Friday Squid Blogging: How the Optic Lobe Controls Squid Camouflage

Experiments on the oval squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on January 5, 2018 at 4:42 PM • 97 Comments

Comments

Big-Data Trojan Horse • January 5, 2018 5:32 PM

Smart-Device Success Story
'China’s ruling communist party is concerned that swathes of politically apathetic millennials, branded its ‘Zen-generation’, are sauntering through life in a passive and unpatriotic way - raising doubts about their loyalty to the Chinese Communist Party.

They are generally born after 1990 and are defined by having a blasé attitude to jobs, politics, and pretty much anything else (including privacy & security) in life.'
Left to their own devices, they are also lousy parents, prioritizing smartphone addiction over their own children.

Similar story in America. Congratulations go to our Silicon Valley engineers (who also slowed down older phones). Brilliant!
http://www.telegraph.co.uk/news/2018/01/03/chinese-millennials-choosing-smartphones-communist-values/

Peter S. Shenkin • January 6, 2018 12:17 AM

From the Wikipedia article on Cephalopods:

Captive cephalopods have also been known to climb out of their aquaria, maneuver a distance of the lab floor, enter another aquarium to feed on the crabs, and return to their own aquarium.

JonKnowsNothing • January 6, 2018 7:49 AM

From Emptywheel

The Government’s MalwareTech Case Goes (Further) To Shit

ht tps://www.emptywheel.net/2018/01/05/the-governments-malwaretech-case-goes-further-to-shit/
(url fractured to prevent autorun)

A detailed (as always) explanation/examination of legal issues, in this case the US Government case against Marcus Hutchins aka MalwareTech.

Basically, given the public information (because the US is hiding a lot of information) it appears that a fair few number of irregularities and perhaps some government illegalities are being exposed in regard to their case against him.

It's an interesting explanation of how twisted the thinking becomes when you are paid for a Conviction Head Count and you need to add to your score for promotions.


refresher: this is the guy that put a stopper in WannaCry and got arrested in the USA, after a week-long conference in Las Vegas. The arrest came as he was boarding a plane to return home to the UK.

ht tps://en.wikipedia.org/wiki/MalwareTech
ht tps://en.wikipedia.org/wiki/WannaCry_ransomware_attack
(url fractured to prevent autorun)

mystery • January 6, 2018 7:58 AM

Anyone take a look at the "NSA hacking tools" that have been leaked to-date to see if any took advantage of these two vulnerabilities?

echo • January 6, 2018 8:55 AM

The UN Security Council declared its scope was international security and voted to endorse the Iran nuclear deal, setting aside political unrest as somebody else's problem. The commentary reported in the article is contentious and quite heated, but the underlying message for international security and goodwill is very positive.

https://www.theguardian.com/world/2018/jan/05/russia-us-iran-un-emergency-session

Three class actions against Intel have been announced. I have not yet read of legal or regulatory action within the EU to address consumer concerns.

https://yro.slashdot.org/story/18/01/06/0131251/intel-hit-with-three-class-action-lawsuits-over-meltdown-and-spectre-bugs

Name • January 6, 2018 9:06 AM

James Risen reflects on his time as a reporter on national security for the New York Times. He describes the immense push-back from the US government he experienced when he tried to break stories on sensitive topics such as the CIA operation that inadvertently turned nuclear blueprints over to Iran as well as the massive NSA domestic surveillance operation now known as "Stellar Wind" (both stories eventually appeared in his book titled "State of War"). He also talks about the increasing threat to press freedom in the US.

https://theintercept.com/2018/01/03/my-life-as-a-new-york-times-reporter-in-the-shadow-of-the-war-on-terror/

JG4 • January 6, 2018 10:07 AM

just for the record, enforcing "specific performance" by those granted various licenses, including politicians, lobbyists, lawyers and bankers, isn't a deficit of brotherly love. in fact, quite the opposite. I have been trying to steer a wide berth around politics, including Benghazi, so I'll leave it at that. some of the discontent last year may have been exacerbated by my comments inciting the less restrained "contributors."

we may have touched on connecting graphical data presentation to decision making, but that is exactly the intended use. partitioning graphs into go/no go regions is AI, and OODA is cut from the same cloth. neurogenesis is a key step in language acquisition and many other activities, which have analogues in AI, essentially setting the filter weights in the OOD vectors. this is a stunning article, probably from the usual source.

The Resulting Fallacy Is Ruining Your Decisions
http://nautil.us/issue/55/trust/the-resulting-fallacy-is-ruining-your-decisions

Most poker players didn’t go to graduate school for cognitive linguistics. Then again, most poker players aren’t Annie Duke.
After pursuing a psychology Ph.D. on childhood language acquisition, Duke turned her skills to the poker table, where she has taken home over $4 million in lifetime earnings. For a time she was the leading female money winner in World Series of Poker history, and remains in the top five. She’s written two books on poker strategy, and next year will release a book called Thinking in Bets: Making Smarter Decisions When You Don’t Have All the Facts.
...

I include this only because it is absolutely fascinating. the green shoots after a fire also turn into tasty meat. I think that the short term goal is to drive prey into the open. there may be an analogy in setting the midEast afire as certain politicians and others have done.

https://www.nakedcapitalism.com/2018/01/200pm-water-cooler-152018.html
...
Gaia

“Intentional Fire-Spreading by “Firehawk” Raptors in Northern Australia” [Bio One]. “Observers report both solo and cooperative attempts, often successful, to spread wildfires intentionally via single-occasion or repeated transport of burning sticks in talons or beaks. This behavior, often represented in sacred ceremonies, is widely known to local people in the Northern Territory, where we carried out ethno-ornithological research from 2011 to 2017; it was also reported to us from Western Australia and Queensland.”
http://www.bioone.org/doi/abs/10.2993/0278-0771-37.4.700

Clive Robinson • January 6, 2018 10:57 AM

A bug named Neopalpa donaldtrumpi

It's funny what you can learn from a quiz in the back of New Scientist, but I had to do a bit of quick research to ensure it was not one of last year's "faux news" items... And according to a certain bastion[1] of the British Print Press (or what is left of them) the story appears genuine.

Named by evolutionary biologist Dr Vazrick Nazari, and described in a recent edition of the journal Zookeys. This endangered species is a type of twirler moth and was discovered hidden in the collections of the University of California's Bohart Museum of Entomology by Dr Nazari (thus the naming privilege).

Apparently unsurprisingly this diminutive bug has become a critically endangered species in California in recent times. Due to the very large human population that has no regard or apparent liking of the bug, thus it is now rarely seen there even when taking flight. Worse, with increasing urbanisation the bug's slim toehold in California has diminished to the point it is more frequently seen in Mexico....

http://www.telegraph.co.uk/science/2017/01/17/meet-neopalpa-donaldtrumpi-threatened-moth-named-donald-trump/

Please note the photographs for identification purposes. You can also see the relative diminutive size of certain appendages as well.

[1] I'm not sure what the faux castle that the "looney two tunes Barclay Twins", owners of the Telegraph, call their Channel Isle pile, but the fact they allow no one close suggests "Bastion" is close enough...

Clive Robinson • January 6, 2018 11:05 AM

@ JG4,

Intentional Fire-Spreading by “Firehawk” Raptors in Northern Australia

I think there is a related species that does the same thing but on a world wide scale. Apparently they originate from Northern America and are called "Warhawks"...

Clipper • January 6, 2018 2:00 PM

What a coincidence that during the Intel Meltdown the Chinese announced the Zhaoxin KX-5000.

I wonder about backdoors, but even so some competition is always welcome. And the performance doesn't sound bad for most tasks.

Who? • January 6, 2018 3:35 PM

@ echo

It is sad, people were much better at choosing passwords four decades ago than we are right now!

At A Mall • January 6, 2018 7:44 PM

@Name

"the CIA operation that inadvertently turned nuclear blueprints over to Iran as well as"

Interestingly enough, the CIA, perhaps, planned to turn over nuclear blueprints, with flaws, to Iran. From your link and with 'I' being James Risen. At 15,000 words a few, among many, interesting sections are posted here.

"That spring, just as the U.S.-led invasion of Iraq began, I called the CIA for comment on a story about a harebrained CIA operation to turn over nuclear blueprints to Iran. The idea was that the CIA would give the Iranians flawed blueprints, and Tehran would use them to build a bomb that would turn out to be a dud.

The problem was with the execution of the secret plan. The CIA had taken Russian nuclear blueprints it had obtained from a defector and then had American scientists riddle them with flaws. The CIA then asked another Russian to approach the Iranians. He was supposed to pretend to be trying to sell the documents to the highest bidder.

But the design flaws in the blueprints were obvious. The Russian who was supposed to hand them over feared that the Iranians would quickly recognize the errors, and that he would be in trouble. To protect himself when he dropped off the documents at an Iranian mission in Vienna, he included a letter warning that the designs had problems. So the Iranians received the nuclear blueprints and were also warned to look for the embedded flaws.

Several CIA officials believed that the operation had either been mismanaged or at least failed to achieve its goals. By May 2003, I confirmed the story through a number of sources, wrote up a draft, and called the CIA public affairs office for comment.

Instead of responding to me, the White House immediately called Washington Bureau Chief Jill Abramson and demanded a meeting.

The next day, Abramson and I went to the West Wing of the White House to meet with National Security Adviser Condoleezza Rice. In her office, just down the hall from the Oval Office, we sat across from Rice and George Tenet, the CIA director, along with two of their aides.

Rice stared straight at me. I had received information so sensitive that I had an obligation to forget about the story, destroy my notes, and never make another phone call to discuss the matter with anyone, she said. She told Abramson and me that the New York Times should never publish the story.

I tried to turn the tables. I asked Tenet a few questions about the Iranian program and got him to confirm the story, and also provide some details I hadn’t heard before. The only point he disputed was that the operation had been mismanaged.

Rice argued that the operation was an alternative to a full-scale invasion of Iran, like the war that President George W. Bush had just launched in Iraq. “You criticize us for going to war for weapons of mass destruction,” I recall her saying. “Well, this is what we can do instead.” (Years later, when Rice testified in the Sterling trial, a copy of the “talking points” she had prepared for our meeting was entered into evidence, though I don’t remember her actually saying many of these things.)

Abramson told Rice and Tenet that the decision on whether to run the story was up to Times Executive Editor Howell Raines. After the meeting, Abramson and I stopped for lunch. We were both stunned by the full-court press we had just endured. But I also recognized that I had just gotten high-level confirmation for the story — better confirmation than I could ever have imagined.

Just after Abramson and I met with Tenet and Rice, the Jayson Blair scandal erupted, forcing Raines into an intense battle to save his job. Blair may have been the immediate cause of the crisis, but among the staff at the Times, Blair was merely the trigger that allowed resentment that had built up against Raines over his management style to come out into the open.

Abramson recalls that after our meeting with Rice, she took the Iran story to both Raines and then-Managing Editor Gerald Boyd. “They gave me a swift no” about publishing the story, Abramson told me recently. She said that she told Raines and Boyd that Rice was willing to discuss the story with them on a secure phone line that they could use from a facility on Manhattan’s East Side, but she says they never asked to take that step, and she didn’t push them to do so. Raines disputes this. “I was not informed of this meeting [with Rice and Tenet], nor do I recall being involved with your story in any way,” he said in an email. (Boyd died in 2006.)

Raines left the paper in early June 2003. Joe Lelyveld, the retired executive editor, briefly came back to run the Times on an interim basis. I talked to him by phone about the Iran story, but he didn’t really have time to deal with it.

When Bill Keller was named executive editor in the summer of 2003, he agreed to discuss the story with Abramson and me. Abramson, meanwhile, had been promoted to managing editor, Keller’s No. 2. After I went over the story with him, Keller decided not to publish it. I tried over the next year to get him to change his mind, but I couldn’t.

The spiking of the Iran story, coming so soon after the internal fights over WMD coverage, left me depressed. I began to think about whether to write a book that would include the Iran story and document the war on terror more broadly in a way I didn’t believe I had been able to do in the Times."

[...]

"... now the outcry grew far more intense. Right-wing groups organized hate mail campaigns against us and staged small but noisy protests outside the Washington bureau and the Times building in New York.

Conservative pundits and members of Congress went on television calling for Keller, Lichtblau, and me to be punished. Tom Cotton, then an Army officer in Iraq, wrote a letter to the Times saying that Lichtblau, Keller, and I should be jailed for harming national security. The Times didn’t publish the letter, but it was picked up in the right-wing online universe of the time, and Cotton shot to fame in conservative circles as a result. He was later elected to the Senate as a Republican from Arkansas and soon may be named director of the CIA."

( about Senator Cotton https://theintercept.com/2017/10/18/is-there-a-more-dangerous-member-of-congress-than-tom-cotton/ )

[...]

"Sterling was indicted in December 2010 and arrested in January 2011. The Justice Department subpoenaed me again, this time to testify at his trial.

Brinkema quashed that subpoena, too; once again, I thought I was off the hook. But just days before the trial was to begin, the Justice Department appealed. Obama administration prosecutors told the appeals court that Brinkema’s ruling should be overturned because there was no such thing as a reporter’s privilege in a criminal case. The appeals court accepted that argument, reversing Brinkema and ordering me to testify.

The government’s rationale transformed my case into a showdown over press freedom in the United States. I felt that I had no choice but to appeal to the Supreme Court. Some outside media lawyers made it clear that they didn’t want me to do that because it might lead to a bad ruling from a conservative majority.

That debate became moot in 2014, when the Supreme Court refused to take up the case. That allowed the appeals court ruling to stand, leaving the legal destruction of a reporter’s privilege in the 4th Circuit as Obama’s First Amendment legacy.

But the government’s landmark legal victory came at a cost to the administration and particularly to Obama’s attorney general, Eric Holder. For years, my lawyers and I had waged our legal campaign mostly alone with little fanfare, but as the case barreled toward a climax, the news coverage and publicity reached a fever pitch.

With the surge in media attention came added pressure on Holder, and he finally began to back down. He said that as long as he was attorney general, no reporter would go to jail for doing their job. He also modified the Justice Department guidelines that defined when the government would seek to compel the testimony of journalists in leak investigations. (Donald Trump’s Justice Department is now widely expected to weaken those guidelines, making it easier to go after reporters.)

But even though Holder was making conciliatory public statements, the federal prosecutors directly involved in my case kept fighting hard. At one point, Holder hinted that the Justice Department and I were about to strike a deal, when in fact the prosecutors and my lawyers hadn’t negotiated any deal at all. Behind the scenes, there seemed to be a war going on between Holder and the prosecutors, who were angry at what they perceived as Holder undercutting them. The prosecutors had repeatedly told the court that they needed my testimony to make their case against Sterling. Holder, after supporting their aggressive approach for years, had suddenly reversed direction under public pressure. I was caught in the middle."

[...]


"I believe my willingness to fight the government for seven years may make prosecutors less eager to force other reporters to testify about their sources. At the same time, the Obama administration used my case to destroy the legal underpinnings of the reporter’s privilege in the 4th Circuit, which means that if the government does decide to go after more reporters, those reporters will have fewer legal protections in Virginia and Maryland, home to the Pentagon, the CIA, and the NSA, and thus the jurisdiction where many national security leak investigations will be conducted. That will make it easier for Donald Trump and the presidents who come after him to conduct an even more draconian assault on press freedom in the United States.

The battles over national security reporting in the years after 9/11 have yielded mixed results. In my view, the mainstream media has missed some key lessons from the debacle over WMD reporting before the war in Iraq. Times reporter Judy Miller became an easy scapegoat, perhaps because she was a woman in the male-dominated field of national security reporting. Focusing on her made it easier for everyone to forget how widespread the flawed pre-war reporting really was at almost every major media outlet. “They wanted a convenient target, someone to blame,” Miller told me recently. The anti-female bias “was part of it.” She notes that one chapter in her 2015 memoir, “The Story: A Reporter’s Journey,” is titled “Scapegoat.”

Since then, I believe the Times, the Washington Post and other national news organizations have sometimes hyped threats from terrorism and weapons of mass destruction. The exaggerated reporting on terrorism, in particular, has had a major political impact in the United States and helped close off debate in Washington over whether to significantly roll back some of the most draconian counterterrorism programs, like NSA spying.

But overall, I do believe that the fight inside the Times over the NSA story helped usher in a new era of more aggressive national security reporting at the paper. Since then, the Times has been much more willing to stand up to the government and refuse to go along with White House demands to hold or kill stories.

The greatest shame of all is that Jeffrey Sterling was convicted and sentenced to 42 months in prison."

At A Mall • January 6, 2018 7:57 PM

Regarding Risen's long article, from Marcy Wheeler

"But a key part of the story lays out the NYT’s refusals to report Risen’s Merlin story and its reluctance — until Risen threatened to scoop him with his book — to publish the Stellar Wind one.

Glenn Greenwald is rightly touting the piece, suggesting that the NYT was corrupt for acceding to the government’s wishes to hold the Stellar Wind story. But in doing so he suggests The Intercept would never do the same.

That’s not correct.

One of two reasons I left The Intercept is because John Cook did not want to publish a story I had written — it was drafted in the content management system — about how the government uses Section 702 to track cyberattacks. Given that The Intercept thinks such stories are newsworthy, I’m breaking my silence now to explain why I left The Intercept."
https://www.emptywheel.net/2018/01/03/why-i-left-the-intercept-the-surveillance-story-they-let-go-untold-for-15-months/

Currently a Section 702 reauthorization bill is being considered in Congress
https://www.emptywheel.net/2018/01/06/the-base-bill-for-702-reauthorization-serial-admissions-oversight-committees-havent-been-doing-their-jobs/

Garbo • January 6, 2018 9:37 PM

@Z80

"Remote Code Execution in AMD Platform Security Processor"

Drill down and it requires physical access as a PREREQUISITE, so your headline is wrong.

echo • January 7, 2018 4:50 AM

@At A Mall

I have discovered corruption and double standards and agendas operating within the UK healthcare/local government/media-human rights lobby group arena. This lack of professional standards and failure to observe their own claims in favour of bureaucratic pass the buck and office politics and who had the loudest media friendly voice was a shock. Some months ago I flew off the handle with one big name lgbt media outlet and a big name lgbt lobby group over their agendas and blind eyes to abuse. Neither followed up or admitted any faults or failings. However, the following week a big two steps removed indirect mea culpa was issued by the lobby group and the media outlet published this. While this didn't help my case personally this has in its own way moved things on.

Within the bigger sphere of UK institutional abuse and cover-up another story surfaced this week. I had wondered if this would happen and this group of adults institutionally abused when children would have their say too. I am personally aware of and did witness this abuse myself years ago (and like all things this leaves a trace which may be one of many significant factors and indeed is a critical claim by their lawyers).

By training I am an analyst and don't get office politics at all and am very document focused too. JG4's link to the essay on poker psychology may be helpful. Sometimes we can be "right" but good luck and timing also play their role?

Good luck with your future work. I hope things work out for you and when all is said and done integrity and friendship win the day.

JG4 • January 7, 2018 7:42 AM

just for the record, I am a bitcoin agnostic. don't own any, but if I could buy them through an online brokerage to manage the capital gains with their tools, I'd light $500 on fire

Andrew Filipowski - Tally Capital - The North American Bitcoin Conference
https://www.youtube.com/watch?v=Gb4XTEEVfEs

https://www.nakedcapitalism.com/2018/01/200pm-water-cooler-152018.html
...
News of the Wired

“Dude, you broke the future!” [Charlie’s Diary]. This is a really interesting perspective from Charlie Stross, well worth a read. Two nuggets:

And looking in particular at the history of the past 200-400 years—the age of increasingly rapid change—one glaringly obvious deviation from the norm of the preceding three thousand centuries—is the development of Artificial Intelligence, which happened no earlier than 1553 and no later than 1844.

I’m talking about the very old, very slow AIs we call corporations, of course. What lessons from the history of the company can we draw that tell us about the likely behaviour of the type of artificial intelligence we are all interested in today?
...[the part that follows is even more interesting - repurposing of the software and hardware mission is deeply analogous to corruption in government/politics]

hopefully this information is useful enough to cover painting close to the line

https://www.nakedcapitalism.com/2018/01/links-1718.html
...
Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown Raspberry Pi (E. Mayer)
...
Mark Zuckerberg’s personal challenge this year is to fix Facebook Recode. In other words, to be the CEO of his company?

The Battle for Best Semi-Autonomous System: Tesla Autopilot Vs. GM SuperCruise, Head-to-Head The Drive.
...
Big Brother Is Watching You Watch

The Base Bill for 702 Reauthorization: Serial Admissions Oversight Committees Haven’t Been Doing Their Jobs emptywheel
...[for those who might appreciate edgy treatments of the gut biome]
Guillotine Watch

In “triumph of ignorance,” Gwyneth Paltrow’s Goop touts $135 coffee enema Ars Technica
...
The secret lives of students who mine cryptocurrency in their dorm rooms Quartz. Them that’s got shall get….
...[did I mention the idea of glass with LCD displays of fake moving eyes?]
AI-Fooling Glasses Could Be Good Enough to Trick Facial Recognition at Airports Motherboard (Re Silc). “Adversarial objects, for your face” (q.v. NC here).
...

echo • January 7, 2018 1:07 PM

The Nintendo Switch console is now vulnerable regardless of firmware to running custom code and custom firmware patches and the hackers claim their exploit is future proof. (I'm not sure if I'm allowed to expand on this news or provide a link.)

MassDataCollectionAndStorage • January 7, 2018 4:33 PM

Hey! nearly all of the encrypted internet traffic is aes :)

oh really • January 7, 2018 6:40 PM

Some kind of drop.tables command built into a specifically crafted image... make it so.

rrrrr • January 8, 2018 5:51 AM

@jg4,

License plates shouldn't bother you, those are an ezpk bro.

What would be ultra nice is confusing the eeeny meany miney maoi that the Chinese have stitched together in the absence of more phormal hidentification.

JG4 • January 8, 2018 1:28 PM

spotted on google finance this morning (minus the garden walls)

The quantum computing apocalypse is imminent
https://techcrunch.com/2018/01/05/the-quantum-computing-apocalypse-is-imminent/

turned up in my inbox this morning. can't vouch for it, but the introduction is interesting

https://mises.org/system/tdf/As%20We%20Go%20Marching_2.pdf

from the usual compendium

https://www.nakedcapitalism.com/2018/01/links-1818.html
...

“Black Mirror” Reveals Our Fear of Robots and Algorithms We Can’t Control The Intercept

These psychedelic stickers blow AI minds TechCrunch (original). “Our attack works in the real world, and can be disguised as an innocuous sticker.”

...

Quantum ‘spooky action at a distance’ becoming practical Phys.org

Don’t pirate or we’ll mess with your Nest, warns East Coast ISP Engadget (DK). Once again, any product marketed using the word “smart” you should run a mile from.

iPhones and Children Are a Toxic Pair, Say Two Big Apple Investors WSJ

Cassandra • January 8, 2018 3:54 PM

@Me

The automatic detection of software vulnerabilities is a difficult task, akin to the problems the Crab has in ensuring the Tortoise does not sneak a record into his record collection (See Gödel, Escher, Bach by Douglas Hofstadter). It is also akin to the well known Halting Problem of computer science. This is not to say the endeavour is without value, but anyone who tells you they have a foolproof method is likely to be surprised.

Cassandra

(Have some side-reading on Rosser’s Theorem via Turing machines)

AJWM • January 8, 2018 4:00 PM

A zero day exploit has been discovered in the Xerox Alto.

What, both of them? ;)

Kai • January 8, 2018 4:45 PM

I’m harvesting credit card numbers and passwords from your site. Here’s how.
The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all.

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

Basically $EVIL_HACKER issues a pull request against a large number of open source git repos with popular npm packages to fix bugs. In fixing bugs, $EVIL_HACKER adds logging, and makes it look all pretty using their npm package that lets you colourise the log messages. This package is then a dependency for the more popular package and $EVIL_HACKER owns the code in this package.

Through various shenanigans, the malicious code doesn't appear in the git repo, and for the installed packages it's reasonably well hidden, minified and otherwise obscured such that it's incredibly unlikely to be noticed.

The malicious package then takes a number of steps to avoid detection and sits there in the background silently submitting form data to their server - this can be logins, credit card details, personal information - anything submitted in a form on a page on which the malicious pretty log formatting code is run.

Clive Robinson • January 8, 2018 5:16 PM

What the Koreans are up to this week

You've probably not heard in many WASP First World nations with FiveEye connections, but North and South are going to sit down and have a chat on the 38th parallel.

It will be interesting to see how much frothing at the mouth comes from inside the beltway...

But two things to consider: the current leader of SK has put on ice the US missile system that was upsetting both Russia and China as well as NK. So that's loosened things up quite a bit. Secondly, the world now appears to believe, rightly or wrongly, that NK has a viable "dead hand" deterrent, that is nukes to sit on ICBM technology.

Now the US is waking up to the fact that NK has a way to back up its "Keep off of our garden" message. And the NK leader is looking and acting a lot more relaxed.

Thus with SK-US war games delayed and the Olympics in SK next month the time is ripe for nearly everyone to relax a little and get the North-South "friendship show" and Six Party talks back on the road again.

The problem is the "nearly everyone" does not appear to include the US and its Warhawks who are literally spitting feathers at the notion.

Anyway the rest of the world is taking a more unified attitude with regards to the US and its temper tantrums, so hopefully spitting feathers is all the US will amount to. There are others who, like the US, do not want a NK-SK relationship to develop, one of which is Japan. The Koreans just about wherever you go do not like Japan for various reasons and seek to do them down. Not by violence but by out-competing them and beating them in world markets etc. Many think incorrectly that this is just rivalry; it's not, and both sides are playing to win big. Even a loose reunification of the North and South will be a grave economic threat to Japan, not an existential one but certainly a loss of face one.

The big problem is that Japan is in effect dying of old age currently whilst the combined Koreas are not. China likewise has an ageing population issue due to the old "one child" policy. Thus this would provide a clear opening for a combined Korea, especially if they got Russia "on side".

Anyway for a slightly different US take have a read of,

https://www.salon.com/2018/01/07/new-hope-on-the-korean-peninsula-believe-it-or-not/

It too is taking a more upbeat approach.

Wesley Parish • January 9, 2018 12:34 AM

@Clive Robinson

It's good news the two Koreas finally getting back into discussions again.

A while back I thought - as you do - that one productive way to prick the balloon on the North Korea "ballistic missile crisis" was to replay the beginning of the "USA-USSR ballistic missile arms race" at the point when it branched into the "superpower Space Race" and offer North Korea the opportunity to earn foreign exchange by launching Earth Orbit satellites.

This would come with a whole set of conditions, of course, and among them would be one binding on the world's space agencies - to come up with a rigorous definition of Space-Worthy that is difficult to game for political purposes. Then you have the North Korean Space Agency accredited (or not) based on this international definition - with the concomitant free access of foreign staff, etc - and you get North Korea competing on the world market.

I haven't had a clue as to who I should be suggesting this to, so I haven't said anything - this is the first time I've mentioned it on a public forum.

But if it got the North Koreans out of their isolation, and gave them a stake in improving relations with the rest of the world, it would be well worth it.

The same applies to the Iranian ballistic missile developments. I mean, can you believe it? Everybody who's got more active neurons than a hibernating polar bear on the edge of death, knows that the Muslim world desperately needs to catch up with the rest. And yet this one Muslim country, which has made the effort, they consistently demonize. No wonder Iran's got such a high rating from the average Muslim.

The "West" needs to pull its foot out of its mouth, particularly when shooting itself in the foot. It's not pretty.

Battery at LyonnaisJanuary 9, 2018 6:23 AM

@Big-Data Trojan Horse

Kinda hard to be anything else than passive with all the lying, propaganda and surveillance in the PRC.

hmmJanuary 9, 2018 9:44 AM

"We have no way to avoid anonymous and secure publication that resists censorship."

I think you misstated that somehow.

Clive RobinsonJanuary 9, 2018 8:26 PM

Update AV before MS Security Patches

It appears Microsoft have decided to slip in some other stuff in Win Update Patches.

Specifically, unless your AV software has updated a registry key then MS won't update. But it reports it in a very misleading way... So you might think you've patched and are up to date when in fact nothing has happened.

https://doublepulsar.com/important-information-about-microsoft-meltdown-cpu-security-fixes-antivirus-vendors-and-you-a852ba0292ec

Not exactly very helpful behaviour by Microsoft...

JG4January 10, 2018 6:34 AM


In case I haven't said it before, it is many miracles that I still am alive. Some of those tales are combinations of entertaining, instructive and horrifying.

I too took the oath, and my disgust with using the troops for private plunder is on the record.

Hope to comment more fully in the weeks ahead.

https://www.nakedcapitalism.com/2018/01/links-11018.html
...
Big Brother is Watching You Watch

Facebook may be ready to invade your physical world with an outrageously priced video device Quartz (margarita). This is enough to make me consider using a voice masking device and donning a fake nose and mustache every time I leave the house.

When Intelligence Agencies Make Backroom Deals With the Media, Democracy Loses TruthOut (TF). Important, particularly if you aren’t familiar with or have forgotten the details about the Church Commission.
...

SystateJanuary 10, 2018 10:33 AM

@Clive
I read that article today and was not surprised. Microsoft tightening the screws on the user. 3 Options
1. Your AV does what we say
2. You use our AV and everything is dandy
3. Remain even more unsecured.

At the end of the day, winzode is trying to own your machine even further.

gordoJanuary 10, 2018 11:37 PM

Interesting read on three Supreme Court cases and IoT data protection.

The Kindness of Strangers – Supreme Court and Privacy for Third Parties
by Mark Rasch on January 3, 2018

A trio of U.S. Supreme Court cases – on topics like cell phone records[1], rental cars[2], and overseas storage of Hotmail accounts[3] may change how the Internet is configured and how IoT, cloud and outsourcing agreements are effectuated in the future. What all of these cases have in common is the disconnect between the individual about whom data is collected, and the entity that collects that data. This disconnect – which is ubiquitous in the Internet era – means that the data collected by IoT devices, transmitted over commercial networks, and stored by virtually every company or cloud service may not be entitled to the same legal protections that the same data would be entitled to if the data subject held that data on their own.


At first glance, the three cases have nothing to do with each other, and have nothing to do with the Internet. The first case, Carpenter v. United States, ...

https://securityboulevard.com/2018/01/kindness-strangers-supreme-court-privacy-third-parties/

[1]http://www.scotusblog.com/case-files/cases/carpenter-v-united-states-2/
[2]http://www.scotusblog.com/case-files/cases/byrd-v-united-states/
[3]http://www.scotusblog.com/case-files/cases/united-states-v-microsoft-corp/

RachelJanuary 11, 2018 12:51 AM

JG4
9 Jan Naked Capitalism Lambert posted a Meltdown and Spectre FAQ which is incredible - and long. It also quotes Mr Schneier (and misspells his name).
Any chance you could post it here? I physically can't.

ThothJanuary 11, 2018 6:10 AM

@Clive Robinson, all

Some serious snake oil I detected accidentally when reading about the NSA Morale thread.

The NSA Morale thread has a Washington Post article that mentions:

"“Some synonym of the word ‘epidemic’ is the best way to describe it,” said Ellison Anne Williams, a former senior researcher at the NSA who left in 2016 to start her own data-security firm, Enveil."

So I decided to follow this Enveil company (linked below), said to be founded by a bunch of NSA employees, that claims that it meets NIST standards on security and has more than 10+ patents on some special source top secret Homomorphic Encryption algorithm that can secure Data-in-Use a.k.a. Secure Compute even on "compromised platforms without ever to decrypt".

Serious serious snake oil from NSA's peeps.

Note: Link contains a short RSAConference 2017 product promotion and hyping talk that is 3 minutes long and how many patents and NSA employees and NIST standards it achieved and so on.

Links:
- https://www.enveil.com/about/

JG4January 11, 2018 6:11 AM


@Rachel

https://www.nakedcapitalism.com/2018/01/meltdown-spectre-faq-crapification-scale.html

It may be ironic that someone with the moniker John Galt IV would be referencing what arguably is a left-libertarian website. I used to be a reflexive right-libertarian. As noted, I took the oath. In recent years, I've become agnostic on a lot of topics that seem simple under superficial analysis. I started seeing things from a systems point of view, and that can be alarming, as Clive and others noted. I see the US as a fragile system, although some improvements are being made. I gained an appreciation for robust systems, things like C-130's, where you had four engines and four generators. On a good day with the cargo jettisoned, you could fly on one of them. The US has very poor management of conflict of interest at the Federal level and not much better at the state level.

I'm not sure if I mentioned why I left "the service." It was because I could see that they weren't taking care of the troops with healthy conditions, particularly food. And there were a variety of other unhealthy factors. Superficially, they were taking care of the troops, as people were afforded a reasonable middle-class lifestyle after a couple of years of penury. I was exposed to second-hand smoke, often for 12 hours a day, asbestos and neurotoxic solvents. Did I mention microwaves? With that said, it was a first-rate education in systems, from propulsion to electronics to sewage, and some human factors which I have mentioned before.

Not sure if I mentioned one of the miracles. I had my shoulder into an n-ton (n ~ 3) hangar door on rails the size of train tracks. There were at least four parallel tracks and likely six. My head was positioned in the middle of the tracks, moving away from the center, with the door rolling in front of me. Behind me were two dope fiends pushing the next door, their red eyes glowing as they overtook me, all three of us unaware. I was very fortunate that the supervisor was doing his job well and said, "Look out," not very loudly. As I stepped back to see what it was about, the overtaking door scissored past mine with maybe 1/2" of clearance. My head would have been crushed like a ripe melon with chunky spaghetti sauce all over.

It's a short step from managing those types of conflict of interest to good government, the kind that is difficult to find on the old blue marble.

What it's like to live in a well-governed country
http://www.bbc.com/travel/story/20180107-what-its-like-to-live-in-a-well-governed-country
From Canada to Botswana, these six nations consistently rank highest for their progressive social policies, trust in government and effective justice system.
...

Just for the record, I don't envy the police for their job, which involves dealing with dirty, diseased, troubled and often dangerous people. However, killing of police officers is at a record low level, and shooting of unarmed civilians is at a record high. Human rights, one viral video at a time.

WaelJanuary 11, 2018 10:14 AM

@Thoth,

I have an idea that I would like to prototype. Are you aware of an inexpensive EAL-7 SmartCard development kit I could use for that?

Clive RobinsonJanuary 11, 2018 10:28 AM

@ Thoth,

If you look back this was one of the new nightmares I was expecting.

The point I've made before several times about Kurt Gödel's work that predated Alan Turing's work kind of guarantees that it would happen...

Put simply, if it's in core RAM and you can get at the RAM by bubbling up, reaching down or side-stepping the CPU/MMU security layer in the computing stack then it is game over with the way computers currently work.

It was in part this realisation years ago that led to the "Castles-v-Prisons" model. Especially the "Probabilistic Security" aspect, with a non Turing complete Hypervisor halting the main CPU and walking the memory looking for illicit or incorrect modification / values...

Which I think we can now safely say has "come of age" and should be out there strutting its thing.

Anyway "as usual" "you heard it here first" on this Blog, which you can thank our host @Bruce for.

Oh, and I'm expecting a few other nightmares to arise, which a little bit of "Hinky Thinking" should give people as a hint: think about those "key stores" you find in that Trusted Platform circuitry, oh and for definite new attacks on Intel's Management Engine. There, I've said it, start the stop watch ;-)

Clive RobinsonJanuary 11, 2018 10:41 AM

@ Thoth,

With regards the SGX attack the code author is,

http://www.doc.ic.ac.uk/~dokeeffe/

Note his Camb Labs and UCL background and thus who he mixes with. He almost certainly reads this blog.

The interesting thing is just how fast he adapted his other SGX research.

I wonder if he read my comment, he would not be the first from that mix of background we know to have worked on ideas given on this blog ;-)

gordoJanuary 11, 2018 11:46 AM

House Votes to Renew Surveillance Law, Rejecting New Privacy Limits
By Charlie Savage, Eileen Sullivan and Nicholas Fandos Jan. 11, 2018

Before approving the extension of the law, the House voted 233 to 183 to reject an amendment that proposed a series of overhauls. Among them was a requirement that officials get warrants in most cases before hunting for and reading emails and other messages of Americans swept up under the program.

https://www.nytimes.com/2018/01/11/us/politics/fisa-surveillance-congress-trump.html

gordoJanuary 11, 2018 3:46 PM

Correction:

The paragraph I thought that NYT removed was moved a couple of paragraphs down. My apologies.

Clive RobinsonJanuary 11, 2018 5:33 PM

@ Nick P, Thoth, Wael and others.

Now that the two CPU firmware/hardware bugs have been highlighted, and Spectre in particular has shown its ability to reach around the standard computing stack security mechanisms into memory, the traditional security models and methods are going down like a house of cards in a blizzard.

Intel's SGX secure enclave has been shown to be vulnerable, as have page tables. But the nightmare continues...

Type safe languages are no longer type safe...

https://wingolog.org/archives/2018/01/11/spectre-and-the-end-of-langsec

Like the ghost of Christmas future this Spectre just keeps on giving in the nightmare department.

Bad as this all might sound, I predict it's going to give a new lease of life to ICTsec, especially in the academic paper department...

Clive RobinsonJanuary 11, 2018 6:01 PM

@ Bruce and the usual suspects,

Something for the weekend...

Titled "More is Less", this paper from researchers at Ruhr University Bochum[1] (sometimes affectionately called RUB) points out that the Signal protocol has a problem.

Whilst it is OK with e2e link encryption it has a problem with group chats.

https://eprint.iacr.org/2017/713.pdf

There is an easier read over on Wired,

https://www.wired.com/story/whatsapp-security-flaws-encryption-group-chats/

Whilst the problem is mild in Signal it's a bit more serious in WhatsApp, which did its own implementation of Moxie Marlinspike's protocol (confirming the old adage about crypto implementations[2]).

[1] Bochum is a nice place to visit, it's got a very fine collection of steam trains, a mining museum, a planetarium and one of my favourite toys, a radio telescope that gets used for Amateur Radio Satellite stuff from time to time.

[2] A rework of an older saw about sharp cutting objects. "Children and fools should not play with Crypto tools".

WaelJanuary 11, 2018 6:09 PM

@Clive Robinson,

Now that the two CPU firm/hardware bugs

I really can't add anything meaningful to this topic. Will skip ;)

Sancho_PJanuary 11, 2018 6:10 PM

@gordo, re Supreme Court and Privacy for Third Parties

Thanks for reminding us of these important cases.
But I’m afraid the law twisters will not come to a final decision.
Therefore each following case will depend on certain circumstances (bla bla) and involve several attorneys, time and money, just to make sure it all depends and those who can will win.

However, there would be only two basic points to agree on:

1) Ownership of data:
Yes, ”we don’t own the data collected about us.” (usually called metadata, this is data related to legal entities / persons).
But yes, we own the content, the message, the data itself, and very explicitly this means the content from yesterday, today and tomorrow.

2) Data thrift [1]:
Both metadata and data must be carefully managed, like an asset, like rare jewelry: If it’s lost (breached) it doesn’t matter if someone was evidently damaged by that loss (because data is intangible, the value may differ from zero to thousands of Dollars at each datapoint).
The person / company / business responsible for collecting + loss of the data has to be held responsible / reliable for keeping the data safe.
There has to be a severe punishment for any lost data point to make sure only absolutely necessary data will be collected and kept by the business.
Because the individuals can’t be compensated for their loss the punishment will be used by the gov to support control and enforcement of data thrift as well as for funding of public education and health care.
For loss in gov departments the fine will be taken from their budget.


[1]
I don’t know if this term is correct but it simply means:
Do not collect / store what you do not need, it’s a hot potato.

WaelJanuary 11, 2018 6:11 PM

@Clive Robinson,

Something for the weekend...

And the weekend is spoken for, too. I am also under the weather. Forgive me, chief! Hate to be a party pooper this time.

Clive RobinsonJanuary 11, 2018 6:35 PM

@ Bruce and the usual suspects,

Hot off the press, from NIST with the assistance of the NSA,

SP.800-90B,

    Recommendation for the Entropy Sources Used for Random Bit Generation

http://doi.org/10.6028/NIST.SP.800-90B

One of three documents it's a fairly dull but important read for anyone looking to make/test a TRNG.

Please note the noise source model they use. It's the model I bang on about, not the broken model Intel and others use in their chips.

It's very important with TRNGs noise sources that,

1, You have raw source access.
2, You continuously test the raw source.
3, You do not use the magic thinking / pixie dust model of hide it behind a crypto function.

Intel's chip TRNGs do not allow 1&2 and are heavily reliant on 3 to meet any tests, which even before the recent SNAFUs does not inspire confidence.

One reason for the lack of confidence is the "mixing problem of sampled free running ring oscillators".

Put simply, if you have two free running bit oscillators you can use one to sample the other via a D-Type or similar latch. What few realise is the supposed random output is actually the digitized product of f1+f2 and f1-f2, which is what you would expect from a Double Balanced Mixer (DBM). Putting this through a simple hash function hides this problem from the usual statistical tests like DIEHARD.
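As an added, constructed simulation (not code from the comment above or from any vendor), here is the "sample one free-running oscillator with another" source: the raw latch output has a strong autocorrelation at the beat period of |f1 - f2|, which a plain mean test misses and a SHA-256 "whitening" step hides entirely. The frequencies, jitter and sample counts are assumed values chosen for the demonstration.

```python
import hashlib
import random
from typing import Dict, List


def sampled_oscillator_bits(n_bits: int, f1: float, f2: float,
                            jitter: float = 0.02, seed: int = 1) -> List[int]:
    """Model of the noise source: a square wave at frequency f1 is latched on
    every rising edge of a second oscillator at frequency f2 (a D-type
    clocked by f2).

    `jitter` is the standard deviation of the edge-timing noise in periods
    of f1 (an assumed value for the simulation, not a measurement).
    Returns the raw latch outputs, i.e. what 'raw source access' gives you.
    """
    rng = random.Random(seed)                 # deterministic, so the run is repeatable
    bits = []
    for n in range(n_bits):
        t = n / f2 + rng.gauss(0.0, jitter)   # time of the n-th sampling edge
        phase = (t * f1) % 1.0                # where oscillator 1 is in its cycle
        bits.append(1 if phase < 0.5 else 0)  # high half of the square wave -> 1
    return bits


def beat_lag(f1: float, f2: float) -> int:
    """Samples per beat cycle: the latch output repeats at the difference
    frequency |f1 - f2|, exactly the product term a mixer would give."""
    return round(f2 / abs(f1 - f2))


def autocorrelation(bits: List[int], lag: int) -> float:
    """Normalised autocorrelation of the +/-1 mapped sequence at `lag`.
    Independent unbiased bits give values near 0; a periodic sequence gives
    values near +/-1 at multiples of its period."""
    x = [2 * b - 1 for b in bits]
    return sum(a * b for a, b in zip(x, x[lag:])) / (len(x) - lag)


def max_autocorrelation(bits: List[int], max_lag: int) -> float:
    """Largest |autocorrelation| over lags 1..max_lag (a crude periodicity test)."""
    return max(abs(autocorrelation(bits, lag)) for lag in range(1, max_lag + 1))


def whiten_with_hash(bits: List[int]) -> List[int]:
    """The 'pixie dust' step: hash each 256-bit block with SHA-256 and emit
    the digest bits. Output length equals input length, so no entropy is
    gained; the structure of the source is merely hidden from later tests."""
    out = []
    for i in range(0, len(bits) - 255, 256):
        block = bits[i:i + 256]
        raw = int("".join(map(str, block)), 2).to_bytes(32, "big")
        digest = hashlib.sha256(raw).digest()
        out.extend((byte >> (7 - k)) & 1 for byte in digest for k in range(8))
    return out


def mean(bits: List[int]) -> float:
    return sum(bits) / len(bits)


def compare_raw_and_whitened(n_bits: int = 8192, f1: float = 1.0,
                             f2: float = 1.037) -> Dict[str, float]:
    """Run the simulated source, push the same bits through the hash, and
    report the statistics that do (autocorrelation at the beat lag) and do
    not (the mean) reveal the mixing problem."""
    raw = sampled_oscillator_bits(n_bits, f1, f2)
    white = whiten_with_hash(raw)
    lag = beat_lag(f1, f2)
    return {
        "beat_lag": lag,
        "raw_mean": mean(raw),                                 # ~0.5: the mean looks fine
        "raw_autocorr_at_beat": autocorrelation(raw, lag),     # close to 1: clearly periodic
        "white_mean": mean(white),
        "white_max_autocorr": max_autocorrelation(white, 64),  # small: the hash hid it
    }


if __name__ == "__main__":
    for name, value in compare_raw_and_whitened().items():
        print(f"{name:22s} {value:.4f}")
```

The same autocorrelation check run only on the hashed output would pass, which is why continuous testing has to sit on the raw source, before any conditioning.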

ThothJanuary 11, 2018 7:28 PM

@Wael

The best I have seen is a CC EAL 5+ for overall card security (hardware + Card Operating System).

Some companies might try to push the EAL 6+/7+ marketing pitch but if one carefully reads between the lines, it's only a component that is EAL 6 or 7, as @Nick P has mentioned in the past. So far, I have never seen any card with an overall rating at EAL 7.

In fact, EAL ratings are kind of pointless once the card is above 5+ certified, despite all the jargon in the evaluation documentation.

The main thing to focus on is to get a card of at least EAL 5+ rating and to take your time to learn how to utilize the full security features in the card. Most card hacks are due to improper use and as @Clive Robinson recently said "Children and fools should not play with Crypto tools" and that is exactly the same for smart cards or any security development be it with a secure hardware or not.

Here are some EU/USA smart card shops:
- https://www.usmartcards.co.uk/smart-cards/java-cards.html
- http://www.smartcardsource.com/cart.php?target=category&category_id=11
- https://www.smartcardfocus.com

If you are OK with Chinese smart card shops:
- https://ftsafe.com
- https://javacardos.com/store/
- https://www.acs.com.hk

The Chinese shops might scare many people but for those who are seasoned in this field, they would know how to navigate it and get the cards they want at a cheaper price than the Western counterparts. I have a bunch of Chinese made cards and some Western cards and don't find much difference with them.

What you should be looking for when choosing smart cards is the type of language they use. MULTOS uses C and Assembly, but here is the caveat: it uses the possibly ROCA affected Infineon chips, so I do say stay away from MULTOS unless you are willing to take any risk of ROCA weakness or you are avoiding RSA crypto.

MULTOS is rated to EAL 5+ level overall just like other cards.

JavaCard is based off Java 1.2 but it is NOT JAVA. Most people think it is Java because it uses the same syntax but beyond the syntax, the operation is different. You have to do your own memory management (unless you have a high end card with GC), only statically defined code and variables, all variable assignments done explicitly are considered written to EEPROM or Flash and not stored in RAM unless you call a function to explicitly create objects in the RAM of the card, and so on. Java Cards by far are the most common and take up 90% of market share on the smart card and SIM card market.

BasicCard is a rare form that uses the Basic language. I have not tried it out but they claim to be much more efficient than JavaCard. I have not heard of any BasicCard with EAL certification yet, unless I am probably missing something.

.NET Card by Gemalto is one that is also pretty uncommon due to JavaCard being the dominant smart card language. Gemalto has some of those with FIPS 140-2 and CC EAL 4+ to 5+ depending on the product type.

Once you select the language you want to develop in, you choose the size of EEPROM/Flash space in the Userspace (not the overall space as per marketing might want to show you), the crypto algos supported, the Global Platform version supported as the basic decision making parameters for buying your cards.

That's the basic thing to consider for beginning smart card development.

ThothJanuary 11, 2018 8:05 PM

@Clive Robinson

Many of our ideas on the blogs have been picked up and used freely without a single thank you or acknowledgement. I guess our ideas that we post are given "freely and as-is"; they can be taken and then claimed to come from their own hands with no acknowledgement. That is one reason I have stopped sharing my latest designs here.

I have recently done quite some research and made some headway and had given @Nick P some peeks, but have not heard back much since he's very busy with his job.

It contains a design and recent research I am doing on a prototype execution environment which I intend to repurpose in the future to turn into the Prison Computing Cluster when chances arise, but workload on my side has also been pretty heavy, doing my own administration, marketing and sales besides technical stuff for my own "baby", which, with engineering as my background, isn't an easy thing to do.

I have pretty much figured out how to make the SIM cards talk to each other in a Prison model, but I have not decided on how to do the 'trusted mediator' portion between the cards, as the subject of a 'trusted mediator' to check the results of computations from multiple SIM cards is rather tricky stuff, especially how one can define what a 'trusted mediator' is.

We are in for more bubbling up attacks as you have described. As the Intel SGX model and AMD PSP models are 'children' of the ARM TrustZone, which is the 'grandfather', one should not be surprised that the same attack may be applicable to anyone using the ARM TZ model and its child models. In fact, as I have pointed out multiple times, I don't agree with how ARM TZ gives so much privilege to some 'Secure Enclave' world.

I do prefer the GlobalPlatform Smart Card's model where there is no such thing as 'root' or 'privilege world'. All domains/applets in a GPSC model are equals and no one can interfere with the other domain/applet and this is currently my ideal model for a Castle model.

The thing about 'typesafe' language is it makes assumptions of the security of the memory management in the platform and chipset. Once those are violated, it's gone. The better thing to do is as you have mentioned, multiple chips running pieces of the software and using the Prison Computing Cluster model to ensure the integrity of computation can be attested by multiple chips in the cluster.

Regarding Signal derived crypto protocols, I am still very hesitant to use them despite their having had 'a few reviews' on IACR and some other technical paper publication sites. They have not gone through the test of time that the OTR protocol has been subjected to, having existed much longer than Signal's protocols.

For the NIST 800-90B RNG criteria, I am thinking it's a reaction to the Canon printer containing the RSA BSAFE with DUAL_EC RNG episode, and to clean up the shattered image of NIST it's in all-out damage control mode to try and push out more publications, requests for comments and such to polish its image all shiny and clean again. That's not going to be easy nor is it going to be short term, but the efforts they invested are noted. Whether the US ICs might attempt to disrupt NIST's clean-up efforts is unknown as of now, but who knows if the US ICs might attempt to push something in.

gordoJanuary 11, 2018 9:17 PM

@ Sancho_P,

Yes, case-by-case, at a slow pace! It takes a while for cases to add up!

Your 1) and 2), together, seem to resemble the EU's GDPR, which is far ahead of anything coming out of the U.S.

I think that will be the model, at least, for the West.

U.S. business will have to adapt or they'll not be able to compete.

Whether the current U.S. judiciary can speed this up, remains to be seen. If so, they'll be called activists. Neither the U.S. legislative nor executive branches seem capable at this time. Business, grudgingly, will be the driver.

Maybe in the U.S., a bureau like the CFPB (Consumer Financial Protection Bureau) [with more teeth] would be appropriate, but for data: CDPB (Collected Data Protection Bureau). Your funding model fits.

Kids should be taught basic data economy or thrift at a young age, i.e., the value, use, control, etc., of their own data; rights and responsibilities. (Not to mention addiction issues. IIRC those issues first showed up in South Korea as it was, and remains, the most wired/high-speed nation on the planet.)

Wesley ParishJanuary 12, 2018 3:56 AM

@Sancho_P

1) Ownership of data: Yes, ”we don’t own the data collected about us.” (usually called metadata, this is data related to legal entities / persons).
Happens I disagree with that.

Who generates the data? As opposed to merely collecting it?

Copyright adheres to the generator of the data unless it has been specifically assigned to someone else. In nearly every case where I have generated data for some other person, whether it is a real person or a fake one like a company, this assigning of copyright has never been made clear, in any of the documents, whether online or dead-tree, relating to this generation of data. Consequently said persons are in breach of my copyright of that selfsame data, whether "personal" or "meta" data, if it is ever used for purposes which are not declared and defined in those documents surrounding this data collection.

RachelJanuary 12, 2018 5:27 AM

Clive
To avoid corrupting the excellent Spectre Meltdown thread I'm responding here to your post about language acquisition in children. Apologies for off topic, friends, will leave it here. Firstly I'm grateful for your words. I was getting concerned about my low blood pressure.
Authentic query: don't comprehend how experiments with the optics of kittens translate to language centres in the brains of humans?
I think total immersion is something of a myth. How many comfortable ex pats have we met who have spent 10 years somewhere exotic without bothering to learn anything? [I reckon that one sentence will trigger some good yarns from a few of you ;-)] One's capacity relates to the amount of focused solo study one is prepared to do.
I accept some of what you said may relate to the way things may have been. For brevity: I've been heavily influenced by a new methodology that overcomes all the issues you named and more besides. The book with excellent supporting website is named Fluent Forever by Gabriel Wyner. It revolves around training multiple neural pathways simultaneously, avoiding translation entirely, commencing with hearing minimal pairs tests, amongst other things. It's dense with supporting studies. I don't have it on hand presently.
Breaking the Gordian Knot of tradition I refer to your final sting in the tail:
I am an excellent writer in English and speed touch typing a suitable companion. However I currently contend with free wifi that regularly drops out without notifying me, which ensures a race against time to Post before everything is lost, an old e reader not designed for internet browsing let alone typing, and a temporarily damaged hand requiring an odd digit for tapping. The latter has the odd effect of disconnecting my language skills from my motor skills; moronity ensues.
Anyone wishing to send me an ebook can do so ;
Rachel c/o Wael c/o Bruce Schneier c/o Schneier On Security, MIT

RachelJanuary 12, 2018 5:36 AM

clive
ps that that is crude to me. I'm a that which, but probably an older variant, can you help with examples? I tried.

ThothJanuary 12, 2018 7:07 AM

@Clive Robinson, all

Intel ME is a gift that simply keeps giving. An article on an Intel ME/AMT bug that lets attackers bypass BIOS, Bitlocker passwords, Secure Boot, TPM pin authentication and so on, as the website mentioned.

The attack only requires a minute to execute to bypass all the security, including previously secured resources.

Link: https://www.bleepingcomputer.com/news/security/intel-amt-security-issue-lets-attackers-bypass-bios-and-bitlocker-passwords/

Clive RobinsonJanuary 12, 2018 10:39 AM

@ Thoth and the usual suspects,

a gift that simply keeps giving.

Yes, do you remember my Spectre nightmare list? I mentioned Intel SGX and it happened, then all that Somebody Else's Problem (SEPPUKU) kit such as those rack boxes for Infrastructure firewalls, comms and storage like SAN...

Well just call me "Mystic Meg" ;-)

https://www.theregister.co.uk/2018/01/12/storage_area_networks_patches_spectre_meltdown_bugs/

So OK what did the stopwatch get to on that one :-)

gordoJanuary 12, 2018 2:19 PM

The third time's the charm on this NYT headline(?). That troublesome choice of a last word went from: 'Limits' to 'Protections' to 'Safeguards'. I think they have the best characterization now. I don't know if there were other published iterations that I might have missed...

House Extends Surveillance Law, Rejecting New Privacy Safeguards

https://www.nytimes.com/2018/01/11/us/politics/fisa-surveillance-congress-trump.html

Pre-Internet editors probably had an easier time with headline corrections: They had to get it right the first time.

Clive RobinsonJanuary 12, 2018 4:18 PM

And another one from Ben Gurion Uni.

https://www.wired.com/story/a-clever-radio-trick-can-tell-if-a-drone-is-watching-you/

This time it involves listening out for the video downlink from a drone to detect a drone in the area. Then, to detect if it's looking in your direction, in effect send a semaphore signal and look for an in-time change in the video downlink (this correlation attack will work against many compressed and encrypted video signals) to see if it is watching you.

The thing is that whilst it will work, the degree it does is dependent on what percentage of the frame area your semaphore signal represents.

Another way to do the detection is with a form of Doppler radar using a non rotating antenna. Then having found it use a wide angle Lidar signal from a just below the visible spectrum Laser. By applying jitter and beam reduction get just the body of the drone in the beam. If there is any camera pointed at you the "red-eye effect" will be visible. What you do after that is dependent on local legislation. But with the military or similar they might up the output power of the laser to either "dazzle" or "blind" the camera. Thus different strokes for different folks with the big boys getting the big toys ;-)

Clive RobinsonJanuary 12, 2018 4:37 PM

@ Bruce and the usual suspects,

1,400Km of Chinese canal, 100,000 IoT sensors using whatever signal they can get across open networks...

What could possibly go wrong? :-S

https://spectrum.ieee.org/tech-talk/telecom/internet/a-massive-iot-sensor-network-keeps-watch-over-a-1400kilometer-canal

I'm guessing the IoT sensors will be "home grown" perhaps with some SigInt input for security measures. Otherwise some other nations SigInt agency will try to get in there.

Clive RobinsonJanuary 12, 2018 4:50 PM

@ ALL,

I find this fascinating,

https://arxiv.org/pdf/1801.03534

It's a paper about a mechanical Turing Complete computer using only two simple mechanical primitives that can be very small,

A new paradigm for mechanical computing is demonstrated that requires only two basic parts, links and rotary joints. These basic parts are combined into two main higher level structures, locks and balances, and suffice to create all necessary combinatorial and sequential logic required for a Turing-complete computational system. While working systems have yet to be implemented using this new paradigm, the mechanical simplicity of the systems described may lend themselves better to, e.g., microfabrication, than previous mechanical computing designs. Additionally, simulations indicate that if molecular-scale implementations could be realized, they would be far more energy-efficient than conventional electronic computers.

If it can be built using molecular-scale parts and has the energy saving potential claimed, these would be very useful for certain bio-medical applications.

Sancho_PJanuary 12, 2018 6:13 PM

@gordo

AFAIK the EU GDPR is far away from my proposal. Punishment is against business (=shareholder value = secret pockets = revolving doors) so they would oppose it.

EU politics would never try to rein in business; this is too late.
We (society, business, consumption) must pick up speed now every day or we will stumble tomorrow.
It’s similar to running downhill: At a certain speed suddenly you can’t slow down anymore.

Sancho_PJanuary 12, 2018 6:21 PM

@Wesley Parish

OK, you may disagree, but these horses left the barn long ago.

And I think I don’t understand your reasoning:
”Who generates the data? … Copyright …”

The ISP accepts your (voluntary) connection, adds timestamp, destination,
whatever -
They observe, they note it down, they do, it’s theirs, or do you mean e.g. the time you’re leaving home in the morning is protected by copyright?

But also what they do is not protected by copyright.
Copyright protects artwork.
You may claim your movements constitute some kind of artwork, but I’m afraid this wouldn’t hold water when it hits a judge.

Protected by copyright may be the content of your message, but it must be somewhat outstanding:
To claim “hello” as an artwork may be difficult.

No, metadata is (rightly) theirs.
We have to fight for the data part - and I’m afraid that is lost already because no one seems to care about the difference.

Clive RobinsonJanuary 13, 2018 9:15 AM

@ Sancho_P,

Copyright protects artwork.

Wrong, "it protects original and derived works" that is "art" has nothing to do with it other than as a "work". It's why what appears to be simple letters have an originator and recipient copyright.

Thus the times you connect and the rest of the metadata together do form a "work"... So software, even though almost entirely derived, also has a copyright...

In the US they claim just collecting data forms a work, which is why they get away with stealing your details and by aggregating them with others in a database form a derived but still original work.

Sancho_PJanuary 13, 2018 7:37 PM

@Clive Robinson

Well, I’m not happy with your simplification.
Although it has (half) a point, I think it denies the most important aspect, this is the creative part.

I used “artwork” because the simple stereotype texting, or simple / primitive drawings (think of scribbling a flower using a pencil) or any “work” without basically unique ideas very likely will not be protected.

My “artwork” stands for “work” + “something”; each part alone wouldn’t matter, as ideas or information alone are not covered either.
To me artwork is the simplest term, but please give it a better, more understandable word.

Copyright is an artificial right; it is really difficult to explain in a few words, especially because its perception is different in different regions and cultures within our small canoe.

An example is the problem with a picture of the Eiffel Tower by night, because the illumination is (probably …) protected by copyright.
Or, in contrast, a picture of a mountain (not an artwork). It must have a unique part, like light, clouds, whatever, otherwise no one could even claim “that’s mine!”.

All “rights” are defined by humans, artificial, prone to injustice and complicated, good law twisters will always find a backdoor.
And most of the “rights” will only serve the upper class business and the lawyers, not the plebs.
Same goes with the copyright, YMMV depending on your opponent.

Good you mention software, that’s an interesting but typical artwork (excuse me!) with creativity and uniqueness (hopefully), even if it’s likely derived work, the “art” is how it is derived.

But what happens in case a machine, say AI, writes the program (or simply, a unique blog posting)? What about the copyright, will it span “the lifetime plus …” of the author = the machine, or its program?
Or is it not protected, and why?
See the dance of the lawyers? [1]

Anyway, I can’t see any creative, unique idea (and its manifestation, as required in some jurisdictions) in surveillance itself, but yes, it may be the method, the how-to, that is protected.
But I’m afraid it will not expand to the collected data, ever.

However there is another problem, even if we claim our connection, how we do it, including errors and retries, the timing a.s.f. is clever and unique:
-> The TLAs do not commercially use / reproduce this unique way.
Even if we could claim copyright, there is no violation of it.

[1]
“Software has a copyright”, yes, but is it the source code or the binary? Using a different compiler or a recompiler will change the “work”, but decompiling may reveal some of the “art”, the most important part.
See the twisters dance again …?

Clive RobinsonJanuary 14, 2018 1:33 AM

@ Sancho_P

Well, I’m not happy with your simplification. Although it has (half) a point, I think it denies the most important aspect, this is the creative part.

You will see that I used the word "original" which covers that and more. Patent attorneys use accepted phrasing such as "original work" and "somebody practiced in the art" etc. They appear archaic to the modern eye but they have recognised meaning under law, which is the important part; the same applies to copyright and marks of trade etc. To steal a quote and expand it,

    The law may be an ass, but it has teeth and hooves enough to defend itself.

And it's a point you forget at your peril...

I used “artwork” because the simple stereotype texting, or simple / primitive drawings (think of scribbling a flower using a pencil) or any “work” without basically unique ideas very likely will not be protected.

What you call "unique" lawyers call "original" the reason is again archaic, but IIRC unique is deemed as a process of the mind without tangible form whilst original is deemed as a process or part of a tangible object.

Importantly the word "artwork" is already defined in a too narrow way. You can pull it up in seconds with Google and you get,

    artwork /ˈɑːtwəːk/ noun : illustrations, photographs, or other non-textual material prepared for inclusion in a publication.

Note the "non-textual material" and "inclusion in a publication" limitations.

Each legal jurisdiction uses its own "standard dictionary"; in the UK for instance it's the "Oxford English Dictionary". Whichever jurisdiction you are in will have its own standard, which judges and lawyers will use.

Importantly they almost certainly won't be using your "artwork" definition. Almost certainly in an English speaking jurisdiction they won't use "artwork" at all but other terms such as "original work" "derived work" and "practiced in the art" as these have meaning they recognise.

As far as they are concerned it's the degree of originality that counts. If you, say, write a poem, at the point it ceases to be "common usage" you gain copyright. This may be as early as the third or fourth word if you use a unique turn of phrase or invented word.

But usage also counts,

    The clock struck thirteen

Whilst an original book title, is known to have been taken from

    the clocks were striking thirteen

Which is the second half of the first sentence in "1984". 1984 which as a number just like "007" would not ordinarily be copyrightable. But as titles in a context they can be if they are the first usage. Likewise "catch phrases" and even "looks" can and are considered to have copyright as long as they are in some way original, even if only in a context (look up "Apple" and "Apple" the two organisations have had their moments in court).

As an overly general rule, unless you reassign the copyright it remains yours for a period of time. In some cases it's whilst you live and for a period after your death so your widow and children get benefit, in others not.

However I can take "poems on a theme" from different poets and form them into a collection which is a "derived work". Whilst I do not have copyright on the original poems I do have copyright on the collection providing it has originality in some way such as in the ordering (i.e. it's not just common usage chronological or alphabetical).

Thus with songs you have copyright by those who wrote the music, wrote the words, arranged the music, performed the song as the primary copyright holders. But there are quite a few other copyrights, including those such as published play lists that include the song...

Copyright, like Marks of trade and Patents, offers varying degrees of protection under law and in some cases obligations as well. Unfortunately various jurisdictions --the US in particular-- have their own non-standard rules and interpretations, which is just one of the reasons we have the WTO rules amongst others. Such issues did, if you remember back, cause problems with eBooks.

Unfortunately one consequence of protection is "applying it". In the US the interpretation almost always overly favours those with financial clout, thus software and mathematical patents are allowed, which unfortunately appear to be coming to other places real soon now due to corporate lobbyists.

As you note IP rights are not natural, but the same is true for all rights. You only get those you can enforce against all comers...

gordoJanuary 14, 2018 3:45 AM

@Sancho_P,

Regarding GDPR, meaningful penalties have been codified. Yes, these are all uphill battles. That the GDPR exists at all says the effort is not futile.

Unless I've misunderstood the nature of your concern(s) e.g., metadata, see, for example then, the recommendations here: "MERGER OF ARTICLES 6 AND 9 (TRAFFIC AND LOCATION DATA)" http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp240_en.pdf (p. 13-15).

JG4January 14, 2018 8:55 AM


@tyr - Thanks for the tip about Creel. I've mentioned Bernays at least a few times in the same context, but I don't think that I ever went as far as linking one of his books. I believe that the Creel propaganda effort was one of his formative experiences. the use of the Amazon link is not an endorsement of them, their partners, their propaganda practices via the Washington Post, their data collection and protection policies, nor their labor practices.

if we think of society and government as a sort of crowd-sourced artificial intelligence for allocating resources, including hardwood shampoo, then false information is analogous to malware running on a processor. it corrupts the integrity of the result, and repurposes the resources. it serves itself first, its friends second and the public last, if at all. this is the crux of the conflicts of interest that are never named in the lamestream media.

Propaganda: Edward Bernays, Mark Crispin Miller ...
... this was the first book that explored the use of propaganda as a government and business means of manipulating the masses.
https://www.amazon.com/Propaganda-Edward-Bernays/dp/0970312598

103 years is a pretty good run on the old blue marble. he must not have been too troubled by the implications of his work. to be fair, if he hadn't discovered the hidden transfer functions, someone else would. a lot more have been found and placed in service since his heyday. ("Merchants of Doubt")

UFC is a subsidiary of Concurrency, Integrity and Availability, or vice versa

https://en.wikipedia.org/wiki/Edward_Bernays
...
His best-known campaigns include a 1929 effort to promote female smoking by branding cigarettes as feminist "Torches of Freedom" and his work for the United Fruit Company connected with the overthrow of the Guatemalan government in 1954. He worked for dozens of major American corporations including Procter & Gamble and General Electric, and for government agencies, politicians, and non-profit organizations.
Of his many books, Crystallizing Public Opinion (1923) and Propaganda (1928) gained special attention as early efforts to define and theorize the field of public relations. Citing works of writers such as Gustave Le Bon, Wilfred Trotter, Walter Lippmann, and his own double uncle Sigmund Freud, he described the masses as irrational and subject to herd instinct—and outlined how skilled practitioners could use crowd psychology and psychoanalysis to control them in desirable ways.[4][5]
...[CPI seems to be an alternate name for the Creel effort]
Ewen (1996), pp. 162–163. "During the war years, Bernays joined the army of publicists rallied under the banner of the CPI and concentrated on propaganda efforts aimed at Latin American business interests. Within this vast campaign of "psychological warfare", as he described it, Bernays—like others of his generation—began to develop an expanded sense of publicity and its practical uses."
...

fake news isn't new, but it often is government-sponsored

https://en.wikipedia.org/wiki/Committee_on_Public_Information

The Committee on Public Information, also known as the CPI or the Creel Committee, was an independent agency of the government of the United States created to influence public opinion to support US participation in World War I.
...[fake news isn't new]
One early incident demonstrated the dangers of embroidering the truth. The CPI fed newspapers the story that ships escorting the First Division to Europe sank several German submarines, a story discredited when newsmen interviewed the ships' officers in England. Republican Senator Boies Penrose of Pennsylvania called for an investigation and The New York Times called the CPI "the Committee on Public Misinformation."[21] The incident turned the once compliant news publishing industry into skeptics.[22]
[more fake news]
Early in 1918, the CPI made a premature announcement that "the first American built battle planes are today en route to the front in France," but newspapers learned that the accompanying pictures were fake, there was only one plane, and it was still being tested.[23] At other times, though the CPI could control in large measure what newspapers printed, its exaggerations were challenged and mocked in Congressional hearings.[24] The Committee's overall tone also changed with time, shifting from its original belief in the power of facts to mobilization based on hate, like the slogan "Stop the Hun!" on posters showing a U.S. soldier taking hold of a German soldier in the act of terrorizing a mother and child, all in support of war bond sales.[25]
...

from the usual daily compendium

https://www.nakedcapitalism.com/2018/01/links-11418.html

...

Silicon gains ground in quantum-computing race Nature

CES Was Full of Useless Robots and Machines That Don’t Work Daily Beast

At CES, Spectre haunted tech executives in public and private meetings MarketWatch

...

Big Brother Is Watching You Watch

Predicting Crime in SF- a toy WMD Orlando Torres. WMD = “Weapon of Math Destruction.”

...[Kubrick didn't miss the stick trick]

Your smartphone📱is making you👈 stupid, antisocial 🙅 and unhealthy 😷. So why can’t you put it down❔⁉️ Globe and Mail

A Field Guide to Deception MIT Technology Review (DL).

The Stick Is an Unsung Hero of Human Evolution Nautilus

Sancho_PJanuary 14, 2018 5:18 PM

@Clive Robinson

I stand corrected and do hope at least all the native speakers will understand the word “original” in the lawyers’ sense.

”Thus the times you connect and the rest of the metadata together do form a "work"...”
Yes, but now I’m not sure if your omission of “original” before “work” was intentional here?

So, if any, where would you see the copyright-protected originality of these metadata, say, our phones’ whereabouts and movements?

And the violation of the alleged copyright in case TLAs have (silent) access?

Sancho_PJanuary 14, 2018 5:22 PM

@gordo

Thanks for the merger-recommendation link, it makes for good reading in case of low blood pressure ;-)
There are too many words to avoid a simple “No”.

Seriously, will the recommendations, let alone legislation,
- ever catch up with the technical evolution?
- stop anybody from hoarding (and selling) personalized data?
- intentionally protect us from overly broad TLA’s access?

Wait until “prior consent” will legalize murder, this is more likely.

I don’t have concerns re metadata, only regarding the content.
My “running downhill” metaphor was to show that, after realizing our Ponzi game economy, no politician would seriously attempt to regulate business now, only in a couple of years …

good questionsJanuary 14, 2018 6:13 PM

@Sancho_P

But what happens in case a machine, say AI, writes the program (or simply, a unique blog posting)? What about the copyright, will it span “the lifetime plus …” of the author = the machine, or its program?
Or is it not protected, and why?

I can't speak to all of your points, but in regards to the quotation above, the following link and references might be of interest.
https://en.m.wikipedia.org/wiki/Monkey_selfie_copyright_dispute

gordoJanuary 14, 2018 9:01 PM

@ Sancho_P,

Untwisting; And the band played on . . .

Also of interest:

Steven M. Bellovin, Matt Blaze, Susan Landau, and Stephanie Pell. It's too complicated: How the Internet upends Katz, Smith, and electronic surveillance law. Harvard Journal of Law and Technology, 30(1):1--101, Fall 2016.

The arguments made in this Article — namely that the architecture of the technology itself both collapses the content/non-content distinction and renders application of the third-party doctrine unworkable — nevertheless provide an evidentiary technical foundation that supports the privacy-based concerns raised by Justice Sotomayor. Whether or not courts and legislatures choose to engage with the privacy questions inevitably raised by the complexities of IP-based communications, the shaping influence of the factual technical terrain we have described upon surveillance law and policy cannot be avoided (last page, last paragraph).

http://jolt.law.harvard.edu/assets/articlePDFs/v30/30HarvJLTech1.pdf

Sancho_PJanuary 15, 2018 4:01 PM

@good questions

Funny, only that the monkeys triggered the pictures themselves by pressing a button.
In my opinion the photographer can’t claim the copyright.

To add to the confusion: I have images of cats triggered by a sensor when approaching my auto-feeder (I’ve tried face recognition to select only my cats but to no avail so far).

These examples clearly show the abuse of copy"right" for business when machines do the “original work”.

Sancho_PJanuary 15, 2018 4:19 PM

@gordo

Thank you again, I didn’t know about the “It’s Too Complicated” paper, interesting and important, but very sad.
I’m still chewing on it, but my gut feeling is they are completely wrong in their conclusion that the Internet collapses the distinction between content and non-content:

”The narrowness of the functionality provided by the telephone network guided the Justices in “Smith”. But because technology was already beginning to provide more advanced services through dialed digits, the clear boundary between content and addressing information was beginning to blur. This obscuration is, however, nothing in comparison to how the Internet would collapse the traditional content/non-content distinction.” (my emph)

Inflating complexity doesn’t serve a good purpose here, on the contrary.

The new technology behind our communication didn’t change anything but improve the collection of data.
Only the prior existing Third Party Doctrine was wrong from the beginning.
As a consequence there were dubious “agreements” in court decisions that successively expanded the "law" up to the debacle we have today.

Now it is extremely difficult, if not impossible, to cut back the false “rights” the TLAs claim, arguing “prevent + CP + serious crime + national security + terror” (but in reality it is protecting big business).

Once it is clear that the TPD per se is nonsense the discussion could bear fruits without technical details. Technics has to follow the law, not reverse.

And I’m afraid conflating content and non-content is dangerous because then they will expand their TPD “rights” to take both, metadata plus content.

Oh, stumbled over another blunder:
”Email addresses are, of course, of great interest to law enforcement. They are more closely tied to an individual than a device is, and email is a common means of communication between multiple parties in ongoing criminal enterprises. Equally important, they represent the technical endpoints of a communication and …”

- More closely tied to an individual than a device?
- Why mention criminal enterprises? Cars are a common means of murder?
- Email addresses represent the technical endpoint?

(… Will now go for the red liquid to help me chew on that paper. Very, very sad.)

gordoJanuary 15, 2018 11:12 PM

@ Sancho_P,

A couple of comments:

The third-party doctrine is by definition specious. To say that one must voluntarily give up their Fourth Amendment rights in order to participate in society is wrong. No one should have to give up anything without good cause. Justice Sotomayor, as quoted in the article (p. 101), is on the right track:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.

Regarding content/non-content conflation, it does present an opportunity for making "collect it all" arguments. "It's too complicated" cuts both ways.

Sancho_PJanuary 16, 2018 4:38 PM

@gordo

Um, I agree with “specious” and your rationale, but not with “on the right track”, because the quoted statement doesn’t make sense. On the contrary, to me it contradicts the basic idea of privacy:

When an individual voluntarily discloses information to third parties (say on social platforms) there is no reasonable expectation of privacy; this does not have to be reconsidered, it is crystal clear.
Justice Sotomayor’s quote is to mock those who question the TPD,
“voluntarily” is not when there is no choice.

Where the TPD is completely wrong is the unreasonable expectation that sending a message from Alice to Bob means the courier is supposed to read, store and share what they can with whomever they want.

TLAs are only the pretext for big business (He who pays the piper …).

To say: Because there is no technical (or practical) means to encrypt everything or at least to close the envelope, the sender voluntarily agrees to share the message is just cynical.
And it is disrespectful to generalize the public as being dumb criminals. Cop-view.

Regarding your last paragraph I understand the words, but probably not the sense: The conflation prepares to take everything (the same as my perception of what they try)?
But then why “cuts both ways”:
Technically they already have, say, 60%, and it's legal (in their sense since Smith).
But the other way would be: It’s too complicated to separate, so let it go?
Give privacy back to the plebs because it’s too complicated otherwise?

Since Smith v. Maryland (1979) they silently got much more than 60%, because the original pen register was only from now to the future of a _suspect_, but actually they also have the past, and of all innocent citizens (and more), too.

I can’t see how a completely useless and partly wrong technical obfuscation could help to undo fascistic power grabbing in a right wing gov.
It’s a disingenuous paper.
Sorry when I sound a bit harsh, but ”it may be necessary” (Sotomayor) ;-)

gordoJanuary 16, 2018 7:27 PM

@ Sancho_P,

There is no doubt that information is voluntarily disclosed to third parties by data subjects 24/7/365 for whatever purpose, e.g., social media. Without "good cause" the government has no claim on any of this information--regardless of where in the stack that it's disclosed to third parties, voluntarily or otherwise.

Justice Sotomayor admits that there may be a problem with the premise of the third-party doctrine: "no reasonable expectation of privacy in information voluntarily disclosed to third parties." What's crystal clear to you and me, for Justice Sotomayor is only-just or just-only coming in to focus. She is on the right track.

The writers of "It's too Complicated..." have shown that application of the third-party doctrine is failing its own rules. Thus, "it may be necessary...."


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.