Friday Squid Blogging: Squid Fake News

I never imagined that there would be fake news about squid. (That website lets you write your own stories.)

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on August 4, 2017 at 4:24 PM • 201 Comments

Comments

Ben A.August 4, 2017 4:25 PM

'Real' people want govts to spy on them, argues UK Home Secretary

"Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family?"

https://www.theregister.co.uk/2017/08/01/amber_rudd_on_encryption/
https://ar.al/notes/decrypting-amber-rudd/

https://news.ycombinator.com/item?id=14898640
https://news.ycombinator.com/item?id=14900006


WannaCry hero Marcus Hutchins could face 40 years in US prison

"Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden “kill switch” for the malware, has been arrested by the FBI."

http://www.telegraph.co.uk/technology/2017/08/03/fbi-arrests-wannacry-hero-marcus-hutchins-las-vegas-reports/

https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware-detained-in-us


A First Legislative Step in the IoT Security Battle

"IOTCIA amends the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) in order to encourage research on device vulnerabilities."

https://www.lawfareblog.com/first-legislative-step-iot-security-battle

https://www.scribd.com/document/355269230/Internet-of-Things-Cybersecurity-Improvement-Act-of-2017


Introducing 306 Million Freely Downloadable Pwned Passwords

You can now check if your password has been pwned by searching Troy Hunt's website or by downloading the passwords for offline searching.

https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/


Firefox are piloting anonymous, expiring file shares using JavaScript crypto

Alternatives include "https://transfer.sh" and "https://file.pizza/"

https://send.firefox.com/

https://github.com/mozilla/send


Learning PowerShell: basic programs

https://blog.malwarebytes.com/101/2017/08/learning-powershell-basic-programs/


A curated selection of DEFCON 25 presentations

https://blog.malwarebytes.com/security-world/conferences-security-world/2017/08/defcon-25/


LastPass introduces a $48/year family plan and doubles premium to $24/year

https://9to5google.com/2017/08/03/lastpass-families-plan-doubles-premium-option/

Data Mining Rockets DepressionAugust 4, 2017 6:58 PM

Obsession: Have Smartphones Destroyed a Generation?
The professor asked her undergraduate students at San Diego State University what they do with their phone while they sleep. Their answers were a profile in obsession. Nearly all slept with their phone, putting it under their pillow, on the mattress, or at the very least within arm’s reach of the bed. They checked social media right before they went to sleep, and reached for their phone as soon as they woke up in the morning.

The study found girls have borne the brunt of the rise in depressive smartphone symptoms among today’s teens. Boys’ depressive symptoms increased by 21 percent from 2012 to 2015, while girls’ increased by 50 percent.

Do younger generations care about personal liberty, bedroom dignity, privacy and security? These manipulated young people simply don’t care. See for yourself: temporarily hide the phone

The calls for save-our-children from data miners are denied by the no-conscience tech giants and Wall St. Instead they increase lobbying and reelection funds to a corrupt Congress.

Only in America
Not only parents but teachers pass addictions onto students. Through legislative loopholes the worlds largest advertisers are allowed to hand-feed lazy teachers and innocent children.
https://www.theatlantic.com/magazine/archive/2017/09/has-the-smartphone-destroyed-a-generation/534198/

DarthFaderAugust 4, 2017 7:01 PM

Meanwhile,
Several security analyst groups working on the Trump-Russia accusation realize that "it just might have been Russia" that hacked the DNC, knowing anybody could have procured and used the same malware. Commandant Mueller moved on to heresay conversation and accusation and Darth Trump signed the sanction, an act that removes much ammunition from the DNC.

As an un-sided bounty hunter, I must say that proof of firewall log and email server log would have been decisive, currently missing. I am also suggesting that block chain does not solve the fail point: govt contractor hiring practice and outdated voting client software. Block chain is still reliant on other security mechanism and the voting system has been hijacked by the states. Since no federal requirement for voter ID, there is no official integrity system.

The Dems attempt to run a smear campaign for 4 years will become a lost capstone by the time Darth Trump deploys a Star Destoyer.

... A Lost Hope

ThothAugust 4, 2017 9:00 PM

@Ben A

Re: WannaCry hero

I guess this will be a good wake up call to treat thr USA and 5Eyes as a group of black listed countries for security researchers to visit and the importance of anonymous disclosures.

Also, it is best presenters in Defcon and Blaclhat wear masks :) .

AnonAugust 4, 2017 10:06 PM

DefCon: didn't certain hackers already express distrust in the presence of LEO at these conventions?

Security Research: this has always been a shady area in the UK, as it is necessary to share virus code and exploits to learn anything, but the act of sharing electronically could be construed as supply, even if the intention of the sharing was legitimate research (e.g. Researcher A sends code to malicious Researcher B, who then uses said code for illegal purposes without A's knowledge).

YearOfGladAugust 4, 2017 10:31 PM

All,

I want to learn more about autonomous car technology. Here's my specific question:

I've read some high-level articles (read: popular/consumer press) describing how cars on the highway will be constantly exchanging telemetry with all the other cars around them, reporting speed, position, braking, steering motions, etc., in real time.

What is the envisioned authentication mechanism here? What is to prevent this incoming info from being spoofed? If I built an "Evil Black Hat Car" that drove down the road beaming false information to force all the other cars off the road, what fundamental thing is going to prevent this?

I know this is a complex subject, so I expect I will need to do some reading to understand it. Pointers to any papers, proposed standards, or other online information would be greatly appreciated.

Thanks in Advance,

YoG

Ben A.August 5, 2017 2:49 AM

The UK has an extradition treaty with the USA so his visit to DEFCON wouldn't have made much difference in this case. The UK even has arrangements for extraditing its citizens to North Korea!

It's certainly so that many conferences are being moved from the USA to more accommodating countries.

According to his indictment, leaked online, he was involved in banking malware although it's possible that they've misunderstood the nature of his research and elided white hat research with black hat.

Clive RobinsonAugust 5, 2017 3:05 AM

@ Wael,

IoT benches coming to a park near you!

It's funny that you should say that. I was thudding my way along on my crutches through South East London to a Turkish Deli I occasionaly go to when an obstruction hove into view.

It was called a "Smart Bench" and had been paid for by a cancer charity. I looked at it and I could not see anything particularly smart about it... But it did have some USB charging points.

Then that "Dr Evil" part of my brain thought "are they just chargers" a smile spread across my face and all was well in the world again. B-)

I. GivvupAugust 5, 2017 6:56 AM

This is somewhat old news but in December, "the U.S. Department of Defense, ... announced that it’s just signed a deal with Microsoft for $927 million worth of services and support over the next five years."

That's one government contract of, no doubt, thousands all over the world. It's a wonderful deal for MS, but for us, not so much. Government and business contracts are where the real money is.

After reading articles like that and watching my network monitor sending outbound packets to MS thousands of times per day, despite my best efforts to block them, it's clear to me Windows cannot be trusted at all to protect end user privacy and security. Users simply aren't worth the trouble as customers. They make good targets though.

You know the rest.

I tried Linux and found it ...hard ....and in need of constant attention. I read up on OPENBSD which sounds great for security. But, half way through the install write up my mind went numb. And, it seems there's always a problem with...drivers, ...etc. hmmmm.

I sort of trust Apple. They say they make products and their business model does not include profiting from user data. I am going there.

What does MS do with all the data they collect? It's really, really HUGE. They have a legal license, literally, to take, keep and use EVERYTHING from us.

Frankly, it boggles the mind. Yet, few seem to know or care. Even the government. Especially the government. I wonder why?

Clive RobinsonAugust 5, 2017 6:58 AM

@ DarthFader,

As an un-sided bounty hunter, I must say that proof of firewall log and email server log would have been decisive

Wrong.

All they would show is what the next node up stream from the DNC computers told them. Thus if you control that node you can make it look like the attacks came from the WhiteHouse, North Korea, Hong Kong, China, Iran, or even the CIA down in "foggy bottom".

Likewise if you control the upstream node as China does with North Korea you can make it look like it's North Korea attacking to the rest of the world.

As I keep pointing out "attribution" is at best very very hard and requires reliable HumInt. With SigInt it is in effect impossible because anyone who thinks about it for half a monent will realise if you can get into someones computer covertly to gather evidence it means that someone else can get in to plant it. Thus it does not meet evidentiary requirments.

So if you don't control the upstream node you can get in and change the logs to show what you want within reason.

Untill people "grock this" we will have the stupidity we have seen over this past decade continue. It will waste resources polarise the unknowing masses and led almost as sureky as night follows day to kinetic action under the "first strike defence" doctrine promalgated by those who will profit by it.

Dirk PraetAugust 5, 2017 7:12 AM

@ Ben A.

The UK has an extradition treaty with the USA so his visit to DEFCON wouldn't have made much difference in this case.

Although the UK has a simplified extradition procedure with the US, the US is a category 2, type A territory. This means that extradition requests need decisions by both a Secretary of State and the courts. The regular extradition process follows these steps:

  • extradition request is made to the Secretary of State
  • Secretary of State decides whether to certify the request
  • judge decides whether to issue a warrant for arrest
  • the person wanted is arrested and brought before the court
  • preliminary hearing
  • extradition hearing
  • Secretary of State decides whether to order extradition
This means that several authorities may ask to substantiate any proof against the suspect which the requesting party may either be unable or unwilling to share, especially in seemingly dodgy cases like this one. The suspect may also not be high enough on the most-wanted lists to start up a formal extradition procedure. In both cases a more opportunistic approach may be preferred, as in just waiting for the unwitting suspect to cross the border.

If indeed Hutchins knowingly and actively participated in developing the Kronos malware, he had it coming. If not, it's open season for hunting security researchers and they may wish to reconsider any US travel plans.

Like This On Facebok!August 5, 2017 7:28 AM

@DMRD, yes it's fascinating to see a social media addict jonesing for signal strength. The withdrawal verges on panic. And it's not just youngsters. When people complain about venture-capital fixation on stupid apps, they forget that stupid apps are designed to have the same lucrative addictive properties that made tobacco such a blue-chip industry.

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5076301/

Addiction's how the government imposes more and more intrusive surveillance.

JG4August 5, 2017 8:01 AM


https://www.nakedcapitalism.com/2017/08/links-8517.html
...
New Cold War

Go look at the replies to this tweet to see how much support there is for free speech in America. As Lambert has said, this is not the behavior of a confident elite.

...
Big Brother is Watching You Watch

That Drone Hovering Over Your Home? It’s the Insurance Inspector Wall Street Journal. Drones presented as a consumer benefit, natch. Glad I live in an apartment building with super tight security (the permanent residence of the Egyptian ambassador is two floors above mine, and they’ve had that entire floor for fifty years).

You Are the Product London Review of Books. On Faceborg.

...
The Scandal That Matters Wall Street Journal (UserFriendly). Key paragraph:

Because based on what we already know, the Awan story is—at the very least—a tale of massive government incompetence that seemingly allowed a family of accused swindlers to bilk federal taxpayers out of millions and even put national secrets at risk. In a more accountable world, House Democrats would be forced to step down.

Police recover car stolen from senior couple, then try to auction it Boing Boing (resilc)

New McCarthyism

It’s Getting Real – Google Censors the Left. And Us. Bruce Dixon, Black Agenda Report

Black Injustice Tipping Point

NAACP Travel Warning for Missouri Is a Sad Fact of 2017 Esquire (UserFriendly). Ugh: “The NAACP says this is the first travel advisory ever issued by the organization, at the state or national level.”

[...it means sharpen your pitchforks, go long boiled hemp and popcorn]
Kill Me Now

What Does ‘Late Capitalism’ Really Mean? Atlantic (UserFriendly)

ThothAugust 5, 2017 8:04 AM

@I. Givvup

You are mostly right when you say you have given up. Problems range from OSes being insecure (Win, Mac, Linux are the big 3 targets) to fully unusable systems.

OpenBSD and probably Qubes ? How about some microkernel systems ?

We have been stuck in this crappy state for a long time.

How about tryong SubgraphOS or some Linux OS with GRSecurity proprietary blobs for extended security ?

Hmm.... it seems all of those above are either in a very bad state of development with missing drivers or as POC systems for demos and getting fundings or they maybe insecure or unusable from a newbie perspective.

This state will continue on as long as Governments are more interested in trying to backoor/frontdoor everything and their wish is to keep the security community as divided as possible so that unusable secure OSes would never exist.

Good luck finding a suitable and usable secure OS. Despite my efforts to search for one, none of them make the cut.

Moulie StoolieAugust 5, 2017 8:05 AM

@E.B.R. "pointless-police-raid-on-innocent-family's-home" mentions one crucial detail only in passing. Those far-fetched suspects were CIA. Does anybody actually think cops were looking for drug cultivation, (...no wait, drugs,) for hours? This raid is an early tremor of the insider-threat panic, long before it boiled over publicly with Manning/Snowden/Martin/Winner etc., etc., etc. At least since 2005, when the US just barely managed to hush up the international consensus on impunity, the CIA mafia has been petrified that one of their button men is going to rat them out. Panic raids like this go in the same file folder with all those bankers dropping like clay pigeons.

http://wallstreetonparade.com/2014/04/suspicious-deaths-of-bankers-are-now-classified-as-%E2%80%9Ctrade-secrets%E2%80%9D-by-federal-regulator/

So, ah, by the way, how did Lazarus wind up with Longhorn?

Clive RobinsonAugust 5, 2017 8:11 AM

@ Ben A,

The UK has an extradition treaty with the USA so his visit to DEFCON wouldn't have made much difference in this case.

Whilst there is not just a traditional extradition treaty with the US and a very onsided agreement signed by Tony Blair against better advice, UK judges are not as stupid.

Extradition can be fought and fought well and sometimes refused, and has been in Hacking cases.

As far as we can tell so far the case against Marcus is at best nebulous and may not even actually be a crime at all.

It's fairly well known that the FBI "invent crimes" in all sorts of ways by abusing process and defendants rights.

For instance if Marcus was in the UK he would probably not be considered a "flight risk" and would be bailed. His employer would probably carry on employing him, and he would probably get not just legal aid to fight extradition but a lot of political support and "crowd funding".

The FBI / DoJ have lost against this in the past, especially with their ludicrously broad interpretation of overly broad scoped legislation and their demands for longer than life sentencing in a prison system that's not rated as highly as it is in some third world nations.

All the FBI / DoJ is interested in is show convictions especialy of foreigners who will get little media thus public support. Even if they have no chance of getting a conviction for what they first claim they will keep throwing on charge after charge untill you give up in one way or another.

Also they have the embarrassment of a couple of US citizens they locked up now out and going for compensation. That problem does not arise with foreigners as they in effect have to attend court in person to get restitution and the FBI can keep them out of the country once deported. Their solution for US citizens is to go for mandatory life sentencing... Which does not go down well with extradition oversight judges...

Clive RobinsonAugust 5, 2017 9:19 AM

@ Thoth, I.Givvup,

Good luck finding a suitable and usable secure OS. Despite my efforts to search for one, none of them make the cut.

There used to be the now old argument of "Security-v-Usability" whilst not totally excluding the "Secure&Usable" option of the table it needs a lot of computer power that was not realy available back then.

Also in it's roots is the "Security-v-Efficiency" point I mention occasionaly. Whilst it is possible to have "Secure&Efficient" the usual consequence is very very minimal functionality. That is you look for a single functional activity (eg "data diode") you then black box review it assuming all ports are bidirectional and assess not just the forward protocols but the reverse protocols as well not just under ordinary usage and errors but under exceptional usage as well.

You then look for the various timing channel issues and assess if they exist and if so what their bandwidth is and determine what methods of mitigation exist.

When you get to design the system the usual ground rules are simple state machines, all states assessed, no feedback, no feedforward, no parallel chains of operation. Also all data is isolated from functionality. That is you do not look at data values and take action on them based on the value. Think more DSP type behaviour than GP-CPU.

You also asses all failure modes thay are after all Shannon Information Channels and thus subject to the idea of "Emmission" --leakage-- and "Susceptibility" --fault injection-- in all it's forms.

I could go on but you get the idea of what is involved for a simple "chain" system. It gets considerably more complex when two or more simple systems need to feed into a larger channel such as a MUX etc.

Clive RobinsonAugust 5, 2017 10:05 AM

@ Bruce and others,

I don't know if you have seen tgis or not,

https://arxiv.org/abs/1708.00884

It's about finger prints and using a Smart Phone's camera for recognition rather than the optical sensor traditionaly used.

As they say,

    Due to exorbitant advancement in technology, computational speed and quality of image capturing has increased considerably. With an increase in the need for remote fingerprint verification, smartphones can be used as a powerful alternative for fingerprint authentication instead of conventional optical sensors.

The way they go about at first sight appears odd, untill you realise it's the easiest way to use existing back end,

    In this research, we propose a technique to capture finger-images from the smartphones and pre-process them in such a way that it can be easily matched with the optical sensor images.

HumdeeAugust 5, 2017 10:57 AM

@Ben A.

'Real' people want govts to spy on them, argues UK Home Secretary

I think she is correct. Frankly, most people would give up their first born child if the government told them it would stop a drug dealer. It doesn't matter if the logic "if you don't have anything to hide" is unsound. Of course it is unsound but that is not dispositive because people harbor all sorts of unsound beliefs and worse vote on the basis of those unsound beliefs. Proof that they do? Amber Rudd.

CallMeLateForSupperAugust 5, 2017 11:17 AM

U.S. Army uses COTS drones from a Chinese company. Now somebody suspects that using products from a potential adversary, for DOD purposes, might have a significant down side. (Gee, ya think?)

"...Army has for some time allowed units to purchase hundreds of off-the-shelf drones made by DJI, the Chinese consumer drone maker."

"...Army Air Directorate's deputy chief of staff Lt. General Joseph Anderson issued a memo on August 2 ordering units to 'cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow-on direction'."

https://arstechnica.com/gadgets/2017/08/army-tells-troops-to-stop-using-dji-drones-immediately-because-cyber/

mostly harmfulAugust 5, 2017 11:31 AM

Regarding the Kronos malware case, discussed above by @Thoth, @Ben A, @Dirk Praet, and @Clive Robinson, the DoJ indictment against Hutchins and an alleged co-conspirator can be found here: https://www.documentcloud.org/documents/3912524-Kronos-Indictment-R.html

Notice that the name of Hutchins' alleged co-conspirator, "Fozzie Bear", is redacted throughout the document. Note also that, when it comes to specifying overt acts[1], it is mostly Fozzie Bear alone, and not Hutchins, who is alleged to have performed them. Leaving aside any so-called "conspiracy", all that the indictment deigns to allege Hutchins has done is write some code.

Furthermore, the indictment itself suggests (arguably, and by omission) that, as far as the Feds are aware, Hutchins himself earned not a penny for his trouble.[2] (Fozzie Bear, for his part, is alleged to have acquired a princely sum of two thousand USD.)

Reading between the lines, it looks like Marcus Hutchins is being shaken down; the Feds are putting the screws on him in order to coerce his testimony against Fozzie Bear.[3] This is normal, in the legal ghetto that constitutes US federal court:

In 2013, while 8 percent of all federal criminal charges were dismissed (either because of a mistake in fact or law or because the defendant had decided to cooperate), more than 97 percent of the remainder were resolved through plea bargains, and fewer than 3 percent went to trial. The plea bargains largely determined the sentences imposed.

Consider also the nature of "conspiracy" charges in the US: https://en.wikipedia.org/wiki/Conspiracy_(criminal)#United_States

One important feature of a conspiracy charge is that it relieves prosecutors of the need to prove the particular roles of conspirators. If two persons plot to kill another (and this can be proven[4]), and the victim is indeed killed as a result of the actions of either conspirator, it is not necessary to prove with specificity which of the conspirators actually pulled the trigger.

In the excerpt above, replace reference to "killing" with "selling things capable of enabling naughty behavior". Replace "pulled the trigger" with "made any money whatsoever in the process". The absurdity of the present case becomes apparent: Hutchins, having perhaps written some code and done nothing more than that, is getting farcically dragged. His name alone is writ large on every single page of a conspiracy indictment, in which he played at worst a minimal part.[5] Indeed, by their very nature, his alleged actions (writing inherently reusable code), might just as well have been performed by a party unwitting to the particular consequences. What's next? Indicting game theorists for conspiracy because some construct they've described gets employed by a con artist?

TL;DR, US courts are a swamp of perverse incentives. See Rackoff in the New York Review of Books for some lucid discussion from a sitting federal judge.

Notes

  1. See page 3 of the indictment, Count 1, Section 4 "Overt acts in furtherance of the Conspiracy". There are seven items, 4a through 4g, only two of which mention Hutchins, and both of these consistent with Hutchins having done nothing more than share proofs of concept. All six remaining items are attributed solely to Fozzie Bear.
  2. See page 3 of the indictment, Count 1, Section 4f: "On or about June 11, 2015, defendant FOZZIE BEAR sold a version of the Kronos malware in exchange for approximately [USD] $2,000 in digital currency."
  3. This via the gauntlet of prosecutorial bullying that masquerades as a federal court system in the US. For some background, see (for example) Jed S. Rakoff 2014 Why Innocent People Plead Guilty https://www.nybooks.com/articles/2014/11/20/why-innocent-people-plead-guilty .
  4. This parenthetical is only for show since, remember, only 3% of federal cases go to trial. The "and [the charges] can be proven" part is as obsolete as a rotary telephone. Prosecutors don't have to prove a thing. They just need to scare the crap out of you. Or, failing that, scare the crap out of a "co-conspirator" first.
  5. It does appear that Hutchins may have made the newbie error of answering questions posed to him by cops. In the US, don't ever do that: https://www.youtube.com/watch?v=d-7o9xYp7eE

mostly harmfulAugust 5, 2017 11:37 AM

"All six remaining items are attributed solely to Fozzie Bear."

*five, not six.

JG4August 5, 2017 11:58 AM


missed a few on the first pass. dealing with problems at the correct level of abstraction is part and parcel of genius. Einstein did it for light and gravity. we need to do it for security. as always, appreciate the discourse, at least the good parts of it. I am not suggesting that I am a genius. I deal with these topics at a high level of abstraction more because I am cognitively impaired. but, also, your system-level architecture has to be workable before there is any point in pouring effort into the subcomponents. that's where the high level of abstraction is most useful. unless you know a priori that the subsystems will stand on their own and fit into other system architectures. it's all about the building blocks. if you have to buy the building blocks from compromised companies, then the system architecture is even more important.

a nice example of entropy maximization producing conflicts of interest at different vortex scales.

https://www.nakedcapitalism.com/2017/08/bribery-cooperation-evolution-prosocial-institutions.html

the shear between lamina generates spin. the results are not linear. we have seen repeatedly the conflicts of interest between security and time to market, security and "government interests," security and the monetization of user data, security and useability, and countless others to numerous to catalog here. just another day on the old blue marble of conflicts of interests. the natural tendency of humans is to cooperate with the in-group. the dissidents are rendered into foul-smelling plastics and elastomers that are sold around the world.

backdoors are like nuclear weapons, because there always is some small chance that they will cause staggering levels of damage to civilian infrastructure. another useful analogy is that handguns are the nuclear weapons of interpersonal relationships. you'd prefer that your protection systems not destroy you. there should be analogues of the non-lethal or much-less-lethal approaches. like tasers for rogue countries. the business of blowing holes in people and blowing up countries really is outdated, except for the part where it generates staggering profits for the insiders.

The Chinese are said to have an expression "calling things by their right names is the beginning of wisdom." calling issues by Karl Rove's names is the beginning of the end of empire. don't run their code (software, words) on your hardware (CPU, brain). that really is the crux of the security problem. it's OK to run their OS as long as you don't let it also control the inbound and outbound traffic and everything else.

https://www.nakedcapitalism.com/2017/08/links-8517.html
...
Banning Nuclear Weapons: The Beginning Portside (Sid S)

6-Monsanto-Consultant-Protests-Ghostwriting.pdf Baum & Hedlund Law (Chuck L). From “Monsanto Secret Documents” in the Roundup multidistrict litigation.

...
China?
...
Chinese chatbots apparently re-educated after political faux pas Reuters (Chuck L)

...
Syraqistan

Our generals reveal why we lost in Afghanistan, and will continue to lose Fabius Maximus. Resilc: “The BEST generals have not won since Truman.”

...
Trump Transition

Why Leaking Transcripts of Trump’s Calls Is So Dangerous Atlantic. Lambert ran this in Water Cooler, but worth highlighting.

DarthFaderAugust 5, 2017 11:59 AM

@Clive
You're right. That's not how it would have gone down, nor what the purpose could be. My big deal is physical security and humint also. I would also cut my throat on email admin these days, especially for the govt accountability practice and DSS procedure that no one seems to follow.

My point is, if evidence were viable in the court of law, we probably would have caught news about it, judicial or leaked. It took DefCon to prove they(party house or voting system) don't have their ducks in a row, and never will. Simply saying a specific malware is obscene.

It is interesting to note that the Dems at least forced Trump to sign the sanction. He obviously did it to steal some ammo in the court room. I find the case weak. It would have been easier to arrest Reagan for Iran-Contra.

Note to self: lawyers and paralegals like to drag their personal laptops wherever; nevermind the contractor thing.

Clive RobinsonAugust 5, 2017 12:09 PM

@ mostly harmful,

It's about what I would expect of the us (in)justice system.

Plea barganing is an excuse for one party to commit perjury against another in order to save their own skin, it's as bad as jail house stoolies saying they have heard a person confess in return for consideration on their sentance. Such "evidence obtained under duress or favour" should be no more admissible than a confession after duress by physical or mental persuasion (the US DoJ does not recognise what most people call tourture so it's pointless saying "tourture" rather than persuasion).

The fact that the FBI played administrative games for atleast two days suggests that the duress was going full tilt along with the other lying they are alowed to do. It appears to be little different to that which the Chicago PD did in their of books detention center where there was not even a legaly required register of people in the building let alone in detention.

The simple fact is that the psychopaths ib both the FBI and DoJ are,yet again going ITCSec trophy hunting. Apple stood their ground and prevailed, hopefully Marcus will as well though he will never get his life back irrespective of if he is found guilty or not. It's an almost certainty he will never be alowed back in the US or given fair access to the MSM. Appart from denying him access to the Internet as part of bail conditions there will be a court ordered gag put on him (the redactions show that). If he so much as breaths to a journalist they will drag him back in and charge him with breach of a court order etc. Basically they are going to use picking his nose in public as a public order offense so that they can show he is a criminal thus nix any opportunity to claim compensation.

So expect inflammatory comments from FBI insiders and the like basicaly blackening his name and trying to provoke a response that they can then use in court against him (have a look at Weev's case for an example of that, then there is a journalist as well and these are US citizens not "heathen foreigners").

That's the nature of "Rights Stripping" and the FBI/DoJ are past masters at it. They will push the boundries and if he accidently falls down stairs or jumps infront of a bullet, no problem judges don't convict law enforcment for murder as there is administrative excuses for that these days...

And people wonder why I say the US is higher on my don't visit list than any other Super Power and a great deal of third world dictatorships...

Who?August 5, 2017 12:11 PM

@ CallMeLateForSupper

Does the U.S. Government know of any shady DJI secrets? Are they just spreading FUD as they did to Lenovo years ago?

Unwitting USA CollusionAugust 5, 2017 12:33 PM

Unwitting USA Collusion

The White House, Congress, Pentagon are being monitored in real-time by smart-phones and drones

But First a Message from our SMART Leaders:
When top-secret-special-access cleared Jared Krushner met with the Russians he brought his ‘smart’ phone into the meeting. There is little doubt the major intelligence agencies tapped his phone and listening in real-time through the ss7 worldwide spying network.
https://www.theverge.com/2017/6/13/15794292/ss7-hack-dark-web-tap-phone-texts-cyber-crime

Insider Information
There is strong evidence that Senators and House Representatives are being monitored in real-time by foreign adversaries
http://www.cbsnews.com/news/suspicious-cellular-activity-in-dc-suggests-monitoring-of-individuals-smartphones/

ET Phone Home
The USA special forces (like the army) luv to use Chinese drones even on the most sensitive missions.
https://www.suasnews.com/2017/05/global-information-gathering-network-uas-dji-data-collection/
http://www.defenseone.com/technology/2017/08/us-army-just-ordered-soldiers-stop-using-drones-chinas-dji/139999/

Silicon Valley National Security Threat
The sheer naivety of security cleared American politicians, government workers, and military boggles the mind. The root-cause can be traced to pandemic levels of smart-phone addiction. By design, people from all occupations are literally programmed to never put the phone down the despite national security implications.

Mandatory Detox Program
Why no special prosecutor to investigate top govt officials for passively colluding with the Chinese Military?

The Art of War
This increased levels of spying can be traced to the Chinese Premier Xi aggressive 5 year plan to rule the World. Knowing the West will eventually respond they have already implemented repressive new cyber laws.
https://www.cnbc.com/2017/05/31/chinas-new-cybersecurity-law-takes-effect-today.html

Asymmetrical Spying
One aspect is data localization where data generated within China can no longer be sent overseas. Yet as we see above, surveillance data within the USA can be shipped to China.
Given this asymmetry does the USA even stand a chance?
Note: even though national security is at risk Silicon Valley sides here with China - keep the borders open (to be attacked)

Improved Great-Wall Cyber Defense
When attacked China will be able to totally cut-off external interfaces with zero effect on their economy. They are currently practicing stress tests by disabling lists of web sites. Of course they will use proxy nations to attack.

In contrast America and its allies appear to be wide open to massive waves of cyber nasties.

Note the similar increased Chinese aggression against India: http://www.dailymail.co.uk/wires/afp/article-4762904/China-ups-ante-high-altitude-standoff-India.html

TomAugust 5, 2017 12:36 PM

@I. Givvup
From an everyday, practical pov, the Mac is a good choice, in my experience. What that means: if you don't require airtight security against industrial espionage threats or the NSA-FBI is not going to be going after you individually, a Mac is good. For those who don't want to spend a thousand hours trying to figure out a Linux install, a Mac is the best choice.

To stay secure: do the updates. Stay away from torrent clients and off-the-net apps (e.g. Handbrake, but it could probably happen to anyone). Don't fooled by stuff in emails.

I used to run XP and found the time it took to run virus and malware scans was becoming too much, so I tried the other brand. The Mac is not perfect either, but it's basically a nice *nix implementation with a very nice gui. What's not to like? Heh, heh the haters will claim plenty, we do know that, and fud is only fud.

But, most, indeed nearly all, threats are aimed at Windows, and OS X has the inherent security of Unix.

Clive RobinsonAugust 5, 2017 1:10 PM

@ YearOfGlad,

What is the envisioned authentication mechanism here?

What ever it is, it is unlikely to be of any real use. The simple way to see this, is to look back down the chain of the speed sensor. How do you authenticate it's actually mechanically linked to the wheels or other method of detecting real velocity. That is what is to stop me pulling it out from the axle/wheel and instead connect it to say a DC motor and sun and planet gearbox that drives the sensor instead.

What is to prevent this incoming info from being spoofed? If I built an "Evil Black Hat Car" that drove down the road beaming false information to force all the other cars off the road, what fundamental thing is going to prevent this?

Thus there is currently nothing to prevent the radio traffic being spoofed by false --but valid looking-- information.

As for fundemental thing, it's the same story as with Smart Guns, you can do all sorts of things in the upper layers of the computing stack, but down at Layer 0 and it's physical sublayers nobody has come up with even a guess of a way that might at some future time become implementable. But will it ever by both practical and affordable, I doubt it will happen in my liftime or that of my great grand children (which would be around a century and a half in my families time scales todate).

Clive RobinsonAugust 5, 2017 1:17 PM

@ Tom,

and OS X has the inherent security of Unix.

Which is not much realy when you get down to it.

Further the biggest security threat these days is not the OS but the apps and the user.

Take a web browser, it is a process in it's own right. Which means in many cases all those open browser tabs share the same memory space and the same code. Something multi tasking OS's stopped doing around the time MMUs and hardware segmentation became available on 16bit CPUs.

Some browsers are trying to do segregation in software, but at the end of the day it's never going to be as reliable as a Ring 0 setup hardware based MMU.

RachelAugust 5, 2017 1:20 PM

JG4

i am used to you mostly sharing links. Recently you've been adding your own commentary more and more (don't know if you used to do this more regularly)
The below is staggering and even beautiful. Thank you. Reminds me of the wisdom of Tyr's writings. ( The human, not the mythological being. Not sure the latter had spare time for writing) Please contribute more regularly, and even without the links.
as for your useful metaphor about the gun in the preceeding paragraph. Blake said those whom wish to create, and those whom wish to destroy, cannot be united - they must be seperated.


The Chinese are said to have an expression "calling things by their right names is the beginning of wisdom." calling issues by Karl Rove's names is the beginning of the end of empire. don't run their code (software, words) on your hardware (CPU, brain). that really is the crux of the security problem. it's OK to run their OS as long as you don't let it also control the inbound and outbound traffic and everything else.

@ All
does Bruces fill in the blank 'What is this blog about?' question for posters, achieve anything? Isn't a bit redundant these days , now that a T1000 can spam forums from the future etc

Dirk PraetAugust 5, 2017 1:33 PM

@ mostly harmful, @ Clive

Leaving aside any so-called "conspiracy", all that the indictment deigns to allege Hutchins has done is write some code.

Hutchins is for all practical purposes being accused of both creating and updating the malware, hence the indictment on six charges of conspiracy, CFAA and ECPA violations. Either they can make these stick and his life is over, or the entire purpose is indeed to coerce him into ratting on Fozzie Bear and instill fear in the security research community at large. Any which way you turn it, the indictment IMO is particularly shallow and the absence of details not particularly reassuring that - as many suspect - this isn't yet another example of the FBI playing dirty.

If Hutchins refuses to deal and the FBI fails to make the charges stick, then I will gladly support his defense funds to counter-sue for $15 million for having his reputation destroyed.

May I inquire into where you got the Fozzie Bear name from?

It does appear that Hutchins may have made the newbie error of answering questions posed to him by cops. In the US, don't ever do that

However true, I'm not sure if my untrained 23 year-old self in similar circumstances out of sheer panic wouldn't have confessed to anything ranging from the murder of JFK to global warming.

@ Clive

This looks like a three bowl of popcorn event.

LOL. It would seem that for many Americans, Zappa's Law ("politics is the entertainment branch of the MIC") is no longer a joke but a guiding principle.

@ Tom

For those who don't want to spend a thousand hours trying to figure out a Linux install

That's really not true. There's plenty of user-friendly distributions out there that install like a charm and that get you going as fast as a Windows user installing MacOS for the first time. Try Mint sometime.

AnuraAugust 5, 2017 1:35 PM

@Rachel

The amount of spam has dropped considerably since they added that, even if it has ticked up in the last year or so. It's trivial for a bot writer to get around, but it's effective against naive bots (which seem to be the bulk of spam bots on the net).

I have here in my hand a list...August 5, 2017 2:02 PM

@Clive, US plea bargaining really is an exact functional analog to torture.

http://chicagounbound.uchicago.edu/cgi/viewcontent.cgi?article=4154&context=uclrev

In terms of developed-world legal standards, it is testimony and confession compelled by the threat of arbitrary and disproportionate sentences, often life or execution, in breach of ICCPR Article 14(g). DoJ calls it compulsion but under US commitments it is mental torture, and the state has broken its own supreme law by refusing to criminalize it. The state won't do because, as the Langbein paper above points out, CIA's Paper-Clip Sicherheitsdienst would collapse without it.

The most powerful 10% or so of DoJ are illegal domestic CIA NOCs under deepest cover, so of course they're psychopaths, they had to flunk multiple customized psychological tests to get into CIA in the first place. The swine who work in DoJ and FBI have degenerated to the level of Santebal or SERC or on a good day, SAVAK.

ab praeceptisAugust 5, 2017 2:04 PM

ad I. Givvup

Look at nasa's budget. Or look at the increasingly serious plan to make manned flights to Mars and to later even colonize it.

In other words: mankind can strive for and sometimes achieve quite amazing things.

There is no OS that is reasonably safe and secure yet easy to use for Jane and Joe (which to create is presumably quite a bit less difficult than space travel)?

Well, chances are that mankind - or, more precisely those who say to represent us - simply *don't want* such a system to be available to Jane and Joe.

What sounds rather unhappy from and to the Janes and Joes ("Yuck! No simple, reasonably secure system!") might actually sound like "a very satisfactory situation. job well done." to "the [s]elected few" and their helpers and to the oligarchic pals...

Thinking CapAugust 5, 2017 5:52 PM

@Unwitting
“The USA special forces luv to use Chinese drones even on the most sensitive missions.”

There knew we were coming and unexpectedly met heavy resistance...

TomAugust 5, 2017 6:20 PM

@Clive,

Thanks for a technically-based counter. I tried to say that there is no perfect solution for the ordinary home user. But, I'm sorry-- that as a guy who once was a basic tech in a shop that worked on Windows machines, and now a slightly higher than lowly end user-- it's over my head. I can only speak from my experience.

What would be really good? Three machines built yourself, with individually purchased at different retailers parts; bare bones, no wifi, no Bluetooth, no sound cards, OS runs off ROM. And only one of them connected to the internet with one used to carefully investigate any stuff from the net that will be carried over to be used on the working, secure machine? All inside a Faraday cage. Yet to be solved is the MITM problem posed by possibly collusive ISPs, etc.*

With XP, I once got a piece of malware that deleted my drive. My carelessness, my fault. Due to others in the household who do click on links in strange emails, further such troubles would've been a real risk had I continued with Windows. In 15 years, the only problem while running OSX was a defective aftermarket HD, replaced under warranty.

Which brings me to another advantage of the Mac: Time Machine backups. When that HD failed, it was very easy to restore from the Time Machine backup with very little lost time. Four backup HDs are kept in circulation here since redundancy is good.

@Dirk,
Thanks for suggesting Mint, maybe an experiment one day. About 16 years ago I installed Red Hat, or was it Fedora by then? It seemed a little shaky after XP and the fast, lovely BeOS.

*Firmly in the Dept of Speculation: say you had highly confidential, possibly actionable data to be shared with international "business" partners. The Internet is obviously of no use. For some data exchanges a trade of time for secrecy might be practical. How about wifi? Nodes on private jets and yachts.

mostly harmfulAugust 5, 2017 6:53 PM

@Clive Robinson

Such "evidence obtained under duress or favour" [that is, testimony extorted via a plea bargain] should be no more admissible than a confession after duress by physical or mental persuasion (the US DoJ does not recognise what most people call tourture so it's pointless saying "tourture" rather than persuasion).

Exactly. So much for the plain meaning of that mechanical balance held by all the iconic lady justice statues.

Not too many years ago I attended a trial (one hearing charges of conspiracy, as it happens) in which the prosecution repeatedly staged multimedia presentations, featuring a large screen on which were displayed to the jury several transcriptions, produced (and edited) by law-enforcement, of telephone conversations allegedly conducted by the defendants. Audio recordings of these same conversations were simultaneously played for the jury in the courtroom. The resulting audio quality was poor enough that one had to rely on the displayed transcriptions in order to maintain the pretense that anything remotely comprehensible was being presented. Thus, the mode of presentation conspired to put law-enforcement's words into the mouths of the defendants.

(Wait, is this supposed to be a conversation between Mr. P and Mr. Q? Well, of course it is. That's what the transcript says, after all! What on earth did Mr. P just say? That was barely audible! Oh, never mind, it's written right there! Hmm, I wonder what that exotic-sounding term means? Oh, the nice detective on the witness stand says the criminal classes use it to mean "regular customer". Impressive demonstration of expertise!)

Most disturbing of all, though, in my opinion, was not this absurd practice of displaying the prosecution's cooked, annotated transcript that could not help but bias any first-time audience to the presented conversations. Say whatever we might about the practice, at least it had the benefit of providing clarification to evidence badly in need of clarification, however dubious its claim to accuracy.

(Obligatory Monty Python sketch featuring the peerless analytical talents of Sir Bedwyr, and his state-of-the-medieval-art balance of justice: https://www.youtube.com/watch?v=zrzMhU_4m-g )

What was inexcusably worse, was that on a separate screen, adjacent to the transcript, prosecution would gratuitously display the mug shot of whomever they alleged to be speaking at a given turn, just in case the speaker happened to be a defendant. Other parties, namely those not indicted, when present in the recordings, were depicted by their drivers license photo (or occasionally not at all).

What was the point of pictures at all? The defendants were present right there in the courtroom, in case anyone had momentarily forgotten what they looked like. The only conceivable justification for the slideshow of mug shots was their inherently prejudicial nature.

@Dirk Praet

Hutchins is for all practical purposes being accused of both creating and updating the malware, hence the indictment on six charges of conspiracy, CFAA and ECPA violations. Either they can make these stick and his life is over, or the entire purpose is indeed to coerce him into ratting on Fozzie Bear and instill fear in the security research community at large.

It is unfortunate that those two disjuncts are not, in fact, mutually exclusive. We got us a justice system that can do both!

May I inquire into where you got the Fozzie Bear name from?

Heh. Looking at the indictment some more, I now wonder whether there could be more than one redacted co-conspirator.

Anyways, Fozzie Bear: https://www.youtube.com/watch?v=-R_pRKPp4L4

However true, I'm not sure if my untrained 23 year-old self in similar circumstances out of sheer panic wouldn't have confessed to anything ranging from the murder of JFK to global warming.

I hear you. I meant only to highlight the preventable nature of the error for the benefit of others, not to blame a victim of the police state.

Silence does not come naturally in many situations. Situations that cops get lots of practice in constructing. Speaking of which…

@All

In my initial comment on Hutchins' situation, I worded (at least) the following observation poorly: "5. It does appear that Hutchins may have made the newbie error of answering questions posed to him by cops."

In this institutionalized con game, as it is played in the US, refusing to "answer questions" is insufficient precautionary discipline; Cops are trained to trick you into making statements without letting on that you are being interrogated, and they get lots more practice at their role than you get at yours. Instead, just follow the rules:

  1. Do not talk to police at all.
  2. When in doubt, see Rule #1.

Stay free!

ThothAugust 5, 2017 9:00 PM

@all

Re: Safer Security Conference Venue

Any suggestions for a much more safer place where security conferences like Defcon and Blackhat can hold their conferences at with lesser problems of extradition ?

Let's get the ball rolling:

- Switzerland
- Iceland
- Russia

ab praeceptisAugust 5, 2017 10:06 PM

Thoth

From what I see, swizzerland has far too much bent over to every whim of a certain country and can pretty much be regarded as a colony. Russia would be a good alternative, indeed, will however not be accepted by very many who have been brainwashed into believing that Putin is a dictator, lgbts are arrested, if not eveb tortured and sent to gulags, etc.

Iceland looks quite good, though, plus it's in an attractive location.

Clive RobinsonAugust 5, 2017 10:22 PM

@ Thoth,

Any suggestions for a much more safer place...

Define what you mean as "safer"?

You might not get arrested in Russia or China, but that does not stop you getting an "Evil Maid" doing her thing on your gear or on you for honeytrap treatment.

Switzerland has odd notions on what is owned by whom and how. They have quite draconian laws when it comes to protecting "their" banks and industry. Caution is advised there as they are not adverse to locking up people for what are ostensibly business reasons.

Iceland is an interesting place it is small in population but they are of a vary independent mind set. Which translates to not being nice to the hidden nuances of Big-Gov secrecy / deals etc. Which is why "to big to fail" did not play out so well for their bankers some of whom are "cooling their heals" whilst some more are likely to join them. Their advantage currently is they have natural resources, but their landscape does not appeal to many as it's "rugged" in a way that appeals to mad outdoor sports often involving high risk and certainly requiring an excess of adrenaline if not testosterone and high horsepower engines. Just one of the sports they invented is racing snow mobiles across open water (remember snow mobiles are most definitely "negatively boyant" ;-)

I would avoid both Africa and South America and chunks --but by no means all-- of the Middle East, especialy out of the winter months in the Northern Hemisphere.

Australia would once have been high on the list, these days not (sorry guys vote out the drongos and Poli-dingos and that view might change).

New Zeland is sort of still Five Eyes and under the NSA thumb, but that is changing as the population has more in common with that of Iceland than it does of the USA and they are starting to scratch their way out and that includes more of the politicos who want shot of the IC BS due to the real embarrassment the US is causing.

There are a number of Far East countries I might consider, but some are definitely off the list for various reasons even though they are popular with Tourists.

South Korea is a plesant enough place and is very technically literate. But I'm somewhat biased as I have Korean friends and like many aspects of their culture. They actually have some very strong anti industrial espionage laws some are considered the strongest in the world. They also have a very different outlook on data objects and now have legislation that regards physical and information objects equally under their criminal code.

Both Japan and your home country I would happily visit again as a tourist and on ordinary business. However I'm not so sure on certain aspects when it would come to the likes of what would be seen as "Hacker cons" thus potrntialy anti establishment.

A few years ago I would have recommended quite a few European countries but the list is going down for various reasons. Germany and Sweeden are off the list as is France. Oddly due to economic conditions Greece and Portugal might be OK. Greece especialy is not friendly diplomatically with the US or the more risky northern European Nations.

Obviously give the UK a miss but Southern Ireland might well be fine.

Looking back up I can see I'm favouring smaller countries with smaller governments who have been effectively peacefull for over fifty years. However much as I like the place I would rule out Holland due to their surveillance legislation and closeness to FiveEyes nations.

I'll let Dirk speak for his home nation the bits I've been to I like but they are coastal port areas and the capital so not realy representative. He'll probably kill me for saying this but the impression I've had could be expressed as "twee".

A decade or so ago I'd have had Canada on the list, even though they are Five Eyes. But their politicians of recent times do not inspire confidence in fact they are getting US level scary. Which is a shame as I like the place (but not the "9mm mosquitoes" ;-)

I'll let others make their pitches for or against countries, as it will --hopefully-- bring up further insights.

tyrAugust 6, 2017 1:56 AM


I've heard Prague is a good place to
visit. I'm also quite fond of the Irish
as long as they're not just finished
singing the Rising of the Moon. Once
the dust settles after Brexit there
might be some others on a short list.

Currently avoiding entanglements is a
really good idea until the pendulum
swing back towards rational governance
takes place.

ab praeceptisAugust 6, 2017 2:38 AM

Just btw.

I find it shocking that there is any need to think about good places for such activities.

Even more shocking I find that there seem to be very few countries that make it into a list of candidates to reasonably consider.

Something is very wrong.

RatioAugust 6, 2017 3:10 AM

Bail of $30,000 set for UK cyber expert Marcus Hutchins:

Prosecutors told a Las Vegas court on Friday that Mr Hutchins had been caught in a sting operation when undercover officers bought the code.

They claimed the software was sold for $2,000 in digital currency in June 2015.

Dan Cowhig, prosecuting, also told the court that Mr Hutchins had made a confession during a police interview. "He admitted he was the author of the code of Kronos malware and indicated he sold it," said Mr Cowhig.

The lawyer claimed there was evidence of chat logs between Mr Hutchins and an unnamed co-defendant - who has yet to be arrested - where the security researcher complained of not receiving a fair share of the money.

(Emphasis mine.)

Clive RobinsonAugust 6, 2017 5:26 AM

@ Ratio,

You should have included other bits from the BBC article such as,

    Judge Nancy Kobbe was sympathetic to the defendant's plea to be released on bail, waving away a claim from a government lawyer that the cyber-security expert posed a risk to the public because he had gone shooting on a gun range popular with tourists.

That's kind of like sayinghe posed a risk to the public and he should be held in jail because he had been seen driving a car...

As for not being alowed to use the Internet I would be curious about the exact terms, because Kevin Mitnick worked his way around the one he was given fairly easily. Thus I suspect it may be worded to be a trap.

The excuse for it is probably the "yet to be arrested" co-defendant. Which I suspect is poibtless because if they can fly that bird would have long left the nest for a migratory type flight south etc.

From other parts of the article it looks like their might be evidence that some code he wrote has been put in the malware by another person. As for the chat logs about arguing over money it might just be an angry outburst along the lines of "You nicked my code and are selling it you 13astard. That's my work you are getting money for, and you don't acknowledge or pay you are just a crook".

As for the claim he admitted to writting the malware I suspect that is a typical "over stretch" by the prosecution basically deliberatly miss hearning or "laying it on thick" just as the bit about he's a danger because he's been seen at a gun range. After all it's not unknown for the prosecution to lie, the FBI have been caught out many times as have local law enforcment. The reason they get away with it is the plee barganing process. With less than 3% of cases going to court such lies rarely get questioned and when they do it's almost always a "minor mistake" or some such crap. The fact thst Marcus clearly mumbles is going to give the prosecution as much leeway as they can grab. And by the sounds of things so far they can not see any straws on the horizon they can grab at so lies are the next best thing.

I'm guessing that there is more behind this than at first meets the eye. The story about the sting does not appear to coincide with other information out there. I'm guessing Marcus is not the target of choice, but a bird in the hand... I'm guessing that a deal will be done that he has to leave the US only allowed to return to give evidence against the other person if they get apprehended. It will in a way kill his employment prospects with US companies which is broadly in line with current US Presidential thinking about foreign workers...

We will need to wait and see what comes up if it ever gets to trial which may be unlikely if the other person is aprehended in reasonable time. He does after all have the option to push for an early trial and it may be in his interests to do so, it depends on his legal team, at the moment it sounds like he does not have one just a representative for his bail hearing.

Of course there is one big question, if they do have evidence from 2015 why did they not act on it back then and go for extradition. Likewise why did they not arrest him earlier in his visit after all it sounds like they had him under surveilance whilst he was there...

ThothAugust 6, 2017 6:37 AM

@Clive Robinson

Looking at the current development where security engineers and researchers can be simply kidnapped off the streets by agents besides electronics being snatched and preserved for evidence planting and harvesting, what are the best method of Dead Man's Switch besides the usual canary and blogsigs to announce that something bad had happened since if one has been kidnapped by agents, there would typically be no Internet access to broadcast.

So the Dead Man's Switch should work when no Internet is accessiblenand in the event the agents realized a Dead Man's Switch has been rigged up, the victim should be able to issue a canary without being suspected. It should be fast and easy to use as well because attackers would not sit idle and give ample time to the victim.

Computer Nerds Target WomenAugust 6, 2017 7:48 AM

@Like This On Facebok!

While this controversial subject has all the limelight it pales in comparison to their intrusive products focus on targeting women and children
https://www.recode.net/2017/8/5/16102476/google-diversity-vp-employee-memo

Parents vs Silicon Valley Social Misfits
These ruthlessly logically male data-miners develop algorithms and programs which studies show adversely target women by over a 2:1 ratio. Deep down inside the male software engineers may be biasing their design as it can perversely compensate for the rejection they’ve felt.

Personally I’m a software engineer who built weapon platforms. I retired rather than use my potent skills to data-mine as I instinctively knew the destructive harm it would bring upon families.
Good parents nurture children using tender love and empathy while preventing attacks from strangers.
Its a sick parent who exploit their children but big-data has no such qualms.
Silicon Valleys profit and promotions are similar to hackers by forever pushing the privacy envelope and selling the personalized data. Rather ridiculously they call this innovation then claim ‘to do no evil’ while paying off the politicians (to prevent a crackdown).

Only Babies are Hand Fed
Thousands of years ago people had to be told murder was wrong. Today we need to comprehend that transferring our human experiences into robots will progressively firstly make us zombies then kill off the human race.
First it was porn. Now the rejected Silicon Valley Social Misfits desperately want to create personal sex-bots[1].
This first ‘successful’ relationship will be the highlight of their life! Littler wonder the work is proceeding at a furious pace. Like ancient mankind no one is able to comprehend the danger these geeks pose to the human race[2]

Women Targets
From the US National Library of Medicine National Institutes of Health
“Cell-phone addiction shows a distinct user profile that differentiates it from Internet addiction. Without evidence pointing to the influence of cultural level and socioeconomic status, the pattern of abuse is greatest among young people, PRIMARILY FEMALES.
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5076301/

The study found girls have borne the brunt of the rise in depressive smartphone symptoms among today’s teens. Boys’ depressive symptoms increased by 21 percent from 2012 to 2015, while GIRLS’ INCREASED BY 50 PERCENT.
https://www.theatlantic.com/magazine/archive/2017/09/has-the-smartphone-destroyed-a-generation/534198/

Women Leaders Begin to Speak-Up Against the Misuse of Silicon Valley Technology
https://www.theguardian.com/society/2017/aug/05/children-bingeing-social-media-anne-longfield-childrens-commissioner

[1] Look how fast male geeks pushed aside virtual reality based sex
[2] Authoritarian countries realize the danger and ban porn

Clive RobinsonAugust 6, 2017 8:14 AM

@ Thoth,

... what are the best method of Dead Man's Switch besides the usual canary and blogsigs to announce that something bad had happened since if one has been kidnapped by agents, there would typically be no Internet access to broadcast.

There are two basic types of dead mans switch, those that trigger on Acquisition of Signal (AoS) and those that trigger on loss of signal (LoS).

The problem with LoS systems is that they are "obvious in their use" in that they are sending signals continuously or at regular intervals. Thus they can be intetcepted, tracked, interfeared with etc. They also have power requirment issues considerably above those that trigger on AoS.

The thing is for normal operations deadmans switches are a back stop solution in case inteligence or other operational issues fail. If your OpSec is upto scratch then they are considerably more trouble than thay are worth due to false positives.

One way to build the actual switch is by using ECG type systems mounted in the small of your back (thus accessable when cuffed/trused in the usuall maner

The use of the ECG acts as a pre alert system as being snatched, drugged or knocked out have certain heart rythm changes just as running or other exertion such as struggling.

If however you want a kill switch for use of a computer a smart card attached to the wrist by a short leash works as does using a memory stick attached to your arm via a usb lead. Snatching you away causes a trigger signal in the PC that can kill any crypto keys etc.

As I've discussed with Nick P a sprung plastic cloathes pegs with drawing pins pushed in as contacts held apart by a cardboard tag like those used for tie on labling can be attached to your system. Devices such as this have been used for trip wire detonators etc and are easy to put together. When wired into a 25way D-Type connector on an old PC printer port they generated a fairly fast interupt in the OS from early PC/MS-DOS through NT5 that was easy to use even from a batch script.

There are a whole other bunch of things an inventive mind can do. But in the main time would be better spent in improving both OpSec and Snatch Preparedness.

My advice to many is Snatch Preparedness is the most valuable thing you can do. Put simply if they have not got anything of use out of you within 48Hours you've returned to a sense of equilibrium and they are unkikely to get further from you. The old advice of "Name, Rank and Service Number" and nothing else and just concentrate on saying them over and over in your head to the exclision of all else is still good. The important thing is not to engage no matter what the provacation, if you engage they have got you plain and simple because you've let them in your head.

NOCNOCwhosthereAugust 6, 2017 8:38 AM

Anybody notice how deep-cover CIA agent Bitkower got squirted out of his cover job at DoJ? Right after Vault 7 started coming out and Shadowbrokers offered the SWIFT notes? Whaddayaknow. Secret Agent Bitkower obstructed justice for CIA on torture, indefinite detention, urban domestic Operation Phoenix, and domestic digital surveillance. The nascent stink about banking malware is going to take some very fancy footwork. CIA really stepped in it now.

Just in case you were wondering why FBI is rounding up some usual suspects, like hapless amateur Marcus Hutchins.

HellnoAugust 6, 2017 8:39 AM

Windows Hello biometrics in the enterprise

https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise

"Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials."

All biometrics are stored locally. However, not mentioned is whether the feature can be reversed or altered remotely. Apparently the cam stays on constantly to monitor your commings and goings. hmmmmm

This feature was included my recent personal update from W10-Pro to Creators.

You might want to get the band-aid out for the laptop cam and disable your microphone. Or, just trust MS to do the right thing.

JG4August 6, 2017 8:50 AM


Thanks for the discussion of relative merits of countries. Doug Casey advocates a three-flag concept, where you keep your money in a place like Switzerland, you live in a place like Phuket, and your citizenship in a place like Singapore. The general premise is not unlike the division of powers in the US Constitution, at least before it was systematically dismantled by the Deep State/neocons/MADD/Congress/etc. In a sense, Casey's concept is an application of game theory, where you leverage the strengths of various countries, without suffering the downsides. We can note the high cost of living in banking havens, the risk of theft by corrupt authorities in some tropical countries, and the risk of political persecution. You enjoy the benefits of working with the gnomes, while living in a tropical paradise and exercising freedom of expression. It wouldn't be advisable to criticize the issuer of your passport, the jurisdiction where you live or the gnomes. As long as you are seen as a harmless crank by the US, they won't bother to ring up the retired assassins in Phuket.

@Clive - Thanks for the excellent discussion of open-source hardware. I really like the concept and your exposition of the difficulties is helpful. This is a ripe area for abstraction in the sense that you would have a better chance of funding a piece of hardware on Kickstarter and equivalents if it had a wide range of applications. I've had good luck with eval boards from the various manufacturers, but you still need intermediate boards (including optical data diodes with protocol filtering) to tie those building blocks together. Someone (Avnet/Altera/Taiwan shop) makes a remarkable FPGA platform called MAX10 that is worth a look. I vaguely recall seeing the jackpair concept, and apparently I wasn't actively commenting in that part of 2014. I was pretty sick then. Doing much better now. Jackpair is quite close in concept to the bidirectional audio data diode that I suggested last week. The 24-bit digital I/O interface is available as a $10 to $90 soundcard, or the MAX10 on-board accessories could be used. There are plenty of inexpensive microphones at Sparkfun and Digikey. I found a small piezo speaker from Digikey for a few dollars. MAX10 has enough horsepower to run the encryption algorithm for the audio. I can provide the links if needed. I can't provide the cognitive horsepower to make it all happen, but I'm happy to help.

@Rachel - I was reasonably eloquent a couple of years ago:

https://www.schneier.com/blog/archives/2015/10/friday_squid_bl_498.html#c6708900

I think that this is close to when I first started commenting:

https://www.schneier.com/blog/archives/2010/11/psychopaths_and.html#c507586

I seeded this post and maybe one to a few others with emails to Bruce:

https://www.schneier.com/blog/archives/2010/11/psychopaths_and.html

I'm pretty sure that I seeded this one:

https://www.schneier.com/blog/archives/2011/07/comparing_al_qa.xml

the daily news

https://www.nakedcapitalism.com/2017/08/links-8617.html
...
Imperial Collapse Watch

The end of the “wars on the cheap” for the United States The Saker
...[there is or was a method to their madness]
Now, of course, if we assume that the Neocons are completely crazy, then everything is possible, from a US invasion of Lesotho to a simultaneous thermonuclear attack on Russia and China. I am in no way dismissing the insanity (and depravity) of the Neocons, but I also see no point in analyzing that which is clearly irrational, if only because all modern theories of deterrence always imply a “rational actor” and not a crazy lunatic on an suicidal amok run.

...
Big Brother Is Watching You Watch

Report “Corporate Surveillance in Everyday Life” – Info Institute for Critical Digital Culture (full report).

Our Minds Have Been Hijacked by Our Phones. Tristan Harris Wants to Rescue Them WIRED (Re Silc).

Big Data Is Coming to Take Your Health Insurance Bloomberg

...[one of the more powerful neurotransmitters on your planet]
Soft Money Is Back — And Both Parties Are Cashing In Politico (Re Silc).

...
Inside Patreon, the economic engine of internet culture The Verge

ThothAugust 6, 2017 9:05 AM

@Clive Robinson, Dirk Praet, Nick P, usual et. al.

I have figured a way to do secure input on 'dumb' smart cards (no secure display or keyboard attached - traditional card-only) variants.

Works very nicely with air-gapping and energy-gapping if you want to take it a step further.

Not going to be hassle-free though due to the 'gapping' used but it provides a somewhat strong model of ensuring the input 'keypad' even under a semi-trusted condition and where the 'receiver/card/crypto' module under a fully untrusted condition can still maintain security as long as the input is 'semi-trusted' at the very least.

Dirk PraetAugust 6, 2017 9:17 AM

@ Clive, @ Thoth

I'll let Dirk speak for his home nation the bits I've been to I like but they are coastal port areas and the capital so not really representative.

What makes Brussels a particularly great place for any type of convention attracting "persons of interest" is the utterly dysfunctional state of local law enforcement and IC, whose authorities are spread over way too many entities at different administrative levels and which, on top of that, are understaffed and not sharing information due to ongoing turf wars and political infighting. Despite the city being an international spy hub due to the presence of NATO HQ and the EU Institutions, chances of being disappeared in the de facto capital of Europe are reasonably small as it would carry the risk of a major diplomatic incident. Unless there's an international arrest warrant out for you, there's not really a lot to worry about, and if for whatever reason you get into trouble, you can always go underground in the suburb of Molenbeek, where people will rather bite off their tongue than cooperate with LE. Another plus is the excellent food and beer. Although I personally find Brussels reasonably boring, more interesting towns like Antwerp, Ghent and Bruges are but a one hour train ride away. None of them are, of course, Las Vegas.

The closest thing to a hacker event we have in Brussels today is the annual FOSDEM conference, which already does attract a bit of an international crowd. The most popular European hacking event is Germany's annual Chaos Communication Congress, hosted by the Chaos Computer Club (CCC).

South Korea is a pleasant enough place and is very technically literate. But I'm somewhat biased as I have Korean friends and like many aspects of their culture.

Same thing here. My favourite ex was from South Korean descent, another one Japanese 8-) I also think it would make sense to split up both BH and DC over an east and west edition as to accommodate a maximum number of participants. Seoul would make perfect sense for the East, Brussels or Reykjavik for the West.

@ Thoth

... what are the best method of Dead Man's Switch besides the usual canary and blogsigs to announce that something bad had happened ...

I think the simplest method would be to agree upon a fixed communication schedule and accompanying distress code with a friend or relative.

@ Clive

Likewise why did they not arrest him earlier in his visit after all it sounds like they had him under surveillance whilst he was there...

Perhaps they thought he was gonna meet up with Fozzie Bear and arrested him when he didn't show up? But still. The entire thing stinks like a titan arum.

The only upside to the story so far is that large parts of the infosec community are all up in arms about it and which I hope will lead to better OPSEC and also more mainstream attention to both the FBI's questionable methods and the overly broad statutes they're drawing their authority from. Although their job is of course not a popularity contest, they are certainly not coming out of this as the good guys.

Nick PAugust 6, 2017 10:07 AM

@ Wael

So, I said before 2004 if avoiding subversion from mass surveillance with before 1999 for avoiding subversion from targeted attacks. Check this out. It says of TAO group:

"This TAO unit is born of the Internet -- created in 1997, a time when not even 2 percent of the world's population had Internet access and no one had yet thought of Facebook, YouTube or Twitter. From the time the first TAO employees moved into offices at NSA headquarters in Fort Meade, Maryland, the unit was housed in a separate wing, set apart from the rest of the agency. Their task was clear from the beginning -- to work around the clock to find ways to hack into global communications traffic."

Created in 1997. Still just getting started with a foreign focus in 1999. Unleashed on Americans after the Patriot Act. My claim of pre-1999 hardware being safe looks to be on the money. Man, am I good or what? This shit is TS/SCI/ECI and I'm still predicting their moves based on watching how shadows move in Plato's cave. The outsider keeps coming in to show the cavemen the light only to find them look at one guy in particular glued to his PC nodding, "Yep, told them already. On new stuff now."

WaelAugust 6, 2017 10:49 AM

@Nick P,

My claim of pre-1999 hardware being safe looks to be on the money. Man, am I good or what?

I asked you something about four years ago:

I'll buy your argument if you can tell me the date NSA started subverting systems and chips. I'll be looking for your post titled: "The day NSA subverted Microprocessors" :)

Four years later, you give me the answer! Calling once, calling twice: argument sold ;)

You are gooder than good, Dawg. One thing off your plate.

FigureitoutAugust 6, 2017 11:27 AM

Clive Robinson
You then look for the various timing channel issues and assess if they exist
--You claimed in the past to have played a role in developing DECT standard, have anymore experience w/ higher freq. RF? If so how'd you deal w/ syncronization of receiver and transmitter? I know the usual, we use best most accurate crystals we can find, this thread was nice: https://electronics.stackexchange.com/questions/268903/how-does-sender-and-receiver-clock-time-periods-synchronize-in-data-communicatio

Ever have problems w/ that? We don't have dead-in-water problems, I can't say specifics (I wish), but we're observing some potential for problems in tough RF environments. Some chips offer some software facilities to adjust crystal trim to deal w/ minor imbalances that get multiplied up w/ higher freqs. But it's a very manual process w/ a frequency counter of spectrum analyzer... I'd love to implement an automatic software tuning solution but I don't think that's possible. Ever do that?

WaelAugust 6, 2017 11:45 AM

@Figureitout,

I'd love to implement an automatic software tuning solution but I don't think that's possible.

Have you considered a PLL or SPLL as a building lock in your design?

Clive RobinsonAugust 6, 2017 12:33 PM

@ Wael,

I asked you something about four years ago

I'm surprised with your Google Fu you did not link to where he said hardware befor 2005...

Mind you, you will probably find where I said mid 1990's or earlier...

The point is that 1999 and slightly earlier hardware was still in use when TAO got going thus that hardware may well have been on their list. Further Flash ROM was starting to appear in that era as well. I remember having a hard time finding a motherboard that still had bytewide ROM which I could swap out.


CallMeLateForSupperAugust 6, 2017 12:51 PM

@Who
"Does the U.S. Government know of any shady DJI secrets? Are they just spreading FUD as they did to Lenovo years ago?"

Why ask me what gummint knows? Better you ask gummint and get information first-hand.

I don't know specifically what "FUD" you mean.

(Your post reads like click-bait.)

WaelAugust 6, 2017 1:05 PM

@Clive Robinson,

I'm surprised with your Google Fu...

Well, you know @Nick P. Hard to nail him to anything. He's a moving target, so to speak.

Perhaps your Google Fu training will help you find better "links"?[1]


[1] We know you don't watch YouTube. This is Mr. Bean in Kung fu training.

FigureitoutAugust 6, 2017 1:08 PM

Wael
--I had a different simpler idea in mind, but we need more data to make a decision. Originally we were advised we'd be well within tolerance, we just need to look and see (again). Also fyi it's in production right now and no complaints from customers yet.

Have you ever implemented a SPLL?

JG4August 6, 2017 2:01 PM


Writing the bit about Doug Casey and dividing government powers arrayed against the common man made me think of computer architectures where multiple processors are separated by various types of filters. Thus, no one CPU can "drive the bus." In fact, several of them can be dedicated hypervisor components. I came close to the idea yesterday when I said that you can't let their OS control the inbound and outbound traffic and everything else, even though it is fine to run their OS.

As I recall, with dimming vigor, the space shuttles had three computers that ran the same code. The outputs went to a voting system to insure reliability. You could configure three completely different CPUs to run equivalent code, then vote the results. Anomalies would suggest either bugs or undocumented features in play.

The data diode concept could be taken to an extreme and used to filter both the memory and data buses of a standard CPU, e.g., one running the management engine malware. If the data and memory values were constrained to known good sections of the appropriate parameter spaces, it would be quite difficult for an opponent to breach the system. They would be forced to simultaneously subvert three different processors. Hopefully without knowing which ones and what code they are running.

My threat model is commercial IP being stolen as part of the mass surveillance paradigm. Any business can be taken over by the government, as they have a complete data set for running any company. Lists of all of the customers, vendors, parts, assemblies, etc.

I probably recommended "American in the Gulag" for the reading list. The subtitle is "Alexander Dolgun's Story." The Soviet prison/labor system is a microscosm of the human condition. If you can pull a business model out of your back pocket every time you go through a door, you've got survivor written all over you.

RatioAugust 6, 2017 2:03 PM

@Clive Robinson,

You should have included other bits from the BBC article [...]

You should have written that comment as a series of haikus. In French.

Those other bits don't indicate what they claim to have on him.

Dirk PraetAugust 6, 2017 6:21 PM

@ Wael, @Nick P

My claim of pre-1999 hardware being safe looks to be on the money.

The downside however being that you'll remain stuck on older operating systems and apps whose newer versions - especially for crypto-related stuff - require processor extensions not supported on aging hardware.

Disney Tracking our ChildrenAugust 6, 2017 6:50 PM

There are no checks and balances for corporate data-miners. They are at the same level as the CIA and NSA:

'According to the suit, the Disney apps for both iOS and Android do not ask for parental permission before they use software development kits that assign unique identifiers to users and then use those identifiers to track the location of the users, as well as activities in-game and across multiple devices. The data is then fed to advertisers to serve up targeted ads...games that allegedly run afoul of the Children's Online Privacy Protection Act (COPPA).

Billionaire Mindset
No leaders in the USA government or law enforcement cares if their children are tracked. In fact Trump wants to remove this law in his CRAP Art of the Deal.

https://www.theregister.co.uk/2017/08/05/disney_charged_slurping_kids_info/

65535August 6, 2017 7:03 PM

@ Thoth

“I guess this will be a good wake up call to treat thr USA and 5Eyes as a group of black listed countries for security researchers to visit…”

I would say so. Did you notice how the FBI waited until Hutchins left the Vegas Cons with a puter full of notes and “other items” and “detained” at an international airport [probably LAS where the International or ‘boarder search rules” are easier to abuse].The USA FBI was hoping to find more black hat programs on his gear to add to their list of “crimes.” This does send a message to the security research industry not to attend USA based conferences.

@ mostly harmful

“Notice that the name of Hutchins' alleged co-conspirator, "Fozzie Bear", is redacted throughout the document. Note also that, when it comes to specifying overt acts[1], it is mostly Fozzie Bear alone, and not Hutchins, who is alleged to have performed them…”

Yes, I did notice. I would guess the FBI is trying to squeeze Hutchins for the name and location of “Fozzie Bear” and any other immediate people. But, who knows what the FBI is doing [Testing their expanded rule 41 to intimidating researchers]?

@ Clive Robinson

“The fact that the FBI played administrative games for atleast two days suggests that the duress was going full tilt along with the other lying they are allowed to do…wonder why I say the US is higher on my don't visit list than any other Super Power and a great deal of third world dictatorships...”

I agree with the basic thrust of your statement.

I will say that I doubt the FBI actually tracked Hutchins for years. I would suspect that a disgruntled individual, such as the individuals behind WannaCry or other jealous individuals lead the FBI to Hutchins [possibly individuals in the 5-eyes IC circle]. But, it is possible that Hutchins was playing both sides of the road in the malware game and got run over.

@ Legal Experts on this board:

Was Hutchins bail amount was set at $30,000 or the usual $3,000 using a bail bonds company?

It seems both amounts could have been raised fairly quickly given his status. Also, I see that Emptywheel says Hutchins’ passport was taken away. How will he travel to Milwaukee from Vegas?

It is assumed the base code for WannaCry is from the NSA. All and all, the FBI’s case has a bad odor.

“The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the National Security Agency (NSA).”

https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

@ Unwitting USA Collusion

“There is strong evidence that Senators and House Representatives are being monitored in real-time by foreign adversaries”

That could be very true.

Once the IC agencies opened the “stingray Jeanie bottle” it is logical to assume other Nations, IP thieves, politicians, and criminals would follow. Once the Jeanie is out of the bottle it is hard to stuff back in.

I read “Detecting Stingrays” by Bruce S. It was interesting. I am not fully conversant on how these “stingray” devices work or how to identify Stingrays in field. I did get something out of the SeaGlass Project

https://www.schneier.com/blog/archives/2017/08/detecting_sting.html

I read about the Seaglass project and their “algorithm” for finding Stingrays device. It seems the 4 major ways are:

1] Spoofed Transmissions

2] Unusual Channels

3] Unexpected Broadcast Properties

4] Changes over Time


And the combination of those four into an algorithm.

https://seaglass.cs.washington.edu/#bringing-transparency-to-cellphone-surveillance

I would guess the Changes [of location] over Time and Unusual Channels used by said cell towers would be the bigger giveaways to being a victim of a Stingray attack. I would assume that once the “giveaway” mechanism is known then consumer iPhones and Android devices will have plug-ins to alert the user.

The perfecting of the “algorithm” will be best option. But, I would imagine that this algorithm will first go to Politicians and the rich and famous and then trickle down to average Jane and Joe on the street. We shall see… unless the US TLA’s snuff it out.

@ I. Givvup

I understand your problem. I am in the same area. The small business clients I have need security and privacy. Some of them have trade secrets and/or are lawyer and doctors.

Windows 10 leaks like the Titanic. You cannot tell what is actually being transmitted to Microsoft because of encryption and a lot of peer 2 peer activity.

Every shop I know has tried various OSes including Mint and so on. The problem is lack of drivers and business level Office Suites. Most of my clients use Microsoft 7 pro or 8.1. They also use Office 03, Office 07, and a few office 10.

None of my customers use office 365 or Win 10. I have suggested some customers who can afford Win 10 Enterprise and Server 2016 to use them. But, when the budget is tight and the returns are low Win 10 Enterprise makes no monetary sense.

The other main issue on the privacy front is Adobe pdf files. Most programs in the business area use them for documents. I this Adobe is unsafe - but that is the defacto standard. This situation is a travesty.

I have no solution but to wait until Windows gets out of the data mining business or Linux produces an office suite that works as well as Microsoft Office.

As for the US government buy millions or even billion of dollars of Microsoft "Products" I am wondering if Microsoft is sell the TLA's their customers data at a huge markup. Think about all of the Win 10 home and pro uses around the globe China, the EU, Russia, the Middle East and so on]. Their data is very useful to the US IC complex.

ab praeceptisAugust 6, 2017 7:27 PM

65535

... tried various OSes including Mint and so on. The problem is lack of drivers and business level Office Suites

At least wrt that point I can point you to a nice solution -> http://www.softmaker.com/en/softmaker-office

They offer both windows and linux versions which are famous in insider circles for the best (and up to date) mso compatibility. The suite includes something like ms word, ms excel, and ms powerpoint (didn't test that one). I myself use it since years and love it. They also have a free version ("SM free office") that is modestly castrated but easily good enough for a test drive (and even for not too sophisticated private use).

ThothAugust 6, 2017 7:44 PM

@65535

Re: leaving Las Vegas Conf full of notes and stuff in computer

Sadly this is where Govts are no better than criminals in their conduct these days as they are motivated by the same desire and as @Clive Robinson said:"the road to Hell is paved with good intentions". They might have good aspirations but they have definitely fallen.

@Dirk Praet

Re: Agreed distress code

I have worked in the Govt and non-Govt side of security and until now my own parents and kins are still strange to the concept of security despite my frequent ranting and they know of my work and it's sensitivity and yet they are still not used to it. Not sure of distress codes would ever work for them as they are too complacent.

We need a robust method for securing transmissiom of distress signals to not just kins but the public.

WaelAugust 6, 2017 7:57 PM

@Dirk Praet, @Nick P,

The downside however being that you'll remain stuck on older operating systems and apps

True. There is always a price to pay. Brings up an interesting tale of two cities dichotomy: why is older hardware considered more secure whereas older software less?

65535August 6, 2017 8:09 PM

@ ab praeceptis

The SoftMaker office suite looks nice. I will give it a go. Thanks.

@ Thoth

“Sadly this is where Govts are no better than criminals in their conduct these days as they are motivated by the same desire and as @Clive Robinson said:"the road to Hell is paved with good intentions".

It is sad. The odd thing is that both Law Enforcement and Criminals think about the same. The lies, the deceptive behavior; the motives, and so on, seem to intercourse with the two groups or appear to be used by both.

Clive RobinsonAugust 7, 2017 3:32 AM

@ Figureitout, Wael,

Re synchronizing, the answer depends on what you are sychronising and why. As you can not say I'm going to have to try to cover all bases...

The first thing you have to decide on is are you sychronising,

1, Time.
2, Frequency.
3, Waveform edges.
4, Area under the waveform.

They are not the same for various reasons to do with relative motion, local frames of refrence, bandwidth and waveform amplitude.

In the question you link to the questioner asks,

    In asynchronous data communication, Initiation of data communication between two stations(sender and receiver) involves synchronizing their clocks to ensure both stations are agreed upon same bit times.

They are confusing two things "asynchronous data" and "synchronous data". For the former you do not synchronize clocks, the latter you do. They are also confusing terms or understanding[1]

In async you detect some function of the waveform either an edge or area under the data curve and use this to do a "sliding window estimation" of the baud[1] period over a one baud period or less then sample the waveform state.

Async codes used to be called "self clocking codes" which is not strictly true and can be found in some academic engineering texts causing confusion to readers.

Async codes are usually used "for line" transmission where bandwidth is not an issue and sync codes used "for RF" transmission where bandwidth is a serious issue. Put another way async codes are edge based and sync codes are usually area under the curve based, because edges have "infinite bandwidth" where as a clean sinusoidal wave form in effect has no bandwidth as it is a point in the frequency spectrum.

To get a reasonable waveform edge rise time you need atleast the third if not seventh harmonic of the highest code component frequency. That is if you look at a zero DC content code like Manchester encoding you can see you have a low frequency square wave component and upto twice that frequency due to data. Thus you would be looking at a line bandwidth of between six and fourteen times the basic data clock rate... As you reduce the bandwidth edge uncertainty (jitter) increases and is much more susceptable to noise and Inter Symbol Interferance (ISI)[2]. Which makes detection much harder and thus "level based" sensing not "zero crossing" sensing is frequently used with line codes.

RF systems have horible characteristics when it comes to edges, levels, ISI and noise interferance. The least susceptable transmition system is wide band FM which is unacceptable for efficient spectrum use. Minimum bandwidth usage is demanded and this means "continuous waveforms" not "discontinuous waveforms". Thus "area under the curve" or integration. Further as levels are uncertain and there is often no DC component you are looking at squaring the waveform to get a zero refrence back. Squaring has another advantage in that it doubles the frequency thus makes sampling detection much easier in synchronous codes as it alows easy generation of two carriers at 90 degrees thus coherant detection. Which in turn can give a significant noise margin with weak signal detection.

However for both sync and async codes you eventually end up doing some form of level detection or zero crossing detection to recover the data from the code. Thus the question arises of when to sample the waveform arises and how to estimate it[3].

In essence you are looking for a time delay to drive a sample gate. The better you make this estimate in an async code generaly the better your data recovery is. If bandwidth and noise considerations are ignored then any point after the edge change would do. In practice you would be looking to sample at around 75% of the minimum symbol width depending on what your main limitation is (bandwidth, jitter, noise, doppler/drift). To get around this some systems use multiple sample points and adjust a sliding window for optimum sampling window.

In a simple async code system you would have a free running clock at eight or sixteen times the symbol rate. When an edge is detected you reset a counter driven by the clock. When it gets to the required count it triggers the sampling and stops counting. The sample then gives the level that is used to determine the symbol value. With a bit of graph paper you can work out what the margins are for the data Doppler/drift, though mostly it's not a consideration. You can see when it is in a test setup, you transmit a known data pattern and check it against what the receiver things is the pattern. By producing a graph of errors against time or data pattern value you can usually spot what your problem is. When it comes to a clock drifft issue looking at the time waveform gives it away. You will see --as a consequence of sampling theorem-- that the errors will bunch up and seperate which if integrated will produce a sinewave at the difference frequency (it's why you can use a D-type latch as a mixer thus use it in Digital PLLs).

With synchronus codes you basically integrate the waveform over a period of time then compare the level at the integrator output. The inyegrator needs to be either "leaky" or quenched otherwise it will take a drunkards walk into one of the powersupply rails. There are two ways to make the use of the integrator effective, the first is to synchronise it's quenching to the code the second is to use two phase shifted codes and compare the outputs of the leaky integrators and synchronise the data sampling to that.

Most synchronous codes when squared give up a waveform that can be used reliably for synchronisation.

You can then use the code waveform derived synchronizing signal to drive a clock into synchronisation. Injection locked oscilators (ILO), Phase Locked Loops (PLL) or dither / early-late loops are used to do this. Whilst an ILO is easy to build and can be found in TV chromer decoders and Stereo Radio decoders it's quite hard to tailor their characteristics. PLLs however are more complex circuits but you can fairly easily tailor their characteristics at the loop filter. More importantly you can constantly vary the characteristics of the loop using other control loops. Dither and early-late loops work by in effect having two frequencys that straddle the code frequency, by integrating the difference you can follow the changes in the code waveform frequency.

Which ever way you do it you end up with an oscilator that closely aproximates that of the code waveform frequency. You usually then use this to derive two waveforms 90degrees appart that then coherantly detect the code waveform.

In older analog systems the oscalators were based around either a Gouriet-Clapp or Vackar positive feedback oscillator with an independent tuning element alowing good stability and wide tuning range as well as definable Q which effects the tuning slew rate [4]. In some cases the coherant detector used a phase shift circuit, however unless you are sneeky in the way you go about it most 90degree phase shift networks are inherantly narrow band. Which is why the use of higher frequency oscillators and ring circuit deviders started to be used in the 1970s as MSI digital components became available.

Likewise early PLLs were based around using ring diode mixers as the phase detector, or later analog squaring circuits. Again the use of MSI digital logic either as the XOR gate or two D-Type latches fairly quickly replaced that. The advent of fast ROMs later brought in the first true digital oscilators, where a part of a sinewave is stored in a ROM driven by a counter with the output feeding a DtoA convertor to produce a sinewave. With modern high speed CPUs you can do most of this with software inside a $1 chip from the likes of MicroChip.

If you want more info or details then you will have to give me a little feedback as to what you are looking for.

[1] Yes it's "baud" not "bit". Baud referes to the "transmission code symbol" length/time which is what you would see on a scope or eye diagram, not the bits within that symbol that could actually vary. The confusion arises because in many simple transmission codes there is only one bit per baud, in complex codes there can be four or more aranged by phase and amplitude. And some codes use Inter Symbol Interferance (ISI) constructively.

[2] Inter symbol Interferance (ISI) can be caused by two basic methods. The easiest to visualize is multipath signals. The second is harder to visualize because it involves energy passing through a filter. But simply as you narrow down the bandwidth symbols get both delayed and spread out thus energy from one symbol appears in another symbol. You can actually do this deliberatly to narroe the signals bandwidth, but you end up using multilevel detection which means your noise immunity goes down thus weak signal handeling is impared.

[3] The reason you have to estimate is due to not being able to see into the future. However if you can tolerate delay in data recovery you can use a synthetic delay line and search for an optimum sample point "in the past". The gain you get is only with very weak signals or signals that are being strongly interfered with, thus before the advent of DSP technology it was only done in military and diplomatic wireless systems and even then rarely as orthagonal signalling gave greater gains and smaller bandwidth.

[4] There is a myth in electronics circles that high stability oscilators need high Q, it's not true. It comes about because most high stability oscilators are based around XTAL's that as a consiquence of their physics have a very high Q. I have a Vackar FET VFO in a huff-n-puff circuit that has a measured loaded Q of around 4 but it's frequency stability is around 1.6ppm free running.

Dirk PraetAugust 7, 2017 4:43 AM

@ Wael, @ Nick P

... why is older hardware considered more secure whereas older software less?

Older hardware didn't have Intel ME and similar stuff. The problem with older software is that - next to obvious bugs and vulnerabilities solved in later releases - e.g. in the case of crypto apps they may not support newer hashing or crypto algorithms and are still stuck on older and nowadays deemed insecure or obsolete ones.

@ Thoth

We need a robust method for securing transmission of distress signals to not just kins but the public.

If one cannot fall back on a non-technical control such as a trusted human element, then the next thing that comes to mind is a sort of dead man's switch integrated in a smartphone or smart watch, the carrying of which has the unwanted side effect of giving away your location at any time. So there is a trade-off to be made. A public warrant canary is an option too, but which equally needs to be monitored by someone unless you set up the host machine with some simple script to send out alerts to 3rd parties under (a) specific condition(s).

When you come to think of it, conventions like Black Hat or DefCon could even provide this as a sort of service to attendees, with alerts being raised for those who haven't checked in at arrival, departure, safe return or alternative agreed upon checkpoints.

@ 65535, @ Unwitting USA Collusion

There is strong evidence that Senators and House Representatives are being monitored in real-time by foreign adversaries

If this wasn't the case, someone would not be doing his/her job. The US IC are doing the exact same thing with foreign politicians of interest.

I have no solution but to wait until Windows gets out of the data mining business or Linux produces an office suite that works as well as Microsoft Office.

Have you ever tried LibreOffice, and if so, what specific problems were you having with it? I have introduced it as a substitute for M/S Office with both private individuals and SMB's, both of which adopted it relatively easily after an initial period of whining but which can be overcome by forking out a small budget for training focused specifically on compatibility issues and M/S Outlook withdrawal symptoms.

The other main issue on the privacy front is Adobe pdf files.

Whether you like it or not, the .pdf format is a de facto industry standard. But which doesn't imply Adobe lock-in. LibreOffice can export .pdf's too, and you can use alternatives like Foxit Reader for either reading or writing.

JG4August 7, 2017 6:26 AM


It might be helpful to say that the dead hand switch or deadman switch is intrinsically low bandwith, perhaps as low as 1 bit per hour or 1 bit per day. A cell phone would be overkill, but convenient in the sense that most people have them and have them on all the time. Clive could comment on how small an HF transmitter could be and still reliably give 1 bit per hour of information transfer. If it were spread-spectrum with a suitably obscure noise-like pattern, and low-enough power, it probably wouldn't give away location.

https://www.nakedcapitalism.com/2017/08/links-8717.html
...
Why are we so crazy about bitcoin? Ann Pettifor, Verso

Competition authorities need a digital upgrade FT

We Need More Alternatives to Facebook MIT Technology Review

Former Facebook exec paints a grim picture of where the U.S. will be in 30 years MarketWatch (Re Silc). “‘Every time I meet someone from outside Silicon Valley – a normy – I can think of 10 companies that are working madly to put that person out of a job,’ [Antonio Garcia Martinez] said.” “Normy.” Rather reminds me of “muppet.”

Facebook is starting to put more posts from local politicians into people’s News Feed Recode

Amazon is the new Walmart: the e-commerce giant is increasingly becoming a symbol for everything wrong with big business Business Insider

Is Amazon getting too big? WaPo

...
Imperial Collapse Watch

The Pentagon Money Pit: $6.5 Trillion in Unaccountable Army Spending and No DoD Audit Project Censored

Is U.S. blocking publication of former NCIS investigator’s tell-all torture book? Miami Herald

Big Brother Is Watching You Watch

Guess Who’s Tracking Your Prescription Drugs? The Marshall Project

U.S. Citizen Who Was Held By ICE For 3 Years Denied Compensation By Appeals Court NPR

...
The Structural Consequences of Big Data-Driven Education SSRN

Ergo SumAugust 7, 2017 6:57 AM

@Tom...

But, most, indeed nearly all, threats are aimed at Windows, and OS X has the inherent security of Unix

That could be related to the platform market share more than the "inherent security" of the platform. When it comes to Android vs. iOS, the picture is pretty much the same.

That's just for the underlying platform security that could easily be bypassed the apps, as Clyde stated.

Then, there's the question of privacy for the end user. The argument can be made that Mac/iOS platforms are probably marginally better than Windows/Android from this perspective. That marginal difference quickly disappears, when the end user installs MS Office, 365 or Office 2016, for the Mac/iOS. Not to mention any other non-Apple software that all come with "telemetry" function, auto-update, etc.

The alternative to these platforms are way to "complex" for the average end users, not to mention the lack of applications that the end users might desire for the alternative platform. It does not seem that the market share for these platform will substantially change in the near, and from some respect, in the distant future...

Et 2?August 7, 2017 7:21 AM

"FTC must scrutinize Hotspot Shield over alleged traffic interception, group says"

https://arstechnica.com/tech-policy/2017/08/ftc-must-scrutinize-hotspot-shield-over-alleged-traffic-interception-group-says/

"A privacy advocacy group has filed a formal complaint with the Federal Trade Commission, alleging that Hotspot Shield, a popular free VPN service, collects numerous pieces of data and intercepts traffic in contrast to the company's claim that it provides "complete anonymity."

I've wondered quite a bit whether there is adequate security and privacy with VPNs ...or....is it all marketing hype?

When the VPN says they don't log, how do we know it's true? Very credible and sincere reviewers tout the "no logging" claims, yet does anyone ever knock on the door and say, "Let's see your stuff".

There are rumors around a lot of VPNs are collecting and sharing user data for marketers. That's bad business for sure. However, what if they are doing the same for government agents all over the world?

Why doesn't NSA/FBI whine incessantly about the world going dark due to VPNs?

Personally, my guess is all USA, at least, VPN traffic is hitting UN-encrypted chokepoints and the government, at least, have a full take of everything. I suppose that is sort of OK if you aren't a crook or violent extremist of some kind. Or, maybe the VPNs simply divert it to them for a fee or maybe...free.

The article contains a link on how to roll your own VPN. Doesn't sound too hard at all.

vas pupAugust 7, 2017 9:42 AM

https://www.sciencedaily.com/releases/2017/08/170804100440.htm

"Our results showed that the participants liked the faulty robot significantly more than the flawless one[!]. This finding confirms the Pratfall Effect, which states [!]that people's attractiveness increases when they make a mistake,"[!] says Nicole Mirnig. "Specifically exploring erroneous instances of interaction could be useful to further refine the quality of human-robotic interaction. For example, a robot that understands that there is a problem in the interaction by correctly interpreting the user's social signals, could let the user know that it understands the problem and actively apply error recovery strategies."

May be that is why life of perfectionist is difficult.

Clive RobinsonAugust 7, 2017 11:34 AM

@ Ratio,

Those other bits don't indicate what they claim to have on him.

No, but they do fairly well indicate that what they might be pretending to have is either probably garbage, or non existant.

The likelyhood is they are trying it on for a number of reasons, and they are lying in order to try to get leverage they realy do not have.

But we won't know one way or another till it gets to court if it ever does and there is less than a 3% chance of that happening.

Think on the point that other people have said Marcus was asking around for copies of the code? If he had it to supposadly sell to an undercover agent why would he be asking around for it, likewise if he had written it?

As I've indicated before things are not adding up with that which is coming to light through others in the industry. And as you realy should no by now even judges assume FBI agents lie out of every orifice, and have said as much to agents faces in court.

Any way isn't it time you got back to your English Literature? and leave Japanese poetry on French to those that can appreciate them?

FTA1000August 7, 2017 11:52 AM

JG4, thanks again for shoveling some ponies out from under all those random NC links. DoD's audit breakdown (army's black hole is the least of it) is the inevitable consequence of the CIA shell game detailed by L. Fletcher Prouty back in the early Seventies. CIA procures military weapons with off-budget funds, typically the proceeds of crime, and "loses" the assets. After Echo Tango Suitcase of witting procurement staff, the weapons fall off a truck into the arms of traitors in CIA's current victim nations, lately, Syria, but increasingly Venezuela. You can learn a lot about CIA gun-running procedures by watching the psychotic US obstruction of the Arms Trade Treaty.

Dirk PraetAugust 7, 2017 12:19 PM

@ Clive, @ Ratio

... leave Japanese poetry on French to those that can appreciate them?

Ce trou parfait
Que je fais en pissant
Dans la neige à ma porte.

Clive RobinsonAugust 7, 2017 1:16 PM

@ 65536,

I have no solution but to wait until Windows gets out of the data mining business or Linux produces an office suite that works as well as Microsoft Office.

The question I ask people who make a similar comment is,

    What do you use the MS office files for?

Youl'd be supprised how many don't use them for anything other than storing on internal file servers. The next question is does anybody ever send you MS Office files, again a supprising number say no.

When you ask about used features most are quite happy with Office97...

Few actually ever updated because they needed new features... It turns out many I've talked to about it, it boils down to compatability with new machines (small offices) or license complications.

Not exactly the sort of solid reasons for upgrading you might expect...

One organisation I know when they buy in replacment / new machines strips them right back then adds older applications. If they need more licenses they buy in scrappers from "junk dealers" in those who deal in bankrupt stock or old office equipment. They take the licences and punt the hardware out to charities with linux on.

Not what you might expect but the MD thinks that way, Oh and no Internet for the staff including the MD (who is an accountant and lawyer by training...).

WannalaughAugust 7, 2017 1:52 PM

Good example of what Marcus Hutchins can expect: The Norwegian judiciary is an actual functioning court, unlike the NeoSoviet US rubber stamp. So naturally the Norwegian court caught FBI fabricating testimony during extended detention without charge.

https://krebsonsecurity.com/wp-content/uploads/2015/09/Mark-Citadel-VG.pdf

The IP used to identify the target was 193.105.135.50, not a Tor node. Was the suspect an idiot? Or a super-sophisticate like those of us here who know that NSA will get everything, so why bother? This is very strange: who knows enough to build and maintain diabolical malware botnets, but doesn't know enough to obfuscate his IP?

Gerard van VoorenAugust 7, 2017 3:03 PM

@ Clive Robinson,

I have no solution but to wait until Windows gets out of the data mining business or Linux produces an office suite that works as well as Microsoft Office.

What do you use the MS office files for?

Youl'd be supprised how many don't use them for anything other than storing on internal file servers. The next question is does anybody ever send you MS Office files, again a supprising number say no.

Which boils down to: Fear, Uncertainty and Doubt. MS happily deals with these problems. As long as you pay them (with money or data), they send updates / patches, which fixes this, for as long as MS supports MS Office.

@ Ergo Sum,

The alternative to these platforms are way to "complex" for the average end users, not to mention the lack of applications that the end users might desire for the alternative platform. It does not seem that the market share for these platform will substantially change in the near, and from some respect, in the distant future...

Do you remember Turbo/Borland Pascal with Turbo Vision on MS Dos? Do you remember how easy that was and how fast? Then they switched to Windows (they had to) and everything suddenly became complex, bloated and slow. You know, Prof Wirth was right. Simplicity is THE most important part in computing. We passed the point of no return in complex graphically "good looking" software roughly 20 years ago. The web is also part of this. It's an ever growing beast that is a money machine for GAFAM. The side effects are massive in the long term.

Clive RobinsonAugust 7, 2017 3:29 PM

Hmmm,

    That's just for the underlying platform security that could easily be bypassed the apps, as Clyde stated.

Much as I like orangutans...

Dirk PraetAugust 7, 2017 3:47 PM

@ 65535

Also, I see that Emptywheel says Hutchins’ passport was taken away. How will he travel to Milwaukee from Vegas?

See this here TSA list of accepted ID for domestic travel within the US. In his capacity as an employee for LA based security firm Kryptos Logic, he probably had one of the other documents listed there. Or he was issued a special airline or airport-issued ID.

As to the bail, some jurisdictions have schedules which recommend a standard bail amount, but it also depends on the severity of the crime, the defendant's criminal record, he/she being a flight risk, and is ultimately - but with certain reasonable limits - at the bail hearing judge’s discretion.

@ Ergo Sum, @ Gerard

The alternative to these platforms are way to "complex" for the average end users

There's several reasons why folks remain on Windows, but complexity is not one of them: it's what their new PC usually comes with and also a matter of convenience in the sense that old habits die hard and even the family computer geek can't help them with anything Linux or *BSD. A sexy and intuitive user interface would go a long way too. KDE (however bloated) was getting there, but the rewrite for Plasma 5 was a serious setback for many.

65535August 7, 2017 3:52 PM

@ Clive Robinson

[I am on meal time so I am a bit limited in my response]

“The question I ask people who make a similar comment is, What do you use the MS office files for?”

My clients use: Word, Excel and Power Point - in no particular order.

Some of my clients are quite shy about attaching MS office as attachments because of the perceived notion of virus infection and the sender not opening an MS office document because of the perceived possibility of a booby-trapped document. Although, to some extent Word, excel, and PP can be intermixed the final document is usually a pdf.

“When you ask about used features most are quite happy with Office97...”

I use it.

I frequently use a copy of office 97 or office 2000 to get a corrupted version of Office up and running [I believe the 97, 2000 and 2003 office version uses xml as a major component. Office 2007 and up, uses compressed xml and can convert Word files to pdf files. I prefer the xml versions because of a huge user base, although the files are large – correct me if I am wrong].

I will for go the Word to pdf option just as long as my clients do not complain.
What are Office documents used for?

My clients tend to use Word to copy most web pages along with said hyper links.

Second is actual construction of proper letter writing and legal items => converted to pdf for transfer or storage].

PP is used for governmental presentations.

Excel is used to take certain accounting documents that are CSV and place them into said spreadsheet. Then the data can be manipulated to their desire and can be export in CSV format.

OT:
Clive, are you talking Medical Doctor [MD] who is also a lawyer and accountant? That is a rare combination.

@ Dirk Praet

“Have you ever tried LibreOffice…”

I have not tried LibreOffice.

I have tried Open Office. My clients complained about compatibility issues with MS office files and help files with Open Office.

“Whether you like it or not, the .pdf format is a de facto industry standard. But which doesn't imply Adobe lock-in. LibreOffice can export .pdf's too, and you can use alternatives like Foxit Reader for either reading or writing.”- Dirk Praet

My problem is most new adobe pdf readers are server side type programs [some would call them thin client programs]. Thus, it is theoretically possible to envision a hacker, CIA plant, or bad employee adding a little code to send the client’s text back to the mother ship.

Fully standalone adobe readers where the docs don’t leave the client space are more secure.

I used to use Foxit as did some of my clients. The free version of Foxit has a little problem with addedware. The old versions of Foxit are fine. There is a problem of “finding words” [the find command] in foxit. It may stem from the free version not being fully OCR readable – that is what one client said. I don’t have all the details of all the Foxit versions so I am taking my clients word for it.

“…strong evidence that Senators and House Representatives are being monitored in real-time by foreign adversaries.” -Previous poster

“If this wasn't the case, someone would not be doing his/her job. The US IC are doing the exact same thing with foreign politicians of interest.” -Dirk Praet

That is true. But, it is also true that National IC protects information transmitted between top law makers [or secures it as in the case of a foreign stingrays grabbing US senators hand sets]. This assumes I am reading your statement correctly.

I got to go. Excuse all the errors.


Clive RobinsonAugust 7, 2017 6:14 PM

@ 65535,

, are you talking Medical Doctor [MD] who is also a lawyer and accountant?

No I'm not talking American MD (medical doctor) but a UK MD (Managing Director) which in America they would call a CEO (Chief Executive Officer).

65535August 7, 2017 10:13 PM

@ Clive Robinson

I understand now. I learn something new here all the time. Thanks for the explanation.

Thinking Cap OnAugust 7, 2017 10:57 PM

Google has fired James Damore, an engineer who wrote a controversial essay arguing that the company has gone overboard in its attempts to promote diversity. Damore confirmed the firing in an email to Bloomberg.

As usual dim witted Americans took emotional sides on the issue. I think the issue is largely a red-herring for the real reason the Google culture MUST CHANGE.

Intelligence without Conscience
Google was too ruthlessly effective in data-mining and programming people into becoming addicted zombies. They were smarter than professors, teachers, courts, law enforcement and law makers. The bought off the news media with click-bait advertising. They have corrupted institutions like government, libraries, and grade school educators. They used they superior intellect to data rape entire societies who have become addicted to being hand-fed.

We’re on to Them
Only now after a few decades a groundswell of people are starting to wake up. Like Europe with its record 2.7 BILLION fine. Most countries of the World could see the harm and reject American Big Data.

The bottom line is American Big-Data was able outsmart and thus exploit everyone else. Clueless Americans knew the country was on the wrong track but were unable to figure out why? In their defense all the high-tech companies work in bulletproof extreme secrecy (with China the exception).

Their elaborate all-encompassing surveillance system is largely in place. They knew this exploitation could not last forever so they can now afford to become less technically and brutally effective. So being good citizens they are changing their culture and trying a different approach

Training the Minions
American Big-Data is now flat-lining out with the stock market set for a big correction. Google CEO Eric Schimdt went to the Obama White House hundreds of times and investigations were dropped. Then last fall he went to Trump Towers twice but was politely turned away. No more special favors...

If You Want Something Done Right - Do It Yourself
Silicon Valley’s livelihood depends on hiring innovative engineers who have not been debilitated from their very same algorithms! But Trump is a HUGE problem.
Since they now control the news feeds they are counting on once again be able to use their superior intellect to outsmart the minions by subtlety shaping and biasing the news over the next three years. Hence Mr. Facebook's run to be the next president.

The Stupidity of Nagging 150 Times Day
Note the author is still able to still critically think (by not owning a ‘smart’ phone)

FigureitoutAugust 7, 2017 11:26 PM

Wael
--Yeah I looked at that, would be tough to implement on this platform.

Clive Robinson
--Thanks for the background on the subject. I don't have the brainpower or experience to reply to it really. Said it before, wish I could talk in person or just have you visit the lab (only if you were bored and I could compensate you w/ a nice cup of tea w/ honey :). There's a certain amount of error that's acceptable in the crystals, and what appears to be happening between some particular 2 units, one of them has an error above the desired frequency, and one below. That gap, on some evidence we gathered today, appears to get near the limit. Why that mismatch caused some reduced (but still acceptable to us) performance in units may be laid out in your comment. Using an external crystal, we're bypassing the internal FLL used otherwise, so the clock signal I don't think is well-protected.

TomAugust 8, 2017 12:35 AM

@ Ergo Sum, @I Givvup @Clive

"It does not seem that the market share for these platform will substantially change in the near, and from some respect, in the distant future..."

That's how it seems. Clive was dismissive of the vaunted "inherent security of Unix," in which direction I waved my arms. So at least I've got unpopularity on my side.

Yet, as a user who has seen certain conveniences disappear over the years, and how permissions seem to gain importance (at times causing further inconvenience) in how the machine handles some end user visible operations, I do conclude that Apple is trying to solve security problems before they become big. Apple apps are preferred, and I've got nothing MS branded. Libre Office is pretty good, and it opens files Pages won't.

@Clive, & Others following the RF topic

I think another part of the high Q oscillator inductor myth derives from the use of toroid cores, which are compact and convenient and high Q. But they are subject to physical factors, impact, vibration, heating. So a good air core inductor will yield lower phase noise.

In reference to low power or low bandwidth signals. You're probably aware, but if not, might the weak signal software WSJT & WSPR have something to offer here? The slow morse experimenters achieve very narrow b/w; google QRSS.

ThothAugust 8, 2017 12:38 AM

@Clive Robinson, Nick P


re: Enigma Bridge's distributed smart card array presentation slides and Prison Model

Their presentation slides regarding their distributed smart card array setup is in the link below.

I wouldn't want to talk too much about creating smart card arrays for now as these are proprietary information but it is not as simple as converting network commands to smart card commands as things can go very wrong easily if network commands are not properly filtered. There is a heck of a lot of stuff going on behind the scenes and it gave me a bad headache when I was developing my proprietary production smart card array setup but I eventually solved them.

Honestly, it is pretty impressive that they got so much figured out but they are still lacking because they assume a semi-honest setup where a quorum of ICs with distributed crypto but doesn't seem to have algorithms to check whether the distributed crypto is correct as the output is simply trusted.

This is definitely more of a Castle Model than Prison Model as Prison Model relies on checking the computation (correct me if I am wrong @Clive).

@Nick P, I would assume they have figured out how to do load balancing between smart cards since I was digging around the demo and it seems like they could automatically assign a unit of card(s) to do an operation (although the test timed out).

Link: https://enigmabridge.com/DEFCON25_mpc_security_when_all_is_hacked.pdf

Clive RobinsonAugust 8, 2017 4:15 AM

@ Tom,

You're probably aware, but if not, might the weak signal software WSJT & WSPR have something to offer here? The slow morse experimenters achieve very narrow b/w; google QRSS.

I've done a bit of EME and Troposcatter a few years ago now, back when even slow morse was not upto the job. I wanted to have a go with 6 tone Piccolo (developed by UK's Diplomatic Wireless service) but non technical issues got in the way of that. I've also worked very long paths on 144 using very slow data rates[1].

The problem is even under ideal conditions there is only so far you can go before you can not aford the cost of the equipment.

Worse you rarely get ideal conditions, and a Loss of Signal (LoS) system is going to get a lot of false positives. Think being in a car and driving down a freeway/motorway/autoban at speed listening to am FM radio station you get to hear the effects of metal lamp posts causing peaks and nulls in the signal. Those are but a tiny fraction of the effects you get with QRP systems when worked mobile.

Also the problems get worse with increasing frequency thus shorter wavelength, but it's the short wavelengths you need to make the antennas sufficiently efficient yet unobtrusive on your person.

I've even had fun using loops made of ribbon cable and LF to make "Cave Radio systems" for pot-holing enthusiasts. That have an RF bandwidth so low and narrow that only a euphonium player in a German Oompah band with a bad head cold would sound normal.

And the one characteristic all these low power narrow band systems have "flaky operation" across the air interface.

There are ways to improve things, multitone orthagonal signalling with Forward Error Correction trellis encoded data formats is one. But then you kind of reach limits on that when you are sending twice the number of bit of error correction that you are data. You can squeeze a bit more by using repeats with time diversity.

Better yet is to use Spread Spectrum techniques such as Direct Sequence as they tend to overcome certain types of interferance such as other transmitters.

In recent years DSP via PC sound cards has become normal and amateur radio enthusiasts have embraced them much more than the commercial sector. You can even get apps for your mobile phone that turns it into a PSK31/63 modem... So yes it's getting easier but no it's still not ready for "Prime Time".

But the one mistake you should not make with an LoS system of this nature is to use two way error correction. That's most definitely not a good idea as it tells a potential attacker where the "check station" is.

[1] Such things have a funny side. Imagine if you will to bare and oft windswept hills in two different countries early on a very cold and frosty morning, where the ground was frozen so hard you could not drive an earth spike in. Although the wind was still the air had that pregnant feeling of sleet or blizard being over due. Looking over the sea it had a gunmetal hue and a heavy oil roll breaking inaudibly far below. You use the excuse that the car battery looks low to fire up the generator for a little while in part to break the unearthluly quiet, and so you can use the car-kettle to make a flask of realy hot tea. The duely apointed hour arives, on last system check the genny gets switched off and you flick the switch on the hand built computer auto keyer, it sends out your call sign at 12WPM as required by the licence conditions before switching into a long very slow morse signal then the surreal quiet gets shattered by morse code from your pocket, it's a text saying "are you up" not from your loved one still curled up warm in bed at the hotel but from that distant unseen point you are aiming for. You ring back saying yes and then you discuss moving the antennas a fraction, just as you are getting a signal a disembodied sound comes from the rising mist, there is something out there, you ignore it concentrating intently on the task at hand. Then a dog barks, and a shape rises rapidly from the mist in the corner of your eye, and a bl**dy sheep startled by the dog runs straight into the loops of cables pulling the antennas down and the transmitter off the table and there is a loud futz as the hand built autokeyer gets the full works treatment from your just made cup of tea. The sheep frees it's self and wanders back into the mist, and a voice floats out of the only bit of kit still working, it's your oppo from that distant unseen point on the mobile phone asking if you are all right as they had heard you shouting very naughty words. You explain whilst looking at the kit and realise once again the day is over before it's begun and that maybe fishing would be a better hobby, because at least you can talk about the one that got away without getting Shaun the Sheep jokes.

Dirk PraetAugust 8, 2017 4:51 AM

@ 65535

But, it is also true that National IC protects information transmitted between top law makers [or secures it as in the case of a foreign stingrays grabbing US senators hand sets].

For some interesting insights into the state of POTUS communications, see here. The DHS has also recently released a new study on Government Mobile Device Security to Congress.

Perhaps someone else can fill us in on current standard communications security programs for members of Congress. Needless to say, of course, that none of these programs will be very effective if said members of Congress do not adhere to security recommendations or use different devices for personal communications, as recently shown by a high-ranking USG official using a very old and very insecure Android to tweet about.

JG4August 8, 2017 6:29 AM


the discussion of optimal investment and optimal gambling strategies touches a some of the simpler aspects of game theory. Reagan may have been one of the sharper knives in the drawer, having an innate sense of game theory (e.g., trust but verify), but Trump may be a master of it. this is not an endorsement of Trump or the War Party that he may or may not be battling, just an invitation to ask whether there might be a method to his apparent madness

http://www.zerohedge.com/news/2017-08-07/trump-winning

I thought that I had posted in 2013 the beginnings of a first-principles derivation, but I can't seem to find it. it begins thusly, "From quarks to galaxies, dollars to donuts, neurochemistry to politics, it's all transfer functions, all the time, all the way up and down the scales of length, time and networks." it ends with the key question of the human condition, which is optimal resource allocation, "what are the highest and best uses of resources?" for the poor, the resources are blood, sweat and tears. for the wealthy, time and money. the middle class used to be in between. it must be obvious that security depends deeply on game theory. wisdom is the ability to recognize, articulate and balance long-term interests. of course, you won't have any long-term interests if you can't manage the short-term problems, like being eaten because you're made out of tasty meat.

https://www.nakedcapitalism.com/2017/08/links-8817.html
...
Error 404: A Look At Digital Decay Visual Capitalist (micael). This is a big issue. For instance, NC is an important resource to economists and historians and even more so post 2011 due to our detailed reporting on the crisis in real time and excerpts from sources that have since gone dark.

The End of Typing: The Next Billion Mobile Users Will Rely on Video and Voice Wall Street Journal

How Smartphones Are Making Kids Unhappy NPR (David L)

...
Big Brother is Watching You Watch

Why Facebook should pay us a basic income Financial Times (David L). A provocative ways of arguing users should be paid for their data.

You’re CLEAR CLEAR (UserFriendly). Super duper bad. Normalizing handing over biometric data for mere convenience.

We Anonymously Controlled a Dildo Through the Tor Network Motherboard. While this is all good fun, it also means someone can probably anonymously control your IoT device if he’s determined to do so.

435 Single Points of FailureAugust 8, 2017 6:49 AM

If only one House member (out of 435) of USA Congress communications are compromised then they ALL are. Since they don't trust one another, they each hire computer professionals.

In this case the internal emails of all House of Representatives have been monitored by Pakistani system administrators since 2010.
There is an active FBI Investigation.
While still on taxpayer payroll the evil genius con-man was recently arrested attempting to flee the USA for Pakistan.

Only in America
The 10% popular Congress is in denial while the press is asked not to cover this gigantic security breach.

Code Name BozoAugust 8, 2017 9:07 AM

@435, Awan is also linked to Egyptian and Iraqi intelligence assets. He's a perfect example of standard CIA procedure for domestic operations: borrow another country's intelligence assets under eyes-only liaison agreements, and protect them from law enforcement as sources and methods.

http://www.unz.com/pgiraldi/the-tale-of-the-brothers-awan/

You may recall, that is how CIA infiltrated 9/11 boogeymen Khalid Almihdhar and Nawaf Alhazmi into the United States. That trick is reserved for the touchiest, most sensitive jobs. Like making sure evidence of CIA's universal-jurisdiction crime does not leak out. You know how Brennan went berserk and hacked Congress when he thought CIA's torture report might have got around. He got a public spanking for that, so CIA's new approach is implausible deniability - high-profile surveillance of legislative oversight with a spy-vs-spy cover story for the rubes. Awan's business card actually reads CIA (Cars International A, huh huh get it?)

Because the crime against humanity of systematic and widespread CIA torture is the least of it. CIA's got hotter stuff to hide. Proliferation and use of BWC-illegal bioweapons. Proliferation and use of NWC-illegal nuclear weapons. The crime of aggression. The whole world knows CIA is the USA's command structure, and they're going to put a stop to CIA's covert fun and games.

TomAugust 8, 2017 2:37 PM

@Clive
Thanks for the best radio adventure yarn since Hammond Innes, indeed better -- due to unpredictable outcome. Hi.

Nick PAugust 8, 2017 4:57 PM

@ Wael

"I asked you something about four years ago. Four years later, you give me the answer!"

Oh, hell no! I gave you part of the answer in that one but a thorough answer in another thread breaking it down year by year. I talked about prior policies, 9/11, how it would be done in a SAP, how it would take a few years for certain projects to come online, and so on. I can't find that second one which is actually the important one. It doesn't help that every HTML page on this blog has "2004" in it due to the About section. You got a link to it?

"Brings up an interesting tale of two cities dichotomy: why is older hardware considered more secure whereas older software less?"

It's straight-forward. For hardware, the subversions started later with one able to assume it was non-subverted by default with decent probability. Secondly, they had limited resources the more you go back where they didn't waste them on things like management engines. For software, attacks are found over time, patches are needed, and so software gets more secure over time with updates.

@ Clive

"I'm surprised with your Google Fu you did not link to where he said hardware befor 2005..."

Thank you! Seems you remember the one where I broke it down in detail. He's either messing with me or been using his own prescriptions in his morning coffee or tea.

@ Dirk Praet

"The downside however being that you'll remain stuck on older operating systems and apps whose newer versions - especially for crypto-related stuff - require processor extensions not supported on aging hardware. "

The trick is to use old hardware with modern BSD's or Linux. Some assembly might be required. The generic drivers used work pretty well, though, if one is talking basic PC's.

Clive RobinsonAugust 8, 2017 5:04 PM

@ Tom,

Thanks for the best radio adventure yarn

It's one of a few, the one that generally gets most laughs is from when I was wearing the green. It involved a 1KW HF transmitter, a cow that became a dummy load and a mad Scotsman with three stripes on his arm and red hair that put carrots to shame. It gets most laughs when I impersonate him, not just in words and accent but actions as well as he ran across the field to berate the cow with a baseball bat... I suspect that the sight would have warmed the heart of the great Scottish poet who was also from Dundee William Topaz McGonagall. Who wrote,

On yonder hill there stood a coo. It must hae gone, it's not there noo.

WaelAugust 8, 2017 5:43 PM

@Nick P,

For hardware, the subversions started later with one able to assume it was non-subverted by default with decent probability

We can't make that assumption. I say subversion was there from day 1. It's not like TLA wizened up all of a sudden! The fact that we don't know (yet) about previous subversion mechanisms has nothing to do whatsoever with their existence. Can you quantify the probability?

and so software gets more secure over time with updates.

That's debatable. Some software updates weakened OpenSSL, counter-examples aplenty.

Some assembly might be required.

Wasn't that the root-cause for ROP on OpenSSL? Look: software updates could be a security fix and they can be a security hole, deliberate or unintentional.

He's either messing with me or been using his own prescriptions in his morning coffee or tea.

Not messing with you. Put the link where your mouth is :) Besides, this is the wrong prescription, ma man! This version helps one remember. The other imitation variant makes one forget, which is what you probably meant.

65535August 8, 2017 8:38 PM

@ Dirk Praet

I took a look at both of your links

https://electrospaces.blogspot.de/2017/01/the-presidential-communications.html

Process to be made mostly in the future [One one hand good security on the other hand bad security]

https://electrospaces.blogspot.de/2017/01/the-presidential-communications.html

[See two-thirds down electrospaces page]:

I looked at the picture of USA President Obama using Araya 9608 “secure phone” in mid 2015.

Wikipedia [the Araya 9608 is a fairly old phone]:

"The 9608 phone is an eight-line phone with directory and speed dial functions, with a monochrome display and four programmable keys. The device also supports Bluetooth headsets."

[Note, the Bluetooth headset which would be a favorite of Obama and his need for radio communication gadgets – which doesn’t seem super secure. Someone/something close to him could possibly pickup the Bluetooth signal and probably get the metadata and record it].

https://en.wikipedia.org/wiki/Avaya_9600_Series_IP_Deskphones

or

https://en.wikipedia.org/wiki/Avaya_9600_Series_IP_Deskphones#Current_models

That secure phone may be fairly scammable. This lame on the part of who ever is securing the US President.

@ 435 Single Points of Failure

“If only one House member (out of 435) of USA Congress communications are compromised then they ALL are… Congress is in denial while the press is asked not to cover this gigantic security breach.”

If you are correct the USA lawmakers have a huge security problem… along with the rest of the Country.

I assume this compounded by the use of private email servers for keeping behind the scenes discussion from the public record. Think HRC email server...

@ Code Name Bozo

“…Awan is also linked to Egyptian and Iraqi intelligence assets. He's a perfect example of standard CIA procedure for domestic operations: borrow another country's intelligence assets under eyes-only liaison agreements, and protect them from law enforcement as sources…”

Hum, that is a possible scenario. I did not think of that.

tyrAugust 8, 2017 10:40 PM


@Clive

Chasing away sheep before operations reminded
me of the reason for kilts. A hiland sheep
can hear the sound of a zipper for miles.
Just run your zipper up and down a few times
then operate your radio,

I suspect your affinity for Orangutangs is
library related.

ThothAugust 9, 2017 12:38 AM

@all

Naive attempt for scheme to create pseudo-anonymity and preservation of privacy in 5G network.

Cell network protocols are designed as closed walled gardens and not for anonymity. Such research efforts to modify 5G network to be more privacy enhancing is in my opinion going to go down the drain as our Governments are more desperate to cling on to power and quell dissent and differing opinions. The Service Providers are required by law to fascilitate in 'lawful intercepts and exceptional access' and thus any form of privacy or personal security is not acceptable.

Link: https://arxiv.org/abs/1708.01868

Clive RobinsonAugust 9, 2017 2:14 AM

@ tyr,

I suspect your affinity for Orangutangs is library related.

Actually no, but I can see why you might think so.

You have just demonstrated why I don't like "forensics" in that you have gone from a known effect via second known effect backwards to an incorrect cause.

I like Orangutangs because they are an exception to a more general rule. Humans see things in certain ways especially when it comes to "efficiency of form". We have a notion about large primate shapes that can be said to be a subconcious view on triangles. You can sketch out a series of isosceles triangles that give the essence of a human givin sholders to waist and waist to hips and the simalar for the parts of the limbs. You see a similar pattern in gorillas. In general we see that form as desirable imbuing it with notions of strength, cleanliness of movment etc.

When you look at an orangutan you don't see this power pattern it looks wrong to our eyes, they look soft and cuddly. As Terry Ptatchett observed they do rather look like an oversized hot water bottle or rubber sack sparsely covered in orange/brown hair with that rumppled sunday morning just out of bed look. But when you look at them and they look back there is something very very human in the look they suddenly look like an old person or young child just enjoying sitting their watching the world go by. Unlike some other large primates they rarely make you feel nervous in their presence.

There is also the story of primates and what they do with a camera. Chimpanzees are said to snatch it away and when they can't eat it throw it around and break it. Gorillas are said to take it politely look at it and either put it down or give it back to you. Orangutans are said to take it politly examine it take it appart put it back together in a different order and hand it back to you.

Which is maybe why Samsung made a special camera for Nonja who is a captive orangutan in Austria. Some of the pictures can be seen at,

http://www.facebook.com/pages/Nonja/190010092116

RachelAugust 9, 2017 2:50 AM

@ Clive

I have wished to thank you for your detailed response about situational awareness. Really appreciated. I'd be embarrassed to be considered the sort of person to consider cinema as a parable for real life, but for the sake of education I did indeed recall a scene from the second Jason Bourne film in response to your descriptions of situational awareness. Those films illustrating the mindset and characteristics you describe in a fairly lucid way The protaganist is hiding out in Goa with his girlfriend, when an operative arrives to kill him. Bourne keeps insisting to his girlfriend 'he's wrong, it's all wrong, the clothes, the car, the hair, he just doesn't fit here, we have to go' Many of us will describe having a similar- if less dramatic-sense of innnate knowing about scenarios or people, although most of us learn the hard way - by having no choice - instead of the formal training a field operative may receive. Which involves the act of repetition you described, Clive.

Clive thanks for the discussion about countries to host an event. Interesting you mention Ireland there is a similar event in Dublin in October I posted a couple months back www.cyberthreatsummit.com
Okay not really on par with what Thoth describes but there it is

I wished to ask you why you placed Australia so high on your list (until recently) There are countless examples over decades of why its governance could be considered equivalent to a mere vassal for US policy, often in complete opposition to the feelings of its residents.
I might add, no reason for previous politicos to be considered any better than current ones
(oh no! Did I just disagree with Clive?!)

RachelAugust 9, 2017 2:57 AM

Someone commented on the VPN Hot Spot Shield

as long as three years ago folks were pointing out its TOS reads like the most overt honeypot imaginable. On the lines of "we will take your data. We will sell it to all comers. We will enjoy doing so and in fact will be sure to have a beer whilst we do" Certainly pays to read them

EULAlyzer was mentioned here, great idea - reviews TOS for dodgy keywords on your behalf. Haven't gotten around to trying yet - 65535 I recall you were going to demo?

https://noiszy.com/
This was raised here a long while back but no one commented. It's a FOSS add on for drowning online behaviour in, er...water.(?)
Anyone see any drawbacks with this approach?


RachelAugust 9, 2017 3:03 AM

PS thanks to Thoth for opening discussion about countries and thanks to all for their the fascinating responses

Thoth : your question about a canary style comms for personal safety. Dirk addressed the simplest, non technical approach. Which is arguably the most reliable.
I won't go into detail as there are many far more qualified to discuss but biographies describe old school methods and how they were employed: through out the Great War and the bigger war that followed

RachelAugust 9, 2017 4:17 AM

Clive

JG4 sent me a few links of his comments from year past (one was a duplicate, JG4 but thankyou) and therein found the following comment by you articulating the failings of digital payment methods. Which, of course, you have described in depth here many times

"Clive Robinson • October 20, 2015 6:24 AM

@ Anura, Wael,

Well as you will find on reading my earlier postings, I realised that humans were going to have issues with the volume of accurate typing that a reasonable level of security in the authentication required against computer based attacks. So I came up with what felt like a good idea at the time which was a strategy that played to human strengths and computer weaknesses "Capatchas"...."

So, Clive did you invent Captchas? This guy here thinks he did - see first paragraph of intro or just read my paste.

https://tim.blog/2016/01/26/luis-von-ahn-duolingo/

'Luis von Ahnis an entrepreneur and computer science professor at Carnegie Mellon University. He is known for inventing CAPTCHAs, being a MacArthur Fellow (“genius grant” recipient), and selling two companies to Google in his 20’s'


I am now wondering if Mr Ahnis has heard of Chuck Norris and all that entails

Dirk PraetAugust 9, 2017 4:50 AM

@ Nick P

The trick is to use old hardware with modern BSD's or Linux.

Although I haven't run into problems with BSD yet, there's two things: several Linux distributions (and some BSD's like TrueOS) are retiring 32bit and a growing number of applications are requiring SSE2 processor extensions which are missing on older processors. Examples: Firefox, Chrome, Adobe Flash, Veracrypt etc. You can check for yourself, for example by trying to install a recent 32bit Mint on an AMD Athlon processor. You'll see core dumps and "illegal instruction" stuff popping up all over the place, essentially ending up with an unusable system.

It would be kinda decent for installer routines or even the apps themselves to check for required processor extensions instead of installing normally and then failing hard at execution time.

@ Rachel

EULAlyzer was mentioned here, great idea - reviews TOS for dodgy keywords on your behalf.

It is worth noting that lengthy stranglehold EULA's the incomprehensible legalese of which boils down to having to sacrifice your firstborn to Moloch in a EU GDPR context are history as from May 2018. Non-compliance will carry stiff administrative fines.

I did indeed recall a scene from the second Jason Bourne film in response to your descriptions of situational awareness.

Situational awareness requires appropriate training (or otherwise induced levels of paranoia). It's not any different than first-aid or CPR training. You can read about it as much as you want, but without repeated hands-on practice, there's little chance you're gonna save anyone the day you need it.

RachelAugust 9, 2017 5:26 AM

Dirk

Situational awareness requires appropriate training (or otherwise induced levels of paranoia). It's not any different than first-aid or CPR training. You can read about it as much as you want, but without repeated hands-on practice, there's little chance you're gonna save anyone the day you need it.

Thanks. You are correct. First Aid is a good example, because even I as a former emergency services professional can say, it's something so rarely required in practice for most people that the weekend first aid course once a year really isn't enough, because civvie life simply doesn't provide the opportunities to use it.

When I said people learn situational awareness the hard way. I was commenting on those whom have grown up in or been exposed to a hard environment. Front line war journalism is one example.
I had a colleague who lived right through the Troubles in Northern Ireland as a civilian and he said he had a really keen sixth sense about people and places as a result

Which reminds me, @Tyr you may appreciate Sebastian Junger - war journalist - written extensively on necessity of war and the tribe it provides - PTSD occurs not because of war but because of the lack of tribe post-war. and et cetera


Dirk PraetAugust 9, 2017 6:13 AM

@ Rachel

Front line war journalism is one example.

Or, in a more urban setting, career bartenders 8-) They usually spot trouble the moment it walks in, whether it be folks under the influence, idiots in search of a fight, psychopaths, dealers, prowlers or undercover LEO's. I've picked up quite some valuable tips over the years from the guy at our place round the corner.

JG4August 9, 2017 6:17 AM


@Nick P - Thanks for the link to your excellent compendium on securing the design/manufacturing process.

today's news dump

https://www.nakedcapitalism.com/2017/08/links-8917.html
...
Everything is random: Why history’s overrated for risk management American Banker

...
Imperial Collapse Watch

Michael Brenner – The Linear Mindset In U.S. Foreign Policy Moon of Alabama

...[understanding why people fight; entropy maximization in another guise]
Syraqistan

Enhancing the Understanding of the Foreign Terrorist Fighters Phenomenon in Syria (PDF) United Nations Office of Counter-Terrorism (MT).

...[vaguely off-topic]
Who Will Win the Great China-India Naval War of 2020? Foreign Policy

...[signal integrity]
The media cannot reform itself until it acknowledges its power Mainly Macro

When Silicon Valley Took Over Journalism The Atlantic

TeffloneAugust 9, 2017 7:38 AM

Rachel,

> I have wished to thank you for your detailed response about situational awareness.

I must be blind or exhausted (don't see where it is and the search does not help). Please point me out to that/those posts.

Thanks.

ab praeceptisAugust 9, 2017 10:12 AM

Thoth

"How gloriously self-deceiving."

Interesting can of worm, albeit one I won't dig into as it's not my field. Just as an amuse geule:

Social engineering. Usually we hear about that in the context of oh so smart and evil hackers. It might be worth a closer look, though, to find out who are the big league players of social engineering. My guess: the governments. And yes, *of course* the large corps don't hesitate a second to ride the wave, too.

Looking factually at it, the truth of the statement that software can't be but lousy interestingly depends *entirely* on the context.
Fact is that we *can* build software that is at least almost free of bugs, vulnerabilities, etc. Unfortunately, fact is also that we almost never do that and prefer - for diverse reason - to produce plunder. It seems important to me, however, that that is the result of a *volontary* decision.

Nick PAugust 9, 2017 11:21 AM

@ Wael

re NSA subversion

"We can't make that assumption. I say subversion was there from day 1. It's not like TLA wizened up all of a sudden! "

There's little to assume. I've been doing research on NSA since Puzzle Palace. There's declassified documents and retiring people from military who didn't like them going way back. Per Schell, they were so ignorant of need for computer security they didn't even have a security kernel for BLACKER since they focused on COMSEC almost exclusively. That tells you we're totally safe from NSA with US equipment at that time (early-to-mid-80's). Declassified docs and writings of Richard Marcinko et al showed they mostly did SIGINT with it on foreign countries. They established standards for INFOSEC (where to hit) by 1983 with that being a splinter group that main NSA people opposed seeing little need for it. That collapsed a bit with COMSEC and "COMPUSEC" forced to integrate to start working together for first time in 1990. They can't be subverting boxes if they can't even agree whether we should attack boxes or algorithms. So, 1990 hardware in U.S. probably not subverted. The Crypto Wars begging for escrow tells us they were still focused on algorithms (think like cryptographers, not hackers) who weren't routinely breaking implementations and OS's. Makes sense given Hayden's report on the NSA indicated they were a cluster(bleep) of epic proportions operationally. See their ineptitude in his "went bang" description here. His attempt to whip them into shape with strong focus on SIGINT and modernizing IT started in 1999 with him still griping in 2000 about operational issues.

So, around time of Hayden, they actually started getting their stuff together. I assume they were seeing all the media hacks like everyone else. Hiring more hackers as groups like Marine Corp Intelligence were. The hackers were still low-level footsoldiers. Although Myers wrote on subversion in 1980, NSA still hadn't been hitting endpoints as well as Karger et al did in the 1970's when NSA was in the mid-1990's with Hayden fixing it in 1999-2000 range. Based on that data, *you* are assuming there's a high probability that they (a) got that knowledge to high-ups via footsoliders' managers, (b) started a waived USAP since spying on Americans was illegal then per law, Bamford, and others, (c) developed the expertise of all sorts in that bubble, (d) infiltrated, paid-off, or repo-hacked Intel and AMD all in a few years, and (e) started using those subversion after 9/11 when it was legal. That sounds like more than just assumptions: it's quite an inventive story that goes against the data of how they were acting at the time. I figured they'd be hacking foreign targets at most based on the data.

So, I predicted 1999 or before was safe from all U.S. subversion with mass surveillance plus potential subversions (esp software) starting around 2003-2004 based on time from 9/11 to USAP's to NSA launching programs to them coming online. Always takes a few years for big agencies. So, we get the leaks. We find they started tapping cell networks for mass surveillance around the year in my timeline. We recently find that TAO wasn't even created until 1997 with overall operations a disaster still in 2000. Combined with data saying they did foreign only, this supports my claim that 1999 or earlier hardware probably wasn't subverted by TAO if it's domestic supplier. I'd say there's more reporting in there than assumptions. Both predictions were hits with reasonable error margin that didn't impact security results.

Now, we might find new info that counters my theory with some facepalming. I'm proud of my detective work, though, since it's held up through over a decade of leaks including Snowden's and Core Secrets.

re software updates

You bring up the fact that a change can reduce security. It's you who claimed software security goes up over time. Not us. Within your claim, I found some specific things (i.e. updates) that on average improve software over time if it's a bug-fix. The alternative is leaving a known vulnerability in the software. Most hacks are due to people patching too slowly as opposed to 0-days. So, the data supports my claim that updates usually improve security. Another thing that does is peer review. Old hardware doesn't improve from that since a better design is *new* hardware by definition and result of manufacturing processes. It might not even have physical properties of old one even in features they share due to differences in manufacturing processes.

"Put the link where your mouth is :)"

It was like 2nd or 3rd time you brought it up. So, I didn't save link. Figured you had it. Oh well. My explanation above could probably be turned into it.

@ 65535

I really doubt those Avaya phones are secure. The trend recently has been to get more COTS's stuff with more features faster at expense of quality or security. They just added some software components and did some EE work for the SCIF. That's all we should assume. If Avaya had a secure TCB, they'd probably be reusing it for ROI in a lot of other products in enterprise space. Instead, we just see their phones getting smashed by hackers. Quick illustration. You know it's bad when they accidentally find a vulnerability while looking for a different one.

@ Dirk Praet

"Although I haven't run into problems with BSD yet, there's two things: several Linux distributions (and some BSD's like TrueOS) are retiring 32bit and a growing number of applications are requiring SSE2 processor extensions which are missing on older processors."

Yeah, I'm aware of the trend. One would need old versions of software that supports key apps or needs. It gets worse over time. It's because they don't know the value of supporting that old hardware or have the resources one. Possibly work like SAFEcode or SVA-OS could be used to keep those OS's secure even with most of the vulnerabilities in them. Then, backport modern, lean tools being written in stuff like Rust to the older OS's. Gonna be a lot of effort regardless if one wants legacy NIX applications.

WaelAugust 9, 2017 11:23 AM

@Rachel,

So I came up with what felt like a good idea at the time which was a strategy that played to human strengths and computer weaknesses "Capatchas"...."

If I invented CAPTCHA, I would deny it. Lousy control. Relatively good concept, dreadul implementation

WaelAugust 9, 2017 11:56 AM

@Nick P,

There's little to assume. I've been doing research on NSA since Puzzle Palace.

You make a good argument. But have you investigated the possibility that "they" leveraged or outsourced foreign expertise pre 1999?

I'm proud of my detective work, though, since it's held up through over a decade of leaks including Snowden's and Core Secrets.

It's extensive work. You should be proud :)

It's you who claimed software security goes up over time. Not us.

I don't remember that claim!

My explanation above could probably be turned into it.

Excellent explanation, given the relative secrecy and lack of information you had to work with.

Who?August 9, 2017 12:12 PM

Found this while looking for information about the modernisation of the U.S. nuclear arsenal... believe it or not, "Defense is still using 8-inch floppy disks in a legacy system that coordinates the operational functions of the United States’ nuclear forces."

http://www.gao.gov/assets/680/677436.pdf

(from pp. 60 and 61)

"The Strategic Automated Command and Control System is the Department of Defense’s (Defense) dedicated high-speed data transmission, processing, and display system. The system coordinates the operational functions of the United States’ nuclear forces, such as intercontinental ballistic missiles, nuclear bombers, and tanker support aircrafts, among others. For those in the nuclear command area, the system’s primary function is to send and receive emergency action messages to nuclear forces.
According to Defense officials, the system is made up of technologies and equipment that are at the end of their useful lives. For example, the system is still running on an IBM Series/1 Computer, which is a 1970s computing system, and written in assembly language code. It also uses 8-inch floppy disks, which are a 1970s-era storage device; and assembly programming code typically used in mainframes. Replacement parts for the system are difficult to find because they are now obsolete."

(from p. 61)

Defense is also replacing some legacy functions in the near term—according to officials, there is a plan underway to replace the floppy disks with secure digital cards. This effort is underway and is expected to be completed in the fourth quarter of fiscal year 2017.

65535August 9, 2017 5:16 PM

@ Nick P

“I really doubt those Avaya phones are secure.” –Nick P

It looks like you are correct.

I took a look at your link. Yes, those Avaya phone look insecure:

“Dr Ang Cui explained that this vulnerability was found last year in Avaya ONE-X blowers (including 96xx models – the models Obama was using)… Every single Avaya phone out there that has this vulnerability works with a user root and a password of nothing…”

[And]

“Dr Ang Cui anyway shares some information related its tests:
• 20 phone fuzz farm
• 1 month automated fuzzing
• 10gb of crash data
• 10K+ documented crashes
• Ran basic clustering algorithm to determine unique root-causes
• Chose top 4 unique crash cases
• All Reliably reproducible
• Manual analysis for exploitability”

See:
http://securityaffairs.co/wordpress/36187/hacking/how-to-hack-avaya-phone.html

A nation state actor could probably scam those phones. And, the model of phone Obama used had a Bluetooth head set [more attack surface].

From Avaya’s description, they copied the blackberry system. The phone was connected to a server and used SSL/TLS and probably a Kerberos style authentication system. The rest of Avaya details were sketchy. The phones seemed fairly scammable.

Worse, the President of the USA was using it in his “Secret” conversations.

cgAugust 9, 2017 5:22 PM

Re: Paul Manafort

Of all the Trump campaign officials, Manafort has the most known connections to Russia. Before he joined Trump's campaign, he was a political consultant in Ukraine, where he helped elect a president backed by Russia.

I've been following news of recent political campaigns and elections from U.S. and in the English language from Ukraine.

This is the most damning evidence yet against Donald J. Trump. In my opinion, if this pans out, he will surely be impeached and removed from office and "subject to Indictment, Trial, Judgment and Punishment, according to Law."

Return of British Common Sense – Say it Ain’t So!August 9, 2017 5:36 PM

I’d written off the British government as utter fools controlled by big-data corporations. Privacy was overrun just like the faded Red, White & Blue in America

So I’m pleasantly shocked with the following:
The new British Data Protection Bill (DPB), as it's currently known, includes amendments for GDPR compliance. For example:
≻    Make it simpler to withdraw consent for the use of personal data
≻    Make it easier and free for individuals to require an organization to disclose the personal data it holds on them
≻    Allow people to ask for their personal data held by companies to be erased
≻    Require ‘explicit’ consent to be necessary for processing sensitive personal data
≻    Enable parents and guardians to give consent for their child’s data to be used
≻    Expand the definition of ‘personal data’ to include IP ADDRESSES, internet cookies and DNA
≻    Make it easier for customers to move data between service providers

The criminalization of data re-identification
On top of the GDPR provisions, the DPB also comes with an extra proposal. This is the creation of a new criminal offence for when someone, intentionally or recklessly, re-identifies individuals from anonymised or pseudonymised data.
"Offenders who knowingly handle or process such data will also be guilty of an offence," the DPB proposal reads. "The maximum penalty would be an unlimited fine."

Comment
This must be fake news as the toilet has already been flushed. Or disingenuous ploys by British politicians?

“It is not far fetched to believe that May’s unpopular proposals – from deeper corporate surveillance to outlawing end-to-end encryption – could be shoehorned into the DPB in the period following Brexit. Suspicions of the DPB being a sort of “Trojan Horse” are valid.”

These EU typelaws are taking effect May 2018. They are a major reason Google and Facebook are FORCED to change their data-rape culture.
In contrast the Addicted Zombie Coalition is in conditioning training to vote the Facebook Minions Party candidate for President.

Pulling the HeartStrings
Sadly many tears later Sheryl Sandberg still hasn't recovered from her loss and (behind the walls) Mark had a baby. How joyous!
Such caring, touching, personalized ordinary people. I deeply feel they are my bosom buddy friends.

Clive RobinsonAugust 9, 2017 5:43 PM

@ Rachel,

oh no! Did I just disagree with Clive?!

Don't worry you won't be turned into an internet frog[1] :-D I'm told disagreeing with people is part of societies social development when constructive.

With regards,

I wished to ask you why you placed Australia so high on your list (until recently) There are countless examples over decades of why its governance could be considered equivalent to a mere vassal for US policy, often in complete opposition to the feelings of its residents.

In part it was from visiting Australia half a lifetime ago and from the many of "Australia's Sons and daughters" I've worked with over the years some of whom had done their time at the ADFA doing amoungst other things studying Crypto and more recently computer security.

As for the quality of Australia's Politico's, how can I put it delicately, the world press when they talk about them it's usually because one of them has behaved like a "Sir Les Patterson" chatacter. The most recent being reported even on this blog over the primacy or not of the laws of mathmatics... As for them behaving like a vasal of another nation, that's Unfortunatly true of a large number of countries the UK being one as well...

As I've noted with the FiveEyes nations before the respective IC's all appear to belive they are above the elected representatives of their respective nations and not accountable to anyone other than clique. Something the people of the US have had a rude awakening to since the revelations of some of the Ed Snowden trove.

[1] Though I hear people are doing strange things with cane toads these days,

https://www.washingtonpost.com/news/morning-mix/wp/2016/06/14/australian-is-battling-a-killer-toad-by-turning-the-frogs-own-toxin-against-it/?utm_term=.32bfbb3cbf9a

Clive RobinsonAugust 9, 2017 7:02 PM

@ 65535, Nick P,

Worse, the President of the USA was using it in his “Secret” conversations.

You are making an assumption that may not be valid.

US Presidents come and go, and are amenable to persuasion as J Edger Hoover well knew.

Thus as Hoover and most longer term heads of agencies know you don't survive by say anything important to a here today gone tomorrow politician as they will only blab about it or create trouble. It's a standing joke that if you want everyone to know you tell a congress critter it's of the highest level secrecy and they will "pass it on" thus every one will know.

Thus it's unlikely that any US politician gets to hear about anything that realy needs to be kept secret, and that includes the President. Which means only that which it can be assumed that others such as foreign agencies already know about is told to the President.

Look on it as all part of "Being economical with the truth" and thus "Plausible deniability" which gives rise to the "Don't ask, won't tell" ethos that gave us amongst other things the banking crisis one and two...

65535August 9, 2017 7:08 PM

@ Rachel

I didn’t promise to demo but I said I would check it out – a lot less then demo it.

I did download EULAlyzer 2.2xx from BrightFort LLC. I used a sacrificial box [XP Pro SP3 with Office on it. I made a restore point before installing EULAlyzer.

Then I installed EULAlyzer. This caused the program's EULA to pop-up and I had to click a radio button to get the program to install. I did not get to analyze said EULAlyzer's EULA [a disappointment].

Next, I downloaded the Chrome browser. Then I started to install the Chrome Browser and the EULA popped up.

I had difficulty getting the drag and highlight tool in the EULAlyzer to cover the entire Chrome Eula. I did click Chrome’s printer friendly button and highlight all of the text and pasted said text into the EULAlyzer box.

I then hit the “analyze” button in the EULAlyzer. The results were quite lengthy.

The flagged text indicated a number of groups or areas of interest which can be expanded by clicking the plus symbols:

Advertising:

12 hits for flagged Advertising text. The highest interest level 8 on a small graph was “displayed Advertisements” which showed a snips of text:

“…by advertising revenue and may display advertisements and promotion. These advertisements…”

The other hits were rated at interest Level 4 or half of the first hit.

Promotional Messages:

1 Hit at interest level 4 reading:

…enue and may display advertisements and promotions. These advertisement may be…

Third Party:

11 Hits all in the 5 Interest Level

“…has no responsibility to your or to any third party for) any breach of your oblige...

And others including

“…has no responsibility to your or to any third party for) any Content that you creat…

[These text snips were very troubling]

Web Site Address:

13 Hits from #7 Interest Level to #5 interest level:

Since there are legal ramifications I will just say the actual web sites were mostly Giggle web addresses and adobe… some odd ball like Mpegla[dot]com [?] and so on.

Without Notice

There were 3 hits at #5 Interest level including:

“…ly requested, downloaded, and installed without further notice to you.”

[The above were very troubling]

Next, I Submitted "On line" the Chrome EULA and I will see what happens next.

Thus, I did not install Chrome browser on my test box.

Others on this board can have a go at testing the "EULAlyzer".

ThothAugust 9, 2017 7:26 PM

@all

Microsoft Hyper-V hypervisor has a bug that allows guest machines to escape it's confines. The CVE link is below.

Do we really want to trust our executions to these systdms that have not been proven to be reliable and secure ?

Not to forget it has the CC EAL 4+ golden sticker too !!! But EAL 4+ means nothing as everyone is getting that EAL level with ease anyway and Redhat Linux too is EAL 4+.

True open security hypervisors and microkernels are still a long way to become trusted, usable and main stream. The best way to handle multiple OSes is to use the good old way of multiple physical hardware and is this current era where singld board hobbyist computers are inexpensive, there is very little excuse for auch a setup for higher assurance security.

Link: https://nvd.nist.gov/vuln/detail/CVE-2017-8664

Clive RobinsonAugust 9, 2017 8:09 PM

@ Return of British...,

I’d written off the British government as utter fools controlled by big-data corporations

Firstly be aware that Sheryl Sandberg has been over in the UK on a "charm offensive". And somehow managed to con an honour that is given to very few people

http://www.bbc.co.uk/programmes/b08z9b81

You need to ask why the dragon has slithered out of it's lair and flown across the Atlantic?

The answer can be found by looking at the current UK Prime Minister, who due to her own vanity and stupidity is now in a precarious state. Thus the time is right to strike.

You need to realise that Mrs May was not fond of the Silicon Valley Corps, unlike her predecessor as UK Prime Minister David Cameron.

The Silicon Valley Corps see Mrs May's ideas on back doors etc as a real threat to their businesses. Put simply their users are product just like cattle are on a farm. If it becomes clear to the cattle that they are for slaughter, they are not going to cooperate with the farmer any more. Mrs May's bleatings and droning on directly or through her idiot side kick Amber Rudd "is making the product nervous" as they start to think and get cautious about what they say and do online[1].

That's the absolutely last thing Facebook's investers want as Facebook's entire business model is predicated on exploiting the spew of social intercourse that many think is what being social is all about these days.

But when it comes to modern legislation you have to think "What the left hand gives the right hand takes away"...

Think long and hard on,

This is the creation of a new criminal offence for when someone, intentionally or recklessly, re-identifies individuals from anonymised or pseudonymised data.

The UK Government has set it's self up in competition to the Silicon Valley big data corps. The UK Gov collects a lot of data on people, way way more than the US Gov does, and unlike a lot of the social spew that Facebook and Google get there is real gold in the data, things like peoples entire medical records from cradle to now and who they are related to. The UK gov want to make serious money out of this, or more correctly politicians want to feather their retirement nests with backhanders from the drugs companies and similar.

Various people have shown that the words of the UK Gov about "anonymity" via various techniques are compleatly false and thus havr campaigned tirelessly to make people aware of the dangers.

People have taken action in that they have written to their GPs saying that they are "opting out". Others have leaked what health ministers have said about how to ride rough shod over peoples wishes. It's got nasty and the Government need a way to "fool the masses". Well that is what you see there. It's an overly broad piece of legislation that actually has no teeth. Fines are just part of "The price of doing business" or more correctly "Raising revenue". They will also distort the market, such that it acts like a regulatory draw bridge to new entrants into the existing market place. Thus as a side effect reinforcing the "To big to fail" issue we see with banks into other corporates. Large Corps already know how to get around such legislation and as the UK Gov will put little or no resources into enforcment, for the big corps it will be "business as usual" with any fines being passed onto the customer.

[1] Part of it is the "anti-terror" and similar trials where things said on social media are used as evidence. People are starting to think what Cardinal Richelieu made clear with his "Give me six lines by the hand..." and it's starting to have a noticeable "chilling effect".

furloinAugust 9, 2017 8:48 PM

@Thoth
Here I was thinking I could just go and design cellular modem software. That is too bad. Why has no one tried implementing an open GPS specification? Is it for similar reasons?

@Clive
"The UK gov want to make serious money out of this, or more correctly politicians want to feather their retirement nests with backhanders from the drugs companies and similar."
More aptly put, the UK gov wants to fraudulently entice future politicians with the data they collect and with currency. Many of the current politicians already have feathered plenty of retirement nests as it is. Enough to last several generations.

ThothAugust 10, 2017 12:49 AM

@furloin

The GSMA amd like many industries are very tight lipped. They will have a specification for public review and another bunch for internal use.

Also you may need to have a national license to do telecomms related stuff including providing your own cell network. This means you have to "cooperate" with the local agencies and Govts.

Also, if you have taken a look at spec sheets for cellular modem chips, I recall a bunch of those (i.e. Broadcom) either provides a limited public API with most stuff hidden or none at all which requires reverse engineering.

ThothAugust 10, 2017 1:17 AM

@furloin

GPS is not related to GSM/Cell network. GPS is only used for positioning and you can find the specs and open implementation for GPS not GSM online.

Wesley ParishAugust 10, 2017 2:13 AM

@Clive Robinson

Re: Aussies and Politicos

You might like to know that Saltbush Bill, the quintessential Aussie, has informed the world that the angels in Heaven are building a Politician-Proof Fence.

JG4August 10, 2017 6:32 AM


I think that it is fair to say that the disinterest of the public in computer security, communication security and various other aspects of the state/corporate surveillance paradigm are lamented frequently here. I was heartened to see two promotional new items this week claiming that the migration of financial transactions to new technologies will jumpstart interest in security, if not surveillance. It's a matter of what is seen and unseen. People don't often get a glimpse of how detailed their Palantir dossier is, which might make them care about the daily harvest of life details, mood, thought, identity, voiceprint, and so much more. But they'll notice very quickly that their account is overdrawn because of a wire transfer to Belarus or their wallet is empty because their device has been hacked. Disclaimer: both links lead to subtly promotional material. Reasonably well written.

https://www.caseyresearch.com/new-type-crime-wave-will-send-industry-soaring/

https://capitalistexploits.at/2017/08/snowden-failed-wont/


quite the bumper crop today

https://www.nakedcapitalism.com/2017/08/links-81017.html
...
Troops, Trolls and Troublemakers: A Global Inventory of Organized Social Media Manipulation Computational Propaganda Research Project

Welcome to Our Global Censorship and Surveillance Platform Global Guerillas

Facebook is officially launching its big attack on TV Business Insider

The New Copycats: How Facebook Squashes Competition From Startups WSJ

Internet Archive was blocked because of court orders obtained by Bollywood studios Medianama

Maybe Americans don’t need fast home Internet service, FCC suggests Ars Technica

...[it would be helpful to distinguish neoliberal from libertarian]
Sphere of Influence: How American Libertarians Are Remaking Latin American Politics The Intercept

...
China

Chinese quantum satellite sends ‘unbreakable’ code Reuters

...
New Cold War

A New Report Raises Big Questions About Last Year’s DNC Hack The Nation. Important.

Secretive search for man behind Trump dossier reveals tension in Russia inquiry Guardian (Furzy Mouse).

Trump loyalists lash out at ‘deep state gone rogue‘ FT

Liberating Europe from Russian Gas Counterpunch

The View From the Kremlin: Survival Is Darwinian NYT

Russian spy plane trolls Trump with flight over D.C., New Jersey Politico. Open Skies program, with US observers.

* * *

FBI conducted predawn raid of former Trump campaign chairman Manafort’s home WaPo. On July 26.

We Interrupt This Grand Jury Lawsplainer For A Search Warrant Lawsplainer PopeHat

...
Imperial Collapse Watch

Trump White House weighs unprecedented plan to privatize much of the war in Afghanistan USA Today

Dangerous Pollutants in Military’s Open Burns Greater Than Thought, Tests Indicate Pro Publica

...
Black Injustice Tipping Point

‘Ferguson became a giant’: How 3 years of activism is slowly reshaping the St. Louis area St Louis Public Radio

Health Care

Judicial Watch: HHS Documents Reveal Known Pre-Launch Security Flaws in Healthcare.gov Judicial Watch

In the CMS “Pre-Flight Checklist” published on September 20, 2013, is a chart that indicates that the “Hub,” designed to help with verifying applicant information used to determine eligibility for enrollment, was unable to perform its tasks. Regarding verification of citizenship is the comment: “Hub has been too irregular to work thorough this, and still don’t have the right data to test to the 5 year bar.” Regarding verification of SSN is the comment: “Hub has reliability issues …” The Pre-flight Checklist also notes nine “high” security risks, 123 “moderate” security risks, 68 “low” and 17 “common” risks in various components of the Obamacare system.

On October 1, 2013, Americans started shopping for health insurance on healthcare.gov, and the site crashed.

A ginormous debacle for which nobody in the administration was held accountable, either internally or by the press.

Comey’s FBI Promised $50K to Shady Fusion Before ElectionAugust 10, 2017 9:04 AM

@JH4
Two of the articles involve the FBI being used as a political weapon. Comey admitted leaking to the press as revenge for being fired.

Comey’s FBI Promised $50K to Fusion Before Election

“The Judiciary Committee is also inquiring whether Fusion and Akhmetshin have done business together in the past.
The strange overlap between Fusion GPS, the dossier, and the Trump Tower meeting has piqued Grassley’s interest. He has sought to find out who exactly was paying Fusion GPS for all of its projects.
Grassley is interested in the dossier because of its importance to the FBI’s collusion investigation.
The bureau has reportedly used information from the dossier as part of the basis for its probe. The dossier was reportedly used to obtain a Foreign Intelligence Surveillance Court warrant against former Trump campaign adviser Carter Page.
Page, an energy consultant, is named in the dossier as one of the Trump campaign’s liaisons to the Kremlin. Page has dismissed the claims. He refers to Steele’s document as “the dodgy dossier.”
Grassley has also questioned the FBI over whether it paid Steele to investigate Trump. FBI agents reportedly made an informal agreement with Steele in October to pay the former spy $50,000 to continue his investigation. That payment was reportedly never made.”

Further background
Trump nemesis John McCain sent two aides over England to arrange for and then delivered the godgy Fusion Dossier to the FBI.
Bottom line it appears both Manafort, Flynn and Fusion are all dirty.

The all-consuming rage and fury of the swamp intensifies and leads to debilitating paralysis.
How can it be radically transformed?
Can war eliminate nasty out-of-control corruption?

The Guam Debate
The pertinent question is it better to hide the codes and suitcase? Or not?

To relieve the tension everyone sing ‘Theres Got To Be a Morning After’ #gallows humor

Clive RobinsonAugust 10, 2017 9:05 AM

@ Rachel, Wael,

Regarding captchas wael has a point with,

If I invented CAPTCHA, I would deny it. Lousy control. Relatively good concept, dreadul implementation

Further I doubt the person who claims to have invented them did either. They might possibly have been the first to push it publicaly, but the captcha were an idea that came of age from early replacment systems for passwords. The systems used obscured images rather than characters, usually in a three by three grid. Something else that came from that password replacment idea was seven segment displays in buttons, that would randomly position the 0-9 keys on PIN entry systems and locks.

The idea for the obscured images almost certainly came about from psychometric theory that there are things humans do well by being imprecise that computers find hard if not impossible by being precise. It expanded via "theory of the mind" as derived by evolutionary theory.

Or to cut the soft science short, the human brain developed a method to "see tigers in the bushes" kind of by joining the dots together, that would send us scurrying up trees rather than go to pieces down it's digestive tract. If you had the gene you survived long enough to pass it to the next generation a few times, if you did not then your genes kind of died with you...

Later in the 80s and 90s fuzzy logic started to eat in on the difference between computers and humans by partially mimicking the way neurons work. Basically fuzzy logic dropped the bivalent logic and replaced it with multivalence and variable action potentials

What I without doubt did do, was see the potential for the use of captchas to reduce the cognative load on humans whilst increasing it for computers for the purposes of using much shortened strings that humans could use to cross air gaps. The purpose being to put the human into the communications loop to extend it into a device that was the security end point. Thus putting the securiry end point beyond that of any device that could use covert channels to end run the security end point as currently happens with all comms connected computers and smart devices.

The mistake I made was assuming there was not a cost benifit in employing individuals to break captchas whole sale (which is what we now know happened in some of the Far East economies).

It was a mistake not to do so and not only did I put my hand upto it long ago and I still use it as an abject example of how security needs to be examined out of an economic frame. Because your implicit assumptions of your own econonic frame may not be valid in a different economic frame.

tyrAugust 10, 2017 9:14 PM


This should make us all feel more secure.

Swiped from www.tomdispatch.com

“While as a rule, U.S. leaders of both political parties have consistently committed to the maintenance of U.S. military superiority over all potential state rivals, the post-primacy reality demands a wider and more flexible military force that can generate ad­vantage and options across the broadest possible range of military demands. To U.S. political leadership, maintenance of military advantage preserves maximum freedom of action... Finally, it allows U.S. decision-makers the opportunity to dictate or hold significant sway over outcomes in international disputes in the shadow of significant U.S. military capability and the implied promise of unac­ceptable consequences in the event that capability is unleashed.”

And here’s a question that this crew of researchers miraculously don’t seem to have thought to ask: How has “more” worked out so far in the twenty-first century when it comes to the U.S. military’s “freedom” to act on an increasingly post-primacy planet?


@Rachel

Was that PTSD ? I thought I was just suffering
from the lack of clear symbolism being displayed
to indicate hierarchy.

@Nick P.

It took quite awhile for the shift to comp based
communications to re-align the radio based boys.
That is usual in the march of technical progress.
There's a certain element of tulip faddery in the
way methods of doing things catch hold and then
receive lots of funding, this drags various spy
agencies along in its train. Few areas of progress
are planned operations even though endless bloviaton
after the fact claims astute planning by wise folk
in leadership positions.

@Clive

Looking our fellow creatures in the eye often
gives us a new insight into the world around
us. A highly recommended practice for curious
folk.

ThothAugust 10, 2017 9:19 PM

@Nick P, Clive Robinson, ab praeceptis, Dirk Praet, Markus Ottela, figureitout

too lazy to do my own twitter and instagram et. al. and they are well known for guzzling up info on the user. i will put up the uniform format later on setting up a searchable gitblog soon in the README files but firstly the manifest files must follow as mine.

Link: https://github.com/thotheolh/gitblog

Clive RobinsonAugust 11, 2017 12:53 AM

@ Thoth,

too lazy to do my own twitter and instagram et. al.

Well you could modify/write an app to push blog titles ;-)

The hard hard problem as you will find is "finding" things to post to talk about on a regular basis that follow a general "theme" to develop your brand around.

The most important thing a blog must do is be "like clock work" that is put up a post at same time of day on same day of the week, so people know when to drop by. Importantly resist the urge to post a hot topic as soon as you hear about it, stop wait and importantly think before you post, have something original to say about it and try to be non judgemental. Think back to the age of newspapers, they came out at certain times of day and that was like a pulse for the readers. Journalists even newsdesk journalists tried to be fact based and impartial except on an "opinion piece" that was clearly indicated as such in some way.

Also Remember you add a little piece of you with every thread you post, it is that which people see and judge you by.

The next is being actually "open", too many blogs want "accounts" or similar impediment. Where people have to setup an account, give their email address or use javascript or some other impediment to "drop by comments", they loose the opportunity to gain a new member of the community.

Many blog owners make this mistake because they think it will lighten the moderation load etc. It won't infact it can add to your load by adding maintainence that you don't need.

Oh and resist the urge to pass judgment either good or bad on posters unless they are violating a rule or accepted norm. One of the bad things that can happen to a blog is "user up/down voting" it causes "partiality" which leads to favouritism cliques and polarisation which is actually worse in a blog than it is in a school playground.

Thirdly people don't work the same way some like to see all comments as they come in others like to see them on a thread by thread basis, whilst others like to be notified. Whilst the first two are generaly easy to do, avoid the "notified" asspect it can quickly become a massive workload and nightmare especially if you use email, because you have all the "message bounce" issues to deal with. There are better ways to do it once upon a time it was with feeds, these days some are trying with twitter etc. Pick the methods that cause you least maintenance issues but balance by load on the user.

As they say "A good garden needs constant loving attention" the same applies to blogs, if you want them to be successfull.

I used to get asked here why I did not have my own blog, and my answer was all ways the amount of work you need to put in. They realy are "A labour of love" and like humans they suffer from good and bad times. Especially they tend to have less comment on economic downturns than they do on upturns, therefore they require extra love and attention at those times. It does not matter what else you are doing you will need to keep nurturing your blog.

Clive RobinsonAugust 11, 2017 1:56 AM

@ tyr,

The funny you mention Tom's Dispatch, as I've been mulling over posting a link to one of the current articles there.

As you know there has been talk on this blog about the fall of the American Empire. History shows that Empires have two choices they die out or they evolve into the general back ground (see Rome that actually did both, first by military power which died and secondly by religion which is still around and growing two mmillennia later).

The thing is, for a non American citizen it's fairly easy to see a "Post Americam Primacy" (PAP) as a "self inflicted wound" for the US and the more the likes of the Donald fund the MIC the harder and faster the PAP is going to happen and the more it's going to hurt American citizens.

If you look at it in more human terms, people raise children to be adults, eventually the adults they have raised will join society, and in time the parents retire. The comfort of that retirment is based on what the children do...

The thing is for as long as most people can actually remember rather than learn about the US has done little but start and loose wars and any successes they might claim have been a fresh crop of dictators staging military coups against democracies or other established order. Which unfortunatly for US citiens then need to be backed up militarily to stop subsequent coups. Great if you are the owner of a corp in the "I" of the MIC but bad for just about everybody else including the non "Staff" of the Military such as those who actually fight and die.

The thing is if you analyze coups you find a strong correlation beyween the coup leaders and US Military training... Which is what the subject of the Tom's Dispatch link I was thinking of posting,

https://www.tomdispatch.com/post/176317/tomgram:_nick_turse+_counting_coups/

RachelAugust 11, 2017 4:17 AM

Nick P, Dirk
moving to Squid.
thanks for the fantastic responses about DDT !
OT momentarily, i am reminded of a ruse from my country. Tourist wanders through a certain area of the city. Attractive young woman says hi, how about we have a drink? She leads him into a pre determined venue. They sit, she says 'buy us a bottle of wine'. Meanwhile the doors are secured by staff. The mark is subsequently informed the bottle of wine will cost 800 euro - and he'll be personally led to the cash machine, or else. Requires street smarts right from the outset, which isn't impossible - actually the joke as I see it is any native being so instantly friendly from the outset is definitely trying to scam you!

So Nick, my immediate thoughts about DDT. The
participants are drinking themselves. This is highly problematic - all the concommitant issues with being intoxicated on a job requiring extreme physical and mental vigilance.
And yet they need to maintain their cover. I'd say drinking some kind of drink that looks like alchol to everyone including the bar man but not imbibing, or is antidoted (kudzu vine!!! great treatment for alcoholism, everyone check it out)

The barman is the most dangerous individual on site because he is 1. sober 2. been around the block a thousand times 3. personal vested interests 4. detached observer, not participant

The other thought, is of the participants not being adeuqately vetted and obtaining a hero complex if/when the sh5t hits the fan. Further, alcohol can increase such feelings of action movie hero status regardless of vetting.

My other observation is that drunk people and sober people have different brains. Subterfuge and misdirection/distraction can be readily applied upon the drunk person. And yet,the sober actor is weaker for not sharing the same emotional space, the primal same cues and prompts. Sometimes it works the other way - a scenario that a sober person is certain indicates imminent hostility, turned out to be perceived radically differently by the drunk mass and they can instead celebrate it or completely ignore it.
This dichotomy of Apollonian and Dionysian interface is a curious one ,thats for sure. Great sharing, Nick!

RachelAugust 11, 2017 4:21 AM

PS one note on the tourist ruse. as long as the bar staff don't enforce their demands, the scenario is not really breaking any laws.

Dirk PraetAugust 11, 2017 7:00 AM

@ Rachel, @ Nick P

The other thought, is of the participants not being adequately vetted and obtaining a hero complex if/when the sh5t hits the fan.

Over here, any type of vigilantism is strictly forbidden and even a concerned citizens committee actively or passively monitoring the neighbourhood needs to formally register itself and its participants with the police.

It's also ill-advised for anyone who hasn't received formal training in self-defense, situational awareness and a number of legal issues. For starters, you have to be able to differentiate between a drunk and someone who's high on drugs like cocaine, crystal meth, amphetamines or PCP. Whereas in general you have little to fear from someone who is just drunk out of his mind, a physical confrontation with a motorhead not too happy about having his picture taken or other perceived busybodying can get ugly really fast and may end you up in a hospital yourself.

JG4August 11, 2017 7:08 AM


one term of art for what the US is attempting to maintain is "full-spectrum dominance" I think that I'm on the record as saying that in the hands of benevolent despots, that's as good as it gets on the old blue marble. in the hands of psychopaths, not so much. I'm probably also on the record as saying, in agreement with Clive, that the days of US full-spectrum dominance are numbered. they may be able to wring a few extra years out of it with all of the dirt they've amassed via electronic surveillance of politicians around the world.

the US will seek to pit capable adversaries against each other to dilute their strength. you would have to look further than the Iran-Iraq war of the 1980's or the present border dispute between China and India. If the Chinese and Indians team up, it's very nearly game over for US dominance. if Russia and Brazil are included in the consortium, it's even quicker. has it been noted that there are a million Chinese working in Africa to build infrastructure for resource extraction?

DARPA is one of the engines of technical dominance and this particular project is a great idea for any number of reasons. not to imply that they got it right on the first try or will on the 100th try:

https://www.wired.com/story/darpa-bs-detector-science/

speaking of DARPA, "The Secrety History of Silicon Valley" is worth the hour. I'm almost certain that I've posted the link before. sadly, I can't recall if I posted Hans Rosling's "Asia's Rise" that attempts to pin down the year that the economic supremacy baton is passed.

a nice example where a security requirement that inputs be filtered to only include the known-good parameter space would be helpful:

Scientists Create DNA-Based Exploit of a Computer System(technologyreview.com)
https://science.slashdot.org/story/17/08/10/1957208/scientists-create-dna-based-exploit-of-a-computer-system?SetFreedomCookie

Someone posted a link yesterday that was just above the discussion with Don last year about swimming pools as a wildfire saferoom. I went through the physics in greater detail and strengthened the position that below-ground ones work as advertised. the numbers are pretty convincing. I'm sorry to say that I still haven't purchased the books that were recommended by Don and others at the time.

Naked Capitalism has been helpful to me in seeing that the root problem is unaccountable power, whether it is communists, capitalism, spooks, bankers, Democrats, Republicans, or hardware backdoors, the results are always the same. and the tools of lying, stealing, torture and murder are always the same, except when the veneer of civilization is in place. the underlying reality of the human condition is never more than a scratch of the veneer away. it's all entropy maximization, all the time, all the way up and down the scales of length, time and networks. the key entropy maximizers are money and power.

I enjoyed the discussion of vigilantism. if you think government is expensive, try anarchy. if you think education is expensive, try ignorance. if you think that a healthy diet is expensive, try sickness. vigilantism is a form of DIY government. it's not a bad idea to have a neighborhood watch. it's a short step from there to monitoring the local network and the garden path for intrusion. an underlying issue is how you have to be prepared to escalate at every step in the process. that's why the police are taught to be a55h0les.

the daily news dump

https://www.nakedcapitalism.com/2017/08/links-81117.html
...[a simplified version of Boyd's energy-maneuverability diagrams, also overlaps transitive dice]
Chimpanzees learn rock-paper-scissors PhysOrg (Robert M)

...[difficult to believe that computer security isn't involved here]
U.S. conducting criminal probe focused on Malaysia 1MDB’s stolen funds Reuters

...[GPS spoofing is a signal integrity problem not unlike fake news]
New Cold War

Ships fooled in GPS spoofing attack suggest Russian cyberweapon New Scientist (Robert M)

Imperial Collapse Watch

Even Americans Are Now Demanding the Closure of US Military Installations Across the Globe Near Eastern Outlook (micael)

Big Brother is Watching You Watch

ACLU: Absent warrant standard, police could monitor anyone via location data are technica (Chuck L)

...[I didn't elaborate how difficult it is to manage feedback loops]
Americans Pay More For Prescription Drugs Because Our Politicians Take Bribes From Pharmaceutical Companies Howie Klein (RR)

...
New McCarthyism

Haha, a first! Neera Tanden tongue-tied on Twitter. As Lambert said: “Now we know that Nation article on the DNC hack is serious.”

Why Some U.S. Ex-Spies Don’t Buy the Russia Story Bloomberg. This is a big deal. Bershidky is unquestionably anti-Putin.

The Russia-Did-It Certitude Challenged Consortium News

Asking our tech guys if this affects us. Click on the tweet and scroll down to read more examples. I suspect it does even if not directly. Recall that according to a Google spokesperson, one of the purposes of the April algo change was to downgrade “upsetting” content. Apparently saying anything critical, even of Hitler = “upsetting”.

...[I think that we've seen an article titled "Google is the Deep State]
Google: Search Engine or Deep State Organ? Mike Kreiger (micael)

JG4August 11, 2017 7:48 AM


It is reasonably well known that the US sowed the seeds of WWII in Europe with Bernays' experiment in mass propaganda via radio in the runup to WWI, but I hadn't realized that the US also sowed seeds of disaster in Asia even before that:

Diplomacy That Will Live in Infamy
http://www.nytimes.com/2009/12/06/opinion/06bradley.html

Mass propaganda is a signal integrity issue. You could think of a society as a computer for resource allocation. The value of products, money, the time value of money, news, balance sheets and so on are signals within the computing engine. If those signals are compromised, it will be much more difficult to get the correct answer. Fortunes can be made by comparing those signals and recognizing disparities. One of the Enron analysts realized the who thing was a scam and went short at life-changing scale.

The crushing defeat of Germany by US involvement in WWI led to a crippling treaty. The resulting economic devastation made the people desperate, which set the stage for a savior figure and some of the most brilliant oratory the planet has ever seen. The levers of power for central planning go back to the late 1800's when Germany was the most civilized country in Europe. Had the US stayed out of WWI, as Wilson promised in 1916 with the slogan "He kept us out of war," WWI would have stalemented with a far more reasonable treaty. Germany would have been strong enough to be a bulwark against Soviet expansion. The US would not have enjoyed the economic benefits of having destroyed most of the industry on the planet, which flowed to the US population via manufacturing jobs in the post-war era.

I realized only recently that Teddy's son Kermit played a key role in the Iran disaster of the 1950's. I've always suspected that the Yellowstone fire of 1988 was sowed by Teddy Roosevelt in response to the 1910 fire, which burned 3 million acres and blanketed DC in smoke for weeks. I still like his rugged individualism. What libertarian wouldn't?

https://en.wikipedia.org/wiki/Great_Fire_of_1910

https://en.wikipedia.org/wiki/Yellowstone_fires_of_1988

The transfer function is not unlike the issue in financial markets and economy where the quasi-Federal non-Reserve uses monetary policy to suppress recessions. The suppression of small fires leads to a massive buildup of fuel over decades. Likewise, without recessions to liquidate malinvestment, unsupportable debt and malinvestment build up to catastrophic levels that can only be cleared by a Great Depression. Empire is not so different in that many little entropy maximizing vortices build up in every nook and cranny. There are multiple overlapping feedback loops that comprise an interlocking series of adaptive system. The late-stage is optimizing extraction of wealth from the serfs and anyone within reach of the legions. Instability arises when the serfs are being extracted so hard that they'd be better off dead. You'd like to clear out those inefficiencies before they reach crippling levels that result in failed empire and failed governments. The status quo organizes to make certain that is not possible.

Speaking of people who played a role in multiple disasters, the same guy who scaled the leaded gasoline process that cost the US 7 IQ points off the national average, as well as the epidemic of urban violence in the 1970's, also scaled the Freon process that damaged the ozone layer. Midgley was crushed to death by his motorized bed, after he contracted a crippling disease. Just another century on the blue marble of unintended consequences. Lead in the brain causes data processing errors. Propaganda in the empire causes bad collective decisions.

vas pupAugust 11, 2017 9:12 AM

@all:
Was Google wrong to fire James Damore after memo controversy?
http://www.bbc.com/news/world-40865261

That is bad decision on Google side, but they are just try to save their 'butt' against those stupid lawsuits which are emerged out of nothing, destroy life of many decent people and served as source of big $$ for 'suitor' and their lawyers. You should fight ideas with counter ideas not with 'stick' aka firing, and not transform any deliberation into argument.
By the way, 'Without freedom of thought there can be no such thing as wisdom - Ben Franklin), We do need wisdom in IT, and security in particular.
My point is that difference in that memo exist, BUT they are very useful and to be utilized. Human side provided by female team member very important for nerds (I stated that before as example - Scorpions on CBS).
Israel utilized folks with disability - autism for spatial intel work on maps, i.e. differences are important when their advantages utilized for the common good.

Moreover, as example, women played huge role in decoding German crypto messages during World War II.

Pure statistical approach to resolve better diversity is counterproductive. Merits, not demographics on case by case basis should be key factor for hiring, promotion and firing as well.

Post American Primacy Exhibit 1,938,782,137August 11, 2017 9:45 AM

CIA agent Haftar, hero of the Toyota War, hedges his bets with Russia, Jordan, Egypt, and Mossad; CIA whines in impotent pique about their lost protégé.

https://www.newsbud.com/2017/08/10/newsbud-exclusive-israels-mossad-replaces-cia-as-handler-of-libyan-strongman-khalifa-haftar/

(Spoiler: Mossad false flag sends the US off to war, good practice for 911!)

Libya downed 10 US planes when the US attacked in 1986; made the US cut and run from their next attack by going to court in the ICJ in 1991; and secured vindication for the Lockerbie bombing frameup worldwide (except inside the US propaganda bubble.) Haftar watched with amusement as Washington got all those black eyes. Haftar, and even more his kid, Saddam, are going to be CIA's revolutionary pan-African nightmare.

D-503August 11, 2017 10:40 AM

@Google Fu for thought
Re Using DNA to deliver malware
All the interesting stuff is in the actual technical paper:
https://dnasec.cs.washington.edu/dnasec.pdf
They don't demonstrate anything remotely resembling a practical attack – for example, they had to custom modify the target software in order to make it vulnerable, disable ASLR, and make the stack executable – but the general points they make are valid. I'll comment more on this later.
There's also a press release that makes a lot more sense than most of the news media reports:
https://dnasec.cs.washington.edu/

ab praeceptisAugust 11, 2017 11:32 AM

Thoth

blog - I'd certainly have a look and be ready to take part. However, all I see is a pretty much empty github page (which might be me being stupid. I use git[hub] quite little (passively only) and know only basic stuff).

stickers - No! Please, no! Not just text. I love your cards and serious professional "132% bulletproof" stickers do have some gold and some image/logo.

And I have an idea: why not create "BSAL - 1 to 7"? ("bulletproof sticker acceptance level" other interpretations of "BS" are possible but oh so unintended). I'd be ready to award you BSAL-5 right away for your nice cards. And I'd be willing to upgrade that to level 8 out of 7 if the next card of yours would be extra secure by having "extra secure!" written on it.

Clive RobinsonAugust 11, 2017 1:30 PM

@ JG4,

[H]as it been noted that there are a million Chinese working in Africa to build infrastructure for resource extraction?

I mentioned it a few times in the past prior to "China APT" as a serious security threat for futute years. Nobody appeared particularly worried about it at the time.

However I still think it will be a serious issue in the future, especially as the US has as others have noted in the past "gone to war over oil".

The simple fact is that industry needs things,

1, Intellectual Property.
2, Energy.
3, Raw,Resources.

We know China has aquired IP by direct theft (China APT) and by controling raw resources they have a monopoly on such as certain rare earth metals essential to the production of basic sub assembles essential for modern systems including many of those used by the military. In essence they blackmailed the production and associated trade secrets into China where the Chinese Govetnment agents set up compeating manufacturing or used political/legal techniques to take over the plant of the foreign companies.

Unlike most in the West Chinese politicos take a long term view. Which means that the likes of Chinese engineers and managers in Africa is a way of puting in place the personnel required to extend the raw resource monopoly in the future.

You will see similar behaviour over energy both in the form of power generation and human labour.

Their current behaviour in both the South China Seas and on the mainly contested border between India and other Nations China has invaded is an indicator that they have rrached a point where they believe they nolonger need to be as covert as they used to be over their longterm plans.

Put simply they have seen PAP comming for quite some time and have not just been planning but putting the pawns in place. In effect they now regard the US as little more than a "Paper Tiger" and that they want the US out of the South China Seas either volunteeraly or by force and they are not fussed either way.

Personaly I think they may be a little premature, but they have in effect bought enough of the US to cause very significant economic problems for the US if they so wish.

I guess we are going to have to play the game of "wait and see".

Dirk PraetAugust 11, 2017 1:32 PM

@ JG4

The crushing defeat of Germany by US involvement in WWI led to a crippling treaty.

I believe it would be historically incorrect to blame the US for the rise of Hitler. Although Article 231, also known as the War Guilt Clause, was drafted by American diplomats Norman Davis and John Foster Dulles, it was primarily the French who had insisted on debilitating reparation payments that were perceived as utterly unjust and humiliating by the entire German nation (or what was left of it)

Dulles, later on in his career, and like many others, believed that the treaty was indeed one of the causes of WWII. By 1954, as US Secretary of State and in discussion with the Soviet Union in regards to German reunification, he commented that "Efforts to bankrupt and humiliate a nation merely incite a people of vigor and of courage to break the bonds imposed upon them. ... Prohibitions thus incite the very acts that are prohibited." A lesson obviously not learned by contemporary US politicians when they invaded Iraq and other countries.

Germany would have been strong enough to be a bulwark against Soviet expansion.

That's rather questionable. Although most analysts believe Germany would have lost the war even without the US intervention, it would probably have gone on for about another year or more and at the expense of even more destruction and casualties on both sides, ending in a German collapse by starvation, mutiny and revolution by bolsheviks and far-right paramilitary forces plunging the nation in total chaos. German leadership, knowing they couldn't win, foresaw this exact outcome and which is why they eventually surrendered.

Personally, I believe that a US decision not to intervene not only would have seriously stalled American economic growth and expansion, it would also have left Germany in utter chaos and ruin, and hit with even harsher sanctions not moderated by Wilson's diplomats. The inevitable outcome of which equally would have been an authoritarian power grab, just ten years earlier. And with the exact same results.

JG4August 11, 2017 3:33 PM


@Dirk - Thanks for your helpful comments. I didn't elaborate that both Lincoln and Wilson wanted to avoid punitive terms for the defeated states. Wilson was incapacitated by a stroke and Lincoln by a bullet, so their visions were not implemented. I blame the US bankers for foreign entanglements, and for the crushing defeat, but not the terms of the treaty. Bernays' experiments with mass propaganda and book stand as testimony to the potentially damaging effects of propaganda.

@Clive - Thanks for your helpful comments. The Chinese are noted for long-term thinking and patience.

an awesome story about money security

http://www.snopes.com/business/money/mister880.asp

if people are in your feedback loop, it's all about the data visualization

How Darpa Is Making Hacking Into a Spectator Sport | WIRED
Darpa, the Department of Defense research arm, is trying to make its biggest hacking
challenge into a visually exciting competition, complete with color ...
https://youtube.com/watch?v=y9ifQfla-pM


https://www.nakedcapitalism.com/2017/08/200pm-water-cooler-8112017.html
...
News of the Wired

“The Wartime Origins of Farmers Markets” [JSTOR Daily]...

“Small Functions considered Harmful” [Cindy Sridharan, Medium]. “Inasmuch as it’s impossible to abstract perfectly, the best we can do abstract well enough insofar as we can. Defining “well enough” is hard and is contingent on a large number of factors….”

“HyperCard On The Archive (Celebrating 30 Years of HyperCard)” [Internet Archive]. I love HyperCard… It’s too bad we don’t have an Internet-enabled version of HyperCard today. It would slay the browser.

ThothAugust 11, 2017 7:29 PM

@Clive Robinson, ab praeceptis

re: gitblog

The idea is to find a way to do more censorship resistant publications and not really about blog content itself. It is more of an experiment to use common technologies like git and PGP signing and the web to make a mnore robust publication technology.

Also, the benefits of using git is that git repositories are easily accessible and available as long as there is Internet. There are no known ways to censor git since it uses SSH or HTTPS to transfer images between git repositories. The use of PGP/GPG for signing is to avoid re-inventing the wheel on signature schemes to make up for possible git weaknesses when it comes to repository signing.

Another feature I will slowly add is the ability to asynchronously add other git repositories as asynchronous peers and create into a sort of asynchronous git based decentralized network.

The end goal is to experiment and look at the viability of meshing up some commonly available technology to attempt content distribution and censor resistance.

Also, to make up for the lack of content protection and privacy setting found on IPFS network, I would like to introduce some sort of access control via encryption on this scheme. Details will not be immediately available as I will slowly think about it in my free time and publish them there as well as using the published methods as a demo in itself.

ThothAugust 12, 2017 12:53 AM

@Clive Robinson, ab praeceptis

There is almost nothing they can do if I were to install my own git hosting daemon like gitosis. Also do note that git != Github. Github is more of gitosis where it has a central pooled git repository where I use my local git repo to sync to my rented remote git repo. If they were to remove my Github account, I do note effectively lose my local git repo but my remote git repo is simply gone. All I need is just install a hosting daemon for git (i.e. gitosis) and I would effectively be my own Github.

In order to silence me, they would need to destroy every instance of git repo that survives and what if I were to give away my git repo address and ask many people to do git clones and git pulls of my git remote and local repos thus now everyone has a copy of my git repo. This becomes problematic for attackers as git is decentralized in nature. Github is just a small fragment of git in the form of a publicly accessible and convenient remote repo.

Comventional blogs and websites are centralized and thus allow DMCA takedowns but P2P publication like using git and asking others to perform git clones and pulls would make DMCA takedowns and censorship very difficult.

ThothAugust 12, 2017 1:08 AM

@Clive Robinson, ab praeceptis

In fact on a second thought, I do not even need to install gitosis at all.

I simply need to know a remote repository's path and issue:

git clone ssh/https:// ..... (repo-name).git

For SSH, I just need to ensure the public key matches to ensure no MiTM going on and happily clone away a remote repository. The use of a hosting repository is due to the fact that your PC might need to be offline and you need a consistently online host and this is where a middle man, a hosting repository, comes to use which otherwise, if you know that your target for cloning is online and running git, you can simply just do the git clone and it should work.

Imagine an array of RPis can be used with each RPis used as hosting repos holding an image of your current local repo. The RPIs can be scripted with shell scripts to periodically perform a git pull on your local git repo (firstly by checking if your machine is switched on by a test pull or an ICMP ping) within the internal LAN network to update themselves.

If you need to distribute the repos, you can simply pop out the MicroSD card from the RPis and hand them over physically to other peers or distribute one of the many remote addresses of your RPis assuming that proper network configuration have been done to them.

Clive RobinsonAugust 12, 2017 4:27 AM

@ Thoth, ab praeceptis,

If you need to distribute the repos, you can simply pop out the MicroSD card

It would be a more secure way to do things if you can do a "Hand2Hand" (H2H) transfer as that way you could keep the essential core off line and away from tamparing etc.

The problems arise when you can not do H2H, the most important aspect is to stay below the grass as it were. The use of standard protocols is prefered especially of they look like standard "syncing" of mobile devices etc.

The problem with many file formats is they are not "code repository" friendly Microsoft use what is in effect zipped document files. The down side of which is one small change in a file like adding an extra space effects the rest of the file from that point on. However plain text files don't tend to do graphics very well. There are text formats that do both such as PostScript but can be almost as bad as zipped files and don't play nicely.

Clive RobinsonAugust 12, 2017 4:52 AM

@ Thoth, ab praeceptis,

If you need to distribute the repos, you can simply pop out the MicroSD card

It would be a more secure way to do things if you can do a "Hand2Hand" (H2H) transfer as that way you could keep the essential core off line and away from tamparing etc.

The problems arise when you can not do H2H, the most important aspect is to stay below the grass as it were. The use of standard protocols is prefered especially of they look like standard "syncing" of mobile devices etc.

The problem with many file formats is they are not "code repository" friendly Microsoft use what is in effect zipped document files. The down side of which is one small change in a file like adding an extra space effects the rest of the file from that point on. However plain text files don't tend to do graphics very well. There are text formats that do both such as PostScript but can be almost as bad as zipped files and don't play nicely.

ThothAugust 12, 2017 5:04 AM

@Clive Robinson, ab praeceptis

It is rather surprising but Microsoft has also fully embraced git and they have even written plugins and tools for handling the git repositories and even published them in the open as FOSS. It has also come to a point that Microsoft has been loading into their git repositories a good portion of the Windows source code too.

The use of git with it's SSH and HTTPS repo syncing is also a very common sight these days and the use of SSH and HTTPS as it's crypto protocol is going to be a very good cover.

Clive RobinsonAugust 12, 2017 1:52 PM

@ Thoth, ab praeceptis,

It is rather surprising but Microsoft has also fully embraced git...

Call me old fashioned but I can remember Microsoft's "Embrace and Extend" games, causing problems in the past. Thus I just don't trust them.

With regards,

The use of git with it's SSH and HTTPS repo syncing is also a very common sight these days ...

I've been thinking about the next step in the "Surveillance State -v- citizens" battle since the likes of HTTPS and SSH became way more frequent. I think they are going to move into "finger printing" crypto implementations.

The easiest way to fingerprint a protocol is to embed unique identifiers like "Magic Numbers" into it. This was a natural consequence of Microsofts "Embrace and Extend", and made life easier for the surveillance / SigInt agencies. One rich source of such numbers was Microsoft's file formats, where fixed values were encoded in fixed places.

When magic numbers cannot be used due to encryption there are various tricks that can be pulled at the upper protocol levels during the likes of the negotiation stages.

Because people are waking up to the problems associated with protocol negotiation stages the SigInt agencies will be already looking at how to continue fingerprinting. Thus the next logical step is likely to be fingerprinting by time based side channels.

As it's reasonably certain Microsoft is in effect "in bed" with the SigInt agencies it's the sort of thing they would build in as it looks like an innocent consequence of the software implementation.

Yes I know it sounds a bit paranoid but it's the sort of thing I would do if I was in the position of Microsoft with respect to the US IC.

FigureitoutAugust 12, 2017 2:58 PM

Clive Robinson et al
--Have you seen any comments on this blog that you thought was undoubtedly unlawful? How is the reasonable person supposed to know all the laws of what is legal or not with an internet comment compared to a statement made out loud in public?

One time there was a fork-bomb I think.

ab praeceptisAugust 12, 2017 3:15 PM

Clive Robinson, Thoth

Hmmm. Why am I not surprised? linus, big corps. behind it and all the usual drones hype it ...
Well, there's a reason why I try to stay away from git. I don't trust it any more than I can throw an elephant. I.a. because git is also a proof that certain people have learned regrettably little from diverse disasters and just happily go on brewing crap.

For less than 50$ a year one can get a decent virtual server and be independent with ones blog, forum, website, etc. And, of course, one can run some reasonable and decent vcs/scm. Which btw should and would also allow easy H2H.

Talking about it: Feel free to call me an old broomstick but a developers code should reside on a *local* repo and not on the public one. But then I'm talking about developers/engineers and not about "collaborating hacking hords".

As for what Thoth seems to have in mind you might want to wait a little (at least with a final decision/version) as I happen to have something cooking in the pot that was designed with high resilience (also against take downs) and security in mind. Sorry, that I can't talk a lot about it for the time being (at least not publicly),

ab praeceptisAugust 12, 2017 3:22 PM

Clive Robinson

Yes I know it sounds a bit paranoid

No, not at all. From where I stand it looks utterly demented to see it with trusting eyes, whereas your point of view is solidly reasonable.

From what I see, the moment microsoft touches anything it's as if some vogon bureaucrat slammed an "nsa approved and integrated" stamp on it.

Clive RobinsonAugust 12, 2017 7:25 PM

@ Figureitout,

Have you seen any comments on this blog that you thought was undoubtedly unlawful?

I'm not that fond of the term "unlawful" because it has different meanings if you are in a Permiso rather than Non Permiso jurisdiction. Historically in UK and US law you are in effect alowed to do what does not have a legislative prohibition, where as in a number of European countries you are in effect only alowed to do what there is legislation for.

A simple venn diagram would show that there is a large middle ground where something is not legislated about in either direction and a smaller intersection where things are legislated for but differently in diferent jurisdictions. Alcohol being one, where it's consumption is not legislated against in one jurisdiction and others where it's consumption is legislated against.

Thus any comment that is not totally banal is likely to be both legislated for in one or more jurisdictions whilst also being legislated against in one or more other jurisdictions but not legislated for or against in others...

How is the reasonable person supposed to know all the laws of what is legal or not with an internet comment compared to a statement made out loud in public?

A reasonable person is in an awkward position. You are expected as a basic assumption to have some "common" code of ethics/morals --or mores[2]-- that indicate what is and is not "reasonable behaviour" (you can look up the "Reasonable man on the Clapham Omnibus"[1] which is often cited as the legal test).

The point is that societies mores are not just volatile they change from social group to social group. Thus even a single Sovereign Nation" has many often conflicting mores. Even those ideas we regard as universal such as "Though Shalt not Kill" that we think constitutes "rights" are at best fluid.

Thus you have no way to appear "reasonable" let alone law abiding across the entire planet...

The best you can do is stay within the mores and laws of the jurisdiction you are within.

However you have to remember that "The right of free speach / assembly / association" are like "The World Series" something that is actually quite parochial deluding it's self that it is universal. Thus you could get a quite nasty shock if you step out of your parish or jurisdiction.

[1] The origin of the expression "The reasonable man on the Clapham omnibus" goes back in English law to the decision of Lord Justice Greer in the 1932 in the case of "Hall vs Brooklands Auto-Racing Club". The "reasonable man" appears like "Mr Average" as that ubiquitous, yet mythical, person in order to set "reasonable" standards in effect by the prevailing mores of society[2] (though in practice they almost always take a conservative rather than catholic view point).

[2] https://en.m.wikipedia.org/wiki/Mores

Clive RobinsonAugust 12, 2017 7:49 PM

@ ab praeceptis, Thoth,

As for what Thoth seems to have in mind you might want to wait a little...

Hopefully it will see the light of day soon.

I've lost count of the number of projects I've had involvment with that unfortunatly end up in non technical tar-pits. I sometimes have the feeling that the only projects that get to see the light of day are ones "nobody want's to own".

I don't mean that to be/sound nasty, but it's a reflection of the Internet world. If you have something that's going to be successful every psycho want's a piece of the action or to kill off any competition from it. From previous employers through patent trolls and Oh so secret Government agencies, they are all "rent seeking" or "IP stealing/killing" and claiming they have the law on their side. Thus it's a miracle when any real technical inovation gets to the point it can stand on it's own two feet.

ThothAugust 12, 2017 9:14 PM

@Clive Robinson, ab praeceptis

re: gitblog

I would agree that git is by far not the best way to implement distributed publication and by no means the final step. I see it more as an initial step to get everything off the ground first and a very nifty evasion tool for the Low and Mid Level Attackers. The High Level Attackers would typically do as what @Clive Robinson described via side-channels and probably wouldn't stop at side-channels but go down to the chip level (i.e. ARM TZ, Intel SGX et. al. which I have raving and ranting about for a while now).

In essence, my gitblog is not foolproof nor high assurance but more of a hack and piece together method for those who love to wear the 'I A Haxxor' badge. It is useful in the sense that typically adversaries (i.e. non-sophisticated state actors) wouldn't be blocking off every single HTTPS or SSH connection as these might contain legitimate traffic which is why git was chosen as it supports both for such a property to blend into 'normal traffic' until a highly sophisticated state actor comes in and decides to do side-channel analysis and what not.

Also regarding whether the gitblog would be finalized, I have no idea as I am pretty busy with other projects. Hopefully it would come to light in the form of some documentations.

ThothAugust 12, 2017 9:36 PM

@Clive Robinson, ab praeceptis, Markus Ottela, Figureitout

I should say that I have something installed for @Markus Ottela and @Figureitout for them to test with their projects (and it's FOSS too).

BerrangeurAugust 13, 2017 9:48 AM

re: git

It is actually decentralised. Every node can act as a 'server'. The irony is obvious if you notice how much stuff is hosted on Github. People who do that have kinda set a single point of failure themselves, nullifying the 'decentralised' part.

RatioAugust 13, 2017 5:00 PM

@Clive Robinson,

Those other bits don't indicate what they claim to have on him.
No, but [...]

Fascinating, and completely irrelevant to what it is that they claim to have on him.

@Dirk Praet,

Ce trou parfait
Que je fais en pissant
Dans la neige à ma porte.

*chuckle*

Somehow reminds me of Nanook and his momma ...

Clive RobinsonAugust 13, 2017 8:52 PM

@ Ratio,

Fascinating, and completely irrelevant to what it is that they claim to have on him.

If you read the paper work you will find they are not actualy claiming anything that is verifiable as being factual.

But hey don't forget what they say about FBI and DoJ types "They are like busted watches, if you're lucky for a split second twice a day they are right, the rest of the time they lie".

Any way how's your Shakespeare revision going?

FigureitoutAugust 14, 2017 12:02 AM

Clive Robinson
--It's terrifying not knowing what is and is not legal. Yep...the worst thing is no conveying of context in an online message or text/email that you get from a statement in person...complex issue.

Thoth
--What would that be? Have my first PCB made w/ eagle on the way from oshpark, I wanted to just get the first proto in so I didn't take time to get silkscreen working, I found it was easier to just start over a few times before you get used to the software lol. Think I'm going to have a layer of metal on an inner layer saying "tinfoil transfer" and labling of pins lol. I'm looking forward to making more boards for projects.

FigureitoutAugust 14, 2017 12:59 AM

Wael
--Argh, too much manual work lol. I like shipping designs off (with oshpark you don't even need to create gerbers, just give .brd file in eagle).

JG4August 14, 2017 6:37 AM

Bitcoin is a threat to government power and banker power, so it has been flagged for extra effort and scrutiny of users. Just like if you frequently used PGP from 1994 to 2006. Yves Smith at NakedCapitalism calls Bitcoin and TOR "prosecution futures." I use the latter, but not the former. Either way, I already have a big enough target painted on my back. I'd like to modestly support Wael's effort. If I could buy Bitcoin for cash, without having my picture taken, and were able to do an H2H transfer, I'd be all in.

http://www.zerohedge.com/news/2017-08-13/us-launches-quiet-crackdown-cryptocurrencies

suppose the US had mapped every one of the NorK's fortified artillery locations and designated a smart bomb or missile so that they all could be destroyed simultaneously? I believe that it is possible to observe the presence of underground structures by some flavors of electromagnetic system identification. it could be near-field observations by a long-wire antenna pulled behind a plane, as Barringer, the Canadian polymath, used to find a billion dollars worth of minerals underground, back when a billion dollars meant something, or ground-penetrating radar from satellites. Barringer also invented or popularized ion mobility spectrometry, which is used with swabs to detect explosives in airports. Barringer was using it for geochemical prospecting for hydrocarbon vapors. His IMS company was bought by Smith's Detection

http://www.zerohedge.com/news/2017-08-13/james-rickards-warns-war-almost-inevitable

https://www.nakedcapitalism.com/2017/08/links-81417.html
...[apparently Anthony Weiner isn't exceptional - the most useful piece of data for understanding this anti-social trend would be "success rate."]
AirDropping penis pics is the latest horrifying subway trend NY Post. Yet another sound reason to stick with my dumbphone

...
Ultrafast wi-fi on horizon as scientists send data at 100 times current speeds Telegraph

...
Kill Me Now

Amazon looks to new food technology for home delivery Reuters

Are American Shoppers Ready For Walmart’s ‘Scan & Go’ And Amazon Go? International Business Times

...
New Cold War

YouTube Begins Purging Alternative Media As The Deep State Marches Toward WW3 UserFriendly

...
Police State Watch

The 22 Dems Who Want to Strip Ivanka Trump’s Clearance American Conservative. Skewers gotcha virtue-signalling undertaken with no awareness of the consequences.

RatioAugust 14, 2017 8:00 AM

@Clive Robinson,

If you read the paper work you will find [...].

Fascinating, and completely irrelevant to what it is that they claim to have on him.

WaelAugust 14, 2017 11:33 AM

@JG4,

I'd like to modestly support [...] effort

I'm curious as to what effort that would be. A target on the back?

Clive RobinsonAugust 14, 2017 12:37 PM

@ Ratio,

I guess your cognative ability is not what it could be, which I guess is why your needle appears to have got stuck.

I guess you need to get out the K12 books on English literature, for reading under the covers.

RatioAugust 14, 2017 2:52 PM

@Clive Robinson,

Is there any actual point to these comments of yours that so proudly showcase your fabled cognative [sic] ability?

Since you apparently haven't gotten the message, I'll explain nice and slowly, just for gifted people such as yourself:

You said I should have included $WHATEVER in my original comment that quoted the BBC article.

In response, I suggested you should have written your comment as a series of haikus. In French.

People with highly developed reading comprehension skills might have noticed an echo of your "recommendation" in my comment, and been struck by the contrast between the apparent seriousness of the former and the barely concealed ridicule of the latter. They might have deduced that there is —shall we say— a certain degree of resistance on my part to the idea that I be told what to write and what not to write.

Sledgehammer too subtle for you?

ab praeceptisAugust 14, 2017 4:27 PM

Ratio

Feel free to discuss whatever points you please with Clive Robinson in whatever halfway acceptable way, but...

don't you notice how poor and dirty it is to ride an attack based on what are evidently typos and/or a spelling weakness (which is quite frequently oberserved in otherwise highly intelligent people)?

Looking at your posts and Clives posts even less technically knowledgeable people can't but note a significant difference, particularly in quality.
How dare someone like you who rarely contributes anything relevant to the topic to attack someone like Clive who frequently and commonly offers insights based on an evident long professional experience and lots of know-how.

If you have anything like a spine and some honour left, you'll apologize for that dirty low swing.

Clive RobinsonAugust 14, 2017 4:30 PM

@ Ratio,

As you want to try and slide sideways out of what you actually said the question realy should I alow you to grease your way out or remind you about the problem of petards?

As for sedgehamers in your case a pin hammer would be over kill.

RatioAugust 14, 2017 5:04 PM

@Clive Robinson,

Ah, you want to know why I repeatedly described a comment of yours as fascinating, and completely irrelevant to what it is that they claim to have on him. The reason would be that you repeatedly addressed fascinating (well, you know...) comments about Marcus Hutchins to me that (guess what?) are completely irrelevant to what it is they claim to have on him.

You are apparently eager to speculate on guilt or innocence, motive, backstory, etc. I am not interested. You could have taken the hint.

Anything else?

Clive RobinsonAugust 14, 2017 5:37 PM

@ Ratio,

Ah, you want to know why I repeatedly described a comment of yours as fascinating, and completely irrelevant to what it is that they claim to have on him.

Actually no I like most other people around here find you fail to do basic research even when prompted repeatedly to do so.

Worse you appear to read some picayunish point that meets your authoritarian follower behavioural viewpoint. To which you try to stick with as though it is some truth carved in a tablet of stone. In short you have very close minded behaviour.

Now personally I care not a jot for your lack of cognitive ability, insight or other social skills you frequently display, or for that matter your lack of technical ability.

What I do care about is the false impression you set that others might be misled by, thus I point out there is rather more to something than your selected picayunish view point.

Any way there is now more than the "six lines by your hand" that others can see and judge you by.

So job done.

RatioAugust 14, 2017 6:10 PM

@Clive Robinson,

*ROFL*

That's an impressive amount of nonsense you spewed there.

Job done indeed!

Dirk PraetAugust 15, 2017 4:52 AM

@ Ratio

You are apparently eager to speculate on guilt or innocence, motive, backstory, etc. I am not interested.

I'm not entirely sure what message you're trying to convey. The reason why many folks are speculating about the Hutchins case is because it is not the first time the USG is going after security researchers, hitting them with blood-chilling charges worth decades of jail, based on overly broad authorities and without presenting publicly or to the defendant even minimal corroboration or evidence for said charges. If my understanding of the arraignment and plea minutes is correct, they don't even have to do so until one (1) day before the pre-trial hearings and even at that time can still (and probably will) waive the "national security" flag to withhold specific information and/or sources. That's a no-win for the defense.

Whilst I understand that your focus is on the *technical* facts of the proceedings, it would appear that you are kinda ignoring the elephant in the room that based on past FBI behaviour they are indeed trying to coerce Hutchins into ratting out the unknown 2nd defendant whom they assume he has a direct connection with.

Given the rather flimsy nature of the indictment as currently presented, there is sufficient reason to suspect that there is indeed more to the picture than meets the eye, speculation about which is not conspiracy theory but a matter of common sense and precaution for everyone working as a security researcher or practitioner.

name.withheld.for.obvious.reasonsAugust 15, 2017 1:39 PM

@ Dick Praet

Whilst I understand that your focus is on the *technical* facts of the proceedings, it would appear that you are kinda ignoring the elephant in the room that based on past FBI behaviour they are indeed trying to coerce Hutchins into ratting out the unknown 2nd defendant whom they assume he has a direct connection with.

Given the reclassification of "criminal hacker" to "enemy combatant" in the govt's holy war on "hackers", I could see how "enhanced interrogation technics" would be applied to persons in degrees 2 and 3 of a directed graph of associates.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.