Friday Squid Blogging: Korean Spicy Grilled Squid

Easy recipe. You can get the red pepper flakes and red pepper paste at most grocery stores.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on September 2, 2016 at 6:02 PM • 98 Comments

Comments

Privacy Minded VfeMail Invites Google • September 4, 2016 9:54 AM

To create a new VfeMail account a customer must now agree to Google’s terms of service.
To register you must enter your REAL name, username and new password and then superficially enter the characters in Google's reCaptcha system.
In VERY fine print are Google's terms of service! Even if you successfully enter the characters in the photographs, Google still rejects you if Google can’t determine your Big-Data identity. If you are successful then Google has your username and email password.
Is this for real?
https://www.vfemail.net/register/

Creating a VFEMail account is now on par with creating a Facebook account. Both use extremely heavy security to take away privacy from clueless millennials.
The VFEmail sellout is actually the tip of the ruthless privacy invasion. They are everywhere:
To buy a Sony 4K TV consumers MUST agree to Google's terms of service. The latest Vizio soundbars and 4K displays are also controlled by Google Smartcast.

What You Can Do
The key is to NEVER connect these devices to your network. Denying them your wireless router password prevents them from adding to your family’s dossier and ultimately controlling their lives. Make no mistake, advertising by its very nature dumbs people down. Once addicted they feel helpless and trapped with being reduced to pressing a ‘Like’ button in a children’s game. But no worries! as the years of data mining allow corporations/advertisers to make your decisions as you watch The Incredibles.

Seriously, technology works both ways so these basic countermeasures are very effective.
You cannot be tracked using a VPN, Linux Mint and the Palemoon add-ons Secret Agent & uBlock Origin.

List to add in the uBlock Origin my-rules tab
* google-analytics.com * block
* google.com * block
* googleadservices.com * block
* googlecommerce.com * block
* googlesyndication.com * block
* googletagmanager.com * block
* googletagservices.com * block
* ajax.googleapis.com * block
* imasdk.googleapis.com * block
* facebook.com * block
* facebook.net * block
* adobe.com * block
https://github.com/gorhill/uBlock/releases
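Added example (not from the post and not uBlock Origin's own code) that evaluates the rule list above with dynamic-filtering semantics, so you can check what a given request would hit before loading the list. The rule format and precedence model are assumptions labelled in the code; the point it surfaces is that a `google.com` rule also covers every subdomain (logins, Maps, Drive), while `googleapis.com` itself stays unblocked because only two of its subdomains are listed.

```python
"""Evaluate uBlock Origin-style dynamic filtering rules ("My rules" tab).

Added example, not part of the original post or of uBlock Origin itself.
Assumptions (labelled): rule lines have the form
    <source hostname> <destination hostname> <request type> <action>
where "*" means "any"; a destination hostname rule applies to that host and
all of its subdomains; a rule naming a hostname overrides a "*" rule, and
among hostname rules the longest (most specific) match wins. This precedence
model is a simplification of uBlock's real engine.
"""
from dataclasses import dataclass
from typing import List, Optional

# Rule list copied from the post above.
MY_RULES = """
* google-analytics.com * block
* google.com * block
* googleadservices.com * block
* googlecommerce.com * block
* googlesyndication.com * block
* googletagmanager.com * block
* googletagservices.com * block
* ajax.googleapis.com * block
* imasdk.googleapis.com * block
* facebook.com * block
* facebook.net * block
* adobe.com * block
"""


@dataclass(frozen=True)
class Rule:
    src: str      # source (page) hostname or "*"
    dst: str      # destination (request) hostname or "*"
    rtype: str    # request type (script, image, xhr, ...) or "*"
    action: str   # block, allow or noop


def parse_rules(text: str) -> List[Rule]:
    """Parse the four-field rule lines; reject anything malformed loudly."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("block", "allow", "noop"):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(*parts))
    return rules


def _host_matches(pattern: str, host: str) -> bool:
    """'*' matches anything; otherwise match the host itself or any subdomain."""
    if pattern == "*":
        return True
    return host == pattern or host.endswith("." + pattern)


def _specificity(rule: Rule) -> tuple:
    # Hostname patterns beat "*"; longer hostnames beat shorter ones;
    # an explicit request type beats "*".
    return (
        0 if rule.dst == "*" else len(rule.dst),
        0 if rule.src == "*" else len(rule.src),
        0 if rule.rtype == "*" else 1,
    )


def decide(rules: List[Rule], src: str, dst: str, rtype: str = "*") -> str:
    """Return 'block', 'allow' or 'noop' for a request from page src to host dst."""
    best: Optional[Rule] = None
    for r in rules:
        if not (_host_matches(r.src, src) and _host_matches(r.dst, dst)
                and r.rtype in ("*", rtype)):
            continue
        if best is None or _specificity(r) > _specificity(best):
            best = r
    return best.action if best else "noop"


if __name__ == "__main__":
    rules = parse_rules(MY_RULES)
    # Constructed sample requests from a page on example.org.
    for host in ["www.google.com", "accounts.google.com", "fonts.googleapis.com",
                 "ajax.googleapis.com", "notgoogle.com", "cdn.example.net"]:
        print(f"{host:24s} -> {decide(rules, 'example.org', host, 'script')}")
```

Appending a more specific line such as `* accounts.google.com * allow` demonstrates the override behaviour: it wins over the shorter `google.com` block for that host only.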

Steven • September 4, 2016 11:35 AM

Citizens Bank sends me a new debit card.
The new one has a chip; the old one didn't.
The letter says, "Call this 800 number to activate".
I've done this before; no big deal.
I dial the number.
It says "key in your 16-digit card number".
I key in the number.
Then it says, "key in your 4-digit PIN."
I hang up.

I type the 800 number into Google. It takes me to Citizens' web page, with the correct URL and a green lock icon in Firefox. Once I have the URL, I go to Citizens web site via my own bookmark, type in the path portion myself, and see that I get to the same page with the same 800 number.

I'm sure the card is legit, but I'm still not going to activate it over their 800 number. I'll just activate it by using it at my usual ATM.

I know I've activated these cards in the past without being challenged for the PIN. They use caller ID to verify that you are calling from your home phone; that puts the card at your address, which is all that can be established in this protocol.

I suppose their concern is that if someone intercepts the card, they get my name + address from the envelope. Then they can look up my number in the phone book and fake the caller ID when they call to activate it.

Still, this is really discouraging. Their letter is indistinguishable from a phishing attack. Anyone who has my card number can fabricate a card and mail it to me with instructions to call some number and enter my card number + PIN.

Bonus points if they copied my PIN to a secondary computer system (that manages the card activations) in addition to the primary computer system (that runs the ATM network.)

Joe K • September 4, 2016 12:51 PM

Dear @agent_rng,

re: « Survey: Hackers believe strongly in privacy unless they're paid to crack passwords »

The stench of Newspeak is so strong with that one, judging from its title selon les dires de son url, I can smell it from here. No need for a closer examination.

As if taking a vow of crack-abstinence would improve anybody's privacy.

Anon • September 4, 2016 12:58 PM

@Privacy Minded VfeMail Invites Google:

Here in Europe, the big service providers require your mobile number to register for anything (including Google, Yahoo, Microsoft). I avoid any service that requires more than a username and password to register.

As with anything online, if you don't provide it, they don't have it.

Dirk Praet • September 4, 2016 1:16 PM

@ Grauhut

Grauhut on Friday Squid Blogging: Korean Spicy Grilled Squid:

Funny leaked report: German Federal Data Protection Commissioner about broken German constitutional and data protection laws in the NSA - BND cooperation.

It's actually far from funny: massive legal and constitutional violations, the report withheld from the public, the only response from the government to which is to try and legalize it all and even extend it. It makes you want to throw up.

r / agent rng • September 4, 2016 2:06 PM

From the "After you, I insist." Dept.

https://tech.slashdot.org/story/16/09/04/0912201/ftc-warns-consumers-dont-sync-to-your-rental-car

'"If you connect a mobile device, the car may also keep your mobile phone number, call and message logs, or even contacts and text messages," the FTC said in an advisory released on Tuesday. "Unless you delete that data before you return the car, other people may view it, including future renters and rental car employees or even hackers."'

When they say delete, they mean both wipe and brick the memory, correct?

Curious • September 4, 2016 2:35 PM

Curious about something a friend mentioned:

Imagine that you have a large bunch of encrypted messages sent as 4- or 5-digit groups.

Imagine the total number of all printable characters in all the text in all the pages that have ever been on the internet.

Now imagine that any given group in your encrypted texts might be any one of the above.

And that the "key" is simply which character you started selecting (highlighting) at on which page.

How would you go about decrypting something like that?

(Other than the XKCD Wrench Solution.)

John Doe • September 4, 2016 3:00 PM

@Privacy Minded VfeMail Invites Google

In re: VfeMail

I signed up for a free VfeMail using an obviously fake name, and was in business in about one minute. There was a captcha, but it was easy.

Looked over TOS and the Agreement and didn't see anything about Google, real name or the stuff you said.

What up?

ab praeceptis • September 4, 2016 3:02 PM

Dirk Praet

ad german bnd scandal:

Add to this that, as we meanwhile learned and got evidence for, the *only* real interest of the government, namely the Kanzleramt (the chancellor's office), was how to cover it up. In fact, there was even a sentence like "This would not at all be defendable in a public discussion" (and hence they made sure that such a discussion couldn't come up).

Those are the people who now want to create a federal agency to crack and eavesdrop on encrypted communication.

Hoo Dat • September 4, 2016 3:31 PM

@ab praeceptis


Re: "Those are the people who now want to create a federal agency to crack and eavesdrop on encrypted communication."

My reading suggests SSL has been broken every which way via corruption of ssl keys and massive Man in the Middle operations. Thus, there is no reason to crack SSL. It's borked.

I suppose PGP and their kin remain a problem maybe, but for one thing who uses it, since it's too complicated for all but the most dedicated users? And, what with entire operating systems converted to key loggers, not to mention assorted routers and other devices, there may be no need to "break" PGP.

Frankly, anyone who REALLY wants to keep a secret should never reveal it electronically, at least in encrypted plain language. I suppose there are ways to pile code on top of code to beat the crackers, but again if whatever one is doing needs that kind of secrecy they must be up to no good in the first place, and they know it.

ab praeceptis • September 4, 2016 3:57 PM

Hoo Dat

I think what you said can indeed be re-formulated as describing what and how their new eavesdropping agency is about to work. As you correctly state there is in many cases no need to crack anything. It's sufficient to make use of the many weaknesses, incl. those on the user side. Of course, the fact that pretty much every state has a CA that is accepted in the browsers helps (them) a lot, too.

I personally consider SSL/TLS a problem and even a pain rather than a solution. On the other hand, it happens to be what is widely installed and what users associate with security.
My guess is that more and more companies, institutions and concerned users will replace it by better (and more adequate) solutions; step by step and as the products/software become available.

As for PGP I do not fully agree. In fact, I happened to succeed to train some people in my environment (e.g. tax consultants) to use it. It's a bit awkward and cumbersome but even normal people can understand (enough of) it and use it. Usually the hardest part is to make them understand the difference between encryption/decryption and signing.

winston smith • September 4, 2016 4:14 PM

@hoo dat

I routinely communicate with my wife (and others) with PGP regarding mundane details in life such as coordinating dinner plans... because I value the 4th amendment (yes, United States) and my right to conduct my affairs in privacy. With all my heart and all my being, I despise the evil that we currently suffer which hungers for power and control over the people.

Therefore, I cannot agree that, "They must be up to no good in the first place, and they know it." Not at all!

For what it's worth, the comment about whole operating systems converted to surveillance platforms.... I agree. Such a shame. I say, "You end up with what you put up with."

But for those who "see", the fight will only get harder and harder as more encroachment on individual liberty persists. It's almost game over without " reality re-indoctrination training" for the people.

r / agent rng • September 4, 2016 5:07 PM

@Curious,

I had something typed up for you earlier about your initial question but I've lost it amid a multitude of devices.

The targets, in any scenario, are as follows:

a) the key
b) the cypher
c) the hardware
d) the human

The scenario you describe, in my mind, is difficult yes but not impossible. All it does is make the key hard to obtain directly. A key and/or an unencrypted original can be fleshed out of the encrypted copy with **some** work: the attack on 64-bit symmetrical cyphers is about shortening the attack time that a brute force would take. It doesn't brute force the key directly from the point where you enter it, but from the point where it's applied. Those are what known-plain-text attacks are, you plug in some assumptions about what the contents are and you apply a modified version of the respective cypher you suspect has been used.

That covers both A) and B) I think(?). @Anyone please, feel free to correct me.

c) attacks are covered by what are known as side-channels, certain functions are structured in a noisy way. You can hear the difference between a normal car running down the street and say a truck, when you're using stuff like AES you're hearing (electromagnetically, acoustically and/or thermally) that diesel engine run. Some routines, like ChaCha, are Maseratis. They hum along at a quiet purr well beyond what other routines do but because of that they have their own problems 1) being it's a sports car and it can be made to go REALLY FAST. AES for a large part to be competitive with such algos on the highway of data processing needs 'Encryption Accelerators', to a point those are what make it noisy. The algo by itself is noisy already but accelerating a truck to 150 is not a quiet thing to do.

d) the human factor. This includes you installing things that aren't trustworthy (this is verification), you using things inappropriately (this is best-practices) and other more general mistakes like: "can I use your computer?" or "you can't take it with you".

If I'm wrong, anyone - please feel free to jump in.

Do I think someone would have a good chance at cracking such a scheme? Based on public knowledge? No. Assuming ALL of the above though.

Do I think that it's possible to side step the requirement of having the actual key to decrypt the things inside? Absolutely, see C) and D).

It's a complex problem, we have the solutions but putting them in place and using them correctly is the hard part.

r / agent rng • September 4, 2016 5:13 PM

@Curious,

Thoth is apparently working on a sort of "key escrow", where you cannot have physical possession of the key itself but you can of the secure container it resides upon (tamper resistance and detection/evident technology) and a method to keep it from being ever directly used at all.

Grauhut • September 4, 2016 5:20 PM

@Dirk: From my point of view the BND/NSA affair is incredibly funny!

Come on, it's nothing we didn't know before, at least since the good old 90's.
(I was working then with MFS [Metropolitan Fiber Systems, later Worldcom] in FRA, everybody knew who they were and why nobody wanted to peer at their MAE-FFM routers;)

The funniest aspect is: No more "you evil thin foil hat" bashing possible! :)


It's time to explain to the German public that it had legal consequences to be at war, since NATO Art. 5 decision 10/2001. They "forgot" to tell us after voting for war...

https://www.gesetze-im-internet.de/englisch_gg/englisch_gg.html#p0418

Curious • September 4, 2016 5:26 PM

@ab & r

Muchas Thanks! BTW, that other "Curious" (who didn't recognize Bless) wasn't me.

Tor User • September 4, 2016 5:39 PM

@Bystander

Well written article. I agree that managing the optics of Tor is a difficult business however I think that the claim that it is going to get someone killed is overly dramatic. After all, Tor has put several hundreds of pedophiles in prison already (and more in the pipeline) and given how those people are treated once in prison it wouldn't surprise me if a few of them have not been killed or committed suicide in the process. In other words, if the concern is that re-branding Tor might cause it to get blood on its hands well....it already has blood on its hands.

Several years ago I thought it would be an interesting research project to go back through the news articles over the last decade to calculate the number of years in prison Tor has been responsible for. However, I soon realized the enormity of the project and gave up. But even my very rough "back of the envelope" calculations indicated that Tor has been the source of at least thousands of years of prison sentences already.

So I can't really imagine the Roger and company are going to get agitated about the threat of a few more bodies lying in the street. Just toss them onto the pile already there.

Grauhut • September 4, 2016 6:21 PM

@ARYAAC: Thx a lot, but you know, I'm German... For real emergency cases I have my grandfather's M42 helmet. This style still has some social engineering capabilities!

Germans don't wear thin foil. :)

Bob • September 4, 2016 7:52 PM

@ Tor User wrote, "Several years ago I thought it would be an interesting research project to go back through the news articles over the last decade to calculate the number of years in prison Tor has been responsible for."

It isn't about Tor or i2p or whatever nutsack is used. What is more dangerous than pedophilic imbeciles is the false sense of security that we've been put under. But the common caucus is easily observed. Hear no complaints about front/back-doors lately, they got one in Windows 10. Apple stock prices have been creeping up lately, don't be surprised if a back/front-door is baked in.

Here's my daily contribution of sock-puppetry.

Clive Robinson • September 4, 2016 7:54 PM

@ Agonizing Return Yet Again of the Actual Curious,

The abducted inventor uses "velostat" which many UK EEngs call "100 Ohm Foam"...

To what end I'm not certain, but one thing I do know is 100 Ohm foam is a really cheap way to make "touch sensitive" transducers for robot grippers.

Maybe he thinks aliens are going to squeeze his head...

militarization of local police departments • September 4, 2016 8:04 PM

It is clear that law enforcement is out of control.

Leaked Catalogue Reveals a Vast Array of Military Spy Gear Offered to U.S. Police
https://theintercept.com/2016/09/01/leaked-catalogue-reveals-a-vast-array-of-military-spy-gear-offered-to-u-s-police/

Maybe think twice the next time you see them asking for more money to "protect" us.

Reforming Police Practices
https://www.aclu.org/issues/criminal-law-reform/reforming-police-practices

Despite the landmark 2013 decision by a federal judge in New York condemning the New York Police Department’s misuse of stop-and-frisk, it remains a popular tactic for surveillance and control in cities of all sizes. The policies and actions of the police are instrumental in deciding who gets stopped, searched, arrested, and funneled into the criminal justice system; indeed, the United States’ overincarceration crisis begins at the front end of the system. Meanwhile, often under the guise of our failed drug war, abuse of civil asset forfeiture is rampant, while federal grant programs enable the increasing militarization of local police departments.

CLRP relies on various strategies to challenge a broad range of unjust police practices. In some instances, we work with law enforcement to develop reforms at the departmental level, using data on deployment, stop, search, and arrest disparities to press for change. We also pursue litigation against departments enforcing unconstitutional and counterproductive policies and tactics that harm the communities the police are responsible for protecting. Ultimately, our efforts are intended to address the longstanding adversarial relationship between police and communities and to help create police departments that work collaboratively and democratically with all of the communities they serve, increasing transparency, accountability, fairness, and public safety.

Elmer FUD • September 4, 2016 8:05 PM

Interesting interaction between @Bystander and @Tor User. Bystander points us to a warning: This Virgil Griffith person says you should leave Tor now, because... reasons! The idea seems to be privacy's OK, but that human rights stuff makes Asians mad, so stick to privacy and ixnay on the umanhay ightsray, or you'll get in trouble.

In classic American tourist style, Griffith generalizes about 60% of everybody in the world from what he knows of his adopted city-state, Singapore. Because Singapore absolutely does not care for human rights, he says. Awkwardly, privacy's a human right, as the Government of Singapore knows, because it's Article 12 of the UDHR that Singapore affirmed to the Human Rights Council in that statement Griffith links to, but seems not to have read.

With loving care Griffith powerpoints up a Venn diagram that shows he doesn't know what human rights are. Does he know that human rights are written down, and you don't need to pull them out of your butt based on some vague intuition? And that foreign people know what human rights are, and you probably can't fool them by selling them the sizzle not the steak? Griffith also doesn't seem to understand the difference between privacy and state secrecy, or confidentiality, or clandestine operations.

So this is not a serious critique. It's 2 AM drunk dorm BS. But then "Tor User" catapults it and gets to the point by trying to scare you about all the people Tor got thrown in prison (he gave up trying to count them, but it's lots. Let's see his very rough "back of the envelope" calculations.) It's classic statist FUD complete with Blood on their hands®.

It's noteworthy that the Tor strike has flopped but you're still getting disembodied voices attacking Tor for various nonsensical reasons. The COINTELPRO incitement of dissension continues too, although the harder they try, the harder Alison Macrina laughs, so it's sort of an uphill battle. It would seem that the idea of opening the Tor project to people from the Global South is a real threat. It's the final step in severing Tor from its origin as an ONI state weapon. So good luck with it.

Feo • September 4, 2016 8:30 PM

@militarization, thanks for the news on America's cop cancer. It reminds us that ACLU is a bunch of apple-polishers. You can read their 'reforms' till your eyes bleed but you won't see the word impunity. Cops with impunity are just criminals who get away with it but ACLU won't touch it with a ten-foot pole. Until the killer pigs go to prison, they'll keep killing whoever they want.

Grauhut • September 4, 2016 8:57 PM

BTW: ZeroDays, the Stuxnet documentary is nice

www.zerodaysfilm.com

or longer google.com/search?q=zero+days+streaming

Bystander • September 5, 2016 12:19 AM

@those who reacted upon the article on Tor

I neither endorse nor condemn this article. For me this article is a nice illustration on how people/organizations try (and manage) to taint the userbase of a privacy service in a way that suits their goals.

Pointing to the criminal activities is the common approach of those who oppose Tor and yes, there are such activities and this must cease and the crimes must be punished.

BUT:

The current motion that tries to paint the Tor users as human rights activists (there are certainly quite a few using Tor) does not help those who simply want to escape general surveillance. The intentions might have been good here, but the fallout might be not.

Curious • September 5, 2016 4:03 AM

Someone else being Curious above. Two of them actually. :|

Something about a man having planted malware on one or maybe more (I don't know) Linux servers in 2011.

"Florida Computer Programmer Arrested For Hacking"
https://www.justice.gov/usao-ndca/pr/florida-computer-programmer-arrested-hacking

"Bloke accused of Linux kernel.org hack nabbed during traffic stop"
http://www.theregister.co.uk/2016/09/02/alleged_linux_hacker_arrested/

"It is alleged his hacking spree forced the two Linux groups to shut down completely to clean up a malware infection. Austin was stopped on Thursday this week by police in Miami Shores for a traffic offense – and was arrested when he identified himself."

The Register article apparently links to a pdf file for the court documents though I don't think this is some official link: https://regmedia.co.uk/2016/09/02/linux_hack.pdf

Curious • September 5, 2016 4:57 AM

According to Wired, the FBI released a 60-page-long document Friday afternoon about their investigation into Hillary Clinton.

"Bill Clinton Staffer’s Email Was Breached on Hillary’s Private Server, FBI Says"
https://www.wired.com/2016/09/fbi-says-bill-clinton-staffers-email-breached-private-server/

"Since it came to light that Hillary Clinton ran a private email server during her time as Secretary of State, that computer’s security has become a subject of controversy among politicos whose only notion of a “server” until recently was a waiter carrying canapés at a fundraising dinner. But now the FBI has released the first hint that Clinton’s private server may have been compromised by hackers, albeit only to access the email of one of former president Bill Clinton’s staffers. And though there’s no evidence the breach went further, it’s sure to offer new fodder to critics of Clinton’s handling of classified data."

The Wired article was apparently being edited as I was reading it. At the time when I copy pasted the text a couple of times, there was a difference in the last paragraph.

JG4 • September 5, 2016 7:09 AM

@Privacy Minded VfeMail

Thanks for your tip about the Sony and Vizio big screens. I suspected that this was in the works, because someone recently told me that they couldn't get their brand-new one to run without giving it a WiFi password. They thought literally nothing of it, but it made the hair on the back of my neck stand up. The news about Samsung's audio stream going out unencrypted was many months ago. I want to buy a big screen that doesn't have any wireless capability. Obviously, if it doesn't have networking, it won't be asking for passwords. I'm willing to live with the electromagnetic emissions.

I have been meaning for months to raise this topic in the forum and see if anyone has a comprehensive view of the situation. I just want to be able to generate HDMI input from DVDs and MP4 files. Does anyone have a forum addressing the anti-privacy features of various appliances? It wouldn't be too difficult to block transmissions, but devices that require handshaking with the server are harder to defeat. I'd prefer to avoid buying them in the first place.

The general problem of IoT mitigation is a good one for open-source efforts. I'm pretty sure that I scoured the internet looking for information on the topic of information leakage from big screens and couldn't find anything.

Only a few percent of people have any inkling of what is happening. Fortunately, some of the brighter folks read here. As I said before, it is going to take a coordinated effort to push back against the intrusions and it will not be easy.

"Still, if you will not fight for the right when you can easily win without bloodshed; if you will not fight when your victory will be sure and not too costly; you may come to the moment when you will have to fight with all the odds against you and only a precarious chance of survival. There may even be a worse case. You may have to fight when there is no hope of victory, because it is better to perish than live as slaves."

Elmer FUD • September 5, 2016 8:17 AM

Yes, let's be clear here. Bystander doesn't want any 2nd Amendment rights, he just wants a gun. He doesn't believe in that First Amendment stuff, he just wants to say what he thinks. He doesn't care about that Eighth Amendment business, he just doesn't like getting tortured. Because everybody knows that rights only get you in trouble.

You are like the Nathan Hale of timmies.

Moderator • September 5, 2016 9:09 AM

Newcomers who choose the common handle "Curious" for their comments are not necessarily trying to impersonate or confuse anyone. If you are concerned about impersonation, consider changing your handle to "Curious I," "The Original Curious," or the like.

65535 • September 5, 2016 9:30 AM

@ John Doe

I tried VfeMail with a browser spoofer and it Did Not work! VfeMail is probably trying to finger print my browser.

John Doe • September 5, 2016 10:30 AM

@65535

Good point about the browser spoofer. However, I have found browser spoofers tend to break a lot of websites, even the most ordinary kind.

I used TOR to get a Vfe account, which apparently VfeMail also uses for operations. I did not give even close to a real name, and saw no mention of Google TOS anywhere which was what the original post was about.

I would probably use VFEMAIL for mundane things like getting a free subscription to a site or something. If I was some kind of super spy, I would want to thoroughly test Vfemail, or more likely not use any email account for something really, really, really in need of secrecy.

CarpetCat • September 5, 2016 4:38 PM

On Nicknames...

Oh, the possibilities!

BerberCat!
Spawn of IANF!
Curious the 3rd, return of the king!

There's just too many wrestling names...

Ergo Sum • September 5, 2016 4:57 PM

@Clive...

IoT sort of reminds me of the early stages of Wi-Fi technology. It pretty much started out with no security, then WEP, nowadays WPA/WPA2 and soon to be WPA3.

While in the early years most of the Wi-Fi networks were open, as in anyone could connect, it would be hard finding one without WPA/WPA2 protection now. Manufacturers made it rather easy to have a secured Wi-Fi access point that is secure enough for home use.

The same will probably take place in the world of IoT in a couple of years. Companies will learn that they'll need to add security to their solutions in order to be marketable for the masses. People are much more security conscious than they used to be back in the days of early Wi-Fi implementation.

Well, not to the level of people commenting in this blog. And if they ever reach your and others' level of security knowledge, they'd probably just buy a typewriter. Or run some version of Linux with the yet to be released encryption by Thoth... :)

Clive Robinson • September 5, 2016 6:59 PM

@ Ergo Sum,

The same will probably take place in the world of IoT in couple of years. Companies will learn that they'll need to add security for their solutions in order for being marketable for the masses.

Whilst that will almost certainly happen --but in a longer time scale-- you have to ask about two things,

1, Legacy devices
2, Fall back issues.

Unlike WiFi routers with their quite short life expectancy, IoT devices are going to be much like "Smart Meters" and "Implanted Medical Electronics" still in use in twenty to thirty years.

Further, IoT devices due to "cost constraints" will be very much less likely to be either software updatable, or where possible have software updates in a timely fashion or at all after a year or so. That is, IoT devices will get the same "love and attention" Service Providers give to the likes of Android phones.

Thus I can easily see insecure IoT light fittings etc put in this year still being there in a couple or three decades. Almost certainly firmware updates will be history within a couple of years, thus the "head end" control software will have to be updated every 6 months or so, but will have "Fall Back" for compatibility reasons. Thus an attacker would be able to get between the IoT device and its control software and force a significant security downgrade.

Whilst getting between an IoT device and the control software could be difficult if both were on a private and isolated network, it's going to be relatively simple when the IoT is in say New York but the real head end is actually in Beijing, Tokyo, Seoul, Moscow or even Tel Aviv. Mad as this might sound, a number of IoT devices already,

1, Must connect to the Internet.
2, Use insecure comms to the Head end in China.

The logic is simple, if your iPhone has a graphical front end, that talks to the head end in China, then you can update your phone for the next few years without worry. Because the manufacturer keeps the head end in step with future unknown smart phone development. The manufacturer also gets a huge amount of user data that can be used to raise additional revenue.

Thus I feel that IoT is kind of doomed from the "get go" and will remain so for the next few decades...

Forrest Gump says Play Your Cards Close • September 5, 2016 7:01 PM

First VFEMail is not doing the identity verification GOOGLE Is!
If you have an ad-blocker Google Adsense is there initially. Search ‘VFEmail Google’ too.

Logically if Google can determine who you are from browser fingerprinting (and especially your fixed household IP address) then it is to their advantage to keep you ignorant that you’ve just been verified.

The VFE administrator has a large problem with attacks and now spammers' mailings that they are unable to control. The mail service has been frequently down. Who would want them to go out of business? lol

Not only does this new technique stop spammer headaches but it delivers advertising revenue.
So what does Google get? Your privacy…which removes the entire reason to pay for VFEMail. This irony goes over the heads...Wooosh!

In searching for a new email provider many use cloud storage which governments can legally hack into without warrant, company or your knowledge or permission. So I use a pop3 server and delete mail on the server after a week. In other words my boring email is locally stored.

Other providers use heavy encryption which I personally don’t need. Actually I’m reverting to paper statements and greatly reducing personal emails as most people are slaves to ‘free’ email. The reality is, I’m still being monitored at the other end.

Google to Chinese Connection through Vizio
Home TVs and soundbars etc. all have HDD/SSD storage. If you connect even once then the last several months of usage data can easily be transmitted ‘home’. Vizio is also sampling and analyzing raw HDMI data to identify the other programs you watch even if you think you have turned the power off. Their wireless cannot be disabled whereas the Sony has a switch. The Sony 4K TV can also be updated via USB drive, with 1.2GB of Google data-mining code.

My family policy is to use one-way communication (recorded OTA TV, US mail and online with VPN, adblockers and fingerprinting spoofers). I’ve been successful (with one small exception for devious Microsoft). As a result we are not dumbed-down by advertising. There are exceptions like Amazon - who have actual products to sell and superior customer service. That is, a corporation can learn about me when I directly benefit and it keeps my data confidential by not sharing or selling. Didn’t the CIA select Amazon cloud services? Your aggregate ‘non-personal’ data can easily be combined (think Palantir) with other databases to determine your exact identity.

We Can Only Dream
My solution is a dumb question:
why hasn’t Amazon offered a free UNSCANNED email service to its Prime members? It would horrifically (or hysterically) devastate the email data-miners in one fell swoop.
This is also what Walmart/Jet should do to build loyal premium-paying customers.
Sadly even Silicon Valley admits it has to go to China to find tech innovation…
The current pathetic situation makes no sense as business would go Boom (like right through the roof)!
Sorry for sounding like Forrest Gump

Elmer FUD • September 5, 2016 9:08 PM

It's starting to look like @Bystander and @Tor User above are Virgil himself going blogwhoring for that Medium hatchet job. They sound awfully similar. And the 'Who Needs Rights?' pose has long been standard US foreign-interference doctrine - even covertly-funded subversives like OTPOR genuflected to it. But people can pick it up by osmosis, too, so we wanted to give Virgil the benefit of the doubt.

However the matter looks different when we are reminded that hacker/author Virgil tried to sell Tor2web user data to INTERPOL and the Singapore police. Perhaps Virgil just likes to betray the people who trust him and his code. Perhaps Virgil got an offer he couldn't refuse during the Blackboard lawsuit - he was, after all, accused of economic espionage under 18 U.S.C. § 1831. In any case we see Virgil Griffith pitching in to help with the COINTELPRO tricks against Tor.

Grauhut • September 5, 2016 10:25 PM

@Forrest: "why hasn’t Amazon offered a free UNSCANNED email service to its Prime members?"

Because the CIA is one of their prime customers? :D

http://blackbag.gawker.com/amazon-is-the-scariest-part-of-the-cias-new-amazon-clo-1605847721

The whole "Free Internet for Attention and Data" business model is broke, fubar, they need to make a living from our data, not from us paying bills.

Somewhen between 01/01/2000 and 09/10/2001 the western econ model broke. After that our attention was focused on new targets.

Could someone here explain the Twitter biz model to me, for instance? ;)

The Other Bob • September 6, 2016 1:25 AM

@ Clive Robinson

1, Legacy devices
2, Fall back issues.

IoT covers a lot of ground, but I think from the consumer standpoint I'm quite tolerant of these issues. When a smart tv stops being smart, I buy a new one to replace it, definitely shorter product cycle compared to my home router, but I can only speak for myself.

These issues are somewhat evident in what someone covered above re: HDMI. I think what you're trying to get at is where the tradeoff is and what the general consensus on the issue is (assuming there is a free market), to which I have no idea.

Clive Robinson • September 6, 2016 4:51 AM

@ ALL iPhone 6 / 6 Plus owners,

Apple might end up on the wrong end of a class action over a mechanical design flaw in these phones.

But even if it does not get that far, you might want to consider ditching your 6 / 6 Plus into re-sale before the "grey bar" problem starts to show up on your phone and it slides into full "touch-death" disease and becomes worthless as far as Apple is concerned...

http://ifixit.org/blog/8309/iphone-6-plus-gray-flicker-touch-death/

I guess the CEO of Apple might see the EU "Pay your taxes" issue as more manageable than this fairly serious "own goal" with only themselves as the enemy of their beleaguered customers they are so blatantly $hafting.

Who? • September 6, 2016 6:18 AM

@E "Self Help" manuel

So OpenBSD's FDE passphrases can be brute forced... is it something unexpected?

Just use a large and unguessable passphrase, a large number of rounds (mine uses 65000 rounds, so it is difficult testing more than just a few passphrases per second on current architectures) or, even better, do not use passphrases at all but a digital certificate stored on a USB drive.
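As an added illustration of why the round count matters (example code written for this page, not OpenBSD's code and not part of the comment above): OpenBSD's softraid crypto derives the disk key from the passphrase with PBKDF2, and `bioctl -r` sets the iteration count. The PRF, salt and key length below are assumptions chosen for illustration, not the exact softraid parameters. The point the code shows is that an attacker testing candidates against a stolen key-check value pays the full KDF cost per guess, so the guesses-per-second rate falls linearly with the round count while the legitimate user pays that cost once per boot.

```python
import hashlib
import time

# Added example, not OpenBSD code. softraid crypto derives the disk key from
# the passphrase with PBKDF2 and bioctl -r sets the round count; the PRF,
# salt and key length here are assumptions made for illustration.
SALT = bytes.fromhex("5b1d9e0c6a2f4e8831f7c0d9a4b26e13")  # constructed, fixed salt
KEY_LEN = 32


def derive_key(passphrase: str, rounds: int, salt: bytes = SALT) -> bytes:
    """Passphrase -> disk key. Every call costs `rounds` HMAC iterations."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, rounds, KEY_LEN)


def dictionary_attack(target_key: bytes, wordlist, rounds: int):
    """Attacker's loop against a stolen key-check value.

    Returns (recovered_passphrase_or_None, attempts_made). The attacker must
    know the round count used, otherwise every candidate derives a wrong key.
    """
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if derive_key(candidate, rounds) == target_key:
            return candidate, attempts
    return None, attempts


def guesses_per_second(rounds: int, samples: int = 5) -> float:
    """Measure how many candidates per second this host can test at `rounds`."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe-{i}", rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses/second."""
    return keyspace / rate


if __name__ == "__main__":
    # Constructed wordlist; the third entry is the "victim's" passphrase.
    wordlist = ["123456", "password", "letmein", "correct horse battery staple"]
    for rounds in (1, 1000, 65000):
        target = derive_key("letmein", rounds)
        found, tries = dictionary_attack(target, wordlist, rounds)
        rate = guesses_per_second(rounds)
        years = seconds_to_exhaust(26 ** 8, rate) / (86400 * 365)
        print(f"rounds={rounds:>6}: found {found!r} after {tries} tries, "
              f"~{rate:,.0f} guesses/s on this host, "
              f"8-char lowercase space ~{years:,.1f} years")
```

Run it once and compare the rate at 1 round with the rate at 65000: the ratio is the whole benefit of the `-r` knob. Note what it does not buy you: a passphrase that is in the attacker's wordlist falls at any round count, which is why the comment's first advice (a large, unguessable passphrase) comes before the second.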

Dirk Praet • September 6, 2016 7:54 AM

@ Who?, @E "Self Help" manuel

... or, even better, do not use passphrases at all but a digital certificate stored on a USB drive.

OpenBSD supports 2FA Yubikey + password authentication using a small patch. On PC-BSD, you can use Personacrypt, for which you require a USB-stick that will also hold your GELI-encrypted home directory. The password is split over the stick and the device, so you need both to successfully authenticate.

TIP: The Yubico on-line store is currently giving a 20% discount for Github users. That's good enough to make up for VAT or part of the shipping cost.

Joe Stalin • September 6, 2016 9:13 AM

Contrast Rolling Stone article on GOP removing minorities from many state voter registration lists
http://www.rollingstone.com/politics/features/the-gops-stealth-war-against-voters-w435890

to Wash Post Russian movie plot
https://www.washingtonpost.com/world/national-security/intelligence-community-investigating-covert-russian-influence-operations-in-the-united-states/2016/09/04/aec27fa0-7156-11e6-8533-6b0b0ded0253_story.html

Which evil plot has already affected several election cycles, which plot is more effective? Which is actually covered in all the mainstream media? Which story is only covered by a music magazine and fringy left media sites?

JG4 • September 6, 2016 12:05 PM


Sadly, I can't recall who was posting the content about data visualization, but that is an important topic that overlaps the security hypervisor. As we touched on recently. I remain interested in that topic and many others.

I missed the fact that Rudy Kalman passed away in July. Eighty-six is a good run on your planet.

https://en.wikipedia.org/wiki/Rudolf_E._K%C3%A1lm%C3%A1n

He was one of the many brilliant Hungarians.

https://en.wikipedia.org/wiki/The_Martians_(scientists)

I also missed the fact that he had a data visualization technique named after him, in addition to the filter. This is a nice example of separating data for display:

https://en.wikipedia.org/wiki/Kalman_decomposition
...
In control theory, a Kalman decomposition provides a mathematical means to convert a representation of any linear time-invariant control system
to a form in which the system can be decomposed into a standard form which makes clear the observable and controllable components of the system.
This decomposition results in the system being presented with a more illuminating structure, making it easier to draw conclusions on the system's
reachable and observable subspaces.

If there were a math Nobel prize, he might have gotten one. It wouldn't be too much of a stretch to give him a physics prize. His work was essential to the space program, as well as the deep state.

The whole problem of visualizing problems hidden in a system reminded me of this title:

"What is Seen and What is Unseen"

which is described herein:

https://en.wikipedia.org/wiki/Parable_of_the_broken_window

Some months ago, I posted this. I mention it here, because it strongly overlaps Rudy Kalman's work:

https://www.schneier.com/blog/archives/2016/05/friday_squid_bl_527.html#c6724663
...
The Beginning of System Dynamics
http://web.mit.edu/sysdyn/sd-intro/D-4165-1.pdf
...
"explore the use of computers for the handling of management information"

I'll go a step further and say that this was an early attempt to create a management information display to enhance decision making. Not all such attempts end well:

Whom the Gods Would Destroy, They First Give Real-time Analytics
http://mcfunley.com/whom-the-gods-would-destroy-they-first-give-real-time-analytics

Shecky Hitler, CompSec Comedian • September 6, 2016 12:28 PM

Somebody help! The police and the judge keep ordering me to tell them my password, and I keep telling them, "Geaux_pfuc-y0ur$elf!" and they JUST WON'T LISTEN!

Ba-domp-BOMP-ssssss

Who? • September 6, 2016 1:04 PM

@Dirk Praet

Thanks. I was not aware of this patch.

It is at a different level than the one discussed here. Not a two-factor authentication at the boot level (FDE) but once the operating system has been booted. It is however a nice improvement. Right now a Yubikey can be used as an authenticator, but someone with physical access to an enabled Yubikey can authenticate without typing a password. Someone should contact one of the maintainers of src/libexec/login_yubikey to see if there is interest in adding this patch.

This patch should, however, use the password stored in /etc/master.passwd instead of a password encrypted in the /var/db/yubikey directory (I think the reference to /var/db/yubi in documentation is wrong).

ab praeceptis • September 6, 2016 1:29 PM

Clive Robinson

@ Nick P, and others,

You might find this of interest,

I did, thank you. And I enjoyed finding quite some of my thoughts and work confirmed.
But then, no surprise to find good thinking with someone heartily recommending the static analysis paper from Aarhus (the Scandinavians have contributed quite some good and interesting work and tools, too; Uppaal, to name an example).

regards, "others".

I Am Curious (Yellow) • September 6, 2016 2:17 PM

If you are concerned about impersonation, consider changing your handle to "Curious I," "The Original Curious," or the like.

Or you could reference a classic late 1960s film, either the Yellow or the Blue.

Omar Gonzalez, lone nut • September 6, 2016 4:03 PM

@Joe Stalin

The hilarious part of that Russian Scare is the idea that Putin might actually get fooled into thinking that he's dealing with the Presidential puppet ruler and not the CIA.

Lookit Obama - despite being born and bred in the intelligence community, and groomed and vetted by the intelligence community, the poor sad figurehead gets threatened with instant death if he makes one false move. It started when he made noises about investigating torture: immediate explicit threats of CIA mutiny. When Obama fails to do what he's told, at once, with a smile, CIA hits him with this giant extravaganza of lone nuts, potshots, and life-threatening cockups.

It's nothing new. Remember the 4,000 Manson girls who plinked at Gerald Ford to remind him to keep his mouth shut about CIA's past coups: CIA's bloodless Watergate coup, and CIA's not-so-bloodless coup against JFK. US presidents have less workplace discretion than Amazon order pickers.

It's one thing if Americans are too stupid or too deluded to know CIA's in charge. Does anybody think you get to be president of Russia if you can't see the CIA's hand inside the presidential sockpuppet? Everybody knows this but Americans.

Bob • September 6, 2016 7:11 PM

@ Clive Robinson,

@ All,

This might just make your problems of the day appear minor in comparison,

https://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants

Hopefully the "idiot" will be outed real soon (and thus might be unemployed shortly there after, based on the principles of the 'Greater Good' and 'protecting the innocent from harm').

Seems like a "shock post" with intent to revive forum interest. Lots of key words and links (farming?) Not sure who the idiot(s) is

tyr • September 7, 2016 1:02 AM

@Clive

This priceless quote was in the serverfault link.

"Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use."
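An added example (written for this page, not code from the serverfault thread or from anyone quoted in it) contrasting the auditor's "recoverable format" with what strong cryptography for stored passwords actually means: a salted, deliberately slow, one-way hash that the server can verify but nobody can reverse. The reversible store is a constructed stand-in for any scheme the server can decrypt; the static key and the round count are assumptions.

```python
import hashlib
import hmac
import os

# Added example; nothing here is from the serverfault thread.
# The "recoverable" scheme stands in for any reversible storage: the server
# needs the key to log users in, so whoever dumps the box gets key and data
# and recovers every password in one pass.
SERVER_KEY = b"constructed-static-key-do-not-use"  # assumption: sits beside the DB


def _xor_stream(data: bytes) -> bytes:
    """Toy reversible transform keyed by SERVER_KEY (decrypt == encrypt)."""
    return bytes(b ^ SERVER_KEY[i % len(SERVER_KEY)] for i, b in enumerate(data))


def recoverable_store(password: str) -> bytes:
    """The auditor's idea: 'encrypt' so the clear password can be retrieved later."""
    return _xor_stream(password.encode())


def recoverable_recover(record: bytes) -> str:
    """What an attacker with the dump and the key does to every row at once."""
    return _xor_stream(record).decode()


ROUNDS = 200_000  # cost knob (assumed policy); raise as hardware gets faster


def hashed_store(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record is verifiable, not reversible."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"pbkdf2_sha256${ROUNDS}${salt.hex()}${digest.hex()}"


def hashed_verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(rounds))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when a record predates the current cost policy (upgrade at next login)."""
    parts = record.split("$")
    try:
        return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < ROUNDS
    except ValueError:
        return True


if __name__ == "__main__":
    leaked_rows = [recoverable_store(p) for p in ("hunter2", "Tr0ub4dor&3")]
    print("reversible store, after the dump:", [recoverable_recover(r) for r in leaked_rows])
    rec = hashed_store("hunter2")
    print("hashed store, after the dump:", rec)
    print("login hunter2:", hashed_verify("hunter2", rec), " login hunter3:", hashed_verify("hunter3", rec))
```

The record format carries its own algorithm and round count so the policy can be raised later and old records upgraded on the next successful login, which is the sane answer to "we need it recoverable so we can change the hashing later".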

Curious • September 7, 2016 6:18 AM

I have better things to do than following US news all day long, though looking over the recently released FBI report ("a summary of former Secretary of State Hillary Clinton’s July 2, 2016 interview with the FBI") into Hillary Clinton's email investigation, there are afaik just a couple of paragraphs about FBI having talked to Hillary:

On page 26, it says that FBI showed her copies of "her classified e-mails ranging from CONFIDENTIAL to TOP SECRET/SAP" (SAP=special access program?), and also, with regard to an email classified as SECRET//NOFORN, she had stated that she knew 'SAP' information was of great importance and needed to be handled carefully.

I can't help but think that if it is so that the FBI's Comey has pointed out something along the lines that Hillary was too dumb or clueless to understand secrecy classifications, and therefore she had done nothing wrong, then with what was written on page 26 the FBI apparently knows that she knew about the concept of sensitivity of information with regard to secrecy, in knowing about that which is called 'Special Access Program'.

So, I guess if you claimed to have been briefed about SAP type of information, while also not recalling having been briefed about how to handle such information, in the eyes of FBI you have done nothing wrong because it wasn't anyone's idea to have you end up as a criminal anyway.

https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-documents-in-hillary-clinton-e-mail-investigation

Nick P • September 7, 2016 12:45 PM

@ All

(esp Clive, Thoth, ab praeceptis)

It irritates me that the best of the formally-verified compilers are getting locked up commercially. I was looking for a way to cheat using the HOL to assembly systems of Myreen et al by shoving a formal semantics of C with a C program through one. Might work or be incredibly stupid. :) Well, I found something more practical in the process: an *executable*, formal semantics for C covering all the essential properties of the language. The cool thing is they've built it in such a way that it extracts to an interpreter/compiler, debugger, and static analyzer. The KCC tool is even used in Csmith tool that found bugs in all the regular compilers. Oh, it gets better: they packaged KCC up so you can use it just like GCC on the command line. :)

GitHub page for K framework and KCC

Note: Of listed papers, most of the details are in "An executable, formal semantics of C with applications" (2012). Great paper since it covered important properties and use cases instead of just technical aspects of implementation.

K Framework homepage

Note: It's apparently part of a broader technique of rewriting-based semantics that can be used for arbitrary languages. I like that they specifically mention it handles things like "abrupt termination, exceptions, and call/cc" that some tools ignore due to difficulty. My research on formal verification showed teams often built several semantics... denotational, axiomatic, and operational... that each helped prove different things. The Matching Logic link at the bottom indicates their method can do at least two of these in one language in a way that's language-neutral and automatically drives it through a prover. I'm not specialist enough to tell at a glance if it can do denotational semantics, too.

ab praeceptis • September 7, 2016 1:10 PM

Oh, not just compilers. There's a lot of tools in the whole field that are locked up commercially. Which is fine with me if it's a corp having created something with their own money. What drives me angry is that I find that more and more in university/academic contexts.

As for K: It seems (didn't look very closely yet) that, as soon as you want to do real world work, you must contact a company for help (they name it).

I'll look again but my current gut feeling/impression is that like with quite some tools in that field you basically get a test version. If you want to really use it for real projects you need to cough up money and sign a dotted line. Sad state. Really sad when evil corp gives away actually good stuff for free while more and more academic institutions play greedy games.

That's part of the reason why I gave up looking around a lot but rather go the hard way.

Nick P • September 7, 2016 2:41 PM

@ ab

"What drives me angry is that I find that more and more in university/academic contexts."

Yeah, that's the problem I was referring to. It's happening in all the major countries doing the top work. There's fortunately a subset of CompSci people open-sourcing their work. Hard to tell if that's growing or getting rarer, though.

"As for K: It seems (didn't look very closely yet) that, as soon as you want to do real world work, you must contact a company for help (they name it)."

Same with Frama-C. There's an extendable, open, weak tool for basic stuff. There's one or more companies, like trust-in-soft.com, providing heavy-hitting, ready-to-use apps on top of that for a price. As with it, the KCC work could be extended by FOSS contributors if they chose. We've already seen that with Frama-C where teams continued to add plugins to the free one. A formal, execution checker for C code in general is already nice, though. Helps tell you if you're getting code or compiler errors when things screw up.

r / agent rng • September 7, 2016 8:53 PM

@Phar Middle,

How's that? Digitally promoted job offerings and cheap medication?

r / agent rng • September 7, 2016 8:59 PM

@Phar Middle, All

Actually, far funnier than job suggestions - would be transportation and relocation offerings a la vintage 1940's european train cars. Is that a bandwagon/bus you'd be willing to jump onto?

r / agent rng • September 7, 2016 9:01 PM

Third time's the charm:

There's a couple bumps in the road to the future, we're just going to smooth things over a little bit for ya.

pretty good • September 7, 2016 9:19 PM

https://news.ycombinator.com/item?id=12448844

The 100% correct way to validate email addresses
the user enters an '@' symbol somewhere
I guess that's approximately a 99.37500000000000000000000000000000000000% chance of correct validation (assuming loop+equiv rather than regex)

The 100% correct way
Send your users an activation email. (That’s a bold full-stop for effect.)
These days, it seems that not much more could practically be done after that...


Although, I could go on to argue the 100% correct solution would instead be to first analyze the validation methods of every mail client/server software that is currently in use.
Then, compile all those restrictions into a least common denominator.
Finally, submit a new RFC that aims to eliminate the extraneous details from the old.

Then again, I'm not really a code lawyer; and even still, I heard that computers were also making it tougher for junior word lawyers to find entry level work nowadays...

Guess there's not enough profit to be made in simplifying the rules just yet! ;-)
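An added example (written for this page, not code from the linked Hacker News thread or its article) of the two-step approach the comment settles on: a syntax pre-check that only demands a non-empty local part, an '@' and a non-empty domain, followed by an activation email carrying a signed, expiring token, since a successful round-trip is the only real proof that the address exists and belongs to the user. The signing key and the 24-hour window are assumptions; the token is stateless so the server stores nothing until the link is clicked.

```python
import hashlib
import hmac
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

# Added example, not from the linked thread. The syntax check is deliberately
# minimal; ownership is proven by the activation round-trip, not by a regex.
SIGNING_KEY = b"constructed-server-secret-rotate-me"  # assumption
TOKEN_TTL = 24 * 3600                                  # assumption: 24h window
MAC_LEN = hashlib.sha256().digest_size


def plausible_address(addr: str) -> bool:
    """Cheap pre-check: something, '@', something. Splits on the LAST '@'
    so quoted local parts containing '@' are allowed, as RFC 5321 permits."""
    local, at, domain = addr.rpartition("@")
    if not (at and local and domain):
        return False
    # Never let CR/LF/NUL reach the mail headers we are about to build.
    if any(c in "\r\n\0" for c in addr):
        return False
    return len(addr.encode()) <= 254


def issue_activation_token(addr: str, now: Optional[float] = None) -> str:
    """Token = base64url(addr|expiry|nonce || HMAC-SHA256(payload))."""
    exp = int((time.time() if now is None else now) + TOKEN_TTL)
    nonce = secrets.token_hex(8)
    payload = f"{addr}|{exp}|{nonce}".encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return urlsafe_b64encode(payload + mac).decode()


def verify_activation_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the confirmed address, or None if forged, tampered or expired."""
    try:
        raw = urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # check MAC before trusting fields
        return None
    try:
        addr, exp, _nonce = payload.decode().rsplit("|", 2)  # rsplit: addr may contain '|'
    except (ValueError, UnicodeDecodeError):
        return None
    if int(exp) < (time.time() if now is None else now):
        return None
    return addr


if __name__ == "__main__":
    for candidate in ("user@example.com", "userexample.com", "user@example.com\r\nBcc: x@y"):
        print(repr(candidate), "->", plausible_address(candidate))
    tok = issue_activation_token("user@example.com")
    print("activation link token:", tok)
    print("confirmed:", verify_activation_token(tok))
```

The order inside `verify_activation_token` is the part worth copying: decode, check the MAC in constant time, and only then parse or trust any field, so a forged token never reaches the expiry or address logic.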

r / agent rng • September 7, 2016 10:27 PM

Since my right wing-ed (don't read right-winged) trolliness has not generated a job offer yet...

Got some interesting and appropriate darpa funding snooze for ya:

"Explainable Artificial Intelligence (XAI) Darpa Funding (fbo.gov)"

"The goal of Explainable AI (XAI) is to create a suite of new or modified machine learning techniques that produce explainable models that, when combined with effective explanation techniques, enable end users to understand, appropriately trust, and effectively manage the emerging generation of AI systems."

https://news.ycombinator.com/item?id=12449297

https://www.fbo.gov/index?s=opportunity&mode=form&id=1606a253407e8773bdd1a9e884cc5293

LOL • September 7, 2016 11:07 PM

re: XAI

See also: https://fas.org/blogs/secrecy/2016/08/dsb-autonomy/

Easy solution is:

Are you making the bacon? → yes → Autonomous system is working.

no

Is there an opportunity to bring home the pork next cycle? → yes → Autonomous system may need adjustments.

no

Autonomous system is borked.

What could possibly go wrong!?

Omar • September 8, 2016 12:44 AM

@ r/agent rng, "Actually, far funnier than job suggestions - would be transportation and relocation offerings a la vintage 1940's european train cars. Is that a bandwagon/bus you'd be willing to jump onto?"

I would not be surprised because Right Wing Ers are out voting in full force. I think the media played it wrong. If they had endorsed Trump instead of Hillary, Trump would not stand a chance. The more they bash him, the higher his true poll rating goes.

r / agent rng • September 8, 2016 6:18 AM

Speaking of Italians (aimed at other thread)

"Motherboard has obtained a never-before-seen 10-minute video showing a live demo for a spyware solution made by a little known Italian surveillance contractor called RCS Lab. Unlike Hacking Team, RCS Lab has been able to fly under the radar for years, and very little is known about its products, or its customers. The video shows an RCS Lab employee performing a live demo of the company's spyware to an unidentified man,"

https://news.slashdot.org/story/16/09/08/0025258/leaked-demo-video-shows-how-government-spyware-infects-a-computer

JG4 • September 8, 2016 10:24 AM


from another daily compendium

Coda in the Key of F2654hD4
http://berghel.net/col-edit/out-of-band/sept-16/oob_9-16.pdf
Exposure of the Diebold AccuVote system’s weakness is generally credited to Johns Hopkins University computer scientist Aviel Rubin and his colleagues, who in 2003 began analyzing the source code discovered by Harris. It’s useful to frame this story in terms of Rubin’s analysis of the Diebold source code.

most people opt for the blue pill. you have to have huevos grandes to take the red pill. even then, your sanity may not survive the trip.

Don • September 8, 2016 8:13 PM

@ Phar Middle @ All

Google Program to Deradicalize Jihadis Will Be Used for Right-Wing American Extremists Next


So what occurs after a 'Jihadi' is 'deradicalised'?

do they turn into a 'ihad'? (I Had)

@ All

be careful using Tim Ferriss sites. Despite repeated requests to upgrade he is only using HTTP. Given his sites receive massive (eg millions) of regular visitors, and he also sends out weekly emails including a newsletter full of obfuscated links - there's a very broad attack surface. I don't need to spell out the dots.

Advice is to avoid until the security issue is remedied


JG4 • September 8, 2016 9:24 PM


Karl is a bit rabid, but a) he means well, and b) he is remarkably self-consistent, a rare virtue.

The 'Ransomware' Idiocy
http://market-ticker.org/akcs-www?post=231490
...
I'm not talking about security "bugs" here; these programs use well-established and documented means of hooking into these systems, which allow them to do so without any sort of explicit warning that the act they're about to undertake could have extremely dire consequence and should only be allowed by the user if said user is completely certain that the software in question is authorized and desired.
Such a prompt would stop these "ransomware" attacks dead in their tracks, permanently.
Microsoft and Apple should both be held civilly and criminally liable for the failure to provide such protections and warnings under the very simple perspective that they are knowingly and intentionally leaving the fence out of their pool construction, despite many people having drowned in same.
I'm tired of this crap and you ought to be too.

Menestrelle • September 8, 2016 11:58 PM

> The video shows an RCS Lab employee performing a live demo of the company's spyware to an unidentified man,"

A blowie, I hope?

Rémi • September 9, 2016 12:52 PM

What's the deal with IX sponsored TrueOS (formerly PC-BSD) and FreeNAS not offering secure downloads? Bugs were filed years ago, posts on the issue get deleted from the 'community' forums, and Kris Moore and Allan Jude, hosts of TechSnap and BSDNow, say I'm raging and trolling. I realize that they are financed by IX, but it makes me wonder since the whole BSD community is smallish and IX sponsors FreeBSD events all the time. I have more and it's archived, but SERIOUSLY??

https://static.spiceworks.com/shared/post/0006/6611/ixhistory_twitter.png
