Defense against Doxing

A decade ago, I wrote about the death of ephemeral conversation. As computers were becoming ubiquitous, some unintended changes happened, too. Before computers, what we said disappeared once we'd said it. Neither face-to-face conversations nor telephone conversations were routinely recorded. A permanent communication was something different and special; we called it correspondence.

The Internet changed this. We now chat by text message and e-mail, on Facebook and on Instagram. These conversations -- with friends, lovers, colleagues, fellow employees -- all leave electronic trails. And while we know this intellectually, we haven't truly internalized it. We still think of conversation as ephemeral, forgetting that we're being recorded and what we say has the permanence of correspondence.

That our data is used by large companies for psychological manipulation -- we call this advertising -- is well known. So is its use by governments for law enforcement and, depending on the country, social control. What made the news over the past year were demonstrations of how vulnerable all of this data is to hackers and the effects of having it hacked, copied, and then published online. We call this doxing.

Doxing isn't new, but it has become more common. It's been perpetrated against corporations, law firms, individuals, the NSA and -- just this week -- the CIA. It's largely harassment and not whistleblowing, and it's not going to change anytime soon. The data in your computer and in the cloud are, and will continue to be, vulnerable to hacking and publishing online. Depending on your prominence and the details of this data, you may need some new strategies to secure your private life.

There are two basic ways hackers can get at your e-mail and private documents. One way is to guess your password. That's how hackers got their hands on personal photos of celebrities from iCloud in 2014.

How to protect yourself from this attack is pretty obvious. First, don't choose a guessable password. This is more than not using "password1" or "qwerty"; most easily memorizable passwords are guessable. My advice is to generate passwords you have to remember by using either the XKCD scheme or the Schneier scheme, and to use large random passwords stored in a password manager for everything else.

Second, turn on two-factor authentication where you can, like Google's 2-Step Verification. This adds another step besides just entering a password, such as having to type in a one-time code that's sent to your mobile phone. (A code from an authenticator app, or a hardware security key, is stronger than a code sent by text message, which an attacker who takes over your phone number can receive instead of you.) And third, don't reuse a password across sites you actually care about.

You're not done, though. Hackers have accessed accounts by exploiting the "secret question" feature and resetting the password. That was how Sarah Palin's e-mail account was hacked in 2008. The problem with secret questions is that they're not very secret and not very random. My advice is to refuse to use those features. Type randomness into your keyboard, or choose a really random answer and store it in your password manager.
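The password advice above, as an added example in working code (this is not code from the original essay): a Diceware/XKCD-style passphrase drawn with the operating system's CSPRNG, a random "secret question" answer meant to live in a password manager, and an entropy estimate for each. The word list is a short constructed sample for the demonstration; the 7,776-word figure is the size of the standard Diceware list, and the guesses-per-second rate used at the end is an assumed figure for an offline attack on a fast hash, not a measurement.

```python
import math
import secrets
import string

# Constructed sample word list for this example (32 words, so 5 bits per
# word). A real list is loaded from a file; the standard Diceware list has
# 7,776 words. Entropy is computed from the list size, so a longer list
# gives more bits per word.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "needle",
    "orchid", "pepper", "quiver", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yogurt", "zephyr", "bridge", "copper", "desert",
    "engine", "forest", "glacier", "hammer",
]
DICEWARE_LIST_SIZE = 7776


def passphrase(words, n_words=6, sep=" "):
    """XKCD/Diceware-style passphrase: every word chosen uniformly at random.

    secrets.choice draws from the OS CSPRNG. Words that merely "pop into
    your head" are exactly what this avoids: the attacker then only has to
    enumerate the few hundred words people actually tend to pick.
    """
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_secret_answer(length=20):
    """Random answer for a 'secret question'; store it in the password manager.

    The question text can stay "What's the secret word?" or anything the
    site forces on you; what matters is that the answer is not a real fact.
    """
    alphabet = string.ascii_letters + string.digits  # 62 symbols
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices_per_token, n_tokens):
    """Bits of entropy when each token is uniform over choices_per_token values."""
    return n_tokens * math.log2(choices_per_token)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an attacker who knows the scheme: half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    pp = passphrase(SAMPLE_WORDS)
    print("passphrase:", pp, "| bits:", round(entropy_bits(len(SAMPLE_WORDS), 6), 1))
    print("same scheme with the full Diceware list:",
          round(entropy_bits(DICEWARE_LIST_SIZE, 6), 1), "bits")
    ans = random_secret_answer()
    print("secret-question answer:", ans, "| bits:",
          round(entropy_bits(62, len(ans)), 1))
    # Assumed offline attack rate: 1e10 guesses/second against a fast hash.
    years = expected_crack_seconds(entropy_bits(DICEWARE_LIST_SIZE, 6), 1e10) / 3.15e7
    print(f"expected years to crack the 6-word Diceware passphrase: {years:.0f}")
```

The crack-time figure only applies to an offline attack, where the attacker has the password hash and is limited by hardware; an online attack against a service that rate-limits login attempts is slower by many orders of magnitude, which is why the same password can be adequate in one setting and hopeless in the other.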

Finally, you also have to stay alert to phishing attacks, where a hacker sends you an enticing e-mail with a link that sends you to a web page that looks almost like the expected page, but which actually isn't. Because the fake page can relay whatever you type, including a one-time code, straight to the real site, this sort of thing can bypass two-factor authentication, and it is almost certainly what tricked John Podesta and Colin Powell.
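As an added example (not part of the original essay), here are the checks a practitioner would run on a link before clicking it, encoded as a small heuristic: does the link text show one domain while the href points at another, is a trusted name smuggled into the userinfo part of the URL, is the host an internationalised (punycode) look-alike, is it a bare IP address, is it plain HTTP. The sample links are constructed for the demonstration, and the "last two labels" approximation of the owner-level domain is an assumption of this example; real code should consult the Public Suffix List.

```python
from urllib.parse import urlparse


def hostname_of(url_or_host):
    """Hostname of a URL, or of bare text such as 'accounts.google.com'."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "https://" + text
    return (urlparse(text).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Owner-level domain, approximated here as the last two labels.

    Assumption for this example only: real code should use the Public
    Suffix List, since e.g. 'example.co.uk' needs three labels.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_warnings(display_text, href):
    """Return the reasons a link deserves suspicion; an empty list means none found."""
    warnings = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower().rstrip(".")
    if parsed.scheme != "https":
        warnings.append("not-https")
    if parsed.username is not None:
        # 'https://accounts.google.com@evil.example/' displays a trusted name,
        # but the browser connects to evil.example.
        warnings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised label: can render as a look-alike of a Latin name.
        warnings.append("punycode-host")
    if host and host.replace(".", "").isdigit():
        warnings.append("bare-ip-host")
    shown = hostname_of(display_text)
    if "." in shown and registrable_domain(shown) != registrable_domain(host):
        # The text shows one site, the link goes to another.
        warnings.append("domain-mismatch")
    return warnings


# Constructed samples: (text the reader sees, href the link actually carries).
CONSTRUCTED_LINKS = [
    ("https://accounts.google.com/", "https://accounts.google.com/signin?hl=en"),
    ("https://myaccount.google.com/security",
     "https://myaccount.google.com.verify-login.example/security"),
    ("accounts.google.com", "https://accounts.google.com@203.0.113.5/"),
    ("https://www.apple.com/", "https://xn--80ak6aa92e.com/"),
    ("Reset your password", "http://reset-password.example/?u=1"),
]


def audit(links=CONSTRUCTED_LINKS):
    """Map each href to its warnings, for a quick look at a whole message."""
    return {href: link_warnings(text, href) for text, href in links}


if __name__ == "__main__":
    for href, found in audit().items():
        print(f"{href:60s} {found or 'ok'}")
```

This catches the common tricks, not a phishing page served from a plausible-looking domain the attacker registered outright; for that, the only reliable defence is a second factor that is bound to the site's origin (a U2F/FIDO security key), which a relay page cannot replay.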

The other way hackers can get at your personal stuff is by breaking into the computers the information is stored on. This is how the Russians got into the Democratic National Committee's network and how a lone hacker got into the Panamanian law firm Mossack Fonseca. Sometimes individuals are targeted, as when China hacked Google in 2010 to access the e-mail accounts of human rights activists. Sometimes the whole network is the target, and individuals are inadvertent victims, as when thousands of Sony employees had their e-mails published by North Korea in 2014.

Protecting yourself is difficult, because it often doesn't matter what you do. If your e-mail is stored with a service provider in the cloud, what matters is the security of that network and that provider. Most users have no control over that part of the system. The only way to truly protect yourself is to not keep your data in the cloud where someone could get to it. This is hard. We like the fact that all of our e-mail is stored on a server somewhere and that we can instantly search it. But that convenience comes with risk. Consider deleting old e-mail, or at least downloading it and storing it offline on a portable hard drive. In fact, storing data offline is one of the best things you can do to protect it from being hacked and exposed. If it's on your computer, what matters is the security of your operating system and network, not the security of your service provider.

Consider this for files on your own computer. The more things you can move offline, the safer you'll be.

E-mail, no matter how you store it, is vulnerable. If you're worried about your conversations becoming public, think about an encrypted chat program instead, such as Signal, WhatsApp or Off-the-Record Messaging. Consider using communications systems that don't save everything by default.

None of this is perfect, of course. Portable hard drives are vulnerable when you connect them to your computer. There are ways to jump air gaps and access data on computers not connected to the Internet. Communications and data files you delete might still exist in backup systems somewhere -- either yours or those of the various cloud providers you're using. And always remember that there's always another copy of any of your conversations stored with the person you're conversing with. Even with these caveats, though, these measures will make a big difference.

When secrecy is truly paramount, go back to communications systems that are still ephemeral. Pick up the telephone and talk. Meet face to face. We don't yet live in a world where everything is recorded and everything is saved, although that era is coming. Enjoy the last vestiges of ephemeral conversation while you still can.

This essay originally appeared in the Washington Post.

Posted on March 10, 2017 at 6:15 AM • 59 Comments

Comments

JG4 • March 10, 2017 6:30 AM

http://www.nakedcapitalism.com/2017/03/links-31017.html
...
Big Brother is Watching You Watch

Lessons From the CIA Hacking Leak: How to Keep Your Data Secure Bloomberg (furzy)

https://www.bloomberg.com/news/articles/2017-03-08/lessons-from-the-cia-hacking-leak-how-to-keep-your-data-secure

see also:

The Conflict within the Deep State Just Broke into Open Warfare Charles Hugh Smith (dougie)

http://charleshughsmith.blogspot.com/2017/03/the-conflict-within-deep-state-just.html

Dr. I. Needtob Athe • March 10, 2017 6:36 AM

The "secret question" feature is okay as long as you're allowed to enter your own secret question. Mine is always "What's the secret word?" and the answer is whatever Password Safe generates.

keiner • March 10, 2017 6:46 AM

In the times of SIP, using a telephone is not really an option, as 100% coverage of the web means all SIP will be stored as well.

^^_^^^ • March 10, 2017 7:21 AM

@keiner,

Well taken point; sort of along those lines is the fact that that specifically is an NSA issue, and the current CIA doxx illustrates that many devices (which may be vulnerable by default) are likely not bugged by default as of yet.

Are we there yet?
Are we there yet?
Are we there yet?

George H.H. Mitchell • March 10, 2017 7:38 AM

Seconding the comment from Wulf above. Bruce, I never understood why you didn't like the xckd scheme to begin with.

Tynn Mann • March 10, 2017 7:59 AM

Re: "Pick up the telephone and talk."

"AT&T Is Making Millions Selling Your Phone Records to Police"

http://www.popularmechanics.com/technology/security/a23567/att-phone-records-police/

"The Daily Beast has obtained documents which show that AT&T stores customer data as far back as 2008, and charges from $100,000 to over $1 million a year for law enforcement agencies to access this data. This program, called Project Hemisphere, gives law enforcement access to your phone records without a warrant, at the cost of millions of taxpayer dollars."

Other service and software companies have similar arrangements. I would think the phone companies are recording voice content, too because: Security. I would think that costs extra to get, though.

The point is, telephone communication is certainly not ephemeral.

MrC • March 10, 2017 8:05 AM

Thirding Wulf re: Bruce's inconsistency on the XKCD scheme.

If I recall correctly, the rough consensus in the comments at that time was that the XKCD scheme provides exactly the entropy advertised *IF* the words are chosen truly at random. However, without additional guidance, many people are at risk of misinterpreting "random" as "whichever words just happen to pop into my head." Of course, that's not anywhere close to truly random, and leads to a password that's likely brute-force-able by an attacker who has surmised your password was created via the not-quite-XKCD method. That's all speculation, though; Bruce never articulated the basis for his objection to the XKCD scheme.

(Aside, Bruce's scheme is subject to a similar problem if readers aren't given an additional warning to avoid using famous quotations, song lyrics, Bible verses, etc. as the base sentence.)

qwertty • March 10, 2017 8:20 AM

@Bruce
"It's been perpetrated against corporations, law firms, individuals, the NSA and -- just this week -- the CIA. It's largely harassment and not whistleblowing"

I agree that doxing private individuals is harassment, but releasing private/secret information about organisations, corporations or government agencies is another story. If you don't want to call it whistleblowing, call it treason or unlawful disclosure, but calling it harassment is just plain wrong in my view, and gives the impression that the affected organisations are innocent victims. Which the NSA and the CIA certainly are not.

Andrew G • March 10, 2017 9:16 AM

@MrC Thanks for the clarification and recap; your analysis makes sense to me.

For those who haven't seen it before, a solid method for selecting truly random words is Diceware: www.diceware.com (the name is perhaps a bit misleading, Diceware is not software!)

Bill Cumming • March 10, 2017 9:18 AM

I think the objection to the XKCD method is:

If the attack is using a brute force attack of every variation of 8-128 ASCII characters, then getting the 4 words in the correct order has a high entropy and would take an absurdly long time to break.

If they are using a dictionary type attack e.g.:

ant
bat
cat
antant
antbat
antcat
...
etc...

The level of entropy is lower and more likely to be broken, even accounting for misspelling and character substitution.

I Think...

Andrew G • March 10, 2017 9:51 AM

@Bill Cumming At first I didn't get what you were saying but now I think I do. I fully agree, you get (a lot) less entropy *for a given length string* if you build the string out of natural-language words.

So the XKCD approach is counter-indicated if your password is limited to a short length.

If you look at it from the point of view of a password being made up of tokens, the 95 printable ASCII characters give you ~6 bits of entropy per token if the character is chosen truly at random. So randomly-generated printable strings require 1 character per token and provide 6 bits of entropy per token.

If you choose a word from a 10,000 word list, truly at random, you get ~13 bits of entropy per word (log2 of the list length) but each token is variable length, nominally with 4-12 characters (we get to choose what words go in our list).

If you don't care about how many characters your passphrase requires, the XKCD approach should work fine. If you do care about length, then you can only count on about 1 bit of entropy per character from the XKCD approach, and that will almost certainly not be good enough; use the Schneier approach or random ASCII instead.

The advantage of the XKCD approach, in my view, is that it is easier for humans to remember a short sequence of tokens than a long one, and you get more entropy per *token* so you need fewer tokens in all. Plus, the tokens are words, which seem inherently easier to remember than random ASCII symbols.
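The token-versus-character arithmetic in the comment above, and Bill Cumming's dictionary-attack point before it, worked through as an added example (not code from the original page). It computes bits per token and per typed character for random printable ASCII and for word-list passphrases, how many tokens of each reach a target entropy, and how far the entropy of a 4-word passphrase drops when the words are not drawn from the whole list but from the few hundred words people tend to think of (the 500-word "effective vocabulary" is an assumed figure for illustration). It also includes the five-dice index mapping used by Diceware, mentioned earlier in the thread, since the 7,776-word list size is exactly 6^5.

```python
import math

PRINTABLE_ASCII = 95          # space through tilde
DICEWARE_LIST_SIZE = 6 ** 5   # 7,776 words, one per 5-dice roll


def bits_per_token(choices):
    """Entropy of one token drawn uniformly from `choices` possibilities."""
    return math.log2(choices)


def passphrase_bits(list_size, n_words):
    """Entropy of n_words words drawn uniformly (with replacement) from the list."""
    return n_words * math.log2(list_size)


def bits_per_char(list_size, avg_word_len, sep_len=1):
    """Entropy per typed character for a word-list passphrase, separators included."""
    return math.log2(list_size) / (avg_word_len + sep_len)


def tokens_needed(target_bits, choices):
    """Smallest number of uniform tokens whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(choices))


def compare(target_bits=80, list_size=10000, avg_word_len=6):
    """Length of a random-ASCII password vs a word-list passphrase at equal entropy."""
    words = tokens_needed(target_bits, list_size)
    return {
        "random_ascii_chars": tokens_needed(target_bits, PRINTABLE_ASCII),
        "passphrase_words": words,
        # single-space separators between words
        "passphrase_chars": words * avg_word_len + (words - 1),
        "passphrase_bits_per_char": round(bits_per_char(list_size, avg_word_len), 2),
    }


def non_random_penalty(n_words=4, list_size=10000, effective_vocab=500):
    """Entropy if the words are truly random vs if an attacker who knows the scheme
    only needs to enumerate the `effective_vocab` words people actually pick.
    (500 is an assumed illustrative figure, not a measured one.)"""
    return passphrase_bits(list_size, n_words), passphrase_bits(effective_vocab, n_words)


def diceware_index(rolls):
    """Map five physical dice rolls (each 1..6) to a 0-based index into a 7,776-word
    list, the usual way Diceware lists are keyed (e.g. 11111 -> 0, 66666 -> 7775)."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need five dice values in 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


if __name__ == "__main__":
    print("80 bits:", compare(80))
    full, weak = non_random_penalty()
    print(f"4 words from a 10,000-word list: {full:.1f} bits if random, "
          f"{weak:.1f} bits if picked from ~500 familiar words")
    print("7-word Diceware passphrase:", round(passphrase_bits(DICEWARE_LIST_SIZE, 7), 1), "bits")
    print("dice 3,1,4,1,5 ->", diceware_index([3, 1, 4, 1, 5]))
```

With the comment's own figures (a 10,000-word list, six-letter words, one-space separators) the passphrase comes out near 1.9 bits per typed character against about 6.6 for random printable ASCII, so reaching 80 bits takes 13 random characters or 7 words (48 characters). The second function is the real argument against the casual XKCD scheme: the same four words are worth 53 bits when drawn at random and about 36 when they are whatever came to mind.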

Bruce Schneier • March 10, 2017 10:03 AM

@ qwerty

"I agree that doxing private individuals is harassment, but releasing private/secret information about organisations, corporations or government agencies is another story. If you don't want to call it whistleblowing, call it treason or unlawful disclosure, but calling it harassment is just plain wrong in my view, and gives the impression that the affected organisations are innocent victims. Which the NSA and the CIA certainly are not."

I know. Lousy paragraph in the essay. The Washington Post sat on that piece for months, and then rushed to run it after the CIA documents dropped. They wanted it to tie in to that, even though it didn't tie in at all.

Anyway, that was the best we could do to tie the CIA story to the trend I was talking about. And, yes, it's not very clear or accurate or even good.

Bruce Schneier • March 10, 2017 10:04 AM

I don't like the xkcd scheme because I see far too many passwords created by that scheme guessed. The Ars Technica article talks more about that.

Dirk Praet • March 10, 2017 10:09 AM

@ qwertty

If you don't want to call it whistleblowing, call it treason or unlawful disclosure

As far as doxxing of spy agencies is concerned, I prefer the term counterespionage by a non-profit, non-state actor. Which from a historical perspective actually makes Wikileaks quite unique.

keiner • March 10, 2017 10:20 AM

...as long as WikiLeaks is not related in any way to any "state-actor".

And if the leaked actions are against the law (even in the country of origin of the "intelligence agency") then it's whistleblowing.

David Leppik • March 10, 2017 10:23 AM

The problem with secret questions is that they're not very secret and not very random. My advice is to refuse to use those features.

Wouldn't that be nice? Unfortunately banks, health insurers, and I.T. sites your employer mandates often require them—and when they mess up or migrate to a new platform, if you wrote junk, you're in for weeks of pain.

Not to mention mobile phone carriers, who won't unlock your phone number so you can switch to another carrier unless you can answer those questions or provide the PIN that was buried in the welcome packet.

de La Boetie • March 10, 2017 10:26 AM

The ArsTechnica criticism of xkcd relates to non-random selection of words. As noted above, if you use diceware, you can make whatever entropy you like, at the expense of longer passwords for that entropy. Physical dice in a technology-free room is good.

How much you like that can depend on your typing facility, I personally find it very easy to produce standard words from muscle memory, so it's fine, and memorising a restricted set of master passwords is easy.

Meanwhile, progress on the 2FA front is glacial, and especially obnoxious is the biometric and smartphone emphasis of many corporates who do offer it. Whereas there is a cheap and more privacy respecting alternative in U2F, that's precisely why it's not being widely implemented - far too unmine-able.

Jon • March 10, 2017 11:30 AM

Wouldn't that be nice? Unfortunately banks, health insurers, and I.T. sites your employer mandates often require them—and when they mess up or migrate to a new platform, if you wrote junk, you're in for weeks of pain.
The last time I had to call my bank to reset them, the guy suggested using a second password instead of the actual answer to the question. In theory, I suppose it would slow down a social engineering attack on your security questions, but not sure whether it is or isn't any more secure.

Daniel • March 10, 2017 11:35 AM

While I agree with the general thrust of this essay there is a significant aspect to this problem that Bruce is overlooking--the problem of third party content. Even if I move all my life off-line I have limited control over what third parties do. At a family reunion? I pose for the group picture and the next thing I know someone has posted it on Facebook. Walking down the street minding my own business? The next I know I am walking past a crime scene and the local TV reporter is there and then I am on the six o'clock news and everyone knows where I am at. There is a lot of me out on the internet that I didn't put there.

About a decade ago I made a concentrated effort to wipe as much of my on-line presence away as possible. I stopped blogging. I stopped commenting on most websites except a small handful. I only e-mail the minimum amount necessary. I use garbage e-mail addresses for most business efforts. I even scaled back buying goods on-line. But over time I have come to see this as mostly an effort in futility. The fact is that I still have an on-line footprint due to (a) the fact that I cannot disconnect myself entirely from modern society and (b) the problem of third party content.

Recently, I have begun to have serious doubts as to whether that effort was worth the cost. Yes it is true that I still have some semblance of a "private life" but I think this sense of privacy is mostly illusory, like using one of those free VPNs. In a sense I am private but it is like living in a house with no walls and no roof. If I stare at the concrete foundation long enough I can convince myself that no one can really see me because they can't see through the concrete but the reality is that I am visible to most people. A few years ago I read the book The City and the City by China Miéville and I thought it was an effective metaphor for modern privacy--we think we are private because we pretend not to see. My privacy is no longer a function of my own self-expression, it is a function of other people's self-restraint.




HM • March 10, 2017 12:08 PM

@ Dr. I. Needtob Athe, Re: "Mine is always What's the secret word? and the answer is whatever Password Safe generates."

You can (and I do) use random replies even if it's not your own question, for example: "Where were you born?", A: (random junk words as answer)

A special mention of shame should go to united.com though which not only limits the questions but limits the available answers, for example "What is your favorite fruit/vegetable?" or "Favorite sport?" and then a fixed list of 20 choices or so.

Sancho_P • March 10, 2017 1:04 PM

He who pays the piper calls the tune, with wapo the genre always is populist.
Thus the content is shallow. Sad to read that from @Bruce.
If serious, there would be several points to challenge (the secret question advice was already mentioned - yes, extra shame on united.com).

What I’m missing here is:
For any password / brute force discussion it would be mandatory at first to distinguish between online and offline attack.

Wanted • March 10, 2017 1:16 PM

Donald J. Trump's tax returns.

There is really no reason to break with the tradition of presidential openness. There are huge conflicts of interest between running Trump's vast business empire and running the U.S. government.

The people of the United States of America will not stand to be ruled from Bilderberg and Mar-a-Lago.

Scott • March 10, 2017 1:21 PM

How about not trusting Yahoo or Facebook when they want to collect even more data from you, to "keep you safe"? Seriously, you can't rely on third parties for anything. I just accept that my data online is public, lie back, and think of England.

Outrageous • March 10, 2017 1:34 PM

Wikileaks has joined the proprietary software / tech giant corporate cartel.

"WikiLeaks pledges to release software code of CIA hacking tools to tech firms"

https://www.washingtonpost.com/world/national-security/wikileaks-pledges-to-release-software-code-of-cia-hacking-tools-to-tech-firms/2017/03/09/b61044d8-04e8-11e7-b9fa-ed727b644a0b_story.html

Google, Apple, Microsoft, Facebook, Verizon, AT&T get the hacking code, but GNU/Linux, FreeBSD, OpenBSD, etc. are not allowed to use the information to improve their security.

Slime Mold with Mustard • March 10, 2017 1:37 PM

@Tynn Mann

"AT&T Is Making Millions Selling Your Phone Records to Police"

A good point, one not often brought up on this blog, and something that needs an expansive examination. To wit: If Google Analytics can slurp up your data, why can't any government agency just buy it? Walmart does. We tend to get excited about direct government spying. My guess is that purchasing the various marketing products would get the Three Letter Agencies (TLA's) 70% of what they want on 80% of the US population with very little (if any) legal limitation. I don't see how they could miss the opportunity. They might even pose as some other marketing corp. for the purchase. Merging and mining these databases is the kind of thing Palantir was formed to do.

J. Peterson • March 10, 2017 2:06 PM

Don't be so sure about phone calls not being recorded. The Internet Archive did a back of the envelope calculation, and figured it would cost $30M (plus $2M/year in electricity) to set up a server farm to record a year's worth of US phone conversations. This is pocket change for US intelligence agencies.

Best Korea • March 10, 2017 3:50 PM

@Bruce

You are still blaming the Sony hack on North Korea? I doubt there was any state sponsored hacking involved, and North Korea would be my last guess.

Dragan • March 10, 2017 11:13 PM

Well this may come as a surprise, but I stand behind what I say: avoid cloud, and hold no particular fear for files on my devices. I am however insulted by any kind of attempt to compromise my privacy. Instead of protecting my files and frantically turning around to see if I am being recorded I would prefer to see the agencies and companies which do the spying and data hoarding demolished. Might be easier than billions of us learning and implementing doubtable protection measures.

Vincent • March 11, 2017 4:59 AM

I am a bit surprised about the attribution of the leaks in the article. In 2014, e.g., most independent experts seemed to agree that North Korea was not very likely to be behind the Sony hacks.

Bruce Schneier • March 11, 2017 7:51 AM

@ Vincent:

"I am a bit surprised about the attribution of the leaks in the article. In 2014, e.g., most independent experts seemed to agree that North Korea was not very likely to be behind the Sony hacks."

Yes. But by early 2015, most were convinced it was North Korea.

I know -- as crazy as it seems, North Korea doxxed Sony over a movie.

Smokescreen • March 11, 2017 12:15 PM

"mostly harassment not whistleblowing"

What if it is neither? Let us have a conversation inside your head about social engineering, psychological and information warfare. The first person to get in your head has at least a 50% chance of succeeding. You have to spend years training yourself to fail by default. On the job, you may exhibit scientific thought. When you go home and consciously allow media in your head, you shut down your logic like rational thought never existed.

Set aside Julian Assange's CIA bs for a minute. I am going to throw this out there, since people often forget: the govt and private interest can plant "journalists" in the media domain. Beyond the fact that I have watched fake news sites get paid to run stories, people are on retainer with press passes to ask specific questions a certain way, deliver their story a certain way, constantly barrage you with agenda.

Since I have been tracking Cloudflare and Matthew Prince with torrent entrapment and coverups on data theft for several years, Assange looks like he folded and is in on something. This idea of hiding sources and proof is questionable. My intuition says don't go there and get blacklisted. And for the record, what has Ed Snowden said that you could not surmise from piecing together information from the web? In that case, people in the profession are in the know since before CALEA and Snowden didn't even fit the reqs for the 18XRay program. So how did Booz Allen pick him up? He was a basic training washout. Why would you risk a choice job doing anything stupid? Why sign on the line? Hmm.

It's not news anymore. It's a test on how easily duped you are. Turn it into a game and figure out what alternative motives are there. As for the CIA, they don't have a domestic scope really. The govt doesn't even know how to check email. Our politicians don't even follow their own DSS procedures. A story I turn my back on because it reeks.

Ollie Jones • March 11, 2017 1:06 PM

Remember the hoary old joke? Two guys in a forest looking at an angry bear? One says, "you'll never outrun the bear." The other says, "I only have to outrun you."

This applies to cybersecurity. If somebody decides my communications are very valuable they WILL get them. If spooks want my stuff, they probably already have it.

In the meantime, as long as my security is better than the next fellow's, I'm OK. Two-factor auth on my key accounts, unique passwords, and the fact that the bank thinks my mother's maiden name was SdVrh,xKg%3N or something like that -- means the bear will catch the other fellow, not me.

NystagmusE • March 11, 2017 5:14 PM

TO BE CONTINUED...

Good advice is always welcome.
However good advice contaminated by media propaganda and gossip is not a good healthy choice.
We (still) have a saying in the United States:

"...innocent until proven guilty in a court of law..."
In terms of Human Rights (not spatial), this is still relevant even amongst those foolish enough to be competing instead of cooperating.

The allegations against Russia are most likely false.
Please abstain from incorporating media propaganda and gossip into what would otherwise be technical essays.

Here's some supporting information obtained from THIS SITE to countermand some of this nonsense polluting what would otherwise be helpful tech talk:

http://www.counterpunch.org/2017/01/13/did-the-russians-really-hack-the-dnc/

D_d the R_ssians Really Hack the DNC (question!)

More information is forthcoming from those who do not surrender their intellectual abilities to conformity and gossip and unsubstantiated claims and propaganda which harms all involved.

If you ever have to talk to a sociopath, keep it simple.
Don't try to please them, don't try to be subservient to them, don't try to antagonize them.

It's a bit like talking to one of those rabid microdogs that's been so heavily overbred that all they do is bark with hostility at anything and everything as if it's a threat (when usually it's not).

If I didn't know any better, I'd think that those rabid microdogs were genetically engineered chimera hybrids of piranhas and lap dogs.

Don't fall for it. Don't fall for I.T.

Meanwhile, we've got surviving to do.
Please stop complicating our existence with cultural provocation.
We need MORE VOICES of REASON, not more conformity and groupthink leading us all unneeded conflict and cultural dissonance.

Technical genius is disrupted by logical fallacies too.

Don't be offended, it's not an insult; you needed a cultural checksum.
That's why we keep refuting the garbage in, garbage out.

Can we please filter out the garbage?
CNN, NPR, BBC and the White House aren't going to do it for us.

We aren't going away. Information isn't going away. Get used to it.
Information has a tendency to include bits of truth.
Can you really destroy all information? Probably not.
Would you really want to? Probably not.
I don't value chaos for the sake of chaos. Do you?
These are rhetorical questions, of course.

If you need to test us for the validity of our personal ethics, please don't do it in a way that worsens an already precarious situation of malaise and chagrin and misunderstandings and misdirection. There are simpler and nicer ways of getting a personality profile. So yeah, if you're just pretending to support the propaganda and gossip, please abstain from doing that. This is not the time for pollution. It's never a time for pollution.

Information is supposed to mean something. When information itself by definition holds less and less meaning, it's more of a sign of sickness and disturbance than of any other data content... like a microdog that barks at anything and everything because its brain is so genetically damaged from unnatural hyperinbreeding that it can no longer function without hostility despite the acute LACK of any threat.

The Cold War needs to STAY ENDED.
Now is not the time for sloppy conformity to unsubstantiated claims.
Recruiting more conformist subscribers to the bandwagon does not create truth nor reality.
Plenty of the rest of us are not willing to be strung along into wars of attrition against all sanity, health, infrastructure, stability, sustainability, communication, manufacturing, travel, etc.

The conflagration into extinction isn't worth it to most of us (several billion lives!).
The Cold War needs to STAY ENDED. We the people of Earth will NOT tolerate blind faith submission into the cancerous void of perpetual greed and mischief.

If this writing arouses your irritation and ire, perhaps it's because you sense its resonance with your characteristics and you resent being called out and identified for what your behaviors represent.

Naturally, if this writing does not seem to apply to you, then of course you would not be annoyed nor irritated by it and you'd most likely comprehend the issues indirectly or directly.

I'm not a spokesperson. But sometimes words need to be said.
Words needed to be said. Words still need to be said, one way or another.

This is a forum of discussion and a vehicle for functional communication at best.
Separate the wheat from the chaff from the flax. And just remember the mass-marketing of mass-produced grass will probably increase your risk for diabetes anyhow since high fructose corn syrup is put into nearly anything and everything. Why? It's not a nutrient. It's part of the machinery and automation of feudalistic corporate greed.

Automated death and disease industry, you're obviously horried. But this time you've gone too far.
And how is that related to a security website?

Those who study the statistics of actual threats to human life via health and death demographics know that the junk food industries and the corporate takeovers of nearly every aspect of existence have more to do with the mass extinction of everything FOR PROFIT.

Know who and what the actual threats are.
Please stop demonizing those who we need to be making amends with.
Keep it simple. Most lives on Earth (and in the International Space Station) prefer to continue living, and hopefully with a lower level of stress. Russian, American, Korean, Chinese, Syrian, Mexican, Japanese, Israeli, German, Australian, Polynesian, Etcetera... most all simply want to SURVIVE and THRIVE with hopefully a lower level of stress and without distress.

Those of you who are instigators and provocateurs, your provocateur behaviors are not wanted and are dysfunctional and somewhat suicidal in the modern world. We do not all agree with that type of behavior.

If you do not consider yourself to be a provocateur, then why are you supporting the actions and speeches of geopolitical agitators?

If you are not supporting the actions and speeches of geopolitical agitators, then you have no problem with me and I have no problem with you.

I don't even know you.

Are you going to get angry at words on a screen?

What's your full context?
Here's a chance to try to remember what your priorities are:
What are your priorities? What's your modus operandi?

I'm asking for you to tell me or anyone else.
You just seemed like you needed a wakeup call.

Who am I addressing this message to?
Does every messaging system require a specific individual recipient? No, no it doesn't.

This is not chaos. Thor overcomes Loki's mischief. Not every master magician is a trickster.
These are words designed to help people think and thus hopefully act more in keeping with continued coexistence. What was the main point? Please keep data pollution to a minimum. No one is exempt.

Here's a reminder of how this message began: http://www.counterpunch.org/2017/01/13/did-the-russians-really-hack-the-dnc/

Please read it. And remember THE GOOD SHOW on RadioLabs. Altruism is a survival-enhancing ability.
Competition and hostility, especially confrontational competition and hostility are not our path into the future we need. Please don't divorce yourselves from information simply because it's not familiar. Xenophobia of information is a maladaptive characteristic. Please attempt to comprehend.

Then you'll understand better why false claims truly need to stop with or without intervention.
Thank you to whomever here at THIS SITE shared the info. Yes, it was helpful. Thank you.
We now return you to your regularly-scheduled programming already in progress. There are no more lyrics.

weaponized narrative nuance • March 11, 2017 8:12 PM

Doxing isn't new, but it has become more common. It's been perpetrated against corporations, law firms, individuals, the NSA and -- just this week -- the CIA. It's largely harassment and not whistleblowing, and it's not going to change anytime soon.

If you are going to discuss the subject in this much depth I think it is important to note the early history/etymology of the term. I.e. when the word 'doxing' first was breaking into popular culture, it included significant emphasis on entirely legal activities such as gathering lists of public addresses for public officials or employees of politically controversial corporations. While clearly this aroused valid and legitimate fears of use for harassment and incitement of such at a hitherto unseen scale, it also had a somewhat noble Robin-Hood-esque connotation of finally giving the trodden-upon ethical targets for ethical letter-writing campaigns that might be mischaracterized by the targets as 'spam' or 'harassment', when in fact they were a smidgen of justice for masses who had been the victim of other system-gamers for so long.

However as with other stupid buzzwords like 'cloud' and 'thing', Schneier seems to fall into a pattern of massaging the narrative like establishment lobbyists. Perhaps there isn't a better strategy for educating the masses. But over the years I don't seem to be feeling more and more like that is the case.

I found this post very insightful outside that narrative nuance. However I think that narrative nuance is tied to big-league Machiavellian manipulations that have been going on at scale over the last couple of decades.

Clive Robinson • March 12, 2017 2:41 AM

@ Bruce,

Neither face-to-face conversations nor telephone conversations were routinely recorded

There is recording of the audio and then there is recording of the image...

You might want to add this choice titbit to your collection of "points made",

http://www.bbc.co.uk/news/uk-politics-39228790

Put simply, the BBC had a "long lens" on ex-UK Prime Minister David Cameron as he spoke to some of his party colleagues... then got a forensic lip reader to "see what he was saying".

In the armed forces there is an expression for the fear, and the way it affects manpower, when there is a sniper in the area. It's called "long gun fever" and it also affects civilian populations even worse, as those who lived in the area through the "Washington Sniper" incident know.

Should we now all have "long lens fever" from CCTV or any events that are televised?

After all, Google found that high-resolution security CCTV could "shoulder surf" users typing in passwords. And since then various researchers have shown that a high-speed camera does not need to see people in the room to "get the conversation": just as with "laser mics" invented around the late 1970's, any suitable object in the room will vibrate in sympathy and its movements can be picked up.

Clive Robinson • March 12, 2017 5:32 AM

@ Wulf and others,

... the XKCD Password method is deprecated.

No, the XKCD system is not deprecated; its incorrect use is deprecated, which is true for the Schneier and other password schemes.

The problem is the limitation of the human mind and what humans will do to make their life easier.

There are a number of parts to the XKCD system but a 20,000ft view is,

1, Random Generator.
2, Token list.
3, The user.

Random generators have a history fraught with problems too long to list, be they by deterministic algorithm or even physical sources such as typing, mouse movements, hard drive timing, even nuclear decay sources and the likes of thermal and Schottky noise in electronic components.

Diceware, as its name suggests, uses a die (but should use several). Because not only are dice biased, translating their "output" of 1-6 to larger numbers has to be done with care lest you put in further bias.

For instance, if you throw one die the resulting output is a nominally flat distribution in base 6. But what happens when you add two throws together? Well, the output changes its base but also the distribution becomes like that of a pyramid. The more you add together the more the distribution morphs to the normal distribution "bell curve".

So one way to get other numbers or letters at random is to draw a thirty-six-element six-by-six grid and fill in your desired number range into the elements. But two problems can occur if you want numbers: if you fill all the elements with a digit then you've added bias with that extra 1-6 over the 1-30. Even if you do put Xs in six of the boxes to say throw again, human failings happen. A human may just reverse the order of the two throws to get a number, or they might just throw one die again and use either of the two throws from the previous invalid pair. Either way their laziness adds bias. Similar hidden bias issues apply to all physical random generators that humans use. Oh, and don't forget how you throw a die and onto what surface can, without care, add significant bias; then those twenty-sided dice some gamers use can be misread as to which surface is actually facing up...

Then there are the word lists. Somebody above mentioned a 10,000-word list; I would make a small bet that they cannot spell ten thousand words correctly. With the exception of a tiny number of people, most humans only regularly use seven to twelve hundred words, so a list of fewer than five hundred (~9 bits) "common words" should be used. Which, to get the 64 bits of entropy suggested as a safety margin, would need not four but eight words...

Which brings us to the user; let's just accept they are a bunch of lazy cheaters. It's the basic message many studies give us: that for whatever reason they take a "path of least resistance", be it to save time, be more efficient, etc. Whatever the excuse, the result is the same: they "cheat the system".

To keep the security margin the user not only has to learn eight words, they have to also remember them in order. Many don't; they rearrange the word order to make it easier to remember. To see what effect this has, write the numbers 00...99 down and then put the digits in each number in ascending order, then remove the duplicates. You will find that getting on for half the numbers disappear... Also users may not like "duck,duck,snail,duck,snail..." and remove the duplicates or press the button to get a new set of eight words. Each shortcut is knocking bits off of that security margin in a quite predictable way.

There are a whole bunch of other short cuts / cheats the users will do as has been mentioned above.

When all of the above is taken into account it's easy to see why the XKCD system security can be easily subverted by the failings of users and the methods they choose. Which is why, as Bruce notes, the system gets successfully beaten noticeably more often than it should.
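To put numbers on the entropy losses described in the comment above (users reordering words, re-rolling repeated words, the 00...99 digit-sorting experiment, and summing two dice instead of reading them as a grid index), here is an added Python example; it is not code from the original post or from any commenter, and the word-list sizes and the model of user shortcuts are illustrative assumptions.

```python
"""Added example: quantify how user shortcuts shrink a word-list passphrase's
entropy. Nothing here is from the original post; the list sizes below are
illustrative assumptions (500 words ~ 9 bits/word; 7776 words = Diceware)."""
from collections import Counter
from itertools import product
from math import comb, log2


def ordered_bits(words: int, n: int) -> float:
    """Entropy of n words drawn uniformly, order kept, repeats allowed."""
    return n * log2(words)


def unordered_bits(words: int, n: int) -> float:
    """Entropy if the user reorders the words to taste: an attacker only has
    to enumerate multisets of size n, not ordered tuples."""
    return log2(comb(words + n - 1, n))


def no_repeat_bits(words: int, n: int) -> float:
    """Entropy if the user re-rolls until all n words differ (order kept)."""
    total = 1
    for i in range(n):
        total *= words - i
    return log2(total)


def sorted_digit_survivors() -> int:
    """The 00...99 experiment: sort each number's digits ascending, then drop
    duplicates. Returns how many distinct values survive."""
    return len({"".join(sorted(f"{k:02d}")) for k in range(100)})


def two_dice_sum_distribution() -> Counter:
    """Adding two throws: the result is triangular ('pyramid'), not flat."""
    return Counter(a + b for a, b in product(range(1, 7), repeat=2))


def two_dice_grid_distribution() -> Counter:
    """Reading the pair as a 6x6 grid index keeps all 36 cells equiprobable."""
    return Counter((a - 1) * 6 + b for a, b in product(range(1, 7), repeat=2))


def shortcut_report(words: int, n: int) -> dict:
    """Bits lost to each shortcut relative to the ideal ordered draw."""
    ideal = ordered_bits(words, n)
    return {
        "ideal_bits": round(ideal, 1),
        "lost_to_reordering": round(ideal - unordered_bits(words, n), 1),
        "lost_to_no_repeats": round(ideal - no_repeat_bits(words, n), 2),
    }


if __name__ == "__main__":
    # Constructed comparison: 8 words from a 500-word list vs 4 from Diceware
    for words, n in ((500, 8), (7776, 4)):
        print(f"{n} words from {words}:", shortcut_report(words, n))
    print("00..99 survivors after digit sorting:", sorted_digit_survivors())
    print("sum of two dice:", sorted(two_dice_sum_distribution().items()))
    print("grid cells all equal:", set(two_dice_grid_distribution().values()))
```

Reordering eight words from a 500-word list costs roughly 15 bits, which is the "quite predictable" loss the comment refers to, while rejecting repeats costs well under a bit.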

Clive Robinson • March 12, 2017 7:23 AM

@ Jon,

In theory, I suppose it would slow down a social engineering attack on your security questions, but not sure whether it is or isn't any more secure.

It depends on how the computer you are trying to login to is configured.

Look at it this way: a multi-user computer has multiple passwords; which one is valid depends on the username it's indexed by (in the password file).

Thus your account would be as secure with multiple passwords, if there were several "Question" options each with a different password. That is you would have to know which question indexed which one of the multiple passwords to test.

If your account locks after three unsuccessful attempts then arguably the security is increased by the number of questions. Because, say you have written the password on a piece of paper in your wallet (old password advice) and the piece of paper has been stolen or copied, the attacker does not know which question it corresponds to. The more questions, the less chance the attacker has of finding the right one by guessing.

Clive Robinson • March 12, 2017 7:43 AM

@ Moderator,

The above from "Rufo Guerreschi" is unsolicited product advertising.

The web site it links to looks like a startup that has taken advice from a Snake Oil Seller.

I suspect that the fact the product uses WiFi would raise alarm bells with the more seasoned readers of this blog.

I've looked at quite a number of what might be called "side channel" security products in the past that aim to move the security end point in some way. Most simply extend the communications of the primary communications channel without putting the necessary choke point / instrumentation in to prevent an attacker exploiting the extended communications channel. Thus they have failed to move the security end point beyond the reach of the attacker along the communications path.

For some reason it appears to be a point few appear to get their head around successfully; why, I have not analysed.

Clive Robinson • March 12, 2017 9:44 AM

@ J. Peterson,

With regards to the cost of storing all the audio, our host Bruce asked the same question, triggered I suspect by the NSA repository in Utah.

A few people did the math as well as make a few assumptions about compressing the data and, as it was not evidentiary, using auto-transcription to compressed text. The answer came back less than that and Bruce sounded a bit surprised by the result (Utah was probably good for a hundred years or so of the compressed audio, even more so with the compressed text).

Clive Robinson • March 12, 2017 11:14 AM

@ Bruce,

Yes. But by early 2015, most were convinced it was North Korea.

With regards NK and SPE I suspect that much of that change was "toeing the party line" for the sake of business (as were a number of UK businesses who privately admitted as such).

There has been no evidence shown publicly that it was NK, even on the old Means / Motives / Opportunities test. Moreover, under that test there is quite a bit of "evidence" to show that a considerable number of others were better placed, had better knowledge of SPE systems and, importantly, had good reason to work SPE over.

Whilst we know the current NK leader's father was a movie-fruitcake to the point where it appears he had many people kidnapped from South Korea in the 1970's and 80's (some still claim, despite denials by those that escaped, that they were "defectors not kidnapped", as very unlikely as it appears),

http://www.bbc.co.uk/news/magazine-31628415

But the current NK leader has considerably different tastes and peccadillos of varying degree. He has a taste for the dramatic statement such as execution by antiaircraft gun, ripped apart by dogs etc. Against which even having his half brother killed by VX nerve agent appears at odds (thus some believe it was planned and carried out by others and leave open the question of the "directing mind", especially in view of the fact China has responded as expected and applied significant sanctions against NK which those in SK and the US and even China are expected to benefit by significantly).

The lack of evidence is not surprising; it can be, and has been, shown how the attribution of such an attack could have been faked easily. As you noted the other day, we expect attacks from China and Russia so other entities use them to launch their attacks from. The fact FBI director James Comey comes out and says that the Sony hackers sometimes failed to use proxy servers to mask the origin of their attack, thus revealing IP addresses that he says were "used exclusively by North Korea", is, let's be honest, more indicative of a false flag operation. In this modern age of hacking there is no such thing as an IP address "used exclusively" by anyone. Because they can all be either faked at a network node such as an upstream router, or the actual host machine of that IP address could, and in all probability had, been hacked by one or more national SigInt agencies.

Thus technical network / computer based attribution is never going to appear as admissible evidence. Which leaves only the Humint side of "methods and sources", which is also likely to never form admissible evidence. Further, the US is not really known for "boots on the ground intelligence", and has shown a history of "borrowing" since the U2 incident. Thus you have the issue that at best any Humint is going to be very, very fourth hand and subject to a lot of redaction and interpretation to protect the source. The most likely place for Humint to come from is SK, which is very far from disinterested in many ways, including those that involve its own film industry that has a number of rivalries and connections to Japan and their native and acquired film industry including SPE.

On balance I would be asking the "follow the money" question of this, and there are better candidates than NK including SPE themselves.

I doubt that we will get any real evidence you could take to a civil, let alone criminal, court on this. Which, you also need to remember, is a bit of a tell: the US did indict suspected Chinese "hackers", so why not NK ones?... Perhaps because there is neither evidence nor sufficient intelligence to give names to NK hackers or their immediate leaders, or even no reliable intelligence at all. So, as with aircraft accidents, find a suitable entity that cannot defend themselves and thus claim "pilot error" etc.

Thus my position is as it always has been: without evidence it is a matter of point of view or opinion. Opinion, as history has shown, is very flexible where incentives are involved, especially with businesses and profitability; after all "the customer is right" even when they are not, because "He who pays the piper calls the tune".

ab praeceptis • March 12, 2017 11:26 AM

Clive Robinson

Yes.

Rule of thumb: Assume the contrary of what western media tell you and you'll be quite close to reality.

While in former times getting angry, I meanwhile find it funny how the united states of a part of a part of america f*ck themselves. First some goons feed the media with some BS, then the media spread that BS, and finally they (gov., goons, spooks, parties, media, just everyone) quote the BS spread by media as "proof" and everyone in the mental asylum believes it.

Logic? Zero, nada, zilch. But then, who cares about logic in the looney bin?

On one hand they paint NK as extremely backwards and one should be surprised if they would have any modern computer in NK at all. On the other hand they paint NK as an evil and seemingly powerful hackers' lair that easily breaks through all security walls of the billion $ corporations. Sure. I guess the North Korean hackers do that with chop-sticks and some mythical digital kung-fu ...

Being at that: I do not believe most of the nsa, fbi, cia miracle hacker stories. Simple reason: They don't have enough people with a brain (and those with a brain tend to have rests of ethical conscience).

Clive Robinson • March 12, 2017 12:47 PM

@ ab praeceptis,

Sure. I guess the North Korean hackers do that with chop-sticks and some mythical digital kung-fu ...

Rumor has it they do actually hack from beneath a Chinese Restaurant...

But yes the argument they are backward due to repression, whilst also those repressing are technical geniuses does not hang together and stands out like a four foot curtain hanging next to a seven foot curtain.

The truth is that genius is in part a luck of genetics, and in part getting the right education early on. If you don't get both then neither alone will make you a genius.

So if they have technical geniuses only in the senior hierarchy, now you have to ask who selected and educated them twenty years ago and for what original purpose. The ability to screen and train further implies considerable expertise going back thirty to forty years before that. Otherwise you have to conclude that as a general case the NK scientific, mathematical and engineering education is on par with some first world nations, and that it's financial resources they lack. Which is what we saw with Russia and their ability to program to squeeze performance out of restricted resources rather than waste it as profligately as the West did, where the assumption was "double the power tomorrow for half the price of today"...

ab praeceptis • March 12, 2017 1:19 PM

Clive Robinson

Absolutely. One doesn't need lots of money and the most recent systems and plenty of them. I've seen Russian developers whose *strength* it was to learn and grow under very poor circumstances. Also one would be well advised to keep in mind that many Asian cultures, i.a. both Korean ones (if one wants to differentiate), are quite different from western paradigms anyway.

Plus, let's be honest. I'll try to put it very politely and put it like this: western high tech companies cook their soups with water, too.

Less politely: When looking at western "high-tech", first strip off a fat layer of PR, show, and lies. Then strip off any assumption of "quality work" - as the reality usually is software being developed under the management of profit-driven idiot sales bots ("product managers"). Then strip another layer, the "good and professional tools" fairy tale.

And you end up with? "professionals" most of which have an utter lack of even modest logic capabilities, unnerved by management asking for new features and gadgets and 3-D buttons, having a lousy "education" by profs, many of which are "cool" and more social blabla activists than real professors, etc.

Finally: Most of the miraculous capabilities of taos, cia ultra-hackers and whatnot are? Right. Those are based on exploiting lousy hardware and lousy software and careless ignorant users and "security" people who install some "security" software following the principle that more expensive means more secure.

Short, they even haven't understood that real security (TM) is recognized by coming with a golden sticker.

Skeptical • March 12, 2017 7:05 PM

@Clive: There has been no evidence shown publicly that it was NK even on the old Means / Motives / Opportunities test. Moreover under that test quite a bit of "evidence" to show that a considerable number of others were better placed, had better knowledge of SPE systems and importantly had good reason to work SPE over.

A rather large number of well-respected private companies concluded that the party responsible was likely not an insider. As to your other comments concerning IP addresses, the FBI's list of evidence went considerably beyond that. You're talking about large organizations, public and private, that specialize in, and work thousands of hours per year on, analyzing the components of such events - and with specialists devoted to particular types of analysis. Do you honestly suppose that these organizations simply looked up the origin of a few IP addresses? Or that highly complex constructions and operations are so thoroughly understood that their origins are easily counterfeited?

You are entitled to an opinion that the US attribution is the outcome of some massive conspiracy, of course. But it's a little astonishing that someone with such a grasp of the difficulties of getting complex systems to work precisely as intended should also so easily believe that in the case of a broad cyber-operation like this the perpetrators perfectly concealed their origins such that only human sources from within their own group could possibly reveal them.

@ab: Rule of thumb: Assume the contrary of what western media tell you and you'll be quite close to reality.

The same Western media that reported on the dissenting opinions to North Korea's involvement? Look, you name the outlet, and it's available in the West.

Of course, the nature of an open marketplace of ideas is that while there is room for spin, the facts exert a considerable gravity. Much to the chagrin of those for whom facts are inconvenient things when they interfere with an agenda, and who suppose the open nature of the West implies that information operations are easily done. In fact, the open nature of Western society provides its own immune system against falsehoods sought to be spread, both foreign and domestic - an imperfect immune system to be sure, and some infections and viruses linger for some time - but a better immune system than any other devised by human beings.

Clive Robinson • March 12, 2017 7:41 PM

@ Skeptical,

You are entitled to an opinion that the US attribution is the outcome of some massive conspiracy

Typical opener for an ad hominem or strawman gambit...

I seriously suggest you stop, go back and actually read what I wrote, not your imaginings of what you think you can push down my throat.

As for your opening paragraph, yup, those companies spend thousands of hours and millions of dollars writing reports that fail nearly all tests for coherent investigation and writing, and I'm far from the only person who has noticed this boondoggle of a logrolling publishing clique. At the end of the day nearly all of it qualifies as "touting for business" FUD marketing. If you do not know that, perhaps you need to stretch your legs a bit.

Jim • March 12, 2017 11:05 PM

@ ab praeceptis wrote, "Logic? Zero, nada, zilch. But then, who cares about logic in the looney bin?"

Logically speaking, the looney bin does care about logic, only in terms of defying it.

TM • March 13, 2017 8:20 AM

I write down passwords and keep them on paper in my apartment. What's wrong with that? Sure, somebody could break into my apartment but it's unlikely that that person would be looking for passwords. If I were a celebrity or otherwise valuable target, of course, that calculation would change. But for most of us, why isn't writing down passwords the best solution? Almost nobody can memorize really secure passwords. That is the real takeaway from the Ars Technica article: if a human can memorize it, then it's automatically less than random, and therefore vulnerable.

Another takeaway, to be sure, is that if you make a little effort to strengthen your passwords, you may not be among the low-hanging fruit that gets cracked within an hour or so. But you are still likely to be cracked within a day. The third takeaway is that, as we always knew, the main responsibility for security is with the providers, not the individual. As long as they don't clean up their act, we will always be screwed. If they use appropriate hashes and protect the hashes, even relatively weak passwords are probably good enough.

Dirk Praet • March 13, 2017 9:38 AM

@ Skeptical

You are entitled to an opinion that the US attribution is the outcome of some massive conspiracy

When a hunter takes a dead eagle to a taxidermist, he can actually make it look like a goose if for whatever reason the hunter has hinted that that's what he would prefer the bird to look like. The cadaver, however, can also be so totally shot to pieces that a goose is all he can make of it. What you are saying is that it can only be a goose because that's what the expert thought it was and could make it look like.

Clive Robinson • March 13, 2017 10:04 AM

@ TM,

That is the real takeaway from the Ars Technica article: if a human can memorize it, then it's automatically less than random, and therefore vulnerable.

Yup, by many, many bits of entropy. In effect, for you to memorise it, it either has to be deterministically generated, or it has to be a subset of random from which you can create a deterministic method to memorise it; thus "cht371dsz646" might be remembered as,

"Swiss tea three to seven one dozen buns"

Or something a little better ;-)

As for writing it down, yup that used to be the advice.

The problem was it turned "something you know" into "something you have", and as far as many guard labour agents are concerned they have an absolute right to anything you have or are.

Thus "something you know" is the only authentication factor you have real control over.

Which is why I've discussed extending "something you know" from an abstract memory by adding "a time you know" and "a place you know", which would put limits on the time etc. available to extract the information from you under judicial or worse sanctions.

Spooky • March 13, 2017 11:32 AM

@ Skeptical,

I'm not sure reliable attribution (with digital data) is even possible. For example...

You receive a message from Bruce encrypted with PGP. You check the signature and decrypt the message using his public key and it turns out to be a classic recipe for 0xdeadbeef hash. Great! Because this message was signed and encrypted with Bruce's private key, you decide it must have come from Bruce himself. Quite reasonable. But in reality, you have no idea who signed the letter. Perhaps Bruce has been dead for months, or his younger sister has finally managed to hack his account. His keyring and passphrase may have been secretly copied by Borromean boot weasels. We only know that his private key is still in active use, but not by whom. It's not even clear that an actual person is at the helm; he may have been replaced from whole cloth by a stygian pile of shell scripts articulated with bits of Perl. Suggesting positive attribution here would be a terrible mistake. And yet, most people would not hesitate.

There seems to be a permanent divide between that pile of 1's and 0's and the unconstrained number of conclusions that might conceivably be built upon it. The binary digits themselves do not actually prove anything as far as identity and attribution are concerned. They have no such agency. All they have is an (imperfect) range of meanings assigned to them by us...


Cheers,
Spooky

Skeptical • March 15, 2017 12:04 PM

@Dirk: When a hunter takes a dead eagle to a taxidermist, he can actually make it look like a goose if for whatever reason the hunter has hinted that that's what he would prefer the bird to look like. The cadaver, however, can also be so totally shot to pieces that a goose is all he can make of it. What you are saying is that it can only be a goose because that's what the expert thought it was and could make it look like.

You're in the wrong problem domain.

The companies here have no incentive to act as taxidermists - especially if any competitors are.

The US Government has no incentive to make a false attribution. Far better, if it cannot attribute with high confidence, to remain enigmatic (for which there are various explanations, some plausible, consistent with it nevertheless having made an attribution) than to put forth a proposition that will reveal to the actual perpetrators (and anyone aware of them) a lack of attribution capability.

Indeed, as the PRC likely knows a great amount about North Korea's cyber programs, making a false attribution here is as good as informing the PRC that you lack attribution capability.

Really this is like visiting several doctors for a diagnosis, all of whom say the same thing, and then visiting the most well-resourced hospital in the world which has no reason to put its reputation on the line by making a diagnosis in your case - and yet does so, and moreover, does so with very high confidence and little hedging.

And after all that, then to claim that since you didn't get a chance to look at the blood samples yourself, or the research involved, you don't have a good reason to believe the diagnosis as likely true (subject, as always, to revision in case of further information).

That's fine. Let me bring this back to your original metaphor. If you need a tracker or a guide on a hunt, you don't find the best taxidermist. You find the best tracker or guide. These businesses aren't in the business of taxidermy; neither, for obvious reasons, is the US Intelligence Community (not when putting its own credibility on the line about a factual finding - a credibility which has been badly damaged in sufficiently recent memory already - in other areas, obviously, it may well pursue taxidermy).

@Clive: those companies spend thousands of hours and millions of dollars writing reports that fail nearly all tests for coherent investigation and writing and I'm far from the only person who has noticed this boondoggle of a logrolling publishing clique. At the end of the day nearly all of it qualifies as "touting for business" FUD marketing.

Of course. Your evidence for these claims must be much stronger than the case that North Korea hacked Sony, so it's clear why you believe the former and disbelieve the latter. I am certain you apply the same standards of evidence to both cases, of course.

Jared Hall • March 27, 2017 3:50 AM

@Bruce: XKCD method? LMAO. I remember the week that strip was published. More to your area of expertise, XKCD had a good one where, in order to change a grade, do you spend $100M to build a supercomputer that can crack an RSA key, or $15 for a chair, rope, and a hammer! Bruce, you're a trip. Thanks for the giggles.
