Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes

The evolutionary reasons why the strawberry squid has two different eyes. Additional articles.

Original paper.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on February 17, 2017 at 4:03 PM • 184 Comments

Comments

Graeme • February 17, 2017 4:16 PM


Riseup moves to encrypted email in response to legal requests.

To be absolutely clear, this type of encryption is not end-to-end message encryption. With Riseup’s new system, you still put faith in the server while you are logged in.

We are working to roll out a more comprehensive end-to-end system in the coming year, but until that is ready, we are deploying personally encrypted storage in the meantime.

There was a “gag order” that prevented us from disclosing even the existence of these warrants until now. This was also the reason why we could not update our “Canary” 2.

https://riseup.net/en/about-us/press/canary-statement

Also more coverage:

https://news.ycombinator.com/item?id=13664590


----------

Bored with ho-hum cloud backups? Use Usenet (yes, Usenet!) instead

https://arstechnica.co.uk/information-technology/2017/02/bored-with-ho-hum-cloud-backups-use-usenet-yes-usenet-instead/

Something the POTUS has probably never heard of.

----------

Zuckerberg thinks he's cyber-Jesus – and publishes a 6,000-word world-saving manifesto

https://www.theregister.co.uk/2017/02/17/zuckerberg_publishes_worldsaving_manifesto/

My Info • February 17, 2017 4:43 PM

These "gag orders" are the spawn of a sick, twisted, FAKE legal system. If the government doesn't want you to shout it from the roof-tops, then the government shouldn't tell it to you in the first place. The government has absolutely no constitutional legal basis to compel you to "cooperate" in secrecy with some long, drawn-out investigation of a third party. That is absolutely outrageous, as is the entire premise behind these silly "warrant canaries." Leave the birdies for the badminton players, stand up for your rights, and stop spreading this kind of disinformation on the Internet.

If the government has a warrant, let them bust in the door while the news reporters have video cameras rolling. Otherwise, GET OFF MY PROPERTY, because I don't have a clue who you are or what country you represent.

AlanS • February 17, 2017 4:44 PM

Tutanota trolls Trump while using him to promote its secure email service: After Recent Scandal Trump Family Turns Towards Encrypted Tutanota Emails.

Now that Donald Trump's children are in charge of his business empire, they wouldn't dare to talk about anything that is going on in the Oval Office. Because, well, that would just be unfair. So UNFAIR....Tutanota's encrypted emails are just the perfect tool for Donald Trump as it is not only secure but at the same time as easy as his previous Gmail account. Sources say, he did try to use Signal, but gave up again because Donald Trump claimed that it was too difficult for his big hands to type on a tiny phone display.

Tatütata • February 17, 2017 5:03 PM

Yet another IoT-related story?

The Berlin Tagesspiegel reports that the Bundesnetzagentur (German network authority) has decided to prohibit a doll called "Cayla", and calls for parents to take them away from their children and DESTROY them (I mean the toy, not the kids). What? Just removing the batteries or avoiding registration on your router isn't enough?

The network-enabled toy is considered a dangerous spying device that grossly contravenes privacy laws. It also enables strangers to enter in contact with kids.

The tone of the report is quite drastic: "Even mere ownership is punishable by law"! Might this have something to do with the fact that all collected data are delivered to and stored on servers in Trump-Land?

I feel it's something of an unusual move from that department, and I am curious about the authority under which they operate.

Usually a product withdrawal/recall (e.g. for the presence of lead-based pigments) would be performed by another branch of the German Federal Ministry of Commerce (BMWi) responsible for the Product Safety Act and the Regulation Regarding the Safety of Toys, and the EU regulations they implement. At a quick glance at the text source I can't find a cross-reference in these (2. ProdSV) to data and privacy regulations.

I'm looking forward to a presentation at 34C3 on hacking these things. ;-)

On another front, Mrs. Merkel testified this week at the parliamentary commission of inquiry on NSA spying. Nothing to report, move along, there's nothing to see... Everything is fine, my lovely marquise.

r • February 17, 2017 5:06 PM

@Johnathan Wilson,

RE: When it's warranted,

obviously neglects the case of 'where' it is warranted.

There's a new problem on the horizon: jurisdiction.

New Jersey can lay claim to Idaho air waves, this is something that specifically needs to be challenged as it challenges State sovereignty.

Tatütata • February 17, 2017 5:18 PM

It just occurred to me that this doll essentially does what Amazon's Echo and Apple's Siri already do. Could these be next in the Bundesnetzagentur crosshairs?

Can A House Divided Stand? • February 17, 2017 6:11 PM

Why did former political appointees Director of National Intelligence Clapper and Attorney General Lynch authorize raw, unfiltered NSA data-mining of USA citizens to be widely shared without safeguards? Their motivation has become rather obvious; they did not want their eight years of work to unravel. Making the leaks harder to trace was a planned feature.
https://duckduckgo.com/html?q=lynch%20clapper%2016%20intelligence%20agencies

From Terrorism to Politics
These officials authorized a blatantly unconstitutional political weapon to perform unreasonable search of innocent Americans. It’s used in secret without probable cause, warrant, court oversight, logs or privacy safeguards. Further there is no accountability or consequences for misuse of data unless discovered. Have SIGINT communications leaks become inputs to taxpayer funded political action committees to fit an agenda?

Snowden Findings Embarrassingly Ignored
The apparently clueless targets do not understand that their cell phone communications are monitored by opponents remotely from anywhere in the world.
How dumb is it to comically use live cell phone flashlights (for video and audio) during national security incidents? Everyone (except the uncleared waiters) should be fired for sheer stupidity. North Korea's real-time intelligence (including Facebook) plan was executed perfectly. They must be laughing hysterically at their amateur opposition.
http://www.phonearena.com/news/This-60-Minutes-report-should-scare-all-smartphone-users_id80321

Basic human rights insist on privacy for both quality of life and to be productive in society.
Powerful governments and corporations cannot unreasonably search sensitive databases of political foes or the competition. Our precious constitution states there must be checks and balances including probable cause and unbiased and independent judicial oversight. Otherwise our lobbyist run country will be consumed by daily rancor and extreme stress.

Aren’t these invasive tools supposed to be for fighting terrorism and not turned upon each other?

Ask Abraham Lincoln when America was last deeply divided: http://www.abrahamlincolnonline.org/lincoln/speeches/house.htm

In offering solutions to our crippling excess, America should look to other countries who have successfully implemented cost-effective health-care systems or data-mining protections. For example check-out India’s privacy-first policies.
God help our both clueless and vindictive America.

ThePurpleMango • February 17, 2017 9:15 PM

FYI: ghacks user.js for firefox updated from 7 months ago - now on version 11 (FF 51)

updated article: http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/
html version color coded with reference links etc: http://www.ghacks.net/files/user.js%20[ghacks]-0.11-dark.html
download: http://www.ghacks.net/download/130328/

And .. now it is githubbed, no more "releases", follow the commit history and always have an up-to-date release

https://github.com/ghacksuserjs/ghacks-user.js

Regards, Pants

GregW • February 17, 2017 9:37 PM

Found a nice quote I thought others here might appreciate.

"Where does a wise man hide a leaf? In the forest. But what does he do if there is no forest? ... He grows a forest to hide it in."
-- G. K. Chesterton

Edward M • February 17, 2017 10:06 PM

What are the options?

1. Delete our phone content before traveling, and then restore it when we have landed.
2. Not carry a phone at all
3. Purchase an additional phone that is not smart.

www.theverge.com/2017/2/12/14583124/nasa-sidd-bikkannavar-detained-cbp-phone-search-trump-travel-ban

Subversion #9 • February 18, 2017 4:50 AM

Speaking of terrorism, don't get punkd(tm).

http://www.usatoday.com/story/news/world/2017/02/17/indonesia-police-chief-woman-tricked-into-attack-on-kim/98039356/

'Tito Karnavian told the Associated Press that Siti Aisyah, 25, received payment to be involved in a prank for Just For Laughs, a popular TV show. He said she and another woman carried out stunts that persuade men to close their eyes and then spray them with water.

"Such an action was done three or four times and they were given a few dollars for it, and with the last target, Kim Jong Nam, allegedly there were dangerous materials in the sprayer," Karnavian told the AP.'

Is it odd that two weeks ago we had someone warning us about banaca ? And you guys are all worried about handguns. Where do we hide the trees?

Slime Mold with Mustard • February 18, 2017 5:40 AM

Anyone doubting that Orwell was an optimist: Facial recognition on police body cameras -
http://www.vocativ.com/402771/ai-body-cams-cops-google/

I realize few of us on this blog "share" on Facebook, but here is Zuckerberg's "Final Solution".
http://gizmodo.com/zuckerberg-cut-a-line-about-monitoring-private-channels-1792462516

Super scary - After the Associated Press (AP) published the statement, Zuckface deleted the bit about using AI to monitor users. Then the AP story did too.
Winston Smith - the 'censor of history', now AI, payment, or coercion?

Martin • February 18, 2017 5:52 AM

What happened to the Giganews post; it was Nº 11 in the queue? I didn't have time to read it when I first visited this site, but when I returned now it appears to be gone. Maybe I'm just overlooking it...I'll recheck the list.

Martin • February 18, 2017 5:58 AM

@Tatütata

I seem to remember reading, a couple of years ago, about Samsung (& perhaps other brands) televisions that were also listening to and saving conversations of the owners.

Also, what happened to the usenet post; it was Nº 11 in the queue when I first skimmed over it?

Moderator • February 18, 2017 6:40 AM

@Martin, that post is recycled scandalmongering that's been circulating online since 2014, and contained potentially libelous allegations, so was deleted.

Slime Mold with Mustard • February 18, 2017 7:04 AM

@ Edward M
Many years back, our host (@Bruce) recommended the following for crossing borders: Full disk/phone encryption. The carrier does not possess the password. The password is later sent by a friend(s) (preferably segmented) upon reaching the destination. Nowadays, I would not be surprised to find such cautious persons permanently housed in the concrete labyrinth beneath the concourse. Some encryption tools offer "deniable folders", but if it is not "full disk" it is open to side channels, and the traveler is facing a state level actor with both zero-days and rubber hoses.

@ Subversion #9

Definitely on the All Time Greatest Hits list. Anyone not familiar with the program. It features (until just now) harmless but baffling stunts pulled on unsuspecting passers-by.

It does remind me of the scheme where a job ad on Craigslist had a dozen applicants appear at the same place at the same time in near identical garb. Only one was an armored car robber. People are gullible. Working in a familiar theme makes them more so.

re • February 18, 2017 7:32 AM

What's bothering me, amid all these quotes in the last couple weeks I am seeing major spelling errors and word-substitution as if things are being written via swype on Android keyboards for major news outlets.

Am I crazy? Does anyone keep a tally of the avg spelling accuracy of our (us) national news outlets?

Are these "breaking" repetitive news stories so important that all editing is thrown to the wind? If you can't see the word 'single' substituted for 'something' when you have 5 other 100% quotes to compare to wtf?

Parket • February 18, 2017 8:12 AM

@Can A House Divided Stand?

Lincoln quoted Jesus, Mark 3:25 and elsewhere. The question is larger than national politics.

Clive Robinson • February 18, 2017 10:33 AM

@ re,

What's bothering me, amid all these quotes in the last couple weeks I am seeing major spelling errors and word-substitution as if things are being written via swype on Android keyboards for major news outlets.

It's not just that, it's the abrupt changes in tense mid-sentence etc., suggesting that the sentences have been "cut-n-pasted" together via poor editing.

You can also see similar incorrect use of tense by some of the more radical posters that have sprung up "as though from dragon's teeth" since the start of the change from one US executive to the current executive.

Which begs the question as to if there is a link between them or not...

Anura • February 18, 2017 10:34 AM

@re

The media is all about maximizing revenue. Being the first to report the story is a huge revenue gain.

albert • February 18, 2017 2:10 PM

@Moderator,

When did you assume that you were responsible for "potentially libelous allegations"?

Not that I miss not reading the post in question.

Has Bruce even been sued for any comment posted here?

. .. . .. --- ....

Nick P • February 18, 2017 3:45 PM

@ glorious spume

I have no idea what this is. It has no description of how it works on the homepage. That it's just software makes me doubt it's a TRNG in the first place. The code is assembly I can't read. I suggest people stay clear of this thing.

@ Clive

There was another conversation about Secure Drop and similar things on Hacker News. Thomas Ptacek was running most of the debate it seems. I couldn't resist the curiosity to know what the guy looks like, how he talks in person, etc. Such things, esp body language & facial expressions, sometimes reveal a lot about someone's character. Probably should've done that long ago but I found this RSA interview on Youtube.

What does that style tell you? Hint: some of what it took me some time to learn in debates. All in just a few minutes. ;)

@ All

In interests of verification of chips or components, I keep looking to see what happens with things like hobbyist electron microscopes. For atomic force, I found one OSS and one cheap. For hardware, PULPino project added vector instructions and some other goodies to its open-source, embedded RISC-V. For crypto, a Galois Inc rep delivered a talk on ultra-low-power, high-assurance, asynchronous crypto in hardware. They also wrote a paper with tips they learned doing a high-assurance drone for DARPA. For protocols, Microsoft Research is kicking ass again on verification.

MarkH • February 18, 2017 4:27 PM

@re:

My reading of newspapers and newsmagazines online has been growing steadily in recent years ... it now takes up a lot of my time.

Yes, it is my impression that spelling and word usage have gotten very distinctly worse.

My supposition has been that this is a by-product of internet in two ways:

1) Revenues have fallen drastically, because subscriptions have declined sharply and the ad market is now super-competitive. So, all of these organizations are cutting staff, including the near-extinct (but damned useful) category of copy editor. Though why they don't use a decent spelling/grammar checker, I don't know.

2) Now that online news publication is continuous, the pressure to get stories "out there" is relentless. There used to be a "deadline" time once or twice each day, and stories could be prepared with some deliberateness if deadline wasn't imminent. Now, whether it's 2 pm or 2 am, news outlets want to get breaking news published in the fewest number of minutes.

These are only my surmises, I don't have any empirical data to back them up as causes of lousy copy (though there is plenty of data on the underlying trends I mentioned).

KH5 • February 18, 2017 5:16 PM

@JG4
"‘Shadow Government’ Protected Hillary"..?

Good one, LOL. Perhaps the same one that has kept Trump in power all these weeks?

My Info • February 18, 2017 5:36 PM

@MarkH

"Yes, it is my impression that spelling and word usage have gotten very distinctly worse.

"My supposition has been that this is a by-product of internet in two ways: ..."

My great-grandfather was editor of a Finnish newspaper in Astoria, or so I was told from my youth. Finns, for example, are often reluctant to use definite or indefinite articles. In any case, the general decline of spelling and word usage, (i.e. the use of Russicisms,) strikes a primordial ancestral fear and alarm within me: The Russians are coming! The Russians are coming!

This is my supposition.

r • February 18, 2017 6:10 PM

To leak, or not to leak - this is our Senator.

'McCain acknowledged that leaks have the potential to do damage to national security. But he made a surprisingly impassioned case for them in an era when truth is hard to come by. “In democracies, information should be provided to the American people,” McCain said. “How else are the American people going to be informed?”'

http://nymag.com/daily/intelligencer/2017/02/john-mccain-takes-on-donald-trump.html

This is our Senator,

“If you want to preserve democracy as we know it, you have to have a free and, many times, adversarial press,” McCain added. “And without it, I am afraid that we would lose so much of our individual liberties over time. That's how dictators get started.”

https://www.washingtonpost.com/news/the-fix/wp/2017/02/09/john-mccains-brutal-rejoinder-to-sean-spicer/?tid=a_inl&utm_term=.ad4f0cc32ec4

This is a man, standing up for what he believes is right. His words are not hollow, they are hallowed.

Are we all deaf? Or do we just turn our blind eyes conveniently from the 'stark truth'?

Well, Gollly! • February 18, 2017 6:36 PM

r, let me help you up there. Your ass hurt? Sorry you just fell off that there turnip truck. No, it's too far gone, you can't catch it.

Your inspiring mentor there, CIA owns his ass. Of course he's got to defend people who leak what CIA wants leaked. Or else the little traitor's name is mud.

http://www.unz.com/runz/american-pravda-when-tokyo-rose-ran-for-president/

http://www.unz.com/article/mccain-and-the-pow-cover-up/

McCain left thousands of his comrades-in-arms to slow death in labor camps. When you blackmail a quisling like that, he stays blackmailed.

r • February 18, 2017 6:41 PM

Let me make something clear to you Mr. GRU subordinate, don't you think that if I'm wise enough to poke fun at the fools at the RSA club - I would be wise enough to avoid clicking your links?

I've been tracking phishers and related technology for close to 20 years, I'm hardly green.

Pastebin, or cryptome it or? It never happened. ;-)

Enjoy feeling salty like caviar.

Well Go-olll-lly! • February 18, 2017 6:51 PM

Amusing to hear you admit without embarrassment that you're too inept to identify and counter malware or MITMs on a link. Are you afraid to visit the whole internet, or do Mommy and Daddy protect you with some sort of Net Nanny? Downright poignant to see that you are ignorant of unz review. Having already learned that you're afraid of Tor and i2p because it might get you in trouble or something, the bathos is overwhelming.

r • February 18, 2017 6:53 PM

Naw, I find the oppression pretty relaxing these days considering the alternatives.

No freedom of press

Gulags

Etc.

Clive Robinson • February 18, 2017 7:34 PM

How big are your digital feet?

Most Internet users are like children in the snow, they run around having fun, leaving nearly every footprint clear to the eye of those that care to look.

Well, Internet users are now realising in the last 18-36 months that they have to grow up and become adults.

One reason is the interesting comment that there have been more credit card details compromised in the US in the last 48 months than there are individuals in the US that hold credit cards... And most of those compromises that make it into the news headlines are about "Internet Hackers take XXX million Customer details...". This has been backed up by people being sent letters about the fact that their CC or other details have been stolen and as part of the remediation package they get a year's free credit checking etc.

This need to grow up has been exacerbated by "Digital Stalking" and "Abusive Ex" stories about how easy it was for some low life with an apparently even lower IQ to track down and do harm to their victims.

The problem for most is that unlike the snowy footprints of children at play, digital footprints do not melt away in the cold light of day.

There have been one or two MSM press articles but they invariably offer a mish mash of advice often conflicting and often fanciful. Even advice from experts is often seen by other experts as not advice they would give[1].

That's not to say experts are wrong but their Point of View is their point of view and is thus singular to them, not you.

Back in Charles Dickens' time, it was considered "important to be widely read", something that is now no longer possible due to the sheer quantity of reading available. Thus the trick these days is to be selectively read in as broad a manner as is possible in the time you have.

Thus the key to reducing the load is the selection process. To that end people might want to give this a read,

https://tisiphone.net/2017/02/08/is-digital-privacy-a-privilege-of-the-wealthy/

[1] I'm noted for comments like "Paper Paper NEVER DATA", "Energy Gapping", "With cash they can only take what's in your pocket", "Never leave ammunition for the enemy", "Needless Trust is death in waiting", etc. Which used to be considered extreme even for high risk individuals I'd advise... but of more recent times many are wishing they had practiced ten or twenty years ago. Times change and as the old saying says "Makes fools of us all", for instance even cash is getting traceable these days...

My Info • February 18, 2017 8:12 PM

@Clive Robinson

Is digital privacy a privilege of the wealthy?

LOL! the cleaning lady took your privacy out with the trash. I used to work at a financial services company, and as part of my work I perused databases of "high net worth" individuals. Example:

http://freeerisa.benefitspro.com/features.aspx
Deluxe search:
... Go after high net worth targets by searching for companies that offer deferred compensation plans to executives. ...

Another example:

http://www.nielsen.com/eu/en/solutions/capabilities/creating-deep-insight-into-high-net-worth-individuals.html
CREATING DEEP INSIGHT INTO HIGH NET-WORTH INDIVIDUALS
More than almost any other customer segment, insight into High Net-Worth Individuals aims to address the big questions, such as who are they, what are their values and beliefs, their attitudes and motivations, their habits and impulses, how they interact with and value brands and how companies can do this more effectively than the competition. ...

So ... what was the question? Is digital privacy a privilege of the wealthy?

Nick P • February 18, 2017 8:24 PM

@ Clive Robinson

Her collaboration was a good read. I see it as one of many pieces of a marketing goldmine that nonprofit businesses can use to produce tools that solve those problems. Then, the experts can just say "use X" like they do with Signal, phone backups, prepaid cards, and so on.

Clipped • February 18, 2017 8:40 PM

@Anura

"Trump is now calling the media the enemy of the people for pointing out that we have a bumbling idiot as President"

I didn't know the previous presidents weren't bumbling idiots. Now suddenly everyone's worried about Trump's supposed idiocy, well, Obama was such a caricature but nobody seemed to bother. Not to mention Bush.

At least Trump speaks out of his mind instead of pretending to be "nice".

tyr • February 18, 2017 10:29 PM


If you don't teach reading by phonics then
you get spelling errors and functional
illiteracies spread throughout the populace.
Eventually people start to notice but most
haven't a clue as to why it occurs.

Writing is encoding sounds, reading is playing
the sounds back in your head.

The idea that you can magically encode as icons
in your head the 700,000 words in an old major
dictionary is ludicrously stupid since other
societies that do so have an upper limit of
50,000 characters for well educated scholars.
That's why they have switched to syllabaries.

short version it isn't the internets fault
that cloddy cain't read or spell anymore.

Thoth • February 18, 2017 10:37 PM

@Nick P --ONLY--

The recent growth in the amount of forced unlocking and copying of smartphone encrypted contents might be a worrying sign that privacy and security are not to be expected anywhere in the world.

These occurrences can happen to diplomats, officials, businessmen, travelers and anyone. They are an especially worrying sign for diplomats and officials from foreign countries who might be crossing borders on official business and whose corporate or Government-issued smartphones might be searched.

The likes of secure containers ranging from Good Technology, Blackberry's MDM to Samsung KNOX have attempted to address issues using secure separation of work and mundane data in encrypted corporate containers that leverage ARM TrustZone.

We can go about talking about high assurance techniques and technologies, which include data diodes and carrying paper data instead of electronic data, but the fact is that most corporate environments and businesses do not look at the problem with a high assurance approach. Most businesses prefer to use out-of-the-box commercial security solutions and most commercial security solutions are pretty low assurance anyway.

The game in security is to not be the low hanging fruit by using whatever deception that is available to get the job done.

Putting aside the idealistic scenarios of using high assurance technologies, and the suspicion that TEE OSes might contain persistent problems for enterprise and personal security by means of Exceptional Access, in order to raise the bar for most attack scenarios while maintaining compatibility with existing technology, the use of TrustZone-backed secure containers for a segregated workspace together with a MicroSD Secure Element HSM chip setup to prevent key material extraction (enabling strict FIPS 140-2 mode) can prevent compromise of corporate or governmental data in tricky situations.

Such MicroSD card HSMs are getting very common and cheap and the common ones are from G&D, SecuSmart, Gemalto, Smartcard-HSM et al. These MicroSD HSMs may come with FIPS 201 PIV standards or even FIPS 140-2 configuration with up to Level 3 or even 4.

The MicroSD card HSM would store a PIV user certificate for PKI based user authentication into corporate MDM Servers and networks (i.e. Secure VPN network). The MicroSD HSM would contain two sets of PIN (User PIN and duress PIN as usual :D ). The secure container would only be accessible via the MicroSD HSM's PIV user private key to unwrap and attest the integrity of the container header in the TrustZone environment, thus making the container inaccessible without the MicroSD HSM.

Upon successful loading of the secure container, the PIV user certificate is used to establish a secure link within the secure container back to the MDM server to download updates for the container and to access corporate information and working drafts of documents. When the container is closed, the working drafts are pushed back to the MDM server and the drafts are destroyed before re-encrypting the container within TrustZone, thus making the secure container essentially a sort of Thin Client. The container should only contain minimal software for the operation of the Container-based Thin Client environment, thus ensuring that no stored data is available when requested.

Documents that need to be bound to a specific handset can be handled by storing within the container's keystore a device attestation token which is stored encrypted within the Container-based Thin Client environment. Requesting handset-bound documents would not only require the PIV user certificate attestation but also the device attestation token stored within the encrypted container, so now you will need both the handset and the MicroSD HSM to actually pull the document for viewing and editing.

Do note that my heavy mentioning of FIPS standards is due to the fact that the target audiences are mostly Governmental and Corporate people who have a need to protect secrecy using COTS available and have little time to tinker around and use non FIPS approved COTS.
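The container design described in the comment above, as an added example that is not part of Thoth's comment or of any vendor's product. It models the access logic with the Python standard library only: the PIV private-key unwrap of the container header is stood in for by a keyed derivation inside the simulated HSM, so the code shows how the controls compose rather than the real cryptography. The class names MicroSdHsm, SecureContainer and MdmServer are hypothetical. What it demonstrates: the container opens only through the PIN-gated HSM; the duress PIN or an exhausted retry counter zeroizes the HSM key, after which the container can never be opened; a handset-bound document needs both the HSM-derived container key and that handset's attestation token, so the same HSM on another handset opens the container but cannot pull the document; and closing the container pushes drafts to the server and leaves nothing behind.

```python
import hashlib
import hmac
import secrets

# Added example with hypothetical names; HMAC-SHA256 derivation stands in for the
# PIV private-key operation so the access logic can be run without a real HSM.


class MicroSdHsm:
    """Key material never leaves the object; PIN-gated, duress PIN wipes the key."""

    def __init__(self, user_pin: str, duress_pin: str, max_tries: int = 3):
        self._key = secrets.token_bytes(32)
        self._user_pin = user_pin.encode()
        self._duress_pin = duress_pin.encode()
        self._max_tries = max_tries
        self._tries_left = max_tries
        self.zeroized = False

    def _zeroize(self):
        self._key = bytes(32)
        self.zeroized = True

    def derive_container_key(self, pin: str, container_id: bytes) -> bytes:
        """Stand-in for unwrapping the container header with the PIV private key."""
        if self.zeroized:
            raise PermissionError("HSM key destroyed")
        if hmac.compare_digest(pin.encode(), self._duress_pin):
            self._zeroize()                        # duress: destroy the key silently
            raise PermissionError("invalid PIN")   # indistinguishable from a typo
        if not hmac.compare_digest(pin.encode(), self._user_pin):
            self._tries_left -= 1
            if self._tries_left == 0:
                self._zeroize()                    # retry counter exhausted
            raise PermissionError("invalid PIN")
        self._tries_left = self._max_tries
        return hmac.new(self._key, b"container|" + container_id, hashlib.sha256).digest()


class MdmServer:
    """Releases a handset-bound document only to a caller holding the matching document key."""

    def __init__(self):
        self._docs = {}      # doc_id -> (sha256(doc_key), content)
        self.drafts = {}     # drafts pushed back when a container closes

    def register(self, doc_id: bytes, doc_key: bytes, content: bytes):
        self._docs[doc_id] = (hashlib.sha256(doc_key).digest(), content)

    def release(self, doc_id: bytes, doc_key: bytes) -> bytes:
        expected, content = self._docs[doc_id]
        if not hmac.compare_digest(hashlib.sha256(doc_key).digest(), expected):
            raise PermissionError("document not bound to this handset and user")
        return content


class SecureContainer:
    """Thin-client container: opens only via the HSM, binds documents to this handset,
    wipes working drafts on close."""

    def __init__(self, hsm: MicroSdHsm, container_id: bytes = b"work"):
        self._hsm = hsm
        self._id = container_id
        self._key = None
        self._header_tag = None
        self._device_token = secrets.token_bytes(32)   # attestation token of this handset
        self.drafts = {}

    def _header_tag_for(self, key: bytes) -> bytes:
        return hmac.new(key, b"header|" + self._id, hashlib.sha256).digest()

    def provision(self, pin: str):
        """Write the header integrity tag under the HSM-derived key."""
        self._header_tag = self._header_tag_for(self._hsm.derive_container_key(pin, self._id))

    def open(self, pin: str) -> bool:
        key = self._hsm.derive_container_key(pin, self._id)
        if not hmac.compare_digest(self._header_tag_for(key), self._header_tag):
            raise PermissionError("container header failed attestation")
        self._key = key
        return True

    def is_open(self) -> bool:
        return self._key is not None

    def _doc_key(self, doc_id: bytes) -> bytes:
        if not self.is_open():
            raise PermissionError("container is closed")
        # Both the container key (HSM) and this handset's token go into the document key.
        return hmac.new(self._key, b"doc|" + doc_id + b"|" + self._device_token,
                        hashlib.sha256).digest()

    def bind_document(self, doc_id: bytes, content: bytes, server: MdmServer):
        server.register(doc_id, self._doc_key(doc_id), content)

    def fetch_document(self, doc_id: bytes, server: MdmServer) -> bytes:
        return server.release(doc_id, self._doc_key(doc_id))

    def close(self, server: MdmServer) -> int:
        """Push drafts back to the MDM server, then leave nothing in the container."""
        server.drafts.update(self.drafts)
        pushed = len(self.drafts)
        self.drafts.clear()
        self._key = None
        return pushed
```

In a deployment the header tag would be a signature or wrapped key checked inside TrustZone and the HSM's retry and duress behaviour would be enforced in the card's firmware; the point of the model is that document access is the conjunction of two independent factors, so seizing the handset without the card or the card without the handset yields nothing.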

MarkH • February 19, 2017 2:49 AM

@My Info:

In the past 20 years, I've spent quite a lot of time with native Russian speakers, and learned a little of the language myself.

I think that my "linguistic inner ear" is sensitive to the typical grammar and usage errors of English from native speakers of Russian.

Thanks to you, I now know that Finnish has no equivalent of "a" / "the" ... so in usage of articles, I would expect native speakers of Finnish to make errors similar to those of Russian speakers.

I looked at the en.wikipedia article on Finnish grammar. Fifteen noun cases? Yikes!

Though by reputation, America's Navajo language is extraordinarily challenging: Navajo is both tonal and extremely inflected. The amount of information encoded in a single Navajo verb is almost skull-cracking :/

Fine • February 19, 2017 5:37 AM

Wasn't Vodafone in that tapping scandal in Greece where a network engineer died under strange conditions?

r • February 19, 2017 5:53 AM

@Fine,

Yes, see: https://en.wikipedia.org/wiki/Vodafone_Greece

s/'Greek Watergate'/

Absolutely, and anyone with any sense realizes thus far every single ISP short of maybe Quest has been or is complicit with snooping at any given point of time since 2001.

More to the point? SSL MITM is the least of our worries, with ad-networks honeynets search-engine-poisoning and watering-hole-attacks nobody is safe.

All your data belong US, but hey! To a point it's a defensive measure and as stated en-response to @Clive the evidence of its existence is proof of its lack of perfection or the quality of the sieve.

Things MUST be escaping the dragnet because they're still (albeit multiple factions) a) trolling b) trawling (to make a distinction with the modern definition of trolling) and c) sending out NSLs.

It's a big problem, and the question boils down to who do you trust?

One needs to be able to trust himself and his devices foremost, sometimes you can't which means you have to be able to understand the requirements of operating in un-trustworthy environments with un-trustworthy devices.

Vodafone Greece was co-opted prior yes, but who hasn't been?

Quest? Lavabit?

That's the short list.

r • February 19, 2017 6:07 AM

@GRU,

RE: onz review,

Let's split (and raise) some hairs here, there's at least 2 interesting people involved in onz when I google it.

The first being Ron Unz, who as silly as it sounds advocates opt-in English courses as an American Conservative. That should roll over pretty well for the majority of 'conservatives' out there don't you think?

The second, and this one's a real winner: Steve Sailer. This is another one of our long-term nationalist alt-right leaders huh? It's good to know that when Trump references the 'california take-over' he conveniently neglects these two from his assessment. It's like Seattle leading the world around by the nose, no thank you.

https://en.wikipedia.org/wiki/Ron_Unz
https://en.wikipedia.org/wiki/Steve_Sailer

I'm not interested in having my personal home internet address[es] slurped up within a few degrees of certainty by the alt-right ad-networks.

Forgive me for being suspect.

65535February 19, 2017 6:08 AM

@ ThePurpleMango

FYI: ghacks user.js for firefox updated from 7 months ago - now on version 11 (FF 51)... updated article: http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/ …html version color coded with reference links etc: http://www.ghacks.net/files/user.js%20[ghacks]-0.11-dark.html
download: http://www.ghacks.net/download/130328/

That is helpful. I have bookmarked it.

Is there a way to run two versions of FF at the same time on Win 7/8/8.1 boxes? Say, one tightened down via about:config and the other standard?

Further, is there any real increase in security/anonymity to FF 51 over FF 49 for Win boxes?

Thanks Pants.

@ albert

What post got deleted? Was it of significance? I was not watching.

Dirk PraetFebruary 19, 2017 6:22 AM

@ Clipped

At least Trump speaks out of his mind instead of pretending to be "nice".

It's very reassuring indeed to have a POTUS who is a serial liar, issues blatantly unconstitutional executive orders, openly and repeatedly calls the media "the enemy" and ostensibly tosses away court rulings during a campaign rally. Unless you're completely ignorant of history or already have a brown uniform ready in your closet, that should send shivers down everyone's spine.

CzernoFebruary 19, 2017 6:41 AM

@65535, re:
" ... way to run two versions of FF at the same time ... ? "

Launch your firefoxen (each) with the "-no-remote" switch. Also use different "profiles" for each instance, with the switch "-P profile_name".

If necessary, please search "mozillazine" for lists of FF parameters/switches and exact syntax thereof...

HTH, regards !

Clive RobinsonFebruary 19, 2017 7:06 AM

@ My Info,

LOL! The cleaning lady took your privacy out with the trash.

Nah, it was the installation engineer, on the warranty card on the Smeg fridge he just put in...

Most people would be surprised at just how much warranty information on high-end goods gets turned into sales leads. Likewise, spend more than 20USD on a single bottle of red wine and some sales droid will salivate to get the rest of your details, especially if you do it more than once a week.

I know people that have some quite expensive professional services, whereby they insulate their more discreet clients from such problems, even to the point that they do not appear on "official" paperwork.

As far as I'm aware it's all legal and above board --though legislation changes--, and much of it you could do yourself if you know how to set up companies with head offices in offshore jurisdictions and know the tricks about domicile and work rules[1]. The problem for US citizens is US exceptionalism about taxation and where you are domiciled, but there are, I'm told by those with an in-depth knowledge of US legislation, ways around that as well.

I used to know a senior company director that had the use of a "caretaker flat" on the top floor of a quite expensive office block. Whilst quite small it directly adjoined the "walnut corridor" facilities of the private company, which had an executive dining room, gym, etc etc...

The point is, if you have good accountants and the like, the function of a room is what you claim it to be, and providing you are discreet and stick within certain rules that is ultimately what the Taxman accepts. And unless you are up to something really naughty, most Governments accept what their taxmen accept, as the primary business of Government is to raise taxes to pay for everything else...

[1] It often surprises people to know that it's "where you are paid", more than where you actually work or live, that counts. That is, as an employee of a company in country X you can be temporarily assigned to work in an office in country W or Z for quite long periods of time, providing it meets some almost arbitrary definition of "temporary". Usually the higher you are in a company's ranking the more arbitrary "temporary" becomes. Thus, as used to be the case, you could "live in Monaco" but due to "travel days" be in the UK working up to three days a week, as long as you or your company could pay the travel costs.

TatütataFebruary 19, 2017 7:54 AM

Anyone who knows anything about security should stay far away from this new Vodafone [UK] service.

I looked at your link to a wailing wall for Vodafone customers, and I see that this story is already one year old.

Could this be an implementation of the surveillance demanded by the "Snooper's charter"? How far must an ISP snoop to comply with the letter of the law? And if this actually is the case, changing ISPs won't help.

With HTTPS, all that a third party can see is one or more opened TCP connections to some IP address which was obtained by some prior DNS request. HTTP/2 should reduce the number of simultaneous connections.

If changing the DNS server setting is enough to defeat the system, then, if I'm not spouting utter nonsense, their equipment is only capable of handling TLS 1.1. Support of multiple domains under a given server IP is apparently only possible beginning with TLS 1.2. Since earlier TLS versions don't expose the server name in the handshake, they have to resort to DNS monitoring or rely on a reverse DNS lookup.

This kind of issue isn't really new. I was a very unhappy customer of Arcor in Germany almost 20 years ago (which incidentally now belongs to Vodafone). Among the many egregious problems I had with these bozos, I figured out that there was some kind of hidden proxy spoiling my (unencrypted) HTTP connections. I found out by checking server logs, and saw that the accesses didn't come from my client address. Why they did this at all is still mysterious to me.

Clive RobinsonFebruary 19, 2017 7:56 AM

@ r,

All your data belong US, but hey! To a point it's a defensive measure and, as stated in response to @Clive, the evidence of its existence is proof of its lack of perfection, or of the quality of the sieve.

Actually it's a bit more than that.

There is, as I've indicated in the past, a question of resources and their utilization. Technology currently has the effect of making things tomorrow considerably cheaper than they are today. That is, you devote today's resources to the problems that show the greatest return. If you commit a crime today, however, it will still be a crime tomorrow, the day after and several years hence. But it gets cheaper to prosecute with time... So the fact you think you got away with something today does not mean that you have, just that for resource reasons you have not been prosecuted today.

But as I've noted before, the primary purpose of Government is to raise income to pay for votes etc. The traditional method is by taxation, but it's clear to anyone who can think that taxation is not keeping pace. Thus another way of raising revenue is by fines and confiscation of the proceeds of crime.

This is where you also have to consider the mode of operation of a gardener or farmer. They have limited resources, thus they do not do things as efficiently as they might. For instance, the easiest way to deal with weeds is to not allow them to grow, but it takes quite a large effort in resources to track down each and every seed etc. and pick it out; it's less resource intensive to let them grow a while and take a hoe to them when they are most vulnerable. Likewise the crops: you choose which to pull early as they are not growing as fast as others etc., but generally you let crops grow to a point where you get a good yield but not the best yield, due to uncertainties; it's a judgment call.

There are advantages in letting criminal activity go on; if nothing else it makes the diversion of resources to the LEAs politically easier. But also it can be like farming: you weed out those that are low resource to remove or are going to cause serious problems. The others you treat more like a crop; you let them grow to the point where the cost of harvesting them is more than covered by the fines or asset forfeiture, thus in effect making a useful profit by doing so...

Thus many crimes apparently go unpunished for financial reasons.

Thus to be a successful criminal you need to work out not just how to get away with today's crime today but still be able to get away with today's crime in ten, twenty, fifty or a hundred years from now. Not doing so will put you in line for being dealt with at some point. Thus it's better to never get put in the line rather than wait to get to the head of the line...

At the end of the day it's an individual's choice as to whether they commit a crime or not. The only question that arises, if they do, is whether they have avoided being put in the line now or in the future. The simple answer is that if the crime is sufficiently recorded then as a criminal you have probably failed, and it is just a question of the time/resource curve to sweep you up into line.

As I've pointed out in the past, "collect it all" is about building a time machine to apply future technology to today's data to give useful answers in the future. That is, with collect it all your activities get swept up, and at some future point the resource cost of getting answers to questions drops. If you are long gone, it does not matter to you, but if you were a bit of a tearaway youth now making good in life, do you want the tap on the shoulder, the quiet word in the ear, the embarrassment or worse?

ClippedFebruary 19, 2017 8:02 AM

@Dirk Praet

"issues blatantly unconstitutional executive orders", isn't that how Obama got us into massive surveillance? Yet I don't see people rallying against this. I don't see how Trump's order was more unconstitutional than that.

But wait, the army of NGO doesn't mind Obama monitoring their communications, but they get so angry when jihadists can't enter the country.

keinerFebruary 19, 2017 8:51 AM

@Clipped

As you are close to the mindset of this orange man, apparently, maybe you can explain to me what happened "last night in Sweden"?

Faux NewsFebruary 19, 2017 8:54 AM


Trump and aids are out of the White House this weekend for a 'routine' bug sweep and upgrade to the aging house infrastructure.

Pence is in Munich this weekend with a raving endorsement from Bono for his two-timing support of liberal AIDS monies targeting Africa.

CallMeLateForSupperFebruary 19, 2017 10:50 AM

@Keiner
"... maybe you [@Clipped] can explain to me what happened "last night in Sweden"?"

LOL. Good one.

Possibly something just as explosive as the "Bowling Green massacre". ;-)

Earlier today I read that some officials in Sweden were wondering the same thing. The only thing they could offer was something about a dust-up related to sports.

Clive RobinsonFebruary 19, 2017 10:54 AM

@ Keiner,

Ahh you mean "sweden just around the corner from Alaska", Donald appears to know his geography as well as Sahara Palin, and quite a few others[1] it's not just a faux republican thing. All jokes about the knowledge a lot of Americans do not appear to have about world geography can be said of many other nations.

However, the recent attacks in Pakistan, of which Sehwan in Sindh province is just one and possibly what Donald Trump misheard/misremembered, are a reminder of the legacy of the problems in the ME to do with fundamentalist religion out of Saudi and petrodollars.

Which begs the question as to why Saudi is not on the Trump List...

[1] http://m.motherjones.com/mixed-media/2013/09/fake-world-map-geography-mistakes-politicians

albertFebruary 19, 2017 11:05 AM

@65535,

See @Moderators comment to @Martin. If it's worse than some of the stuff I read here, it's likely not worth researching.

BTW, Bruce has every right to censor his blog. I don't miss the BS and personal attacks.

. .. . .. --- ....

My InfoFebruary 19, 2017 1:22 PM

@MarkH

I would expect native speakers of Finnish to make errors similar to those of Russian speakers.

Russian (like English, German, French, Spanish, etc.) is an Indo-European language, while Finnish is grouped along with Hungarian and Estonian into a different family. I do not know any Russian beyond making out some of the letters because of their vague resemblance to Greek letters, but I would guess that the languages are so different that to speak or understand one versus the other requires an almost completely different way of thinking. No, I would not at all expect native Finnish speakers to make the same errors as native Russian speakers when learning English.

@Faux News

liberal AIDS monies targeting Africa

Right. It is absolutely imperative that both boys and girls be circumcised by the Médecins Sans Frontières in order to prevent the spread of AIDS.

@keiner

Saudi Arabia is close friend to USA. Longstanding.

Right. What about those wealthy Saudi Arabian Sunni families who fund Da`esh?

keinerFebruary 19, 2017 1:39 PM

@Mark

..and the Saudis in the WTC. And the Saudis funding fundamentalist Islam all around the world? Really, have a look at Bitter Lake by Adam Curtis. The stories out there, starting AT LEAST from 911, don't make any sense. But Trump is the wrong answer. If the facts don't make sense, don't kick out the facts, but the STORYTELLERS...

My BabyFebruary 19, 2017 3:24 PM

Speaking of surfing safer with FF does anyone have any insight into the new "brave' browser?

https://www.brave.com/

It makes a lot of claims but I wonder if it is really true or not. To someone like me the biggest advantage is not to have to manage all the add-ons that FF requires.

MarkHFebruary 19, 2017 3:49 PM

@My Info,

My speculation about errors in English was limited to "usage of articles". Like Finnish, Russian has no words for 'a' or 'the'.

As a native speaker of English, I had no idea how hard they are to use until I once tried to explain 'the' to a native Russian speaker. I spent quite a while trying to come up with rules for when to say 'the' and when to leave it out, and no matter how hard I tried I kept finding exceptions to my proposed rules.

So I imagine that native Finnish speakers would have similar confusion when using languages with these articles like English (and all of the western European languages I can think of).

The third article in English, 'some', might be easier for Russian speakers, because they have roughly corresponding words.

I experienced a much smaller version of this perplexity in reverse as a student of Russian. In English, other words around the verb indicate whether it refers to a completed action or the process of the action (for example, "I walked" vs. "I was walking"). In Russian, this distinction is called aspect, and in general there are two separate words for each aspect. Usually (but not always) they are similar, but there are several patterns of variation, so that knowing one aspect does not in general allow you to reliably predict the other aspect. So, for each English verb, I need to learn two Russian words.

To add sauce to the recipe, the aspects have different conjugations too.

For even more fun, verbs of motion (variants of "to go") may have different forms depending whether the motion is one direction ("I'm walking home") or general/multidirectional ("I often drive for my sales job").

My InfoFebruary 19, 2017 4:14 PM

@My Baby

https://en.wikipedia.org/wiki/Brave_(web_browser)

[Brendan] Eich sees the Web as facing a "primal threat" consisting of an impending conflict between advertisers, who are incentivized to collect and store detailed and, oftentimes, highly personal information about individual web users in order to deliver more effective advertisements, and users, who are increasingly averse to the collection of their personal information.

Incentivized? Right. That means he makes a lot of money buying and selling your personal and private information. Has to. After all, he paid a pretty penny for the premium domain name brave.com.

And he wants micropayments on top of that? I'll tell you what: Get your greedy grubby fingers out of my wallet, get your filthy pop-up malvertising scumware out of my computer, and go chase the high net worth somewhere else!

To add sauce to the recipe, the aspects have different conjugations too.

For even more fun, verbs of motion (variants of "to go") may have different forms depending whether the motion is one direction ("I'm walking home") or general/multidirectional ("I often drive for my sales job").

@MarkH

In traditional Finnish, (and my Finnish is both rusty and very, very old, from three of my grandparents who learned it from their parents after they immigrated to the U.S.,) "minä käyn" means "I walk" or "I go." The general/multidirectional form would be "minä kävelen." It's from some root of the same word, but if I understand right it's more like "I'm walking around" or "I'm going for a stroll" rather than for a particular purpose like "minä käyn koulussa" or "I'm going to school," whereas it would not be necessary to say "minä kävelen koulussa," which sounds a little bit odd, and probably would not express the same idea. So there is a general/multidirectional form for many Finnish verbs, but it probably does not correspond very much if at all in usage in most cases to the Russian.

Turd in the PunchbowlFebruary 19, 2017 5:06 PM

@keiner. yes, AT LEAST from 911, and provably from the Oklahoma City bombing. What makes sense is the probative evidence: by 1995 CIA had brought home a strategy of tension long in use in Europe (as "Gladio,") involving armed US government attacks on the domestic civilian population to justify increased repressive capacity.

http://whowhatwhy.org/2015/04/22/exclusive-oklahoma-city-bombing-breakthrough-part-1-of-2/

http://forum.prisonplanet.com/index.php?topic=5760.0

http://www.consensus911.org/

https://libya360.wordpress.com/2015/03/13/the-american-deep-state-an-interview-with-peter-dale-scott/

One important function of the 'security' industry, this weblog included, is to direct everyone's attention to officially-approved threats (Islamic terrorists, cyber, whatever that is) and away from real threats, like serious crimes of concern to the international community committed by the US government.

Our security experts will be afraid to address this until after the US starts and loses WWIII and the SCO rounds up Gates, Brennan, Meyers, Cheney, and Rumsfeld, and gives them the six-inch drop at Nuremberg II.

Dirk PraetFebruary 19, 2017 5:13 PM

@ Clipped

"issues blatantly unconstitutional executive orders", isn't that how Obama got us into massive surveillance?

Please specify which Obama EO pertaining to mass surveillance you're talking about. "All of them" is not a valid answer.

the army of NGO doesn't mind Obama monitoring their communications

Be so kind as to revisit this blog's archives for a better understanding of most regulars' opinion on Obama and mass surveillance. It doubt you will find it very positive.

they get so angry when jihadists can't enter the country.

Please specify the incidents in which jihadists from targeted countries murdered people on US soil. Bowling Green and the Friday incident in Sweden don't count.

rFebruary 19, 2017 5:49 PM

Bowling Green was and is the most absolute tragic terrorist plot to ever happen in the United States of America Mr. Dirk Praet. Why, don't you realize just how upset the Aides in the White House are that it never happened?

They're practically setting the table for it at this point don't ya know.

rFebruary 19, 2017 5:54 PM

@Punch in the Turd bowl,

I would sooner believe that their subsidized operations with the BND are the style of FBI+GRU hand-in-hand operations that happen, as opposed to actually using their own services to render such afflictions. They work with GCHQ, BND; after this election I would believe with absolute readiness that certain Republican factions contacted the FSB for Chechen services, but not that the CIA would be directly involved.

There's far more possibilities than your short little stories let on.

rFebruary 19, 2017 5:59 PM

But then again, why charge Russians with treason if they were useful idiots?

Your bullshit only adds up to a pile of crap.

Fly on the WallFebruary 19, 2017 7:56 PM

IF taking electronics at borders and elsewhere to search and copy becomes standard practice, and it very well might, it seems to me there would be some good workarounds.

Sensitive matter could be stored on a micro SD card for either phones or computers.

Another option: Clean devices before crossing, then download necessary data via a secure cloud connection.

Buy devices when you get there, load it up with an SD card or via the cloud.

(Frankly, if I had any really, truly secret or incriminating data that needed storage, it would be on paper in a secret safe or in my head.)

The more expansive view is police and governments are collecting this data for general law enforcement and/or political reasons, for nefarious purposes unknown to the general public.

So, for example, to get embarrassing data on a politician, his totally innocent secretary, barber, next door neighbor, anyone who has passing contact finds themselves on a secret targeted adversary list. Everywhere they go they are under electronic surveillance.

Because it can be labeled a security matter, it's thus secret surveillance. Meanwhile, if something incriminating is found NOT related to the primary target, it is still legal to use it as evidence.

We are quite away downhill on the slippery slope of tyranny when it comes to electronics these days. In many respects the USA set the standard for the world...down!

In the end, it's not so much a technical issue, it's a political and human rights issue. They take data simply because they can and there is no one who can or will stop them.

We ought to fix that some day, too.

65535February 19, 2017 7:58 PM

@ Czerno

“Launch your firefoxen (each) with "-no-remote" switch. Also use different "profiles" for each instance, and switch "-P profile_name" If necessary, please search "mozillazine" for lists of FF parameters/switches and exact syntax thereof...”

Thanks. Two different profiles are the solution. I’ll give it a try.

@ albert

I see. The post was not worth the damage it could cause. That sounds reasonable.

rFebruary 19, 2017 8:05 PM

@Fly on the wall,

Bad move downloading after passing through a border; better to pick up a new device randomly and grab your data then. You wouldn't want bedbugs or NITs to follow you from the crossing to your hotel to your weekend dinner date, would you?

Forgive me, but I'm railing against you for the same reason I railed against @Clive in this case and for the same reason somebody could rail against me... The situation is a live grenade, worse yet could be advocating people 'leave their devices at home'.

Where's the security in that?

It's a hard problem sure, and they're right for the most part that without secure software and secure hardware we're through... But it isn't the case when a device isn't unlocked by a fingerprint or an iris.

It's up to you to decide what's appropriate for your situation.

rFebruary 19, 2017 8:12 PM

Language (or the lack there-of) can be an effective data diode.

There's no real reason to panic unless you are bound to a single channel or a complete sentence things can be communicated without legible communication and data can be transmitted and ferried in ways that do not divulge secrets.

Fear and panic have smells that can be detected by dogs and microchip, in some cases video can sense your unease and your sweat.

CCC, cool calm and collected.

keinerFebruary 20, 2017 1:23 AM

@Turd in the Punchbowl

... have a look here at what Mr. Rumsfeld had to say in 1989 (!)

https://www.youtube.com/watch?v=9fPzvG7qFRI

They will go and mess up the middle east. Long planned. Islam is just the boogeyman.

Long-standing practice to introduce totalitarianism: de-humanize a large group of society (how about a religious minority? Don't forget the migrants; xenophobia is a constant, amazingly even in a nation of migrants).

When a large fraction of society has accepted the concept, e.g. by voting for total idiots in an important election, hate and violence will follow soon. And the next step is to misuse security (aka "antiterror") legislation to criminalize any kind of resistance against the regime.

The USA is well on its way under this playbook, as is the UK (even without a direct election, but due to the fact the regime changed after the Brexit vote).

Clive RobinsonFebruary 20, 2017 9:06 AM

@ Fly on the Wall, r,

Buy devices when you get there, load it up with an SD card or via the cloud.

Unfortunately you've not followed the logic through... It's something that Nick P and myself went further with several years ago now, but it's in this blog somewhere ;-)

Briefly, the SD card is just another electronic device; if you can use it then it can be found on --or in-- you when you cross the border. If you are "hiding it", or are presumed to be hiding it, then you are in a world of hurt. Lying to a Federal Officer is the least of your worries, as the presumption is then that you have reason to be hiding it, which is not where you want to be going.

But following on with the SD card: unless you encrypt the data, when it is found then the data is lost anyway and all you've done is earned yourself whatever punishment they decide to throw at you, not for your "crime" but as an object lesson to others, so expect the bidding to start at 30 years and go upwards from there...

With regards to using the Internet in some way to get around the physical border, similar logic can apply with regards to lying to federal officers / false declarations and all sorts of other nonsense. However, the point is you would have the data encrypted somehow.

The problem with encrypted data in both regards is the key. You may not be aware, but various countries have quite stiff penalties for not handing over encryption keys on demand. As the legislation is written, your only real defence is showing you have not had the key in your possession in the past or currently, and that it is not possible for you to get the key now or in the future within the jurisdiction you are being held in.

It's this last point you need to think about carefully because get that right and the rest is fairly meaningless within the limits of the law...

As I said have a hunt back through this blog and you will find various methods discussed.
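
One concrete way to be in the position Clive describes, of provably not holding the key, is threshold secret sharing: the traveller carries only ciphertext, the key is split k-of-n, the shares are handed to people or systems in other jurisdictions before departure, and nothing on the traveller or on the travelling device can reconstruct it. The block below is an added illustration written for this thread; it is not one of the methods Clive and Nick P discussed on this blog and not code from the page. It uses the Python standard library only, Shamir sharing over the Mersenne prime 2^521-1 (large enough that any 32-byte key is a field element), and a hash-counter keystream that stands in for a real AEAD cipher, which is an assumption made to keep it dependency-free; a deployment would use AES-GCM or ChaCha20-Poly1305. The document bytes are constructed.

```python
import hashlib
import secrets

P = 2**521 - 1  # Mersenne prime; every 32-byte key is < P, so it is a valid secret

def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_secret(secret: bytes, k: int, n: int):
    """Shamir k-of-n split; returns [(x, y), ...] with x = 1..n.
    Fewer than k shares reveal nothing about the secret (information-theoretically)."""
    s = int.from_bytes(secret, "big")
    assert s < P and 1 <= k <= n < P
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret_int(shares) -> int:
    """Lagrange interpolation at x = 0. With fewer than k shares the result is a
    uniformly random field element, not an 'almost right' key."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, P - 2, P)) % P
    return s

def recover_secret(shares, length: int) -> bytes:
    return recover_secret_int(shares).to_bytes(length, "big")

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative SHA-256 counter keystream (assumption, not a recommended cipher);
    the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def prepare_for_travel(plaintext: bytes, k: int = 2, n: int = 3):
    """Before the crossing: encrypt under a fresh key, split the key, and return
    (ciphertext, shares). The ciphertext travels; the shares and the key do not."""
    key = secrets.token_bytes(32)
    ciphertext = keystream_xor(key, plaintext)
    shares = split_secret(key, k, n)
    return ciphertext, shares

def recover_at_destination(ciphertext: bytes, shares_received) -> bytes:
    """After the crossing: any k shares, sent by their holders, rebuild the key."""
    key = recover_secret(shares_received, 32)
    return keystream_xor(key, ciphertext)

if __name__ == "__main__":
    doc = b"constructed sample document"          # constructed input
    ct, shares = prepare_for_travel(doc, k=2, n=3)
    print(recover_at_destination(ct, shares[1:]) == doc)   # True with 2 of 3 shares
```

The property that matters legally is the one the test of fewer-than-k shares shows: a single share, or the ciphertext alone, is mathematically independent of the key, so there is nothing on the traveller to hand over. The scheme says nothing about the device the split was done on; plaintext, key and share copies have to be destroyed there, and a wear-levelled SSD will not reliably let you do that, which is a separate problem.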

Punch in the TurdbowlFebruary 20, 2017 9:48 AM

@keiner, very true - though one could cavil at "the next step," since longstanding police death squads murder blacks with impunity nationwide; and the US government violently repressed Occupy with counter-terror measures including planned sniper murders that FBI is shielding from public or legal scrutiny.

whowhatwhy.org/2013/06/27/fbi-document-deleted-plots-to-kill-occupy-leaders-if-deemed-necessary/

US fake democracy passed through the event horizon when Rumsfeld went to DEFCON 2 and COG replaced the constitution. It's still amazing how no one notices that Congress and the courts have been completely castrated - even compared to the feckless reforms of the Church and Pike Committee days. Senators beg CIA for scraps of answers in this humiliating mother-may-I game. They either work for CIA directly, like blackmailed traitor McCain and Hastert's pedos, or they're flinching and crawling like little butthurt prison bitches, e.g. Wyden.

The US population can't reverse this. They're more under control than North Koreans. It is a problem for the international community. The world knows exactly what they're dealing with: a criminal COG regime that breaks with the past like the Nazis did, and legally does what the Nazis did, crimes against humanity and peace. It will turn out the same way too.

And the security industry ignores it all with a herculean effort of will and feigned obtuseness. Makes you wonder if there were lots of mealymouthed security experts advising the SS on the fine points of slow strangulation with piano wire or concentration camp ethics.

Clive RobinsonFebruary 20, 2017 12:30 PM

AI race car crashes in first race

Those old enough to remember motor racing when it was dangerous, when cars crashed and drivers and spectators got injured/killed, will find modern F1 etc. appears tame in comparison.

Even though crashes still happen, they are nowhere near as frequent; spectators are usually quite safe and drivers usually walk away from crashes these days.

Well, one area that is new is "driverless" racing. The cars are not remote controlled but AI controlled. The first competitive race between two AI race cars has ended up with one crashing, and the other successfully avoiding a dog that got onto the track,

http://www.bbc.com/news/technology-39027477

Of course this leaves the real question of whether there are going to be more crashes, thus drama, or fewer, thus making it almost clinically dull. Time will tell, but the first few races at least should be entertaining.

Clive RobinsonFebruary 20, 2017 12:56 PM

Torrent takedown Madness

You'd think you could not make this up, only they did, then complained about it,

https://torrentfreak.com/pirate-site-with-no-traffic-attracts-49m-mainly-bogus-dmca-notices-170219/

There is now an evil voice whispering in my ear that this could be turned into a competative sport...

The real point, however, is it shows how industrialising a process is apt to go badly wrong. It's kind of what you'd expect to happen with big business paying for results but not checking that what they are paying for is actually real.

Hands up those who could see ways to make this sort of idiocy happen with "collect it all"...

poisonous document formatFebruary 20, 2017 5:14 PM

Please, how can I view a PDF without JavaScript? Google Docs needs JavaScript to view. samurajdata.se /index.php is down a lot, maybe forever.
Does anyone know other services for viewing PDFs?
Many thanks!

rFebruary 20, 2017 5:32 PM

LOL @ "they're more under control than the north koreans"

and you know this how?

@Clive,

I just don't think it's a good idea to carry encrypted things with you across a border, there's too many unknowns and then you'll just have to answer questions that can be further mined strategically. It's just not worth it.

Now, unencrypted but SIGNED may be a different scenario.

And as for leaving your devices at home while your airborne itinerary is plotted by whoever guards the borders... they're connected back to your locals, so my advice there is again: don't leave your stuff in a fixed location unattended for whomever may not come knocking.

Also, I think I've seen questions about 'updating' containers on solid state devices that enforce wear-levelling, so opening your digital briefcase once you arrive at your destination and then passing through the next checkpoint may be a no-no too.

That's just my angle on things, I find myself concerned with security because I've seen first hand how easy it is for technology to escape one's intended boundaries. It's not worth the risk or the effects of other people having, it's not.

rFebruary 20, 2017 5:40 PM

There's certain things that should be shared, and other things that that specific question is up for grabs - it's just better to report/publish a CVE/disclosure than it is for the general public to have one's niche tools. At this point in time it's borderline manufacturing and or distribution of weapons and that's not even considering the fingerprinting opportunities that present themselves when one's stuff gets out. If you want to have the freedom to code sometimes your code should stay in the lab where you developed it, never seeing the light of day outside unless there's some sort of public need.

Tradecraft, we all stand on giants especially within the open source world but there's just too many kids out there who'll repurpose even a light PoC into something malicious.

Sometimes it's not even a kid, look at Cellebrite, FinFisher and Gamma Group.

What some of us do to each other is just sickening.

CzernoFebruary 20, 2017 5:51 PM

@poisonous document format :

The below service is analogous to Samurajdata, for viewing pdf (and other) doc formats online:

http://viewer.zoho.com/home.do

No guarantee, I haven't checked recently if it was still working. Personally, most of the time I trust Google Chrome's embedded PDF viewer (needs local scripting, which I allow only case by case using the "ScriptSafe" extension, the counterpart of the better known "NoScript" for FF). YMMV

Glug glug mmm lumpy punchFebruary 20, 2017 6:11 PM

r furiously waving his flag at fancied Russians: Q.E.D. There's nothing CIA can't put over on a helpless dupe like that. They brainwash him with an eyedropper. Zero critical reasoning skills. Classic downtrodden American victim.

rFebruary 20, 2017 6:21 PM

;-)

The most important thing, and the hardest thing in life - is to be happy.

I'm happy, R U?

rFebruary 20, 2017 6:41 PM

My hopes for you, Mr. GRU subordinate, are that you find direction and happiness that is not at the direction of another.

You and I both know full well that if you are but one of their many recently co-opted, the happiness you must be feeling now pales in comparison to the happiness you thought you had before. It's amazing how quickly things can change, no? Sloppy sloppy, Mr. GRU subordinate, it's a shame.

JG4 is amazed by 10-20k a month, but we know otherwise don't we?

What you're doing now is not freedom, it's not enjoyable. I don't think you even know the true value of an honest day's work, do you? Always jet set and martinis.

Is that caviar you're eating or just salt?

rFebruary 20, 2017 7:01 PM

I don't know why I rail against you so, you're just as impoverished as our inner city youth. It's not like you even really have a choice in this day and age, you know: with sanctions and all.

I pity you, but I am not your enemy I am your friend. Come home to ideological freedom, to a free press and a real job.

Come to my table next thanksgiving, I think you'll find there's more than food at the table for you.

Maybe something decent like hope or true friendship, something of more value than what you have now.

The money we earn in our paychecks is weak, just like your Rubble.

It's shallow to embrace such a thing, and being paid for your words when they're divisive devalues the currency of your soul.

Anonymous=eFebruary 20, 2017 7:29 PM

They tried to do that to me, too. They put poisoned shellfish (shrimp and scallops) into a dish I had ordered at a restaurant that was not even supposed to contain shellfish. I was rather stranded at the location, and I slept outside in freezing weather, and I puked and puked all night long, but I stayed away from the hospital and survived.

Authorities Investigate Drugs Vanishing At Some VA Hospitals

Christopher Thyer, the U.S. attorney overseeing the case, said the employees were abusing their position to steal from taxpayers and “poison the communities we live in with dangerous drugs.”

The drug thefts from VA also raise the possibility that patients will be denied medication they need or that they will be treated by drug-impaired staff.

In one case, a former VA employee in Baltimore pleaded guilty on charges that he injected himself with fentanyl intended for patients heading into surgery, then refilled the syringes with saline solution. Patients received solution tainted with the Hepatitis C virus carried by the employee.

MarkHFebruary 20, 2017 8:01 PM

@Clive:

"Time will tell but the first few races at least should be entertaining."

No doubt! If you remember the days of 'active suspension', the failures were rather spectacular visually.

Steve Matchett, one-time mechanic for Benetton F1, has said for years that the F1 engineers would love to get rid of the drivers -- the people in the cockpits add aerodynamic drag, raise the center of gravity, need extra hardware for the person/machine interface, and make errors that degrade lap times from their technical optimum.

In addition, once you get the drivers out, you can dispense with all sorts of costly apparatus and testing provided for driver safety.

There's a certain segment of the F1 crowd that would probably be excited to watch driverless auto races. However, I suspect that the rest of the world's motorsport audience would find many other things more appealing.

Muddle turds with Freedom Sugar and ChillFebruary 20, 2017 9:38 PM

@Anonymous=e, Churkin's the third one after Karlov and Krivov. If your bureaucrats are laughingstocks at diplomacy and rule of law, you just kill all the competent diplomats until you're the best. Then you can be leader of the world for sure! That's the American Way!

@r, I know why you can't stop humping my leg, you are friendless and desperate for attention. Drunk posting makes you all emo and makes it worse. Studies show American lumpenproles' lifespans are getting shorter as they poison themselves with alcohol and drugs in despair of the corporate snake pit they are trapped in. It's not your fault, it's your subaltern class habitus.

NameFebruary 20, 2017 10:29 PM

https://www.wired.com/2016/12/dear-mr-trump-cyber-better-try-blockchain/ A DDoS-proof DNS? There's no way the NSA would allow this, right? It would make cyber terrorism harder, it would protect critical infrastructure, and by everyone having a local copy of all DNS records it would uphold the constitution of the US (no more DNS leaks violating the 4th amendment). Any one of those on their own would be enough for the NSA to sabotage it like they did the NIST dual elliptic curve standard, right? Isn't their job to give cyber weapons to terrorist organizations like Shadow Brokers and hide it until China and Russia have used it to do as much damage as possible to critical US infrastructure? Isn't that what they're paid $60,000,000,000 a year for?

Clive RobinsonFebruary 20, 2017 11:43 PM

@ MarkH,

Steve Matchett, one-time mechanic for Benetton F1, has said for years that the F1 engineers would love to get rid of the drivers -- the people in the cockpits add aerodynamic drag, raise the center of gravity, need extra hardware for the person/machine interface, and make errors that degrade lap times from their technical optimum.

Yup and fighter aircraft designers say very much the same... Which is why we have drones, and coming soon to a place near you "AI+ Drones"...

I met Steve Matchett briefly in the 1990s when I was tangentially involved with FOCA (in Brabham HQ in Chessington, Surrey) as part of the design of the radio control system for the "cockpit eye view" camera mounted in that little wing you see sticking out of the fairing behind the driver's head. His view on the wing was not as complimentary as it might have been --seeing as it was a sport revenue raiser-- but he did joke it was better than using a periscope from between the driver's legs...

NameFebruary 21, 2017 1:28 AM

Here is why the NSA hates blockchains.
From https://www.wired.com/2016/12/overstock-com-issues-stock-via-bitcoin-blockchain/

The blockchain is an online ledger controlled not by any one company or government agency, but by a global network of computers. With bitcoin, this ledger tracks the exchange of money, but it can also track anything else that holds value, including stocks, bonds, and other financial securities. The idea is that this technology can more accurately and inexpensively oversee financial trades while eliminating many of the middlemen and loopholes that characterize today’s markets.

Since blockchains stand to improve national security by no longer having a single point of failure, a point vulnerable to cyber-terrorists, the NSA will not allow blockchains to be adopted. It would become too hard for terrorists to take down critical infrastructure, and the NSA pledged their souls to helping enable cyber-terrorists by weakening all American cyber-security as much as possible (Google "project BULLRUN" if you want proof of this last part).

rFebruary 21, 2017 5:16 AM

It took you that long to come up with a response your editor would allow you to post?

It's alright Hazel, I forgot that we're not supposed to be speaking directly to each other anyways.

But, so you know: I'm drunk with financial freedom not Alcohol, you? I think you're one of those drink-yourself-into-angry-diabetes-sugar-problems people.

JG4February 21, 2017 12:12 PM


another nice data visualization

https://image-store.slidesharecdn.com/a6ffe88d-9b51-4598-864b-f4073e47399f-large.jpeg

I think that I quipped "the years teach what the days never knew." Without elapsed time for selective forces to distinguish the well-designed and well-implemented from the poorly-designed and/or the poorly-implemented, it's difficult to assess the merits of your systems. Of course, you still have to have a metric for performance and some test points.

Projecting the test point data onto good visualizations can make it much easier to see what is important. Or as Yogi said, "You can see a lot just by looking." If we had the elusive hypervisor, for some time to come, there will be humans in the loop and it would be helpful for them to be able to see distilled essence of failure.

Slime Mold with MustardFebruary 21, 2017 1:33 PM

Re: Revisiting the DNC Hack with Better Information

Two months ago, I called the report prepared by the CIA, FBI, and NSA on the DNC intrusion something along the lines of "piss poor".
https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

I'll stand by that. Glenn Greenwald called it "underwhelming".
https://theintercept.com/2017/01/06/underwhelming-intel-report-shows-need-for-congressional-investigation-of-dnc-hack/

Well, it seems the "intelligence" agencies could have stapled this 2014 Google report tracking APT28 in real detail to the back and made a solid case that it was the Russians.
https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf

("The Aquarium" is the nickname of GRU headquarters).

Question: The GRU must have been aware they had been spotted in 2014. Why didn't they use/develop a different tool set?
Possibilities:
1. They already have other hacks, but considered the DNC a second tier target (after all GRU is military intelligence).
2. Lack of resources

Also Note: It later came out that the FBI had never examined the servers. They relied on a "reputable cyber-security firm" (If I were a Dem lawyer I would have raised holy hell before letting the feds in, just on precedent).

Did the Russians hold back a few morsels for future use in a Hillary administration? I would.

JohnFebruary 21, 2017 2:17 PM

@r
I got confused reading this thread.
It looks like all the posts you replied to got deleted by the time I read yours.
I can't find any post by anyone named "hazel".
Farther up I see several posts in a row by you, replying to someone, but his posts seem gone?
Seeing half of the conversation, it looked interesting.
Why was the other half deleted?

concerned netizenFebruary 21, 2017 2:58 PM

What exactly happened with the Ukraine artillery?
https://motherboard.vice.com/en_us/article/fancy-bear-hack-of-ukrainian-artillery-fighters-shows-future-of-war just says there was a trojan involved
Did GRU get the signing keys for the app, socially engineer or hack the account of whoever owned the thread with the app to download, add a trojan to that app, resign it and text or email everyone, from that account, telling them something like "come get better updated version"?
Popular media is so sparse on details it gives no idea whatsoever of what happened except "some kind of mischief related to technology LOL"...

Clive RobinsonFebruary 21, 2017 5:18 PM

@ Slime Mould...,

Question: The GRU must have been aware they had been spotted in 2014. Why didn't they use/develop a different tool set?

That "why didn't they" question was the main reason I argued against the original report as little more than nonsense. Further, it was too coincidental with the "Reds Under The Beds" drum beat that had moved from "China APT" to "Russia Inside".

I thus concluded that no "real" investigation had been carried out. Further it smelt strongly of "being led by the nose" in that they were shown what they wanted to see, thus did not look any further than their pre-assumptions.

Which led me to ask where the "contradictory evidence" was, which led to the realisation there was no actual evidence being presented.

Thus I can not say it was not the Russians, but likewise the same goes for any capable IC or security organisation, any one of whom could pick up the APT28 etc. information and reproduce the attacks, thus creating a faux impression to cover their own activities.

The whole investigation as publicly reported was an "I see no ships" event where you "don't look for what you don't want to see", thus you don't see it and can carry on sailing in the direction you want to go rather than the one a correct examination of the facts would suggest would be more prudent.

I guess we are unlikely to find out the real motives behind the investigation and I'll let others make their own deductions about the timing by the investigating agency. Suffice it to say that that particular "fog of war" could have been caused by any number of smoldering fires all over the place, and thus many motives for "stoking them up" existed...

One thing history shows over and over again is you can win battles but lose wars, thus sometimes the right people win, other times the wrong, and we can only judge which by the facts we have and our points of view. Thus with no facts, any point of view can be held to be true axiomatically, which is why we have the CIA-invented "Conspiracy Theories".

Anonymous=eFebruary 21, 2017 7:37 PM

@Fausses Nouvelles

It's the last time he'll order Shepherd's Pie at Trump Tower.

Your French is getting rusty, Madame. If you're really that foxy, go find a boyfriend somewhere else.

  • Not male.
  • Not a Trump fanatic.
  • Not a liberal.

You only got one out of three right. You probably guessed, rightly, that I'm not a liberal. I'm sorry, but Obamacare was an abject failure. All too much of that money for healthcare without accountability went into psychiatric and other medical quackery, barratry at civil and criminal law, and false imprisonment. I'm sorry, but as long as "medical marijuana" is even on the table as a legitimate treatment for any condition whatsoever, I reserve the absolute right to refuse medical treatment.

I'm afraid the doctors need to go to prison, our medical institutions need to be rebuilt from the ground up, and any and all who are interested in medicine need to be re-educated. Let there be no doubt. This will happen. Psychiatry as it is practiced today in the United States of America is not only a hate crime, but a Holocaust-worthy war crime, and those who practice it, cooperate with it, accept it, tolerate it, or condone it must bear their guilt eternally. I'm sorry, but there is no excuse for anyone to slander and libel another human being of mental illness at law, or to use this as grounds for false imprisonment and forced administration of psychotropic drugs. The 21st-century Nuremberg trials are coming. John has recorded it in the Book of Revelation, chapter 7, verses 8–13; and chapter 21, verse 23:

And one of the elders answered, saying unto me, What are these which are arrayed in white robes? and whence came they? And I said unto him, Sir, thou knowest. And he said to me, These are they which came out of great tribulation, and have washed their robes, and made them white in the blood of the Lamb. Therefore are they before the throne of God, and serve him day and night in his temple: and he that sitteth on the throne shall dwell among them. They shall hunger no more, neither thirst any more; neither shall the sun light on them, nor any heat. For the Lamb which is in the midst of the throne shall feed them, and shall lead them unto living fountains of waters: and God shall wipe away all tears from their eyes.

And the city had no need of the sun, neither of the moon, to shine in it: for the glory of God did lighten it, and the Lamb is the light thereof.

cypherpunksFebruary 21, 2017 8:21 PM

Trump's gutting of the FCC and particularly of net neutrality may greatly benefit the poor and oppressed who have limited data.
Please support this https://trac.torproject.org/projects/tor/ticket/21518
By running Tor over zero-rated protocols such as WhatsApp, you will be helping those who need Tor most, by letting them (relatively) safely read news critical of their oppressive governments.
These people can't afford data plans but with the death of net neutrality certain protocols can be used unlimited, for free, and Tor needs developers to help write pluggable transports that benefit from these zero-rated protocols.

furloinFebruary 21, 2017 10:07 PM

@all
https://developers.slashdot.org/story/17/02/21/2039256/php-becomes-first-programming-language-to-add-modern-cryptography-library-in-its-core
Like I would touch php with a 10 foot pole. Anyone heard of libsodium before? Quick reading shows it is based off of the NaCl project which is python and c based. For now I will not get within nuclear fallout distance of php.

@Anonymous=e

Hate to feed what is probably a troll (doing their job?), however.
Pertaining to medical treatment, although preferred in some cases to refuse: what does your Authority have to say about evil global pharma/dictators/GRUs forcing you to take the accursed thing? Eventually the peasants may be forced like chattel that go to various military-servitude-like places to take 'vaccines'. Even if history is about to not repeat itself, even with psychiatry being a huge barrel of sly remarks, do those quotes have anything to do with security or even what you were talking about to begin with?

And let me stop you right there, don't even go into the supposed 'eternal security' disinfo. Where is that quip about all humans dying again? Oh yes http://www.zerohedge.com/news/2017-02-21/illusion-freedom-police-state-alive-and-well

https://news.slashdot.org/story/17/02/21/1448201/university-offers-course-to-help-sniff-out-and-refute-bullshit It's like watching the snake eat its own tail. *grabs more popcorn*

Also to obfuscate a link or to not, which is preferred and why?

rFebruary 21, 2017 10:59 PM

@e,

I'll repeat: Awe, I'm inspiring.

How did you get that from Shepherd's Pie?

@John,

Sorry if my responses of madness lose distinction like drops in a pool, I have an ongoing spat with:

https://www.schneier.com/blog/archives/2017/01/friday_squid_bl_559.html#c6742515

While the mod has removed the original make no mistake that I am not the only one who witnessed a response from a supposed GRU superior making an edit of one of the troll's comments here ad-hoc (pre?-submission)(I pissed them off enough to intercede with specific comments about Ms. Chapman). It (The GRU post) has since been deleted but I preserved the originals and attempted to repost them here in succession within that thread. Ofc, I am assuming it's the same person but some of the lingual usage is the same and the slant is always the same.

It's a love/hate kind of thing, again I'm sorry for the lack of follow-ability here and I know full well that I'm taking away from the larger conversations we should be having.

okTurtlesFebruary 21, 2017 11:38 PM

@Freezing

I'm sorry but it really does not speak well of you using/providing an unsafe link. I couldn't even force https on the site. You should know better.

Once everything uses HTTPS, the "Quantum Insert" class of attacks will require stolen TLS certificates, which will stop most script kiddies (but not TLAs or state funded adversaries).
Decentralizing the CAs would put a stop to that whole category of attacks, and other categories (including passive ones like FireSheep, and downgrade attacks (a clean break would require no backwards compatibility with insecure protocols such as SSL)).

rFebruary 21, 2017 11:52 PM

@Freezing,

I use phonearena quite a bit, while your concerns are valid please remember that tools are to be used at the proper time and in the proper way.

@All,

An, (Im)Proper gander:

https://www.washingtonpost.com/opinions/i-didnt-think-id-ever-leave-the-cia-but-because-of-trump-i-quit/2017/02/20/fd7aac3e-f456-11e6-b9c9-e83fce42fb61_story.html

Is there something we missed? Is there something amiss? I'm sure someone around here is going to claim he was butt hurt. ;-)

Clive RobinsonFebruary 22, 2017 2:10 AM

@ Slime Mould...,

Game of Mirrors yet again, eh old boy? ; )

Give that man a cigar, we need the smoke as well 0:)

Clive RobinsonFebruary 22, 2017 2:41 AM

@ Bruce and the usual suspects,

About a year ago there was an article about the Dutch Police experimenting with birds of prey to bring down small drones.

Well the WashPo now has another story only this time it's about the French Military,

https://www.washingtonpost.com/news/worldviews/wp/2017/02/21/terrorists-are-building-drones-france-is-destroying-them-with-eagles/

I have no idea if the story is true or not, but the link to SkyTV News in the article makes me uneasy... Anyway it's worth a quick read.

Dirk PraetFebruary 22, 2017 3:50 AM

@ furloin

Anyone heard of libsodium before?

Actually, yes. It's a crypto library and OpenSSL alternative that's becoming more and more popular. Used in dnscrypt-proxy, for example, which I use to encrypt and protect DNS traffic against MITM attacks. Call it a sort of https equivalent for DNS, if you like. There's a growing number of servers out there, a lot of which don't do logging (or at least claim not to do so) and support DNSSEC.

Solve & SeeFebruary 22, 2017 5:50 AM

Remember kids,

If the CIA has its hands bound from operating within the jurisdiction of the USA then that means .ca is fair game!

CzernoFebruary 22, 2017 6:03 AM

@Clive, re : French eagles vs. drones

The report is not a fake, it's been covered in several French newspapers and on TV. They said it's a limited experiment though, as the birds even as they are "armoured" are vulnerable and are limited to fighting/disabling the lighter kind of drones.

GamerFebruary 22, 2017 1:11 PM

Is it true that most warez release groups are fronts for the NSA since that is their preferred method of implanting network exploitation tools onto large numbers of Windows machines without burning through expensive zero-day exploits that can't be used for very long?

CzernoFebruary 22, 2017 1:49 PM

@Gamer :

I wonder whether the NSA's most "preferred method of implanting network exploitation tools onto large numbers of Windows machines" hasn't been, rather, by way of Windows Updates : most efficient and direct path from the NSA to Microsoft's victims, uh, Windows users...

The producer.February 22, 2017 5:44 PM

@Czerno, Gamer,

Just because that's not a primary action, doesn't mean that infiltrating such groups doesn't increase the performance of their vacuum.

I wouldn't believe for a second that they're behind the warez, but being behind the groups behind the warez? E.g. Embedded and embedding? Definitely not something that should be discredited considering the dual hat uses behind most any technology, keep your eyes ears and mind open. ;-)

http://www.thestar.com.my/news/nation/2017/02/17/facebook-postings-may-have-led-to-the-death-of-jongnam/

Tread carefully friends.

Clive RobinsonFebruary 23, 2017 5:56 AM

@ Wael,

You might find this of interest,

http://nautil.us/issue/45/power/this-man-is-about-to-blow-up-mathematics

Ignore the sensationalist headline, it's rather more subtle than that. Because "incompleteness" has led to certain assumptions being taken as read when in fact they may well not be.

For instance, think about what we consider as deterministic and nondeterministic sequences. And how we can make a deterministic sequence which, by observation of such a sequence, even though deterministic, can neither be shown to be deterministic nor, more importantly --from the practical point of security-- be predictable.

Imagine what would happen if it could be shown that there was no such thing as the random oracle or common random string models?

It would have quite an effect on the Cryptographic "Standard Model" and the security proofs that arise from it...

https://en.m.wikipedia.org/wiki/Standard_model_(cryptography)
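The deterministic-but-unpredictable distinction raised in the comment above can be made concrete with a small experiment. The following is an added example, not code from the original post or from any project it mentions: it builds two deterministic 32-bit sequences, a linear congruential generator and an HMAC-SHA256 counter-mode sequence keyed by a secret seed (the constants, seed and key are constructed for the demonstration), and then plays the role of an observer who sees only the outputs. Fitting an LCG model to three consecutive outputs fully recovers the LCG's parameters and predicts every later value, whereas the same fit tells the observer nothing about the HMAC sequence, even though anyone holding the seed reproduces it exactly. The observer's test is deliberately narrow (one model family), so a negative result shows only that this observer cannot predict it; the unpredictability of the HMAC sequence rests on SHA-256 behaving as a pseudorandom function, which is exactly the kind of assumption the linked article questions.

```python
import hashlib
import hmac

MODULUS = 2**32  # both generators emit 32-bit values


def lcg_sequence(seed, a, c, n):
    """Linear congruential generator x_{i+1} = (a*x_i + c) mod 2^32.

    Deterministic, and (as recover_lcg shows) fully predictable from a
    handful of observed outputs, because the update rule is linear.
    """
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % MODULUS
        out.append(x)
    return out


def hmac_sequence(seed, n):
    """Deterministic sequence out_i = first 32 bits of HMAC-SHA256(seed, i).

    Anyone holding `seed` reproduces it exactly; an observer who sees only
    the outputs has no known way to tell it from random or to predict the
    next value, assuming SHA-256 is a pseudorandom function.
    """
    return [
        int.from_bytes(
            hmac.new(seed, i.to_bytes(8, "big"), hashlib.sha256).digest()[:4],
            "big",
        )
        for i in range(n)
    ]


def recover_lcg(x0, x1, x2):
    """Fit (a, c) of an LCG mod 2^32 from three consecutive outputs.

    From x1 = a*x0 + c and x2 = a*x1 + c we get x2 - x1 = a*(x1 - x0)
    (mod 2^32), solvable when (x1 - x0) is odd, i.e. invertible mod 2^32.
    Returns None when the difference is even (no unique solution).
    """
    d = (x1 - x0) % MODULUS
    if d % 2 == 0:
        return None
    a = ((x2 - x1) * pow(d, -1, MODULUS)) % MODULUS
    c = (x1 - a * x0) % MODULUS
    return a, c


def observer_can_predict(outputs):
    """Observer's test: model the first three outputs as an LCG and check
    whether that model predicts every later output. True means the
    sequence is not merely deterministic but predictable from observation
    (within this model family); False is not proof of unpredictability."""
    if len(outputs) < 4:
        raise ValueError("need at least four outputs")
    params = recover_lcg(*outputs[:3])
    if params is None:
        return False
    a, c = params
    return all((a * prev + c) % MODULUS == nxt
               for prev, nxt in zip(outputs[2:], outputs[3:]))


def reproducible(seed, n=16):
    """Determinism check: the same seed always yields the same sequence."""
    return hmac_sequence(seed, n) == hmac_sequence(seed, n)


if __name__ == "__main__":
    # Constructed sample parameters: Numerical Recipes LCG constants,
    # an arbitrary seed, and an arbitrary secret key for the HMAC sequence.
    lcg = lcg_sequence(12345, 1664525, 1013904223, 12)
    drbg = hmac_sequence(b"constructed-secret-seed", 12)
    print("LCG predictable from observation:", observer_can_predict(lcg))       # True
    print("HMAC sequence predictable by LCG fit:", observer_can_predict(drbg))  # False
    print("HMAC sequence reproducible with the seed:",
          reproducible(b"constructed-secret-seed"))                             # True
```

The LCG recovery works because consecutive outputs of an LCG with odd multiplier and odd increment alternate parity, so the difference of two neighbours is always odd and invertible modulo 2^32; the point of the contrast is that "deterministic" and "predictable to an observer" are separate properties, and cryptographic security proofs lean on the gap between them.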

Clive RobinsonFebruary 23, 2017 7:04 AM

For those still taking an interest in Kim Dotcom's legal adventures in New Zealand (the LEOs of which have had the US DoJ working them like puppets): even though a judge there has ruled he might be extradited on some charges, the primary charge on which the others rest was dismissed...

Thus if he did not commit copyright infringement, then charges based on the proceeds of that accusation, such as money laundering, fail.

This is going to get interesting, because it's likely the only route open to the US DoJ would be to find and file other charges that are not related to the original charge. And for various reasons that may prove difficult to impossible.

So it's back to the comfy chair with a fresh bowl of popcorn ;-)

http://www.cnbc.com/2017/02/23/kim-dotcom-megaupload-extradition-court-case-seeks-damages-prosecutors-acted-in-illegal-way.html

WaelFebruary 23, 2017 7:20 AM

@Clive Robinson,

Interesting read indeed. I'll get back to both your comments when I have a clear mind. I have a couple of things to finish.

JG4February 23, 2017 11:37 AM


immediate ddos attack originating from government against them or how to tell when you've hit a nerve

O'Keefe Drops "Bombshell" Undercover Footage From Within CNN
http://www.zerohedge.com/news/2017-02-23/okeefe-drops-bombshell-undercover-video-footage-within-fake-news-cnn
O'Keefe drops 200 hours of audio footage from inside CNN and offers $10,000 award to anyone

Project Veritas Sets Its Sights on "Very Fake News" CNN, The Alt Media Strikes Back
http://www.zerohedge.com/news/2017-02-23/project-veritas-sets-its-sights-very-fake-news-cnn-alt-media-strikes-back
Project Veritas, led by James O'Keefe, has set his targets on the Mainstream Media in 2017 and his first victim has just been announced: CNN.

AnuraFebruary 23, 2017 12:26 PM

@JG4

O'Keefe is a hack; his "stings" suffer from obvious heavy editing to obscure the facts, which come out eventually and then the stories die as they turned out to be either way overblown or just plain BS. They rile up the conservative base, but that's about it.

ThothFebruary 23, 2017 6:36 PM

@Clive Robinson, r

re: Kim Dotcom

The USA, being the Big Bro of the world, and given the fact that NZ is a Commonwealth country of the Queen and an ally, could have just as well walked right in and used those CIA assets to pick him off. Since they could "coordinate" a "lawful raid" on Kim's compound and get him arrested, why not just finish him off by simply throwing him aboard the CIA's prison jetliner and sending him to Guantanamo instead of protracted legal proceedings for extradition that waste taxpayers' money?

Since Big Bro wants to "flex his muscles" and has already done so with the illegal raid on Kim's house, he might as well follow through and haul him onto the prison plane to Guantanamo and let him live with those "hardcore terrorists" in the Guantanamo camp.

The US, being the economic powerhouse, could levy economic sanctions or other sanctions on nations unwilling to cooperate with its will, or maybe another "Operation Iraqi Freedom" attempt to "liberate countries not following the democracy of the USA".

Nick PFebruary 23, 2017 6:59 PM

@ Thoth

Re this comment

The first thing we need to address is what kind of travelers and borders we're dealing with. Here's some threat profiles:

1. They'll try to download contents off your device if you refuse.

2. They'll seize your device if you don't decrypt it.

3. They'll jail you if you don't decrypt it.

4. They'll jail you for using encryption period.

The solution can stop 1 but so can about all of them. The tamper-resistant key storage is an extra benefit. The solution can't help 3-4, with it causing an availability loss in 2. The solution typical for 2-4 is to have a clean device or VM on it that shows nothing serious. Deniability. The real data is downloaded off the Internet once in the country, used until about to leave, put back on the net, device cleaned, and then back through the border. The device might be modified with your scheme if it's made deniable. It would have to pose as an ordinary storage card. Or just an authentication device (e.g. Two-Factor Authentication) but not encryption. In this case, it still looks like nothing is there but they or others don't get the data if it's physically compromised in any worst-case scenario.

I'll see what you think of this before moving on to further analyses.

AnuraFebruary 23, 2017 8:59 PM

http://www.latimes.com/politics/la-na-pol-trump-marijuana-20170223-story.html

Well, looks like Trump will start shutting down and arresting small business owners, destroying a multi-billion dollar industry. On a completely unrelated note, the Justice Department is ending plans to phase out private prisons at the federal level.

http://thehill.com/homenews/administration/320915-trump-admin-rescinds-plan-to-reduce-private-prisons

Freedom? Liberty? Nope, the only thing the Trump administration cares about is power and profits. History repeats itself, yet again.

rFebruary 23, 2017 9:03 PM

@Thoth,

I think Kim, like the Chinese hackers that were outed, is low hanging fruit at this point; other than the CIA or whoever shaming names I don't think they have anything to do with what's going on at this point (I don't think the MIC cares really, this is blood not war).

This is just for congress and it's pre-paid yokes.

RE: Dress Code,

I like intamperable, but not for encrypted data. I can't (or won't) chew gum and visit Singapore at the same time. It's just not something I like to entertain.

P.S.

Considering my prior musings about the fun behind infiltrating TZ, what changed your position?

ThothFebruary 23, 2017 9:59 PM

@r

re: TZ

My personal opinion on TZ is still the same: I personally don't trust it very much. But if you are in the business of security products, every penny counts and, as @Clive Robinson and many of us including myself have already noted very explicitly, the business of security (yes, business and not personal use cases) is all about making money.

Also, noting that most corporates and govts are too lazy to do their due diligence and prefer COTS with lower assurance like TZ, my version of using TZ as a Secure Container with a corporate-VPN-backed Thin Client Browser to browse a server-side remote virtual desktop in a corporate data center, including a MicroSD card with a smart card chip built into it that handles the PIV authentication (eID card), would raise the bar a little higher than most TZ solutions.

Most TZ solutions usually download the whole document into the TZ Secure Container region and do the office work and corporate communications in the container. If the user is forced to decrypt the corporate container, the document would still be lingering around. My method using a TZ based Thin Client virtual desktop would simply clear the session once the container is closed (disconnected) and the force decryption of the container would yield nothing inside.

For personal related security, not going to touch it with a 10 foot pole if you ask me.

The reason, as I stated in the past, is that the TEE-OS for the TZ region and the TZ region itself are a pure black box, and the development APIs and such are vendor-oriented despite a generic API laid out by GlobalPlatform for TEE matters. Also, one needs the proper paid licenses from Trustonic et al., who control most of the commercial TEE licenses, just to be able to create your own application for loading into the TZ partition. Too much overhead and very little trust and visibility, which I heavily do not recommend if you are using it for personal security.

If it is for corporate security or govt security where one is capable of forking out all the cash needed and resources to make your own ARM chipset and write your own TEE-OS and APIs, then why not use that method.

One example is Boeing's Boeing Black phone which is used for US government services where one is able to build a secure smartphone from ground up where every piece is carefully selected and built from scratch rather than the usual COTS stuff you find lying around (i.e. Samsung or Blackberry).

ThothFebruary 23, 2017 11:45 PM

@all

Maker of not so user friendly HSM (Thales HSM :) ) talks about "Why Johnny STILL CAN'T Encrypt".

Maybe Thales should really take a look at what's wrong with their HSM interfaces and why key migration between MS CAPI containers with Thales HSM backed keys, renewing of certificates with HSM backed keys, the usage of non-standard PKCS #11 interfaces and such other usability problems should be fixed first before asking or talking about "Why Johnny STILL CAN'T Encrypt" when they can't even do a clean and good job providing critical HSM infrastructure usability from their Thales nCipher product line.

Link: https://www.youtube.com/watch?v=KuAZFNRCb4E

Clive RobinsonFebruary 24, 2017 2:31 AM

Potentially Serious Cloudflare vulnerability

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Project Zero has found Cloudflare servers were leaking memory that has not been appropriately sanitized. The problem found with web caching has been resolved.

HOWEVER a large amount of confidential data would have been collected by web crawlers and the like, and thus put into searchable caches etc.

Clive RobinsonFebruary 24, 2017 3:20 AM

@ Thoth, r,

Re Kim Dotcom and,

Since Big Bro wants to "flex his muscles" and has already done so by the illegal raid on Kim's house, might as well follow through and haul him on the prison plane.

The original US power idiom was "Speak quietly and carry a big stick", not "Banshee scream and smash the place down".

The first way is that of a wiser man, who uses his opponents' fear against themselves; the second is the way of the berserker, mad and uncontrollable and only fit to be put down with maximum prejudice as an object lesson to others. Unfortunately the US did an anti-widdershins turn around Gulf War I time and tried to make berserker behaviour rational as "Shock and Awe". Suffice it to say, that during WWII the Axis powers used that tactic to gain large amounts of territory, only later to get put down very hard by the rest of the world...

Further the US economy to its currency value is one of the most misaligned of all western nations. The US only get away with it because of the effective seigniorage they get from being the world trading currency. If they got "cute for corporate interests" rather than --alleged-- terrorism without appropriate treaty backstop --which is what TTP was about-- then countries might decide to use another currency. One of the reasons Iraq got the chop via Gulf War II was given by Paul Wolfowitz as,

    we had virtually no economic options with Iraq because the country floats on a sea of oil.

Most people don't get the full implication of this, however UK PM "Tony Blair" let the cat out of the bag. What had happened was US sanctions were killing people in Iraq quite literally. Saddam had sent feelers out to EU "euro" countries that if they helped lift/break the sanctions then he would only sell oil in euros. The result of this would have sent the US and thus the UK economies down to third world type conditions. Thus the only option to protect the US and UK was to take control of Iraq oil and how it was sold. The fact this also gave a big lever over OPEC was also of significant benefit.

Thus the US is very fragile to its currency status, which is another reason it's borrowed heavily from the likes of China and encouraged Chinese investment. The value of the USD becomes entwined with China's economy, thus attacking the US or USD would be counter productive for the Chinese...

I suspect @Anura will have a few things to say on this, but hopefully I've got the point of the "Wise man confidence trick with carrying but not using the big stick" over.

Clive RobinsonFebruary 24, 2017 4:40 AM

@ Nick P, Thoth, r,

The solutions typical for 2-4 is to have a clean device or VM on it that shows nothing serious. Deniability. The real data is downloaded off the Internet once in the country, used until about to leave, put back on the net, device cleaned, and then back through border.

There are two problems, firstly US CBP and the Israeli equivalent amongst many others are known to "assume" a clean phone is "justifiable suspicion" as is not having "social media" etc.

Secondly, getting a "clean device" is only easy one way, which is to "buy a new" phone / computer etc.

Which also brings up the "out of sight" or "evil maid" attacks. That is the CBP having the backing of the US SigInt agency could easily drop a hidden spyware trojan in the firmware as you cross the border on entry.

Thus buying a phone / computer once across the border might be a better option in some countries. Thus go across with the cheapest phone / computer you can and if it goes out of sight or gets connected to by CBP etc, "dump it" in the bin or pawn brokers etc landside and walk away from it fast.

The other issue to remember about the US is the fact they have increased the border zone to cover nearly the whole of the populated US...

Which brings us back to "Old School OpSec" and the multiple jurisdiction shared key system you and I have discussed in the past.

With the update to the "What you know" factor with "A location you know" at "A time you know" for getting the "key shares" to build the file decryption key for your Internet download.

There is still "wriggle room" in the noose of anti-security legislation but that rope loop is getting drawn tighter and tighter as we pause to take breath...

From a business perspective, companies etc will need to look at sending not individuals but time and location spaced multiple representatives, to play the numbers against the CBP etc. That is if you send two people on different days the CBP only have a 1 in 4 chance of randomly getting both, with three that's nearly 89% chance you will get one representative through "free and clear" of "evil maid" problems.

This may only need to be done the once, if you can use the old school OpSec idea of an "in country" secure drop location where equipment can be safely stored between visits.
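A minimal illustration of the "key shares" idea in the post above, added here as an example and not Clive's or anyone else's actual design: the file decryption key is split into n XOR shares that are held in different places, and only the full set rebuilds the key, so any single share on its own is just random bytes. The key value below is constructed for the demo.

```python
# Added example (not from the original thread): split a file-decryption key
# into n XOR "key shares". Every share is needed to rebuild the key; any
# n-1 of them are uniformly random and reveal nothing about it, so a lone
# share seized in transit carries no information. XOR sharing is the
# simplest all-or-nothing scheme; a threshold scheme (Shamir) would be the
# next step up but is not shown here.
import hmac
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("share length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list[bytes]:
    """Return n shares whose XOR equals key.

    Shares 0..n-2 are fresh CSPRNG output; the last share is chosen so the
    XOR of all n closes back to the key. Each share alone is uniform.
    """
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [os.urandom(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)
    return shares


def combine_shares(shares: list[bytes]) -> bytes:
    """XOR every share together. Correct only when the full set is present."""
    acc = bytes(len(shares[0]))
    for s in shares:
        acc = xor_bytes(acc, s)
    return acc


def key_matches(candidate: bytes, key: bytes) -> bool:
    """Constant-time comparison so a check does not leak via timing."""
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    demo_key = bytes(range(32))          # constructed 256-bit demo key
    parts = split_key(demo_key, 3)
    print("all three shares  ->", key_matches(combine_shares(parts), demo_key))
    print("only two shares   ->", key_matches(combine_shares(parts[:2]), demo_key))
```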

rFebruary 24, 2017 6:00 AM

@Thoth,

Last question,

Have you considered investigating the DRM component of certain sd formats?

TZ may give headway, or it may not depending.

rFebruary 24, 2017 6:08 AM

@Clive,

A serial port is a hen's best friend if they're flying the coop. I almost responded to you with the assertion that a laptop with one would be a good idea to travel with, but it hit me that they pretty much all have very large solder joints and physical gaps in their housings.

So, traveling with one is likely not a good idea. But traveling TO one may be a better solution if you absolutely _must_ containerize.

ThothFebruary 24, 2017 6:48 AM

@r

re: DRM format

Not interested in investigating DRM formats for now and there is quite substantial research already available on breaking of many DRM formats.

Clive RobinsonFebruary 24, 2017 6:48 AM

@ Jen,

    @ Clive you will relate although you don't do you tube.

As it's short, I'll see if I can "sneak in" somewhere harmless and have a looksee, not sure when though.

ThothFebruary 24, 2017 7:55 AM

@Dirk Praet, all

Keybase.io announces a Keybase backed E2EE chat that HAS NO FORWARD SECRECY.

Keybase, being a repository of public keys (imagine a PKI/CA except not in a traditional sense) that uses blockchain and other open source technologies it develops to create a PKI v2.0.

Now it links its PKI (regardless if it's blockchain backed or vanilla PKI/CA) automatically with its Chat API and Chat software that has no Forward Secrecy to ease user experience when moving between devices.

On top of that, I have been trying to find a way to execute the attestation of my public key (my account) without using its supplied software and without using CURL/BASH, but it gets irritating trying to attest formally since the only way is to use their software or CURL/BASH and I don't like to install any other software (i.e. CURL) without the time on hand to read its source code.

Is the Keybase Chat going to be another Apple iMessage that fails or would it be as good as other truly E2EE chats?

Link: https://keybase.io/blog/keybase-chat

Clive RobinsonFebruary 24, 2017 8:08 AM

@ r,

    A serial port is a hen's best friend if they're flying the coop...

If you think back a couple of months or so I had this very conversation with @Figureitout over his optical data diode.

https://www.schneier.com/blog/archives/2016/12/friday_squid_bl_556.html#c6740551

I pointed out that the best thing to do would be to use USB to TOSLINK devices or even shield boards for the Raspberry Pi etc and "patch up the diode" as required. The thing about AES3 AES/EBU S/PDIF EAJ Optical TOSLINK is it's quite ubiquitous in the "audio world" where it's heavily used in studio equipment etc to give good "galvanic isolation" etc.

Importantly it would give your serial optical data diode not just cheap easily available parts, but an existing major market to sell into. Thus giving the product a high level of deniability.

You will find TOSLINK connectors on the back of semi-pro audio equipment like Sony Mini-Disc audio recorders that are not much thicker than a mobile phone. I've got what looks like a "studio mic" four channel 24bit audio recorder that has TOSLINK connectors and it was less than 100USD and used by quite a few "home artists". I've got it set up to use TOSLINK to a "desktop" computer with a number of other TOSLINK galvanically isolated audio units and then that acts as a head end to a standard ethernet network. This is part of a "Studio in a box" system I designed for use by the cost sensitive end of the Broadcast Industry. It's used in all sorts of places world wide with low cost 250W-2.5kW FM broadcast systems. Several of which have been deployed to use "solar power"...

The main point being TOSLINK is very deniable: you can build a unit with an FTD-232 and microcontroller on a matchbox sized PCB which is then solidly encapsulated in epoxy into a mini-brick with just a USB connector hole at one end and one or more TOSLINK connectors at the other with a few LEDs showing at the top, with an aluminised sticky back label with product info and socket ID etc info.

Clive RobinsonFebruary 24, 2017 8:30 AM

@ r,

If you don't want to "build your own" optical data diode, you could just buy a few of these,

https://www.studiospares.com/Studio-Gear/Signal-Interfaces/Studiospares-RED507-Toslink-SPDIF--AESEBU-Converter_465760.htm

AES/EBU is current loop RS423 which is a doddle to convert to RS232 voltage lines. And S/PDIF is the plastic fiber optical TOSLINK.

Not sure if the RED507 is effectively "passive" thus transparent or if it's got a microcontroller to regen the clock etc, but the lid is only screwed on with four screws so it would be the work of moments to find out if you had one to hand.

sFebruary 24, 2017 2:56 PM

http://www.theverge.com/2017/2/24/14727418/fcc-privacy-rules-stay-ajit-pai-net-neutrality

It’s part of a larger plan to roll back the FCC’s oversight of network providers, ceding ground to the looser FTC oversight that currently enforces fair practices in most consumer goods.

“Chairman Pai believes that the best way to protect the online privacy of American consumers is through a comprehensive and uniform regulatory framework,” an FCC spokesperson said in a statement. “Therefore, he has advocated returning to a technology-neutral privacy framework for the online world.”

As if most consumer goods are allowed to record the exact position you take them to and everything you read or write on them, and phone it home to their manufacturer who then sells it to marketers and foreign governments.

I guess Pai is okay with typewriters secretly recording everything you write[1] so it can be scraped and sold when you take it to be serviced, or with cars having 24/7 tracking beacons[2] to sell your geo-location information.

1: https://www.schneier.com/blog/archives/2015/10/soviet_spying_o.html A-ok according to Pai. Standard business practice.

2: https://www.theverge.com/2017/2/21/14682068/china-gps-trackers-xinjiang-uighur-violence a link I found a few posts up right in this blog

rFebruary 24, 2017 7:43 PM

@Thoth,

My question was more to the non-copy mechanism implemented in things such as M2 and others; I'm not sure where we currently stand with those mini-ARM(?) chipsets in the SD cards themselves.

My point was that from within TZ one may be able to toggle DRM write-protect.

ThothFebruary 25, 2017 7:49 AM

@r

For the SD write protect mechanism, that would require decapping and all that sort. Not my area since it's a very expensive hobby to setup a lab and requires a ton of certification and licenses to be able to purchase acid here simply just to decap a chip.

Toggling DRM write-protect from TZ would mean the TZ's microkernel requires exploiting. It's theoretically possible if the microkernel for the TEE-OS has weaknesses.

FigureitoutFebruary 25, 2017 10:49 AM

@Clive Robinson

    I pointed out that the best thing to do

--Didn't really convince me at all. You were also implying opto-isolators are a "rarity" in industry? Phew, I don't know about that... just one industry is traffic lights. Estimates of up to 312,000 traffic lights in the US alone, each of those has up to 8 opto-isolators. I'm no gambler, only make bets I know I'd win; I'd bet there's bigger industries that use them too.

The difference is I demonstrated an easy build that a freshman engineer could build, no attacks mentioned here besides end-run attacks, still not demonstrated though. And you can only somewhat describe what to do, with a lot of pitfalls and gotchas learning about TOSLINK etc. Seems like more than you need to get the job done, so it's personal preference if you want more attack surface and work or not.

rFebruary 25, 2017 5:10 PM

@Thoth,

Well, we can thank [@Nick P] for promulgating the DIY Atomic Force Microscope. I think the kit still runs $25k?

BUT! That's at least far more modest than some sort of high end smash and grab otherwise or paying the traditional expenses that would be otherwise required.

Thank you for answering my question. ;-)

rspamdFebruary 25, 2017 8:05 PM

Decapping requires LARGE quantities doesn't it?

hundreds++ chips * xx_ml_agent

Purity also plays into that I assume, I'll quit spamming now.

rFebruary 25, 2017 8:30 PM

Fair enough, I can respect that. ;-)

[@Thoth] is still the shit, regardless of his "apprehension" (or lack there-of). ;-O


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.