Friday Squid Blogging: Gonatus Squid Eating a Dragonfish

There's a video:

Last July, Choy was on a ship off the shore of Monterey Bay, looking at the video footage transmitted by an ROV many feet below. A Gonatus squid was spotted sucking off the face of a "really huge dragonfish," she says. "It took a little while to figure out what's going on here, who's eating whom, how is this going to end?" (The squid won.)

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on December 22, 2017 at 4:05 PM • 105 Comments

Comments

keiner • December 22, 2017 4:21 PM

Firefox on opensuse - loading executable from net via http on first start

See the post here by suse-rasputin, 15-DEC-2017 at 10:43

https://forums.opensuse.org/showthread.php/528559-Paranoid-browser-test-is-there-privacy-in-FOSS/page4

The branded Firefox (FF) in the opensuse distribution (also in Tumbleweed and Leap) is shipped with a proprietary Cisco H264 plugin you cannot uninstall.

Besides the intrusive contacts to mozilla domains all over the place during FF start, the insecure download of this Cisco plugin via http on the first start of the browser is somewhat amazing.

Given the history of Cisco with backdoors in routers patched with other backdoors this is somewhat disturbing to me.

Do I have to add that the IP of the author of this post is blown from the internet within minutes when trying to contact the opensuse forums?

And that he no longer can log in these forums?

Would expect something like this in Russia or Turkey, but Suse is a German/UK company...


Merry Christmas! :-)

surveilled in the usa • December 22, 2017 4:50 PM

@keiner

"Firefox on opensuse - loading executable from net via http on first start

See the post here by suse-rasputin, 15-DEC-2017 at 10:43"

Sometimes I use TENS (formerly LPS).

With it, before connecting to the internet or browsing with Firefox, sometimes I 1) enable the Extension NoScript and 2) Never Activate the Add-ons.

Has suse_Rasputin tried TENS?

surveilled in the usa • December 22, 2017 5:46 PM

Misc. Questions

Is PayPal preferable to using a credit card for internet purchases?

Does anybody know if all usa credit cards are equally bad subpoena/privacy/3rd party holder-of-data wise?

Does anybody know if all usa cellular providers are equally bad, more or less, regarding things like subpoenas/privacy/3rd party holder-of-data, except for perhaps Credo Mobile? For example, Credo Mobile, AT&T, Comcast, T-Mobile and Verizon are reviewed on https://www.eff.org/who-has-your-back-2017, but Sprint, Straight Talk, Walmart's brand, Consumer Cellular, Ting, TracFone and so on aren't listed by eff.org above (maybe they will be next time).

Any recommendations for subpoena/privacy/3rd party holder-of-data vs. price? Credo ain't cheap.

https://www.consumerreports.org/u-s-cell-phone-carriers/best-cell-phone-plans-save-money/
https://www.consumerreports.org/cro/cell-phones-services/buying-guide
https://www.nerdwallet.com/blog/utilities/prepaid-cell-phone-plans/
https://www.pcmag.com/article2/0,2817,2375644,00.asp
http://www.toptenreviews.com/mobile/phones/best-prepaid-cell-phones/

hmm • December 22, 2017 8:41 PM

"Is PayPal preferable to using a credit card for internet purchases?"

If you like paying more and getting less with less recourse in the event of fraud, sure.
Oh and your transaction history is sold either way.

"all usa credit cards are equally bad subpoena/privacy/3rd party holder-of-data wise?"

If they're US companies then they're legally more or less the same; they can be compelled with zero effort.
If it's a foreign issued card it can vary, as can how well individual banks protect private info.
I've always found specific niches of credit unions blow all others out of the water.
You can also hire financial management services but that's millionaire stuff.

"Credo aint cheap"

Neither is rolling your own. Just use burners and live off prepaid cards. Brevity is wit.

It sounds like you're trying to avoid getting popped but you want to be half-assed about it.
Good luck with that.

AtAMall • December 22, 2017 9:07 PM

https://www.washingtontimes.com/news/2017/dec/21/barack-obama-used-classified-intelligence-leaks-po/
[snip]
"operative some believed had a hand in plotting the gruesome 2009 suicide attack in Afghanistan that killed seven CIA officers.

Their pursuit was personal, and by early 2014, according to a source directly involved in the operation, the agency had the target under tight drone surveillance. “We literally had a bead on this guy’s head and just needed authorization from Washington to pull the trigger,” said the source.

Then something unexpected happened. While agents waited for the green light, the al Qaeda operative’s name, as well as information about the CIA’s classified surveillance and plan to kill him in Pakistan, suddenly appeared in the U.S. press.

Abdullah al-Shami, it turned out, was an American citizen, and President Obama and his national security advisers were torn over whether the benefits of killing him would outweigh the political and civil liberties backlash that was sure to follow.

In interviews with several current and former officials, the al-Shami case was cited as an example of what critics say was the Obama White House’s troublesome tendency to mishandle some of the nation’s most delicate intelligence — especially regarding the Middle East — by leaking classified information in an attempt to sway public opinion on sensitive matters."

News to me. Like Cheney/Bush burning a MI6 or MI5 asset before the 2004 election. Any comparables for Presidents Clinton or Trump?

echo • December 22, 2017 10:40 PM

I discovered an opinion by Prospect magazine which framed the EU as a security issue not a trade issue. Brexit is a very political issue. I have extracted the points solely relating to the issue of security. (The full article is available behind registration.)

When discussing Brexit online with both American and EU citizens I argued that within the context of constitutional law the UK government have no powers in law to proceed, and advocated other EU citizens contact their respective politicians. Coincidentally, Scottish politicians are currently challenging via the courts the government on constitutional grounds. Additionally, the EU is also considering suspending membership of Poland for authoritarian government undermining the status of the rule of law and the concept of democracy which is a core value of EU membership.

With regard to current published UK Ministry of Defence strategic policy other news is that climate change may result in an increase of foreign people seeking refuge within the EU.

I note Edward Snowden's comment earlier this year that human rights must be baked into security protocols.

https://www.prospectmagazine.co.uk/politics/the-government-is-acting-as-if-the-brexit-negotiations-are-just-about-trade-heres-why-thats-dangerous

When we think of security, we think first of police or armies, of how to deal with terrorists or wars in our neighbourhood. These are all important, but they miss the most important factor contributing to our security. That is, friendly relations with the countries that are important to us.

One of the things that no one explained to the British people—not in the referendum campaign, nor in forty years of membership of the European Union—is that while the primary purpose of the EU is political, its most important goal has always been security.

[...]

One small example: when British sailors were captured by the Iranian Revolutionary Guard, the EU made clear immediately to the Iranians that they risked quarrelling not just with the UK, but with the whole EU. The sailors were quickly released. That’s what friends are for.

[...]

The natural place for us to work together is security. UK cooperation with fellow EU members has produced important results in this field, like the Iran nuclear deal, or in the success the EU has had in all but ending piracy of the Somali coast.

EvilKiru • December 23, 2017 1:37 AM

@Stop_tinfoils: That's a bullshit reason by Mozilla. It should be an OPTIONAL (and SECURE) download for those who WANT it.

oh sure • December 23, 2017 2:21 AM

Mozilla is making some Apple-esque moves lately. Mr robot? Why are you doing this?

And now random plaintext CISCO certs without telling people, as if they won't find out?

Who are you and what did you do with the mozilla foundation?

Drone • December 23, 2017 4:44 AM

Seems like face munching Squid are fairly common:

"The law of beak and claw" [02:16]

Monterey Bay Aquarium Research Institute (MBARI)

Published on Jan 13, 2014

This video shows a deep-sea squid Gonatus onyx fighting to eat an owlfish Pseudobathylagus milleri. It was recorded using [the] remotely operated vehicle Doc Ricketts.

https://www.youtube.com/watch?v=IumiGIM26wc

Bob • December 23, 2017 7:46 AM

GCHQ report dropped just before Christmas, salient parts:

"265. GCHQ said that the FOXTROT Programme (costing £***m over five years) is in part a response to the growth of ubiquitous encryption ***.

However, since its establishment, the programme has suffered a number of delays. GCHQ told us that “the task has become more complex, the skills shortage has become more apparent, ***”.

This resulted in a one-year delay for the delivery of ‘Tranche 1’ capabilities (***), and an AMBER/RED rating from the MPA. GCHQ told us: I think it’s one of those programmes that’s red because it’s really really difficult. So we would be surprised if it wasn’t red. We discuss this at the Board regularly. It is our number one priority and our number one worry. I think we are doing all the right things. There are some problems that are just very, very hard to solve, not just because it’s technically difficult, but because the skills aren’t there."

"267. It is concerning that a programme described as critical to GCHQ’s work is marked AMBER/RED, and assessed as likely to remain this way. We urge GCHQ to reassess what more it can do to improve the outlook of this project and to ensure that its recruitment and skills management approach for the future addresses the skills shortage issue in this area.

268. Project GOLF (£***m over ten years) is a project to enhance the supercomputing capacity that supports much of GCHQ’s work. GCHQ has told us that this project is particularly critical, as it predicts that “projected mission needs will exceed existing data centre capacity limits in ***”.

GCHQ noted that its relationship with the US brought significant benefits ***. GCHQ has reported that this project *** is on track to be fully operational in early 2018."

Can read the whole thing here:

https://sites.google.com/a/independent.gov.uk/isc/files/2016-2017_ISC_AR.pdf?attredirects=1

Quantum attacks on safe primes?

CallMeLateForSupper • December 23, 2017 8:44 AM

DHS runs a face-scan program at at least ten major U.S. airports. The target is apparently a certain class of foreigners leaving the U.S., but everyone on the flight, including Americans, gets scanned. When identity data from a scan does not match the person's credentials, that person then gets fingerprinted to verify their identity. In that case, USG has slurped up TWO biometrics, without a warrant nor any reasonable suspicion of wrong-doing.

(EMPHASIS mine)
"This sophisticated biometric screening system could cost up to ONE BILLION DOLLARS. Congress has already created a “9-11 Response and Biometric Exit Account” to fund a biometric exit program in that amount. Yet, curiously, NEITHER Congress NOR DHS HAS EVER JUSTIFIED the need for the program. Congress NEVER PROVIDED A RATIONALE for it. For its part, DHS says that airport face scans are designed to VERIFY the IDENTITIES of travelers as they leave the country and STOP IMPOSTERS traveling under someone else’s identity. [YET] DHS itself HAS REPEATEDLY QUESTIONED 'the additional value biometric air exit would provide' compared with the status quo and the 'overall value and cost of a biometric air exit capability,' even as it has worked to build it."

"DHS’ biometric exit program also stands on shaky legal ground. Congress [...] has never clearly authorized the border collection of biometrics from American citizens using face recognition technology. [...] DHS also is FAILING TO COMPLY with a federal law requiring it to conduct a rulemaking process to implement the airport face scanning program — a process that DHS HAS NOT EVEN STARTED."

Finally, the error rate of this scan system is troubling on at least a couple of levels:

"According to DHS’ own data, DHS’ face recognition systems erroneously reject as many as 1 in 25 travelers using valid credentials. At this high rate, DHS’ error-prone face scanning system could cause 1,632 passengers to be wrongfully delayed or denied boarding EVERY DAY at New York’s [... JFK] International Airport alone."

Again, that is at just one airport; TEN airports are doing this. Every.day.

The study paper by The Center on Privacy & Technology at Georgetown Law
https://www.airportfacescans.com/

I agree with the authors: this smells like an on-the-cheap test of a questionable system cum biometrics-slurping fishing expedition.

So, unlock any of your eToys with your finger or face?

Rachel • December 23, 2017 9:19 AM

Happy festive experience
Joyeux Noel

be kind to each other. take care of your precious body. sleep lots. avoid politics.
Clive I hope you are recovering well


Have a great time everyone

Rachel • December 23, 2017 9:21 AM

Mr Schneier and Moderator

thanks for the fruits of your labours we have benefitted from for free
Thanks for making the world a better place

JG4 • December 23, 2017 9:54 AM


@Wael - I think that this wiki entry does a good job with the effect of time dilation. I've forgotten where I heard it, but the quote, "In the reference frame of the photon, emission and absorption are simultaneous," struck me as very profound. There is some connection to entanglement and quantum spookiness, but I don't begin to understand it.

https://en.wikipedia.org/wiki/Time_dilation#Relative_velocity_time_dilation
...
The faster the relative velocity, the greater the time dilation between one another, with the rate of time reaching zero as one approaches the speed of light (299,792,458 m/s). This causes massless particles that travel at the speed of light to be unaffected by the passage of time.

thanks for the continued excellent discussion. there's a lot more interesting news than this on nakedcapitalism today, but I am trying to be a good netizen and hew to the rules.

Links 12/23/17 | naked capitalism - Tor Browser
Posted on December 23, 2017 by Lambert Strether
https://www.nakedcapitalism.com/2017/12/links-122317.html

...

Beyond Secrets: The Consumer Stake in the Encryption Debate (PDF) Consumers Union (via)

...

NYPD to reveal names of vendors hidden for nearly nine years NY Daily News. “The News reported in February that vendors’ names for contracts worth nearly $390 million in the NYPD’s budget were withheld on the city Comptroller’s Checkbook 2.0 database that details city spending.” That’s real money!

...

Ergo Sum • December 23, 2017 10:05 AM

@surveilled in the usa...

Is PayPal preferable to using a credit card for internet purchases?

That depends, do you like to be "surveilled" by at least four financial entities? Namely by the online store, Paypal, credit card company and your bank to pay your credit card bill...

There isn't much one can do about preventing surveillance of your financial transactions in the case of online purchases. Well, other than forgo online purchases. But even in that case, brick-and-mortar store purchases are monitored in a similar way, if and when the purchase is made via credit card.

Personally, I use credit cards for online purchases. Most credit card companies in the US offer a "ShopSafe" type of service, where you log in to your account and generate a virtual credit card number for the online purchase at hand. If the online store is hacked, the hackers will have my expired virtual credit card number.

It's very similar to the script that used to reside on my PC a long time ago. It could generate a valid credit card number for any bank, but admittedly, the interface wasn't nearly as nice as the current "ShopSafe" interface.

echo • December 23, 2017 12:56 PM

@Bob

Skimming through 'Intelligence and Security Committee of Parliament. Annual Report 2016–2017': Section 8 "Diversity in agencies" notes the benefits of diversity both in terms of avoiding "groupthink" and enhancing skillsets. I note both a US study into military organisation and UK NHS internal reports strongly suggest that a rigid hierarchical organisation with overwhelming challenges can be conservative and error prone with regard to innovation and responsiveness when needing to provide solutions. Issues remain within UK education and properly valuing the economic contribution and value of diverse groups, so recruitment goals will continue to lag.

Section 5: Cyber Security. GCHQ’s implementation of the strategy. 89. “we’re spending too much time shouting at users and telling them they’re too stupid to do the right thing frankly, and that hasn’t worked and we need to get away from that”

Quite.

This report is interesting from a political and social perspective. It sheds a little light on organisational mindset and attitudes in a constitutional and policy sense but also attitudes towards the various stakeholders. Economic and fiscal policy don't escape attention either where they weaken the conditions GCHQ claim to be working within.

It's easy to criticise. On the plus side this document is a contribution to dialogue which is itself a step forward.

VinnyG • December 23, 2017 2:55 PM

@surveilled in the usa
It would be helpful to know what kind of surveillance concerns you most. Some random observations: Walmart gift cards can be purchased for cash and used for any on-line transaction that accepts VISA. Some providers (e.g., Private Internet Access) accept payment from a company named Paygarden (there will be a modest processing fee.) Paygarden can be loaded from the aforementioned Walmart gift card. Some of these services require an email address to register - Private Internet Access (PIA) requires an email address to receive the account authentication info, which may be delayed. For any transaction that only requires a demonstrated valid email address, I recommend one of the domains maintained by Mailinator (mailinator.com and some of the others are commonly detected as "bogus" but @suremail.info usually works.) Don't use Mailinator to send anything confidential, just use it for email address proof. Also avoid it for any message exchange that may take longer than an hour or so, as Mailinator dumps messages as its buffer fills. For actual exchange of info such as PIA requires, a one-week trial account with StartMail can be obtained without providing any personal information. You can also purchase a TracFone at Walmart for cash and register it using a Mailinator address. None of this is foolproof and most of it involves some degree of difficulty, but it is doable. While none of this will render you untraceable to a statist organization with unlimited resources, it may increase the resource cost to the point that someone would need to be very interested in you, personally, to make the expense worth their while.

VinnyG • December 23, 2017 3:21 PM

Ubiquitous vehicle surveillance - are we there yet?
Most of those who frequent this blog seem to be of higher than average IQ, much higher than average technical sophistication, and at least somewhat paranoid as well (that last attribute may in some part be a consequence of the first two.) Most posts on surreptitious surveillance here tend to emphasize the risk; even assume that the real-world risk is at the highest point possible in the range of potential risks. I have no disagreement with that - I think it is necessary to err very much on the side of privacy and security vigilance in such analysis. However, I think that, in the interests of balance, it might also be useful occasionally to match those potential risks with some real world observations that illustrate some of the difficulties that the Authorities face in implementing effective surveillance, as I think we tend to discount those. Case in point:
http://www.mycentraljersey.com/story/news/crime/2017/12/21/new-brunswick-juvenile-charged-stealing-cop-car-impersonating-officer/973701001/
A 16 year old male stole an unmarked NJ State Police SUV (a recent model Chevrolet Tahoe) from the cop's home driveway in New Brunswick, NJ on the morning of December 17. The kid ran around in the truck for over two days, stopping motorists on major NJ highways, impersonating an LEO, attempting to shake down the motorists he stopped, and trying to pilfer fuel from a gas station using the same ruse. He wasn't found and arrested until December 20. I think it's fair to presume that the Tahoe was equipped with all of the location-tracking tech that would be forced on you or me if we purchased a similar model off a new car lot, and possibly more. I would also think that the NJSP would have some location tech of their own, and also access to at least some federal tech through one of the many fusion programs that have proliferated since 9-11, and that the embarrassment factor would have provided a pretty strong incentive to locate their truck and the perp expeditiously. The fact that it took them the better part of three days provides me with a little comfort that while the potential of tracking my vehicle (and yours) in real time is impressive and frightening, there apparently are also obstacles to the realization of that potential, at least at the moment.

Clive Robinson • December 23, 2017 3:28 PM

@ Drone,

Seems like face munching Squid are fairly common:

You mean outside of the US Banking Industry ;-)

VinnyG • December 23, 2017 3:33 PM

Just a random thought prompted by discussion of techniques to thwart facial recognition in a thread here a week or so ago. I wonder if a technique that provides the algorithm with "too much information" might be applicable to thwarting license plate recognition. I've seen numerous methods and products that attempt to prevent the cameras from capturing a sufficiently good image of the plate to generate an accurate plate number. I wonder what would happen if one had several items that met the system criteria for "license plate" displayed on the vehicle, all displaying different numbers (this is mostly an academic exercise; I'm aware of the unwanted attention this would likely attract from LEOs.) There are laws mandating the display of a valid license plate, and I assume there are also laws against displaying an expired or stolen plate, but I wonder if there is any law against displaying an artifact that appears to a computer program to be a valid license plate, but is not.

Clive Robinson • December 23, 2017 5:24 PM

@ VinnyG,

Ubiquitous vehicle surveillance - are we there yet?

No, nor are we ever likely to be, because it's unnecessary.

You need to think in graphs, specifically nodes and the connecting edges / pathways.

There is rarely any reason to monitor an edge, because you have to pass through a node to get access to it. Thus the nodes are in effect "instrumented choke points" that you have to navigate to get anywhere.

Which is why the major nodes get instrumented first. For various reasons only around 2%-5% of nodes need to be instrumented to cover 50-90% of journeys at, at least, two points...

This is important for a couple of reasons. Firstly it means "Toll Tags" etc need not be any more than an outside RFID, thus cheap to make and monitor unlike camera based plate readers. Secondly the system is essentially passive in nature, (which means "spoofing" is way way easier).

Thus the protocol the RFID tags are likely to use will in all probability be designed not for security but reliability (making spoofing easier).

Thus the authorities will have an established hierarchy of mainly low cost passive tracking systems. As long as they do not suspect you are manipulating the simple automated system they will not drill down to investigate the other systems, as that would be a needless use of valuable resources.

So if you fake somebody else's tag, they will accept the node logs unless they have reason to fall back to checking the saved video from which they might human verify the number plate. Likewise if you also fake the plates they will accept that record unless they have some reason to doubt it. The risk with faking a number plate is "street cops" who might stop you and cross check the driver's details, which is the apex of the technology for most current street cops, because of resources...

Obviously if you are of a technical persuasion and have some knowledge of the systems in use you can do two things. Firstly spoof/set up a false but accepted "trail", second using other technology they don't currently use, lay down a different trail for yourself as an alibi etc which would throw a wrench in the "beyond reasonable doubt" burden of the prosecution in court.

And this is the point, all these automatic systems are not "credible witnesses" in court. Any Police Officer presenting such as "proof" is in effect committing perjury because they have "no first hand knowledge" thus are presenting hearsay as such. Which they know --from their training-- unlike many members of the public is not allowed, which means it's not an acceptable error but a deliberate attempt to manipulate the evidence, thus a case will get binned fairly rapidly unless there is a strong motivation to keep at it.

Thus you need also when setting your alibi trail to ensure your face is seen and recorded elsewhere by either their systems or otherwise independent witnesses, such as a waiter at a bar or restaurant where you pay with a CC etc...

It's interesting to note that some of the brighter young street criminals in London give their phone travel card and recognisable Hoodie Jacket, even a bank card etc to those of similar size and stature so that an alibi is established...

The dumb ones surprisingly still use their phones to take selfies of themselves and their mates either "in the act" or with the "proceeds of their crimes", even though how the police find and use such videos/photos has been shown on TV Crime-Stop programs. As the idiots also tend to be the violent types, natural selection shows societal benefit from time to time...

Clive Robinson • December 23, 2017 7:08 PM

@ Bruce and the usual suspects,

You may have noticed I have mentioned from time to time that many transducers are bi-directional[1] and this has security implications[2].

Well as has been demonstrated in the past Hard Disk Drives (HDD) radiate energy in both the Electromagnetic (EM) and acoustic (sound) spectrums.

This paper details how the process can be used in reverse to in effect produce a Denial of Service (DoS) attack on HDDs,

https://arxiv.org/abs/1712.07816

In essence they use the fact that all tangible objects have dimensions and other properties that give rise to a number of resonance effects, one of which are self resonance and anti resonance which involve energy storage or transmission often at very high levels causing significant mechanical distortion effects above the object's plastic limits.

Many people will have seen video of a wine glass being shattered by the effects of self resonance, so can appreciate the following information,

Many hard disk platters are not made of metal but glass. The reason for this is that as you thin metal down it becomes "foil" and most of us have played with aluminium foil and know how easy it is to not just bend but distort. The reason to use glass instead is a little harder to get your head around unless you are familiar with the properties of Glass Reinforced Plastic (GRP) and optical fibers: whilst flexible and able to bend, they are difficult to permanently distort without breaking them.

So in theory the glass platters in a HDD could be made to shatter at sufficient localised sound power.

Whilst the paper does talk about using a speaker, this would not generally be a practical way to implement an attack. What the paper did not mention is that lasers of even moderate power when pulsed can cause the target to self resonate. In fact the high power military lasers actually pulse the laser to induce destructive resonance in the target as this requires less peak output power. So even though the HDD in a DVR or computer may not be visible, its case may well be visible through an external window. Thus a practical form of acoustic DoS on a HDD could be done by a pulsed CO2 laser through an office window focused onto a DVR or PC case.

I expect a certain Israeli University will start work on a paper for such an attack and have it ready by Easter ;-)

[1] The simplest example most have seen is a DC Motor being used as a Generator; what not so many realise is both effects happen at the same time[2], and it is the generated Back Electro Motive Force (EMF) that is used by DC motor speed controllers.

[2] Another example I have mentioned in the past is that a moving coil speaker works as a moving coil microphone and the other way around. I have also mentioned that if you connect it to the bidirectional port of a two to one port circuit like a circulator you can use it as both a speaker and a microphone at the same time. This has had security implications from the 1950s onwards. It is known that the KGB amongst others used to install broadcast radio receivers in town cars and hotels used by foreigners, who had been mistakenly led to believe that the radio could be used to hide a quiet conversation. It's known that the man who designed "The Great Seal Bug" developed a speaker/mic bug using a transformer based circulator because very few people including quite experienced technicians and engineers would spot it, especially as it also provided linearising feedback to the audio amplifier, thus made the radio appear as a more upmarket or luxury item...

Clive Robinson • December 23, 2017 8:11 PM

Any convincing Blockchain use cases?

It's arguable as to just how old the Blockchain is, some say a decade, some as much as a quarter of a century. The actual idea kind of goes back to the first chained mode cipher systems, so gives Methuselah a run for his money.

But apart from a pseudoanonymous ledger for crypto currencies nobody has come up with a killer application or even a non contrived use case, according to this,

https://hackernoon.com/ten-years-in-nobody-has-come-up-with-a-use-case-for-blockchain-ee98c180100

Whilst some might spit feathers --especially those running expensive "blockchain courses"-- the fact is I've no use for them, and I don't know anybody who does.

The nearest I got was quite some time ago to make an improved "code signing system" where individual code changes in a repository got put in a daily Merkle tree hashed chain (without the pointless HashCash proof of work).

Anyone else got a Blockchain use case where they think it actually needed the blockchain as opposed to a "nice to have it"?
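A minimal version of the daily Merkle-tree hash chain described in the comment above, as an added Python example (not code from the thread or from any project): each day's code changes become leaves of a Merkle tree, the day's root is linked to the previous day's block, and there is no proof of work at all; integrity rests on checking the chain against the repository history and on publishing or signing the latest link. The change summaries and dates are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(change: bytes) -> bytes:
    """Hash of one code change; 0x00 prefix keeps leaves distinct from interior nodes."""
    return _h(b"\x00" + change)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def _levels(changes: List[bytes]) -> List[List[bytes]]:
    """All tree levels, leaves first, root last; odd levels duplicate their last node."""
    level = [leaf_hash(c) for c in changes] or [leaf_hash(b"")]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2:
            level = level + [level[-1]]
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(changes: List[bytes]) -> bytes:
    return _levels(changes)[-1][0]


def merkle_proof(changes: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag says the sibling is on the left."""
    proof = []
    for level in _levels(changes)[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_proof(change: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the path from one change up to the published day root."""
    h = leaf_hash(change)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


@dataclass(frozen=True)
class DayBlock:
    day: str      # calendar day this block covers
    prev: bytes   # link hash of the previous day's block (zeros for the first day)
    root: bytes   # Merkle root of that day's changes

    @property
    def link(self) -> bytes:
        """What the next day commits to; no mining, just a hash over the block."""
        return _h(b"\x02" + self.day.encode() + self.prev + self.root)


def build_chain(days: List[Tuple[str, List[bytes]]]) -> List[DayBlock]:
    chain, prev = [], bytes(32)
    for day, changes in days:
        block = DayBlock(day, prev, merkle_root(changes))
        chain.append(block)
        prev = block.link
    return chain


def verify_chain(chain: List[DayBlock], days: List[Tuple[str, List[bytes]]]) -> bool:
    """Recompute every root and link from the repository history; any edit breaks it."""
    if len(chain) != len(days):
        return False
    prev = bytes(32)
    for block, (day, changes) in zip(chain, days):
        if block.day != day or block.prev != prev or block.root != merkle_root(changes):
            return False
        prev = block.link
    return True


# Constructed sample history: three days of commit summaries (not real commits).
SAMPLE_DAYS = [
    ("2017-12-21", [b"fix: bounds check in parse_header()", b"docs: update README"]),
    ("2017-12-22", [b"feat: add rate limiter", b"test: rate limiter cases", b"chore: bump deps"]),
    ("2017-12-23", [b"fix: off-by-one in ring buffer"]),
]


def demo() -> Tuple[bool, bool, bool]:
    """Returns (intact chain verifies, tampered history verifies, inclusion proof verifies)."""
    chain = build_chain(SAMPLE_DAYS)
    intact = verify_chain(chain, SAMPLE_DAYS)
    # Quietly rewrite one past change without republishing the chain: detected.
    tampered = [(day, list(changes)) for day, changes in SAMPLE_DAYS]
    tampered[1][1][0] = b"feat: add rate limiter (quietly altered)"
    still_valid = verify_chain(chain, tampered)
    # Prove a single change belongs to day 2 using only that day's root.
    proof = merkle_proof(SAMPLE_DAYS[1][1], 2)
    included = verify_proof(b"chore: bump deps", proof, chain[1].root)
    return intact, still_valid, included
```

Running `demo()` returns `(True, False, True)`: the honest chain verifies, the altered history does not, and a two-hash proof suffices to show one change belongs to its day.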

Anura • December 23, 2017 9:23 PM

@Clive Robinson

The only real use-case for blockchains is an environment where parties have to interact or do business but absolutely no one can trust each other. This is the epitome of laissez-faire capitalism.

abolishnsa • December 23, 2017 11:29 PM

Re: surveilled in the usa

US Mobile is a small MVNO offering T-mobile and Verizon service. It's not the cheapest, but it's competent, and I doubt it's engaging in traffic spying through proxies (as many MVNOs do). They also accept store purchased debit cards like Amex Bluebird - without asking too many questions. "Too many questions" is so common these days - ya just wanna slap em.

US Mobile is useful because they break their offering into voice, text, and data. IMO data is all you want. No contact with the carriers systems besides the cell site itself. Don't use carriers for PSTN switching.

Instead use Signal and Sudo (https://anonyome.com/). Signal for all communications with family, Sudo for communications using the PSTN. Anonyome Labs MUST comply with CALEA laws - but they won't sell you out without a warrant (according to their TOS).

Use smartphone wifi effectively by protecting it with a VPN, and 100 MB of data each month is all you really need for complete telephone service. That's $4 per month.

Those Sudo numbers are state of the art Twilio product likely using Opus and webrtc tech. They handle DTMF signals well.

tyrDecember 24, 2017 1:24 AM

I happened to catch a couple of new Mark Blyth
videos on youtube. He's a political economy
prof at Brown University and is always worth
some attention.

He happened to show a video clip on entrainment
from some guy at MIT. This was in reference to
systems theory where second or third order
effects can feedback to override what should
be randomness. He seems to think that may have
much larger implications in social systems.

Once you adopt the one true way to do things.
Intel CPUs being a marvelous case of this you
expose yourself to the invisible possibility
of entrainment in which everyone finds that
they are in lockstep but got there without it
being a stated goal.

Anyway if you have the time, have a look.
He is also quite unkind to economics but the
objections apply to a much wider field.

I particularly liked his description of how
we build a gaussian curve of the regularly
occurring events of a black swan russian
roulette game. My guess would be that it
should be plotted as a Dirac function.

The security aspect is that if everyone is
doing the same things the side channels of
Clive are being opened wider by that set of
entrainment without anyone being aware of
their participation in it.

echoDecember 24, 2017 1:48 AM

@Anura @Clive

Yanis Varoufakis discusses Bitcoin’s bubble, the fantasy of apolitical money and the opportunities for the blockchain to reform Europe

http://www.wired.co.uk/article/yanis-varoufakis-bitcoin-bubble-interview

Yanis's ideas include disintermediation of control and distributing resources more fairly and notably combatting corruption. He proposes blockchain can be used or play a role in facilitating solutions. The article is rather long. If you wish to skip most of the discussion the last three paragraphs of this article contain a potted summary.

echoDecember 24, 2017 2:07 AM

@VinnyG

I am not a judge or prosecuting authority so have no idea but imagine the fraud or computer misuse acts may be relevant to prosecuting number plates modified to evade electronic surveillance. It seems there is already a specific law covering this.

Vehicle Excise and Registration Act 1994

https://www.legislation.gov.uk/ukpga/1994/22/part/III/crossheading/offences-relating-to-registration-marks

Obscured registration mark.

(1) If a registration mark fixed on a vehicle as required by virtue of section 23 is in any way—

(a) obscured, or

(b) rendered, or allowed to become, not easily distinguishable,

the relevant person is guilty of an offence.

echoDecember 24, 2017 2:38 AM

Here are some articles on power and conflict and false memories.

Here's How Being in Power Messes With Your Brain, According to Science
http://www.sciencealert.com/this-is-what-power-does-to-your-brain-and-your-body

It's Possible to Plant False Memories Into Your Brain, And It Could Be a Good Thing
http://www.sciencealert.com/brain-fuzzy-trace-false-memory-advantages-human

A Psychologist Explains How to Deal With Conflict Over The Holidays
http://www.sciencealert.com/a-psychologist-explains-how-to-deal-with-conflict-over-the-holidays

FoxpupDecember 24, 2017 2:43 AM

@Clive
No, "blockchain technology" is pretty much just a buzzword to separate fools from their money. Here's a good article about it:

It's Not About the Technology, It's About the Money

TL;DR: The blockchain was designed to solve a specific problem in electronic cash systems, and simply doesn't make sense when applied outside of that narrow context. This shouldn't be surprising since most technology can't be applied outside of the narrow field for which it was originally designed, but some people insist on learning that the expensive way.

AnonDecember 24, 2017 3:24 AM

Merry Christmas/Happy Holidays to everyone, and thank you to Bruce and Mod for this forum.

Blockchain: A solution looking for a problem.

If Blockchain was actually secure, it wouldn't have the problem whereby an attacker having more than 51% control of a network and faster computers can create fraudulent transactions. I have yet to hear of a solution to this problem, and it seems to be conveniently ignored.

Blockchain is slow (or at least, the Bitcoin version of it is) and so doesn't scale to large volumes of transactions.

Beware hype.
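The hash-power argument in the comment above can be put in numbers. The following is an added example, not part of the original comment: it implements the attacker-success calculation from section 11 of the Bitcoin whitepaper (Nakamoto, 2008), in which an attacker controlling a fraction q of the hash rate tries to replace a payment after the merchant has waited z blocks. Below half the hash rate the success probability falls off exponentially in z; at half or more it is 1 no matter how many confirmations are waited for, which is the situation the comment describes. The reference values used to check it are the ones printed in that section of the paper; no live chain data is involved.

```python
import math


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash fraction q ever closes a z-block gap.
    Gambler's ruin: (q/p)^z while the honest side has the majority, certain otherwise."""
    p = 1.0 - q
    if q >= p:
        return 1.0
    return (q / p) ** z


def attacker_success(q: float, z: int) -> float:
    """Probability the attacker can still reverse a payment that has z confirmations.
    While the honest chain mined z blocks the attacker's progress is Poisson with
    mean z*q/p; for each possible progress k the attacker then has to catch up the
    remaining z-k blocks (whitepaper, section 11)."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:                          # majority attacker: wins eventually, whatever z is
        return 1.0
    lam = z * q / p
    total = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_needed(q: float, target: float = 0.001):
    """Smallest z with attacker_success(q, z) < target, or None when no number of
    confirmations helps (q >= 0.5)."""
    if q >= 0.5:
        return None
    z = 0
    while attacker_success(q, z) >= target:
        z += 1
    return z


def success_table(q: float, max_z: int):
    """(z, probability) pairs, the same shape as the table in the whitepaper."""
    return [(z, attacker_success(q, z)) for z in range(max_z + 1)]
```

The table makes the "more than 51%" figure concrete: at q = 0.1 five confirmations push the attacker's odds below 0.1%, at q = 0.3 it takes twenty-four, and at q = 0.5 the function returns 1.0 for every z, so `confirmations_needed` correctly reports that no waiting period is enough.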

Winston SmithDecember 24, 2017 9:03 AM

"Edward Snowden... unveiled a new phone app he helped create, called Haven, that aims to protect laptops from physical tampering."

"Snowden says it's an open-source tool... it uses an Android phone's sensors to detect changes in a room."

https://apnews.com/7b8aacd0d929493bb4fea9ca57ea90d3/Edward-Snowden-unveils-phone-app,-Haven,-to-spy-on-spies

https://www.wired.com/story/snowden-haven-app-turns-phone-into-home-security-system/

—-----------------

I did not see it on Google Play.

Github link:

https://guardianproject.github.io/haven/

CallMeLateForSupperDecember 24, 2017 10:32 AM

Re: Haven, the fartphone program

"Take heart amid the deepening gloom" that, at last, an old phone relieves you of the task of physically holding your closely held secrets (and your eToys). It is now perfectly safe to abandon that laptop in your hotel room while you dally over a meal or drinks elsewhere, because, in the event that a balaclava-clad miscreant does relieve you of said eToys in the mean time, you will have a short, commemorative video of the heist.

And then there is this tweet by Edward Snowden:
"When the lead developer explained the project to his young children, they found another use for it: 'We’re going to catch Santa!' "

Ya buy 'em books, ya buy 'em a mule, and you send them to school. What do they do? They chase Santa on the mule and pummel him with books! :-)

Clive RobinsonDecember 24, 2017 3:36 PM

@ All,

Rumour has it that at this time of year we try to be nice to people or get called an "Old Scrooge" or something similar. Some of us old miseries blame some bloke called Dickens who wrote stories that actually showed that the "Class System" in London and England could easily be measured by the food you put on your table[1] not just most days but high days and holidays as well.

Before then there used to be a tradition that "the lord" used to serve his servants on Christmas day, the modern version is those who work tirelessly in soup kitchens and similar ensuring that people can have hot healthy food for at least one day of the year. So spare a thought tomorrow for such people and those that raised the money etc to obtain the food.

I hope everybody here has a good day tomorrow and contacts members of their more distant family and friends just to show that they are still thought of.

So peace be with you and yours and have hope that next year will be better than this year.

[1] This is apparently even more relevant today than in Dickensian England. With child poverty being the highest it ever has been since appropriate records have been kept in what was the fourth richest nation in the world.

oh reallyDecember 24, 2017 4:13 PM

Nice words Clive.

Unfortunately the idea of helping the poor get a leg up is unpopular in the modern Conservatism.
The poor are despised and mocked by the robber baron culture. The tax scam is just the latest bit.
They literally have made a policy of killing poor people as able.

They have redefined Christ in their greedy self-serving image rather than serving Christ's teachings.

When the party that proclaims outwardly to serve the ideals of Jesus Christ acts like this, just what is it that they think Jesus Christ ever represented? A shrewd investor? A racial purist?

Merry Christmas to those who believe those teachings have value - rather than those who just celebrate an economic consumerist 'holiday' devoid of meaning beyond consumption.

If He's coming back to cleanse the wicked, now would be a good time.

Mike BarnoDecember 24, 2017 4:13 PM

@Clive R,

...This is apparently even more relevant today than in Dickensian England. With child poverty being the highest it ever has been since appropriate records have been kept...

Here in the USA, we enhanced? our society's security by funding a US$1.5trillion tax reduction, over a trillion of it directly or indirectly for our wealthiest 0.1 percent, while declining to fund the Children's Health Insurance Program. While setting up our child-poverty-fighting programs for automatic budget cutting soon, when the first accounting shows deficits.

If you stand to inherit hundreds of millions worth of real estate assets, when your father or father-in-law dies in disgrace impeached and removed from office, then this bill is great for your security. If you're a passive investor, making money off investments in someone else's work and someone else's ideas, then this bill is great for your security. But a child outside these socioeconomic groups is less secure in 2018 and beyond.

Clive RobinsonDecember 24, 2017 4:26 PM

@ Winston Smith and interested others,

From the Wired article on Ed Snowden's Haven we get,

In WIRED's initial tests of Haven's beta version, the app successfully detected and alerted us to any attempts to approach a laptop on an office desk ... If anything, the app was too sensitive to saboteurs; it picked up and alerted us to every stray office noise. The app's accelerometer detection was so hair-triggered that even leaving the phone on top of a computer with a moving fan inside created hundreds of alerts.

The "over sensitivity" is actually quite a good sign, as it indicates it probably has a suitable dynamic range available.

The trick now is to not "adjust sensitivity" but "adjust sensitivity in frequency bands".

For instance the fan in a computer has a recognizable and learnable frequency spectrum. If you create "an inverse transform" you in effect either remove or significantly reduce the fan noise in the signal you process further for signs of saboteurs.

But of more interest most mechanical noises are fairly deterministic in their behaviour, thus any change indicates that something has changed in the environment. It might not be a person or other entity but the fact there has been a change should be noted and considered with respect to other sensor inputs.

The chances are it is something like clouds clearing allowing stronger sunlight to hit the computer case causing its temperature to increase thus causing the fan to work harder to remove the increased excess thermal energy. However it should also cross correlate with other sensor data such as that measuring light levels. If it does not correlate then it could indicate that there is an EM Fault Injection attack etc in progress, which is being tried from a remote location.

At the end of the day there are trade offs to be made as resources are finite. That is there is only a certain number of CPU cycles you will get with any given battery state, thus a choice has to be made between what gets monitored, recognised and communicated versus battery life.

Unfortunately this opens loop holes that adept specialists can exploit, "IFF" they are sufficiently predictable. Thus the more "knobs to twiddle" by a user the less chance a specialist has to slip through any loop holes.

Nobody ever said security was easy ;-)
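The band-limited sensitivity and sensor cross-check sketched in the comment above, as an added example; this is not Haven's code and not part of the original comment. A short pure-Python DFT splits each audio frame into frequency bands, a baseline of known-quiet frames gives every band its own threshold (so the fan's band tolerates the fan while the others stay sensitive), and a fan-only rise is then cross-checked against a light-sensor flag as the comment proposes. The 800 Hz sample rate, the 100 Hz "fan" tone, the click and the light flag are all constructed assumptions, not recordings.

```python
import cmath
import math

SAMPLE_RATE = 800            # Hz (constructed); a 100 Hz fan tone then lands exactly on bin 8
FRAME = 64                   # samples per analysis frame -> 12.5 Hz per bin
N_BANDS = 8                  # bins 1..32 grouped into 8 bands of 4; DC (bin 0) is ignored
BINS_PER_BAND = (FRAME // 2) // N_BANDS


def dft_magnitudes(frame):
    """|X[k]| for k = 0..FRAME/2, naive O(N^2) transform (fine for 64 samples)."""
    n = len(frame)
    out = []
    for k in range(n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(frame))
        out.append(abs(acc))
    return out


def band_energies(frame):
    """Per-band sum of bin magnitudes, skipping DC."""
    mags = dft_magnitudes(frame)
    return [sum(mags[1 + b * BINS_PER_BAND: 1 + (b + 1) * BINS_PER_BAND]) for b in range(N_BANDS)]


def learn_baseline(quiet_frames):
    """Mean and standard deviation of every band's energy over known-quiet frames."""
    columns = zip(*(band_energies(f) for f in quiet_frames))
    baseline = []
    for energies in columns:
        mean = sum(energies) / len(energies)
        var = sum((e - mean) ** 2 for e in energies) / len(energies)
        baseline.append((mean, math.sqrt(var)))
    return baseline


def flagged_bands(frame, baseline, k=4.0, floor=1.0):
    """Bands whose energy exceeds mean + k*std + floor. The per-band threshold is the
    'sensitivity in frequency bands'; the absolute floor keeps silent bands from
    triggering on rounding noise."""
    return [b for b, (e, (mean, std)) in enumerate(zip(band_energies(frame), baseline))
            if e > mean + k * std + floor]


def assess(frame, baseline, light_rose, floor=1.0):
    """Classify one frame; a change confined to the fan's own band is judged by
    whether the light sensor moved with it (sunlight on the case) or not."""
    bands = flagged_bands(frame, baseline)
    if not bands:
        return "quiet"
    if len(bands) >= N_BANDS // 2:
        return "broadband: intrusion candidate"
    fan_bands = {b for b, (mean, _) in enumerate(baseline) if mean > floor}
    if set(bands) <= fan_bands:
        if light_rose:
            return "fan change, explained by light"
        return "fan change, uncorrelated: investigate"
    return "narrowband change outside fan: investigate"


# ---- constructed signals (assumptions, not recordings) ----
def fan_tone(amplitude, freq=100.0):
    return [amplitude * math.cos(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(FRAME)]


def with_impulse(frame, index=10, height=3.0):
    """Fan tone plus one sharp click, e.g. a case latch: energy lands in every band."""
    out = list(frame)
    out[index] += height
    return out


# Five quiet frames with the fan wandering a little in level, as a real fan does.
BASELINE = learn_baseline([fan_tone(a) for a in (1.0, 1.1, 0.9, 1.05, 0.95)])
```

A single global threshold cannot separate the last two cases: a louder fan and a click both raise total energy, but only the click spreads across bands, and only the fan case can be excused by a correlated light reading.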

ChucklesDecember 24, 2017 5:55 PM

New York City’s Bold, Flawed Attempt to Make Algorithms Accountable
https://www.newyorker.com/tech/elements/new-york-citys-bold-flawed-attempt-to-make-algorithms-accountable

A tiny, intriguing, ambitious thing, it proposed that whenever a city agency wished to use an automated system to apportion policing, penalties, or services, the agency would be required to make the source code—the system’s inner workings—available to the public. It would also be required to simulate the algorithm’s real-world performance using data submitted by New Yorkers.

Alas, it got watered down.

justina colmenaDecember 24, 2017 6:53 PM

@surveilled, VinnyG, echo

Almost all license plates here in Alaska are totally obscured by snow in the wintertime. No one is going to bother prosecuting you for that. There are plenty of electronic or electromagnetic means of tracking motor vehicles.

Clive RobinsonDecember 24, 2017 9:15 PM

@ Jack,

Your computer has security knobs?

From the article we were talking about an input being too "sensitive"... Traditionally to adjust sensitivity you would "twiddle the knob" to get the desired level of response. Someone who does this almost involuntarily is often called "A knob twiddler", for instance various rock musicians who have been known to continuously adjust their instrument especially basses or their effects devices like the "sustain" have been called "A bit of a knob twiddler" at practice sessions. In the satirical film "This is Spinal Tap" there is a famous scene where one of the band members is seen discussing the band's knobs with a journalist and how their knobs are special because "they go all the way to eleven"[1].

Even our host @Bruce in his book about Hawks and Doves showed a first order system with control knobs.

Such knobs are quite frequent in certain types of physical instruments to show excitation levels and response. Thus to make the computer simulations more "realistic" they show analogs of knobs on the screen that you can twiddle to your heart's content all day long even though they are not physical in nature.

But in case you are not sure of what a knob is in English English. From the Cambridge dictionary,

https://dictionary.cambridge.org/dictionary/english/knob

knob noun [C] (ROUND OBJECT)

C1,

    a round handle, or a small, round device for controlling a machine or electrical equipment:
    a brass door knob
    Turn/Twiddle the little knob to adjust the volume.
    a round lump on the surface or end of something

[1] https://m.youtube.com/watch%3Fv%3DN3L4EZwmRrA

Clive RobinsonDecember 24, 2017 9:51 PM

Are modern games slow?

A number of people will get new electronics today to play with.

A number of us "Old Timers" will tell you games were faster in the 1980's on old 8bit computers using a 6502 CPU chip clocked at 1MHz which is a couple of thousand times slower and has only a tiny percentage of the transistors you get today.

Well guess what, there is a real truth behind this, they were faster in one important respect for interactive devices, up to six times faster in input to output "latency",

https://danluu.com/input-lag/

And despite what you will hear claimed, it is true that lower latency really does feel faster. It used to be an important psychometric value as it was known to affect how people felt about the systems they worked on.

Oh and the big offender in making latency longer, is our old friends in Redmond Washington State with "MS-DOS and Windows perched on top like a zimmer frame pushing old granny"... MS-DOS 5 on its own was about the fastest in terms of latency which is why surprise surprise some "word smiths" still use it along with WordPerfect for DOS...

Winston SmithDecember 24, 2017 10:04 PM

@Clive re: Haven

The "over sensitivity" is actually quite a good sign, as it indicates it probably has a suitable dynamic range available.

The trick now is to not "adjust sensitivity" but "adjust sensitivity in frequency bands".

Refinements and optimizations could make this a worthwhile (and more efficient, productive) product. Even in its current iteration, for example, it could not just alert you to the evil maid but it could monitor your vehicle while you go about your business or validate the affair your wife is having with the pool boy. It could surveil just about any location or situation within reasonable limits. But unless its code and authenticated communications are secure, too, then unfortunately any TLA, a cabal, your resourceful enemy, or many private businesses could make use of it against you. Could one really ever trust it? And even if you could trust it, what about the side channel attack that takes control of your phone, and therefore, Haven, too?

Step forward a handful of years from now. Imagine, from the 'Google can do anything with enough resources' department... instead of offering descriptive analytics about the world it sees, Haven ver. 3.7.1 provides prescriptive analytics. This notion yields actionable information instead of descriptive data. Instead of receiving a text message sent to your "real" phone that an alarm has been triggered on the "burner" phone indicating an abnormal sound has been recorded, it sends the owner a text message of this sort:

"3 men entered the surveilled room at 2:15 p.m. deduced by voice signatures and the pattern of footfalls. Our DSP processed 13 incidents of high decibel, short duration sound bursts consistent with the opening and closing of vessels and doors in a relatively short period of time. A phone call to 998-765-4321 was made at 2:17:33 p.m. which was determined by the frequency of the tones of each number dialed. This number is your business partner's cell phone. Voice analysis indicates inflection and tone of the conversation was predominantly anxious. A recording of this conversation can be heard at the following link: www.googleismyfriend.com/havenuser144334. For an additional $10 per month, you could automatically run a background check on any recognized voice or face that was recorded."

With each step on the slippery slope toward social acceptance, Google and the TLAs could have this service running for their benefit within a few more Android OS deployments.

Oh. Wait. Maybe we don't want Haven and its potential for misuse after all. The stakes keep getting higher, the technology gets more powerful, but the weaknesses of the moral character of the human beings remain as common.

ThothDecember 24, 2017 10:41 PM

@Clive Robinson

Re: Are modern games slow

They are not only slow but are very poorly coded, poorly executed and poorly designed.

I was playing a game where concurrency protection was almost non-existent and the management of fetching data from server and caching was so bad that my clicks are mistranslated and wrongly executed.

It turns into an aaarrrggghhh... moment when you see your clicks doing things you don't want to do due to delay and poor design and execution.

I wonder what happened to programming lessons these days on things like managing concurrency and protecting against corrupted objects and data due to multi-threading (i.e. using concurrency locks and message stacks and routing). It is not just games that are having trouble with concurrency and preserving integrity of transactions but even bitcoin exchanges that deal with potentially millions or billions of USD worth of them are known to glitch out from concurrency and failure to preserve integrity of transaction operations in critical setups.

I wonder whether the mass usage of Javascript or web scripting, which took out most of the concurrency management portion of programming, actually made programmers and script creators less aware of designing their software to be able to decently handle concurrency and also preserve integrity of transactions.
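The exchange failure mode mentioned above, as an added example that is not part of the original comment and not code from any real exchange: a withdrawal that checks the balance and then debits it in two separate steps lets two concurrent requests both pass the check (a check-then-act race), while holding one lock across the whole transaction serialises them. The `Ledger` class, the balances and the `in_window` hook are constructed for illustration; the hook only exists so the race can be forced deterministically instead of hoping for a lucky thread switch.

```python
import threading


class Ledger:
    """Toy exchange account (constructed). withdraw_racy has a check-then-act window;
    withdraw_safe holds one lock across the whole transaction."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount, in_window=lambda: None):
        if self.balance >= amount:     # check ...
            in_window()                # ... a second request can pass the same check here ...
            self.balance -= amount     # ... act: both debits go through
            return True
        return False

    def withdraw_safe(self, amount, in_window=lambda: None):
        with self._lock:               # check and debit are one atomic step
            if self.balance >= amount:
                in_window()
                self.balance -= amount
                return True
            return False


def race(withdraw, amount, workers=2, window=1.0):
    """Run `workers` withdrawals concurrently. Every worker that passes the balance
    check waits at a barrier inside the window, which forces the interleaving
    check/check/debit/debit on the racy method. Under the lock only one worker can
    be inside the window at a time, so its wait times out, the barrier breaks, and
    it carries on alone while the other is still queued on the lock."""
    barrier = threading.Barrier(workers)

    def hold():
        try:
            barrier.wait(timeout=window)
        except threading.BrokenBarrierError:
            pass

    results = [None] * workers

    def worker(i):
        results[i] = withdraw(amount, in_window=hold)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def is_consistent(initial, amount, results, balance):
    """The invariant an exchange must keep: no overdraft, and the balance accounts
    for exactly the withdrawals that reported success."""
    return balance >= 0 and balance == initial - amount * sum(results)


def demo(kind, balance=100, amount=80):
    """Two concurrent 80-unit withdrawals from a 100-unit balance; returns (results, balance)."""
    ledger = Ledger(balance)
    withdraw = ledger.withdraw_racy if kind == "racy" else ledger.withdraw_safe
    results = race(withdraw, amount)
    return results, ledger.balance
```

The racy run reports two successful withdrawals against a balance that only covered one; the locked run reports one success and one refusal and leaves 20 behind. The same shape of bug applies to any "read, decide, write" sequence on shared state, including the database row behind a real exchange, where the fix is a row lock or an atomic conditional update rather than a Python `Lock`.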

tyrDecember 24, 2017 10:59 PM


I found this interesting.

https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/

The comment section is worth a look also.

The only weird part was I found the pointer
to it on Art Hlavaty (better known as
cranky old fan in SF circles).

@Clive

Class system enforced by food differences
has been used for social control for
millenia. Someone who suffers from dietary
deficiencies can't sustain an offensive
or a siege over a long period of time.
They may be outraged enough to begin to
revolt but by starting out half starved
it only makes their condition worse as
they continue. You also get the effects
that Zinsser pointed out in Rats, Lice
and History. Any sustained campaign is
likely to be decided by the biome and
by starting of at risk to begin with
you rarely see any successful peasant
revolts take place.

Glad you're all doing OK, keep it up.

Markus OttelaDecember 24, 2017 11:18 PM

Happy holidays everyone. While it's still a work in progress, I thought I'd share this screen shot to let you know what to expect from 2018 (= Let's hope Stem supports prop 224 soon.

RachelDecember 25, 2017 4:22 AM

Tyr

tactics also include leaving food but only such to diminish the population and render them passive and incapable of resistance - in the case of potatoes in Ireland

Clive

The comment by Jack about security knobs was I believe in jest but I love how you meet almost every comment with a straight face and detailed
reply. Some countries have another definition for the word knob.

Justina
yes the wide band cameras at tolling checkpoints can image a numberplate regardless of snow or mud obscuring plates

Clive RobinsonDecember 25, 2017 8:07 AM

@ Rachel,

Some countries have another definition for the word knob.

Yes which is why Terry Pratchett invented a bawdy song for Discworld "A Wizard's Staff has a knob on the top" to be sung by a one-toothed Witch with gusto ;-)

For fun, imagine a male baritone voice, with a stiff upper lip and "Plummy Mid Surrey" English accent of the "Mad Dogs and Englishmen" type as beloved by American TV Producers, reading out my reply to Jack and you should see it in a different way ;-)

@ tyr,

Class system enforced by food differences has been used for social control for millenia.

It was not just food but many aspects of life including what clothes could be worn, with unpleasant death as punishment.

In reality what lies behind it is "status". Some people would willingly give up half their wealth and power in life, if it diminished the status of the masses, such that the "status gap" was increased to their benefit.

It's sad but true, such people exist and will fight tooth and claw to be seen as better than others and rub it in their faces. It's kind of worse than being a Z list celebrity with narcissistic sociopath disorders, and "daddy" to have left enough money such that they can buy their own authoritarian followers.

JG4December 25, 2017 8:07 AM


Just for the record, government is the ultimate sockpuppet.

https://www.nakedcapitalism.com/2017/12/links-122517.html
...
Big Brother is Watching You Watch

What Happened To Julian Assange’s Twitter Account? Social Media Confused International Business Times
...

I think that I found the next link on Drudge. Not sure if I mentioned that he used to post to alt.conspiracy before he had a web page. Just for the record, there was a lot of crazy on alt.conspiracy in those days, but he generally was a voice of reason with interesting gossip. This could turn interesting:

https://www.cbsnews.com/news/julian-assanges-official-twitter-account-not-appearing-wikileaks/
...
It wasn't clear whether the account was suspended or deleted by Twitter or Assange himself -- or why or for how long. Twitter wasn't commenting.
The official Wikileaks Twitter account was still live but wasn't mentioning the Assange account.
An account purporting to be an alternative Assange account was claiming Twitter had deleted his official one ahead of a blockbuster story he's preparing to break. There was no confirmation that Assange was authoring that alternative account -- and that account has now been suspended by Twitter.

WaelDecember 25, 2017 12:08 PM

@JG4,

I think that this wiki entry does a good job with the effect of time dilation.

I take it you're responding to this post.

I took a quick glance and couldn't immediately see how it supports your claim, but I'll check it again later.

WaelDecember 25, 2017 5:04 PM

@JG4,

Ok, GR it is (Gravitational time dilation.) I still can't wrap my head on this:

the radio photons/waves experience departure (creation) and arrival (dissolution) simultaneously.

Give me an example.

AnonDecember 26, 2017 1:09 AM

As anything with mass approaches the speed of light, mass necessarily approaches infinity, thus light speed is unattainable.

Light has no mass, hence the ability of a photon to travel at light speed.

Due to the ability for a photon to travel at light speed, it therefore instantaneously travels between two points from the perspective of the photon.

As always, frame of reference is very important.

tyrDecember 26, 2017 1:41 AM


@Rachael

The Potato famine problem was twofold.
First it was a monocrop of a single
variety, this is a major flaw if you
want any robustness. When it occurred
the folks who were growing other crops
were still exporting food abroad, the
system is called business as usual.

Left with nothing to eat by crop failure
and the sneering attitude of the upper
crust the Irish peasantry were reduced
to eating grass. The whole episode left
a bad taste in the mouth all around.

Systems have a nasty habit of doing these
kinds of thing due to human biases and
what Nassim Taleb describes as 'skin in
the game'. If the consequences do not
have an effect on you personally you can
avoid feeling any emotional response as
it ruins others. Happens all over the
world these days as the middle east is
being rubblized for unclear outcomes.

We used to be geared up to fight over a
couple of ideologies, now we are bombing
for something called "terror". Terror is
only felt inside an individual human brain
there is no way to externalize and quantify
anything so nebulous. However like Orwell
pointed out given the control apparatus
you can rewrite everything on the fly to
make it all a consensus reality with no
one able to express doubts.

However you should trust the people who
show they are trustworthy and those who
think things through. That's the real
spirit of this season we have hope and
are willing to trust each other for
many reasons. Humans are a pack animal
whose very survival was always through
the act of cooperation and sharing.

Wesley ParishDecember 26, 2017 4:04 AM

@usual suspects and anyone else interested

I came across something interesting in one of my books, Small Places, Large Issues by Thomas Hylland Eriksen. It's an introduction to cultural anthropology, and the relevant part that grabbed my attention was titled "Human Security as a Topic for Anthropologists", pp 186-187:

'Human security', writes Oscar Salemink (2010), 'is a relatively
new concept that usually defines security along economic dimensions ("Freedom from want"), physical and political dimensions ("Freedom from fear") and ecological dimensions ("Freedom for future generations to inherit a sound natural environment")'. As a 'people-centered security concern' it constitutes a shift away from the focus on the state as the locus and subject of (military, political) security, towards the individual as the locus and subject of (the right to) 'human security'. Originally a concept developed by the UNDP (United Nations Development Programme) in a bid to expand the scope of human rights policies and interventions, several anthropologists have seen it fruitful to incorporate the concept in their own research

It makes sense to me. It explains the gullibility of the West in the face of "Terror" and pterorism much better than various alternatives, most of which are regularly peddled by various governments and media outlets.

WaelDecember 26, 2017 4:43 AM

@Anon, @JG4,

As always, frame of reference is very important.

Of course! Also as important is the speed of light in a vacuum. Light slows down as the index of refraction of the medium it travels through increases. Speed of light in water is slower than it is in vacuum.

Light has no mass, hence the ability of a photon to travel at light speed.

Photons cannot be brought to rest, so the concept of 'rest mass' doesn't apply to them, although there were studies that gave an upper limit to their mass and an estimated lifetime of a Quintillion years.

Infinities and zeroes are hard to wrap one's head on. Theoretically they are possible, but in real life 'things' can only approach infinity or zero, but never reach those two extremes, in my humble opinion.

Now all this stuff can be found courtesy of wikipedia, google, etc... What I wanted @JG4 to think about is to correlate "Photons experience no time" to "entanglement". Einstein’s famous critique of quantum mechanics: "spooky action at a distance" could be countered with "well, from the particles' frame of reference, there is no distance" :) There! No spookiness (but only in vacuum)

JG4December 26, 2017 11:36 AM


https://linux.slashdot.org/story/17/12/24/0149241/fleeing-googles-apps-and-ios-mandrake-linux-creator-launches-eelo-project

@Wael and Anon - Quantum spookiness, hidden variables and instantaneous action at a distance are beyond my current grasp. I have a sense of where the limits of my ability lie, although I would like to push them out a bit further. They may be shrinking at a faster rate than I can push. It was vaguely disturbing to think about a photon that originated billions of years ago arriving in my eye. Apparently, matter experiences the passage of time, but massless particles don't. That's probably as close as I can get to an example.

Feynman showed that interactions of charged particles are mediated by photons. It is a short step from there to the conclusion that thoughts themselves experience both time and timelessness. Did I explicitly say that information theory has helped progress in both biology and quantum physics? It always comes back to the question of highest and best uses of resources on the old blue marble. I may have said that for the poor, resources are blood, sweat and tears. For the wealthy, the resources are time and money. I am in between.

I'd like to study math and physics in Switzerland, but that ship probably sailed in 1995 to 1997.


echoDecember 26, 2017 11:55 AM

US businesses refusing to accept cash and insist on card payments only and Visa bribing merchants to do away with cash and no laws preventing this just did my head in.

https://news.slashdot.org/story/17/12/26/1519255/cash-might-be-king-but-they-dont-care

In the UK public protest and government action have asserted the public's need for access to cash especially in deprived areas not serviced by bank branches.

https://www.link.co.uk/media/1316/h-documents-projects-interchange-2018-model-and-plan-interchange-consultation-public-final.pdf

11.

The Board is committed to retaining free access to cash for as long as required by consumers and with a broad national geographical coverage of ATMs. This means that the Board in relation to any changes to interchange will maintain LINK’s support for:

a. Free machines in areas of consumer demand.

b. Financial inclusion subsidies, where demand is insufficient to justify a machine receiving standard interchange rates and where there is consumer financial detriment arising as a result of the lack of an ATM. In particular, LINK intends to continue to use and strengthen the well established Financial Inclusion Programme. The Programme’s key parameters will be retained, including the 1 kilometre distance to a free machine criterion for subsidy for all of the most deprived areas in the country (defined as the lower quartile of all Super Output Areas ranked by deprivation).

echoDecember 26, 2017 12:03 PM

@wael @jg4 I have been having a quiet Christmas and spent time reading articles and blogs about science and watching a lot of sciency things and documentaries on youtube.

Reading about how scientists have discovered how to track unobserved quantum particles recalled metadata and the Snowden affair and reading a document which explained how a needle in the haystack (i.e. a threat who had turned their phone off) could be discovered.

Physicists Have Discovered a Way to Track Unobserved Quantum Particles
https://futurism.com/tracking-unobserved-quantum-particles/

WaelDecember 26, 2017 1:54 PM

@JG4, @echo, @Anon,

Quantum spookiness, hidden variables and instantaneous action at a distance are beyond my current grasp.

Don't feel bad. Nobody understands QM. Not even Feynman.

I'd like to study math and physics in Switzerland, but that ship probably sailed in 1995 to 1997.

Learning is a lifelong experience, ma man. Never give up! 3Blue1Brown is a good series to follow. I have posted other excellent resources on math as well, for example, search for Gilbert Strang on linear algebra. This is a good series to watch as well.

JG4December 26, 2017 2:14 PM


Thanks for the kind words. I actually still am learning, but realized in recent years that I have some cognitive disabilities. I'm almost halfway through a book on diamond coatings and recently cracked open a book that may have been mentioned here. Or I may have stumbled into it as a result of comments here:

Open Sources: Voices from the Open Source Revolution Paperback – January 13, 1999 $2.72
by Chris DiBona (Editor),‎ Sam Ockman (Editor),‎ Mark Stone (Editor)
3.5 out of 5 stars | 24 customer reviews
https://www.amazon.com/Open-Sources-Voices-Source-Revolution/dp/1565925823/

Didn't realize how long diamond-like coating technology has been around, but like I said at the Air Force museum at Wright-Pat, "It's amazing what you can do with $15 trillion of R&D funding." The key question in play is whether it was enough to buy permanent full-spectrum dominance. Various other parties are interested in different aspects and different durations of dominance:

https://www.nakedcapitalism.com/2017/12/net-neutrality-technical-solutions-new-neutral-corporate-net-municipal-broadband-mesh-networks-gamers.html

65535December 26, 2017 11:30 PM

A vexing question about SSL stripping and AV vendors doing so, moved from the "GCHQ Found and Disclosed Vulnerabilities" thread.

@ all SSL/TLS experts and the like

Is Anti-virus software that also strips SSL/TLS, with its high level of privilege, including sending files off of the local machine, a danger? Is this SSL/TLS stripping done by hiding the user's cert behind the root cert of the AV vendor, and is this dangerous or exploitable? Could this common method of SSL stripping undermine the PKI system and banking transactions? How exactly is SSL stripping done by AV vendors?

Here are those questions by Wael, Clive R. and 65535.

Wael,

“Root cause: violation of 'Least Privilege'. Anti malware processes need not have write privilege. Also a violation of 'Separation of Domains': Anti malware processes need to be containerized so vulnerabilities are local to their container. New architectures need to be explored. On the subject proper: disclosing one vulnerability doesn't imply all were or will be disclosed.“-Wael

https://www.schneier.com/blog/archives/2017/12/gchq_found_--_a.html#c6766348

65535 [asking about SSL stripping by Avast]

[StackExchange discussion on SSL stripping]

[StackExchange commenter discussing actual SSL stripping and overwriting of Windows certificate store]

"This is certainly the first I've heard of antivirus software scanning inbound HTTPS connections…But turns out that yes, in fact it is replacing web certificates with its own root CA certificate and then using that in place instead of the website's certificate. This is how Man in the Middle (MitM) attacks are carried out. From Avast's Website:

[Avast]
"Avast is able to detect and decrypt TLS/SSL protected traffic in our Web-content filtering component. To detect malware and threats on HTTPS sites, Avast must remove the SSL certificate and add its self-generated certificate. Our certificates are digitally signed by Avast’s trusted root authority and added into the root certificate store in Windows and in major browsers to protect against threats coming over HTTPS; traffic that otherwise could not be detected. Avast whitelists websites if we learn that they don't accept our certificate. Users can also whitelist sites manually, so that the HTTPS scanning does not slow access to the site.

"Further goes on go to explain:

[Avast]
"... Avast WebShield must use a MITM approach in order to scan secure traffic, but the important difference is that the “middle man” we use is located in the same computer as the browser and uses the same connection. Since Avast is running with Administrator rights and elevated trust on the computer, it can create and store certificates that the browser correctly accepts and trusts for this, and only this, machine. For every original certificate, Avast makes a copy and signs it with Avast's root certificate, located in the Windows Certificate store. This special certificate is called “Avast Web/Mail certificate root” to clearly distinguish who created it and for what purpose.

"An important note about this:

[Avast]
"Our customers’ privacy was our first concern when planning the implementation of HTTPS scanning. That’s why we created a way for whitelisting, or ignoring, the connection when Avast users access banking sites. Our current list has over 600 banks from all over the world and we are constantly adding new, verified banking sites. You can, and should, verify the bank’s security certificate when using online banking sites. Once verified, you can submit the banking or other web site to our whitelist by sending us an email: banks whitelist@avast.com.

"What happens if I attempt to connect to a website with a self-signed certificate? Avast will detect this, and use an untrusted certificate signed by Avast, allowing for normal "insecure" browser behaviour. The browser will still warn the user that the connection is insecure."- Stackexchange

"I don't see any mention of secure data being shipped off site, but be sure to read the software's privacy policy and end user licence agreement. The feature can be turned off, as explained on Avast's website."

For complete links, see the following comments:

https://www.schneier.com/blog/archives/2017/12/gchq_found_--_a.html#c6766509

65535

“[The] advantage the Public Key System is ease of use and possibly perfect forward secrecy. I will say private signed certificates [PK] within a perimeter is probably good to a point. But, private signed certificates don’t transfer the wider internet public.”

https://www.schneier.com/blog/archives/2017/12/security_vulner_10.html#c6765659

Clive Robinson

"If you listen carefully, all you will hear is the sound of tumble weed blowing through an arid desert of no indescribable features...We now know that there is no such thing as a trusted third party even with life or death leverage over them and their loved ones. We can also see that there is an increasing probability that existing PubKey systems will have their assumptions kicked out from under them within a fairly short time period (or at least that is what "many in the know" believe). We have seen quite a few "one way functions with trap doors" fail for various reasons, one of the original "Knapsack algorithms" being one that many remember[1]. However other Knapsack problems may be one of the few post quantum computer algorithms left to do two party secret sharing in an open channel... However the fundamental problem that PubKey systems provably exist, leaves us in a "Red Queen's Race" with the added temporal problem of "store it all". The only known two party secure system to exist is not actually the One Time Pad but the One Time Code/Phrase system."

[and]

Clive Robinson

"...have a number of thoughts on the problem but they all rub up against one or more of,
“1, Centralized Authority.
“2, One line only use.
“3, Third party involvement.
“Issues when designed to be used in an Open --to observation-- environment. Our host @Bruce once observed that we had secure crypto algorithms enough for our needs for the near future. What we did not have and badly needed was Key Management systems”.

https://www.schneier.com/blog/archives/2017/12/security_vulner_10.html#c6765724

https://www.schneier.com/blog/archives/2017/12/gchq_found_--_a.html#c6766529

65535

"It still looks like Wael is correct and the ability of AV to write; manipulate files including certificates and send them to the mother ship is above the danger level… if an NSA contractor who works as a top vendor for the NSA and is trying to re-vamp state sponsored malware gets his data sent to Kaspersky then the level of “technical savvy” is red-lining the savvy meter."

https://www.schneier.com/blog/archives/2017/12/gchq_found_--_a.html#c6766549

Clive Robinson

"...Standard admin tasks for *nix but not so much for MS-NT servers and rarely if ever for end user machines. This difference in ethos goes from the lowest levels through to the highest, thus *nix has significant advantages with admins whereas MS is almost "pro-cracker" in its vanilla deployment. Much MS OS AV software for home users is written on the assumption of vanilla OS and app installs, anything mildly different and things die silently thus offer no protection or "blue screen" during downloads or backups. Whilst AV software takes a load off of inexperienced users, it can and has caused many down the line problems, when MS make even minor changes. Worse with MS OS AV Admins generally only get flexibility with "Pro" versions, that generally have instructions written in "elbonian"[1] or similar thus require "tech support" lines to translate. Thus if your MS OS system is vanilla, you get some protection but at the expense of making a cracker's life easier... That's before you get into issues of the AV working effectively at the highest priority and significantly increasing the attack surface. The ideal solution is that AV runs at the lowest priority possible to the main OS, but for obvious reasons this has issues. One way around this is to run what is being checked and the AV software in a jailed environment, the modern example being various container/silo techniques. This still has issues. Even at the simplest levels this is way beyond what an average user is capable of implementing... Which brings us back to the savvyness of the box owner/operator. Can AV software improve its usability to reduce this issue? Well yes but for various reasons it's not currently in their interest to do so..."

https://www.schneier.com/blog/archives/2017/12/gchq_found_--_a.html#c6766602

Back to the main question. How is AV successfully stripping SSL and sending files back home? Is this AV SSL stripping dangerous or subvertable by bad actors? Are AV vendors who use SSL stripping dangerous, and worth the added expense?

Clive RobinsonDecember 27, 2017 6:02 AM

@ 65535,

How is AV successfully stripping SSL and sending files back home?

There are two ways to get access to enciphered plaintext,

1, Get access to the PlainText.
2, Get access to the KeyMat.

The first is done by getting between the application decryption and the HCI / UI. This generally requires an end run attack via the users computer at the device driver or memory level, which if the OS is any good would require high privilege levels. One way is to in effect install an executable or patch to the application on the HD such that the OS accepts it and executes it and it then "pipes" the plaintext to another executable.

The second can be done similarly by getting the KeyMat from the application memory space. But a second way is to take advantage of incompetently specified Standards / Protocols / Applications. In essence you get faux KeyMat accepted by the user's application and run a MITM attack.

As Wael has pointed out some combined CAs and AV suppliers have been caught doing this, and they then run the "Rogue Employee" defence in public. Which most here would say "cough cough BS cough cough". The chances are that such employees are doing what their "Pay Masters Instruct", which just leaves the question of who the pay masters are they hold most allegiance to...

But the real people who should be taken out and put on top of the pyre are those that design and implement the insecure Standards / Protocols / Applications. As I've noted in the past the W3C is a major offender when it comes to selling users' privacy down the river, but they are just one of many...

JG4December 27, 2017 7:16 AM


@wael - Thanks for the links.

@Clive - there is at least one more mechanism for conversion of laser energy to acoustical/mechanical energy. I mentioned it in a September post here in the context of a single pulse:

https://www.schneier.com/blog/archives/2017/09/friday_squid_bl_592.html#c6760509

If the energy deposition rate is high enough, the plasma at the surface also will constitute a heat engine. The laser can be modulated with complex patterns to excite particular resonances. The plasma heat engine can be much more powerful than the thermal expansion of the material itself, likely over different frequency ranges. There are plasma speaker systems where the periodic heating of an ionized gas leads to audio output. I haven't seen anything about them for many years, but recall reading of them in the 1970's and/or 1980's for high-end audio. BTW, conventional glasses won't transmit CO2 laser radiation, but do quite well with Nd:YAG.

Best Android Deal Out There Right Now
http://market-ticker.org/akcs-www?post=232704
...
Buy a slightly used LG V20.
...
What you get for that is a Snapdragon 820, 4Gb of RAM, Nougat (and should get Oreo) Android (7.0 right now), and, in most cases, 64Gb of storage plus a removable battery. It also has an SD card slot and a headphone jack (both of which are missing on many newer devices.)
...

https://www.nakedcapitalism.com/2017/12/links-122717.html
...
Big Brother IS Watching You Watch

Homeland Security Increasingly Means Putting Agents Outside the Homeland NYT (JH)

New York State To Motorists: All Your Info Are Belong To Us Medium (UserFriendly)

...

New Cold War

...[this is fascinating]

Go Ask Alice: the Curious Case of “Alice Donovan” Counterpunch. Initially posted last week, taken down, reposted (and revised and updated– or so I think).

...

Health Care

How Big Tech Is Going After Your Health Care NYT (David L)

...


65535December 27, 2017 7:46 AM

@ Clive R.

I agree.

But, you are a little short on details of how wide-spread SSL stripping is in AV products which we use. How exactly is it done?

Do you have any actual documentation on how AV programs, or even one link on how a single AV program, exactly strips SSL to read the plain text messages?

Do you have any links or exact explanations?

It is doubtful that an NSA employee realized the exact details of the use of Kaspersky's AV products, by which Kaspersky's products stripped the SSL and exfiltrated the NSA weapons.

Sure, we have a vague notion that Kaspersky "found" malware and copied the malware and/or documents to their servers. Exactly how it was done is in doubt.

Let's not stick our heads in the sand; if Kaspersky did it so can the NSA and GCHQ.

We all are at risk. This SSL stripping trick could be used by common hackers in various forms.

I think we deserve to know exactly how SSL stripping is done on our every day digital machines [despite Bruce S having an SSL site]. Most of us use AV and it most likely strips SSL, to our disdain.

[Wikipedia on the SSL stripping deal – non technical]

“July 2017, the United States' General Services Administration (GSA) removed Kaspersky Lab from its list of vendors authorized to do business with the U.S. government and further reports by Bloomberg and McClatchy DC alleging that Kaspersky Lab had worked on secret projects with Russia's Federal Security Service (FSB). Anti-Russian sentiment had also grown in the country in the wake of an investigation of Russian interference in the 2016 presidential election. Kaspersky denied these reports, stating that it did not have "inappropriate ties" with any government, and "never received a request from the Russian government or any affiliated organization to create or participate in any secret projects, including one for anti-DDoS protection." On 8 September 2017, U.S. electronics store chain Best Buy pulled Kaspersky products amid concerns over these ties. On 13 September 2017, the Department of Homeland Security issued an order banning Kaspersky products from use within the U.S. federal government, citing "[concerns] about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks."

On 6 October 2017, The Wall Street Journal—citing "multiple people with knowledge of the matter"—alleged that in 2015, hackers working for the Russian government used Kaspersky antivirus software to steal classified material from a home computer belonging to a National Security Agency (NSA) contractor. According to the report, the incident occurred in 2015 and remained undiscovered until early 2016. The stolen material reportedly included "details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S." The New York Times reported that the hacks had been discovered by Israeli intelligence agents who had themselves hacked into Kaspersky's network. On 11 October 2017, The Wall Street Journal additionally alleged that Russian intelligence uses Kaspersky software to scan computers worldwide for material of interest. The company once again denied the reports, arguing that they were "baseless paranoia" and a "witch hunt", and considered it suspicious that major U.S. media outlets simultaneously "went for us almost in full force and they fantasized simultaneously, as if receiving an order, but they've got confused in details." On 25 October 2017, Kaspersky confirmed that the incident described by The Wall Street Journal had occurred in 2014, and was the result of the software having detected a ZIP file containing samples and source code from "the Equation Group" (the Tailored Access Operations (TAO) unit of the NSA). The user had enabled the Kaspersky Security Network (KSN) features of the software, so the files were automatically uploaded as a malware sample to KSN for analysis, under the assumption that it was a new malware variant. Eugene Kaspersky stated that he ordered that the sample be destroyed. Kaspersky claimed that the antivirus software had been temporarily disabled by the PC's user in order to install a pirated copy of Microsoft Office. When the software was re-enabled, it detected both the Equation Group code, as well as unrelated backdoor infections created by a keygen program for Office, which may have facilitated third-party access to the computer…

On 13 November 2017, the British intelligence agency MI6 raised suspicions over Kaspersky Lab software after it was distributed for free to more than 2 million UK Barclays customers. On 2 December 2017, Barclays announced that they would no longer provide their new customers with the company's software. Also around 2 December 2017, Britain's National Cyber Security Centre advised, as a national security precaution, that UK government departments avoid Russia-based anti-virus software such as Kaspersky, but stated there was "no compelling case at present to extend that advice" to the wider public”- Wikipedia

If Kaspersky AV is banned from most federal products, what about the rest of us? How do we control SSL stripping? Details are important in this issue.

Let's get this SSL stripping out in the open for discussion. What about Avast, Symantec, and others? Is the SSL stripping worth the AV cost?

https://en.wikipedia.org/wiki/Kaspersky_Lab

or

https://en.wikipedia.org/wiki/Kaspersky_Lab#Allegations_of_ties_to_the_Russian_government

Bob PaddockDecember 27, 2017 7:54 AM

"Proof of randomness builds future of digital security

John Schoonejongen for the Office of Engineering Communications
Dec. 21, 2017 11:40 a.m.

In an effort to block emerging threats to online security, researchers at Princeton University have developed a method to verify the strength of random number generators that form the basis of most encryption systems."


Clive RobinsonDecember 27, 2017 9:30 AM

It appears that "Hacker One" Bug bounties are completely bogus whenever their client (Uber in this case) is finding excuses not to pay...

https://medium.com/bread-and-circuses/how-i-got-paid-0-from-the-uber-security-bug-bounty-aa9646aa103f

As has been suggested you will get more money for your effort selling it as an exploit to any number of people...

So thumbs down to "Hacker One" may they wither and die on the vine like any other rotten tomato...

As for Uber, may their execs be shortly wearing orange jump suits and matching wrist and ankle "Jail House Bling" as befitting their status in life ;-)

CabbageControlDecember 27, 2017 9:41 AM

I had some fun this Christmas installing the Intel ME security update.
Eventually a Dell tech support person guided me through the correct procedure:
1) install the BIOS update (in my case this went ok)
2) discover that the computer hangs when booting from anything, including the DVD
3) discover that the Flash update option in the F12 boot menu has the same problem
4) choose "diagnose" from the F12 menu, it reboots instead of starting to diagnose
5) choose "diagnose" again, and like magic everything works

Bob PaddockDecember 27, 2017 11:15 AM

Researchers chart the 'secret' movement of quantum particles summarized here:

Physicists Have Discovered a Way to Track Unobserved Quantum Particles and detailed here:

Evaluation of counterfactuality in counterfactual communication protocols D. R. M. Arvidsson-Shukur, A. N. O. Gottfries, and C. H. W. Barnes Phys. Rev. A 96, 062316 – Published 18 December 2017

Looks to me like classic Star Trek from the 60's. Can't track the cloaked ship so track its wake. In this case track the wake of the particle in a quantum state to determine its location.

Does this get us any closer to a real Heisenberg Compensator?


RatioDecember 27, 2017 12:31 PM

Revealed: The Secret KGB Manual for Recruiting Spies:

This is the first of a three-part series based on never-before-published training manuals for the KGB, the Soviet intelligence organization that Vladimir Putin served as an operative, and that shaped his view of the world. Its veterans still make up an important part of now-Russian President Vladimir Putin’s power base. All were trained in the same dark arts, and these primers in tradecraft are essential to an understanding of the way they think and the way they operate.

U.S. intelligence operatives understand this only too well. Former Director of National Intelligence James Clapper told CNN earlier this month Putin is “a great case officer,” suggesting he “knows how to handle an asset, and that’s what he’s doing with the president”—that is, the president of the United States.

“I am saying this figuratively,” Clapper went on, when asked to clarify his remark. “I think you have to remember Putin’s background. He’s a KGB officer. That’s what they do. They recruit assets. And I think some of that experience and instinct of Putin has come into play here, and he’s managing a pretty important ‘account,’ if I could use that term, with our president.”

The first installment of this series, directly relevant to the question of how Putin’s minions played members of the Trump campaign, looks specifically at the use of third parties to target individuals and organizations.

(Includes the KGB training manual.)

GrauhutDecember 27, 2017 2:03 PM

@65535 "But, you are a little short on detaits of how wide-spread SSL stripping is in AV products which we use. How exactly is it done?"

The AV Vendors install Browser Plugins and inject their mitm certs into the browser's cert DB.


"It is doubt full that an NSA employee relized the exact details on the use of Kasperksy’s AV products which Kaspersky’s products stripped the SSL and exfiltrated the NSA weapons.

Sure, we have a vague notion that the Kaspesky “found” malware and copied the malware and/documents to their servers. Exactly, how it was done is in doubt."


Kaspersky didn't need to strip ssl while scanning a file on disk, ssl is transport, not storage security. They added ssl while uploading suspicious files to their servers for review. ;)

MS AV API docs (some details): https://www.google.de/search?q=microsoft+antivirus+api

GrauhutDecember 27, 2017 2:16 PM

@Ratio: "Putin’s background. He’s a KGB officer."

Clapper is a real comedian! :)

It is a little difficult to be an officer of a dissolved secret service.
Of cause, Putin was a low rank spy some decades ago.


Bonus question: Wich prez had the higher rank in their agency times, George H. W. Bush or putin? ;)

RatioDecember 27, 2017 3:23 PM

@Grauhut,

It is a little difficult to be an officer of a dissolved secret service. Of cause, Putin was a low rank spy some decades ago.

Oh, yes, of cause.

So who said that “there is no such thing as a former KGB man” in 2004, more than a decade after the dissolution of the KGB? Isn’t that a little difficult? Was he being silly? What’s going on here?

Wich prez had the higher rank in their agency times, George H. W. Bush or [P]utin? ;)

Vladimir V. Putin had the higher rank in the KGB. (He was a Lieutenant Colonel.)

Later, Boris Yeltsin appointed Putin Director of the KGB’s successor agency, the FSB.

George H. W. Bush was Director of the CIA for the tail end of the Ford administration.

ThothDecember 27, 2017 5:50 PM

@Clive Robinson

Re:HackerOne (S)campaign

It is like any professional business: HackerOne is also a business with clients including Uber. The clients are also trying to save every buck from what they see as unnecessary. I personally get a bad vibe from HackerOne and feel that it is like any business trying to make a buck off somewhere.

The best is that people who have found vulnerabilities either report them directly out of good will to affected organisations, groups, communities or individuals and expect that they WOULD NOT BE PAID and monetary rewards are just a sign of good will, or the other usual way is to make money out of the vulnerability by weaponizing them and selling weaponized exploits or using the exploits to the fullest capacities. Of course I am not advocating nor encouraging nor approving the second path which is weaponized exploits and such and prefer people to simply send a bug report and see the monetary gift as .... a gift of good will.

Finding exploits casually and relying on bug bounties money should never be used as a main business for those who are unwilling to do a professional business service. A proper business front for professional testing should be done with a stable income and bug bounties should be seen as bonus.

RatioDecember 29, 2017 8:12 AM

The KGB Playbook for Turning Russians Worldwide Into Agents:

This is the third and last article in a series based on never-before-published training manuals for the KGB, the Soviet intelligence organization that Vladimir Putin served as an operative, and that shaped his view of the world. (Part 1 can be found here; and Part 2 here.)

Reacting to the first installment in the series, John McLaughlin, a former deputy director of Central Intelligence, drew a direct line between what’s contained in these manuals and the cases being examined by special counsel Robert Mueller: “This is classic spycraft from Sun Tzu (6th century BC) till today. A shadowy mosaic of cut-outs, access agents, plausible denial, gossamer webs. Whether or not Mueller proves collusion, Russia clearly took its best shot.”

This article looks at the way KGB operatives were taught to use Soviet citizens abroad, whether they were willing or not, for the organization’s own purposes.

echoDecember 29, 2017 12:02 PM

I'm fairly sure this would be against UK case law and the EU Goods and Services directive. The basic reason is there is no clear understanding of what is being agreed to (or that the effort to understand is disproportionate or made deliberately harder by confusion or secrecy). The Data Protection Act may also apply as it follows that this is a misuse of a device.

App descriptions and EULAs may fall foul of this law and/or cannot remove a user's rights.

With regard to the companies' strong-arm tactics and children's rights within the context of psycho-social development, is it possible within UK law this may also count as a psychiatric assault?

That Game on Your Phone May Be Tracking What You're Watching on TV
https://yro.slashdot.org/story/17/12/29/1626234/that-game-on-your-phone-may-be-tracking-what-youre-watching-on-tv
https://www.nytimes.com/2017/12/28/business/media/alphonso-app-tracking.html

While these apps, mostly available on Google Play, with some available on the Apple Store, do offer an opt out, it's not clear when consumers see "permission for microphone access for ads," it may not be clear to a user that, "Oh, this means it's going to be listening to what I do all the time to see if I'm watching 'Monday Night Football.'"
One advertising executive summarizes thusly: "It's not what's legal. It is what's not creepy."

surveilled in the usaDecember 29, 2017 3:25 PM

@hmm, Ergo Sum, VinnyG, abolishnsa, justina colema

Thanks for the input.

... "Just use burners and live off prepaid cards. Brevity is wit.

It sounds like you're trying to avoid getting popped but you want to be half-assed about it.
Good luck with that."

Maybe I should read about Threat Modeling or Risk Assessment stuff. For example,
https://ssd.eff.org/en/module/assessing-your-risks
https://arstechnica.com/information-technology/2017/07/how-i-learned-to-stop-worrying-mostly-and-love-my-threat-model/
https://mobile.twitter.com/thegrugq/status/864023197145944064 graphic
https://www.slideshare.net/grugq/mobile-opsec/21-THREAT_MODEL

A couple of links regarding shopping with credit cards.
https://www.consumer.ftc.gov/articles/0020-shopping-online
https://forum.dontpayfull.com/threads/keeping-a-separate-credit-card-for-online-use.14276/

"Almost all license plates here in Alaska are totally obscured by snow in the wintertime."
Are 'they' still putting RFIDs in tires?


RatioDecember 29, 2017 8:00 PM

@Grauhut,

Yesterday Vladimir V. Kara-Murza had a piece in the Washington Post called Putin's dark cult of the secret police. You may want to give it a quick read for more context on this whole “[Putin]’s a KGB officer” thing.

Here’s the first paragraph:

On Dec. 20, the Russian government proudly celebrated the 100th anniversary of the founding of the Cheka, the Soviet secret police. In his official message of congratulations to “officers and veterans” of the security services, President Vladimir Putin urged them to “honor the traditions and the legacy of their predecessors.”

The briefest of overviews of what those traditions and that legacy are —and how the current Director of the FSB, Alexander Bortnikov, has recently been honoring some of his predecessors— follows.

These are the last two paragraphs:

Many of the people assembled on Lubyanka [Square in Moscow] that night [i.e., August 22, 1991, after the failed coup attempt] wanted to seize the [KGB headquarters] building itself, too. But the leaders of Russia’s democratic government talked them out of it, promising to reform the system from inside. Whatever their intentions, they failed. As President Boris Yeltsin later acknowledged, “the KGB … turned out to be unreformable.” On Dec. 20, 1999, Yeltsin’s prime minister, a relative political unknown by the name of Vladimir Putin — a former officer in the KGB — came to the Lubyanka to unveil a restored memorial plaque to [former KGB Chairman Yuri] Andropov that had been dismantled in August 1991. It was a telling sign of things to come.

The failure to condemn and eliminate the vestiges of the KGB in 1990s Russia is a textbook example of why it is important for post-totalitarian (or post-authoritarian) governments to fully face up to — and deal with — the past. […] A democratic post-Putin government in Russia must make every effort to fully come to terms with past crimes committed on behalf of the state — and to make an official celebration of the founding of the Cheka in Russia as unthinkable as a celebration of the founding of the Gestapo or Stasi would be in today’s Germany.

(Emphasis mine.)

65536December 30, 2017 2:17 PM

@ Grauhut

"The AV Vendors install Browser Plugins and inject their mitm certs into the browsers cert db."

That doesn't really spell out how it is done.

The MS AV API docs were not exact on SSL Stripping.

True, Kaspersky did not need SSL/TLS to find the malware, but I am sure they exfiltrated it with encryption of some type.

From my post above there is a lot more going on. Take Avast SSL Stripping:
"Avast makes a copy and signs it with Avast's root certificate, located in the Windows Certificate store. This special certificate is called “Avast Web/Mail certificate root” to clearly distinguish who created it and for what purpose."- Avast

This seems to indicate not only injecting a root cert in the browser but manipulating the OS certificate database. As for how the certs are "over-written" without scamming certs, including banks or other financial institutions, their excuse is a white list. I would guess this white list can be deleted in a blink of an eye and the data peeked at and then re-over-written [and/or sent to the mother ship].

How dangerous this can be, including exfiltration, is certainly of interest to some of us with vital information. You could buy an AV package only to find it is a spyware package. I would like to hear more from the guys who write this stuff. SSL Stripping on any communication doesn't sound good.

GrauhutDecember 30, 2017 7:26 PM

"SSL Stripping on any communication doesn't sound good."

Ehhhmmm, ssl is --transport-- security and your browser "strips ssl" in the moment you read a page here... ;)

Once upon a time AV modules linked into the APIs of your browser, reading this decrypted clear text. Nowadays they try to snipe malware and their mostly JS-based droppers before they reach your browser or mail application, in order to get them out of the line of fire by putting proxies with sandboxes in front of them. These proxies are then the new, we all hope harder, attack surface, but the price for this is a benevolent MITM attack: these proxies need you to trust them.

Don't use AV software from vendors you don't trust. That's all that can be said.
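One way to check for the benevolent MITM described above, as an added example that is not the commenter's code: it inspects a leaf certificate in the dict shape Python's `ssl` `getpeercert()` returns and flags it if the issuer is the Avast root name quoted earlier in the thread, if the leaf is self-signed, or if the issuer differs from a baseline you recorded for that host on a network you trust. The host name, the baseline CA name and the sample certificate are constructed.

```python
"""Spot a local TLS-inspecting proxy from the leaf certificate it re-signs.

Added example, not code from this thread. Works on the dict shape returned by
ssl.SSLSocket.getpeercert(), so it is testable offline on constructed certs
and usable live through fetch_peer_cert().
"""
import socket
import ssl

# Issuer common names known to belong to local interception roots. The Avast
# name is quoted in the thread; extend it with whatever your own fleet installs.
INTERCEPTION_ISSUER_CNS = {"Avast Web/Mail certificate root"}


def _rdn_get(rdn_seq, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s tuple-of-tuples."""
    for rdn in rdn_seq:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def interception_indicators(cert, expected_issuer_cns=()):
    """Return the reasons this cert looks re-signed by a local proxy (empty = clean).

    expected_issuer_cns: issuer CN(s) previously observed for this host from a
    network you trust; a baseline you maintain yourself, not a global list.
    """
    issuer_cn = _rdn_get(cert.get("issuer", ()), "commonName")
    subject_cn = _rdn_get(cert.get("subject", ()), "commonName")
    reasons = []
    if issuer_cn in INTERCEPTION_ISSUER_CNS:
        reasons.append(f"issuer is a known interception root: {issuer_cn}")
    if issuer_cn and subject_cn and issuer_cn == subject_cn:
        reasons.append("leaf certificate is self-signed")
    if expected_issuer_cns and issuer_cn not in expected_issuer_cns:
        reasons.append(f"issuer {issuer_cn!r} differs from baseline {sorted(expected_issuer_cns)}")
    return reasons


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live helper: fetch the leaf cert the OS trust store accepts for host."""
    ctx = ssl.create_default_context()  # uses the OS store, so an injected root validates
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a bank's leaf cert as it appears after an AV proxy re-signs it.
RESIGNED_SAMPLE = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "Avast"),), (("commonName", "Avast Web/Mail certificate root"),)),
}
```

A clean result only means the proxy is not announcing itself by name and matches your baseline; a proxy whose root mimics a public CA name would need chain fingerprint comparison, which this check does not do.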

GrauhutDecember 30, 2017 7:51 PM

@ratio "A democratic post-Putin government in Russia must make every effort to fully come to terms with past crimes committed on behalf of the state"

What about a modified version?

"A democratic post-imperial government in the U.S. must make every effort to fully come to terms with past crimes committed on behalf of the state"

How many innocent Iraqi civilians were killed as collateral damage for that funny WMD powerpoint FAKEINT joke?

How many innocent civilians were killed by some of the stars on the wall in the pic below?

https://obamawhitehouse.archives.gov/sites/default/files/image/image_file/cia_visit_ps-0554.jpg
Three letter agencies are difficult, all over the world. We hate them, we need them.

What sense does it make to try to demonize Putin? What did this former Chekist do that his US colleagues wouldn't have done for their country?

What is all this hate crap good for?

RatioDecember 31, 2017 1:45 AM

@Grauhut,

What about a modified version?

Good job, now your whataboutism actually starts with those two words. :-)

What sense does it make to try to demonize Putin?

Who’s trying to demonize Putin?

I was simply showing you why Clapper says “[Putin]’s a KGB officer”, and how Putin views the relationship between the current and previous incarnations of his country’s TLAs for the broader context. (Putin himself probably agrees with Clapper. After all, it was he who said “there is no such thing as a former KGB man” in 2004.)

You’d think that someone who thought Putin was a “low rank spy” and did not get what Clapper was on about would appreciate this sort of information. I guess not. ¯\_(ツ)_/¯

VinnyGJanuary 3, 2018 3:16 PM

@abolishnsa re US Mobile:
I reviewed their info, seems pretty good. Pricing and billing structure is comparable to Ting (which operates over T-Mobile & Sprint networks), which I currently use. Ting makes no comparable explicit privacy declarations, so US Mobile gets a point there. I would consider switching, if they had coverage where I own some SHTF land (where Ting does not). The US Mobile search engine by ZIP indicated coverage in that area on both their networks. I was skeptical, since afaik only US Cellular has any signal nearby. I emailed their support folks with the specific address (well, a geographically proximate address, anyway - I'm somewhat paranoid :) ). Sure enough, no coverage. So if you are interested in their services, and you aren't certain of coverage, email them and ask first. The good news is that their support folks (help@usmobile.com) are right on top of things and very helpful. For now. Had to add that because I've had good experiences with mobile services support before, only to have some corporate genius reduce it to common denominator garbage to save a buck (e.g., Cingular).
-VinnyG

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.