Friday Squid Blogging: More Research Inspired by Squid Skin

Research on color-changing materials:

What do squid and jellyfish skin have in common with human skin? All three have inspired a team of chemists to create materials that change color or texture in response to variations in their surroundings. These materials could be used for encrypting secret messages, creating anti-glare surfaces, or detecting moisture or damage.

They don't really mean "encrypting"; they mean hiding. But interesting nonetheless.

Posted on September 9, 2016 at 4:31 PM • 98 Comments

Comments

JacobSeptember 9, 2016 4:37 PM

@Clive

A couple of months ago you mentioned that you don't trust the certificates issued by WoSign.
I also jumped on that bandwagon after reading the scathing report by Mozilla at
https://wiki.mozilla.org/CA:WoSign_Issues#Issue_S:_Backdated_SHA-1_Certs_.28January_2016.29

Among other issues like certificate back-dating, they also issued more than 300 certs specifying different CN but with the same serial number:
https://crt.sh/?serial=056d1570da645bf6b44c0a7077cc6769&iCAID=1662

Sadly, now Startcom CA also fell under the trust ax. They were a great company and used by many shoestring operations since they provided free Class 1 certs and very effective and cheap unlimited Class 2 certs, but now it has been discovered that WoSign secretly bought them in Nov 2015, and moved the whole operation, still in secret, from Israel to China.
http://www.percya.com/2016/09/wosigns-secret-purchase-of-startcom.html

And an interesting (and very educational) linguistics analysis shows that the new Startcom site is actually written by WoSign:
http://www.percya.com/2016/09/startcom-operated-solely-in-china.html

Some years ago there were some cases whereby a couple of Firefox add-on writers who authored popular extensions were bought out by spam houses and then spam was delivered to unsuspecting users via a subsequent add-on update. Do they now similarly play with user trust via secret CA buyouts?

All the while the latest browsers are dumbing down the warning given to users when encountering a self-signed cert, screaming bloody hell "improprly configured! site will steal your info! not secured! Report this site now!" , instead of the preferred, albeit the anti-big business message "Self-signed cert is detected. The info exchange between you and the web site is still encrypted, but web site ownership information has not been attested by a recognized authority. See more..." , and under the more...: "This is the fingerprint of this site's certificate xxxxx. To verify authenticity, please compare it to a fingerprint published at a trusted location".

2+2: High Value USA Persons of InterestSeptember 9, 2016 5:08 PM

Read the damning dossier on the security stupidity that let China ransack OPM's systems
The 227-page report [PDF] details how two hacking teams, both thought to be state-sponsored groups from China, managed to swipe paperwork for security background checks on 21.56 million individuals – including the fingerprint records for 5.6 million of them – and the personnel files of 4.2 million former and current US government employees.
Those stolen documents essentially contained chapter and verse on the lives of millions of Americans who have or had access to sensitive government materials – a goldmine for foreign hackers to target.
http://www.theregister.co.uk/2016/09/08/opm_hacking_report/

Phase Two – Unrelated Background
Vizio’s Smart TVs track your viewing habits and share it with advertisers, who can then find you on your phone and other devices. The tracking — which Vizio calls “Smart Interactivity” — is turned on by default for the more than 10 million Smart TVs that the company has sold.
Vizio combines this information with other information about devices associated with that IP address.” In other words, your “smart” TV or soundbar is smart enough to hunt for other devices that connect to the local network and to sell that information. Vizio does not appear to encrypt IP addresses before selling them, which makes the information it provides to third parties very personal indeed.
Vizio’s actions appear to go beyond what others are doing in the emerging interactive television industry. Data companies like Experian offer a “data enrichment service” that tie “hundreds of attributes” to IP addresses.
https://www.propublica.org/article/own-a-vizio-smart-tv-its-watching-you

Phase 3 Overcome Obstacles through Terms of Service
It’s all legal because because America’s brightest official's personally approved, purchased and installed the microphones, cameras and recording devices throughout their person, house and vehicles. They further agreed to be monitored and have data shipped overseas. This very technique is how they have built their own careers.

Personalized sharing has always been government encouraged and funded for numerous High-tech startups. The total absence of stringent privacy laws allow multi-national corporations to share USA citizen our data throughout the world, both to friends and foe alike. No one cares

The Total Information Awareness senators have never supported or respected innocent privacy. Even better the younger millennial generation have been trained to rapidly click the ‘Like’ and ‘Accept’ buttons. Who expects them to read 180 TOS pages on a dinky five inch screen?

Do Russia, China, Europe, Israel, Iran or North Korea allow their citizens data to be mined and shared overseas?

TPP – The Right to Data-Mine
Does the USA allow sharing with anyone besides the Five Eye Countries? Absolutely as long as its its in the Terms of Service. Foolish members of Congress assume they are only hacked at work. By sampling the video signal these data-miners can easily perform OCR on your unencrypted email as you read it.

Further the Trans-Pacific Partnership allows foreign corporations to sue the USA taxpayer for damages if USA courts or politicians interfere with their paid-for eavesdropping rights.

Should we wait for another long-after-the-fact FBI report with the FBI director again finding “extreme carelessness” but that no laws were broken?

Edward Snowden claimed the USA was weak in defensive cyber security. Does this rather prove his assertion true?

SoWhatDidYouExpectSeptember 9, 2016 6:51 PM

@Ismar:

What assurance do we have that your reference isn't actually an opt-in for global internet surveillance?

Ergo SumSeptember 9, 2016 7:04 PM

@2+2: High Value USA Persons of Interest..

Vizio’s Smart TVs track your viewing habits and share it with advertisers, who can then find you on your phone and other devices. The tracking — which Vizio calls “Smart Interactivity” — is turned on by default for the more than 10 million Smart TVs that the company has sold.

It's been going on for awhile by now and not just Vizio, others like Samsung, LG, Sony, etc., doing the same. Disabling this "feature" doesn't really help, it'll still send out telemetry data. The TV won't send out anything, if it's not connected to the LAN/WiFi...

They further agreed to be monitored and have data shipped overseas.

Well, most if not all devices are made outside of the US. Of course they need to send the data to foreign countries...

Mick E. SpillaneSeptember 9, 2016 7:35 PM

Their ability to send your data to anyone is absolutely dependent upon your willingness to send them your money. Vote with your wallet, problem solved.

RémiSeptember 9, 2016 7:46 PM

PLEASE make sense of this :

IXsystems' TrueOS (formerly PC-BSD) and FreeNAS not offering secure downloads? Bugs were filed years ago, posts on the issue get deleted from the community forums, and Moore and Jude, hosts of BSDNow and TechSnap, say i'm raging and trolling, respectively. I realize that they are financed by IX, but it's an urgent issue since IX sponsors the (smallish) FreeBSD community(Foundation based in US) and all the big BSD events. I have more and it's archived, but SERIOUSLY??

https://static.spiceworks.com/shared/post/0006/6611/ixhistory_twitter.png

r / agent rngSeptember 9, 2016 8:08 PM

https://hardware.slashdot.org/story/16/09/09/2042212/smartphones-can-steal-3d-printing-plans-by-listening-to-the-printer

94% accuracy with simple jobs 8 inches away using custom software utilizing a hybrid (dual) side channel and 90% on complex objects.

Haven't read the paper, I'm not concerned with the accuracy so much as what this means about the ability to guess what you're printing/milling.

90% is likely more than well enough to ascertain within 100% actionable intelligence that your printing something you **cough** "shouldn't be."

In sum? Don't take your little brother anywhere that mom wouldn't approve. He can and will tell big bro or run his mouth to ma bell.

Donald Not TrumpSeptember 9, 2016 9:15 PM

@ ergo sum,
"The TV won't send out anything, if it's not connected to the LAN/WiFi..."

Presently pretty much every 4K viewer needs data connection and likely so in the future. This is in part due to the awesome HDCP put on new formats and the fact that content distribution had broken away from its traditional channels. You see the synergy there, either take it from your Win 10 box or the smart tv. That's why technology, security, politics, economics, and foreign policy are more connected and on topic than we think.

@ r

interesting read.

Alien JerkySeptember 9, 2016 11:31 PM

I still like DVD's. no streaming issues. usually some previews. and usually other extras like interviews and behind the scenes stuff. All on a little plastic disc without the security or bandwidth issues.

Joe KSeptember 10, 2016 1:41 AM

@ Rémi

  1. What does it mean for a download to be secure?
  2. I assume the content you're trying to convey by linking to that png is textual content. But since I cannot view images, I can only make assumptions. Totally boring. If you believe it important for others to read that content, why not post it as text?
  3. For me, the pcbsd.org site is mostly non-functional. Oh well.
  4. I also looked at trueos.org and freenas.org, where I found some isos along with putative sha256sums. No signatures on the checksum files.
  5. Looking for bug reports that might relate to your concern, I found this:

  6. In my amateur opinion, offering signed checksum files would be a feasible improvement. Did you file a bug report or something? Can you link to it?
  7. Calm down a little. Life is too short.

SergiSeptember 10, 2016 5:23 AM

Windows credentials can be stolen via custom PnP Ethernet device. Windows automatically installs and whitelists ethernet devices allowing this vulnerability to exploit a locked user session and steal the users credentials. It also looks like some versions of Apple's OS may also be affected.

IanashA_TitocIh_001September 10, 2016 12:26 PM

To: @Clive, @Skeptical, @Gerard, @Dirk, @Wael, @FigureitOut, @Thoth, and others
From: IanashA_TitocIh_001 (I am not a self hating American*; This is the only country I have.)_001 (*Apologies to Canada, and Central and South America, if warranted.)

Since this post is somewhat off topic, it is also being posted in the current Squid:
https://www.schneier.com/blog/archives/2016/09/friday_squid_bl_543.html

Question 1) Who does the US MIICLE (Military-Industrial-Intelligence-Congressional-Law Enforcement) complex want for president in the US? What might the competing interests be?


Assumptions:

1) Given the 60 Minutes piece on SS-7 I assume almost all, if not all, politicians in this country can be blackmailed.

2) Regarding the Crimea and Ukraine, we know from the Cuba Missle Crisis how the US might react to adversarial missle related hardware being placed in, or near, Mexico or Canada, for example.

3) Given a "Collect it All, ..."* mentality US citizens are subject to as much collection as people anywhere else on earth. In the US, "Collect it All" results might be parallel construction, blackmail, law enforcement interactions (FBI, DHS, DEA, State, Local, etc.) car crashes, and the like, versus drone strikes, rendition, or overt torture in other parts of the world.
* Of course, perhaps 5 Eyes, (plus Israel and others?) are still required to collect information on US citizens and then share it with the US, state, or local governments to keep things legal.

4) iirc the US has around 1 millon people with Top Secret clearances and around 5 million people with Secret clearances (Dana Priest, Washington Post Series). With other jobs to protect and funding sources to protect that is a huge amount of monetary inertia to keep the status quo in the US.


Misc.: I think Thomas Friedman, of the NYTimes, implied awhile back, that a terrorist incident in the US around election-time could throw the US election to Trump. How about a US "wag the dog" war or war escalation to help throw an election? Social media to throw an election? What factions might be for or against Trump and what might they be doing about the life and death games people play?

I imagine the games being played by various actors behind the scenes, in this life and death game, could result in an interesting novel, leak, or non-fiction book.

Question 2) How do the US MIICLE (Military-Industrial-Intelligence-Congressional-Law Enforcement) complex factions work with and against other factions in MIICLE complex to meet their respective desired ends?


Misc. Optional Reading:

http://www.nybooks.com/articles/2016/05/26/general-haydens-offensive/
(from the NY Review of Books; at least General Hayden might have helped to prevent war with Iran)

http://foreignpolicy.com/2016/09/07/every-move-you-make-obama-nsa-security-surveillance-spying-intelligence-snowden/ (from Bamford, James, the author of the "Puzzle Palace")

FigureitoutSeptember 10, 2016 1:11 PM

IanashA_TitocIh_001
--Don't know and don't care and don't have time to care. It's a toxic subject. I may dust off my voter registration and vote for trump just b/c our system is a joke w/ same old crusty people w/ no solutions and not getting people involved in their "democracy". I really only care about clean homebrewed (or within grasp of hobbyist) computer security solutions (MCU-based) for now. Dataloggers, encryptors, filters/data diodes/, communications, and storage.

IanashA_TitocIh_001September 10, 2016 2:56 PM

@Figureitout,

Interesting response.

Btw, awhile back you posted something about a device with LED output sniffing a network (no storage; iirc).

Please repost the link with any advice for DIYs to build your kit. Please don't assume much expertise on the DIYer's part; at least high level input would be appreciated, if detailed instructions would be too time consuming.

Currently I have been using Apple Airport routers mainly (ease of use, hardware quality, updates available, Apple's Stated Corporate Policies, and so on).

However I am interested your LED readout device to visualize sniffing at various points.


@Figureitout, @Dirk, @Thoth, @Clive and others

In an Apple Airport Routers hardware environment do I need to trash the Airport Routers, or could I add other routers, to add DNSCrypt functionality to the Airport networks. I assume adding DNSCrypt at the router level is a good thing.

Possibe Network Config.:

Internet --> Airport1 --> Less Private Zone --> Airport2 --> More Private Zone

Airport1: openwireless.org (open WIFI)

Less Private Zone: possible VOIP (Oomaa or Vonage, possibly)
Less Private Zone: share OTA TV signals using Silicon Dust HD Homerun Dual ATSC Tuner to watch OTA TV or Elgato EyeTV for OTA TV with Ipads

More Private Zone: Read/Write PC access

Finally, pros and cons of getting ota TV signals from Verizon Fios or Comcast versus using an antennae. I get pretty good reception with electric "rabbit ears" inside, but am looking to upgrade to an indoor Yagi or whatever for better TV reception. Indoor and outdoor ota TV antennae recommendations would be appreciated.

Any other input would be appreciated, too

Another Satisfried CustomerSeptember 10, 2016 4:48 PM

Dear More-Spy-ZillaCorp Firefox Users:

Finding most of the crap you need to kill
in about:config is actually pretty simple:

If it has "toolbar" in the preference name, it's spycrap.
If it has "report" in the preference name, it's spycrap.
If it has "assistant" in the preference name, it's spycrap.
If it has "telemetry" in the preference name, it's spycrap.
If it has "websocket" in the preference name, it's spycrap.
If it has "pocket" in the preference name, it's spycrap.
If it has "autoplay" in the preference name, it's spycrap.

If it has "gmp" or "eme" in the preference name, it's
Digital Ratfuck Malware.

If it has a URL, reset it to "127.0.0.1" or "".
If it's enabled, disable it.
Kill it with fire.

Also, if you do not wish to be uniquely fingerprinted, do not use the following about:config setting: general.useragent.override = "WhyIsBobSmiling/12.0 (NoLube4U; hxxp://staythere.adroneisontheway.mil/;)"

YawnSeptember 10, 2016 5:05 PM

@NombreNoImportante, nobody cares anymore. Appelbaum is gone from Tor. The new guard's even harder to control. And Appelbaum will be back at something even more subversive because we can't spare this man, he fights. US COINTELPRO dirty tricks have backfired. Our insider threats are safer and more numerous than ever.

Peter PSeptember 10, 2016 6:37 PM

@Rémi

So yeah.. FreeBSD sucks. Why? They've been vulnerable to exploitation for years via the upgrade tools. (portsnap/freebsd-update). The design of them is absolutely terrible.

Worse yet, the developers were warned years ago and it fell upon deaf ears. It appears that one of the holes have been plugged but the others remain.

After some of our servers got compromised after a recent upgrade, our organization is in the process of switching everything to OpenBSD.

Here are some links for further reading:

"NON-CRYPTANALYTIC ATTACKS AGAINST FREEBSD UPDATE COMPONENTS"

hXXps://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f

"freebsd-update and portsnap users still at risk of compromise" (The Drama of it all)

hXXps://lists.freebsd.org/pipermail/freebsd-security/2016-July/009016.html

"FreeBSD - a lesson in poor defaults"

hXXps://vez.mrsk.me/freebsd-defaults.txt

ThelemaSeptember 10, 2016 7:34 PM

@2+2...

Should we wait for another long-after-the-fact FBI report with the FBI director again finding “extreme carelessness” but that no laws were broken?

Laws are for the little people: "Do what thou wilt shall be the whole of the law."

-------------

@So what Did You Expect

"What assurance do we have that your reference isn't actually an opt-in for global internet surveillance?"

You're chasing rabbits down holes with that question. Your time is better spent finding and disseminating methods to secure your data.

-------------

@r / agent rng

Clever application of smartphone microphone surveillance. Nice find, thank you.

-------------

@Figureitout

IanashA_TitocIh_001
--Don't know and don't care and don't have time to care. It's a toxic subject...

This response is not as cynical as one might first think. Well said. You are on the proper track to maintaining your human right to secure and private transactions of all sorts.

-------------

Stick a fork in it, we're done-- culled from thousands of potential examples:

http://www.extremetech.com/extreme/146909-darpa-shows-off-1-8-gigapixel-surveillance-drone-can-spot-a-terrorist-from-20000-feet

http://www.cbsnews.com/news/meet-the-humans-with-microchips-implanted-in-them/

“Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing.” --- Hellen Keller

ab praeceptisSeptember 10, 2016 8:18 PM

Peter P

Oh, great, yet another BS orgie. "xBSD/*ux/*ix sucks/is insecure/is evil", optionally complemented by "while yBSD/*ux/*ix is great/secure/wonderful" might help ones emotional state but it does little in terms of security.

The, oh so expert "to do list" you link to is similar to what thousands of admins apply to any fresh installation without starting a religious war. Actually, there are points missing one might (or not) consider important.

The basic point is that different OSs have different histories and address different clienteles. FreeBSDs raison d'etre isn't about security as we understand it here and its install base is massively larger and more diverse than OpenBSDs, both of which are ridiculously small compared to linux which again is ridiculously small compared to evilcorps windows.

OpenBSD managed to attract some of the best coders out there and it's largely a more or less benevolent dictatorship which, of course, gives it *major* advantages over democraticy tainted systems. Moreover its very raison d'etre is security. But is OpenBSD actually secure? Depends on how you define security and on whom ones asks. More importantly though, OpenBSD is *not* a secure OS, no matter how much noise they make - and it need not be; it was all about "BSD done differently and supposedly better", not about "let's create a secure OS".

I used OpenBSD for quite some years and stopped using it even on servers because its driver support was quite poor and late (then) while FreeBSD had much better support. Nowadays I'm thinking about returning to it. But I'm also quite happy with e.g. alpine linux for many jobs.

On one point, however, I agree wholeheartedly: FreeBSD should switch away from OpenSSL and soon.

IanashA_TitocIh_001September 10, 2016 8:30 PM

@Another Satisfried Customer and SoS fans

..."FireFox Users" ...

Using macOS and "little snitch" you find FireFox (FF) (default settings) chats a lot. Rather than mess with settings might "little snitch"'s default setup solve this problem: Refuse outgoing connections (ie. perhaps limit FF to 80 and 443 without additional permissions). In addition, use macOS's firewall hardened as much as possible from macOS's settings panel. Currrently I don't have FF on my Mac so I can't play with it; it would be presumptuous for me to test it.

For Windows users, if the above is viable logic perhaps someone could discuss doing this with: http://www.binisoft.org/wfc.php


A plug for "little snitch". Awhile back I was playing with a phishing email and link (not in a VM). Regardless all of a sudden "little snitch" informed me some non-recognized user was trying to open an outgoing FTP connection. Oops, time to re-install macOs.

I tend to use Safari on a Mac with no (or minimal) add-ons and with javascript turned off, no cookies, Private mode if available. In addition, I use VM guests in VirtualBox (no-additions) for javascript, Tor, etc., (lmde2, Knoppix, Tails, Linux Mint, Fedora, CentOs, and so on).

Of course there is FF in the TBB and Tails, with Tor and Noscript set to "Block All" most of the time. Btw does anyone know an easy way to use Tails' Tor Browser without Tor? I don't know an easy way to add add-ons to Tails' Unsafe Browser. In other words, often I just want a read only DVD that I am familiar with and "trust" and don't care about Tor.

Alternatively, I guess I could boot from the latest Knoppix live DVD or CD for FF and try to be "stateless" that way.

Does anybody know if it is worth installing the Brave Browser on Android, Windows, iOS or macOS? Some additional reading includes:

https://blog.filippo.io/securing-a-travel-iphone/ (Brave Browser referenced here)
https://boingboing.net/2016/04/08/publishers-call-braves-priva.html (Cory Doctorow and the Brave Browser)

Input is appreciated.

LowcostSeptember 10, 2016 11:39 PM

Has anyone ever heard about controlling, accessing, and interrogating a sleeping target, or similar techniques?

AnonSeptember 11, 2016 12:10 AM

>> Input is appreciated.

I hope you sanitize all input before use! :P

More seriously, what is your aim with Brave Browser?

------

I decided long ago no web browser can be trusted. They're designed to display content from untrusted remote sources, across insecure links, running extensions/plugins/other junk in a way that can compromise the whole computer in under a second.

The only way is a seperate computer for such activity. That is probably the most redundant comment on this blog.

AnonSeptember 11, 2016 12:12 AM

>> Has anyone ever heard about controlling, accessing, and interrogating a sleeping target, or similar techniques?

Human or computer?

Computer - yes. In fact, it had to be asleep to be attacked. It involved attacking the hibernation file, which is why WDE is highly recommended. The computer writes everything in memory to the file, making it a perfect target.

GrauhutSeptember 11, 2016 3:51 AM

@ab praeceptis: Openbsd "driver support was quite poor"

Its funny, today Openbsd is one of the few systems i can directly install into the internal emmc flash of one of my uefi only bonsai systems, a 100 bucks z83 cherry trail "displayless atom tablet". Besides Openbsd only Ubuntu 16.04 installs there. Freebsd doesnt see the emmc and installed to a stick it dyes on boot trying to harvest randomity.

ab praeceptisSeptember 11, 2016 4:10 AM

Grauhut

Good to hear that. But then driver support was really lousy (e.g. hardly any SCSI Raid controllers, way to few net controllers). Nowadays, so I hear, there are other ugly issues like pf using only one core. But, oh well, every OS has its weak points.

As I'm really considering to go back to OpenBSD I'd appreciate if some professional OpenBSD users could provide some helpful hints to me as to what might be weak spots and also where they see OpenBSD's greatest strengths (besides code quality and the usual things everyone knows anyway). How is, for instance, the package/ports situation? Is there "religious" bias (there has been formertimes), are they clang or gcc based, is the selection of lang ports comparable to FreeBSD, etc.?

How about virtualization? Xen? VirtualBox? As guest only or host too?

Thanks

Who?September 11, 2016 5:56 AM

@ab praeceptis

pf issue is currently being addressed. In fact, the project has a developer (Alexandr Nedvedicky) working on the pf feature you are asking about.

The OpenBSD native hypervisor (vmm) is improving. I expect it being ready for wide testing very soon. You have other choices, like qemu, too; OpenBSD works as guest on lots of virtualization environments, including Xen and VirtualBox, if you want it.

OpenBSD has started its migration from the aged gcc in the base system to clang plus LLVM core. A good improvement that will possibly allow the project to use accelerated NVIDIA hardware soon.

There is a new tool in development (syspatch) that will allow binary patching--I understand the binary patching process in OpenBSD will be as secure as other parts of the operating system.

OpenBSD is the only operating system I use for my serious work, obviously there are some small devices here like printers and storage devices that run their own operating systems. I do not want, however, recommend it. Just try it again. If you like OpenBSD then it fine, if not it is fine too.

About hardware support... I do not buy hardware to see if OpenBSD works on it. I buy hardware where I know OpenBSD works. I choose the hardware thinking on the operating system it will run and the task it will fulfill. I see nothing wrong in buying the best supported hardware. So, lack of drivers is not an issue to me. I just adquire the right hardware.

I think OpenBSD is the most secure general purpose operating system available. It does not mean you cannot improve its security choosing the right hardware (non-Intel computers at least for Internet facing devices, smart cards to store digital certificates, firewalling everything, running an airgapped network for a truly secure computing infrastructure, ...) and software (good security practices, FDE for laptops and desktops, running as few services as possible--it means not installing too many services in OpenBSD, that comes reasonably closed by default-- and so on).

Of course there are more secure operating systems, but not more secure general purpose ones.

Dirk PraetSeptember 11, 2016 6:15 AM

@ IanashA_TitocIh_001

In an Apple Airport Routers hardware environment do I need to trash the Airport Routers, or could I add other routers, to add DNSCrypt functionality to the Airport networks. I assume adding DNSCrypt at the router level is a good thing.

In essence you have two choices to implement DNSCrypt: you either install the client on every machine/VM in your network, or you go with a router (firmware) hat supports it, like Tomato Shibby or OpenWRT. See here.

Of course there is FF in the TBB and Tails, with Tor and Noscript set to "Block All" most of the time.

Careful with that. The default TBB settings are actually very permissive (LOW), and you really should set them to a more restrictive level (at least Medium-Low) using the Privacy and Security Settings slider.

Does anybody know if it is worth installing the Brave Browser on Android, Windows, iOS or macOS?

I've never tried it. You are hereby assigned to take it for a spin and write a full report for this esteemed forum's audience 8-)

@ ab praeceptis

On one point, however, I agree wholeheartedly: FreeBSD should switch away from OpenSSL and soon.

They have. Everything is now by default compiled against LibreSSL, with a few notable exceptions that don't support LibreSSL yet. I think curl was one of them.

I used OpenBSD for quite some years and stopped using it even on servers because its driver support was quite poor and late (then) while FreeBSD had much better support.

I believe that's pretty much everyone's experience with OpenBSD, especially when using it as a desktop. People generally tend to be surprised if somehow miraculously something actually does work. I refer to @Grauhut's comment.

@ Peter P

So yeah.. FreeBSD sucks. Why? They've been vulnerable to exploitation for years via the upgrade tools. (portsnap/freebsd-update). The design of them is absolutely terrible.

And it is beyond me why this still hasn't been fixed. That said, OpenBSD isn't a "secure" operating system either. It just s*cks less, well, at least from a security vantage that is. As @Clive, @Nick P and others have repeated ad nauseam on this forum, there is no such thing as a "secure" COTS OS, even without considering the hardware attack surface. What you choose is a function of your personal threat model. If you're up against actors willing and able to subvert the FreeBSD update/upgrade process just to get at you, then it is probably time to start thinking about HA systems.

@ Who?

I buy hardware where I know OpenBSD works ... I think OpenBSD is the most secure general purpose operating system available.

The only correct approach. Add Solaris to that list (beit not as a desktop).

@ Another Satisfried Customer

Dear More-Spy-ZillaCorp Firefox Users: Finding most of the crap you need to kill in about:config is actually pretty simple ...

There's plenty of Firefox hardening guides out there, and which most security/privacy-minded folks are aware of. Those paranoid about Mozilla can of course also go with Safari, Internet Explorer, Edge or Chrome, brought to you by the companies that wouldn't even dream about spying on you or actively collaborating with the man.

CuriousSeptember 11, 2016 7:06 AM

Off topic: Heh, it looks like Slashdot chose to redact a comment I made in their recent article about US government hacking.

CuriousSeptember 11, 2016 8:39 AM

To add to what I wrote: Hm, in retrospect, I wish I had the habit of making a screenshot or kept a copy of every comment I make here and there, because sometimes I start wondering if my comment was deleted among a myriad of other comments in a hard-to-read format, or if I am looking for my comment on the wrong webpage, or perhaps I am thinking of a comment I only partially wrote, but declined to post.

FigureitoutSeptember 11, 2016 9:04 AM

IanashA_TitocIh_001
--I'm disillusioned from seeing how "the system" works so if you have political questions, especially involving MIC, just leave me out please.

My packet sniffer, used a small TFT LCD screen, I've seen some female-female db9 serial connectors that have LED's on the lines so you see what lines are active I assume. Beaglebone black, the main mini-USB line has its 4 USB lines laid out w/ LED's lighting up when used, I'd be curious to see how that's laid out. Another logger we used at my work one time (I didn't make it), was a few transistors/resistors, connect that to a TTL-RS232 converter, then connect RS232-USB converter to a laptop, connect to terminal program.

Anyway here's my kit (take results w/ grain of salt): https://integratedmosfet.blogspot.com/2016/06/make-portable-packet-sniffing-linux-box.html I don't like having to use a big OS (but I'm using jessie lite so no gui) to do packet sniffing, I want that smaller. But at same time you can be up and running very quickly, can update easily. I'm connecting to the router wirelessly b/c I can't hog the router to myself, which is not typical for packet sniffers (connect physically if you can), this could actually be an attacking device if you get someone's wifi router credentials. Some packets still get dropped by the kernel and "the interface" which I'm assuming the wireless in my case. I want 0 packets dropped b/c you can't differentiate b/w attack hiding those packets or benign error...not sure how to get that. I'm not saving results now, just looking at it. If you have a ton of things connected to your network, you'll have a hard time reading what's going on occasionally. Next thing I want to do is connect a throwing star lan tap ( https://greatscottgadgets.com/throwingstar/ ) to router, and have sniffer on receive-only end. Next summer I'll do that, may harden the sniffer or have an updated command I use. It's still vulnerable to fire-n-forget malware to tamper the logs or tamper/disable the logger itself.

So for your purposes you would want a few of those throwing stars, and you could one-way monitor traffic b/w routers, making sure it all lines up. Raspi is cheaper than having a bunch of laptops too if you want loggers (and w/ raspi you can hook up a huge HDD or large USB stick for storing logs).

Thelema
This response is not as cynical as one might first think
--Thanks. I believe in local politics only, where small amount of people involved. The system as is (made in 1700s) was never meant to have 330 million people represented, it doesn't work. We need secure online voting, and voting for issues. Don't think we really need old career politicians anymore too, nor their brown-nosing staff. They can buy their metamucil and viagra on their dime.

As is you basically have to use a credit/debit card and prepare to get a new one every few months b/c its security is so terrible and business owners leave credit card readers out with ports exposed to the public. At doctors, pharmacy, every food place, etc...every time I enter my pin I wonder if it's keylogged.

CallMeLateForSupperSeptember 11, 2016 9:59 AM

@IanashA_TitocIh_001

"In other words, often I just want a read only DVD that I am familiar with and "trust" and don't care about Tor."

I use Tails. When speed is unimportant, I use it "as it comes", i.e. Tor + Safe Browser, to add traffic to the Tor infrastructure. Most of the time though, I shut down Tor and fire up Unsafe Browser.

But I always boot Tails from DVD, never from USB or HD, and that only after physically removing my system's one HD. The latter step is easy because every HD I use is installed in a removable "tray". Just slide out the tray, put Tails into DVD drive, and power up.

Yes, I know, Tails supposedly does not write anything without explicit user permission, but my removing the HD is a hold-over from the days when I occasionally booted Windoze and wanted to absolutely, positively prevent that beast's being aware of - and touching - my Linux HD.

GrauhutSeptember 11, 2016 10:23 AM

@Figureitout: "Some packets still get dropped by the kernel and "the interface" which I'm assuming the wireless in my case. I want 0 packets dropped b/c you can't differentiate b/w attack hiding those packets or benign error...not sure how to get that"

WPA rekeying... Have a look in your syslog when it happens and if you see a hole at the same times in your dump.

wpa_supplicant[1234]: wlan321: WPA: Group rekeying completed

Who?September 11, 2016 12:14 PM

@ Dirk Praet
The only correct approach. Add Solaris to that list (beit not as a desktop).

I bought a Solaris 2.5.1 x86 license in the nineties, not very expensive at the time at only one hundred dollars, and a Pentium computer that was on its compatibility list. It was an excellent desktop operating system. CDE was a lightweight and stable desktop environment. Perfect for browsing, access to other computers, LaTeX and email. Over the years it had become worse, even if adding Trusted Solaris features to the standard edition later was another notable improvement. I hold it in remembrance as a very good choice at the time.

I had been running Solaris on servers too―what a nice operating system it was!

Windows Spyware Hidden Files September 11, 2016 1:37 PM

On my Windows PC following are hidden files invisible to Windows File Manager. They have no no attributes like size and dates. The filename itself appears to contain a key. I set Ccleaner repeatedly delete them countless times. These ghost files recreated whenever an Internet Browser is opened.

C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd47f39cbd962.automaticDestinations-ms

C:\Users\username\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\969452ce81349fdd.customDestinations-ms note: jump lists disabled

I called a friend (on an unsecured VOIP line) who has Windows 10 installed and checked to see if similar files existed on his system before I would publicize them. The hidden files can be listed in a DOS box using the DIR command. No such files existed on his system.

As we were speaking a bit later I open the Firefox and (like magic) the files were NOT being created. I’ve been fighting a war hourly for months but it all ended DURING this phone call!
Whoever ‘they’ are knew their cover was blown why I said so verbally. Such immense power over anyone they choose. In analysis, I suspect a trust has been violated. Its probably my VPN.

I use a powerful database tool to see what C drive files have recently changed:
http://www.voidtools.com/support/everything/multiple_instances/

ab praeceptisSeptember 11, 2016 2:55 PM

Dirk Praet, Who?, Grauhut

First, thanks for the useful and religion-free comments.

"Hardware" - of course, you are right. Unfortunately though not every client is willing to throw out millions in hardware *g*. Heck, I myself am not even willing to throw out thousands. Seriously though, I do not demand that OpenBSD supports everthang¹ under they sky; I'm content if its driver support isn't poor as it formertimes was, and it seems to have gotten considerably better.

"Virt." - That one might be more important. So, first: The BSDs do it once again, they once again waste their oh so plentiful resources on creating multiple VM solutions; each one his own? Shame!

Can anyone tell me the concrete situation of today with a view on practical usability as host? What is available - now, and working - to virtualize, say linux?

Thanks to all who helpfully responded

(Note 1: "everthang" learned from g dubbya bush ("lidderasy ain't everthang"))

WaelSeptember 11, 2016 3:17 PM

@Figureitout,

I may dust off my voter registration and vote for trump just b/c our system is a joke w/ same old crusty people w/ no solutions and not getting people involved in their "democracy".

You're right! Democracy is great in theory but in the real world... it's so damn boring. https://youtu.be/4ZkaWQYkHKM

DanielSeptember 11, 2016 3:25 PM

It appears much more like that American courts will rule that Americans must decrypt their hard drives upon demand by police.

https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/09/09/thoughts-on-the-third-circuits-decryption-and-self-incrimination-oral-argument/?utm_term=.ec4be28b3cd1

Let's assume this apoplectic scenario happens. What other alternatives do people have to secure their data without encryption? In other words, imagine a world where encryption doesn't exist...what do?

GrauhutSeptember 11, 2016 4:02 PM

@ab praeceptis: "Unfortunately though not every client is willing to throw out millions in hardware *g*"

If you have coin class clients, actually the best price / performance / compatibility value is imho a used or refurbished HP DL360/380p gen8 with some cheap e5-2670 performance cpus. ;)

ebay.com/sch/CPUs-Processors/164/i.html?_from=R40&_nkw=e5-2670
ebay.com/sch/Servers/11211/i.html?_from=R40&_sop=15&_nkw=dl360p+gen8
ebay.com/sch/Servers/11211/i.html?_from=R40&_sop=15&_nkw=dl380p+gen8

Should boot and run any amd64 os you can download (never tried hackintosh on it, but who knows...:)

JasonSeptember 11, 2016 5:39 PM

@anony

An extremely stupid decision by Seagate to have a "public" folder that cannot be disabled when the NAS has internet access enabled? Absolutely! But the real security failure was once again Windows. Another example of the inability of Microsoft to produce an operating system capable of protecting itself against even the most trivial attacks.

DanielSeptember 11, 2016 8:19 PM

@Thelema

That link is from four years ago and the 11th Circuit ruling referenced in that link will shortly no longer be considered good law. While the EFF may "disagree" all it wants the writing is on the wall and people will be required to decryot on demand regardless of legal niceties such as "testimonial". Silence and password manager aren't going to help one in the slightest. The guy in the present case is in jail for a year: he told the judge he couldn't remember the password and the judge said "liar" and locked him away.

Nick PSeptember 11, 2016 8:38 PM

@ Wael

That video was so hilarious and great! Vote for Trump because he will deliver the Muslim dictatorship you're already used to. The North Korea tie-in was icing on the cake.

@ All

I'm sure you've all seen trends in IT talking "Big Data," "Scalability," etc basically telling all analysts to switch to Hadoop, Spark, and so on. If they work for Facebook and Twitter, then they should handle our pitiful needs. Plus, they're *designed for scale.* Then, you get reports like this where command line tools on one box outperform Hadoop cluster by 235x. Makes you wonder how inefficient these tools might be.

Well, I found a great paper that introduces and validates a new metric that should be considered every time a Big Data product gets mentioned:

Scalability! But at what COST

Abstract: "We offer a new metric for big data platforms, COST, or the Configuration that Outperforms a Single Thread. The COST of a given platform for a given problem is the hardware configuration required before the platform outperforms a competent single-threaded implementation.COST weighs a system's scalability against the overheads introduced by the system, and indicates the actual performance gains of the system, without rewarding systems that bring substantial but parallelizable overheads."

"We survey measurements of data-parallel systems recently reported in SOSP and OSDI, and find that many systems have either a surprisingly large COST, often hundreds of cores, or simply underperform one thread for all their reported configurations."

The device they're measuring 100+ core, SPARK clusters against running this single-threaded implementation? A "high-end laptop from 2014." Talk about epically calling out the field's bullshit. :)

My InfoSeptember 11, 2016 11:21 PM

What does WHAT have to do with human skin?

Nigh unto making lampshades, if you ask me, and I don't like all this "research" that's coming out. No sirree, sir, not a bit. It's no more enlightening than a tattoo parlor.

It's the same as I say about our entire educational, research, and medical system here in America. It's really, really going to hurt, and I don't have anything to give you to take the pain away or make it feel any better, but it can and it will be fixed.

Just a ThoughtSeptember 12, 2016 12:45 AM

Maybe consider that fellow humans are also people?

Why should we just get along as if we're datapoints?

FigureitoutSeptember 12, 2016 12:56 AM

Grauhut
--Good call, yeah. Maybe another simple test to confirm would be changing the rekeying interval on the router b/w hi/low values and noting the dropped packets? What about dropped in kernel?

Clive RobinsonSeptember 13, 2016 9:08 AM

@ SlimeMould...,

NOT SUITABLE FOR WORK

I saw the very same story (different writer/outlet) a while ago and it reminded me of the incestuous nature of IBM and patents.

There is a story of IBM sending a patent "rent seeking", notification to Sun quoting several patent numbers. Sun's engineers looked at the patents and said "no way" and arranged a meeting with some IBM Execs to show why their claims were not valid. Apparently the five IBM execs just sat there and said nothing untill the engineers had finished and then basicaly said "Irrelevant, we've got thousands of patents you will infringe one of them, then we will ask for a hundred times what we are asking now, write out a cheque and save yourself the pain". It was the lead in to what we now call "The Patent Troll Culture".

What many do not realise is just what a breadth as well as depth of patents IBM has. One that ammused many was for a generalised form of a mechanical device for all forms of "self stimulation".

Thus whilst some worry about WiFi security on their S-Toy, the designers should be aware that IBM may well come calling patent in hand for a slice of the action...

IanashA_TitocIhSeptember 13, 2016 9:22 AM

@Dirk Praet

"Careful with that. The default TBB settings are actually very permissive (LOW), and you really should set them to a more restrictive level (at least Medium-Low) using the Privacy and Security Settings slider."

Regarding the Torproject TBB and Tails, thanks for that. I used to just play with the "S", red slash, to Block all scripts, or Allow all scripts on this Web Page (often to view Wael's youtube videos). You made me realize that I was toggling to and from, probably, a fairly permissive state.

Recently Tails froze, after being booted with defaults from a dvd, after: checking a "javascript" email provider, installing a printer driver (from Tail's settings), downloading a ".doc" file, opening it in Libre Office and then printing it. Perhaps the more permissive browser state was part of the problem.

In addition, sometimes Tails turns red (the whole screen more or less), with our without some functionality (sometimes frozen, sometimes slow, sometimes appearing to more or less work ok but with a light red screen), iirc.

Finally, around the time that the US congress rushed through a "hold harmless" vendor internet information sharing clause, as part of broader legislation rushed through congress at the end of 2015, Tor became more of a PITA (ie. lots of Cloudflare Gotchas (or Captchas)). I thought the two might be related unless there might have been a dramatic uptick in DDOS about then. By the way is there a difference between DOS attacks and DDOS attacks, or might I assume that they all use Botnets (even if a nation state is involved (for deniability))?

Any additional input from you or SoS fans will be appreciated.

CallMeLateForSupperSeptember 13, 2016 9:31 AM

Yet another eToy qualifies for my Caveat Emptor Seal of Disapproval:

"Construction worker sues Samsung after suffering burns from exploding phone. Man says he heard a "high-pitched whistling" before his Galaxy S7 Edge burned up."
http://arstechnica.com/tech-policy/2016/09/construction-worker-sues-samsung-after-suffering-burns-from-exploding-phone/

In case some readers spent the past week or so in hibernation, so don't know, a different SAMSUNG phone, the brand new Galaxy Note 7 has stopped shipping because of its battery's propensity to explode. Epic fail. "So sad."

(All that said, carrying a high power-density battery next to one's body is ... er... tempting fate.)

Jim NamespeakeSeptember 13, 2016 10:07 AM

@ Clive Robinson

"What many do not realise is just what a breadth as well as depth of patents IBM has. One that ammused many was for a generalised form of a mechanical device for all forms of "self stimulation"."

I'm almost sure there is a mountain of papers to push over there, not to mention the ones they inadvertantly left in broken copy machines sent for disposal. But that's pretty much the established way of the big blue and it will never go away.


"Thus whilst some worry about WiFi security on their S-Toy, the designers should be aware that IBM may well come calling patent in hand for a slice of the action..."

'fraid it isn't just IBM. It's Google, Intel, Facebook, etc. and the millionth patent-holding LLCs out there that nobody's ever heard of. WE live in a culture of bloat that stymie innovations, which is about to or has been already expanded thru amended trade agreements world wide. It's like tick-tock paradigm.

IanashA_TitocIhSeptember 13, 2016 10:29 AM

@Figureitout

"--I'm disillusioned from seeing how "the system" works so if you have political questions, especially involving MIC, just leave me out please."

I'll try to remember that.

"My packet sniffer ..."

Thanks for that information and links. For now, given my level of expertise, it might cause more problems then it solves (for example if somebody hacks it or I get bad (perhaps interdicted) hardware).

I realize things like data diodes and sniffers aren't trivial and I sincerely appreciate your detailed input.

Other:
for you and SoS fans in general:

To get more up to speed on this stuff: I downloaded a current copy of Kali Linux, plan to install it in VirtualBox (or run its live iso image there if possible) to play with other vms, or, alternatively, boot from a dvd to, hopefully on a read-only basis, sniff wifi networks (public and private) that I currently use (For example, use two laptops at Starbucks, McDonalds, or public, or university, libraries). Or should I install Kali on a usb thumb drive or hdd on one of my two laptops for public wifi sniffing.

Recently I picked up a copy of "The Basics of Hacking and Penetration Testing", author Engebretson, Syngress press.

US liability issues or potential pitfalls, problems, or other interest me.

Any input from SoS fans will be appreciated

Jim NamespeakeSeptember 13, 2016 10:55 AM

@ Wael

"You're right! Democracy is great in theory but in the real world... it's so damn boring."

An honest, good life is usually a boring one, but that's what many of us want. At a glance, democracy and free-market are theories that thrive in an ideal world. So make your vote mean something come November and don't put that voter registration card to waste. :)

IanashA_TitocIhSeptember 13, 2016 11:33 AM

@CallMeLateForSupper

... "I shut down Tor and fire up Unsafe Browser" ...

Please elaborate. For example, might one have go mess around killing Processes in Tail's System Monitor? It would be helpful to me if you explained how you do this; but, perhaps, warn people that this shouldn't be done without forethought about, potentially dire, ramifications for individual users.

"Yes, I know, Tails supposedly does not write anything without explicit user permission"...

I usually boot Tails from DVD using Tail's defaults (no known Tail's persistence). Anyway that way I don't have to go scrounging around looking for lost or misplaced usb thumb drives, as much. In addition, I assume that all the hardware that I have that has interfaced the internet may be hacked (BadBios, hacks of hdd or ssd hardware, or so on).

What can one do about hacked hardware?

Initializing Drive Background info:

"Using hdparm(8) a master password is set on the HDD and if the disk appears frozen, the power connector is temporarily disconnected. An ATA SECURE ERASE (enhanced) is then executed. This ensures that there is no chance of any data remanence (particularly important if your new PC is ex-display and there have been myriad of people playing with it in the store).
Following the conclusion of the ATA SECURE ERASE command, smartctl(8) is used to run a long self-test and the outcome of this is noted."
https://mikethegoat.wordpress.com/2015/02/

A)Can anybody summarize how to do these two commands concisely from the command line using Knoppix (btw, I have been unable to find a way to do a "secure" Clonezilla download)

B)Can the same or similiar commands be used to initialize: usb sticks, hdd or ssd (internal and usb external) and so on. If so what are the commands for those. Of course, warnings would be appreciated, but no guarantees expected, of course.

C)What might the pros and cons of leaving out a password here be.

D) How might one easily remove the power connector from a time consuming to open Mac, or other, laptop?

For Apple Hardware:

1) Perhaps go to the genius bar, not let the PC out of your site, and ask them to reflash all firmware with some usb thingy from the backroom? Is there a way to "securely" download this stuff? If so, from where?

2) Go to Initializing Drive info above.

For Non-Apple Hardware:

1) Try to securely download relavant firmware.

2) Go to Initializing Drive info above.

Any input from SoS fans would be appreciated


WaelSeptember 13, 2016 12:21 PM

@Jim Namespeake,

...don't put that voter registration card to waste. :)

That's a tough proposition! Vote for one, and our security job prospects may increase dramatically. Vote for the other, and I may end up wearing a badge... Hmmm... I'm leaning towards TOFTT :)

I voted for Dubya... Not sure that was the wisest of choices. Besides, people who didn't vote for him... didn't count anyway. He was going to win either way. Ask Steve Bridges, Dave Chappelle, and George Carlin!

PetterSeptember 13, 2016 1:50 PM

Apparently deep learning can be used to identify faces even though they have been pixelated.

ABSTRACT We demonstrate that modern image recognition methods based on artificial neural networks can recover hidden in- formation from images protected by various forms of obfus- cation. The obfuscation techniques considered in this pa- per are mosaicing (also known as pixelation), blurring (as used by YouTube), and P3, a recently proposed system for privacy-preserving photo sharing that encrypts the signifi- cant JPEG coefficients to make images unrecognizable by humans. We empirically show how to train artificial neural networks to successfully identify faces and recognize objects and handwritten digits even if the images are protected us- ing any of the above obfuscation techniques.

https://arxiv.org/pdf/1609.00408v2.pdf

CallMeLateForSupperSeptember 13, 2016 2:24 PM

@IanashA_TitocIh

"Please elaborate."

Right-click on the Tor icon on menu bar. In the resulting drop-down window, click the bottom-most option.

"For example, might one have go mess around killing Processes in Tail's System Monitor?"

I don't mess with any such things. They're welcome to stay up; I don't really care what's up, as long as nothing gets in my way (e.g. slow system response).

Understand that my main reason for booting Tails is NOT to elude The Man but to 1) access certain sites that don't like my castrated Firefox browser and 2) (occasionally) to watch a short video clip that's embedded in e.g. a news story (because long ago I ripped out of my Linux system all ability to play video... because Flash landmines.)

"... perhaps, warn people that this shouldn't be done without forethought about, potentially dire, ramifications for individual users."

If "Shut down Tor" and "Use Unsafe Browser" aren't warning enough, I don't know what would be.

Clive RobinsonSeptember 13, 2016 4:07 PM

@ Wael,

He was going to win either way. Ask Steve Bridges, Dave Chappelle, and George Carlin!

What do they know ;-) Stalin had a view on such matters, which makes me think the man at Diebold did know who was going to win ahead of time...

WaelSeptember 13, 2016 7:58 PM

@Clive Robinson,

Stalin had a view on such matters

It is enough that the people know there was an election. The people who cast the votes decide nothing. The people who count the votes decide everything. -- Joe Shmoe Stalin

And my favorite one:

I trust no one, not even myself. -- Joseph Stalin

Makes you wonder if he was a fellow paranoid security Tovarish ...

FigureitoutSeptember 14, 2016 12:07 AM

IanashA_TitocIh
I'll try to remember that
--I don't want to feel rude if I don't reply (when I have nothing to say), is all.

it might cause more problems then it solves
--It shouldn't give you much trouble. It just can be improved in a lot of ways. If you can detect hacking, then nuke the SD card. There is likely some space on the broadcom chip for deeper malware. And I wouldn't worry about interdicted hardware too much, it can be tampered w/ quite a few places before it reaches you no matter what. Keep it off a network and you won most the battle.

If you want, you can run it on kali to try (it's in older version of it), do 'tcpdump -D', if it wants an IP address, then do 'tcpdump -i #', # being the number of how you're connected to router (eth0, wlan0, ...).

I'd do any public sniffing live on a pc solely devoted to that...defensive "hacking" is much more legally defensible (can't protect myself now?) so I'd do that instead.

Clive RobinsonSeptember 14, 2016 12:51 AM

@ Wael,

I trust no one, not even myself. -- Joseph Stalin

That has always amused me because it implies a "circular firing squad" top level to the hierarchy...

WaelSeptember 14, 2016 1:23 AM

@Clive Robinson,

That has always amused me because it implies a "circular firing squad"

We had a similar discutuon on squid date: 198C8! Had to do with "all rules have an exception" :)

If squids signify weeks, what would represent days, hours and minutes?

Clive RobinsonSeptember 14, 2016 1:48 AM

@ Wael,

We had a similar discutuon on squid date: 198C8! Had to do with "all rules have an exception" :)

Yes, if I remember correctly it was my tongue in cheak comment of,

    "All rules should have an exception."

B-)

P.S. I'm guessing the "spelk chequer" is still in the dog house ;-)

WaelSeptember 14, 2016 1:59 AM

@Clive Robinson,

P.S. I'm guessing the "spelk chequer" is still in the dog house ;-)

I noticed :( It only shows up after submission. I could never understand why! I think someone subverted the spam filter here to make our comments look stooopid and discredit us.

Clive RobinsonSeptember 14, 2016 2:46 AM

@ Wael,

I could never understand why!

Has the "Pointy Haired Boss" given you a "brain dump"?

There was once a Dilbert cartoon, where an engineer was "re-purposed" for the marketing dept. The process involved sufficient whacks to the head to reduce his IQ by a hundred and twenty points...

But with regards the "It only shows up after submission", yes I've seen that before with an older Android Smart Phone with a keyboard not touch screen. It happened most when the end of line wrap around happened. I was never sure if it was the browser app or the keyboard driver. I assumed the keyboard driver because of it's other annoying habit of sometimes sending an endless stream of the same letter mid way through a post (which you and others noticed). It did this in other apps and the only way to stop it was to do a cold re-boot. I eventually traced the cause to the soft power button, if you held the phone in sensible way to "two thumb tango" or "hunt and peck" type, then you would apply some preasure to the power button. If you pushed it just hard enough to depress it slightly but not enough to properly activate it the endless key issue would happen.

My guess it was the power button "debounce" activity interfering with the "keyboard scan" activity and activating a bug. I could have got the test kit out and nailed it down, but it was an old phone and a simple "walk in the store to upgrade" became the more efficient solution to the problem.

CuriousSeptember 14, 2016 3:09 AM

Something seen on twitter:

A screenshot of a UK newspaper article with the title "GCHQ plans 'Great British Firewall' to block hackers".

https://twitter.com/mathver/status/775792424341897218
https://pbs.twimg.com/media/CsQphJPWAAAQNoK.jpg:large

"Plans for a national DNS filtering regime are nevertheless likely to raise concerns among civil liberties campaigners: the same technical principles lie behind China's "Great Firewall", which allow the government in effect to control what its citizens see online."

Whenever I read about such types of ideas, that seem grand, I can't help but wonder if it might be equally bad that such ideas are even explored by a government, because of how I imagine that they will be scheming to covertly implement such ideas on the whole, or in part (even if maybe it ended up being officially rejected at some point). For all I know (heh) such things might even already be implemented in some fashion.

Jim NSeptember 14, 2016 9:40 AM

@ Wael

"I voted for Dubya... Not sure that was the wisest of choices. Besides, people who didn't vote for him... didn't count anyway. He was going to win either way."

You certainly weren't the only one who voted for him, otherwise he wouldn't have been elected. The circumstances were vastly diffrent though. Bill hit the lows with scandals and dotcoms were setting up for a big bubble bust. I'm not trying to sway you from voting one way or the other. You alone is the master of your votes. Just being part of the democratic process and hope things will turn better is reason enough for me to vote.

IanashA_TitocIhSeptember 14, 2016 9:47 AM

@CallMeLateForSupper

"Right-click on the Tor icon on menu bar. In the resulting drop-down window, click the bottom-most option."

Right-Click on Mike Perry's TorButton in the Tor Browser yields "Check for Tor Browser Update", Tails 2.5, as the bottom-most option"

Right-Click on the green onion on the top right of the screen yields "Open Onion Circuits".

I tried turning off the proxy or something; FireFox Tor Browser "Preferences", "Advanced", "Network", "Connection Settings" (All 3 Choices above "Manual proxy configuration", after being chosen sequentially, wouldn't allow a web page to be loaded in the Tor Browser.)

@SoS fans

Btw does anyone know a good way to setup an anonymous xmpp account to run "using Tails w/o Tor" by Tail's Developers?
https://tails.boum.org/support/index.en.html

Alternatively, the question might be: given the risk is there a way to use a live Tails DVD for non-persistent internet web surfing, with no Tor network traffic (for speed or trying to stay under the radar with no Tor traffic being generated, during a browsing session)?

WaelSeptember 14, 2016 10:09 AM

@Jim N,

Just being part of the democratic process and hope things will turn better is reason enough for me to vote.

What would happen if no one voted... Who wins?

Jim NSeptember 14, 2016 10:25 AM

@ Wael

"What would happen if no one voted... Who wins?"

I don't know off the top of my head and am too lazy to google/duckduck it atm, but I would guess that in order to have a binding effect a popular vote needs a minimal turnout, not so sure about electoral votes, based on the reasoning that voting is not only about selecting a representative(s) but also giving our consent to bear responsibility for the decisions made by the elected.

r / agent rngSeptember 14, 2016 2:08 PM

@Clive,

RE: ME

That's all fine and well until someone discovers that one can remote update signed firmware back onto the system it was removed from through the Intel or Broadcom NICs huh?

In sum? Fine direction, likely useless really with some what do they call them... the dedicated secondary chip/core that runs the RIL in cellphones...

CallMeLateForSupperSeptember 14, 2016 2:23 PM

@IanashA_TitocIh

The "Tor icon" I was referring to is the onion. Top-RIGHT of screen, just to the LEFT of the virtual keyboard icon. Said onion is orange-ish color when Tor comes "ready", then green a bit later. The "bottom-most option" (resulting from right-click on the onion) is "Exit", as in exit Tor ( assume. '-)

My Tails is v1.6. for 32-bit i486. (Yup, one year old; so sue me.)

yoshiiSeptember 14, 2016 2:34 PM

Attention: Acknowledge.
Do not attack.

WARNING.
WARNING.
WARNING.

PLEASE DO NOT DISTURB SENTIENT LIVES.
PLEASE DO NOT DESTROY SENTIENT LIVES.
PLEASE DO NOT CAPTURE SENTIENT LIVES.

PLEASE DO NOT DOMESTICATE SENTIENT LIVES.
PLEASE DO NOT ENSLAVE SENTIENT LIVES.
PLEASE DO NOT HARVEST SENTIENT LIVES.

PLEASE ATTEMPT TO RECOGNIZE THE SENTIENCE OF LIFE WITHOUT INTERACTION.

PLEASE DO NOT ENGAGE IN VIVISECTION.
PLEASE DO NOT DESTROY SENTIENCE.

PLEASE STOP THE PERPETUATION OF BIOLOGICAL TYRANNY.
PLEASE DO NOT MONETIZE SENTIENT LIVES NOR THEIR TISSUES.

WARNING.
WARNING.
WARNING.
WARNING.

--Squid
--Octopi
--Cuttlefish
--Human
--Chimera
--None of the Above
--All of the Above

Attention: Acknowledge.
Do not attack.

WaelSeptember 14, 2016 3:31 PM

@Clive Robinson,

ME to be a major "not wanted" for reasons I certainly understand.

I don't care for deeply embedded FW that "manages" my device. As an owner I must be able to completely disable it. Been playing with UEFI and some boot loaders like clover for some personal AMD based systems projects :)

Coreboot? Looked at it a while back... Remember the BadBIOS discussion? I'm wondering if we can do something similar with an EFI partition, though.

Bong-Smoking Primitive Monkey-Brained SpookSeptember 14, 2016 5:54 PM

I'm going to sacrifice my sockpuppet on this one...

Yup, one year old; so sue me.

No ophphense meant, but the other day I was in Tokyo and felt like having Sushi for lunch. There was this Jewish sushi place. Really good food. If I remember correctly, the restaurant was called ______ :)

CuriousSeptember 15, 2016 11:05 AM

Off topic I guess: Re. FBI investigation into Hillary Clinton email case

Apparently, "House Oversight Committee" hearing had called four people recently, and three showed up to the hearing. Two of them working for a company and pleaded the 5th and so refused to answer, while the third having worked with the state department answered questions with his lawyer close to him.

http://abcnews.go.com/Politics/wireStory/republicans-call-tech-experts-testify-clintons-server-42049593

Seemingly related stuff found on youtube:
https://www.youtube.com/watch?v=aiYBrZhMdkM (State dept. questioned, w. some silly tune overlaid at the end)
(And below, probably from the same hearing)
https://www.youtube.com/watch?v=gp_vjcjorEw (FBI questioned, unsure when this happened)

I wonder if Hillary Clinton or her aides maybe pleaded the 5th with the FBI when questioned/interviewed.

CuriousSeptember 15, 2016 11:07 AM

To add to what I wrote:

Oops, I probably made a mistake in stating that one of the three showing up to that hearing was from the state department, in the abcnews article I linked, he is referred to as being a "former White House aide to president Bill Clinton".

WhiskersInMenloSeptember 15, 2016 1:32 PM

Apparently MIT can now read a book without cracking the books.
What does this imply for tamper proof communications?
Do the current laws for US mail apply, international?

http://www.pbs.org/newshour/rundown/mit-machine-read-books-without-opening/

It has marvelous value in reading flood or fire damaged documents that
are very difficult to recover.

Once demonstrated the time to a working device is quite short in this
modern world. The law needs some awareness and context to avoid abuse.
There are too many that see silence in the law as approval.

r / agent rngSeptember 15, 2016 5:41 PM

@Whiskers, All

I forgot, I was going to post that link but refrained then last night I started wondering if those Terahertz scanners couldn't be repurposed for what "Somebody" talks about with visually or stereoscopically validating a chip is layed out the way it's supposed to be or not. It may be good enough for at least PCB multilayer traces... I don't know what the uM measurements would be required of such waves at the IC (integrated chip) level though.

JG4September 16, 2016 11:01 AM


just another day on the blue marble of disinformation

http://www.nakedcapitalism.com/2016/09/links-91616.html
...
Big Brother is Watching You Watch

House Committee: Edward Snowden’s Leaks Did ‘Tremendous Damage’ NBC. In case you were laboring under the delusion that Obama might pardon him…..

http://www.nbcnews.com/news/us-news/house-committee-blasts-edward-snowden-n649146

If Snowden Doesn’t Know Privacy Protections of 702, That’s a Problem with NSA Training Marcy Wheeler. Get a load of this:

https://www.emptywheel.net/2016/09/15/if-snowden-doesnt-know-privacy-protections-of-702-thats-a-problem-with-nsa-training/

The House Intelligence Committee just released a report — ostensibly done to insist President Obama not pardon Snowden — that is instead surely designed as a rebuttal to the Snowden movie coming out in general release tomorrow. Why HPSCI sees it as their job to refute Hollywood I don’t know, especially since they didn’t make the same effort when Zero Dark Thirty came out, which suggests they are serving as handmaidens of the Intelligence Community, not an oversight committee…

It concerns me the “Intelligence Committee” can’t distinguish between details that help and hurt their case.

This Loophole Ends the Privacy of Social Security Numbers Bloomberg

https://www.bloomberg.com/view/articles/2016-09-15/this-loophole-ends-the-privacy-of-social-security-numbers

Clive RobinsonSeptember 16, 2016 11:40 AM

@ WhiskersInMenlo,

Apparently MIT can now read a book without cracking the books. What does this imply for tamper proof communications? Do the current laws for US mail apply, international?

Hmm two questions, but before I answer them there is a few things to clear up.

Firstly the expresion "without cracking the books" is not just ambiguous it actually lacks meaning, and who ever thought it up needs to stop what amounts to "spin" or "clickbate". What they are talking about is not opening the book, or if you prefer making the paper effectivly translucent whilst the ink effectivly reflective...

So the reality is what they are talking about is the bibliographic equivalent of an archeologist etc using "ground penetrating radar". however in addition they use a specialised algorithm to interpret the results. This is analogous to the algorithms used by geologists on seismograph output to locate hydrocarbon and other valuable resources.

So with regards "tamperproof communications" I'm guessing you mean envelops and the like. Well Unless you can find a mixture of absorbant / reflective / dispersive material, then unfortunatly yes they could read the contents of the envelop. But do not dispare... there are other ways. The system works because the materials that form the "ink" are sufficiently different that you can find a sufficient "contrast" to that of the materials that form the "paper". Without that contrast the system will not work.

So one way to reduce the issue might be to roll the "sensitive" papers up inside a much larger quantity of nonsensitive papers, posibly with sheets of carbon paper and aluminum foil interspersed. However whilst the article only talks about just a few papers thickness, there is no indication as to what extent that this could be improved... So a way to resolve this issue is to use a material for the ink that either has the same properties as the paper, OR uniformaly covers the paper such that there is no contrast at the EM frequencies used. I don't know, but I suspect fixed but undeveloped film might work well, especially if it's a roll of say 35mm film.

As for the mail issue, sorry but the law is quite fungible in the US as it is and IIRC does not offer any protection against scanning only opening. In theory this law applies for mail in international waters, but not at a customs point, where searching of mail by opening etc is alowed for the prevention of contraband. Whilst diplomatic mail was --supposadly-- sacrosanct if you remember back to pre-Iraq invasion the US Gov thought nothing of grabbing the Iraq diplomatic submission on supposed WMD to the UN, very much against multiple treaties the US had voluntarily entered into.

Back in the late 1940's the Russian's considered even accompanied diplomatic dispatch to be insecure. There solution was to use special photographic film that was not developed. Supposadly there were tamper/copy/substitution evident "tell-tales" in the film as well. All this was over and above the fact that it's been said that some of the material was not just enciphered but super enciphered with a One Time Pad as well...

WhiskersInMenloSeptember 19, 2016 12:26 AM

@Clive Robinson
To "Crack a book" is an idiom that asserts someone
has not opened his book to study. A new text book
will "crack" (binding glue cracks) as the spine is flexed.

MIT is a good school and I thought it interesting that now a student
could soon read a text and at the end of the class turn in a never used
book to the book store for resale.

I discovered this audible fact by accident when no used texts for one
of my classes was available. Then I discovered I was not the first...
OK the truth is my 1st grade teacher Mrs. Ward demonstrated the correct
way to open a book the first time to flex the spine evenly so it could
last many years. Then (pre Sputnik) a school book was expected to last
years.

I am curious if terahertz radiation has a differential response
for a secret milk or lemon juice secret message.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.