A 50-Foot Squid Has Not been Found in New Zealand

A 50-foot squid has not been found in New Zealand.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on December 2, 2016 at 6:18 PM • 124 Comments

Comments

Inmate #137468 • December 2, 2016 6:42 PM

"Starting Tomorrow, Feds Can Hack Millions of Devices with One Warrant"

http://forum.prisonplanet.com/index.php?topic=318171.0

"Senator Ron Wyden, a member of the Senate’s Intelligence Committee, is a sponsor of the Stopping Mass Hacking Act. In a last ditch effort, he called on Congress to take action in an attempt to block the rule change. Unfortunately, the motion was voted down on Wednesday morning.

“If Congress doesn’t stop these changes, a single judge will be able to grant a warrant to hack a million (or more) computers and other devices. By hacking the devices of victims of a botnet, the government will be treating victims the same way it treats attackers. We need to pass my Stopping Mass Hacking (SMH) Act right now.”

The "rule" went into effect yesterday, Dec. 1.

So tomorrow was yesterday.

I've seen weird "glitchy" stuff going on already.

Resistance is futile when the standard bearers of law can make rules exempting themselves from the rule of law and any serious scrutiny or accountability.

They do it because they can and there is no one who can stop them.


Karen Starrett • December 2, 2016 6:47 PM

I'm number one! Love me long time!

@ Thoth

Respect for your commitment and toil on your smart card project.
there has been a lot of discussion (thanks @ Clive @ others) on one time pads.
Thoth, what about the old school trade craft method of micro dots - can that have an obscurity value in your smart card project ?

@ All

RE: he with the unfortunate name who as a result was no doubt teased a lot at school: some important news

http://en.uncyclopedia.co/wiki/UnNews:Zuckerberg_to_cure_all_diseases_except_narcissism

Karen Starrett • December 2, 2016 6:52 PM

Damn you @ Inmate numbers. You beat me to pole position.

@ Clive

Thank you for all your important contributions.
Curiosity question/musing for you

Mr Assange was quoted in a book called Cypherpunks, about how the universe (or nature) favours crypto, because it is easy to encrypt and difficult to decrypt.
It is articulated far better than this simplistic explanation.

From that 'meta' level, it is intriguing to ponder that defending is a fundamentally weak position and to be the attack is always the weaker position
@ Clive does that prompt any commentary?

[ it reminds me of martial arts - the notion of 'self defense' is a fallacy. One only attacks, only an attack can physically exist. The dog is not defending itself against the man with the stick, the dog is biting the man. ]

Karen Starrett • December 2, 2016 6:56 PM

Apologies all and Mod, Please excuse my error above. I intended to say, as we know, in IT / InfoSec, defending is the default weak or vulnerable position, and to be the attacker is the position of strength in perpetuity.
To follow on from Mr Assange's statement about crypto: does the Universe / Nature favour the attacker as a rule?

Thoth • December 2, 2016 6:58 PM

@Karen Starrett

OTPs can be done in smart cards, but where are you going to find space to store the OTP keymats inside a smart card with, say, around 80 KB to 144 KB of EEPROM space? You would run out of keymats very quickly unless you intend to carry a lot of smart cards on you or have a refill mechanism of sorts.

More practically, I am thinking of revisiting my ChaCha20 cipher for smart cards and upgrading it to full 32-bit support, but that will mean a lot of smart cards wouldn't be able to support the 32-bit ChaCha20 cipher, except for chips with full 32-bit operation support.

Anyway, for smart cards, it's better to stick to AES-256 despite the fact that AES has huge amounts of leaky side-channel issues, as trying to create a cipher in something so constrained as a smart card is very difficult (includes NDAs as well if you are going to code native apps).

Thoth • December 2, 2016 7:03 PM

@Karen Starrett, Nick P, Clive Robinson et al.

I have recently talked to one of my manufacturers to request that ChaCha20 be integrated natively and the answer is no ... not anytime soon. The reason is that ChaCha20 is not a FIPS algorithm and the inclusion of a ChaCha20 native app (even if I were to create one and ask the manufacturer to inject my native ChaCha20 app inside the smart card chip) will immediately void the FIPS 140-2 and CC EAL rating. The manufacturer chose to follow FIPS and CC ... so we wouldn't be seeing native ChaCha20 apps that use native routines to accelerate 32-bit maths. Now I can only bet on the Java Card side 32-bit maths (hoping the manufacturer did a good job implementing the 32-bit maths in Java Card).

Note that injecting native apps is fully beyond my control as a card developer; you can only do the Java/C side, which will run within the card VM. Only manufacturers of cards who have signed NDAs and paid their fees are allowed access to native development.

ab praeceptis • December 2, 2016 7:59 PM

Thoth

Well noted. I say the following in an absolutely friendly way.

When will you get it? How many more times do they need to spit in our face for you to get the message? All that "secure card" crap doesn't care a rat's poop about security. They care about committee orgies and golden "secure" stickers (like EAL).

You, however, care about security. It's sad, I know, but caring about security is not only quite different from the golden sticker business, it is actually often quite the opposite.

I think you should step back for a moment and have a fresh view.

Those funny cards offer quite nice hw protection features. The important ones for you are probably that it's at least difficult to force-read them and that they offer some tamper protection.

They have disadvantages, too. They are quite hardcore closed off, they offer lousy performance and to make things worse, they add a fat secret sauce layer.

So what? Give me a couple of bytes that with reasonable certainty an opponent can't know and I'll give you exabytes of pseudo-random bytes an opponent can't know/predict.
Give me some kilobytes of reasonably secure storage and I'll give you exabytes of reasonably securely stored bytes.
And so on.

I'd strongly advise to finally make use of what's useful instead of fighting against insane wanton limitations (as just again reported by you).

Here goes (loose description and pseudo code):

- card spits out some random bytes
- ProgThoth on whatever (say amd64 on linux) calcs hash of itself.
- ProgThoth allocates 1 (or 50) MB of memory, zeroes it and initializes some state, then calculates a hash of that.
- ProgThoth encrypts initial bytes from card using hash as key and sends result to card.
- If card is happy it sends some kind of reasonably crypto-secured "Go!" plus part 1 of some secret stuff, keys, whatever needed by ProgThoth.
- ProgThoth does its thing. Just before "opening the safe" (doing whatever is sensitive) ProgThoth requests another random string, repeats the hash checks above and, if everything is OK, gets the second part of some secret stuff, key, whatever.

Is it high end secure? No. But neither is the card thingy (unless you blindly trust their marketing blabla). But you get
- fast operations
- lots and lots of space
- considerably higher security than with PC or whatever alone.
You have, for example, blocked about all the usual attacks. They can't change a byte in ProgThoth, they can't inject poison, they can't get any secret keys or whatever from the PC, they can't guess anything. And thrown in for free the whole mechanism doesn't work without the card thingy inserted.

Man, you have invested so much work. Don't allow that committee and banking standards golden sticker mafia to stand in your way. Your basic approach "Hey, one should be able to do quite interesting and useful stuff with them secure chips on them cards!" is perfectly OK and smart.
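
The card/host exchange sketched above (card nonce, program self-hash plus zeroed-state hash, two-stage secret release), as an added Python simulation of both sides that is not ab praeceptis's code: HMAC-SHA256 stands in for the unspecified "encrypt the card's bytes with the hash as key" step, the secret is released as two XOR shares, and all names (Card, HostProgram, measure, the program image) are constructed for this example.

```python
"""Simulation of the card/host challenge-response scheme described above.

Both parties run in one process so the exchange can be followed step by step.
HMAC-SHA256 replaces the unspecified "encrypt with the hash as key" step;
the protected secret is handed out as two XOR shares, one per round.
"""
import hashlib
import hmac
import os
import secrets


def measure(program_image: bytes, state_size: int) -> bytes:
    """Host-side measurement: hash of the program image combined with the
    hash of a freshly zeroed, deterministically initialised state buffer."""
    code_hash = hashlib.sha256(program_image).digest()
    state = bytearray(state_size)          # zeroed memory region
    state[:4] = b"INIT"                    # deterministic initial state
    state_hash = hashlib.sha256(state).digest()
    return hashlib.sha256(code_hash + state_hash).digest()


class Card:
    """Stand-in for the smart card: holds the enrolled measurement and the
    two shares of the secret, releasing a share only on a valid response."""

    def __init__(self, enrolled_key: bytes, secret: bytes):
        self._key = enrolled_key
        self._share1 = secrets.token_bytes(len(secret))
        self._share2 = bytes(a ^ b for a, b in zip(secret, self._share1))
        self._pending = None               # nonce awaiting a response

    def challenge(self) -> bytes:
        """'Card spits out some random bytes.'"""
        self._pending = os.urandom(16)
        return self._pending

    def verify(self, response: bytes, round_no: int):
        """Check the host's response to the outstanding nonce; on success
        release share 1 (round 1) or share 2 (round 2), else None."""
        if self._pending is None:
            return None
        nonce, self._pending = self._pending, None   # nonce is single-use
        expected = hmac.new(self._key, nonce + bytes([round_no]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return self._share1 if round_no == 1 else self._share2


class HostProgram:
    """Stand-in for ProgThoth: measures itself and answers card challenges."""

    def __init__(self, program_image: bytes, state_size: int = 1 << 20):
        self.image = program_image
        self.state_size = state_size

    def respond(self, nonce: bytes, round_no: int) -> bytes:
        # The host measures itself; a compromised host could lie about its
        # image, so this raises the bar rather than proving host integrity.
        key = measure(self.image, self.state_size)
        return hmac.new(key, nonce + bytes([round_no]), hashlib.sha256).digest()


def run_session(card: Card, host: HostProgram):
    """Round 1 at start-up, round 2 right before the sensitive operation.
    Returns the reconstructed secret, or None if either check fails."""
    share1 = card.verify(host.respond(card.challenge(), 1), 1)
    if share1 is None:
        return None
    # ... host does its ordinary work here ...
    share2 = card.verify(host.respond(card.challenge(), 2), 2)
    if share2 is None:
        return None
    return bytes(a ^ b for a, b in zip(share1, share2))


def demo():
    """Enrol a constructed program image, then run a genuine and a tampered
    session against the same card."""
    image = b"ProgThoth v1 (constructed program image)"
    secret = b"0123456789abcdef"
    card = Card(measure(image, 1 << 20), secret)
    genuine = run_session(card, HostProgram(image))
    tampered = run_session(card, HostProgram(image + b"\x90"))   # one byte changed
    return genuine, tampered


if __name__ == "__main__":
    genuine, tampered = demo()
    print("genuine session secret:", genuine)
    print("tampered session secret:", tampered)
```

A replayed response is also rejected, because the card forgets the nonce as soon as it has checked one answer.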

65535 • December 2, 2016 9:22 PM

Q and A of Snoopers’ Charter cont. 2.2.0

https://www.schneier.com/blog/archives/2016/11/friday_squid_bl_555.html#c6739417

@ Inmate #137468

"Starting Tomorrow, Feds Can Hack Millions of Devices with One Warrant" -Inmate

http://forum.prisonplanet.com/index.php?topic=318171.0

This seems to follow the invasive/mass surveillance trend codified in the UK’s Snoopers’ Charter. This leads to the use of Network Investigative Techniques such as planting key loggers on individual computers, Fox Acid and Quantum Insert attacks. The question now is: will these be used on a mass scale?

"Network Investigative Technique, or NIT, is a form of malware (or hacking) employed by the FBI since at least 2002. Its usage has raised both Fourth Amendment concerns and jurisdictional issues. The FBI has to date, despite a court order, declined to provide the complete code…” Wikipedia

https://en.wikipedia.org/wiki/Network_Investigative_Technique

‘How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID’

https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html

[Snoopers’ Charter is a done deal and most likely active]

@ Ratio

@65535,

“All that's missing is the (royal) rubber stamp. It's done.”

“Well that is a blunt no nonsense assessment. High praise indeed. :) By the way, it's been stamped. “

“Does this mean the UK Intelligence Agencies is engaging the spying apparatus at this point in time? No, that happened long ago.” -Ratio

https://www.schneier.com/blog/archives/2016/11/friday_squid_bl_555.html#c6739439

@ Ted

“I am still trying to understand the substantive details of the legislation and its historical, political, and social underpinnings.”- Ted

I am also doing the same. There are a lot of unanswered questions [See my question list in prior posts].

https://www.schneier.com/blog/archives/2016/11/securing_commun.html#c6739023

[and]

https://www.schneier.com/blog/archives/2016/11/friday_squid_bl_555.html#c6739417

Feel free to add sneaky tricks used by both the UK and the USA in the name of “National Security” and saving our children. Things are looking bad for privacy advocates at this time.

ay • December 2, 2016 9:32 PM

> Foreign special services are preparing a cyber attack aimed at destabilizing the financial system of Russia

> Russian Federal Security Service received information about the preparation of the foreign intelligence services in the period from December 5, 2016 large-scale cyber attacks in order to destabilize the financial system of the Russian Federation, including the activities of a number of major Russian banks.

> As a result of operational search activities found that the server capacity and command and control centers for cyber attacks are located in the Netherlands and belong to «BlazingFast» Ukrainian hosting company.

> Cyber planned to accompany the mass sending of SMS-messages and publications in social networks (blogs) provocative in relation to the crisis of credit and financial system in Russia, business failure and revocation of licenses of a number of leading banks in the federal and regional significance. The action is aimed at several dozen Russian cities.

> Russian FSB carried out to neutralize the threats the necessary measures of economic and information security of the Russian Federation and the documentation of the impending action.

http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10438041%40fsbMessage.html

Clive Robinson • December 3, 2016 2:58 AM

@ Karen Starrett,

I think Assange was drawing from the "mixing paint" argument, of "the more you mix two paints the harder it is to unmix them if at all...", it applies to many things in nature. It also applies to the notion of energy being effectively "self mixing" in any bounded environment and it's where Shannon borrowed the name "entropy" from, and the phrase "Nature moves from a state of order to disorder" which is true even when you are trying to do the opposite, as you have to supply more energy than you would get back (think turning CO2 and H2O molecules back to hydrocarbons).

As for "attack-v-defence" one implies the other and they are both a waste of resources and if things progress that far quite destructive and inordinately costly.

Mankind is gradually coming to terms with the idea that you actually gain nothing constructive from conflict, something most conflict-tainted soldiers learn fairly quickly.

So the real answer to "the art of war" is consideration and diplomacy, to avoid destruction of any kind. Unfortunately it's something both sides have to believe in, which often is not the case ("Might is right" is a stupid philosophy as there will always be someone who will be mightier than you at some point, and you most assuredly will not want to meet them when they are looking for payback...).

Clive Robinson • December 3, 2016 3:08 AM

@ Thoth,

The reason is that ChaCha20 is not FIPS algorithm...

Thus demonstrating once again the law of "Unintended Consequences" or "IC finessing" depending on your viewpoint of the beast.

And the more I see of the beast, the easier it is to understand the latter viewpoint, especially when NIST are also involved as the front/fall guy (such is the power of the much favoured "Plausible Deniability" meme).

JG4 • December 3, 2016 5:45 AM

Skynet grows stronger with each passing day. It is just a matter of time until it becomes self-aware.

http://www.nbcnews.com/mach/technology/deep-learning-predicts-future-n690851
...
To create the program, the MIT team relied on a scientific technique called deep learning that's become central to modern artificial intelligence research. It's the approach that lets digital assistants like Apple's Siri and Amazon's Alexa understand what users want, and that drives image search and facial recognition advancements at Facebook and Google.
Experts say deep learning, which uses mathematical structures called neural networks to pull patterns from massive sets of data, could soon let computers make diagnoses from medical images, detect bank fraud, predict customer order patterns, and operate vehicles at least as well as people.
"Deep neural networks are performing better than humans on all kinds of significant problems, like image recognition, for example," says Chris Nicholson, CEO of San Francisco startup Skymind, which develops deep learning software and offers consulting. "Without them, I think self-driving cars would be a danger on the roads, but with them, self-driving cars are safer than human drivers."
...
While research into neural networks, loosely based on the human brain, dates back decades, progress has been particularly remarkable in roughly the past ten years, Nicholson says. A 2006 set of papers by renowned computer scientist Geoffrey Hinton, who now divides his time between Google and the University of Toronto, helped pave the way for deep learning's rapid development.

JG4 • December 3, 2016 6:24 AM

I failed to comment on several interesting topics that came up in last week's squid post, for lack of time. I do want to address the climate change topic that I accidentally injected into the discussion. It has been the long-standing approach of companies and groups with profitable businesses to steer public thinking (and political thinking) in generally-successful attempts to maintain profits. Sugar, tobacco, fossil fuels, petrochemicals, weapons, the list is very long. So it is with climate. My point was that cognitive limitations will be exploited, not that climate change is real or not. For the record, I am an agnostic of sorts, but I find the physics of the greenhouse effect compelling. Refining computer models of the effects until they can be trusted is a good approach.

It is likely that humans are more or less unintentionally altering the climate with CO2 emissions, methane, etc. and possibly dust/aerosol effects. The problem is that the cost of addressing the issues is very large and upfront, while the costs of not addressing them are unknown and lie at unknown times in the future. Further, solar effects and space weather almost certainly alter climate in ways as yet unknown. I am in favor of increased research to better understand the issues, and put in place mitigating technologies. I even like the idea of carbon taxes. They at least begin the process of weaning off of fossil fuels.

Hubbert showed in 1956 that fossil fuels only ever could be a stepping stone for humans, irrespective of climate change. His conclusion was that nuclear fission would be a second bridge to provide abundant power for millennia, while fossil fuels could only last for a few centuries. I'm not against nuclear power, although it was disappointing to see the country that brought Toyota and Honda quality to the world floundering in profound and continuing dysfunction during a catastrophic nuclear accident. The sharper knives in the drawer will note that it was a US reactor design, not that the Soviet or UK designs were much better. Codename Chernobyl and Windscale. Just another orbit around your star on the blue marble of unintended consequences.

I am absolutely delighted with what has happened in solar PV. The earth's crust is all but made of silicon, aluminum and oxygen, which can be used to transduce energy with very low environmental impact. I am surprised that after 400 years of battery technology innovation (not counting whatever the ancients knew), the problem of cost-effectively storing renewable energy really hasn't been solved at a level affordable to the average formerly-middle-class household. For what the US spent on genocide in the Middle East, enough solar thermal infrastructure could have been built in the desert Southwest to power the entire US electric grid and free up all of the coal and natural gas for transportation uses. The savings from that would have paid for the next round of innovations (energy storage) to run the transportation system from a second solar thermal infrastructure in the Southwest. It also would have left the Middle East to sort out their political difficulties with a lot fewer dollars and weapons. They too will have to put in place solar energy installations and figure out how to grow food in the desert.

Thoth • December 3, 2016 8:12 AM

@all

The baneful Buffer Overflow has never ceased to turn systems into crap and after so many years, it is still alive and kicking ... making a shame out of "security".

Don't worry about all the iOS security if you can't access one of those Apple devices ... they can't defeat a Buffer Overflow.

Didn't James Comey, Theresa May, Cameron, Mike Rogers et al. swear at their governmental hearings (parliaments and congress) that their agencies are going dark? How are they even going dark when Apple, known for its recent improvements in security, couldn't even keep the baneful Buffer Overflow bug from appearing? Going dark is a very bad lie....

Link: http://arstechnica.com/apple/2016/12/buffer-overflow-exploit-can-bypass-activation-lock-on-ipads-running-ios-10-1-1/

r • December 3, 2016 9:18 AM

They're going dark because they no longer report their methods, accurately even. It's not that we're going dark, it's that they have to turn to backroom misgivings and the extortion racket they learned from the mob.

They ARE going dark; parallel construction, redaction, black budget financing.

r • December 3, 2016 9:21 AM

They go dark by signing NDAs, if you'd just hand your dick pics over we wouldn't have this problem.

Right?

r • December 3, 2016 9:27 AM

@Thoth,

It's cute that the attack uses induced lag to widen the availability window behind the lock screen.

Ted • December 3, 2016 9:59 AM

@65535

I am also doing the same. There are a lot of unanswered questions [See my question list in prior posts]. -Ratio Q and A of Snoopers’ Charter cont. 2.2.0 https://www.schneier.com/blog/archives/2016/12/a_50-foot_squid.html#c6739678

Great questions, thanks for keeping the links so well organized :)
https://www.schneier.com/blog/archives/2016/11/securing_commun.html#c6739023

2] Who is not covered in the Snoopers Charter? Politicians? Lawyers? Doctors? Banks?

According to The Independent, under a tailored application of the law, Parliament has exempted itself from the same level of surveillance access as its compatriots. Warrants to access records belonging to members of the British parliament, as well as assembly members of other European parliaments, must further be approved by the prime minister. This is an additional approval that is beyond the secretary-of-state-approved warrant access applicable to most citizens, and is actually less than parliament had hoped for.
http://www.independent.co.uk/life-style/gadgets-and-tech/news/investigatory-powers-bill-a7447781.html

3] Who is the judicial arm that allows MI5/MI6, law enforcement and others to view this huge data base?

Although this does not answer that question specifically, it provides some context on the evolving matter of oversight. A special report from The Economist "Espionage: Shaken and stirred" provides a look at the transition intelligence services are experiencing as they move from services governed under the reins of public trust to operations that are subject to higher levels of scrutiny. According to the report, the struggle to come to terms with increasing accountability from the press, the legislative assembly, and the courts over the past 15 years is one that is ongoing.
http://www.economist.com/news/special-report/21709778-intelligence-services-both-sides-atlantic-have-struggled-come-terms

And more on the petition: The petition to repeal the Investigatory Powers Act is now the most signed petition of 3,300 open petitions. As of today, it has received over 152,350 signatures. Only 60 unarchived petitions have garnered more than 100,000 signatures, less than 1% of the 8,000 petitions accepted for signatures. It is currently the 23rd most signed petition of 23,000 petitions submitted.

keiner • December 3, 2016 10:13 AM

@Thoth

We live in a world FULL of lies and parallel constructions. Hard to say where it starts and where it ends. Has been so for the last 2-3000 years.

But things are moving faster now, people are not that experienced in handling the amount of trash and so we get lost in a hurricane of false flag and "who-to-trust-and-who-not" until the whole world has become totally neurotic.

Jason • December 3, 2016 10:45 AM

Just days before the FBI was given permission to hack any computer, anywhere in the world:

http://thehackernews.com/2016/11/fbi-rule-41-hacking.html

A Firefox zero day exploit that allowed Tor users' real IP address to be exposed was discovered. When a corrupted web page was opened by a Firefox or Tor Browser with Javascript enabled on a Windows computer, it leverages a memory corruption vulnerability in the background to make direct calls to kernel32.dll, which allows malicious code to be executed on computers running Windows. Using virtually the same code as a 2013 exploit used by the FBI to unmask Tor users, the exploit submits users' real IP address, MAC address, and machine name to a server belonging to French Web host OVH at 5.39.27.226 on port 80.

http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/

The source code of the exploit was released:
https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

A patch was quickly issued to close the vulnerability:

http://arstechnica.com/security/2016/11/tor-releases-urgent-update-for-firefox-0day-thats-under-active-attack/

The exploit worked only on Windows computers, and only if Javascript was enabled. MalwareBytes also claims their Anti-Exploit Premium program would have prevented the exploit from working.

It sounds as though some TLA or LEA has had their parade rained on. We got lucky this time. But with Tor itself relatively secure, browser exploits are going to happen again... and again... and again... With browsers continually being "improved", vulnerabilities allowing the Tor proxy running on the same machine to be bypassed are inevitable.

A good mitigation strategy would be to avoid using the Tor package on a Windows machine. Not because Linux is immune to exploits, but with the majority of computers using Windows, they will go for the low-hanging fruit. With so many different kernels and distros in use, writing an exploit for Linux would be much more difficult and time consuming with little to show for it.

A much better strategy for protecting your identity would be to run the hardened Tor browser on a dedicated Linux machine, but run the Tor package on a separate appliance such as TorPi. If a browser exploit did occur, the Tor appliance would either reject the data packet or force it through the Tor network effectively hiding your real IP address.

Andrew • December 3, 2016 10:47 AM

Seen "Snowden", better than expected. No matter how accurate it is, people will still believe technical stuff is fictional.

keiner • December 3, 2016 11:06 AM

@Jason

Can you provide a serious link to TorPi? I couldn't find anything NOT looking like a trap...

Winter • December 3, 2016 11:33 AM

For those who still can sleep. Most of the above is just part of the pattern:

War/ning 2020
https://global4cast.org/
Social integration and expansion in anarchistic systems
How connectivity and our urge to survive determine and shape the war dynamics and development of the System.

Free book download. Read and shudder.

Maybe we won't even make it long enough to care about global climate change.

Daniel • December 3, 2016 12:38 PM

@Karen

Thank you for your comment regarding the nature of attack vs. defense because I have recently been thinking about that issue myself. As I see it the best phrasing is to say that "defense must be asserted". That may seem like a contradiction in terms but I suggest it is not. Privacy is an interest and a value that must be asserted against a universe where the default is to permit. It doesn't follow, however, that this means privacy or defense is inherently weaker because a defensive stance doesn't tell us anything about the relative strength of the two parties.

So in my view the reason why assertions of privacy fail are not because there is anything inherently weak about privacy, it is that there simply aren't enough people who hold privacy as a value. That truth is not natural but cultural and...to give your thesis the coup de grace...culture is always an assertion against nature. This leads to the ironic conclusion that a culture of openness is by definition an assertion of privacy. This irony helps us to see that hidden behind claims of openness vs privacy are actual claims to privilege of one cultural group over another cultural group, claims such as a preference for introversion over extroversion (or vice versa).

So claims that nature favors the attacker are in error because attack and defense are inherently cultural constructs and there is no evidence that culture over the long term favors anyone.

Gerard van Vooren • December 3, 2016 1:21 PM

@Figureitout,

First tell us how to prevent backdoors being mandated in the legislation

I will tell you right after I have figured out how to cure capitalism. In other words: I don’t have the answer to that question.

What's actually needed is better engineering, then extensive checking (they're different skills, the primary creators, then the checkers and testers) and actual actions of individuals proactively preventing attacks via OPSEC dedicating computers to specific purposes so the opportunity cost of any attack goes up.

I don’t disagree. I hear you. But how can you make that happen? Punishment! Punish the "cowboys"! And you need a legal framework for that. That's why legislation is probably the only answer (I can think of). I have linked this blog post a couple of times but it's still a good read.

keiner • December 3, 2016 2:16 PM

@Gerard vV

On one hand, liability is the key. On the other hand: who should pay the insurance needed under such a law for the Linux kernel? And the respective Linux distributions?

ab praeceptis • December 3, 2016 4:14 PM

That secushare link is ridiculous blabla and "competition bashing".

Examples: "1. Downgrade Attack: The risk of using it wrong." - I'm no fan of PGP but I've seen it used by users whose IT knowledge reached its borders in MS Word.

"2. The OpenPGP Format: You might aswell run around the city naked."

PGP didn't aim for that. It aimed for example for you being able to send confidential information to your lawyer. The question whether anyone (e.g. state agency) sees that you send encrypted confidential information wasn't addressed.

One might as well say "But everyone can see you riding in a train. Hence trains are an insufficient means of travelling".

"3. Transaction Data: Mallory knows who you are talking to."

Oh gawd! Well, Mallory knowing that isn't to do with PGP but with SMTP.

...

But the best part comes at the end where they talk about alternatives as promised early on:

"... let's first acknowledge that there is no obvious alternative.", some sentences later followed by "There is no one magic bullet you can learn about." in bold.

Ridiculous self-promoting competition bashing blabla.

Clive Robinson • December 3, 2016 4:28 PM

@ Jason,

A good mitigation strategy would be to avoid using the Tor package on a Windows machine.

In the case of this particular exploit, which as described in the articles gets what the computer thinks is its real IP address... Just running a private network at home on one of the reserved IP address ranges behind a Network Address Translation Router/Firewall might well nullify it.

However I cannot see them just going for the IP address; after all, why be that restrained when they could fingerprint the computer by other techniques such as the fonts etc.

r • December 3, 2016 5:03 PM

@Clive,

They don't just go after the originating IP, we already know they gather at least the hw MACs too. Likely anything else available through ring3 methods, not excluding values made available through various **cough** subsystems which wouldn't normally be available to something left to lower IOPLs.

I highly doubt they under normal circumstances use priv esc attacks for their purposes but I'm more than willing to bet quality identifying markers are available even with the lowest of privs under _most_ OSs.

It's a great argument for Qubes/Whonix not for the networking qualities but for some of the isolation tendencies themselves.

Czerno • December 3, 2016 5:10 PM

@Clive, @Jason : reportedly the exploit steals both the local IP address (which, as you wrote, would be meaningless to a global attacker if the computer be NATed); /and also/ it steals the computer's MAC address (which might be much more useful to pierce anonymity, unless the attacked has taken more precautions than usual, viz MAC address "spoofing").

Also, according to Tor's Roger Dingledine aka Arma, the exploit might be adapted to work in Linux even though the specific found incarnation of it worked against Windows only.

That said, the exploit requires Javascript in the victim's browser. Perso, contrary to the Torproject guys' recommendations, 1. I will /never/ allow scripts to run in a torified browser (and only reluctantly in non-torified ones, btw), and furthermore, 2. I will /never/ use the official, tweaked Firefox aka Tor-browser, which will never be secured. I use an old Firefox 3.5 instead, without scripting as said, no Java, no nothing... that has little to no attack surface!

The Tor guys would argue that by not doing it in their prescribed way, I'm standing out of their (small btw) "crowd" (re. Panopticon and similar tests) BUT I will gladly sacrifice the "crowd" effect for more security against nasty penetration exploits and zero-days !

I do cosmetically change Firefox 3's "user-agent" string to look like the official Tor-browser, which won't fool the real "spooks" but is enough to make me look like I'm a regular Tor user to many sites, - including Torproject's own "Am I using Tor?" at "check.torproject.org" :=)

ThothDecember 3, 2016 5:17 PM

@r, Nick P, ab praeceptis

Re: OpenPGP
I have always found Secushare's many recommendations and articles (not just the OpenPGP bash party) to be not only a bunch of bad advice but to have no solutions either. The most troubling and dangerous is the possibility of misguiding newcomers who are trying hard to secure themselves.

RSA being broken anytime soon is clearly fear mongering. As @Clive Robinson has mentioned, how would a 256-bit ECC be more secure when you need 2048-bit equivalent in RSA. It has always been a mystery to me how people can go about "selling ECC" when it's rather obvious that a smaller key size is attempting to provide the same security as a bigger key size, between RSA and ECC. Also, RSA maths are more straightforward whereas with ECC you have to handle all kinds of curves and weird parameters. Too much esoteric stuff in ECC while RSA is much cleaner.

In short, that Secushare thingy is highly dubious.

My GroggyBox format was designed from day 1 to have the capability of preventing the knowledge of who sent to whom and with some obfuscation capability to create seemingly "targetless" messages, but I am still implementing it in my free time. It is currently usable at the level of sending smart card commands to the applet but for the GUI, I am still working on it.

rDecember 3, 2016 5:18 PM

@Czerno,

While I appreciate your sentiments, using an old version of FF may leave you far more vulnerable than I think you're anticipating unless you're recompiling it yourself with updated dependencies.

Never ever ever assume that the images you're seeing are valid representations, we have had exploits in GIF WAV PNG MP3 JP[e]G and SVG.

Those will punch through noscript and ublock practically every time.

@Nick, ab

Thanks for responding to the threadpost on pgp opinions.
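r's point is that a decoder for an image container runs on every page regardless of script blockers, so the first line of defence is to refuse anything whose container lies about itself before a decoder touches it. The following is an added example, not code from the thread: a structural pre-check of a PNG container that verifies the signature, every chunk's declared length against the buffer, every CRC against the data, chunk ordering and the IHDR fields. It constructs its own sample files in memory (a valid 1x1 image and a copy whose IHDR length field has been inflated to 0x7FFFFFFF, the classic shape of a length-trusting overflow trigger). The dimension and chunk-size limits are assumptions to tune per deployment, and a check like this only catches container lies, not logic bugs in the decoder itself.

```python
"""Structural pre-check of a PNG container before it reaches an image decoder.
Added example, not from the original thread.  MAX_DIMENSION is an assumed
deployment limit; MAX_CHUNK_LEN is the bound the PNG spec itself imposes."""

import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 2**31 - 1      # PNG chunk lengths must fit in 31 bits
MAX_DIMENSION = 16384          # assumption: reject absurd width/height early


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed sample: a valid 8-bit RGB PNG of the given size, all black."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # each scanline is one filter byte (0 = None) followed by RGB triples
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b""))


def oversized_length_png() -> bytes:
    """Constructed malformed sample: the valid file with IHDR's length field
    rewritten to 0x7FFFFFFF, the shape a length-trusting decoder overflows on."""
    good = minimal_png()
    return good[:8] + struct.pack(">I", 0x7FFFFFFF) + good[12:]


def validate_png(data: bytes) -> list:
    """Walk the chunk list, checking each declared length against the buffer
    and each CRC against the data.  Returns the chunk types in order, or
    raises ValueError naming the first structural problem."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature")
    pos, types = len(PNG_SIGNATURE), []
    while pos < len(data):
        if len(data) - pos < 12:
            raise ValueError(f"truncated chunk header at offset {pos}")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        available = len(data) - pos - 12
        if length > MAX_CHUNK_LEN or length > available:
            # a decoder that trusts `length` here reads or writes out of bounds
            raise ValueError(f"chunk {ctype!r} claims {length} bytes, {available} available")
        if not ctype.isalpha():
            raise ValueError(f"non-alphabetic chunk type {ctype!r}")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + payload) & 0xFFFFFFFF:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        if not types and (ctype != b"IHDR" or length != 13):
            raise ValueError("first chunk must be a 13-byte IHDR")
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", payload[:10])
            if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                raise ValueError(f"unreasonable dimensions {width}x{height}")
            if depth not in (1, 2, 4, 8, 16) or colour not in (0, 2, 3, 4, 6):
                raise ValueError("invalid bit depth or colour type")
        types.append(ctype)
        pos += 12 + length
        if ctype == b"IEND":
            break
    if not types or types[-1] != b"IEND":
        raise ValueError("missing IEND chunk")
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} trailing bytes after IEND")
    return types


def is_safe_png(data: bytes) -> bool:
    """Accept/reject wrapper for callers that do not need the reason."""
    try:
        validate_png(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("valid sample:", validate_png(minimal_png()))
    print("inflated length accepted?", is_safe_png(oversized_length_png()))
```

Run it standalone and the valid sample lists IHDR, IDAT, IEND while the inflated-length copy is rejected before any pixel data is parsed. In a real deployment this sits in front of the decoder, ideally in a separate sandboxed process, because it says nothing about bugs inside a decoder that is fed a well-formed file.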

CzernoDecember 3, 2016 5:59 PM

@r : I hear your point. Can you provide a trusted site where exploits against known vulnerabilities of old FF versions are demonstrated and can be tested ?

And I mean not just bugs, not even the kind that will crash the browser (even the OS) but actual exploits that either exfiltrate data from or allow secret code execution, system file modifications on a Windows or Linux system (and non-root, non-admin, and sandboxed in Windows).

Until I can /see/ such exploits -that I could not further mitigate by adequate configuration restrictions, I feel comfortably secure using good old FF 3.5. I could be persuaded to run FF 10 (ESR) torified instead, but won't go for any newer : Mozilla keep inflating the attack surface endlessly adding crap like webgl, websockets, html5, geolocation ... every bit of which can introduce new dangers and possible bugs and by-passes and exploits (intended or not)...

GrauhutDecember 3, 2016 6:24 PM


Seems the social media Trump-Bots were real high tech, based on big data, deep learning and psychometrical AI. :)


"...the bomb has burst: contrary to the projections of all leading statisticians, Donald J. Trump has been elected.

Kosinski looked for a long time at Trump's victory celebrations and the election results of the individual federal states. He suspects that the result might have something to do with his research..."

https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fwww.dasmagazin.ch%2F2016%2F12%2F03%2Fich-habe-nur-gezeigt-dass-es-die-bombe-gibt%2F&edit-text=&act=url


"NEW YORK, Nov. 9, 2016 /PRNewswire/ -- Cambridge Analytica, the market leader in the provision of data analytics and behavioral communications, would like to congratulate President-elect Donald Trump and Vice President-elect Mike Pence on their historic victory.

Cambridge Analytica was instrumental in identifying supporters, persuading undecided voters, and driving turnout to the polls. "

http://www.prnewswire.com/news-releases/cambridge-analytica-congratulates-president-elect-donald-trump-and-vice-president-elect-mike-pence-300359987.html

ab praeceptisDecember 3, 2016 8:08 PM

"The general consensus then is that secushare is a blueteam false flag?"

I didn't look deeper into it so what I say here is just a subjective opinion. But, no, I'm not under the impression that those guys run a false flag.

My personal take is rather that those guys are well meaning "religious" zealots (keep in mind the old wisdom "well meaning often leads to done bad") who seriously and honestly believe that they are out to save the world and that everybody must must must use their toy^h^h^h tool or else the dark evil forces will read all the apple pie recipes Jane and Joe are so bloody insecurely sending to each other.

Moreover I'm under the impression that they do not really know what they are doing but that they rather collected the usual security must-haves zoo from stupipedia. otr, perfect forward, etc.

Also, I didn't find any tangible information on the crypto on their home page or in their faq. Oh well, ...

Btw: their stuff is in C, of course, as befits cool world saviours. Need I say more?

MaliakiDecember 3, 2016 8:58 PM

@ Grauhut,

"Seems the social media Trump-Bots were real high tech, based on big data, deep learning and psychometrical AI. :)"

Our mainstream media bots got schooled big time... must be the Russians. :)

ThothDecember 3, 2016 10:09 PM

@all

Re: Mozilla + Tor under active attack et. al.

The simplest way to handle it is to use NAT and a zero or thin client Live CD setup. Do note that the PC used for this setup should be classified as public facing network and should never be used to handle anything classified.

AndyDecember 3, 2016 11:21 PM

What's wrong with this, from last Squid Friday.
Memset(out,0,Glen); first 0 should be 0x00 , out should only be used like that if it's on the stack, if in heap use &out and let heapalloc sort out the size and 3 dword sig, plen, should differentially be a global var, start of the program initialization, they fixed it but don't look for a specific error code, instead go white list in
If(error == 0x00(differrent for other os) && error != cfflag && error != 0x22,0x25,0x5f,0off,0x0d,0x0a, me meet is secure well they fixed the thing, but it's what's before that's the important bit, the above which I called could use 7 different version of strcmp, some even are logged as such, it's the IF statements, that need to be sat on like a toilet.

Karen StarrettDecember 4, 2016 2:19 AM

@ Clive
thankyou for taking the time to reply, appreciated.
It's really a miracle that someone as inventive, original and insightful as yourself endured wearing the green for so long (not that I know how long).
Surviving blockheads with authority over you, all the middle management and utter inefficiency, carbon copy triplicate x 4 to order a meal etc. Diametric opposite of thinky hinky

@ Thoth
Thank you also for responding in depth. I wasn't actually asking about OTP, did get that it was not compatible with your project. Mentioned in context of old school methods - was in fact suggesting/asking about microdots as an old school steganography for your smartcard. I don't know if they have a place in modern computing cryptography/obscurity but it's an interesting thought. It would require kilobyte space to implement however.

@ Daniel

Thanks. You almost sorta lost me but I get the general gist.
I think people do care about privacy. They want curtains on their windows. They would be offended if someone eavesdropped on their conversation at a cafe, or opened their personnal envelope before it was delivered. For some reason the electronic sphere seems to be more ephemeral in the mind of the average joanna and is not taken as seriously

If one is going to split hairs I would say they want privacy but are not prepared to take threats to it seriously and/or are not prepared to do what it takes to uphold it.

@ All

new book for your interest.

https://www.amazon.com/Into-Lions-Mouth-Real-Life-Inspiration/dp/0425281817

A biography of the man who was the actual, genuine inspiration for James Bond, as stated by Ian Fleming, who witnessed him in action.
It's a full biography, very well written and researched. His extraordinary service to Britain as an agent during the war. His courage, ingenuity and capacity and scope were amazing. Dusko Popov. Agent stories really don't get any more remarkable than this. He provided the FBI and Hoopy or whatever his name was, with the full details of the Pearl Harbour event about 4 months before it occurred, and followed it up more than once. They refused to do anything with the information.

HermanDecember 4, 2016 2:59 AM

I'm so glad that squid picture is a fake. Imagine the horrible calamari that people would have made from that thing...

Gerard van VoorenDecember 4, 2016 4:24 AM

@keiner,

On one hand, liability is the key. On the other hand: Who should pay the insurance needed under such a law for the Linux kernel? And the respective Linux distributions?

If you read the blog post that I linked you can read the vision of PHK. My opinion is that (F)OSS should legally be considered as hacking. There is nothing wrong with that. Everyone can express their creativity, jump in, eliminate and create bugs. The code can be verified etc..

That all changes when it becomes (part of) a product that is gonna be used for a profit. Whether that product is (F)OSS, closed source, or the web, cloud, it doesn’t make a difference. Then there should be liability. So the question is whether the Linux kernel is a product. I don’t think it is, but if the Linux kernel is being used in Red Hat, then the answer to that question is definitely yes and it’s Red Hat who is selling the product so they should be liable. And if they are then you can be damn sure they take commits much more seriously.

CarpetCatDecember 4, 2016 9:37 AM

@r

https://en.wikipedia.org/wiki/BREACH_(security_exploit)

the gzip compression has never been fully mitigated, despite what we've all been told. However, the wording on the wiki has been changed to help us feel better.

Notice the HEIST exploit listed in the further reading.

Bottom line, you'se guys been living in a fantasy world. One that you thought had any privacy whatsoever. You have no secrets.

The only thing you keep to yourself is the childish idea that this can't be happening. We're all doomed. :)
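The mechanism behind BREACH (and HEIST, which only changes how the response length is measured) is that a compressor which sees an attacker-supplied guess next to a secret in the same response produces a shorter output when the guess matches more of the secret. The following is an added example, not code from the thread or from the BREACH authors: a page with a CSRF token and a reflected search term is compressed, and the attacker recovers the token one character at a time by watching the size. A greedy LZ77 token count stands in for DEFLATE's matching stage so the oracle is noise-free and the recovery is exact; a real-DEFLATE oracle is included for comparison, and its Huffman stage adds the +/-1 byte noise that forces the real attack to use repeated and padded measurements. The page layout, the hex token alphabet and the attacker's anchor string are all assumptions.

```python
"""Simulation of the BREACH compression side channel.  Added example, not
code from the thread.  The page layout, the hex token alphabet, the attacker's
anchor string and the toy LZ77 cost model are assumptions."""

import zlib

HEX_ALPHABET = "0123456789abcdef"


def render_page(secret: str, reflected: str) -> bytes:
    """Hypothetical response body: a per-session CSRF token in a hidden field
    plus an attacker-controlled string (say, a search term) echoed back."""
    html = (
        '<html><body><form><input type=hidden name=csrf value="' + secret + '">'
        '</form><p>Search results for: ' + reflected + '</p></body></html>'
    )
    return html.encode()


def lz77_size(data: bytes, min_match: int = 3) -> int:
    """Greedy LZ77 token count: one unit per literal, one per back-reference.
    This is DEFLATE's matching stage without the Huffman stage, so a longer
    match always costs strictly less and the length oracle is noise-free."""
    n, i, size = len(data), 0, 0
    while i < n:
        best = 0
        for j in range(i):                       # longest earlier match for data[i:]
            length = 0
            while (j + length < i and i + length < n
                   and data[j + length] == data[i + length]):
                length += 1
            best = max(best, length)
        i += best if best >= min_match else 1    # emit a back-reference or a literal
        size += 1
    return size


def deflate_size(data: bytes) -> int:
    """Real DEFLATE output length, for comparison: the same leak, but Huffman
    coding adds roughly a byte of noise, so single measurements can mislead."""
    return len(zlib.compress(data, 9))


def recover_after_anchor(oracle, anchor: str, alphabet: str = HEX_ALPHABET,
                         max_len: int = 64) -> str:
    """Recover the characters following `anchor` one at a time: the guess that
    extends the back-reference into the secret compresses smallest."""
    known = ""
    for _ in range(max_len):
        sizes = {c: oracle(anchor + known + c) for c in alphabet}
        smallest = min(sizes.values())
        winners = [c for c, s in sizes.items() if s == smallest]
        if len(winners) != 1:       # every guess ties: nothing left to extend
            break
        known += winners[0]
    return known


def demo(secret: str = "7f3a9c1e2b5d", noisy: bool = False) -> str:
    """Run the attack against a page holding `secret`; return what was recovered."""
    measure = deflate_size if noisy else lz77_size

    def oracle(reflected: str) -> int:           # what the attacker observes per request
        return measure(render_page(secret, reflected))

    return recover_after_anchor(oracle, anchor='name=csrf value="')


if __name__ == "__main__":
    print("recovered:", demo())
```

With the noise-free oracle the full token comes back with sixteen requests per character; switching `noisy=True` shows the same leak through real zlib, where ties and off-by-one sizes are why the published attack needs the "two tries" trick and averaging. The defences that actually close the channel are the ones the wiki article lists: not compressing responses that mix secrets with reflected input, masking the token per request, or length hiding with random padding.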

ab praeceptisDecember 4, 2016 10:21 AM

Gerard van Vooren

As much as I value PHK, not just as a developer but as a generally bright man, this I think is misled; it's impractical and it would kill off some 90+% of foss.

Assume foo inc. markets some products baz with the linux kernel in it. How on earth could they practically accept liability for the linux kernel? And how could, say, eff or linus himself accept that liability? What might be possible is that some big corp credibly accepts liability for the linux kernel. But then they would incur cost and they would have decisive power which would hardly be acceptable for many developers.

Some foss projects bet on some form of meritocracy. The problem with that is that corporations and the legal system need *tangible* liability. meritocracy shows good will and, if done properly, has some factual influence on quality, but it's far away from what legal and corps need.

It's IMO, in fact, the elephant in the foss room that is just conveniently ignored and replaced by lots of "creativity" and "fun" blabla.
If we want liability then we will need to return to the non foss model.

Let's have a practical look: If I write, say, a TLS implementation, The max frame is my professional competence which also defines to a certain degree the min frame of quality. Chances are that I as an experienced developer don't create a high number of bugs and possibly no grave ones. In other words I would be a good candidate for a meritocracy setting.
If I work unpaid the quality of my code will be about as good as if I were paid. The reasons for that are only in my personality and mindset.

The very second I shall accept liability for my code it won't be foss anymore. Simple reasons. a) there is another side that has rights re. myself. b) I must be prepared, say by paying some (imaginary) insurance.

I'd suggest a different model. A model where

a) all code written by people paid (at least in non insignificant part) by the public (-> academia!) *must* be fully open, albeit with limited liability.

b) Some kind of public body in charge of code quality *must* inspect and "stamp as OK" (or not) any and all code used by state agencies or in certain products (airplanes, core routers,...).
This public body would also take on liability for anything it stamps OK, except that, in the case the code comes from companies, such liability would be on the companies to a large degree but shared by the public body if they stamp it OK.

c) companies can and are encouraged to open-source parts of their codebase that are not sensitive for their business. The liability problem would already be solved by them needing to have it "stamped" anyway. They could gain reputation by open sourcing and might gain in diverse regards, e.g. by becoming more attractive as an employer.

d) There might be considerably lower checking fees (by the a.m. public checking body) for non-corp foss projects meeting certain criteria. Moreover those fees might be paid by business entities interested in the code.

Disclaimer: I'm an idiot in the legal field. Hence there might be gross legal idiocies in the above. It might be useful as thought food though.

Nick PDecember 4, 2016 11:12 AM

@ Gerard

Well-said. I'll go further to point out that something like 70+% of commits to Linux kernel are from corporations that use it. Red Hat is one. IBM is another. It's mostly a corporate thing despite people throwing the word FOSS around with the impression of a community-driven development or public commons. I'm not sure what real-world metaphor to use for Linux at the moment. Kind of like one of those non-profit buildings used for community activities, flea markets, and corporate events.

ab praeceptisDecember 4, 2016 11:31 AM

Nick P

Absolutely. Plus: It's, in fact, a way out of liability for them.

If the same employees wrote the same code under e.g. the IBM name, IBM would be liable. Having their employees write that code for foss Linux, however, frees them from liability and instead forces the foss "nothing whatsoever guaranteed" dictum on their customers.

rDecember 4, 2016 11:31 AM

Businesses are part of the community in any given area including FOSS, think of it as a public infrastructure project that everyone gets to benefit from.

Everyone just so happens to include redteams/blueteams, unfortunately.

Nick PDecember 4, 2016 11:58 AM

@ ab praeceptis

We don't have software liability here in the U.S. Big software companies with lobbyists made sure of it. If we did, they'd definitely try to use it to dodge liability. Or spread it out. Hence, Gerard's distinction of what's being used for fun and what people are paying for.

Gerard van VoorenDecember 4, 2016 12:30 PM

@ ab praeceptis,

As much as I value PHK, not just as a developer but as a generally bright man, this I think is mislead; it's impractical and it would kill off some 90+% of foss.

It's my opinion, not that of PHK. Read the blog post.

That said, I like your ideas too. This discussion all comes from @Figureitout with his remark that we need better engineering in the software industry, or software in general. To be honest, I don't care how that is achieved, it's about the end result. I think that "product liability" is probably the easiest route. But IANAL too and all we are doing here about this topic is expressing opinions.

CallMeLateForSupperDecember 4, 2016 12:39 PM

Another article about $50 USB Killer. Lots of pretty pictures for us hardware gadget fans.

http://arstechnica.com/gadgets/2016/12/usb-killer-fries-devices/

A detail that had somehow eluded me before: after dumping an energy load into a port, USB Killer checks to see if it survived; if it did, it receives another whack, another check, ad infinitum.... until it succumbs.

"You can even purchase a "Test Shield" for £15/$15, which lets you try out the kill stick — watch the spark of electricity arc between the two wires! — without actually frying the target device [...]"

Said Shield might be just the thing to protect your USB. Although desktop 'puters are mostly air, laptops aren't. I guess laptop owners could threaten to revoke a trespasser's citizenship. ;-)

TedDecember 4, 2016 3:17 PM

Leo Laporte & Friends of TWIT (This Week in Tech) talk with Iain Thomson (@iainthomson) of The Register about the Snooper’s Charter.

https://twit.tv/shows/this-week-in-tech/episodes/590 [minute 6 to 18]

As a journalist who worked in the UK for 20 years, Iain has a ground-level view on the bill. He, Leo, and the group talk about bulk data collection, crime prevention, encryption, civil liberties, and what someone could do if they wanted to get involved, like reaching out to their member of Parliament or Congress.

Leo Laporte also broadcasts a program with Steve Gibson called Security Now! For the week of November 22, 2016 the gents review several prominent stories, including the UK’s new IP Bill and Bruce’s Congressional testimony on the Internet.

https://www.grc.com/securitynow.htm [Episode #587]

NicolaDecember 4, 2016 3:53 PM

If you thought speakers acting as microphones was the stuff of paranoids,
1) physics. A dynamic microphone and a common speaker are the same: a coil moves a membrane AND vice versa. If you're still not convinced, the hugely popular Shure SM58 is a dynamic microphone.

2) If you think it requires a complex chip or 4 wires or else... or the sound quality wouldn't be so great... you've been successfully misled.
80s tech doing it with 2 wires and a couple of analog traces:
https://youtu.be/FAHSkcP1PPc?t=3m

65535December 4, 2016 6:19 PM

@ Ted

“According to The Independent, under a tailored application of the law, Parliament has exempted itself from the same level of surveillance access as its compatriots…” –Ted

https://www.schneier.com/blog/archives/2016/12/a_50-foot_squid.html#c6739700

[Accordingly noted]

Ah, I see a special exemption for the Rich Powerful People [and maybe their children] but mass surveillance for the average Joe. It appears to be an unjust double standard.

The bottom of the Independent’s article has a quirk:

"Internet connection records – a history of every website that someone has visited, but not every page – will still be collected for MPs, since they will be done en masse by internet providers for all of their customers. But they won't be able to be accessed without a warrant [In theory but may be not in practice –ed].” - Independent

http://www.independent.co.uk/life-style/gadgets-and-tech/news/investigatory-powers-bill-a7447781.html

I see an opening for Internet providers to possibly read and maybe disclose to allied parties the MPs’ internet history. This appears to be a by-product of mass surveillance.

[List of people/Three Letter Agencies who can access the spy data bank]

"The full list of agencies that can now ask for UK citizens’ browsing history, which is laid out in Schedule 4 of the Bill and was collected by Chris Yiu, is below:

• Metropolitan Police Service
• City of London Police
• Police forces maintained under section 2 of the Police Act 1996
• Police Service of Scotland
• Police Service of Northern Ireland
• British Transport Police
• Ministry of Defence Police
• Royal Navy Police
• Royal Military Police
• Royal Air Force Police
• Security Service
• Secret Intelligence Service
• GCHQ
• Ministry of Defence
• Department of Health
• Home Office
• Ministry of Justice
• National Crime Agency
• HM Revenue & Customs
• Department for Transport
• Department for Work and Pensions
• NHS trusts and foundation trusts in England that provide ambulance services
• Common Services Agency for the Scottish Health Service
• Competition and Markets Authority
• Criminal Cases Review Commission
• Department for Communities in Northern Ireland
• Department for the Economy in Northern Ireland
• Department of Justice in Northern Ireland
• Financial Conduct Authority
• Fire and rescue authorities under the Fire and Rescue Services Act 2004
• Food Standards Agency
• Food Standards Scotland
• Gambling Commission
• Gangmasters and Labour Abuse Authority
• Health and Safety Executive
• Independent Police Complaints Commissioner
• Information Commissioner
• NHS Business Services Authority
• Northern Ireland Ambulance Service Health and Social Care Trust
• Northern Ireland Fire and Rescue Service Board
• Northern Ireland Health and Social Care Regional Business Services Organisation
• Office of Communications
• Office of the Police Ombudsman for Northern Ireland
• Police Investigations and Review Commissioner
• Scottish Ambulance Service Board
• Scottish Criminal Cases Review Commission
• Serious Fraud Office
• Welsh Ambulance Services National Health Service Trust"

http://www.independent.co.uk/life-style/gadgets-and-tech/news/investigatory-powers-bill-act-snoopers-charter-browsing-history-what-does-it-mean-a7436251.html#

That is just wonderful! /

JG4December 4, 2016 7:24 PM


@Winter

Thanks for the global4cast link. That is a fascinating effort. It will not escape anyone's notice whose opinion is worth reading that it will be very difficult to parameterize those models. I only got through the introduction. Yet another compelling application of AI and modeling to better understand where we are, how we got here and where we are going.

ThothDecember 4, 2016 7:51 PM

@Clive Robinson

There are many ways to connect networks (point-to-point, broadcast ...etc...) but network enclaves have to be able to talk to other network enclaves at a distance to be effective.

The scenario I am referring to is where a secure network is surrounded by hostile networks that can DOS or interfere with the secure network. One good example is you have a group of people that are communicating in a network (local enclave) and have to rely on Internet connection to communicate with the "global enclave". The usual mode of connecting to the Internet (global enclave) to transfer messages and communicate publicly would be via WiFi, GSM network, physical network cables to an ISP or even satellite communication which then routes to the Internet.

WiFi and GSM networks are susceptible to wireless electronic warfare tactics (i.e. jamming and interference), wired networks can be susceptible to physical attacks (i.e. tactical assault unit deployment) and most satellites are controlled by big organisations and powerful nations.

What is the more reliable method of exchanging information (back-hauling operations) for small groups that only have WiFi, GSM, wired connectivity or probably just some sort of Bluetooth or WiFi mesh to defend themselves against bigger groups (mostly state sponsored actors), short of needing to sacrifice trusted human couriers, who I am pretty sure would not like to be captured and executed (shooting the messenger)?

One method that is probably useful is to use radio frequency and channels that are very common in a geographic location that are also shared by the attackers so that they are forced to take down their own networks if they try to take out their own targets' networks.

What are the other practical options available at hand in such a situation to allow a minority to survive while surrounded by a majority ?

TedDecember 4, 2016 8:03 PM

@65535

"Internet connection records … But they won't be able to be accessed without a warrant [In theory but may be not in practice –ed].” – Independent

According to Motherboard, a total of 2,315 incidents of inappropriately accessed personal information by more than 800 UK police staff occurred between 2011 and 2015.

http://motherboard.vice.com/read/uk-police-accessed-civilian-data

Per Iain Thomson at minute 8 to 9, bulk records collection is ripe for corruption and legal problems. Folks have been able to “pass a copper 25 quid” and have access to info from a police records database.

https://twit.tv/shows/this-week-in-tech/episodes/590

Curious XDecember 4, 2016 8:11 PM

Despite the rush of press reports I am deeply skeptical that this latest Tor exploit was used against child pornography sites. For one, this is the first time we have ever heard of a case where an NIT was discovered before a website was taken down and an official press release issued by the FBI. So who discovered it and most importantly how?! If this NIT code was really used in a dark web child pornography investigation it would mark a radical increase in the ability of child pornographers to detect and mitigate investigation techniques. While I claim no deep and profound insight into the ways of child pornographers, the only term I can come up with to describe what people are claiming to have happened in this situation is "unprecedented". And when faced with such unprecedented claims one needs more facts than just rumor and innuendo--extraordinary claims require extraordinary evidence, etc, etc.

The second reason why I am skeptical is that people have noted that contained in the released code is a string of random numbers that looks suspiciously like the ID number produced by account creation on a popular brand of forum software. If that supposition is correct, it would mean that the NIT was deployed to hack a specific user of a web site. That too would be an unprecedented act by the FBI in a child pornography investigation. In the recent Playpen and other prior investigations the NIT was installed when any generic user clicked on a specific page; prior investigations did not target specific users.

So this Tor exploit was used to hack a specific person and this specific person not only thwarted the attack but managed to uncover the details of the exploit and publicly release them. If that is what in fact happened, this wasn't the FBI in a child pornography investigation; it isn't their MO.

Karen StarrettDecember 5, 2016 2:58 AM

@ Thoth

@ Ab P.
@ All

In separate threads last week, Thoth and Ab P. both initiated a discussion about the 'snoopers charter' and practical ways of living with it, although no one really picked it up apart from a couple of responses to Thoth. It deserves its own thread by our Host, really.

So. Where to start? It is good to keep in mind that, of the 99 percent of people who don't have the specialised knowledge & capacity available to folk here, 50 percent want to actually do something to help themselves but don't know how.
It seems a number of steps beyond the EFF's 'use Privacy Badger' add-on is necessary.

The good news is that every culture by default has a counter culture.
What's the new counter culture going to be? A chilling factor so extreme people stop using the internet altogether?
pencil and paper OTP for the masses ?

ThothDecember 5, 2016 3:56 AM

@Karen Starrett

Sadly, the current direction is that the people don't care, the organisations and nation states continue to promote ignorance and cover things up while harvesting and making use of their "human raw materials" and hope that people don't wake up or the amount of people that could oppose them is less than the amount of people you can squeeze into half a football field (to handle with).

keinerDecember 5, 2016 4:34 AM

Play "Dungeon Hunter" and kill 12 people in real life. How to prevent something like that on a technological base?

Marseilles Brute Crowd, ReloadedDecember 5, 2016 5:03 AM

@Karen

The masses will be *just fine*. Make a few enquiries about PRC and their regime. Their what-its-name FB replacement and Sina Weibo (Chinese Twitter knock-off) make do *just fine*. And so do their audiences.

For a more local sitrep, try visiting any 'tech for the masses' website that has a news section with comments. Open any security-related news piece, read the comments. Try not to be disappointed much.

ab praeceptisDecember 5, 2016 9:45 AM

Karen Starrett

"and Ab P. both initiated a discussion about the 'snoopers charter' and practical ways of living with it"

Did I? I don't think so; in fact, I was and am not exactly delighted about yet another largely political discussion. Shortly mentioning that attack on the people would be sufficient for an audience with intellectual capabilities beyond high school.

What I *am* indeed interested in (and what is in our scope), however, is "practical ways of living with it".

Short yet full answer: 99,9% will have to submit to it, period.

Reason: One can not defend oneself, let alone fight back with crap OSs, crap libraries, and crap programs.
A golden "100% secure" sticker might have an emotionally calming effect. Like lots of discussions.

MistersilverDecember 5, 2016 10:42 AM

FOX News Analysis of the 50Ft Squid Controversy:
The two photos are not proof that the squid photo is fake. The exact same people, dressed exactly the same for both events, could have shown up for both events. After all, it's December and it is cold so Global Warming must be a hoax.

ThothDecember 5, 2016 10:53 AM

@ab praeceptis, all

These images are so "soothing" :D . Some golden stickers for ye.

Links Original:
- http://www.itpromag.com/wp-content/uploads/2016/03/FIPS-140-2-level3.jpg
- https://encrypted-tbn1.gstatic.com/images?q=tbn:ANd9GcSY3hYhq2bEo1EMXYgsWZia52_KCmfTSB_ws8u7cE9IZqEJ0ddB
- http://connectivity.opentext.com/common/images/articles/FIPS_Compatible.png
- https://www.bluecoat.com/sites/default/files/cloud-data-protection-fips-140-2-circle-sm.gif
- http://www.filetransferglossary.com/wp-content/uploads/2011/01/FIPS_140-2_validated_logo.gif
- http://imperva.typepad.com/.a/6a01156f8c7ad8970c01bb08aec10c970d-pi

Oh wait ... we still have poster ladies for the show :) .

Links v2.0:
- https://i0.wp.com/thetechieguy.com/wp-content/uploads/2014/07/german.png

Poster ladies not fashionable ... how about nationalistic tendencies ????

Link Plus:
- https://silicontrust.files.wordpress.com/2012/09/bsi_gd.jpg
- https://www.lancom-systems.com/fileadmin/user_upload/BSI-zertifiziert.jpg
- http://www.infothema.fr/documents/janvier-2016/anssi.png

To put it in a very concise manner, all the "security golden stickers" above do not mean a thing in security. Who knows if the certification bodies actually do the required testing besides looking through a checklist and then giving the grades.

How are the labs going to test hardware secured chips ? Probably just try to hook it to some power and do some power line analysis, glitch a little ... short of actually decapping the chip before giving the certification (which they should have been doing all along).

Anyway, there are many instances where certified products have shown to hide vulnerabilities and these had happened to secure hardware (including well known HSMs) that have signed the papers claiming they have already checked and secured the system and it turns out many years later, the signed piece of testimony is useless when the system turns out to not be secured against certain attacks and then the PR, marketing and sales guys would come out to social media to do damage control and send out lawyer letters to gag security researchers .... that's just how it is in the industry.

ab praeceptisDecember 5, 2016 11:13 AM

Thoth

Thank you so much for that beautiful collection! *That* is real security!

As for the german bsi "federal agency for security in information technology" - that's their real name, I kid you not - there is a tiny detail that might be noteworthy: They are also in charge of the "Bundestrojaner", the eavesdropping, spying trojan german law enforcement puts on the systems of their victims.

So they deserve a special sticker, one that mentions "100% secure" *plus* "trustworthy".

Unfortunately there is no windows 10 desktop image version available. So, for the time being I'll have to content myself with a golden Symerski sticker.

WhiskersInMenloDecember 5, 2016 3:34 PM

"Detectives from Scotland Yard's cybercrime unit decided the easiest way to get around their suspect's careful use of full-disk encryption and strong passphrases on his iPhone was to trail him until he made a call, then "mug" him by snatching his phone and then tasking an officer to continuously swipe at the screen to keep it from going to sleep, which would reactivate the disk encryption.

"It's an elegantly simple countermeasure,..... "

https://boingboing.net/2016/12/05/uk-cops-beat-phone-encryption.html

GPI-1December 5, 2016 4:45 PM

Curious X (re 8:11), the discoverer was SIGAINT, which has stopped other bumbling FBI attacks in the past. SIGAINT is an email site - like tormail, the actual target of the last high-profile US attack on 'child pornography.' Both times FBI did what it always does: it tried to taint the site with some of its world-class child porn collection to frame privacy rights defenders with a non-political crime.

When there's a real child sexual exploitation case, FBI figures differently, as when FBI murdered Gary Caradori and his child and confiscated evidence to protect the supply of fresh meat for VIP chickenhawks.

ThothDecember 5, 2016 5:44 PM

@WhiskersInMenlo

This is where individual file encryption comes in. Once you have unlicked your FDE partition you are vulnerable and the RAM data and disk image are sitting ducks. The better way is to use another layer of individual file encryption. To prevent the file encryption password from being bruteforced, one can pair the file encryption with a smart card with PIN retry limits and the usual security I always talked about for using smart card based file encryption.

65535December 5, 2016 5:50 PM

Q and A of Snoopers’ Charter cont. 2.2.1

https://www.schneier.com/blog/archives/2016/12/a_50-foot_squid.html#c6739678

"Starting Tomorrow, Feds Can Hack Millions of Devices with One Warrant" -Inmate

http://forum.prisonplanet.com/index.php?topic=318171.0

Question

2] Who is not covered in the Snoopers Charter? Politicians? Lawyers? Doctors? Banks?

“According to The Independent, under a tailored application of the law, Parliament has exempted itself from the same level of surveillance access as its compatriots.”

Question, 3] Who is the judicial arm that allows MI5/MI6, law enforcement and others to view this huge data base?

“Although, this does not answer that question specifically, it provides some context on the evolving matter of oversight. A special report from The Economist "Espionage: Shaken and stirred" provides a look …” -Ted

https://www.schneier.com/blog/archives/2016/12/a_50-foot_squid.html#c6739700

Answer to question 3

"The full list of agencies that can now ask for UK citizens’ browsing history, which is laid out in Schedule 4 of the Bill and was collected by Chris Yiu, is below:
• Metropolitan Police Service
• City of London Police
• Police forces maintained under section 2 of the Police Act 1996
• Police Service of Scotland
• Police Service of Northern Ireland
• British Transport Police
• Ministry of Defence Police
• Royal Navy Police
• Royal Military Police
• Royal Air Force Police
• Security Service
• Secret Intelligence Service
• GCHQ
• Ministry of Defence
• Department of Health
• Home Office
• Ministry of Justice
• National Crime Agency
• HM Revenue & Customs
• Department for Transport
• Department for Work and Pensions
• NHS trusts and foundation trusts in England that provide ambulance services
• Common Services Agency for the Scottish Health Service
• Competition and Markets Authority
• Criminal Cases Review Commission
• Department for Communities in Northern Ireland
• Department for the Economy in Northern Ireland
• Department of Justice in Northern Ireland
• Financial Conduct Authority
• Fire and rescue authorities under the Fire and Rescue Services Act 2004
• Food Standards Agency
• Food Standards Scotland
• Gambling Commission
• Gangmasters and Labour Abuse Authority
• Health and Safety Executive
• Independent Police Complaints Commissioner
• Information Commissioner
• NHS Business Services Authority
• Northern Ireland Ambulance Service Health and Social Care Trust
• Northern Ireland Fire and Rescue Service Board
• Northern Ireland Health and Social Care Regional Business Services Organisation
• Office of Communications
• Office of the Police Ombudsman for Northern Ireland
• Police Investigations and Review Commissioner
• Scottish Ambulance Service Board
• Scottish Criminal Cases Review Commission
• Serious Fraud Office
• Welsh Ambulance Services National Health Service Trust"

http://www.independent.co.uk/life-style/gadgets-and-tech/news/investigatory-powers-bill-act-snoopers-charter-browsing-history-what-does-it-mean-a7436251.html#

https://www.schneier.com/blog/archives/2016/12/a_50-foot_squid.html#c6739794

Abuse of Snooper’s Data Base

“According to Motherboard, a total of 2,315 incidents of inappropriately accessed personal information by more than 800 UK police staff occurred between 2011 and 2015“ –Ted

http://motherboard.vice.com/read/uk-police-accessed-civilian-data

'Per Iain Thomson at minute 8 to 9, bulk records collection is rife for corruption and legal problems. Folks have been able to “pass a copper a 25 quid” and have access to info from a police records database.”'-Ted

https://twit.tv/shows/this-week-in-tech/episodes/590

https://www.schneier.com/blog/archives/2016/12/a_50-foot_squid.html#c6739798

The above link is a List of Questions about the Snoopers’ Charter which is the anchor for the on going Q and A of Snoopers’ Charter thread. Please excuse the grammar and other errors. This is a wrap up for this squid post.

ThothDecember 5, 2016 6:56 PM

@65535

The world has already sunk into what is known as a State of Tyranny, where the Elitists that rule the Governments of The World have shown no care about their people's privacy and security whatsoever. I have mentioned many times in the past that the so-called National Security we know today only serves the purpose of preserving the World Elites and Tyrants. In no way have any National Security initiatives, laws or bodies had any positive impact on The World as a whole, and those so-called Intel Agencies have not prevented big "terrorist attacks" in the first place, and who knows who is behind all these.

We know that ISIS was funded and supported by the Clintons and there are probably many so-called "Terrorist Orgs" that are supported and funded by the World Elitist Governments and we know that Al-Qaeda was a product of US support in the past.

The people are on their own now and the best bet is to assume the collapse of Order and to take one's own personal security and privacy into one's hands.

1984 has already quietly crept into our lives for many years (even before 911).

Don't expect anyone to provide you with the necessary security and privacy if you can't do it yourself.

It's just how things are ......

MeChelle LeJurcDecember 5, 2016 7:40 PM

Apple Confirms Work on Autonomous Systems for Transportation

Apple’s car plans have long been kept under wraps by the company itself, but a new regulatory filing shows it publicly addressing the industry for the first time. In a letter to the U.S. National Highway Traffic Safety Administration (NHTSA) uncovered by VentureBeat, Apple urges the government not to restrict testing of self-driving vehicles.

Clive RobinsonDecember 5, 2016 9:33 PM

@ Thoth,

Once you have unlicked your FDE partition you are vulnerable

A slip of the fingers (or tongue ;-)?

Or a humorous side swipe at suggestions for the use of more outrageous body parts for phone biometrics to increase peoples security?

Whatever the cause it made me smile so +1 :-)

ThothDecember 5, 2016 9:50 PM

@Clive Robinson

Oh my ... typing a reply on an Android screen while just waking from a night's sleep in the morning is painful. More mistypes than anything else happen on touch screens.

I was considering getting a physical keyboard adapter for my Android phone but it's too troublesome and doesn't flow well with the overall form factor. Oh ... and not to mention most Android keyboards are not secure anyway, and some of those Android external keyboards use BLE, NFC or some wireless protocol for the phone and who knows how secure that is anyway.

Tongues for biometric authentication would be disgusting and unhygienic anyway.

Karen StarrettDecember 5, 2016 10:37 PM

@ Thoth
thank you for your response

@ ab praeceptis

YE: "Did I? I don't think so; in fact, I was and am not exactly delighted about yet another largely political discussion. Shortly mentioning that attack on the people would be sufficient for an audience with intellectual capabilities beyond high school. What I *am* indeed interested in (and what is in our scope), however, is "practical ways of living with it "

ME: I meant practical, not political, also.
The post I refer to is from the previous week's Squid. Apologies if anyone's upset but I feel it worth quoting ('bumping') in full, such is its value. Anyone? Anyone? Bueller? Bueller?


Ab Praeceptis wrote:

"uk snooping"

a) maybe we should examine the question whether what the uk really did was to merely do *officially* what many other do secretly.

b) I'd like to suggest that we look at that matter mainly from a technical perspective as there is our forte and our defense options.

One path of thought that might be promising is to not only focus on the "encrypt everything and transmit everything encrypted" but also on the path of staging.
By staging I mean to find ways to work with transmitting only a few bytes which then can be "unfolded" or used as a seed, or ... to en|decrypt.

Another question I'm pondering is to generally understand our opponent (state actors) better rather than to think quite unidimensionally in ITsec/crypto terms only.

Example: we strive for random looking byte streams. That's one important measure of quality for us. If, stupid example, we'd find ways to disguise, say as mp4 byte streams, we could deny the opponent a critical element, namely to easily and automatically categorize and recognize some stream (in a cable) as "encrypted stuff" and then to tag it as suspicious. "

Clive RobinsonDecember 5, 2016 10:58 PM

@ Karen Starrett,

So. Where to start? It is good to keep in mind, of the 99 percent of people that don't have the specialised knowledge & capacity available to folk here...

The honest answer is like the old joke punchline of "If I was you, I would not start from here".

Personal security is maintaining "a state of mind" that is mentally thus physically taxing, and as we know tired people make mistakes, and as we know from WWII and Ultra "even small mistakes kill" your security, when you have an ever watchful adversary.

One of our first mistakes is "The Ephemeral" and "Nobody's Interested in Me" assumptions as they lead our thinking astray.

As I've said before the "collect it all" ethos of the SigInt agencies like the NSA and GCHQ has been quite visible for some time. Since the 1970s at least if not longer, the SigInt agencies' own security slips have allowed investigative journalists like Duncan Campbell to expose the ethos. A classic example to look up that the NSA did allow to get an airing was Project VENONA, that ran from 1943 to the 1980s.

VENONA would only have been possible with not just a "Collect it all" policy but importantly a "Keep it all" policy as well. For those who chose to look in the right places, the work the NSA had done in data recording technology should have waved a huge red flag of warning for a lot of people, but for some reason people chose to be at best indifferent to it.

The "Big Picture" point is that, what the collect/store "it all" policies have done, is create an "information time machine" in its most frightening sense of it "never forgets".

That is for your communications footprint the "ephemeral assumption" is conclusively FALSE, and the "nobody's interested in me assumption" has temporal implications we have formerly not given thought to when we really should have.

That is the collect/store all allows future investigators to reach back not just to now, but ten or more years ago for quite a few and right back into WWII for some entities.

What has raised the flag for most ordinary people is in fact not the SigInt/Government but Corporate "Big Data" driven by the world's largest industry --outside of religion-- "Marketing" and its huge reserves of capital that dwarf even the NSA budget. Their fear is not so much for them but for their children, where some childish prank may forever blight their child's future (and we wonder why we have "helicopter parenting").

Thus the public has kind of developed a "two minds" view of the world where we are scared of the lesser harm, because we don't comprehend the greater harm / threat / danger.

The problem is for by far the majority of people, that the lovely line from the film holds true "You can not handle the truth"...

Even though the Bush administration made it very public with rendition, gitmo, Abu Ghraib, water boarding etc and we know people have been "disappeared" for political reasons for considerably longer than living memory all over the world, we prefer to believe in the FUD and the patently false "If you have done nothing wrong, you have nothing to fear" platitude.

It's only when people take this onboard at a visceral level will they start developing the required mental outlook, as they had to do in the not so old and returning "cold war" days behind the "iron curtain".

The old joke about the difference between "Communism and Capitalism" of "You lock up your capital, we lock up our people" has been reversed. Now it's the Capitalists locking up people for money, lots of it, with the only ideology "profit at the expense of all others". You might not think you are "behind bars" but they are there, made of the copper and glass of the data cables and fibers used for everyday communications and soon the smart meters spying on your home life as well as your TV and fridge. Because no matter how gilded, a cage is a cage, and the only true difference between a castle and a prison is the mental outlook of those gazing out as well as those gazing in...

Oddly perhaps the founding fathers were more mindful of their security and privacy than we are today...

So the first steps are "To learn the lessons of history" and the field crafts that arose under more overt oppression.

ThothDecember 5, 2016 11:19 PM

@Karen Starrett

The first step is awareness (by discarding the "I have nothing to hide" attitude) and the next step is wanting to do something about it. Without the first two steps, there is nothing to talk about (i.e. encryption, secure computation and execution ..etc..), since those things are to be discussed further when a person starts to be aware of their surroundings and consequently their impact on themselves and others, and the willingness to get started will build upon the first two steps, as a sort of reflection and self-searching for a better answer to problems that arise along the way.

Despite all the huge hacks, exposed spy programs and leaks, it seems most of the people are still having that "I have nothing to hide" mask on their faces either as a self-protection mechanism against their inability to move forward and find answers (for some reasons) or they are really ... brainwashed ...

Clive RobinsonDecember 5, 2016 11:51 PM

@ Thoth,

Tongues for biometric authentication would be disgusting and unhygienic anyway.

Yup but not as bad as some have suggested on this blog previously, even if only in jest.

That said, Douglas Adams of Hitchhiker's fame, had a nice story line on the need for "telephone sanitizers"...

Speaking of "british humour" I don't know if you are aware of who "Mr Bean" is and his antics?

But the thought of somebody licking their phone for security reasons in public would "fit right in" with the "gross out" aspects of such comedy.

WaelDecember 6, 2016 5:30 AM

@Clive Robinson,

I don't know if you are aware of who "Mr Bean" is and his antics?

Everybody knows Mr. Bean. I heard he's an engineer by education. The dentist episode is one of my favorites.

65535December 6, 2016 10:08 AM

@ Thoth

“The world has already sunk into what is known as a State of Tyranny, where the Elitists that rule the Governments of The World have shown no care about their people's privacy and security whatsoever. I have mentioned many times in the past that the so-called National Security we know today only serves the purpose of preserving the World Elites and Tyrants. In no way have any National Security initiatives, laws or bodies had any positive impact on The World as a whole, and those so-called Intel Agencies have not prevented big "terrorist attacks" in the first place… ISIS was funded and supported by the Clintons and there are probably many so-called "Terrorist Orgs" that are supported and funded by the World Elitist Governments and we know that Al-Qaeda was a product of US support in the past… Don't expect anyone to provide you with the necessary security and privacy if you can't do it yourself.”-Thoth

It sure looks that way. To add insult to injury the average Joe is paying for this “National Security/Mass Individual Spying” via his taxes. Ouch.

For those who are reporters, privacy advocates or privacy defending lawyers, indigent people, elderly, and those just ignorant of the system, I can only wish them “good luck” because they will be the first into the slaughterhouse.

The 1984 style of mass control appears to be in the making or fully operational. The future is not very bright.

TBBDecember 6, 2016 1:42 PM

I think that's a great attitude and I hope things are good enough for it to be practical for everyone to share your attitude.

If anyone does come across a website that they feel such a strong need to read that they consider allowing javascript so they can submit to the CloudFlare captcha, a less bad option is using a proxy like https://archive.org/web/ https://ixquick.com https://startpage.com https://validator.w3.org or maybe even https://translate.google.com ... hopefully TBB will start detecting CloudFlare like captive portals are detected, and proxy it automatically, so new users aren't tricked into enabling javascript.
These proxies aren't to be used instead of Tor but with it. For websites that block people with Tor from reading them (with the nonsense excuse that blocking read-only access prevents spam).

If you must watch a video, instead of enabling javascript just view-source and search for ".mp4"(on youtube you might have to look for an iframe first), or look for a website that lets you download youtube without javascript; there are plenty. Make sure all your media players and decoding libraries are up to date. Videos aren't as dangerous as javascript but ffmpeg and stagefright have been attacked before.

Oops I crapped on your flagDecember 6, 2016 4:53 PM

@65535, turn that frown upside down! This is the last four years of this USA crap, according to the guy who predicted the end of the USSR in 1990

http://scar.gmu.edu/op_11_galtung.pdf

The successor states will be smaller and saner after the regime's final psychotic break. Countries break down all the time and the world knows what to do.

Karen StarrettDecember 6, 2016 7:38 PM

@ Clive Robinson

As always, very grateful for your response . Thanks also, @ Thoth


""Speaking of "british humour" I don't know if you are aware of who "Mr Bean" is and his antics? ""


Mr Atkinson can actually play the straight guy really well also.

Are you aware of the BBC series The Thick of It, Clive?

If not I urge you and everyone else with even a vague sense of humour, to
rush out and buy the Box Set immediately

it's a political comedy starring Minister of Communications Malcolm Tucker
(now the current Dr Who)

the sharpest, rudest, smartest satire ever made. And it just gets better and better as the seasons progress - seasons 3 and 4 (out of 4 seasons) really are priceless. They are all just running around in circles trying to protect their images and mop up after their carelessness

find some samples on the youtubes if you need convincing

Karen StarrettDecember 6, 2016 7:42 PM

The Thick Of It

maybe a bit OT but it ties in loosely ;-)

episode one season one

https://www.youtube.com/watch?v=hgBWx2dOXI8


here's the first episode, the format doesn't really do it justice and as I said it does just rapidly improve with progress but if you need convincing there it is

There is a also a feature film closely based on it called In The Loop which
was very well received

Canonizing IronizeDecember 7, 2016 7:29 PM

Curious; does anyone else note how the internet has seemed to really change in last few years? it seems evermore difficult to find much of anything anywhere for example. maybe soon, things considered, using computers the web and so forth just won't be worth the hassle anymore. wow

FigureitoutDecember 7, 2016 11:04 PM

Gerard van Vooren
I don’t have the answer to that question.
--Yeah no one does, even if you read random laws here (don't even want to think about EU laws, but I literally just thumbed thru and chose a random page in my state laws, not even federal, and spotted a backdoor clause for law enforcement. They're everywhere in the laws). We know intel agencies don't even follow laws or make secret laws w/ rubber stamp courts. We've seen abuse of legal privileges in news so many times it gets numbing, this will make that worse.

My argument is NO ONE knows all the laws that we're all subjected to. There's books upon books upon books, then court cases that change them. We don't need more crap laws on the books when we don't even know what's going on right now.

Punishment! Punish the "cowboys"!
--The punishment is the hacks and embarrassment and reputation damage from that (maybe bring down the business, maybe). Once a hack happens w/ a certain brand and it was a stupid mistake on vendor's part (and if it was an epic hack, we can be a bit lenient since it could happen to anyone), it gets tarnished to hell in the modern world in about a day for the info to reach large number of people. That's punishment enough. No we don't "need" more laws, that's just an option that I don't think will work in this industry.

You need to list specific legislation that we can see just how good/bad it is, not like Bruce calling for broad legislation and regulations. It's lazy, ill-informed, and dangerous, and is likely just a bandaid. Who wants to make bets lawmakers get this right?--lol(not funny though)... Attacks need to be made nearly impossible or costly via physics (crypto and info flow isolation), not laws. Demand for more security comes when hacks and attacks get too crippling to function. We need to let it get that bad to get the investment.

Yeah and don't like that PHK essay, thankfully it's just an essay and won't change a thing. If it does by some chance, would be hilarious if his own http project gets wrecked (why not https?). Take down his area of the computing industry, I don't care as much. But stay the hell away from embedded (he's not embedded anyway). Also, how is the internet still up and why isn't there more destruction yet? When's it going to happen? Global internet shutdown? Waiting...We know we can lock down routers and computers pretty well via hardware-locked encryption keys (and never read in plaintext). We have not seen an attack that can bring down all global networks in world yet.

AndyDecember 8, 2016 1:23 AM

@Figureitout
You just gave the answer, https; there's more work processing that than sending a plaintext message, add an exponent and dnssec then chain reaction one to two times two plus repeat, securing dns to dnssec could make us more vulnerable

Clive RobinsonDecember 8, 2016 4:00 AM

@ Figureitout,

... don't even want to think about EU laws...

The "Directives" have in all the ones I've had reason to read "National Security exemptions". The "Treaties" are somewhat different and appear not to have get out clauses --except for the EU hierarchy--, as they would take power from the Council of Ministers (who do not tolerate "nay sayers" as the UK is starting to find out with Brexit...).

But you've missed a point with,

... calling for broad legislation and regulations. It's lazy, ill-informed, and dangerous, and is likely just a bandaid. Who wants to make bets lawmakers get this right?

Who wants to make a bet lawmakers will get it right, the way the lobbyists want? Then they go into a well feathered nest?

Have a look at "anti-corruption" legislation and see who it excludes to see "corruption in action".

In the UK at the moment we see the Prime Minister trying to act illegally over Brexit, and quite rightly the courts getting involved.

What Theresa May PM should have done is taken a little time to do things the legal way, which is first change the existing legislation. She did not, so now we have the UK Supreme Court sitting there waiting to see if the PM's legal people can find some loophole for her to save face through... If they do it will be a very sad day for justice... Worse, it will set a precedent that is a highly undesirable step to a police state / dictatorship.

arthurDecember 8, 2016 7:47 AM

This device may allow a thief to steal your car
Complete article at:
http://www.usatoday.com/story/money/cars/2016/12/07/car-theft-remote-entry-national-insurance-crime-bureau/95085746/


A device that lets thieves steal cars that use key fobs has been identified by a national watchdog group.

The device, which allows a person to open car doors, start vehicles and drive them away suggests the auto industry is entering a perilous new frontier in which tech-savvy criminals can bypass the keyless theft-prevention countermeasures installed on certain recent models.

The National Insurance Crime Bureau said it had purchased the device "via a third-party security expert from an overseas company" that developed it "to provide manufacturers and other anti-theft organizations the ability to test the vulnerability of various vehicles' systems."

The so-called Relay Attack device demonstrates how thieves in certain instances have recently stolen vehicles that were supposed to be extremely difficult to swipe. The boxy device, about the size of a smartphone, is used to capture a signal from a nearby key fob before using the signal to gain entry illegally.

Clive RobinsonDecember 8, 2016 10:03 AM

@ Arthur,

The so-called Relay Attack device demonstrates how thieves in certain instances have recently stolen vehicles that were supposed to be extremely difficult to swipe.

The device is nothing new and security folk have been thinking about the "assumption of distance" for quite some time without a realistic solution.

Years ago I was "relaying" GPS signals hundreds of meters with ease, and later using hand built microwave links that cost under 150USD --new, 25USD second hand-- got it to over 10Km...

But that was "one way relaying"; for most key-fobs you would need a two-way relay working on the same frequency. It's harder to do but not impossible.

The real problem is signal bandwidth is inversely proportional to distance resolution[1]. Thus the narrower the bandwidth the less precise the distance measure possible.

In general for key fobs their actual signal loss range is but a very small fraction of the minimum distance resolution of their bandwidth.

So guess what the assumption in the design is for distance security...

As I've said in the past that's the reason relaying attacks work. You can do tricks with multiple antennas and phase measurements as well as "near field" techniques with multiple transmitters / receivers but the price would be approaching that of replacement tyres on high end models of car...

[1] The normal rule of thumb is 1/16 at best of the free space wavelength which is C/freq, so a 1MHz bandwidth gives 300 meters free space wavelength which gives you at best 19m resolution. When you get down to normal audio and low speed base band signalling you are looking at around 1kHz which means 19Km resolution...
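As an added illustration of the footnote's rule of thumb (example code written for this page, not from the commenter), here is a small distance-bounding model for a passive-entry key fob. It derives the best-case range resolution from the link bandwidth as 1/16 of the free-space wavelength, exactly as the footnote states, and then asks whether a car limited to that resolution could tell a relayed fob from a fob standing next to it. The bandwidths, the allowed fob range and the relay path length are assumed values chosen for illustration, not measurements of any product.

```python
"""Added example: distance bounding vs. bandwidth for a key-fob relay attack.
Not code from the original post. Bandwidths, allowed fob range and relay
path length are assumptions chosen for illustration."""

C = 299_792_458.0  # speed of light in free space, m/s


def distance_resolution_m(bandwidth_hz: float, fraction: float = 1.0 / 16) -> float:
    """Best-case range resolution using the post's rule of thumb:
    about 1/16 of the free-space wavelength of the signal bandwidth."""
    wavelength_m = C / bandwidth_hz
    return wavelength_m * fraction


def round_trip_time_s(one_way_distance_m: float) -> float:
    """Two-way propagation delay of a challenge/response over a distance."""
    return 2.0 * one_way_distance_m / C


def relay_check(bandwidth_hz: float, true_distance_m: float,
                relay_extra_path_m: float, max_allowed_m: float) -> dict:
    """Verifier-side distance-bounding decision.

    The car times the challenge/response round trip. A relay can only add
    path (and therefore delay), never remove it, so the apparent distance is
    the true fob distance plus the extra path the relay introduces. The
    measurement is only good to one resolution cell, so the car can reject
    the fob only if even the most favourable estimate (apparent distance
    minus one cell) is still beyond the allowed range.
    """
    res_m = distance_resolution_m(bandwidth_hz)
    apparent_m = true_distance_m + relay_extra_path_m
    lower_bound_m = max(0.0, apparent_m - res_m)
    return {
        "resolution_m": res_m,
        "apparent_m": apparent_m,
        "extra_rtt_s": round_trip_time_s(relay_extra_path_m),
        "rejected": lower_bound_m > max_allowed_m,
    }


def scenarios() -> list:
    """Run one relay geometry through several assumed link bandwidths."""
    fob_to_relay_m = 1.0   # fob in the owner's pocket, relay box beside them
    relay_extra_m = 15.0   # relay forwards across a driveway to the car
    allowed_m = 2.0        # car should only unlock for a fob within 2 m
    links = [
        ("baseband ~1 kHz", 1e3),
        ("narrowband 1 MHz", 1e6),
        ("wideband 500 MHz (UWB-class)", 500e6),
    ]
    return [(name, relay_check(bw, fob_to_relay_m, relay_extra_m, allowed_m))
            for name, bw in links]


if __name__ == "__main__":
    for name, r in scenarios():
        print(f"{name:30s} resolution={r['resolution_m']:10.3f} m  "
              f"extra RTT={r['extra_rtt_s'] * 1e9:7.1f} ns  rejected={r['rejected']}")
```

With the assumed numbers, the 1 kHz and 1 MHz links accept the relayed fob because the 15 m of extra path (about 100 ns of extra round trip) is far inside one resolution cell; only the 500 MHz link, whose cell is a few centimetres, rejects it. A narrowband link does still catch a very long relay (hundreds of metres), which is why the check works from a lower bound rather than ignoring distance entirely.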


TedDecember 8, 2016 1:47 PM

The Stop. Think. Connect. campaign hosted a Twitter chat yesterday to raise cybersecurity awareness for holiday shoppers. The Moderator asked some 11 or so questions to more than 40 guests. Lots of great ideas were shared.

Dale Drew @packetcop
A9: “You cant connect to the Internet until your 26. Now go to bed.” #ChatSTC
2:47 PM - 7 Dec 2016

Twitter Chat from December 7:
https://stopthinkconnect.org/blog/chatstc-twitter-chat-be-a-cyberaware-and-privacyaware-shopper-this-holiday-season (#ChatSTC)

AnuraDecember 8, 2016 8:28 PM

Is there any possible way that the US can change course? I've spent so much time trying for a multi-party system, I fear in 8 years the Democratic party will cease to exist, and the US will be left with a single-party system. The Republicans were losing the war, but they won the one battle they needed most. The tactics of using propaganda and investigations to attack political opponents have now been validated by the American public in the eyes of the Republican party; is there any reason to believe it will not be used more now?

The problem is that there is absolutely no power system to restrain the Republicans, and now the next eight years I fear they will repeat their tactics of fishing for charges (if not planting evidence) on journalists, the media, and especially state level Democratic politicians. Seizing control of the states, they can gerrymander, write targeted voter restrictions, target police against leftists, minorities, and women so there are fewer eligible Democrats, they can use federal asset forfeiture laws against Democratic donors, favor industries that donate to Republicans, and pretty much completely suppress the entire voice of the left in absolutely no time.

The thing is that I fear that as long as the right-wing propaganda blames leftists, minorities, and foreigners then our country will go along with it. I mean, many of these tactics have been used, and you have the Republicans cheering it on, while the rest of the population is apathetic; the question is, is there any point where they will draw the line as long as the propaganda outlets support these actions?

I fear that just for criticizing right-wing views online people will start being put on no-fly lists and terrorist watchlists, if they aren't busted for child porn that was planted on their computer, or other impossible to fight charges. Child porn works best, as it causes even their allies to distance themselves, which validates the charges and plays to the idea that Democrats are immoral and corrupt.

FigureitoutDecember 8, 2016 10:49 PM

Andy
--Yeah saw that looking at the varnish project. That he writes an essay about bringing down all of computing industry as we know it, then works on a http project, says enough for me.

Clive Robinson
you've missed a point with
--Yeah, should be assumed I mean lobbyists too since they do a lot of the writing and footwork. I remember watching lobbyists watching lawmakers vote in legislation. Speaker sounded like one of those fast speaking auction guys.

I'm good on looking it up. Between the "pig f*cker" who wanted to ban encryption (baffles the mind), the clown "johnson", and now another out of touch person. Not sure why I'd want to look it up.

ThothDecember 8, 2016 11:44 PM

@Anura
There is nothing that can be done to any political system. It is corrupted on an International level beyond help.

Citizens are left on their own. It's really up to the individual's will to find out how to defend themselves and what to do and where to procure their resources.

Also, people have their own small groups and following. Due to human nature, they have their own self-interest first and thus the reason Linux is still insecure like Windows and Mac and why so-called security centric OSes, microkernels and other security technologies are still not matured despite years of existence of such ideas.

You can imagine it like a network map where everyone is pointing a weapon at the one next to them. This is the state of development where self-interest, politics and all the nasties are playing their part in ensuring we will never be secure.

Clive RobinsonDecember 9, 2016 8:09 AM

Thermin Bug technique for IoT WiFi

As most are aware WiFi is a thirsty beast and uses quite a lot of power in its RF modulator/demodulator TX/RX and other "RF Analogue" circuitry. Digital comms however uses uWatts of power which is many thousands of times less. Thus there is a significant power saving to be made. One way is to use what have been called "passive modulation" techniques that are externally excited by a large enough EM (RF) field. The first generally known use of this was Theremin's "Great Seal Bug" in the US Embassy in Russia.

Well as some of you will remember I've described how to make your own Great Seal / Theremin / reflector bug with a tuned antenna and a Field Effect Transistor when talking about the TAO catalogue bugs.

I'm guessing either some students "were reading along" or realised the simplicity for themselves. Anyway they've taken it from "covert spying" to Overt WiFi for IoT which is probably still spying on you just in an approved --radio wise-- way.

http://passivewifi.cs.washington.edu/files/passive_wifi.pdf

It's very important for security personnel to get their heads around this because getting the system to work with any EM field is very very simple compared to traditional analogue systems and it is incredibly low power, thus the potential for covert spying using a slight modification to this technology is actually very high.

I know because I've been designing and building these types of "bugs" for several decades now. For those that want to build their own, all you need is a 74C13 quad Schmitt input NAND gate IC, an electret microphone, a couple of caps and resistors and a J310 FET for a bug in the VHF region, all of which will cost you under a dollar. You can do the same using a very cheap PIC microcontroller if you can write the simple software. With a little care these will run off of a battery for a week or considerably more...
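A small simulation of the "passive modulation" idea in the comment above, added here as an illustration and not part of Clive's comment or the linked paper: the tag transmits nothing of its own, it only switches the reflection coefficient of its antenna per data bit while an external illuminator supplies the carrier, and the illuminator's receiver recovers the bits from the amplitude of the reflected carrier. The carrier frequency, sample rate, reflection coefficients and noise level are constructed values chosen to keep the simulation small; a known preamble calibrates the decision threshold so an all-ones or all-zeros payload still decodes.

```python
import math
import random

CARRIER_HZ = 1000.0      # constructed low "carrier" so the sample count stays small
SAMPLE_RATE = 20000      # samples per second
SAMPLES_PER_BIT = 200    # 10 ms per bit, i.e. 10 carrier cycles per bit
PREAMBLE = [1, 0, 1, 0]  # known bits used to calibrate the receiver threshold


def reflected_signal(payload, gamma_on=0.9, gamma_off=0.1, noise_sd=0.05, seed=1):
    """Carrier from the illuminator hits a tag whose reflection coefficient is
    switched between gamma_on and gamma_off per bit (on-off keyed backscatter).
    Returns the reflected waveform as seen at the receiver, with Gaussian noise."""
    rng = random.Random(seed)
    samples = []
    for bit in PREAMBLE + list(payload):
        gamma = gamma_on if bit else gamma_off   # the tag's only "transmitter" is this switch
        for _ in range(SAMPLES_PER_BIT):
            t = len(samples) / SAMPLE_RATE
            carrier = math.cos(2 * math.pi * CARRIER_HZ * t)
            samples.append(gamma * carrier + rng.gauss(0.0, noise_sd))
    return samples


def bit_energies(samples):
    """Envelope detector: mean absolute amplitude over each bit period."""
    n_bits = len(samples) // SAMPLES_PER_BIT
    return [
        sum(abs(x) for x in samples[i * SAMPLES_PER_BIT:(i + 1) * SAMPLES_PER_BIT]) / SAMPLES_PER_BIT
        for i in range(n_bits)
    ]


def demodulate(samples):
    """Derive the 1/0 threshold from the preamble, then slice the payload bits."""
    energies = bit_energies(samples)
    pre = energies[:len(PREAMBLE)]
    ones = [e for e, b in zip(pre, PREAMBLE) if b]
    zeros = [e for e, b in zip(pre, PREAMBLE) if not b]
    threshold = (sum(ones) / len(ones) + sum(zeros) / len(zeros)) / 2
    return [1 if e > threshold else 0 for e in energies[len(PREAMBLE):]]


if __name__ == "__main__":
    message = [1, 1, 1, 1, 0, 0, 1, 0]   # constructed payload
    print(demodulate(reflected_signal(message)))   # prints [1, 1, 1, 1, 0, 0, 1, 0]
```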

tyrDecember 9, 2016 7:26 PM

@Anura

The conditions you deplore in the future are the conditions that already exist. There is only the Republicrat/Demicans in control. All of the viable opposition gets silenced or crushed by any means at their disposal to shut up anyone who dares to ask an embarrassing question about the culture.

I have a picture of Clintons/Trumps together at a party we were not invited to. If a picture is worth a thousand words that one tells you all you need to know about US partisan politics. Assuming that the election was between opposing parties instead of the oligarchs having a new figurehead posing for the cameras as a winner is the distraction needed to keep you from seeing how to change the system.

There is a huge embedded federal bureaucracy and a hidden security state with an agenda that makes no rational sense stuck in the toxic beltway culture. Changing the figurehead around won't fix the base problem of the ingrown toenail of bankrupted or obsolete ideas that substitute for governance these days.

The trouble with long term propaganda efforts is that if people hear the same story for long enough even the tellers of twisted falsehoods start to believe that they are true. In the beginning they were told by cynics and opportunists but over time the tellers begin to believe them even though compelling evidence exists to expose the truth and the origins of the lies.

The way out of this morass is easy to start with. Stop using binary logic and stereotyping as a substitute for thinking. Most things worth thinking about cannot be framed as good/evil, most things worth answers can't be answered with a yes/no. You also have to drop the very human trait of believing things about others that you would be outraged by if they were imputed to you.

One thing is clear, the excuses about partisan blocking of needed things isn't going to be used. If things remain messed up that arm of the Republicrats is going to have to take the blame squarely on themselves.

The underlying structural problems are going to have to be dealt with at some point but for the most part are out of the reach of a clueless political leadership.

AnuraDecember 9, 2016 8:31 PM

You also have to drop the very human trait of believing things about others that you would be outraged by if they were imputed to you.

What did I say that is a belief rather than a fact? The Republican party has been:

1) Pushing fear of voter fraud to suppress voters
2) Pushed all sorts of speculation about Clinton in order to win the election
3) Used investigatory powers for the sole purpose of winning the election
4) Pushed the idea that the mainstream media is a corrupt wing of the Democratic party so that people would distrust it
5) Pushed the idea that there is a massive left-wing conspiracy to steal freedom

The entire time, most of the country has ignored it, while the Republican base has cheered it on.

As for your whole "both sides do it too" rant: Seriously? Clinton isn't great, no, but if you think she is the same as Trump or worse, then you are ignorant of reality - only one has been pushing baseless accusations about their opponents, only one used an AIDS event that they didn't donate to for a photo op while using their charity for blatant and obvious self-dealing. If Clinton's concern was purely with growing her wealth, she's doing a shitty job of it; on the other hand, Trump has only ever done or supported anything if it was in his own personal best interest or didn't affect him.

On top of that, the Democrats have not been doing everything in their power to suppress democracy. They don't have to, because the public is on their side on most issues. The Republican party resorted to these tactics because it was unable to change with the country. All Democrats had to do was hold out for 8 more years, and the Republican party would have been forced to adapt to the people, which would have allowed us to reduce inequality and obtain more freedom. Now, they have shown they will do everything in their power to bend the people to their will, for the sole purpose of gaining more power.

This "whole both sides do it" crap is pure bullshit that serves only to further the cause of those who want to destroy whatever modicum of democracy remains in this country. There are degrees of corruption, and only one side has shown there is no line they won't cross in order to grow their power, while the other side has been playing your standard political games we've had in this country since the beginning. Spare me.

rDecember 17, 2016 5:41 PM

@ab,

And in case you ever need an Eiffel tower or a Brooklyn bridge, contact me; nobody has better prices than me!

That's because you get paid in Kremlins. But! har har har I guarantee you still make more than I. I want to apologize (as usual) for being an extremist - I do like you and enjoy reading some of your witty repartee too - but I'd like to muscle in on your comfort zone for a second politely.

Did you see the wkar/pbs video link I dropped? The partial "free"(complementary) audit revealed about 10,000 problems even with our paper paper paper paper devices.

That's what I was advocating, so sorry for "freaking out" but I thought a "free audit" was a good thing yanno?

We now know the internal state of the machine.

And I think, just maybe - now you understand mine a little better.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.