Friday Squid Blogging: Squid Fossils from the Early Jurassic

New fossil bed discovered in Alberta:

The finds at the site include 16 vampyropods, a relative of the vampire squid with its ink sac and fine details of its muscles still preserved in exquisite detail.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on January 27, 2017 at 4:37 PM • 210 Comments


Rhys • January 27, 2017 5:31 PM

Just because decabrachians (squids, cuttlefishes) and vampyropods (octopods) remain just beyond the general awareness of the "basket of deplorables" doesn't mean it's a great find. Interesting perhaps.

I really hope this isn't some tacky reference to the Safe Quick Undercarriage Immobilization Device, or SQUID?!

Those who don't believe in the evolution of species will be offended by any findings that correlate (missing link) an ancestral origin of squids and octopods.

Shouldn't we be worried more about slime mold colonies?

Thoth • January 27, 2017 8:01 PM

@ab praeceptis, all

Happy Chinese New Year.

I have made a New Year's image for @ab praeceptis and everyone else for this festive occasion.

(In)famous root CAs that have known breaches come with New Year's greetings.

I have hand typed the two lines of Chinese greetings which are:
- Gong Xi Fa Chai (Self-explanatory)
- Lian Nien You Yu (May the year be fruitful and have abundance to carry onto the next year)

Also note that the WebTrust logo is there. Most are familiar with known Root CAs, but what is little known is that in order to be a Root CA you need WebTrust approval, as they are the global Root CA approving body, and only with the nod of WebTrust can you be added to a web browser's CA certificate chain. WebTrust are known to conduct logical and physical inspection (including on-site premises visits) to rate an organisation wanting to be a Root CA or to renew its licence as a Root CA.

Apparently, there hasn't been an official notice on handling Root CAs that have been issuing "accidental certificates", and WebTrust have been quiet (as usual).

Happy New Year of the Ding Fire Rooster (Phoenix) Year. The Ding Fire (candle flame) element is said to produce petty quarrels around the world but nothing too serious. The rooster can turn aggressive at times and reinforces the Ding Fire element which produces petty small quarrels and posturing. Have a fun year ahead :) .


My Info • January 27, 2017 9:27 PM

@Mr Motorcycle Man

Yes. The Übermensch these days requires Microsoft Windows. The governments of Japan, Germany, Italy, as well as the Vatican, ISIS, and many other nations of the Axis of Evil. We are almost at the point of a second Civil War in the U.S., let alone the rest of the world.

Holocaust 2.0 inevitably leads to WWIII.

I am running Fedora 25 right now, and my computer is currently microsofted up with all the usual viruses, worms, trojans, malware, adware, spyware, and popups.

I feel that this is a direct result of the unnecessary sacrifice of simplicity, speed, correctness, and security for special interests that was made with systemd which was so forcefully railroaded over the Linux community a couple of years ago.

My Info • January 27, 2017 10:14 PM

Whatever happened to those efforts to supplement the Root CAs' authority with an independent web of trust for the same server certificates?

In the most basic incarnation, I'm talking about certificate pinning, which now seems to have been hopelessly ruined by committee, but more toward projects like SSL Observatory. Why can't these be combined in a decentralized web of trust?

Such a system would be completely independent of the Root CAs and of server administrators, and solely for the use of end users who want extra assurance of the identities of various x.509 certificates presented by public internet servers "out there."

Why not? What gives? Why is this so hard?

Ph • January 27, 2017 10:34 PM

@My Info

The Übermensch has been suffering from bad press.
I am a Mensch

And I agree with your basics, but I just run a virtual host and use Windows, Debian, Kali, DOS and FreeBSD machines for whatever I need at that time.
Mal, Spy, Crap and most other -wares are just as inevitable as flu and sniffles.

Clive Robinson • January 28, 2017 3:05 AM

@ My Info,

I feel that this is a direct result of the unnecessary sacrifice of simplicity, speed, correctness, and security for special interests that was made with systemd which was so forcefully railroaded over the Linux community a couple of years ago.

You are not the only one that regards "systemd" as a work of evil.

Others also thought, many moons before that, that Microsoft's introduction of the registry was a bad idea as well. And so it has proved to be: it provides a place for evil to hide out of sight for the majority of users and many administrators, with the general feeling of "here be dragons" and a lack of readily available sensible documentation; the learning curve, whilst not being impossibly vertical, is close enough in most cases to be of little difference.

I attribute this to the "front end, middleware, arse end" thinking that has instilled itself over the whole industry in one way or another and causes a big fail.

In essence you have a database that all parts of the system put configuration information in, thus it is kept in one place with the illusion of tidiness. However these databases are not really databases as a DB admin would understand them. They are just heaps of poorly (at best) indexed information stored in a very lax manner, that code cutters who think they are clever abuse every which way they can and, as in the bad days of MFC, keep knowledge to themselves jealously. Thus the repository is not human readable in any normal acceptance of the idea.

But it gets worse: the metadata is hidden away by the code cutters in various places, and the rules for updating the specific records, and how they interact and affect each other, are hidden because they are rarely tested by the code cutters. Then they provide a user interface that tries to hide things even further from the user's eye.

Thus if something corrupts a record then it can be impossible for anyone outside of the secretive code cutters to sort out. This often results in an "uninstall-reinstall" cycle that can make things even worse when the "uninstall" is, as is often the case, sloppy at best.

Hence the "hamsterwheel of pain" is such that people pay handfuls of gelt to undesirables to make the problem go away.

Back in the early days of *nix it was known that configuration was one of those things that would be a nightmare. The early developers tried to make things easier by having rules about where you would find things in the file system. But there was a rule that was so obvious nobody wrote it down, which was "KISS for humans". That is, configuration files would be in ASCII in ways that humans could actually read and understand, and thus have rational thoughts about...

The code cutters however preferred "KISS for software" as it gave them power, and management were supportive of this because they could see profit in the tied support contracts that the "Big Iron" IBM etc. companies had.

The result is that after a couple of generations of code cutters the "KISS for software and profit" notion has become "We do it that way because that's the way we've always done it, now quit arguing or...", as people with power don't want to lose it, so a whole truckload of excuses, falsehoods and hostility are used to brook reasonable argument, and people eventually give up or get "pink slips" etc.

For some reason this stupidity happens over and over and as always "rice bowls get broken" eventually, but not before immense harm has been done...

JG4 • January 28, 2017 6:30 AM

I've wondered from time to time whether Dr. Hunter S. Thompson was correct that the best-case scenario on your planet is "a profoundly dynamic balance of terror." Here's an entertaining story about a guy who's interested in testing the hypothesis at scale:
Here’s a quick list:
Intellectual-property rights, no; political leaders, really no; progressive politics, really, really no ("Liberalism is the thing we whistle while we assert our domination over people," he says in the film); the tech world, pretty emphatically no ("Silicon Valley needs to get its teeth kicked in whenever it can; I'm down for that first and foremost," he said in the interview).
Easy access to guns, yes; unfettered encryption, yes; radical free speech, yes; a monetary system untethered to any government, really yes; a government that itself withers away, Marx-style, really, really yes.

I think that Mr. Wilson was correct in saying "Power is the threat of violence," but his belief that "the mere possibility that anyone can take up arms will... keep everyone in check — in turn both neutralizing government and taking over its order-maintaining function," is incorrect.

The substance of criminal gangs, whether public-sector or private-sector, is the ability to organize violence at a larger scale than individuals and ad hoc groups. That requires an energy source, which generally is taxation of one form or another. I am counting drug distribution as a type of taxation.

The logical outcome of life as entropy maximization is a profoundly dynamic balance of terror.

MarkH • January 28, 2017 7:55 AM

The Great Calamity

The collapse of a dam is sometimes preceded by the appearance of cracks, or small flows of water near the base, which may not appear dangerous in themselves.

The United States has detained refugees who were on airline flights when Trump's order banning refugees and immigrants from several majority-Muslim states was issued, with the apparent intention of deporting them to their countries of origin, even though they might be in grave danger upon return.

An attorney for one of the detainees said, “These are people with valid visas and legitimate refugee claims who have already been determined by the State Department and the Department of Homeland Security to be admissible and to be allowed to enter the U.S. and now are being unlawfully detained.”

As an example of a basis for refugee claims, one detainee worked as an interpreter in Iraq for a US Army unit. Persons working for the US in this capacity have been targeted for murder.

Tin Hatter • January 28, 2017 7:59 AM

Bruce has mentioned he would like to see government reduce heavy surveillance of electronic communications. From his perspective he can see the big picture better than most. What he sees concerns him. Me too.

Commenters chide China for their censorship practices. But, I got to tell you I think the USA is quickly catching up to the level of the more oppressive regimes of the world in both surveillance and censorship.

I see it on the comment boards in particular with removals and banishment, but also in the various corporate and government announcements declaring their intent to make the internet safe via intense scrutiny, censorship and take downs. Who decides what is safe for us, and why?

It seems to me the several post-Snowden federal laws were intentionally written and passed to increase electronic surveillance and make legal what was and should be illegal. Heavy censorship logically follows intense surveillance.

I'd like to mention that as I write this draft with notepad my computer is attempting to make outbound connections (blocked by firewall) to a very well known software corporation at least once every minute.

Why is that?

The bottom line is, I think the situation is hopeless and we all need to hunker down and prepare for 1984-2.0, "The Real Deal".

JG4 • January 28, 2017 8:53 AM

@r I suspect that 85% is a bit optimistic. I'd put the figure closer to 100%

a couple of gems from Zerohedge

waves of disinformation can reduce entropy in an analog of Clive's method

I wouldn't be surprised if the Chinese are diligent in their work, but ignoring several more effective and pervasive efforts is a kind of disinformation

Nimble VS Strong • January 28, 2017 9:14 AM

The adversarial threats we face have never been greater, and our own nimbleness has never been greater.

My mid-end laptop can run Qubes OS. I can choose different software. You can't run high-end strategy programs like Qubes OS on 1990s computers.

Life ain't good, but if this were right now an exact copy of 1984, all the readers of this blog would not be alive. Yet, here we are.

I would recommend
18:10 is the theme I was getting at.

Tin Hatter • January 28, 2017 9:52 AM

The fact that you are taking diversionary steps is good and shows general agreement that our rights and privacy have been violated. As to:

"Life ain't good, but if this where right now, an exact copy of 1984, all the readers of this blog would not be alive. Yet, here we are."

Life and death are poor enumerators of an Orwellian electronic police state.

After all, Winston not only survived but learned to love Big Brother. And, of course, we will not have an exact copy of Orwell's fictional 1984. Indeed, as it's shaping up now it will likely be much worse. Lastly, we aren't there yet, but very close. Our military-corporate big brothers are lining up the ducks quite nicely, but aren't ready to spring the trap just yet. Soon though.

“He gazed up at the enormous face. Forty years it had taken him to learn what kind of smile was hidden beneath the dark moustache. O cruel, needless misunderstanding! O stubborn, self-willed exile from the loving breast!

Two gin-scented tears trickled down the sides of his nose. But it was all right, everything was all right, the struggle was finished. He had won the victory over himself.

He loved Big Brother”

― George Orwell, 1984

trump_be_nimble ... • January 28, 2017 10:32 AM

Watching President Trump and Theresa May on TV yesterday made me think of A Phil Roth quote in the New Yorker:

“I was born in 1933,” he continued, “the year that F.D.R. was inaugurated. He was President until I was twelve years old. I’ve been a Roosevelt Democrat ever since. I found much that was alarming about being a citizen during the tenures of Richard Nixon and George W. Bush. But, whatever I may have seen as their limitations of character or intellect, neither was anything like as humanly impoverished as Trump is: ignorant of government, of history, of science, of philosophy, of art, incapable of expressing or recognizing subtlety or nuance, destitute of all decency, and wielding a vocabulary of seventy-seven words that is better called Jerkish than English.”
by Judith Thurman

Elsewhere in the current New Yorker magazine:

How Arguments About Nuclear Weapons Shaped the Climate-Change Debate
In “Autumn of the Atom” (p. 22), by Jill Lepore.

A fascinating article with quotes from Thomas Schelling (p. 28) and Donald Trump. From President Trump, albeit also from November, 1984, regarding wanting to negotiate nukes with the Soviets:

"It would take an hour-and-one-half to learn everything there is to learn about missiles," Trump told Romano. "I think I know most of it anyway." (p. 26)

My Info • January 28, 2017 10:54 AM

The Übermensch has been suffering from bad press. I am a Mensch

I don't need a Wikipedia article.

Mensch is a human. Good, bad, or ugly. In German the word is a noun of masculine gender. Its Norwegian or Danish cognate "menniske" is neuter in gender, while the Swedish cognate "människa" is feminine.

When Mensch holds himself over (über) other Menschen and mistreats them, then I violently object to the Übermensch's mistreatment of the Untermensch. Here is your Wikipedia article:

Mal, Spy, Crap and most other -wares are just as inevitable as flu and sniffles.

I really, really, hate that attitude, and I violently disagree with it. Get the fuck out of my computer and stay out.

ab praeceptis • January 28, 2017 11:16 AM

Wow, thank you very much. I'm really enchanted; what a nice piece.

I particularly like the excellent CAs which like towers guard the four corners.

THAT is how security works!

May the CAs be fed with lots of money so that they can invent new super-über-master-secure products and golden locks and logos!

One tiny point of criticism: OpenSSL is missing there. They certainly deserve to stand right next to the CAs and to fips.

David Webb • January 28, 2017 11:22 AM

Hunted - did anyone else watch this new US TV reality show?

The idea is that a team of two people (there are 9 teams) must stay uncaptured by the hunters for 31 days (a month?) to win the substantial cash prize. The teams are started on the run during various episodes of the show.

It is interesting to see the techniques of the hunters (various retired law enforcement/TLA people). They go through the teams' homes collecting electronic devices, calendars (one team wrote their plans on a calendar and ripped the page off, leaving the rest with imprints of their plans), etc. The hunters break into social media pages and see likes, post things to see who responds to get contact info, etc.

One thing I learned is that the US Post Office apparently scans all letters for address info (metadata). One team on the run set up a random e-mail account on the run and sent snail mail letters to contacts with info on the new e-mail account and aliases to use should the mail become compromised. However, the hunters somehow learned of the letters and were able to obtain images of the envelopes with contact information.

The mistakes of the teams are interesting, too. Besides the calendar mentioned earlier another team used a credit card in an ATM in a bus depot and then bought bus tickets. Not a good way to stay off the grid.

MarkH • January 28, 2017 11:30 AM

We citizens of the US feel your pain.

PM May can offer in her defense -- however unsatisfactorily -- that Turkey is a NATO ally of the UK.

As our new president leaps into bed with Russia's Putin, his "justification" is much weaker. Russia is bitterly opposed to US interests, policies, and alliances.

Trump is trying to sell this act of treason by claiming that Russia will "help" against Daesh.

A few days ago, Daniel Benjamin (who worked for 3 years as the State Department's Coordinator for Counterterrorism) explained why Russia is a terrible ally against terrorism.

The only "American interest" that will be helped by shameful appeasement of Russia's aggression will be the bank accounts of some of Mr Trump's ultra-wealthy friends ... and perhaps Trump's own bank balance.

trump_be_nimble ... • January 28, 2017 11:34 AM

More from the New Yorker:

In 2009, Thomas Schelling, an economist, national-security expert, and Cold War deterrence theorist, who had won a Nobel Prize for his game-theory analysis of conflict, issued a dire warning:

A “world without nuclear weapons” would be a world in which the United States, Russia, Israel, China, and half a dozen or a dozen other countries would have hair-trigger mobilization plans to rebuild nuclear weapons and mobilize or commandeer delivery systems, and would have prepared targets to preempt other nations’ nuclear facilities, all in a high-alert status, with practice drills and secure emergency communications. Every crisis would be a nuclear crisis, any war could become a nuclear war. The urge to preempt would dominate; whoever gets the first few weapons will coerce or preempt. It would be a nervous world.

Schelling’s nervous world is the setting for “The Case for U.S. Nuclear Weapons in the 21st Century,” a careful and balanced study by Brad Roberts, the director of the Center for Global Security Research at Lawrence Livermore National Laboratory. Lamenting the hardened lines between advocates and abolitionists, Roberts calls for a fresh and broad-minded debate: “Whether nuclear weapons will continue to be effective in preventing limited wars among major powers is an open question.”

albert • January 28, 2017 1:11 PM

I haven't seen this anywhere else. Comments?

"...Russia is bitterly opposed to US interests, policies, and alliances...". Maybe it's time for you to be objective about 'US interests, policies, and alliances'.

"...Daniel Benjamin (who worked for 3 years as the State Department's Coordinator for Counterterrorism)...". See the result of 'US Counterterrorism' efforts. Now tell me why Benjamin should be considered an expert, except on how -not- to handle counterterrorism.

Re: your other comment: Those folks mentioned in the link above weren't refugees or citizens of ME countries.

Interpreters are always considered traitors by their countries of origin, especially if citizens, but more importantly, as fountains of information about US military strategy. It's a dangerous job.

I believe that most of MS's developers weren't thinking about evil hiding in the registry. From the OS perspective, binary data files are faster to access and require less parsing than ASCII text, and take a lot less memory. Any history on this?

I developed a complete generic GUI for our company's industrial control systems (PLC interface). I decided to follow my 'big data, small code' philosophy, and used ASCII data files for everything. Since these files were read-only, simple headers gave the application all it needed to know in order to parse them. Each was parsed and read into arrays or structures in memory. There were maybe 10 or so separate files. The beauty of the system was that you could change anything, even screen configurations. Simply restart and you're done. You could even add new data points in the master tag file. We even shipped with a backup directory in case someone effed with a datafile.

Sorry for rambling on...
. .. . .. --- ....

My Info • January 28, 2017 2:28 PM

"...Russia is bitterly opposed to US interests, policies, and alliances...". Maybe it's time for you to be objective about 'US interests, policies, and alliances'.

Yes, we need to be more specific. 'US interests, policies, and alliances' are simply too diverse for Russia or any other country to be opposed to all of them. I refuse to have anything to do with alleged 'US interests, policies, and alliances' unless they adhere to the U.S. Constitution.

Ted • January 28, 2017 2:43 PM

This "2014 Quadrennial Homeland Security Review" provides a summary of DHS's strategic self-assessment and also reviews the five homeland security missions. These are:

• Prevent Terrorism and Enhance Security
• Secure and Manage Our Borders
• Enforce and Administer Our Immigration Laws
• Safeguard and Secure Cyberspace
• Strengthen National Preparedness and Resilience

Late last year, General John Kelly provided over 150 responses to pre-hearing questions regarding his nomination as Secretary of Department of Homeland Security.

These questions cover the far-reaching roles and responsibilities of DHS, such as management, grants, acquisitions, workforce, DHS consolidation, risk management, countering violent extremism, FEMA, transportation security, the secret service, immigration and border security, cybersecurity, the science and technology directorate, biosecurity, congressional relations, etc.

One of these questions and the start of his response:

If confirmed, what would be the highest priority items you would focus on? What do you hope to accomplish during your tenure?
If confirmed, my highest priority would be to close the border to the illegal movement of people and things […]

As a former commander of U.S. SOUTHCOM, he elaborates further on his knowledge of Central and South America and his thoughts for improving border and regional security. He testifies that the US's drug demand from the region has brought a level of violence to these countries that makes them some of the most dangerous in the world. He offers Colombia as an exception to this trend and a close ally in the region, a country that has turned the corner from an imperiled state to one that "exports security in the region.”

His pre-nomination testimony and congressional hearing can be found here:

Ollie • January 28, 2017 3:24 PM

MarkH doesn't know what aggression is. He thinks 8 bis and 8 ter are rap movie sequels. Let's all have some luls while he tries to explain which Russian acts constitute the elements of the crime of aggression in view of the threshold for manifest breach in character, gravity, and scale derived from US precedent in Afghanistan, Iraq, and Syria.

MarkH also doesn't know the difference between bitterly opposed and indifferent. Having controlled the threat to peace of the rustbucket graft-ridden US military and its mile-wide, inch-deep NATO Chowder and Marching Society, (Did you scotch-tape that B-52 engine back on yet?) Russia is now the world's most influential advocate for rule of law.

Benjamin's a sad clown who got purged for cataclysmic failure. Read him so you see how easy it was for Russia to crush the US covert weasels.

Clive Robinson • January 28, 2017 4:39 PM

@ MarkH,

The only "American interest" that will be helped by shameful appeasement of Russia's aggression will be the bank accounts of some of Mr Trump's ultra-wealthy friends ... and perhaps Trump's own bank balance.

Yup, the same with PM T. May and the old lags in the Conservative Party. If you want to see just how bad, look up UK MP Malcolm "rockets" Rifkind, an absolutely shocking example of selling arms at any cost to others and getting your now wealthy friends to slip you a nice well-paid gig or two, or campaign for a safe seat in London after the Scottish voters drop-kicked him out of office. Back in the Thatcher-Reagan era he had the hots for Russia and persuaded Thatcher to meet Gorbachev...

MarkH • January 28, 2017 4:52 PM

David Cornwell, famous under his pen-name John le Carré, is a thoughtful novelist who studies the world with keen moral insight.

For a long time now, his spy novels have been sprinkled (rather subtly, but not infrequently) with references to the international arms trade.

It is a grim and endlessly bloody business.

j • January 28, 2017 5:09 PM

Accurate prediction of personality types based on Facebook likes used for extremely micro-targeted campaigning by Trump and Farage teams:

This is clearly an exploitation of a bigger issue, that the US is ripe for fascism and that US citizens vote like they buy things, but this is an unprecedented method of wide-scale emotional manipulation, playing on people's individual fears and weak points based on a generalisation of their personalities, that leaves little trace, unlike negative political TV ads or mailings. I hope this doesn't spell the end of democracy in our age.

Ergo Sum • January 28, 2017 5:11 PM

@David Webb...

I watched a couple of episodes for the same reason as you did. And yes, the USPS collecting metadata of the mail caught me by surprise. Unfricken believable how entangled with tracking life in the US is, and it is just the tip of the iceberg...

The rest of it wasn't much of a surprise, and the hunters have access to all of the monitoring services. Having real-time access to credit card usage and receiving a popup when the suspects use them does put them in the driver's seat. Especially when the suspects can have only 500 bucks cash, which won't be enough for 31 days.

I would have cheated and packed up with cash in advance, borrowed someone's credit card for a month just in case, and gone for a total blackout on phone and internet access. Leaving some "false itinerary" in the house, making sure that computers have nothing on them, starting "killdisk.exe" for example, etc. Preferably hide in an apartment in the same town, or just house-sit for a month. Running/moving around in different towns or states would just give the hunters clues...

Clive Robinson • January 28, 2017 5:30 PM

@ Albert,

Sorry for rambling on...

Nay worries, in most technical rambles there is a nugget or two of information for the more perceptive to think upon, and hopefully learn from to their and others' advantage.

The nice thing about ASCII files is that if, as a developer, you use them they become a window for others to look through and appraise you. Thus as a developer you tend to think about what it is you display to people and what they will think about you. Which generally means that ASCII human-readable files get better input than binary files, which tend towards being dumping grounds for half-thought-through ideas.

The original *nix ethos was that all you had was a glass TTY and a line editor, thus everything had to be not just human readable but concise and understandable without the support of any other resource other than man pages. Microsoft followed this ethos with a few differences; they also had a poor man's version of the *nix boot system which developed over time as drivers became more complex and numerous and displays etc. improved.

Clive Robinson • January 28, 2017 6:17 PM

@ Ergo Sum,

Preferably hide in an apartment in the same town, or just house-sit for a month.

That is actually not a good idea for various reasons.

Better is to set up a small business and rent a single-room office space in something like a converted brownstone etc., put in a kettle, a microwave, a large supply of "dry goods meals" like "pot noodles" and camping-type MREs, and tinned goods. Then take up jogging or riding a push bike in sweats with a hoody or similar so you have a reason to have a change of clothes etc., so people never really get to see your face going in or out of the building.

I know from personal experience you can live in such a place for months without anybody getting remotely interested. A friend found it was a cheaper option when doing major rebuilding of his house. He used the office for project management etc. and paid only about 30% of the rent on the office space that he would have for a "studio flat"...

The real hard part is setting up bank accounts and such like that are not connected to your name. There are some books out there that tell you how to go about this, and it's different for each country but not that different.

Oh, the other thing is to purge your existing online identity; this is not as difficult as it sounds and you can get some hints from,

D-503 • January 28, 2017 6:30 PM

There has been a lot of reporting on this in the Canadian news media.
There are so many angles to this story, I don't know where to start.
I'll start with an angle that's unrelated to electronic security:

To start with, it's worth pointing out that many Canadians traveled to the border, declared they were going to the protest, and were let through with no hassles.
Based on the Canadian news media reports, there were several things that were special about that group of would-be protestors:
1) Apparently, one of the travelers handed the border agent the wrong passport. This is a frequent error among people who have more than one nationality. Nevertheless, it isn't exactly a crowd-pleaser among border agents. Border agents do check a traveler's ID against the ID that Homeland Security has on file. This has happened to two acquaintances of mine, years ago (one was levied a fine and barred from the US for a few months, the other lost his job and was exiled overseas.) The potential consequences are catastrophic – felony charges and a permanent ban – but rarely applied. More often the traveler gets the scare of his or her lifetime.
2) Apparently, the group of would-be protestors couldn't get their story straight where they were going and what they planned to do in the US. In normal times, not a problem. But these aren't normal times. These are crazy overboard jackbooted paranoid times.
3) Bearded young student shows up at border saying he wants to protest against Trump. Meets rural rust-belt law enforcement officer in deepest pro-Trump heartland. Law enforcement officer's sense of humor is tested by the absurdity of the whole situation. Does hilarity ensue?

Security lessons:
1) Innocence is no defense
2) Obsessive attention to detail may help. Maybe. Or maybe not.
3) Franz Kafka says "beware of border crossings, they're tricky"

r • January 28, 2017 6:34 PM

These things are only going to get worse, get your act together.

I was at my bank last week just before closing and I heard them describing a meme to each other; to my horror they were on Facebook, not on their phones but on their kiosks. So I asked them, you guys are allowed onto the public internet with those things?

"Yes, but it's monitored."


So it's going to be a second security related ticket I've opened with their stupid asses over the last 3 years because I don't think their HR and IT/IS departments understand the problem.

TedJanuary 28, 2017 7:24 PM


From what I’ve read, you’ve provided quite a few good resources. Still reading. Much like security, it’s probably easiest to design for such things early and at every stage of the development process.

ThothJanuary 28, 2017 9:06 PM

@ab praeceptis

The OpenSSL logo would be added soon to the next festive greetings. The picture only took me at most 25 minutes to do up on GIMP. Pretty fast and straightforward to create.

PetterJanuary 29, 2017 3:00 AM

A month ago journalists and filmmakers signed a letter and asked for encrypted memory cards for photographers and journalists.

A group of students at the Swedish university Chalmers replied and informed us that they have such a system in the works.

With real time encryption of anything saved to the card.

Here's their paper.

And the Abstract:

This thesis details the design of an encrypted SD-card adapter for journalists to be used in destabilized areas. The SD-card adapter should be designed to protect the journalist’s photographs while allowing previewing of the photograph until the SD-card is powered down. The SD-card adapter is designed to appear as a generic SD-card adapter with the exception that it encrypts the data and hides any changes in the file system. The design is based around a FPGA with use of a publicly available IP-core for encryption. The SD-card adapter uses both symmetrical and asymmetrical encryption for protection of individual files. A soft-core is used for generating encryption keys, asymmetrical encryption and general management. Through use of software based emulation, the concept was proven feasible.

Clive RobinsonJanuary 29, 2017 7:11 AM

Beware "Shimmers" not "Skimmers"

The technological war between credit card info thieves and those with EPOS and ATM card slots they are trying to defend is progressing apace.

A while ago people over at the UK's Cambridge Computer Labs warned of "electrical man in the middle" attacks where the contacts on a chip and pin card could be intercepted between the payment card pads and the card reader contacts.

As is normal for the Payment Card Industry, they pooh-poohed the idea as being theoretical only. Then there were stories/reports that someone had been caught with a payment card with another chip glued on top.

Now you can see an eMITM Shim (Shimmer) that's for real.

ThothJanuary 29, 2017 8:18 AM

@Clive Robinson

re: eMITM

I haven't been sitting around even on my busy days in a bid to talk to smart card vendors and smart card dev forums to apply secure channel protocols designed to frustrate shimmers.

Why are card shimmers effective? The reason is simple. Nobody bothers to encrypt and strongly MAC the traffic between the chip contact and the card reader contact pins. The smart card technology is pretty much secure for its use case but the protocol and software applets installed on the cards are not.

What I have been doing even on my busy days (take 30 minutes a day) is to talk to developers and card makers to allow secure channel protocols at the very least and if possible, I have even provided to them openly my open source implementation of my A02 secure channel protocol that includes features with asymmetric key establishment (over RSA certificates), padding of all messages to the same length, an Encrypt-then-MAC scheme, a 4 byte session counter (bigger counter sizes available but will soon become very clumsy on 16-bit smart card CPUs) and finally hiding the actual command headers inside the encrypted payload while using a generic command header so that on the wire it will look almost the same between every card protocol packet.

I have caught a few software applets not bothering to do proper security and I have already talked to their authors but as with any security, most people just shrug their shoulders and say it's not necessary to go all too crazy with security or the other excuse is "it's just a client demo" which somehow might end up in a real world scheme one day.

I have lately been experimenting with the transit smart cards here in my own setup and I have picked up some theoretical attack possibilities but I doubt I will actually do anything since I am just curious about the smart card file system format in Singapore's transit cards. The transit cards use a standard called CEPAS (electronic micro-payment) and the local shops support these transit cards as valid micro-payment cards and local banks also issue their debit cards and credit cards with the CEPAS standard (e-wallet standard for transit and micro-payment). I have noticed that the card totally destroys privacy by storing timestamp, type of transaction, amount transacted and even the bus number or train station where someone boards. The records are read from the card and compared with another copy in the backend to ensure no tampering (very weird and insecure way of checking for tampered cards and records). The records when read (usually over contactless NFC) are not even MAC-ed or signed in any way and could be forged with ease by knowing the format. The attack surface I theoretically predict would be to tamper with the records to cause a buffer overflow in the backend (since they require some parsing) if the backend software is badly written (as always happens most of the time). I have no proof yet since I have not tested such a theory and testing it will immediately put me behind bars and other nasty stuff.

The main thing is that most card applets are so badly written without much security in mind, one doesn't need to go to the extent of decapping a smart card to figure much out. Simply sniffing and playing with the card traffic is quite sufficient for most scenarios due to the lack of basic secure channels being used.

Also, to prevent MITM over the asymmetric negotiated key exchange, an organisational CA can be used to issue cards with their certificates and the organisational issuing machines can be done air-gapped with an OpenBSD setup and the latest stable build of the libpcsclite library for smart card communication over USB or serial card readers.

Most of my advice usually falls on deaf ears anyway but I am still trying to actively convince whoever might be concerned without getting myself into too much trouble.
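The secure-channel properties listed in the comment above (every message padded to the same length, Encrypt-then-MAC, a 4-byte session counter, and the real command header hidden inside the encrypted body behind a generic outer header) can be seen in a small simulation. This is an added example written for this page; it is not Thoth's A02 implementation nor any card vendor's code. The master key, session id, APDU headers and padded length are constructed values, and an HMAC-SHA256 keystream stands in for the block cipher a real card would use.

```python
"""Toy secure channel: fixed-length padding, Encrypt-then-MAC, 4-byte counter,
generic outer header. Added example, not a real card protocol."""
import hmac
import hashlib
import struct

PADDED_LEN = 64                 # constructed: every plaintext body is padded to this
GENERIC_HEADER = b"\x80\x10"    # constructed: identical outer CLA/INS on every packet
MAC_LEN = 16


def derive_keys(master, session_id):
    """Derive independent encryption and MAC keys from one shared secret."""
    enc = hmac.new(master, b"enc" + session_id, hashlib.sha256).digest()
    mac = hmac.new(master, b"mac" + session_id, hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key, counter, length):
    """HMAC-based counter-mode keystream (stand-in for the card's block cipher)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">II", counter, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(body):
    """Length-prefix then zero-pad so every body has the same size on the wire."""
    if len(body) + 2 > PADDED_LEN:
        raise ValueError("body too long for fixed-length channel")
    return struct.pack(">H", len(body)) + body + b"\x00" * (PADDED_LEN - 2 - len(body))


def unpad(padded):
    n = struct.unpack(">H", padded[:2])[0]
    if n > PADDED_LEN - 2:
        raise ValueError("bad length field")
    return padded[2:2 + n]


class Channel:
    """One endpoint. Both sides hold the same keys; each tracks its own counters."""

    def __init__(self, master, session_id):
        self.enc_key, self.mac_key = derive_keys(master, session_id)
        self.send_ctr = 0
        self.last_recv = 0   # highest counter accepted so far; replays are rejected

    def wrap(self, real_header, data):
        """Packet = generic header || 4-byte counter || ciphertext || MAC."""
        if len(real_header) != 4:
            raise ValueError("real APDU header must be CLA INS P1 P2")
        if self.send_ctr >= 0xFFFFFFFF:
            raise RuntimeError("counter exhausted; re-establish the session")
        self.send_ctr += 1
        outer = GENERIC_HEADER + struct.pack(">I", self.send_ctr)
        body = pad(real_header + data)                       # real header is inside
        ct = xor(body, keystream(self.enc_key, self.send_ctr, PADDED_LEN))
        tag = hmac.new(self.mac_key, outer + ct, hashlib.sha256).digest()[:MAC_LEN]
        return outer + ct + tag

    def unwrap(self, packet):
        """Check the MAC first, then the counter, and only then decrypt."""
        outer, ct, tag = packet[:6], packet[6:6 + PADDED_LEN], packet[6 + PADDED_LEN:]
        if len(tag) != MAC_LEN or outer[:2] != GENERIC_HEADER:
            raise ValueError("malformed packet")
        expect = hmac.new(self.mac_key, outer + ct, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(expect, tag):
            raise ValueError("MAC check failed")
        ctr = struct.unpack(">I", outer[2:6])[0]
        if ctr <= self.last_recv:
            raise ValueError("replayed or out-of-order counter")
        self.last_recv = ctr
        plain = unpad(xor(ct, keystream(self.enc_key, ctr, PADDED_LEN)))
        return plain[:4], plain[4:]


def demo():
    """Run a terminal-to-card exchange and report what an observer or tamperer gets."""
    master = b"\x01" * 32                                   # constructed test key
    terminal, card = Channel(master, b"sess1"), Channel(master, b"sess1")
    p1 = terminal.wrap(b"\x00\xb0\x00\x00", b"read record 1")
    p2 = terminal.wrap(b"\x00\xd6\x00\x00", b"write")
    assert card.unwrap(p1) == (b"\x00\xb0\x00\x00", b"read record 1")
    results = {"same_len": len(p1) == len(p2), "same_outer": p1[:2] == p2[:2]}
    try:                                                    # replay of p1
        card.unwrap(p1)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    bad = bytearray(p2)
    bad[10] ^= 1                                            # flip one ciphertext byte
    try:
        card.unwrap(bytes(bad))
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    assert card.unwrap(p2)[0] == b"\x00\xd6\x00\x00"        # genuine p2 still accepted
    return results
```

On the wire every packet is 86 bytes with the same two leading bytes, so an observer sees neither the real instruction nor the length of the data; the MAC is verified before the counter is consulted or anything is decrypted, so a tampered packet never reaches the parser.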

CallMeLateForSupperJanuary 29, 2017 9:19 AM


Re: that shimmer. The person(s) who made it is/are penny wise and pound foolish. Glass board is much more rugged than phenolic. It costs more but a shimmer has big ROI, so the extra cost here is insignificant. And those big pads appear to have been "tinned" by hand.

I suppose the pictured shimmer could be just a prototype, for proof of concept, but its mechanicals don't impress me much.

"Tap" a card? This American had to look that up.

AnonJanuary 29, 2017 9:57 AM

What if someone denies having social media accounts? How do they prove that?

What if they travel with a new phone they bought for the purpose, or the phone/electronic devices do not have any contact info on them to collect?

Maxwell's DaemonJanuary 29, 2017 11:38 AM


I can't evaluate exactly what this is worth, but you have had and will continue to have my attention. "Security is hard." Having to continuously evaluate the state of the art on hardware, software, social and process aspects makes it no easier to nail down.

My InfoJanuary 29, 2017 12:58 PM

Re: Microsoft Windows

People talk about the Blue Screen of Death, but they never mention its real meaning: all the hidden murders, attempted murders, and conspiracies to commit murder that go unacknowledged, uninvestigated, and unprosecuted by police.

Clive RobinsonJanuary 29, 2017 1:12 PM

@ Anon,

What if someone denies having social media accounts? How do they prove that?

As I'm well aware "You cannot prove a negative!". The best you can hope to do is try and prove "That for you it's not probable".

The first step of which would be being over forty years old with the rough hands of a manual worker.

Then by having an old fashioned non-smart phone in well used and scuffed condition, most definitely not new. Also no ebook reader or any other device that has mobile data, wifi or even wired network or USB capability such as laptops, netbooks, tablets, pads or any number of entertainment devices like Nintendo 3DS etc...

Have only a dog-eared paper-n-pencil diary with a contacts list that only has names, addresses and phone --not even fax-- numbers in lots of different inks, and slips of paper with other names and numbers loosely in there, along with receipts etc. Likewise slightly dog-eared business cards that suggest you are in some kind of manual labour trade --not profession--, again with no contact on it other than phone numbers/postal address. Which is a little difficult as even gardeners, window cleaners and handymen have email addresses and web sites these days. So much so you are more likely to have a web site than a business bank account...

Anything less than a dog-eared paper trail that will survive actual contact with customs etc officials will cause them to not believe the "legend" (image) you are trying to protect.

Other tricks are the "my business partner/advisor/secretary/etc does all of that for me, why buy a dog and bark yourself?" position. Though you do need an answering service that calls back to your mobile to carry that off.

There is also for the older person a creative/artist "type" mentality with the not wanting stalkers or bother line but avoid writer/researcher for obvious reasons.

Ultimately there is "To be Bruce", that is be a security knowledgeable/aware type and have social media that is empty to stop impersonators but not actually use it, just have a message to that effect in it with the likes of a post office / business address. When asked why say "are you aware of how insecure that service is" with the "if people were really aware of how insecure they would not use it".

I actually have the misfortune on this account to have at least five people with the same name as me that do have social media accounts etc... It makes it quite difficult to say they are not your accounts when asked.

One way to avoid the whole issue in many places is not to put yourself in a position where you might be asked questions about social media etc. So not traveling into border zones is one way to avoid obvious risk. Likewise not going where police etc presence in hostile mood is to be expected like marches, rallies and protests / demonstrations. Likewise places where there are frequent social disorder offences like rowdy or drunken behaviour, or lots of "youth" or other stigmatized group.

Sadly there are still many who see a black face in a white community as tantamount to criminal behaviour and the opposite as well. Those from "Black Lives Matter" and similar groups can give you an idea of just how bad that gets. So you would want to avoid places "Where your face does not fit".

Which brings up the point that the important thing to develop is an OpSec "sixth sense". As my father used to tell me when I was quite young "The best place to be when there is trouble, is to be seen somewhere else." Likewise when "wearing the green" we got taught rudimentary OpSec techniques and how to assess and mitigate a situation, the likes of LEOs get similar training.

However as the old rider about "... but a coward lives to run away another day" has a lot of logic in it as does "There are the old, and there are the bold, but few are old and bold". Likewise there is "Only pick fights you know you can win" or the old Art of War advice of "if you must fight your enemy, pick a place where he is weak and you are strong" allied with the most important advice "You must know your enemy but be unknown to him".

But be aware you have to think carefully about some ambiguous advice like "The one may succeed where the many will fail"; it's more about thoughtful and covert / stealthy and above all good OpSec behaviour than it is about the scream and charge berserker behaviour or shock and awe tactics.

For instance it applies to a sniper, who is a much feared thus powerful force multiplier. Look up the expression "long gun fever"; one effective tactic that is not generally made known is their PsyOps advantage. This was once made known to me by a rather pithy trainer with an earthy view on life as "If yer shoot the balls off of tay cook when he's taking a shit, he'll scream so loud that every one will get to know, and not only will the food get bad, but no one will want to take a piss or a shit where they should, so the place will soon stink up and they'll all be scared, sick, tired and useless". There is of course a down side as any trained sniper will tell you, like a radio operator you are "a marked man" in the enemy's eyes, and if caught you are unlikely to become a prisoner of war, in fact you will be lucky to get a clean death.

That's why you have to think carefully about what you do "As actions have consequences.".

WaelJanuary 29, 2017 1:52 PM


FPGAs and a slick phone hack with some interesting stuff about matrix algebra versus cryptosystems.

I came to respect your book recommendations, and now I'll need to extend that to online references as well - keep it up.

Watched the entire video and learned a few things. Weaknesses in KDF resulted in deducing the master key. 29:39 Snowden discussion with bunnie to protect reporters in dangerous situations...
Another important thing: Any system that's sufficiently complicated is going to have a weakness so subtle that... @Skeptical: pay attention! Direct introspection: detect when the phone is transmitting when we know it shouldn't be. This means it's definitely compromised. 33:11 monitoring the antenna circuitry subsystem which is independent circuitry from the baseband and application CPUs. Exploit some hardware test points. Open source FPGA that's inspectable. 47:30 hardware subversion does happen! 49:00 Novena open source laptop

The essential guide to electronics in Shenzhen

1:14 new thing learned! Reading a map isn't part of the Chinese curriculum. Hard to believe, but ... I wonder how their military operates.

1:24 getting code from a smartphone into a micro controller using sound! CheabyOS Thin Flex-boards, too.

Two books to consider getting:
Andrew "Bunnie" Huang, The Hardware Hacker: Adventures in Making and Breaking Hardware

A blog to monitor:

And a Phd in electrical engineering from MIT, too... not sure I'll have time (or interest) to read.

I must have missed the: matrix algebra versus cryptosystems part!

Finally a new definition I like: A hacker: sees through the abstraction layers (Hint for the security architect ;))

OH MYJanuary 29, 2017 3:01 PM

@Clive R.

RE: Your most recent comment about social media account.

Well done! It reinforces my evolving view that the future is not based around encryption and anonymity but around camouflage. It isn't good enough anymore to simply be unknown--one needs to look exactly like one's adversary expects one to look. Confirmation bias is king.

DanielJanuary 29, 2017 6:39 PM


Speaking of confirmation bias and camouflage, it turns out the GOP's secret retreat was infiltrated by a woman who posed as a Congressman's wife.

It's a vivid reminder that not all security threats are cyber-related.

StanstanistanJanuary 29, 2017 9:18 PM

Another vivid reminder that not all security threats are cyber-related: we can put that constitution into a DEFCON 3 grade national security emergency system with decentralized fusion centers annnd it's gone.

Suckers. You live in the United States of COG.

Jen Gold StockholmJanuary 29, 2017 10:52 PM


"I haven't been sitting around even on my busy days in a bid to talk to smart card vendors and smart card dev forums to apply secure channel protocols designed to frustrate shimmers. "

Like you, Samy Kamkar is using his ingenuity for the sake of genuinely trying to protect consumers and companies:
in case you haven't seen it

Jen Gold StockholmJanuary 29, 2017 10:57 PM

@ Wael

'Finally a new definition I like: A hacker: sees through the abstraction layers .Hint for the security architect'

Samy Kamkar says something to the effect of, his definition is: someone overlooking the/an intended primary functionality, and instead asking 'what else can this do?'

by the way thanks for the 'did/didier' video. although I didn't get how the camera kept cutting back to the actor in the audience, watching himself on stage - laughing at his own jokes. bizarre!

WaelJanuary 29, 2017 11:09 PM

@Jen Gold Stockholm,

watching himself on stage - laughing at his own jokes. bizarre!

Not sure if you're serious... That's Steve Bridges impersonating Bush. The real Bush liked him and was present at some of his shows. He did Obama impersonations as well. Steve died young, so don't wait for a Trump impersonation from him.

WaelJanuary 29, 2017 11:11 PM

@Jen Gold Stockholm,

Actor in the audience... I get it :)
I prefer Andrew's definition! It's much more profound.

Jen Gold StockholmJanuary 30, 2017 1:08 AM

> Actor in the audience... I get it :)

hmm yeah, I was actually genuinely a bit confused by the camera swaps between the two players - not being particularly acquainted with W in his 'casual cabaret' mode - but my question to you did indeed have about three layers of satire. Well done, you correctly picked one layer :-)
Obama impression? Blackface? That's quite frowned upon where I come from ;-)

>I prefer Andrew's definition! It's much more profound.

agreed. offered another angle as Samy had discussed the definition in an interview at some length. What if I send a 0 instead of a 1? What if I send a pause when it expects an input? etc.

Jen Gold StockholmJanuary 30, 2017 1:14 AM

@ Wael
>Go get your Toilet Snorkel. May save your life one day.

reminds me of the movie Kingsman, Secret service.
the neophytes have a training exercise thrust upon them whereby they are woken in the night to find their dorm is flooding to the ceiling. they are underwater, working out solutions, improvising: someone gets a piece of U pipe from the sink and tries to breathe from the air trapped in the cistern.
As they scrambled for solutions I observed they were not working as a team and instead sought solutions solo. I decided they would all be given a fail mark for this reason - if they survived. The instructor appeared, and I was indeed correct. Maybe I should audition for a reality show :)

keinerJanuary 30, 2017 2:20 AM

RE: airport security (aka "a massive success story")

How does it feel to be in the real-time remake of "1933", guys in the USA? Your actor playing Jo Goebbels (this Bannon guy) is really out of sync, isn't he?

Prins van de SchemeringJanuary 30, 2017 3:07 AM

@Clive Robinson

I actually have the misfortune on this account to have at least five people with the same name as me that do have social media accounts etc... It makes it quite difficult to say they are not your accounts when asked.

Somewhat of a problem. There are a few others in (anti)social media with my exact same name, and some of them have widely differing political views so that if we ever met, they'd punch my lights out... an interesting experience no doubt for the unwitting (by definition) secret service agent who wishes an encounter... and then there's that pesky pack of vampires up in Washington, Oregon or wherever. No hay problemo - whatever we do in the shadows is by definition no interest to them.

Speaking of OpSec, Dum Maaro Dum's got an interesting solution to one pressing one - how do we fix the referents so that it takes pure serendipity to answer the question of "Who is...?" The people asking the question live in the same milieu as the people setting up the situation posing that question, and it takes serendipity at the very end to answer it.

ab praeceptisJanuary 30, 2017 3:35 AM


Whatever your point of view happens to be, putting Trump and his administration next to Goebbels or Hitler proves just one thing, namely that you are not capable of participating in a reasonable discussion.

Simple old rule: Only idiots put people they don't like next to Hitler, Goebbels, clinton or Idi Amin.

Con De ZenderJanuary 30, 2017 5:06 AM


Seems like a great way to inject bacterial spores directly into one's lungs, no thank you!

But, it does remind me of how to get away with cigarettes or fusing plastics for shanks in jail. ;-)

WaelJanuary 30, 2017 5:24 AM

@Con De Zender,

Seems like a great way to inject bacterial spores directly into one's lungs

Bacteria is good for you! And it's a good way to hide your "bacterial fingerprint". Haven't you heard?

fusing plastics for shanks in jail. ;-)

"Shanks", mate? Now I know what "Shawshank Redemption" means :)

Michael LooJanuary 30, 2017 7:01 AM

I am a computer science student at a G8 university in Australia. Over the past few years, I noticed many students, housewives, old people, working adults, all of whom seem to look Chinese, tailing me in person around. They seem to have a massive grid network of spies who can tail seamlessly. But cars with the same plate no. keep reappearing at different dates and locations, a few months apart; Chinese people sitting near me on flights to and from Australia magically reappear in some other location and date. And there is some indirect circumstantial evidence to me that my house has been bugged, both in sound and spycams, but I resisted looking for them, acting as ignorant as possible. Today I finally went to the AFP police station at an airport and reported informally to them. Although I am uncertain whether the reappearances are just coincidental, I stress that I am neither paranoid nor have mental problems; I have a fairly good visual memory and I was in Mensa. I just want to warn all IT people to be careful of your computer and your own physical security. I suspect state-trained Chinese spies are working with state hackers to track people in critical job fields. I don't have proof but am saying this for my own safety since they know now that I know. I will strive to stay alive to tell you the details, but IT people have to take their HUMAN physical security seriously. Humans ARE the weak link in IT security.

ThothJanuary 30, 2017 7:34 AM

@Michael Loo

I am guessing the nickname is a fake name? If not, don't bother changing since you have already exposed yourself.

Security has its weakest link in humans and you are right. I don't think you are paranoid about your OPSEC. Many of us in this forum find this extra caution somewhat of a norm that we integrate into our daily lives.

Make sure you know who gets into the lift with you. Make sure to check the corners and ensure no one is going to tail or surprise you when you move. Make sure that you take note of strangers loitering and pretend not to see them. Never look into a person's eyes if you don't have to and avoid all eye contact (esp. with security personnel in stations and check points) unless necessary. Close curtains before sweeping for "weird stuff" in the house to avoid visual recognition (it only serves to lessen lousier surveillance). It is worth being a little more cautious especially when the world's powers are having their petty feuds and blowing things big.

Michael LooJanuary 30, 2017 9:12 AM

Judge for yourself. Some clues to a group of humans spying on you:
1) In a big crowd like those in a shopping mall or festivals, you observe some people picking you out visually immediately on entering the crowded room, say, and all these people seem to be of the same race, in my case, Chinese. Human eyes work like a search program, you cannot find a record without scanning for it. In the eyes' case, you almost certainly need to scan the crowd first before identifying someone. I have observed Caucasians, Indians, Africans and other races as "placebo", none exhibit this trait.
2) Normal people who have not apparently noticed your presence don't look at you with the corner of their eyes when they walk past you. If they don't know you are there, they can't peep at you from the corner of their eyes, can they? Add to that, all these people are of the same race. Other races (placebos) don't act this way. When a normal person notices someone from the corner of their eyes, only by turning their head and looking can they see that someone.
3) This one is just a warning to you to be careful. I have thrice felt a faint aerosol sprayed onto my face when some girl walked past me. I know it is not the wind because the aerosol came from different directions, 2 times were indoors. On all 3 occasions, the girls were Asian student-like. On all 3 occasions, I went down with severe viral fever the very same night. It didn't seem contagious even with sharing a room and a cup with my old folks in their eighties. Perhaps genetically engineered virus, I don't know.
Again, I have no proof. I am not being a racist, I am ethnic Chinese too. It is difficult for me to out them if not for fear of being silenced permanently. This is a catch-22 for me. You guys be careful.

Mike LooJanuary 30, 2017 9:47 AM

I appreciate your advice, thank you. Not my real name, but doesn't matter, they know who I am anyway.
In the last 6-7 years, I have also noticed a few oddly out-of-place Caucasians (Russians? I don't know) and Indians (Hong Kong Indians? No idea) which the suspicious Asian "spies" seem to know and work in tandem with. But I won't go into details, the sample space is too small for me to infer anything. Perhaps just me over-observing things.
Dear all civilians, please just be careful, watch your back always but don't get too paranoid. That's life, we all have to go Home someday. The point is to fight not flight, when there is no place to run. Even if it eventually costs you your life, at least those who have read this will have a better chance.

JG4January 30, 2017 12:20 PM

I've been too lazy and dysfunctional to buy the Dusko Popov biography that was suggested around December 7th. Did I remember to post the quote from Hoover about sticking pins in rattlesnakes?
Fake News
The Real 007 Used Fake News to Get the U.S. into World War II The Daily Beast
(furzy). If I had a quid for every Brit identified as the real 007… (FWIW, I think the model was Fitzroy Maclean author of the splendid Eastern Approaches— pick up a copy if you can. You won’t be disappointed.)

Jen Gold StockholmJanuary 30, 2017 12:38 PM


'too lazy and dysfunctional'

[dulcet feminine tones]
"Bzzzzzzz. I'm sorry JG4. Server is detecting invalid input. Please try again."

'(FWIW, I think the model was Fitzroy Maclean author of the splendid Eastern Approaches— pick up a copy if you can. You won’t be disappointed.)'

no it was Popov. Ian Fleming stated as much more than once. They had been professionally acquainted. Fleming also witnessed Popov in a casino behaving in a way that became the exact inspiration for scenes in Casino Royale

Mike LooJanuary 30, 2017 1:38 PM

One more point: the human spies are like malware. You patch the hole, they will tweak their method and improve.
I'm at the airport taking a flight to the embassy, hope I get there in one piece. Notice these persons at the airport:
1) the guy with the yellowish dyed hair who walked past me a few times at McDonald's and Hudson coffee.
2) the tall bespectacled guy who followed me to the water cooler outside the just-washed toilet at the Jetstar terminal.
3) the fat guy with long shiny greased hair combed all the way back, who is at the same boarding gate as me, taking the same flight.

I have seen ALL 3 of them before at some other places and times.

Nick PJanuary 30, 2017 2:03 PM

@ people into hardware or EE

Texas Instruments is giving away two, free eBooks you might like:

Analog Engineer's Pocket Reference

Handbook of Amplifier Operations by Brown (revised for modern stuff)

First link requires sign in for some reason. Second is just a PDF.

Another I got in recently is Embedded Muse 310 and 311 with some neat tricks for monitoring firmware. The mainframe trick was pretty cool. Stuff like this might have future value in subset of research concerned with monitoring properties of chips to detect defects or subversion.

MarkHJanuary 30, 2017 2:04 PM

@Mr Loo:

With great respect and compassion, I observe that you express some doubt as to whether you have detected surveillance, or (as you put it) over-observing things.

I have a little personal experience (one friend who was going through this himself, and two friends who told me accounts of a friend or relative) with folks who worried (or became convinced) that they were under surveillance.

It's worth noting that all three were bright, creative people.

To be sure, this sometimes happens in fact. It is worth considering, that if all of the things you have recounted here were indeed examples of surveillance, this would represent an operation costing quite a great deal of money and limited personnel.

To my knowledge, such an effort is reserved for cases of extremely high priority, and rare in practice.

Changes in brain function, which often occur in the late teens through mid 20s, and seem to be more prevalent in men than women, frequently provoke such apprehensions.

I encourage you to seek the best professional advice you can, with respect to your concerns and in support of your peace of mind.

I wish you continued safety, and best luck!

My InfoJanuary 30, 2017 2:50 PM


@Mr Loo:
Changes in brain function, which often occur in the late teens through mid 20s, and seem to be more prevalent in men than women, frequently provoke such apprehensions.

What??!! Another shrink run amok? An online diagnosis of dementia praecox? You are just as crazy as your "patient" here!

FYI: changes in brain function occur not only in the teens and 20s, but even from the earliest development in the womb throughout life, as we acquire experience, wisdom, and maturity, outgrow old interests, and develop new ones. Such changes are universal, and certainly no more common among men than among women.

Reminds me of "the male" troll a while back....

My InfoJanuary 30, 2017 2:53 PM


Nor does anyone dispute the fact that all of us are under constant surveillance of numerous government spooks and peeping toms.

MarkHJanuary 30, 2017 3:36 PM

@My Info:

Suggesting that a person who seems quite worried seek advice from a professional, is an "online diagnosis?"

Diagnosis, if indeed a problem is present, is the job for a qualified professional who has the opportunity to gather sufficient information to make an evaluation.

If somebody says that he feels intense pain in his chest and left arm, and another without medical qualifications replies "you're having a heart attack," that is an amateur diagnosis which has a high probability of being wrong.

If the response is, "better get to a doctor right now!" that is simple humanity.

I plead guilty to poor sentence structure. Hopefully clearer version:

Such apprehensions are frequently provoked by certain changes in brain function, which often occur in the late teens through mid 20s, and seem to be more prevalent in men than women.

That is my layperson's understanding.

MarkHJanuary 30, 2017 3:54 PM

Ransomware Goes Electromechanical

At an Austrian hotel attackers reportedly:

(a) disabled (I presume, "re-keyed") the electronic locks of several guest-room doors; and

(b) shut the hotel's staff out of the computer system used to make new card-keys

The hotel paid the ransom of 2 bitcoin, and management is considering reverting to old-fashioned mechanical-key door locks.

To resist paying the ransom, when guests are standing by complaining that they can't get into their rooms, would be a very hard stand for a hotelier to make.

The news story refers to a fiction TV episode in which a "hacker attacked a law firm in the middle of a prominent case, encrypting its files and demanding a $50,000 ransom."

As it happens, I was talking with an attorney in his office not long ago, who told me he had just had a lot of his documents encrypted by ransomware and was discussing with me what he might do.

That ransom was also something like 2 bitcoin, as I recall. It would make sense for attackers to target law offices, where the cost of not paying (in the absence of complete and safe backup) will often be so high that payment of a "moderate" ransom is a likely outcome.

tyrJanuary 30, 2017 4:17 PM


+2 for the toilet snorkel.

I know that one of the MacArthur admins problems
was that Tokyo didn't have a map. So the American
Army had to make one for the Nihongi. It may be a
result of Asians distrusting officials with too
many records available. It could also be because
most humans are stuck in the same place most of
their lives by choice. The ones that roam go all
over the planet, but folks left behind avoid any
trip past ten miles if they can do so.

Given the swarming season currently in China the
idea they can get by without maps is a mind boggle.


There are two strategies, one is to be a fixture
or basically furniture that isn't noticed, the other
is to be so outrageously exhibitionist that no one
suspects any ulterior motives. both take advantage
of stereotype pigeonholing (the human substitute
for thinking). Hiding in plain sight.

rJanuary 30, 2017 5:04 PM

@en Leiu of,

Carry double sided tape and a couple throw aways if you're being tailed, if you dive around a vacant corner smack the thing to a wall or a window real quick.

There's fake electrical face plates for iPhones that have been used in bank assaults and things like a fake brick or a metal cover with a couple screw holes could work wonders on the obnoxious playbookers when faced with some ad hoc ingenuity.

Have fun, turn the license plate readers against them if you haven't already.

It's better to be safe than to be sorry.

My InfoJanuary 30, 2017 5:18 PM

@MarkH • January 30, 2017 3:36 PM

Suggesting that a person who seems quite worried seek advice from a professional, is an "online diagnosis?"

You're really stretching my patience, Doc. It is totally unprofessional to chase your patients in the loo and diagnose them on the toilet. The firefighters need to stick to the hook-and-ladder business, the police need to stick to enforcing actual criminal laws that have been passed by the legislature or Congress of the appropriate jurisdiction in accordance with the appropriate state and national constitutions, and the EMTs need to stick to, err, actual medical emergencies.

That teen/twenties changes in brain function bullshit you're talking about, that just doesn't cut it. You "groomed" these kids when they were under eighteen, and did who knows what with them then, and now that they are of age, it's open season in the loo with them? I don't think so, Doc. It's high time to fuck off and get out of the loo with you and your professionals' cocked-up mental diagnoses.

rJanuary 30, 2017 7:14 PM

@My Info,

By your own words that makes you what? A professional loon¿

If someone wants to make an arm chair diagnosis or a recommendation let them, their retort is no different than you me or anyone else offering their unverified expertise to an Internet denizen.

Free speech and open discussions promote awareness and education.

easy_rider_#9January 30, 2017 7:17 PM

@Mr. Motorcycle Man wrote:

"Japanese Government Requires Java and" ...

No big deal; some live dads include:


for other uses

JG4January 30, 2017 9:34 PM

@ab praeceptis

You are correct that it is very early innings to compare Trump with any of them. We'd have to be quite unlucky for Trump to reach credible comparisons with the serious killers. Even Kissinger fell short of Hitler, Stalin and Mao.


I didn't write the newsclip, just excerpted it under fair use exemption. I was giving due credit to the Popov origin. It may be that there were multiple inspirations, even if most of it is due to one person.

jen gold stockholmJanuary 30, 2017 11:19 PM

actually I realised you did this when I checked out the page. Hard to tell what's going on there, so many (highly interesting) quotes and links crammed in!
I hope you swap your lazy and dysfunctional self diagnosis for something else. I don't believe it. oh dear just committed a syntax error! I offered an alternative unsubstantiated internet diagnosis! I may get my license revoked!
Oh the horror, the horror! Shwarz?! Brando?! Anybody?!
On that note, @ My Info and, in fact @ everyone else : this is excellent, quick reading which @ Wael will agree can be somehow tied into security.
mental health is the only area of western medicine whereby no tests are conducted to demonstrate a diagnosis. there is no proof of correlation between poor mental health and brain chemistry:

WaelJanuary 31, 2017 12:31 AM

@jen gold stockholm,

[...] will agree can be somehow tied into security.

Anything can be tied to security. Challenge us with a counter example!

ab praeceptisJanuary 31, 2017 2:51 AM


I'm sorry to say the following but I feel it needs to be put on the table:

Is there some kind of brain-eating disease spreading wildly in the us of a?

Even Bruce Schneier, a doubtlessly highly intelligent man and experienced thinker seems to be hit by the disease (albeit relatively mildly, I'm happy to note).

1) This blog is about security. There's a gazillion of blogs and media propagating unfounded hysteria.

Is it really asking too much when I expect that we stay plus minus on topic and within the bounds of reason (minus the occasional exception. We're human, after all)?

2) security is *not* achieved by hysteria, nor by painting anyone as the new Hitler!

3) *we/you will need better security!* - no matter who happens to run the ship.

If you really think that Trump is the new Hitler or evil Joker or whatever, then you'll want and need security; secure communication, secure data.

If you happen to be a Trump fan, then you'll also want and need security (as far as we can tell, neither clinton nor soros will just quietly pull back and who knows, the german bnd might even grow from a cia outlet into some kind of intelligence agency).

No matter what exactly drives you into panic, you will need security. Period.

So for gods sake, cut all the hysteria already and let us return to what this blog is (was?) about and what we (at least some of us) are here for and know about, security.

I'm not too itchy regarding politeness. Sometimes some gas in our intestines just escapes; that's OK, we are all humans. But as soon as it gets massive it's considered both reasonable and polite to go to the bathroom.
Same thing here. An occasional fart doesn't do harm and can be forgiven. But kindly realize that massive farting will not increase safety and security. So, please, use the bathroom (there is plenty leftist blogs out there) and don't poison and/or occupy our virtual conference room.

Reminder: openssl just these days extended its bug, leaks, and crap portfolio. So, again: There is a real need for knowledgeable people to discuss security. Kindly don't disturb us.

Jen Gold StockholmJanuary 31, 2017 3:28 AM

@ Wael
> Anything can be tied to security. Challenge us with a counter example!

I love you Wael

ThothJanuary 31, 2017 3:50 AM

@ab praeceptis

"openssl just these days extended its bug, leaks, and crap portfolio"

Probably one of the bugs that does not die when put into strong acid or irradiating it out. No easy cure until all programming languages stop binding their crypto implementation to OpenSSL and start to actually look at better alternatives. Most languages do a bad job at that anyway (PHP, Ruby ...etc...).

@Bruce Schneier and @Moderator need to really clean up the forum more frequently to keep its cleanliness without fear of verbal attacks for "censorship" to allow proper security discussions to take place.

MarkHJanuary 31, 2017 4:14 AM

@ab praeceptis

1. When your:

• contributions to security technology
• distinguished career in said field
• extraordinary effectiveness in communicating important security matters to the general public

are comparable to Mr Schneier's, you might succeed in establishing a forum attracting interest and attention on the level of this blog.

When that day comes, you will have the discretion to define the scope of subject matter as you please.

2. For those of us who have taken some time to read Mr Schneier's writing over the years, it is clear that he considers the topic of security broadly and comprehensively.

In his work, and on this blog, "security" is not limited to technologies, techniques, information security, opsec, and the like, even though those are very frequent topics of discussion.

Control of Earth's most powerful and influential government has passed to those whose beliefs, mindset, ethics, qualifications and temperament are far outside the parameters of US historical precedent.

Is it wrong to regard this as a matter of significance to the most fundamental dimensions of security?

A puzzle for the bright minds here. We know about a person P that:

(a) P composed a set of persons who are in some respect(s) equivalent: {Hitler, Goebbels, clinton, Idi Amin}

(b) P darkly implies that George Soros is a danger to individual security

When P uses the word "hysteria" ... what does it mean?!?!?

Often as I read comments on, I wonder "is the writer practicing a sophisticated form of irony, or suffering from a crippling deficiency in self-perception?"

Dirk PraetJanuary 31, 2017 4:36 AM

@ ab praeceptis

I'm sorry to say the following but I feel it needs to be put on the table

Putting up for discussion issues like the recent EO "limiting" privacy rights for non-US citizens has nothing to do with brainrot or partisanship, but directly relates to security. Asking questions about the implications of the new POTUS most probably using an old and insecure Android from a security vantage is just as relevant as discussing a breakthrough in homomorphic encryption.

That is of course unless you want to limit the forum to technical matters only, and which IMHO would be shortsighted. If the Snowden revelations have taught us one thing, it is that the fate of safety, privacy and security will not be decided on the engineer's drawing board but at the legal - and thus political - level. We can come up with whatever we want, but it will be pretty much useless when fighting resourceful adversaries with not only formidable technical skills but who also have the law on their side to work around whatever we throw at them.

It's one of the main reasons I have become exceedingly interested in the legal aspects of privacy and security. And it doesn't take a genius to see where that battle is currently going. If tomorrow someone gets a bill through Congress mandating backdoors or outlawing E2E encryption, 10 years of technical discussion overnight becomes irrelevant.

I do get that not everyone is equally interested in these topics, and that indeed they are often politically biased, but I do believe it comes with the territory just as much as changing diapers comes with a baby.

@ Thoth

@Bruce Schneier and @Moderator need to really clean up the forum more frequently to keep its cleanliness without fear of verbal attacks for "censorship" to allow proper security discussions to take place.

I concur. My previous reply to @ab praeceptis notwithstanding, I have no problem with @Moderator removing any of my comments if I stray too much off-topic when getting all worked up about authoritarian trolls on a mission spouting nonsense and doing so in a less than civil way. However much I get that neither @Bruce nor @Moderator have the time to micro-manage this blog, I'm not sure how tolerating folks whose very user handle is calling everyone with a dissenting opinion losers is bringing added value to this forum.

ab praeceptisJanuary 31, 2017 4:59 AM


Congratulations, going ad hominem you managed to disqualify yourself in record time at the first attempt.

@Dirk Praet

With all due respect, you might want to reconsider that. It may seem like what you said *if* one - erroneously and untenably - assumes that the us of a until now did not utterly ignore (to avoid saying "shit on") the rights or privacy or <insert favourite desirable> of non-us-americans.

And those victims are the lucky ones! Others, like, for instance, the people of Iraq, were a lot less lucky.

Moreover as plenty of victims who even are/have been us citizens clearly demonstrate the us of a did not even care about the basic rights or privacy or <insert favourite desirable> of many of its own citizens.

Furthermore we know that 5 eyes (lead by the us of a) spy on everyone incl. their "friends" and invite (to put it euphemistically) their friends to also spy on their own citizens.

From what I see the country across the ocean has been the single most evil terrorist state and offender of the basic rights (let alone privacy) of pretty much everyone who didn't happen to be a colluding billionaire for decades, no matter the party affiliation of the captain running their ship.

The only real difference was *how* they played it. With Iraq and plenty others they played it overtly brutal while with others - including their own citizens - they made the effort to disguise their lawlessness behind a "democracy and rights" charade.

The major issue I see with Trump is that he might actually be serious about reinstating some basic rights at least for the citizens of his own country. (note the "might", not "does" or "will", just "might").

We need every bit of safety and security we can possibly get. This is neither anti-usa, nor anti-clinton, nor anti-Trump; this is merely stating a matter of fact that should be obvious to everyone with some mental capability left to see reality behind all the charades.

We need safety and security and from what I see there is only one way to get there: to properly examine and analyze, to properly conceive and design, and to properly implement.

Dirk PraetJanuary 31, 2017 5:59 AM

@ ab praeceptis

We need safety and security and from what I see there is only one way to get there: to properly examine and analyze, to properly conceive and design, and to properly implement.

I just couldn't agree more, but I can only repeat what I previously said: what's the use of it all if our work can be legally subverted, worked around or downright banned? Then it just becomes an intellectual circle jerk by a bunch of basement geeks.

The major issue I see with Trump is that he might actually be serious about reinstating some basic rights at least for the citizens of his own country.

If it provides any clue, I find nothing serious about the recent immigration EO, at least not from a security vantage. Regardless of political bias, its legality or the way it has managed to further divide American society, it is fighting a phantom menace, at least according to a CATO Study on Terrorism and Immigration, and from which I quote:

Casualties by terrorist attacks on US soil by nationality (1975-2015):

- Libya : zero
- Yemen : zero
- Iraq : zero
- Iran : zero
- Somalia : zero
- Sudan : zero
- Syria : zero

Number of Trump Hotels, offices or other businesses in said countries: zero

rJanuary 31, 2017 6:00 AM


Do you have a list of other forums where railing against international privacy is acceptable or is this just the only one?

I would be interested to see what keeps you here if the discussions BLOW so hard.

Regards, your friend and companion in this invasive world

rJanuary 31, 2017 6:04 AM

Maybe, it's your job to belittle all of us (some of us, whatever).

And maybe just maybe, you don't like your job.

You certainly don't sound like you do.

ab praeceptisJanuary 31, 2017 6:22 AM

Dirk Praet

what's the use of it all if our work can be legally subverted, worked around or downright banned?

I understand that pov and I also understand that things can look rather discouraging at times.

However: The problem class to say "fuck you!" to eavesdropping or even repressive governments is a very different one from the technical one - and one that is easier to solve I think.

For one there will always be other governments which are more open. I happen to know even some eu countries who are not exactly eager to obey every Orwellesque whim of the us of a (which means a lot considering that the eu has become but an obedient colony of the us of a).

Moreover, the political problem class (let's call it that for the sake of simplicity) is technically easier to solve, e.g. hide whatever crypto system one comes up with within https. Have done that, know that it works nicely. But there are other approaches, too; steganography comes to mind.

The basis for everything, however, is good crypto and proper implementation (read: *not* ssl/tls crap).

My motivation happens to be largely of a technical nature while others might be motivated politically but no matter, the basis is always good security engineering.

JG4January 31, 2017 6:39 AM
Big Brother Is Watching You Watch

Trump’s Flack Says She Doesn’t “Resemble” Terrorists: Except this One New Economic Perspectives

FBI Forced Twitter To Share User Data Without Legal Warrant, Company Reveals As Gag Orders Lifted International Business Times

@ab praceceptis

I forgot to mention that Goebbels and Rove are blood descendants of Bernays

rJanuary 31, 2017 6:52 AM

I would argue, that no matter which side of the discussion you sling rocks from - that only a very small percentage do so for reasons other than "feeding their family". This obviously includes both trolls proles and advocates of personal security and privacy, denouncing others for a different "incorrect" view is the absolute worst thing to do in the face of what should be viewed as economic motivations for voicing one's opinion of how to better feed their families.

Trolls included asshole, denounce that.

MarkHJanuary 31, 2017 9:21 AM

"going ad hominem you managed to disqualify yourself"

Is that a logical response to an argument?

Or a textbook example of ad hominem?

Either a sophisticated form of irony, or a crippling deficiency in self-perception.

I lack the data to ascertain which.

Either way, well played!

john bJanuary 31, 2017 11:19 AM

Trump to sign cyber security executive order

The president is expected to sign an executive order on cyber security at 3:15 p.m. The order will advise agency and department heads that they will be held accountable for cyber security, CBS News’ Mark Knoller reports.
No vulnerability study has yet been made, according to a White House official.

Just before he signs the order, he’ll hold a “listening session” with cyber security experts.

Masshole State PoliceJanuary 31, 2017 11:26 AM

@Dirk Praet "I find nothing serious about the recent immigration EO, at least not from a security vantage."

Your straightforward public-health analysis is quite right, as far as it goes. The nationality of the excluded migrants does not indicate risk. But when risk stems from clandestine programs that move their geographic focus, Bayesian probability can't keep up.

The effect of the ban is to halt the conveyor belt supplying CIA assets like Mateen, Tsarnaev, Al-Hazmi, or Al-Mihdhar. Domestic assets like these are precisely controlled and protected, but sooner or later, Oops! they get away, and then there are attacks on the civilian population which the government uses to justify enhanced repressive capacity.

For a spectacular example of this risk, ask Ibragim Todashev. Oh wait, you can't, he's dead. Fortunately the poor bastard was able to get some things off his chest before he was summarily executed by a death squad, to wit, Aaron McFarlane, Joel Gagne, and Curtis Cinelli. A little international cooperation will hang that death squad out to dry and expose a lot of universal-jurisdiction crime.

MarkHJanuary 31, 2017 3:17 PM

Trump to sign cybersecurity executive order

... or, not

A little while ago, the White House announced without explanation that Trump will not be signing a cybersecurity executive order today.

This reportedly followed much publicity and fanfare earlier today, for the now-canceled signing.

It's like watching a toddler play with a loaded handgun: relentless gut-wrenching dread, knowing that needless tragedy may erupt at any moment.

albertJanuary 31, 2017 3:35 PM

@john b,

"...The order will advise agency and department heads that they will be held accountable for cyber security...."

A great move, but:"...Just before he[Trump] signs the order, he’ll hold a “listening session” with cyber security experts...."

And boy, will he get an earful:)

-No- bureaucrat wants to be 'accountable for cyber security', not even Directors of Cyber Security.

Either Trump is very clever, or there's nobody home upstairs. Either way, it'll be interesting...

@Mike Loo,
I'm guessing:
1. You speak Chinese
2. You have written papers about cybersecurity, etc.
3. You have knowledge state actors are interested in.
4. Your workplace is of interest.

. .. . .. --- ....

Dirk PraetJanuary 31, 2017 4:05 PM

@ Nick P

Most hilarious response I've seen to it

I've seen that one before. It's been dubbed almost as many times as that famous part from "Der Untergang" in which Hitler goes all bonkers on his chiefs of staff.

Nick PJanuary 31, 2017 6:37 PM

@ Dirk

That's possibly the best one of all time. So good it makes me want to watch the movie at some point but just haven't chanced it being a foreign film. Too bad they were trying to take the remixes all down. Marcus Ranum's on cloud computing was the first I saw.

Jen Gold StockholmJanuary 31, 2017 8:52 PM

@Nick P

That's possibly the best one of all time. So good it makes me want to watch the movie at some point but just haven't chanced it being a foreign film. Too bad they were trying to take the remixes all down. Marcus Ranum's on cloud computing was the first I saw.

you don't like foreign films, Nick P? oh dear I would have assumed you were exempt from the well known 'north americans can't read subtitles' malady. no disrespect to our north american readers intended.

you should definitely watch it ('Downfall' is the English title) it is excellent.
Also recommended for various reasons not least an accurate depiction of the police state, two other german films set in GDR:

The Lives of Others &

Jen Gold StockholmJanuary 31, 2017 8:59 PM

@ Ab Praeceptis

Thank you for your open statement - articulate and relevant as usual - and I appreciate and support your position. I find it unfortunate you have so far been only met with disdain rather than a resonance with the spirit of your position; if not the details. I don't get the overt or defensive reactions.
I am certainly a contributor to the off topic tangents for which your rebuke was well received if not the specific target.
Perhaps a constructive step forward would be to open the discussion for specific technical tangents that support the argument you are making, or raise certain questions for brainstorming. I am aware you have touched upon the need for this before around the time of certain recent bills in the UK, although I don't recall others rising to the challenge.

Nick PJanuary 31, 2017 9:36 PM

@ Jen

It's a cultural thing. Many of us are raised seeing certain styles of film. We expand into our own interests. Then, the foreign films can be *really* different due to how certain aspects of them are implicitly targeted to local culture's preferences and understanding. I've enjoyed some of them with first probably being Ghost in the Shell. Few animes I watch I do with subtitles on purpose. Whereas, the English translation of some Rammstein songs almost ruined them by having boring, soft lyrics to something sounding so dark and hardcore. I liked our Girl With Dragon Tattoo better because it was harder hitting and had Daniel Craig. I've enjoyed quite a few independent films focusing on foreign culture & scenarios but not necessarily made by foreigners.

So, the whole thing is hit and miss with me but I try. :)

Note: Just finished watching the new Arrival movie. Started as a Day The Earth Stood Still knockoff plus remix of some other elements cuz modern day Hollywood just reboots shit. Then, turned into quite a good presentation with unique elements & mystery. Gonna have to rewatch it. One of few that *might* have outdone the original. Will have to rewatch original, too.

AnuraJanuary 31, 2017 9:53 PM

@Nick P

Started as a Day The Earth Stood Still knockoff plus remix of some other elements cuz modern day Hollywood just reboots shit.

I have a really good rant about how all of the problems with the Hollywood reboots are because of capitalism, while explaining why this would not be a problem under market socialism. But, of course, all of our economic (and, for the most part, political) problems are caused by capitalism and just the general concept of the pursuit of power over others as a philosophy in general.

Although, at the next Convention for the Promotion of Big Government we are debating forcing New Hampshire into a participatory economy as a trial to see if it pacifies the population.

Nick PJanuary 31, 2017 10:18 PM

@ Anura

Definitely. Cracked has a nice summary. Disgusted to find out the reason I stopped seeing John Woo films. Broken Arrow was the shit back in the day. Then Deadpool was that many years in the making with it looking like a Kickass knockoff in some ways since they waited so long. Capitalism sucks. Either immediately or in the long run.

Nick PJanuary 31, 2017 10:55 PM

@ Wael


Definitely not following you about what was strange liking Broken Arrow. Feel free to elaborate.

Jen Gold StockholmJanuary 31, 2017 10:57 PM

@ Nick P
understood although I do echo @ Waels response!
@ Nick P @ Wael
Try the Norwegian film Headhunters. it somehow manages to perfectly balance bent humour, drama and thriller elements in an original and quirky way. And (Gasp!) manages to touch on security themes

and based on what you've written you may relate to the us-english 'safety not guaranteed'

Jen Gold StockholmJanuary 31, 2017 11:02 PM

@ Nick P

i was hoping robert rodriguez would be mentioned in your cracked article.
he realised from the beginning that having not enough money and not enough time was the perfect way to approach making a film - it forced you to be creative and inventive. He subsequently applies that as a rule to any project.
oh no the building burnt down before we could film it - that's fine just re write the script and film it burnt down - thats funny the film works even better now!

with this analogy and parallel variations we will note many parallels to our experience of tech actors, independent, fringe or state sponsored. those without the luxury of money or resources are forced to be more creative. Then there is eg microsoft on the other end

WaelJanuary 31, 2017 11:19 PM

@Nick P, CC: Jen Gold Stockholm,

Definitely not following you about what was strange liking Broken Arrow

Great movie! Nothing strange about liking it. The strangeness has to do with something else; serendipity, if you will.

Feel free to elaborate.

I will one day... has to do with this.

furloinJanuary 31, 2017 11:34 PM

@ab praeceptis

"Is there some kind of brain-eating disease spreading wildly in the us of a?"

Yes it is called herd mentality. The constant bombardment by corporate media doesn't help their plebs either. Then there is that pesky need to eat food and not get killed by NWO spies and etc.


"However as the old rider about "... but a coward lives to run away another day" has a lot of logic in it as does "There are the old, and there are the bold, but few are old and bold"."

Ah how much I miss the days of where fleeing to a mountain was all that was needed to avoid the madness. The youngins of this generation and the next will be enslaved long before having aged enough to realize that.

WaelFebruary 1, 2017 1:28 AM

@Clive Robinson, @Nick P, ...

This might warm the cockles of your heart,

It does, and brings back memories of the i860. At one point I dreamt of owning a quad i860 coprocessor board from Hauppauge or Midway, I forgot. Couldn't afford it at the time.

Stratus was a competitor to Tandem's NonStop Himalaya. I forgot the record of Himalaya. Been some time, it could still be running. ATMs and payment processing ran on them for quite some time.

Each pair executes the exact same code in lock-step. CPU check logic checks the results from each,

Sounds familiar, doesn't it?

OT question: When you see @xxxx, how do you mentally read it? I always find myself reading it: at xxx... annoys me because he is "at Nick P" in my subconscious mind!!!
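The lock-step pair quoted above, modelled in software as an added example; this is not code from the thread and not from any Stratus or Tandem product. Each replica runs the same step on the same input, and a checker compares every cycle's outputs before releasing anything: a pair can only detect a divergence and halt, while three replicas can outvote the faulty one and keep running. The `accumulate` workload and the bit-flip injector in `Replica` are constructed stand-ins for real CPU work and a transient hardware fault, and are assumptions of this example.

```python
"""Lock-step redundant execution with a compare-and-halt checker (added example)."""
from collections import Counter
from typing import List, Optional, Set, Tuple

MASK32 = 0xFFFFFFFF


class LockstepMismatch(RuntimeError):
    """Replicas disagreed; the checker withholds the result from the caller."""


def accumulate(state: int, value: int) -> int:
    """Toy 32-bit running hash standing in for real work; identical on every replica."""
    return ((state * 31) ^ value) & MASK32


class Replica:
    """One CPU of the pair/triplet, with an optional injected transient fault (constructed)."""

    def __init__(self, name: str, flip_at: Optional[int] = None, flip_mask: int = 0):
        self.name = name
        self.state = 0
        self.cycle = 0
        self.flip_at = flip_at      # cycle at which a soft error corrupts this replica's result
        self.flip_mask = flip_mask  # bit(s) that flip; an assumption, not real hardware behaviour

    def step(self, value: int) -> int:
        self.state = accumulate(self.state, value)
        if self.cycle == self.flip_at:
            self.state ^= self.flip_mask  # the injected fault; it persists in later cycles
        self.cycle += 1
        return self.state


class LockstepChecker:
    """Compares every cycle's outputs. Two replicas can detect; three or more can mask."""

    def __init__(self, replicas: List[Replica]):
        self.replicas = replicas
        self.halted_at: Optional[int] = None
        self.flagged: Set[int] = set()  # indices of replicas outvoted at least once
        self.cycle = 0

    def step(self, value: int) -> int:
        if self.halted_at is not None:
            raise LockstepMismatch("checker halted at cycle %d" % self.halted_at)
        outs = [r.step(value) for r in self.replicas]
        winner, votes = Counter(outs).most_common(1)[0]
        # Release only a strict-majority result; for a pair that means unanimity.
        if votes * 2 <= len(outs):
            self.halted_at = self.cycle
            raise LockstepMismatch("cycle %d: replicas returned %r" % (self.cycle, outs))
        self.flagged.update(i for i, o in enumerate(outs) if o != winner)
        self.cycle += 1
        return winner


def reference(inputs: List[int]) -> List[int]:
    """Ground truth: the fault-free sequence of states."""
    out, state = [], 0
    for v in inputs:
        state = accumulate(state, v)
        out.append(state)
    return out


def run(inputs: List[int], n_replicas: int, flip_at: Optional[int] = None,
        flip_mask: int = 0x1) -> Tuple[List[int], Optional[int], Set[int]]:
    """Feed `inputs` through n lock-stepped replicas; replica 1 carries the fault if any.

    Returns (results released to the caller, cycle of halt or None, flagged replicas).
    """
    replicas = [Replica("cpu%d" % i, flip_at if i == 1 else None, flip_mask)
                for i in range(n_replicas)]
    checker = LockstepChecker(replicas)
    released = []
    for v in inputs:
        try:
            released.append(checker.step(v))
        except LockstepMismatch:
            break  # a halted pair stays halted; nothing further is released
    return released, checker.halted_at, checker.flagged


if __name__ == "__main__":
    stream = [0x1234, 0xBEEF, 0x00FF, 0xCAFE, 0x0042]  # constructed input
    print("pair, no fault:    ", run(stream, 2))
    print("pair, fault @2:    ", run(stream, 2, flip_at=2))   # detects, halts after 2 results
    print("triplet, fault @2: ", run(stream, 3, flip_at=2))   # masks, flags replica 1
```

The detail worth noticing is that the pair never returns a wrong answer; it returns nothing, which is the fail-stop behaviour the quoted check logic is buying. Masking needs a third voter, and once a replica has been outvoted it keeps disagreeing because its state has diverged, which is why the flagged set, not just the released values, is the thing an operator would want to see.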

Dirk PraetFebruary 1, 2017 4:14 AM

@ MarkH

Your political "theology" isn't the problem.

It is however kinda hard not to miss the irony of someone attacking our host over "liberal bias" eventually outing himself not as a conservative, but as a national socialist advocating a take-over by an enlightened Supreme Leader to rid the Republic of a despotic Supreme Court occupied by traitors to the Constitution. However bitter the dissent of certain Justices on cases that didn't go their way, I don't quite think that's the remedy they had in mind.

That said, I am firmly with @Cider Warrior observing that the general disposition both of folks like @loser thingie and Trump himself - even under a veil of blind accusations, name calling and alternative facts - is making it very clear where everybody stands, ultimately forcing people to make hard choices what kind of future society they really want. It's gonna be a serious stress test for US democracy, and which I can only hope will prove more resilient than the Weimar Republic did in the previous century.

I don't think we have seen the last of @loser thingie yet. Analyzing his writing style and general demeanour, it was the same person as the @Trump Supporter who got banned a while ago, then proceeded by cloaking himself using Tor.

Dirk PraetFebruary 1, 2017 4:26 AM

@ Moderator

I am increasingly experiencing posting failures either with "invalid request" errors or comments just being blocked, no matter what browser I'm using. What's happening?

Clive RobinsonFebruary 1, 2017 6:58 AM

@ All,

It would appear that Trump's measures are already starting to back fire on him, in the High Tech Sector.

Basically organisations are already starting to put more than plans in place to move staff north of the border to Canadian cities like Vancouver.

The thing is once a tech company does have to move staff, not only are they not likely to bring them back ever, they are likely to move associated jobs up towards "Key Staff" thus other jobs will follow and soon the creative side will be out the door completely. Leaving only those sides that don't actually make money in the US. Then at some point the company will just move out of US jurisdiction to avoid other issues...

It will be interesting to see how they setup their corporate structure to avoid further politically inspired interference, not just with employees but customers as well.

MarkHFebruary 1, 2017 8:11 AM


The Cato Institute — which [loser] will be gratified to know is not a "liberal" organization — recently published a paper with estimates of the risk to each American, of being killed in a terrorist attack committed by various categories of immigrant.

This risk per year came out to roughly one in three billion for each of the categories of refugees and asylum-seekers*. So taken together, their estimated risk would amount to one American killed by such attacks every five years.

Their estimated risk from immigrants on ordinary visitor visas is vastly greater: see 9/11.

The Cato numbers are based on analysis of 40 years of data up to the end of 2015.

* The distinction is that asylum seekers first come to the US and are then evaluated for immigration; refugees are evaluated while they are still outside the US.

The "security" case for Trump's spasmodic assault against the world's most vulnerable is, in the words of the distinguished General Norman Schwarzkopf Jr, "bovine scatology."

It is an appeal to the visceral prejudices of the most ignorant Americans (and I can tell you, the most ignorant 30 or 40 percent of my homeland is Very Deeply Ignorant) ... and nothing more.

Clive observes that costs are already becoming manifest: they will be many, and they will be deep. The economic costs will be astronomical. The intangible costs will be on a scale exceeding all reckoning.

As if the damage to the foundations of the republic were not sufficient, we can expect heavy security blowback. The US and its interests abroad will not be protected by this action, but rather put at much greater risk.

The most dangerous enemies of the US and its alliances have just received a free gift, which they must be relishing.

Those in ISIS charged with assembling and training new fighting units, are likely making ready for a surge of new volunteers.

ModeratorFebruary 1, 2017 8:19 AM

@Dirk Praet: You've triggered a filter that puts certain comments into moderation. I've approved your comment, as well as previous ones that met the same fate.

ab praeceptisFebruary 1, 2017 9:27 AM


While I myself am rather pro Trump simply for the fact that he is not clinton, my point wasn't pro or anti A or B. Sure, the us of a still happens to be the master of the colonial empire and hence has a certain weight for us in the colonies, but still my education tells me to respect their election and the results thereof; after all it's their elections and not ours.
So I wouldn't laugh at clintonistas and I would respect their position as theirs, i.e. I wouldn't try to missionize them.

My point, the virus I was talking about, was about the *way* those (non-)discussions are done and about the frenzy.

This site is about security. Security, of course, touches political, social, ethical, and other aspects, too, but still security should be the main course here.
Similarly I understand that during the end phase of elections and shortly thereafter there is a certain frenzy and obsession and so security has to stand back for a week or two. It's similar to soccer championships. It's not pleasant and even regrettable but it is how it is; the brutal decultivation along with ever poorer education and intellectual standards take their tribute. I don't like it, I even despise it, but I tolerate it and I've had plenty of experience telling me that it just makes no sense to debate the masses.

But this isn't 4chan, this is the blog of a very well educated man with lots of academic experience and about a certain field where I would - blue-eyed and unrealistic maybe - assume a certain level of reason and behaviour.

In the last weeks issues related to security became rare and if someone happened to try it, (s)he would soon be overwhelmed by posts of serial shooters, and generally this blog here looked more like a looney bin than what I'm used to. One particularly unpleasant example is what seems to be relatives of @r (or maybe aliases) high-frequency serial-vomiting whatever happens to run awry in their heads into this comment section.

ab praeceptisFebruary 1, 2017 9:44 AM

Clive Robinson

re "Trump/high-tech"

There are many aspects to that, and yes, there is a widespread rather superficial perspective that is roughly this: high-tech is the largest corps. and the most successful ones of the us of a, so evidently Trump must be insane to piss them off or to harm them.

Well, not really. Trump is (among others) very much about jobs. The high-tech corps a) have been strongly pro clinton and have repeatedly worked against Trump and what he stands for, b) are lousy tax payers, c) have vast parts of their work outsourced and d) employ a *very* high number of aliens.

One might well feel that those corps take all advantages of the us of a and give back next to nothing.

Looking at Trump's position one will find that those corps can *not* simply leave the us of a. And keeping in mind that he wants to renegotiate nafta, the old equation "canada is just another us of a" might turn out to not hold true. My guess is that he will tax them quite brutally and they will have to pay because the us-american market is one they hardly can ignore.

Trump wants the us-american citizens to have jobs again and he means jobs that the average us-american can fill - which is not true for the high-tech sector which drains the brightest of many countries and for which most us-citizens wouldn't qualify. So for Trump that sector is by far less attractive and important than they think themselves.

My guess is that this is some kind of poker where in the end, some will leave but most will stay and bring back at least some production to the us of a - which then sees a happy Trump and happy us-americans. Alternatively they'll pay very tough taxes when bringing in their stuff from canada or elsewhere.

Kindly note (@all) that this is *not* pro or anti Trump but merely looking at a situation that happens to exist, be it for good or for bad.

rFebruary 1, 2017 10:10 AM


appreciate the polite response/explanation, don't believe it considering prior statements which conflict with your 'best foot forward' today.

It's the first of the month, are you out of viagra no hard on for us today?

You admit to despising it now, +1 for me. Maybe now we can drag you back into constructivism/activism instead of merely much munchausen munchkinism.

Stay focused, sharp like a laser: you disdain politics but you broadcast only a specific frequency. I'd like to believe you're smarter than that,

r u?

Dirk PraetFebruary 1, 2017 10:18 AM

@ MarkH, @ Clive

Clive observes that costs are already becoming manifest: they will be many, and they will be deep. The economic costs will be astronomical.

I'm not too convinced. Companies will just work their way around it, either on their own or by striking all sorts of "mutually beneficial" agreements with the very authorities imposing such restrictions. Only the little man will suffer.

In the wake of the Snowden revelations, many analysts predicted catastrophic suffering for US technology companies. They did eventually take some hits, but rapidly caught on and recovered while most of the world just carried on shrugging its shoulders.

Almost four years on, most of what was brought to light has effectively been legalised and/or replaced by even worse stuff. Despite a few small victories in court, most legal and constitutional challenges have gone exactly nowhere. Those in charge or blatantly lying about it to the general public were never held accountable. I could go on but I guess you get the picture. We had a similar scenario with the financial crisis.

I am not very optimistic that it's going to be any different with what the Trump administration is currently unleashing on the world. His electorate - without understanding the ramifications - applauds everything he does, the silent majority doesn't care and those that currently resist in due time will either be silenced or marginalized by the thought police.

Perhaps @ab praeceptis & co are indeed right and we should just stick to being a geek forum cultivating our own little security thingies, stash up on guns, sit out the entire thing with a strategic reserve of popcorn and then tell people "we told you so" when it all blows up in their face.

My InfoFebruary 1, 2017 10:22 AM

@jen gold stockholm

On that note, @ My Info and, in fact @ everyone else : this is excellent, quick reading which @ Wael will agree can be somehow tied into security. mental health is the only area of western medicine whereby no tests are conducted to demonstrate a diagnosis. there is no proof of correlation between poor mental health and brain chemistry:

Not only that, but there is no correlation between poor mental health and the shrinks' and shysters' allegations at law of poor mental health. However, don't expect that to even slow down the aforementioned shrinks and shysters. To this day, the so-called "mentally ill" are still loaded in cattle cars and railroaded full speed ahead to the gas chambers and crematoria.

The victory of WWII was all for nought.

rFebruary 1, 2017 10:30 AM

@My Info,

Please forgive me ahead of time, I've been trying to avoid this topic with you but:

"They've got a pill for that (everything)."

You of all people should be aware of that fact first hand.

HRT specifically: is one of those.

Tread lightly my brother in [h]arms.

rFebruary 1, 2017 10:35 AM

@My Info,

You and I both know, a large percentage of the medical community simply take advantage of both the market and the lack of education among those who comprise it.

Your enemy, my enemy is the same in this case - be aware of whose bullshit you're swallowing before you pronounce death upon those holding a shrinkray.

CallMeLateForSupperFebruary 1, 2017 11:16 AM


stopped working here. No problem, ever, and I know I used it recently because that's where I first read about the cyber penetration of that Austrian hotel. Today I get a (NoScript generated?) hard stop.

And no, I did not change NoScript settings in the meantime.

(GASP! Maybe I'm being "gaslighted". That web page *never* worked; I just imagine that it always did.)

trump_be_nimble ...February 1, 2017 11:45 AM

@Clive wrote:

"There is also the other issue of "your rights" police officers in several jurisdictions are required to read them to you and get an acknowledgment you understand them. It's going to be difficult to represent hysterical screaming as either being able to hear them being read or acknowledging them."
(currently that thread is closed)

In the USA often you are not read your rights until well after being detained, but in the police car or taken to jail. It might have to do with when you are under arrest.

fwiw years ago I exercised my legal right to not provide my name to a law enforcement officer (at least in some state(s) that used to be legal). Regardless, I ended up in jail for a few days. I don't recall what I was charged with, perhaps resisting arrest; regardless jail can be a good place to catch up on sleep for some (and there didn't use to be too much electromagnetic radiation inside, afaik)

Eff has something for Protesters or Demonstrators:

Anyone care to speculate on the power struggle going on in the USA (perhaps with life and death consequences) among:

the military
the various intelligence agencies
the white house
government organizations
the governments federal, state and local
law enforcement organizations federal state and local
the judiciaries
and so on.

In other words, what might "flies on the walls" be seeing?

ValeFebruary 1, 2017 1:27 PM

Our judges were told to use a potentially CIA controlled environment: Tor.

Why would they have to do that if not facing certain targeted hactivities?

Who would blanket target judges?

Criminals would target individual judges, individual prosecutors. Who would seek to co-opt an entire judicial subsystem?

Fewer exploits in this quarter, more sophistication. Were groups corralled? Recruited? Rounded up? Were they directly or indirectly directed or funneled into a single or smaller set of operations? If sophistication went up, and assaults went down, has there been some sort of standardization implemented on some board or drawing board somewhere?

My InfoFebruary 1, 2017 2:10 PM


Our judges were told to use a potentially CIA controlled environment: Tor.
Why would they have to do that if not facing certain targeted hactivities?
Who would blanket target judges?

Lawyers from big firms. That is a gold mine for a numerous reasons to be able observe judges' online activities.

Criminals would target individual judges, individual prosecutors.

Are you kidding me? We're talking organized crime. These "individuals" are just the low-level fall guys.

Who would seek to co-opt an entire judicial subsystem?

That would be the big bosses. They have already co-opted the entire system. They keep a low profile, and sell limited access to individual judges, individual prosecutors, etc. to subordinate mob associates.

trump_be_nimble ...February 1, 2017 2:55 PM


footnote(s) please; I recall hearing about something about judges and Tor awhile back.

@My Info
your link appears to be to an advertisement

ValeFebruary 1, 2017 3:08 PM

@My Info,

Interesting that I blatantly disregarded all your prior anti-mob rants until this post specifically, I don't think I shall ever read any of your "organized crime" responses the same moving forward.


Competing organizations, one gets closer to an existing institution and methodologies/counter-measures would have to be improved. VERY curious, thanks.


trump_be_nimble ...February 1, 2017 3:33 PM

@Figureitout wrote:
--Why would someone do that, I've had remote shutdowns before, but it's hard to distinguish between sh*t hardware, sh*t software, or an actual attack. All these remote shutdowns always happen when I have internet on. But if you care about that, at least take computer into bathroom w/ you, I'd never leave my laptop out in a public place unless I don't care about it.
yes I had wifi on, was on a laptop, probably plugged into a/c. why? I don't know. Perhaps, if it wasn't hardware or software, to remind me they can or to send me a message. software- the latest version of Tails (good download copy) I think. hardware- Intel chip, i5 or i7, 2 to 7 years old (last ssd or hdd format about 9 months ago). Being old like that, the PC could easily have been physically tampered with over the years or I could have been remotely hacked (bad firmware, for example). By my own admission, my opsec sort of sucks.
Recently, booting Tails from DVD "toram" with no persistence (not even inserting usb thumb drives; or saving to the "cloud" or webmail) and with Tor Browser Security settings set to "high".

Thanks for the other input and advice, too.

Tails appears to be planning to only support 64 bit microprocessors in the future (13 June):

Perhaps with additional funding, 32 bit chips, w/o things like Intel management engines, could be supported.

Bruce and Tails in the French media:

trump_be_nimble ...February 1, 2017 3:52 PM

@Vale @My Info

from :

"In a recent hearing related to the FBI’s mass hacking campaign, a judge revealed that a Department of Justice official had recommended Tor.

The US government has a complicated relationship with Tor. While the US is the biggest funder of the non-profit that maintains the software, law enforcement bodies such as the FBI are exploiting Tor browser vulnerabilities on a huge scale to identify criminal suspects.

To add to that messy, nuanced mix, one Department of Justice official recently personally recommended Tor to a room of over a hundred federal judges.

Ovie Carroll, director for the Cybercrime Lab at the Department of Justice, urged the judges to "use the TOR [sic] network to protect their personal information on their computers, like work or home computers, against data breaches, and the like," Judge Robert J. Bryan said in July, according to a hearing transcript released on Friday.

"I was surprised to hear him urge the federal judges present," Bryan said. Bryan was talking during a hearing on two motions to withdraw guilty pleas in the FBI's recent mass hacking campaign. In February 2015, the FBI took over a dark web child pornography site called Playpen, and deployed malware in an attempt to identify the site's visitors. Bryan has resided over several resulting cases from that investigation.

"I almost felt like saying, 'That's not a good way to protect your stuff, because the FBI can go through it like eggshells,'" Bryan continues. Of course, this isn't really true: although the FBI has had some notable successes at identifying criminal suspects on the dark web with technological means, it is not the norm.

It's worth remembering Carroll is not the only Justice Department or US law enforcement official to endorse Tor. According to emails obtained by Motherboard, one FBI agent was also an advocate of Tor."

besides criminals
criminal litigants
civil litigants
pro/anti abortion groups, etc
other interested parties in hacking judges could include, from above,
the military
the various intelligence agencies
the white house
government organizations
the governments federal, state and local
law enforcement organizations federal state and local
other judges
and so on.

After all today's FBI NITs are tomorrow's dissertations and fodder for script kiddies in the future (or something like that).

name.withheld.for.obvious.reasonsFebruary 1, 2017 6:00 PM

Building a wall to secure the border of our country is nothing less than idiocy and raw unadulterated crony capitalism carried out with the help of so called lawful organizations. The illegality affected by uninspired politicians cannot be allowed to stand. How about a fiber channel ribbon capable of sensing minute movements along a physical extent. At a cost of $5,000.00 dollars a mile, a project based on this design would save more than $2,000,000.00 dollars a mile. Compare

Fiber channel(s) : 5,000 per mile
Wall : 4,000,000 per mile

BUT WAIT--does the East Germany experience inform us about what this security model really represents?

Jen Gold StockholmFebruary 1, 2017 8:41 PM

@ Clive William of Orange Fiennes- Robinson

>You might like this slide deck,

thank you. I found that old post of yours as, after reading your reply on the other thread (thank you) I was interested in finding your previous comments about being bailed up in meatspace by 'employees of state non-thespian actors' (sic), but despite trying a few different search terms had no luck. Did find several hours of other unrelated Schneier reading, though :-) any search string suggestions appreciated by us all

@ Wael

the film Biutiful. how about watching it 'blind' without knowing anything about it. it will exponentially improve the experience

Jen Gold StockholmFebruary 2, 2017 2:32 AM

> It's the first of the month, are you out of viagra no hard on for us today?

if you don't have something constructive to further the interests of the community, would you kindly refrain from attacks on personality? I am having memories of a recent Friday squid populated with about 200 comments from an 'r' of a similar nature. Was that you?

Clive RobinsonFebruary 2, 2017 3:40 AM

@ trump_be_nimble,

After all today's FBI NITs are tomorrow's dissertations and fodder for script kiddies in the future (or something like that).

The problem is that as far as we know they are not the "FBI NITs"; they don't have the in-house knowledge or skill due to many of their recruitment and promotion requirements. Thus they buy them in from US universities and those who could be described as a halfway point between academia and commercialized script kiddies...

Money talks and a thesis can be published without being publicly so. Ask yourself which is easier: take a million, few questions asked, from the FBI towards your lab or research, or spend half your time failing to get grants that would not even cover the price of a research assistant, when the University you work in has turned itself into a hedge fund...

Clive RobinsonFebruary 2, 2017 4:40 AM

@ Valerie, Dirk Praet,

Tee and Krumpettes

And you forgot to mention the "false flag" attack against the CIA that was also a "Fundraiser" for the man ;-) That Brian Krebs mentioned in the article.

So smoke and mirrors drift and reflect confusion to a nice little profit... Why, with the FSB/KGB and the CIA involved, am I completely and utterly unshocked by this...

I wonder if a DNC person or their hired advisors have any comment to make?...

This is becoming like elementary quantum mechanics, with spin up and spin down giving great indeterminacy ;-)

Pass another bowl of popcorn, I'm just getting comfortable, with this Box Set :-)

ThothFebruary 2, 2017 5:09 AM

@Dirk Praet

"Perhaps @ab praeceptis & co are indeed right and we should just stick to being a geek forum cultivating our own little security thingies, stash up on guns, sit out the entire thing with a strategic reserve of popcorn and then tell people "we told you so" when it all blows up in their face."

If you realize, myself, and I suspect many other regulars, have not been all too bothered about proposing or getting new ideas or projects and discussing them here too often in the recent months. The only idea I discussed recently was regarding scripting languages for a VM and it was rather brief.

With all the atrocities, the clock still ticks on and Earth continues to spin. Very little changed. SSL/TLS already existed since the 1990s and it is only after the Snowden revelation that once ancient and esoteric technologies become a little more widely deployed. Things like 2FA and SSL/TLS become the more common security implementation but they are still not perfect.

We are still using Intel CPUs with ME despite all the petitioning and noise made around it. Intel continues to produce ME capable CPUs and there is nothing that exists to push the brakes on ME deployment. Even the Defense Industries are building products based off Intel's ME and stuff in a deliberate fashion (Intel SGX, TXT and all that stuff).

What can we do about Intel ME? Boycott it? Are ARM CPUs up to the task? Are we going to see the replacement of all desktops, laptops, tablets, servers and everything else with ARM? Is ARM even secure against backdoors (recall my rants on ARM TrustZone if you have forgotten)?

We are effectively building almost all of our TCB on flimsy security guarantees and platforms (i.e. Intel ME capable web servers running some NGINX or Apache or even IIS with your SSL/TLS private keys).

The best we can do is to secure our tiny little corners as best as we can despite the futile efforts. We need equally more hands to get down and dirty with practical implementations without relying on known broken or problematic platforms (i.e. OpenSSL et al.)

Dirk PraetFebruary 2, 2017 6:50 AM

@ trump_be_nimble

Perhaps with additional (TAILS) funding, 32 bit chips, w/o things like Intel management engines, could be supported.

Not gonna happen, unless they build it on something other than Debian, which made the same announcement already quite a while back. I regret it too, as I am currently running it on several cleverly disguised, *really* old machines without wifi, bluetooth and with a dead battery. I guess these too will now become BSD machines after June 13th. On the bright side, 2.10 has Tor that contains the revised code that allows Micah Lee's Onionshare and similar stuff to transparently run on TAILS. I hope they also add or allow for Tor Messenger and Ricochet in some upcoming release, either as optional add-ons or as a replacement for Pidgin.

@ Thoth

The best we can do is to secure our tiny little corners as best as we can despite the futile efforts. We need equally more hands to get down and dirty with practical implementations without relying on known broken or problematic platforms (i.e. OpenSSL et al.)

Indeed. One can only laud the BSD folks for having dumped OpenSSL in favour of LibreSSL. Not that it hasn't got problems of its own, but it's a step in the right direction. I wish some of the main Linux distributors would do the same. OpenSSL, like Flash, is dead, and anything either running or requiring it outside of dedicated dead zones and without a valid upgrade path should be put out of our misery.

@ name.withheld.for.obvious.reasons

...does the East Germany experience inform us about what this security model really represents?

The subtle nuance here being that the Berlin Wall was to keep people in, not out. But you never know, of course. If at some point the Great Leader reintroduces the draft for young Americans to go fight Bannon's wars against China and Iran, we can still see a massive exodus to either Canada or Mexico.

@ Jen GS

... would you kindly refrain from attacks on personality?

I believe this forum would indeed benefit from a prominent link on the home page pointing out the rules of engagement. Sockpuppeting, soapboxing, using multiple offensive handles, personal attacks and insults should be rewarded with an immediate temporary or permanent ban. @r has also already been asked multiple times both by @Moderator and others to refrain from compulsive consecutive outbursts that are irritating everybody.

rFebruary 2, 2017 7:08 AM


Gentoo makes libressl options readily available as USE flags for a lot of stuff. If you're building small purpose servers and ISOs it's very reasonable.

Clive RobinsonFebruary 2, 2017 11:51 AM

@ Dirk Praet, Thoth,

Not that it hasn't got problems of its own, but it's a step in the right direction.

For years I've been muttering that NIST should get its act together over frameworks, not algorithms.

If we had a standard framework then the APIs would be the same for both libraries, and changing from OpenSSL to LibreSSL or any other SSL library would be one heck of a lot less painful and could be at link time, not compile time, for most applications.

MarkHFebruary 2, 2017 12:12 PM

Secret Police Need Your Support
News that is sure to please some of our loyal readers:

Less than a month after Mr Trump acknowledged that cyber crimes targeted against US political entities (which, incidentally, were in electoral competition with Trump) were committed by Russian entities, he ordered a limited (and rather obscure) roll-back of sanctions against elements of the Russian Federation.

Specifically, Trump's order seems to help pave the way for the sale of IT equipment to the FSB (the renamed, and of course kinder and gentler, KGB).

To what end, tovarishchi? Ought to be a fun topic for speculation.

MarkHFebruary 2, 2017 1:41 PM

Secure Against What?

Recently, I suggested that Bruce takes a rather comprehensive -- or perhaps, holistic -- view of the scope of "security."

Several comments seem to express nostalgia for a narrower focus on the minutiae, the nuts-and-bolts of security tech. Personally, I acknowledge that this work is critically important, and with present trends more so than ever.

The broad perspective is very important too.

Prominent Putin critic hospitalized after sudden organ failure
Vladimir Kara-Murza is on life support in a medically induced coma, his wife said. She said the “clinical picture” was identical to that of an incident in 2015, when Kara-Murza almost died from sudden kidney failure.
At the time, tests found that the kidney failure had been caused by a poisonous substance, though it was unclear if Kara-Murza was intentionally poisoned or if it was an accident.
"The reason is unclear like last time. He's been active and healthy [recently]," his wife, Evgenia Kara-Murza, told the BBC.
Some are concerned that the Kremlin critic may have been deliberately poisoned.
Kara-Murza, a coordinator for the pro-democracy group Open Russia, was a close associate of opposition leader Boris Nemtsov, who was murdered in 2015.

Aspects of the Putin regime are openly admired, and already to a small degree imitated, by the US president.

To protect from moisture, we can assiduously apply conformal coatings, fit environmental gaskets, and even spread Henley's compound to seal the enclosure (Clive will know what all this stuff is) ... whilst the dam a few miles upstream betrays omens of impending collapse.

Jen Gold StockholmFebruary 2, 2017 2:11 PM

@ Mark H

>we can assiduously apply conformal coatings...

> Henley's compound to seal the enclosure

so, what you describe is the utility of Henley's coated all over the skin to protect against a certain style of Russian umbrella discreetly wielded by a London pedestrian.

MarkHFebruary 2, 2017 3:27 PM

A Different Interpretation of the Sanctions Change

From the NY Times, it isn't a relief from sanctions, but a practical adjustment initiated before Trump took office:

The technical explanation is this: Apparently Russian border and customs officials are connected to the F.S.B., so theoretically, any visit to Russia that involves payment of a border tax is a violation of sanctions — it would be material support to the F.S.B. That goes well beyond former President Barack Obama’s intent. The adjustment keeps the sanctions focused on the intelligence unit of the agency.

If this is the case, then it isn't such a tempting wellspring for speculation. Sad!

WhiskersInMenloFebruary 2, 2017 4:01 PM

Russia charges cyber security expert, FSB officers with treason
Posted Wed at 11:46am

The headquarters of Kaspersky Lab in Moscow.
PHOTO: A Kaspersky executive with ties to the Russian intelligence services was arrested on treason charges. (AP: Pavel Golovkin)
Russian Federation authorities have charged two officers in the Federal Security Service and an employee of cyber security firm Kaspersky Lab with committing treason in the interests of the United States.

To me the implication is that life just got scary for anti-virus folk and the next risk is weaponized and targeted not-anti-virus tools.

For mortals it makes sense to demand that flaws suspected or known by any be reported to OS vendors. OS vendors that fail to address reports risk being labeled as an agent for the other guy no matter who the other guy is. Bug reporting systems should minimize, even purge, retained metadata on the real chance that the bug reporter would be risking a lot.

Combine this with Ransomware attacks and the business of internet business things just got more difficult.

Dirk PraetFebruary 2, 2017 4:39 PM

@ Clive, @ Wael & @ Usual Suspects

Are any of you guys familiar with Neil Postman's Amusing Ourselves to Death? It would seem he totally nailed today back in 1985.

What Orwell feared were those who would ban books.
What Huxley feared was that there would be no reason to ban a book,
for there would be no one who wanted to read one.
Orwell feared those who would deprive us of information.
Huxley feared those who would give us so much that we would be reduced to passivity and egoism.
Orwell feared that the truth would be concealed from us.
Huxley feared the truth would be drowned in a sea of irrelevance.
Orwell feared we would become a captive culture.
Huxley feared we would become a trivial culture.

MarkHFebruary 2, 2017 5:08 PM

@Jen Gold Stockholm:

I aver that I have never walked in central London without wearing URB (Umbrella-Resistant Breeches, or Бричове Срещу Чадъри).

ThothFebruary 2, 2017 7:45 PM

@all, Clive Robinson, ab praeceptis, Dirk Praet

Apple continues development of ARM co-processors for its Macs. The new T310 ARM design that Apple is working on is envisioned to provide more deep system integration including access to storage, RAM and also allowed to access WiFi !!!

This can be an opportunity to allow security independent of Intel or it can be yet another death trap to lock users in. If they are not implemented openly, properly and with security in mind (usually these are not the virtues of big businesses who only care about the bottom line), it will be a double Management Engine (one from Intel in the Intel CPU and another in the ARM T310 by Apple).

Secure execution with a secondary smart card (I won't call it Trusted Execution), according to the paper called Trusted Execution Module (linked below with prototype code), that uses commonly available JavaCard based smart cards that can be easily purchased off the shelf, would provide a more assured security co-processor and can be widely adopted and implemented in the event you only have an untrusted computer you need to work with but you have a smart card loaded with the TEM module and some signed (and optionally encrypted) Secure Execution scripts for the TEM enabled JavaCard smart card to execute.

I did mention VM script languages due to the fact that the TEM paper uses a RISC approach for its VM, with which I fully disagree. I personally prefer a CISC approach for this particular use case for the TEM's VM due to the fact that the scripts are uploaded and held in RAM memory and, smart cards being constrained devices, RAM memory and EEPROM/Flash space are a rare thing; a RISC approach means that the bytecodes compiled would be too much for the RAM to handle while a CISC approach would mean reducing bytecodes to only the essential stuff. Also noting that the trend in smart cards is coming to a point where we are close to 1 MB of Flash storage (EEPROM cards are a thing of the past) and about 25 KB RAM (compared to 2.5 KB RAM in the past), the huge amount of Flash storage on the modern smart card chips (near 1 MB) is suitable for a limited CISC setup for a very limited set of Secure Execution functions, just enough for most common use cases (sealing, verifying, data comparison, simple 32-bit maths, simple bitwise operations, simple data manipulation ...) needed for Secure Execution use cases.


p smileyFebruary 2, 2017 8:08 PM

So in USA, so-called "trusted third-parties" - like Neustar, Subsentio, and Yaana - may handle warrants served from offices such as the Foreign Intelligence Surveillance (FISA) Court.

These third parties have ISPs and possibly phone companies as their customers.

The article below says that:

With permission from their ISP customers, these third-parties discreetly wiretap their networks at the behest of law enforcement agencies, like the Federal Bureau of Investigation (FBI), and even intelligence agencies like the National Security Agency (NSA).

Meet the shadowy tech brokers that deliver your data to the NSA

won elgoog llikFebruary 2, 2017 8:14 PM

That Google was lying should not come as a surprise to anyone. They are after all more dependent on users' willingness to hand over their data than the other tech companies (with perhaps the exception of FB).

NSA top lawyer says tech giants knew about data collection

Never mind the vociferous denials from tech titans like Google, Microsoft, and Apple. They knew the government was collecting their user data, the NSA's general counsel says.

WaelFebruary 2, 2017 9:03 PM

@Dirk Praet,

any of you guys familiar with Neil Postman's

His picture seems familiar but his writings aren't. I've been reading and listening to philosophy lectures lately. Strange because a year ago I wouldn't have thought I'd be attracted to that subject.

Seems he was a visionary.

ab praeceptisFebruary 2, 2017 9:35 PM

Thoth & security minded colleagues

I'm not so sure. While Arm is supposedly less rotten than x86 it is far away from being secure and trustworthy.
As for LibreSSL I commend the OpenBSD people for their effort to create something much more reliable and better than the openssl crap but I also see that ssl/tls is not the solution but a problem. To make it worse, looking at tls 1.3 clearly demonstrates that the tls people haven't heard the shot; they happily and ignorantly tumble on.

Rest assured that I'm busily working. But I have reasons to be somewhat reluctant towards the public. The reason is simple: We do not have the tools and people to *really* solve our problems.

For the time being it seems we have some rather few people who at least try their best and work hard at making our situation somewhat better. Thoth is an example.

Our 3 main enemies/obstacles are

- Plain stupidity, ignorance, rotten education

In that area I see us pretty much lost. While I'm pleased seeing some, e.g. the French, doing much to keep their capabilities up, I also see how deep most of the western world has fallen. Many universities produce hardly more than trained idiots nowadays. Sad story and tragic in our field.

We would urgently need a large amount of well trained IT engineers with a strong math foundation plus the capability to put their intelligence at work for more than "fun" (probably the single most evil poison. "fun" seems to have become the only motivation other than money).

- Utter greed and the capitalistic system in one of the worst forms

In that area I see some promising things happening. My main hope is that ASICs will become much cheaper and in particular realistic in even small quantities.
RISC-V will probably be on the more expensive end but there are also (simpler) cores where producing ASICs comes into reach.
On the software side I see Microsoft doing some great things. The important point there is in my mind's eye not their modern tools themselves (because usually they are tainted or crippled in one way or another) but the fact that the giant goes that route and the great many small teams and solutions that are created along the way.

- "Tradition" and history. ssl/tls is an example. One simply can't change to something better in a short time, even if one happened to have something better.
In a sense efforts like libreSSL, while certainly being laudable, are of little worth as much of tls is rotten in the core. To offer an example, ssl/tls is an open DDoS invitation.
We need to rethink much. We need to understand that our situation is *very* different from the one decades ago. Today whole states and economies depend on IT and at the same time evil doers have very capable means at their disposal.

I have something cooking that considers all that and that will offer *much better* security but unfortunately my client says he can't open source it. Sad. (I'll continue anyway because we damn need such stuff).

Nick PFebruary 2, 2017 10:03 PM

@ ab praeceptis

"In that area I see some promising things happening. My main hope is that ASICS whill become much cheaper and in particular realistic in even small quantities."

I'm working on it. The main problem, even ignoring development costs, is the mask costs. The masks are custom patterns that are run across a silicon wafer similar to how a printer runs the head across the paper. The masks are custom-made piece-by-piece using equipment that costs millions. The patents on better stuff take so long to expire that it will stay expensive to do high-performance, traditional designs. The main method of getting the cost down is multi-project wafers (i.e. shuttle runs) that split a mask & wafer between multiple parties. You're still looking at (MaskCost / PercentOfMaskUsed) + ($3,000perwafer / numberOfChipsPerWafer) * NumberOfWafers. It will require significant, up-front investment.

Now, people wanting microcontrollers, slow PCs for console apps, or clusters of shitty boards are in luck. There's open-source MCUs for that sort of thing that can be made on older nodes with low, per-unit cost. The J2 SuperH claims to be $0.03 per chip on a 180nm process. It will be that plus mask, packaging, distribution, etc. ;) The EuroPractice service says all of the 180nm processes start at about $1,100 per mm2 of prototyping... if you get lucky. Yet, if there was volume demand, the upfront investment on that might pay off.

ab praeceptisFebruary 2, 2017 10:31 PM

Nick P

Yes, the SuperH was one example I had in mind. You might know better but from what I heard a unit price of 50 cents with a lot size of 100_000 is quite realistic.
Now, sure, 50K$ isn't pocket change but certainly within the reach of countries and even of universities or larger groups (like, say CCC).

The SuperH is a fine processor but it brings up another point that I didn't address: Today most developers aren't used to caring about resources. Now, I would not demand that everyone does what I (and certainly you, too) did decades ago, namely to put work into saving yet another dozen bytes. But I'm quite sure that we must learn to be at least more reasonable in that regard than many are used to.

To cut out the bloat and the careless crap would at the same time help safety and security.

Finally I see the law of simplicity. The more complex something gets the more difficult it is to understand, verify, and control it. Yet another reason why I consider processors like the SuperH J2 very attractive. Moreover, we nowadays have the design blocks to add some specific support to those processors; stuff like M ladders.

Private note: haha, I'm not at all surprised (and actually pleased) that you and probably Clive Robinson would trigger on that. Sometimes being experienced and having seen a lot just pays off.

Clive RobinsonFebruary 2, 2017 10:34 PM

@ Jen Gold Stockholm,

so, what you describe is the utility of henleys coated all over the skin

Err I think that might get classified as "kinky behaviour"...

Technically Henley's is a "non drying void filling mastic" with high physical and electrical strength and low shrinkage.

At the very least I would advise a liberal coating of either "baby powder" or "baby oil" prior to trying to use it to make the equivalent of a plasticated rubber suit.

Several years ago some fashionista coined the expression "spray on pants" Henley's would be more like "slap on wet suit".

However I'm fairly uncertain as to if it would have --as some of my chemist friends would say-- "Toxicological disadvantages". Which is a bit like "politely" saying that Ricin and Polonium 210 "do not make good dietary supplements"...

Clive RobinsonFebruary 2, 2017 11:09 PM

@ MarkH,

Recently, I suggested that Bruce takes rather comprehensive -- or perhaps, holistic -- view of the scope of "security."

You might find my reply to another poster of interest,

Put simply, as CompSec practitioners we need to put our own house in order, such that we can show that unlike the charlatans we actually have an open verified method of evaluation and proof, based on reliable fundamental measurements.

As always solid foundations allow the building of reliable edifices that will survive.

Clive RobinsonFebruary 3, 2017 3:48 AM

@ Jen Gold Stockholm,

gchq staff sue bosses

That was back in 1982, and I actually remember it for reasons that it was not just GCHQ staff with their heads stuck in manky WWII / GPO headsets[1] for eight to fourteen hours at a time.

The fact that GCHQ staff were technically civilians and unionised at the time and thus could sue was anathema to certain politicians. In particular one Margaret Thatcher who got incensed about payouts of around five times the annual salary of low end civil servants. She then started working against the unionisation of GCHQ staff and eventually outlawed them on 25th Jan 1984 with the assistance of the USA.

The Conservatives have not changed, they have fought unions, but have found that the disabled and ill are much better targets as they cannot as easily fight back.

[1] To realise what they were like think back to the old tinny inserts in old fashioned phones, where you could at least take the handset away from your ears. These inserts had a bakelite slightly dished cover and a metal clip like a large C-clip that had a steel spigot about 3cm long and 4mm in diameter that went into a sprung metal strip about 25cm long and about 6mm wide that had been formed to go over the head. The wires were that awful rubber insulation with a woven outer cover that stank of old lino and calico; these were screwed to the exposed terminals on the back of the inserts... Oh and they were not always connected by "safety transformers" into valve radios with pentodes with 600V on the anodes and -90V on grid one. Sometimes they used paper insulation capacitors, that would punch/burn through. The only concession to protecting your ears was a selenium diode stack acting as a clipper. The line out these headsets were connected to was often next to or the same as the Speaker Out, which could put about 10Vrms into 600r headphones or 70-80r speakers; the problem was some of those earphones were actually not 600r but more like 50r, which meant your head would get very very loud, badly distorted and heavily clipped roaring static (the same sort alleged to be used for torturing people).

Dirk PraetFebruary 3, 2017 4:14 AM

@ Wael

I've been reading and listening to philosophy lectures lately.

For a most excellent executive summary, pick up a copy of Bertrand Russell's "History of Western Philosophy" (1945).

@ Clive, @Jen GS

Err I think that might get classified as "kinky behaviour"...

If you haven't read it yet, go get Tom Sharpe's "Riotous Assembly" (1971). You'll know why I'm referring to it once you get to the chapter. ROFL guaranteed!

Also note that there are Kevlar and other types of armor pants out there.

@ ab praeceptis

I have something cooking that considers all that and that will offer *much better* security but unfortunately my client says he can't open source it.

Sounds intriguing. Would your client object to sharing the general idea and would it fit @Clive's (very much correct) idea of being a replacement framework rather than just another set of algorithms and functions? I fully agree with your analysis of SSL/TLS being rotten and outdated, but the reality on the shopfloor unfortunately is that in practice it is very hard to get rid of. Any disruptive new technology not only will need to be affordable as much as it is appealing, but will also have to offer a practical replacement plugin for what we have today.

@ Ratio

You may have already seen this, but in case you haven't ...

That's the article that triggered my post.

It sounds like he's saying that today is Brave New World instead of Nineteen Eighty-Four. Why can't it be both?

Thinking about it, I'd say it has elements of both. Which is even worse.

WaelFebruary 3, 2017 4:39 AM

@Dirk Praet,

For a most excellent executive summary, Bertrand Russell

Yes! He was one of them. I started from the earliest ones like Plato and Socrates, Al Kindi, Descartes, Kant, etc.

@tyr got me hooked on the subject after I read the book he recommended (A World Without Time). Then Dr. Adnan Ibrahim got me more interested! Most of his lectures are in Arabic, but some of them are subtitled. Pretty sharp fellow with some unfamiliar views (to me).

The guy has a YouTube 30 hour lecture series on evolution and a few more on philosophy. Amazing amount of knowledge he has! Very controversial, too. But he defends his views pretty well -- he's a philosopher, after all!

ab praeceptisFebruary 3, 2017 4:52 AM

Dirk Praet

I'm awfully sorry but I'm not at liberty to talk a lot about it. I'm working, though, to get permission to tell at least a bit more about it or, even better, to have a part of it or a lite version open-sourced. Frankly, I'm not too confident at the moment but hey, maybe ...

I think I can talk about three interesting points, however. a) the client of my client basically approached them telling them that their research had shown them that ssl/tls was utterly unacceptable and that they needed "something like ssh/scp/sftp but really secure", b) they explicitly looked for a solution outside 5 eyes (and later, internally, I was led to assume that they are actually looking for protection against 5 eyes or at least that seems to be one major concern), c) they had the view (which I found sadly correct) that most are either network oriented or crypto oriented but they needed a solution for, as it was put to me, "everyday real world use"; from what I know one of their major concerns is DDoS.

rFebruary 3, 2017 6:00 AM

DDoS is a listener problem, an availability problem, an interface problem.

It permeates all layers, availability and accessibility are the double edged swords that will defeat us.

How should we protect oil pipelines that traverse AmerIndian soil?

How do we harden them?

Are there unreasonable protections? Should things that pass through the public domain be reasonably expected to be secure from defect and harm?

A deployment is a point on a graph, but like all graphs the lines they define extend for all time.

Moving forward, is your implementation extensible? Or is it a galvanized pipe in the ground prone to both time and corrosion?

If someone cuts into one end of your pipe, is it prone to pressure surges/changes?

Can I recognize endpoints?

Can endpoints recognize endpoints?

There's far more than 5 eyes that saw your response ab, please be careful in [h]arms way.

DDoS is an extensible problem, it scales far beyond the socket layer as we've seen with Tor.

Good luck.

Dirk PraetFebruary 3, 2017 6:54 AM

@ Wael

Then Dr. Adnan Ibrahim got me more interested!

Judging from the Wikipedia page, he sure sounds like an interesting fellow. It's kinda sad that we hardly ever hear of such people in our western MSM.

His claim that many western scientists back in the dark ages had gotten their mustard from Arab scholars is exactly how we learned it in school. And who in their turn had built upon the work of older civilisations like India, Babylonia and Assyria. There is however no denying that for quite some time the Arab world was a shining beacon of knowledge, science and enlightenment while us here in Europe for all practical purposes were a bunch of barbarians deliberately kept scared and stupid by a church that censored or persecuted anything that was even remotely deemed incompatible with its own teachings. I think it was Carl Sagan who once said that if it weren't for the Catholic Church and the (consecutive) destructions of the library of Alexandria, the theory of general relativity would already have been around in 1500.

It's just one of many reasons why I completely reject any ideology that is rooted in hate, fear and the supremacy of the word of $DEITY over anything else. BTW: if you can recommend any works like that of Bertrand Russell giving a fine overview of Middle Eastern philosophy, do send them my way.

Clive RobinsonFebruary 3, 2017 7:09 AM

@ Dirk Praet,

If you haven't read it yet, go get Tom Sharpe's "Riotous Assembly" (1971).

I know exactly what you mean. I read all the books years and years ago with keen eagerness (with the exception of the later "Wilt in Nowhere" book which I did not finish at the time).

Though, I will warn those not familiar with Tom Sharpe, that his works can be quite vulgar (when Wilt's wife overdoses him with a variant of "spanish fly" she has put in his home brew is a story line that is not for those with delicate sensibilities). As for his first two books, well they were written about 1950s South Africa and the mores of the time, and exploding ostriches are not to everyone's taste, nor the "aversion therapy" or lush psychiatrist.

Dirk PraetFebruary 3, 2017 7:51 AM

@ Clive

... nor the "aversion therapy" or lush psychiatrist.

The shenanigans of Konstabel Els and his elephant gun so profoundly changed my perception of LEOs that after finishing the Piemburg books I was never quite able to look at them in the same way again. Even more so than any "serious" anarchist or anti-authoritarian work I ever read.

MarkHFebruary 3, 2017 1:39 PM


Thanks for lifting my spirits!

Is that Benedict Cumberbatch in the website photo?

WaelFebruary 3, 2017 5:45 PM

@Dirk Praet,

you can recommend any works like that of Bertrand Russell giving a fine overview of Middle Eastern philosophy, do send them my way.

I haven't had the chance to read any of them to any depth sufficient for a recommendation. You know, these guys write volumes. And it's not like reading a newspaper!

I read (past tense) more from western philosophers.

WaelFebruary 3, 2017 8:11 PM


Relatively Painless Philosophistry.

I Kant understand it ;)

Dungeons & Dragons? @Bruce is going to be all over it! I'm willing to bet one of his passwords has a substring of it :)

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.