Friday Squid Blogging: Why It's Hard to Track the Squid Population

Counting squid is not easy.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on July 7, 2017 at 2:08 PM • 186 Comments

Comments

Bruce Schneier • July 7, 2017 2:10 PM

@ all re ab praeceptis

Thank you all for your comments. I agree that I went too far with a threat to ban ab praeceptis, and I apologize for that (and to ab praeceptis directly). He is a frequent and valued discussant, but the phrase "Nazigrad" got to me. To reiterate: 1) take broader discussions of politics elsewhere; and 2) try to be kind and assume good faith.

Ben A. • July 7, 2017 2:33 PM

Sliding right into disaster: Left-to-right sliding windows leak

https://eprint.iacr.org/2017/627


Beyond public key encryption

https://blog.cryptographyengineering.com/2017/07/02/beyond-public-key-encryption/


Revocation is broken

https://scotthelme.co.uk/revocation-is-broken/


Bitscout – The Free Remote Digital Forensics Tool Builder

https://securelist.com/bitscout-the-free-remote-digital-forensics-tool-builder/78991/


Let’s Encrypt to Offer Wildcard Certificates in 2018

http://threatpost.com/lets-encrypt-to-offer-wildcard-certificates-in-2018/126700/


Decryption Key to Original Petya Ransomware Released

http://threatpost.com/decryption-key-to-original-petya-ransomware-released/126705/


Oz government wants its own definition of what 'backdoor' means

https://www.theregister.co.uk/2017/07/07/oz_governments_definition_of_backdoor/


On the Inspection of Anti-Virus Source Code to Demonstrate the Lack of Offensive Cyber Capabilities

https://www.lawfareblog.com/inspection-anti-virus-source-code-demonstrate-lack-offensive-cyber-capabilities


How to pwn phones with shady replacement parts

https://www.theregister.co.uk/2017/06/30/researchers_pwn_phones_with_shady_replacement_parts/


Artpip – 4k fine art for your desktop

https://www.artpip.com/

albert • July 7, 2017 2:41 PM

"...Cyberspace has increasingly become an arena of national self-assertion and international conflict instead of the transnational global commons it once seemed to be. Preserving the vision and the possibility of a free internet is an urgent task.

That is the basic thrust of a new book called The Darkening Web: The War for Cyberspace by Alexander Klimburg (Penguin Press, July 2017)...."


https://fas.org/blogs/secrecy/2017/07/darkening-web/

Though I disagree with the 'Russian election hacking' meme, I believe that -fear- of Russian hacking is proving just as effective as -actual- Russian hacking.

. .. . .. --- ....

Tables Turned: Spies Paranoid Being Monitored • July 7, 2017 2:45 PM

The sharing of intelligence between federal agencies has recently gone between two extremes:
In the last days of the Obama administration a directive was issued to allow sensitive info to be widely shared. As expected, this action resulted in daily leaks to the press.

Now we find the exact opposite – a system where spies are being tracked and held accountable. AND THEY DON’T LIKE IT
Hopefully this PRISM type mass surveillance will stop the next NSA code leak.
Guys, if you do your job the eavesdropping should be transparent – get over it. Welcome aboard.
As a suggestion Stingrays should be installed at all secure facilities.
http://www.politico.com/story/2017/07/07/trumps-leak-vendetta-sends-chills-240274

To increase accountability polygraphs should include questions over leaking classified information.

BTW can someone summarize what Trump and Putin REALLY discussed?

AlanS • July 7, 2017 3:16 PM

Someone in GCHQ's PR department thought this was a good idea. An honest attempt to make amends for what they did to Turing and others would be positive but this comes over as a clumsy and calculated distraction from the fact that they are not paragons of civil liberties.

To celebrate #LondonPride we've teamed up with our colleagues at #MI5 and #MI6 to choose our #PrideRoleModels.

J. K. Rowling

Alan Turing

ab praeceptis • July 7, 2017 3:38 PM

Bruce Schneier

I won't use it anymore ("nazigrad"), but for the sake of understanding: it brings many ugly things into 1 word. For those who don't know, look up "Odessa massacre" and you'll understand.

Please note that my political musings are usually *not* about pro A or anti B. They are about applying techniques that are common, well established, and useful in our field, and they are seen from the very angle from which you yourself often look at things.

We are in an information war (you us-americans experience that quite harshly, no?) and just like you do with e.g. tsa and like we do when looking at "secure" protocols, products, etc. my point is about questioning the "information" in the information war. It's, at least for the biggest part, a "technical" and human interest that guides me, not a political one. If the involved parties happen to be russian, ukrainian, us-american, or some island in the south pacific is of little interest to me.

So my main message with seemingly political musings, e.g. with "nazigrad", is not to paint some party black or white (let alone to insult) but rather to point at gross lies.

We tell users to not blindly trust "bulletproof security!" messages from e.g. AV vendors or to question state sponsored "good random numbers" etc. In the same vein I try to tell "Do not believe the media and politicians!" because they paint a murderous regime as good guys and victims and the real victims as evildoers if it matches their interests.

But again, I will respect your rules as well as I can and as far as I know them.

Ratio • July 7, 2017 4:18 PM

Wasn't the point of @Bruce's comment that this isn't the place for discussion of broader political issues?

Wael • July 7, 2017 4:41 PM

@Bruce Schneier,

"and I apologize for tha..."

Courageous and magnanimous! Also down to earth. Admirable qualities.

Wael • July 7, 2017 5:22 PM

@Ratio,

Is there a difference between;

"discussion of broader political issues"

and:

"broader discussions of political issues" ?

@ab praeceptis,

"I won't use it anymore..."

You did! Twice.

Mike Barno • July 7, 2017 5:26 PM

On Bruce's recurring topic of how to keep a system as secure as possible when its participants have opportunity and incentive to "cheat":

I saw a crawl on the television: "MEDVEDEV FINED FOR UNSPORTSMANLIKE CONDUCT". Sadly, it referred to the tennis player, not the Prime Minister of Russia. Imagine if we had referees to penalize politicians when they commit fouls!

Clive Robinson • July 7, 2017 6:21 PM

@ Mike Barno,

"Imagine if we had referees to penalize politicians when they commit fouls!"

I suddenly had this flash back to the movie "Slap shot" and players getting thrown in the sin bin.

I guess we would need a very strong civil service to run things. As most of the more senior politicians would spend much of their time in the sin bin...

x2bike4u • July 7, 2017 6:49 PM

@ Clive Robinson

"As most of the more senior politicians would spend much of their time in the sin bin..."

Probably life sentences.

Ratio • July 7, 2017 6:58 PM

@Wael,

Is there a difference between;

"discussion of broader political issues"

and:

"broader discussions of political issues" ?

The word "discussion" appears in the singular in the first phrase but in the plural in the second. Also, the adjective "broader" applies to "political issues" in the first phrase but to "discussions" in the second.

There's a subtle difference in emphasis; the first phrase makes more explicit what is implied in the second.

Does that answer your question?

@Ben A.,

"The politics of responsible disclosure, mandated backdoor access etc are all examples of 'wider political issues' which are acceptable."

Of course. But that's not using the word "broader" (or the synonym "wider" in your case) the way @Bruce was using it in his comment at the top.

ab praeceptis • July 7, 2017 7:04 PM

Wael (Ratio is simply ignored)

Are we 14? Do we talk about "you know where" or "you know, down there"? Am I supposed to tell Bruce Schneier "I will not say anymore 'you know what'"?
I'm confident that Bruce Schneier will doubtlessly see and understand what I meant to say as well as the absence of any bad intention.

Moreover, I will be polite enough to not spell it out in gory detail, but certainly gentlemen do not bicker after a misunderstanding has been cleared (and even an apology was offered). But well, acting gentlemanly is not given to everybody ...

Let me quote Bruce Schneier "...assume good faith." - One might well follow the question whether he himself did act according to that, as his threatening to ban me was evidently *not* based on "assume good faith." (but rather assuming who knows what evil from my side).
But the issue has been cleared and apology was offered, hence the right thing to do is certainly not to find reasons for bickering on this and that detail.

I invite you to join me in simply putting this thing to rest and to walk on. If you can.

As for the offered apology, I agree. It does indeed shine a good light on Mr. Schneier.
Unfortunately the power of apologies is rather limited. Just think of those people who have been jailed and then, sometimes later, been set free along with an apology. People tick the way they tick. Having read Bruce Schneier's scolding threat to me, people tend to remember *that* and not the correction or apology. As the saying goes: names are smeared and ruined very easily and quickly, but restoring them takes an awful lot if it succeeds at all (and smeared honour is particularly difficult to impossible).
Moreover the question arises of how and how far one trusts, say, a policeman after experiencing injustice and being a victim of his actions? That damage is hard to repair, too (and sometimes even impossible).

So, you and certain others here who want to see me weakened or punished can be happy anyway. Bruce Schneier has lost something (about which he might or might not care), I have lost a lot as a victim - but you can be joyful, you are the one(s) who have won something.

Again: Just put it to rest and let's walk on.

Thoth • July 8, 2017 12:22 AM

@all

Where IPFS fails ...

While this might seem like a disservice to the IPFS project (linked below), it is actually meant as a first impression, as I attempted to run an IPFS service recently and hit multiple roadblocks.

Of course the excuses of 'it's just an open source project', 'need more funding', 'why don't you help them and make suggestions to them' and many other possible criticisms of my complaint (below) about IPFS in its current state might arise, but imagine a non-technical Investigative Reporter or Journalism organization that wants to set up an IPFS node in the hope of using the 'Censorship Resistant' capabilities of IPFS to publish their news articles: they would hit these problems almost immediately.

1.) The installation for Linux is a TAR file :) . Good luck if the journos don't know how to use the 'tar -xvf' command, but that should be simple, right? Hopefully so ...

2.) The installation guide recommends 'mv /ipfs /usr/local/bin/ipfs ...'. OK, that's simple for me, but that is not going to make those journos who want to set up an IPFS node happy this time (for the non-techies).

3.) IPFS is unable to traverse firewalls and routers and requires firewalls and routers to open ports (the default uses port 4001). I forgot to mention that my IPFS instance runs on a Linux virtual machine (VirtualBox). Before you start to point out that I contradict myself on the use of Linux: there is so far no OpenBSD port yet and this is a test instance, so IPFS on a Linux VM seems not to go through firewalls and routers unless specifically edited into the firewall and router configs. Not gonna be fun if you have a couple of layers of firewalls/routers/etc to edit just to get through.

4.) IPFS cannot restrict access to certain folders. Imagine you want to host a folder for a friend or a small group of friends to access; you would definitely not want the entire world to gain access. IPFS took the same approach the Internet took with HTTP Authentication. They simply disregard something as simple and mandatory as secure authentication and access control for IPFS. This is the exact same wrong turn that the Web took, and the Web paid for it with crappy HTTP Authentication mechanisms and the consistently failing HTTPS (SSL/TLS) crypto.

History definitely knows how to repeat itself endlessly, and for those who want to design security, I guess it is inevitable that almost all of us will repeat all the same mistakes as we create 'new security protocols', and the old attacks that apply to other protocols will always find use; as @Clive Robinson et al. always say, 'the old becomes the new again' (not the exact words but the same meaning).

There might be other problems, but once I noticed that IPFS cannot set up secure authentication and access control for a given resource, it immediately put me off and I simply discontinued further testing, as this is a huge flaw in my opinion in the construct of IPFS.

For the fanbois of IPFS that might find their way to this forum/post, be reminded of the posting rules and not receive 'Yellow/Red Cards' from @Moderator/Bruce Schneier and also think hard on the security IPFS provides :) .

Links:
- https://ipfs.io
- https://discuss.ipfs.io/t/possibility-to-restrict-file-access-for-users-in-network/98
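Added example (not from the comment above and not IPFS project code): a toy content-addressed store that models the property being complained about, namely that a blob is served to anyone who presents its hash, so there is no requester identity to authenticate. The usual mitigation for such a store is to encrypt on the client before adding, and the example shows that side by side with publishing in the clear. The store class, the newsroom sample text and the HMAC-based cipher are all constructed for this illustration; the cipher is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# Constructed toy content-addressed store (a teaching model, not the real
# IPFS API). Like IPFS it names each blob by a hash of its bytes and serves
# the blob to anyone who presents that name: there is no requester identity
# to check, so there is no place to hang authentication or access control.
class ContentStore:
    def __init__(self):
        self._blobs = {}

    def add(self, data: bytes) -> str:
        cid = hashlib.sha256(data).hexdigest()
        self._blobs[cid] = data
        return cid

    def get(self, cid: str) -> bytes:
        # No credentials are consulted: knowing the identifier is enough.
        return self._blobs[cid]


# Demonstration-only encryption layer: HMAC-SHA256 used as a PRF in counter
# mode for confidentiality, plus a separate HMAC tag for integrity. It is
# here so the example runs on the standard library alone; a real deployment
# would use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305.
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one master key.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raise ValueError on any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def confidentiality_check(article: bytes, key: bytes) -> dict:
    """Publish the same article twice, in the clear and sealed, and report
    what a stranger who merely learns each identifier can read."""
    store = ContentStore()
    plain_cid = store.add(article)
    sealed_cid = store.add(seal(key, article))
    stranger_plain = store.get(plain_cid)    # identical to the article
    stranger_sealed = store.get(sealed_cid)  # opaque without the key
    return {
        "plain_readable": stranger_plain == article,
        "sealed_leaks_text": article in stranger_sealed,
        "owner_recovers": open_sealed(key, stranger_sealed) == article,
    }


if __name__ == "__main__":
    # Constructed sample: an embargoed draft a newsroom might want to stage.
    draft = b"Draft: council budget story, embargoed until Monday 09:00"
    print(confidentiality_check(draft, secrets.token_bytes(32)))
```

The point the dictionary makes is that the store itself never changes: the only thing separating "readable by the world" from "readable by the key holder" is what was encrypted before the hash was computed. Key distribution to the intended readers then becomes the access-control problem, which is exactly the piece a content-addressed network leaves to the application.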

ab praeceptis • July 8, 2017 2:11 AM

Thoth

Thank you very much, indeed, for that hilarious comedy. Frankly, I wondered whether that ipfs thingy was conceived and "designed" in a looney bin (Answer: No. Stanford is (officially) not a looney bin).

And it's even available as a binary package. Well, kind of. In fact, you can choose between packages for Arch Linux (which is hardly used by journalists I assume), Nix, an interesting but utterly unknown and exotic package manager, and 'snap', a package manager I never heard of.

Lovely.

Alternatively, one can download and install the go compiler (v. 1.8) and then gmake the whole thingy.
Oh and, please note that there is also a javascript version. Those people are dead serious about security!

But then, the real fun starts. Here are all the bits and pieces, some of which might not be necessary for a basic installation, but unfortunately they offer only very poor explanations, so that even a computer savvy user will have to spend quite some time just to understand what he needs and what he doesn't. Journalists? Forget it.

Here's the funny list:

fs-repo-migrations
fs-repo-migrations is a tool for migrating IPFS storage repositories to newer versions.
Version v1.2.2

go-ipfs
go-ipfs is the main implementation of IPFS. It includes: - an IPFS core implementation - an IPFS daemon server - extensive command line tooling - an HTTP API for controlling the node - an HTTP Gateway for serving content to HTTP browsers
Version v0.4.10

gx
gx is a package management tool built on ipfs
Version v0.12.0

gx-go
gx-go is a gx helper tool for golang
Version v1.5.0

ipfs-cluster-ctl
ipfs-cluster-ctl is a command-line interface to manage and perform operations on a ipfs-cluster peer. This build is experimental. The latest version of ipfs-cluster can built from the source repository.
Version v0.0.12

ipfs-cluster-service
ipfs-cluster-service runs a full IPFS Cluster peer. These builds are a preview and are considered experimental. The latest version of ipfs-cluster can be built from the source code repository.
Version v0.0.12

ipfs-pack
A filesystem packing tool
Version v0.4.0

ipfs-see-all
A diagnostics and recovery tool for ipfs repos.
Version v1.0.0

ipfs-update
ipfs-update is a CLI tool to help update and install IPFS easily.
Version v1.5.2

ipget
wget for IPFS: retrieve files over IPFS and save them locally.
Version v0.3.0 for linux 64bit

Lovely. Really lovely.

As you already mentioned, their security pretty much comes down to "let's slap ssl on it and be done".

But then, somewhere in the depth of their site (that btw has a typical modern marketing design) I found some mentioning of "specs"! Had I a wrong impression after all and those guys had a proper design for their toybox?

No. Their "specs" are readme files and some simple graphics (close to ascii art) and that with lots of "kind of" in it, that's it. Roughly the quality of a mediocre high-school side project.

With friends like that, a journalist's enemies like the nsa suddenly look almost good and reasonable.

Martin • July 8, 2017 5:03 AM

@ab praeceptis

"Are we 14? Do we talk about 'you know where' or 'you know, down there'? Am I supposed to tell Bruce Schneier 'I will not say anymore "you know what"'?"

Like your continued use of the objectionable term in your reply to Mr. Schneier, your reply to @Wael is less than professional and appears to be an effort to defy Mr. Schneier's reasonable and professionally stated request. Why? It is not logical to pursue such an approach in a forum of this caliber.

Baby You Can Drive My Car • July 8, 2017 5:34 AM

Disable Forced Location Sharing
My initial interest in this $88 OBDII device is to disable intrusive telemetry tracking by Big-Data auto manufacturers. Many new cars are tracked for 5 years ‘for free’. That is, owners can turn off GPS on phones but NOT autos.

Here are the apps:
chffr: chffr is our cloud dashcam app. It allows you to record and review your drives, in addition to helping to train self driving cars. Now if you have a panda paired with chffr, you can record all the sensors from your car. From any part of your drive, assuming your car has the sensors, you’ll be able to see how many RPM your engine was going, how much gas was in your tank, your MPG, if you had a door open, how hard you hit the brake, and much much more.

pandacan: pandacan is a user space library for talking to your car over USB or Wi-Fi from Python. It allows full read/write access to all the CAN and LIN buses. “pip install pandacan”

SocketCAN: SocketCAN is the Linux standard for CAN interfaces. The included driver allows panda to work with all SocketCAN tools, including can-utils and Wireshark.

openpilot: openpilot, our open source driving agent, can use panda to communicate with your car and control the gas, brake, and steering on supported vehicles.

Planned
Wi-Fi ELM327 (Android and iOS apps)
Windows J2534 (Car manufacturer tools)

https://medium.com/@comma_ai/a-panda-and-a-cabana-how-to-get-started-car-hacking-with-comma-ai-b5e46fae8646
http://www.businessinsider.com/comma-ai-george-hotz-panda-hack-car-2017-7

JG4 • July 8, 2017 7:22 AM


@Rachel - Thanks for the link to the Jim Jefferies video. If I had been clever, I would have sent it to Yves yesterday. I was slow to recognize the fundamental human right to not be shot by idiots, psychotics, criminals and psychopaths, especially ones employed by governments. Can't recall if I included this story in yesterday's headlines:

https://www.bloomberg.com/news/articles/2017-07-06/don-t-expect-health-coverage-if-you-survive-a-gunshot-wound
...
The bill for initial hospitalization of people with gunshot injuries from 2006 to 2014 averaged more than $730 million annually, according to a 2017 study from Stanford University. The average cost per patient was between $24,000 and $32,000. That doesn’t include rehabilitation, money lost due to not being able to work, the financial impact on families, or future hospital visits. Under the ACA, initial hospitalization is covered, as is follow-up care. Of the gunshot costs tallied in the Stanford study, Medicaid covered about 35 percent of the costs and Medicare about 6 percent, for a total of 41 percent.

http://www.nakedcapitalism.com/2017/07/links-7817.html

...[climate insecurity in the news]
Great Barrier Reef dead at 25 million The Sun (David L). Horrible.

...[novel argument about financial insecurity]
Australia Wants Chips in $100 Bills to Stop Crime, Hoarding by Elderly Bitsonline (furzy). So the pensioners will convert the cash into more volatile stores of wealth, like gold or diamonds.

[security of access to information]
Google and Facebook Give Net Neutrality Campaign a Boost Fortune. A big deal since both have lots of clout in the Beltway.

[health security and environmental security in the news]
Human faeces is shit for the environment – but is now making entrepreneurs flush The Ecologist (micael)

...[this is gun control writ large]
North Korea

North Korea’s Fast-Track Missile Development: How Far It’s Come and Why It Has the U.S. on Edge Counterpunch. Important.

Hawaii, Alaska contemplate coming into North Korean missile range Reuters

Unwittingly funny headline – picture state officials in AK and HI contemplating: ‘Hmm, maybe it would be a good thing for us to move into North Korean missile range – might be a good way to get more money from DC.’ Anyway, they’ve been within missile range of China and the deplorable Rooskies for over a half-century now, so the alarmism seems overdone. But whatever helps sell that ad copy, right, Reuters?

The Unacknowledged Logic of North Korea’s Missile Tests Nation

...
New Cold War

Rival accounts emerge from first Trump-Putin meeting

Trump-Putin meeting deepens divisions in US establishment on Russia policy WSWS (micael)

Trump Emerges From Putin Meeting With Cease-Fire and Little Else Bloomberg. Given the apparent lack of groundwork, why is this being dissed?

...
Imperial Collapse Watch

John McCain: The Patriotic Fighter for Sale Near Eastern Outlook (micael)

Big Brother is Watching You Watch

Hackers targeting US nuclear power plants, report finds CNET

...
Our Famously Free Press

After 1,379 Days, NYT Corrects Bogus Claim Iran ‘Sponsored’ 9/11 FAIR (furzy)

MSM, Still Living in Propaganda-ville Consortium News (Sid S)

Rachel Maddow’s Exclusive “Scoop” About a Fake NSA Document Raises Several Key Questions Glenn Greenwald, Intercept

Indigenous Journalist Faces Trial For Flying Drone To Document DAPL Shadowproof (martha r)

Only in America

[further proof that the FBI are dirty. if it comes out that he was a paid informant, he may be an idiot, psychotic, criminal and psychopath employed by government]
Recordings Reveal FBI Gave Man a Rifle, Urged Him to Carry Out Mass Shooting to ‘Defend Islam’ Free Thought (furzy)

This Roofing Company Is Giving Away Free Guns with Every Purchase Vice (resilc)

Cops Say Repeat Prison Escapee Got Help from a Drone Vice (resilc)


Tatütata • July 8, 2017 9:04 AM

How do you measure squid population? Trivial! Count the tentacles and divide the result by 8.

More seriously, there are papers making a connection between the estimation of the number of undiscovered bugs in software with wildlife population counts. (If and when I find them in my "stuff" I'll make an addendum. But the weather is too nice right now, and the dishes in the sink are developing a new life form.)
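The wildlife method such papers borrow is capture-recapture: two independent searches "capture" bugs, and the size of the overlap says how much of the population both searches are missing. Added example (not from the comment above, and not taken from any specific paper): the classic Lincoln-Petersen estimate and Chapman's bias-corrected variant, applied to two constructed sets of bug ids from independent reviewers. The Chapman form is included because the naive estimate is undefined when the two reviews have no finding in common.

```python
from typing import Optional


def _check_samples(n1: int, n2: int, m: int) -> None:
    if min(n1, n2, m) < 0 or m > min(n1, n2):
        raise ValueError("overlap cannot be negative or exceed either sample")


def lincoln_petersen(n1: int, n2: int, m: int) -> Optional[float]:
    """Classic two-sample estimate of population size, N ~ n1 * n2 / m.

    n1, n2: distinct items found by each of two independent searches
    m:      items found by both searches
    Returns None when m == 0, where the estimate is undefined.
    """
    _check_samples(n1, n2, m)
    if m == 0:
        return None
    return n1 * n2 / m


def chapman(n1: int, n2: int, m: int) -> float:
    """Chapman's bias-corrected form; finite even with no overlap."""
    _check_samples(n1, n2, m)
    return (n1 + 1) * (n2 + 1) / (m + 1) - 1


def estimate_undiscovered(found_by_a: set, found_by_b: set) -> dict:
    """Treat two independent reviews as two captures of the bug population.

    The model assumes a closed population (nothing fixed or introduced
    between the reviews), independent searches, and equal detectability
    of every bug. The last assumption is the weak one for both squid and
    software: hard-to-catch individuals are under-counted by both searches,
    so in practice the estimate tends to be a lower bound.
    """
    n1, n2 = len(found_by_a), len(found_by_b)
    m = len(found_by_a & found_by_b)
    found = len(found_by_a | found_by_b)
    total = chapman(n1, n2, m)
    return {
        "found": found,
        "overlap": m,
        "estimated_total": round(total, 2),
        "estimated_remaining": round(max(0.0, total - found), 2),
    }


if __name__ == "__main__":
    # Constructed sample: bug ids reported by two reviewers working independently.
    review_a = {"B01", "B02", "B03", "B04", "B05", "B06", "B07", "B08", "B09", "B10", "B11", "B12"}
    review_b = {"B01", "B02", "B03", "B04", "B05", "B06", "B13", "B14", "B15", "B16"}
    print(estimate_undiscovered(review_a, review_b))
```

With the constructed reviews (12 and 10 findings, 6 in common) the naive estimate is 20 bugs against 16 actually found; Chapman's form gives a slightly smaller total, and a larger overlap always shrinks the estimated remainder.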

Dirk Praet • July 8, 2017 12:30 PM

@ ab praeceptis

"Am I supposed to tell Bruce Schneier 'I will not say anymore "you know what"'?"

@Wael is right, hombre. There was no point in repeating that word as I am sure the both of you knew very well what the offense was about. @Bruce got ticked off by your rant - and that's what it was - about Ukraine, and gave you a yellow card. I refer to my previous statement: the problem here is not so much the content or going off topic, but the way you sometimes phrase things, and which we just can't seem to get through that thick skull of yours.

Most of us here - including @Bruce - value your contributions, but you may wish to make a habit of re-reading your comments, wait five minutes before posting and then take out the personal and emotional elements that regularly cloud and demean the actual content. I'm pretty sure most regulars here do the same.

@ Andrew

Could a robot be president?

I take it you have never read Isaac Asimov's "I, Robot"?

I don't know, but • July 8, 2017 12:41 PM

@Albert
"BTW can someone summarize what Trump and Putin REALLY discussed?"

Does Putin have blackmail material on one or more of: Tillerson, translator, or Trump?
If so, that helps explain some things, perhaps.
I imagine security is pretty tight for the translators.

I don't know, but • July 8, 2017 12:57 PM

ps.
Does Trump have blackmail material on one or more of: Putin, translator(s), or Lavrov?
If so, that helps explain some things, perhaps.

Are one or more of the six compromised? If so do they know it?

Regardless, I hope Trump and the military-industrial-complex don't head us toward a nuclear war with Russia.

I don't know, but • July 8, 2017 1:24 PM

@Tables Turned: Spies Paranoid Being Monitored
When were spies ever not monitored?

ps. The above reply to @Albert should have been sent to you.

Figureitout • July 8, 2017 1:49 PM

Bruce
--I don't think you went too far; the vast majority of his comments are non-technical rants, and I'm not sure what other people are reading. I only like the very few times he would get even knee-deep into formal verification, b/c I'm going to be an engineer soon and designing robust systems is the overarching goal of any engineer, so long as I can wade thru the worthless language wars. He claims to have released a lot of open source code but won't link it. He also likes to flame nationality politics unprovoked (calling "us-americans" stupid...is needless flame-bait). He says he avoids political discussions but is the first to dive in and stir up needless controversy. You told him to stop cursing and he continued cursing shortly afterwards. Here he continues to post unprofessional comments like his reply to Wael instead of backing away from the keyboard and focusing on useful things to say.

I don't know, but • July 8, 2017 2:02 PM

Often sales people were/(are?) trained to refrain from talking about religion, politics, or sex with customers. Of course, it can get boring just talking about the weather, sports, or security.

Isn't there an old saying something like one country's freedom fighter is another country's terrorist? https://www.theatlantic.com/politics/archive/2012/05/is-one-mans-terrorist-another-mans-freedom-fighter/257245/

Perhaps one country's patriotic dogma is often propaganda from another perspective.

Perhaps one religion's religious dogma is dogma crap from another religion's perspective.

BTW

Is the claim that "three million non-citizens voted illegally in the 2016 presidential election" http://www.snopes.com/three-million-votes-in-presidential-election-cast-by-illegal-aliens/ reasonably considered propaganda? What other characterizations could reasonably be made of that claim?

From Wikipedia https://en.wikipedia.org/wiki/Propaganda
"Propaganda is "information, especially of a biased or misleading nature, used to promote a political cause or point of view".[1] Propaganda is often associated with the psychological mechanisms of influencing and altering the attitude of a population toward a specific cause, position or political agenda in an effort to form a consensus to a standard set of belief patterns.[2]

Propaganda is information that is not objective and is used primarily to influence an audience and further an agenda, often by presenting facts selectively (perhaps lying by omission) to encourage a particular synthesis or perception, or using loaded messages or "loaded language" to produce an emotional rather than a rational response to the information that is presented.[2] Propaganda is often associated with material prepared by governments, but activist groups and companies can also produce propaganda.

In the twentieth century, the term propaganda has been associated with a manipulative approach, but propaganda historically was a neutral descriptive term.[2][3] A wide range of materials and media are used for conveying propaganda messages, which changed as new technologies were invented, including paintings, cartoons, posters, pamphlets, films, radio shows, TV shows, and websites."

Ergo Sum • July 8, 2017 3:24 PM

U.S. senators seek military ban on Kaspersky Lab products amid FBI probe

Source: http://www.reuters.com/article/us-kasperskylab-probe-idUSKBN19J2IX

Maybe they know that intelligence agencies can force the compromising of local software products and assume the same for foreign companies. Or they are just full of it and forgot that this is a two-way street...

Can a government compel a domestic anti-virus firm to ignore state-sponsored malware, or even add backdoors to software or hardware products, without getting caught?

Source: http://www.bankinfosecurity.com/blogs/anti-virus-conspiracy-theories-cut-both-ways-p-2509

On the Inspection of Anti-Virus Source Code to Demonstrate the Lack of Offensive Cyber Capabilities

Source: https://www.lawfareblog.com/inspection-anti-virus-source-code-demonstrate-lack-offensive-cyber-capabilities

Earthling • July 8, 2017 3:57 PM

Europe should encourage Brexit. With Brexit would come US-Exit, too, and the eventual collapse of NATO, a useless institution. Degenerates like Macron will keep Europe in the thralls of the bankers and in massive debt. Macron comes straight out of the Rothschild clone factory of evil politicians, who in turn work for the Queen and the Pope. Somehow Europeans and other people need to gain control of their money supplies and have some rational discussions on how things should work. People should have real discussions of our purpose in life and what we can do to lead meaningful lives and how we can make that possible for everyone, not the elite few.

I don't know how people do it, going to work every day of their lives. I did it for many years and looking back I don't know how I survived the experience. Today I do what I want and it gives me much more satisfaction.

kiss_tor • July 8, 2017 4:04 PM

Tails 3.0.1 is out but a clean install might be better than an upgrade. https://tails.boum.org/home/index.en.html

With some late model usb wifi dongles it appears that mac randomization must be turned off with Tails during boot or they don't work. Any ideas?

As far as I know, which might not be very far, Tails 3.0 ran 'ok' for over two weeks. An obvious noteworthy event was the Tor Browser 'crashing' once.

Earthling • July 8, 2017 4:08 PM

Americans have become mostly zombies, caricatures of real people. The fact that people can debate over the relative merits of Trump, Clinton, Obama, and other creatures from the dark lagoon shows their lack of rational thought. The same applies to Europeans for the most part. Europeans may have some better things, like food and health care, but the overall intellectual capacity of a European voter doesn't much exceed that of an American voter. All voters vote to give away their personal sovereignty to creatures they don't know. I lived in Europe for many years but today's Europe does not resemble the Europe of 50 years ago. Better in some ways but worse in most.

The entire MSM belongs to the super powerful. Not just CNN, but Breitbart, the NYT, MS-NBC, Fox, and everything. They create all the opinions. They divide the public against each other instead of against the monsters in charge. They have convinced most Americans to fear Muslims who will never harm them rather than their masters who harm them daily. When the sheep wake up will they tear the shepherds limb from limb? No, because half the sheep will always side with the masters. We see it every election.

not the brightest bulb • July 8, 2017 4:35 PM

@ LTC V.

(name) withheld, maybe, said that you might be able to get a message to ab praeceptis or Thoth .

I am groveling for a 'golden sticker'

Qualifications might include running a Tor relay. Not just any Tor relay. You see, this relay has around ten to fifteen gigabytes of hackable required code: macOS, xcode, macports, and tor just to turn on and maybe run. For the "most, or almost, hackable code for the buck" might this rig qualify for a golden sticker?

might provide parts of my torrc on request

you might ask Thoth to repost his marketing link from a month or so ago. There might be a typo in it. All I could find is http://thothx.com/space-tracking-communications/

Cheers,
Not the brightest bilb

Cui BonoJuly 8, 2017 5:14 PM

@Earthling
a) "Not just CNN, but Breitbart, the NYT, MS-NBC, Fox, and everything."
From your media choices, only nyt.com appears to offer an https connection.

b) "Europe should encourage Brexit."
Who benefits (Cui Bono)? I heard recently that the United Kingdom majority, majority of voters, or something like that there, might have changed their mind about Brexit.

https://www.theguardian.com/technology/2017/may/07/the-great-british-brexit-robbery-hijacked-democracy
http://www.snopes.com/2017/06/14/data-firm-helped-trump-sues-the-guardian-brexit-cambridge-analytica/
https://www.theguardian.com/politics/2017/feb/26/us-billionaire-mercer-helped-back-brexit

MAC the KnifeJuly 8, 2017 5:52 PM

@Kiss_Tor "With some late model usb wifi dongles it appears that mac randomization must be turned off with Tails during boot or they don't work. Any ideas?"

MAC randomization is done in the software, not the firmware so this is either some bug with Network Manager (that would be a big shock /sarcasm) or in the Linux kernel (another act of feigned shock). My guess is that the network manager service is the culprit this time.

I'll be open and honest with you: MAC randomization is the wrong solution to whatever problem you think you have. If your goal is to be anonymous then buy your hardware anonymously and then you don't need to worry about MAC randomization because there is no paper trail between you and the MAC address to begin with. This is a much safer approach than depending on some software solution that is riddled with bugs.

I don't know where you live but here in the USA there are Goodwills and Salvation Armies thrift stores that seem to be filled with second-hand routers for less than $5. Buy one of those with cash. That's all the MAC randomization you need.


ab praeceptisJuly 8, 2017 6:00 PM

Dirk Praet

a) Oh my gawd, Bruce Schneier himself said "the word", too!1! - of course, otherwise he couldn't let me know what the trigger for him was (and what I should avoid). *Obviously* context is decisive and the context wasn't evil when Bruce Schneier mentioned "the word". Similarly, it wasn't evil, when I replied; the context was entirely different from the original one.

This is getting ridiculous. Do you want another catholic inquisition or what? "He said 'the word', crucify him!". Should we maybe even play games like writing "evil words" in reverse or abbreviated or maybe find stand-in words? Ridiculous.

One major reason it's getting ridiculous is that Bruce Schneier's main line was a) please, don't do things like that again and b) an apology, expressis verbis. And my main line was "I *do* intend to stick to your rules as well as I know them". Some here, incl. yourself, act like "Yes, OK, he did fulfill the contract but he did it wearing an ugly tie! Let's crucify him!"

b) You are not my mother. You are neither in a position to scold or educate me nor did I ask your "advice", nor are you my teacher to grade me.

c) Some here don't like me, my style, or maybe my hair or its colour. So what? I don't like some people and things, too - but I don't make a big fuss about it nor do I wait for the big boss to scold them to quickly add some slaps from me from behind him.

Btw, I'm among those who talk quite little about politics, in particular about this or that party.

Can we now finally put this to rest and return to what this blog is about, security?

ab praeceptisJuly 8, 2017 6:12 PM

not the brightest bulb

While I see, and commend, that you chose a fine assortment of golden sticker worthy bits and pieces, you did not create "100% bulletproof" software or hardware per se.
So, from what I see, we can't give a golden sticker for that. I can laud and commend you, though (but: is there some AV involved, too?).

But in the end that's for Thoth to decide. It's him after all who creates the inspiring, reassuring, and generally wonderful cards that guide us on our way toward 256% bulletproof security and security-by-browser-plugin.

Also, please note that the application form should preferably be provided either in docx format (preferably version specific) or through a website requiring both javascript and flash.

In case you are still unsure about your next attempt, let me hint that a browser-based hypervisor in javascript to run a systemd sakkurity linux would be an excellent candidate and, if done lousily enough, would almost certainly get a golden sticker.

ThothJuly 8, 2017 6:42 PM

@not the brightest bulb

That 'thothx' website you posted has nothing to do with me and is neither owned by me nor related to me.

rJuly 8, 2017 8:01 PM

@i don't know, but...

Including, but not limited to: information and or sensory overload, "product" placement, saturation, allusion, talking points, connect the dots, single double triple and slam dunk "intellectual" framing, consistency and "scheduled drooling" (scheduling of light hearted drivel, a form of media packaging).

Nobody, and I mean nobody knows our markets like we do.

Enjoy your regularly scheduled programming.

rJuly 8, 2017 8:07 PM

@tatutata,

While we wait for you to classify your code's bugs... Quantify?

Careful, it doesn't develop into its own form of life also.

mostly harmfulJuly 8, 2017 8:28 PM

@ MAC the Knife

If your goal is to be anonymous then buy your hardware anonymously and then you don't need to worry about MAC randomization because there is no paper trail between you and the MAC address to begin with.

I don't follow your argument. The MAC of a device is a name. It (almost certainly) is not your legal name, but without MAC randomisation its presence will be invariant across all sessions using that device. Mistake number one.

A user will make further mistakes, mistakes number 2 through N, defining a profile of "the user who makes mistakes number 1 through N". How big does N need to get, before the FBI has your number, so to speak? Why give them a free one?

Not leaving personally identifying information behind at a point of sale is a start, but I don't see how it could suffice to achieve anonymity without many further measures, of which MAC randomisation can be one.

mostly harmfulJuly 8, 2017 8:34 PM

I want to read about traffic analysis, and would appreciate any pointers to introductory level material.

ThothJuly 8, 2017 9:24 PM

@mostly harmful

Set up two computers on a network and on one of the computers, run Wireshark. Do your own packet capture and then use things like tcpdump and so on to attempt to edit the intercepted packets or try to modify the packets.

See how much you can intercept and modify :) . That is the best textbook .. by doing things hands on in the field.

Clive RobinsonJuly 8, 2017 11:07 PM

@ Ergo Sum,

U.S. senators seek military ban on Kaspersky Lab products amid FBI probe

Yes, it's both sad and silly and shows just how little understanding US --and presumably other nations-- politicians really have.

But if you think back this is not the first time US politicians have done this... This time there has been lots of noise about Russia, and a Russian based company gets the thumbs down. Previously there was lots of noise about China and two Chinese based Telco Companies got the thumbs down.

In the China case other countries ignored it or as in the case of the UK actively promoted at least one of the companies the US politicians had chosen to blight, by highlighting the company's close development relationship with part of the UK SigInt organisations.

Thus I primarily smell political point scoring in both cases.

It's the same problem as attack attribution, which likewise has a political flavour in reporting to the general public. Thus you start to see a variation on cognitive bias that has given us lynching parties and strawmen witnesses[1] in times past. It's the old "It's the Butler wot dunit" knee jerk argument that quickly becomes self reinforcing and thus develops a life of its own.

It's such a well known problem that the legal system had all sorts of checks and balances including moving trials well away from any area where there had been public reporting on the crime and alleged suspects.

But if we look at the Kaspersky situation we get very clear indicators it's been "Stage Managed" by the FBI. They turned up at Kaspersky labs employees homes without warrants to have "compliance conversations" and the press somehow got to hear about not just one employee but enough to put together a story... Yeh right... What a coincidence the previous FBI director James Comey oddly suffered from this same problem numerous times prior to the 2016 US elections...

The point is there are lots of people starting in on the old "Reds under the beds" routine in a play right out of the George Orwell 1984 play book, which has also given us "Spin Doctors" amongst many other modern scourges.

The reason they can do this is you can invent anything you want when there are zero facts or evidence available. As there are no "inconvenient facts" to get in the way of the rhetoric / poisoned narrative, and thus the old "you can not prove a negative" problem applies to those trying to defend their reputation. Humans just love gossip and cognitive bias; it's why we have the old saw of "There's no smoke without fire" which is backwards reasoning from effect to cause. But also we have another old saw of "when you throw enough mud some of it sticks", to describe this current "Reds under the bed" nonsense.

As the links you give make clear there is zero evidence of wrongdoing and there is nothing Kaspersky can do to prove they are innocent.

So welcome one and all to the new generation of politically inspired "Unamerican Activities" trials by media.

As I have said in the past about attribution, extraordinary claims or actions require extraordinary evidence, and we are not seeing any evidence just noise from the self interested.

Trial by media is a two edged sword and playing with it is a lot more dangerous than playing with fire, especially in a globally connected world...

Just one danger is that whilst banging the drum and rattling the sabre at one country you are giving not just a pass to other countries but also a chance for those countries to run false flag operations. And as we know from various revelations the US and UK IC entities were building and deploying "false flag" tools more than a decade ago... And in the UK case many were for use against their own citizens...

[1] I am not talking about "strawman arguments" here but the original "witness for hire" people who would stand outside courts with a piece of straw through their shoe buckle / lace acting as an indicator they would say anything in court for the right money...

Clive RobinsonJuly 9, 2017 12:27 AM

@ Kiss_tor,

With some late model usb wifi dongles it appears that mac randomization must be turned off with Tails during boot or they don't work. Any ideas?

MAC randomization is considered "harmful to your health" unless you practice very good opsec, and even then it's questionable.

MACs are tied to hardware manufacturers and thus identify not just the make but model and firmware update status. The make model and update status can be verified in other ways. Thus if your hardware and its MAC do not align you get a big red flag raised, that you are being "One of the four horses of the Internet Apocalypse" and thus may well get nasty "Tor user unmasking" code sent your way.

Further many people do not visit more than one or two WiFi hot spots, thus the Red flag and the real hardware make model etc acts as a finger print to track you by if the operator chooses to, or somebody else such as a national SigInt agency has owned the APs which the cheap APs often used are very prone to (and it is rumoured that every open or semi-open hotspot in Washington and similar areas has been owned to find whistleblowers under the past couple of Presidential terms).

You would be better off --as others have noted in the past and above-- having a couple or more actual WiFi dongles and likewise run from CD/DVD based OS's that are different but have Tor packages included.

But even that does not stop the CPU or other motherboard features being fingerprinted.

Thus get a couple of second hand quite old laptops etc and install a more modern (probably not MicroSoft) OS or run from CD/DVD.

What you do is based on your real OpSec requirements. Most people actually fall in the "I don't know enough to be safe" group and end up doing the wrong thing. Which is as good as going up a hill and waving flags and letting off flares and thunder flashes for their anonymity...

OpSec at the end of the day is all about not standing out from the crowd or your surroundings. Wearing full "woodland camo" in a desert is actually worse than wearing "desert camo" in a forest but not by much, either way once you are in the line of sight you stand out like a sore thumb.

Look at it another way: to a customs and immigration officer at the border having cameras says you are either a journo or a tourist, so saying you are there on business is going to look odd. Likewise audio equipment says journo, musician or spy (with a possible "twitcher"); the clothes tend to indicate which.

In this modern world of online surveillance it's not bored, tired or otherwise distracted humans watching you it's the ever present computers watching, recording and endlessly analysing looking for Red Flags to bring other resources to bear. Thus the trick to anonymity is not tools that actually make you stand out from the crowd...

Clive RobinsonJuly 9, 2017 12:36 AM

@ Thoth,

That 'thothx' website you posted has nothing to do with me and neither owned by me nor related to me.

That's a shame as those bods have some nice toys to play with. Kind of puts my satellite tracking / radio astronomy kit to shame :-(

ThothJuly 9, 2017 12:59 AM

@Clive Robinson

Indeed :( . I guess tonnes of funding are required to the same level as that 'thothx' website and who knows even Governments and ICs might want a hand in those sort of stuff.

Anyway, what are the chances of launching one's own secure communications satellite via those DIY kits ?

Clive RobinsonJuly 9, 2017 1:56 AM

@ Mostly harmless,

I want to read about traffic analysis, and would appreciate any pointers to introductory level material.

There is actually not much to say at the introductory level.

The idea was thought up during WWII at Bletchley where various activities just came together. It was Gordon Welchman who did a lot of the thinking and practical work that brought it to life.

At Bletchley they had a "registry" of information to come up with "probable plain text" to make cribs / menus for the bombes used to crack Enigma messages. Part of that was also identifying "traffic nets" that would be using the same key or keys. These nets were given animal names and given coloured pencils so that they could easily be seen and distinguished.

At several million file cards it represented a repository of a vast wealth of knowledge. Various people realised that this knowledge could give a lot more valuable intelligence if it could be used in other ways. Traffic Analysis arose from just one of those ideas and it really gives meaning to the expression "Know thy enemy as you know thy self".

In essence it's simple, if you know who is on what net and at what time it can give you an approximation of what is known as "The order of battle"[1]. But that is just a snapshot in time, which although valuable does not tend to give "intentions". However if you log every message indicator, date, time and importantly size and approximate location it can be graphed and from changes "intentions" can be inferred.

So much so that actually knowing the "traffic contents" or "plain text" of the encrypted traffic is often not required to give fast appraisal and accurate prediction of intentions. Thus it is analysis not of the data but the metadata. Which is important to Internet Security because encryption is usually only used on the data in a packet not the packet metadata.

But it does not have to be Electronic or Signals intelligence Traffic analysis is applied to, it can be applied to humans and their movements as well...

There is a story about the Gulf War in that whilst there was supposedly a news black out, many pizza and similar fast food outlets knew from the change in the orders placed "when the balloon was going to go up". Subsequently we have seen crime bosses and drug lords caught by the fact that large food orders have identified which of many "safe houses" they were in. It's just another form of traffic analysis.

Whilst it is simple in principle it can be quite involved in practice and the modern arts of "Data mining" and "metadata analysis" are just parts of it.

Another part that is getting a lot of academic interest recently is "Cadence analysis"; this is a bit like looking at a person's pulse to determine their state of health.

Due to failings in protocol design in the Internet and mobile phone specifications a lot lot more information can leak out. Take an interactive session protocol like Telnet or a host of others that send traffic at one character a packet. Humans especially those who type as part of their living have a tempo / tone / fist of operation. This is because they have stopped thinking about typing individual characters but words and sentences. Thus the timing of packets can show word and sentence length when a person is typing. This can easily be compared to known plain text in newspapers and the like to actually work out what is being talked about in a session. With mobile phones whilst the likes of SMS's might send the information in a single packet, the likes of gyro sensors can reveal not just the cadence but approximate position of where the user is tapping.

I could go on but you might want to read,

http://www.sans.edu/cyber-research/security-laboratory/article/traffic-analysis

And its references.

[1] http://www.benning.army.mil/Library/content/Virtual/ArmyPubs/fm%252030-19_1959_order%2520of%2520battle%2520intelligence_jun_1959.pdf
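To make the one-character-per-packet cadence leak described in the comment above concrete, here is an added example (not code from the commenter or from any tool he mentions). The timing constants and the typed text are constructed, not measurements; the observer side works from inter-arrival gaps alone, and a fixed-clock sender with dummy packets is shown as the mitigation that removes the signal at a bandwidth cost.

```python
"""Keystroke-cadence leakage in interactive sessions, and a padding defence.

Added example. The millisecond delays below are a constructed model of a
touch-typist: short gaps inside a word, a longer pause before a new word and
a longer one still before a new sentence. Nothing here is a real capture.
"""
from typing import List, Tuple

LETTER_MS = 120      # keystroke inside a word
WORD_MS = 450        # pause before the first letter of a new word
SENTENCE_MS = 1200   # pause before the first letter of a new sentence


def simulate_session(text: str) -> List[int]:
    """One wire timestamp per character, as a protocol that ships each
    keystroke in its own packet exposes them. Payloads are not modelled:
    the observer only ever sees the timestamps."""
    stamps: List[int] = []
    now = 0
    for i, ch in enumerate(text):
        if i == 0:
            delay = 0
        elif text[i - 1] == " ":
            # first letter of a word; longer if the previous word closed a sentence
            delay = SENTENCE_MS if i >= 2 and text[i - 2] in ".!?" else WORD_MS
        else:
            delay = LETTER_MS
        now += delay
        stamps.append(now)
    return stamps


def infer_structure(stamps: List[int], word_gap: int = 300,
                    sentence_gap: int = 900) -> List[List[int]]:
    """Observer side: split the packet stream into runs at large gaps.
    Returns sentences, each a list of run sizes. A run of n packets is a
    word of n-1 characters plus the space typed straight after it, so word
    lengths (and sentence lengths) fall out without decrypting anything."""
    sentences: List[List[int]] = [[]]
    run = 0
    for prev, cur in zip(stamps, stamps[1:]):
        run += 1
        gap = cur - prev
        if gap >= sentence_gap:
            sentences[-1].append(run)
            sentences.append([])
            run = 0
        elif gap >= word_gap:
            sentences[-1].append(run)
            run = 0
    if stamps:
        sentences[-1].append(run + 1)   # close the final run
    return sentences


def fixed_clock_sender(stamps: List[int], tick_ms: int = 100) -> Tuple[List[int], int]:
    """Mitigation: transmit exactly one packet per tick. Real keystrokes wait
    in a queue for the next tick; when the queue is empty a dummy packet goes
    out instead. Returns the timestamps the observer now sees and the number
    of dummy packets, i.e. the bandwidth price of hiding the cadence."""
    observed: List[int] = []
    pending = list(stamps)
    queued = 0
    dummies = 0
    t = stamps[0] if stamps else 0
    while pending or queued:
        while pending and pending[0] <= t:   # keystrokes arrived by this tick
            pending.pop(0)
            queued += 1
        if queued:
            queued -= 1                       # send one real keystroke
        else:
            dummies += 1                      # nothing queued: send padding
        observed.append(t)
        t += tick_ms
    return observed, dummies


if __name__ == "__main__":
    text = "the cat sat. a dog ran"            # constructed sample input
    raw = simulate_session(text)
    print("leaked structure:", infer_structure(raw))          # [[4, 4, 5], [2, 4, 3]]
    padded, dummies = fixed_clock_sender(raw)
    print("after padding:  ", infer_structure(padded), "dummies:", dummies)
```

With the raw timing the observer recovers three words in the first sentence and three in the second, matching the typed text; after fixed-clock padding every gap is identical and the whole session collapses into a single run.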

Clive RobinsonJuly 9, 2017 3:09 AM

@ Thoth,

Anyway, what are the chances of launching one's own secure communications satellite via those DIY kits ?

It's a good question. You can actually design and build the required electronics for well under $1000; the CubeSat "SpaceBus" to put the electronics in you can buy off the shelf from the likes of ISISpace[1] or if you have a modest machine shop and the required knowledge build it yourself.

As I've mentioned in the past I've got prototype CubeSat parts kicking around, they are based on the PC104 industrial control computer and interface boards and as ICS boards they can be purchased for a couple of hundred dollars each but importantly are not "space qualified" or "CubeSat qualified". However that actually does not matter, CubeSats came about because of pioneering work at Surrey Satellite Technology[2] in putting unqualified COTS parts up into space on technology test satellites to prove they are usable.

What is more expensive is testing the design so you have confidence it will work and work reliably for the mission design time. This is important as you will not get a flight ready certificate without it and importantly shown reliable methods of "station keeping and deorbiting".

There is also a whole library full of paperwork you must not just know but be fluent with; much of it is odd seeming requirements that are applied differently in each country. Thus you might want your satellite not to be "corporately owned" by the country you design it in... The same goes for radio frequency allocations and their assignments. Some people cheat by using Amateur Radio Spectrum to get their control/data uplink and downlink frequencies, which is what some University flights have done.

But you will also have to show you have "Ground Control" capability on more than one orbital point, so you will have to not only build your own "local" ground station but "remote" or "shared" ground stations as well.

Then you have to get a flight... These are neither cheap nor readily available. Space junk aside there are a lot of issues in getting "spare capacity" for flight payloads and orbits.

You can get about seven metric tonnes into space for about $30million, but that includes all the fixings and deployment systems that become junk when the satellite leaves the rocket. So you could in theory launch a thousand 1U CubeSats from the same flight. You would be mad to try but technically there is no reason you could not do so, thus you would be looking at $30,000 for the flight plus probably five times that in extra costs...

So $300,000 plus additional annual operating costs for ten to fifteen years would be a starting point but is actually likely to be quite a bit more.

Anyway all of that aside, you would have to learn how to use such a satellite, which is where Amateur Radio can help a lot, for comparatively little. To see what you can do Dave Bowman G0MRF has designed equipment not just for flight hardware but also to help others on shoestring budgets get into satellite operating. You can see the slides from one of his presentations,

https://ukamsat.files.wordpress.com/2015/01/a_beginners_guide_-to_amateur_radio_satellites.pptx

There are also "HackerDay" projects for CubeSats and Ground Stations.

For my sins back in the late 1970's I wrote in PrimeBASIC satellite tracking software that would put up a world map on a colour plotter or Graphics terminal and produce an orbital path and track width plot, as well as time tables and expected gain/loss of signal for any given point on the globe. Since then I've written other software to do similar but I still have a soft spot for the original and have a tobacco tin with two large rolls of punched paper tape, one of the program, the other of the map I laboriously digitised and then corrected the projection for.

[1] https://www.isispace.nl/

[2] https://www.sstl.co.uk/

HermanJuly 9, 2017 6:22 AM

Tatütata: Err... your divide by 8 will overestimate the squid population by 20%.

WinterJuly 9, 2017 6:53 AM

@ab praeceptis
"We tell users to not blindly trust "bulletproof security!" messages from e.g. AV vendors or to question state sponsored "good random numbers" etc. "

Melanie Rieback of Radical Open Security is in the news with a two page interview in a national newspaper in the Netherlands where she attacks the security industry for its hypocrisy and its obsession with money:
http://www.volkskrant.nl/tech/deze-wonder-woman-van-de-computerbeveiligingswereld-hackt-zo-je-bedrijf~a4505208/
(Behind a paywall)

The (not-)Petya disaster that paralysed a large terminal in Rotterdam harbor was the reason for this attention. I think these latest attacks have alerted the "public" to the fact that the exclusive focus on cyber attack capabilities of the intelligence agencies has left us all vulnerable. This vulnerability is already costing us dearly.

Dirk PraetJuly 9, 2017 10:23 AM

@ Thoth, @mostly harmful

Setup two computers on a network and on one of the computer, run Wireshark.

Alternatively, download a copy of Security Onion. It's an Ubuntu-based Linux distro that contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner and lots more. For testing purposes, you can either replay and toy about with pcaps, for a production environment you need a SPAN/tap port for which there are a number of very affordable solutions here.

@ Clive, @ Kiss_tor

Thus get a couple of second hand quite old laptops etc and install a more modern (probably not MicroSoft) OS or run from CD/DVD.

Yes and no. The problem with many Linux-based "security & anonymity" distributions is that their hardware requirements increasingly include 64-bit processors with extensions that are not supported on 32-bit hardware. Which also goes for TAILS. If you want to continue working on old hardware, then you need to take the OpenBSD road and socat all network traffic through Tor. TrueOS (64-bit FreeBSD variant) allows you to do that at the NIC configuration level, but it's quite easy to reproduce by hand.

@ Clive, @ Ergo Sum,

U.S. senators seek military ban on Kaspersky Lab products amid FBI probe

Not really a surprise when quite some people that suspect the likes of Symantec and McAfee of being in bed with the US IC have migrated to Kaspersky and a Russian entity is probably less likely to cooperate on not detecting US state-sponsored spy/malware.

@ Winter

The (not-)Petya disaster that paralised a large terminal in Rotterdam harbor was the reason for this attention.

The Petya and GoldenEye infections were hardly the fault of the security industry, but of companies and private individuals that for whatever reason chose not to patch their systems or network unsupported legacy operating systems.

However real the threat of state-sponsored malware and APTs, or however ingenious crimeware, almost all disasters I encounter in either private or corporate environments are the result of not observing basic security practices, and for which - especially in an SMB context - your average IT support company is at least as much to blame as the security industry.

Last week, I got called on-site by a friend of mine who owns a small law firm downtown. No more internet. Despite having two telecommunication lines from different providers which I initially thought had been trunked, one line appeared to be flaky, and the other one not even connected (!!!). When I asked for a network diagram, asset inventory and backup/recovery procedure, all he could provide me with was a steaming pile of (paid) invoices.

At which time you already know security-wise nothing is going to be in place either. And that was not an exception, but pretty much the same situation I encounter every time I get distress calls like that. A lawyer, or whatever other business owner, is not supposed to be concerned with his IT environment. That's what he hires and pays professionals for. But the quality of what many of such so-called professionals deliver is unfortunately way below standard.

JG4July 9, 2017 10:31 AM


I think that these top two are from the usual daily compendium. One is a better articulation of a headline from yesterday, which was itself nicely done.

http://boingboing.net/2017/07/07/eschatology-watch.html

http://turcopolier.typepad.com/sic_semper_tyrannis/2017/07/no-the-russians-did-not-meddle-in-our-election-by-publius-tacitus.html

One of the advances of civilization is improved scalability of trust. It is subject to sudden reversal when malice is discovered. This should not be construed as an endorsement of Schwab or The Atlantic.

http://www.theatlantic.com/sponsored/charles-schwab-2017-nt/the-trust-economy/1290/

If Trump is aware of Nuland's audio clip, the discussion probably was interesting.

http://www.zerohedge.com/news/2017-07-08/putin-trump-tv-different-one-real-life

I am excited about the potential of AI, but the Five Horsemen are using it without adequate disclosure of their continuing theft of information and reckless sales of same.

https://www.linkedin.com/pulse/how-ai-revolution-creates-new-jobs-john-robb
...
This article is what I call a framework. A framework provides decision makers with a tool for overcoming high levels of uncertainty. This is what I do for a living.

I might have spelled that Asteroided, but Vaporized would work too

To America's Tech Companies: May You ALL Be Astroided
http://market-ticker.org/akcs-www?post=232210

Thanks to someone who posted a link to this guy's work. It is very lucid.

https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/

Ben Hunt is very bright. I realize that this is somewhat off topic, but there are analogies in the security field. If you fail conventionally along with everyone else, that is much safer than failing unconventionally.

http://www.epsilontheory.com/notes-from-the-field/notes-from-the-field/

See also, pure genius.

http://www.epsilontheory.com/notes/cats-cradle/

Data visualization. I'd like to see this graph log scale on the y-axis to account for population growth over time. The earlier migrations were more significant than they appear. The same though would apply to a graph of security breaches over time - attempting to normalize for the number of servers and the amount of data on those servers.

http://www.zerohedge.com/news/2017-07-06/200-years-immigration-who-came-america-and-when

I hadn't realized until I saw this that Star Trek gave me an appreciation for other cultures. Grad school was multicultural, and I liked the international cooperation. I missed the part where there were Japanese camps in Idaho, Arkansas and other states. I thought there was only one in Utah.

Why I love a country that once betrayed me | George Takei
https://www.youtube.com/watch?v=LeBKBFAPwNc

Electronic Intifada: Is Israel spying on your smartphone?
https://israelpalestinenews.org/electronic-intifada-israel-spying-smartphone/

A nice example of system identification, although he doesn't call it that. I think that coded aperture imaging can be cast in terms of system identification. Nearly everything can be, including intelligence. I've been slow to write up notes on the topic, but it is a good one. Finding back-doors is a largely intractable problem that can be cast in terms of system identification.

Imaging at a trillion frames per second | Ramesh Raskar
https://www.youtube.com/watch?v=Y_9vd4HWlVA


MAC the KnifeJuly 9, 2017 11:50 AM

@mostly harmful writes, "The MAC of a device is a name. It (almost certainly) is not your legal name, but without MAC randomisation its presence will be invariant across all sessions using that device. Mistake number one."

Yawn. The threat of this is vastly overstated except in some very narrow and tiny edge cases. Mostly this is an opsec problem masquerading as a software problem. Let's take the average home user. If the average home user obfuscates his identity at the point of sale then when he takes his router home his identity is obfuscated against anything but a targeted attack. The reason this is so is because the MAC address the public sees is not the MAC address of the computer he uses but the MAC address of the router. So unless he is subject to some type of targeted attack that scrapes the MAC off the computer his identity is safe. Randomizing his MAC address in this situation helps him not at all because there is no functional difference between one false identity and a thousand false identities. The only thing the average home user can do here is to buy his computer as well as his router anonymously and he should only do that if and only if he suspects he may be subject to some type of targeted attack.

The other type of cross session attack that can take place is where the person moves from place to place, say from public wifi, to home, to work, etc. But this is really not a software problem but an opsec problem. Such a person should not be using the same computer in all those environments to begin with. Sure MAC randomization solves his immediate tracking problem but it actually only buries the larger opsec fail. If he is a criminal stick a GPS on his car and his MAC randomization is totally defeated. It is the wrong solution to the problem. The other possible situation is where someone is skipping around from public wifi to public wifi and walking between nodes. But even here an old-fashioned human tail defeats his MAC randomization scheme.

MAC randomization is an excellent example of the need for thoughtful and careful threat analysis. Who is your adversary? What are his capabilities? How can he defeat your countermeasures? In 99% of the cases MAC randomization is security theater insofar as it is either total overkill for the actual threat faced or it is a measure easily subverted by a nation-state or global adversary. But hey I do agree with Bruce on one point...if it makes you feel better do it. Just don't confuse this feeling of security with actual security.

Markus Ottela • July 9, 2017 12:05 PM

Pine64's Rock64 is a new SBC that looks like a good alternative to Raspberry Pi for use in TFC. It's fast and features GPIO for those who want to use UART pins and save $40 on TTL adapters, or feed their HWRNG to Kernel CSPRNG via GPIO. AFAICT it doesn't come with integrated Wi-Fi / Bluetooth so the unremovable covert channel isn't there. Consider grabbing one before the company ups their boards to more "convenient" models.

https://www.pine64.org/?page_id=7147

Also, I've been working hard on the next release, stay tuned. PyNaCl and libsodium are getting some major updates so I'll probably wait for those before releasing. In the meantime I'll try to find all the bugs I can and update documentation where possible.

Dirk Praet • July 9, 2017 1:32 PM

@ MAC the Knife

The threat of this is vastly overstated except in some very narrow and tiny edge cases.

You're oversimplifying the issue. MAC randomization - for as far as it generates valid addresses - is just one out of many tools in the drawer to make tracking more difficult, whereas specific address spoofing allows you to circumvent certain software and hardware access restrictions.

Most COTS operating systems nowadays support it out of the box, including Windows 10.

Winter • July 9, 2017 1:59 PM

"MAC randomization is a excellent example of the need for thoughtful and careful threat analysis. Who is your adversary?"

Say, you have to repeatedly use some public Wifi access point, but do not want the owners to know it is always the same computer/user who accesses this network? That is, a very low-level threat.

Could MAC randomization be helpful even in such a lightweight case? Or would even this case not give plausible deniability (unless other users use the same trick)?

MAC the Knife • July 9, 2017 2:26 PM

@Dirk P. "You're oversimplifying the issue. MAC randomization - for as far as it generates valid addresses - is just one out of many tools in the drawer to make tracking more difficult, whereas specific address spoofing allows you to circumvent certain software and hardware access restrictions."

That response is question begging. For the issue isn't whether or not MAC randomization makes tracking more difficult but whether or not MAC randomization is a proper tool for the job. In order to assess whether or not MAC randomization is the proper tool for the job one needs to answer the question: making tracking more difficult for whom? As both Clive and I have pointed out MAC randomization does not make tracking more difficult for a nation-state adversary who isn't likely to be tracking one by MAC address in the first place but is more likely using browser fingerprinting, hardware fingerprinting, GPS tracking, or something else. MAC address randomization does nothing for anyone subject to a targeted attack because MAC randomization resides in software and the targeted attack will read the MAC address from the firmware. In other words, MAC randomization is only a useful tool for the job in a situation where (1) one's MAC address is actually being tracked, (2) the person doing the tracking has no method other than a MAC address to track the user and (3) the person doing the tracking has no ability to defeat the MAC randomization scheme through some type of targeted attack. I can imagine edge cases where all those factors are met, for example, with a small private business with a metered ISP who is trying to stop some users from taking advantage of free wifi to download gigabytes via bittorrent. I only insist that those edge cases are infrequent. For most people most of the time MAC randomization is a waste of effort.

Rachel • July 9, 2017 2:28 PM

@ MAC the knife

well said re: MAC
one small exception is if the local network itself is fingerprinting you via the MAC
Or perhaps the library only allows 1gb per 24hrs via your device MAC

Dissident • July 9, 2017 3:38 PM

Here's one for the "SSL/TLS CA system is Badly Flawed and Highly Vulnerable" Etc. File.

Below is a recounting of the frustrating, futile experience I had today with trying to verify amazon.com's SSL cert fingerprints by telephone. I would be interested in hearing comments, suggestions and similar experiences from others.

What prompted me to attempt to verify the SSL certificate for www.amazon.com today by telephone was my finding, upon checking it, that it changed from the one I would get until today.

I navigated through the menus under the contact option on the Amazon web site until I got to the screen where I could initiate a telephone call. (The closest match I could find in the drop-down menus for selecting my reason for contact was "login issues" or something to that effect. I considered selecting that but decided, instead, to keep selecting "other" until I eventually was given a field to enter my own reason for calling. I wrote, "Need to verify SSL certificate" or something similar.) As I expected, the woman who answered the phone had no idea what I was talking about. I began to try to explain to her but was quick to point out that I was all-but-certain that she would have to transfer me to someone else. I said that I realized that most people, unfortunately, are not aware of these things but that those who are versed in such matters appreciate the importance of verifying SSL certs and that there should be someone, at the right department, (i.e. the one that handles the security of the web site) who would know exactly what I was talking about.

The woman put me on hold for several minutes before returning and telling me that she could not find the type of info that I had requested. I repeated that while I did not expect her or anyone at her level to be able to help me, there surely must be someone, somewhere, who would have the information I sought and would be able to provide it to me. This woman put me on hold again before returning and again telling me that she was sorry but there was no one who could help me ("We don't have an IT department here", etc.). I persisted, insisting that there /had/ to be someone, somewhere...I said that there had to be at least one human and probably more who dealt with these matters, with the security of the web site...I added that I could understand if no one were available /today/, a Sunday, but that there should-- there /must/-- be some way to forward my request to the appropriate party and have someone get back to me. I asked, eventually /pleading/, to be transferred to the highest level of support possible.

All to no avail. This woman (who was the same one who had initially answered my call) insisted that there was nothing she could do, no one she could transfer me to who could help me and no way for her to leave a message for someone to get back to me. Exasperated, I told her that while I trusted that she was only responding according to what she had been instructed, it was simply unacceptable for there not to be anyone who could verify the SSL cert. I told the woman that I intended to try again to somehow get through to someone who could help me and that if that did not succeed, I would seriously consider ceasing to be an Amazon customer.

In total, I was on the phone for nearly 25 minutes.

Here is the info for the respective certs:
The cert I would get /prior to today/:

www.amazon.com
Amazon.com, Inc.
Serial #:
1D:4A:BD:AA:78:D0:9A:FE:79:9D:41:BC:EB:7A:76:62
SHA-256 fingerprint:
6A:A0:AB:97:D0:F9:F1:50:58:96:31:3B:E2:37:2D:C3:94:BD:42:77:57:F6:BD:B6:2D:DE:80:ED:54:D4:19:0D
SHA1 fingerprint:
EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E
valid dates:
10/30/2016 to 12/31/2017

The cert I get today:

www.amazon.com
Amazon.com, Inc.
Serial #:
7E:A8:09:3B:99:B7:92:1F:71:D1:47:6C:59:BE:C5:93
SHA-256 fingerprint:
73:E7:DE:32:51:A6:A4:F2:A3:09:49:04:50:C9:95:F1:FF:43:AC:69:10:5F:60:08:36:52:BD:B4:06:59:7C:BD
SHA1 fingerprint:
B9:F0:BA:A7:2A:E7:06:AA:E5:0A:00:7B:51:70:E0:A4:C4:71:B9:9B
valid dates:
November 9, 2016 to November 11, 2017

Dirk Praet • July 9, 2017 4:27 PM

@ MAC the Knife

As both Clive and I have pointed out MAC randomization does not make tracking more difficult for a nation-state adversary who isn't likely to be tracking one by MAC address in the first place

Which is entirely correct, be it that most of us are not subject to targeted attacks by resourceful state actors to whom we have become a person of interest. While indeed there is little point in randomizing a MAC address when your home router has already possibly been compromised, it is a useful feature when using a live DVD from a laptop while hooked up to public wifi or a 3rd party AP.

The keyword indeed is TARGETED attack. And as long as that is not the case, MAC randomization remains one of many useful tools to remain under the mass surveillance radar until such a time that for whatever reason the TAO or equivalent gets you in its crosshairs and you may wish to dump digital communications altogether.

@ Dissident

I would be interested in hearing comments, suggestions and similar experiences from others.

If you're worried about certificates, get the Certificate Patrol add-on for Firefox and read the manual to differentiate between harmless changes and suspicious ones.

Don't bother calling help desks. First line will be unable to help you, and they will never put you through to 2nd or 3rd line. If they already have one. A while ago I called my ISP to ask them why they were blocking SMTP originating from known Tor exit nodes, while a competitor of theirs wasn't. They didn't have the foggiest idea what I was talking about. Three days later, some genius sent me a mail asking if I could send mail through their web interface.

ab praeceptis • July 9, 2017 4:52 PM

@Winter

Oh well, just another version of the "[insert poison] isn't dangerous at all" or, alternative version, "XYZ, while being somewhat dangerous under certain circumstances, is fully contained and under control by [insert state or agency] and we have defensive/protective means in place, just in case" story - followed at some point in time by a clusterf*ckup.

Cyber-centers - the antivirus snake-oil on the state-level. Nothing to see here, move on ...


@Dirk Praet

an Ubuntu-based Linux distro that contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner and lots more.

Which will quite probably simply overwhelm and confuse a (more or less) newbie (and btw, ubuntu? Seriously?).

But granted, the question was put in a rather wide open way. It might be helpful to specify it somewhat.


@Markus Ottela

Looks like an interesting small board. But careful: Arm A53 processor. Not exactly the ideal choice for security stuff.
I myself am very much looking forward to more Risc-V boards and reasonably gate-sized Risc-V ASICs, say <= 45 nm.


@MAC the Knife et al.

It might be noteworthy that quite many ISPs still keep the modem's MAC linked to the user. Moreover funny (changing and/or random) MACs are pretty much limited to internal networks (where their value is quite limited). In any not small scenario and certainly in carrier and ISP networks hardly anybody would play MAC games, i.a. because it would drastically slow down their switches and, in fact, *de*crease safety.
At the same time, just as they are known to be easily manipulated, MACs aren't much used in LEA (or are they even stupider than I think they are?)

tyr • July 9, 2017 4:56 PM


I found the economics of this quite special.

https://www.eff.org/files/2017/07/07/erickson_perez_sinha_2017_wp_0.pdf

Apparently if you dispense with all the mad lock-in schemes and just deliver a product that performs its stated function you can get rich in the process.

I'm reminded of the HAL in 2001 when I encounter electronics that says "I can't do that."

Amazon doesn't have an IT department!! So why are they trying to sell the cloud as a solution?

Czerno • July 9, 2017 5:10 PM

Re: MAC randomisation or "spoofing" : MAC addresses are almost never really set in "hard"ware, they are usually held in EEPROM, flashed at the factory or by an assembler and reflashable at will, iow "firm"ware only. As you know, a MAC address has two main parts, one designates the manufacturer/brand/model, the other field a serial number (supposed to be unique, but in practice unicity seldom enforced, if ever). Depending on the hardware/firmware brand and model, it is/may be easy for you or me to reflash - at a minimum the serial or "user" part of our NIC's firmware MAC addresses (as opposed to mere spoofing by the OS). It can be as easy as - or as hard as - finding the specifications sheet and/or a manufacturer's flashing utility.

Thoth • July 9, 2017 7:07 PM

@Dissident

SSL Certs are simply used as Golden Stickers and are just Cybersecurity Theater of sorts.

These certs aren't really worth much from a security perspective as there are simply too many ways to break the security of SSL/TLS and having that green padlock icon doesn't mean you are secure.

Most helpdesks are not equipped to handle such 'complexities' like SSL certs and security. Heck, even some banks' IT dept staff I talk to don't even know what is encryption and how SSL/TLS works let alone a mere helpdesk staff on Amazon. To make matters worse, even the govt agencies' staff that are supposed to handle IT Security don't know how SSL/TLS works and all they care is the green padlock on the address bar.

Forget about considering SSL/TLS 'secured' connections as secure as they aren't. This SSL/TLS is just a 'security marketing' thing created by huge companies in an attempt to sell 'security theater' products and are not truly interested in higher assurance security.

Also, check between the certs if the Subject TBS RSA modulus are the same between the certs.
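The check suggested above (same RSA modulus across the two certs?) and the serial/fingerprint comparison Dissident did by hand, as an added example that is not code from this thread: a stdlib-only Python DER walker that pulls serial, SHA-256 fingerprint, SPKI hash and RSA modulus out of a certificate and reports what changed between an old and a new one. The certificates that make_test_cert builds are constructed, unsigned stand-ins so the script runs offline; a real certificate goes in as DER bytes (for example ssl.PEM_cert_to_DER_cert(pem)).

```python
import hashlib

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption, as DER


def _colon_hex(b):
    """Render bytes the way browsers show fingerprints and serials: 1D:4A:BD:..."""
    return ":".join(f"{x:02X}" for x in b)


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, raw_tlv, next_pos)."""
    start = pos
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def _children(value):
    """Split the content of a constructed DER element into its child (tag, value, raw) triples."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, raw, pos = _tlv(value, pos)
        out.append((tag, val, raw))
    return out


def cert_summary(cert_der):
    """Serial, SHA-256 fingerprint, SPKI hash and (for RSA keys) modulus of a DER certificate."""
    tag, cert, _, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a DER SEQUENCE")
    fields = _children(_children(cert)[0][1])   # tbsCertificate is the first child of Certificate
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version (present in v3 certs)
        fields = fields[1:]
    serial = fields[0][1]                        # serialNumber INTEGER
    spki_raw = fields[5][2]                      # signature, issuer, validity, subject, then SPKI
    spki_fields = _children(_tlv(spki_raw, 0)[1])
    alg_oid = _children(spki_fields[0][1])[0][2]
    modulus = None
    if alg_oid == RSA_OID:
        # BIT STRING value: one unused-bits byte, then RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
        rsa_key = _children(_tlv(spki_fields[1][1][1:], 0)[1])
        modulus = int.from_bytes(rsa_key[0][1], "big")
    return {
        "serial": _colon_hex(serial),
        "sha256": _colon_hex(hashlib.sha256(cert_der).digest()),
        "spki_sha256": _colon_hex(hashlib.sha256(spki_raw).digest()),
        "modulus": modulus,
    }


def compare_certs(old_der, new_der):
    """Triage a certificate change. A new serial/fingerprint with the same key is a plain
    re-issuance; a new key is not by itself evidence of interception (many operators rotate
    keys on renewal) but is the case worth cross-checking from another vantage point."""
    old, new = cert_summary(old_der), cert_summary(new_der)
    return {
        "serial_changed": old["serial"] != new["serial"],
        "fingerprint_changed": old["sha256"] != new["sha256"],
        "same_key": old["spki_sha256"] == new["spki_sha256"],
        "same_modulus": old["modulus"] is not None and old["modulus"] == new["modulus"],
    }


# --- constructed test certificates (structurally valid, unsigned; NOT real Amazon certs) ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                         # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def make_test_cert(serial, modulus, exponent=65537):
    """Build a minimal v3 certificate skeleton around a given serial and RSA modulus.
    Names and validity are empty placeholders; the signature is an empty BIT STRING."""
    alg_id = _der(0x30, RSA_OID + b"\x05\x00")          # AlgorithmIdentifier { rsaEncryption, NULL }
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))
    name, validity = _der(0x30, b""), _der(0x30, b"")
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(serial)
               + alg_id + name + validity + name + spki)
    return _der(0x30, tbs + alg_id + _der(0x03, b"\x00"))


if __name__ == "__main__":
    key_a = (1 << 255) | 0x1234567                      # constructed modulus, not a real key
    old = make_test_cert(0x1D4A, key_a)
    renewed = make_test_cert(0x7EA8, key_a)             # same key, new serial: ordinary re-issuance
    rekeyed = make_test_cert(0x7EA9, (1 << 255) | 0x89ABCDE)
    print("renewed:", compare_certs(old, renewed))
    print("rekeyed:", compare_certs(old, rekeyed))
```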

MAC What? • July 9, 2017 8:17 PM

Ummm... just ISPs, APTs, and TLAs? WiFi providers are small/local and don't matter? Perhaps not with a slight awareness of OPSEC. Apparently some cellphone OSes come with MAC address randomization as a default. That could be considered useful...

Thoth • July 9, 2017 8:17 PM

@Nick P

Testing on Redox OS v0.2.0

Result: ----- FAIL -----
Environment: Bare Metal attempt and VirtualBox attempt
Failure Conditions: Refusal to boot further into next stage bootloader

I guess the thought of safety centric and security centric micro-TCB would always remain elusive and dream-like as long as the projects are 'Open Source'. As per the usual scenario of most FOSS projects, no consistent funding or viable business models means nothing would come to fruition for most of the time.

The only industries with working safety and security centric micro-TCBs are the Military-Intel-Govt-Industrial Complex where they always have the best toys to play with and the civilians would take the scrap and vulnerable parts.

Still waiting for the elusive 'Secure Computing' to actually come true one day .......

furloin • July 9, 2017 10:50 PM

@MAC
"The only thing the average home user can do here is to buy his computer as well as his router anonymously"

If the user is already being targeted then how can they trust that every piece of hardware they buy is not backdoored without being able to verify it themselves? Every 'anonymous' vendor could be a trap for all they know. Most users wouldn't even know to verify the hardware is not backdoored in the plethora of ways it could be. Let alone how to verify if it's not backdoored. I am sure this has been discussed much in the past on this blog if you have further inquiries.

@ab praeceptis
I have witnessed MACs used for computer identification on low security Cisco systems used in certain places. It would not surprise me if they used MACs in higher tier institutions also. Also I wouldn't call them "stupid", more like "outsourced".

@dissident
Aren't they a part of the USA government now? Wouldn't you be contacting the wrong ((agency)) for that?

Winter • July 9, 2017 11:17 PM

@MAC the knife
"I only insist that those edge cases are infrequent. For most people most of the time MAC randomization is a waste of effort."

Edge case: You do everything right, but dismiss MAC randomization. And the public Wifi hotspots you use log the MAC addresses. Suddenly, all your accesses can be linked, and linked to your device.

Edge case: Retail stores tracking visitors by mobile phone MAC address. Android actually uses (broken) MAC address randomization to counter this practice.
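Czerno's description of the MAC address layout (vendor part plus device part, with the flag bits in the first octet) and Winter's hotspot-log edge case, as an added example that is not code from this thread: a small Python script that decodes a MAC, generates a randomized one either fully (locally-administered bit set) or keeping the vendor prefix as kiss_tor observed Tails doing, and then shows over a constructed hotspot association log how a stable MAC links visits across days and access points while randomized ones do not. The log format, the access point names and the address prefixes are all constructed for the example.

```python
import re
import secrets
from collections import defaultdict

_HEX2 = r"([0-9A-Fa-f]{2})"
MAC_RE = re.compile("^" + "[:-]".join([_HEX2] * 6) + "$")
OUI_RE = re.compile("^" + "[:-]".join([_HEX2] * 3) + "$")
# Constructed log format: "<date> <time> assoc ap=<name> mac=<addr> ip=<addr>"
LOG_RE = re.compile(r"^(\S+) (\S+) assoc ap=(\S+) mac=(\S+)")


def fmt(octets):
    return ":".join(f"{o:02X}" for o in octets)


def parse_mac(mac):
    """Split a MAC into vendor (OUI) and device parts and decode the flag bits of octet 0."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [int(x, 16) for x in m.groups()]
    return {
        "oui": fmt(octets[:3]),
        "device": fmt(octets[3:]),
        # bit 1 (0x02) of the first octet: 1 = locally administered, 0 = vendor-assigned
        "locally_administered": bool(octets[0] & 0x02),
        # bit 0 (0x01): 1 = group/multicast address, which a station never uses as its own
        "multicast": bool(octets[0] & 0x01),
    }


def random_mac(keep_oui=None):
    """Return a random unicast MAC.
    keep_oui=None: fully random with the locally-administered bit set, so the address never
    collides with a vendor range but is recognisable as self-assigned.
    keep_oui="3C:A9:F4": keep the vendor prefix and randomise only the device part, which
    hides the self-assignment but still reveals the adapter vendor."""
    if keep_oui is None:
        first = (secrets.randbits(8) | 0x02) & 0xFE      # set LA bit, clear multicast bit
        return fmt([first] + [secrets.randbits(8) for _ in range(5)])
    m = OUI_RE.match(keep_oui.strip())
    if not m:
        raise ValueError(f"not a 3-octet OUI: {keep_oui!r}")
    return fmt([int(x, 16) for x in m.groups()] + [secrets.randbits(8) for _ in range(3)])


def link_sessions(log_text):
    """Group hotspot association records by MAC, the way a hotspot operator (or anyone who
    obtains the logs) can. Returns {mac: {"visits": [(date, ap), ...], "locally_administered": bool}}."""
    by_mac = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            by_mac[m.group(4).upper()].append((m.group(1), m.group(3)))
    return {
        mac: {"visits": visits, "locally_administered": parse_mac(mac)["locally_administered"]}
        for mac, visits in by_mac.items()
    }


# Constructed sample log: one device with a stable MAC, one device randomising per session.
SAMPLE_LOG = """\
2017-07-08 08:02:11 assoc ap=cafe-1 mac=3c:a9:f4:12:34:56 ip=10.0.0.23
2017-07-08 19:44:03 assoc ap=library mac=3c:a9:f4:12:34:56 ip=10.0.1.77
2017-07-09 09:10:40 assoc ap=cafe-1 mac=3c:a9:f4:12:34:56 ip=10.0.0.31
2017-07-09 12:00:05 assoc ap=cafe-1 mac=3e:a9:f4:9b:01:c2 ip=10.0.0.40
2017-07-09 18:30:19 assoc ap=library mac=3e:a9:f4:0d:77:e1 ip=10.0.1.12
"""

if __name__ == "__main__":
    for mac, info in link_sessions(SAMPLE_LOG).items():
        flag = "self-assigned" if info["locally_administered"] else "vendor-assigned"
        print(f"{mac} ({flag}): {len(info['visits'])} visit(s) at {sorted({ap for _, ap in info['visits']})}")
    print("fully random:", random_mac(), " vendor kept:", random_mac(keep_oui="3C:A9:F4"))
```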

mostly harmful • July 9, 2017 11:21 PM

@ Thoth, re traffic analysis

Thank you for encouraging the hands-on approach to understanding using basic tools.

@ Dirk

Thank you for package names, pointer to dedicated linux distro including other useful packages, and the hardware page.

@ ab praeceptis: "But granted, the question was put in a rather wide open way. It might be helpful to specify it somewhat."

Yes, it was lousy phrasing. Despite that, the responses have been helpful to me.

I had been reading the Traffic Analysis wikipedia page, and wanted to learn more. A reference there points to a large anonymity bibliography ( https://www.freehaven.net/anonbib/ ), which contains pointers to material that approximate what I initially sought. For example:

Raymond 2000, Traffic Analysis: Protocols, Attacks, Design Issues, and Open Problems [pdf][ps][ps.gz]

Along with Thoth and Dirk's suggestions, I have a full plate.

Thanks, again!

mostly harmful • July 9, 2017 11:49 PM

@ clive robinson "There is actually not much to say at the introductory level [about traffic analysis]."

He said, as he proceeded to prove otherwise ;)

ab praeceptis • July 10, 2017 12:20 AM

@all

Oh happiness, flow, flow ...

bruce perens, a well known gpl evangelist, now *warns* of using Grsecurity! He clearly, openly, and expressly tries to ruin the business of Grsecurity.

I personally for myself see one thing here and assume a second. The thing I see is that gpl *obviously* is meant to be a jail as e.g. perens claims that Grsecurity now asking money for their work is somehow illegitimate and a breach of gpl (which Grsecurity used before).
Well noted, Grsecurity doesn't ask a single penny for linux. What they ask payment for is *their* work (and implicitly lots of research, know-how, and experience).

As a developer one clearly must learn that gpl is poisoning and putting into a jail cell those who at some point in time were [insert adjective] enough to succumb to gpl.

But that's not the reason I write this. Frankly, I care little about linux or gpl cuffed developers. The way I see it is "Well, you had it coming, so don't complain" and that's about it.

What really concerns me, though, is that I take the witch hunt against Grsecurity to quite strongly suggest that someone (who might that be? *N*ot *S*ure *A*bout ...) absolutely does not want linux to be any more secure than what the "I don't care a f*ck about security" linux master puts on the plate.
Well noted: I have no proof whatsoever for that but my sensors haven't failed me badly so far.

Thoth • July 10, 2017 3:42 AM

@ab praeceptis

Maybe this suggestion of mine may not sit well with a lot of people out there but I have a weird feeling that the 'GNU/FOSS/GPL' is a gang of sorts and as per usual has its own fanboi-ism followings.

I think it is the latest attempt to back Linus Torvalds and to mount a verbal 'assault' of sorts in the recent attempts to discredit GRSecurity and to 'bring them down' by simply using the 'weight of the open community' to steam roll GRSecurity out of existence ?

I am not impressed by how the GNU/FOSS/GPL/Linux gang have been handling their PRs lately and I have simply gone ahead to not support their movement by ditching as much of my codes I have released under GPL or GNU 'minted' licenses and simply just released them in 3-Clause BSD.

I have also quickly figured out that GNU GPL and variations of the GPL are toxic to the open community and have been pushing out licenses for my open source projects under 3-Clause BSD.

Recently, I have the urge to start monetizing a little on my creations as I need to inject funds into my researches and projects as I have been paying every single penny of the bills incurred with my own money and have so far refused every single offer of funding in a bid to ensure that the company is not tainted by 'outside hands'.

Winter • July 10, 2017 4:13 AM

@ab praeceptis
"bruce perens, a well known gpl evangelist,"

Sorry, but Bruce Perens is one of the originators of the Open Source initiative. They advocate Open Source, but can hardly be considered GPL evangelists. If you want to attract the lifelong hatred of Richard Stallman, advocate Open Source.

It is a blatant violation of every copyright law in existence, anywhere, to take code licensed under the GPL and then distribute patches with your own, non-free, conditions like Grsecurity did. If you want to re-license your additions, use BSD as the source, not Linux.

Try to distribute patches to a Disney movie or Windows binaries to see how this works.

ab praeceptis • July 10, 2017 5:50 AM

@Thoth

*if* license concerns really were the reason they'd have brought it up much earlier.

As for the people using the gpl I don't want to condemn them; actually I think it's a mixture of immaturity, carelessness, and group dynamics.
Factually there are alternatives that offer pretty much what most of the developers currently using gpl want but without the poison.

I commend your decision to go with a BSD license but I would also have no problems with a more stringent license (except, of course, gpl and accomplices).

Actually, you are much more patient than me; I stopped giving away (BSD type) oss quite some years ago. I still do give away oss but to selected colleagues only and with the condition that it must never ever be part of anything gpl infested or, if used commercially they have to give me a fair share to finance my research.

And, as I said, I'm quite confident that linux and much gpl infested software can't be trusted. What happened re. Grsecurity is just yet another very ugly hint.


@Winter

bruce perens is well known (in part justified as he indeed has done good things) and he is a gpl evangelist; in fact, his current statement re. Grsecurity is that of what I perceive as a gpl hitman.

richard stallman? I know that guy, I've met him in person and took him on. Please note that I do *not* think he's a bad person; actually I think that he has good intentions but history provides plenty of examples for "well meaning is not equal to well doing; often quite the contrary".

Grsecurity and gpl: As I said, Grsecurity didn't ask a single penny for linux; they - justifiably! - ask money for their work, experience, and research (the fruits thereof) - plus - they *do* care about security.
And btw, where do you want to draw the line? Is, for instance, the work of a consultant who edits linux source for his client (for money) and compiles it then under the gpl, too?

I still remember the games the OpenBSD people had to play due to similarly idiotic wanton rules. Today it's gpl fanatics who drive people to weird things like typing code in europe (or who knows where).

Funny that today the gpl sect plays the role that in former times was played by at&t, the us of a government, etc.

Gerard van Vooren • July 10, 2017 5:51 AM

@ ab praeceptis,

Bit**ing about (Free) Open Source licenses is ... not productive. Just use the license that you want to use and leave it with that. We aren't lawyers.

Gerard van Vooren • July 10, 2017 5:57 AM

... with the exception of CDDL, the license of ZFS, that was specifically created to be both FOSS and incompatible with GPL. The a$$holes.

ab praeceptis • July 10, 2017 6:02 AM

Gerard van Vooren

That's not the point. The point is the damage created by gpl, when gpl de facto tries to destroy security relevant software, and the general coziness between the spook agencies and the gpl people.
It was in *that* context that I brought that up.

There are dozens and dozens of oss licences but just one of them, gpl, is frequently the topic of heated discussions - for a reason one would think.

Dirk Praet • July 10, 2017 6:37 AM

@ Thoth, @ Nick P

Testing on Redox OS v0.2.0

I couldn't even get it to compile on LEAP 42.2. Apparently a known problem with dependencies and the rather elaborate toolchain required.

@ r, @ Thoth, @ Winter, @ ab praeceptis

Re. grsecurity/Bruce Perens

They stopped making it available for free because nobody - even those who used it in commercial products - paid them a dime. You can't possibly blame them for that. This ongoing feud between the grsecurity and kernel development teams should have been resolved in an amicable manner aeons ago. To date, Linus maintains that security is a low-priority issue that eventually sorts itself out. This here saga proves the exact opposite, and Perens's comments only make things worse.

@ Gerard van Vooren

Just use the license that you want to use and leave it with that. We aren't lawyers.

Many developers can't make heads or tails of an ever growing list of licenses and way too often go with one they don't entirely understand the ramifications of. A good starting point is the high-level comparison here.

Winter • July 10, 2017 7:01 AM

@ab praeceptis
"And btw, where do you want to draw the line?"

That line is drawn by the courts. They decide what falls under copyright protection and what does not. Our feelings and opinions have zero value in that debate.

Linus has chosen the GPLv2, and that licence text binds everyone who distributes copies or derived works of Linux. And it is the courts and only the courts that define the line between a derived and a new work.

vas pup • July 10, 2017 9:16 AM

@Bruce: you may find interesting this research on risk taking
Why do some people prefer stable, predictable lives while others prefer frequent changes? Why do some people make rational decisions and others, impulsive and reckless ones? Behavioral neuroscientists have identified changes in two brain regions that may hold answers to these questions.
https://www.sciencedaily.com/releases/2017/07/170707095811.htm

Gerard van Vooren • July 10, 2017 11:42 AM

@ ab praeceptis,

The point is the damage created by gpl, when gpl de facto tries to destroy security relevant software, and the general coziness between the spook agencies and the gpl people.

That's nonsense. Can you point out the following or relevant statement in the GPL (v2/v3): "This license states that the security of the code is to be destroyed"?

I have read them both (okay, a while ago) and I couldn't find it. Code quality is license independent. It seems cool these days to bash GPL but this isn't a valid reason. In fact, GPL has brought us so much. I am typing this text with mostly GPL licensed software and the only closed stuff is in the hardware. That said, there is nothing wrong with ISC or other Berkeley licenses too, or the Apache license. It's just what you want to gain.

Ratio • July 10, 2017 12:52 PM

Linux's license:

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

Work based on the Program seeks to impose further restrictions on the recipients' exercise of rights granted in license of the Program.

It's all so complicated, I tell ya.

kiss_tor • July 10, 2017 3:07 PM

@Clive Robinson @Dirk Praet @ MAC the knife, @mostly harmful

Disclaimers: I have only gotten as far as Dirk Praet (10:23am), and use Tor or Tails at your own risk, of course; maybe search Schneier.com for 'problems with Tor', for example.

From my limited sample size of wifi dongles and testing, those same wifi dongles that wouldn't randomize on Tails 3.0.x now require network manager setup in Knoppix 7.7.1 (presumably in 32 bit mode; I didn't ask Knoppix to boot in 64 bit mode anyway). In other words, with older dongles, previously in Knoppix, I could just click on the wifi symbol in the bottom right area of the screen and then just choose the wifi network to connect to. Finally, I was wondering if there might be some new legal standards wifi dongles might need to meet the united surveillance states' ("'USS'") needs, similar to new hardware standards for routers and firmware flashing.

On Apple hardware, with a sample size of one, Tails 3.0.x seems to still randomize internal MACs ok.

In general, I don't want to allow more easy hacking to my hdd on my laptop, so I tend not to authorize root access to Tails on boot up. Once I boot up Tails I tend to use the same MAC address for an extended period of time (regardless, maybe the worst of both worlds, but now I know that it appears that I can reset the MAC address w/o sudo, so I might sometimes change things).
Assuming, my laptop is anonymizing wifi MAC address, it appears that Tails 3.0.1 is using my hardware vendor without change.
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=manuf ; large document
or $macchanger -l in Tails; also $macchanger -h
https://tails.boum.org/contribute/design/MAC_address/
https://tails.boum.org/news/spoof-mac/
https://www.reddit.com/r/tails/comments/4z2gz7/tails_tor_and_mac_address_spoofing/

Finally (1), recently there was a long and fascinating wsj or nyt article about facial recognition in China ... like "good luck" being anonymous in the USSs around the world.
Finally (2), does anybody trust surfing the internet from free WIFI hotspots with an existing hdd, when booting Knoppix from DVD? In other words, no root requirements for attaching drives.

ab praeceptis • July 10, 2017 4:33 PM

Winter

And it is the courts and only the courts that define the line between a derived and a new work.

For one, no, in a civilized society courts consider technical aspects of matters of a technical nature. Often they even get the help of experts. They do not decide arbitrarily and wantonly (well, so the courts say).

And please finally understand that what Grsecurity offers is *not* a derived work.

They don't use any linux gpl code to create a derived product. They offer *additional* code and work of their own, which *users* can choose to add to their linux kernel - and those users must not be concerned about the gpl because usually they don't distribute that software.

True, Grsecurity also offers patched and compiled binaries for download, but those are not their product, just like a car is not the product of the sound systems vendor who offers the service to install his products in a customers car.

What Grsecurity is paid for is *their* work, experience, and research (the fruits thereof).

Keep in mind that I have the right to use any gpl infested code and change it to whatever I please, as long as I do not give the result to others, particularly not in the context of selling it.

ab praeceptis • July 10, 2017 5:05 PM

@Thoth

Great! Haha. That's the first reaction. After some seconds though my second reaction is this: Multics source is available. Wouldn't it have been much more useful if those people had produced something real, say, a modernized version that considers what we know now and didn't know then (security!)?


@Gerard van Vooren

"That's nonsense." - as in "let's not bicker about licenses! ... well, except the one I really hate" *g

You are - or seem to be - right; the gpl does not state any evil goals, quite the contrary.
But then, that's also true for trotsky, goebbels, nsa, and human organ dealers.

Obviously we can not assume that any party's public statements fully disclose its intentions truthfully and in full. Secondly, we must also observe the behaviour and the outcome; doing that we quite often find very considerable divergence.

That said, I fully agree that some factors, which happened to often come in the form of the gpl, really did us much good. Moreover I do *not* assume that the gpl was conceived in ill intention. In fact, I can quite well understand (and agree with) some of what the gpl meant to take care of.

However, we must also see the reality, the outcome.


@Ratio

"Work based on the Program seeks to impose further restrictions on the recipients' exercise of rights granted in license of the Program."

True - and laudable, it seems.

However: Grsecurity is certainly *not* what the inventors of the gpl had in mind. That, too, is quite clear from what you quoted. It was about the microsofts and ibms who should not steal the free work of others, make money with it and, worse, use it against them (typ. by enforcing insane "you have no rights whatsoever" eulas).

Secondly and more importantly: Grsecurity is about at least somewhat mitigating the security nightmare the linux gpl sectarians have created. *Obviously* what the world needs is not a war inflamed by gpl fanatics but security!

Finally, legal language isn't everything. There are other necessities and priorities, too. Safety and security are examples - and it's not by coincidence that safety and security are typical factors for legal exceptions (one may, for example, do quite many quite illegal things to save a human life).

Let me propose a fair solution: Grsecurity is stopped and their company is killed - and the linux people are fined a) to pay 1 billion $ in damages and fines, b) to within 3 months create a reasonably safe linux kernel, and c) if failing they pay 10 billion $ more in fines and damages, and linux gets closed down and all leading figures are brought to court for carelessly endangering millions and millions of people.

Dirk PraetJuly 10, 2017 5:52 PM

@ kiss_tor

does anybody trust surfing the internet from free WIFI hotspots with an existing hdd, when booting Knoppix from DVD?

FDE your HD, or take it out.

RatioJuly 10, 2017 7:19 PM

@ab praeceptis, @Winter,

The idea that a collection of patches to the Linux kernel source code somehow isn't a work based on that same Linux kernel source code, while intriguing, probably shouldn't be at the top of the list when you're picking the central argument for your legal defense strategy.

ab praeceptisJuly 10, 2017 7:37 PM

Ratio

(Somehow) "based on" isn't the relevant criterion. Somewhat extreme counter-example: Would adding lots of comments to some gpl infested source code, say as a teacher for one's students, be a breach of gpl? Hardly, although it certainly would be based on the gpl'd code.

Moreover, again: Grsecurity provides patches - which their customers may or may not apply. If they do that's fine, as long as customer doesn't distribute the result (but just uses it inhouse).

Btw, most of the better known lawsuits won by the gpl people were about companies using gpl'd stuff and not telling about it, not providing a link to the gpl and the source, etc.

AnuraJuly 10, 2017 8:55 PM

@ab praeceptis

Would adding lots of comments to some gpl infested source code, say as a teacher for one's students, be a breach of gpl? Hardly, although it certainly would be based on the gpl'd code.

Anyone can change the code all they want, as long as they don't republish it under a different license.

ab praeceptisJuly 10, 2017 9:40 PM

Anura

It seems very difficult to understand but offering patches is not the same as editing code. And, yes, those patches *can* be under any license its developers please.

As many seem to have trouble understanding it: If I create patches *and* apply them *and* then distribute the compiled result, say, as "xyz safe linux" - then that must be under gpl.

If, however, I distribute patches - no matter under what license - for people to apply or to print out and put in fortune cookies or whatever that does *not* breach gpl as long as the user does not distribute the patched linux.

So, you and me and Jane and Joe can do whatever we please - but the few linux distros who actually care about safety and used Grsecurity patches, like e.g. alpine linux, are in trouble now.

Net result: what little was available in terms of a more secure linux is being strangled to death now. Congratulations.

Wesley ParishJuly 11, 2017 4:56 AM

Did anyone read the CNN article on what promises to be a bumper crop of (physical) security theatre?

A proposed new military branch would send US troops to guard the galaxy
http://edition.cnn.com/2017/07/07/politics/space-corps-bill-trnd/index.html

Really convincing, considering the USA doesn't currently have any operational heavy-lift rockets. Sounds like Pay (through the nose) and Pray Security. Also that this sort of grandstanding and sabre-rattling is likely to cause relevant parties to up their efforts to ensure they do not get left behind, and thus cause the very thing it is allegedly intended to prevent, an arms race of some description and serious taxpayer discomfort.

And having just seen The Matrix, @Bruce, does the name of the robotic interceptors of The Matrix have anything to do with the Friday Squid Blogging?

(BTW, has anyone heard or seen @S[k]eptical lately? I rather enjoyed the poor twit, and would be seriously upset if either buses or wolves went extinct in the States through massive cholesterol poisoning.)

Dirk PraetJuly 11, 2017 5:20 AM

@ Wesley Parish

A proposed new military branch would send US troops to guard the galaxy

It's beyond ridiculous.

has anyone heard or seen @S[k]eptical lately?

I'm pretty sure he's still lurking around, but his comments generally focus on US IC or foreign policy related issues. I was kinda surprised he didn't reply to @ab praeceptis's recent Ukraine rant, and for which he got slapped on the wrist by our host.

Many here have long thought of him as a government mouthpiece and it's a bit of a weird coincidence that we haven't heard a lot of him since Trump took over. And of whom he appeared to be less than a fan. I also wouldn't call him a twit. Despite the many run-ins we had, his articulate comments and arguments are generally well-informed, to the point and polite, which are qualities I appreciate because they tend to take discussions to a higher level.

RachelJuly 11, 2017 6:22 AM

@Dirk

his articulate comments and arguments are generally well-informed, to the point and polite, which are qualities I appreciate because they tend to take discussions to a higher level.


all qualities one will find in a DC staffer. Apart from the higher level thing. Can't have it all I suppose


JG4July 11, 2017 7:45 AM


A thought on the GPL situation. Why can't a stand-alone commercial package contain a list of changes that alter a Linux package, presumably pre-compile? Analogous to several topics, including homomorphic encryption. I'd like to be able to play the movie The Pentagon Wars (and many others) for various people sensitive to coarse and abusive language. If I had a hash of the soundtrack, and made a list of deletions (or other alterations) in it, I could use that hash to maintain sync with a hash of the actual soundtrack, then insert the changes in real-time. One underlying principle is first-sale doctrine. Once you've bought the hardware, software or copyrighted work, you can do whatever you want with it for non-commercial purposes. And you can incorporate changes into an independent package that applies them at time of use.

I stopped short of tying several useful concepts together in recent weeks, probably because I was too busy drinking. Intelligence is approximately a fourth-level adaptive capacity in living systems. The first is genetics, which reacts on a very long timescale. Next is epigenetics, which regulates gene expression on a much shorter timescale and is particularly useful for environmental effects that come and go, e.g., environmental toxins, violence, drought and famine. A lot of recent progress in the epigenetics area. Standard enzyme feedback control systems generally are faster. Finally, intelligence is able to achieve change on the millisecond to microsecond time-scale.

These topics fit neatly into the same framework and have good overlaps to security.

adaptive systems
entropy maximization
intelligence
system identification

The headlines that caught my eye today

http://www.nakedcapitalism.com/2017/07/links-71117.html
...
Why clever people live the longest Financial Times. Correlation is not causation….and this seems to rely largely on IQ, which to a fair degree measures acculturation.

...
EU Prepares “Right to Repair” Legislation to Fight Short Product Lifespans Bleeping Computer (Chuck L). We posted on this but glad to see some outlets in the US take notice.

New Cold War

Fake News on Russia in the New York Times, 1917-2017 Dissident Voice. Stormcrow: “Long but devastating.”

...
Big Brother is Watching You Watch

Company Accused of Selling User Data Shuts Down after $104 Million Settlement Bleeping Computer. More of this, please.

ThothJuly 11, 2017 7:53 AM

@all

Running the latest Ubuntu is going to be as easy as visiting the Windows Appstore and simply clicking the download button and running it. No hassle with esoteric command lines and so on ... with just one huge exception ... that is you need to be running the infamous Windows 10 OS that is known to have all kinds of "goodies" waiting to slurp your personal data and foil your privacy plans.

Also, the Ubuntu upon download would run in some sort of Windows virtualized sandbox. Good luck trying to trust any of such deployments.

Link: https://www.microsoft.com/en-us/store/p/ubuntu/9nblggh4msv6#

RachelJuly 11, 2017 8:17 AM

Energy companies appear to be telling their customers that installing a smart meter is compulsory, despite the Government abandoning its plan to have one in every home within three years.

While it had been official policy that every home in the country would have a smart meter by 2020, the Queen’s Speech subtly downgraded this requirement to every home being “offered” a smart meter – meaning that they are no longer compulsory.

Meanwhile, tens of thousands of smart meters have been replaced after their owners switched providers, rendering them inoperable. And new research from comparethemarket.com also reveals a fifth of Brits do not want a smart meter fitted - around half due to concerns about the way data is collected.

http://www.telegraph.co.uk/bills-and-utilities/gas-electric/smart-meter-roll-out-getting-one-still-compulsory/

kiss_torJuly 11, 2017 9:35 AM

More wifi MAC address problems, or challenges, include:
For those of you booting Tails from USB sticks in coffee shops on relatively recent Apple (Veblen's 'conspicuous consumption', anyone) hardware, I think that your hardware wifi MAC address may be visible temporarily (choice of WIFI links for system recovery; bottom middle of display) at boot time.
https://mailman.boum.org/pipermail/tails-dev/2013-January/002491.html ; perhaps relevant

Dirk PraetJuly 11, 2017 3:30 PM

@ Dirk Praet

A proposed new military branch would send US troops to guard the galaxy

PS: it would appear the idea also comes straight out of South Park: "Ladder to Heaven" (season 6, episode 12), in which a US general proposes to bomb heaven after hearing from the IC that Saddam Hussein, cast out of hell by Satan, is building a WMD factory there.

vas pupJuly 11, 2017 3:34 PM

CFPB Arbitration Rule: https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-rule-ban-companies-using-arbitration-clauses-deny-groups-people-their-day-court/
"The CFPB rule restores consumers’ right to file or join group lawsuits. By so doing, the rule also deters companies from violating the law. When companies know they are more likely to be held accountable by consumers for any misconduct, they are less likely to engage in unlawful practices that can cause harm. Further, public attention on the practices of one company can more broadly influence their business practices and those of other companies. Under the rule, companies can still include arbitration clauses in their contracts. But companies subject to the rule may not use arbitration clauses to stop consumers from being part of a group action. The rule includes specific language that companies will need to use if they include an arbitration clause in a new contract.
The new CFPB rule applies to the major markets for consumer financial products and services overseen by the Bureau, including those that lend money, store money, and move or exchange money. Congress already prohibits arbitration agreements in the largest market that the Bureau oversees – the residential mortgage market. In the Military Lending Act, Congress also has prohibited such agreements in many forms of credit extended to servicemembers and their families. The rule’s exemptions include employers when offering consumer financial products or services for employees as an employee benefit; entities regulated by the Securities and Exchange Commission or the Commodity Futures Trading Commission, which have their own arbitration rules; broker dealers and investment advisers overseen by state regulators; and state and tribal governments that have sovereign immunity from private lawsuits."

I guess consumers will be happy to have similar rules by FTC and FCC applied to web related services, software usage, privacy, cable TV, phone companies and other (you know what I am talking about) related contracts when on one side is average Joe/Jane and on the other big company with huge law and financial resources.
Everybody deserves their day in court!

tyrJuly 11, 2017 7:57 PM


@vas pup

I wonder if it extends to the taxfarmers
of the student loan scam. The idea you
can saddle the young with debt while
making sure they have no recourse to
law has been a stain on the honor of
a whole people that needs to be fixed.

@Dirk Praet

They probably wanted to fulfil Hayden's
delusions about our Starfleet so he
would no longer be a liar about it.

The other possibility is that a God
Emperor without Space Marines would be
a meme fail.

Nick PJuly 11, 2017 9:13 PM

@ Markus Ottela

Keep it up! :)

@ Thoth

"Result: ----- FAIL -----
Environment: Bare Metal attempt and VirtualBox attempt
Failure Conditions: Refusal to boot further into next stage bootloader"

"We are raising a Kickstarter to get funding needed to get off FailBlog into a more reputable publication."

:)

"The only industries with working safety and security centric micro-TCBs are the Military-Intel-Govt-Industrial Complex where they always have the best toys to play with and the civilians would take the scrap and vulnerable parts."

Maybe inevitable. I did find another company doing a phone with OKL4. It has people from same institute including guy who invented their virtualization stuff. Google is doing Fuchsia. Genode continues to try to improve their stuff. Microsoft is using advanced technology to protect their users from backdoors or malware they didn't install themselves. Mainstream Linux distros are adding systemd to contain most init malware in several sandboxes (aka Linux distros) to shield that malware from non-systemd distros. The reports and CVE's show that both strategies are working.

Doesn't look so bleak if you read it taking anti-depressants. Unfortunately, I'm short on anti-depressants.

@ Dirk Praet

It seems the Librem laptop won't be undergoing certification for Qubes again since they changed their requirements and apparently charge a lot of money. That's unfortunate given it was a good combo for that niche. There was much discussion about this ranging from "professionals need to get paid" to "greedy assholes ruin everything." I agreed with one commenter, though, who said they're only hurting themselves by trying to extract money up front out of what could be a flagship product for their product. They probably need to pick a few great laptops, make it work themselves, and re-sell them with a fee as loss-leaders. Maybe as part of a corporate, consulting contract on top of the gear corporations would buy anyway. Sell them on stopping malware while running Windows apps side-by-side or something.

They're really undermining all the good effort they put in on tech with bad marketing. Far as the tech, the Librem announcement talked about how they got hit by Xen vulnerabilities that hit Qubes. Reminds me of something on their mailing list years ago on same subject. ;)

Nick PJuly 11, 2017 11:13 PM

@ Wael

(Figureitout, Clive, and Thoth might also appreciate some projects we linked in bootstrapping wiki)

From here or online? Remember that there was a lot of noise here with less specialists than before. So, I was here less than before in some other places. For example, I just redid my old response on the Karger/Thompson attack with the associated Trusting Trust issue. I'm trying to make it small, simple, and easy to digest (my strong suit right lol?). Here's the recent draft for your review at a one-off reply when people ask that. I also put quite a few links on that page out of the old link farm that's grown enough to require government subsidies to keep in check.

re solving the trusting trust problem w/ compilers

"It's a solved problem. Paul Karger, who invented the attack and concept in the 1970's, immediately worked with others to solve it with rigorous methods called high-assurance security. Far as this problem, it's mainly a problem of people you trust reviewing it, it getting distributed to you, and you verifying you got what they reviewed. With most distros, it boils down to that since you have to trust millions of lines of code (maybe privileged) in the first place. SCM security of a trusted repo becomes the solution. Wheeler covers SCM security here:

https://www.dwheeler.com/essays/scm-security.html

Now, let's say you want to know the compiler isn't a threat. That requires you to know that (a) it does its job correctly, (b) optimizations don't screw up programs esp removing safety checks, and (c) it doesn't add any backdoors. You essentially need a compiler whose implementation can be reviewed against stated requirements to ensure it does what it says, nothing more, nothing less. That's called a verified compiler. Here's what it takes assuming multiple, small passes for easier verification:

1. A precise specification of what each pass does. This might involve its inputs, intermediate states, and its outputs. This needs to be good enough to both spot errors in the code and drive testing.

2. An implementation of each pass done in as readable a way possible in the safest, tooling-assisted language one can find.

3. Optionally, an intermediate representation of each pass side-by-side with the high-level one that talks in terms of expressions, basic control flow (i.e. while construct), stacks, heaps, and so on. The high-level decomposed into low-level operations that still aren't quite assembly.

4. The high-level or intermediate forms side by side with assembly language for them. This will be simplified, well-structured assembly designed for readability instead of performance.

5. An assembler, linker, loader, and/or anything else I'm forgetting that the compiler depends on to produce the final executable. Each of these will be done as above with focus on simplicity. May not be feature complete so much as just enough features to build the compiler. Initial ones are done by hand optionally with helper programs that are easy to do by hand.

6. Combine the ASM of compiler manually or by any trusted applications you have so far. The output must run through assembler, linker, etc. to get the initial executable. Test that and use it to compile the high-level compiler. Now, you're set. Rest of development can be done in high-level language w/ compiler extensions or more optimizations.

7. Formal specification and verification of the above for best results. Already been done with CompCert for C and CakeML for SML. Far as trust, CakeML runs on Isabelle/HOL whose proof checker is smaller than most programs. HOL Light will make it smaller. This route puts trust mostly in the formal specs with one, small, trusted executable instead of a pile of specs and code. Vast increase in trustworthiness.

@rain1 has a site collecting as many worked examples as possible of small, verified, or otherwise bootstrapping-related work on compilers or interpreters. I contributed a bunch on there, too. I warn it looks rough since it's a work in progress that's focused more on content than presentation. Already has many, many weekends worth of reading for people interested in Trusting Trust solutions. Here it is for your enjoyment or any contributions you might have:

https://bootstrapping.miraheze.org/wiki/Main_Page"

WaelJuly 12, 2017 12:53 AM

@Nick P,

Remember that there was a lot of noise here with less specialists than before.

It's getting better.

just redid my old response on the Karger/Thompson attack with the associated Trusting Trust issue...

I don't remember the first draft. I'll go through this list later. Too many things to take care of. Will get back to you in a couple of weeks!

Anon Coward from PAJuly 12, 2017 5:10 AM

@Dissident

This article says you may escalate issues to jeff@amazon.com. I did so in the past and received a logical response from Amazon and an Amazon employee visited my LinkedIn page.

Wesley ParishJuly 12, 2017 5:44 AM

@Dirk Praet

re: @S[k]eptical

In general he was well-informed, at least as far as US policy issues. He could be quite unintentionally amusing when the focus was on technical issues, though. And a right royal pain in the [censored] when it came to the possibility of the US being in any way mistaken or malicious.

Everybody knew he was a DC staffer after a while. You can't hide that sort of thing.

So, stand to your glasses, steady!
The world is a world of lies:
A cup to the dead already-
And hurrah for the next that dies!

Let us mourn the wolves and buses that will soon be extinct of massive cholesterol poisoning.

Dirk PraetJuly 12, 2017 8:47 AM

@ Wesley Parish

Everybody knew he was a DC staffer after a while.

Which he denied several times, but is not entirely unlikely. And even if he is/was, for me is not a reason to not talk to someone. But you do have a point that his relentless defense of even the most blatant USG and IC aberrations was sometimes a bit over the top. I do hope he returns, though. Unlike certain others like @He who shall not be named and who irritated the living daylights out of the entire forum with his incessant anti-Snowden rants.

vas pupJuly 12, 2017 12:43 PM

Good article on personal security and psychology in the time of crisis:

http://www.bbc.com/future/story/20170711-what-not-to-do-in-a-disaster
Small extract to catch your attention:

"For decades, scientists have known that most of us are terrible at calculating risk. When the stakes are high, our brains tend to rely more on feeling than fact , banishing stressful thoughts and reassuring ourselves by explaining away the danger. This may explain why cancer patients wait four months on average before getting their symptoms checked by a doctor, or why after the 9/11 attacks, people on the upper floors of World Trade Center waited an average of five minutes before they started to evacuate."

JG4July 12, 2017 4:49 PM


stumbled into this a long time ago and again today

Security is…
http://trouble.org/?p=1176
I once had lunch with Paul Karger at IBM Watson labs while visiting my pal Wietse many years ago. I’d known he’d been around a long time… so I asked him what he thought security was, something that still confounds me. I find myself returning back to his answer: “security is when the money you put in the bank stays in the bank” He was a really neat guy, and it was great to meet him. Very nice, legendary, and very, very smart. RIP Paul.


ab praeceptisJuly 12, 2017 6:49 PM

"rust" (language)

Remember? Whenever rust comes up and (usually) is praised I counter and talk about my verdict: Do *not* use it!

While my arguments are of a technical nature, one major reason for me to mistrust is the fact that a large us-american de facto corp. is behind it. One that e.g. also joined the let's encrypt and other ploys.

Et voilà -> firefox has google analytics in its "about". https://twitter.com/NicolasPetton/status/884694176515936256

How perfidious! Of course next to nobody would ever suspect that "about" wasn't completely local and trustworthy. Accordingly the usual protection plugins do not even care about it.

RatioJuly 12, 2017 8:23 PM

If only people were free to examine all the source code, maybe modifying things if they felt like it, and compile their own binaries. Utopia, some might say, but just imagine what it would be like...

Ah well, maybe some day that dream can become reality. *sigh*

AnuraJuly 12, 2017 8:43 PM

@ab praeceptis

That's for the addons section, not for the regular about page, although I agree that should be static and local until you actually start browsing. It took me longer than it should have to realize that the reason I couldn't reproduce was because of noscript.

Markus OttelaJuly 13, 2017 5:23 AM

"Artificial intelligence software could generate highly realistic fake videos of former president Barack Obama using existing audio and video clips of him, a new study finds."

http://spectrum.ieee.org/tech-talk/robotics/artificial-intelligence/ai-creates-fake-obama

This is extremely detrimental to secure out-of-band public key authentication that doesn't happen f2f. Wickr had a really nice idea of verifying fingerprints through video samples that are hard to forge.

Voice morphing has existed since 1999, but now it's clear real time video morphing isn't far away.

My hope is that QR-code verification plus contact information delivery + fingerprint verification will be made easier in the future. One channel that hasn't been considered yet is Android Beam (NFC).

ThothJuly 13, 2017 6:21 AM

@Markus Ottela

The best way is still to meet up and use a pre-shared key of sorts. The user can enter via nibbles of 8 segments of 4 bytes or whatever that is deemed user friendly enough.

NFC/Android Beam may or may not work with Apple devices despite Apple allowing some access to the iPhone NFC. Also, NFC in plain vanilla mode is unencrypted and insecure. It is also very easy to mess up with encryption on NFC layer to the point I would rather suggest anyone doing development for payments or non-payment related use cases on smart cards (because some cards have NFC) to not try NFC unless they know what they are doing.

So, NFC for key exchange or verification is very insecure if you have not the know-how to do it properly.

It is best to rely on manual entry of pre-shared keymat despite the problem with trying to enter hexcodes and so on.

draft: An AG-like checklist for TailsJuly 13, 2017 11:34 AM

draft sop Tails use at Starbucks, McDonalds, Dirk's bars, Figureitout's bike rides, etc., and use at your own risk

boot from dvd 'toram'

during/after boot:
direct access or not
mac randomization or not
password or not

settings
turn off wifi +/- bluetooth

Tor Browser- security settings to high

turn on wifi

access wifi ap (local/non-local newspaper, often, if unsafe browser required)

use one or more browsers now


OT
try to not look suspicious
look around suspiciously, think skeptically, do suspicious things, frequently or not

OT2 remember the good old days of windows camouflage

OT3 can one use Tails 3.0.1 without Tor; for example, to just use the unsafe browser, and other stuff, with no Tor traffic?

OT4 I don't understand the time being updated before you choose a wifi AP

FigureitoutJuly 13, 2017 1:12 PM

Nick P
--Yeah those projects are great, thx. The RoTT implementation was interesting. I just want a small C compiler, for PIC/AVR targets. Projects prob won't be that interesting though (security ones have to be simple and boring...besides nice user interfaces for crypto programs, that can encrypt memory drives/files/ etc.). I'm still not ready to bootstrap my own (just don't have the time), have a few more projects I want to do, get decent at making PCBs, etc. So I can make as real a homebrew PC as possible (prob. won't homebrew the PCB though). CompCert says they support ARM chips but I wonder if this means every ARM chip or some nasty chip-specific porting still needs to be done. Have a lot of experience w/ one ARM chip, uses gcc-arm, there were comments on some files that it was a pretty shaky port to gcc though.

Been working on my SD card data diode. Got successful file transfer over serial port but only for 1 txt or csv file. The obstacles are too great for simply transferring everything on the SD card over w/ the code space of an MCU (need decoders for every kind of file, plus, I have to get file name, then send it in a marked transmission, make a file on other end, then begin slicing/dicing and send over serial port). I could get a jpeg decoder maybe, could grab relevant data from pdf files etc. So it'll be a tool only used by hopefully law-abiding security people trying to move ciphertext off their airgapped pc's and keep malware off it (that isn't flashed at the factory or injected remotely), so like 5 people (maybe, more like 1 lol).

FigureitoutJuly 13, 2017 2:20 PM

draft: An AG-like checklist for Tails
--Lol, it's good for your health too, but hey don't forget my backpack! Always have my backpack. :p Has all the essentials like cell phone batteries/power packs, laptops, memory sticks, wifi dongles, pens/paper, calculator, spare change...

All common sense to the regulars here but...addenda to your list.

You really need an old enough PC to be able to fish out the bluetooth/wifi modules by hand, get the camera and microphones out, speakers out. Harddrive out too. Scan for your computer before and after you take it out (look for bluetooth devices, make sure you can't connect). There's lots of teardown videos online, take your time and make sure you don't break your case (then you don't need tape on your camera). With those peripherals out, it will knock out a lot of ways in. Next step is flashing coreboot and other chips on board (lots of space for malware still...), I haven't done that for any of my laptops yet. I also haven't tried live Qubes-OS, VM's on RAM only, just more things someone has to breach.

Someone gets a persistent malware on that, means they can remotely write/read to embedded chips on main board at will or program a payload to schedule exfil times. They'll probably breach most anything else you do. So you can give up there or at least make their life hard making the exfil a pain in the A. Not a lot of space to store your keystrokes etc. w/ the disk removed. Some info may get overwritten if they don't have a big enough storage space before next exfil opportunity.

So when you boot up tails it should have no way to connect to internet, no way to read a disk, take your picture, or listen to your voice. Have a hopefully supported USB wifi dongle, so you only connect when needed. I haven't used Tails since like 2.4 so I'm out of the loop a bit. I used default settings to try to minimize the fingerprint (but I have a pretty jarring browser fingerprint).

These are mostly basic practices now...it's getting more impossible each day. I don't really attempt it much anymore, very stressful. Holding onto old hardware is a losing strategy too, have to really know what's in our computers. But it's just a fun thing that everyone should try if you haven't to appreciate how hard it is.

Markus OttelaJuly 13, 2017 4:31 PM

@ Thoth

"It is best to rely on manual entry of pre-shared keymat despite the problem with trying to enter hexcodes and so on."

As for manual KDK entry, Bitcoin's Wallet Import Format (checksummed Base58) is the gold standard I think.

"Also, NFC in plain vanilla mode is unencrypted and insecure."

The idea here was NFC would replace QR codes when comparing fingerprints. You don't need encryption between the QR code and camera reading it, nor do you need it with NFC. The good thing is that unlike QR-codes, people can't upload NFC data to twitter for "easy fingerprint checking". That's why it can also be used to deliver things like contact's number and name. Key exchange could be done over the network. Finally, NFC could even be used to deliver an additional PSK that would be mixed in the root key of Signal. If adversary's TEMPEST gear was not present in physical space, it makes that Signal session secure against QC. If adversary's TEMPEST gear was present, key exchange can still work as it doesn't only depend on PSK.

If this is still insecure, could you elaborate?

One option here would be a blind Diffie-Hellman. Or, you could show fingerprints on screen post setup to see there was no MITM (this would literally have to be a device between the devices of conversing parties), but it would kind of defeat the purpose of convenience in Signal.
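
Markus points to Bitcoin's Wallet Import Format (checksummed Base58) as the gold standard for manual keymat entry. As an added Python example, not code from the thread or from any of the projects named in it, here is Base58Check encode/decode with the check a manual-entry UI would run before accepting typed keymat; the 0x80 version byte is Bitcoin's mainnet WIF prefix, the function names are my own.

```python
import hashlib

# Bitcoin's Base58 alphabet: 0/O and I/l are absent, so the pairs people
# misread cannot even be typed.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WIF_MAINNET = 0x80  # version byte Bitcoin uses for mainnet WIF private keys


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58; each leading 0x00 byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; rejects characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not valid Base58")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def checksum(data: bytes) -> bytes:
    """First 4 bytes of SHA-256(SHA-256(data)), as Base58Check defines it."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(version: int, payload: bytes) -> str:
    """version || payload || checksum, Base58-encoded (WIF uses version 0x80)."""
    data = bytes([version]) + payload
    return b58encode(data + checksum(data))


def b58check_decode(text: str) -> tuple[int, bytes]:
    """Return (version, payload); raise ValueError on a mistyped or truncated entry."""
    raw = b58decode(text)
    if len(raw) < 5:
        raise ValueError("entry too short to carry a version byte and a checksum")
    data, given = raw[:-4], raw[-4:]
    if checksum(data) != given:
        raise ValueError("checksum mismatch: the entry was mistyped or corrupted")
    return data[0], data[1:]


def entry_is_valid(text: str) -> bool:
    """What a manual-entry UI calls before it accepts typed keymat."""
    try:
        b58check_decode(text)
        return True
    except ValueError:
        return False


def mistype(text: str, pos: int) -> str:
    """Simulate one wrong character at position pos (constructed test input)."""
    wrong = "2" if text[pos] != "2" else "3"
    return text[:pos] + wrong + text[pos + 1:]
```

A single wrong or missing character fails the 4-byte check with probability about 1 - 2^-32, which is what makes hex-by-hand entry tolerable.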

name.withheld.for.obvious.reasonsJuly 14, 2017 12:45 AM

@ Nick P, Wael, Clive, Wesley, Dirk, et al...

Processes at a system of systems level where one system, as in your example, a compiler, represents a derivative of a SoS work or procedural unit. In the case where a project or product can be assured of a robust process, the risk inherent with multi-entity, supplier, integrator, and contributor(s) (which is probably discoverable using say ISO/IEC 15408) cannot be understated. I use the NSA subversion of the NIST cryptography standards group as a prime example. Where everything can "look good" but is unable to achieve "good".

My feeling is that a "good neighbor" policy would go a long way--it requires a commitment to a community and the sharing of truths between neighbors, and, a public rejection and repudiation of untruths/lies.

The parallels between what is required of institutions of [wo]men and the systems and devices built by [wo]men such that they are useful to the whole body is fascinating.

ThothJuly 14, 2017 1:01 AM

@Markus Ottela, Figureitout, Clive Robinson, Nick P

"The idea here was NFC would replace QR codes when comparing fingerprints. You don't need encryption between the QR code and camera reading it, nor do you need it with NFC. The good thing is that unlike QR-codes, people can't upload NFC data to twitter for "easy fingerprint checking""

NFC is a technology over the ISO-14443 standard and is a complex technology. When you talk about NFC, there are two layers of encoding. There is the physical layer which describes how you layout the bits to be transmitted between NFC devices and chips. You will typically not have access to this layer and most of the time it is either some proprietary SDK or you have to read ISO-14443 on Physical Transport and then do it from scratch or if you are lucky, you might find a fully complete implementation in Open Source but I am doubtful on that for now.

The second layer of NFC transmission which everyone is talking about and what I have touched is called the logical layer. The logical layer is a higher level view of data format similar to smart card communication (ISO-7816) thus to go into NFC development, you will need to have read about smart cards and its ISO-7816 standards as well.

The commonly used logical data exchange format for NFC is called NDEF format and it has been defined in ISO-14443 as well. NDEF format allows a ton of types of things to be stored from virtual name cards, links, arbitrary text and so on and that includes your own format of public keys stored as some arbitrary text if there is enough space that is.

It is not true that data cannot be copied nor easily copied off NFC as there are many NFC reading applications already existing to read the NDEF messages, and then what can be done with them is up to the developer of the application to imagine and implement. Once an NDEF message is intercepted, it can be turned into a QR code and uploaded or it can be rendered in hexcodes and uploaded as a string of hex. To copy the hexcodes to another NDEF capable NFC tag, there is no restriction as to simply grabbing the exposed hexcodes and simply using a writer application and you now have a duplicate NDEF tag with the same data. The only security mechanism to prevent copying in the first place is to restrict reading but that is not possible so you can just as easily copy any NFC NDEF messages and then covertly transmit them over distance to duplicate them if you want.

"Key exchange could be done over the network."

Indeed you can do KEX over NFC and I have done so but for the logical transport side, I did not rely on the NDEF format as NDEF is simply too limited to do any KEX-NFC. I had to revert to more traditional ISO-7816 APDUs for smart cards (NFC and non-NFC). Note that APDU and NDEF are two different logical formats and the type of tags really matters when deciding to use NDEF or APDU as most cheap tags are not capable of using APDUs which are reserved for more powerful smart cards with contactless interface.

In simple terms, you can think of NDEF as reading from a message block or a filesystem for NFC tags whereas APDUs are command/response (think of HTTP messages) for smart cards and smart cards can be programmed to respond to certain NDEF queries.

If you are doing NDEF, you are literally 'reading and writing files' and this is not suitable for highly interactive stuff like KEX-NFC. If you are looking to simply store a public key certificate or PGP Public Key into an NDEF device and spread them around as name cards, that is another story as you are simply using it as a read/write portable filesystem device.

If you are looking for KEX-NFC, you WILL NEED to use APDU as interactive command/response interaction for a KEX. Symmetric and asymmetric KEX over NFC via APDU transport already exists and I have a few I created too as part of my work.

The typical sensitivity of listening to NFC exchanges would be 4 cm (pretty close?) but it really depends on the transmitter and it can go up to 10 cm as regulated in the standard. Note that NFC is magnetic induction and not your radio frequency wave.

"Finally, NFC could even be used to deliver an additional PSK that would be mixed in the root key of Signal."

Depends on how you encode and secure the ISO-14443 logical message packets.

"If adversary's TEMPEST gear was not present in physical space, it makes that Signal session secure against QC. If adversary's TEMPEST gear was present, key exchange can still work as it doesn't only depend on PSK."

It is more of magnetic induction spying and not radio frequency spying. There are many experiments that have shown that sniffing on NFC communication that are not properly secured can be done and can break security. One example is your PayWave or whatever NFC payment protocols. They are supposed to have 3DES encryption or AES-128 encryption if they properly follow the EMV standards to encrypt and MAC the 'cryptogram' packets but typically, I see the EMV defined protocol security as insufficient and thus I created my own protocols and used them across all implementations in my smart card and NFC applets.

"One option here would be a blind Diffie-Hellman. Or, you could show fingerprints on screen post setup to see there was no MITM (this would literally have to be a device between the devices of conversing parties), but it would kind of defeat the purpose to convenience in Signal."

The first thing is will the ISO-14443 logical transport be NDEF or APDU? I am guessing it would be APDU but who knows. I have a Diffie-Hellman protocol I created called A01 but I have not had the time to publish my A01 protocol designed specifically for APDU transmission.

How it works is simply to generate a DH key agreement and have a device signing key to attest to the DH parameters and send the signed DH parameters across the NFC transmission. The signing public keys need to somehow be securely distributed though and this is one of the ye olde problems of distributing public keys without being interfered with.

Once the signed DH public params have arrived and been verified by the signing public keys, a hash can be done on the DH public params to generate a second layer verification code to be visually inspected in some way. Also, to make the visual inspection easier, tricks like breaking the computed hash into two halves and then each side checking the halves of the hashes, or another method of turning the hashes into some sort of short 'OTP-like' code you typically see for the OTP-based login on 2FA websites (i.e. banking), can be done too.

Thus, the reason I specify that NFC is not the best way around is because it is troublesome, it requires NFC capability (not all phones have them), you still have to double check the KEX-NFC checksums in some way ... just too many things.

The best way is still to generate a PSK, make the other party somehow enter it correctly (i.e. a PSK key blob with self-checking checksum code). This is also how keys are typically managed in EKMS systems used by Govts and such.

Before attempting NFC, please refer to the ISO-7816 AND ISO-14443 documentations first. Those are very lengthy documents but it is a necessary read for anyone touching this stuff.
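
Thoth's second-layer check (hash the exchanged DH public values into a short OTP-like code, then compare it half by half) as an added Python example; this is not Thoth's A01 protocol nor code from the thread. Assumptions: X25519 (RFC 7748) stands in for the DH step, the device-signing step is left out, and the "kex-verify" label, the 6-digit length and the function names are my choices.

```python
import hashlib
import secrets

# --- X25519 (RFC 7748) in pure Python, assumed here as the DH primitive ---
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """decodeScalar25519 from RFC 7748."""
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder. It branches on secret bits: fine to read, not for production."""
    k = _clamp(scalar)
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = u * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keygen() -> tuple[bytes, bytes]:
    """Fresh ephemeral DH key pair for one party."""
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


# --- The second-layer check: a short code derived from both DH public values ---
def verification_code(my_pub: bytes, peer_pub: bytes, digits: int = 6) -> str:
    """Both sides get the same string because the two values are sorted before hashing."""
    transcript = b"".join(sorted((my_pub, peer_pub)))
    digest = hashlib.sha256(b"kex-verify" + transcript).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**digits:0{digits}d}"


def split_halves(code: str) -> tuple[str, str]:
    """Each party reads out one half and checks the other's, as the comment suggests."""
    mid = len(code) // 2
    return code[:mid], code[mid:]


def run_exchange(mitm_present: bool) -> dict:
    """Honest exchange, or one where a device sitting between the parties swaps in
    its own public value toward both sides (the MITM case the comment describes)."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    if mitm_present:
        _, m_pub = keygen()
        a_sees, b_sees = m_pub, m_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    a_secret = x25519(a_priv, a_sees)
    b_secret = x25519(b_priv, b_sees)
    a_code = verification_code(a_pub, a_sees)
    b_code = verification_code(b_pub, b_sees)
    return {
        "secrets_match": a_secret == b_secret,
        "codes_match": a_code == b_code,
        "a_halves": split_halves(a_code),
        "b_halves": split_halves(b_code),
    }
```

Without the signing step the code is the only thing that exposes the substitution, which is why it has to be compared over a channel the device in the middle does not control (here, the two people reading halves to each other).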

ab praeceptisJuly 14, 2017 3:21 AM

Thoth, Markus Ottela, et al.

I'm closer to Thoth. My thinking, however, is different anyway in that I'd like to avoid any limitation on some specific type of transmission (in particular waves of any kind); no matter whether NFC or QR or whatever. The simpler and more flexible the better.

To a (considerable) degree what leads me here is my understanding of the problem, namely person A and person B desiring to agree upon and/or exchange keymat as well as my general credo to keep things as simple as possible (for more than the reason that added layers quite reliably translate to lower security).

(And I'll limit myself to the keymat exchange for mortals problem and leave aside nfc and qr approaches and problems linked to that)

My approach would rather be to recognize that humans have a hard time to remember (or even to communicate and store with technical devices) long hex strings - they can, however, easily remember other types of information (such as a set of words, particularly when those words make sense). I would hence keep the difficult part very short, say 4 to max 6 hex digits, and use that as a "salt" for a much longer phrase that makes sense and is easy to remember. Example: "A gentleman never cooks his cat" plus "42beef". One (intended) advantage is that 2 elements open the door to 2F kex; assuming, for instance, that someone is plainly incapable of reliably remembering even 4 - 6 hex digits, that person could write them down - but - memorize the phrase.

Then I'd use some mechanism that somehow sensibly mingles hash(phrase) and "salt". Example: sha256(phrase) xor sha256(salt) (idiotic but it shows what I mean. A keyed hash algo would be a more realistic example).

The result might then be used as key. Fed as IV to a good quality prng it might also be used to create quite massive keymat for e.g. Joe and Jane otp.
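
The phrase-plus-short-salt scheme above as an added Python example (not ab praeceptis' code): the sha256 xor sketch is kept for comparison, the "keyed hash algo" he calls more realistic is filled in as HMAC-SHA256 keyed with the salt, and an HMAC counter-mode expansion stands in for the "good quality prng" that turns the result into longer keymat. Phrase normalisation, the 4-to-6-hex-digit salt check and all function names are my assumptions.

```python
import hashlib
import hmac

HEX_DIGITS = set("0123456789abcdef")


def normalize_phrase(phrase: str) -> str:
    """Fold case and whitespace so the remembered phrase need not be typed byte-exactly."""
    return " ".join(phrase.lower().split())


def validate_salt(salt: str) -> str:
    """The 'salt' is 4 to at most 6 hex digits; anything else is rejected before use."""
    s = salt.strip().lower()
    if not 4 <= len(s) <= 6 or not set(s) <= HEX_DIGITS:
        raise ValueError("salt must be 4 to 6 hex digits")
    return s


def salt_is_valid(salt: str) -> bool:
    try:
        validate_salt(salt)
        return True
    except ValueError:
        return False


def xor_key(phrase: str, salt: str) -> bytes:
    """The sketch from the comment: sha256(phrase) xor sha256(salt). For comparison only."""
    h1 = hashlib.sha256(normalize_phrase(phrase).encode()).digest()
    h2 = hashlib.sha256(validate_salt(salt).encode()).digest()
    return bytes(x ^ y for x, y in zip(h1, h2))


def keyed_key(phrase: str, salt: str) -> bytes:
    """The keyed-hash variant: HMAC-SHA256 with the salt as key and the phrase as message,
    so both factors have to be right to reproduce the 32-byte key."""
    return hmac.new(validate_salt(salt).encode(),
                    normalize_phrase(phrase).encode(),
                    hashlib.sha256).digest()


def expand_keymat(key: bytes, nbytes: int) -> bytes:
    """Deterministic expansion in HKDF-Expand style (HMAC over previous block || counter),
    standing in for 'fed as IV to a good quality prng' to produce longer keymat."""
    if nbytes > 255 * 32:
        raise ValueError("at most 8160 bytes per expansion")
    out, block, counter = b"", b"", 1
    while len(out) < nbytes:
        block = hmac.new(key, block + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:nbytes]
```

Note that the salt is only 16 to 24 bits of entropy, so the strength of the result rests almost entirely on the phrase; the salt buys the second-factor property, not key length.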

JG4July 14, 2017 7:11 AM


http://www.nakedcapitalism.com/2017/07/links-71417.html
...
Video shows Minneapolis police officer shooting two dogs in north Minneapolis yard Star-Tribune (Huey). Huey: “The video footage of this incident is unreal, and the police testilying is deplorable. Were police always this cowardly or is this a new trend we’re seeing?”

...
Imperial Collapse Watch

Congress Greases Flightpath for the F-35 Boondoggle The American Conservative

A whistleblower plays by the rules at CIA, and finds ‘nothing gets done’ McClatchy. Film at 11.

Only in America

Open carry law for knives and swords to begin in September ABC

Guillotine Watch

Wealthy investment bank executive is caught stealing $210 of groceries from Whole Foods that he hid in his children’s stroller Daily Mail

Clive RobinsonJuly 14, 2017 2:40 PM

@ Markus Ottela,

If adversary's TEMPEST gear was not present in physical space, it makes that Signal session secure against QC.

You can make the signal secure even if the TEMPEST gear is in range, as long as it is not between the transmitter and receiver.

If you look up MIMO RF systems designed to work within a quarter wavelength or less you can see a method using phased coils. Put simply if you have a number of coils you can arrange for an anti-signal to cancel out the wanted signal in all but a specified direction and distance.

I'm not suggesting you look at it with a notion to implement, but just to add to your background information.

If you have trouble getting your head around the idea, think about an old style three legged E-core transformer with a winding on each leg. It's fairly easy to see how you could arrange for large magnetic currents to flow around the outer legs but not the middle leg. Likewise look up "Phantom circuit" with two wire phone systems where you put a center tapped transformer at either end of the line. If you put a signal generator between earth and the center tap you will get equal but opposite currents flowing in the windings that do not produce a magnetic flux in the transformer core. However at the other end of the line if you have a resistor going to ground you will see the signal across it. This trick used to be used to allow two subscribers to use a phone pair when it was not economically viable to put in another line pair.

In free space both the E and H waves can be added and cancelled by appropriately phased signals.

DissidentJuly 16, 2017 3:51 AM

Thank you very much to all who replied to my post of last week in which I described my attempt at verifying the Amazon SSL/TLS certificate by telephone. Your suggestions and comments are much appreciated and noted.

DissidentJuly 16, 2017 8:28 AM

@ vas pup:

'1984' on Broadway now - good interview with actors https://charlierose.com/videos/30704

That interview was addressed by the redoubtable John Derbyshire (political and social commentator, polymath, novelist) in his latest Radio Derb podcast from Friday:
http://www.vdare.com/radios/radio-derb-south-africa-slowly-collapses-its-1984-again-etc
(Begins at 34:27. Transcript should be up later in the week.)

Incisive as usual.

@Clive Robinson:

So welcome one and all to the new generation of politically inspired "Unamerican Activities" trials by media.

I find it rich how the same people who blamed the Right for the Cold War and argued for a "live and let live" policy of tolerance and respect toward the murderous Soviet regime of terror, have now been acting as if they are ready to start a new cold war with Russia, perhaps even bringing us to the brink of a nuclear showdown.

Today's Democrats seem like the new John Birchers.

Today's Russia poses no threat to the U.S., at least as long as we do not needlessly provoke her by meddling into her affairs that should be of no concern to us. (Unfortunately, what would appear to be majorities in /both parties/ are set on doing just that.)

draft: An AG-like checklist for TailsJuly 16, 2017 4:08 PM

As President Trump's fear or paranoia levels might be reaching new highs, civil litigation or potential criminal charges, maybe we need to improve "our game".

sop, in general, macbooks, m. airs, or m. pros to "blend in" in 1st world countries, unless, of course, other hardware would blend in better. Of course, in some places the weirder the better, regarding hardware and other stuff, might be preferable.

Large purses, backpacks, saddle bags, etc., are recommended; carry at least a litre of water.

aconcernedfossdevJuly 16, 2017 11:50 PM

@ab praeceptis

You are simply wrong. GRSecurity is a derivative work of the linux kernel. Yes I am a lawyer. No your opinion does not matter.

------------------------
Some Legal Analysis:
------------------------
The GRSecurity patch snakes through almost the entire kernel; it really touches everywhere
(and Brad Spengler etc have publicly attested to this as a bullet point as it doesn't only
add features but fixes various in-place security errors); and not even as a monolithic block,
it puts a paw here, and there, and there (so on and so on for 8MBs), with the deft agility of a cat,
and the dexterity of a vine wrapped every which-way around the many branches of a bush:
it is a non-separable derivative work.

A counter example would be the Nvidia GFX driver: a portion of that driver works across platforms.
That portion which works on Linux, Windows, etc is a separable work and thus can be argued
to be standalone before a court. Furthermore, in the Nvidia case, that portion was likely
developed on another platform and the wrapper was then built to conform to it.

The wrapper itself that interfaces with linux is licensed under the same terms as linux.

Other drivers can be written in a similar way.

With GRSecurity, on the other-hand, that is absolutely impossible. GRSecurity exists
only to give the linux kernel "self protection" (their words IIRC). They do this
by going in with a scalpel to thousands of areas in the kernel and making small
but important* edits and additions, as-well as by writing some new routines to then
use throughout the kernel.

Unlike a plug-in; their derivative work does not and cannot stand alone.

The Anime-Subs cases reaffirmed somewhat recently that a derivative work
that cannot stand alone and is not authorized is an infringing work.

(Ex: You're a fan, you listen to the Anime Girl cartoon in Japanese,
you write down what they say, you distribute that: that text is a
derivative work and not a standalone one: it required the existence
of the cartoon to itself exist or have any meaning).

I think the situations are very different thusly and that a court
would find GRSecurity to be infringing. If the GRSecurity patch is not
a derivative work then nothing in the realm of source-code is.

To Brad Spengler I'm referred to as a "troll" (months, perhaps a year later
in a discussion I was not involved in), for engaging with RMS on the issue earlier
(something which remains in Mr Spengler's mind:

http://www.openwall.com/lists/kernel-hardening/2017/06/04/24
>... It has been nearly 4 months now and despite repeated follow-ups, I still
>haven't received anything back more than an automated reply. Likewise
>regarding some supposed claims by RMS which were published last year by
>internet troll mikeeusa -- I have been trying since June 3rd of last
>year to get any response from him, but have been unable to. So when you ...

(RMS' opinion can be seen here:
(*7) https://lists.debian.org/debian-user/2016/06/msg00020.html )

As for making modifications: To create the patch Brad Spengler modified the
linux-kernel over the course of 15 years, and to continue continually producing
new patches he continually modifies the linux-kernel even more. Without
permission of the license he has no right to modify the kernel. The mechanical
modification that is done by patching is a red-herring in this case since it's
not needed to argue infringement on Mr Spengler's part once he has been found
to have added an additional term to the agreement between him and further
distributees of the derivative work. Once he has done that, he has violated
the license grant, and he no-longer has a right to distribute the work, nor
to distribute derivative works, nor to modify the work in-order to create
future derivative works.


------------------------
Correction to a common programmer's misunderstanding
------------------------

They don't have to add a term to the GPL per se as the GPL is not a party to the agreement, it is "merely" the (not-fully integrated) writing describing the license that the rights-holders have granted GRSecurity et al.

That is: the GPL in-part describes the license grant that the linux rights-holders have extended.
(There may be other parts described elsewhere, even verbally or through a course of business dealings or relationship)
(Copyright law, being quite bare on its own, often borrows much from contract law)

Licensees must extend the same grant to Distributees, they cannot add an additional term to that relationship.
GRSecurity has added such a term.

They did not pen it into the text of the GPL.
But, according to existing testimony they did make it clear that redistribution will not be tolerated.
It is unknown if an electronic or hard copy of this additional term controlling the relationship exists,
or whether it was a verbal agreement, or even some implicit understanding. Any which way: it is a forbidden additional
term.


------------------------
Final Thoughts:
------------------------

Preventing redistribution of derivative works really stabs at the heart of the
GPL. The requirement to allow redistribution of derivative works is really the
one thing that truly made Free Software (and later the open culture movement)
the success that it has become. It has brought many more programmers as-well
as artists into the fold than would have been possible with the BSD type
licenses or Public Domain grants. I know that when I started to program
and make media, many years ago, I was comforted by the fact that if I were
to create a work, that if a future work was built upon my work it would remain
open and that I could then enhance that myself. Such was the "payment" for
my labor. Many programmers and artists see this as a good deal. But if it
becomes clear that it is a mirage... who will dip their hand to drink from
a non-existent oasis?

aconcernedfossdevJuly 16, 2017 11:56 PM

@ab praeceptis • July 10, 2017 5:05 PM
>However: Grsecurity is certainly *not* what the inventors of the gpl had in mind.

The inventors of the GPL are not a party to this controversy. They are not the owner of the proprietary interest in dispute: the linux-kernel rights-holders are the progenitors of the terms under which they are allowing others to modify and distribute their property and works based off of it. The terms they have selected are memorialized in the text they have selected to represent their will: the GPL version 2.

What the linux-kernel rights-holders "had in mind" is what matters. Not what the drafters of the text had in mind (since they are not a party to the suit).

And for the record: yes the GPL drafters did wish to keep derivative works open.

@ab praeceptis I am a lawyer and you do NOT know what you are talking about.

ab praeceptisJuly 17, 2017 12:28 AM

aconcernedfossdev

"Yes I am a lawyer. No your opinion does not matter."

Funny intro. But not exactly bright. If my opinion does not matter, why then do you address me?

I think, it's quite simple, Mr lawyer: try again once you have gone through all levels of courts and can show me the final and binding verdict confirming your position.

Until then I'll stick to what I say and to the actual reality.

Which is: Everyone can edit and change any gpl infested code to his liking. The thing he may not do is to distribute that changed code under another license.
Certainly enough everyone may also tell others how to make use of their right to change gpl-infested code they happen to have and/or use. Moreover everyone is free to distribute *his changes* to gpl-infested code. That's what Grsecurity does.

You want to somehow twist things as if Grsecurity illegally distributed someone else's software against that someone's rules and rights. That, however, is not the case.

Do yourself a favour and work on your fact and knowledge vs sectarian beliefs ratio before engaging or let alone belittling others.

DissidentJuly 17, 2017 12:55 AM

I wonder if "aconcernedfossdev" or anyone else here might perhaps know what, if any, legal and industry standards apply-to attorneys when it comes to email security. I have tried searching for this info but have thus far been unable to find any clear, definitive answers. Specifically, I was rather appalled when my attorney (at the moment, anyway...) suggested that I send him sensitive documents that had not been redacted over non-encrypted email. Is that even legal?

Clive RobinsonJuly 17, 2017 1:19 AM

@ aconcernedfossdev,

I am a lawyer and you do NOT know what you are talking about.

There are two statements in that sentence,

1, I am a lawyer.
2, You do not know what you are talking about.

The first may be a statement of fact thus testable. The second is a matter of at best opinion, not fact.

More interestingly you have not shown that the first statement relates to the second statement which you could easily have done, if you had wished to do so.

That is either a rookie mistake in making an argument, or a deliberate attempt to mislead.

I will let others make their own mind up as to which is true. But they can probably also spot other issues with what you have to say. Thus their opinion of your statements might be that there is a degree of falsehood involved.

Clive RobinsonJuly 17, 2017 1:58 AM

@ Dissident,

... if any, legal and industry standards apply-to attorneys when it comes to email security.

You do not say for what jurisdiction you are asking about, which makes a difference.

However a couple of points to note,

Firstly is the issue of "A duty of care" and secondly to "whom".

Many are surprised to find out that attorneys first duty of care is not to themselves or those who pay them but "the court".

Your concern is one that is not that surprising given recent revelations about SigInt carried out on the communications of legal firms in various jurisdictions.

However over and above sending the attorney a letter about your concerns and asking them not to correspond with you in an insecure way there is little you can do. Even if the attorney does respect your wishes when corresponding with you, that does not mean that they can or will respect them when corresponding with the court or other parties involved.

As has been observed before "The Law is an ass" and thus it exhibits some of the beast's less desirable characteristics. Two of which are its slowness to see change and its stubbornness to respond to change, thus glaciers are sometimes known to move faster.

As with many things and people in life they do respond to a viable threat. In society that usually means by those who control their conditions of employment and liberty.

Some legislatures and some law societies have set rules about electronic communications. But even if the rules are recent they will most likely be out of date prior to them being inked due to the nature of the way they are proposed and agreed.

Thus as is often the case with games where the rules are biased against you, sometimes the best course of action is to ensure you don't have to play.

Dirk PraetJuly 17, 2017 4:36 AM

@ aconcernedfossdev, @ab praeceptis, @ Clive

Some Legal Analysis:

I somewhat reluctantly concur with your legal analysis of the matter. Reluctantly in the sense that - as I said before - this conflict should have been settled amicably a long time ago because it *is* hurting the entire Linux community and taking it to court could even do more damage.

Note however that opinions and interpretations of the law by laymen DO matter and that pulling rank - especially without accompanying proof - in general is not considered contributing to a civil discussion. If we were to disqualify from this forum everyone who hasn't got a formal accreditation in security related matters, precious few commenters would remain.

@ Dissident, @ Clive

... if any, legal and industry standards apply to attorneys when it comes to email security ...

In an EU context, GDPR compliance as from May 25th 2018 would apply to law firms too. This impacts the processing and handling of *any* type of personal information - including storage and transmission of email content -, especially when dealing with non-EU cloud and service providers.

ab praeceptisJuly 17, 2017 5:49 AM

Dirk Praet

Sorry, I'm missing the "Some Legal Analysis".

All I found was this:

"I somewhat reluctantly concur with your legal analysis of the matter." - Why? *That* would be the point.

"Reluctantly in the sense that - as I said before - this conflict should have been settled amicably a long time ago" - mere opinion (and irrelevant).

"because it *is* hurting the entire Linux community and taking it to court could even do more damage." - speculation (although probably not unreasonable).

---

Am I wrong wrt. the gpl *not* prohibiting any person to change gpl-infested source to his/her liking?

Am I wrong wrt. the gpl *not* prohibiting telling other persons how and what one changed?

Am I wrong wrt. the gpl *not* prohibiting to give such changes - the changes, *not* the original gpl-infested code! - to others?

And btw: how about the many companies who offer their code, part of which is based on other gpl-infested code, under both the gpl and a commercial license, particularly if there is no difference in the software?
Isn't it strange that the gpl sectarians are quite selective and love to hunt down certain "possible ants" while completely ignoring large elephants?

Dirk PraetJuly 17, 2017 7:44 AM

@ ab praeceptis

Why? *That* would be the point.

Because IMO Bruce Perens and @aconcernedfossdev are right that grsecurity is in fact a derivative work that cannot be separated from the GPL'ed Linux kernel, and as such falls under the provisions of said GPL.

Grsecurity's redistribution prohibition is explicitly ruled out by GPL v2 Section 6. From a legal vantage, that's pretty much end of discussion, unless you can come up with some very clever or creative argument that grsecurity would not be derivative work or GPL v2 as a whole - or the applicable section(s) thereof - null and void.

It also makes perfect sense that commercial entities providing support or other services for a particular product will distribute under GPL for home users and under a different license for commercial customers. Most GPL and similar licenses have CYA clauses limiting responsibility or even fitness for any purpose which would be thrown out by any lawyer or procurement department worth their salt and representing the buyer of such product/service. I know I would, and IANAL.

ab praeceptisJuly 17, 2017 9:48 AM

Dirk Praet

"derivative work" -hearing that pretty much automatically puts me in guns-loaded mode.

Don't get me wrong, the gpl sect absolutely has the right (so it seems) to put whatever they please into their "license" (read: enslavement, no less worse than large corp. eulas). One likes it, one takes it, or one doesn't and avoids any software infested with it, no problem.

They do, however, **NOT** have the right to wanton arbitrarily define the meaning of "derivative"; in particular their "xyz touched ..." attack is utterly ridiculous in any legally halfway civilized country.

Whatever they please to arbitrarily take "derivative" to mean, fact is this: Their gpl is limited to *their* work.

If someone is using significant parts of any of their work then they can have claims. The mere act of making utterly poor software of incompetent and careless developers somewhat less insecure is *not* derivative work.

Granted, Grsecurity for quite some time did distribute linux with their patches - and that could be construed as distributing derivative work but as soon as they started to distribute only their patches and/or to get paid for the service of applying their own patches, the basis for "derivative work!" claims ceased to exist.

Let me put it like this: If you produce a movie that is so lousily made that it hurts people's eyes and I create an edited version and distribute that, you have a legal basis to complain (no matter how despicable that would be from a human perspective. In terms of law you would have a basis to go against me).
If, however, I, say create some script that changes your movie to a more bearable brightness then you have no rights whatsoever to demand no matter what from me.
Similarly, you have no right whatsoever to stop me if people ask me to please, as a service for which they pay, apply my script to their version of your movie.

Btw, "bruce perens says so" is no argument unless you accept "my grandma says otherwise" as an argument of equal weight.

Clive RobinsonJuly 17, 2017 11:31 AM

@ Dirk Praet,

Grsecurity's redistribution prohibition is explicitly ruled out by GPL v2 Section 6. From a legal vantage, that's pretty much end of discussion.

Unfortunately not. Copyright law, whilst apparently simple, is usually far from simple. Worse, court judgments are erratic and prone to the old "Who has the most high-paid sharks" defect.

In theory even though Linux is not sold it is still bound by the first sale doctrine which limits how far it can reach.

Further there are existing "derived work" court decisions, amongst which are those that go back to "sheet music", and the not so distant "Happy Birthday" court case has significant implications.

The fact that somebody puts a clause in what is a contract does not make it either legal or enforceable.

Contracts with an infinitely expanding lien are usually frowned upon, especially when used to affect the rights of others' work. The current "right to repair" issue, which the Library of Congress is having issues with, as are various US states, may well swing significantly against the likes of the GPL. This is especially true for the likes of Arch Linux, where grsecurity are supplying what are component parts that those users then take and build in to repair the defective kernel themselves.

Grsecurity are clearly not just repairing defects in the code Linus and others have produced that can fairly be claimed is defective but also augmenting it in other ways. This is as well as grsecurity fixing/augmenting GCC that Linus is in turn dependent upon giving a "chicken and egg" situation.

What most of the noise is about is firstly a major company taking grsecurity's work, making changes that significantly change and weaken it, and then "passing it off" as grsecurity's work and responsibility to support.

It is the fallout from that which has uncovered a second serious boil that needs lancing: the issues surrounding the clique that is the Linux kernel development and Linux Foundation. It's not just a "Not invented here" issue, it is also one of "pulling up the drawbridge". That is, the source of finance has been ringfenced by a few who spread significant FUD to protect not just their own media image but also ensure that they get and keep any finance that has accrued from grsecurity's work, fixing the clique's mistakes and failings, of which Linus is a major instigator, especially when security is an issue, as his repeated brain farts keep showing.

Thus I'm with @ab praeceptis on this: personalities should be shoved in boxes and lids fastened, and it is for the courts to decide via a jury.

It might prove costly, not just financially, but the current situation cannot continue, because the result is likely to be an implosion of trust, then funding, and thus the downgrading of the Linux Kernel to "something that might have been, if only...".

ab praeceptisJuly 17, 2017 12:53 PM

Clive Robinson

Indeed. As I'm not a lawyer and don't know (nor care about) US of A laws I didn't elaborate on that, but at least in civilized countries there are some binding legal principles such as proportionality, balance, etc. I have, in fact, seen strong parties with "very smart" contracts - that strongly disadvantaged the other, usually considerably smaller, party - looking surprised when their oh so smart contracts blew up in their faces in court.

gpl's position can roughly be subsumed as "we have all rights and no obligations whatsoever, you, however, have all the obligations and few rights - and even those few rights are either at our mood and mercy or, frankly, rather worthless blabla".

In fact, one might well look at the Grsecurity case from the (blabla) freedom perspective: Grsecurity as well as their users and clients are - according to gpl blabla - *free* to do as they please with the gpl-infested source, as long as they do not distribute what might reasonably be considered derived work (like a patched and compiled kernel).

Here comes the rub: gpl sectarian fuming over and against Grsecurity rendering service to their clients, namely applying their patches to *clients' private copies* of linux ... means what? That the gpl sect arrogates the "right" to decide who may provide what kind of service to whom!

But there is more. Consider that getting money for something constitutes solid grounds for a client to expect something in return (and be it the freedom to use the purchased something as he pleases). Maybe, just maybe, the "free" in gpl is not all about nicety and friendliness but also about denying their vict^h^h^h^h users those very legal grounds to actually have rights, too?

BSD licences, for example, offer real freedom and much more of it and yet ask for very little. In comparison the gpl looks quite questionable and not at all "freedom" shiny.

Dirk PraetJuly 17, 2017 2:19 PM

@ ab praeceptis

If, however, I, say create some script that changes your movie to a more bearable brightness then you have no rights whatsoever to demand no matter what from me.

That is unfortunately not the way things work within the legal framework of the GPL. If you edit and "improve" anything I have released under GPL, then you have no right whatsoever to include an additional prohibition clause restricting distribution of the modified code. Irrespective of either the quality of the original code or your personal feelings about the accompanying license. If you don't like it, you're free to either not use the product, or fight the validity of the license in court.

Anyone who has ever worked with grsecurity knows that it's not just a driver or stand-alone kernel module, but a tightly integrated set of patches and modifications that significantly alters kernel functionality and is the equivalent of changing a movie plot.

Let me give you another example: a couple of years ago, a well-known Belgian painter was sued for plagiarism by a law firm representing a young photographer, a picture by whom he had used as a base for a painting of a Belgian politician. Which in essence is what painters and other artists have been doing for centuries. Despite disbelief and righteous indignation by artists, art magazines and critics all over the world, he lost the case and eventually settled out of court. Since the picture had not been put in the public domain (Creative Commons License), according to EU copyright law the painter should have asked prior permission. And which both his then business manager and legal counsel obviously had failed to point out to him. Short: dura lex, sed lex.

@ Clive

The fact that somebody puts a clause in what is a contract does not make it either legal or enforcable.

That is correct, hence my earlier remark "unless you can come up with a clever argument to invalidate either applicable parts or the whole of GPL v2". Which, despite all of its shortcomings, is the last thing I would like to see happen as it will embolden world and dog to go pillage everything ever GPL'ed for their own commercial purposes, in essence creating thousands of grsecurity cases and killing off the entire FOSS movement. Which some of us in their blind hatred of sloppy code or restrictive licensing may applaud, but in the end would only benefit the likes of Microsoft, Apple and their state actor controlled black box code.

What most of the noise is about is firstly a major company taking grsecurity's work making changes that significantly change and weaken it and then "pass it off" as grsecurity's work and responsability to support.

Indeed. As well as others providing old and obsolete grsecurity patches and equally not paying a penny for it.

Thus I'm with @ab praeceptis on this personalities should be shoved in boxes and lids fastened and that it is for the courts to decide via a jury.

I agree on the personalities part. I'm less convinced of the benefits of a jury in a case like this. Since they will be utterly clueless about contract or copyright law, the case would just hang on whatever party can fork out the most money to put on a grand legal show and convince them that the glove don't fit. And which, especially in the current post-truth era, probably doesn't bode too well.

DissidentJuly 17, 2017 4:29 PM

@ Clive Robinson:

I appreciate your detailed reply.

I am afraid I do not quite understand your last sentence, where you conclude,

"sometimes the best course of action is to ensure you don't have to play."

Surely you would acknowledge that there are any number of situations that one may find oneself in, in which one hardly has a viable choice but to secure legal counsel (i.e., the representation of an attorney). Assuming that you /do/ acknowledge that much, then, in light of your warning that,

Even if the attorney does respect your wishes when corresponding with you, that does not mean that they can or will respect them when corresponding with the court or other parties involved.

I must ask just what you meant, in the context-at-hand, by "ensure you don't have to play".

Thank you, as well, to Dirk Praet.

The jurisdiction-in-question in my case is the U.S.A.

My attorney has been less-than-satisfactorily receptive and cooperative when it comes to my concerns over email security. This is actually but /one/ of the reasons why I lack confidence or trust in this attorney; there have been a number of other instances, unrelated to digital technology, in which he has exhibited both what I consider to be incompetence as well as negligence concerning my case. With regard to these latter, non-technology-related concerns, I do believe that I can find someone, a different attorney, who will be much better and I am pursuing just that. With regard to the email security concerns, however, I am far less hopeful. As far as I can see at the moment, the likelihood of finding an attorney that would be much, if any, better in /that/ regard would not seem terribly high.

IndependentJuly 17, 2017 5:16 PM

@ Dirk Praet:

[...]the current post-truth era[...]

Curious phrase, that, "post-truth era". One wonders just what you were characterizing with it. Did you mean only a particular region? A particular party therein or other segment of the political landscape? A particular demographic?

And, whatever it was that you /were/ characterizing as a "post-truth era", would the characterization be any more accurate or apt for /it/ than it would be for, say, the former Soviet Union? (It was Stalin's Soviet Union, let us not forget, that the dystopia in Orwell's much-referenced /1984/ was based upon.)

Dirk PraetJuly 17, 2017 6:01 PM

@ Independent

Curious phrase, that, "post-truth era"

Not really. ‘Post-truth’ was named 2016 word of the year by Oxford Dictionaries. According to Wikipedia: "Post-truth politics (also called post-factual politics) is a political culture in which debate is framed largely by appeals to emotion disconnected from the details of policy, and by the repeated assertion of talking points to which factual rebuttals are ignored."

@ Dissident

With regard to the email security concerns, however, I am far less hopeful.

You need to talk to a law firm that covers technology related areas like data protection and privacy, preferably with IT consultants of their own or closely cooperating with some. Most others will be useless to you for the issue you are describing.

I must ask just what you meant, in the context-at-hand, by "ensure you don't have to play".

It means that you may wish to avoid digital altogether for sensitive communications and revert to older methods. I think @Clive was paraphrasing "War Games".

Clive RobinsonJuly 17, 2017 6:48 PM

@ Dissident,

I am afraid I do not quite understand your last sentence

It was a gentle reminder that in a court of law the only people certain to walk away winners are the lawyers with their fees. Thus if you can avoid playing their game you are likely to save a lot more than you might potentially win.

Unfortunately as you note sometimes you have no choice, and yes the system is rigged so that you need an attorney who is sufficiently smart and experienced to be a match or better to the opposition.

When it comes to not playing the attorney's game, he can only communicate with you by email if you let him. If you don't have an email address (or you don't give it) then that closes that down before it starts.

As I've said before a piece of advice I give fairly frequently is "Paper Paper never data". If you give somebody a bunch of electronic files just about anybody can copy them, and getting access via the Internet is probable if the attorney uses email from the same computer.

Thus giving the attorney paper documents in person puts a bit of a slowdown on what they do with them. You can also copy them onto certain types of paper that make the resulting copy human readable but difficult to copy again. You can also insist for "cost reasons" that you will make all copies, number them etc. and supply to whoever needs a copy. After all you don't want to be paying 300USD an hour for the attorney's secretary to take them down to the local photocopy shop, which these days will almost certainly stick the images on a hard disk in their copy machines. Which, guess what, makes them "business records" which could in theory be NSLed.

The trick with not playing the game the attorney's way is to raise the pain threshold for not doing things your way. Thus you have to out think the attorney's behaviour patterns and provide solutions you want with a low pain threshold for the attorney.

The big problem these days is courts have electronic filing etc. to reduce their costs. It's difficult for an attorney to buck that as technically the judge is their boss. Courts tend to take a dim view when things are not done their way and will dig their heels in, and if the issue gets pushed they tend to take a viewpoint you really don't want working against you.

Dissident a.k.a. IndependentJuly 17, 2017 11:07 PM

First, to preempt any suspicion of sock-puppetry on my part, I would like to disclose that I authored the comment posted under the handle "Independent" above. The explanation is simple: I absent-mindedly entered "Independent", which is the handle that I use at another site that I had been posting-to, into the name field here.

Fortunately, little, if any harm was done in this case. (While I may /prefer/, ideally, that the two identities in-question remain separate from each other, it is by no means critical that they do.) I am unnerved, however, at how easy it is to make such a slip-up-- one that can, in some cases, have serious and even dire consequences.

@ Dirk Praet:

Concerning your use of "post-truth era", my question remains: /which/ "political culture", specifically, were you referring-to?

Back to email security and lawyers:

You need to talk to a law firm that covers technology related areas like data protection and privacy,

The matter, i.e. the legal case that I am involved in, for which I hired my present attorney and for which I still require legal counsel lies entirely outside of such areas as data protection and privacy.

Were you, perhaps, suggesting that I consult such a firm in order to ascertain what, if any, options may be available to me within the law for ensuring that my present attorney engage in sound practices in the latter area and/or for holding him to account if he does not?

Or perhaps you meant that I should consult the type of firm you described in order to obtain a /referral/ to an attorney specializing in my needed area of law, specifically, one who is known to have sound practices when it comes to data protection and privacy?

ab praeceptisJuly 18, 2017 12:21 AM

Dirk Praet

"That is unfortunately not the way things work within the legal framework of the GPL"

I don't care a rats a** about their "legal framework". And I need not. Everyone may write whatever he pleases and call it "legal framework" or "contract". Hell, there are bdsm fans who - seriously - sign enslavement contracts!

To be valid, all clauses of any contract must be within the laws of a jurisdiction. Otherwise they are null and void. Simple as that.

The basic line of the gpl is valid in most jurisdictions, I guess ("~ if you change our stuff or incorporate it when creating some software, your work must be under gpl, too if and when you distribute said software. Plus you must tell them that such and such gpl software has been used etc yada yada").

As I have a strong aversion against stupidity I actually *like* that; any software dev. dim enough to use that stuff deserves to be gpl enslaved.

The problem is when the gpl sect arbitrarily defines (read: tries to redefine the law) terms of legal relevance such as e.g. "derivative".

Can we, just for a moment, use common sense? Grsecurity has existed for quite some years and they did *NOT* even attempt to create derivative work! They were always about research, security, and providing a service. In particular, they did *NOT* try to create a kernel or a linux distro. They were always about stuff (typ. patches) that makes the linux security disaster zone somewhat less dangerous.

It was others who made new linux distros ("derivative work") or even just "new" kernels ("derivative work"). Insofar as Grsecurity themselves offered kernel downloads that was as a *service* ("you are afraid of or don't know how to apply our patches? We'll help") and applied their patches to *common standard* kernels.
Grsecurity was/is transparent about that and they did/do not try to un-gpl the resulting kernels nor did they keep it secret that the kernels were/are under gpl.

But somehow quite some people seem to have major difficulties to understand those details and differences.

And again: Everybody is free to edit/change his personal copy of gpl-infested software. Of course, everybody is free, too, to help others to change their private version of some gpl-infested software. That's part of the "free" the gpl sect loves to talk so much about. And finally everybody is free to ask payment for *services* he renders.
And btw. Grsecurity also gave away their sources, plus they didn't un-gpl the kernel.

Short version: Nothing to see here. Move on. Just a couple of gpl-fanatics making lots of noise and being angry that no nation so far has outsourced lawmaking to the gpl sect.

DissidentJuly 18, 2017 1:44 AM

@ Dirk Praet:

As an addendum to my previous post, let me apologize for having been remiss in not /thanking you/ for the reply you had made to my earlier comment. Thank you. I appreciate your taking the time to respond and your efforts at being helpful.

@ Clive Robinson:

Thank you, again, for your detailed reply and for the continued time and patience evidenced therein. I hope to reply in some detail before too long.

DissidentJuly 18, 2017 1:53 AM

In response to earlier comments about removing the camera from a computer, etc.: Would not merely covering the lens adequately with opaque tape be sufficient to ensure that the camera would be unable to take any (useful) photos?

Clive RobinsonJuly 18, 2017 4:00 AM

@ Dissident,

Would not merely covering the lens adequately with opaque tape be sufficient to ensure that the camera would be unable to take any (useful) photos?

In the ordinary sense yes, but not if someone is playing games and can get unobserved access for even a short time (think "Evil Maid" etc).

I have some plastic film that looks opaque in most of the visible light spectrum but is nearly transparent in the near IR frequencies. If someone can remove the IR filter in the camera (if it has one[1]) and then puts some of the plastic film over it, many cameras will still produce an identifiable image. Such plastic film is not difficult to get.

In theory it's possible to in effect make a quite thin pinhole camera that you could put in front using a Fresnel lens etc. and then use corrective software to get a usable image. I've not done it myself nor do I know someone who has, but the laws of physics say it's possible. So I assume somebody has not just tried it but got it to work (probably by throwing lots of tax dollars at the problem)...

It's why I use electrician's tape and a small coin I take from my pocket just before using a system with a camera in. Or if demonstrating to someone, just grab a Post-It note and use the gummy bit like sticky tape to hold the coin in place. You can get the same effect using a guitar plectrum / pick that you can buy fairly cheaply and would not look out of place in your pocket or in the paper clip tidy on your desk. But easiest of all is just grab a small lump of Blu-Tack, make a small disk of it and just press it in place over the lens and "remodel it" frequently.

But there is another way to test for a near IR camera without seeing the video display, especially a hidden one. We have all seen "Red-Eye" in "party" photographs taken with cameras that have the flash very close to the lens, as compacts and instamatic cameras do. This is caused by 180 degree internal reflection and nearly all optical systems suffer from this. Having identified an IR sensitive web cam or similar on a lead, you can build your own "hidden camera detector head" in a small box, also using the guts of an old TV remote. If you set it up so the IR LED from the TV remote is very close to the webcam lens and points in the same direction, when you look at the video display any cameras that work in the band of the IR LED will twinkle like "cat's eyes" on a dark country road.

I used to modify the inexpensive IR "home security" CCTV devices of a company called "Swann" (www.swann.com) and resell them at a very much higher price as "Hidden CCTV camera detectors". Back then the mark-up would make your eyes water, but many other people have got in that game now so the basic rule of cost due to supply and demand has kicked in these days.

I mention this because it's important to remember that if somebody else has access you might also need to look for hidden cameras. To add to the fun there are also now, as we know, very thin digital camera electronics that, including the integrated optics, can hide under a postage stamp; you can see them in some of the thinner smart phones etc. We also know from "ATM Skimming" that with care such cameras can be hidden from even quite close-in inspection by the mark 1 eyeball most humans come with. So spotting the twinkle in a camera's eye is becoming SOP for some corporate types.

[1] Not all digital camera sensors have IR filters built in as it "adds to the production cost". You can often check a camera quite easily with a TV Remote Control[2], which communicates using near IR that the human eye does not see but a digital camera will. Simply set the camera up for use in a low light / dark room, point the TV remote control at it and start pressing buttons. If you see flashes on the video display, then the camera has no or insufficient IR filtering and thus can "see in the dark" like some quite expensive Security CCTV cameras.

[2] Not all TV Remote controls are IR based; some early ones used RF or ultrasound but they are sort of museum pieces these days. However if you look at a TV in ordinary room light, you will generally not see the receiving IR sensors, because they are behind a square of what looks like dark plastic but, like the film I have, is transparent to IR.
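
The "twinkle" trick Clive describes above (IR LED next to your own IR-sensitive camera, hidden lenses bounce the light straight back) reduces to a small image-processing step once you have two frames: one with the LED off and one with it on. The following is an added example, not code from the original comment or any product; the frames are constructed 8-bit grayscale arrays rather than real captures, and the thresholds (`min_rise`, `max_pixels`) are assumptions tuned to that toy data. It shows the part a detector actually has to get right: subtracting the LED-off frame removes everything that does not react to the LED, subtracting the median of the difference removes the general IR glow the LED adds to the whole room, and a size limit on the remaining bright blobs throws out large reflective surfaces (windows, mirrors) that are not lenses.

```python
"""Retroreflection ("cat's eye") detector over a pair of constructed frames.

Added example, not from the original page. A lens lit by an IR LED mounted
beside the observing camera reflects light straight back, so it appears as a
small bright spot present only in the "LED on" frame. The frames below are
constructed 8-bit grayscale images (lists of lists), and the thresholds are
assumptions chosen for this toy data.
"""
from statistics import median
from typing import List, Tuple

Frame = List[List[int]]


def make_frames(width: int = 24, height: int = 16) -> Tuple[Frame, Frame]:
    """Construct an LED-off and an LED-on frame of the same scene.

    The scene has a deterministic texture, a global brightening in the 'on'
    frame (the LED lights the whole room a little) and one 2x2 retroreflecting
    spot at (x=17, y=5) that saturates only when the LED is on.
    """
    off = [[40 + (x * 7 + y * 13) % 50 for x in range(width)] for y in range(height)]
    on = [[min(255, v + 18) for v in row] for row in off]   # global IR glow
    for dy in range(2):
        for dx in range(2):
            on[5 + dy][17 + dx] = 255                        # the hidden lens
    return off, on


def difference(off: Frame, on: Frame) -> Frame:
    """Per-pixel (on - off), clamped at zero."""
    return [[max(0, a - b) for a, b in zip(ron, roff)] for ron, roff in zip(on, off)]


def find_retroreflections(off: Frame, on: Frame,
                          min_rise: int = 60, max_pixels: int = 16) -> List[dict]:
    """Return candidate lens positions as {x, y, pixels} dicts.

    1. diff = on - off keeps only what reacts to the LED.
    2. Subtracting the median of diff removes the uniform IR glow, leaving
       pixels that brightened far more than the scene as a whole.
    3. Pixels that rose by more than `min_rise` are grouped into 4-connected
       blobs; a lens reflection is small, so blobs larger than `max_pixels`
       (a window, a mirror) are rejected.
    """
    diff = difference(off, on)
    glow = median(v for row in diff for v in row)
    h, w = len(diff), len(diff[0])
    hot = [[(diff[y][x] - glow) > min_rise for x in range(w)] for y in range(h)]
    seen = [[False] * w for _ in range(h)]
    blobs = []
    for y in range(h):
        for x in range(w):
            if not hot[y][x] or seen[y][x]:
                continue
            stack, pixels = [(x, y)], []
            seen[y][x] = True
            while stack:                      # flood fill one blob
                cx, cy = stack.pop()
                pixels.append((cx, cy))
                for nx, ny in ((cx + 1, cy), (cx - 1, cy), (cx, cy + 1), (cx, cy - 1)):
                    if 0 <= nx < w and 0 <= ny < h and hot[ny][nx] and not seen[ny][nx]:
                        seen[ny][nx] = True
                        stack.append((nx, ny))
            if len(pixels) <= max_pixels:
                blobs.append({
                    "x": sum(p[0] for p in pixels) / len(pixels),
                    "y": sum(p[1] for p in pixels) / len(pixels),
                    "pixels": len(pixels),
                })
    return blobs


if __name__ == "__main__":
    off, on = make_frames()
    for b in find_retroreflections(off, on):
        print(f"candidate lens at ({b['x']:.1f}, {b['y']:.1f}), {b['pixels']} px")
```

With real captures the same two-frame structure applies; the practical differences are that the camera's auto-exposure must be locked between the two shots (otherwise the "off" frame is re-exposed and the subtraction is meaningless) and that a few LED-on/LED-off pairs should be averaged to suppress sensor noise before thresholding.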

Dirk PraetJuly 18, 2017 4:37 AM

@ ab praeceptis

But somehow quite some people seem to have major difficulties to understand those details and differences.

The main legal issue at hand here is grsecurity's prohibition clause to further distribute the set of patches they have created for a GPL'ed work, and which is a clear violation of GPL v2 section 6. So unless in a court of law you can come up with a legal argument to invalidate either that section or the GPL as a whole, it IS fully applicable until ruled void. Everything else is but emotion and "Hineininterpretierung".

Your "common sense" argument is very much in line with the reply the earlier mentioned painter gave me when I advised him to settle with the photographer instead of taking it to court. He instead decided to go with the legally illiterate "artistic freedom" crowd surrounding him and lost. Contrary to the US, EU copyright law has very limited "fair use" provisions, which from a legal vantage restricted him to a "satire" defense which the judge rejected. And even in the US, the outcome would have been doubtful as there are several case law precedents ruling in favour of the plaintiff too.

To cut a long story short: whatever your personal feelings on the issue, I would recommend to proceed with extreme caution when commercialising personal stuff based on GPL'ed work unless you are operating out of China, the Bahamas or another jurisdiction that has a bit of a different take on copyright than the US or the EU do.

@ Dissident

Or perhaps you meant that I should consult the type of firm you described in order to obtain a /referral/ to an attorney specializing in my needed area of law, specifically, one who is known to have sound practices when it comes to data protection and privacy?

In my experience, not every attorney or even law firm has an equally strong grip on privacy/data protection related matters, let alone the technical implications thereof. It really is a field of its own. Over here in the EU, we see a growing number of firms specialising in the matter as a result of mandatory GDPR compliance as from May 2018. My advice to you would be to write EFF or ACLU asking for a law firm in your area that is up to speed with the subject matter and take your business there, providing of course they can help you out with your core case to begin with.

Concerning your use of "post-truth era", my question remains: /which/ "political culture", specifically, were you referring-to?

Pretty much everything that reeks of cheap nationalistic or religiously based populism proposing outlandishly simple and authoritarian solutions for complex problems: Trump, Erdogan, Le Pen, Wilders, Duterte, Daesh etc.

Would not merely covering the lens adequately with opaque tape be sufficient to ensure that the camera would be unable to take any (useful) photos?

In addition to what @Clive wrote: do a search for "webcam cover". Plenty of useful gadgets you can buy for anywhere between $5 and $10.

ab praeceptisJuly 18, 2017 5:48 AM

Dirk Praet

Funny how gpl seems to influence thinking in weird ways.

Grsecurity can put *their* work under any license they like. And for that it is utterly irrelevant what their work is applied to or used for. In this case it happens to be gpl-infested code but it might as well be pretty much anything else.

gpl *tries* to taint and infest anything and to claim legal relevance wrt anything that doesn't run away quickly enough - but it doesn't have it.

linux kernel -> up to the linux kernel people to decide their license and modalities of providing it to others.
Grsecurity -> up to them to ...

Simple as that.

"I would recommend to proceed with extreme caution when commercialising personal stuff based on GPL'ed work"

I would, too. But that's irrelevant in this case as the Grsecurity patches are not based on linux just like a text editor isn't based on the texts one edits.

Dirk PraetJuly 18, 2017 6:41 AM

@ ab praeceptis

Grsecurity can put *their* work under any license they like.

No they can't, because their set of tightly integrated kernel patches is not a stand-alone work and in fact utterly useless without the kernel itself.

I guess like usual we'll just have to agree to disagree.

ab praeceptisJuly 18, 2017 7:38 AM

Dirk Praet

Indeed.

Kindly excuse me now. I have to reassure myself that none of the editors I work with is gpl-infested or else you will soon demand that all my work is to be gpl'd, haha.

And I bet you that Grsecurity will *not* be judged to fall under gpl. If it turns out that I'm right you'll owe me a nice prime with no less than 1500 decimal digits.

RatioJuly 19, 2017 6:00 PM

@Dirk Praet,

Concerning your use of "post-truth era", my question remains: /which/ "political culture", specifically, were you referring-to?

Pretty much everything that reeks of cheap nationalistic or religiously based populism proposing outlandishly simple and authoritarian solutions for complex problems: Trump, Erdogan, Le Pen, Wilders, Duterte, Daesh etc.

(That description of post-truth political culture is both too loose and too constrained. But never mind that.)

How is Da'esh an example of post-truth politics?

Dirk PraetJuly 20, 2017 3:46 AM

@ ratio

How is Da'esh an example of post-truth politics?

I gave the Wikipedia definition in one of my previous comments, the exponents I quoted all falling thereunder.

Daesh also classifies as one for targeting a disgruntled and gullible audience with fake promises of a better world (or afterlife), entirely based on emotional appeals, known or provable falsehoods and twisted interpretation of selective scriptures, rebuttal or rejection of which is not even ignored but punishable by death.

aconcernedfossdevJuly 20, 2017 8:49 PM

"I wonder if "aconcernedfossdev" or anyone else here might perhaps know what, if any, legal and industry standards apply-to attorneys when it comes to email security. I have tried searching for this info but have thus far been unable to find any clear, definitive answers. Specifically, I was rather appalled when my attorney (at the moment, anyway...) suggested that I send him sensitive documents that had not been redacted over non-encrypted email. Is that even legal?"


Confidential issues should not be discussed over insecure channels. Request an in-person consultation. Yes attorneys have been sued over email insecurity (outcome depends on state)

aconcernedfossdevJuly 20, 2017 9:05 PM

ab praeceptis is wrong, and seems American since he knows everything outside his actual field since birth.

WaelJuly 23, 2017 10:37 PM

@Nick P,

self-protection: Does the system protect itself, and can its own data (like timestamps, changesets, other data) be trusted?

I see Mr. Wheeler used the CIA definition of security (Confidentiality, Integrity, Availability.)

You essentially need a compiler whose implementation can be reviewed against stated requirements to ensure it does what it says, nothing more, nothing less.

A set of test vectors that any developer can run sounds good.

re solving the trusting trust problem w/ compilers

Our host covered this topic to some extent eleven years ago: Countering "Trusting Trust". Nice articles to read, but they're not my cup of tea! Remember? Compilers ain't my thing. But thanks for the links -- I read as much as I could.

WaelJuly 23, 2017 10:52 PM

@name.withheld.for.obvious.reasons,

[wo]men

"Man" covers both sexes: both are men; the one with a womb is called a woman; the one without, well... is just a man ;)

You disappeared for some time! I was worried you either succumbed to an acute case of "Snipers Measles", or someone detained you at a location.withheld.for.obvious.reasons. Glad you're still around!

DissidentJuly 30, 2017 2:35 AM

A belated thank you to everyone who has replied to me in this thread since I last posted to it back on July 18th.

A special thanks to Clive Robinson for yet another comprehensive, detailed reply, this time on the matter of the risk of being spied-on by embedded cameras and tips to avoid such surreptitious surveillance. Reading it, I am, yet again, reminded of that vintage quote from Gene Spafford,

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.

DissidentJuly 30, 2017 3:48 AM

@ Dirk Praet:

Re: Email security and lawyers, etc.:

Thank you for clarifying and expanding upon your advice. Much appreciated.

Re: your answer that the political culture that you had applied the term "post-truth era" to is,

Pretty much everything that reeks of cheap nationalistic or religiously based populism proposing outlandishly simple and authoritarian solutions for complex problems: Trump, Erdogan, Le Pen, Wilders, Duterte, Daesh etc.

I will simply note that I find your words not only highly tendentious but also to be themselves indicative of simplistic and shallow thinking. For the record, I find the basic message/position/cause of unapologetic nationalism that has been articulated and represented by both Ms. Le Pen as well as Mr. Trump, at least, to be entirely legitimate and respectable as well as thoroughly mainstream and indeed quite natural and wholesome. The question of whether either of the aforementioned individuals can be considered credible representatives of said message/position/cause is, of course, another matter entirely. Concerning /it/, I will constrain myself to say only the following, with the caveat that I know far more about Mr. Trump than I do about Ms. Le Pen (and very little about the latter). I only wish that we had someone like Ms. Le Pen here in the U.S.

@ aconcernedfossdev:

Was that little swipe at Americans really necessary?

(Isn't none other than our host himself American?)

Imagine if the identical comment were to be made but with "Americans" replaced by any number of other nationalities, particularly third-world ones. Need one even wonder what the reaction here would be?

DissidentJuly 30, 2017 5:12 AM

To qualify my previous expression of support for the "unapologetic nationalism" articulated by Donald Trump and Marine Le Pen: I was referring primarily to /immigration/ policy; /foreign/ policy is another area entirely. /There/, certainly when it comes to Mr. Trump*, I find myself far less in agreement. Moreover, if Mr. Praet is, as I am, overwhelmingly anti-interventionist, then there would almost surely be any number of points of considerable convergence between us in this area.

Lest Mr. Praet, however, labor under the illusion that the warmongering I refer to is in any way confined to the U.S. Republican party or The Right, I would hasten to refer him to the writing, interviews and speeches of individuals such as Glenn Greenwald and Jeremy Scahill on the topic.

*With regard to Ms. Le Pen's positions on foreign policy, I must confess to being ignorant of them.

ab praeceptisJuly 30, 2017 5:55 AM

Dissident

The overall topic of this blog is *security* - not politics (which is OK if and when in a security context). I don't see a security context in your post.

I'm sensitive on that because political bickering and fighting pro or contra trump or clinton have created major damage and animosities here a while ago.

Clive RobinsonJuly 30, 2017 9:38 AM

@ Dissident,

Leaving party politics aside, there is a lot of faux news about created by several organisations, that trace back to the same organisations and funding sources of certain older family businesses based around tobacco, coal and oil.

Also it appears to be the same people who funded and created fake news about the lack of connection between smoking and various forms of cancer who are now the primary anti climate science voices. And who also claim to have been the main influencers on pushing the Pro Brexit view that has now got the UK into all kinds of trouble, and will only get worse.

The reason is that the pro brexit politicians like many right wing politicians in Europe are not about resolving issues but creating division. Almost the first thing that became clear the morning after the Brexit vote was in, was that the pro leavers had no policies on what to do if they won...

Similar is true of the far right politicos in Europe. The reason you said,

With regard to Ms. Le Pen's positions on foreign policy, I must confess to being ignorant of them.

Perhaps the reason you might be ignorant of them is that this time around, having a level of popularity she had not had before, she was much more careful about what she said, to appear "moderate". But in the past it's been little more than "France is for the real French" or get rid of all the immigrants, refugees or anybody else that caused political divisions that she could manipulate and make political capital out of.

Often such swings to political extremes are not really what the voters want, it's tactical or sending a message voting. Usually to try and get those currently in power to wake up from a mess they are usually sleepwalking into, as often happens after a term and a bit in power. The problem is that when too many people vote that way, they don't get what they really want, and that is when "buyers remorse" sets in. In some cases the voters get lucky and there is a final round of voting that happens either by design or by some irregularity forcing another vote.

The real reason most politicos do not want a re-vote is because they benefited from the protest/tactical vote and know they are likely to get slaughtered on the "buyers remorse" vote.

In the case of the UK "buyers remorse" has well and truly set in, but worse just about every voter knows that the current political incumbents are of less use than a chocolate teapot at a garden party. If there was another vote now there would be a sizable swing and those virtual unknowns that now have ministerial power know they would have their political lives not just kicked into the long grass, but past it into the stygian canyon of cessation and termination.

For self esteem reasons it is always better to be seen trying to fight forward but not succeed, than it is to succeed briefly and then be snuffed out. For the majority of today's "purple" politicians it is all about self esteem and influence. You get in, you grab the influence and you use it hard to build up favours. When you get out you convert that influence to as much money as you can while you can and cash in the favours one way or another.

The problem for the current UK PM is she has no influence and chose not to build up favours. In fact her main success appears to be incompetence and making enemies. Those she tried to curry favour with in the business community see her as a traitor over her "reverse ferret" from being anti-brexit to pro-brexit just to get the PM post... And the fact that her call for a general election which lost her party significant votes and support means that her party do not want her either, and she knows that it is only a limited political expediency that is stopping the knifing in the back which is going to happen in less than two years unless she can work a miracle in the meantime...

Clive RobinsonJuly 30, 2017 9:50 AM

Oh I forgot to add what is obvious to some but not all.

A weak government, is a national security issue. If a country is in political disarray, other countries politicians see opportunity to gain advantage. Whilst this might not result in direct warfare, it will almost certainly harm the citizens in the country with weak government.

It's part of the reason "Cyber-Warfare" is coming into vogue, it's a form of Proxy War. Rather than resolve the issue many politicians see advantages to gain influence, in much the same way Senator McCarthy did with his "Un-American activities committee" and the "Reds under the bed" rhetoric. The problem as always with witch hunts is what do you do when there are no real witches to be found and the people you are trying to demonize call your bluff and decide that going first strike kinetic as a defence is the way to deal with the problem?

Dirk PraetJuly 30, 2017 1:30 PM

@ dissident

I will simply note that I find your words not only highly tendentious but also to be themselves indicative of simplistic and shallow thinking.

You asked me to elaborate on "post-truth", and that's what I did. Not that it's a right-wing only thing. I just gave a couple of well-known names that all objectively qualify as exponents thereof, but the list was far from exhaustive.

Lest Mr. Praet, however, labor under the illusion that the warmongering I refer-to is in any way confined to the U.S. Republican party or The Right ...

I never said any such thing. For what it's worth, outside the US both Republicans and Democrats are considered right wing establishment parties led by corporate one-percenters, with the average non-American requiring a post-graduate course to even vaguely discern between them.

I was referring primarily to immigration policy

For my personal take on immigration policy, look here. However far to the right of the political spectrum it is considered by the average tree-hugging, bleeding-heart leftist, it is still miles away from whatever simplistic solutions folks like Trump and Le Pen are proposing.
