Friday Squid Blogging: Live Squid Washes up on North Carolina Beach

A “mysterious squid”—big and red—washed up on a beach in Carteret County, North Carolina. Someone found it, still alive, and set it back in the water after taking some photos of it. Squid scientists later decided it was a diamondback squid.

So, you think that O’Shea might know the identity of the squid Carey Walker found on the Portsmouth Island Beach, just by looking at an emailed photo or two? Indeed, he did. After a couple of days of back-and-forth emails—it can be difficult to connect consistently with a world-famous man who lives now in Australia—he reported that, while unusual to be seen on beaches in our parts, this was not a particularly unusual squid: It was a diamondback squid, known in scientific nomenclature as Thysanoteuthis rhombus.

T. rhombus, also known as the diamond squid or diamondback squid, is a large species that grows to about 100 centimeters in length, which translates to about 39 inches, and ranges in weight from 20 to 30 kilograms, which translates to 44 to 50 pounds. Which means that, if nothing else, Carey Walker is pretty good at estimating the weight and length of big red squids he picks up on remote beaches.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on April 28, 2017 at 4:37 PM

139 Comments

Comments

Ben A. April 28, 2017 4:42 PM

Who Is Publishing NSA and CIA Secrets, and Why?

Bruce Schneier: “There’s something going on inside the intelligence communities in at least two countries, and we have no idea what it is.”

https://www.lawfareblog.com/who-publishing-nsa-and-cia-secrets-and-why

NSA’s DoublePulsar Kernel Exploit In Use Internet-Wide

http://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/

N.S.A. Halts Collection of Americans’ Emails About Foreign Targets

http://www.nsa.gov/news-features/press-room/statements/2017-04-28-702-statement.shtml

https://www.lawfareblog.com/nsa-statements-stopping-certain-foreign-intelligence-collection-activities

https://www.lawfareblog.com/can-nsa-drop-about-collection-without-gutting-tofrom-collection

http://www.nytimes.com/2017/04/28/us/politics/nsa-surveillance-terrorism-privacy.html

How to Avoid Going to Jail under 18 U.S.C. Section 1001 for Lying to Government Agents

http://corporate.findlaw.com/litigation-disputes/how-to-avoid-going-to-jail-under-18-u-s-c-section-1001-for-lying.html

UK drops in World Press Freedom Index following surveillance and anti-espionage threats

https://www.theregister.co.uk/2017/04/26/uk_drops_in_world_press_freedom_index_following_gov_surveillance_and_antiespionage_threats/

The Slitheen technique uses popular sites as camouflage for banned ones

“We propose Slitheen, a decoy routing system capable of perfectly mimicking the traffic patterns of overt sites. Our system is secure against previously undefended passive attacks, as well as known active attacks.”

A Seven Dimensional Analysis of Hashing Methods

“Our study clearly indicates that picking the right combination may have considerable impact on insert and lookup performance, as well as memory foot-print. A major conclusion of our work is that hashing should be considered a white box before blindly using it in applications, such as query processing. Finally, we also provide a strong guideline about when to use which hashing method.”

http://www.vldb.org/pvldb/vol9/p96-richter.pdf

Exploiting .NET Managed DCOM

http://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html

Alert: If you’re running SquirrelMail, Sendmail… why? And oh yeah, remote code vuln found

https://www.theregister.co.uk/2017/04/24/squirrelmail_vuln/

http://threatpost.com/no-fix-for-squirrelmail-remote-code-execution-vulnerability/125151/

FBI allays some critics with first use of new mass-hacking warrant

https://arstechnica.com/tech-policy/2017/04/fbi-allays-some-critics-with-first-use-of-new-mass-hacking-warrant/

Next Steps Toward More Connection Security

“Beginning in October 2017, Chrome will show the “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.”

https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html

Peace in our time! Symantec says it can end Google cert spat

https://www.theregister.co.uk/2017/04/27/symantec_ca_proposal_for_google/

Linux kernel security gurus Grsecurity oust freeloaders from castle

“Linux users, the free lunch is over. Pennsylvania-based Open Source Security on Wednesday decided to stop making test patches of Grsecurity available for free.”

https://www.theregister.co.uk/2017/04/26/grsecurity_linux_kernel_freeloaders/

https://grsecurity.net/passing_the_baton.php

Attack Method Highlights Weaknesses in Microsoft CFG

https://threatpost.com/attack-method-highlights-weaknesses-in-microsoft-cfg/125242/

https://www.endgame.com/blog/disarming-control-flow-guard-using-advanced-code-reuse-attacks

A serious bug in GCC

https://akrzemi1.wordpress.com/2017/04/27/a-serious-bug-in-gcc/

Browserprint: Browser fingerprint tool now can guess client OS even when spoofed

https://browserprint.info/

Block Me If You Can: A Large-Scale Study of Tracker-Blocking Tools

https://www.securitee.org/files/trackblock_eurosp2017.pdf

git-crypt – transparent file encryption in git

https://www.agwa.name/projects/git-crypt/

Punching holes in nomx, the world’s “most secure” communications protocol

https://arstechnica.com/information-technology/2017/04/punching-holes-in-nomx-the-worlds-most-secure-communications-protocol/

https://www.theregister.co.uk/2017/04/27/nomx_insecurity/

https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protocol/

Homebrew crypto SNAFU on electrical grid sees GE rush patches

https://www.theregister.co.uk/2017/04/27/ge_rushing_patches_to_grid_systems_ahead_of_black_hat_demonstration/

Reckon you’ve seen some stupid security things? Here, hold my beer…

https://www.troyhunt.com/reckon-youve-seen-some-stupid-security-things-here-hold-my-beer/

Shutting down public FTP services

https://lists.debian.org/debian-announce/2017/msg00001.html

Facebook says it will act against ‘information operations’ using false accounts

http://www.reuters.com/article/us-facebook-propaganda-response-idUSKBN17T2G6

Uber’s app fingerprinted iPhone hardware, breaking App Store rules

https://arstechnica.com/apple/2017/04/tim-cook-once-slapped-uber-on-the-wrist-for-breaking-the-app-store-rules/

The Backstory Behind Carder Kingpin Roman Seleznev’s Record 27 Year Prison Sentence

https://krebsonsecurity.com/2017/04/the-backstory-behind-carder-kingpin-roman-seleznevs-record-27-year-prison-sentence/

More LastPass flaws: researcher pokes holes in 2FA

“LastPass has been in the news again for another chink in its armour – though it has now been fixed, you’ll be glad to hear.”

https://nakedsecurity.sophos.com/2017/04/26/more-lastpass-flaws-researcher-pokes-holes-in-2fa/

Forensic accountants appointed to pore over Post Office IT scandal

“The UK’s Criminal Cases Review Commission has confirmed that it has appointed a firm of forensic accountants to assist its investigation into whether sub-postmasters were wrongfully prosecuted due to issues affecting the Post Office’s Horizon IT system.”

https://www.theregister.co.uk/2017/04/24/forensic_accountants_appointed_to_pore_over_post_office_it_scandal/

“I don’t want porn coming in to my home”

The owner-operator of Andrews & Arnold Ltd. (a small UK ISP), whose main selling point is anti-censorship, was contacted by a woman who wanted to block adult material [porn]. Humorous story.

http://www.revk.uk/2017/04/i-dont-want-porn-coming-in-to-my-home.html

http://www.aaisp.net.uk/broadband.html

A privacy aware domain registration service

Except they own your domain…

https://njal.la/

Fantastic free Open Journal for Quantum Science

http://quantum-journal.org/papers/

Unhappy Jim April 28, 2017 4:59 PM

no not that Jim
http://www.newyorker.com/magazine/2017/03/13/who-is-trumps-friend-jim

I thought about Dysthymic Jim, but I think that Dysthymia has a DSM-IV or DSM-V code, so I settled on Unhappy Jim.

Another potentially interesting article from firstmonday.org (See “Reading Analytics and Privacy” on the Schneier Blog 27 April 2007, for another long article from firstmonday.org).

From the Conclusions of http://firstmonday.org/ojs/index.php/fm/article/view/6817/5919 :

“These five cases, from different sectors and reflecting an array of privacy issues, expose some clear contrasts between processes for redress for privacy harms in Canada and the United States.

The first obvious difference is that there is a single point of contact for privacy complaints in Canada. The argument should not be overstated. The Canadian federal system is complex, and other federal agencies in Canada also have responsibilities for privacy protection: the Canadian Radio-Television and Telecommunications Commission (CRTC), for instance, has responsibilities for enforcing telemarketing rules, the Do-Not-Call-List and the new Canada Anti-Spam legislation (CASL). The salient point, however, is that if a complainant went to the OPC with an issue that was not within its jurisdiction, it would typically be able to refer that individual to the relevant provincial or federal agency, and it even has online tools to help the individual [22]. The OPC therefore serves as an important clearinghouse for privacy complaints and as a central authority for the interpretation of the law and the provision of guidance to organizations about compliance.

The situation is obviously far more fragmented and complicated in the U.S. Firstly, it is more difficult in the U.S., for an individual to determine if what they perceive as a privacy violation is actually illegal. These five cases, in themselves, have revealed the potential responsibility of numerous federal and/or state agencies. For some cases, the potential authority is also distinctly hypothetical and contingent. As in Canada, an American consumer could complain free of charge to any number of agencies about a privacy violation, but there would be far less guarantee that the agency would have the authority, expertise or inclination to investigate. Most would have many other statutory responsibilities beyond privacy protection.”

The five cases are:
Case One: Google allows sensitive personal health information to be used to target ads, without consent
Case Two: Online dating service commits multiple privacy infractions
Case Three: Insurance company overhauls its security safeguards following privacy breach
Case Four: Hotel discloses a guest’s check-in and check-out times to his employer
Case Five: Telecommunications firm does not respond to access requests and destroys personal information subject to those requests

ab praeceptis April 28, 2017 5:08 PM

Ben A

Re: Who Is Publishing NSA and CIA Secrets, and Why?

Sorry, but with all due respect I think that Bruce Schneier is gravely mistaken and, moreover, committed reasoning sins.

This is particularly evident re. a wapo(!) article about some nsa guy talking about the hacked Russians and about the us of a spooks watching them, even on (hacked) cameras.

For a start wapo, just like nyt, has zero credibility, null, nada, zilch.

Also note that the us of a intelligence services had been under considerable pressure to somehow add some evidence to their merciless “Russia hacked the elections, the democratic party and my neighbour’s dog!!!” propaganda – which, well noted, was done in collusion with the us of a media.
So what do us-american agencies do when they need evidence and have none? They invent it. (“powell and the iraq uranium flask”).

Moreover Bruce Schneier’s interpretation is utterly incredible and suffers from the “projecting one’s own inner workings on someone else” phenomenon, or, at the very least from a quite questionable premise, namely that Russia’s intelligence agency acts like the us-american ones and buys COTS plus is stupid.

Looking closer we find that all this is built on rather thin ice, as there is pretty much nothing in terms of tangible evidence. We are basically left to just blindly trust and believe the story served by nsa & wapo – which I’m absolutely refusing to do.

But I admit that the story came in very, very handy and just at the right time for nsa and accomplices.

So: What’s the make and model of said cameras used by SVD (not FSB btw, which is more like fbi)? What OS do they use? How, e.g. with what toolkit and using what language, do the evil Russians do their hacking?

Those questions would be very simple to answer for anyone with true insight, yet we are presented with … nothing but some blabla fairy tale.

David Leppik April 28, 2017 5:10 PM

@Ben A.: The hashing paper is interesting, but I’d be remiss if I didn’t mention that it’s about insecure hashing methods, not cryptographically secure ones.

gordo April 28, 2017 5:22 PM

Robot news:

Silicon Valley security robot attacked by drunk man – police
http://www.bbc.com/news/world-us-canada-39725535

http://www.pcmag.com/news/353311/drunk-man-arrested-after-attacking-armless-security-robot

http://fortune.com/2017/04/26/crime-fighting-robot-arrest/

http://www.foxnews.com/tech/2017/04/26/man-attacks-security-robot-in-silicon-valley-police-say.html


On a more serious note, from a couple of months back:

Suicide Robot Boat Blamed for Attack on Warship
By Jeremy Hsu | Discover Magazine | February 21, 2017

A suicide boat attack that killed two sailors aboard a Saudi warship was apparently carried out by an unmanned, remotely-controlled boat. The U.S. Navy says the incident likely represents the first ever use of a suicide robot boat as a weapon on the high seas.

http://blogs.discovermagazine.com/lovesick-cyborg/2017/02/21/suicide-robot-boat-blamed-for-attack-on-warship/

The Grugq's Evil Maid April 28, 2017 6:41 PM

Re: Slitheen

Oh ha ha ha ha. Yet another LEA honeypot created with the help of academia. Let’s assume that Bruce’s thesis is true. If the Russians are so deep in the NSA they can dump tools to brag about it and the NSA is so deep in the Russian whatever agency they can take pictures of the spooks peeing then what the hell chance does any ordinary person have with projects like Slitheen?

The only security there is in cyberspace stems from two great truths.

(1) There are many people breaking many different laws.
(2) The NSA, FBI, and all the other similar agencies worldwide have limited budgets
(3) ergo they can’t catch them all.

Anyone who advances a security product or strategy based on any other thesis is a liar or an idiot.

MORANSTOPPER SECRET//ORCON/NOFORN April 28, 2017 7:17 PM

CIA’s diabolically clever cyber-pitfall for eradicating whistleblowers! It’s proven 100% effective on whistleblowers with IQs of 85 or below – if they are stupid enough to use Microsoft Office, CIA stops them dead.

https://wikileaks.org/vault7/?scribbles/#Scribbles

That’s quite adequate, because as Wikileaks has shown, CIA spooks are not the brightest bulbs.

Rube April 28, 2017 8:47 PM

https://eprint.iacr.org/2011/638.pdf

This paper is on group theory and talks about Rubik’s cubes and hash functions that can be solved easily. This is a 2013 paper. Jean-Jacques Quisquater was hacked by the NSA in 2014 as reported by Schneier on Security.

The movie Snowden works a Rubik’s cube into the plot as if to “solve me.”

Does the reference seem intentional? Will I get killed if I talk about this?

Patriot COMSEC April 28, 2017 10:20 PM

@ ab praeceptis

To be frank, your comments are so poorly written that I had to struggle to find your meaning. After the effort to find your meaning, I had to do some mental gymnastics, even yoga, to reach your argument–but that was impossible because it did not exist.

Writing on this blog gives us the opportunity to do many things, and one of the most important is to practice clear and concise communication about technology. If you want to learn how to write clearly, whether you are a native English speaker or not, take a writing class at a good university. Something else that is very important for good writing: good reading. Make sure to put high-quality language into your brain every day. If you expose yourself to garbage, garbage will come out. If you listen to BBC Radio 4 every day, listening to professors from Cambridge and Oxford fight it out about John Milton, the Scottish Enlightenment, or the theory of mathematics, then your English will surely improve. You can also read what Mr. Schneier has written; for example, his book on applied cryptography. A prospective writer can read it on the level of well-chosen words, phrases, and clauses.

The interesting thing about writing well is that you end up saying what you intend, even if that meaning is not what you intended in the first place. In other words, you learn. Kapisch?

So, this point about why the NSA and CIA seem to be falling apart…

Mr. Schneier asks, “What happens when intelligence agencies go to war with each other and don’t tell the rest of us?” I would change that a little: “What happens when people in American intelligence agencies go to war with each other and don’t tell the rest of us?”

What happens is what you see today.

David McClain April 28, 2017 10:28 PM

I can tell you from my own personal experience, going back more than 30 years, that the people in the intelligence branches have always been at war with each other. Manifestations that we all know came out surrounding the infamous 9/11 attacks, when there were breakdowns in communications between the FBI and the CIA. This has always been the case.

My personal recollections recount animosity between NSA and CIA, where the NSA ran the collection sites, but were unable to access the data because of derelict computing systems. So CIA would do the data reduction for them, but bargained for 24 hrs of pre-look before turning over the data to NSA.

DM

Patriot COMSEC April 29, 2017 3:20 AM

@ MORANSTOPPER SECRET//ORCON/NOFORN

What an interesting post! I have often wondered how Thomas Drake got caught. Maybe this was it.

@ David McClain

From reading the news closely, there is some cooperation between NSA and CIA, but then again there is some fighting and even downright, jaw-dropping subversion. If z’s job is x and z said y about the situation, but newly-arrived p bellies up to the bar in country v on z’s turf, and says negative y, that z and his boys know nothing, and can prove it, that’s a fight in which the bad guys (worse guys?) win. You would think that American intell people (“Romans are people who kill other Romans.”) would cooperate during war–take Afghanistan for example–but in many cases they did not. They were too busy fighting each other. Result? I am sorry to say it, but Afghanistan is about to go into the loss column. If you are focused on the fight with the foreign enemy, and you are in this kind of internecine turf-war environment, the war then becomes strange and surreal: the Taliban have no business getting in our fight, and a lot of money is involved. They wear plastic shoes in the winter and don’t matter. Afghanistan is like a stage set for a battle between Americans. The Taliban are props. The prizes are large.

Rogers almost lost his job as DIRNSA because he went to talk to Trump (and the leaders lacked the data). Flynn lost his job because of a straight-up political assassination. I am not saying that Flynn is an angel of light. I know someone who used to work for him. He rubs some people the wrong way, and he took the step of getting directly involved in a political campaign. Some people hate his guts. So when the NSA had some info on him that could be used to eject him from his job, the people privy to those tid-bits could not resist their desire to stick a knife in their former colleague, who, by the way, was extremely good at his job of defending the country. America rolls on.

Snowden got a bad evaluation at CIA and went rogue. His psychological profile is much like Timothy McVeigh’s, the difference being that the building Snowden blew up is not in Oklahoma City. Snowden hates somebody who was his boss in Geneva, and his betrayal of his oath is just hatred written large. The CIA and NSA are deeply antagonistic towards Russia, and Snowden went there out of spite.

Robert Hanssen, who was mentally sick, betrayed America in the most injurious way. If he were arrested today and spoke of personal privacy, I think some people would listen and actually believe that he was a good guy. He is not good at all.

Chelsea Manning is not exactly cut from the same cloth because she told her boss that she was no longer on the team. She tried to warn her supervisors that she was not OK. But she too was probably motivated by anger, by being gay and not being accepted. That kind of reminds me of Glenn Greenwald. Greenwald has been an important catalyst to Snowden’s perfidy, and Greenwald tells people up front that he wants them to be as angry as he is. But he is not as broken up about government spying as he is about not being accepted for being gay, his status as an outcast. Again, America rolls on.

Personal antagonism has increased between some people who work in U.S. government agencies, just as it has gotten worse in U.S. society. The number of people with high clearances has mushroomed, and this is an important factor in the increased number of leakers. The system has branched out like an unsecure computer network with unsecure routers. Contractors make things worse because they are not controlled to the same degree as military people. That is why you have so many military folks in the NSA.

There is no mystery. There is no new epic battle between Russian and American intell agencies. A lot of people had to neglect their jobs for Snowden to do what he did, and the same goes for the CIA. Look at the OPM disaster: no one cared enough to encrypt the personal information of everyone in the U.S. intell community. The belly laughs in Beijing must be just as big as their astonishment. A lot of Americans failed by omission in this particular disaster, and the reasonable explanation is that they just don’t care.

The elephant in the room is China, which no one wants to talk about because they are winning, and they treated an American President with amused contempt when he tried to get off his plane in Hangzhou last year. Every day they get stronger as people in the U.S. government fight each other and knock the U.S. down. It is a comfortable story to say that some mysterious battle is going on that is not our problem. This is not the case at all. A clear and present danger to the U.S. is in front of everyone’s eyes: that U.S. intell agencies are not doing their jobs well because of intensified internal fighting, and, perhaps in some cases, bloat and apathy.

tx521 April 29, 2017 5:45 AM

why do people say bitcoin is secure?
the bible says that satan will make it impossible to trade without some kind of mark or identification..
so cash and bitcoin will be destroyed
satanic countries like china already ban it
so how can people say it is uncensorable??

Ergo Sum April 29, 2017 6:30 AM

@Ben A…

Browserprint: Browser fingerprint tool now can guess client OS even when spoofed

Like most browser fingerprint sites, this one also fails to detect the OS and just guessed the browser without JavaScript:

Your user-agent string specifies your browser as being a variant of CHROME.

Judging by your fingerprint we believe your browser is a variant of FIREFOX.
Your user-agent string specifies your operating system as being a variant of CHROME_OS.
Judging by your fingerprint we believe your operating system is a variant of LINUX.

The OS is not even close…

On the other hand, this result is bad:

Your browser fingerprint appears to be unique among the 32,275 tested so far.

Being “unique” is just as bad as the positive ID…

Aulde Gote April 29, 2017 6:39 AM

Simply publishing a bunch of links to stories isn’t helpful to me. Some of them are questionable or hype products. I prefer to read a contributor’s personal views or experience regarding the link/issue. It’s called wisdom. Shared wisdom is invaluable.

Re: Bitcoin. Tried it. Practically impossible to get without submitting every iota of your personal data including bank accounts, passports, drivers lic. etc.
Any thoughts of being anonymous soon fade to dust.

Exchanges are habitually liars regarding the speed of transfer. They are in some far off, unregulated, country, with no street address, no documentation, maybe even a shady email address. And, they get ripped off CONSTANTLY for millions of coin.

Better to go to the 7-11 and get a money order. Cheaper and decidedly more anonymous.

Ergo Sum April 29, 2017 8:08 AM

Questions about Kaspersky blog for fileless malware:

https://threatpost.com/hard-target-fileless-malware/125054/

Last June, fileless attacks were suspected in the hack of the Democratic National Committee as a way to penetrate computer systems, according to Carbon Black.

Suspecting “inside job” is another guess, no? There’s no evidence either way and judging by the size of the stolen emails, the inside job sounds more feasible at this point, unless DNC really didn’t even have the standard security measures in place.

Conventional malware isn’t going anywhere anytime soon, said Edmund Brumaghin, threat researcher with Cisco Talos. But he said, the increase in fileless attacks isn’t seeing a corresponding response on the defensive side because only a minority of organizations are running memory-analysis tools.

So, would MS EMET and/or Malwarebytes 3.0 stop fileless malware? I do know that blocking Powershell connection to internet will…

However, these types of attacks have one big drawback: When the application is closed or system is turned off, the in-memory attack ends.

That’s a good thing, I think, but can it be automated to reload when the PC starts?

Browsers do cache some of the contents for the visited sites. Depending on the settings for the temporary internet files, the browser could reload the exploit, if and when it started. The default setting for IE is to automatically check for newer version of the page. This setting could be changed by the attacker to “every time the browser starts” to reload the malware in the memory, no?

Albeit once the temporary internet files are stored on the local drive, it could be detected by AV and/or other security tools. Unless the malware instructs the browser to cache it in the memory.

I am probably wrong about automating the reload of the malware…

Doktor Freud April 29, 2017 9:24 AM

@PATRIOTCOMSEC, Tom Drake got caught because he went through channels. Also, your elaborate psychoanalysis of people you never met does not seem to reflect their words or behavior.

Manning articulated the law in respect of your right to seek and obtain information. Then she acted in conformity with that law. She also complied with the Army Field Manual and the War Crimes Act. Probably – strictly speaking, evidently – she was motivated by her legal obligations.

Snowden also articulated and acted in accord with the law in respect of your right to seek and obtain information. And when one listens to him and interprets his words and demeanor, he doesn’t seem angry, he seems to be having the time of his life with his hot girlfriend in a country with a vibrant culture and more rights than the USA. By the way, you are using the word perfidy incorrectly.

Your essay, discursive though it is, gives the distinct impression that you aspire to a clandestine occupation of some sort. If that is in fact the case, there are a few things it would help you to know – the birds and the bees, as it were. The recruitment process favors people who go in with their eyes open.

Fellow Bunny Rabbit April 29, 2017 11:18 AM

@Unhappy Jim

  1. Google allows sensitive personal health information to be used to target ads, without consent
  2. Online dating service commits multiple privacy infractions
  3. Insurance company overhauls its security safeguards following privacy breach
  4. Hotel discloses a guest’s check-in and check-out times to his employer
  5. Telecommunications firm does not respond to access requests and destroys personal information subject to those requests

People used to call this gossip and frown upon even sharing with even one or two of your closest friends. Now these companies are making money — in fact, loads of cash hand over fist — selling the gossip on you and your private business and your private activities to thousands upon thousands of total strangers. Especially the sex gossip. That runs into serious cash. Finders’ fees for pimps and whores looking to profit from those with a reputation for moral weakness, without regard to whether such reputation is justified or not. Legitimate relationships and marriages destroyed on false grounds because it’s more profitable for the pimps to separate those partners and keep them “in the game.”

That’s the optometrist who diagnosed you with STD for “looking” at the girl across the street from the law office next door.

The female police officer in full uniform behind the counter at the police station who had some poor fellow with an unrelated complaint arrested for allegedly offering her money for sex. (Last time I bought a cup of coffee in that town, I received a counterfeit one-dollar bill in change.)

It just goes on and on, and there is no end in sight, not a glimmer of light at the end of the tunnel. This kind of business goes where it always does: headlong into hell.

KISS layman's email transition April 29, 2017 11:51 AM

Regarding: Changing email vendors and email address(es)

Currently email is provided by ISP in USA (resident in same country); one address with stuff to be kept and cr*p that may or may not be worth dealing with.

What do you think about:

a) pop3, imap, or webmail from a security point of view (use: currently desktop only, but would like to check webmail while traveling)

b) manually giving “keepers” the new email address, while migrating “losers” to an alias (or not) with the same email vendor

c) it seems that pop3 or imap may have the advantage of not requiring javascript (noscript or not)

d) this may be relevant to people being migrated to aol.com email from verizon.net email by mid-May or users in general

e) leaning toward icloud.com (Apple’s privacy policies, and pop3 or imap)

f) does it make sense to try to download all via pop3, a backup of all, keep the keepers in two keeper email addresses (personal and other) then request the ISP to delete the rest

g) trying to “measure twice cut once”, an old This Old House saying

Rather than reinvent wheel, relevant links or things to consider would be appreciated.

JG4 April 29, 2017 11:54 AM

Links 4/29/2017 | naked capitalism
http://www.nakedcapitalism.com/2017/04/links-4292017.html

Big Brother Is Watching You Watch

N.S.A. Halts Collection of Americans’ Emails About Foreign Targets NYT

https://www.nytimes.com/2017/04/28/us/politics/nsa-surveillance-terrorism-privacy.html

NSA Backs Down on Major Surveillance Program That Captured Americans’ Communications Without a Warrant Dan Froomkin, The Intercept

https://theintercept.com/2017/04/28/nsa-backs-down-on-major-surveillance-program-that-captured-americans-communications-without-a-warrant/

NSA Had Found “Many” Improper Queries on Upstream US Person Data at Least by 2013 emptywheel

https://www.emptywheel.net/2017/04/28/nsa-had-found-many-improper-queries-on-upstream-us-person-data-at-least-by-2013/

Hopping Mad April 29, 2017 11:58 AM

@ Patriot COMSEC

Acronyms like DIRNSA [Director of (the) National Security Agency] and POTUS [President of the United States] are bad enough, but when it comes to SCOTUS for “Supreme Court of the United States,” I just KNOW the intelligence creeps are doing something flat-out ILLEGAL and finding some bizarre, twisted, and contorted legal justification for it.

Not really classified // NOFORN [NO FOReigN dissemination] // NOBUS [NO butts But US]?

You people are deluding yourselves, and you’re all in it together with Glen Greenwald, who lives in some mountaintop mansion near Rio de Janeiro, Brazil. That fellow must be loaded with cash from blackmailing “gay” folks who would rather the whole world not know they are “gay.”

Brazil is “gay-friendly.” Haircut-and-sexual-assault-in-bed friendly. Certainly not friendly to victims of sexual assault. No. Not LBT friendly. GAY-friendly. Give-me-money-or-you’re-OUT-friendly.

Nick P April 29, 2017 12:24 PM

@ All

re fault-tolerant architecture

Why Do Computer Systems Stop and What Can Be Done About It? (1985)

This is a nice piece by Gray that systematically analyzes how failures occurred to then look for ways to block that in hopes of driving uptime toward 50 years. The context that implements such ideas was the Tandem NonStop system that HP now sells. I keep the old documents since their patents have expired but the techniques have not. I’d love to see an open clone of NonStop’s low-level architecture using inexpensive, commodity parts. Then, teams could port resilient microkernels such as QNX or Minix 3 onto it in a way that leverages what hardware/firmware is already good at. Also, languages such as Ada/SPARK or Erlang that are already highly-available in practice could do well on something assuring everything below them.

When digging this out, I found nice stories from NonStop admins. One sold management on a Cyclone by pulling out two CPU boards and some discs while it was doing important work. Kept working. Another who used them in military said an older model was engulfed in flames somehow but they didn’t lose their data. He didn’t say whether a redundant disc survived or it was clustered. Yet, the point was probably that catastrophic loss can knock out poorly-designed solutions in HA which NonStop was not. Corroborated by HP’s video of them blowing up a datacenter with OpenVMS and NonStop coming back up several times faster than Windows and UNIX’s.

Hopping Mad April 29, 2017 1:58 PM

@Nick P
re fault-tolerant architecture

… the trend for software and system administration is not positive. Systems are getting more complex. …

That’s the trouble we are having with the Brazilian Mafia. More complex means more fragile. These people are selling us fragile “handle-with-care” shit when we ordered military-class reliability and robustness.

Nick P April 29, 2017 2:35 PM

@ Hopping Mad

“That’s the trouble we are having with the Brazilian Mafia.”

What does this mean?

Hopping Mad April 29, 2017 3:02 PM

@Nick P

BRICS: Oh, excuse the financial acronym. I guess it’s not recognizable here. It’s not a “government intelligence” acronym.

Brazil, Russia, India, China, South Africa.

Follow the money. Find out what’s going on. I’m not leaving out South Africa with all the mines and gold krugerrands.

Nick P April 29, 2017 3:13 PM

@ Hopping Mad

“Brazil, Russia, India, China, South Africa.”

That makes more sense. People acquiring equipment out here watch out for three on that list regularly. We fortunately never have to deal with the other two. Only thing I see regularly from South Africa is oranges haha. Unfortunately, I may have to deal with the Chinese at some point because Shenzhen is the best place to get electronics done cheaply. Gotta vet the suppliers and talent first, though.

Hopping Mad April 29, 2017 3:59 PM

Robotic apple-pickers
http://www.seattletimes.com/business/agriculture/a-robot-that-picks-apples-washington-states-orchards-could-see-a-game-changer/

The eventual loss of jobs for humans will be huge, said Erik Nicholson of Seattle, an official with the United Farm Workers union. He estimated half the state’s farmworkers are immigrants who are in the country illegally.

But many of them have settled in Washington and are productive members of the community, he said.

“They are scared of losing their jobs to mechanization,” Nicholson said. “A robot is not going to rent a house, buy clothing for their kids, buy food in a grocery and reinvest that money in the local economy.”

Right. Steady work year-round. Picking apples by hand makes enough money to rent a home, clothe your kids, buy groceries, and “reinvest” in such a caustic “community.”

More sickness with Washington State:

http://blogs.seattletimes.com/pot/2014/07/11/city-attorney-pete-holmes-apologizes-for-taking-pot-to-work/

SECTION 25 PROSECUTION BY INFORMATION. Offenses heretofore required to be prosecuted by indictment may be prosecuted by information, or by indictment, as shall be prescribed by law.

This means that felony charges in Washington State, contrary to the U.S. Constitution’s Fifth Amendment, do not require the indictment of a grand jury:

No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury, except in cases arising in the land or naval forces, or in the militia, when in actual service in time of war or public danger; …

and the Supreme Law of Land clause from the aforementioned U.S. Constitution:

This Constitution, and the Laws of the United States which shall be made in Pursuance thereof; and all Treaties made, or which shall be made, under the Authority of the United States, shall be the supreme Law of the Land; and the Judges in every State shall be bound thereby, any Thing in the Constitution or Laws of any State to the Contrary notwithstanding.

News to me. From all appearances, neither prosecutors nor judges, nor, for that matter, defense attorneys, are “bound” by any sort of law in Washington State. Washington is not even a state. Washington is a Mafia-controlled territory with an ante-bellum slave state constitution. What do you expect for the home of the BRICS-controlled megacorporation MSFT?

tempid April 29, 2017 4:52 PM

@KISS…

Before all that, you might want to take a moment to clearly define what it is you want/require from your email.

1) Start here:

An Introduction to Threat Modeling
https://ssd.eff.org/en/module/introduction-threat-modeling

2) Then search/read – for example – this sort of thing:

Good, simple list of reasons that email is inherently insecure
https://security.stackexchange.com/questions/30087/good-simple-list-of-reasons-that-email-is-inherently-insecure

3) Then factor in this – Most often (always?) there is a trade-off between degrees of convenience/functionality and security/privacy. So, define what functionality you want/require (and what security/privacy you’re giving up to get it) and then confirm the prospective provider fits your requirements. Generic example: Protonmail offers a mobile app but does not work with any desktop client.

…and I’d be remiss if I did not restate the obvious for the gazillionth time…

Free email isn’t free. Granting the email provider complete access to the content/contacts/calendar/tasklists of your “private” email is the price you pay.

Patriot COMSEC April 29, 2017 4:57 PM

@ Doktor Freud

I know that Snowden is a popular guy in some circles, but so was Timothy McVeigh. I still think that Greenwald has been a catalyst to Snowden’s state of being faithless, but I know you will disagree with me on that.

It is kind of interesting that Russia has suddenly popped back into the mass consciousness as enemy number one. Those on the other side of the fence have to be careful not to overstate the positive side of Russia. As far as Russia goes, we want it to be stable. If you want to live in a nice place where individuals are respected and every move you make is not recorded, try Iceland, or Chile. Antarctica might be a good option too.

Patriot COMSEC April 29, 2017 5:10 PM

@ Ben A

I like that you post a list of articles. All of the ones I have read are on topic and potentially interesting to someone here. Here is a quote from that second article, NSA’s DoublePulsar Kernel Exploit In Use Internet-Wide: “Now you have a nation-state attack tool available to anyone online to use for their own purposes. It’ll be used to compromise and impact systems for many years to come.” That is almost as good as Assange saying that the CIA has set up “another NSA”–yikes.

It is not that interconnection has caused a loss of trust because national governments are spying on everyone. It is that everyone can spy on everyone, and national-level tools are there for those who want to use them. In Thailand, there is a lot of spying going on, mainly aimed at faithless partners, etc. It has become popular. Wait until it becomes normal!

tempid April 29, 2017 5:15 PM

@Traitor COMSEC

Did you really just compare Snowden to Timothy McVeigh?

Do you have no shame? Facepalm.

Doktor Freud April 29, 2017 5:15 PM

The basis of your analogy between Snowden and McVeigh is not clear. Are you implying that Snowden, like McVeigh, was a government provocateur framed for a crime committed by the state?

http://whowhatwhy.org/2015/04/22/exclusive-oklahoma-city-bombing-breakthrough-part-1-of-2/

The two seem equally well-meaning but the difference is, Snowden was too smart to let himself get used. Whereas poor military dope McVeigh kept informing on people who were informing on him until the government decided who to blame their armed attack on.

jdgalt April 29, 2017 7:51 PM

The developer’s platform site CodeBase is shutting down. As a result, VeraCrypt is moving. This page explains why, but does not yet give a new location for the project.

Nick P April 29, 2017 8:26 PM

@ r

re grsecurity switching to paid-only model

They basically got tired of their stuff not getting put into mainline Linux and at least one company ripping their work off without GPL compliance. They decided to cut off access to any new source code except for paying customers. Although some claim it’s still free software, I really had to question that. I haven’t been getting consistent answers. Here’s my last attempt:

“This is what I’m not getting. I’ve seen the claim in several places. Free/libre software requires ability to read, modify, and distribute the code. It’s only free-as-in-speech software if I’m allowed to give it to the whole world for free. If it’s freely provided and no source distribution is allowed, then it’s free-as-in-beer. If it’s paid-source and no redistribution, then it’s proprietary software that comes with source. So-called shared source is a business model I encourage for companies that absolutely won’t do paid GPL or dual-licensed. Better than nothing if the tool becomes popular or necessary. Plus, might let license of specific products or versions expire into FOSS license later.

In any case, it’s proprietary, shared-source software if I have to pay for the source and can’t redistribute it. So, could any HN readers who really know how their business model works confirm or reject that with data? What exactly do people buy with what rights? I keep hearing different things.”

Viraptor, who submitted that one, responded with this: “You can redistribute it. The license doesn’t stop you. You may just find yourself in a situation where grsecurity won’t renew your contract next time, if you do that.”

My response: “I appreciate the clarification. Yeah, that’s not free software since you have to keep paying for it. Or it’s a grey area kind of like charging for distribution but used to nullify a benefit of free software. I’m still thinking of this as non-free, shared-source software for now.”

Sergio April 29, 2017 10:10 PM

Hello all.

Please, is there any resource on binaries performing ECC on startup? Would it be like a packer, and work for all bins in an instruction set? Which sets make it impossible?

Phat# April 30, 2017 2:15 AM

@ab praeceptis

Ah, Mr. ab praeceptis, you are quite the Putin apologist. Perhaps you should stop reading Zerohedge, RT, Sputnik News etc. Such a rant to @Ben on the DNC hack. Is the heat being turned up to find how much intel we have by your SVR, not SVD, handlers? Wouldn’t you like us to disclose. Hmm, we know exactly everything, how is that for an answer.

As to MH17, we know about Buk332 having taken forensics, or ask Gen Sergey Nikolaevich Dubinsky, seen on video and heard on audio.

shilrgb April 30, 2017 4:38 AM

@jdgalt Don’t you mean CodePlex?

Also, searching through the forums, I found this topic: https://veracrypt.codeplex.com/discussions/662521. VeraCrypt seems to lack funding and the main developer (also the one with the release signing keys) doesn’t work on it anymore.

I use this software but it may be time to look for a replacement.

Patriot COMSEC April 30, 2017 6:02 AM

@ Tempid
@ Doktor Freud

It is good to be able to share one’s thoughts on this important matter. I compared Snowden to McVeigh because I think they are similar. Both of them wanted to be Special Forces, which is no easy path to take in life, and both of them did not make it. Snowden had a double failure, in that he got a bad evaluation in Geneva when he was at CIA. Both were US Army, both were young. Both did a lot of damage.

Think about the scale of damage that Snowden did to the US intelligence effort. He exposed the work of thousands of technicians, scientists, cryptographers, testers, soldiers, etc. And what Snowden did was during a time of war. The U.S. is at war. You may not feel so threatened; it may not seem to you that the U.S. is actually at war or that a massive attack could come. Iraq, Afghanistan, Somalia, etc., might not seem real to you. Terror might not be real to you. But it is real. San Bernardino is a good example. Snowden has enabled terrorists and weakened the position of the U.S. against its enemies. You can gather what has happened from comments that the current Director of the NSA has said to his own people: hey, stop thinking the sky is falling!

I like that Snowden exposed the illegal NSA programs. But the way he did it was nuts. He did everything he could to hurt the country, and I am amazed that anyone could think differently. If another big attack occurs, and it turns out that Snowden enabled it, what are people going to be saying then? Please do not jump on the Snowden bandwagon.

Vaifj April 30, 2017 6:39 AM

@Patriot COMSEC assuming that he tried, like he said, to raise his concerns about the illegal programs through official channels, and that nobody took action, how do you think Snowden should have published his documents? He gave them to renowned journalists that curated them and avoided releasing personal names or information that could directly put people in danger.

What I recall from the articles I’ve read about it is that the NSA spied on phone records, cloud data and other means of communication, and nothing more.

Could you explain precisely how Snowden could have enabled any attack?

Slime Mold with Mustard April 30, 2017 6:44 AM

Re: The Goldwater Rule

Thou shalt not offer psychological or psychiatric diagnoses of persons not evaluated in person (I have to recite this every time my wife and Donald Trump are simultaneously within audio or visual range).

r April 30, 2017 10:20 AM

@Nick P,

Yeah, it’s a shame but what is a business entity to do?

It’s a loss for the public, it’s a loss for grsec and it’s a loss for the company leeching off of grsec…

The good news? As always licensing from them should be covered as a business expense in most circumstances if an entity is structured properly but what does this mean moving forward?

Winter April 30, 2017 10:54 AM

Re: The Goldwater Rule

But, we can speak about the image projected by the behavior and words of a person and discuss how it influences his/her work and use it as a hypothesis of the personality of the person.

If a politician were to speak and behave like a narcissistic psychopath, to use a purely hypothetical example, it is a valid subject to discuss how this behavior affects his policies and to what extent this behavior could change in the future.

Who? April 30, 2017 10:55 AM

@ shilrgb

At the end it is the same all times: money, money, money.

In the Microsoft/Apple world you will get nothing without a credit card. No FOSS project will survive on these commercial operating systems. Well, think of it as an opportunity to move to better, more secure alternatives, like OpenBSD plus softraid’s encrypting discipline to achieve true security and FDE.

Who? April 30, 2017 11:01 AM

@ JG4

N.S.A. Halts Collection of Americans’ Emails About Foreign Targets

We have learned a lot listening to Mr. Obama: it only means the NSA will continue collection of Americans’ email—this time collection will not be restricted to “emails about foreign targets.”

Spooky April 30, 2017 1:30 PM

@ all,

“NSA halts collection…” All this from an organization whose leaders have repeatedly lied to congress about the full extent of their data collection? An organization with absolutely no remaining public credibility? Which words have been legally reinterpreted to mean their opposite this time around, halts or perhaps collection? Repeated, ongoing abuses of the (mainstream) public’s trust have basically drained away their remaining social capital. Any claims for a substantive change in their policy that are not subject to independent verification are essentially more meaningless, empty drivel. “I can hear what you’re saying, but…”

@ ab,

Such a nice, well-reasoned opinion from the eu of a. No bias at all. 🙂

@ Nick P,

It’s a real shame to see Grsecurity pack up their toys and leave. They have some excellent ideas, at least when it comes to bandaging the Linux kernel in its current form. It is hard to escape the overwhelming sense that some large-scale changes to the underlying architecture of Linux will eventually become a non-arguable necessity within the next 10-20 years; perhaps the required alterations can only happen post-Linus. Although I think Torvalds can be fairly credited with making the best possible short-term decision in the design of Linux, I still believe the future belongs to Tanenbaum (and others). We have MIPS to burn these days and I can think of no better way to spend them than categorically better security and reliability.

Cheers,
Spooky

tempid April 30, 2017 2:09 PM

@Vaifj, @all

Re: @Shillin4IC COMSEC – Please don’t feed this troll.

@Oath-Breaker COMSEC

I’m very familiar with your argument. It’s an argument that has been thoroughly debated – and thoroughly refuted – by nearly everyone not being paid to think/say otherwise. In fact, it’s been beaten to death in the comments section of this very site (btw – beaten by those on both sides of the argument that are actually as intelligent as you comically think yourself to be).

So, on behalf of actual patriots everywhere, I’m only going to respond to the tone of your over-simplified, oath-breaking, boot-licking, totalitarian-state-apologist, more-of-the-same-weak-ass-propaganda with…

“I disagree.”

Slime Mold with Mustard April 30, 2017 2:34 PM

@Winter
The Goldwater Rule is a real thing, https://en.wikipedia.org/wiki/Goldwater_rule

My wife is a real psychiatrist (which is why this is funny).

@ Spooky
My understanding is that the new rule is that the NSA will no longer automatically collect correspondence that mentions a target. If I type “Uralvagonzavod – we’re working for you in Ukraine“, it is no longer automatically collected. Sounds like an efficiency move dressed up as some privacy enhancement. PR/Marketing people: Another reason office windows don’t open anymore.

Clive Robinson April 30, 2017 3:15 PM

@ Slime Mold…,

+10

Just as well I was not slurping my tea, otherwise it would have been rather more messy 😉

As for diagnosing politicians’ sanity, please don’t bring your wife to the UK; our current crop of village idiots would result in you losing your voice…

Winter April 30, 2017 3:40 PM

@Slime mold…
“The Goldwater Rule is a real thing, ”

I know. But most of us are not psychiatrists and do have to deal with deranged politicians. We will have to break this rule out of pure self-preservation.

Btw, there was a long article in my newspaper about the mental health of a US politician where all of the professionals refused to state a diagnosis under this rule.

Nick P April 30, 2017 4:05 PM

@ All

I was skeptical about Google’s Fuchsia since they haven’t shown any knowledge or talent in high-security programming up to this point. It did look to have some neat features in terms of a microkernel. Well, maybe I can have a bit more confidence in it at least on design/usefulness given John Nagle (Animats) just said that Google hired a bunch of QNX people to work on it. That was a good OS that unfortunately was snagged by RIM. I also found out that an early desktop from Burroughs, the ICON, ran QNX on Intel’s 80186. I bet it was reliable even if not as pretty as the Apple and Microsoft stuff. 🙂

My Info April 30, 2017 6:24 PM

@Patriot COMSEC

Think about the scale of damage that Snowden did to the US intelligence effort. He exposed the work of thousands of technicians, scientists, cryptographers, testers, soldiers, etc. And what Snowden did was during a time of war. The U.S. is at war.

Snowden has enabled terrorists and weakened the position of the U.S. against its enemies.

I like that Snowden exposed the illegal NSA programs. But the way he did it was nuts. He did everything he could to hurt the country, and I am amazed that anyone could think differently.

I believe we are in complete agreement with respect to Edward Snowden.

In and of itself, it is good to expose illegal activities. Nevertheless, it is not good to betray our secrets and fellow citizens to our enemies in war. Nor is it good to use the illegal actions of certain public servants of the U.S. as a justification to wage war against the people of the U.S. and lend aid and comfort to our enemies.

You may not feel so threatened; it may not seem to you that the U.S. is actually at war or that a massive attack could come. Iraq, Afghanistan, Somalia, etc., might not seem real to you. Terror might not be real to you. But it is real.

This is a very present and very real threat.

San Bernardino is a good example.

This and similar incidents are small, self-limited acts of suicide warfare, which play hand in hand with California’s extreme gun control agenda, the true object of which is to establish precedents in order to so completely disarm the people of the United States of America that we are helpless before our enemies.

The true threat is that of open warfare and annihilation of a large fraction — many millions — of citizens of the United States. We must be ARMED to prevent that:

A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.

Off-duty CIA April 30, 2017 6:51 PM

LOL at sheep who think Snowden is their shepherd.
He’s a sockpuppet made by the NSA to brag about how far above the law they are, and to create a chilling effect to stop their seniors being exposed. They are really overfunded compared to us and have little to show for it.
It’s hard to justify using chemical (incendiary) weapons like white phosphorous against a country’s civilians just because that country was testing chemical weapons on its own civilians, especially when the NSA has been testing chemical weapons on US civilians and trying to blame the CIA for it.
Watch as everything critical of the NSA gets censored by their massive propaganda department.

tyr April 30, 2017 10:58 PM

@Nick P., Clive

I’m glad someone has solved the halting problem.
^ )

I saw where May had to call an election because law enforcement is after her party for election practices. Sounded pretty phoney but with politics you can never tell.

Apparently India and Pakistan are still having internal debates about how to use nuclear weapons on each other. I’d feel more secure if they had already decided on guidelines. I’m amazed that no one wants to talk about how to play After the Holocaust. Back in the day we were not so blasé about being turned into radioactive glass and wandering mutant scroungers by government nitwits.

John Goodwin May 1, 2017 2:30 AM

I should mention that ‘Shadow Brokers’ is clearly a US Intel agency, and probably the CIA. No foreign intelligence agency, in retaliation for ‘Vault 7’ release on 3/7, would give Microsoft enough advance information that they could patch in advance the results that Shadow Brokers would release in retaliation.

The timing (Vault 7 + about a month) pretty much unmasks the CIA as the Shadow Brokers. That makes the timing of the other Shadow Broker releases interesting — why then, why the CIA?

  • August 13th, 2016 – first damage to NSA
  • October 31st and ‘Cyber Monday’ — second and third strikes
    … long silence…
  • April 8th retaliation (response to March 7th, 23rd, 31st, April 7th releases by WikiLeaks)
  • April 14th retaliation (continuing releases by WikiLeaks now every Friday … 14th, 21st, 28th…)

Steele has laid out the case for WikiLeaks/Vault7 and Shadow Brokers leaks being responsive to each other — that is, an NSA vs CIA mutual leak fest:

http://phibetaiota.net/2017/04/bruce-schneier-nsa-cia-cyber-leaks-blaming-russia-robert-steele-disagrees-suggests-inter-agency-warfare/

This line of reasoning also suggests, by Occam’s razor, that if Wikileaks (the NSA’s preferred leak site, with ‘the Russians are coming’ as the NSA’s preferred cover story…) has a dust up with the Guardian over the Manning publications, then the Guardian/Intercept may be CIA’s releases, and WikiLeaks, as always recently, the NSA’s.

Both sides are very measured about doing maximum damage to the other agency, and minimal collateral damage to US interests.

Clive Robinson May 1, 2017 3:08 AM

@ Tyr,

I saw where May had to call an election because law enforcement is after her party for election practices. Sounded pretty phoney but with politics you can never tell.

She’s an opportunist with delusions of grandeur. In the last PMQs she and Corbyn were sparring and he made a comment about Labour and “if you vote for us” and she replied some nonsense and “A vote for me”… The last time a female leader of the Conservatives started talking like that the party did a “Julius Caesar” on her…

Anyway, even in “set pieces” like PMQs, which is almost scripted, she really is quite bad; as others have remarked her conversational skills are about the same as a wet lettuce, and many would expect her to get slaughtered on television debates where those involved have no idea how the questions will come out. Thus unsurprisingly she has refused to entertain the idea. Hopefully she will be consigned to the dustbin of history, especially if she gets the kicking she deserves for Brexit by the other countries in the Union.

As for the police and fraud, yes it’s real all right and they are as far as we can tell “guilty”. In the UK we have election spending rules and how things must be accounted for and by whom. There was a Conservative “Battle Bus” that visited various constituencies that was not declared in their spending. Which is a major no-no, thus something that could not have happened by just an innocent mistake.

As for May calling a snap election, she has realised that whilst she currently appears strong she is not, and as the opposition in England is currently weak due to disagreement with the “Blairites” within, she’s taking a gamble.

Most people in the UK remember Tony Blair as “Teflon Tony” or “Bush’s poodle”, a fairly despicable individual who was up to his nose in very questionable financial arrangements with his wife and a number of unsavoury individuals. Then of course there was the “Cash for Questions” scandal he masterminded and one or two other fiscal skeletons rattling away in many cupboards. Then of course was his personal desire to outdo Maggie Thatcher, which meant he had to have “a glorious war” and thus he was a prime mover and shaker in that mess we called the Second Iraq War, where there was no glory, no honour and a degree of brute savagery and abuse that many in the UK realised would be the result… So the Blairites are not liked by many people and are actually seen as being more right wing and authoritarian than many Conservatives…

Anyway we are likely to be going to war in the South China Seas or Middle East again in the not too distant future, so May needs to clear the decks for her “glorious war” opportunity to enrich the MIC and thus her party’s donors…

Thoth May 1, 2017 5:02 AM

@Nick P

re: GR(In)Security

They are just doing more disservice by pretending that Linux can be secured. It is like trying to extend the food expiry date beyond its intended shelf life, and this is a very dangerous thing, as we all know that Linux was never built for security in the first place, and adding additional extensions like its own offerings for Linux does not remove the inevitable, which is that Linux was never meant for security in the first place.

It would be better off if they could actually put some thought into aiding the Zephyr, Genode or Redox projects and do something more substantially useful.

Anyway, security on top of a potentially malicious and flawed Intel, AMD or ARM platform is still insecure whichever way you look at it, with the potentially malicious Intel SGX, AMD SP and ARM TZ, whose SGX, SP and TZ partition kernels and hardware designs were never made known outside of their closed world.

The better option would be still to approach the problem via air and energy gap on separated hardware running off some sort of microkernel or OpenBSD or even custom security kernel which OpenBSD would always be the most preferred choices.

re: Project Fuchsia

I wonder if this project will go down the way of many other failed OS projects (i.e. Meego et al.) where the only surviving OSes would always be the few like MS Windows, Mac, BSD and Linux. There are so many attempts to re-do computing and OSes for many reasons including security but after all, the money would usually be put at the mouths of the above 4 types of OSes and rarely those of other types. I wonder if this project is already doomed since day 1 just like many other fanciful projects where support is sparse and nobody’s giving it a second look or bothered to spend money on it because it’s a weird OS and the usual 4 of them already are “good enough”.

re: Secure Computing

We have to re-think the entire concept of Secure Computing if we really want it to manifest. We have to accept the fact that Windows, Linux, Mac, BSD and such insecure OSes will always be out there. This brings back ye olde Castles-&-Prisons methods and this topic reappears yet again endlessly.

For now, my approach is to use an external smart card CPU along the lines of Castles, where it bypasses the problems of Windows and such altogether by doing a Secure Execution Environment in an attached smart card CPU, where the execution logic and data are fed into the SEE environment of an HSM or smart card. Since the HSM and smart card typically have very tiny operating environments due to the constraint in features, and the chips do not have much RAM and EEPROM/Flash space, this means that the TCB must also be very small, and due to the nature of HSMs and smart cards, their TCB must meet standards including CC EAL, as you should already know. Thus, delegating Secure Execution on top of HSMs and smart cards capable of Secure Execution is the best approach, and by the way Secure Execution is still considered a “Secure Munition” and thus export controlled. Creating an open source with a commercialized variant so that people can verify it will be very valuable in this aspect.

Also, the DSEE environment I am in the midst of the planning phase would also be capable of scaling to look like the Prison model that Clive Robinson described.

The vulnerable systems (i.e. Windows, Linux, Mac et. al.) would still be around no matter how much research is going to be put into microkernels and so forth due to the amount of money that have been poured into the “Big 3” OSes which none of them were built for security since Day 1 and nothing is going to change with all these warnings and conferences going on. The best way to side-step them is to acknowledge their existence and use a SEE environment and one of them that is open sourced and usable is the Trusted Execution Module (TEM) made by Srini Devadas whom is famous for the Aegis security processor project.

The TEM smart card applet code is linked below. Since it is written in JavaCard code and a ton of smart cards out there use the JavaCard language, an open source smart card based Dynamic Secure Execution exists, but I am doing my own variant in my own style with my own set of twists. The entire TEM paper is also included below.

For verification of code in a formal methodology, using some sort of Java verifier would be possible since JavaCard is a stripped down Java made for smart cards. Secure Computing via the means of a Secure Execution Environment for the masses is not very far off and already exists in the form of smart cards and the TEM project; despite their slow execution speed and no screen or input, this is good enough to execute something of very high importance, coupled with the verifiability of the open source code and its use of commonly available Java and hardware. This is a highly underrated and untapped area for development and use in rather sensitive settings, with lower cost overheads compared to writing an entire microkernel, since the TEM project already exists and JavaCard smart cards can be found everywhere.

Links:
https://github.com/csail/tem_fw
https://people.csail.mit.edu/devadas/pubs/cardis08tem.pdf

r May 1, 2017 6:26 AM

Re: ‘”we” will not be collecting America’s email’…

Wasn’t it announced just a month or two ago that those collections would now be held by our friendly neighborhood information store providers?

It’s open and shut to me.

Thoth May 1, 2017 6:35 AM

@r

Host your own email server on a cheap single board computer and you are less likely to have your emails collected by unwanted entities.

r May 1, 2017 7:46 AM

@Thoth,

Before or after the direct targeting of network administrators?

Before or after the IoTrialAndError?

Before or after the brute force? Or the time window of year zero and post patch?

Before or after the multiple drive or flybys?

I get my gas from a Syrian, does that make me a target? 🙂

Monday morning watering hole talk.</end>

Thoth May 1, 2017 8:03 AM

@r

You did not open the tag correctly. It seems like they have eaten your tag to attempt to make your script not function correctly.

You can start to create your own embedded SMTP Server on STM32G Discovery boards. Due to the STM32F not having an ARM TrustZone partition, and it having comprehensive documentation, I would prefer using it as a component for embedded hardware projects.

Link:
http://www.st.com/en/evaluation-tools/stm32-mcu-discovery-kits.html?querycriteria=productId=LN1848
http://www.st.com/content/ccc/resource/technical/document/application_note/9b/c9/3c/b1/eb/3e/4c/39/CD00238932.pdf/files/CD00238932.pdf/jcr:content/translations/en.CD00238932.pdf
http://www.st.com/content/ccc/resource/technical/document/application_note/b1/ab/e3/5b/80/8e/4d/4f/DM00024859.pdf/files/DM00024859.pdf/jcr:content/translations/en.DM00024859.pdf

TS May 1, 2017 8:16 AM

Why do people go “ohhh” and “awww” and “sadface” when seeing Japanese bake or eat live squid, but at the same time we dump live crab, lobster and crayfish in hot water, and it’s all good?

cypherpunks May 1, 2017 9:35 AM

@Spooky

It’s a real shame to see Grsecurity pack up their toys and leave. They have some excellent ideas, at least when it comes to bandaging the Linux kernel in its current form. It is hard to escape the overwhelming sense that some large-scale changes to the underlying architecture of Linux will eventually become a non-arguable necessity within the next 10-20 years; perhaps the required alterations can only happen post-Linus. Although I think Torvalds can be fairly credited with making the best possible short-term decision in the design of Linux, I still believe the future belongs to Tanenbaum (and others). We have MIPS to burn these days and I can think of no better way to spend them than categorically better security and reliability.

… why is Windows good as long as there are some knobs that can be set more secure, e.g. to slightly(not completely) lower the automatic uploading of everything to the Cloud, but Linux is awful just because some distros ship with bad defaults (which can be changed, unlike in Windows)? Isn’t that a double standard?

JG4 May 1, 2017 9:44 AM

I received some excellent responses to my question about the best Linux and programming books. I should have cast the net more widely as “resources.” I am trying to get permission to post the responses in the hopes that they will lead to a more spirited discussion than my questions received here. “more spirited” is secret code for “any”

A wiki or a FAQ might be helpful to put past comments into a structure that is easier to navigate than searching the old-fashioned way. Did I post a link to the Li dissertation that used natural language processing in a very powerful way?

I was asked last night “What is the difference between misinformation and disinformation?” after I repeated my recent critique of Mark Twain’s quip. In terms of transfer functions and vectors, misinformation is the result of quasi-random errors that are shaped by cognitive bias, whereas disinformation is a non-random modification intended to advance an agenda.

Links 5/1/2017 | naked capitalism
http://www.nakedcapitalism.com/2017/05/links-512017.html

…[pretty dark. same as it ever was – every cognitive limitation will be exploited by psychopaths, sociopaths and their associates]

Facebook targets ‘insecure’ young people Australian Business Review. Interesting:
http://www.theaustralian.com.au/business/media/digital/facebook-targets-insecure-young-people-to-sell-ads/news-story/a89949ad016eee7d7a61c3c30c909fa6

A 23-page Facebook document seen by The Australian marked “Confidential: Internal Only” and dated 2017, outlines how the social network can target “moments when young people need a confidence boost” in pinpoint detail.
By monitoring posts, pictures, interactions and internet activity in real-time, Facebook can work out when young people feel “stressed”, “defeated”, “overwhelmed”, “anxious”, “nervous”, “stupid”, “silly”, “useless”, and a “failure”, the document states.
After being contacted by The Australian, Facebook issued an apology, and said it had opened an investigation, admitting it was wrong to target young children in this way.
I’d want more verifiable technical detail on the actual targeting — this is, after all, a sales pitch — but regardless of what Facebook is actually doing here, should they even want to?

Employees at this Swedish company can get a microchip inserted under their skin World Economic Forum. “The process lasts a few seconds, and more often than not there are no screams and barely a drop of blood.”
https://www.weforum.org/agenda/2017/04/this-swedish-company-is-implanting-microchips-in-its-employees

…[my previous Big Brother post clearly is disinformation, and I should have said so, but my error has been appropriately critiqued]

Big Brother Is Watching You Watch

NSA Kept Watch Over Democratic and Republican Conventions, Snowden Documents Reveal The Intercept
https://theintercept.com/2017/04/24/nsa-kept-watch-over-democratic-and-republican-conventions-snowden-documents-reveal/

In pursuit of WikiLeaks The Economist
http://www.economist.com/news/united-states/21721396-he-liked-leaks-better-when-he-was-candidate-pursuit-wikileaks

Trump says China could have hacked Democratic emails Reuters
http://in.reuters.com/article/us-usa-trump-russia-china-idINKBN17W0N4
Our Famously Free Press

Dumb And Vile – Independent Falls For Prank, Smears Other Journalists Moon of Alabama. The “prank,” from 4chan, p0wned several liberals on my Twitter feed.
http://www.moonofalabama.org/2017/04/dumb-and-vile-independent-falls-for-prank-smears-journalists.html#more

Confirmed: the crucial role of Chilean media mogul on US plan to overthrow Allende Unbalanced Evolution of Homo Sapiens
http://failedevolution.blogspot.com/2017/04/confirmed-crucial-role-of-chilean-media.html

The secret lives of Google raters Ars Technica
https://arstechnica.co.uk/features/2017/04/the-secret-lives-of-google-raters/

…[much the same wordcraft that we have seen from the likes of Crapper et al]

The Rule of Law Won’t Save Us Jacobin
https://www.jacobinmag.com/2017/04/law-constitution-trump-president-abuse-power

…[file under cognitive bias with potentially fatal consequences at the current scale and direction of human activity]

The five universal laws of human stupidity Medium
https://qz.com/967554/the-five-universal-laws-of-human-stupidity/

see also:

The “Taxation Is Theft” Meme Has Officially Gone Mainstream
http://www.zerohedge.com/news/2017-04-29/taxation-theft-meme-has-officially-gone-mainstream

not all taxation is theft, just the portion of the taxes that actually are stolen by the politicians and their associates. there are some flaws in Ayn Rand’s works, but it still is an impressive body of literature. the taxation is theft people have staked out an extreme position which at least serves the purpose of inviting debate and thought.

the surveillance constitutes an illegal and unconstitutional theft of intellectual property and the resulting power is absolute. it will be used for the most stunning identity thefts ever perpetrated – the ability to perfectly reproduce your voice, face, facial expressions, and writing. implicitly, that includes the power to disrupt any human network on your planet. it also includes the power to take over any business, particularly theft of intellectual property, which includes supply chain and customer data

ab praeceptis May 1, 2017 10:01 AM

Thoth

Linux was never built for security in the first place

It’s much worse. Linux was designed and built in utter ignorance of security and that ignorance even extends into the development model.

As for OpenBSD: Sorry but as much as I value the OpenBSD people, I really do – OpenBSD was not developed to be a secure OS. The driving idea was and is to develop a UNIX of high implementation quality. The correct term describing the achievable optimum is “safe” (and not “secure”).

No matter how much we like Unix, we can’t but notice that Unix/Posix is a rather poor choice in terms of security and even of safety. Anyone doubting that should have a look at plan9 which i.a. tried to do better in some regards, although it also wasn’t even meant to be a safe and/or secure OS. Limbo the “C” of plan9 is one example.

But then, we must, of course, also see the time frame and scenario. Decades ago some glorious hackers sat down to build an OS for a new architecture (as was the habit then; they even usually created a new language, too).

As for a big (wide spread) OS that is safe I’ve come to the conclusion that that simply won’t happen, at least not for some decades.

Reason, i.a.: The properties of “safe” and of “for the masses” are just too different, even mutually exclusive (today). What I think might be possible (and pretty much the maximum) were to have e.g. Microsoft create a (quite) safe OS and to sell it at a high price as “secure OS” to companies and state agencies. They could easily ask 3.000$/license.
Why Microsoft? Because they invested heavily in research and got quite some results, and because they have a double incentive, a) money and b) becoming a heavyweight again (as well as c) cross leverage for their diverse internet/cloud/etc. business that would handsomely profit from a golden “safe” sticker).

Here and today I see no alternative to the approach you suggest.

Matthew May 1, 2017 11:21 AM

Regarding the NOMX “secure” email protocol, it looks like a con job. The guy is clearly trying to hide the rasp pi by hiding it inside an enclosure twice its size.

The Arstechnica article’s commentators found some interesting information. Will Donaldson is also the CEO of a USA military contractor, Hard Corps, Inc.
There was a comment that if a NOMX device can only send emails to another NOMX device, it would be relatively secure provided they did not use the default snakeoil cert.

I am going to speculate and try to a provide a scenario to Bruce’s question in Lawfare “Who is leaking the NSA secrets”.

Hard Corps had been selling these “secure” email devices to the USA government, military and other third party military contractors at least from 2012, based on the oldest software. A foreign intelligence agency has managed to decrypt and eavesdrop on their emails because of the default snakeoil cert. The government users, believing it to be safe, send and receive confidential emails including server logins and passwords, allowing the attackers to expand their reach and penetrate more servers.
Because of the Manning and Snowden leaks, 3-letter government agencies are trying to verify the security of their networks, causing business for Hard Corps to dry up. So the CEO is forced to sell his “secure” email devices to civilian businesses, where the con is found out.
At the same time, the foreign spies are finding their hacks no longer work, so they are now dumping it to WikiLeaks and the news media as a final parting shot to embarrass the USA.

End of speculation. I will stress again the above scenario is my imagination based on a few facts. There is no need to correct me if it is wrong.
I may refine it as an entry for the movie plot contest.

AJWM May 1, 2017 1:01 PM

@ab praeceptis, @Thoth

No matter how much we like Unix, we can’t but notice that Unix/Posix is a rather poor choice in terms of security and even of safety.

I’d go further and say that x86 is a rather poor choice in terms of security and even of safety. In fact, never mind x86, I’d say von Neumann architecture machines are a rather poor choice, etc. Modified Harvard architecture is somewhat better, and Harvard best of all of existing common architectures.

Even Harvard or modified-Harvard is not perfect. While instruction and data memory are distinct, and in pure-Harvard, instruction memory is essentially read-only, it might still fall victim to subtle hardware attacks or back-doors.

Although, given those, you’re pretty much forked whatever the architecture or OS.

AJWM May 1, 2017 1:13 PM

Adding to my above….

Later implementations of x86 (and x86-64) as well as other nominally von Neumann CPUs (ARM, SPARC, PPC etc) do have a quasi modified Harvard concept in the NX (no execute) bit (goes by different names on different processors). But this merely protects (or endeavors to protect) blocks or pages of the uniform (mixed data and instruction) memory space from execution.

In Harvard architecture, instruction and data spaces are completely different. I.e., hardware location 0x100 in the instruction space is something completely different from hardware address 0x100 in data space.

(Interestingly, the venerable 6502 8-bit processor has a signal pin which indicates whether the CPU is doing an instruction fetch or a data fetch, so could in theory be used to design a system with a Harvard or modified-Harvard architecture.)
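As an added illustration of the NX-bit point above (example code, not from the original comment; Linux-specific, and it assumes /proc/self/maps is readable): a page is mapped as plain data, its permissions are read back from the kernel, and it is then sealed read+execute with write dropped, the W^X discipline that approximates Harvard-style separation on a uniform address space. The last helper counts any mapping that is both writable and executable, a quick self-check for the unsafe state.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

/* Look up the permission string ("rw-p", "r-xp", ...) of the mapping that
 * contains addr by scanning /proc/self/maps. Returns 0 on success, -1 if
 * the file is unavailable or the address is unmapped. Linux only. */
int page_perms(const void *addr, char perms[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    uintptr_t a = (uintptr_t)addr;
    char line[512];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3) continue;
        if (a >= lo && a < hi) {
            memcpy(perms, p, 5);
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Allocate one anonymous page as data only (read + write). With NX enabled
 * the CPU refuses to fetch instructions from it. */
void *alloc_data_page(size_t *len) {
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0) return NULL;
    void *p = mmap(NULL, (size_t)ps, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    *len = (size_t)ps;
    return p;
}

/* W^X transition: the page becomes executable only once write is dropped,
 * so it is never writable and executable at the same time. */
int seal_as_code(void *p, size_t len) {
    return mprotect(p, len, PROT_READ | PROT_EXEC);
}

int release_page(void *p, size_t len) {
    return munmap(p, len);
}

/* 1 if a perms string names the unsafe writable-and-executable state. */
int is_wx(const char perms[5]) {
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Count W+X mappings in this process; a hardened process expects 0.
 * Returns -1 if /proc/self/maps cannot be read. */
int count_wx_mappings(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int n = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) == 3 && is_wx(p)) n++;
    }
    fclose(f);
    return n;
}

int main(void) {
    size_t len = 0;
    char perms[5] = "----";
    void *p = alloc_data_page(&len);
    if (!p) return 1;
    page_perms(p, perms);
    printf("as data: %s\n", perms);        /* expected rw-p */
    seal_as_code(p, len);
    page_perms(p, perms);
    printf("as code: %s\n", perms);        /* expected r-xp */
    printf("W+X mappings in process: %d\n", count_wx_mappings());
    release_page(p, len);
    return 0;
}
```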

AJWM May 1, 2017 1:16 PM

P.P.S (and that’s it, honest…)

Of course it doesn’t matter how secure your hardware is if your OS is full of security holes, any more than vice versa. Weakest link and all that.

anony May 1, 2017 2:28 PM

Intel processor backdoor confirmed

Remote security exploit in all 2008+ Intel platforms

https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/

“Every Intel platform from Nehalem to Kaby Lake has a remotely exploitable security hole. SemiAccurate has been begging Intel to fix this issue for literally years and it looks like they finally listened.

The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment.”

Drone May 1, 2017 3:15 PM

Here we go again…

“Rare Endangered Squid Found Stranded on N.C. Beach. Likely Caused by U.S. Navy Sonar. Naked Protesters Covered in Black Ink Display Outrage – Chant ‘Squid Lives Matter’!”.

r May 1, 2017 5:00 PM

While Intel does say it affects first gen core+++ systems, there’s a tiny little note stating that the bug ‘does not affect consumer devices’…

Clive Robinson May 1, 2017 6:09 PM

@ AJWM,

I’d say von Neumann architecture machines are a rather poor choice, etc. Modified Harvard architecture is somewhat better, and Harvard best of all of existing common architectures.

The Intel CPUs for some time have been internally a modified Harvard architecture, hence the cache architecture.

Whilst a full Harvard CPU, internally and externally, has security advantages, it has significant functional limitations. One of which is it cannot load executable code and still maintain the security it gains from the separation of the instruction and data buses. The simple solution to the loading of programs is to use a P-Code, J-Code, Forth or even BASIC interpreter in the code memory and load the token code into the data memory. But this too removes the separation of data and code, and thus the security advantage…

It’s why full Harvard architectures are few and mainly in the all-in-one chip microcontrollers used in the embedded systems market.

There is another way to load the code with a Harvard CPU, which is via DMA from another CPU that acts as a hypervisor. It’s a method I’ve spent some time investigating in the past, and if done properly it can maintain the security advantage you get from the separation. However you have to ensure you maintain separation all the way. Which often includes fully separate storage systems for code and data, which has other issues.

Thoth May 1, 2017 7:45 PM

@anony, Clive Robinson, ab praeceptis, r, Nick P

re: Intel AMT/SGX backdoor

If you look at the architecture of Intel AMT, it resembles that of the ARM TrustZone, where a “Secure Partition” CPU (in Intel’s case the AMT partition and in ARM’s case the TZ Secure World partition) has hardware level super duper root access, or some sort of Ring -1000 access. The main CPU is not the one truly in charge; this all-powerful super duper partition (a.k.a. Secure World) is the one truly the boss and has so much more powerful access.

Intel AMT/SGX is the tip of the iceberg. The one that is truly problematic is the ARM platform, which gave rise to this ARM TrustZone, which is the predecessor of Intel AMT/SGX, AMD SP, Samsung KNOX and Apple’s Secure Enclave. This extremely powerful super duper Secure World partition (which is less than secure anyway), due to its immense ability and privileges, has to be properly designed and implemented. But if we look at the feature list, which not only runs its own separate kernel but also has interception and modification capabilities, one is looking at an immensely complicated super duper Ring -1000 that is not only providing its supposed task of a hardware separated “Secure Execution Enclave” but provides so many more features with interception and modification capabilities, so no wonder it becomes too overly complicated to be anything usable in security. Also, the allure of turning this super duper Ring -1000 CPU into a hardware backdoor is irresistible, and no sane company in this age of market corruption would back down from the desire to simply backdoor everything that can be backdoored. Thus, adding a backdoor on such a huge feature set for a Ring -1000, the corporations’ attitude to researchers and the secrecy around TrustZone and its “offspring” suddenly turn into a huge mess whose envisioned security goals will never be met. This horrendous monster that is supposed to provide security has, as proven time and again, turned out to be badly implemented and with backdoors.

The worst part is the ARM A series chips are now widespread and can be found in your IoT systems, routers, digitalized security cameras, your smartphones and probably some dumbphones. It is everywhere, and the ARM A series chipset has the TrustZone capabilities, and this means we are always having tonnes of backdoors. Not to forget your favourite Single Board Computer (i.e. Beaglebone, Raspberry Pi, Orange Pi, $9 CHIP et al.) all use ARM A series chips and are known to have TrustZone, which translates to potential backdoors everywhere.

It is not looking really good now that almost everything after 2008 is to be considered a gone case, as @Clive Robinson has suggested. The only choices are to use chips that are old, or to use chips that have been well documented, have tonnes of information in the open and are without secret sauce “security partitions”. For now I have noticed the ARM Cortex M series without the TrustZone, and with a good amount of documentation available for the many Cortex M type chips (i.e. STM32F), would be rather useful to implement your own projects.

Also, my above mention of using smart card based TEM modules to offload security sensitive operations into the smart card’s DSEE environment would be rather nifty if one uses it with the open source TEM applet and compiler provided. I have yet to test the TEM, which I will be doing in the future.

Nick P May 1, 2017 8:02 PM

It’s what we said would happen. I’ve been warning people, including in IT security, for a long time about that. Sure enough, there’s a backdoor in a component with network and DMA access that listens while the computer is off. Because of course there is. 🙂 Also, Intel participated in the Trusted Computing Group with their closed door meetings with the NSA. I haven’t trusted them not to subvert us since, given those meetings’ real purpose was mostly DRM and backdoors with security as the public benefit.

All that said, FioraAeterna on Lobsters who works on GPU code generators warned the site has a history of bullshitting and not getting its facts correct. They sometimes don’t know the basics of the material they post on. Intel posted an advisory on this so we know it’s at least there. I am passing along this epic example she said was her favorite where they talked GPU’s:

“You probably don’t remember but the Midgard architecture you know and love is a four wide architecture four stages deep. Each cycle one thread, aka a triangle or quad, is issued to the execution units. Since they are four wide they can take a full quad a cycle which is a really good thing. Unfortunately most game developers seem stuck on triangles which tend to use only three of the SIMD vector lanes. This is bad but modern power gating means it won’t consume hideous amounts of power, it just doesn’t utilize the hardware to its maximum potential often. The technical term for this is inefficiency.”

I’m adding emphasis on the part where I would’ve laughed them out the room.

ab praeceptis May 1, 2017 8:04 PM

Thoth

I fully agree.

But: The fun doesn’t end there. Welcome to the next deeper level, to the world of verilog and VHDL where test harnesses – even when done by experienced professionals – commonly don’t catch all errors. Which translates to a richly filled basket of funny bugs in all that lovely AMT circuitry (and others).
Actually, that should also somewhat spoil fun for the the sectarian religion of testing but don’t be worried, the believers are not easily shaken in their sectarian habits.

Funny fireworks in the making.

Clive Robinson May 2, 2017 3:38 AM

Spooky, Nick P,

It’s a real shame to see Grsecurity pack up their toys and leave. They have some excellent ideas, at least when it comes to bandaging the Linux kernel in its current form

The root of the problem appears to actually be the Linux Foundation and their PR and misappropriation of IP without any acknowledgment via the KSPP.

Basically, as we know, the security of the code that the public face kernel developers have produced is, shall we say, flaky at best. Grsecurity put in a lot of effort sorting out some of these issues but basically got blanked by the kernel developers, whose own agendas did not have very much to do with security.

The kernel developers argument to anyone talking about security issues with their code was and still is “upgrade to the latest…”[1]. A few moments thought will make most realise that whilst one or two old bugs might get fixed there will be a whole slew of new ones. Thus the upgrade to the latest version is “A one way ticket on the hamster wheel of pain”.

However the lack of kernel security is becoming quite an embarrassment for the public faces as people keep asking them questions for which the answers would tarnish the myth of Linux. Thus the political trick of setting up a PR front of the KSPP, which talks a good game based on Grsecurity’s work but does not acknowledge the work they have done or how most of the recent Kernel security threats would not have been an issue if the Grsecurity work had been in the kernel years ago.

So for the Linux Foundation it’s a political “Put lipstick on the face of the piglets, whilst sending the sow to slaughter” game under the excuse of “All for the Greater Good” of “It’s our way or no way” tyranny, which will keep certain corporate interests happy and probably the likes of the NSA, GCHQ and other SigInt agencies as well.

So Grsecurity are exercising their IP rights, which they hope will throw the points on certain kernel developer “gravy train” agendas.

It will be interesting to see how it plays out.

[1] https://forums.grsecurity.net/viewtopic.php?f=7&t=4476

Clive Robinson May 2, 2017 4:10 AM

DA issues false/fraudulent subpoenas

In yet another abuse of power “For the common good” a DA’s office in the “deep south” is trying it on big style, and even though caught out are saying that their crime is ok because it’s for the common good…

https://www.techdirt.com/articles/20170428/20250437262/louisiana-das-office-used-fake-subpoenas-decades-to-trick-people-into-talking-to-prosecutors.shtml

You can be sure that, like cockroaches, where you see one scuttling for cover there will be hundreds more…

Anselm May 2, 2017 6:28 AM

The impasse as far as the grsecurity extensions to Linux are concerned is that current Linux kernel development practices dictate that something as big as grsecurity is introduced in a number of incremental, reviewable patches that build on each other and touch only manageable amounts of kernel code. The people behind grsecurity don’t want to do this work without being paid for it, but they have also said they won’t accept payment from the Linux Foundation. In addition, they seem to have issues with other people reviewing their code prior to merging into Linux. Finally, Linus Torvalds isn’t enthusiastic about some of the things they do in their code – it can be debated whether his concerns are justified or not, but the net effect is that this holds things up.

The Linux kernel development community at large is often criticised for not putting the appropriate emphasis on security, which to some people means prioritising security over any other concern such as maintainability, efficiency, backward compatibility, and so on. The KSPP is about integrating the less controversial bits of grsecurity (among other things) and tends to attract flak from both kernel developers and the grsecurity project.

ab praeceptis May 2, 2017 9:25 AM

Clive Robinson

“DA issues false/fraudulent subpoenas” – How shocking and surprising!

Who would have thought that the “lighthouse of democracy” actually doesn’t care a rats a** about democracy, law, and basic rights?!

Clive Robinson May 2, 2017 9:50 AM

@ ab praeceptis,

Who would have thought that the “lighthouse of democracy” actually doesn’t care a rats a** about democracy, law, and basic rights?!

Totally shocking, I had to blink twice…

After all in England –where the US nicked its legal system from– we expect the journalists to accept what a member of the entrenched legal/political class says as “Gospel” / “Kosher” and to only report favourably. That’s the problem with the free press in the US of A: you have to bribe them with dinners at the White House etc., otherwise they don’t say what you want them to say. Most annoying 😉

ab praeceptis May 2, 2017 11:22 AM

Clive Robinson

So, one might say that us of a is to law what linux is to security it seems …

Seriously, I have been refusing since quite some years to travel to the us of a and the lawlessness and quite arbitrary “rights” and behaviour of their leas and officers is a major reason for my position.

Sure, other countries (incl. uk) aren’t exactly angels either but there is at least a widespread understanding with lea that lea officers should (at least usually, in most cases) act in a lawful manner.

Thoth May 2, 2017 7:19 PM

@ab praeceptis

re: Fake Subpoenas

Nothing short of what is expected of a country where its legal and political systems have long been crippled by swarms of thieves with status and power, harming the populace in the name of so-called “Democracy” and “Common Good”.

They might as well learn from Asians by giving their officials absolute power without need for any subpoenas, so that there is no need to blatantly lie, and it makes their process easier. One example is the sweeping powers given to agencies in Asian and South East Asian countries in a dictatorial style setup.

Clive Robinson May 3, 2017 9:02 AM

@ Bruce,

A follow up on the supposed “cufflinks terrorist”: Samata Ullah (34) has been found guilty and sentenced to 8 years in jail.

What is not clear is what involvement the FBI had, as he for some reason unknown pled guilty…

Freezing_in_Brazil May 3, 2017 2:36 PM

Everyone who makes wild generalizations about Brazil [like Brazilian Mob – come on, really?] deserves to be slapped in the face with a squid.

Brazil is BIG country, not well-suited for crazy generalizations. Any poster on SoS should know better.

*BTW, great software being done here. Never underestimate the prowess of Brazilian IT people [or do it, for our comfort, thanks very much].

Clive Robinson May 3, 2017 4:39 PM

@ Nick P, usual suspects,

We occasionally talk about journalists and their OpSec, and one thing that comes up is photo / video and the overly obvious cameras.

Well a professional war photographer writes why he’s switched to “A cheap Chinese Copy” android phone.

Even if you are not thinking OpSec, such a high quality image platform would be of interest to many:

https://www.outsideonline.com/2175146/why-my-new-professional-war-camera-cheap-chinese-iphone-knockoff

It might be interesting to find out just how well it does with IR lighting and that B&W sensor.

Jacob May 3, 2017 7:30 PM

We all got amused watching how King Theo took his machete to slice and dice OpenSSL at the time, ridiculing the hell out of that ancient code base, full of holes and support of god-forgotten operating systems.

Laugh no more: LibreSSL has, for the last few versions, been accepting illegal/invalid certificates during TLS negotiations and declaring them valid.

http://seclists.org/oss-sec/2017/q2/145

Figureitout May 3, 2017 11:17 PM

Clive Robinson
–Good for him. Depends on what type of opsec you want to do, strongest requires no smartphones (minimize tech where possible) and unlivable paranoia. If you’re taking pictures and don’t care if they’re public, then smartphones are fine. Have to operate w/ assumption there’s an unknown amount of hidden backdoors for remote wiping phone and memory cards, you’ll behave extra safe w/ that assumption. Back up any important pics ASAP. Also, so long as you’ve never put PII on the phone, wouldn’t need to cleanse image metadata w/ screen shots & “snipping tools”; again only if you don’t want your identity known.

Francis May 4, 2017 3:18 AM

There was a post here to WikiLeak’s tweet that they released a password to some whistleblower material in response to censorship attempts.
Was it real? Why would WikiLeaks use a password like ShatterIntoAThousandPiecesAndScatterInTheWind? My bank said good passwords must have a special character, a digit, and can’t be over 8 characters. Is WikiLeaks using bad password practices?

Dirk Praet May 4, 2017 3:32 AM

@ Chris

there is a new project on git for linux an appfirewall called Opensnitch.

Thanks for the heads-up! With the exception of Subgraph, it’s something that is prominently missing from Linux and should really have been there by default for ages.

Wael May 4, 2017 3:34 AM

@Francis,

and can’t be over 8 characters.

It should state: ‘can’t be under 8 characters’.

Is WikiLeaks using bad password practices?

A somewhat subjective question. Seems a good password / quasi pass-phrase.

Wael May 4, 2017 3:40 AM

@Clive Robinson,

Well a professional war photographer writes why he’s switched to “A cheap Chinese Copy” android phone.

It’s his insurance against border / unexpected checks. If his professional equipment had cellular data connectivity, I believe he’d stick with them. Take a picture, upload it somewhere safe, and leave ‘non-incriminating’ pictures in the camera’s memory. Does he know about methods of digital interception?

ab praeceptis May 4, 2017 4:25 AM

Jacob

Well that’s actually not too surprising. Keep the context in mind. A bunch of OpenBSD and related C developers were going full steam ahead under quite some pressure to pull off the LibreSSL thing. And the goal wasn’t – and couldn’t sensibly be – to create “perfect ssl”; the goal was to create an alternative that was way less bug ridden than openssl. That goal they achieved and they achieved it remarkably fast. Praised be the OpenBSD crowd.

Btw, part of the context is also that the OpenBSD people started working barehanded; some even smirked at them – while the linux foundation got thrown millions of $ at itself. That alone was utterly ridiculous and demonstrated how rotten much of the foss universe is, particularly the part around linux.
That was absurd and infuriating. linux getting millions and being more of a problem than a solution – and – OpenBSD actually doing the work but being largely ignored by the foss donor mafia.

Thoth May 4, 2017 4:50 AM

@ab praeceptis

Here’s a possible theory why OpenBSD and its teams and projects are relegated to the side while the US Govt, big corps, XYZ foundations and institutions are pouring cash into less secure Linux: complacency and the larger userbase are the main issue. Linux is just like the next Windows XP 2.0, where people are either stuck with Linux flavours or Windows, and that is especially true with enterprises, where they are less willing to upgrade the Windows patches, let alone do something more complex like patching Linux kernel bugs.

Another subtle reason is for the 5Eyes to keep people on Linux so that they can continue to hoard their bugs. The 5Eyes have also pushed and sponsored adoption of Linux, and one probable reason is that if everyone suddenly woke up and moved away from Linux to OpenBSD, they would immediately lose a ton of access to systems they once had reach into, although they could technically use more advanced backdoors like CPU level ones (i.e. Intel AMT/AMD SP/ARM TZ), but that would directly confirm the existence of such backdoors and force the companies that are in bed with them to lose sales, which is bad for both the 5Eyes ICs and the CPU manufacturers.

The easier solution would be to keep the FOSS hoard distracted with Linux and all things Linux to make it look cool and savvy while quietly finding and hoarding more bugs than ever to gain access to a whole ton of people running Linux and Android.

Trying to “code it safe and secure” is very difficult, as @Clive Robinson has pointed out many times. It is already so difficult to code it “safe”, let alone to add the word “secure”. The OpenBSD team did a good job but not good enough since someone found bugs in their LibreSSL.

Clive Robinson May 4, 2017 9:05 AM

@ Thoth, ab praeceptis,

It is already so difficult to code it “safe”, let alone to add the word “secure”. The OpenBSD team did a good job but not good enough since someone found bugs in their LibreSSL.

I would say that it is not so much “difficult” as “impossible” to code it safe or secure in absolute terms.

There are a number of reasons for this but the important ones are: firstly, “unknown-knowns / unknown-unknowns”, of which you can only generally mitigate against the former and do essentially nothing against the latter. Secondly, bubbling up attacks: at any level of the computing stack, from international treaty level down to quantum effects at the lowest physical level, you usually can not mitigate at a lower layer in anything like an efficient manner with current standard / COTS systems designs.

Because of the above, that is why we have to consider as primitive mitigation methods as we can. Which boil down to strong segregation of functions, fully defined interfaces and instrumentation of the interfaces.

But this alone is insufficient as things fail or have failure built in. In the simple case of “fault tolerance” a system uses identical parts in parallel, if one part fails the other parts take over in what is called “fail over”. Whilst this works at the component level, it does not function if the fault was “built in” as all identical parts will fail. To protect against this you use hybrid design where the parts in parallel are deliberately designed not to be identical and produced by different teams from a functional specification. The problem of course is if there is a fault in the functional specification.

Thus even formal methods will not find all faults thus you can only talk in relative measures when talking about safety or security.

I’ve talked about this in the past when discussing Castles-v-Prisons and the resulting “Probabilistic Security”.

Which brings us back to OpenBSD, whilst they are very thorough at what they do they have to work within certain constraints, such as having to run on inherently insecure and unmitigatable systems…

One issue that will upset many is the implications of the “Unix legacy”. Unix was not designed to be anything other than very minimally secure, because its main goal was “Efficiency” of resource use. Both safety and security carry a heavy cost in terms of resources, thus they did not figure at all in the original unix design. In fact safety and security came late to the unix game, by which time it was difficult to bolt them on, with the not unexpected detrimental effects.

Whilst most don’t consider it, both Apple’s and Microsoft’s OSs suffer from the “unix legacy” at the levels it counts for when talking about safety and security. Thus the three main commodity OSs are, and will continue to remain, deficient as far as safety and security are concerned.

Thus the question arises of how to deal with this, the problem being that in commodity systems you have even less choice when it comes to hardware. Basically x86 or ARM, both of which are known to have both safety and security faults built in…

Thus the bottom line is current commodity systems are not the way to go when either safety or security are a consideration, irrespective of what OS and system languages you use.

Which raises the question of whether you could get some hybridization from commodity hardware in some way. When it comes to PCs I think the answer is no. But with microcontrollers and some smart cards then the answer may be yes, if chosen with care. However there is a high price to pay in terms of performance.

Thus consideration should be given to using current PCs as more or less “observing terminals” with critical functionality carried out in other modules where it is possible to get hybrid advantages.
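The fail-over versus hybrid-design argument above, as an added worked example (not Clive Robinson's code): three units built from the same one-line functional spec run behind a majority voter. A crashed unit is simply dropped (fail-over), a diverse unit carrying a fault is outvoted and named, but three identical copies of the faulty unit agree on the wrong answer and the voter cannot see it. The leap-year rule, the unit names and the labels are assumptions chosen for illustration.

```python
import calendar
from collections import Counter
from typing import Callable, List, Tuple


# Four "parts" for one function, built from the same one-line functional
# specification: "a year is a leap year if divisible by 4, except century
# years, which must be divisible by 400". Rule and names are assumptions.
def unit_reference(year: int) -> bool:
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def unit_stdlib(year: int) -> bool:
    return calendar.isleap(year)        # a second, independently written implementation


def unit_buggy(year: int) -> bool:
    return year % 4 == 0                # fault built in: this team forgot the century rule


def unit_offline(year: int) -> bool:
    raise RuntimeError("unit offline")  # a part that fails outright (fail-stop)


Unit = Tuple[str, Callable[[int], bool]]

# Hybrid design: three non-identical parts from different "teams".
DIVERSE: List[Unit] = [("ref", unit_reference), ("stdlib", unit_stdlib), ("teamC", unit_buggy)]
# Plain fault tolerance: three identical parts, all carrying the same built-in fault.
IDENTICAL: List[Unit] = [("c1", unit_buggy), ("c2", unit_buggy), ("c3", unit_buggy)]


def redundant_call(units: List[Unit], year: int) -> Tuple[bool, List[str], List[str]]:
    """Run every unit, drop the ones that crash (fail-over) and take a strict
    majority of the survivors. Returns (value, dissenters, crashed); raises
    if nothing survives or the survivors cannot form a majority."""
    answers = {}
    crashed: List[str] = []
    for label, fn in units:
        try:
            answers[label] = fn(year)
        except Exception:
            crashed.append(label)
    if not answers:
        raise RuntimeError("every unit failed: nothing to fail over to")
    value, votes = Counter(answers.values()).most_common(1)[0]
    if votes * 2 <= len(answers):
        raise ValueError(f"no majority among surviving units: {answers}")
    # Units that disagreed with the majority: a diverse design makes the
    # faulty part visible; identical parts never disagree with each other.
    dissenters = sorted(label for label, v in answers.items() if v != value)
    return value, dissenters, crashed


if __name__ == "__main__":
    print("diverse, 1900   :", redundant_call(DIVERSE, 1900))    # teamC outvoted and named
    print("identical, 1900 :", redundant_call(IDENTICAL, 1900))  # wrong, unanimous, invisible
    print("with a crash    :", redundant_call(
        [("ref", unit_reference), ("x", unit_offline), ("stdlib", unit_stdlib)], 1900))
```

A fault in the specification itself (say, a spec that omitted the 400-year rule) would make all three diverse units agree on the same wrong answer, which is the residual risk the paragraph ends on.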

Sergio May 4, 2017 10:17 AM

Hi everyone.
Of course no reason is needed, since this is a private site, but I’m confused why my post was deleted, or if it was even intentional.
I was just asking if there were any resources available on making executable files perform electronic error correction on themselves, similar to how programs like WinRar can make self extracting archives.
That’s not very security related but isn’t general discussion allowed in squid posts? If it’s not, apologies.

ab praeceptis May 4, 2017 10:38 AM

Clive Robinson

I’ve mentioned (or should I say warned?) quite a few times that we will waste lots of energy and work if we don’t properly define what we’re after and what the problem is.

Quite often or even almost always (when reading here) the problem seems to be that security is-not-100%.

That is wrong, or, more precisely, that is indeed a problem we have – but not the problem that is plaguing us and that makes our data and communications pretty much a free meal for intelligence agencies and other criminal organisations!

That, the plague problem, is that we have basically NO safety, security, etc. The vast majority of software was developed not even trying to achieve even a reasonable minimum of safety. Safety, security, etc. were simply non-goals!

No matter whether OSs, libraries, office suites, compilers, or what not, the typical goal spec. has been and is something like “shall perform desired services under usual and common circumstances”.

Just look at testing! Typically testing is more or less about what I just wrote about usual goal specs. The difference between testing sloppily and thoroughly is much about what “usual and common circumstances” might mean.

To be worried about someone cunningly eavesdropping, say the optical interface between two of our devices, from time to time would be a rather luxurious situation compared to the current situation we’re in.

Being interested in this field, I’m of course interested in e.g. Clive Robinson’s somewhat exotic musings; similar to a doctor being interested in some exotic rare disease. We are, however, not doctors in an academic setting researching the outer edges of our field – or at least we shouldn’t be, because our world is ravaged by a massive plague epidemic (to stay in the doctor image).
I’m much interested in the outer edges of our field – but the people out there don’t die due to exotic diseases; they die because our streets and cities are full of sh*t and waste, and washing one’s hands before eating is considered a rather funny and shrewd thing to do which even most cooks don’t do …

Yes, some of the doors in our houses are not at all of good quality. But it might be smart to first get rid of the plague epidemic and all the rabid dogs, wouldn’t it?

Aaron Barr, International Man of Cyber-Mystery May 4, 2017 11:55 AM

@Thoth, regarding your concept of linux as a honeypot or roach motel for surveillance. You might want to peruse Kaspersky’s statistics on vulnerabilities that have actually been exploited. For linux you can count them on the fingers of one hand while eating a messy sandwich. To align your idea with the evidence, you could embroider it by saying, they’re holding the vulns in reserve, or they’re so diabolically cunning that no one’s ever caught them at it. But neither possibility holds water.

Holding vulnerabilities in reserve is contrary to the bureaucratic imperative we’ve consistently seen in the Snowden and Vault 7 docs. Bureaucrats don’t sit on the vulns, they scrounge frantically for the flimsiest excuses to use them and show them off.

And the more we see, the clearer it is that these are not superhuman brains in jars, these are beltway drones. Remember when NSA was far too clever to tamper with BIOS, they must be reprogramming your MAC? Most of NSA’s best tricks work only on people who naively trust the government.

How do you stop NSA vermin from gnawing your wires and burning your building down? Ask an exterminator. Plug the holes, sure, but that’s not enough. Put out traps and baits and hide the food. And get a couple ratters. Wikileaks, Citizen Lab, Project PM, they’re the ratters.

JG4 May 4, 2017 1:30 PM

@Sergio

I have been asking similar questions and I think that I suggested a wiki and AI for cataloging the brilliant information in here from the usual suspects, especially as it regards toeholds for books, hardware, firmware and source code. No one ventured an answer to my request for starting points, and I have a solid foundation, except for the permanent cognitive deficits. I also have another excellent answer to my question, but haven’t yet received permission to post that one.

From: JG4
Date: Sun, Apr 16, 2017
Subject: quick easy question: Linux books, etc.
To: A. Goodfriend

Hi A.,

I’ve stagnated some in recent years, although I still enjoy the Zerohedge doomporn as much as the next guy. I [finally] realized that I am nearly clueless about Linux and a lot of other important topics (web tools, scripting, etc.). Can you point me to any book lists that will cure ignorance?

Thanks, JG4

From: A. Goodfriend
Date: Wed, Apr 26, 2017
Subject: Re: quick easy question: Linux books, etc.
To: JG4

Hello,

This is actually a hard question because there’s a lot of ground to cover.

When I was in college, this was a textbook for CS 120 (the programming in C class):

[…you can look this up at goodreads without feeding the beast]

https://www.amazon.com/UNIX-Impatient-2nd-Paul-Abrahams/dp/0201823764

We had the first edition of that book, and I don’t remember if it was an optional textbook for the course, but it was a very useful one. I found a copy of the second edition a few years ago and skimmed it and it still seemed relevant. I recommended it to a co-worker back then. It probably won’t help you with system administration-related tasks, but it covers a lot of utilities you’ll find on Linux (and Unix) systems like sed, shell scripting, etc.

Late last year there was a Humble Bundle of Unix books from O’Reilly. It’s ended now, but the list of books they offered is at

https://web-beta.archive.org/web/20161207184823/https://www.humblebundle.com/books/unix-book-bundle

Some of those books are old and programming-related — might not be of much use to you.

I work for a company that does outsourced development (they started off by selling their own games, but they haven’t self-published in a few years now). They have a group of people working on Android apps, another group for iOS apps, a few web developers, a large games team that uses Unity3d, and a few other departments (illustrators, 3D graphics artists, game designers, QA, project managers, etc.).

The Android people all know Java and the iOS devs use Objective-C or Swift. The games team works with C# (Unity3d) and some C++ (cocos2d-x for older projects). Everyone in those teams knows their entire stack. The web team, though, is a mess. Some people know Ruby on Rails, some people use node.js or do front-end work only (CSS + HTML + Javascript on the browser), and two work with Python for a long-running project. There is no single platform for the web. We’re trying to make everyone use either Ruby on Rails or node.js for new projects, and to try and deploy to one platform (Google App Engine). Most of the web team isn’t familiar with Unix.

A lot of free courses at

https://www.udacity.com/courses/web-development

might be good to start with.

A. Goodfriend

From: JG4
Date: Mon, May 1, 2017
Subject: Re: quick easy question: Linux books, etc.
To: A. Goodfriend

Thanks for your very helpful reply. If I wasn’t clear on this point, it always comes down to the same question on your planet. “What is the highest and best use of resources?” You can define resources in many ways, but I like “blood, sweat and tears” as well as “time and money.” Can I post your comments to Schneier after removing all information about your identity?

From: A. Goodfriend
Date: Tue, May 2, 2017
Subject: Re: quick easy question: Linux books, etc.
To: JG4

On Mon, May 1, 2017 JG4 wrote:

> Can I post your comments to Schneier after removing all
> information about your identity?

Sure!

A. Goodfriend

Clive Robinson May 4, 2017 5:54 PM

@ Wael,

Nearly missed this,

It’s his insurance against border / unexpected checks. If his professional equipment had cellular data connectivity, I believe he’d stick with them.

Possibly, possibly not. Expensive camera / audio gear says “journalist” way more than anything else does. A scratched up mobile phone says not very much these days.

Whilst a smart phone may be problematic ICT security wise, an expensive camera with mobile data attachment is probably more vulnerable, and certainly not “use & throw away”. Whilst a $500 phone is not something you’d “not mind” losing, it’s a fraction of the price of a Hasselblad and a couple of lenses, and a lot less than a satellite phone with data connectivity suitable for large format pictures or video.

But the point is a generic mobile phone does not really attract that much attention these days.

Further, a mobile phone as a camera can be hard to spot if used with a book / magazine / newspaper, as many have the lens right at the top of the phone so only a cm or so would stick out. Likewise you can always do the old Minox camera trick, which is to use a cigarette packet over the top with an unobtrusive hole for the lens to look out through. So after a little practice you pick it up and take a picture whilst pulling a cigarette out of the packet, all in one fairly natural looking movement.

Whilst the equipment might be new the old dog does the tricks the old way just as they have for years…

tyr May 4, 2017 5:58 PM

@Sergio

It probably won’t help much but ECC on executables is usually handled at the core CPU levels inside the chips themselves.

Once you go up to the application program level you want the executable to fail so it can be fixed. Most of the ECC stuff is done within the memory chips to get reasonable data integrity. Running partially failed executables is a really bad idea. If you think about it for awhile you’ll see why failure is a much better idea. Nick P. is probably the go to guy for documentation of this kind of thing. CPU designers are quite secretive about how they do internal ECC.

Here’s an interesting quote I ran across on Charlie Stross’ blog.

Elderly Cynic | April 12, 2017 16:27

The days of actually fixing (or even locating) non-trivial bugs are long gone, and have been largely replaced by making changes or adding layers so that the bug does not appear in the cases that ‘matter’. Also note the increasing use of fixing problems by changing specifications and even contracts – yes, some do (effectively) say “thou shalt not cause our software to misbehave”. Several decades ago, I said that computing was ceasing to be a mathematical/engineering discipline and rapidly becoming something closer to animal or plant breeding. A rather eminent computer scientist regretfully agreed that I had a point!

You can see that approaches vary.

xt521 May 4, 2017 6:15 PM

@JG4

In terms of transfer functions and vectors, misinformation is the result of quasi-random errors that are shaped by cognitive bias, whereas disinformation is a non-random modification intended to advance an agenda.

So would the following be a prime example of disinformation?

Clive Robinson • May 2, 2017 3:38 AM

It’s a real shame to see Grsecurity pack up their toys and leave. They have some excellent ideas, at least when it comes to bandaging the Linux kernel in its current form

The root of the problem appears to actually be the Linux Foundation and their PR and misappropriation of IP without any acknowledgment via the KSPP.

Basicaly as we know the security of the code that the public face kernel developers have produced is shall we say flaky at best. Grsecurity put in a lot of effort sorting out some of these issues but basicaly got blanked by the kernel developers, who’s own agenders did not have very much to do with security.

The kernel developers argument to anyone talking about security issues with their code was and still is “upgrade to the latest…”[1]. A few moments thought will make most realise that whilst one or two old bugs might get fixed there will be a whole slew of new ones. Thus the upgrade to the latest version is “A one way ticket on the hamster wheel of pain”.

However the lack of kernel security is becoming quite an embarrassment for the public faces as people keep asking them questions for which the answers would tarnish the myth of Linux. Thus the political trick of setting up a PR front of the KSPP, which talks a good game based on Grsecurity’s work but does not acknowledge the work they have done or how most of the recent Kernel security threats would not have been an issue if the Grsecurity work had been in the kernel years ago.

So for the Linux Foundation it’s a political “Put lipstick on the face of the piglets, whilst sending the sow to slaughter” game, under the excuse of “All for the Greater Good” of “It’s our way or no way” tyranny, which will keep certain corporate interests happy and probably the likes of the NSA, GCHQ and other SigInt agencies as well.

So Grsecurity are exercising their IP rights, which they hope will throw the points on certain kernel developer “gravy train” agendas.

Considering that he is telling people to use Windows instead of Linux due to the possibility that Linux updates might introduce new features (which could potentially have bugs), and since he left out the part about how security focused Linux distros use LTS(Long Term Stable) releases which specifically opt out of new features to prevent exactly this problem…
Since he basically says “use Windows since its updates are safer than Linux’s” even though Microsoft admits to signing malware and pushing it in automatic updates that can’t even be refused starting with Windows 10…
Is his post a good example of some Chinese, Russian, or Western black hat hacker who is trying to spread disinformation in order to convince people to practice less safe computer usage?

mostly harmful May 4, 2017 6:21 PM

@Francis

There was a post here to WikiLeak’s tweet that they released a password to some whistleblower material in response to censorship attempts.

Was it real?

My understanding is that it is the password for decrypting some bittorrented archive of material that (at that time) had yet to be released. I expect the material formed part of the vault7 releases, but I am not up to speed on Wikileaks’ recent releases.

If the password had been fake, one suspects it would be difficult to avoid hearing about.

Why would WikiLeaks use a password like ShatterIntoAThousandPiecesAndScatterInTheWind?

It is probably a reference to this: https://www.reddit.com/r/AskHistorians/comments/4tjcz7/did_jfk_actually_say_he_wanted_to_shatter_the_cia/#content

So, the password in question served two purposes; it was at the same time two things:

  1. a password
  2. a message

My bank said good passwords must have a special character, a digit, and can’t be over 8 characters.

(Pace Wael’s contention that Francis’s received advice was a misquote, there are still in operation systems which impose precisely the eight-character limit that Francis cites. That someone might mistake it, given the context in which it was probably offered, to be an inscrutable piece of “password security advice” is understandable.)

A limitation of password length to 8 chars is, on the most charitable interpretation, a limitation imposed by the software your bank chooses to use. Such a limit does not make anything more secure. Quite the opposite. All else equal, the longer a password is, the more passwords it might be, and hence the harder it is to guess.

As for requiring “special” characters, etc, if your passwords tend not to make use of the full character set permitted by the system in use, then they are more predictable than an arbitrary password, and hence weaker than the system permits. If you want to construct a maximally difficult-to-guess password, then you will want to consider all permitted characters when selecting each of its characters. Edicts like “It must contain a number”, “It must contain a ‘special’ character”, and “It must contain a mix of upper and lower case letters” are most likely attempts to encourage that practice.

However, if an authority really wanted to enable good password choices, they would spell out precisely what characters are permitted by the system in use. I cannot recall having ever seen this done, however.

Is WikiLeaks using bad password practices?

You here must be asking about this particular case, regarding the password to an ostensible encrypted archive which apparently neither you nor I have felt the inclination to download and try to decrypt?

There certainly are passwords of the same length that would have been more difficult to guess. If confidentiality of the password-protected material had been the only consideration, then Wikileaks’ choice of password was unnecessarily poor.

But consider Wikileaks’ presumed goals here, one of which was presumedly: To disseminate, yet delay revealing temporarily, material that it planned to reveal at some later time. Wikileaks, or so it seems, was not trying to keep the material in question confidential for all time. Quite the opposite, in fact.

And perhaps there were other goals as well: You and I, for example, are currently discussing, however tangentially, the Vault7 releases in a public forum, despite the fact that (as previously noted) neither of us felt inclined to fire up a bittorrent client in earlier days to download the encrypted archive, and hence make use of the password in question.

The curious message/password, even when not fully understood by a recipient (for example, you yourself, hence your question here), had the effect of signalling “There is meaning here,” and sparking someone’s further interest.

Making a password do double duty as both a key and a message entails dual tradeoffs:

  1. Your message length is constrained by the password environment.
  2. The conventions inherent to the linguistic medium of your message (here, written English) will impose patterns, which can be exploited, on the structure of your key.

Finally: I claim expertise in nothing and welcome corrections and criticism.
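An added example (not part of mostly harmful's comment) that puts numbers on the three points above: the 8-character ceiling, the character classes a password actually uses, and the cost of a password that is also a recognisable message. The 20,000-word vocabulary and the four-entry quotation list are constructed assumptions.

```python
import math
import re
import string
from typing import List, Optional

# Character classes a typical bank policy refers to (string.punctuation has 32 symbols).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}

# The WikiLeaks password discussed above.
PW = "ShatterIntoAThousandPiecesAndScatterInTheWind"

# Constructed stand-in for a list of well-known quotations an attacker might
# try in CamelCase; a real list would be far longer.
QUOTATIONS = [
    "splinter the cia into a thousand pieces and scatter it to the winds",
    "shatter into a thousand pieces and scatter in the wind",
    "ask not what your country can do for you",
    "the buck stops here",
]


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of strings of exactly `length` symbols over an
    alphabet of `alphabet_size` symbols: the most a password of that length
    can be worth, and only if every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def used_alphabet_size(password: str) -> int:
    """Alphabet an attacker must cover once they know which classes appear."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def char_model_bits(password: str) -> float:
    """Strength if every character were an independent uniform choice."""
    return keyspace_bits(len(password), used_alphabet_size(password))


def split_camel(password: str) -> List[str]:
    """Split a CamelCase passphrase into its words ('A' is a one-letter word)."""
    return re.findall(r"[A-Z][a-z]*", password)


def word_model_bits(password: str, vocabulary_size: int) -> float:
    """Strength if the attacker guesses whole words from a vocabulary of the
    given size instead of single characters."""
    return len(split_camel(password)) * math.log2(vocabulary_size)


def quotation_model_bits(password: str, quotations: List[str]) -> Optional[float]:
    """Strength against an attacker who tries each quotation on the list in
    CamelCase: log2(list length) if the password is on it, else None."""
    candidates = {"".join(w.capitalize() for w in q.split()) for q in quotations}
    return math.log2(len(candidates)) if password in candidates else None


if __name__ == "__main__":
    # Bank policy: at most 8 characters drawn from all four classes (94 symbols).
    print(f"bank policy, best case: {keyspace_bits(8, sum(map(len, CLASSES.values()))):.1f} bits")
    # Same password under three attacker models; the weakest model that fits wins.
    print(f"{PW}: {len(PW)} chars, alphabet of {used_alphabet_size(PW)}")
    print(f"  per-character model : {char_model_bits(PW):.1f} bits")
    print(f"  per-word model      : {word_model_bits(PW, 20000):.1f} bits (assumed 20,000-word vocabulary)")
    print(f"  quotation-list model: {quotation_model_bits(PW, QUOTATIONS)} bits")
```

The per-character figure is what a policy checker would report; the quotation-list figure is what the password is worth once the message is recognised, which is the second tradeoff in the list above.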

Thoth May 4, 2017 6:57 PM

@xt521

I do not recall @Clive Robinson talking about switching to Windows. Could you point out where he mentioned Windows?

In fact if you were to search through all his older posts, he makes fun of Windows as well.

Ratio May 4, 2017 7:49 PM

@xt521,

Considering that [@Clive Robinson] is telling people to use Windows instead of Linux […]

There isn’t even a mention of Windows. Are you sure that’s the meaning of the text you quoted?

@Clive Robinson does seem to have uncovered a link to issues of gender:

Grsecurity […] basicaly got blanked by the kernel developers, who’s own agenders did not have very much to do with security.

It’s unclear to me what the purported issue and its solution are, but the genderless among the kernel developers appear to be involved.

😉

Wael May 4, 2017 8:41 PM

@mostly harmful,

Francis’s received advice was a misquote, there are still in operation systems which impose precisely the eight-character limit that Francis cites.

I can see how you understood it this way. I’m saying a proper policy should state no less than 8 characters in its rules. I’m not saying @Francis misquoted something. I’m aware of the limitations imposed by some applications as you described.

Wael May 4, 2017 10:30 PM

@Clive Robinson,

Likewise you can always do the old Minox camera trick which is use a cigarette packet over the top with an unobtrusive hole for the lens to look out through.

You don’t need any lenses! Just use an IoT home-built matchbox pinhole camera: http://matchboxpinhole.com/box.html

Add a crystal receiver, a passive transmitter, and you’re all set. You know, use one of your few microwatt transmitters that can transmit signals to a few hundred miles! 😉

Clive Robinson May 5, 2017 12:24 AM

@ Wael,

You know, use one of your few microwatt transmitters that can transmit signals to a few hundred miles! 😉

I did tell you what the bandwidth was did I not?

You could die of old age waiting for a “screen shot” to send…

Wael May 5, 2017 12:30 AM

@Clive Robinson,

I did tell you what the bandwidth was did I not?

Yes, you did. I also told you about a compression algorithm I worked on but never finished.

You could die of old age waiting for a “screen shot” to send…

Better than dying at a young age if I’m caught with it, wouldn’t you say? 🙂

Jenny May 5, 2017 1:17 AM

@ Wael

and can’t be over 8 characters.

It should state: ‘can’t be under 8 characters’.

my bank expressly won’t allow MORE than 8 characters.

Wesley Parish May 5, 2017 4:59 AM

Anyone remember the discussion we had on this blog a few years ago about secure Linux LiveCDs? And the US Air Force LPS was mentioned, amongst others, iirc.

I decided to revisit LPS, since I’ve got a laptop with a defunct HD and a working CD/DVD reader.

According to Google, and via both Mozilla and Chrome, the TENS MIL https://spi.dod.mil/lipose.htm site is HTTPS but not trustworthy.

Will wonders never cease?!? They’ve apparently munted the config so it can’t be trusted. (I’ve downloaded the LiveCD, but I think I’ve now got one very very tame beer coaster.)

Chris May 5, 2017 8:24 AM

Hi, I tried to make a list regarding architect/fulcrum stuff from vault-7

maybe I forgot something or made some mistakes?

ARCHITECT/FULCRUM:

COPY OF THE SITE YOU ARE ABOUT TO VISIT
CAN ONLY BEEN DETECTED BY LOOKING AT THE SOURCECODE
IF SO, WHAT IS THE SOURCECODES FINGERPRINT EXACTLY?

LOOK BELOW

1.) MAC ADDRESS OF THE LAN SIDE OF THE GW
2.) MAC ADDRESS OF THE TARGET MACHINE (NWMANAGER 1.20 > 1.40) MAYBE THIS IS WHY ITS DELAYED?
3.) THE URL TO INJECT INTO THE HTTP RESPONSE
4.) THE INJECTION METHOD OF THE HTTP RESPONSE
5.) CHARACTER SET OF THE PIVOT MACHINE
6.) USER AGENT STRING WHITELIST ENTRIES
7.) USER AGENT STRING BLACKLIST ENTRIES
8.) ANY TARGET CONTENT TYPE MODIFICATIONS
9.) IS THE PIVOT MACHINE A LAPTOP OR A DESKTOP
10.) OPERATING SYSTEM VERSION OF THE PIVOT MACHINE
11.) THE BITNESS OF THE PROCESS FULCRUM WILL RUN IN
12.) THE PRIVILEGE LEVEL OF THE PROCESS FULCRUM WILL RUN IN
13.) WHAT PSP:S ARE PRESENT ON THE PIVOT MACHINE
14.) HOW THE FULCRUM FILES WILL BE DELIVERED TO THE PIVOT MACHINE
15.) WHERE THE FULCRUM FILES WILL BE DEPLOYED ON THE PIVOT MACHINE
16.) WHEN FULCRUM SHOULD BE DELIVERED ON THE PIVOT MACHINE
17.) HOW FULCRUM WILL BE STARTED ON THE PIVOT MACHINE
18.) WHEN FULCRUM SHOULD BE STARTED
19.) IF FULCRUM SHOULD BE AUTOMATICALLY RESTARTED
20.) WHEN FULCRUM SHOULD BE SHUTDOWN
21.) WHEN FULCRUM SHOULD BE REMOVED

MITIGATION TECHNIQUES:

-SPOOFING OF MAC ADDRESS
-SPOOFING OF OPERATING SYSTEM
-SPOOFING OF CHARACTER SET
-SPOOFING OF 32/64BIT SYSTEM
-SPOOFING OF LAPTOP/DESKTOP
-MIDDLE LAYERS WITH PSP AND SNORT
-BLOCK IFRAMES (SHOULDNT BE A PROBLEM)
-HOW TO MITIGATE AGAINST ARP SPOOFING/REDIRECTION
ARPWATCH/ARPFREEZE/SNORT MANUAL ARP-TABLES?
-LOOK OUT FOR PROMISCUOUS MODE TRAFFIC
-USE VIRTUAL MACHINES (MULTIPLE SCENARIOS THAT MAKE IT USEFUL)
-FORCE HTTPS
-USE MULTIPLE IPS ON EVERY NIC
-USE MULTIPLE GW ON EVERY NIC (NOT REALLY A GOOD IDEA?)
-DISABLE EXECUTIVE RIGHTS FROM TEMP (PAIN AND A HALFASS IN WINDOWS)
-NEVER SURF DIRECTLY TO THE ROOT (FULCRUM WONT TRIGGER)
-WARN ON ICMP INCOMING FROM LOCAL LAN IP:S
-BLOCK AND WARN ON OUTGOING TRAFFIC TO PORT 8080
-USE IPV6
-IMPLEMENT SNORT ON EVERY MACHINE

SNORT RULE TO LOOK FOR IFRAME TRAFFIC:

html, body
{
overflow: hidden;
margin: auto;
height: 100%;
width: 100%;
}

SNORT RULE/RULES TO LOOK FOR FOLLOWING USER AGENTS:

USER AGENT: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)
HOST: Host: mytest.com
REQUEST: GET / HTTP/1.1
USER AGENT: User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
HOST: Host: 10.0.0.11
REQUEST: GET / HTTP/1.1
USER AGENT: User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:23.0)
Gecko/20100101 Firefox/23.0
HOST: Host: http://www.mytest.com

REQUEST: GET / HTTP/1.1

MOST OF THIS STUFF REMINDS ME OF DUGSONG 1999-2000
NOTHING MUCH NEW BUT GOOD REMINDERS TO USE ARPREDIRECTION MITIGATION TECHNIQUES

//Chris
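As an added example (not part of Chris's notes or of any Fulcrum material), a small Python checker that applies the user-agent watchlist and the Host-header anomaly visible in the three requests listed above to constructed sample request heads; the alert tag names, the benign sample and the "root request" heuristic are my own assumptions drawn from the note.

```python
import re

# User-Agent strings copied from the three requests listed in the note above,
# used here as a plain exact-match watchlist.
WATCHED_USER_AGENTS = {
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; "
    ".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/28.0.1500.72 Safari/537.36",
    "Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0",
}
# Host must be host[:port]; a URL scheme inside it is malformed (RFC 7230 section 5.4).
SCHEME_IN_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def parse_request(raw):
    """Split an HTTP/1.1 request head into {'request': line, <header lowercased>: value}."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    fields = {"request": lines[0].strip()}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; values may contain ':'
        fields[name.strip().lower()] = value.strip()
    return fields

def inspect_request(raw):
    """Return alert tags for one request head; an empty list means nothing matched."""
    req = parse_request(raw)
    alerts = []
    if req.get("user-agent", "") in WATCHED_USER_AGENTS:
        alerts.append("watched-user-agent")
    if SCHEME_IN_HOST.match(req.get("host", "")):
        alerts.append("malformed-host-header")
    # The note says the injection only fires on a request for the site root.
    if alerts and req["request"].startswith("GET / HTTP/1."):
        alerts.append("root-request-with-indicator")
    return alerts

def scan(requests):
    """Map request index -> alert tags for every request that raised at least one."""
    return {i: tags for i, raw in enumerate(requests) if (tags := inspect_request(raw))}

# Constructed sample traffic: the note's three requests plus one benign request.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\nHost: mytest.com\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; "
    "Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\n",
    "GET / HTTP/1.1\nHost: 10.0.0.11\nUser-Agent: Mozilla/5.0 (Windows NT 5.1) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36\n",
    "GET / HTTP/1.1\nHost: http://www.mytest.com\nUser-Agent: Mozilla/5.0 (Windows NT 5.1; "
    "rv:23.0) Gecko/20100101 Firefox/23.0\n",
    "GET /news/ HTTP/1.1\nHost: example.org\nUser-Agent: curl/7.58.0\n",
]
```

Running `scan(SAMPLE_REQUESTS)` flags the first three heads and leaves the benign fourth untouched; the same three checks are what a Snort rule set for these indicators would express as `content`/`http_header` matches.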

Clive Robinson May 5, 2017 10:30 AM

@ Bruce and the usual suspects,

The UK has basically gone overboard on Internet surveillance just after Parliament has recessed for PM May's General Election. Basically she came up with the Snoopers' Charter and now it's Full Speed Ahead on the more outrageous parts without any hope of political oversight,

http://www.zdnet.com/article/leaked-document-reveals-uk-plans-for-wider-internet-surveillance/

On another note, for some time now I've been warning what information your utility meter can say about you. Well, don't say I didn't warn you; somebody has taken the idea and turned it into a consumer product,

http://spectrum.ieee.org/view-from-the-valley/energy/the-smarter-grid/want-to-know-whats-happening-in-a-building-listen-in-at-the-breaker-box

What are the bets on how long it will be before somebody turns the device into a surveillance device?

Speaking of betting on when it would happen, I've known since around 2002 that SS7 was vulnerable to some nasty little tricks, which is when I started thinking that using SMS as a side channel for One Time Passwords etc. was no longer the good idea it had been in the previous century. Well, it's taken longer than I expected for people to use SS7 to go after TAM (German banking one time tokens). But they have done,

https://arstechnica.com/security/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/

Thoth May 5, 2017 12:25 PM

@Clive Robinson

Someone must be feeding May and applying abnormal amounts of pressure on May to get her to push such bills; otherwise nobody would bother to go to such extent.

Sergio May 7, 2017 4:26 PM

@tyr

It probably won't help much, but ECC on executables is usually handled at the core CPU levels inside the chips themselves.

Once you go up to the application program level you want the executable to fail so it can be fixed. Most of the ECC stuff is done within the memory chips to get reasonable data integrity. Running partially failed executables is a really bad idea. If you think about it for a while you'll see why failure is a much better idea. Nick P. is probably the go-to guy for documentation of this kind of thing. CPU designers are quite secretive about how they do internal ECC.

Here's an interesting quote I ran across on Charles Stross's blog.

Elderly Cynic | April 12, 2017 16:27

The days of actually fixing (or even locating) non-trivial bugs are long gone, and have been largely replaced by making changes or adding layers so that the bug does not appear in the cases that ‘matter’. Also note the increasing use of fixing problems by changing specifications and even contracts – yes, some do (effectively) say “thou shalt not cause our software to misbehave”. Several decades ago, I said that computing was ceasing to be a mathematical/engineering discipline and rapidly becoming something closer to animal or plant breeding. A rather eminent computer scientist regretfully agreed that I had a point!

You can see that approaches vary.

Thank you for the information.
So an executable definitely couldn't correct an arbitrary number of errors in its own error checking code.
I'm curious if some instruction sets could have such a thing if it was only guaranteed to self-heal from 1-bit errors every 8 bits, or even every 16 or 32? Bit rot is a very slow process, but having some defense against it in your database executable or FS driver or OS or firmware would be good, right?
