Rob February 24, 2017 4:29 PM

It’s certainly been an interesting week.

SHA1 collider: Make your own colliding PDFs

Watershed SHA1 collision just broke the WebKit repository, others may follow

Multicollisions in iterated hash functions. Application to cascaded constructions

I’ve seen it suggested that SHA1 and MD5 be used together to provide added security. Here’s why that’s not a good idea.

Intermediate CA Caching Could Be Used to Fingerprint Firefox Users

Bad news for TOR users

E2EMail research project has left the nest

One of the things we’ve done over the past year is add the resulting E2EMail code to Github: E2EMail is not a Google product, it’s now a fully community-driven open source project…

FCC to halt rule that protects your private data from security breaches

Nuts and Bolts of Encryption: A Primer for Policymakers

How much does Facebook really know about you – and is it right?

The Lawfare Podcast: Edward Jay Epstein on “How America Lost Its Secrets”

Cloudflare Bug Leaks Sensitive Data

1Password has been compromised as a result of Cloudflare data leak:

1Password allege their customers’ data is safe despite a major vulnerability and that it’s only been exploitable for 4 days. Tavis Ormandy calls them out for repeatedly lying:

“Yes, they worded it confusingly. It was exploitable for months, we have the cached data.”

“Yes, we recovered and purged cached 1Password api data.”

1Password respond with a sarcastic blog depicting a bear being ‘protected’ by three umbrellas:

Roustem Karimov, founder of 1Password, asks for preferential treatment from Tavis Ormandy. 1Password’s security/development teams should be proactively testing their systems instead of relying upon Google employees to do their work for them.

“I know you do not have to do this but we would appreciate a heads-up before a post like this. Our phones, twitter, DMs are on fire.”

In the same week 1Password failed to listen to an Apple security employee when they were told of the revised Common Name requirements. They follow up with a blog blaming everybody but themselves:

Certainly a good time to consider offline password managers like KeePass or Password Safe:

List of domains using Cloudflare DNS (potentially affected by the CloudBleed HTTPS traffic leak)

Found a bug in Cloudflare? Their top-tier award is a t-shirt!

Uninformed February 24, 2017 4:44 PM

“I’ve seen it suggested that SHA1 and MD5 be used together to provide added security. Here’s why that’s not a good idea.”

They may be used independently to provide added security. i.e.

SHA1(mydata) = adf
MD5(mydata) = gvx

rather than

MD5(SHA1(mydata)) = zzz

r February 24, 2017 4:56 PM


Yes, layering them instead of using them in parallel (eg. side by side) doesn’t help anything at all.
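The layered-versus-parallel point above, as an added Python example (not code from the thread). It uses SHA-1 truncated to 24 bits as a stand-in for a broken inner hash so a collision can be found in seconds; the SHAttered PDFs are the real thing but cannot be rebuilt here, and the truncation only shortens the search without changing the argument.

```python
import hashlib
from itertools import count

# Stand-in for a "broken" inner hash: SHA-1 truncated to 24 bits, so a birthday
# search finds a collision in a few thousand tries (constructed for the demo).
INNER_BYTES = 3


def inner(data: bytes) -> bytes:
    """The weak hash (stand-in for SHA-1)."""
    return hashlib.sha1(data).digest()[:INNER_BYTES]


def layered(data: bytes) -> str:
    """MD5(SHA1(data)): the outer hash only ever sees the inner digest, so any
    inner collision is automatically a collision of the whole construction."""
    return hashlib.md5(inner(data)).hexdigest()


def side_by_side(data: bytes) -> str:
    """SHA1(data) || MD5(data): both hashes see the original message, so an
    attacker needs a pair that collides under both at once."""
    return inner(data).hex() + hashlib.md5(data).hexdigest()


def find_inner_collision(seed: bytes = b"constructed-seed") -> tuple[bytes, bytes]:
    """Birthday search: two distinct messages with the same inner digest."""
    seen: dict[bytes, bytes] = {}
    for i in count():
        msg = b"msg-%d-" % i + seed
        digest = inner(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg


def demonstrate() -> dict[str, bool]:
    """Does one inner collision carry over to each way of combining the hashes?"""
    m1, m2 = find_inner_collision()
    return {
        "inner_collides": inner(m1) == inner(m2),
        "layered_collides": layered(m1) == layered(m2),
        "side_by_side_collides": side_by_side(m1) == side_by_side(m2),
    }


if __name__ == "__main__":
    for name, hit in demonstrate().items():
        print(f"{name}: {hit}")
```

The side-by-side form does resist this particular pair, but Joux’s multicollision paper linked above shows a concatenation is still only about as strong as the stronger of its two members, not the sum of their digest lengths.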

ticktock February 24, 2017 5:12 PM

Re: How much does Facebook really know about you – and is it right?

Facebook has become a monopoly. Job applicants are researched on Facebook. If you have no activity, you have no chance of obtaining a corporate job. If you have politically unacceptable activity — for that employer, that is — you have no chance of obtaining a job there.

Just imagine trying to enter the U.S. in the near future with no social media activity. Homeland Security will demand your passwords and won’t believe you when you tell them you avoid Facebook as you do fresh turds. No entry for you.

‘Hey, Homeland Security. Don’t you dare demand Twitter, Facebook passwords at the border’

The battle was lost long ago when credit agencies became the owner of our credit. Experian, Facebook, Google, and the other data brokers are making a killing and then lobbying to keep the gravy train running smoothly. Take a look at the chart at the below link. Note the growth of Google’s lobbying. Also note how its lobbying peaked — so far — in 2012 when it was active in getting Obama reelected. The choice of political party makes little difference, contrary to the closely held opinions of many here.

Barrett February 24, 2017 8:36 PM


Be careful pasting links, you might get disappeared like

“Is it a crime for someone simply to share a link to stolen information? That seems to be the message conveyed by today’s indictment of former Anonymous spokesman Barrett Brown, over a massive hack of the private security firm Stratfor. Brown’s in legal trouble for copying and pasting a link from one chat room to another. This is scary to anyone who ever links to anything . . . .

“This charge does not allege Brown actually had the credit card numbers on his computer or even created the link: He just allegedly copied a link to a publicly-accessible file with the numbers from one chat room and pasted it into another. . . . As a journalist who covers hackers and has ‘transferred and posted’ many links to data stolen by hackers – in order to put them in stories about the hacks – this indictment is frightening because it seems to criminalize linking.”

You might get life since you basically linked to a guide on cracking SHA-1. Maybe even capital punishment.

Down with Tor February 24, 2017 8:52 PM

Tor is being used by enemy combatants

The FBI took no action against Bob Beckel or the numerous other senior figures calling for my assassination. A bill was put before Congress to declare WikiLeaks staff “enemy combatants” in order to make our assassination legal. It did not pass, but the FBI still refused to act.


Ministry of Truth February 24, 2017 10:00 PM

Citizens of the united nations, always remember that lying is telling the truth, terrorizing civilians is counter-terrorism, hate is love, mandating insecurity is national security, and attacking others in wars of aggression is defense.
Also, nothing is more patriotic than betraying your fellow men and the principles your countries stand on.
Good night, and God bless the allies.

No man left behind February 24, 2017 10:23 PM

For all its faults, at least the US has transparency now. The US government shows how to respect servicemen who put their lives on the line protecting our freedoms from tyrants. Now that’s the kind of leading by example that all countries should aspire to!

By creating a bureaucratic maze from which only a fraction of the documents could emerge—only records that revealed no POW secrets—it turned the Truth Bill on its head. The McCain bill became law in 1991 and remains so today. So crushing to transparency are its provisions that it actually spells out for the Pentagon and other agencies several rationales, scenarios, and justifications for not releasing any information at all—even about prisoners discovered alive in captivity. Later that year, the Senate Select Committee was created, where Kerry and McCain ultimately worked together to bury evidence.

Thoth February 24, 2017 10:29 PM

@Moderator, Bruce Schneier

For clarity, these are the two posts:
– Down with Tor • February 24, 2017 8:52 PM
– Ministry of Truth • February 24, 2017 10:00 PM

Rob February 25, 2017 2:29 AM


The link about CA profiling does mention that it can be tweaked for TOR. I’ve read other articles which say it has already been used successfully to deanonymise TOR users.


So much for freedom of speech…

Some countries even restrict security research: in the name of ‘security’.

Drone February 25, 2017 3:20 AM

“They took all squids and left.”

The correct plural form when referring to squid collectively is “squid”, not “squids”. So the above quoted mess would become:

“They took all the squid and left.”

But hey, you can’t expect too much from a child/person using Twitter.

You know February 25, 2017 6:32 AM

“Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers today that a recently fixed software bug exposed a range of sensitive information that could have included passwords and cookies and tokens used to authenticate users.”

CDNs are creating another juicy choke-point worthy of exploit, besides the fact they have essentially destroyed any security credibility of SSL with their MITM abilities.

Random cranial misfires:

  1. Why store any serious password in the cloud when data can be exploited by a CDN itself, or others due to longstanding CDN exploits? Conversely, logins/pws having no special worth to the user or anyone else, e.g. a login credential to the free account newsletter, would be OK.

  2. Is it too tinfoil to suggest corporations and governments are mass stockpiling login/pw credentials of all devices just in case they find a need to have them someday? A great exploit: Punch in the MAC address of the target device into the AI multi-trillion credential super computer library and come up with all credentials, including login, in like, .5 seconds?

r February 25, 2017 7:00 AM

@Winter, You know,

Because, you know there’s more to selection your selections from a single selector.

MAC Addresses are only the beginning.

It’s a start though, homogenization is another aspect.

Beyond OS identifiers there’s version identifiers, habitual usage patterns, etc.

Stumble Bum February 25, 2017 9:23 AM

I thought I read somewhere once In-Q-Tel (the CIA investment arm) was one of the original investors in Facebook. I was right, $13 million dollars. Some say Mr. Zuckerberg was covertly selected to be the “face” of FB because he is so gullible and clueless.

Meanwhile, Google and Facebook are working on a system to filter fake news. Apparently they feel their algorithms won’t seem like another leg of the “Great Firewall of China” of which they are part. Sure, why not. Is it too olden days to say, “LOL”?

Lastly, while trying to enlighten myself I stumbled on the In-Q-Tel site itself and found they are investing in a lot of stuff with your money:

Decidedly creepy. Also it seems your ‘puter will be fingerprinted for merely going to the site.

I am so glad the government is keeping us safe aren’t you?

Winter February 25, 2017 9:31 AM

“Beyond OS identifiers there’s version identifiers, habitual usage patterns, etc.”

Every extra step your opponent has to make to track you is a risk of losing you. And the probability of keeping track of you decreases exponentially with the number of steps needed.

Le Sigh February 25, 2017 10:39 AM


Brown’s in legal trouble for copying and pasting a link from one chat room to another. This is scary to anyone who ever links to anything

There is nothing novel about this criminal charge, the journalist’s comment only reveals his ignorance. Linking is already criminal in certain contexts. For example, if anyone posts a link to a website that contains child pornography that is considered to be “promoting” child pornography regardless of whether or not the person who posted the link actually clicked on the link themselves.

Note that this link goes to a news story about linking to child pornography and not a child pornography website.

It never ceases to amaze me how people get outraged at activities that have been going on for decades only THEY didn’t know about it and now that they know about it that changes EVERYTHING.

Le Fap February 25, 2017 11:32 AM

Le Sigh thinks you are stupid. Look how stupid he thinks you are. He talks about child pornography because OMG CHILD PORNography!! However the documents at issue in the vindictive prosecution of journalist Barrett Brown were records from privatized spy agencies researched by Project PM. FBI’s misleading rationale is that the links contained personal information.

The issue here is how NSA evades laws like FOIA and the Privacy Act by getting companies like Palantir to break the law for them. Le Sigh is still butthurt from getting his beltway bandit weasel creep company doxxed in the interest of the public’s legal right to seek and obtain information.

Lewank February 25, 2017 11:46 AM

Here’s why Le Sigh and his 3rd-rate washout spooks sicced the FBI Stasi on Barrett Brown. They don’t want you to know that they’re pissing away your taxes for Big Brother.

Barrett Brown’s out. And he’s not the only one who’s pissed. Le Sigh might be the next Aaron Barr.

moz February 25, 2017 12:37 PM

The 1Password case is quite interesting. On the one hand 1password say they are secure. On the other hand Tavis Ormandy said he found “API data” then seems to have stopped investigating for fear of the law. He seems to be hinting that he saw bad things in the “API data”, but just because it looked bad (“parameter name=encryption key”) doesn’t mean that it was bad (actually it’s encrypted encryption key).

1Password the app probably sends everything encrypted, however do you trust this web page? It seems to be doing AES symmetric encryption of keys before sending them up over SSL. Are those sent things then password equivalent? It seems their design doesn’t assume SSL is secure so it should be fine and their bug bounty program doesn’t rule out MITM attacks even with its long list of exceptions.

What would you tell people who use 1Password?

Bloated Cow February 25, 2017 1:15 PM

Video from Bruce’s speaking engagement at the World Government Summit must be available somewhere. Youtube user Jason A’s news summary used several snippets of it this week. (First occurrence is at 3:26.)

A Nonny Bunny February 25, 2017 2:38 PM

@Down with Tor

Tor is being used by enemy combatants

Newsflash, enemy combatants are also using the regular internet. So shut down your computer and stop supporting the internet!
Maybe outlaw breathing as well, I’m pretty sure the enemy does that. If we can’t keep air from just the enemy, it should be kept from everyone!

JG4 February 25, 2017 4:08 PM

Big Brother is Watching You Watch

SPIEGEL Exclusive: Documents Indicate Germany Spied on Foreign Journalists Der Spiegel (margarita)

As Security Violations Erupt, the Operator of India’s Biometric Database Stands at a Troubling Crossroad The Wire (J-LS)

India Inc Needs To Fix Its Numerous and Basic Information Security Flaws Quickly The Wire (J-LS)

the single most important piece of evidence as to whether the safeguards are adequate is whether there is a useful audit trail that reveals the leakers

see also:

Of course, none of this matters if Trump doesn’t discover any of the sources behind the leaks. Lately, that seems to be the only information not getting out of the White House.

n00b February 25, 2017 7:47 PM

A little EMV help, please? I’m new to this stuff. I guess some here have solid experience with EMV.

I’ve been asked to look into a custom application that could run on credit cards along with the usual banking applications.

It’ll be great if you don’t mind replying with:

  • link to a good introduction to EMV internals
  • what would the process be for adding a custom app?
  • recommended development kit(s)
  • Thanks to all

    specious February 25, 2017 8:40 PM

    Little story: I have bipolar disorder and ended up in a PRP (Psychiatric Rehabilitation Program), basically adult daycare for folks with mental illness. Anyway I had an engineering and computer background and ended up with a part time job there running the computer lab for the PRP clients (they also like to call them consumers). Clients got up to two 1 hour sessions per week in the computer lab, though that policy wasn’t strictly enforced. The equipment was a mish mash of out of date donations and obsolete operating systems (win xp with no more security updates and some win 7 systems). Me being a curious fellow harvested a few orphaned win 7 pro COA’s and admin passwords etc. Anyway in my examinations of the equipment I noted a few CRT’s donated, apparently, with Property of In-Q-Tel stickers on the back. Ah I thought some little computer company trying to glom on and ride the coat tails of Intel Inc. Now some time later in my readings I discovered that In-Q-Tel is the venture capital cutout of the CIA. Where, where have I seen that name before I puzzled. Then it came back to me – at Keypoint PRP. Now imagine if you will, me telling my therapist or my psychiatrist that the computer equipment in the lab came from the CIA. Well I can tell you that the mental health providers are clueless about computers and what goes on in the world of computer security. Nonetheless I related the story, coherently and mildly, to my therapist and no one ever suggested to up my meds, however I’m not sure it’s a great idea to use CIA computer equipment in a mental health facility where folks are prone to paranoia, where it might trigger adverse reactions amongst curious clients. That’s my anecdote for the week.

    Thoth February 25, 2017 8:41 PM


    re: EMV

    Which aspect of EMV are you interested in?

    Before we start to write “custom applications” for “EMV cards”, we have to know what EMV means. EMV is a payment scheme that includes protocols, protection profiles, management profiles and so on for financial transactions that include the use of smart cards that support EMV standards.

    The “credit card” or “debit card” are typically normal smart cards loaded with applications called applets. There are two common flavours of development platform for smart card applications, namely the JavaCard platform or the MULTOS platform. Think of those two platforms as different OSes, but these are much more than simply different OSes as they include differing management methods and programming APIs. JavaCard uses Java syntax and is maintained by the Oracle/Java group. MULTOS has its own organisation to maintain it. Another type of smart card development method is simply raw micro-code where you write in the proprietary assembly languages supplied by the smart card provider.

    Most EMV banking cards would typically use the JavaCard type of smart cards these days as it’s simply Java with a twist for smart card format. You just need an Eclipse or Netbeans IDE and activate the JavaCard Development Kit module on the IDEs and install an Oracle Java JDK and that’s all you need to develop a JavaCard smart card module.

    Before you start developing your custom applet for the financial card, this is what you need to find out about the card:

    • GlobalPlatform version?
    • JavaCard or MULTOS platform and version, or native assembly type card?
    • GlobalPlatform Secure Channel Protocol version support (used for loading applets on to card)
    • GlobalPlatform ISD key and key diversification methods (required to know the ISD key and the key diversification methods; otherwise, even with the applet, without the correct key and diversification methods of the master key you cannot load the applet, since you cannot use the master key for the card to authorize the operation).
    • RAM memory space (very important so that you don’t over allocate resources in the RAM)
    • EEPROM/Flash storage space (very important to decide the size of applet and stored objects)

    Once you have all the above information, if the card is a JavaCard type, download Oracle Java JDK (full version) and download Netbeans or Eclipse IDE WITH JavaCard Dev support. If you are using a Linux or BSD OS, make sure you have PCSClite installed; if you are on Windows, Windows already ships with its own PCSC library used to talk to smart cards. If your card is MULTOS, download a MULTOS Dev Kit or check with colleagues if the company has the necessary kit. If the card is native assembly, check with the card supplier. If the card is .NET Card or BASIC card, MS Studio would do but make sure it has the card development kit active.

    If you have any doubts, please visit the smart card forum linked below to get appropriate help. I am also inside the smart card forum linked below to provide necessary help. If you are interested in talking to me on the Javacard Forum, drop me your username here and I will find you.


    furloin February 25, 2017 8:47 PM

    @r @Ministry Of Truth



    So I was going to venture into trying to secure a router from script kiddies and mid-level attackers. Besides hardware backdoors/insecurity and implementing a secure software side from bootloader up, how concerned about wpa2+aes should I be? Is it broken yet? I know dictionary attacks have improved as computing power marches on. But with a sufficiently strong password(30+ random characters changing every few weeks) I should be protected from attacks over the air against data in the air right? Yes I know this assumes my computer is not MITM’d or compromised and same goes for the router during data transfer.

    Thoth February 25, 2017 9:04 PM


    “I was going to venture into trying to secure a router from script kiddies and mid-level attackers

    how concerned about wpa2+aes should I be? Is it broken yet? I know dictionary attacks have improved as computing power marches on. But with a sufficiently strong password(30+ random characters changing every few weeks) I should be protected from attacks over the air against data in the air right?”

    How about using a wired connection instead of WiFi? This saves you problems on deciding if WPA2 and so on is secure enough or not if you have such concerns.

    Also, do not rely on WiFi security and use E2E comms and endpoint protection mechanisms if you are really serious in your defenses.

    r February 25, 2017 9:11 PM

    e2e is like adding another layer to the OSeye model, how many additional layers does it take before your broadcast becomes a broad cast (of the lure(think casting a line in fishing)) of “here I am, here I am!”

    E2E without major major major protections will quickly turn into a phishing expedition.

    But, they’re right – PSK is just about the only way to go – just don’t expect not to get noticed if you’re traveling on public reads.

    Why is there a non-negotiated pseudo random point to point stream from this location?

    Let’s reel him in boys.

    Thoth February 25, 2017 9:48 PM


    “E2E without major major major protections will quickly turn into a phishing expedition.”

    That’s where you obfuscate with the usual TLS traffic so that on the surface it looks like normal TLS web traffic but underneath, you can do your E2E PSK comms. Just to make it harder to attack, a hardcoded key length and key type (i.e. everyone agrees on ChaCha20 which has a single key size of 256-bit key and a 256-bit keyed HMAC-SHA3) on both ends’ communication/software where now you can encrypt the header as the payload as well so that without the key, you don’t get to see the encrypted header. The MAC is applied after the encrypted payload. Assuming the packet gets intercepted, the payload without a visible header looks as good as random.

    On top of that, the usual stuff @Clive Robinson and the rest of us mentioned using mixed message pool, fixed data lengths and many other techniques to make traffic analysis a pain can be used.

    The main problem is actually key management where you need to find a way to securely negotiate session keys and trust between partners and this has always been the problem that has always been side-stepped since day 1.

    Whonix Fan February 25, 2017 10:26 PM

    @Down with Tor


    Did you mean Reporters Without Borders? I sure hope that you were being sarcastic:

    @You know

    CDNs are creating another juicy choke-point worthy of exploit, besides the fact they have essentially destroyed any security credibility of SSL with their MITM abilities

    Using CloudFlare makes it easier for ANYONE to hack your website, not just easier for CloudFlare to hack your website.

    Also, CloudFlare is against Tor (and thus against the journalists protected by Tor):



    Apparently microkernels like SubgraphOS and QubesOS are not affected by attacks against the browser or operating system:


    Use random mac addresses. Can be easily set.

    Here are some gotchas to be careful of when MAC spoofing:
    tl;dr if done wrong it can make things worse

    n00b February 25, 2017 10:33 PM

    Thoth, thanks for taking the time to write a really informative reply.

    I will “dig in” to that forum.

    Purism February 25, 2017 11:02 PM

    @You know

    CDNs are creating another juicy choke-point worthy of exploit, besides the fact they have essentially destroyed any security credibility of SSL with their MITM abilities.

    SSL is insecure for sure. TLS 1.2 may be secure, but SSL is flawed by design because of backdoor “EXPORT” ciphers that the NSA demanded.

    Why store any serious password in the cloud

    Cloud alternatives from my post elsewhere:
    There is huge push from the IC to do everything in “The Cloud” since that is the least secure way.
    Some people are standing up to this by making QubesOS to replace Windows 10, Replicant to replace Android, F-Droid to replace Google Play Store, OsmAnd to replace Google Maps, Signal/Telegram/Silence/Serval/Rumble/Ring/Conversations/Xabber/Kontalk/EnsiChat/Surespot/Fire Chat/Gilga to replace Google Hangouts/iMessage/etc, offline A-GPS, offline speech recognition, etc. If you wish people well then please support such projects.


    What would you tell people who use 1Password?

    Use an offline password manager. Having your password be made from a hash of the domain name+your master password means nothing needs to be saved, so you get all your passwords on all your devices without needing to worry about syncing through The Cloud or trying to make reliable backups without having your passwords stolen from them.
    Here’s one example.


    how many additional layers does it take before your broadcast becomes a broad cast (of the lure(think casting a line in fishing)) of “here I am, here I am!”

    All it takes is reading about LinuxJournal, Tor, or Tails. The NSA really hates it when people learn about their right to privacy, or about free (as in freedom) software.
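The hash-of-domain-plus-master-password idea from the post above, as an added Python example (not the linked tool and not code from the thread). It assumes PBKDF2-HMAC-SHA256 as the hash and adds the two things such a scheme needs in practice: domain normalisation so the same site always yields the same password, and a per-site counter so one leaked password can be rotated without changing the master.

```python
import hashlib
from urllib.parse import urlsplit

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!#$%&*+-=?@_"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def site_label(url_or_host: str) -> str:
    """Normalise what the user typed so that https://WWW.Example.com/login and
    example.com derive the same password (hypothetical rule for this example)."""
    text = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlsplit(text).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError("no host name in %r" % url_or_host)
    return host


def derive_password(master: str, site: str, counter: int = 1,
                    length: int = 20, rounds: int = 200_000) -> str:
    """Deterministic site password: nothing is stored, only recomputed."""
    if length < 4:
        raise ValueError("need room for one character of each class")
    # The site label and counter are the salt; the master password is the
    # secret.  Changing the counter gives a fresh password for one site only.
    salt = f"{site_label(site)}|{counter}".encode()
    material = iter(hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                                        rounds, dklen=8 * length))

    def pick(alphabet: str) -> str:
        # Rejection sampling so the mapping byte -> character has no modulo bias.
        limit = 256 - 256 % len(alphabet)
        for b in material:
            if b < limit:
                return alphabet[b % len(alphabet)]
        raise RuntimeError("ran out of key material")  # practically unreachable

    # One guaranteed character per class keeps typical site policies happy.
    chars = [pick(LOWER), pick(UPPER), pick(DIGITS), pick(SYMBOLS)]
    chars += [pick(ALPHABET) for _ in range(length - 4)]
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(derive_password("correct horse battery", "https://WWW.Example.com/login"))
    print(derive_password("correct horse battery", "example.com", counter=2))
```

The trade-off the post does not spell out: every site password is a pure function of the master, so a single leaked site password lets an attacker test master-password guesses offline, and the work factor (rounds) plus master strength is the only thing slowing that down.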

    Clive Robinson February 26, 2017 2:46 AM

    @ Winter, r,

    Use random mac addresses.

    The original IEEE intent of MAC addresses was two fold, the first that they always be unique, the second that they also identify the manufacturer and thus the actual hardware… and I guess any useful flaws if you are a SigInt agency looking to get a fulcrum.

    There are two schools of thought about changing MAC addresses, the first is for anonymity, the second for accessing resources.

    When it comes to anonymity there are three basic ways. The first is effectively brain dead randomization, and it has a number of disadvantages, the main one being it’s fairly easy to spot. The second is you randomize BUT importantly not the manufacturer ID, nor go outside the known subrange for the hardware you are using; this is the least likely to raise flags. The third is “be overt”, that is to pick a MAC address that is used by many people such as 0xBADBEEF… and similar.

    When it comes to accessing resources the MAC address is not a very good authenticator and has all the security of using a wet noodle to tie up your shoes. Not that that stops quite a number of people thinking it’s a sufficiently good idea to use. It’s kind of like having public transport where you only have ticket machines, not barriers or inspectors: the honest pay, the dishonest ride for free. There is plenty of “pen-tester” type software that will enable you to slurp MAC addresses off air. Likewise there are various other bits of software to do some other nasty little tricks to people’s computers, as quite a few people have eventually found. There are “stories” of national SigInt agencies getting at devices using airport and other travel terminus and hub point public WiFi. How true they are is speculation, but we know that there are plenty of tools to do such things from many places.

    From a security perspective, it’s probably wise to assume, as a starting point, that any computer that has WiFi on it that has been used, is now harbouring nasties. Thus you need mitigation strategies and methods, unless you have the ability to show otherwise. And to be honest, I doubt that there are many people who could do this without a lot of information and specialised tools to reliably read out device firmware etc. Writable firmware is ubiquitous, there are “out of sight” microcontrollers in just about every block in a modern computer, even in battery packs. Great for control freak manufacturers like Lenovo and Apple, some of whom have realised new profit vectors such as user data marketing, but a real headache for the rest of us who have reason to be aware of the issues.
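Clive’s first two approaches (all-bits randomization versus keeping the manufacturer OUI) and Whonix Fan’s “if done wrong it can make things worse” caveat, as an added Python example that is not code from the thread. The `classify` check is what a network monitor would apply to spot sloppy randomization; `KNOWN_OUIS` is a constructed stand-in for the IEEE registry.

```python
import secrets

# Constructed sample of registered manufacturer prefixes (OUIs), stand-in for
# the IEEE registry a real monitor would consult.
KNOWN_OUIS = {"00:11:22", "a8:bb:cc"}


def parse_mac(text: str) -> bytes:
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("expected six colon-separated octets")
    return bytes(int(p, 16) for p in parts)


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def oui_of(mac: bytes) -> str:
    return format_mac(mac[:3])


def is_multicast(mac: bytes) -> bool:
    # Bit 0 of the first octet: a station address must never have it set.
    return bool(mac[0] & 0x01)


def is_locally_administered(mac: bytes) -> bool:
    # Bit 1 of the first octet: "not assigned by a manufacturer", i.e. the
    # address announces that it was changed.
    return bool(mac[0] & 0x02)


def classify(mac: bytes, known_ouis=KNOWN_OUIS) -> str:
    """The checks a monitor runs on a MAC it sees on the air."""
    if is_multicast(mac):
        return "multicast"              # breaks connectivity: "worse", not anonymous
    if is_locally_administered(mac):
        return "locally-administered"   # flags itself as a changed address
    if oui_of(mac) not in known_ouis:
        return "unknown-oui"            # no such manufacturer: stands out
    return "registered-unicast"         # indistinguishable from real hardware


def naive_random_mac(rand=secrets.token_bytes) -> bytes:
    """Clive's first approach: randomise all 48 bits.  Half of the results set
    the multicast or locally-administered bit, and almost none hit a real OUI."""
    return rand(6)


def oui_preserving_random_mac(original: bytes, rand=secrets.token_bytes) -> bytes:
    """Clive's second approach: keep the hardware's OUI, randomise only the
    24-bit NIC-specific part, so the address still looks like that vendor."""
    return original[:3] + rand(3)


def survey(make_mac, trials: int = 1000) -> dict:
    """How often each strategy produces an address that raises no flag."""
    counts: dict = {}
    for _ in range(trials):
        kind = classify(make_mac())
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    hardware = parse_mac("00:11:22:33:44:55")   # constructed sample address
    print("naive:         ", survey(naive_random_mac))
    print("OUI-preserving:", survey(lambda: oui_preserving_random_mac(hardware)))
```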

    not so specious February 26, 2017 8:25 AM

    hey specious, your nugget of information is very intriguing. Was your facility near In-Q-Tel, or did someone on the staff have, um, connections? Paranoid people can have enemies too. Ask John Hinckley or Sirhan Sirhan, tame assassins CIA brainwashed to whack VIPs that annoyed them.

    When the lone nuts start blasting away at Trump, guess we should start digging into their PRPs. By now everybody’s on to Saint Elizabeth’s and Boston Psychiatric so it makes sense that CIA would disperse its assassin factories.

    r February 26, 2017 9:06 AM

    lone nuts lol,

    because we’re nowhere nearly as organized as you and your GRU editors right?

    In your world, we’d not be lone nuts if we were all homogeneous yes-men muttering: yup yup yup yup yup yup at your behest.


    I enjoyed your math, harmless or maligned – I think both Goodwill and Salvation Army normally remove property stickers on donation but definitely thank you for sharing.

    specious February 26, 2017 9:42 AM

    @not so specious

    Well the location is in Baltimore, MD – close enough I suppose. From the schizophrenic point of view, if two words rhyme, then there’s a deep insidious connection. Like the yarn and thumbtacks in “A Beautiful Mind” I do know that the IT for the PRP was outsourced to a contractor. Never looked into it.

    re February 26, 2017 9:42 AM


    This one one of yores? 😉


    Thanks for shopping.

    re February 26, 2017 9:51 AM


    If our logic is anything like ML/DL then the fuzzy mentalities you mention could be missing a few layers of ‘exaction’, someone who is minorly fuzzy is reasonably functional where someone who is majorly fuzzy is impaired.

    With respect to the donations, it could’ve been outsourced sure. But it could also be a minorly maligned dual-purpose donation – it could’ve legitimately been inqtel hardware that was maligned and used for those few hours a week to consult without consulting. Or, as uninsinuated it could be mind control related instead of access and mining methodology.

    We’ll never know, but the phun of it is in giving minor credence to [@My Info] and others.

    I’d like to believe it was harmless or advantageous w respect to cover, unlike our GRU colleague above.

    specious February 26, 2017 10:16 AM

    Clients lined up first come first served until no more stations. No passwords on guest accounts. Admin account needed password but easy to obtain from win xp with the right tool. Same network as the staff computers I believe, maybe a different segment. Could see their wifi with my wireless usb. Easy to boot tails on machines. Next door Future Care nursing home with its wifi guest available – never tried it.

    ~specious February 26, 2017 10:35 AM

    Specious you are onto something. These days nobody can deny CIA’s domestic psywar programs except a few of the dimmest vocationally-trained RWA dupes like poor lonesome whatshisletter. It’s intricately linked with the child trafficking and pedophile abuse CIA uses to induce dissociative disorders for exploitation. That’s the grain of truth in the Pizzagate red herring.

    Vulnerable as you were, specious, you might have been in an unusual position to finger the CIA cutout betraying his Hippocratic oath. If you were to recall any system credentials, you could pass them discreetly to anons who can take it from there.

    It might turn out to be important. Trump announces candidacy to challenge CIA’s candidate Clinton, Bremer gets released. Trump pulls ahead of CIA’s candidate Clinton, Hinckley gets released. Duh. This telegraphs CIA’s next line of defense, in case fabricated Red scare propaganda fails to convince all the same idiots who fell for Iraqi WMD, Syrian nerve gas, Libyan Viagra rape squadrons, the Tsarnaev Brothers, Mohammad Atta, and let’s roll.

    r February 26, 2017 11:19 AM


    There were no hand kept logs? How long ago was this? What about CCTV?

    The good thing here is both the GRU and I believe such a fish tail to either be superiorly inventive or quite authentic unless you’re a victim of another ‘fuzzy’ head like some of us.

    An In-Q-Tel monitor is directly in line with the monitor hacks or a drop in replacement/bugs/van Eck sniffing.

    Either way it is most certainly curious.


    Stop steering, start digging duh.

    r February 26, 2017 11:51 AM

    A few additional thoughts,

    we don’t know what kind of fine print was involved (as the CIA said certain laws enable the NSA and criminals why not the lowered FDA requirements being allowed to cater to the CIA), we don’t know what if any (or type) of experiments went on.


    with the retirement home next door it could’ve been a pet project set up for one of the retiree’s next door.

    r February 26, 2017 11:54 AM

    re: catering && fine print

    especially where [@My Info]’s complaints about his lack of dignified rights.

    Not So Special February 26, 2017 12:01 PM


    with the retirement home next door it could’ve been a pet project set up for one of the retiree’s next door.

    Now the connection between schizophrenia and dementia praecox becomes more apparent. Said retirees are widowers, widows, childless? Living in a home literally at death’s door?

    specious February 26, 2017 12:29 PM

    @r – The clients signed a blank sheet at the beginning of the session (one in the morning and one in the evening) some snuck on, not to say sometimes staff might use one. Tax prep folks came in sometimes for free tax prep and others. No CCTV indoors yes for outside – don’t know about Future Care cams or if their wifi needed pw. The computers were in cubicles somewhat out of sight, though the PRP manager’s office was right in the back of the lab and a door to the other staff offices was next to that. Between 2011-2014. I still stop there for Dr. appointments occasionally. My motivations then and now were out of boredom and despite my own predispositions nothing ever really made my hair stand on end while there, in Dundalk (a not-for-profit, not the same as a non-profit). Perhaps it should stand on end but most of the time I’ve been pretty sane, rational and organized and not worried.

    r February 26, 2017 12:41 PM


    I’m not so paranoid as to believe there’s no legitimate purpose at all as demonstrated above, again I appreciate your candor and keen & curious eye. But it’s still worth annotating this stuff, I guess if anyone’s in the area maybe a couple days of camping out might aid in clearing the err around this just in case there really is something amiss going on.

    Moving companies anyone? Unfortunately that’s beyond my own “lone nut” capabilities.

    Be careful though if or when you go back, some fox holes are manned by antlions. Be mindful of any medications or diagnosis’ that might result.

    Handwritten entry logs could provide significant headway into any current ‘frame’ of mind as to usage or medication also.

    ≠specious February 26, 2017 2:01 PM

    Or, one of your friends from the halfway house could be the next lone nut who aimlessly wanders all the way across the country and just happens to whack some guy nobody ever heard of, who just happens to know an awful lot about CIA crime.

    The Russians do it too, as Ames can tell you. It’s not rocket science when you’re locked up incommunicado as a ward of the state.

    r February 26, 2017 2:05 PM

    @obviously very inequal,

    Now that’s a recognizable error, care to correct your stutter for the rest of us?

    Wandering across the country to whack someone is not aimless per se, where did you learn your English?

    And as for wards of the state, I already mentioned ‘a strange’ fellow suffering from “locked-in” syndrome.

    не specious February 26, 2017 2:27 PM

    Interesting stab at forum-sliding at 2:02, evidently to induce some hackneyed partisan squabbling in a bumbling attempt to interrupt the far more interesting topic of impunity for CIA crime.

    Why might this evergreen topic be touchy now, you ask? Well, it wouldn’t do for our CIA murderers to have someone looking over their shoulder at recent MK-ULTRA hi-jinks. And who are the world leaders in health-care network penetration?

    Specious might be crazy like a fox.

    r February 26, 2017 2:31 PM


    May or may not be, but hijinx are fun regardless don’t you agree?

    and about Mark 2:2,

    it’s all relevant now.

    Nothing Unusual February 26, 2017 2:41 PM

    Las Vegas’ medical mafia

    ‘Medical mafia’ don pleads guilty

    I-Team: Medical Mafia Member takes Plea Deal

    Surgeon ‘very happy’ with language in order ending probation

    Health Care Goodfellas: Mafia Turns to Medicare Fraud

    Who’s the billionaire doctor palling around with Donald Trump?

    New Jersey Officials Say Mafia Infiltrated Health-Care Industry

    Speak Out: Trump may be our best president ever

    Medical mafia: The medical society has become the medical mafia. They have seniors where it hurts in our so-called golden years. The gold in old age is theirs. Look at the commercials. Ninety percent of the ads are pharmaceutical ads for old age-related illnesses or greedy personal injury lawyers trying to sue the medical society.

    specious February 26, 2017 3:34 PM

    I didn’t want to stir things up too much. The medical software side is interesting. The folks I’ve been speaking of had their computer software revamped to connect all client records and personnel (community outreach, treatment Drs., therapists, counselors and residential/assisted living personnel) on one system. And of course about 2-3 weeks ago my outreach counselor (nice guy, kinda a slacker) had his company cell phone and laptop with said software stolen from his vehicle…he said don’t worry it’s password protected…

    Clive Robinson February 26, 2017 4:12 PM

    @ Muttering and Flublishing,

    100 lies and counting

    There was me thinking he’d scored his first century before crossing into the major leagues, and was going for a 1000 average this year.

    Anura February 26, 2017 4:25 PM

    @Clive Robinson

    Only 1000? Are you not including lies by omission? For example, Trump tweeted that the national debt actually declined, which is true, it’s just something that tends to happen around tax season. Thus, his followers think he’s accomplishing something, when in reality it’s just normal seasonal fluctuations (not like he’s done anything with respect to the budget anyway).

    r February 26, 2017 4:50 PM


    Inorite? I had to listen to that bullshit this morning and believe me I’m grumpy enough already as it is.

    Magic National Debt – Go Away!

    Only in Trump Land, the guy can’t even build a sentence he has to have polished advertisers for that.

    Wait, Policy Advisers*

    Clive Robinson February 26, 2017 5:20 PM

    @ Bruce and the usual suspects,

    Those Israeli students do it again…

    What they have done is used the hard drive LED as a serial data transmitter. Although the bandwidth is low, its worth depends on what secret you can leak via it.

    This type of attack is so old its beard rivals Gandalf’s. Back in the 1980’s there was a stream-based cipher kit that had a “Health Indicator” connected to the output of the stream generator, which at 2400b/s was readable via a photo diode some distance away. Further in the 1990’s we were warning banks and other organisations not to put comms and server racks in “glass rooms” for the same reason. This time it was modems with “health indicator” LEDs on the serial data lines on “private wire” comms lines. A group of “security experts” had shown that, renting office space in an adjacent building overlooking a server room, they could with a telescope and photo detector read the line traffic off of the front panel indicator.

    I’ve kind of mentioned this problem before as have students at the UK Cambridge Uni Computer Labs.

    I guess that like many old attacks they get depreciated by newer more sexy attacks, so the grey beards don’t tell the youngsters –or they don’t listen– so the wheel turns and what was old and dull becomes bright shiny and new, just like flared jeans, tie dye etc in the fashion industry 😉

    NetBeans February 26, 2017 6:56 PM

    from the same page (the aimsicd that busts illegal wiretappers) there is
    0x00000000: ffffffff 00000022 006e004f 0079006c '...."...O.n.l.y.'
    0x00000010: 00530020 0061006d 00740072 00610063 ' .S.m.a.r.t.c.a.'
    0x00000020: 00640072 00410020 00490050 006d0020 'r.d. .A.P.I. .m.'
    0x00000030: 00790061 00610020 00630063 00730065 'a.y. .a.c.c.e.s.'
    0x00000040: 00200073 00490055 00430043 00000000 's. .U.I.C.C.....'

    what are all the 0x00s for? is it utf16 or similar?
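The dump quoted above decodes cleanly as UTF-16LE, which answers the question in the post. What follows is an added example, not code from the post or from the AIMSICD project: it parses the quoted hexdump back into bytes and reads it as an Android Binder reply (a 32-bit exception code followed by a length-prefixed UTF-16 string); that Parcel-layout interpretation is mine, the post does not state it.

```python
import struct

# Constructed copy of the dump quoted in the post; each 32-bit word is shown
# most-significant byte first but was stored little-endian in memory.
HEXDUMP = """\
0x00000000: ffffffff 00000022 006e004f 0079006c '...."...O.n.l.y.'
0x00000010: 00530020 0061006d 00740072 00610063 ' .S.m.a.r.t.c.a.'
0x00000020: 00640072 00410020 00490050 006d0020 'r.d. .A.P.I. .m.'
0x00000030: 00790061 00610020 00630063 00730065 'a.y. .a.c.c.e.s.'
0x00000040: 00200073 00490055 00430043 00000000 's. .U.I.C.C.....'
"""

# Assumption: the reply follows Android's Parcel.writeException() layout,
# where these negative codes identify the Java exception class that was raised.
EXCEPTION_CODES = {
    -1: "SecurityException",
    -2: "BadParcelableException",
    -3: "IllegalArgumentException",
    -4: "NullPointerException",
    -5: "IllegalStateException",
}


def hexdump_to_bytes(dump):
    """Recover the raw byte stream from the word-oriented dump.

    The offset column and the trailing ASCII column are dropped; each
    8-hex-digit word is reversed so the bytes come out in memory order.
    """
    raw = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        hex_part = line.split("'", 1)[0]      # everything before the ASCII column
        words = hex_part.split()[1:]          # skip the "0x........:" offset
        for word in words:
            raw += bytes.fromhex(word)[::-1]  # little-endian word -> byte order
    return bytes(raw)


def decode_reply(data):
    """Parse <int32 code><int32 char count><UTF-16LE chars><NUL, 4-byte pad>.

    Returns (code, exception name or None, message). The 0x00 bytes the post
    asks about are the high halves of UTF-16 code units carrying ASCII text.
    """
    code, nchars = struct.unpack_from("<ii", data, 0)
    start, end = 8, 8 + 2 * nchars
    if end + 2 > len(data) or data[end:end + 2] != b"\x00\x00":
        raise ValueError("string is not NUL-terminated where the length says")
    message = data[start:end].decode("utf-16-le")
    return code, EXCEPTION_CODES.get(code), message


if __name__ == "__main__":
    code, name, message = decode_reply(hexdump_to_bytes(HEXDUMP))
    print(f"code={code} ({name}): {message!r}")
```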

    Thoth February 26, 2017 7:25 PM

    @Clive Robinson

    re: LED Data Exflitration

    Just keep the keys inside a smart card already and let the smart card do the crypto. No LED blinking since smart cards are simply just cards. Even with LEDs for USB-based smart cards, the USB controller that also controls the LED wouldn’t know what is going on inside the smart card chip and that pretty much solves quite a number of issues.

    All smart cards are tamper resistant and most smart cards have some form of side-channel protection (DPA and SPA) which would be rather decent for most use cases.

    The overly simplified strategy we have always been discussing for a long time in the end can be summarized as Data Diode + Smart Card + (Energy + Air Gap). Secure screens and keyboards would be mounted on endpoints sitting behind the Data Diodes. Done.

    Thoth February 26, 2017 9:04 PM


    That project already existed for a while. I believe some posters might have mentioned it quite awhile back.

    What you are pointing to is the failure to read the SIM card which is essentially a smart card. It has the openLogicalChannel exception, which means that it cannot talk to the SIM card due to some errors.

    Commands working for a particular SIM card may not work on another due to the applet codes varying between carriers or even SIM card applet versions.

    Another reason could be the Security Domain keys used to establish a GP-02/03 SCP to MAC the Command APDUs before sending them. There are many reasons including certain SIM cards running only with 1 logical channel and the normal Android OS would have effectively used that single logical channel causing additional request to open for another new logical channel to fail. Think of it like a single-threaded TCP server for SIM cards running with only 1 channel and multiple-threaded TCP server for SIM cards with > 1 logical channels.

    It really depends on the card, card applet and SD keys being used.

    NetBeans February 27, 2017 12:05 AM

    great explanation, thank you
    after posting this i went back and saw that the last update was “over a year ago”
    please, any suggestions on similar tools that are free software but still have people working on them today?

    Clive Robinson February 27, 2017 12:53 AM

    @ Anura,

    1000 average this year

    Is the same as saying “100% score this year”…

    It’s the same as the “Millesimal fineness” gold measure of “1000 fine”, which is not possible.

    JG4 February 27, 2017 6:03 AM

    Big Brother IS Watching You Watch

    Documents Indicate Germany Spied on Foreign Journalists Der Spiegel

    I Tracked Myself With $170 Smartphone Spyware that Anyone Can Buy Motherboard (furzy) A reminder of the perils of smartphones– and that Big Brother is only the tip of the iceberg.

    vas pup February 27, 2017 12:52 PM

    ISIS using commercial drones for dropping bombs:
    For all their brutality and intolerance, IS fighters are nothing if not ingenious and in recent days they have been deploying a battle tactic almost unprecedented in modern urban warfare – the use of commercially available drones to drop bombs and grenades against civilian and military targets.
    …the frequency and accuracy of how the Islamic State group is utilising small, relatively unsophisticated drones in Mosul has significantly slowed the advance of government forces.
    The use of drones, with their relatively light payloads, will not change the course of this conflict.
    Yet the psychological impact of drone attacks cannot be discounted, says Emanuele Nannini from the Italian aid agency Emergency, which helps run the hospital where Umm Mohammed and several other drone victims are being treated.
    “Physically they are very similar to a mortar attack but actually they are very precise,” Mr Nannini tells me, as he supervises a rapid expansion of the hospital beds and wards in anticipation of the battle unfolding in western Mosul.
    “So each of these drones is actually striking the target that was chosen. Psychologically it can be very bad for the population because they can strike at any moment and at any place.”

    Are we within US ready to counter such application or as usually we are in reactive mode?

    Tatütata February 27, 2017 1:53 PM

    Slate, Someone leaked a story about Sean Spicer’s latest effort to stop White House leaks :

    Under the supervision of White House attorneys, Spicer last week held “an emergency meeting” where staffers were told to hand over their phones to prove they were not communicating with reporters. Personal phones were also part of the inspection. Politico reported that Spicer and the attorneys were looking for encrypted messaging apps like Confide and Signal. Spicer informed his staff that these texting apps were a potential violation of the Presidential Records Act.

    According to BuzzFeed reporter Sheera Frenkel, Spicer has Confide on his phone.

    I wonder which story Spicer leaked (or planted) to Mrs. Frenkel over Confide…

    Bacos February 27, 2017 5:47 PM


    Spicer made the leak and covered it up by grilling his innocent help, classic misdirection and trust building.

    Davey Jones February 27, 2017 6:24 PM

    They’re all working under the Umbrella of IMSIs and Google’s push installer, better to be authortarianing from an old brother in their position considering all the friendly jabs that have been made at the [M]IC.

    vas pup February 28, 2017 9:32 AM

    @all: Private owners of drones should have insurance (mandatory) as high risk device (like car)- see below
    Man jailed for hitting woman with drone:
    The owner of an aerial photography business has been sentenced to 30 days in jail after a drone he was operating knocked a woman unconscious. Prosecutor Pete Holmes said the faulty operation of drones was a “serious public-safety issue that will only get worse” and more prosecutions could follow.
    Ravi Vaidyanathan, a drone expert from Imperial College London, said he was “not aware of anything previously resulting in jail time”.
    He said it was inevitable more accidents would follow and called on the regulatory bodies that governed drone use to provide “a consistent set of guidelines on usage”.
    “In the US, there are rules for commercial use but different ones for hobbyists,” he said.
    During the past fiscal year, more than 1,200 possible collisions between an aircraft and a drone were reported to the Federal Aviation Administration.
    The FAA was unable to confirm any strikes, but it has reported several close calls, including a Lufthansa jet approaching Los Angeles that passed within 200ft (60m) of a drone.
    Other drone-related security development:

    Anura February 28, 2017 5:24 PM


    More to the point:

    Donald Trump’s attorney general said Tuesday the Justice Department will limit its use of a tactic employed aggressively under President Obama — suing police departments for violating the civil rights of minorities.

    “We need, so far as we can, to help police departments get better, not diminish their effectiveness. And I’m afraid we’ve done some of that,” said Attorney General Jeff Sessions.

    “So we’re going to try to pull back on this,” he told a meeting of the nation’s state attorneys general in Washington.

    Thoth February 28, 2017 5:30 PM


    USA could just as well declare martial law since it already descended into a state of tyranny a long time ago before Obama. The difference is Obama expanded surveillance and tyranny like never seen before.

    Anura February 28, 2017 5:41 PM


    Agreed that Obama let the NSA/CIA run a lot looser than Bush. However, the same can be said of Bush, and Trump has also promised to remain more committed. By ending net neutrality, the ISPs are going to have the power to limit content, censor the news, and force more monopolistic control of all of our content on the internet here in the US.

    Obama, at the very least, fought for net neutrality and the environment. The GOP appointed an oil industry shill as head of the EPA, and are dedicated to doing everything they can to limit our environmental protections. This affects the entire world. There is not a single time in recent history that I can remember where the GOP acted against corporate interests – and US corporate interests include global domination.

    r February 28, 2017 6:46 PM


    Yep, the cornerstones have been in place for quite a while now. Good thing I’m white hispanic until they come for my blood sample I don’t have anything to worry about except the other minorities lashing out at the minority rapport.

    r February 28, 2017 6:53 PM


    And that my friend is why we don’t know for sure if Obama really let the Bush era continue completely unabated, think about it.

    He certainly had updated technology to play with but Bush/Cheney 2016 could’ve been far more destructive given the tools that are being deployed and developed now.

    r February 28, 2017 6:58 PM


    Add, the concept of international greed to the GOP/Multinational corporation list. It transcends all borders, all nationalities. At least the other shoe was pro American, pro-people who wanted to be Americans. These other people just want to be lawless multinational playboys.

    Yaughta Yaughta Yaughta.

    r February 28, 2017 7:02 PM

    People who want to make a difference in the lives of others instead of just their pocket books, but w/e if they want to make it easier to scam/steal/invest let them we know how to turn it to our advantage just as well as they do. The party line will NOT protect them when the mortgages come home to roost.

    The Repugnican Party isn’t what it used to be.

    r February 28, 2017 7:18 PM

    It makes me second guess the motives behind Obama’s last moves, were they to enable tracking this supposed Russian threat or is the GRU right and they super pwn us now?

    Was it an admission of defeat enabling that massive jurisdiction overhaul?

    r February 28, 2017 7:21 PM

    It certainly was a pro-state move allowing Ohio to validate a warrant for Oregon or to enable putting an IMSI catcher in the raw over the whole of the Unifeyed State.

    JG4 March 1, 2017 6:59 AM

    several other interesting news stories at nakedcapitalism today that are spot on data security

    Do Democratic Operatives Dream of Big Data Death Stars?
    The Case Against Cambridge Analytica As a Propaganda Tool
    Posted on March 1, 2017 by Yves Smith
    By Marina Bart (formerly aab) a writer and former public relations consultant, who thinks and writes about many things, including political economy, culture and communication

    It has long been the case that “Big Data” has been treated as a magical, unstoppable force that will reap power and profits for those who can channel it effectively. In the 2016 Presidential election, the Clinton campaign and Democratic National Committee relied heavily on Ada (named after Lord Byron’s mathematician daughter, a perfect identitarian for Clintonian Democrats, combining as she does into one symbolic person aristocratic status, the creative class, feminism and computing). Ada was the Democrats’ attempt at a Big Data Election-Winning Machine, apparently created for it in secret in a dark cave at the top of a mountain by Eric Schmidt and unknown coding slaves who were probably killed as soon as Eric carried his prize down the mountain to Hillary’s waiting arms.
    That last part is made up.

    But the Democrats did have Ada, which only top aides were allowed to use or even see. Very little is known about Ada, because (spoiler alert) Clinton lost and the brain trust leading the party (if you can call it that) didn’t want anyone to focus on their incompetence and wasteful spending because RUSSIA. Ada said Wisconsin was a safe state. Ada said paying Jay Z to perform would win Ohio. Ada failed, along with Clinton.

    gordo March 1, 2017 3:15 PM

    Will Democracy Survive Big Data and Artificial Intelligence?
    We are in the middle of a technological upheaval that will transform the way society is organized. We must make the right decisions now
    By Dirk Helbing, Bruno S. Frey, Gerd Gigerenzer, Ernst Hafen, Michael Hagner, Yvonne Hofstetter, Jeroen van den Hoven, Roberto V. Zicari, Andrej Zwitter | Scientific American | February 25, 2017

    In the 1940s, the American mathematician Norbert Wiener (1894–1964) invented cybernetics. According to him, the behavior of systems could be controlled by the means of suitable feedbacks. Very soon, some researchers imagined controlling the economy and society according to this basic principle, but the necessary technology was not available at that time. (par. 5)

    Editor’s Note: This article first appeared in Spektrum der Wissenschaft, Scientific American’s sister publication, as “Digitale Demokratie statt Datendiktatur.”

    Clive Robinson March 1, 2017 4:47 PM

    @ Gordo,

    Will Democracy Survive Big Data and Artificial Intelligence?

    As I’ve said many times before, we do not live in a democracy, we live in a representational democracy, where representatives can be bought. So the question is moot.

    Perhaps we should ask “Will Society Survive…” and if so in what form…

    Anura March 1, 2017 5:16 PM

    @Clive Robinson

    No, we live in a plutocracy – control over the economy is proportional to wealth, and the economy is involved in every aspect of your life. Things would be great if we lived in a representative democracy. The problem is that society can’t survive capitalism. We need complete transparency into what data is collected, and who exactly is using it and what exactly are they using, and make sure that we have direct, democratic ownership over the companies that own our data by setting them up as consumer cooperatives.

    gordo March 1, 2017 6:37 PM

    @ Clive Robinson,

    While the title does identify at least a dual threat, i.e., to both democracy (representative) and to democracy (direct), respectively, the subtitle, as you’ve teased out, does get at the big ask.

    r March 1, 2017 6:42 PM

    There, I was almost at a loss for words but I finally found some:

    “Because, we don’t just want anyone in the United States yanno.”

    GTFO Gestapo, what’s your job to check the color of my underwear?

    What do you do for a living Mr. DHS? You call that a job?

    It’s welfare for white people with anger problems.

    Since when has including others been a bad thing?

    I’m a private investor, how’s my wallet feel in your hand?

    Feels good having real money doesn’t it, how’s your mortgage? Your wife? Your Escalade?

    Your children through college yet?

    How ever did you do it?

    r March 1, 2017 6:46 PM

    I bet the people in charge of the DHS/CBP feel pretty good about themselves having all those minorities filling their open job positions.

    Feels good telling people to do all sorts of insanely disrespectful things to others and getting away with it because they couldn’t possibly find another well playing job doesn’t it?

    High five dudes, drinks all around.

    r March 1, 2017 6:48 PM

    Here’s some slant for the CBP,

    I bet you more white people bring weapons onto planes than anyone else.

    How does that sit with you?

    Window seat or aisle?

    Clive Robinson March 1, 2017 8:35 PM

    @ Anura,

    No, we live in a plutocracy.

    Technically no, practically almost certainly. It’s the reason I said

      … where representatives can be bought.

    But I should have added it’s not just our elected representatives, it’s also those at the top of the armed forces, intelligence agencies, in fact just about anybody who has a budget derived from the “public purse” by which they purchase goods and services.

    @ gordo,

    I left the important word “first” out between “should” and “ask”.

    Society to many is not something they consider, they make the mistake of thinking that it’s “all politics”, which is why we let politicians have more power than they should have. In some respects “we are the frog in the pot”[1] and we ignore or fail to see the slowly ever tightening noose our “elected” representatives have put around our necks.

    For instance back when Bill Clinton was in the White House we fought and supposedly won the Crypto War. With hindsight however we can see that we actually won little to nothing, because we fought the wrong battle. The NSA had lost interest in the “bit length” of ciphers having developed alternative more effective methods. Which we later saw some of them coming out with the AES contest, the NSA rigged the contest through NIST with the result that the software most downloaded and used was full of time based side channels, that leaked info on the key via cache timing attacks that could be seen across the network. We even later saw NIST having to withdraw a standard because the NSA were less than subtle about how they had put in the fix.

    From the few documents that have so far been made public from the Ed Snowden trove it became clear that the majority of people had failed to realise the way the various Five-Eye SigInt agencies were working. That is the majority did not realise that they were the targets, even though various people had been saying so for years beforehand.

    I guess it’s no secret that the various national SigInt agencies are out of control, and the legislators have no intention of reining them in via legislation or budget cuts. Thus people should be asking why this should be so, but you don’t hear it asked.

    Yes the big five ICT corps know more about many people than those people know about themselves and those close to them. But you have to ask what scope they have in doing harm compared to the out of control “guard labour” of the IC & LE organisations?

    Those who lived in East Germany during the Cold War can tell you the effect on society of the Secret Police. It was quite bad, but it was limited in effect because the Secret Police did not have the resources to commit worse harms against society. Now consider what effect they would have had, if they had had the technical resources we have today… George Orwell had more than just the date wrong in 1948 when he wrote his book about Winston Smith. He failed to realise just how willing a society is to be spied upon at their own expense in exchange for a few gizmos integrated into a little box smaller than a notebook or diary…

    [1] Yes I know the reality is the frog will hop out of the pot as the water gets hot. But whilst it might not be true for frogs it has certainly been true for humans (see deaths with Victorian cast iron baths with gas burner heating underneath).

    JG4 March 2, 2017 6:21 AM

    Big Brother Is Watching You Watch

    Police say they were ‘authorized by McDonald’s’ to arrest protesters, suit claims Guardian

    Internet of Things Teddy Bear Leaked 2 Million Parent and Kids Message Recordings Motherboard

    Yahoo says about 32 million accounts accessed using ‘forged cookies’ Reuters

    Clive Robinson March 2, 2017 8:21 AM

    @ My Info,

    Sonic boom or Russian ICBM?

    The energy signature and residuals in the atmosphere will be sufficiently different to know the difference.

    The problem, finding someone sufficiently independent that you can trust their measurements, results and analysis…

    Otherwise you have to start figuring probabilities backwards from effect to cause, and that is rarely considered good science, more often it’s considered “guess work, based on assumptions”, which is a long long way away from what many would consider a rational process (see the history of forensics to see why).

    JG4 March 2, 2017 11:56 AM


    I think that I’ve suggested in the past an open-source collaborative system for capturing and correlating sounds at neighborhood scale. That could be readily scaled statewide, where it would provide interesting information about the origin of any large scale sound, e.g., thunder and sonic booms. My guess is that it would provide insight into the capabilities of very fast high altitude aircraft like the purported Aurora. The Creative SoundBlaster external USB-connected stereo 24-bit ADCs have stunning specifications for under $100. The nanosecond clock output from a GPS could be fed into the sound channel above the audio range to provide timestamping for the correlation. I don’t have a good suggestion for a high quality microphone that is inexpensive. B&K spring to mind, but those run into serious money. It’s about time that they were copied in Asia for 1/10th of the price. I’m still interested in a good ultrasonic microphone for monitoring fugitive emissions from consumer electronics. The same ADC could be used, possibly by overclocking or by heterodyning ultrasound into the audio range.

    gordo March 2, 2017 5:07 PM

    @ Clive Robinson,

    Regarding that tortured “frog in the pot” metaphor [more follows and mixing, generalizing], together with what Orwell got “wrong” (and see below), I think Huxley got popular culture “the frog in the pot” and Orwell government culture, hand on the temperature dial, waiting and watching (as and while “the big five ICT corps”, etc., stir society or “the [melting] pot”) to see who hops, when, where, why and how.

    Comparisons of Aldous Huxley’s Brave New World with George Orwell’s Nineteen Eighty-Four

    Social critic Neil Postman contrasted the worlds of Nineteen Eighty-Four and Brave New World in the foreword of his 1985 book Amusing Ourselves to Death. He writes:

    What Orwell feared were those who would ban books. What Huxley feared was that there would be no reason to ban a book, for there would be no one who wanted to read one. Orwell feared those who would deprive us of information. Huxley feared those who would give us so much that we would be reduced to passivity and egotism. Orwell feared that the truth would be concealed from us. Huxley feared the truth would be drowned in a sea of irrelevance. Orwell feared we would become a captive culture. Huxley feared we would become a trivial culture, preoccupied with some equivalent of the feelies, the orgy porgy, and the centrifugal bumblepuppy. As Huxley remarked in Brave New World Revisited, the civil libertarians and rationalists who are ever on the alert to oppose tyranny “failed to take into account man’s almost infinite appetite for distractions.” In 1984, Orwell added, people are controlled by inflicting pain. In Brave New World, they are controlled by inflicting pleasure. In short, Orwell feared that our fear will ruin us. Huxley feared that our desire will ruin us.

    Clive Robinson March 2, 2017 5:13 PM

    @ JG4,

    I think that I’ve suggested in the past an open-source collaborative system for capturing and correlating sounds at neighborhood scale.

    You are not the only one, Matt Blaze for instance is actively interested in it.

    The first people I heard talking about it were back in the 1980’s and they were from entirely different but not unrelated backgrounds. The first group were historians, the second the police. The historians were concerned that whilst we had and do have photographs –selfies being just a modern version– the written word and similar, there are few if any recordings of sound, unless attached to media worthy events such as news and sports items, none of which are representative of normal sound.

    Back in 1979 I worked for a while in the BBC engineering Dept in Chiswick London, and was involved with the testing of a new style of microphone. In essence it was four cardioid microphones arranged at 120 degrees to each other in a pyramid. The four sources were then recorded onto a high quality four track recorder or a pair of the microphones onto an eight track. After the recording it was possible to phase and delay the four channels from a microphone to in effect not just steer it to a particular sound source but also adjust the beam width. In essence it was a little like a phased array antenna used in radar systems. Back then DSP systems were still in their infancy, modern digital systems for both recording and phasing would be quite cheap and low powered. Two or more such microphones could in turn be used like a Very Long Baseline Telescope etc.

    Which brings me back to the police interest, they wanted to detect/locate the discharge of firearms in a city. They used simple omnidirectional microphones mounted at height connected back to Sun Workstations. However it became clear that the system could do other things including track aircraft from their sound (something “stealth technology” has apparently not taken into consideration). Likewise vehicles with characteristic noises. As so often happens when interesting research gets to a certain point it disappears from the public view. As it has not really reappeared as a commercial product it only leaves two basic possibilities…

    More modern research has produced other systems that are even more curious in that you can use sound to make three dimensional images by the reflections etc. Simplistically it uses the same basic principles that these “WiFi imaging” systems you hear about from time to time use. And can thus be, and have been, used for other things, amongst which are burglar alarms that can detect doors and windows etc opening/closing/breaking. But can also detect and characterize the ordinary occupants such as the householders and their pets sufficiently to tell them apart, and thus not trigger if the cat climbs through the cat flap or open window, but will do if say a child or adult does.

    One trick I have been shown more recently is detecting “sound holes”. That is an object that absorbs but is not reflective or transmissive of sound. Which as you will appreciate is problematical for stealth systems, which generally work by “making like a hole in space” by absorption or by deflecting, not reflecting back to an energy source…

    BAE Systems were looking at one time to a multiple dispersed series of emitters with offset receivers to overcome radar stealth systems. Sound being “naturally produced” or “cheaply emitted” would be much more effective than radar sources in that you have thousands of randomly placed sound sources available to use…

    r March 2, 2017 5:35 PM

    It doesn’t sound like anyone was really addressing actual security, just still continuing on the assumption that there will continue to be holes that can be punched or picked through.

    I think now more than ever especially with security ‘experts’ we need to be tightening our belts moving from unvetted inclusions into the realm of proofs and vetted code.

    When one little unsigned integer can unleash a 100,000 strong single minded thread imagine what happens when that single minded thread is spreading an ML algo tailored to Intel’s soon to be released DL opcodes.

    Sure, such dependencies are limiting factors but modular code and automatic refactoring are not things of the distant past – they are things that are going on behind the scenes in the here and now and they will not be going away any time soon.

    Just like the argument with QC, there will be co-existence. It’s time to fasten our belts, tie up our laces and pull up our pants. Put your boots on, things are going to get dirty.

    r March 2, 2017 5:39 PM

    especially with security experts detracting from the traditional frame of thought and questionerr’ (as currently with anyone bucking Nick P, ab, Clive), just still continuing*

    Hybridized attacks are not new, droppers will upgrade the friends they invite into your home.

    JG4 March 2, 2017 5:50 PM


    I’ve seen headlines, possibly in this forum, indicating that at least several major US cities have deployed sound localization for gunshots. I think that I read about it rather than conceiving it myself.

    The middle letter in the MIT consulting group BBN stands for Beranek. They were paid by the House Select Committee on Assassinations in 1979 to analyze the Dealey Plaza audio tapes. They concluded that there were at least two shooter locations, but their results have been at least questioned, if not discredited. Gunshot is a particularly convenient signal in that it essentially is a delta function. I saw a convincing video indicating that the fatal shot came from a storm drain.

    going on 102 years is a pretty good run on your planet

    The cell phones in a city provide a rich source of signals for synthetic aperture radar of stealth aircraft and other purposes. I am impressed with how inexpensive microwave electronics have become.

    SMAKN HB100 Microwave Sensor Module 10.525GHz Doppler Radar Motion Detector Arduino $7.60 & FREE Shipping
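    The gunshot localisation that Clive Robinson's police anecdote and JG4's "delta function" remark both describe, as an added example that is not code from anyone in this thread: an impulsive source gives clean onset times at each microphone, and the time differences of arrival (TDOAs) are solved for position with a small Gauss-Newton loop. The four microphone positions, the speed of sound and the shot location are constructed for the example; the solver is my own, not any vendor's.

```python
import math

# Constructed example: four microphones (x, y in metres) around a city block.
MICS = [(0.0, 0.0), (120.0, 0.0), (120.0, 90.0), (0.0, 90.0)]
C = 343.0  # assumed speed of sound in air, m/s (about 20 C)


def arrival_times(src, mics=MICS, c=C, t0=0.0):
    """Time each microphone hears an impulse fired at `src` at time t0."""
    return [t0 + math.dist(src, m) / c for m in mics]


def tdoas_from_onsets(times):
    """Time differences of arrival relative to microphone 0.

    Gunshots are near-impulsive, so onset times are easy to pick; the
    unknown firing time t0 cancels in the differences.
    """
    return [t - times[0] for t in times[1:]]


def locate(tdoas, mics=MICS, c=C, guess=None, iters=50, tol=1e-9):
    """Estimate the source position from TDOAs with Gauss-Newton.

    Residual i: r_i = (d_i - d_0) / c - tdoa_i, where d_k is the distance
    from the candidate point to microphone k.  Starts at the array centroid.
    """
    n = len(mics)
    if guess is None:
        guess = (sum(m[0] for m in mics) / n, sum(m[1] for m in mics) / n)
    x, y = guess
    for _ in range(iters):
        d = [max(math.hypot(x - mx, y - my), 1e-9) for mx, my in mics]
        jx, jy, r = [], [], []
        ux0, uy0 = (x - mics[0][0]) / d[0], (y - mics[0][1]) / d[0]
        for i in range(1, n):
            uxi, uyi = (x - mics[i][0]) / d[i], (y - mics[i][1]) / d[i]
            jx.append((uxi - ux0) / c)          # d r_i / d x
            jy.append((uyi - uy0) / c)          # d r_i / d y
            r.append((d[i] - d[0]) / c - tdoas[i - 1])
        # Normal equations (J^T J) delta = -J^T r, solved in closed form (2x2).
        a = sum(v * v for v in jx)
        b = sum(v * w for v, w in zip(jx, jy))
        cc = sum(w * w for w in jy)
        gx = sum(v * e for v, e in zip(jx, r))
        gy = sum(w * e for w, e in zip(jy, r))
        det = a * cc - b * b
        if abs(det) < 1e-30:
            break  # degenerate geometry, stop rather than divide by zero
        dx = -(cc * gx - b * gy) / det
        dy = -(a * gy - b * gx) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < tol:
            break
    return x, y


if __name__ == "__main__":
    shot = (40.0, 60.0)                       # constructed true source
    est = locate(tdoas_from_onsets(arrival_times(shot, t0=12.345)))
    print("true", shot, "estimated", tuple(round(v, 3) for v in est))
```

    With perfect onsets the estimate lands on the true point; a fraction of a millisecond of onset jitter moves it by centimetres, which is why the baselines between sensors matter more than any single microphone's quality.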

    Wells March 2, 2017 6:50 PM



    Take that to two extremes? No. You’re probably right, contrast is here to stay

    Clive Robinson March 2, 2017 7:12 PM

    @ My Info,

    How often do Tunguska-scale meteors strike?

    Lumps of matter of the same mass hit the earth's atmosphere rather more often than many people realise. Oddly though proportionate to size the moon apparently gets struck rather more frequently, which has led some researchers in the past to say it acts as a partial shield to the earth. Whilst the argument about how many hit the moon was thought to have been settled, recent evidence suggests it was too low by a significant amount,

    Which suggests that also more hit the earth than was previously thought as well…

    Part of the reason people think that the earth gets hit by lumps of matter a lot less than actually happens is to do with the composition and another to the angle they hit at. Thus they can burn up, air burst or bury themselves in the oceans or land.

    Another important aspect is just how little of the earth's surface is actually occupied by mankind and how little people used to communicate. An example of which is the puzzle over the 1908 Tunguska event, although its shockwaves were felt as far away as England, and there was massive devastation at Tunguska, there are no records of human deaths or injuries relating to it. It also remains a bit of a mystery, some Italian researchers indicated that it could have been two lumps of matter, one hitting the ground forming a lake the other “air bursting”. Other researchers and investigators say it might have been a comet not a meteorite…

    But the assumed answer is still that it was a meteorite and that it obliterated entirely in the aerial explosion of an oblique trajectory air burst. Which is what happened during the 2013 Chelyabinsk meteor event, which thanks to dashboard cams and cellphones and modern media was both well recorded and reported. So I would expect the number of reports to start rising, especially when you find out just what lumps of meteorite fetch at auction.

    Meh March 2, 2017 7:18 PM

    I guess I should’ve read the ESET breakdown before I claimed ‘anti-worm’, but it’s still a major privilege escalation hole none-the-less.

    r March 2, 2017 7:43 PM


    I saw something about the USGS seismometers being used for something else successfully, forget what. There’s you a network of LF audio sensors.

    “Shot Spotters/ing” is the term you’re looking for where audio triangulation is residentially deployed.

    Clive Robinson March 2, 2017 7:58 PM

    @ gordo,

    Aldous Huxley’s Brave New World

    It’s one of those books I have on the book shelf from long long ago, that “I had to read little by little” with the rest of my class as part of my education some cough cough years ago, and thus hated. I “broke the rules” with 1984 by just sitting down and reading it from cover to cover the Sunday afternoon after it was issued, then annoying my English teacher greatly the following day by trying to hand it back in. She incorrectly assumed that nobody of my age and social class could read such a book in an afternoon. Imagine just how annoyed the old dragon really got when she tried to prove it by asking me about the book and I said things like “on page 21 in the second paragraph it says…” to say she was developing a head of steam might describe why she had gone the colour of freshly boiled beetroot…

    The book we had to read for our exams was “The Ship” by C.S. Forester, and is not a book you should force on teenagers, I still think the school selected it because it had twenty six chapters all short enough to be set as homework and they purchased it as a job lot. Come the exam I was surprised to find that other books could have been selected one of which was Clive King’s “Stig of the Dump”, it was a magical book that I had loved reading, and thus answered the questions about it rather than The Ship. The result was that I very unexpectedly got the best pass mark of the class.

    So now I’m considerably older I should one Sunday get the kettle on, make a pot of tea and get “Brave New World” out for a reread in one go (still the best way to read a novel).

    r March 3, 2017 6:00 AM


    My view on the best way to read a novel, is to your children piecemeal.

    😉 But I guess that’s the USG and MSM’s methodology too huh?

    r March 3, 2017 6:09 AM

    Librarians are some of the worst book burners, critiquing parental choice in reading material. I suppose we all do it but when the principal and librarian decide to have a meeting with you over your reading of ‘To Kill a Mockingbird’ with your young children as an exercise in ’emergency’ ‘intervention’ I suppose that would foment the sharp edges of anyone’s meringue.

    Bias here, bias there, bias everywhere. Where are the impartial librarians when it comes to ‘god save the children’? It’s fine when they’re playing patsy to some government sanctioned curriculum but god forbid we deviate from the list of supported authoritarians.

    r March 3, 2017 6:29 AM

    I will pay you $25 million USD to include my /agent rng/ in your cost saving solution, everybody knows cryptographers and ‘correct’ coders are expensive on both the cost and time investment graphs.

    Any objections? Time to market should be your primary concern, you wouldn’t want any other upstarts to usurp your rightful place on the market podium.

    Let me know when this sync’s in.

    gordo March 3, 2017 3:25 PM

    @ Clive Robinson,

    I’m not surprised to hear that you ‘broke the rules’. Though I think I lived on book reading in the days of my youth, I was never quite as quick a reader as you and so many others. One trick I recall, but not for purposes of speed, was Marshall McLuhan who said that he read every other page, as I recall it, of mystery novels, so as to allow his mind to fill in the gaps on its own. Hmm, I see that I may have conflated something there, ah, well –

    Marshall McLuhan’s Strange Reading Habit: “I Read Only the Right-Hand Page of Serious Books”

    Yes, a nice, sunlit room, comfy chair, foot rest and tea make a good novel all the better. Enjoy!

    With new arrivals in the extended family, Stig of the Dump may be making some new (American) friends soon, but I’ll, of course, first have to give it a read of my own 🙂

    gordo March 3, 2017 3:33 PM

    Donald Trump, the First President of Our Post-Literate Age

    By Joe Weisenthal | Bloomberg | Nov 29, 2016

    And here we begin to see how the age of social media resembles the pre-literate, oral world. Facebook, Twitter, Snapchat and other platforms are fostering an emerging linguistic economy that places a high premium on ideas that are pithy, clear, memorable and repeatable (that is to say, viral). Complicated, nuanced thoughts that require context don’t play very well on most social platforms, but a resonant hashtag can have extraordinary influence. Evan Spiegel, the chief executive officer of Snap Inc., grasped the new oral dynamics of social media when he told the Wall Street Journal: “People wonder why their daughter is taking 10,000 photos a day. What they don’t realize is that she isn’t preserving images. She’s talking.”

    tyr March 3, 2017 4:44 PM

    @Gordo. Clive

    I think the contrast in Huxley/Orwell comes
    from their personal experiences. Reading
    ‘Down and Out in London and Paris’ makes an
    interesting contrast to Huxley. I’d be willing
    to bet Aldous never missed a meal out of need
    in his life.

    I tend to agree with the future is here but is
    unevenly distributed. Folk who indulge in trying
    to cast the horoscope of what’s next are pretty
    dull compared to someone like Wells or Verne.

    It was a shame Pratchett never did a collaboration
    with Ian M. Banks that would have made a greater
    future than most people could stand to contemplate.

    It is interesting to me that ocean algae bloom
    when fed microscopic iron particles. That means
    the meteorite rains have been going on with the
    regularity that life has adapted to their presence.

    The only dystopia I know of with modern styling
    is the works of M A Foster whose descriptions of
    the human world outside the Ler mutant reservations
    seems to match current trends pretty closely.

    Gameplayers of Zan makes an interesting case for a
    society so bound by surveillance and central planning
    as to have lost the will and ability to innovate with
    a total enervation of the overcrowded populace as a
    side effect.

    Clive Robinson March 4, 2017 3:19 AM

    @ gordo,

    With new arrivals in the extended family…

    Ahh “little ones” as once observed “God invented children to keep parents young”. A lesson from an old fart like me is “A book, if you look after it, is a friend for life, and a window into many places you would not otherwise see”. And for parents, a book can broaden their child's horizons, whilst keeping their restive feet still, importantly if people don’t read well, they do not write well, which limits their ability to communicate.

    Next week is the anniversary of Douglas Adams' birthday, and Sir Terry Pratchett's death, both of whom left us much earlier than they should have. Each in their own way have enriched the outlook and horizons of very many people of all ages, and hopefully will continue to do so for very many years to come. Both admitted to reading Tolkien’s The Lord of the Rings, and HG Wells stories, which gave them inspiration for their works. Whilst their quirky outlook on life and sense of humour gave their books an added dimension, missing in so many other more “literary” works favoured by the likes of the Booker Prize etc, most of which tend to find little audience thus fade fairly quickly from view (Douglas Adams satirized “awards” with his skit in the flying party…). As Terry Pratchett once noted, the important thing is not what children read, but that they read and enjoy doing so often. A child who hides under the bed clothes with a book and a flashlight after bed time is destined for a curious and interesting future.

    Clive Robinson March 4, 2017 4:24 AM

    @ tyr,

    I’d be willing to bet Aldous never missed a meal out of need in his life.

    From memory, yes he did have a privileged background, one of his relatives was a Nobel Prize winner and his grandfather a researcher known as “Darwin’s Bulldog”. His father was a biographer and school master, his mother set up a private boarding school and died whilst he was still quite young. His two brothers went on to get knighthoods for their scientific work (Aldous declined his without giving a reason). He was born in Godalming Surrey UK, just around the corner from where some of my relatives later lived and his family features prominently in the local history. His family was friendly with the likes of Lewis Carroll, W. B. Yeats, George Bernard Shaw and many other artists and scientists most of whom Aldous would have known well.

    However in other respects his life was virtually over before it got started, at an early point in life he suffered an illness that left him near blind and quite reliant on others. In short his life choices were few and only because he was well educated could he become a teacher and later a writer. He also got lucky to be in the right place at the right time and became a highly paid scriptwriter in the US.

    When he was a teacher one of his pupils later took on the pen name of George Orwell, who later accused Aldous of plagiarism of the themes in Brave New World.

    So life was both bad and good to him…

    tyr March 4, 2017 10:34 PM


    I first ran across him when Doors of Perception
    was the must read book of a generation. Later
    I dug through most of his works which gives a
    fascinating run through of the thought processes
    of the english upper class. He did some passable
    science fiction most of it better than Brave New
    World but not quite as catchy for the mainstream.
    Humour is hard to do and those rare folk who can
    pull it off should be showered with accolades and
    money. Laumer and Sheckley could do it but they
    were exceptions like Adams and Pratchett.

    I seem to recall that he managed to overcome his
    vision problems by learning to draw accurately
    and wrote it up in a small book (one I’ve never
    seen). It seemed like a very good idea since a
    major basis of science is to do careful observations.

    Some carry that too far like the guy who drew all
    of the diatoms he could find. : ^ )

    You might try Cyteen by CJ Cherryh for a look at
    what Brave New World looks like as a concept for
    another story background. Good writers steal the
    ideas all the time but great ones transform them
    into new richness.

    The popcorn wars continue apace in Merkin politics.
    They’re all so serious about it too, it’s becoming
    hard for the comedians to satirize. Too bad JJ
    Angleton isn’t around to help out the witch hunts.

    J b y a p, d n m t r n o t g y. March 5, 2017 5:26 PM


    If you’re going to spam multiple threads, there’s more creative ways to test the double-post prevention filter than to simply append numbers.

    It would be less obvious #1, #2 you might get more traffic.
