Researchers in the British Virgin Islands have sunk a giant squid made out of steel mesh to serve as an artificial reef.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
handle_x • October 27, 2017 6:17 PM
https://www.politico.com/story/2017/10/27/jfk-records-rollout-judge-criticism-244257
At risk of being notoriously political and posting too much, (yeah..) well, this man was our President at one time. People remember when he was murdered. Where they were.
His brain literally went missing. People lied. There was a coverup on some level, this release proving that of itself, the intentions of which are debatable to this day.
The Warren Commission was by all accounts a predetermined outcome. A smokescreen. Not dissimilar to the report by Lord Stevens on the investigation into the death of Diana.
They had a very long time to redact these records before by law they had to be released.
They did not do that. The law did not compel them though it exists, is enforceable. (?)
Instead they’ve kept major portions of the records secret entirely in the “crime of the century” (More than 50 years ago) and the plausible excuse given is there wasn’t time?
This is against the law.
Happy Friday
Winston Smith • October 27, 2017 6:54 PM
An important Supreme Court case ahead for privacy advocates:
http://www.scotusblog.com/case-files/cases/carpenter-v-united-states-2/
Issue: Whether the warrantless seizure and search of historical cellphone records revealing the location and movements of a cellphone user over the course of 127 days is permitted by the Fourth Amendment.
Date: 11/29/17
Nick P • October 27, 2017 7:18 PM
@ All
Two articles I found that are interesting:
Replace UEFI with Linux (slides)
Security Analysis of x86 Processor Microcode (2014 whitepaper)
Clipper • October 27, 2017 9:36 PM
A comment on the UEFI thing.
While this is about a fork of coreboot for google, I doubt google can be trusted more than Intel.
Basically google uses some kind of coreboot for their chrome devices, but I think the reason is to lock out other operating systems on chrome devices and not for any other reason, especially privacy related.
So I wouldn’t treat it as something important in the fight against ME. The project gets coreboot people some money needed, but I wouldn’t get excited about it.
After all, there were laptops providing booting straight into a mini-linux long time ago and this isn’t a really new idea.
Nick P • October 27, 2017 10:08 PM
@ Clipper
“After all, there were laptops providing booting straight into a mini-linux long time ago and this isn’t a really new idea.”
Was that before or after newer CPU’s started coming with backdoors running all this stuff by default? This page comes to mind on why laptops such as Libreboot T400 have old, Core Duo 2 CPU’s. Having free software on our computers might not be a new idea but this project seems to be doing new implementations on new CPU’s. Far as new ideas, I pushed PowerPC and SPARC long ago for their support of Open Firmware. People only cared about performance per dollar per watt. Now, we have this mess with some trying to say prayers for Raptor Workstation II to accomplish who knows what in actual user control given OpenPOWER is complicated and not really open.
Clipper • October 28, 2017 12:11 AM
@Nick P
My memory is not that good but I think it was before 2010. I can’t recall if it was some Toshiba Portege model that did it, but I remember you could boot straight into a minimal but extremely fast and power-efficient linux environment built-in the hardware and do things like browse some pages or check your email.
Later the idea was adapted into having EFI connecting to the internet and downloading some firmware like many ASROCK motherboards do, a frankly terrifying idea knowing what we know about internet-side attacks.
hmm • October 28, 2017 1:34 AM
The reefs and oceans are screwed. Acidification and warming will remake our world in decades. Short term profit was more important. Nobody say Tillerson.
If you can afford seafood be sure to instagram it so future generations will have a frame of reference. They will despise us either way.
Citizen 20938741 • October 28, 2017 5:40 AM
I caught a squid once… or at least I thought I did.
I reeled it in as the cache expired. I was left hungry for the next few days.
(Incoming tomatoes/eggs gratefully accepted as I’m hungry. Sorry @all, I won’t do this again).
Happy Friday/Saturday/xday. I’m glad we have this squid diversion…
Roberto • October 28, 2017 7:10 AM
I can’t help but ponder if the secret acoustic weapons used against American Diplomats in 2016 is revenge for the early sixties CIA Castro Bioweapon Plot:
Judyth Vary Baker has degrees in Anthropology, English and Communications.
https://www.amazon.com/Judyth-Vary-Baker/e/B002M9HMSA/ref=ntt_dp_epwbk_0/142-7469001-3774434
The call to the British newspaper 30 minutes before and a call to Dallas police day before. The perpetual coverup 54+ years all make sense now. When is the Netflix/Amazon spy thriller series coming out?
Grauhut • October 28, 2017 8:37 AM
@Nick,Clipper: If you boot the ME in equation groups own HAP mode, than the funny spy stuff is disabled. 😉
Wael • October 28, 2017 10:23 AM
@Grauhut,
So we have found an undocumented PCH strap that can be used to switch on a special mode disabling the main Intel ME functionality at an early stage. We can prove this by the following facts…
How long before that loophole is closed, which is an easy thing to do?
Clive Robinson • October 28, 2017 10:41 AM
Interested in HPC?
Especialy Vector Processors used in Super Computers untill fairly recently. Well they might be hitting the top of the top 500 list again,
https://www.nextplatform.com/2017/10/26/can-vector-supercomputing-revived/
I for one would not be suprised if Array/Vector processing CPUs[1] did not come back into fashion. Overly simply they have a significant number of registers that can be used as an array making for very fast maths through put and much processing virtualy core memory independent. Even L1 cache can not give the same level of performance by quite a way.
CallMeLateForSupper • October 28, 2017 11:26 AM
@Citizen 20938741
“I reeled it in as the cache expired.”
So it was a “cache miss”? 😉
Nick P • October 28, 2017 11:28 AM
@ Grauhut
Yeah, people in the Popular INFOSEC bubble were really confused about that. They didn’t even know what HAP is. Had they read this blog, they might have seen me repeatedly post things like this that use that feature. The commenter I told about that on Hacker News also found an option in the Dell Optiplex support, configuration or some other guide where you could order ME disabled as an option. It’s been there the whole time without anyone noticing it. May have been a shortcut there where white hats order two, one enabled and one disabled, to do a diff of them to figure out what disables it. Well, they eventually figured it out anyway at least.
I still think the semi-custom option is worth trying where a group of companies concerned about backdoors straight-up pay Intel or AMD to remove all that stuff from the CPU. Then, they can re-sell those maybe in the same boards as those open-source servers groups such as Facebook and Microsoft are getting behind. Just add an open or less-threatening MCU for management coprocessor since the enterprises will definitely want that. If Intel and AMD both turn it down, then we’ll have strong evidence something is up with extreme solutions necessary. Right now, they take money to modify their chips so give them money to modify their chips…
@ Clive Robinson
It’s neat they’re still around even though Cray gave up on that stuff. What people don’t realize is there’s been lots of vector architectures. Most in academia but also startups. The big companies just keep buying them out, shutting them down, and keeping the I.P. to sue challengers. Most of them were actually started to go after FPGA vendors rather than GPU vendors. The GPU vendors just ended up generalizing their products to become the accelerator the startups all wanted to be.
Anders • October 28, 2017 11:31 AM
https://thehackernews.com/2017/10/smart-iot-device-hacking.html
Next step – your fridge will become your worst enemy 🙂
Grauhut • October 28, 2017 1:18 PM
@Wael: “How long before that loophole is closed, which is an easy thing to do?”
Balance of powers, they can not easily close it because whoever pays you can decide to be on the exception list. Those who order monitoring don’t wan’t to be monitored themself, so there will always be some kind of HAP mode backexit. 🙂
@Nick: “If Intel and AMD both turn it down”
They will not. There must have been a lot of pressure, so they spent money to make those surveillance coprocessors work. I think this pressure is still there. They can not easily stop it.
neill • October 28, 2017 3:05 PM
@Clive
i’m sure you appreciate the beauty of ‘xor a’ instead of ‘ld a,0’
unfortunately it’s cheaper nowadays to just throw thousands of amazon vcpu’s at a problem vs. a neat architecture with a programmer that knows where his data is located physically … and everyone asks for containers, scaleability, virtualization etc
what a waste of resources! SAD!
Sancho_P • October 28, 2017 7:28 PM
@Winston Smith – Thank you, very interesting case!
Re: Carpenter and the eyewitness rule (or: Twisting the law by Orin Kerr)
http://www.scotusblog.com/2017/08/symposium-carpenter-eyewitness-rule/
Orin Kerr’s arguments are flawed, the conclusion is wrong.
Here is why in five points:
1) Eyewitness:
Clearly the term implies a witness is a person who has seen something (or not).
The important part here is the person, not the used sensor itself (it might be any relevant human sensor, e.g. “I could feel the vibrations”).
Important is processing and storing is done in human brain.
This is crucial as the conception, precision and duration of stored information is completely different between humans and machines.
We would not call a sound or video recording as “eyewitness”.
Additionally:
With humans we have an expectation of incorrectness which we (often incorrectly) do not have in context of machines.
But today it should be known that any technically stored and processed information is prone to errors and must be used with caution.
2) Katz vs. US
Katz was entitled to 4th Amendment protection because it “protects people, not places”. Exactly.
Regardless whether eavesdropping occurs outside or inside the telephone booth (or on the line), the person is protected – even when the person shares the communication with the device / machine / system.
No, (s)he does not voluntarily share the communication with any person at the provider or even the public. The technical capability to share the information is not part of the user’s intent, it must not be abused by the provider.
To store the user’s connection data is not necessary to make the call. If the provider must store data for billing or other internal purposes (e.g. optimizing) the collected data must be the absolute minimum in time and scope and, if possible, must be stored in anonymized form.
The provider is liable for the protection of any stored user data.
Law enforcement may warrant a wire tap from now to future events, as it was with analog communication, but not backwards in time.
The technical possibility does not constitute a right.
3) Justice Harlan’s two part Katz test:
3.1)
”To establish Fourth Amendment protection, a person needed to have a place that society would recognize as justifying privacy …” (Orin Kerr)
The question here is precisely:
Does the society recognize a phone call private or public?
Is an email from A to B recognized as private or is it seen public, like public posting on social media?
If we are not sure about we have to ask the society!
3.2)
”… and had to take steps to shield that space from outside observation.” (Orin Kerr)
Yes, this is done by using point to point communication instead of broadcast.
The sheer technical possibility to access P2P does not constitute the user’s consent to do so, on the contrary, as today no choice is given to the ordinary user to grant or deny access we must default to no consent given.
Banning strong encryption would even deprive the user of any possibility to shield that space.
4) “Voluntarily” share information
”Carpenter has revealed his location to the phone company” (Orin Kerr)
This is completely wrong.
It implicates Carpenter’s intent while the possibility to locate the phone over time is unwanted by-catch even from the provider’s view.
Carpenter did not call the provider to share his location to an employee of the provider.
Location paired with time and username is absolutely private data and must be protected by the provider, if stored at all.
LE may warrant that information from now to future events, as it would be possible (but more difficult) to gain by directly observing the suspect.
5) What to ask
”The right question is, should you have a right to stop others from telling the government about what they saw you do?” (Orin Kerr)
Yes, that’s the right question, but the third party did not see anything.
Twisting machines into humans will not improve society, nor does twisting the law.
Compared to the historical access to user data and communication content we can clearly see the actual overreach that has crept in by abusing digital technology.
It is time to discuss openly what society recognizes as privacy.
65535 • October 28, 2017 9:54 PM
@ Winston Smith
I agree that the USSC should look at the Carpenter case because it hits directly on the infamous tracking/location issue of cell phones and cell tower data related to individual privacy.
This tracking of individuals is completely different that looking a package with a to and from address and recording the to a from address. It is real-time history of and individuals movements which could be recorded for decades.
“For example, the government can obtain from a letter or package without a warrant the sender, receiver, originating and delivery addresses, package size, and weight; however, the government must obtain a warrant before opening the package or letter to obtain its contents… Smith v. Maryland case and the the Stored Communications Act Stored Communications Act, ” [Wikipedia 1] and the police seem to need No Warrant to follow you around via cell phone and cell tower records [let alone stingrays in the field].
I also note that Carpenter got 116.25 years the Federal Prison which is far above the national average for murder although he did not commit murder – aiding and abetting was the charge.
“Carpenter was later charged and arrested and eventually convicted by a jury with several counts of aiding and abetting robbery that affected interstate commerce, and aiding and abetting the use or carriage of a firearm during a federal crime of violence. Carpenter was sentenced by Judge Sean Cox of the United States District Court for the Eastern District of Michigan to 1,395 months, or 116.25 years, in federal prison…”- [Wikipedia 1]
This whole cell phone tracking thing has gotten far out of hand. The USSC should look at this case.
[Wikipedia 1]
https://en.wikipedia.org/wiki/Carpenter_v._United_States
Clive Robinson • October 29, 2017 12:22 AM
@ neill,
what a waste of resources! SAD!
Yes, the actual “efficiency” must be very small, which would corncern any engineer.
However from the managment side such inefficiency gives consistancy and thus fast integration. Thus reducing the price of the code base.
The fact this comes at an aditional price of vulnerability does not appear to worry many managment people…
Thus we have systems quite literally thrown together from pieces, broken off of earlier poor quality projects, all with vulnerabilities aplenty. Then people act all suprised when somebody walks in takes the crown jewels and makes off with them sight unseen…
As two sayings have it “You get what you pay for” and “garbage in garbage out”… It’s why I’m known to call such programmers “artisanal” “code cutters” not “engineers”. Engineering is a thoughtfull process whilst making heaps of garbage requires little or no thought you just keep piling it up till you get a certain “Dead weight”.
I’m not saying that this problem is the fault of programmers, because few can do good work in a “Red Queens Race” with termination as the price of failing to run fast enough for the person in a position of power screaming “off with their heads”…
But it is the fault of team leaders and above. In studying the history of engineering you will find artisans making boilers, that sufficiently often exploded violently, more so than any “infernal device” thought up by those disgruntaled with politics. Thus politicians had to act and they brought in legislation to protect the citizens from the boilers and their builders. It was, supprisingly to many, realy an enforced “Quality Control” process. The result was a meeting of minds between gentlemen of the natural sciences and artisans, which gave rise to the engineer, who was essentialy forged for the public good from the flames of reckless ambition and lust for profit at any price.
You can look up the “ring of iron” and the oath that Rudyard Kipling helped write, and in it you will find the foundations of a proffession with a promise to open design, care for natures resources and much more.
Whilst I would wish no harm on any person it usually takes death and destruction of innocent people to cause blind ambition and endless greed to be sanctioned and brought under sensible control. It’s such a disaster that the software industry needs to turn it into an honest proffession.
neill • October 29, 2017 2:07 AM
@Clive
i feel your pain. i’ve learned to hand code Z80, just with a Zilog datasheet, and knew every OP code and the cycles it needed to complete … and hence knew many tricks to speed up the machine … like one i mentioned
today it’s just next quarter profit that counts, stockprice etc, instead of creating something beautiful – like the POWER chips from IBM, or even itanium (even though commercial a failure but an amazing design effort) or borland’s ‘turbo pascal’ which i looooved
HPC are still a bit different as some mil projects don’t care too much about the costs
programmers have much better tools now than ever (RE optimizing code) but that lets them write sloppy code with all those security problems, that even fuzzing will not find
somehow we’re doomed if all goes into the ‘cloud’ (but isnt that what we called client/server infrastucture a decade ago?)
Clive Robinson • October 29, 2017 3:41 AM
UK ckocks went back to GMT last night
Adjust your thinking appropriately if communicating with the UK from a tome zone that did not.
I guess it will become more fun in years to come after Brexit, as UK laws use a different calculation for the day to “Spring forward” in the spring and “fall back” in autumn. Due to the Summer Time Act 1916 which advanced the clocks in the UK for 1 hour from May 21 until October 1 in the same year. Whilst the EU calls via Seventh Directive 94/21/EC for the first and last sundays in March and October.
Due to other experiments with time like “Permanent Summer Time” the UK has it’s very own time lord who has had to cross over from “The Lords” to “The Commons” with a request to vary times…
Little Parliamentry madnesses like this will need to be sorted out all in time for Brexit… The chances of catching them all is low, but who knows.
CallMeLateForSupper • October 29, 2017 8:26 AM
@Clive
“UK ckocks went back to GMT…”
So no more UTC?! Excellent!! I wish U.S. would do that. 😉
(nudge-nudge, wink-wink, say no more)
Clive Robinson • October 29, 2017 9:36 AM
@ CallMeLate…
So no more UTC?! Excellent!! I wish U.S. would do that. 😉
The US may claim it uses UTC but the US citizens in the main actually use “GMTed UTC”…
The difference is subtle, UTC is based only on the second and the exact number of seconds in a day. Unlike GMT which is based on the mean solar day…
As the earth rotation time is slowing down in the main then the difference would become obvious in a short while. However due to the influance of jupiter the earth also speeds up from time to time as well. So UTC has “leap seconds” that can be added or subtracted to correct for siderial time.
For obvious reasons ordinary citizens do not muck about with leap seconds nor do most networks etc (on the surface).
However both UTC and GMT are guaranteed to read the same at certain times of the year…
Which is why in the US it may be called UTC but for the majority it’s realy the same as GMT 😉
Oh and the likes of the Military still use GMT for the likes of Zulu Time… So…
UTC is however used by scientists because the SI unit of time is the defined second, not the fraction of the mean siderial time. This has knockon effects into technology where “system time” and “wall clock” time will be different.
There are around 15 different ways of measuring the passage of time, mostly the differences make little difference. However we have “Relatavistic UTC” used in GPS and mobile phones…
JonKnowsNothing • October 29, 2017 10:21 AM
So… you are walking down the street and you spot a USB stick…
Heathrow Security Plans
… USB stick containing 2.5GB of data, reportedly including locations of CCTV cameras, tunnels and access to restricted areas, was found in west London
…
the USB stick – which was not encrypted and contained 2.5GB
…
was discovered by a member of the public [and given to a news paper]ht tps://www.theguardian.com/uk-news/2017/oct/29/heathrow-launches-investigation-after-confidential-security-plans-found-in-street
(url fractured to prevent autorun)
Hmmm Hmmmm Hmmmm
If true its both funny and horrifying.
Chaff • October 29, 2017 10:52 AM
If I develop a crack for MSOffice and demonstrate my unique binary gymnastics as in binary meta aka backdoor will Kaspersky out me for my alpha beta and debug heuristics?
A tale of two cities, one being Rome.
Clive Robinson • October 29, 2017 2:19 PM
@ Chaff,
[W]ill Kaspersky out me for my alpha beta and debug heuristics?
Do you realy want to test it out?
Play out a little thought experiment in your head,
If the Kaspersky explanation is true, the hash of your code will hit their servers, and in effect make you “vector zero”. Which is not a good place to be for a number of reasons…
Further if you have not set the Kaspersky option bits correctly those files will smack into their servers to come under the eyes of a Russian analyst, or even the FSB in passing.
Now, the test of the other bit of the Kaspersky story… If your source files carry the markers of a Five-Eyes “secret document” then Eugene will order the files checksum etc “removed” from their servers, but… Possibly not before Mossad come around and knock on your door and give you the “Gerry Bull” treatment :-S or worse some wet work operative from an alied agency to the Five Eyes Sig Int comes in and jump starts you a few times along with the flannel in the face followed by a bucket of water, with the potential of the next thing you know you’ve been “David Kelly’d”…
So maybe, keep that sort of stuff on an “energy gapped” computer, for the sake of your longevity and working fingers…
hmm • October 30, 2017 1:43 AM
“If your source files carry the markers of a Five-Eyes “secret document” then Eugene will order the files checksum etc “removed” from their servers,”
… Eugene knows the word bullshit.
Citizen 20938741 • October 30, 2017 3:37 AM
@CallMeLateForSupper
So it was a “cache miss”? 😉
I suppose so… Excellent 😀
handle_x • October 30, 2017 4:22 AM
All the ‘actors’ would have to do is submit known malware with the codenames of their target NSA malware on/in the files. Presumably after a few iterations of this the KAV software would go looking for “malware” with the names associated with previous matches.
That doesn’t require anyone to compromise the KAV app. Just feed garbage in, a garbage search results, and they pick through it in some clandestine way unknown at this time.
Or you know, Eugene is a spy and his entire life is a deep fraud. Possible.
I don’t have evidence to the contrary or even an opinion.
Grauhut • October 30, 2017 7:07 AM
Nice Google UEFI / Me replacement project: NERF
“Replace Your Exploit-Ridden Firmware with Linux – Ronald Minnich, Google”
Ratio • October 30, 2017 7:10 AM
… and so it begins. Good.
Wesley Parish • October 31, 2017 3:56 AM
Bloodcurdling:
ht tp://www.tikkun.org/nextgen/how-america-spreads-global-chaos
China is already too big and powerful for the U.S. to apply what is known as the Ledeen doctrine named for neoconservative theorist and intelligence operative Michael Ledeen who suggested that every 10 years or so, the United States “pick up some small crappy little country and throw it against the wall, just to show we mean business.”
handle_x • October 31, 2017 11:31 AM
China is no great actor either. They’re the reason India and Pakistan nuclearized.
Markus Ottela • November 1, 2017 9:42 AM
Signal desktop client has been released.
wumpus • November 1, 2017 12:02 PM
@Clive Robinson
Scatter gather is the only thing missing from modern processors that the old vector machines used. Intel is scaling up to 512 bit wide AVX cores, while GPUs provide amazing 32 or 64 word* vectors. Getting them to work with more than unit-stride is a bit of a trick, but I think that nVidia has a bunch of ways to make this work, although you might have to deal with some pretty long vectors of equal stride (basically shuffling instructions).
Putin's Revenge, part 2 • November 1, 2017 8:48 PM
PBS’s Frontline has Putin’s Revenge, part 2, starting shortly; for example, tonite, 10 pm est.
https://www.pbs.org/wgbh/frontline/
https://en.wikipedia.org/wiki/List_of_Frontline_(PBS)_episodes
the link below may make tonite’s show accessible from other countries
http://www.pbs.org/wgbh/frontline/watch/
Nate • November 1, 2017 10:46 PM
“Hackers compromised the Trump Organization 4 years ago – and the company never noticed”
tl;dr: Someone looked at the Trump Org’s GoDaddy registrations, and starting 2013 there are a whole bunch (over 250) of literal Russian malware domains.
Much cyber. Very vetting.
For each of over a hundred of these Trump domains, the intruder created two shadow subdomains, with the names of these subdomains generally following a pattern: three to seven seemingly random letters placed before the real domain name. Here are examples from the list: bfdh.barrontrump.com and dhfb.barrontrump.com; bfch.donaldtrump.org and bxdc.donaldtrump.org; cesf.chicagotrumptower.com and vsrv.chicagotrumptower.com; dxgrg.celebritypokerdealer.com and vsrfg.celebritypokerdealer.com; and bdth.donaldtrumppyramidscheme.com and drhg.donaldtrumppyramidscheme.com.
..
The shadow Trump Organization subdomains point to IP addresses in the range between 46.161.27.184 and 46.161.27.200—and these addresses are part of a larger network. In October 2013, a security researcher identified a website called bewarecommadelimited.org deploying an exploit kit that was intended to pilfer passwords and other information from targeted computers and noted it was associated with this IP address: 46.161.27.176. That IP address is within the same network as the IP addresses used for the shadow Trump Organization subdomains—an indication that these subdomains might have been part of a network used to deploy malware against other computers.
This week, a researcher named C. Shawn Eib wrote a blog post highlighting the existence of the shadow subdomains, which had been referenced in a Twitter thread several weeks ago. Eib noted that “more than 250 subdomains of domains registered to the Trump Organization redirect traffic to computers in St. Petersburg, Russia.”
https://www.unhackthevote.com/our-research/trumps-connections-to-russia-they-are-just-a-ping-away/
Take for example the subdomain dsfs.donald-trump-entrepreneurs-initative.com. As with the other subdomains, no user-visible content is present here. We ran a traceroute on this subdomain to reveal the path taken by network traffic to this address. Here is what we found:
Of particular note: the IP address 91.218.245.201 in the traceroute results is apparently located far east of Moscow, near the town of Vanavara in the desolate Russian precinct Krasnoyarsk Krai. This location is very near the site of the Tunguska event in 1908, an apparent meteor explosion that flattened nearly 800 square miles of forest. However, there seems to be no appreciable increase in latency (the time it takes to go from one server to another) while making this round trip. Instead, it shows approximately the same latency as the servers known to be located in Moscow.
This IP address along with all the IPs in the route once the traffic enters Russia, belongs to the same service provider used by one of the servers hosting Wikileaks.org. This server was established approximately one week before the Podesta emails were released, and is located in Moscow, with IP location tools showing both the Trump subdomain traffic transiting through and Wikileaks hosted in a building located near the Kremlin. Wikileaks has multiple servers, two located in Moscow, and the route for that traffic also includes the trip to Siberia, again with little difference in latency when making this long round trip.
Grauhut • November 2, 2017 5:22 AM
Chinese quantum secure direct communication:
Ratio • November 3, 2017 12:04 AM
Bin Laden’s disdain for the west grew in Shakespeare’s birthplace, journal shows:
A summer trip to the UK as a teenager and visits to Shakespeare’s birthplace convinced Osama bin Laden that the west was “decadent”, the late leader of al-Qaida and architect of the 9/11 attacks wrote in his personal journal shortly before he was killed by US special forces in 2011.
The journal is among 470,000 documents collected from the house where Bin Laden died that were released by the CIA on Wednesday. The agency said it had released the treasure trove “in the interest of transparency and to enhance public understanding of al-Qaida and [bin Laden].”
[…]
In the journal, Bin Laden briefly describes visiting the home of William Shakespeare in Stratford-upon-Avon but says he was “not impressed” by British society and culture during his time in the UK.
“I got the impression that they were a loose people, and my age didn’t allow me to form a complete picture of life there,” he wrote. “We went every Sunday to visit Shakespeare’s house. I was not impressed and I saw that they were a society different from ours and that they were a morally loose society.”
(Insert flashback to Sayyid Qutb in Greeley, Colorado here.)
Bin Laden journal reveals he was shaped by the Muslim Brotherhood:
He then explains that he grew up in an ordinary family. He was a practising Muslim. On factors that led him to jihad, he says: “It wasn’t one thing. I was looked after [in terms of religious commitment] by family, but no side was guiding me in the way the Brotherhood do. I was normal.”
He also mentions that the first time he travelled to engage in jihad was to Turkey in 1976, and suggests the trip was paid for by the Brotherhood. He then cites Erbakan as the reason for his trip but it is unclear what the link was between Erbakan and the idea of jihad.
[…]
In other pages, bin Laden comments on the Arab uprisings in 2011. In one instance, he pins hopes on Yusuf Al Qaradawi, the prominent Islamist cleric based in Doha. The cleric is known for his generally moderate fatwas regarding Muslim lifestyle, but also for issuing fatwas that have sanctioned suicide bombing and jihad over the past two decades.
“Qaradawi, if he talks, that will help and boost popular confidence that the (Libyan) rebels are right,” he writes. “Qaradawi’s shift [means that] Qaddafi is over.”
He also commends Al Jazeera’s Arabic channel for its role during the uprisings: “Al Jazeera, thank God, carries the banner of revolutions.”
(Ikhwan, al-Qaradawi, and AJ? Say it ain’t so!)
Also included in the documents released by the CIA is new evidence confirming Al-Qaeda maintained ties with the Iranian regime, previously documented in the book named The Exile: The Flight of Osama bin Laden by Cathy Scott-Clark and Adrian Levy.
(Bin Laden was clearly confused about his motivations, the timeline, and all the rest of it, as will soon be demonstrated by the usual Very Serious Experts.)
Wael • November 3, 2017 12:54 AM
@Ratio,
Insert flashback to Sayyid Qutb in Greeley, Colorado here.
Why don’t you? Tell me the full story!
Ratio • November 3, 2017 1:36 AM
@Wael,
Tell me the full story!
I’m gonna do a Fermat on you and claim this text field is way too small to contain the answer. 😉
I was mostly thinking of his comments —in The America I Have Seen, I’d guess— on a dance in the basement of a church in this small town, and how to him this was yet more evidence of American sexual depravity.
Wael • November 3, 2017 2:38 AM
@Ratio,
The America I Have Seen
There is no “The” in the book title. It translates to “America that I have seen”.
and how to him this was yet more evidence of American sexual depravity.
He said a lot more than that. He was criticizing, not looking for evidence. In his opinion, he didn’t think it appropriate for a house of worship to double as a dating place.
and how to him this was yet more evidence of American sexual depravity.
He referenced that in other stories in the book. He was describing the society he saw. He also poked fun at the food. I don’t remember exactly what he said, but it had to do with adding sugar to non deserts…. something like that.
Ratio • November 3, 2017 11:08 PM
@Wael,
There is no “The” in the book title. It translates to “America that I have seen”.
Yes, the title أمريكا التي رأيت corresponds to “[America] [that] [I have seen]” in a word-for-word “translation”. But in English you really do need the added “the”, just like you need the explicit “I” that’s nowhere to be seen in the original.
In his opinion, he didn’t think it appropriate for a house of worship to double as a dating place.
That’s one of the (implicit) points he makes in the story A Hot Night at the Church.
He referenced that in other stories in the book. He was describing the society he saw.
Yes, that much I knew. The gist of what I’d heard/read matches with the tiny bits I’ve read so far while looking for that story, but the details are just plain wrong sometimes. (Thanks for pointing me in the right direction.)
He also poked fun at the food. I don’t remember exactly what he said, but it had to do with adding sugar to non deserts…. something like that.
The whole thing is less than 25 pages; more of an article or pamphlet than a book. It’s in the pile, and I’ll let ya know what his culinary commentary was about once I get to it. 😉
Wael • November 4, 2017 12:56 AM
@Ratio,
But in English you really do need the added “the”,
Accepted.
The whole thing is less than 25 pages;
I read the hardcover “book” around 1992. It was 51 pages; a small booklet in Arabic. Maybe it translates to 25 pages in English because of font sizes, otherwise it’d be around 75 to a100 pages in English (if we kept print and page sizes equal.)
I’ll let ya know what his culinary commentary was about once I get to it. 😉
It’s really insignificant. I could search for it if I wanted, but not worth the effort. So what if he thought gravy is a stupid or weird idea? Who cares? It’s not like there aren’t any weird Egyptian dishes! Lookup Feseekh or Mesh 😉
Clive Robinson • November 4, 2017 8:21 AM
@ Wael,
There is no “The” in the book title. It translates to “America that I have seen”.
When a sentence begins with a proper noun that is unique the use of “the” is redundant.
So it’s correct to say “The United States of America” but not “The America”.
In the same way you would not say “The John I have seen” but “John I have seen”. You would only use the former if there was more than one “John” and then to make clear that there was more than one within the scope.
Similarly you would not say “The Manhattan I’ve seen” but you would say “Manhattan I’ve seen”, unless there was more than on Manhattan.
There are various English style guides and they can get quite prissy on certain wording[1]… Another more people are aware of, is the use of “And” at the begining of a sentence. It used to be verbotten sixity years or more ago, then it became acceptable for sentances that were not the initial sentance in a paragraph (thanks to our legal brethren). But now even paragraphs are alowed to start with the likes of “And so…” if the paragraphs form what is in effect a list of clauses or terms.
English is a lazy mongrel language and changes quite rapidly frequently in as little as half a genetation[1]. One of my pet peves is “that that” as opposed to “that which” or earlier forms.
[1] King Kunt tried to make the point you could not order the tides of change to halt to the sycophant courtiers he had around him. Alass he is more usually incorrectly held up as an example of being the fool who tried to order the tide to not come in…
Wael • November 4, 2017 10:36 AM
@Clive Robinson,
You would only use the former if there was more than one “John”
Agreed. There are two or three dimensions to translating this particular title: The meaning the author intended, the correct English grammar that faithfully captures the meaning the author intended, and (heh! the third escaped my mind!!!)
The only reason I accepted @Ratio’s translation is the following: The author describes an America he spent some time in: A View among several possible views that exist in people’s perception. In a way, there is more than one America 😉
Arabic is an extremely precise language, and it’s not so easy to just use a dictionary and translate word for word. Some subtle variations in the structure of a sentence may seem equivalent to the uninformed, but they make a huge difference in meaning. Anyway, the translation I would use is “America that I saw”.
Hail to the King • November 4, 2017 3:54 PM
@Clive Robinson
My Sincere Apologies for correcting a spelling, but I have seen it as Cnut, and Canute, but never the spelling you employed 🙂
And in the English North ‘king is a profanity.
I’m trying to work Knuth in here somehow but I’m struggling.
Wael • November 4, 2017 4:20 PM
heh! the third escaped my mind!!!
Oh, yea! It came to me now. The tenses need to match as well. “have seen” is past perfect, whereas “saw” is past tense. Sayyid used the past tense in Arabic. Had he used the past perfect (one of the forms,) he would have preceded “saw” with “Qad”, which he didn’t do.
Soft cover == hard copy en modern henglish ofc.
Clive Robinson • November 7, 2017 3:51 PM
@ Hail to the King,
My Sincere Apologies for correcting a spelling, but I have seen it as Cnut, and Canute, but never the spelling you employed 🙂
It’s one of those things like the US once had with rrmoving double consonants from words “unless” they were “of indigenous American origin”…
Many years ago I was rubbing along with a young lady from a well known European region where the Vikings decided the East Coast of the UK mainland was a good place to occasionaly plunder… But they knew this from actually trading, because the wealth in the UK mainland was due to it’s place as a European trading hub… Any way she was doing history at an Old British University. She was quite passionate about the spelling, for various reasons I will not go into but her oppinion was that the use of “C” was a “lost in translation” error.
The man himself was the Grandson of “Bluetooth” who was the first christian monarch in that part of the world hence the language issues.
But if you hunt around you will find the “K” spelling.
https://www.jorvik-viking-festival.co.uk/about/history/canute/
@ Wael,
Arabic is an extremely precise language, and it’s not so easy to just use a dictionary and translate word for word.
Speaking of “lost in translation”, yup when you try to translate from on language with complex rules high precision thus low redundancy –that even those who speak it natively rarely master– to perhaps the laziest almost sloppiest –thus most usefull[1]– language, you will get grammar issues 😉
However I primarily find most grammars tend to have to many rules, with worse to many archaic exceptions or modifiers. The legal fraternity thus developed their own subsets containing a lot less of such silliness 😉
[1] In a sloppy language such as “english” you have a very high drgree of redundancy, which gives you lots of entropy, thus lots of information capacity.
Wael • November 7, 2017 5:03 PM
@Clive Robinson,
yup when you try to translate from on language with complex rules high precision thus low redundancy
Depends who looks at it! Someoe’s redundancy is another’s singularity 🙂
The legal fraternity thus developed their own subsets containing a lot less of such silliness 😉
True, but so did a lot of other fraternities, Security not withstanding.
In a sloppy language such as “english” you have a very high drgree of redundancy, which gives you lots of entropy, thus lots of information capacity.
There’s another term: entropy. And I thought redundancy reduces entropy 😉
Hail To The King • November 7, 2017 10:44 PM
@Clive Robinson
My apologies, In trying to be subtle I have lost my signal to the noise.
I wasn’t commenting on the K, or the Knu/Kanu, I was childishly amused because you called him a ‘King Kunt. (i.e. UN). I can’t explain it without running into a profanity filter.
Reading (and much appreciating) your comments over the years I have often mused about the redundancy of the English language and Hamming codes, Voyager etc. I’m sure you could type with boxing gloves on and still be perfectly understandable, unlike some of the other locals 😉
Glad you are on the mend Sir.
Clive Robinson • November 8, 2017 2:53 AM
@ Hail To The King,
I can’t explain it without running into a profanity filter.
Un oh, yes I see what you mean now, the transposition of the two middle letters… Opps totally unintentional, and my ears are now a shade or three darker than a healthy pink :$
As for my health, well they still do not know what the problem is, just that I’ve had a major event that darn near killed me. So the’ve stuck me on another set of poisons (one of which is derivrd from the “woolly foxglove”). And as they don’t want me lounging around in hospital, the’ve also stuck “bluetooth enabled” me… Which now knowing what I do about the (in)security of bluetooth is rather more stressfull than it was a it’s now “a subject quite close to my heart”…
If you read the device info there are all sorts of warnings about “don’t have mobile phones” in the devices proximity… Which as I am an RF Engineer that expects to come into close proximity with TXs and their antennas in the 1KW and up range does not fill me with confidence…
Clive Robinson • November 8, 2017 3:33 AM
@ Wael,
There’s another term: entropy. And I thought redundancy reduces entropy 😉
As you note,
Depends who looks at it!
Take nested HTML tags for instance (I’ll use square not angle brackets as I’m to lazy to type in the long form 😉
[ul][i]xxxx[/i][/ul]
The ordering of the “ul” and “i” in each pair does not matter the result displays the same way. Thus you have four different ways of ordering them, which is the equivalent of 2bits of information that can be hidden away as a transport for other information. Which means not only have you got an information carrying side channel, it’s also “covert” to the majority of people…
Better yet if you use them flags around what is effectively “white space” charecters or other tags you introduce a secondary side channel you can use to act as a signalling channel.
When you look at the immense amount of tag garbage the likes of Microsoft Office adds to “pretty print” a basic text document in both HTML and RTL you quickly realise why I advise people “Paper papet, never data”.
But if you want real “wierd potential” have a look at Postscript[1], it’s actually a Turing compleate stack bassed interpreted programing language (think “Forthlike” with strong daya typing). So you have an immense capability to hide information away in the redundancy that gives you… Oh and remember PDF is a child of Postscript, with extra added features that can add layers of obsfication that needs tobe seen to be believed, and as such means ensuring the security is just not practical.
Wael • November 8, 2017 4:21 AM
@Clive Robinson,
“Paper papet, never data”.
That’s a lost art. I hardly ever use paper or pen. Actually my handwriting deteriorated so much so that I can’t easily read it.
PDF/PS… yea agreed.
Wael • November 8, 2017 4:45 AM
The best security is isolation. Stay off the grid. I particularly like this:
Get rid of your computer’s hard drive. You can do this by boiling it and then smashing it with a hammer before discarding it
Now watch the next researcher spend time on how to extract hard drive data from the vapor of a boiled drive. Now there’s an idea worth funding. I’m tempted to get it partially funded by some organization 🙂
A more advanced researcher will track your data from rain drops that fall in a different country. There is no limit to the “ingenuity bottomless abyss” of side-channel attacks!
Rachel • November 8, 2017 5:50 AM
Wael
you regularly crack me up.
Clive
I saw in a doco, Canutes point about ordering the tides was to demonstrate he was inferior to the Christian God. Thus a shrewd political statement as he wanted the alliances
Hail to the Thief
interested by your statement , in the North of England its a profanity to say ‘King’ Canute. Touch sensitive subject! 🙂
Hail To The King • November 8, 2017 3:34 PM
@Rachel
So you are calling the King a Thief? that’s still a step down from what Clive called him. 🙂
I was merely saying that King can be read as fscking, as in ‘king idiot, ‘king ‘ell, ‘king unlikely usw.
round here someone would definitely have called the good king a ‘king c**t’.
here’s a lateral shift, “Unfortunately, the MINIXCon 2017 conference had to be cancelled due to the small number of talks submitted”, indeed, nobody wants to talk about Minix, why would they? might as well cancel the tide
Clive Robinson • November 9, 2017 7:06 AM
@ Hail to the King, Rachel,
… indeed, nobody wants to talk about Minix, why would they?
Err they might very very soon…
It appears from what has recently been said that Minix runs on more Intel platforms than any other OS…
Apparently that Ring -3 Intel ME uses a full stacks version of Minix as it’s OS.
Thus the way to blow Intel ME to hell and beyond is to “get with the program” which is Minix.
Oh amd just to add a big chunk of fat to the fire, Minix 3 was in effect payed for by the USG…
So one scoop of sugar, one scoop of kernels and add to a very hot pan with a little oil in the bottom. Put on lid quickky, wait for poping to stop and tip out into a bowl, sit back and enjoy the entertainment all sweetened with a big helping of “toffee pop corn”.
JG4 • November 9, 2017 7:28 AM
none of this will be a surprise to Clive
if you haven’t done the math already, it might make the hair on the back of your neck stand up
Clive Robinson • November 10, 2017 6:15 AM
@ Nick P, Wael and others interested in CvP,
I was chatting to a group of people a little while ago when the subject of the British Contribution to computers came up. What is not known to modt is thst it eas the British thst developed thr first single chip 16bit computer back in the 1970’s when Silicon Valley was sill arguing about wether four or eight flower pots in the ALU was the way to go. Any way as was usuall at the time where UK government money was involved the Faranti chip that eas without doubt a world leader was highly classified as it was destined for military purposes. This it’s not part of the “Collective Historical Record” of computing. However there is evidence that the secrecy yet again ment the technology got “gifted” to the US MIC who profited by it greatly…
Any way when reminiscing as older engineers tend to do the conversation came around to the likes of mavericks and the obviois one was Sir Clive Sinclair and the fact his real skill was attracting other mavericks. One of whom was Ivor Catt who is mainly remembered for “The Catt Anomaly” where he disagreed with the general community about the behaviour of the PN junction back in the 1980’s and was effectivly “blanked” from then on in by the community as what you might see as being the equivalent of a “Heretic in Rome”.
However the “Catt Spiral” was mentioned which I vaguely remembered correctly. But what I did not remember was,
http://www.ivorcatt.com/3ewk.htm
Ignoring for the moment he was talking about “whole wafers” in essence his ideas are quite similar to what I had proposed for putting the prisons in CvP on a single chip.
It was something @RobertT was also interested in as his comments at the time show.
Anyway for those who have realised that the future is most definitely massively parallel at all levels up the Ivor Catt work in the 1980’s will be a bit of an eye opener.
Wael • November 10, 2017 6:28 PM
@Clive Robinson,
Sir Clive Sinclair
Once upon a time I had a Sinclair computer 😉
his real skill was attracting other mavericks.
Female mavericks, that is!
are quite similar to what I had proposed for putting the prisons in CvP on a single chip.
He wrote about something that has nothing to do with security. I see remote correlation between C-v-P and what Ivor wrote. The only intersection I see is scalability, there is no concept of prison there, unless I missed it!
Hail to the King • November 10, 2017 8:19 PM
@Clive Robinson
Indeed the revelation that all recent Intel chips are running the infamous ME on/in a modified Minix3 was what I was alluding to.
Thus the way to blow Intel ME to hell and beyond is to “get with the program” which is Minix.
The ‘beyond’ in that sentence could be vast – yes, disabling ME would be nice, but also reversal, analysis, exploiting, repurposing. I have a gut feeling that one could make a nice castle.
This story could/should be enormous and may touch many security niches – backchannels, sidechannels, fragile NOBUS, what ME sniffs and who it reports to, these should be enough to spark Global “Stallman was right” protests. The CVE’s are coming, and hard – I expect new classes of attacks, not just new instances.
Or maybe this will all be waved away as Julian/Eugene officially untrue propaganda that’s demonstrably true.
I should be underground R&D’ing but JTAG access over USB smells nice enough to tempt me out and read the news…
Wael • November 10, 2017 8:24 PM
@Hail to the King,
I should be underground R&D’ing but JTAG access…
Methinks it won’t work. JTAG could be disabled + HW watchdog timer that’ll reset the system if debugged.
Clive Robinson • November 11, 2017 5:30 PM
@ Wael,
The only intersection I see is scalability, there is no concept of prison there, unless I missed it!
It’s a bit more than “scalability” it was also the use of “local memory” for each simple CPU running it’s own simplified task and a mandated gateway to the communications with the rest of the system.
In effect what I added was stronger issolation via an MMU controled by a layer further up in the system, which was in part how the Catt Spiral worked. But the spiral only worked at startup where as I mandated continuous monitoring of “health/sanity” in various ways.
So as far as I’m concerned he had the basic foundation ideas –that I came up with independently later– back in the 80’s. Thus he had in part designed the basic nuts and bolts.
With hindsight it’s easy to say “it’s obvious” but I was a practicing design engineer back then, and I remember how different things were. For instance the reason the 6502 CPU had next to no registers was that it was faster by a considerable margin to use core ram than on chip registers. That only changed with the likes of the AMD 29K 16bit ALU and register bit slice chips.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
handle_x • October 27, 2017 4:40 PM
“researchers” my left ass, they’re the subsurface avant garde. Gorgeous sculpture.
Reefs don’t need to be objects d’art but I guess why not? I hope the bottom feeders appreciate it!