it for a later reading session.

    Nick PJune 16, 2016 3:32 PM

    @ hardware geeks

    Found a nice project you might like. It's a crowd-funded board that converts a 9V battery into 3.3V or 5V electronics kits need. Snaps right onto the battery. In production stage per their updates. I thought it was neat. I also remember that the starter kits for building PCB's and analog use batteries to knock out all kinds of complexity and risks for simple circuits. This might help with that, too.

    @ software geeks

    You might find ZeroTier interesting if I didn't already mention it. Software-defined networking and VPN with all the main code open-source on GitHub. The inventor listed the requirements on Hacker News along with a nice blog post on why he didn't use or even believe in a fully-decentralized option. I'm pushing him to explore decentralized for just logging or verification as untrusted computation + decentralized checking is often good enough for accountability. Lets one maintain most performance & simplicity of centralized computing while at least detecting and rolling back malicious BS.

    Also found a likely reason that Morpheus and others were able to hack into The Matrix so easily.

    WaelJune 16, 2016 5:14 PM

    @Nick P,

    hardware geeks [...] re: voltage regulator

    The construction is cool. The design / idea is a sophomore EE subject.

    Clive RobinsonJune 16, 2016 5:28 PM

    @ Nick P, Wael,

    You might find ZeroTier interesting if I didn't already mention it.

I was not aware of it but it's a subject that interests me deeply. Also although @Wael does not perhaps realise it at least one aspect of it interests him at a very deep level.

    It's best seen through a comment made on the HN discussion pages, somebody states the following,

  Zero Configuration is also basically impossible because you have to bootstrap the network somehow.

    We actually believe it's possible not impossible because of the universe we live in.

You are stuck with the "intelligent creator" problem. Which is "who created the intelligent creator", who created our universe? It's the inverse of the "lesser flea" or "turtles all the way down" problem.

If we don't have an "intelligent creator" then we have to find a way starting from true zero to get to where we are. That is we have to design a system that evolves from absolutely nothing into what we have in the way of a universe. Some years ago a group of theoretical physicists one of whom was Stephen Hawking to think about this problem.

About the only easy to explain thing they came up with is a form of chaos. Imagine if you will the big bang produces a bubble of energy that rapidly expands, as it does the energy per unit volume drops so, so does its effective temperature. At some point matter condenses but in the process gives out energy. Thus you get a self exclusive effect that says that matter can not condense at all places at the same time. So even at the nanoscopic scale matter is granular i.e. discrete not continuous. Now the problem with this is matter attracts matter thus you would have to have an impossibly regular grid of matter all balanced with impossible precision to stop clustering and clumps of matter forming as the cooling continued.

The problem is how do you get from such chance formation of matter to where we currently are? As the commentator put it "you have to bootstrap the network somehow". So can chance alone build the start of a system that does not just get more chaotic or complex alone, but actually self selects in some way? That is can it evolve from absolutely nothing? The answer had better be yes, otherwise we are back to the turtles all the way down problem.

    Dirk PraetJune 16, 2016 7:28 PM

    @ Clive

    At least one MP has been interviewed and has made comments on bringing in new methods to control online media.

    Traditional, government controlled media providing a 24/7 platform for *ssclowns like Donald Trump, Nigel Farage or Boris Johnson would of course be exempt. (Cue: "Back in the USSR" by The Beatles)

    WaelJune 16, 2016 7:52 PM

@Clive Robinson, (@Dirk Praet: you may be interested as well)

You are stuck with the "intelligent creator" problem. Which is "who created the intelligent creator"

    Watch what Dr. Adnan Ibrahim has to say about it. By the way, "Blank" means "Planck" as in Max Planck. There is no 'P' in Arabic (Arabs drink Bebsi; Gulf Arabs drink Beebsee) -- I guess the translator didn't know.

    Some years ago a group of theoretical physicists one of whom was Stephen Hawking to think about this problem.

    String theory versus super gravity theory. 10 dimensions vs 11. Fascinating story...

    While you're at it, listen to some thoughts about terrorism, it's two parts, and this is part two - about an hour total...

Also on the Theory of Evolution, this is the first of about ten or so in the same series.

I stumbled upon this guy during one of my YouTube sessions. Pretty knowledgeable. He's an imam in a mosque in Vienna.

    tyrJune 16, 2016 9:29 PM


    @Clive

I don't think anyone has demonstrated the existence of any isolated matter that wasn't imposed by the paradigmatic view of a human perspective. It seems to be a localized vortex caused by continuous phenomena interacting with each other. If it is continuous that bursts the bubble of the 'do we live in a simulation' folks also. The idea of an analog simulator of the size needed would really be stretching the idea past our limits.

I like what Mach said about us as being an oil molecule in an automobile engine so our awareness of the destination of the automobile is far out of our comprehensive reach.

All of the creation myths (science's big bang, warm hearted demi-urge, benevolent universe crafter) run afoul of the constraints of our instrumentation and our scale problem.

Best guess models are just that but no one has the facts needed to pretend they have the answers. Every generation has had "the myth" to explain it all, and all have been falsified over time.

Once you get past the limits of human scale you have only mathematical guesswork to rely upon and it may look real plausible but that's not a proof of anything except math consistency until you can hang it on something tangible.

On a local scale we need to figure out why the local deity seems that she is overly fond of beetles and bacteria. :^)

    FigureitoutJune 16, 2016 11:50 PM

    Turn an arduino into a serial-USB converter

    This is well known, but you may not be aware just how easy it is. If you just had a regular serial-USB thing you would need to either solder wires directly on db9 or make a little custom interface card.
    3 methods here (I can vouch for the 3rd): https://oscarliang.com/use-arduino-as-usb-serial-adapter-converter/

Doing the 6 lines of code worked for me, so easy yet so handy. I used to try debugging a stupid tp-link router that just won't get its firmware overwritten (tried web flash, tftp, you could even send commands over the serial interface w/ a little program in the arduino, which is very cool, since I may have slightly bricked the router as its boot info changed a bit and I can't access via ethernet anymore). On each boot, it spits out a bunch of u-boot diagnostic stuff. I don't know what's at the beginning of the dump, but I'm fairly sure it's what's been causing me problems. My paranoid side says "bootkit" that won't let me kill it, practical side says different serial settings. I couldn't even get this damn router connected via DHCP on my modem (which besides having it flashed w/ malware from the factory, is the main time infection could've happened), it's been a constant waste of time, and it's gonna rest in peace soon. TP-Link MR3420, $20 piece of crap, be warned.

    Couple pics:

    https://postimg.org/image/aj5bky7h3/

    https://postimg.org/image/6cnton7i9/

    Nick P RE: batteries
    --I'd use a high capacity, high amp hours, Lith ion battery instead of some energizer/duracell 9V one. Linear tech has a slightly more efficient one (90% or greater efficiency, this was 88.3% at most...tsk tsk :p) even though they're SMPS's. Also design wise, how easy would it be to snap that PCB in half unplugging it or doing that cringey bending your nails?

    ThothJune 17, 2016 12:52 AM

    @all
GitHub users do yourself a favour for your own security and start enabling 2FA with an authenticator device. GitHub authentication servers are picking up trends of suspicious login attempts.

It seems like Google Chrome is the only browser to support FIDO U2F login, which shows the slow progress of browser and online security as most browser vendors view security as an afterthought while cool features and speed are the first thing on their minds.

    Link: http://arstechnica.com/security/2016/06/github-attacker-launched-massive-login-campaign-using-stolen-passwords/

    ianfJune 17, 2016 4:47 AM


@ Anon10, (cc: Dirk Praet) given cowardly response in an earlier thread where you were clutching at straws to pin IdontKnowWhatMoreDirt on Ed Snowden in Moscow, I'm not sure you rate an engagement… but now you seem to be equally bent on establishing the Jihobbiest dimension of the Orlando shooter at all costs.

Because THAT WOULD EXPLAIN EVERYTHING, and, presumably, MOREOVER, give the authorities the license TO DO SOMETHING ABOUT IT ONCE AND FOR ALL (am telepathologically channelling you here, no permission needed).

    Guy could have been a wacko with repressed homosexuality and daddy issues, or bored with his same-old, same-old so-called-life; playing Russian roulette with cops' real bullets; but all that matters TO YOU is what the FBI and the CNN have said about his HDD, because that "black box" is all they can autopsize and then rhapsodise about.

    Well, let me tell you EX THIS CATHÆDRA provided by Bruce: abominable as it may be, having watched ISIS videos does not automagically a Jihadist make. This takes much more than a single (and terminal) act of violence, a history of gradually escalating radicalization, stretches in society's "mandated vacation holding tanks," the works—perhaps in time leading to a one-way ticket to Syria, only ending up in Gitmo.

    In fact, if this pair of US think-tank sociologists is to be believed, the USA is vastly underrepresented in statistics of foreign ISIS volunteers. Underrepresented means "having little appeal." Francophone nationals are in the lead. Also learn of “sheer destructiveness” of Trump's stated position, because, “as an anti-terror policy, it'd make much more sense for America to welcome Syrian refugees than to deny entry to Muslims.” [Not a concept viable on CNN due to potential loss of the Rolaids® ad-buy account].

    But of course, all that was examined and reported by some eggheads… what do they know when you feel what you know.

    Gerard van VoorenJune 17, 2016 4:50 AM

    @ Thoth,

About online security, things are much more broken. It all started with HTTP being utterly broken (but hey that was designed 30 years ago). THEN came the DoubleClick court case which settled the tracking cookie future. Today lots of hacks are made with tracking ads and web sites have become bloated and slow or not even loading at all entirely because of tracking ad servers that are occupied. The use of ad blockers helps and so does not enabling JS but in today's world your mileage may vary. HTTP/2.0 could fix that but because of big money politics (read Google) it simply became a re-branded SPDY protocol. HTTP/2.0 could have dealt with session management (the excuse to use cookies at all and which, in combination with ad hoc laws, is now the cause of all the paywall screens). PHK wrote about this in his bikeshed forum.

    I am not saying that the login feature of Chrome is bad but the root cause is located in a very different place (which is big money). Tim Berners-Lee's decentralized web can probably fix this but I think that the big players aren't happy with it and they can sabotage that idea in many different ways.

    Gerard van VoorenJune 17, 2016 5:07 AM

    @ Clive Robinson,

Sorry to hear about the murder of Jo Cox. What I am about to say now could be placed in the conspiracy theory area but I only really hope it wasn't the "lone gunman treatment" that history is full of. The stakes are high enough for it though and the timing is right too. The Brexit camp was ahead in the ratings and there are enough big players that don't want this at all. The (long) future will tell us as for an investigation the time is too short.

    Wesley ParishJune 17, 2016 5:21 AM

    @everyone interested

    I've just been reading a set of interviews with Noam Chomsky titled The Common Good, where amongst other things he discusses some mythical Libyan hit squads that one Gipper aka President Ronald Reagan was reportedly so afraid of that he stationed tanks around the White House for his protection - after having hyped up the "threat" of these Libyan hit squads to the heavens. "Libyan hit squads" made it onto Zippy the Pinhead that year, and that's saying something. Where would we be without the $FOREIGNERS to blame?

    That's the source and context of my assertion that the Orlando massacre was an all-American massacre. Just like the murder of Jo Cox MP was a British crime, and not something that could be "rent-a-mobbed" out to some convenient $FOREIGNERS elsewhere.

    Nick PJune 17, 2016 10:33 AM

    @ Figureitout

    Yeah, a lithium-ion battery or battery pack would be an improvement on it. I think some homebrew on those circular, CMOS batteries could be interesting since they have a long history of use in computers. See how far IOT boards/chips could push one.

    Anon10June 17, 2016 6:50 PM

    @ianf

Lots of people have "daddy" issues and up until ~20 years ago, when gay rights really started to gain momentum, there were probably millions of closeted homosexuals in the US. However, close to none of them committed mass shootings. So neither of those alleged causes can come close to explaining the shooter's actions, unless you include another factor in the mix: jihadist beliefs. Also, I wasn't arguing that watching beheadings turned him into a jihadist (although that's probably true), so much as that it was prima facie evidence that he subscribed to jihadist beliefs.

    Anon10June 17, 2016 6:58 PM

    @ianf

    And you were the one clutching at straws with respect to Edward Snowden. It's obvious that all his interview statements should be considered lies until independently verified or corroborated.

    ianfJune 26, 2016 6:44 AM


    ERRATUM of the postscript in my earlier post.

    I wrote there “that is what ALL security services do,” but that was a needless extrapolation of (pre-state) and early Israeli security outfits' practices of enlisting specific types of informants among the Palestinian Arabs, NOT what all other security apparatuses elsewhere do/did in their domains. The verbatim quote

    "Types generally exploitable for intelligence work are rebellious sons, thieves who have brought disgrace on their families, rapists who have acted on their passions and fled the avengers of tainted honor"
    also came from a different 2008 review of the same book “Army of Shadows: Palestinian Collaboration with Zionism, 1917-1948,” here by Benny Morris' "The Tangled Truth." [pretty long, but deservedly so]


    Photo of Bruce Schneier by Per Ervland.

    Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.