Friday Squid Blogging: Sex Is Traumatic for the Female Dumpling Squid

The more they mate, the sooner they die. Academic paper (paywall). News article.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on June 9, 2017 at 4:25 PM • 120 Comments

Comments

Ben A. • June 9, 2017 4:30 PM

xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs

http://cyber.bgu.ac.il/advanced-cyber/system/files/xLED-Router-Guri_0.pdf


Pen & Paper cryptography - people always have a safe place to communicate

http://www.revk.uk/2017/06/pen-paper-cryptography-people-always.html

http://boingboing.net/2017/06/04/theresa-may-king-canute.html


It is not OK to break the law to catch criminals, judge rules

https://nakedsecurity.sophos.com/2017/06/08/it-is-not-ok-to-break-the-law-to-catch-criminals-judge-rules/


Ex-NSA bod sues US govt for 'illegally spying' on Americans: We drill into 'explosive' 'lawsuit'

https://www.theregister.co.uk/2017/06/08/nsa_fbi_comey_sued_spying/

https://regmedia.co.uk/2017/06/08/01-main.pdf


Spy commissioners: Did we audit our bulk data sharing with industry? Err... not exactly

https://www.theregister.co.uk/2017/06/08/spy_data_sharing_not_audited/


Platinum APT First to Abuse Intel Chip Management Feature

"Microsoft has found a file-transfer tool used by the Platinum APT that leverages Intel Active Management Technology to stealthily load malware onto networked computers."

http://threatpost.com/platinum-apt-first-to-abuse-intel-chip-management-feature/126166/


50 hashes per hour

https://securelist.com/78588/50-hashes-per-hour/


NSA’s EternalBlue Exploit Ported to Windows 10

http://threatpost.com/nsas-eternalblue-exploit-ported-to-windows-10/126087/


Authentication Bypass, Potential Backdoors Plague Old WiMAX Routers

https://threatpost.com/authentication-bypass-potential-backdoors-plague-old-wimax-routers/126135/


On enabling NX and ASLR for a module after the fact

https://blogs.msdn.microsoft.com/oldnewthing/20170607-00/?p=96295


KeePass 2.36 available

http://keepass.info/news/n170609_2.36.html


Google Fixes 30 Vulnerabilities, Five High Severity, in Chrome 59

http://threatpost.com/google-fixes-30-vulnerabilities-five-high-severity-in-chrome-59/126091/

AlanS • June 9, 2017 5:47 PM

Tories, having attacked Corbyn as a terrorist sympathizer, form a new government by going into coalition with the DUP. Hard to see how the UK government is going to be an honest broker of peace in NI. Aside from their links to loyalist paramilitary groups, the DUP is a sewer of dark electoral money.

So, who are the DUP?

Democratic Unionists and what do they want?

Meet the Scottish Tory behind the £425,000 DUP Brexit donation

DUP Donaldson can’t remember why his Brexit campaign spent more than £32,000 on controversial data analytics company linked to Trump

What connects Brexit, the DUP, dark money and a Saudi prince?

The great British Brexit robbery: how our democracy was hijacked

Smackadoodledo • June 9, 2017 6:46 PM

"It is not OK to break the law to catch criminals, judge rules"

My belief is that SCOTUS will ultimately find those Playpen warrants acceptable for no other reason than it is difficult to find any case where SCOTUS has been sympathetic to pedophiles. I think this is double true because after the change to Rule 41 all those warrants would be acceptable if they were written today. So the practical effect of voiding Playpen warrants would mean that SCOTUS must be willing to let hundreds of pedophiles go on what would be a legal technicality. Unlikely.

Ministry of Truth • June 9, 2017 8:00 PM

@GoogleSpreadsMalwareFakeNewsAdsAndExtremism
You can get malware just by visiting the Google-owned "Youtube" with JavaScript enabled[1][2]. Merely avoiding Google Play isn't nearly enough. It's recommended to access everything except your financial websites (bank, company, government stuff, ebay and such) with Tor Browser Bundle and security slider set to "High". If that's too much, at the very least use Firefox or Jondoefox with NoScript and uBlock Origin/ABP + uMatrix.

@Smackadoodledo
POTUS once said "those who would sacrifice liberty for national security deserve neither", meaning that if you can't catch pedophiles without violating the bill of rights you shouldn't be in any position of power.

@USA! love it or leave it
Actually the Christian bible itself touts privacy, with Christ himself being in favor of anonymity, specifically to "hide" from persecution by corrupt authorities[3].
As for your implication that anyone who loves USA should hate privacy... the declaration of independence was drafted anonymously[4], meaning that if you hate privacy you hate the USA.
Works Cited
[1] https://arcticwolf.com/siem-services-skills/youtube-infiltrated-by-malvertising-network/
[2] https://www.techworm.net/2014/10/youtube-malvertising.html
[3] https://www.gotquestions.org/do-not-tell.html
[4] https://constitutioncenter.org/blog/why-did-jefferson-draft-the-declaration-of-independence/

Ergo_Sum • June 9, 2017 10:27 PM

@ Ministry of Truth..

Quote from last week:

QubesOS dom0 has no browser, and the default installation image has an option for installing Whonix (which only has Tor Browser Bundle, based on Firefox).

I've tried QubesOS on my older ThinkPad T430, that normally runs Windows 10, via adding a second drive in a drive caddy and removing the internal W10 drive. Certainly, installation/running this QubesOS isn't as easy as Linux and others, but that's not what has been interesting.

Having two drives in the T430 allows booting the selected drive via "F12". This had worked when the W10 drive had been removed for installing QubesOS, and after the installation. Like booting from the USB flashdrive to install the OS, even pressing "Enter" during BIOS boot resulted in a number of options: enter BIOS setup, select boot device, etc.

As soon as the W10 drive was reinstalled, the BIOS stopped responding and just booted into Windows. It didn't matter what key(s) were pressed during BIOS load. I could use my palm to press lots of keys and didn't even get a keyboard error. Just booting into Windows...

Would you happen to know what causes this BIOS behavior and how to fix it?
TIA...

BIOS is not magic • June 9, 2017 11:01 PM

@Ergo-Sum

The BIOS loads before the OS so it is not a Windows problem. BIOSes are not generic but specific to each manufacturer and sometimes to each motherboard. My guess is that the BIOS was not designed to handle two different PCI devices (disk drives)--one in the main bay and one in the caddy. Since you do have two drives this is causing a hardware fault and so the BIOS boots the first thing it can find. The best way to confirm this hypothesis is to switch the drives. Put the Windows drive in the caddy and the Qubes drive in the main bay. If you run into the same problem then you know it is a mobo problem and there isn't anything you can do except get a new laptop or resign yourself to a one-drive system.

Also, you didn't mention where you got the drive caddy. If you bought it for cheap off of e-bay those Chinese things are known for causing all sorts of problems being cheaply made. That is the other possibility.

The fundamental point, however, is that if you can't even get into the BIOS the origin of the problem is in the hardware, somewhere.

Who? • June 10, 2017 4:26 AM

@ Ben A.

xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs
http://cyber.bgu.ac.il/advanced-cyber/system/files/xLED-Router-Guri_0.pdf

Another "use the evil LEDs and photodiodes to jump air gaps" exfiltration paper from Yuval Elovici and his team (the same author of the research on exfiltrating data using scanners and lasers), this time using the LEDs on a router of an air-gapped network (by the way, how many air-gapped networks have routers?).

What will be next? Covert data exfiltration from air-gapped networks via NIC LEDs? HDD LEDs? webcam LEDs? The display itself? Keyboard LEDs? My bet is either display (you can even take pictures of the display using a drone, it is a good bandwidth) or the keyboard LEDs (you can use a simple shell script to change the status of the caps lock, scroll lock and number lock LEDs).

Seriously, the research community should stop this trend to publish the same improbable research multiple times under different names. It is some sort of soft self-plagiarism at best.

It is very good for the research community I had been ousted from their environment of prevarication and fraud years ago.

Sadly, right now there is much better and valuable knowledge on blogs like this one than on research publications. Something is really broken in the goals of the research community.
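
Added example (not code from the xLED paper or from any commenter): a simplified LED covert channel of the kind discussed above, in Python. The sender frames a payload (assumed layout: preamble, one-byte length, payload, XOR checksum) and Manchester-encodes it into LED on/off states so the receiver can recover the clock even across long runs of identical bits; the receiver thresholds a constructed photodiode sample stream, tries every chip alignment, locks onto the preamble and accepts a frame only when the checksum matches. The paper's actual modulation schemes and timings are not reproduced, the function names and the LED sysfs path mentioned in a comment are my own assumptions, and the sample stream is constructed inline so the block runs offline.

```python
"""Simplified LED covert channel (added example; not the xLED paper's code).

Sender: frame = preamble | length | payload | xor-checksum, Manchester-encoded
into LED on/off "chips" (1 -> on,off ; 0 -> off,on) so the receiver can
recover the clock even from long runs of identical bits.
Receiver: thresholds brightness samples, tries every chip alignment, locks
onto the preamble and accepts the frame only if the checksum matches.
"""
from typing import List, Optional

PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]  # assumed sync pattern


def bytes_to_bits(data: bytes) -> List[int]:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    # Only whole bytes are converted; callers always pass multiples of 8 bits.
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) // 8 * 8, 8))


def xor_checksum(data: bytes) -> int:
    total = 0
    for b in data:
        total ^= b
    return total


def build_frame(payload: bytes) -> List[int]:
    if len(payload) > 255:
        raise ValueError("one-byte length field: payload must be <= 255 bytes")
    return (PREAMBLE
            + bytes_to_bits(bytes([len(payload)]))
            + bytes_to_bits(payload)
            + bytes_to_bits(bytes([xor_checksum(payload)])))


def manchester_encode(bits: List[int]) -> List[int]:
    chips: List[int] = []
    for b in bits:
        chips += [1, 0] if b else [0, 1]
    return chips


def manchester_decode(chips: List[int]) -> List[int]:
    """Decode aligned chip pairs; stop at the first pair that is not a valid
    symbol (the idle 'off' period after a frame is such a pair)."""
    bits: List[int] = []
    for i in range(0, len(chips) - 1, 2):
        pair = chips[i:i + 2]
        if pair == [1, 0]:
            bits.append(1)
        elif pair == [0, 1]:
            bits.append(0)
        else:
            break
    return bits


def transmit(payload: bytes, samples_per_chip: int = 4, idle_chips: int = 6) -> List[float]:
    """Return the LED brightness the sender drives, one value per receiver sample.
    A real sender would instead write each chip to the LED at a fixed chip period,
    e.g. via /sys/class/leds/<device>::capslock/brightness (assumed path)."""
    chips = [0] * idle_chips + manchester_encode(build_frame(payload)) + [0] * idle_chips
    return [float(c) for c in chips for _ in range(samples_per_chip)]


def add_ambient(samples: List[float], floor: float = 0.2, gain: float = 0.7) -> List[float]:
    """Constructed photodiode model: ambient light floor plus attenuated LED output."""
    return [floor + gain * s for s in samples]


def receive(samples: List[float], samples_per_chip: int = 4,
            threshold: float = 0.5) -> Optional[bytes]:
    """Recover the payload from brightness samples, or None if no valid frame is found."""
    levels = [1 if s > threshold else 0 for s in samples]
    sync = manchester_encode(PREAMBLE)
    for offset in range(samples_per_chip):  # chip alignment is unknown: try them all
        windows = [levels[i:i + samples_per_chip]
                   for i in range(offset, len(levels) - samples_per_chip + 1, samples_per_chip)]
        chips = [1 if 2 * sum(w) > len(w) else 0 for w in windows]  # majority vote per chip
        for start in range(len(chips) - len(sync) + 1):
            if chips[start:start + len(sync)] != sync:
                continue
            bits = manchester_decode(chips[start + len(sync):])
            if len(bits) < 8:
                continue
            length = bits_to_bytes(bits[:8])[0]
            end = 8 + 8 * length + 8
            if len(bits) < end:
                continue
            payload = bits_to_bytes(bits[8:8 + 8 * length])
            if bits_to_bytes(bits[8 + 8 * length:end])[0] == xor_checksum(payload):
                return payload
    return None


if __name__ == "__main__":
    stream = add_ambient(transmit(b"exfil"))
    print(receive(stream))
```

The defensive reading is the same as the offensive one: a channel like this needs only a line of sight to the LED and a sampling rate a few times the chip rate, so for an air-gapped machine the mitigation is physical (cover or disconnect the LEDs, control line of sight) rather than anything in software.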

Who? • June 10, 2017 6:24 AM

@ Ergo_Sum, BIOS is not magic

BIOS is magic these days, just think on a UEFI firmware's EFI shell where you can run generic binaries stored on a FAT filesystem, but as Michael Ende said "it is another story and shall be told another time."

Ergo_Sum, what you describe is odd. So, you can boot from the drive in the caddy only when there is no drive in your ThinkPad? I assume the caddy is installed on the UltraBay.

The "BIOS stops responding when the internal drive (W10) is installed" looks like it is in UEFI mode and Windows takes control of the computer as soon as your computer sees it. You can try several workarounds; right now I would suggest two approaches to your problem:

1. try setting the BIOS in legacy mode and see if you can boot both operating systems (Startup -> UEFI/Legacy Boot [Legacy only]). In legacy mode you should have access to the boot menu via the "F12" key.

2. try changing the boot order on your BIOS (Startup -> Boot -> Boot Priority Order), put ATA HDD1 before ATA HDD0 and remove the drive from the UltraBay when you want to boot into Windows (I am supposing "ATA HDD1" is the drive on the UltraBay, use the right one if it is not.)

From these choices, "2" is the less intrusive one and should work.

Ergo Sum • June 10, 2017 7:40 AM

@BIOS is not magic, Who?..

Thanks for your suggestions...

BIOS is "black magic" for most people... :), but thanks for reminding me to check for the latest version.

The source of the issue was the BIOS/UEFI, where the boot priority is set to legacy first. Updating the BIOS to the latest version somewhat fixed the issue. Entering BIOS setup or using F12 when the laptop is powered on is not working; it just boots W10 as previously.

On the other hand, rebooting Windows makes entering BIOS setup and F12 available. That's better than swapping out drives and good enough for my needs.

Again, thanks...

JG4 • June 10, 2017 9:10 AM


Interesting Observations From 'Code'
http://market-ticker.org/akcs-www?post=232115
I was sent an interesting slide deck from the "Code" conference the other day. It was large. It was mostly drivel. Whoever paid that person to show up and present that, no matter what sort of "compensation" was involved, overpaid.
Heh, if you want someone to show up at an event like that and actually present a card deck that will make you think, call me. I'm not hard to find.
But.... buried in there was a gem or two, and I want to discuss one in particular.
Data security.
There's this "idea" that applications, cloud or otherwise, are "enterprise ready." That is, they're secure, they're well-written, they're crafted to do a job, etc.
Sorry, nope.
...[an impressive rant follows]

A Phone Steps Up
http://market-ticker.org/akcs-www?post=232110
Ok, it's not "really" BlackBerry's phone -- TCL makes it.
Nonetheless, one of my big beefs over the last few years is that it's virtually impossible to replace a battery in these devices. The manufacturers glue the phone together, they glue the back on, and in many cases the only access is through the front which means you have to violate the glue on the screen assembly and manage to disassemble half the device -- which is made with "designed to be inserted once" connectors -- to get to it.
Well, TCL just changed the game. There are now multiple reports of people being able to trivially remove the back of the KeyOne; it just snaps on (and off.)
...

http://www.nakedcapitalism.com/2017/06/links-61017.html
...
Big Brother is Watching You Watch

China uncovers massive underground network of Apple employees selling customers’ personal data Hong Kong Free Press (UserFriendly)

https://www.hongkongfp.com/2017/06/08/china-uncovers-massive-underground-network-apple-employees-selling-customers-personal-data/

...
Imperial Collapse Watch

Air Force grounds F-35A operations at training base after pilots suffered hypoxia ars technica (Chuck L). In case you haven’t seen it: AAA THE F-35 IS A LEMON PIERRE SPREY (RUNAWAY FIGHTER) FIFTH ESTATE EXTENDED INTERVW YouTube
https://arstechnica.com/information-technology/2017/06/air-force-grounds-f-35a-operations-at-training-base-after-pilots-suffered-hypoxia/
https://www.youtube.com/watch?v=mxDSiwqM2nw&feature=youtu.be

my comment: The struggle is to manage conflicts of interest. Imperial collapse occurs when some combination of failures of adding complexity to the system fails at roughly the same time that conflicts of interest spiral out of control. It's a system dynamics problem in an adaptive dynamical system where the gain matrices are unknowable. It can only be described in qualitative terms, and treated statistically. At least until Spookwerks West (Google) and/or Spookwerks East (NSA) finish reading everyone's mind and producing a reasonable estimate of the individual responses.

a poster child for situational awareness

Texting woman seriously injured in fall through sidewalk access door in Plainfield, New Jersey
https://www.yahoo.com/news/texting-woman-seriously-injured-fall-231649505.html
A woman was injured in New Jersey Thursday afternoon when she fell six feet through a sidewalk access door while distracted by her cellphone.

no clearer illustration of the usefulness of considering conflicts of interest first

Will the Mainstream Media Ever Report On the Numerous Admitted False Flag Terror Attacks?
http://www.washingtonsblog.com/2017/06/false-flags-5.html

Make the worst volume control you can imagine
https://imgur.com/gallery/XOT47

Awan Brothers Scandal Creates Fears About Scope Of Data Leak
http://www.zerohedge.com/news/2017-06-09/awan-brothers-scandal-creates-fears-about-scope-data-leak

file under, "the FBI always have been dirty"

Retired FBI Special Agent Blows The Whistle On The Real Robert Mueller
http://www.zerohedge.com/news/2017-06-09/retired-fbi-special-agent-blows-whistle-real-robert-mueller
...
It’s important to be aware of that background as you read the following excerpts from the excellent post published at CounterPunch titled, Comey and Mueller: Russiagate’s Mythical Heroes:
Mainstream commentators display amnesia when they describe former FBI Directors Robert Mueller and James Comey as stellar and credible law enforcement figures. Perhaps if they included J. Edgar Hoover, such fulsome praise could be put into proper perspective.

further proof that Comey is just as dirty as all of his predecessors

Trump Lawyer Doubles Down On Comey Perjury Accusation
http://www.zerohedge.com/news/2017-06-09/trump-lawyer-doubles-down-comey-perjury-accusation
"Our statement was accurate and was not referring to the May 16, 2017 story. It is obvious that whomever was the source for the May 11, 2017 New York Times story got that information from the memos or from someone reading or who had read the memos."

trigger alert - this will be disturbing to the average reader

file under, "your children are someone else's food security", as they have been for at least 80,000 years before Hansel and Gretel. I might add, "When the going gets tough, the tough start eating other people."

http://www.thecommonsenseshow.com/2014/05/30/what-will-happen-when-the-dollar-collapses/
...[excerpt from comments]
can you tell me how to form a cooperative group of people when it comes to preparation for this soon to arrive fiasco. They just don’t get it, or, are living in total denial, and the latter is probably more true than the former, but the results will be the same: AN UNTIMELY DEATH. It just disgusts me to no end that I will have to defend myself against my foolish lazy neighbors when shft. Most people get angry at the very mention of preparation. And then you have the nerve to print the truth about cannibalism and people really come unglued. Well, allow these words. I was an eye witness to cannibalism in Labone, South Sudan in April, 2002. If anyone has ever seen a child skewered over a pit then they have an idea of just how quickly cannibalism can go from being an extreme taboo to just another sit-in meal. I certainly did not participate in that meal, but saw it happen and it is very unnerving. People should never allow themselves to think that it cannot happen here. You have educated me on one thing I never would have thought of though, and that is law enforcement forming their own gangs for survival. That should not have slipped up on me, because local law enforcement in Sudan going rogue is exactly where the so called “warlords” came from. Another prospect people don’t want to hear is the control of people through food resources. Not only did the South Sudanese government use food as control, the church supported organizations used it to perfection. Example given, believe our doctrine and practice our form of worship or go hungry. I shudder to think the churches of all denominations in America might stoop to the same level.

Ergo Sum • June 10, 2017 9:19 AM

@BIOS is not magic, Who?...

One more thing...

If QubesOS (HDD1) is the first in the BIOS boot order, both entering the BIOS and F12 are working at the time the laptop is powered on. If Windows 10 (HDD0) is the first, BIOS options are disabled when powering on the laptop, a.k.a. cold boot. Is that because the BIOS checks the OS on the HDD and, if it is Windows, disables accessing the BIOS and loads Windows?

It certainly looks that way...

BIOS is not magic • June 10, 2017 9:55 AM

Ergo Sum

Looks that way to me too. As I said, BIOSes are designed by each specific manufacturer to do its thing, and sometimes the manufacturer's designs can politely be described as whimsical. As Who? says, it could be a legacy/UEFI issue. It bemuses me why F12 is disabled on cold boot but not on a Windows reboot, as that makes no sense whatsoever. In theory, because the BIOS loads before the OS it should be OS agnostic, and it should be especially agnostic to the shutdown state of the OS.

More broadly, this is an example of a security issue that @Bruce has talked about before viz. that computers can be so complicated it is impossible for the average user to know whether the behavior they are seeing is a result of poor design, bad coding, a glitch, or an actual compromise. All I can say is that a properly designed BIOS should not be exhibiting the behavior you describe.

Who? • June 10, 2017 11:06 AM

@ BIOS is not magic, Ergo_Sum

I have seen this behavior before. When you turn off Windows you are not really "turning off" the computer; it goes into some sort of "suspend mode" that allows the computer to boot faster later. It is part of the UEFI standard behavior, I think. What you believe is a "cold boot" isn't, the computer just seems to cold boot but it is not starting from the same point a real cold boot would do.

When you reboot the computer you are doing a real "warm boot", it is not like a "cold boot" but enough to reach the BIOS and either going into the BIOS setup, AMT setup, PXE setup or changing the boot sequence by means of "F12."

I am not a Windows user at all, never did. But I think it is the difference between "turning off" a computer and "powering off."

Slime Mold with Mustard • June 10, 2017 12:37 PM

Why Do Printers Have Yellow Dots
Another annoying article that does not deliver its headline.
http://www.bbc.com/future/story/20170607-why-printers-add-secret-tracking-dots

All the what, none of the why.

The explanation is a bit more pedestrian than shadowy schemes hatched in subterranean chambers of the puzzle palace.

As high quality laser printers and scanners became ubiquitous circa 1990, office workers who found themselves short sometimes ran off a few twenties to hold them over until payday.

This alarmed the Treasury sufficiently that they approached all the manufacturers and the watermarks were born. There were rumors of payments, and very little comment as it became public. Other applications were instantly realized, of course.

Robert in San Diego • June 10, 2017 3:57 PM

One Time Pads by hand will always work.

On the other hand, a relative who'd had a friend go to a bad-kids boarding school got all sorts of weird harassment (as did the friend) when the two resorted to ROT13 for the postal cards (not even post cards, postal cards, because with the printed-on postage contraband couldn't be hidden under a stamp) they sent each other. I got a visit myself because I taught ROT13 to my relative.

I'd probably still be explaining what they were doing if I'd suggested Playfair or double columnar transposition.
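
Added example (my own code, not from this commenter or from the linked pen-and-paper cryptography post): the hand one-time pad over A..Z in Python, with ROT13 expressed as the same operation under a fixed all-'N' pad, and the failure mode a practitioner should keep in mind: reuse the pad once and it cancels out of the difference of the two ciphertexts, after which a guessed fragment of one message (a "crib") reads off the other. The function names and the sample messages are mine; the arithmetic is the standard mod-26 pad.

```python
"""Pen-and-paper one-time pad over A..Z (added example, not from the thread).

Letters are numbers 0..25; encryption adds the pad letter mod 26 and decryption
subtracts it. ROT13 is the same operation with a fixed pad of all 'N' (shift 13),
which is why it hides nothing. The last two functions show the classic failure:
reuse the pad once and it cancels out of the difference of the ciphertexts.
"""
import secrets
import string

ALPHABET = string.ascii_uppercase


def normalize(text: str) -> str:
    """Keep only A..Z; a hand cipher works on letters, not punctuation."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def make_pad(length: int) -> str:
    """Fresh pad from the OS CSPRNG; by hand, use dice or a shuffled deck, never a passphrase."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _shift(text: str, pad: str, sign: int) -> str:
    """Add (sign=+1) or subtract (sign=-1) the pad letters from text, mod 26."""
    if len(pad) < len(text):
        raise ValueError("pad must be at least as long as the message")
    return "".join(ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(k)) % 26]
                   for t, k in zip(text, pad))


def otp_encrypt(plaintext: str, pad: str) -> str:
    return _shift(normalize(plaintext), pad, +1)


def otp_decrypt(ciphertext: str, pad: str) -> str:
    return _shift(ciphertext, pad, -1)


def rot13(text: str) -> str:
    """ROT13 as a one-time pad with the key 'NNN...' (every letter shifted by 13)."""
    t = normalize(text)
    return otp_encrypt(t, "N" * len(t))


def two_time_pad_leak(c1: str, c2: str) -> str:
    """c1 - c2 = (p1 + k) - (p2 + k) = p1 - p2 (mod 26): the pad has cancelled."""
    return _shift(c1, c2, -1)


def crib_drag(diff: str, crib: str) -> list:
    """Given p1 - p2 and a guessed fragment of p1, recover the aligned fragment of p2
    at every offset; the attacker keeps the offsets that read as language."""
    crib = normalize(crib)
    return [(i, _shift(crib, diff[i:i + len(crib)], -1))
            for i in range(len(diff) - len(crib) + 1)]


if __name__ == "__main__":
    pad = make_pad(5)
    c = otp_encrypt("hello", pad)
    print(c, otp_decrypt(c, pad))  # random-looking ciphertext, then HELLO
    # Constructed misuse: the same pad XMCKL encrypts two messages.
    c1, c2 = otp_encrypt("hello", "XMCKL"), otp_encrypt("world", "XMCKL")
    print(crib_drag(two_time_pad_leak(c1, c2), "hello"))
```

The three conditions that make the pad unbreakable are all visible in the code: the pad comes from a real randomness source, it is at least as long as the message (the length check), and it is used once (everything after `two_time_pad_leak` is what happens when it is not).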

anonymous • June 10, 2017 5:59 PM

@Ministry of Truth

You can get malware just by visiting the Google-owned "Youtube" with JavaScript enabled[1][2]. Merely avoiding Google Play isn't nearly enough. It's recommended to access everything except your financial websites (bank, company, government stuff, ebay and such) with Tor Browser Bundle and security slider set to "High". If that's too much, at the very least use Firefox or Jondoefox with NoScript and uBlock Origin/ABP + uMatrix.

I couldn't find Tor Browser in F-Droid but I found Orfox. Is that good enough for normal activities? I obviously wouldn't try selling contraband or something with it.

65535 • June 11, 2017 3:14 AM

@ JG4

“China uncovers massive underground network of Apple employees selling customers’ personal data Hong Kong Free Press (UserFriendly)” –JG4

Chinese authorities say they have uncovered a massive underground operation involving the sale of Apple users’ personal data… Of the 22 suspects, 20 were employees of an Apple “domestic direct sales company and outsourcing company”… The suspects allegedly used an internal company computer system to gather users’ names, phone numbers, Apple IDs, and other data, which they sold as part of a scam worth more than 50 million yuan (US$7.36 million).” –HKFP

JG4 link:
https://www.hongkongfp.com/2017/06/08/china-uncovers-massive-underground-network-apple-employees-selling-customers-personal-data/

That is not a bad return in China, where food preparers make a fraction of that amount of money. 7.36 million USD/22 people = 335,000 USD per person. Is this the tip of Apple's Manufacturing and Maintenance Attack Surface Area iceberg?

It would be a good area of actuarial and/or risk study to examine all of Apple's far flung manufacturing facilities, the number of people and subcontractors, and those possible employees selling data or installing backdoor/malware for a winning PhD paper.

I wonder what the true, shall we call it, “Manufacturing Attack Surface Area” is, and how to calculate the Attack Surface Area and the odds of a malefactor or government agent to penetrate the hiring process and become a saboteur/thief/government agent to plant malware in Apple products including cloud centers for financial gain.

I would guess the Manufacturing Attack Surface Area is much higher than most consumers think. This might include what most insurance/security companies have.

This Manufacturing Attack Surface Area would include every part in Apple's products, from the micro-controllers, the EFI/BIOS, CPU chips, memory, HDD both conventional and SSD, radio devices, Bluetooth devices, NFC device, Secure Enclave, the fingerprint reader, the cameras, the microphones, and so on – including all computer code down to the base level code, all Apple store/iTunes products and accessories and code, Apple Cloud accessories and so forth.

I would guess the actuarial Manufacturing and Maintenance Attack Surface would be approximately three-fourths of Microsoft Windows products. If any of you have a different number please feel free to express it and how you came to that conclusion.

@ JG4

[other topic]

Yes, the F35 has probably been the most abused mass project the military has undertaken to date. When it will end and what the tab will be is not known by me – but I would guess it is quite high.

Ergo Sum • June 11, 2017 8:44 AM

@BIOS is not magic...

that computers can be so complicated it is impossible for the average user to know whether the behavior they are seeing is a result of poor design, bad coding, a glitch, or an actual compromise. All I can say is that a properly designed BIOS should not be exhibiting the behavior you describe.

Certainly, the latest BIOS in this T430 is guilty as charged.

Who?...

I have seen this behavior before. When you turn off Windows you are not really "turning off" the computer; it goes into some sort of "suspend mode" that allows the computer to boot faster later.

That had been my understanding of Windows 10 as well, until the swapping of drives suggested by "BIOS is not magic" was followed.

The QubesOS drive was moved to be internal and the Windows 10 drive into the caddy. Starting up the laptop (cold boot), keeping the boot order of internal drive in place, booted QubesOS without displaying any BIOS options. Rebooting QubesOS resulted in all BIOS options being available, the same as it behaved with the Windows 10 drive being the internal drive.

It seems that the BIOS checks, if the first boot device has an OS. If it does, it'll just bypass displaying BIOS options and hands over control to the drive.

I was curious about the performance of the cheap Chinese made drive caddy in place of the CD/DVD drive. The internal Samsung EVO SSD certainly had better results with AS SSD Benchmark than the same drive in the drive caddy: 30-35% lower benchmark results for the same Samsung EVO in the drive caddy. It's pretty much comparable with USB3 performance. That might be due to the laptop's internal connection's maximum throughput more than the actual caddy in itself. It's doubtful if HDD performance differences would be noticeable ...

ab praeceptis • June 11, 2017 9:39 AM

Ergo Sum (Who?)

It seems that the BIOS checks, if the first boot device has an OS. If it does, it'll just bypass displaying BIOS options and hands over control to the drive.

Evil BIOS, doing just what it's supposed to do!

While the details are somewhat dependent on the maker and model, the BIOS usually has a setting to define whether BIOS options are visible or not (default: yes). Re. the drive to boot from, most BIOSes offer an option to show a "boot menu" with all principally bootable disks (where "principally" means all disks and media the BIOS could boot from, if there was something on it to boot from). The default for this usually is "no, don't show"; often that can't even be changed, but there is a key (like F12) that, pressed at the right point during bootup, opens a boot menu.

Unless that option is available and used the normal - and standard! - order is to boot from the first bootable device into the (first) active partition. Some BIOSes offer a compromise in that they have a fixed boot order but one, where an eventual USB device is first, CD/ROM is second and first hard disk is last, which makes sense for most users and most situations.

Also note that most of this has nothing to do with the OS. You can, for instance, put a boot manager on your first hard disk which then allows you to choose a partition of your liking for booting. This is often used for dual-booting, i.e. machines with 2 (or more) OSs on the disk. Note that some boot managers can even boot into partitions on other disks, i.e. they mimic the functionality of a "luxury BIOS boot manager".

*Of course* there are many quirks and strange corners (like e.g. Windows overwriting all boot managers and "force installing" its own (rather lousy) one). But what I just told you is the basic way it works (modulo quirks).

keiner • June 11, 2017 10:50 AM

@ Ergo sum

Have a look at (used) Dell Precision M notebooks, having two standard bays for HDD/SSD connected both with full bandwidth. And eSATA (also available on decent Latitude notebooks), which can be used with a cheap+simple plug adapter for additional OSs on extra 2.5" SSD/HDD (though I didn't check the speed for this connection).

Ergo Sum • June 11, 2017 12:00 PM

@ab praeceptis...

While the details are somewhat dependent on the maker and model, the BIOS usually has a setting to define whether BIOS options are visible or not (default: yes).

Both the "Option key Display" and the "Boot device List F12 Option" are and had been enabled. Yet, the BIOS acts as previously described, regardless of the OS on the internal drive...

Also note that most of this has nothing to do with the OS. You can, for instance, put a boot manager on your first hard disk which then allows you to choose a partition of your liking for booting. This is often used for dual-booting, i.e. machines with 2 (or more) OSs on the disk. Note that some boot managers can even boot into partitions on other disks, i.e. they mimic the functionality of a "luxury BIOS boot manager".

*Of course* there are many quirks and strange corners (like e.g. Windows overwriting all boot managers and "force installing" its own (rather lousy) one). But what I just told you is the basic way it works (modulo quirks).

It's been a long time since I used boot managers, Windows or Linux, for dual-booting purposes. I much prefer the BIOS F12 option for this purpose, since damage to the boot manager renders both OSes inoperable, among other things. As long as I know the quirks with the T430 BIOS, it'll suit my needs.

Thank you all for your help and suggestions...

ab praeceptis • June 11, 2017 1:09 PM

Clive Robinson

[off-topic] Clive, are you OK?

It seems you haven't commented in a couple of days. I hope the reason for that is a positive one and not any troubles. In case you are having health troubles: My best wishes for a quick and full convalescence!

Anon • June 11, 2017 1:15 PM

UEFI BIOSes can have a specific option to permit warm-booting in order to speed up the boot process. This works even if Windows was "shutdown".

What it doesn't do: clear registers or caches of hardware devices, and skips tests. It just brings up the CPU, powers devices and checks they're up, then boots by running the code already in main memory, reading the HD only if necessary.

Thoth • June 11, 2017 6:39 PM

@ab praeceptis

re: Clive Robinson

I wonder if he's out to play with some new technology (i.e. satellites) again.

JG4 • June 11, 2017 8:55 PM


another data visualization

http://www.zerohedge.com/news/2017-06-10/tracking-hacking-visualizing-worlds-biggest-data-breaches

Karl is a bit rabid, but he means well. I would like to see the streetlamps festooned with the bodies of the criminals, after fair and speedy trials.

Why We're Doomed - Idiocy On Display
http://market-ticker.org/akcs-www?post=232120

This is worth watching folks...
http://www.wsj.com/video/wsj-privacy-test-who-can-see-your-personal-data/0C0B606A-4E52-4F39-B537-9825D48C1E81.html

The WSJ went out and showed people exactly how much of your personal information was available online.

There were a lot of oh my gosh's, and a few oh that's creepy but I didn't hear one I'm going to kill them all.

That's the problem, in a nutshell.

It actually concerns me was the strongest thing I heard.

It concerns you?

Concerns?

That's all?

These were mostly all millennials.

Until we see reactions that are more akin to "Please excuse me; I need to get a gas can and my gun" there's simply no hope.

By the way that's not calling for violence -- it's simply recognition of the fact that the people running these companies do not fear you doing anything to them as a result of their practices no matter how much of your life they invade or to who they sell the information they have.

...[a long rant follows]

AnonJune 11, 2017 9:10 PM

@JG4: I think the same thing!

"They're doing what?! I'm outraged!!!!!!!". * Goes home and acts like nothing happened *

"Boycott X company!!". * Posts on Facebook, then goes to X company for Y product *

Sigh...

ab praeceptisJune 11, 2017 11:06 PM

Nick P

I just fell over this -> https://www.ralfj.de/blog/2017/06/09/mutexguard-sync.html

Money quote "[it's about] a classical example of a data race: Two threads accessing the same location, and at least one of them writing to it. This is exactly the kind of concurrency bug that Rust set out to prevent. How does it come that the compiler accepted this code?"

(my answer: too much "fun" blabla, too little actual safety engineering, but oh well, the company behind rust also gave us ... uhm? Yes, right, javascript, another summit of safety ...)

It seems that the rumours about rust being oh so safe a language are grossly exaggerated ... (and in part based on a free McKenna miracle. But at least someone is working on actually proving rust's correctness (and finding the equivalents of ebola in the bug world along the way)).

Just btw.: the website of that guy, of course(!) has plenty "only free software !!11!" and "it's a lot of fun" in it, so don't hold your breath for rust becoming safe.

ThothJune 11, 2017 11:38 PM

@ab praeceptis

No matter how much mutex guard or whatever guard function can be applied, the best is still due diligence and care when implementing and planning the software to not allow deadlocks to occur in the first place, and also to have well-defined functions.

P2PJune 12, 2017 3:24 AM

Nice to see all the discussion about F-Droid.

I just thought I'd chime in about one of the little known features it has that could avert a disaster.

In the event of cyberterrorists attacking critical network infrastructure, countries where most people rely on centralized systems would be paralyzed.

Lots of open source projects have ways to protect countries from such cyberterrorism, but only if prepared in advance.

Everyone who replaced Google Play with F-Droid would be able to send the latest version of whatever software was useful during such a crisis, to as many peers as desired. This can be done with the normal version of F-Droid by simply accessing a menu item.

Other examples of protective measures that could shield a country's critical infrastructure against terrorists are Serval, Rumble, Ricochet, and anything else related to "mesh networking" or "peer to peer technology". Such technology got a bad reputation because criminals used it for stealing copyrighted materials, but nowadays copyright holders such as Blizzard Entertainment and Microsoft Corporation utilize peer to peer technology because of the resiliency it has against DDoS and against other forms of cyberterrorism.

I couldn't possibly list all such defensive programs, instead I ask that you all look for decentralized versions of everything that you would suffer to do without. Please remember that this is defense in depth analogous to vaccines, and that even if you don't care about what could happen to you, you should do it for your family, friends, neighbors and overall community.

Dirk PraetJune 12, 2017 4:49 AM

@ Anonymous

I couldn't find Tor Browser in F-Droid but I found Orfox. Is that good enough for normal activities?

If for whatever reason you really must use Android, the first rule that comes to mind is not to use it for anything sensitive in the first place, which includes banking. No other COTS platform is so riddled with malware and its entire ecosystem so broken beyond repair as that one. You can mitigate it somehow, but the end result will still be an entirely insecure device. That said, here's a couple of tips:

  • Check your OS version. You want the latest version, which is Nougat (7.x). Unless you just bought yourself a brand new phone, chances are that neither the carrier nor the vendor you got it from will be providing updates. Your best bet of staying somewhat current is with an Android from Google itself (Nexus series et al).
  • If you got your device from a carrier, it comes preloaded with all kinds of junk- and spyware which you neither want nor need. Reflash it with an official vendor ROM or with one from CyanogenMod (now defunct), LineageOS or CopperheadOS if available. Check https://forum.xda-developers.com/
  • Do NOT root your device. It will only make it even more vulnerable.
  • Only install apps you somehow know and trust, whether you get them from Google Play or F-Droid. Avoid anything that comes with ads. A theme or screensaver that requires access permissions to everything is probably not what you want either. There's a fine collection of anonymity and privacy apps (plus tutorials) available at the Guardian Project: they include Orbot, OrFox, Signal, CSipSimple, K-9 Mail and others. The OrFox bookmark page gives you shortcuts to adding the HTTPS Everywhere and NoScript add-ons. Note that ChatSecure is no longer actively developed on Android.

Who?June 12, 2017 6:42 AM

@ Dirk Praet

In short, do not use Android. Ever.

  • even nougat is highly vulnerable; while here, nexus devices are "too old" to get support (who cares about those expensive two-year-old devices?), you should buy the very expensive pixels instead.
  • reflashing official roms does not help either, these images come preloaded with all the junkware and spyware too, just like the preinstalled operating system; as all this junkware is installed on the system partition it cannot be removed (the system partition is digitally signed, a security feature that only blocks the owner —not malware— from (ab)using it.)
  • I agree about not rooting these devices, even if it is the only way to run one of the "mostly useless" Android firewalls; better use a real hardware firewall [1].
  • not only apps with "ads," even apps not officially announced as "supported by ads" display ads or notification feeds through insecure channels.
  • all the alternative roms you describe follow the same support policy as official ones [2].

[1] a real hardware firewall will not help a lot either; Android has the same vulnerabilities as Windows, most of the attacks are not against vulnerable ports but against vulnerable apps (i.e. by means of files loaded into the devices.)

[2] from your wikipedia link: "in the past, the nexus 5 and galaxy s4 were supported. The nexus 5 was dropped in october 2016 when Google ended support."

Dirk PraetJune 12, 2017 9:05 AM

@ Who?, @ Thoth

reflashing official roms does not help either ...

Yes it does. In terms of crapitude, it's carrier-vendor-3rd party ROM. Re-flashing is actually the only way to get rid of the spyware that comes with carrier provided devices. And whereas arguably 3rd party ROMs are all but a guarantee to keep your OS current, the alternative of staying on Kitkat for ever for lack of carrier/vendor updates is even worse.

Although I absolutely agree with the baseline premise to stay away from Android as far as possible, the reality of life is such that not everyone can afford to fork out $600+ every two years for himself and his family members. So unless you can convince your teenagers to get rid of their smartphones altogether or talk them into taking on a burger job to pay for their expensive phone habits themselves, the only option is to mitigate as much as possible because these pesky things are not going away.

Nick PJune 12, 2017 9:19 AM

@ ab praeceptis

You've stumbled across a compiler error in a corner case of *specification*. The programmer used automatic typing instead of static typing to declare their intent. The compiler had no idea which type it should use. It picked the wrong one. It was filed as a bug as compiler authors encourage. I see no evidence against Rust's claims in this post. Just a specification error and/or compiler error in handling weird cases of program structure and typing. All complex compilers have these issues. Another example being Ironsides DNS in SPARK Ada that originally had one or two security problems due to the "mature" compiler optimizing away important checks. Like I said, compilers will have bugs.

I'm a fan of static typing for this reason. I do appreciate the example as I might reuse it in discussions on *that* instead of on Rust itself. It wouldn't be intuitive to me that a language usually having good type inference would break the concurrency model just because of one inference. Whereas inferring in a parsing tree from static types is straightforward and less error-prone.

keinerJune 12, 2017 9:55 AM

"So unless you can convince your teenagers to get rid of their smartphones altogether..."

Been there, seen it, done that. Absolutely feasible. Don't swim with the idiotz...

ThothJune 12, 2017 10:27 AM

@Dirk Praet

It is not about Android but the cheap. You could run the Genode framework on top of a smartphone chipset with probably some cool hypervisor or microkernel but the problem is always about the bubble-up attack which has always been mentioned. Intel AMT/AMD SP and ARM TZ are the true danger that so many people simply ignore by thinking that flashing a new userspace OS suffices.

Forget about doing sensitive operations in these smartphone chipsets. You should know very well what we have been repeating all this time anyway. Forget it if you can't use proper hardware.

albertJune 12, 2017 10:49 AM

@Thoth, et al,

"...Just stay away from ***ALL*** smartphones ever for the security paranoid...."

Not really. It's nice to have a phone with a good camera, sound recorder, etc. in your pocket, as long as you're aware of the dangers. Avoid banking (inc. purchasing online), -email-, web searches about personal information, web sites that require personal information, etc. In short, anything you're not concerned about being printed on the front page of the NYT, or the lead story on FoxNot News.

(OT) I've been missing Clive as well. Lots of topics here that for sure would have elicited replies, and no doubt welcomed replies.

. .. . .. --- ....

ab praeceptisJune 12, 2017 11:06 AM

Thoth, Dirk Praet, et al.

It seems to me that we look from a useless angle.
One **can** run a "smartphone" software stack on much lower grade chips than arm multicores. One *can* have the street maps of half a continent on such a simple "smartphone". One even can watch videos. We have plenty of older evidentiary devices.

In other words: android and the i-blob are **not at all** needed to have a quite useful smartphone.

Those big fat crap stacks are needed only for one reason: large corps wanted another big fat huge market - and nsa/cia & accomplices gladly joined and supported that because that new market would get massive parts of the citizen herd to use "smartphone" (and tablet) devices which allowed the spooks to much better surveil and eavesdrop, to control and to manipulate the citizen herd (which along the way could be even more stupidized, too, as a welcome side effect).

I'm convinced that that's what those devices and software have really been designed for and it also happens to be working quite well (for the spooks, that is).

ab praeceptisJune 12, 2017 11:27 AM

Nick P

No, it's not as superficial and easy as you paint it. The guy whom I quoted is betting his PhD thesis and I say that he is working a rich field.

rust isn't even properly (read: formally) specified. And no, the compiler didn't pick the wrong type; it made an assumption with grave consequences for memory safety.

You see, there are many people who have been working on that for many years and quite some of them aren't stupid at all. Came some people along who didn't quite understand their task in the first place (well, from mozilla. No surprise there ...) and who utterly ignored what so many smart people have learned during so many years of research.

I've been disgusted for quite a while to see rust praised as the C family messiah. Simple reason: If you come up with their safe pointer system you bloody formalize and model test it. Moreover you formally spec. your language; in fact, a good language starts in formal spec (and not with compiler code).

I do that with far simpler constructs. If you come up with a new construct or mechanism you first spec and model check it. Period. If you don't do that you'll end up with amateur crap, simple as that. rust is half cooked amateur crap.

Remember what you told me about Yannick and the intern? That they'd have him first math check and play with rust's mechanism. That's the pro way. And btw, you probably didn't notice it but it was that information you passed on that all but proved to me that rust is crap. Why? Because *obviously* there weren't yet proper specs and models (otherwise Yannick and his people would have reused them).

I perceive your attempt to put Ada next to rust as disgusting (and btw. not well informed). *NO*, an optimization done by a mature compiler is *by no means* in a similar league as the rust problem I linked to. The solution for Ada was simple: better compiler control and better, more granular runtime-check pragmas (which have now existed for quite a while). The solution for that 1 rust problem is a PhD thesis and thousands of man-hours away (and considerable changes in rust).

I had my reasons to write that, if needed, I'd prefer C + separation logic over rust.

RachelJune 12, 2017 12:25 PM

'Although I absolutely agree with the baseline premise to stay away from Android as far as possible, the reality of life is such that not everyone can afford to fork out $600+ every two years for himself and his family members'

Whilst I appreciate your regular comments about avoiding Android, Dirk, the alternative is a phone by a company with the most outrageous exploitative business practices that costs something like 5 or 6 times as much as a brand new android on ebay, and is nonetheless capable of being lost, broken or stolen just like an android. There are a lot of countries out there with a lot of people in them who don't have a lot of money to throw around. For the majority there are two OSes to choose from, a bit like having only two political parties to vote for.
I avoid apple like the plague simply because from an ethical perspective their conduct and exclusivity is so offensive

albertJune 12, 2017 1:10 PM

@ab praeceptis, @whomever,

"...Those big fat crap stacks are needed only for one reason: large corps wanted another big fat huge market..."

Well, not really.

For the most part, tech folks don't run large corps. A more nuanced viewpoint says that "Android is FREE! What's not to like?"

Apple had two choices: Write a new OS from the ground up, or modify a Linux-like system.

@Rachel,
IIRC, Apple's profit margins are around 60% for iPhones. I don't have data for others, but a 10% margin would make the iPhones 50% cheaper. Not that it would ever happen....

iPhones are the most popular phones in the world.....for stealing.

. .. . .. --- ....

ab praeceptisJune 12, 2017 1:32 PM

albert

It seems to me that you're confusing the real reasons and the PR and marketing blabbering. "It's free!" was the *way* to make the stupidized masses eat the poison pill.

Dirk PraetJune 12, 2017 2:53 PM

@ Thoth

Forget about doing sensitive operations in these smartphone chipsets. You should know very well what we have been repeating all these time anyway.

I never said otherwise, and neither am I encouraging anyone to use, let alone do sensitive stuff on a smartphone. The fact of the matter however remains that we can bark as much as we want to, but none of us are going to stop anyone from using their precious iPhones, Galaxies or whatever is the shiniest new thingie on the market. Feel free to try and talk your friends, relatives and customers out of it, but you'll just find yourself fighting windmills to the point that they'll think of you as either incompetent or a dinosaur from an era long gone by.

Personally, I am still on an ancient Nokia smartphone which I use for phone calls, texting and the occasional picture. But I also have a box of smartphones I picked up secondhand and which allow me to stay up to date and hands-on with operating systems, apps and security/privacy mitigation. It makes for an entirely different impression telling someone that all of these devices are inherently insecure while at the same time being able to demonstrate a reasonable degree of knowledge and proficiency with them.

@ Rachel

i avoid apple like the plague simply because from an ethical perspective their conduct and exclusivity is so offensive

I couldn't agree more.

@ ab praeceptis

In other words: android and the i-blob are **not at all** needed to have a quite useful smartphone.

Of course they aren't. But it's unfortunately pretty much what we're stuck with, even in the high-end commercial segment (Black Phone, Turing Phone, Solarin). The alternatives: Sailfish, Firefox, Ubuntu Touch, Tizen ... all Linux-based too. Windows Phone? No, thanks.

So may I take it you guys are still on a Nokia 3310 too? Or carrying around an OpenBSD laptop in a backpack to keep in touch with what's happening in the world around you? 8-)

albertJune 12, 2017 2:55 PM

@ab,

Free for the -maker-, not the customer.

"You get what you pay for." The customer gets screwed, but the maker gets more profit.

The IC/LE community doesn't need any input to the makers; they already know where the holes are.

As a thought experiment, how much would Android have to cost, in order to price itself out of the market?

Considering:
https://www.theguardian.com/technology/2014/jan/23/how-google-controls-androids-open-source

and:
https://pando.com/2012/01/28/how-google-can-save-android-close-it-license-it-swim-in-the-profits/

. .. . .. --- ....


vas pupJune 12, 2017 3:06 PM

http://www.bbc.com/capital/story/20170606-you-can-teach-yourself-to-be-a-risk-taker

Those who do not take chances are on the path to “guaranteed failure”, according to Facebook founder Mark Zuckerberg

"Research has found, for example, that our individual testosterone levels can directly correlate with our appetite for risk. Since men tend to have higher testosterone levels than women, they can often be more willing to act impulsively, on partial information – even though both genders have similar appetites for risk.
"When you’re gearing up for a fight or you’ve taken a risk and it’s paid off well, your testosterone levels increase and you become more confident,” says Dr Tara Swart, a neuroscientist and leadership coach based in London, England. On the other hand, when your risky venture leads to failure, your testosterone levels drop.
“Your brain will actually prevent you [from taking more risks] by giving you more memories of times when things went wrong,” Swart adds.
Our own experiences and our individual emotional histories will also affect how risky we’ll be. Your parents may have been particularly risk-averse during your upbringing, or you may have taken a risk in the past that didn’t pay off, making you cautious when you face your next “should-I-shouldn’t-I?” moment."

Clive RobinsonJune 12, 2017 4:47 PM

@ ab praeceptis, Thoth and others,

I hope the reason for that is a positive one and not any troubles.

I decided to keep a low profile during the UK General Election, on the theory I did not want to hear about "Russian" or other interference etc etc etc... So I went and stayed somewhere quiet till it was over...

Now of course although the counting is over, the real probs are starting because it's lifted the lid of a really nasty can of worms... thus it appears the fun is far from over.

We have no clear winner which is going to make Brexit a real problem. But worse the incumbents have decided to have a relationship with a very minority party (DUP) with clear past links to "loyalist" terrorism and other criminal activities during "The Troubles" in Northern Ireland.

Oh and it has some further very serious side effects, which will result in the failing of the Good Friday Agreement[2]. We are also coming into Marching Season with the various "Orange Orders" being a significant influence on the minority politicians in question. Thus Loyalists marching through Republican areas, with all the attendant violence. Some of us remember back to the late 60's and what happened when the troops moved in to protect the Catholics / Republicans, and how badly it all turned out in the early 1970s[1]. Which dragged on for decades with more than 50,000 casualties, and supposedly ending with The Good Friday Agreement, which involved power sharing provided certain conditions held.

So it looks like I'm not going to be able to stay low long enough to "wait the storm out"... So "Back to the grind stone" as the old saying has it.

Hopefully this time around bullets, petrol bombs and much, much worse will not happen, just because of one stupid woman's ego and self delusion.

[1] https://en.m.wikipedia.org/wiki/Operation_Banner

[2] https://skwawkbox.org/2017/06/12/dup-dismay-causes-queensspeech-delay-as-tensions-and-fears-rise-in-ni/

AlanS June 12, 2017 5:15 PM

@Clive

I am not sure mention of a certain NI political party is allowed here. An earlier post of mine with links to media coverage in the Guardian, Irish Times and Open Democracy has disappeared along with my comment that the British government was undermining the honest broker role required by the Good Friday agreement.

Regarding Russians and UK elections: Why would they interfere? I suspect the Russians figured out early on that the best strategy was leaving the British electorate and political parties alone.

gordoJune 12, 2017 6:45 PM

@ Clive Robinson,

I was thinking that you may've been busy "getting out the vote".

65535June 12, 2017 8:40 PM

@ Clive and Alan S

I keep a low profile here after having been hit by the banning stick. I was going to comment on the Snoopers Charter and the UK elections but I decided against it. It is not worth writing a post only to have it disappear. Further, I think this blog has its share of paid sock puppets from K street and IC/LE agencies to cause disruption.

JG4June 12, 2017 9:54 PM


this made the hair on the back of my neck stand up. a nice continuation on the discussion of super-bright people from late last summer.

http://slatestarcodex.com/2017/05/26/the-atomic-bomb-considered-as-hungarian-high-school-science-fair-project/

without the Hungarians, Japan may have delivered a bomb to the left coast of the US

Hiroshima and Nagasaki atomic bomb documentary[REAL TRUTH]
https://www.youtube.com/watch?v=Z6_eXfssseo

if Hitler hadn't invaded Russia, most of us might be speaking German. it's a fine language, well-suited to the scientific endeavor, but I am quite happy with English

Nick PJune 13, 2017 12:27 AM

@ AlanS, 65535

"I am not sure mention of a certain NI political party is allowed here. An earlier post of mine with links to media coverage in the Guardian, Irish Times and Open Democracy has disappeared along with my comment that the British government was undermining the honest broker role required by the Good Friday agreement. "

"I keep a low profile here after having been hit by the banning stick."

Huh? That's weird. AlanS's situation happens with a pile of links coming in matching spam filters on occasion. 65535's is more direct. What did I miss?

Slime Mold with MustardJune 13, 2017 2:28 AM


@ Moderator

Anonymity is a value endorsed by many on this blog. Please feel free to delete this comment or any others which seem to violate this theme.

Dirk PraetJune 13, 2017 4:34 AM

@ AlanS, @ Clive, @ 65535

Regarding Russians and UK elections: Why would they interfere?

It is probably fair to assume that any state actor or associated group with adequate resources will indulge in pen testing, exploration and exploitation of both allied and adversary network infrastructure in the context of national cyber operations. Inevitably, some of these efforts will be picked up by defenders, information about which (correct or false) may or may not surface as part of the great spy v. spy game and accompanying propaganda.

But which is not entirely the same thing as deliberate and decisive subversion of said infrastructures, and for which to date there is still no single shred of credible evidence that indeed the Kremlin was behind it, and with said intent. My gut feeling is still telling me that the DNC hack was an inside job by a disgruntled Sanders supporter, and for as far as motive goes, a state actor like Israel had much more to gain from a Trump win than Putin did.

As to the UK election, suffice it to say that I too am dumbfounded by the almost unbelievable way May shot herself in the foot and - instead of following Cameron's example - is now desperately clinging to power by associating herself with the DUP, which bodes all but well for the fragile peace in NI. It's like you say: why on earth would Putin (or anyone else) interfere when you have utterly deluded nitwits like May, Rudd, Farage and Johnson doing a much better job at dividing the country (and the EU) than any cyber or psyop of your own ever could. That is, of course, unless all four of them are actually on the Kremlin's payroll, which at this point is even less far-fetched than Trump being a Russian agent 8-)

Clive RobinsonJune 13, 2017 5:12 AM

@ Alan S,

With regards to the Russians, remember that the Five Eyes was actually put together by Britain at the end of WWII by a couple of people from Bletchley. Their reasoning boiled down to: Britain had the brains and the Empire/Commonwealth, the US had not just the money but more importantly the manufacturing resources. As far as we can tell both the UK and the US ICs have improved in an aspect they were deficient in (money and brains respectively). But have also lost on the other aspect to other players (Empire and manufacturing respectively).

Thus as far as the UK and US ICs are concerned sticking together and even bringing in more players is desirable. The UK and US went further and pulled in other capabilities. The Brits have tended to invest in HumInt whilst the US for various reasons pulled back from "Boots on the Ground" and went for SigInt and space based systems. What you might call "Playing to their strengths".

Which brings up the question of just who they are using these capabilities against. The obvious targets are China, the Middle East and Russia and their respective spheres of influence. Which boils down to around just about everywhere outside of four of the original five eyes. So when you add in the political paranoia that is building up (possibly in lieu of war) everyone is regarded as suspect either in the traditional "body and spirit", or more often these days in their electronic shadow. And obviously you are most suspicious if you don't have a visible shadow...

We know China has a similar viewpoint and is now making their citizens' electronic shadows the equivalent of "credit"; what is less clear is what Russia and the rest are up to with regards to their citizens, but it is unlikely they are not at the data orgy party "Keeping up with the Joneses".

Thus I suspect that the UK is under both Russian and Chinese surveillance where possible; the fact that the Internet is now in nearly every middle class home and many others as well via permanent connection and increasing IoT gimmick presence can be seen as a massive "infection vector". If other nations' ICs were not swimming around in that murky cesspool I would be not just surprised but amazed, likewise the European equivalents.

Now you've been hanging around the UK long enough to have noticed that politicians and others talk of "cultural spread / infection" from the US especially when talking about crime / film industry / technology / etc etc. The "It'll be here in five years" used to be the usual mantra. It's a kind of inbred inferiority complex that various politicians have encouraged over the years. Thus you can be sure that if the US have some kind of "Reds under the beds" type scare the UK broadsheets and tabloids will likewise start their own version...

Thus I was expecting the drop in votes for the incumbents, because two terms is about the limit for UK politics, as parties tend to self destruct in the inevitable "greed for power" and its attendant backstabbing in the MSM. Thus any such drop would be explained away by "It woz the Ruskies wot dun it" in the same way it was always the butler that got his collar felt in pre-WWII crime fiction. The reality of "we the people" are sick of you and want a change from your inbred fighting would not be acknowledged and probably not even considered privately.

However the current incumbent in No.10 thought that if she called an early election she could thwart the two term issue. The result was thus a drop but not enough to cause a clear win (some MPs got margins as slim as 43 votes in over 28K or 0.14%). Thus the unseemly scramble around was way more newsworthy and the "Ruskies wot dun it" excuse for failure was not needed this time (but keep an eye open for next time ;)

From the security aspect what worries me is that both Brexit and NI are going to give rise to conflict within the UK and a very real danger it will escalate. There are a couple of commenters on this blog who lived through "The Troubles" and the dirty tricks and surveillance / internment without trial etc that went on. Such things have a habit of being flash points for other resentments which in turn brings in more draconian responses, especially when idiot politicos want quick fixes so they have a trophy to hang on the historical wall.

Thus this past week with the terrorist attacks, general election and minority / hung government has thrown one heck of a lot of wood on the pile. The last thing we need is turning up the political heat and desperate measures causing flying sparks.

And it's not as though the incumbent PM has shown she has the ability to lead. She is still trotting out the "no communication unseen" mantra even though there is no evidence the last three terrorist attacks in the UK used electronic communications in the planning etc. Thus the PM is well behind the times and "simple terrorists" have "out evolved" her and the ideas she has been given by her favoured advisor who in turn got them from her previous GCHQ lover.

Clive RobinsonJune 13, 2017 5:57 AM

@ JG4,

this made the hair on the back of my neck stand up. a nice continuation on the discussion of super-bright people from late last summer.

At the end of the piece the author wonders if he has missed something. To which the answer is yes.

Theoretical physics, especially quantum physics, was a very, very new field of endeavour.

When you get any new field of endeavour there is rapid "broad progress" that makes those people look commanding. As the field develops progress continues but it becomes more fine grained as the easy wins are gone. Eventually the cost of progress limits the field and the rest of the world catches up, thus the gains though harder appear unimpressive.

In a way it's like mining bitcoins, each coin found gets successively more expensive. Thus the pioneers get the lion's share due to the easy win factor.

Computer science has shown the same sort of behaviour, more recently computer security.

I suspect that both Ross J Anderson (UK Cambridge Computer Labs) and our host Bruce Schneier are both cognizant of this "early developer easy win" situation. Because both have started their own new domains or fields of endeavour.

As I know they both read the comments here perhaps they might care to comment on the hypothesis.

JG4June 13, 2017 6:08 AM


http://www.nakedcapitalism.com/2017/06/links-61314-2.html
...
Look at This Massive Click Fraud Farm that Was Just Busted In Thailand Motherboard (resilc)

...
New Cold War

Oliver Stone on Vladimir Putin: ‘The Russian people have never been better off’ Guardian

Oliver Stone Reveals a Vulnerable Putin Consortiumnews (Chuck L)

Imperial Collapse Watch

US Army Captain says country’s military ‘not best in the world anymore’ The Independent (JTM)

Big Brother is Watching You Watch

The Internet Of Things Is Becoming More Difficult To Escape NPR


Clive RobinsonJune 13, 2017 6:20 AM

@ Bruce,

The more they mate, the sooner they die.

That is true for many species, including humans before "birth control". The demands on the body of producing offspring are quite horrific when you look into it. In effect the growing foetus cannibalizes the mother. It's part of the reason why women who still lactate find it harder to get pregnant again; it was nature's form of birth control.

But nature is a funny --peculiar-- thing, for quite a number of species mating is a death sentence. Spiders, Mantis and similar female insects cannibalize the male, salmon and similar fish die to leave their body nutrients in place for their young to grow on.

And for real yuk factor look at those who breed parasitically, such as digger wasps that lay their eggs into the young of other species, which then hatch and eat the host alive from the inside out (probably gave rise to the idea of the alien face hugger ;)

Then there are the weird ones such as the parasite egg that gets eaten by a snail. Which on hatching eats its way up the snail, finally going up into the left eye stalk. Where it then, like malware, takes over the snail and makes it crawl up a grass stalk etc where the pulsating parasite is easily visible to birds that then eat the snail and the parasite. Once in the bird's gut the parasite starts producing eggs which the bird then disperses with its droppings. Which is similar to the pig to host and back again of human tapeworms. The intermediate host (snail/pig) must get eaten for the life cycle of the parasite to continue... It makes you wonder how and from where such parasites evolved and now provide food for our nightmares...

Who?June 13, 2017 7:13 AM

@ 65535, AlanS, Clive Robinson

I keep a low profile here after having been hit by the banning stick. I was going to comment on the Snoopers Charter and the UK elections but I decided against it. It is not worth writing a post only to have it disappear. Further, I think this blog has its share of paid sock puppets from K street and IC/LE agencies to cause disruption.

I have not yet been hit by the banning stick (perhaps I am too boring and show a low interest in political affairs, so I prefer focusing on the technical matters) but in the last months I have felt very uncomfortable with some comments from other members of this forum. Don't know if it had been the consequence of puppets of the IC/LE agencies doing their job or just a few random trolls, but it has been annoying.

albertJune 13, 2017 8:09 AM

OT discussions -can- be interesting, depending on the subject...and the commenters.

Politics and gun control seemed to have created the most furor here. Sober and objective commentary disappears and rational discussion is all but impossible.

So if I never read another word about, say, Russian hacking, I'm -quite certain- that I won't be missing anything.

@Clive,
Welcome back!
You Brits have produced some great stuff in the creative arts. The work of David Hare, for example.

Though we may be 2 great countries separated by a common language, we seem to be sharing political inclinations as well. Like Trump and May.

. .. . .. --- ....

Clive RobinsonJune 13, 2017 8:52 AM

@ Albert,

Thank you for the kind words, that distant glow is not a nuke but my ears glowing pinkly ;-)

It's funny you should mention,

Though we may be 2 great countries separated by a common language

Just a couple of hours ago I was trying to explain what a "Fanny pack(er)" was, much to the embarrassment of both parties.

The oldest "official" one that I know of was the guidance leaflets/booklets given to US armed forces personnel. The one from WWII had the helpful advice about cheques and bills in restaurants. That is, Americans asked for the cheque and paid with a bill, whilst the English asked for the bill and paid with a cheque (not that anyone below the upper middle classes had bank accounts with cheque books).

ModeratorJune 13, 2017 9:37 AM

@AlanS, your earlier post was deleted not because of specific political parties mentioned in it, but because it was all about politics, with no explicit security tie-in.

@65535, I'm not sure when the "banning stick" struck you. I unpublished one recent comment in which you called attention to moving company spam. (Thank you for this.) Back in April, you noted that some of your comments had been blocked; whatever the problem might have been (possibly as simple as inadvertent blocking of a Tor node), it doesn't seem to have recurred.

@65535, @Who?, @All: Yes, this blog attracts a good share of trolls, no doubt including puppets, sockpuppets, and random ranters. That's what we get for hosting open conversations on often-controversial subjects. We can't just enact IP bans, so many people use Tor. We can't just ban usernames, they're easy to change. Please feel free to call out disruptive rudeness, aggression and hostility. And thank you all for keeping the conversation going.

AnuraJune 13, 2017 10:03 AM

@Dirk Praet

far as motive goes, a state actor like Israel had much more to gain from a Trump win than Putin did.

Well, look at the current turmoil in the middle east. Russia now gets to go into Qatar and say "Look, the US is unreliable, they were on your side with Arab Spring, now everyone has turned on you; we have no interest in regional politics, but if you let us build a base we will make sure no one tries to attack you." Then Russia gets influence over all of that natural gas while the US and UK play economic isolationist thanks to all of the nationalist sentiment.

Now, why did Trump go against his advisors, Tillerson and Mattis, and call out Qatar? My money is on Trump being manipulated by the Saudis, but it could have been anyone with interests there; Trump is really easily manipulated, so I would see that as a reason the Russians would want him anyway. His business ties to Russia are still a closed book, but we know they exist from past statements.

Is Trump a Russian agent? No, he's too stupid to do anything competently. However, he is acting guilty and I would suggest that it is more likely that he had business contacts or organized crime contacts that hacked the DNC, which may have had ties to Russian Intelligence.

To suggest there is absolutely no reason Russia would want Trump, or a more isolated UK is a bit naive, especially as we have been on opposite sides in the wars in Ukraine and Syria.

vas pupJune 13, 2017 10:20 AM

@JG4: "if Hitler hadn't invaded Russia, most of us might be speaking German. it's a fine language, well-suited to the scientific endeavor, but I am quite happy with English."

Same thoughts come to my mind after watching multiple videos on Nazi-developed amazing weaponry (including but not limited to rockets utilized by the Allies and Russians after Germany was defeated).

I guess his fatal mistake was his racial policy, which kicked out of the Reich (or even killed) many talented physicists/scientists based on their non-Aryan descent who could substantially have helped and made him such weaponry (e.g. the atomic bomb), which could justify your first statement above absolutely and really change history. He did not understand that science (and truth generally) does not have nationality, other demographics, you name it.

The Moderator could ask: how is that related to this blog? It applies to any security, meaning it is easier to make brains loyal than vice versa.

Dirk PraetJune 13, 2017 11:54 AM

@ Anura

To suggest there is absolutely no reason Russia would want Trump, or a more isolated UK is a bit naive

Seriously naive, I'd say. A year ago, it could easily be foreseen that he would go much easier on the Russian interventions in Syria and Ukraine than Shillary would have done, which to Putin would definitely have been a plus. It was also predictable that he would take a hard line stance against Iran and turn the other way with regards to the Israeli settlements. Obama and Netanyahu were all but friends, and that relationship wouldn't have improved with Clinton in the White House.

Both parties IMO at least had an equally big interest in a Trump victory. The more unpredictable part, like you say, was Trump recently giving the Saudis - known sponsors of Islamist terrorism and the cradle of Daesh ideology - not only a $100 billion arms deal but for all practical purposes an almost blank cheque to do whatever they want, to the point that it emboldened them not just to continue their proxy war with Iran in Yemen but also to clamp down on Qatar under the preposterous excuse of "combatting terrorism".

In the end, there is only one party that benefits from ongoing tensions and wars along the Sunni-Shia divide in the Middle East, and that's Israel, not Russia. And you can hardly blame Putin for selectively trying to step in every time the US (and its allies) create yet another fubar. That's ultimately what the Chinese do too, be it with a more economic than military approach.

JG4June 13, 2017 12:46 PM


@Clive

Interestingly enough, Leo Szilard left physics to go into biophysics, with a quote to the effect of, "It takes me a year of hard work in physics to break new ground, but in biology I do something significant every three days." He was aware that the easy wins were gone, although both he and his friend Einstein had ploughed more than their share of new ground in physics. Later in life, Szilard recognized that the real problems on the blue marble of entropy maximization are political. I think that he helped with arms limitation.

I'm not sure if nuclear history goes too far off the security topic, but Leo Szilard invented the chain reaction as he stepped off a curb in London in 1933. I may have rehashed this history recently, but I have memory problems. He filed a patent shortly thereafter, which was classified. The establishment sat on the information until the unfortunate events of 1939. It took the British until 1941 to figure out that Leo Szilard's conjecture was spot on, as they say. Meanwhile, Leo was writing a famous letter to FDR with Einstein. The US sat on the information for two years and only started an active project when the British envoy showed up in DC in 1941 with their correct assessment.

@vas pup

Leo Szilard lived in Germany with his suitcase packed for about four years. He knew that he would be leaving. I had heard the expression "Jew physics," but it turns out that they really called it that, with disdain.

http://www.nybooks.com/articles/2016/12/22/private-heisenberg-absent-bomb/

The history is fascinating. Had they not driven out the Jews, and invaded Russia, the results likely would have been much different. Einstein was not the only part of the Jewish brain trust that showed up in the US, with at least some connection to Germany. I can't recall many of the names, but they also figure prominently in the Manhattan project.

Fritz Haber personally turned the valves at the first chemical attack in the first global war, probably in France. In light of his service to the Fatherland, Hitler allowed him to leave, probably in the 1930s. The Haber-Bosch process accounts for about two-thirds of the protein in humans, with a significant input of fossil fuels. One of the most famous chemists of the 20th century was exiled for his racial heritage, in a country that ended up so short of manpower that they sent children into battle.

Dirk PraetJune 13, 2017 1:10 PM

@ Anura

Well, the arms deal isn't even real or new

Wot? Trump lied ?!

ab praeceptisJune 13, 2017 2:09 PM

Clive Robinson

Good to know that you are OK; I was a bit worried.

As for those elections, I don't have much to comment, i.a. because I see little reason to take the diverse democracy (and rule of law, for that matter) simulation seriously.

Funnily, no matter who wins or governs, GCHQ will always have their budget ...

AnuraJune 13, 2017 2:54 PM

@Dirk Praet

The press should really get two independent confirmations before they repeat what Trump says as fact.

AlanSJune 13, 2017 5:33 PM

@Moderator

@AlanS, your earlier post was deleted not due to specific political parties mentioned in it, because it was all about politics, with no explicit security tie-in.

The main point of my comment was clearly related to terrorism and the stability of the NI peace settlement. That's not related to security? Please explain. I quote my comment minus links:

"Tories, having attacked Corbyn as a terrorist sympathizer, form a new government by going into coalition with the DUP. Hard to see how the UK government is going to be an honest broker of peace in NI. Aside from their links to loyalist paramilitary groups, the DUP is a sewer for dark electoral money."

JG4June 13, 2017 7:36 PM

http://www.nakedcapitalism.com/2017/06/200pm-water-cooler-6132017.html
...
Big Brother Is Watching You Watch

"Untangling the other dark web – of pervasive, inescapable, corporate surveillance" [Privacy News Online] (original report; PDF). "Moreover, it's not just obvious things like which sites we visit that are captured. Other aspects include the timing and frequency of phone calls, GPS location, Web searches, how you fill in online forms, grammar, punctuation, and even whether you allow your phone battery to run down frequently. Since database storage capacities today are effectively infinite, everything we do can be stored in the hope that hidden among the apparently trivial details there are key signals about our views, wealth and buying intentions."

FrugalJune 14, 2017 12:18 AM

If you live in an area with that 5ghz LTE that interferes with 5ghz WiFi, and you have a SIM for the LTE, and there is no DRM on the SIM, can you just save the data from the SIM and put it in any non-TiVo'd device that has a 5ghz WiFi antenna to avoid wasting money and electricity on MiFi?

Who?June 14, 2017 2:51 AM

@ Moderator

@65535, @Who?, @All: Yes, this blog attracts a good share of trolls, no doubt including puppets, sockpuppets, and random ranters. That's what we get for hosting open conversations on often-controversial subjects. We can't just enact IP bans, so many people use Tor. We can't just ban usernames, they're easy to change. Please feel free to call out disruptive rudeness, aggression and hostility. And thank you all for keeping the conversation going.

I understand this one is the price of anonymity, and am glad of accepting it. I will continue doing my best, even if it is not much when compared with other members. Hosting open conversations is a must when talking about certain subjects, especially if we want the right people involved in the conversation.

Keep up the good work!

Moby DickJune 14, 2017 2:59 AM

@Thoth
Just stay away from ***ALL*** smartphones for the security paranoid
https://duckduckgo.com/?q=People+without+smartphones+targetted+with+extra+surveillance

@Dirk Praet
Re-flashing is actually the only way to get rid of the spyware that comes with carrier provided devices
Assuming that reflashing an official ROM means flashing stock AOSP, sure.
But you have to unlock the bootloader to get AOSP, so why not go for a custom ROM that doesn't just strip out carrier malware but also Google malware?
Of course make sure it's a GPL compliant ROM with lots of people working on its codebase. If you find some random post on xda-developers with only a binary file and some guy claiming it gives you perfect security when you flash it, with no source or anything, that's probably something you should run away from as quickly as you can.

@Thoth
Intel AMT/AMD SP and ARM TZ is the true danger
Don't all of those increase security as long as they are user configurable?
And what would you recommend most people use if you think Intel/AMD/ARM should be boycotted? SPARC?
Sure it's harder to get rid of chipset backdoors than OS backdoors but chipset backdoors get used a lot less often since once they are exposed it's a lot harder to rekey them, isn't it? Or do you really have an architecture in mind suitable for mass adoption that is proven to be safe? Aren't open hardware projects all way out of any sane price range, and don't they still have issues trusting the fabrication equipment?

@Clive Robinson
Which brings the question of just who they are using these capabilities against. The obvious targets are China, Middle East and Russia
Please try to explain this in a simple, easy to understand way.
I always thought that the obvious target of groups like the STASI and GCHQ were the citizens near them, who might vote out or riot out the bosses of such groups. What am I missing?

politicians and others talk of "cultural spread / infection"
Again I end up feeling stupid for not catching onto something that is apparently obvious to most people.
I had always thought that when authorities or people who support them spread xenophobia, that it is simply the oldest trick in the book to convince as many people as possible to trust the authorities with unlimited power to protect them from "evil foreigners", a simple way of preying on the most base human emotion (fear of the unknown).
Is there actually something far more complicated going on that I've been missing for my whole life?

And it's not as though the incumbent PM has shown she has the ability to lead. She is still trotting out the "no communication unseen" mantra even though there is no evidence the last three terrorist attacks in the UK used electronic communications in the planning etc. Thus the PM is well behind the times and "simple terrorists" have "out evolved" her and the ideas she has been given by her favoured advisor who in turn got them from her previous GCHQ lover.
I'm not trying to play dumb, I just really can't follow your points at all.
Isn't what you described the most effective, most tried and true way that rulers have always cemented their power over their subjects?
When you have some authority over a group of people, but they have something that limits your authority, isn't the most obvious action to convince them that that something is dangerous and to get rid of it?
Such as by saying that some evil foreign entity will use it to kill everyone unless it's banned?
I don't understand how she is an incompetent leader. I would do the same thing if I had power that I wanted to cement.
Isn't it the same as how in the dark ages, the Roman Empire saw that knowledge was empowering the masses, and so a system was made where only religious leaders knew the Bible, and everyone had to go through them for what they considered most important? Before printing, when any kind of books could be easily controlled, wasn't this basically done with every book, and the masses kept completely illiterate?
Isn't the obvious modern analogy that leaders want to control all access to knowledge, such as by convincing people that there is no good reason to want to read or write anything anonymously? I'm not being sarcastic here, I truly can't understand how she is inept as a ruler.

@Dirk Praet
Both parties IMO at least had an equally big interest in a Trump victory. The more unpredictable part, like you say, was Trump recently giving the Saudis - known sponsors of Islamist terrorism and the cradle of Daesh ideology - not only a $100 billion arms deal but for all practical purposes an almost blank cheque to do whatever they want, to the point that it emboldened them not just to continue their proxy war with Iran in Yemen but also to clamp down on Qatar under the preposterous excuse of "combating terrorism".
Wasn't that the easiest to predict action that he could have taken?
I thought that the last two POTUSes cemented their power by inducing Islamic terrorism so that there would be a common "evil foreigner" threat to rally the masses behind and increase nationalism while decreasing concern for abuses of power bordering on totalitarian dictatorship. Why wouldn't Trump follow their successful paths to have the same martial law power and emergency suspension of all oversights, checks and balances just like they did? Would you do different if you were the POTUS and wanted to increase your power?

I also can't grasp the reason that many people call Hitler stupid for going after all the Jews instead of just the ones that weren't useful scientists.
Hitler would be ruling the world now if only he hadn't been so mean to the Jews? How? Wasn't most of his power derived by making the majority race (Aryans) fear the minority race (Jews) and then promising to get rid of the Jews? Isn't this how most leaders succeed?

I'm really trying to understand how all of the "private communications are dangerous! encryption is dangerous! there's these really nasty people totally different from all of you that we're trying to save you from, so just give up what little power you have left and we'll protect you!" is new. Never mind the fact that you're more likely to be killed by acts of God, such as lightning strikes, than by terrorists.

Isn't the current "west vs middle east" just the next "white vs black" now that coloured people are too numerous to be so easily marginalized? What exactly is new about any of this?

Who?June 14, 2017 3:04 AM

@ JG4

This one is the report you are talking about:

http://crackedlabs.org/dl/CrackedLabs_Christl_CorporateSurveillance.pdf

I will read this review carefully. Right now I can say section 3.4 is really worrying; I can hardly imagine IoT devices becoming the next players in the pervasive tracking business. A ubiquitous surveillance network. In my humble opinion, corporate surveillance is more a legal problem than a technical one. Hope governments will be able to establish the right laws and, above all, enforce them before it is too late.

Thanks for sharing this document.

Dirk PraetJune 14, 2017 5:33 AM

@ Moby Dick

... so why not go for a custom ROM that doesn't just strip out carrier malware but also Google malware? ...

All of which is perfectly feasible. It's essentially what Silent Circle has done with the SilentOS for their Black Phones. But it does take a lot of time and effort to become somewhat proficient in building custom Android ROMs for specific devices and chipsets, all while knowing that the underlying foundation remains inherently insecure. For all its shortcomings - including the uncertain long-term viability of the company - it's what I generally recommend to security-conscious non-military customers with a no-Apple policy.

The alternative @Thoth was suggesting (Genode-microkernel-hypervisor) from a security vantage is obviously preferable, but will take even more resources to develop and maintain while still not solving subversion at the hardware layer.

Wasn't that the easiest to predict action that he could have taken?

Fearmongering to increase power and control over a population is a proven strategy. Publicly cozying up to a nation state actor that not only is the ideological source but also a known sponsor and global proliferator of the exact evil you're pretending to fight from a five mile-high view doesn't quite pass the smelling test. Any nation other than Saudi Arabia for its real or alleged involvement in what was probably the biggest trauma in US history since Pearl Harbor would have been bombed to Kingdom Come. But what we saw and still see is the exact opposite.

It's quite obvious that there are economic and geo-political interests at work here that by far trump any amount of casualties caused by Islamic terrorism either at home or in the Middle East. Scapegoating the old foe that is Iran in this context is equally predictable, but makes just as little sense to anyone with even the slightest clue of what's going on in the region.

Clive RobinsonJune 14, 2017 5:55 AM

@ Moby Dick,

Is there actually something far more complicated going on that I've been missing for my whole life?

Possibly, "cultural infection" is not about people but the things people do or are assumed to do. For instance "drugs -v- alcohol" most western nations tolerate the consumption of alcohol but not "drugs". The opposite is true of a number of nations in the middle east, that is they tolerate the use of hashish but not alcohol. But in other places such as the Caribbean the use of both is tolerated.

Thus "your" culture can become contaminated by "emulation", either from direct experience of those from another culture or by secondary experience through music, books, films, documentaries etc of another culture. The assumption is the usual conservative "Not Invented Here" thinking, which is to reject social change of any kind without thought or reason.

For many years during and after WWII the "American Influence" was treated as a real threat to the existing order in Britain. The reality, as usual, was the fear of change by those with either vested interests or a conservative outlook.

If you want an example of how odd it can look, have a look at these two "conservative outlook" English newspapers going on about France's Académie française,

http://www.telegraph.co.uk/news/worldnews/europe/france/8820304/Frances-Academie-francaise-battles-to-protect-language-from-English.html

http://www.dailymail.co.uk/news/article-2268722/Zut-alors-The-French-banned-world-hashtag--email-blog-English-intrusions-beloved-language.html

Whilst on the face of it they are "making fun of the French for being silly", the real purpose is propaganda against Europe and the European Union via Francophobia. Thus doing almost exactly the same thing of ensuring centuries of enmity continue, just as "French disease" and "Maladie anglaise"... Or more recently from the US, "Cheese eating surrender monkeys"

https://en.m.wikipedia.org/wiki/Cheese-eating_surrender_monkeys

RachelJune 14, 2017 6:43 AM

JG4

Appreciate the interesting comments.
Theatre production about 'what would happen if Heisenberg and Bohr had had an all night conversation in Copenhagen'. Around the time it was released, uncannily, a secret letter of their correspondence was declassified and made public.
I saw it when it was new. It is excellent. It's essentially a two-hander with Bohr's wife Margrethe stepping in here and there. Based on the Wikipedia I wouldn't bother with the TV adaptation however. Okay, no more from me on the topic.

https://en.wikipedia.org/wiki/Copenhagen_(play)

RachelJune 14, 2017 6:53 AM

Dirk Praet
Silent Circle:
For all its shortcomings - including the uncertain long-term viability of the company - it's what I generally recommend to security-conscious non-military customers with a no-Apple policy.

Really, that's interesting you recommend it. Whilst you are obviously fully aware of its shortcomings Dirk, others may appreciate doing a blog search on Blackphone for comments in years past regarding its claims. Nick P in particular I recall wrote an excellent lengthy deconstruction of the issues beyond the wizard of oz security curtain.

Dirk PraetJune 14, 2017 8:14 AM

@ Rachel

Whilst you are obviously fully aware of its shortcomings Dirk, others may appreciate doing a blog search on Blackphone for comments in years past regarding its claims.

As I said before, and from a security vantage, my usual advice to everyone is to stay away from smartphones in general and Android in particular. For those who for whatever reason are still hell-bent on a smartphone and have a no-Apple policy in place, I will indeed recommend a Black Phone as the less insecure commercially available option as compared to an OTS Samsung Galaxy, Huawei, LG, Acer or Windows Phone. Note the difference between "secure" and "less insecure".

Will it protect you from the NSA or similar actors: most definitely not, but they are also not the type of adversary the average citizen or business is up against. And yes, I always put all of these caveats in writing to avoid the exact kind of confusion that even on this esteemed forum seems to persist whenever I'm making such recommendations.

ab praeceptisJune 14, 2017 10:05 AM

Ad "smartphones"

Mind you, what are we talking about anyway? I remember the days when many of the very few who had a mobile phone were considered show-offs and braggers. Somehow the human race managed to survive many millennia without smartphones, yet today one wonders how one can survive a walk to the supermarket without one's smartphone.

And, no, I'm not at all against technical evolution. What I am against is utterly mindless me-too-ism and humans being changed into consumer herd animals.

Moreover, most of those consumer animals don't care a rats a** about security. What they *do* care about is colorful nonsensical gadgets, design, and, most of all, surrogate feelings.

We have way more important things to discuss, for instance, the *why* behind the despicable situation, the why of massive eavesdropping, the why of utter lawlessness of (many of) the "guardians of law".

Nick PJune 14, 2017 10:15 AM

@ Rachel, Dirk Praet

Thomas Ptacek et al have been putting together recommendations for journalists. The assumption is whoever is reading is non-technical to the point they probably can't securely use a desktop computer. They'll also be carrying a phone of some sort. They might also need to open attachments and such. This happens regardless of security advice given about PCs or smartphones.

The most compelling things they point out in favor of iPhone are security updates and hardware support. The Android vendors often ship updates really slowly or don't do them at all. Apple does. That's almost a trump card by itself. The other thing is Apple has advanced security features that apps are more likely to actually use. The last is the App Store has less malware due to their rules and review. The Android situation is the polar opposite.

So, a no-Apple policy is probably a pro-malware policy at this point. I'm not sure what the delay is between vulnerability discovered, fixed by Google, and updated by Blackphone. I don't have timing data on other Android-based cryptophones. I know there's at least one, 3rd-party service providing updates from Google to end users. Situation is really bad since Google doesn't care about security at all. Last hope is SailfishOS taking off and doing something. They already got Russian and Chinese contracts.

AlanSJune 14, 2017 10:36 AM

@Moderator

Thank you.

@All

The UK general election campaign rhetoric about terrorist sympathizers followed by the Tory Party aligning themselves with the DUP to form a government links back to earlier discussions here about the meaning and uses of the word terrorism, e.g. The Continued Cheapening of the Word "Terrorism". Although in this case the opposite is true. The word is subject to asymmetric and hypocritical political uses. For example, the media's reluctance to use the word in the context of events such as the Charleston church shooting and, in this case, the association with Irish Republicanism but not British Unionism. For some discussion see this paper on Unionist discourses about violence and responsibility: Denial, Silence and the Politics of the Past: Unpicking the Opposition to Truth Recovery in Northern Ireland.

Dirk PraetJune 14, 2017 1:43 PM

@ Nick P

The most compelling things they point out in favor of iPhone are security updates and hardware support.

Which indeed is the primary reason to go with iOS instead of Android both on smartphones and tablets, and with a company like Silent Circle instead of Samsung or LG if indeed for whatever reason a private individual or company has a no-Apple policy in place. I refer to @Rachel's previous remarks about Apple, and which are all but uncommon. Silent Circle has only a few hardware models and boasts rapid security updates as soon as bugs/vulnerabilities are fixed by Google.

On top of that, their SilentOS has been built with privacy and security in mind (read: contrary to the other lot, we have at least thought about it), allows for compartmentalization ("Places") and does not contain all the (Google and other) cr*pware that typically comes with vendor and carrier distributed Androids. Whichever way you turn it, those are plusses.

@ ab praeceptis

the *why* behind the despicable situation

Some way or another, marketeers succeeded in convincing the general population that being reachable 24/7 was not just a good idea, but pretty much indispensable. As more and more folks bought into it and cellphones eventually evolved into powerful pocket computers, it became a self-fulfilling prophecy.

After years of pushing back, I got my first cellphone in 2001 from an employer for whom acceptance of the device was a prerequisite for the otherwise very interesting and well-paid job. To date, I still don't carry around a smartphone and on a normal week day my cell goes off from midnight till 7AM, during which I can only be reached on my land line, an unlisted number I only give out to a highly restricted group of close friends and relatives.

the why of massive eavesdropping

For folks like Tim Berners-Lee, the idea was to make the internet everyone's digital window on the world. It didn't take long for governments, LEA's, the IC and data miners to realize it could also be turned into their window on the citizenry. As had been predicted by Orwell and other visionaries in the first part of the previous century.

the why of utter lawlessness of (many of) the "guardians of law".

Without a very strong system of checks and balances, the law devolves into an instrument by the rich to control the poor and in which the guardians are just part of the illusion projected to the citizenry.

ab praeceptisJune 14, 2017 1:58 PM

Dirk Praet

Neither apple nor google deserve even an examination; if done, it would only raise questions about the details of guilt and spooky collaboration.
"updates from apple" are a plus? Not in my book. Who knows what those "updates" contain and I'd guess that some "updates" actually serve to solve spook problems.

"Some way or another, marketeers succeeded in convincing the general population that being reachable 24/7 was not just a good idea, but pretty much indispensable."

That explains the idiocy of idiots thinking they are important enough and have important and urgent enough info to share or to receive to carry around mobile phones.

It does, however, not explain the escalated idiocy of carrying around half (and for not too few even all) of their computer equipment. I guess, though, that the explanations are similar ...

Which btw opens a funny question, namely "should a state protect citizens (read: tax and consumer animals) from their own idiocy?". I consider that a funny question for a reason: Obviously the states' and large corps' (insofar as there is still a difference) answer would be a sound "No!"; after all they invested decades to dumb down the populations so as to serve as dumb tax and consumer animals.

The funny part is this: How would the "citizens" answer? And: Would they find the right button to click "No!" on their smartphone?

Dirk PraetJune 14, 2017 2:32 PM

@ ab praeceptis

Which btw opens a funny question, namely "should a state protect citizens (read: tax and consumer animals) from their own idiocy?".

Most countries have laws dealing with deviant behaviour considered harmful to oneself or others. The point you are missing here is that we have evolved into a society where - unless you're over 65 - not having a smartphone and not being on social media is considered deviant, or at least suspect, not the other way around. So be careful what you wish for ...

ab praeceptisJune 14, 2017 2:52 PM

Dirk Praet

a) I'm far below 65
b) I'm not considered to be but I *am* "deviant" and not the least interested in what's considered "normal"
c) we have not evolved but *de*volved into that kind of society.
d) and most importantly, I care about safety and security, reality (it might be worthwhile to notice the "real" in reality) and *facts*, not about what politicians or marketing departments declare the reality du jour.

P.S. Nothing in my posts is a judgement about you. There *do exist* valid reasons to carry around a smartphone, alone for the fact that most people aren't capable of building devices themselves or even just understanding, let alone judging, their devices.

Generally speaking, however, imo the main factor in that whole mobile trend is sheer idiocy. Granted, most idiots weren't born idiots but made into idiots, i.a. by the education system, but that doesn't change the facts.

My interest is mainly to have safe alternatives for the non-idiot minority.

CzernoJune 14, 2017 4:21 PM

@ Ab Praeceptis, @All, re : smartphone.

I don't own or use or want mobile phones - smart or dumb - (and BTW I /am/ over 65)...
nevertheless... I'm aware the POTS telephone landlines and exchanges are set to be shut down, scrapped, in this (European) country starting no later than year 2022. In preparation, starting next year, no NEW subscriptions for plain old telephone lines shall be possible.

I guess other countries in Europe (and America?) have similar programs to shut down POTS (analogue telephony), possibly each with a different agenda. So... Anyways... How am I supposed to avoid acquiring a "mobile" by that time (if I am still alive, goes without saying)?

P.S. I can't help, your pseudonym hurts the latinist in me. It's "A" praeceptis, not "ab" ! "Ab" only ever before a vowel, or an H.

Dirk PraetJune 14, 2017 4:37 PM

@ ab praeceptis

My interest is mainly to have safe alternatives for the non-idiot minority.

I believe we had already previously established that from a security vantage there currently is no such thing as a "safe" smartphone, or at least none that is commercially available or that we know of. Neither am I aware of any setups outside personal labs or research facilities like the one @Thoth described.

Sailfish OS, also mentioned by @Nick P, looks quite interesting but is again (Meego) Linux-based and comes with an additional Android HAL and runtime for compatibility. Unless it's picked up by one of the big players, chances are they'll just become yet another niche player struggling to survive.

I get your anger, but I currently don't see a lot of safe alternatives. For better or for worse, smartphones have become part of most people's everyday life, and calling them idiots is just not going to change that.

ab praeceptisJune 14, 2017 5:06 PM

@Czerno

If "ab" hurts you, feel free to address me using "a". That said, according to what I've learned you got it inverted. "a" can only be used before a consonant (excl. "h") while "ab" must be used before vowels and "h" but can be used generally.


@Dirk Praet

You might want to properly read before responding to avoid misunderstandings.

I did *not* say that there are smartphone alternatives besides android or apple crap that are mass-sold and/or easily available and well supported.

Moreover I did *not* say that people are idiots because they use android or apple smartphones. What I said was that they buy and use those smartphones because they are idiots (kindly note that I a) left room for exceptions and b) asserted that they are not guilty but driven into idiocy).

"but I currently don't see a lot of safe alternatives" - I take that as a premise error. The assumption that smartphones are somehow vital is factually untenable (but maybe socially true).

Why idiots?

For a start, a non-idiot is capable of and does think about whether he *needs* something. Furthermore a non-idiot easily identifies privacy and safety as far more important than being able to WhatsApp or to browse wherever he happens to be. There's more but I guess that's sufficient.

A cop or a taxi driver *do* need some form of mobile communication. Joe and Jane usually don't.

So, yes, there *is* an alternative. It's quite similar to the alternative to mobile kitchen sinks: Most do not need it and hence should not pay a high price both in $ and in attack surface.

CzernoJune 14, 2017 5:35 PM

A or Ab : sorry YOU remembered it wrong. It's AB before a vowel (or an H), A before consonant (except T), ABS (or A) before T. Arma virumqve cano Trojae qui primus ab oris...
Y'know, we used to /learn/ latin (and greek) in depth in those days, and learnt pages upon pages of poetry as well as prose to be recited by heart some of which I can still recall after more than half a century...

Which, admittedly, is off topic, and you are absolutely free to "nym" yourself by a solecism here :=)
Actually, I'd been wondering whether you chose the improper spelling consciously in the first place, as a layer of clever obfuscation...

ab praeceptisJune 14, 2017 6:06 PM

Czerno

Probably you are right and I'm wrong. That said, I'll go with what is established by now.

As for (land line) phones changing/being abolished I have but 3 remarks to make:

- Too bad. ISDN had some nice sides, too (e.g. synchro).
- Not surprised at all. Everything networked is a nice ploy for the telcos and the (eavesdropping) state, too
- encrypted communication works quite well over the net and there are many more people knowing their way with network packets than with phones.

Anonymous CowardJune 14, 2017 7:10 PM

non-technical to the point they probably can't securely use a desktop computer
Doesn't that describe everything? Is anyone technical enough to securely use anything?


The most compelling things they point out in favor of iPhone are security updates and hardware support. The Android vendors often ship updates really slow or don't do them at all.
???
Android gets security updates as often as iPhone, on supported hardware,
There are probably more types of Android available that are compatible with the frequent Google releases than there are types of smartphones that iPhone will run on.
Isn't there just one phone per year released that supports iPhone and its updates? Isn't that actually rather bad hardware support?
Not to mention how available the two types are to regular, non-super-ultra-mega rich people. Android hardware that officially supports Google's tight release schedule is cheaper than any iPhone.
Isn't it rather unfair to compare low-end Android phones subsidized by Chinese malware and Finfisher, to the Apple phones which are all more expensive than Android flagships?


Apple has advanced, security features that apps are more likely to actually use
I wasn't able to find any supported by iPhone that aren't supported by Android, but I'm not exactly the best researcher. Could you post a link to some information on this, please?


the App Store has less malware due to their rules and review. Android situation is polar opposite
That's probably true but since you're talking about which phone is more secure, not which phone has the most versions of Angry Birds, wouldn't it be more fair to compare F-Droid to the App Store? App Store is the only show in town for Apple users, whereas with Android it's possible to get software that is available for anyone to inspect, and a lot of it even has reproducible builds, which can never be implemented in something closed source such as App Store.
Also, it's far easier for Apple users to get malicious updates, similar to the Flame malware that infected people through Windows Update.
With Android, it's at least possible (if not easy) to just run git update, see the changes, and then compile that source code locally with a pretty idiot-proof build process.
Also, if the mal-update isn't targeted, no skills at all are needed. Some nerd will see the malicious changes and warn everyone. With Apple the only way this could happen is by people who are skilled at disassembling ARM binaries. Such people are likely far rarer than people who can read source code, making it far easier to poison iPhone updates.


@Dirk Praet

Without a very strong system of checks and balances, the law devolves into an instrument by the rich to control the poor and in which the guardians are just part of their illusion projected to the citizenry
The closest system to strong checks and balances is a democratic peer to peer model, such as "web of trust" public key cryptography, crowd hosted "Tor nodes"/"I2P peers" that constantly validate each other and automatically blacklist bad actors. Likewise with distributing installation CDs or even simple updates; a hash that doesn't even take up 1 kilobyte being gotten from another channel such as offline, is good enough to ensure that you're not downloading a backdoored version of an operating system or update. Anyone who distributes bad versions is automatically and instantly kicked out of "the swarm", as opposed to being able to send out malware until end users notice and report it, and administrators look into it and finally carry out the removal. It's also harder for DDoS attacks to take down peer to peer updates/installations.
Really, self-regulating systems are the closest thing to checks and balances.


@ab praeceptis

the idiocy of idiots thinking they are important enough and have important and urgent enough info to share or to receive to carry around mobile phones.
So despite the fact that most jobs require you to have social media profiles and give your employer access to them, as well as require you to be reachable, it's dumb as hell for people to do so?
Besides, if you don't have a means to film and upload videos of abuse of power, how exactly does that keep the state in check? Do you really believe that having a smartphone with you doesn't make it easier to be a whistleblower when you see somebody in a position of authority abusing their power?


It does, however, not explain the escalated idiocy of carrying around half (and for not too few even all) of their computer equipment.
Isn't that the only way to prevent evil maid attacks?


Which btw opens a funny question, namely "should a state protect citizens (read: tax and consumer animals) from their own idiocy?"
No, but they shouldn't launch cyber attacks, without any form of due process or warrant, against innocent civilians *cough mass hacking of people accused of no crime with "network investigative technique" malware, malware written using the tax dollars from the very citizens that the government is using the malware to attack cough*.
They also shouldn't bribe or blackmail standards bodies such as NIST *cough dual elliptic curve backdoor cough* to sabotage widely used encryption protocols, and then require everyone involved in any kind of business to use those broken standards. Is it stupid to use something that's broken by design if the government will take all your money or arrest you otherwise?

I believe we had already previously established that from a security vantage there currently is no such thing as a "safe" smartphone, or at least none that is commercially available or that we know of.
Well then shouldn't the goal be to find the least unsafe one, and do whatever you can to support it (whether by teaching the... "less technically adept" people how to get it, or by contributing code, or simply donating to the developers or helping test betas)? Or is it really more logical to simply tell everybody to lose all hope and give up on life?
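The out-of-band hash check described in the comment above (a digest obtained over a separate channel, compared against the downloaded image or update) and the same commenter's earlier point about reproducible builds (a locally compiled artifact should match the distributed one), as one added Python example that is not part of the original thread. It assumes the project publishes a SHA-256 digest; the image bytes, the "tampered" variant and the mirror digests below are constructed inline for the demonstration and stand in for a real installer image or APK.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class VerifyResult:
    ok: bool
    reason: str
    digest: str


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory artifact (for large files, feed hashlib in chunks)."""
    return hashlib.sha256(data).hexdigest()


def verify_against_published(artifact: bytes, published_hex: str) -> VerifyResult:
    """Compare the artifact's digest with one obtained over a separate channel.

    hmac.compare_digest is used so the comparison does not leak where the
    digests diverge; harmless for a local file, but worth keeping as a habit
    for code that may later run inside a network service.
    """
    published_hex = published_hex.strip().lower()
    if len(published_hex) != 64 or any(c not in "0123456789abcdef" for c in published_hex):
        return VerifyResult(False, "published digest is not a 64-hex-char SHA-256", "")
    actual = sha256_hex(artifact)
    if hmac.compare_digest(actual, published_hex):
        return VerifyResult(True, "digest matches out-of-band value", actual)
    return VerifyResult(False, "digest mismatch: artifact altered or wrong digest", actual)


def verify_against_sources(artifact: bytes, digests_from_sources: dict) -> VerifyResult:
    """Peer-style check: every independent source must agree with the artifact.

    Any source that disagrees is named in the result so it can be dropped from
    the trusted set, i.e. the "kicked out of the swarm" behaviour from the comment.
    """
    actual = sha256_hex(artifact)
    if not digests_from_sources:
        return VerifyResult(False, "no independent sources supplied", actual)
    disagreeing = sorted(
        name for name, d in digests_from_sources.items()
        if not hmac.compare_digest(actual, d.strip().lower())
    )
    if disagreeing:
        return VerifyResult(False, "sources disagree with artifact: " + ", ".join(disagreeing), actual)
    return VerifyResult(True, f"all {len(digests_from_sources)} sources agree", actual)


def reproducible_build_matches(local_build: bytes, distributed: bytes) -> bool:
    """Reproducible-build check: the locally compiled artifact must be bit-identical
    to the distributed one; comparing digests avoids holding both in memory twice."""
    return hmac.compare_digest(sha256_hex(local_build), sha256_hex(distributed))


# Constructed sample inputs (stand-ins for an OS image or APK), not real artifacts.
GENUINE_IMAGE = b"example-os-image-v1.0\n" + bytes(range(256)) * 4
TAMPERED_IMAGE = GENUINE_IMAGE[:-1] + b"\x00"     # one byte altered near the end
PUBLISHED_DIGEST = sha256_hex(GENUINE_IMAGE)       # what the project would post out of band

if __name__ == "__main__":
    print(verify_against_published(GENUINE_IMAGE, PUBLISHED_DIGEST))
    print(verify_against_published(TAMPERED_IMAGE, PUBLISHED_DIGEST))
    print(verify_against_sources(GENUINE_IMAGE, {
        "mirror-a": PUBLISHED_DIGEST,
        "mirror-b": PUBLISHED_DIGEST,
        "mirror-c": sha256_hex(TAMPERED_IMAGE),    # a mirror serving a different image
    }))
    print(reproducible_build_matches(GENUINE_IMAGE, GENUINE_IMAGE))
```

The check is only as strong as the channel the digest came from: a digest fetched from the same mirror as the download proves nothing, since whoever altered the image can alter the digest next to it. The usual stronger form is a signature over the digest by a key obtained earlier, which is what the "web of trust" part of the comment points at.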

Dirk PraetJune 14, 2017 7:17 PM

@ ab praeceptis

The assumption that smartphones are somehow vital is factually untenable (but maybe socially true).

You obviously have no teenagers in the family. By depriving them of a smartphone, you turn them into social outcasts. And have you watched any reports on refugees on TV lately? Their smartphones often make the difference between getting stuck somewhere or finding up-to-date information on how to get to whatever destination it is they have in mind. That is the reality of today, whether we like it or not.

@ Czerno, @ ab praeceptis

As a fellow Latinist, I concur with @Czerno.

ab praeceptisJune 14, 2017 8:50 PM

Dirk Praet

I do have kids but gladly I always understood that a major part of bringing up kids is to prepare them for life. That includes to teach them the importance of using one's brain and to not allow some smart mindf*ckers in marketing or PR to remote control them.

But don't take that as personal. I'm certainly not on a crusade against smartphones. May everyone use them to his liking (and leave me the freedom to have my own view and liberty to decide).

Returning to a somewhat less sociological/political but more technical and fact based perspective: One can have all those (more or less really) useful things but not necessarily in one package/device. In particular, communication (both data and voice), data, and diverse gadgets (navi, browser, music, etc) shouldn't be in one device - if one looks at the interest of persons; looking at the interest of state and large corp, of course, the opposite is true and smartphones are great.

Let me close with a hint: The kids of your kids won't be able to tell anymore whether their "social interaction" is really with people or with an AI. Again, I'm not evangelizing but I certainly keep the right to challenge what is presented to me as "reality".

Dirk PraetJune 15, 2017 4:04 AM

@ ab praeceptis

But don't take that as personal.

Rest assured that I don't. Like I said: I totally get your take on the matter, and I largely agree with it. Nevertheless, I don't think there's much we can do to stop the rise and proliferation of the new Homo Digitalis and the overlords he's willfully submitting to.

JG4June 15, 2017 7:02 AM


I see a parallel to software here. The word substitutions are left as an exercise for the interested reader.

Planning documents for tower in fatal fire omitted safety barriers
http://uk.reuters.com/article/uk-britain-fire-cladding-idUKKBN19538U
...
Planning documents detailing the refurbishment of a residential tower block in West London where at least 12 people died in a fire on Wednesday did not refer to a type of fire barrier that building safety experts said should be used when high rise blocks are being re-clad.
The local authority which owns Grenfell Tower in Kensington declined to confirm whether fire barriers were installed on most floors between the insulation panels attached to the exterior of the building as part of the renovation.
Rydon Group, the construction company which undertook the work, also declined to say whether they had been used, but said the revamp "met all required building control, fire regulation and health and safety standards."

nonlinear feedback system
https://hbr.org/2017/06/is-america-encouraging-the-wrong-kind-of-entrepreneurship

securing information exchange
http://www.spiegel.de/international/ornithologist-richard-prum-on-duck-sex-and-human-evolution-a-1151217.html

spoofing signals
https://www.spectator.co.uk/2017/06/the-forger-who-fooled-the-art-world/

all from the brilliant daily compendium

http://www.nakedcapitalism.com/2017/06/links-61517.html
...
The Seven Stages of Gun Violence Stonekettle Station (WobblyTelomeres).
http://www.stonekettle.com/2012/07/the-seven-stages-of-gun-violence.html
...[but at least their rights won't get trampled]
It is easier for a crazy person to get an automatic weapon than healthcare in America. - Shannyn Moore, Moore Up North

Imperial Collapse Watch

What went wrong with the F-35, Lockheed Martin’s Joint Strike Fighter? The Conversation

The ‘Global Order’ Myth The American Conservative

45 Dead After Oxygen Sucked Out Of Room During Pentagon Planning Session Duffel Blog

New Cold War

Senate Approves Russia Sanctions, Limiting Trump’s Oversight The Atlantic

Democrats: Your Russia obsession is blinding you from what really matters The Week

Clive RobinsonJune 16, 2017 4:35 AM

@ Bruce,

As this Squid thread is about reproductive issues, and another thread this week is about "millennials disclosing information" industry and political leaders would rather have kept quiet... the following information is bubbling up again,

@ All,

As you probably know most chip manufacture is done outside of the West, mostly in the Far East. Have you ever wondered why?

Often the argument centers around labour, and you get told the workers are "more productive" or by others "more compliant" or "different cultural ethics" etc. Whilst there is a degree of truth in that, there is a very dirty, quite toxic secret you don't get told.

Nearly everyone thinks "electronic industry", which hides the fact that making chips is an etching process. Which is all about chemicals: from growing the crystals, cutting, cleaning, prepping, photo resist, the highly corrosive etchants and lethal dopants, it's a chemical soup of really nasty components.

So nasty in fact that the levels workers are allowed to come into contact with in the US are so small it makes fabrication at best difficult if not impossible. We've all seen the "Intel Bunnies" dancing in the adverts a decade or so ago when the "Intel Inside" ad war started. The implication was that they were wearing "clean room suits". In reality they were more like level four Hazmat suits. But... even if the chip workers were to wear level four hazmat suits some of the chemicals (EGEs) would pass through with little or no difficulty. To make just the gloves resistant to the chemicals would make them impractical for use as the workers would have no dexterity in them, thus other, way more expensive tooling would be required.

The Semiconductor Industry Association has been aware of this for years, and as such has kept quiet about the fact that some of their members "exported" the work and the toxicity to the Far East.

But as things have a habit of doing, the story is bubbling up again, because millennial researchers are investigating several hundred percent increases in reproductive disadvantages in chip manufacturing workers in the Far East.

https://www.bloomberg.com/news/features/2017-06-15/american-chipmakers-had-a-toxic-problem-so-they-outsourced-it

Clive RobinsonJune 16, 2017 5:31 AM

@ Bruce and the usual suspects,

As we know there are many researchers looking to find Quantum Computer (QC) proof Public Key or asymmetric key algorithms.

However as I've occasionally noted Quantum Key Distribution (QKD) would be an alternative if the "distance and switching" issues could be resolved.

The distance issue should be solvable, after all we can and do see with telescopes free space light from millions of years ago, thus millions of light years in distance. However the distance in optical fibre appears to have topped out at a little over 100Km.

Scientists believe that Quantum Repeaters (Qreps) are practical to build, just technically difficult.

Which is important because Qreps will be needed to form the basis of other quantum devices such as quantum switches. Because if optical fibre QKD is to be practical for general use the switching problem has to be resolved as there is not enough glass in the world to give point to point links to every point of communications.

Well the Chinese have just shown that we may have a way to implement QKD with ten times the distance and not using optical fibre, but a satellite.

You can get a copy of the "science" paper from behind their pay wall,

http://science.sciencemag.org/cgi/doi/10.1126/science.aan3211

Or have a look at another view on it in Scientific American,

https://www.scientificamerican.com/article/china-shatters-ldquo-spooky-action-at-a-distance-rdquo-record-preps-for-quantum-internet/

But whilst the Chinese have produced a practical demonstration of QKD from a satellite it is in a low orbit and each entangled pair received is just one in several million sent out over the 1000Km path.

However in Europe measurements on existing 38,000Km links have shown that QKD from geostationary orbits will be practical.

https://doi.org/10.1364/OPTICA.4.000611

Whilst this might all appear to be close to Science Fiction, it needs to be noted that the early telegraph that preceded our modern globe and space spanning communications networks had, a little over a century ago, significant cable and free space distance issues which both science and engineering ingenuity overcame within a couple of generations.

Thus we may have a practical QKD solution ready to put in place before both Quantum Computers or the asymmetric algorithms resistant to them become of use.

JG4June 16, 2017 7:22 AM


Interesting coincidence with the healthcare headline - the reason that I'm a regular here is that many years ago (seven? ten? thirteen?) my company's health insurance provider emailed all of the employee social security numbers and birthdates to me, then claimed that it was secure because it was password protected. With the password in the same email as the link. I'm still rabid about it. Stupidity can be a fatal affliction, but unfortunately it isn't a capital crime. The problem is when their stupidity kills you.

http://www.nakedcapitalism.com/2017/06/links-61617.html
...
On the rise of unproductive entrepreneurs like Travis Kalanick Izabella Kaminska, FT. With a shout-out to Hubert Horan’s article here yesterday.

Google faces big EU fine over search practices FT

Facebook has a solution to all the toxic dross on its site – wait, it’s not AI? The Register

Policing the power of tech giants Axios (Re Silc).

Making Humans a Multi-Planetary Species Elon Musk, New Space. Silicon Valley entrepreneurs are why the aliens quarantined the Solar System in the first place.

...
Hospital Sends Legal Threats To Researcher, Then Asks For Her Help Identifying Breach Victims TechDirt

...
Fireproof cladding that would have prevented Grenfell Tower tragedy ‘would have cost just £5,000 extra’ – and the cheap version that WAS used is BANNED in America Daily Mail

...
New Cold War

Mueller, Known for Being Above the Fray, Is Now in the Thick of It NYT.

Mike Pence Lawyers Up The Atlantic

‘All this circus’: Putin takes heat from broke, angry Russians in live call-in show WaPo

Putin ready to provide political asylum to former FBI director TASS (MT). Cheeky!

The Madness of King Donald Richard Evans, Foreign Policy. Must-read.

...
Big Brother Is Watching You Watch

Telegram founder: U.S. intelligence agencies tried to bribe us to weaken encryption Fast Company

RachelJune 16, 2017 10:15 AM

JG4
Telegram founder: U.S. intelligence agencies tried to bribe us to weaken encryption Fast Company

I continue to be irritated when I read comments by/about Telegram like this. It's a continued attempt to establish a 'they hate us but we stood up to them' narrative. (which of course Apple tried to milk too)
everyone knows telegram is a waste of skin. Telegram is so dense, light bends around it.
But then you get people like Matt Mullenweg of Wordpress fame saying 'use telegram, it's good encryption. and its not google or facebook'
Ab Praeceptis and Dirk have had creative tension over the contraries of 'Tor/Signal puts you under the radar / but it's a viable option for the general public' . Well, telegram is the worst of both worlds


ab praeceptisJune 16, 2017 11:53 AM

Rachel

As for the telegram founders statements re. us-american attempts I consider those believable (very highly likely and credible).

As for telegram itself I'm bewildered. While I'm under the impression that the telegram people seriously and honestly wanted to create a good and secure solution, it also seems very obvious that their understanding of security (and safety, for that matter) is quite rudimentary.

The widely known background story of telegram, i.e. the strong desire to escape "russian censorship and eavesdropping", on one hand is quite credible (i.e. yes, there are, usually "liberal", groups in Russia who seriously believe that the Kremlin and the security apparatus are "KGB minded" and oppressive) and on the other hand is utterly ridiculous; not so much in terms of political belief but rather in terms of how Russia ticks. Summarizing it somewhat crudely one could say that there is real and serious freedom of speech and opinion in Russia but - and that's in no way a Putin phenomenon but deeply and since eternity rooted in Russia's wiring - that one has to act "showing one's face" (~ real names are accessible to authorities); that, quite naturally, goes strongly against the grain of liberals.
Of course, looking from a western perspective that might look weird or even evil but we should be very careful and avoid judging other cultures and societies by the measures of our own.

My (not at all profound) research of telegram led me to a clear verdict: There are enough obvious red lights to avoid telegram. STAY AWAY!

To offer some examples: SHA-1, heavy use of openssl, utterly misguided authentication (by SMS and only optionally 2 factor. And indeed there have been cases where telegram accounts were "hacked" by intercepting auth SMSs), "cloud based" (which quite reliably translates to crap), weird self rolled "security" protocol ("MTproto"), etc.

Some will now probably say that I'm an evil guy who doesn't point to a good alternative and that, after all, Joe and Jane need some way to securely communicate with their smartphones (and point at Signal as a reasonable alternative) but I disagree. "Let's eat cat poop; it's not tasty or healthy but still better than dog poop" is not an acceptable approach as far as I'm concerned. Maybe it's about time for Joe and Jane to learn that sometimes "colourful and funny" and "secure" just are mutually exclusive.

RachelJune 16, 2017 3:31 PM

@ Ab Praeceptis

appreciate the reply, respect. As you know there are a number of essays available deconstructing the seemingly endless number of poorly constructed ill conceived concepts in Telegram code.
The founders consider being maths PhDs to be sufficient cred for rolling their own. Their solution to dissent in the community was, instead of addressing the concerns publicly, to host a crypto contest. & et cetera.
One red light for the attentive may be the IC reports in the media 'telegram is the only one we can't crack. And thus those evil people are flocking to it'

It's too much to expect many others to value your insights and feedback about Russian culture that make this blog a much richer place. You couldn't possibly know what you are talking about. It does raise the question - why are seemingly intelligent people so threatened by having one's inner paradigm challenged? Worst scenario is the individual ends up wrong. But no, it's 'I don't understand. That's weird. So you suck'. I love the healthy dynamic challenge of a new experience, intellectual, practical or otherwise. Although in your specific instance [while I have no experience of the aspect of Russian society of which you speak] to be fair it's not entirely the fault of the general person. The media, being the sole source of information about foreign cultures, is largely responsible. Ultimately the individual must take responsibility for their beliefs, be willing to challenge them/have them challenged, engage critical thinking, and stop claiming to follow the scientific paradigm if they don't live a life of self examination and apply those paradigms to their own values and thoughts

Genuine enquiry: Been meaning to ask you for some time. And it will be of value to others too. You have commented upon Pussy Riot a couple of times here. Essentially saying the situation was not what it seemed. I can't recall the exact details, but I remember thinking 'how did you get your information' . They did a couple years time, no? What was the point of jail time, how did that serve their paymasters? I think you said the initial protest was funded by the state or something. Anyway if you care to elucidate what was really going on there, it may doubly serve to illustrate other realities of Russian culture many here refuse to integrate


ab praeceptisJune 16, 2017 4:03 PM

Rachel

As this is the squid thread I can respond.

pussy riot was an art group (inter alia but that pretty much sums up the public side of it) of very little significance. But as it called itself an art group/collective and appealed for public funding they got it. Of course, you will find that fact very rarely mentioned in the western press.
It gets even better. At one occasion in the context of their criminal attack on the cathedral some conservative Russians challenged Putin why the state finances such criminal perverts. Putin responded something to the effect of "a good government a) doesn't reign in or control art but b) actually even values the expression of dissent that is so frequent in artists circles".

Why were they sent to prison? Simple: They broke the law and were accordingly sentenced by a court.

Did that serve their paymasters? Certainly! The jail sentence allowed their western patrons to smear the Russian government and in particular president Putin as despotic, oppressive and dictatorial. Btw, there were quite a lot of Russians who were very upset about Pussy Riot getting away with such a mild sentence, and at some point in time they even formed civil groups for the protection of churches.

In fact, it served them *so well* that later, at the Sochi Olympics, Pussy Riot staged "yet another oppressive arrest"! Fortunately some bewildered citizens filmed the whole act, and so it in fact turned against Pussy Riot. In the western world that perfidious attempt to smear Russia with a fake arrest was simply ignored as if it never happened.

After outliving their usefulness as a tool against the Russian government, the Pussy Riot triad attempted to get a grip again by cooperating with Femen. Largely failing, they entered the USA and managed to achieve a couple of moments of short-lived fame, mainly by being seen near or even supported by i.a. Clinton. From what I know they tried to enter the US of A music industry and maybe even recorded something, but they ended up pretty much in obscurity and insignificance. Oh well, the modern Rome (aka Washington) doesn't treat its tools well once they outlive their usefulness ...

There might be more, but my interest in researching trash is limited to what I happen to pick up along the way.

Moby DickJune 17, 2017 5:24 PM

What happened to my post? Are we not supposed to ask questions about IT security here?
@Anonymous
While FOSS products in general do tend to have advantages over most commercial products, there's very little hope in securing Android.
That said Orfox is probably an improvement over the stock browser or even Firefox, simply because a lot of the hardening done to Tor Browser carries over to Orfox.

@Who?
do not use Android. Ever
What if you must have a smartphone? Do you think that Android is actually worse than iOS or Windows Mobile?

I agree about not rooting these devices, even if it is the only way to run one of the "mostly useless" Android firewalls
I also agree that rooting is dangerous, which is why CopperheadOS doesn't come with root.
I disagree about all Android firewalls needing root, though.
Google Play has rootless firewalls (unless the government ordered Google to block all safety features such as firewalls and antivirus), and F-Droid has at least one (NetGuard). If you count Orbot's VPN mode, then that makes two.

all the alternative roms you describe follow the same support policy as official ones
How does the support policy factor into security or privacy? Don't all non-enterprise OSs have bad support policies, and enterprise ones have massive backdoors for "management"/"administrative"/"maintenance" purposes, even worse than the consumer ones do?
I do agree that his applause for CyanogenMod is bad though. Replicant (if available for your device) is almost as good as taking your desktop and replacing Windows or OSX with stock Debian. CyanogenMod is more like Ubuntu. CopperheadOS is probably one of the best. What do you think about OmniROM and ParanoidAndroid?

ModeratorJune 17, 2017 6:12 PM

@Moby Dick, I don't see any pending posts from you, and none flagged as spam. Something happened, I don't know what or why. Please feel free to repost, and if it gets hung up, let me know and I'll check the pending queue again.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.