Friday Squid Blogging: Squid Communication through Skin Patterns

Interesting research. (Popular article here.)

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on February 10, 2017 at 4:25 PM • 135 Comments

Comments

My Info • February 10, 2017 5:17 PM

Law Enforcement Information Exchange (LInX)

LInX correlates and identifies hidden data and linkages across multiple jurisdictions, bringing them front and center for authorized users to see.

So what do you folks think about Northrop Grumman's Law Enforcement Information Exchange?

r • February 10, 2017 5:48 PM

Two curious links,

https://yro.slashdot.org/story/17/02/10/2048243/former-cia-analyst-sues-defense-department-to-vindicate-nsa-whistleblowers

(https://theintercept.com/2017/02/10/former-cia-analyst-sues-defense-department-to-vindicate-nsa-whistleblowers/)


https://yro.slashdot.org/story/17/02/10/191251/microsoft-allowed-to-sue-us-government-over-email-surveillance

(https://www.bloomberg.com/news/articles/2017-02-09/microsoft-can-pursue-suit-over-u-s-sneak-and-peek-searches)

r • February 10, 2017 5:50 PM

@Mobile Device User,

My apologies for the (http://broken.link.com), it won't happen again sir. ;-)

Fancy • February 10, 2017 5:52 PM

I had a thought today and I wonder if it's practical.

We are talking about hardware backdoors. Now what if we connect a laptop to an ARM device (or something similar) using the ethernet port, and have the extra device act as a filter for vPro communications and similar spying behaviour?

In addition, that extra device could run Tor or other software.

Is this a feasible idea?

r • February 10, 2017 5:55 PM

Eh, make it three:

'"The fact that all this started right after the election suggests to me that journalists are the next wave to be targeted by state-sponsored hackers in the way that Democrats were during it," said one journalist who got the warning. "I worry that the outcome is going to be the same: Someone, somewhere, is going to get hacked, and then the contents of their Gmail will be weaponized against them -- and by extension all media."'

https://politics.slashdot.org/story/17/02/10/1726206/state-sponsored-hackers-targeting-prominent-journalists-google-warns

(http://www.politico.com/story/2017/02/google-hackers-russia-journalists-234859)

r • February 10, 2017 5:59 PM

@Fancy,

Unless it's an older ARM or MIPS sourced from desoldering say an old DVR or set-top-box or something similar, probably not. There's no reason why you can't find an old MIPS and freeform it to a serial port or something similar, but then the problem is how do you program your creation in a trustworthy way?

Do you do it from your i5 windows 10 desktop?

Your core2 linux home server?

Maybe you write out the MIPS assembly on your ARM android?

To those who still have SUN and SGI laying around, you lucky dogs you.

r • February 10, 2017 6:06 PM

The safest method would be to bootstrap some handcoded assembly byte by byte, a la the inverse concept to 'clean room' coding practices. How much one would have to bootstrap for an older MIPS/ARM/Motorola though depends on what you're trying to do. This is where compiler questions and adventures in Lisp engineering come in: you can use qemu to emulate your proposed emissions to a point, but eventually you need to start dropping real stuff that's not intended for the structures and environments that qemu presents.

Ph • February 11, 2017 2:37 AM

@Fancy

>Now what if we connect a laptop to an ARM device (or something similar) using the ethernet port, and have the extra device act as a filter for vPro communications and similar spying behaviour?

Isn't that just a firewall?

keiner • February 11, 2017 7:28 AM

@ Fancy

If you want a monitoring device: Raspi 2 with openSUSE Linux, two USB-RJ45 adapters bridged, the built-in RJ45 to manage the device (headless setup).

Plug the two bridged RJ45 between whatever device you want to monitor (Windows machine, whatever...) and the switch it is connected to.

Now start a Wireshark session on the bridge and you get full control over each and every packet going in/out of your machine ;-)

Subsequently you could use a firewall software with comparable hardware to control data flow for each individual computer. It will be a PAIN for M$, but it's fun to do.

My Windows machines are in separated networks and have no internet access at all (besides "firewall rule updates" for the id*ot clients asking "do you use an up-to-date firewall on your computer?"). Internet only via VNC from a completely different network. Works fine here!

Dirk Praet • February 11, 2017 8:45 AM

@ Clive

UK comedian Frankie Boyle has a bit of an acid tongue on him, not just in standup but in his occasional pieces for The Guardian newspaper.

I know Frankie and read the article a couple of days ago. Some other interesting food for thought was an Amanda Taub piece from about a year ago that was linked in another Guardian article called Americans aren't as attached to democracy as you might think. It's called The rise of American authoritarianism and it paints a rather chilling sociological background behind the rise of Trump, which can easily be extrapolated to that of the alt-right in Europe and Brexit. In essence, it says that the real or perceived combination of fear of physical harm and social change threatening an existing status quo awakens the authoritarian disposition and calls for a "strong" leader in broad parts of the population while at the same time instilling authoritarian sentiments in those that are less prone to it.

Fancy • February 11, 2017 8:48 AM

@r, Ph, keiner

Yes, you could say that a firewall and monitor, but I should elaborate on the initial idea.

We are talking about hardware level backdoors on practically every laptop on sale. Let's assume for a moment that an ARM board similar to a rpi exists that isn't backdoored on the same level. (I know this is an assumption)

Now suppose you could use this board so that your laptop connects only through its ethernet port, which connects to the ethernet port of the board, which uses its own or a USB wifi circuit for wireless connection to the internet. Or even another ethernet port for wired connection since we got so far.

You could even run Tor on the board to use it as a Tor router, similar to the Whonix gateway.

Now let's take a look at the result. We can run monitoring software or a firewall on that device. However, is it possible, with the knowledge we have so far, to defeat things like the ME backdoor using this scheme?

As little is known about the way things like ME work and how they communicate, is it possible to implement a protection scheme like that and expect it to work?

(We all know the need for a backdoor-free CPU, but in the meantime I wonder about the next best thing)


AnonymousE • February 11, 2017 9:19 AM

@Aaron McFarlane

http://www.newsbud.com/2017/02/10/the-fbi-the-silent-terror-of-the-fourth-reich/
Lately, there’s been a lot of rhetoric comparing Donald Trump to Adolf Hitler. The concern is that a Nazi-type regime may be rising in America.
That process, however, began a long time ago.
In fact, following the second World War, the U.S. government recruited Hitler’s employees, adopted his protocols, embraced his mindset about law and order, implemented his tactics in incremental steps, and began to lay the foundations for the rise of the Fourth Reich.
Sounds far-fetched? Read on. It’s all documented.
...
All told, thousands of Nazi collaborators—including the head of a Nazi concentration camp, among others—were given secret visas and brought to America by way of Project Paperclip. Subsequently, they were hired on as spies and informants, and then camouflaged to ensure that their true identities and ties to Hitler’s holocaust machine would remain unknown. All the while, thousands of Jewish refugees were refused entry visas to the U.S. on the grounds that it could threaten national security.

I know. I'm transgender. I'm a prime target for these undercover government Nazis. Lately they've been coming out of the woodwork like silverfish, termites, and carpenter ants under Obama and Trump, because they so resent serving under a Black and a Jewish president, respectively.

JG4 • February 11, 2017 9:56 AM

http://www.nakedcapitalism.com/2017/02/links-21117.html
...
Big Brother is Watching You Watch

Russia Considers Returning Snowden to U.S. to ‘Curry Favor’ With Trump: Official NBC (Bill B)

http://www.nbcnews.com/news/us-news/russia-eyes-sending-snowden-u-s-gift-trump-official-n718921

What Happens to Communities When Streetlights Join the Internet of Things? DZone. Tony K: “Scorpion Stare, here we come.”

https://dzone.com/articles/what-happens-to-communities-when-streetlights-join

Google AI invents its own cryptographic algorithm; no one knows how it works ars technica (Chuck L)

https://arstechnica.co.uk/information-technology/2016/10/google-ai-neural-network-cryptography/

Clive Robinson • February 11, 2017 10:12 AM

@ Nick P and the usual suspects,

This might be of interest,

http://apenwarr.ca/log/?m=201612

As for buying the book, I'd try a library first. I read it some "herumph-um" years ago and I'd borrowed it from a person who was getting unhappy in the SixSigma world...

Clive Robinson • February 11, 2017 10:49 AM

@ Dirk Praet,

If you look back on this blog a few years you will find I recommended that Bruce and others read a freely downloadable book on "Authoritarian Followers". The field of study is now called "authoritarianism".

I don't think many people here at the time read it (Wael did and I think Nick P did). Whilst not as predictive as the Vox article claims of later researchers, it should definitely have raised a few red flags with people.

In essence from 20,000ft people are tribal unless they have not been brought up and continue to live in a tribe. They also tend not to think about tomorrow let alone what will happen 18-60 months down the road. Those who are authoritarian followers are in many respects very immature. They look for a strong leader like a small child says "kiss it better mummy". They also take an immature attitude to responsibility, they don't see that many of their troubles are their own fault and those like them. They could, if they had bothered, have kept themselves informed and educated ahead of the rest of the pack. Many of them did not get much out of school beyond K12 and went into work where brawn not brains put food on the table, and beer in the ice box. Others chose to bury themselves in "the good book" or similar text which whilst it helped them form a tighter community had the down side of making them even more tribal and authority following without question. They are in effect the tail end of the social norm distribution curve, and as long as they are with those of similar opinion get on with life unquestioningly, with their "elders" leading them like sheep. Thus not questioning if it's to new pastures or the slaughterhouse (see what happened in the Polish ghettos for an extreme example).

Wael • February 11, 2017 11:07 AM

@Clive Robinson, @Nick P,

I read parts of it. Well written book, informal style too. I like it and learned a few things, but never had the bandwidth to finish it. For some reason I got sleepy when I tried to ;)

You recommended it back in 2014, I think.

AnonymousE • February 11, 2017 11:56 AM

@Clive Robinson

Many of them did not get much out of school beyond K12 and went into work where brawn not brains put food on the table,

Intelligence, brains, education, what-have-you, all need to be applied, sometimes with considerable force, to "put food on the table."

and beer in the ice box.

That is sad.

Others chose to bury themselves in "the good book" or similar text

Sort of like the Bible, but not exactly.

which whilst it helped them form a tighter community had the down side of making them even more tribal and authority following without question.

Let's make sure we are following the right authorities. You have heard the frequent exhortation "Question authority!"

They are in effect the tail end of the social norm distribution curve, and as long as they are with those of similar opinion get on with life unquestioningly, with their "elders" leading them like sheep. Thus not questioning if it's to new pastures or the slaughterhouse (see what happened in the Polish ghettos for an extreme example).

The concept of "social norm distribution curve" pertains to social Darwinism, an extremely pernicious political cancer that appears to have overtaken much of society lately. Those basic principles of right and wrong, which may be found in the Good Book, will not fail when they are applied correctly, and we do not need "social norm distribution curves" for this.

Heyman Lucky • February 11, 2017 12:13 PM

@JG4: Well, Russia considering extradition of Snowden. If I were Dangerous Don, I just would tell the Russians Snowden would not be prosecuted in the US, so drop the geezer at the Russian border or wherever. After all, Snowden was just a clerical employee stealing NSA docs that were some 30 yrs old. No IT skills whatever, that guy. OK, maybe Word & Excel. Again, a pathetic joker with an inflated ego. What I really would want is getting hold of the Hacking Team pizza idiots. They are a dangerous bunch of criminals and not the clown Snowden. Seems the Schneier community rather likes the HT bunch.

Wael • February 11, 2017 12:15 PM

@Clive Robinson, @Dirk Praet,

The year was 2013. Here is the link you recommended back then. Was OT back in 2013; on topic in 2017. Seems your crystal ball has 4 year visibility.

Heyman Lucky • February 11, 2017 12:58 PM

May I remind the various posters that the US still is a democracy as opposed to the EU and its unelected clowns. Me knows, truth can be hurtful, above-all for the bien-pensants.

Iron Heel • February 11, 2017 12:59 PM

@Wael

Actually I wouldn't say it was OT, unfortunately this is the way democracy works. You have lots of people with little brains trying to find a strong leader to kiss it better. Like "we have all the solutions", "we have a fully blown program to counter the crisis" and so on. Some scam artists know how to play the game and get elected.

If you have ever tried to appeal to people's good judgement, then you know how badly this works, people don't have good judgement and don't feel they need it. They want good sensations.

Everyone who disagrees, keep in mind that the average person you meet on the street is not the average person you meet here.

Iron Heel • February 11, 2017 1:03 PM

@Heyman Lucky

Speaking of EU, Europeans themselves do have the warm feeling that they are very democratic, despite the fact their leaders have little care about their well being. In EU, you can easily go to jail for your political beliefs, yet most Europeans will shrug it off with something like "who cares" and "they were fascists anyway" and so on.

Thomas_H • February 11, 2017 1:03 PM

Worst back-up idea ever after "no back up" and "no functional back-up":

Back up your computer, including user files, to Usenet

Maybe a TLA could help this idea along by creating alt.all.your.data.are.belong.to.us, a newsgroup to which the really dumb can upload their sensitive files (although I guess the "us" would not be limited to "US", which might be a problem).

Heyman Lucky • February 11, 2017 1:10 PM

@Iron Heel: Means the 7m killed by the Huns are irrelevant? The EU is the world's only zone containing a country that started & lost two WWs.

Iron Heel • February 11, 2017 1:45 PM

@Heyman Lucky

While everyone thinks of Germany when talking about EU, other countries have strange things going on as well. Take Sweden for example, where political correctness has skyrocketed, or UK where the BREXIT referendum resulted in the side that lost it going crazy and saying things like "it shouldn't count because the pro voters are fascists" and things like that.

After all, even Berkeley has changed to the worst, so I guess it has become an international phenomenon.

keiner • February 11, 2017 2:10 PM

@Iron Heel

People are traumatised from the 2007/2008 crisis and it's one of the REALLY big PR or better propaganda stunts to forget about the banksters causing all the pain and grief and to direct the hate against the weakest in society, immigrants. And make people vote for an id*ot and his billionaire friends.

This is even sicker than this Iraq WMD brainfu*k causing 1 million of civilian casualties in a nonsense-war.

And now the Brannon fascho guy wants to destabilize Iran to start the next brainless war. The nonsense-wars are the only things to stabilize the totally rotten political and economic system of the USA.

Clive Robinson • February 11, 2017 2:22 PM

@ ,

Means the 7m killed by the Huns are irrelevant?

No more so than those killed in Russia, Poland, what became Yugoslavia, China, the Pacific and far east. Oh and for genocide Australia.

Then in more modern times Korea, Vietnam, various parts of South America etc.

It's hard to find a place that is not disposing of people for political reasons in the last century one way or another, and yes the US Executive has done it and is doing it one way or another, which does not bode well for US Citizens in the long run.

History shows authoritarian behaviour tends to end badly as the politicos and elites that pay them resort to Guard Labour and Extrajudicial activities. Somehow East Germany and South Africa managed to avoid the worst of it. Russia was not as lucky and things are coming back to haunt those living in Eastern Europe.

Even India and Pakistan are slowly getting to the other side, mainly because they have Nukes pointed at each other and MAD is actually a consideration... It's noticeable that the US is being a little more circumspect about North Korea now they appear to have nukes and more importantly delivery mechanisms that would appear to cover an awful lot of "US friendly territory" with a big chunk of the Pacific etc in range, Russia etc as well.

It would appear that there are two routes to a peaceful coexistence, MAD and Trade. The fact that the US wants to pull back from these does not bode well. But hey wait and see...

CallMeLateForSupper • February 11, 2017 3:47 PM

In my opinion, this targeting of the cellphones of ... um.. disruptive persons has jumped into the lead in "the race to the bottom" of morality. The targets are not terrorists nor criminals; they are proponents of Mexico's soda tax. To me, this attack smells of an arrangement between big business and corrupt government officials.

NSO Group is an Israeli company that sells exploit tools to governments. You know, one of the good guys (retch).

"Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links"
https://citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/

tyr • February 12, 2017 12:35 AM


@Clive

Frankie has most of it right. Trump seems to be a typical being who thought he could step in and fix all that was wrong with USA. But like Mckenna said, social systems that appear easy to tip over possess an enormous inertial moment. Being POTUS doesn't give you magical powers to do changes. That doesn't mean that the naive won't imagine that they could fix everything given the chance. Notice that the first clash with the legal arm ended in a defeat. That is how the system was set up here: the powers are supposed to act as a check on each other by dissenting. Consensus driven ass kissing is the road to Orwellian dystopia but it is touted as the way to act in a democracy. Fortunately the founding fathers of USA knew that an electoral college would block the rise of a limited interest candidate. The Congress and Senate would block the over-reach of any would be dictator whatever his intentions.

@ Wael

It is worth finishing that book. The authoritarian mindset forms an interesting 'reality tunnel' for people to function in.

Clive's contention about the death tolls matches my own reading in history. The other thing that occurs is the blindness inherent in accepting the narrative written by the victorious side in any conflict. If you start in 1870 it looks like France started WW1 and WW2 and barely avoided defeat in 1918 and was decisively beaten in WW2.

If you look at Wilhelm Reich on fascism it becomes a lot less of a mystery. With the voodoo tossed it no longer has hidden origins and that makes it easy to stop before it takes you on another toboggan ride.

The biggest danger of fascism is when its enemies demonize it as incomprehensible and mystically evil. That makes a nice epistemological cartoon for the propaganda mill but has absolutely the worst effect if you want to decisively defeat it.

I'd be hard pressed to say which US president of the last fifty years was the worst because of the lovely pantheon of loserdom on display. Beware of the superlatives when making a choice particularly when the antagonistic infotainment crew is busy at gaming the narrative.

@albert

Lakoff has a nice conceptual work on 'framing' as a way to guide not only your own narrative but what your political enemies are allowed to use. A very cute trick that goes under the radar for most folks.

Clive Robinson • February 12, 2017 12:44 AM

Oracle proving they don't learn

Having been told by both a jury and a judge that Google's use of the Java API clearly clears all the requirements for "Fair Use", Oracle appear to have signed a suicide pact with their lawyers...

https://arstechnica.com/tech-policy/2017/02/oracle-refuses-to-accept-pro-google-fair-use-verdict-in-api-battle/

The real reason Oracle's Java business is in tatters is down to their management, not what Google has done. If anything Google's use of the API could be easily argued to have improved the Java market, thus made life easier for Oracle's Java business.

Apple have recently lost their battle to get an injunction stopping sales of Samsung product, and worse had the "big money" aspect kicked out by SCOTUS. For those with slightly longer memories SCO imploded trying to fight Linux over similar claims.

Thus it's unlikely that Oracle will win what looks like "Patent Troll" behaviour with copyright claims. Even if Oracle do get a partial win it will almost certainly be pyrrhic, as that multi-billion dollar claim for damages is likely to get cut down to at best fractions of a cent on the dollar after the SCOTUS ruling that damages should not be based on the whole profit but a proportional part.

The real question now is what Google decide to do about Java. It's fairly obvious that Oracle are not going to stop coming at Google as they think they can grab a few billion dollars and thus have a form of "gold fever". Thus I'm sure there are some in Google who will recommend ripping Java out of Android one way or another, the question arising will be how hard that will be and how long it will take.

If Google do a total rip out of Java then Oracle will see it become a lot lot less popular and their supposedly tattered Java business will not improve and will get a load of tarnish on it as well. After all if you are a designer of a new product, are you going to go down the Java route or seek another less dangerous road?

r • February 12, 2017 3:22 AM

https://www.whitehouse.gov/the-press-office/2017/02/09/presidential-executive-order-enforcing-federal-law-respect-transnational

(a) strengthen enforcement of Federal law in order to thwart transnational criminal organizations and subsidiary organizations, including criminal gangs, cartels, racketeering organizations, and other groups engaged in illicit activities that present a threat to public safety and national security and that are related to, for example: (i) the illegal smuggling and trafficking of humans, drugs or other substances, wildlife, and weapons; (ii) corruption, cybercrime, fraud, financial crimes, and intellectual-property theft; or (iii) the illegal concealment or transfer of proceeds derived from such illicit activities.

Clive Robinson • February 12, 2017 7:26 AM

Snake Oil Extraordinaire

It's been a while since Bruce had a "Snake Oil" piece, and many will know the name came from Patent Medicine cons from back in the 1800's through early half of 1900's.

Back when electricity could be reliably generated in the mid 1800s there were various quack medicine devices using it (which lasted to today with brain frying by ECT...).

Less well known is that in the first half of the 1900's there were similar claims for radiation in its various forms. Most were totally fake in that they had no radioactive source. Some however were loaded down with so much they could make some tableware glow in the dark...

One such device was the "Radithor" which was eyewateringly expensive, and as it turns out would be not just dangerous but skin peelingly so,

https://carlwillis.wordpress.com/2017/02/03/a-nuclear-jockstrap/

As the author notes, the glow in the dark potential would not just have burned your snake, but everything else around...

ab praeceptis • February 12, 2017 7:29 AM

Thoth

I'm strongly doubting that that will happen.

For quite some major reasons. One being that one doesn't just completely change over a market with billions of devices. Another one being that both go and rust are no capable replacements.

But I'm also doubting that oracle does what it does merely for money. Look at it this way: Doing it they strongly push the message "See! Java is immensely important and capable and strong and powerful! Why else would a giant like google steal and use it for a major product line?"

Even better that marketing pays for itself; all oracle really needs to achieve is to get the pocket money for its legal costs out of google. And even if they failed it would still be a very major and worthwhile marketing gig.

As for java (don't get me wrong. As far as I'm concerned, java could be slaughtered tomorrow morning) I guess it'll evolve. Example: Scala.

Dirk Praet • February 12, 2017 7:40 AM

@ Heyman Lucky

The EU is the world's only zone containing a country that started & lost two WWs.

Technically, it was Austria-Hungary that started The Great War by declaring war on Serbia.

After all, Snowden was just a clerical employee stealing NSA docs that were some 30 yrs old. No IT skills whatever, that guy.

That is factually incorrect. He actually took several courses (Java, CEH) at a company I used to represent. Nor were the documents you mention 30 yrs old.

May I remind the various posters that the US still is a democracy as opposed to the EU and its unelected clowns.

Sensu stricto, the US is not a democracy but a republic. Even a former POTUS has gone on record to declare that the US "does not have a functioning democracy anymore". Contrary to the US, the EU - for better or for worse - is mainly an economic union, not a political one. The members of the EU parliament are however democratically elected. The EU Commission (ministers/secretaries), its President (~ prime minister), the President of Parliament (~ House Speaker) and the EU President are not.

In summary: however much you are entitled to whatever opinion, please try to get your facts right.

@ Iron Heel

In EU, you can easily go to jail for your political beliefs

Contrary to other countries, freedom of speech is not absolute here. Revisionism, public display of nazi-era symbols, racism, incitement to hatred and violence etc. are criminal offenses in most parts of the EU. And I would very much like the same to apply to political and jihadi salafism, its militants and sponsors.

Moreover, several countries have legally enshrined the concept of political and press crimes, which rather than censorship I (reluctantly) consider a necessary check on the freedom of speech just like "between consenting adults" is one on the freedom of sexual intercourse. Democracy, however flawed and imperfect, requires a strong line of defense to protect it from those that by trying to engulf the population in a universe of bigotry and "alternative facts" seek to destroy and replace it by some political or religious form of authoritarianism.

USA USA USA • February 12, 2017 8:28 AM

Sensu stricto, Dirk is being very very tactful to his new rah-rah patriot friends.

Heyman Lucky, since CIA took over in 1949 they pushed aside your first choice, Taft, for Ike, shot your second president and two unauthorized aspirants King and RFK, framed and ousted your fourth president, installed a guy who covered up the murder of your second president as your fifth president, conspired with foreign enemies to disgrace and defeat your sixth president, and shot the seventh. Then they just said screw it and ran the country with their own guys from 1989 to 2016.

They set up a Democrat party that systematically disenfranchises reformers and a Republican party that systematically disenfranchises Democrats. There's a third party but they get arrested whenever they show up to debate.

Your government has got 1 branch, CIA, and it's a criminal enterprise.

r • February 12, 2017 9:10 AM

@GRU GRU GRU,

No corpus delicti; do us all a favor since you're obviously adept at infiltrating our governments worldwide - show us evidence that what you say is true and that you well-of-thought-poisoners weren't involved.

Thank you ahead of time, PS. have you thought about how to respond to my query about your savings account yet?

Nick P • February 12, 2017 11:09 AM

@ Thoth

It's very possible they'll try to gradually ditch Java by introducing other first-class languages on the system. The primary possibilities are Go and Swift. The native SDK already allowed people to wrap it to use other languages. People have done interesting things with it. Go has the benefit of being more efficient than Java, their own I.P., and a huge ecosystem. The recent rumors are that, after it was open-sourced, Google is considering Swift. That language is *very* different from their current tooling in a way that would take rewrites and ports. The main advantage I see is that iPhone development will be done with Swift, too. That means any of those great iPhone apps could more easily port to Android or vice versa. One language for both major platforms could be pretty awesome.

They're definitely tired of Oracle's shit, though. Oracle's legal action, especially treating API's as copyrighted, led me to recommend nobody use anything Oracle makes whether it's open or closed. Too much liability.

Clive Robinson • February 12, 2017 1:30 PM

@ Nick P, ab praeceptis, Thoth,

... led me to recommend nobody use anything Oracle makes whether it's open or closed. Too much liability.

There is of course another reason: Oracle made claims about the security of some of its products, and got shot down in flames fairly quickly. A silly claim to make and a not unexpected result, as it would apply to almost any moderately complex software product.

But then they turned on their customers: if you remember, a fairly senior lady in Oracle gave an opinion on her blog that users investigating security faults in Oracle products were in effect "criminals" and should get treated as such...

It got taken down quickly but not before it got copied many times. It's probably safe to say that unless the opinion about the customers was not a general one amongst Oracle seniors then she would not have posted it...

Thus it's fairly safe to say that Oracle's attitude to their customers is behind the scenes fairly bad verging on evil.

Which bearing in mind the "Sun Culture" Java grew up in might well be a major cause of why Oracle's Java Business is in tatters and as others have noted in the past dysfunctional in many ways.

ab praeceptis • February 12, 2017 1:59 PM

Clive Robinson

While I fully agree, things seem more complicated. Major example: Sun, which today is somehow kept in romantically beautified remembering.

Fact, though, is that Sun committed multiple big idiotic sins. Two major ones were java and buying mycrapsql for a billion $.

So, for the sake of fairness it should be seen that Sun had it coming and still piled more idiocy on top of former idiocy.

Also for the sake of fairness it should be seen that oracle wasn't the worst grinder sun could end up in. Sure, oracle immediately started to brutally cannibalize the Sun corpse and to sully what they kept with oracle-isms, but hey, at least they didn't simply kill anything and everything surviving like HP did with Compaq (who again had bestialized DEC).

But in my mind's eye the real lesson to learn is that at least across the ocean "stupid and blunt but rich" tends to win over "brains and at least some engineering values".

Oh and btw, if SAP hadn't thrown overboard all quality it once had and rather tried becoming some kind of oracle, too, they could have killed Oracle easily.

SpookyFebruary 12, 2017 3:10 PM

@ Fancy,

I was trying to put together a post last week related to your query and never quite managed to finish it (much less test it). Unfortunately, this weekend is equally committed to a growing pile of external deadlines...

I think the answer to your question is a qualified Yes. It should be possible to block both inbound and outbound ME traffic, IFF (if and only if) the darn thing actually behaves in the manner described in the available documentation; of course, one can never be categorically certain (and if your situation requires that certainty, then as others have pointed out, you are probably better off relying on consistent OpSec, absolute segregation of your data and activities and non-Intel platforms).

As an example, suppose you have a RasPi with two wired ethernet NICs in bridging mode; it behaves like an invisible, non-IP-addressable filter. Communications with the RasPi are handled via serial console (using a breakout kit, etc). All inbound and outbound traffic (for all protocols) not explicitly passed is dropped by default. All traffic passing to or from ME (as determined below) is logged and then dropped by default. Because ME can be assigned its own IP address (while still using the host's MAC) all traffic passing to or from any IP other than that of our main host is logged and dropped.

By default, outside connections to ME arrive over TCP on a standard set of ports depending on the Intel AMT/ME version present on the host. ME has priority access to all traffic passing through the NIC, so it will intercept these special out-of-band packets before the host ever has a chance to see them or block them. When ME is active on your host, a full port sweep from an external machine (diff'd against the resulting host logs) would likely show missing packets in the 16K range, IIRC. This might be version dependent and there may also be additional ports held in reserve depending on the packages active in the firmware of a particular installation of ME. Inbound traffic on all of these standard ports will be logged and blocked at the bridge. If we assume that this represents the sole means of passing inbound traffic to ME (to thunderous laughter and applause) we still have the problem of catching outbound traffic when ME inevitably tries to phone home (whether externally prompted or not).

BSD and Linux hosts allow you to permanently constrain the range of ephemeral ports assigned to processes that want to communicate with the outside world. ME uses its own internal TCP stack for all communications, so flags, sequence numbers and port assignments will typically be at variance with those of the host stack, esp. if we adopt some non-standard settings (and we will). Keep in mind though, ME has access to all host assets including kernel memory containing elements of the host TCP stack; if ME should wake up one morning and decide to start forging host packets, there is nothing we can do about it. For hosts running Linux or BSD, we could limit all outbound ephemeral port assignments to some odd, narrow range--say, 60k to 63k. That would be adequate for your application pool and still offer a useful filtering criterion for outbound packets at the bridge; any outbound port assignments outside the specified range could be assumed to issue from the ME TCP stack, so they are duly logged and then dropped. Again, we (naively) assume that the behavior of ME is static and consistent, and that repeated communication failures would not result in some unusual measures being taken (hijacking host packets, etc). Because ME is a programmable device, its behaviors are always subject to change without notice (a perpetually moving target).

I suppose that there are a million little caveats worth adding here... but I really should consider sleeping soon. Despite an interest in these potential mitigations, I think the only real solution is the complete and total removal of ME from all systems intended to be part of a trusted computing base (TCB).


Cheers,
Spooky
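
The filtering policy Spooky sketches above (default drop, log-and-drop anything to or from an IP other than the host, block the AMT listening ports inbound, and treat any outbound packet whose source port lies outside the host's constrained ephemeral range as coming from the ME stack) can be written down as an ordered decision function and exercised against a handful of packets. The block below is an added example, not Spooky's code or anything from the thread; the host address, the allowed services, the ephemeral range 60000-63000 and the AMT port list are assumptions for illustration, and the sample packets are constructed. On a real Linux bridge these rules would be expressed as nftables/ebtables rules, and the host's ephemeral range would be pinned with the `net.ipv4.ip_local_port_range` sysctl.

```python
"""Ordered bridge-filter policy for isolating Intel ME traffic.

Added example only (not from the original thread). Addresses, ports and
the allowed-service list are assumptions; the sample packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOST_IP = "192.0.2.10"                 # assumed address of the protected host
HOST_EPHEMERAL = range(60000, 63001)   # assumed pinned ephemeral range on the host
# Assumed AMT/ME listening ports; adjust to the firmware version actually present.
AMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}
# Services the host is explicitly allowed to reach (assumed: DNS and HTTPS).
ALLOWED_DST_PORTS = {53, 443}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in"  = WAN side toward host, "out" = host toward WAN
    proto: str       # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def classify(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason); rules are evaluated strictly in order."""
    # Rule 1: the LAN-side endpoint must be the host itself. ME with its own
    # IP (sharing the host MAC) fails this check and is logged and dropped.
    lan_ip = pkt.dst_ip if pkt.direction == "in" else pkt.src_ip
    if lan_ip != HOST_IP:
        return "drop", "non-host-ip"
    # Rule 2: inbound packets aimed at the ME/AMT service ports never reach the NIC.
    if pkt.direction == "in" and pkt.dst_port in AMT_PORTS:
        return "drop", "amt-port"
    # Rule 3: outbound packets whose source port is outside the host's pinned
    # ephemeral range cannot have come from the host stack; assume ME and drop.
    if pkt.direction == "out" and pkt.src_port not in HOST_EPHEMERAL:
        return "drop", "foreign-src-port"
    # Rule 4: explicit allow list: host to permitted services, and their replies.
    if pkt.direction == "out" and pkt.dst_port in ALLOWED_DST_PORTS:
        return "pass", "allowed-service"
    if (pkt.direction == "in" and pkt.src_port in ALLOWED_DST_PORTS
            and pkt.dst_port in HOST_EPHEMERAL):
        return "pass", "reply-to-host"
    # Rule 5: everything else is dropped by default.
    return "drop", "default"


def run_policy(packets: List[Packet]) -> List[str]:
    """Apply the policy and return one log line per packet (constructed format)."""
    lines = []
    for p in packets:
        verdict, reason = classify(p)
        lines.append(f"{verdict.upper():4} {reason:16} {p.proto} "
                     f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} [{p.direction}]")
    return lines


def summarize(packets: List[Packet]) -> Dict[str, int]:
    """Count how often each reason fired; useful for spotting ME chatter in bulk."""
    counts: Dict[str, int] = {}
    for p in packets:
        _, reason = classify(p)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample traffic: one packet per rule outcome.
SAMPLE_PACKETS = [
    Packet("out", "tcp", HOST_IP, "198.51.100.5", 60123, 443),   # host -> HTTPS
    Packet("in", "tcp", "198.51.100.5", HOST_IP, 443, 60123),    # HTTPS reply
    Packet("in", "tcp", "203.0.113.9", HOST_IP, 41000, 16992),   # probe of AMT port
    Packet("out", "tcp", HOST_IP, "203.0.113.9", 1025, 443),     # ME stack phoning home
    Packet("out", "tcp", "192.0.2.11", "203.0.113.9", 60500, 443),  # ME with own IP
    Packet("in", "udp", "203.0.113.9", HOST_IP, 5000, 60200),    # unsolicited inbound
]

if __name__ == "__main__":
    for line in run_policy(SAMPLE_PACKETS):
        print(line)
    print(summarize(SAMPLE_PACKETS))
```

The policy is stateless on purpose, which mirrors Spooky's description but also shows its limit: an inbound packet that spoofs a source port of 443 toward a host ephemeral port slips through rule 4, so a deployment would pair these rules with connection tracking and, as Spooky notes, still cannot do anything about ME forging the host's own packets.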

Dirk PraetFebruary 12, 2017 4:42 PM

@ ab praeceptis, @ Clive, @ Thoth

Fact, though, is that Sun committed multiple big idiotic sins. Two major ones were java and buying mycrapsql for a billion $.

As a former Sun Microsystems SE, that's not the way I remember it. Java was developed by James Gosling, whom I met several times at our annual engineering conferences in the US, and was first published by SUNW in 1995. Far from being a sin, Java was initially hailed everywhere for its cross-platform capabilities and taking out much of the pain typically associated with C and C++.

You are however right that Sun was a master at acquiring other technologies for absurd amounts of money and then left them to rot. The way they destroyed the Cobalt product line was just one of numerous shameful examples of utter management incompetence.

What killed Sun in the end was their transformation from an engineering to an account driven company run by a Mexican army of VPs and middle management levels that lost product focus and alienated the folks on the shop floor from an executive management that over time had taken a bigger interest in their golf handicaps than in technology. By the time CEO Scott McNealy finally stepped down, it was too late for the company and the incredible moron that was his successor Jonathan Schwartz sealed its fate.

That said, I still do think very fondly of Sun. The combined brainpower of that place was beyond formidable and together with the inspiring presence of a number of mythical characters made it a truly great work environment until the Arthur Andersen accounting types took over and drove it right into the ground.

ThothFebruary 12, 2017 7:55 PM

@Nick P, Dirk Praet, ab praeceptis, Clive Robinson

An easy to install, manage and develop higher level language with support for PC/SC (smart cards) would be preferable. Usually that would mean Python (since they have PC/SC bindings) and I noticed that Rust has a somewhat maturing binding for PC/SC.

Something along the lines of self-contained executables like Java's JAR archive would be nice for easy transportation and also removes the problems of "dependency hell".

tyrFebruary 13, 2017 1:43 AM


@r

That's the first shot across the Yakuza's bow. I know they never expected to have an enemy show up later as POTUS but revenge is best when served cold.

@Clive

There were some touting trips into the depths of old mines for the benefit of breathing the Radon gas in the tunnels. If cancer cures your other health problems then you need a better class of doctor. Some of the electro gadgetry was a marvel of science and fun to play with. Purple sparks dancing across your skin like lightning bolts probably scared the Hel out of the bacteria in the area.

Clive RobinsonFebruary 13, 2017 4:34 AM

@ tyr,

If cancer cures your other health problems then you need a better class of doctor.

Funny you should say that, but it's not too far from the truth of other diseases...

For instance prior to antibiotics, which came about during WWII, one of the worst possible things you could get was syphilis; its manner of killing people was most unpleasant and prolonged, and in the tertiary stage you would be seen by most as "Carrying the mark of Cain" and condemned to be hidden away from others. Then somebody remembered that others had noticed that intense fever had beneficial effects on various types of disorder such as epilepsy...

http://blogs.discovermagazine.com/bodyhorrors/2014/05/31/pyromania-syphilis-malaria/

Other parts of that blog cover popping out people's eyes and ramming an ice pick into the front of the brain to mess it up like scrambled eggs.

Dirk PraetFebruary 13, 2017 4:57 AM

@ Thoth

Usually that would mean Python (since they have PC/SC bindings) and I noticed that Rust have a somewhat maturing binding for PC/SC.

I highly doubt Rust in one way or another would be able to gracefully displace Java given the huge Java ecosystem and user base out there that has had 20+ years to mature. It is just very unfortunate Java ended up with Oracle instead of, say, IBM. Lots of people consider Oracle the epitome of corporate evil in the IT world, with several of my former Sun colleagues still working there lovingly referring to their employer as "Horracle". There's just too many suits, accountants, lawyers and spreadsheet managers there to nurture a culture of creativity and innovation, as a consequence of which they are more into what @Clive would call "rent seeking", of which the ongoing legal battle with Google is the best, be it quite sad, expression. Would it have been any different at IBM? Hard to say, but being familiar with both corporate cultures, I'm fairly confident IBM would have gone about several things in an entirely different way than Oracle did.

As for Google's own Golang, I highly doubt they would be willing to invest the resources required for a massive transition from Java, with an additional downside of Golang having no runtime modularity, which makes it unsuitable for any end-user operating-system level APIs. So unless Oracle would still find a way to prevail in court, I think it's safe to say that Google will probably stick to Java for now.

rFebruary 13, 2017 6:03 AM

@tyr,

Yakuza or not, I posted it because the GRU falls into this category at this point due to their recent hiring practices.

I woke up this morning to my wife trying to shove this down my throat:

https://www.youtube.com/watch?v=l3tQT35CKnE

Yay! Could it be?

http://www.snopes.com/muslims-chanting-on-video/

Now she's mad at me because she doesn't understand the concept of dubbing and bouncing tracks. W/e maybe I'm wrong, I certainly wasn't there to validate these claims!

The funny thing is, I can see her mouth moving but there's literally nothing coming out.

rFebruary 13, 2017 6:08 AM

It's utterly (pun intended) AMAZING how far a little giftwrapping goes for people impressed by shiny new things.

rFebruary 13, 2017 6:20 AM

@JG4,

134,000 clicks with little to no effort.

How much does google pay per-impression? I take aspirin almost daily but there's no way to quell this kind of inflammation.

@ 5cents an impression there's an easy 600 bucks for ya.

After all, nobody watching even realizes that video is being taken from a helicopter/drone. Where'd the audio come from? If this is the type of thing you want to do to your fellow man then go ahead, just remember when the class action lawsuit opens up against you with the new anti-libel laws your tiny little hands won't be able to hang onto enough Bill Clintons to pay for your liar. (not really directed @JG4, consider it more of an anti-defacation rant)

ThothFebruary 13, 2017 7:25 AM

@Dirk Praet

All it might need is for Google to use its Android NDK layer and create more support for LLVM on NDK (which seems to exist) and then push in an official Golang VM. One benefit would be posturing which would probably signal to Oracle to drop their nonsense or Google might actually do it (move to Golang or something else).

Another thing Google needs to do is to create a layer somewhere along the NDK that will support most of the functions the very important Android Java features would require (i.e. Keystore, Crypto), and the Java functions would simply act as "DLL calls" into the NDK layer function, which would allow cross language usage of highly critical functions with very little friction and allow developers to decide which languages to use without bothering with the lower layer stuff.

By pushing critical functions to lower layers and not allowing them to be exposed to the higher language layer, it may be useful in preventing corruption that occurs on the higher levels from spreading downwards, if done correctly (kind of like a separation based security on a bloated Android TCB, which is like a passing dream and has been :D ).

Well, all these said, it's all a fantasy regardless of how easy or hard to implement because Android is essentially Google's property (despite being "Open Sourced").

JG4February 13, 2017 7:59 AM


"tell us a little bit about yourself" and we will weave into a rich tapestry that sells for a lot of money

http://www.nakedcapitalism.com/2017/02/links-21317.html
...
Big Brother is Watching You Watch

Erasing yourself from the Internet is nearly impossible. But here’s how you can try. WaPo

https://www.washingtonpost.com/news/the-intersect/wp/2017/02/10/erasing-yourself-from-the-internet-is-nearly-impossible-but-heres-how-you-can-try

In Jharkhand, compulsory biometric authentication for rations sends many away empty-handed Scroll.in

https://scroll.in/article/829071/in-jharkhand-compulsory-biometric-authentication-for-rations-sends-many-away-empty-handed

Mission possible: Self-destructing phones are now a reality Yahoo.com (Chuck L)

https://uk.news.yahoo.com/mission-possible-self-destructing-phones-134642092.html

Slime Mold with MustardFebruary 13, 2017 8:27 AM

@JG4
In 1974, I purchased a book titled "Privacy: How to Protect What's Left of It".
I was still in grade school; since then I have been hyper-alert to paper traps/trails. I am damn hard to find on Intelius. I tried to get my kids into anonymity - good fucking luck with that!

When I tried to link the page for the tome, my hard drive started spinning. Good to know the folks at "Privacy Journal" are on the job! : (

Dirk PraetFebruary 13, 2017 8:53 AM

@ Thoth

Well, all these said, it's all a fantasy regardless of how easy or hard to implement because Android is essentially Google's property

I know for a fact that quite some Sun defectors had a serious hand in how Android developed at Google. One of the biggest mistakes Oracle made regarding Java was treating Gosling in such a totally disrespectful way that he was left with no other option than to quit.

@ r

Guy from NASA's JPL is away in Chile racing solar powered stuff, comes home to CBP/DHS demanding he unlock his secured company phone.

There still seems to be quite some confusion about this. Although technically the CBP cannot make you give up any password without a warrant, refusing to do so as a non-citizen may prevent you from entering the country, while as a citizen you can get detained and have your devices seized for further examination. This can rapidly cost you hours of your time.

If for whatever reason you cannot or will not give up passwords or PINs, it's better to travel with blank devices and restore from cloud or other backup once you get to your final destination. If, like in this here case, it involves crossing borders with company devices, it's up to your IT team to provide you with a working strategy. EFF has a pretty good paper on this.

rando mFebruary 13, 2017 9:46 AM

Even though the travel ban was overturned, the current administration has probably given new marching orders to the customs officials through more direct channels...

Wouldn't surprise me if they did this to Bruce one day (unless they only do it to US citizens that have more foreign-sounding last names).


NASA scientist detained at US border until handing over PIN to unlock his phone
http://www.computerworld.com/article/3168975/security/nasa-scientist-detained-at-us-border-until-handing-over-pin-to-unlock-his-phone.html


Sidd Bikkannavar understands that his last name may sound foreign, but he is a natural-born U.S. citizen who has been working at NASA’s Jet Propulsion Lab for 10 years. He was flagged by U.S. Customs and Border Protection (CBP) for extra scrutiny when returning to the U.S. from Patagonia where his vacation consisted of racing solar-powered cars.

After his passport was scanned at George Bush Intercontinental Airport in Houston, Bikkannavar was detained by CBP until he handed over the PIN to his government-issued phone.

At first, the border agent asked him questions that CBP already knew the answers to since Bikkannavar is enrolled in CBP’s Global Entry program which gives “pre-approved, low-risk travelers” expedited entry into the U.S.; before being approved for the program, CBP says “all applicants undergo a rigorous background check and in-person interview before enrollment.”

Bikkannavar has traveled extensively, but he had not visited any of the countries listed in the immigration ban. Although he asked the CBP official why he was chosen for extra scrutiny, the agent refused to answer his question.
...
After his phone was returned, Bikkannavar turned it off until he could give it to the JPL IT department. While he didn’t say what was on the phone, he did tell The Verge that the “cybersecurity team at JPL was not happy about the breach.” Since the incident, JPL has given Bikkannavar a new phone with a new number...

D-503February 13, 2017 11:50 AM

@rando m
Racing solar-powered cars? Good Lord, if that isn't cruizin' for a bruisin' from the authorities, I don't know what is.

I wouldn't be surprised if the current administration has already started watchlisting NASA engineers who accept mainstream science on the shape and age of the Earth. Trump has already publicly threatened to shut down NASA's science programs over NASA's claim that the Earth is a sphere*.

Watchlisting US citizens for their opinions or work has a precedent under the Obama administration: I've run into a couple of US citizens whose computers were seized because they were on three-letter agency watchlists. In both cases, the individuals had worked for arts and human rights organizations involved in 1st Amendment protected political advocacy. This was the apparent trigger for watchlisting. In both cases, the individuals are US-born, white, from Christian backgrounds, and have names that are as un-"foreign" sounding as you can possibly get. I doubt they are the only ones. And I doubt Mr. Bikkannavar's ethnicity had much to do with his detention by CBP. I could be wrong, though: There are still a few officers who have a chip on their shoulder about visible minorities, and the current administration is likely to hire more of the same in the near future.

*Global warming is a touchy subject in the English-speaking world right now. Many politicians have staked out the position that anyone who doubts the Biblical Truth(TM) that the Earth is a flat rectangle is a Terrorist(TM). Trump's appointees are particularly extreme on this topic. The irony is that Trump is the least churchy President in living memory. But he's part of the unholy alliance between powerful short-term commercial interests and right-wing religious fundamentalism. Without a public outcry, I think it's inevitable that modern telecommunications and computer technology will be used to crack down on citizens who don't fully conform with corporate/religious dogma.

ThothFebruary 13, 2017 11:54 AM

@all

Re: NASA JPL Phone Breach

Nothing can be done to increase security of smartphones. As long as the market is concerned about making bucks and trampling on their customers and the customers are not bothered about protecting themselves, every plan that can be laid on the table be it multi-factor authentication or external hardware encryptors would simply be just plain suggestions and hardly effective in action.

Most of us regulars have talked a ton about smartphones and security and gave suggestions already that can be searched pretty easily. If NASA does not care about their security and allow highly sensitive materials and conversations to go on to conventional networks or smartphones, then that's their problem as they should know better the flaws in modern COTS products.

I wondered if the employee did manage to ask for remote phone wiping before handing over the phone to the Customs. As per usual, self-destruct functionality not carried out from secure hardware is pointless. Good Technology smartphone workspace and other MDMs like Blackberry Enterprise have a remote wipe function which can be used ... if enabled and the user knows how to use it.

ab praeceptisFebruary 13, 2017 12:27 PM

Dirk Praet

I didn't respond to your first post mentioning Gosling in bright light. I will stay away a second time but don't make it too hard for me by praising him again.

There are certainly some out there who do not at all see a great man or mind and praising him only goes so far in compensating for well justified criticism.

And don't get me wrong, I was a big fan of sun. I remember well when we built up a new carrier and the question came up, which system to use for the backend, critical but not infrastructure (multiplexers, routers, etc). My answer without any hesitation was "Solaris on Sun" and none of my engineers objected.

That said, Sun should have stayed in what it was known for and good at. java? What for? Sun had just 1 architecture, Sparc.
They should have continued to drive Niagara forward instead of stupidly and blindly jumping on the web hype waggon. "Running on everything" from a company that was built on selling excellent machines built on 1 architecture? That was a suicidal plan and it indeed worked out like that. Sun died.

D-503February 13, 2017 1:51 PM

@Thoth
I don't think there's a technical solution to this problem.

Do you have any idea how CBP would react to a traveler wiping his or her data? (Hint: Don't try this, if you value your life.)
Anything a traveler has access to, CBP has access to. And I suspect that destruction of evidence would be taken as proof of guilt.

In this case, in hindsight it would have been prudent to avoid traveling with a phone that has access to sensitive information, and instead use a second phone reserved for personal use only. People are becoming increasingly aware that they need to keep their personal accounts and business accounts strictly separate, but it's still common for people to take an employer-issued smartphone with them on vacation. Blame the 24/7 work culture.

I don't think anyone at NASA expected to be targeted by their own government. It just isn't part of the culture. I think up to now, most people there assumed that science had bipartisan support at the highest level in the federal government, despite a lot of anti-science sentiment in local politics.

Dirk PraetFebruary 13, 2017 4:41 PM

@ ab praeceptis

They should have continued to drive Niagara forward instead of stupidly and blindly jumping on the web hype waggon.

It made them a whole lotta money. There was nothing wrong with product diversification, but instead of focusing on a limited portfolio, they tried to do everything and failed spectacularly at it. Conversely, the spectacular R&D costs for SPARC/hardware required to keep up with a competition with a much broader user base in the end would have killed them too.

rFebruary 13, 2017 5:12 PM

@Thoth,

That's not true,

with the cellebrite leak in the open, volumes should be spoken without much ado about words.

The operative's word being, volumes.

When you can characterize even a few of your enemies your defenses can be reenforced.

ab praeceptisFebruary 13, 2017 5:15 PM

Dirk Praet

[blindly jumping on the web hype waggon.]

It made them a whole lotta money.

That's one way to see it. My way, however, is to see that they ended up belly up.

Entrepreneurship 101: Expand so as to complement your core business. If you are building high-end hardware and want to expand into software, create something that makes your hardware even more attractive and that provides added value competitors can't offer.

And as you insist ...

java isn't a solution, it's a cancer that took about 20 years to properly deliver on its promise - looking positively.
And that idea was extremely poorly executed, looking at it from a PL perspective.

I never perceived Gosling as a visionary. He wasn't. One might put him next to Pike (who, what a coincidence, also created a "visionary" language for a large corp whose business is something else that, however, might profit from a language).

Wirth is a big name. Ichbiah is, maybe Thomson and Kernighan. Prof. Meyer is a visionary and maybe even G. van Rossum is one.

Our world and industry hasn't become one iota better thanks to Gosling's fumbling but it has experienced major security problems thanks to him. And, as far as I'm concerned, he is a major factor in Sun's demise.

rFebruary 13, 2017 5:29 PM

@ab,

So better, doesn't include what not to do?

With your busyness, and your edventures?

;-)

rFebruary 13, 2017 5:35 PM

@Thoth,

e.g., one can breath a sigh of relief - but not relax.

A large % of the exploits employed aren't "NSA quality" exploits, that's a good look at reality: CC: all.

While it doesn't preclude larger more @Clive-esque attacks it should certainly tell you a lot about what can and cannot be done to harden against some of the lower level hentities afoot (they're obviously not ahead).

Kind of along the lines of what ab is speaking of above, companies have options; developers have options.

Do I expand horizontally?

Or should we get all Verticlese on them?

rFebruary 13, 2017 5:45 PM

They will adapt, as quickly as the public can adopt.

We will adapt, they will adapt.

It's the same escalator we've been on for 20 years just packaged into nice neat little box with a box.

Do we really believe that the NSA would provide the same people (DHS/CBP) suspected of aiding Mexican cartels with smuggling drugs into the United States with the same tools they would use on, say, someone like Mr. Assuage?

I think not, I would hope that off the radar would still mean flying low can get you by with a smart pilot.

Cat and mouse is largely a game of logistics, are they forward deployed? are they listening? can they hear you? do they understand? Can they interrupt your conversations? can they impersonate you or your conversant ?

We know largely, what they are doing and how they are doing it. There's only a few unanswered questions at this point imb.

That's not necessarily a good thing when you look at them as a defensive position that could be over-run at any moment either for surely! you and me are not the only 1's.

Dirk PraetFebruary 13, 2017 5:50 PM

@ ab praeceptis

I never perceived Gosling as a visionary.

You're getting carried away a bit here. I never said Gosling was a genius, nor did I say that Java was so great. In fact, you wouldn't even believe some of the stuff I have seen at customers that was caused by it. Like an entire E10K domain going down because some idiot had written a web form in Java. Or a directory server that had to be restarted every 15 minutes because of a memory leak and the garbage collector not functioning correctly. I could go on.

What I said was that Sun had no other choice than to diversify its activities. That they failed at it for the reasons I mentioned. And which - I'm sorry to say - neither Gosling nor Java had anything to do with. But don't take my word for it. Ask any former Sun SE.

Sequoia February 13, 2017 8:09 PM

@ All

anyone feel infosec confident using Evernote in an exclusively offline capacity?

rFebruary 13, 2017 8:11 PM

@JG4,

That is one book that will likely get you added to the do-not-fly list, if anyone is willing to test that hypostasis please by any means necessary: let us all know.

rFebruary 13, 2017 8:13 PM

@Sequoia,

I would recommend an editor that is not resource heavy like notepad or leafpad, you wouldn't want your edits caught up in a swapfile somewhere would you?

Meher Baba ReaderFebruary 14, 2017 12:35 AM

@r

can you take responsibility for your Tourette's symptomology please? (apologies to anyone/anyone with relatives, with actual Tourette's)
maybe your expressions are more suited to a private journal, where the audience is just one and comprehension is not a criterion?

[ you'll even get to colour the conversations any which way you choose!]

_thankyou_

JG4February 14, 2017 6:59 AM


http://www.nakedcapitalism.com/2017/02/links-21417.html
...
Big Brother is Watching You Watch

48 Questions the FBI Uses to Determine if Someone Is a Likely Terrorist Intercept (Bill B)

https://theintercept.com/2017/02/13/48-questions-the-fbi-uses-to-determine-if-someone-is-a-likely-terrorist/

A sign of the times: Mazda’s new billboard is watching you Globe and Mail

http://www.theglobeandmail.com/report-on-business/industry-news/marketing/mazda-canadas-new-interactive-ad-has-heads-turning/article34005213/

PayPal Kills Canadian Paper’s Submission To Media Awards Because Article Had Word ‘Syrian’ In The Title Techdirt. Headline weirdly understates what happened.

https://www.techdirt.com/articles/20170213/09193236699/paypal-kills-canadian-papers-submission-to-media-awards-because-article-had-word-syrian-title.shtml

see also:

false signals generally are intended to corrupt system integrity

http://www.nybooks.com/daily/2017/02/13/the-true-history-of-fake-news/

The Four Kinds Of Dystopia - Which One Is Yours?
http://www.zerohedge.com/news/2017-02-13/four-kinds-dystopia-which-one-yours

rFebruary 14, 2017 7:52 AM

@JG4,

Fun link on the dystopian divergence, in the comments it talks about repurposing keywords and phrases.

Is ZH an acronym for Sieg Heil?

;-)

The last one, about written language - while imperfect both in time and in accuracy it breeds further thought.

Destroy AllsoftwareFebruary 15, 2017 12:00 AM

https://www.destroyallsoftware.com/blog/2017/the-biggest-and-weirdest-commits-in-linux-kernel-git-history
biggest and weirdest commits in linux kernel

personal opinion. no claim for expertise.

1.) the Linux Kernel is important

2.) Security review is weak. Linus places low priority on security. He is sometimes the only and last 'line of defense.'

3.) thinking proceeds in 'chunks.' Too big is no good, because only the highest experts can understand.

4.) weirdest commits is no good. The potential is to make 'accidents possible. sic." how more mistakes are just made? how many mistakes differs from how more mistakes.

5.) even those who study RUST or shen language or abstractions can get lost in the linux kernel changes. strange commits can result in strange results in testing.

6.) testing mis-matches, even basic regression testing or stress testing could in theory be fooled by WEIRD COMMITS IN LINUX KERNEL.

7.) in my opinion, e-mail conversations with developers who do not have specific technical communications training can be DANGEROUS. email is the wrong paradigm. obviously, it is asynch with actual code evolution.

Dirk PraetFebruary 15, 2017 8:59 AM

@ Petter

If Flynn violated the Logan Act and tried to cover it up by lying to the vice-president and to the press, then it's pretty obvious he had to go. Focusing on who leaked what and whether or not the Logan Act is outdated or unconstitutional doesn't change that. You really can't ask for an opponent to be locked up over alleged wrongdoings, then turn a blind eye when one of your own is caught doing the same. Everything else - especially all the "damning reports" from anonymous sources - at this point is nothing but conjecture and hearsay.

PetterFebruary 15, 2017 10:11 AM

@Dirk Praet

Yes Flynn did mess up and he had to go.
That's not the interesting part of it in my opinion.

It's how they got to know it.

Same with Clinton's emails. She messed up, tried to cover up.
But the interesting thing is which states or parts managed to get access to them.

Clive RobinsonFebruary 15, 2017 3:16 PM

Death by driving figures up again

It would appear that deaths on US roads are up yet again, an increase of around 14% more deaths over those of two years ago.

One suggestion is that it might be down to drivers etc. not paying attention due to using mobile technology/comms, including hands-free etc.

https://techcrunch.com/2017/02/15/u-s-motor-vehicle-deaths-see-biggest-two-year-jump-in-over-50-years-per-nsc/

Personally I'd like to see a ban on the use of mobile technology whilst in charge of a vehicle, and also whilst walking down the street. I cannot tell you the number of times I've had a mobile-engrossed person very nearly walk into me when I'm standing still on the pavement, but it's more than two a day on average.

rFebruary 15, 2017 4:10 PM

@Clive,

It is illegal in lots of areas within the United States; as a DOT card holder, prior to the mainstream ban, I was legally required to pull over for anything short of a Garmin. That includes phones, food, maps, anything.

The problem is enforcement. It's a well-acknowledged problem at this point that there's been a large spike in vehicle-to-pedestrian accidents as well, excluding Pokemon Go.

Medications play another part in the puzzle.

Clive RobinsonFebruary 16, 2017 3:28 AM

@ r,

And people still question why I say JS is bad news and argue against the fact that I don't allow it to run on any of my computers...

People should just give it the boot off of their systems. If enough do then web developers might just get up to speed on doing things on the server, not the client machine.

JG4February 16, 2017 6:59 AM


http://www.nakedcapitalism.com/2017/02/links-21617.html
...
Hackers demand $3.6m bitcoin ransom to unlock Los Angeles hospital medical records Boing Boing
https://boingboing.net/2016/02/16/hackers-demand-3-6m-bitcoin-r.html
...
Big Brother Is Watching You Watch

NSA analysts spied on spouses, girlfriends: documents NY Daily News. Film at 11.

http://www.nydailynews.com/news/politics/nsa-analysts-spied-spouses-girlfriends-documents-article-1.2058282

If U.S. asks foreigners for their passwords, American travelers may face the same McClatchy. No duh!

http://www.mcclatchydc.com/news/nation-world/national/national-security/article131827924.html

Dirk PraetFebruary 16, 2017 9:45 AM

@ Clive

How Oracle stiffs its staff

Not exactly new stuff. I have worked for at least two other US technology companies that pretty much did the same thing, unilaterally imposing modified compensation schemes on employees who were told they could either accept the new plan or be first in line at the next RIF. Several such former colleagues - all in sales roles - who were denied their rightfully earned commissions successfully sued said companies under Belgian law that governed their employment contracts.

NewbieFebruary 16, 2017 7:41 PM

Anyone here know how safe Termux on Android is? It apparently uses GPG without HTTPS (according to one poster at https://github.com/termux/termux-packages/issues/167).

rFebruary 16, 2017 8:28 PM

@Newbie,

Safe how?

You mean during over-the-air-package-installing?

You're not worried about their pre-built packages like Perl/Python, are you? Only that the downloads are untamperable, it sounds like to me.

What I'm saying is, you're worrying about subsystem updates being authentic without worrying about whether the subsystem you're downloading is actually vetted or not.

It seems to be a more extensible continuation of the discontinued Android Terminal Emulator; in its listing of similar software it neglects to mention the (fairly) well-known JuiceSSH. Sounds like it's a hybrid of busybox/aTE/Linux Deploy.

(Why don't they list JuiceSSH(?)(commercial reasons?))

GPG without HTTPS shouldn't be a problem provided you're sourcing the GPG public keys as bound through the third-party-sourced APK and that it's actually verifying any signatures available. Cygwin works like this; it's not **impossible** to verify, but the issue of safety/trust still exists.

But there's lots of questions, how are the public keys provided?

Bound through the APK over google/fdroid?

Downloaded via HTTP (not HTTPS) ?

Can/Do you trust the devs?

Can/Do you trust the community?

Can/Do you trust the public certificate model that https runs along with?

Can/Do you trust that not only are the devs of that project legitimate but also that the keys available to you for that project are legitimate?

The FBI has made statements as to them "going dark", does this mean that they're taking over development efforts? Supplanting identities and community leaders?

All hail the DHS and GRU, whom do you trust?

Is it "safe" to trust Android with your developmental efforts?

If X Windows has so many problems, do you really believe that Android and its framebuffer model has fewer, considering all those shared inter-app permissions and memory leaks? (think Shamesung)

Safe is in your head, nothing is safe. You're safer knowing that #1

#2 ?

I'm sorry, it's scary shit. Hopefully I'm not overstepping my niche bounds here; maybe somebody around here actually knows about that specific application, as it does look fairly interesting to me, considering prior efforts in the chroot arena required multiple vendors' sources and this will seemingly provide a sole solution for those curious.

The point is, there's a lot more to security than just a GPG verification over http[s]. ;-)

I hope you enjoyed this response.

furloinFebruary 16, 2017 11:38 PM

@r @Newbie

My usage of it with XPrivacy and iptables reveals it does not make any malicious Android NDK/SDK function calls, nor does it use any 'passive' network connection. I tested this with both F-Droid's app, from GitHub, and with the Google Play Store's download. So if it is doing anything, it is hiding from a personally compiled system and Termux-specific ps, top, netstat, iptables, /proc/*, export, and does so with and without a local root exploit. So if you are worried about low-skill passive surveillance from it, don't be. My testing was not very comprehensive, so a Termux-included root exploit with modified libraries included could possibly be replacing everything on your system with perfectly modified timestamps and file sizes. Someone with those skills is either not the type to target Android phones or is working for nation-state level actors, as @r implies.

Of course that is not even going into data security before you even compiled, while compiling, and/or as you were deploying it.

"Safe is in your head, nothing is safe. You're safer knowing that #1"
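The kind of check furloin describes (looking at netstat and /proc for sockets the app shouldn't have) can be reproduced by parsing /proc/net/tcp directly and filtering by the app's UID, which on Android is per-application. The following is an added example written for this thread, not code from Termux or from any poster; the sample /proc/net/tcp content, the app UID 10234 and the 203.0.113.5 peer are constructed for illustration. It flags sockets owned by that UID that listen on a non-loopback address or are connected to a non-loopback peer. It only covers IPv4 TCP (tcp6 and udp have the same layout and could be fed through the same parser), and, as furloin notes, a root-level implant can lie to /proc, so this is a low-skill-adversary check, not proof of absence.

```python
import os
import socket
import struct

# TCP state codes as printed in the st column of /proc/net/tcp (kernel enum).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp (not captured from a real device).
# UID 10234 stands in for the app's UID; row 2 is the one a reviewer should notice.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 41001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A3F2 0100007F:1F90 01 00000000:00000000 00:00000000 00000000 10234        0 41002 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C35A 057100CB:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 41003 1 0000000000000000 20 4 30 10 -1
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0  9001 1 0000000000000000 100 0 0 10 0
"""


def parse_addr(hexaddr):
    """Decode 'IPHEX:PORTHEX'; the kernel prints IPv4 as a little-endian 32-bit value."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into dicts with local/remote endpoints, state, uid, inode."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a slot number like '0:'; the header row does not.
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        rows.append({
            "local": parse_addr(fields[1]),
            "remote": parse_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return rows


def is_loopback(ip):
    return ip.startswith("127.")


def suspicious_sockets(rows, app_uid):
    """Sockets owned by app_uid that expose a listener or talk to a non-loopback peer."""
    flagged = []
    for r in rows:
        if r["uid"] != app_uid:
            continue
        if r["state"] == "LISTEN":
            # 0.0.0.0 means all interfaces, which is not loopback-only.
            if not is_loopback(r["local"][0]):
                flagged.append(r)
        elif not is_loopback(r["remote"][0]):
            flagged.append(r)
    return flagged


def scan_live(app_uid, path="/proc/net/tcp"):
    """Run the same check against the live table when it exists (Linux/Android only)."""
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return suspicious_sockets(parse_proc_net_tcp(f.read()), app_uid)


if __name__ == "__main__":
    for s in suspicious_sockets(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), 10234):
        print("uid %d %s %s:%d -> %s:%d" % (s["uid"], s["state"],
              s["local"][0], s["local"][1], s["remote"][0], s["remote"][1]))
```

On a device, the app's UID can be read from its /data/data directory ownership or from `ps`, and `scan_live(uid)` repeats the check against the real table; the loopback rows (a local listener and a connection to it) are left alone because they never leave the device.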

NewbieFebruary 17, 2017 12:41 AM

@r
I meant https://github.com/termux/termux-app/issues/167, sorry.
What is a node.js phish? A cross-site scripting attack specific to sites based on node.js?
@all
Thanks for the fast and detailed responses. I don't know the creator of Termux but I trust F-Droid to do at least some vetting of apps. I'm guessing the GPG key is built into the APK from F-Droid, but maybe it is downloaded by the app over http!?

NewbieFebruary 17, 2017 1:27 AM

Please, any guidance from experts and/or enthusiasts on how to be less unsafe without desoldering the antennas or otherwise taking it offline?

What is the least dangerous way to update Android System WebView and mediaserver/stagefright without Google Play?
Are there any other libraries that can't be updated through F-Droid?
Is there any Android distro that uses apt/apt-get/aptitude/yum/dnf/homebrew or any other desktop/server package manager?

rFebruary 17, 2017 5:20 AM

@Newbie,

The least dangerous way to update the android system ... without google play?

If you trust Google, go with a stock nexus or moto device.
If you trust Cyanogen, go with them.
If you trust OmniROM, go with them.
If you trust Replicant, definitely go with them.

Those are the 'easiest', but if you really want _safe_?

Go with Replicant or:

Compile Android and its dependencies for your device yourself; do this from a 'secure' environment in a secure way. Don't include random junk, rip out the proprietary guts from the branches your source requires and inspect every corner. Check upstream Linux kernel advisories and double-check that your Android source doesn't reflect those vulnerabilities.

---

We have to think of it as 'inviting people into our house', what type of characters do you associate with? Do you bring them home? Do you let them in?

Do people watch for you?

Follow you?

What if they try to force their way in?

What if you're like me and there's only 2 people who know where you live?

What do you do about solicitors and trespassers?

This is what we're up against when they see you shopping for window dressings, the "Peeping Tom Dick and Harry's" follow you home. (@My Info) ;-)

and@February 17, 2017 7:19 AM

@r

The least dangerous way to update the android system ... without google play?

If you trust Google, go with a stock nexus or moto device.
If you trust Cyanogen, go with them.
If you trust OmniROM, go with them.
If you trust Replicant, definitely go with them.

Those are the 'easiest', but if you really want _safe_?

Go with Replicant or:

and that, folks, is the problem with this entire "if you trust..." decision making ecosystem: that you in the end have to trust people you have never even met, let alone gotten to know properly.

The same stuff as in "do not install software from vendors you don't trust". Whoever came up with that guideline originally seems to have thought that trust is just some mental choice that people can make on a whim about some new binary executable.

rFebruary 17, 2017 7:27 AM

Agreed,

but what other options do we have other than non-participation?

;-) We didn't even cover the:

"Do you trust ARM/Intel?" questions that were covered more recently. It's a mess for sure.

rando mFebruary 17, 2017 7:28 AM

@D-503
Racing solar-powered cars? Good Lord, if that isn't cruizin' for a bruisin' from the authorities, I don't know what is.

heh, yea:-) that probably became his downfall the way things look like developing;-P That terrorist, planning on overturning our oil-based economy...

JG4February 17, 2017 9:12 AM


http://www.nakedcapitalism.com/2017/02/links-21717.html
...
Big Brother is Watching You Watch

What You Need To Know About The Trump Administration’s Ties To Russia Onion (David L)

http://www.theonion.com/infographic/what-you-need-know-about-trump-administrations-tie-55302

I’ll never bring my phone on an international flight again—neither should you Medium

https://qz.com/912950/never-bring-your-phone-on-an-international-flight-unless-you-want-us-border-control-and-customs-to-take-your-data/

Facebook algorithms ‘will identify terrorists’ BBC News (furzy). Help me.

http://www.bbc.com/news/technology-38992657

Could your Fitbit data be used to deny you health insurance? The Conversation (J-LS)

https://theconversation.com/could-your-fitbit-data-be-used-to-deny-you-health-insurance-72565

How algorithms (secretly) run the world PsyOrg

https://phys.org/news/2017-02-algorithms-secretly-world.html

NewbieFebruary 17, 2017 10:57 AM

@r @and@
Thank you for the ideas.
I should have mentioned that I've never compiled software before.
I'm basically just looking for a safer way to update the parts that aren't in F-Droid than downloading the APKs over http from the various shady APK websites.
Since most web-facing F-Droid apps seem to use Android System WebView or mediaserver/stagefright, could you please teach me the best way to update them without Google Play or adb or my own build box?
Not negating the value of what you already offered; it's just beyond my near-term abilities.

blood thinner testingFebruary 17, 2017 11:11 AM

Regarding blood thinners, Warfarin/Coumadin may be the gold standard. In the USA, cardiologists tend not to want to prescribe Warfarin often these days.

With home pt/inr blood testing, performed weekly, one patient I know usually stays within target range (for example 2.5 plus or minus 5 or 10%)

https://en.wikipedia.org/wiki/Prothrombin_time ; see near-patient testing

rFebruary 17, 2017 5:21 PM

@Newbie,

Your best bet for continuing support is going to be to track either a customized (developer ROM, think xda/sdx) ROM (potentially very dangerous), or to grab a legitimate Google device like a Nexus or a Moto for a thoroughbred experience, or find one supported by a) Cyanogen b) OmniROM c) Replicant. In my opinion trustworthiness in those aspects is Cyanogen, Google, OmniROM, Replicant from least to most, but who am I to judge; I haven't vetted a single LoC (line of code), it's just an opinion.

Replicant is less enjoyable, but you will find the EFF behind it and their efforts to be genuine, I believe.

Pick up a device supported by any of those. Some people here will steer you away from Android (ARM/MIPS/Intel) and argue for Raspberry Pi devices, but fairly enough they suffer from some of the exact same problems as, say, Android, e.g. ARM.

Any of the custom (developer) based ROMs are going to have support and interdiction pitfalls that are nearly impossible to overcome without compiling your own from their sources after diff'ing.

Something to consider, in the question of trust: Apple. While not Android, their recent spat with the FBI may give hope to some users.

Me? I go the other direction from most of the grain/flow. I think Androids are easy enough to source that their potential as throwaways gives them additional benefits; also there's value to be found in the exigent variants of MIPS and, less so, Intel. Apple is only a single architecture and you can't include protections and/or mitigations reasonably outside of what they provide.


@rando m,

Cute, +2 for that curiosity.

A Nonny BunnyFebruary 18, 2017 2:41 PM

@Heyman Lucky

May I remind the various posters that the US still is a democracy
God, yes! I really needed that.

Oh wait, there's more..

as opposed to the EU and its unelected clowns.

The EU isn't a country. So the comparison doesn't really make sense.
NATO isn't a democracy either, nor is the UN. For that matter, neither is the US supreme court.

But as for the EU, all the members states are democracies, and the EU parliament is democratically elected.
And while the European commission may not be elected, it is appointed by the democratically elected member states. A bit like how Trump can appoint members to his cabinet, none of which has been chosen by the people.

Anyway. Good luck with your elected clown.

AnonymousFebruary 18, 2017 5:59 PM

How does everyone solve the "bootstrapping problem"?
Most computers are so backdoored from the manufacturer that there is no need for government to do anything. The few like Purism's Librem that are not are all interdicted and implanted by DITU, right?
If there is no reasonable privacy expectation, one cannot get a patent... does that mean all should forfeit all attempts to innovate in IT?

OSeyeFebruary 18, 2017 7:50 PM

No need to solve the "bootstrapping problem" at the hardware level; it can be solved at the network level.

Clive RobinsonFebruary 18, 2017 9:15 PM

@ Anonymous,

How do everyone solve "bootstrapping problem"?

The honest answer is "If the US DoD can not solve the problem how do you expect to?".

If you go back a few years, the US DoD put its hands up to not knowing how to solve the "Supply Chain Poisoning" problem in areas like semiconductor supply. They put out some tenders, and as predicted on this blog by @Nick P, within a short time period the projects became "off radar" and still are.

Several years before that, however, I had started thinking on the problem, and as I've said before, as an individual you cannot solve the actual supply problem. But there are ways to mitigate the effects, which I have mentioned on this blog a few times.

From an individual's viewpoint, it is now easier to assume it is not possible to secure any device with communications capability in it, nor easily insulate/shield it from devices that do (see "energy-gapping" and "end run attacks").

Further, it is now clear that any Commercial/Consumer Off The Shelf (COTS) device with storage capability cannot be protected from the likes of Law Enforcement Agencies by individuals through technical means. That is, through legislation like the UK RIPA or the more recent "Snooper's Charter", they can now effectively "Disappear You" into "Secure Administrative Measures" or force use of your biometrics or coerce your passwords out of you, etc. etc. In the US there is the extension of the border zone to cover the majority of the country and those --supposedly-- new Customs and Border Protection (CBP) rules to make you give up your passwords to consider. All backed up by the delights of "lying to Federal Agents" punitive legislation and a thousand and one other laws etc. you've never heard of.

So any mitigation has to involve being beyond communications reachable end points and not involve storage that can be got at. As there are no technical measures an individual can deploy within those areas reliably you have to keep what you want to keep private out of them.

As I've noted before, information is not tangible; it has no physical actuality of its own. What we do is impress or modulate energy or matter with information to:

1, Store information.
2, Communicate information.
3, Process information.

From the human perspective, information in its raw or "plaintext" form is only required to process it or use it in some way.

We have known how to both store and communicate information for thousands of years, and for much of that time we have also known how to make the information unusable to others when doing so. Over time the two main ways of making the information unusable were either hiding the message (stego etc.) or changing the message information in some way (codes, ciphers etc.).

For most of that time period neither mechanical nor electrical devices existed to perform these actions; therefore humans with pen, ink and paper devised many workable systems, much of which were still in use in the Cold War era and were covered in general OpSec procedures for secure messaging.

As I've mentioned before, it is back to these Cold War and earlier OpSec etc. methods that individuals should be looking to protect their private information and to mitigate the general technical surveillance "collect/backdoor it all" methods used against consumer electronic devices/communications.

Snore.February 18, 2017 10:38 PM


it is now easier to assume it is not possible to secure any device with communications capability in it, nor easily insulate/shield it from devices that do (see "energy-gapping" and "end run attacks").

And we are absolutely certain right?

Is it worth the risk otherwise?

What are you Mentholated? You're like old man winter around here, we appreciate the thought provoking tips and intelligent quips but really?

If they were all-knowing they wouldn't be attacking systems, staging forward positions and exfiltrating data. While there are obviously ways in, there should still be obvious ways around.

Don't buy into this whole "don't move or we'll shoot" bullshit; they will shoot, but they can still miss. I don't care if it's some kid's Nintendo DS posting to pastebin in an XOR'd JPEG for someone with a search key.

Yeah yeah yeah they have analysts for that, if these things weren't at least partially effective every last analyst could go home.

Basically, they're not omnipotent yet they're still omniimpotent and want you to believe otherwise. Don't believe me?

Think. You're outmanned, outgunned, and all they want to do is go home to their wives, because they know what she's got planned from her Yahoo search bar. If you keep them out too late she's going to catcall the neighborhood drug dealer over to rub on her feet; why do you think they get so angry when the SWAT team is called?

It's not hopeless, follow best practices listen to what they're saying about hardware and dig deep - also - you can't win the lottery if you don't play - and sometimes your number (win or lose) will get called.

Take chances, make calculated risks and hone your skills.

And by all means, be RESPONSIBLE - be respectful - be aware and - beware.

Naysayers, lol. The United States is up against the black wall of anonymous and you claim that there's no hope. There absolutely is hope; just some people stand in the way of those trying hard to see it. Win or lose, good or bad, all is never lost. If you smell like shit, the flies will seek you out and lay their eggs all over you.

NystagmusEFebruary 20, 2017 2:58 PM

Snore, nice post. I sincerely mean that.

I wonder what the actual deep-sea mysterious octopi, squid and cuttlefish think about all this human swarming and its electromagnetic pollution.

Widen the context and let reality back into view.
