Friday Squid Blogging: Te Papa Colossal Squid Exhibition Is Being Renovated

The New Zealand home of the colossal squid exhibit is behind renovated.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on January 19, 2018 at 4:48 PM • 115 Comments

Comments

Lawrence D’OliveiroJanuary 19, 2018 5:09 PM

Yeah, gidday mate.

Just saying hi from the Land of the Long White Squid.

PurrJanuary 19, 2018 5:18 PM

Perfect steganography is possible, but expensive. You need a popular software program that works with photos or video or audio. The new version of the software takes the least significant bits of every file, and replaces them with an encrypted file container, regardless of whether the user intends to hide information there or not. Once you have millions of files created with that program, no one can tell which file containers are empty -- almost all will be. Then you could use the program to store or send data securely. Cost would be very high, as you need to buy a company which makes very popular software, in a fairly narrow category. And you have to wait for mass adoption of the new software version. But it can be done.

paranoia destoys yaJanuary 19, 2018 7:53 PM

A new article about faking domain names using look alike characters from another alphabet was covered here in 2005.
https://www.pbs.org/newshour/nation/hackers-are-flooding-the-internet-with-more-fake-domain-names-heres-how-you-can-protect-yourself

Another possible browser/email fix besides those mentioned 13 years ago would be to show a country flag in the browser bar.
https://www.schneier.com/blog/archives/2005/02/unicode_url_hac_1.html

The problem looks like media FUD or is taking a long time to catch on.

GodelJanuary 19, 2018 7:54 PM

@Purr: And the UK government imprisons you for years for refusing to supply the passwords to decrypt all these faux containers. :-)

Markus OttelaJanuary 19, 2018 9:38 PM

@Nick P, @Clive Robinson, @Sancho P, @Thoth et. al.

Quick progress report on TFC Onion Service backend development:

Here's what it currently looks like.

Back when TFC talked over Pidgin, the messages were essentially delivered on demand. My current approach is to have Flask server and requests client on NH. By default the server sits behind Tor Onion Service (previously called Hidden Service). The request client routes all data through Tor and requests new messages from contact. Once master password has been setup, TxM will generate the RSA1024 key pair and the HidServAuth cookie for that Onion service, and deliver those to NH. NH will display the Onion Service confirmation code that allows TxM to move forward. TxM will deliver the Onion Service data to NH every time it launches. This allows NH to remain ephemeral and prevents loss of account data in cases where e.g. Tails is used to deliver keys.

The messaging starts with off-band exchange of the TFC accounts. The accounts consist of three parts:

1. Onion URL in raw byte format: Onion URL authenticates the Onion Service's public RSA key ensuring end-to-end encryption between NHs.

2. HidServAuth Cookie in raw byte format: HidServAuth Cookie adds client-side authentication: without it it's impossible to make the introduction points able to connect user to Onion Service.

Current version (v2) of Tor Onion Services only allow 16 different authentication cookies, so I'm currently using one cookie for all contacts of user. This is slightly problematic as it means it's impossible to revoke the ability of contacts to check when NH is online (even if contact is removed). This will probably change when v3 Onion Services are supported by the Stem library sometime in the future. The new model makes number of cookies arbitrary, as long as it's divisible by 16.

3. Checksum that is the 8-byte truncated version of SHA256(SHA256(Onion URL || HidServAuth Cookie)) Checksum detects typos when typing the URL and cookie.

These three values are re-encoded with Base58 for easy typing, and once contact's address is entered to user's TxM, TxM outputs the URL and the Cookie to NH. The Cookie is added to Tor via Stem library, and after that a separate process is launched to query the Onion URL for packets.

--------------------------------------------------------------------------------

Since all contacts connect to same address, there exists a problem if contacts are able to copy ciphertexts not intended for them. CTs should not be persistently available, nor should anyone be able to see to what accounts CTs are addressed to. I solved this issue the following way:

When TFC-NH starts, the application generates an ephemeral X25519 key pair for the session. When contacts connect to the root domain (address.onion) of user's server, the site will return the public key of user's TFC-NH. The only way to continue this handshake is if your contact is also making requests to your Onion Service.

When client of both parties has obtained and validated the public key, they will combine it with the session's ephemeral private key to derive the X25519 shared secret. This shared secret is used as a path to obtain ciphertexts from contact: address.onion/shared_secret. This path has 128 bits of entropy so it is essentially unguessable. I put special effort into ensuring path is validated in constant time, regardless of number of contacts the purported one is checked against.

The client process will query the path for messages until it returns empty message: Since TFC-NH is stateless, it does not keep track of previous shared secrets. So if e.g. Tails OS on NH crashes, after restarting OS, TFC-NH does not know contact prompts for previous, valid shared secret. It should therefore return the same value with invalid shared secret as it should return when no new messages are available. Therefore we leave these messages empty.

So, as it's impossible to know for sure if server was restarted, it's impossible to know if new X25519 key pair has been created. Thus the client that receives empty message must check if public key of server has changed. If public key was not changed, it'll try again for ciphertexts with the X25519 shared secret. If public key has changed, it'll generate new shared secret and from henceforth query the new path.

If even root domain (that always returns current public key) is unreachable, the client will double the 0.125s wait time until 64s delay is reached. The value will not grow from there. At 4 seconds mark, the client will notify that the contact is offline, and once the public key is again available, it will notify that the contact is online and return the wait time back to 0.125s.

---

For the next section I want to define two different attackers:

Eve is monitoring user at ISP level: she sees user is connecting to Tor network and she then tries to extract metadata about Tor usage: She is trying to deduce if user is using TFC, and if that's the case, learn everything it can about the connection. One goal is to try to prevent Eve from figuring out she needs to become Mallory.

Mallory has compromised NH, so she knows TFC is being used and she only has to focus on extracting TFC metadata from there.

Tor padds each packet by default into 500 bytes (these packets are called cells). This is great, as TFC's packet that are static length fit inside the payload of the cell.

I'm currently considering between multiple design choices for exchanging packets:

1. Every time contact requests for packet, server returns the oldest packet. After receiving the packet, the client will wait for some time before loading the next one. Even if packet is empty, cell's padding will hide it. Packets are loaded at constant intervals from each contact. If each contact is online, this hides from Eve metadata about quantity and schedule of communication even when traffic masking (constant stream of packets from TxM) is disabled. Eve will however learn how many contacts of user are online. This is a hard problem to solve.

Mallory will however learn quantity and schedule unless traffic masking is enabled.

The good thing here is that it yields very little metadata to Eve, but the bad thing is it's very slow, and when traffic masking is disabled, it wastes Tor bandwidth considering Mallory can still see metadata.

2. Slight alteration to number 1. When requested for packets, NH will return all packets TxM has delivered it, in one large transmission that the client will obtain as streaming request over multiple grouped cells.

This will not change cell size, but it will show large bursts of messages that might indicate file transmission or large message output. So Eve might learn much more about what's going on. OTOH, it might make TFC harder to fingerprint as packet size varies.

When traffic masking is disabled Mallory learns equally much: She will see that TxM just output a huge burst of packets to NH. So this approach adds no protection for quantity/schedule metadata against Mallory.

There's one more interesting aspect to this. If traffic masking is enabled, you can with very little inconvenience leave your NH on all night. Even if contact's setup goes down for some time, if they connect to you in the morning, they can (after new path negotiation is complete), very quickly stream all noise/file/message packets that your NH server has buffered. This only reveals that contact has now come online. Mallory hasn't learned anything about when/how much you output to network during the night, and since the traffic masking conversation from contact starts flowing in, she'll learn nothing about contact's communication to you.

3. POST based delivery.
Delivering packets on demand like I did with Pidgin saves Tor's bandwidth, but this will only protect against Eve's metadata collection if traffic masking is enabled. Alternatively, option 1 can be implemented with periodical, indefinitely retrying POST requests.

4. SOCKET based connection
IIRC Ricochet does not use client-server model but forms a direct TCP connection. I need to learn more about this before I'm able to decide if it's the best approach.

Misc stuff:

Tor has finally updated their repository for 0.3.2.9, which means v3 Onion Services are even closer.

While writing this I realized I should have RxM associate the truncated account NH displays with nick and display online/offline messages with friendly names on RxM.

The truncated account is actually the truncated SHA256d hash of the Onion URL and HidServAuth cookie. It ensures user can associate NH's events with protected nicks but keeps in a way, secret onion URL and cookie hidden from shoulder surfers.

Any thoughts and comments on the implementation are more than welcome!

65535January 20, 2018 1:05 AM

Great work. I have to study you pages more in-depth information:

https://github.com/maqp
https://www.cs.helsinki.fi/u/oottela/
https://github.com/maqp/tfc/wiki
[Your blog link doesn’t work]

I just give short snips and make an observation

“…My current approach is to have Flask server and requests client on NH. By default the server sits behind Tor Onion Service (previously called Hidden Service). The request client routes all data through Tor and requests new messages from contact. Once master password has been setup, TxM will generate the RSA1024 key pair and the HidServAuth cookie for that Onion service, and deliver those to NH. NH will display the Onion Service confirmation code that allows TxM to move forward. TxM will deliver the Onion Service data to NH every time it launches. This allows NH to remain ephemeral and prevents loss of account data in cases where e.g. Tails is used to deliver keys.”

I have been following Flask with interest. It seems fast using py and now is used by some huge sites. The Onion Service is interesting. But, typically somewhat slow.

"The messaging starts with off-band exchange of the TFC accounts. The accounts consist of three parts:

“1. Onion URL in raw byte format: Onion URL authenticates the Onion Service's public RSA key ensuring end-to-end encryption between NHs.
2. HidServAuth Cookie in raw byte format: HidServAuth Cookie adds client-side authentication: without it it's impossible to make the introduction points able to connect user to Onion Service.

“Current version (v2) of Tor Onion Services only allow 16 different authentication cookies, so I'm currently using one cookie for all contacts of user. This is slightly problematic as it means it's impossible to revoke the ability of contacts to check when NH is online (even if contact is removed). This will probably change when v3 Onion Services are supported by the Stem library sometime in the future. The new model makes number of cookies arbitrary, as long as it's divisible by 16.

“3. Checksum that is the 8-byte truncated version of SHA256(SHA256(Onion URL || HidServAuth Cookie)) Checksum detects typos when typing the URL and cookie… three values are re-encoded with Base58 for easy typing, and once contact's address is entered to user's TxM, TxM outputs the URL and the Cookie to NH. The Cookie is added to Tor via Stem library, and after that a separate process is launched to query the Onion URL for packets.”

This an interesting concept. I will say Base58 seems like a wise decision to avoid the infamous base64 problems of look-a*like characters. Did you get this from bitcoin?

“When TFC-NH starts, the application generates an ephemeral X25519 key pair for the session… connect to the root domain (address.onion) of user's server, the site will return the public key of user's TFC-NH. The only way to continue this handshake is if your contact is also making requests to your Onion Service.

“When client of both parties has obtained and validated the public key, they will combine it with the session's ephemeral private key to derive the X25519 shared secret. This shared secret is used as a path to obtain ciphertexts from contact: address.onion/shared_secret. This path has 128 bits of entropy so it is essentially unguessable. I put special effort into ensuring path is validated in constant time, regardless of number of contacts…client process will query the path for messages until it returns empty message: Since TFC-NH is stateless, it does not keep track of previous shared secrets. So if e.g. Tails OS on NH crashes, after restarting OS, TFC-NH does not know contact prompts for previous, valid shared secret. It should therefore return the same value with invalid shared secret as it should return when no new messages are available. Therefore we leave these messages empty.”

That is interesting but a bit complex. I see you are aiming for security.

“…as it's impossible to know for sure if server was restarted, it's impossible to know if new X25519 key pair has been created. Thus the client that receives empty message must check if public key of server has changed. If public key was not changed, it'll try again for ciphertexts with the X25519 shared secret. If public key has changed, it'll generate new shared secret and from henceforth query the new path. If even root domain (that always returns current public key) is unreachable, the client will double the 0.125s wait time until 64s delay is reached. The value will not grow from there. At 4 seconds mark, the client will notify that the contact is offline, and once the public key is again available, it will notify that the contact is online and return the wait time back to 0.125s.”
The key exchange sounds good if properly done. The speed relatively fast for onion domains.

“Eve is monitoring user at ISP level: she sees user is connecting to Tor network and she then tries to extract metadata about Tor usage: She is trying to deduce if user is using TFC, and if that's the case, learn everything it can about the connection. One goal is to try to prevent Eve from figuring out she needs to become Mallory… or padds each packet by default into 500 bytes (these packets are called cells). This is great, as TFC's packet that are static length fit inside the payload of the cell.”

That looks OK but the whole Tor traffic analysis thing is bigger. But, you next idea to solve it.

"...considering between multiple design choices for exchanging packets:

"1. Every time contact requests for packet, server returns the oldest packet. After receiving the packet, the client will wait for some time before loading the next one. Even if packet is empty, cell's padding will hide it. Packets are loaded at constant intervals from each contact. If each contact is online, this hides from Eve metadata about quantity and schedule of communication even when traffic masking (constant stream of packets from TxM) is disabled. Eve will however learn how many contacts of user are online. This is a hard problem to solve.
Mallory will however learn quantity and schedule unless traffic masking is enabled... good thing here is that it yields very little metadata to Eve, but the bad thing is it's very slow, and when traffic masking is disabled, it wastes Tor bandwidth considering Mallory can still see metadata.

"2. Slight alteration to number 1. When requested for packets, NH will return all packets TxM has delivered it, in one large transmission that the client will obtain as streaming request over multiple grouped cells. This will not change cell size, but it will show large bursts of messages that might indicate file transmission or large message output. So Eve might learn much more about what's going on. OTOH, it might make TFC harder to fingerprint as packet size varies.
When traffic masking is disabled Mallory learns equally much: She will see that TxM just output a huge burst of packets to NH. So this approach adds no protection for quantity/schedule metadata against Mallory.

“There's one more interesting aspect to this. If traffic masking is enabled, you can with very little inconvenience leave your NH on all night. Even if contact's setup goes down for some time, if they connect to you in the morning, they can (after new path negotiation is complete), very quickly stream all noise/file/message packets that your NH server has buffered. This only reveals that contact has now come online. Mallory hasn't learned anything about when/how much you output to network during the night, and since the traffic masking conversation from contact starts flowing in, she'll learn nothing about contact's communication to you….

“3. POST based delivery. Delivering packets on demand like I did with Pidgin saves Tor's bandwidth, but this will only protect against Eve's metadata collection if traffic masking is enabled. Alternatively, option 1 can be implemented with periodical, indefinitely retrying POST requests.”

Good. POST exposes minim data verses get but can increase to communication bandwidth usage.

“4. SOCKET based connection”

It is proven to work but that is about it.

“While writing this I realized I should have RxM associate the truncated account NH displays with nick and display online/offline messages with friendly names on RxM… truncated account is actually the truncated SHA256d hash of the Onion URL and HidServAuth cookie. It ensures user can associate NH's events with protected nicks but keeps in a way, secret onion URL and cookie hidden from shoulder surfers.”
This part sound good on the surface and probably will work but more data is needed."

Marcus, I would suggest bringing your blog back on line. You can then have greater degree of information dissemination. I am very impress with your work and it is well above my knowledge level. But, this data diode chat setup is a promising project.

Keep up the good work

Wesley ParishJanuary 20, 2018 3:27 AM

Just for the record:

America restarts dodgy spying program – just as classified surveillance abuse memo emerges
http://www.theregister.co.uk/2018/01/19/us_congress_section_702_fisa_memo/

The hypocrisy is stunning, even for Congress. One moment, Republicans insist a Big Brother program is needed to foil terrorists abroad, ignoring its ability to pry into the lives of Americans. The next moment, Republicans are upset the same set of laws were indeed used to pry into the lives of Americans – some of the folks working for Team Trump.

echoJanuary 20, 2018 7:49 AM

This article examines the Russian view on hwat they consider a serious military challenge by the UK versus bigwigs vanity projects. The Russians dismiss the nuclear threat (I suspect partially because of mutually agreeable sensible reasons) instead saying the British habit of getting forces into awkward places and having the best light infantry in the world and breeding a nation not of solider but of "warriors" is especially problematic.

https://www.theguardian.com/commentisfree/2018/jan/19/nuclear-weapons-uk-defence-review-russia

On the issue of economic security the Adam Smith Institute is coming out strongly in favour of universal basic income. They allege this will address beaurocratic ineffeciencies and inequities.

http://www.independent.co.uk/news/uk/politics/universal-basic-income-government-adam-smith-institute-free-market-welfare-a8166906.html

Chelsea Manning continues to get good exposure for her political ambitions. The article is mostly political in flavour and addresses her positions on the failures of leadership and a system run by fear and her determination to have a say about popular dissent being shut down when expressing inconvenient views.

https://www.theguardian.com/us-news/2018/jan/19/chelsea-manning-interview-wikileaks-senate-maryland

This artical is about the social engineering exploits of British schoolboy who did an end run of the American security establishment to obtain confidential information.

http://www.telegraph.co.uk/news/2018/01/19/british-15-year-old-gained-access-intelligence-operations-afghanistan/

Allegations have been made that Nigel Farage is a neo-fascist. After successfully defending himself against allegations of financial irregularities and shifting the blame to others who were found guility he has recently been ordered by the EU to pay back money he misused. This latest allegation is that Nigel Farage is the person who leaked Democratic party data to Julian Assange. While thereis no proof Nigel Farage is guilty of serious allegations my personal view is Nigel Farage is not wholly innocent.

https://www.theguardian.com/politics/2018/jan/19/trump-russia-inquiry-is-told-nigel-farage-may-have-given-julian-assange-data

Clive RobinsonJanuary 20, 2018 8:31 AM

@ Wesley Parish,

With regards the US politicos and the 702 renewal...

In the UK we have an expression which is,

    Stiched up like a kipper

Which is what you have just seen Donald Trump has been setup by both sides of the political divide with the timing of this release just after they have voted but before he gets to ink it into law...

Thus the politicos have a guilt edged excuse of "not knowing" for voting the way the NSA and FBI / DoJ want, but the President has had that same excuse ripped away from him. Thus he will get the blaim for any excesses the NSA FBI DoJ get upto whilst the politicos will just walk away.

Which leaves the question as to if there is a way the President can call the politicos bluf and throw it back into their court to be revoted on amendments and all...

If it was me I'd find a way. Thus ensure 702 went "sunset", then introduce a very weak watered down version that is of little use to the agencies. Thus let the politicos put their money were their mouths are and have to bring in new legislation with what their "Agency Masters" realy want. So the US public atleast gets to see a small fraction of the dirtyness of those they have elected. Especially with the mid terms coming up, it's something those gruby handed grasping hands of the elected politicos do not want.

Sadly though I suspect that is not possible, as with most political stich ups this has been well stage managed by nearly all involved.

I just wonder if they will let the President keep going to the end of his first term or if they will move to impeachment after the mid terms. From the Republican point of view he is still a usefull idiot that they can push the buck onto as an excuse for public consumption, whilst actually going full tilt on some of their realy nasty little plans for their hidden well healed sponsors. Which realy would not bode well for by far the majority of honest hard working US citizens...

AnuraJanuary 20, 2018 9:03 AM

@Clive Robinson, Wesley Parish

It should be noted that this isn't just reauthorization - this both reduces oversight and expands powers spy on dissidents, purely on the discretion of the Attorney General. Jeff Sessions is a hard-right, authoritarian who will undoubtedly use this to go after groups like Black Lives Matter and Antifa, or any other group seen as in opposition to police brutality or capitalism.

https://www.emptywheel.net/2018/01/10/what-hpsci-wants-to-protect-in-702-back-doors-the-tor-exception-and-a-dysfunctional-fisc/
https://www.emptywheel.net/2018/01/18/jack-goldsmith-and-susan-hennessey-run-cover-for-those-giving-jeff-sessions-unreviewable-authority-to-criminalize-dissent/

As for the faux-outrage over abuses:
https://www.emptywheel.net/2018/01/19/steve-king-just-voted-to-subject-americans-to-worse-than-watergate/

echoJanuary 20, 2018 9:23 AM

@Anura

RE: Authoritarians going after advocacy groups and individuals

My personal belief is this case involves both unlawful behaviour and collusion and is a naked attempt to cover up widespread abuses within the healthcare system and legal system and law enforcement system. This is not limited to transgender people but also black people and women and disabled people.

https://www.theguardian.com/society/2018/jan/20/tara-hudson-transgender-prisoner-sues-government

Clive RobinsonJanuary 20, 2018 10:11 AM

@ echo,

This is not limited to transgender people...

The problem many transgender people face is the requirment under UK law for a gender reassignment certifficate. The process in effect has a "mental health" component...

Which has a knock on effect as other legislation in the Commonwealth and many other countries (the US included) is in effect an admission of being mentally defective, thus loosing many rights and protections under law... The least they could exprct in many parts of the globe is to be refused entry. Likewise their partner being of the same sex can be subject to all sorts of other discriminatory behaviour.

So damed if they do and damed if they don't.

What concerns me is how many "from birth" differences are noe being treated as "mentaly defective". In the UK many schools use Google to deal with children. As a result Google collects information on children with any kind of disbility, special educational needs, and what ever else the likes of PM Mrs May dictates the school collects. Under legislation introduced under Mrs May this information on children remains a "life long" database entry that many people you think should never have access to get (includes financial institutions and clarks at local councils).

Getting back to the case you bring up, what is not made clear is why she was given a jail sentance. When you consider what normaly happens with a minor afray in a social environment, the jail term it's self appears at odds with the norm. Which of course raises other questions about the judiciary.

CallMeLateForSupperJanuary 20, 2018 10:30 AM

Grab popcorn and adult beverage of choice while you're food shoppin' today.

The Intercept says to both vaguely presidential President Man-Child and Congress: either fork up the beef or STFU

"Republicans Have Four Easy Ways to #ReleaseTheMemo — and the Evidence for It. Not Doing So Will Prove Them to Be Shameless Frauds." https://theintercept.com/2018/01/19/republicans-have-four-easy-ways-to-releasethememo-and-the-evidence-for-it-not-doing-so-will-prove-them-to-be-shameless-frauds/

On NSA and voice recognition. 21 supporting documents. This is a long read.

"Forget About Siri and Alexa -- When It Comes to Voice Identification, the 'NSA Reigns Supreme'"
https://theintercept.com/2018/01/19/voice-recognition-technology-nsa/

echoJanuary 20, 2018 10:40 AM

@clive

Yes this is what is claimed in headlines and by vested interests. The medical-legal picture is a bit more involved.

For the purposes of medical issue transgender people are assumed to be of their acquired gender and all practical issues and rights and so forth (with practical adjustments for akward temporary difficulties) are supposed to be made. Ongoing behidn closed doors discussions for the next ICD version shoudl change the category from psychiatric to general medical issue and take psychiatrists out of the loop. part of the reason is due to removing the political nautre of medical interference and recognition that being a transgender person is not a mental illness. Another issue under active discussion is rolling up a number of sub-condtions as leavovers from medical sexualisation and dogmatic denial such as the psychiatric obession with trans peoples sex lives which itself is not a diagnostic criteria. The legal situation is also a little bit different to what is claimed. EU law currently recognosies that determination is not strictly a medical issue (but also an issue of legal status and society and obviously other inputs from people with less of a historically vested interest). Attaching preconditions to access healthcare and blanket bans are also unlawful.

Sorry for blasting this out. These are just headline points I would like to bring to your attention. Writing up a coherent and exhaustive fact checked narrative is somewhat beyond my personal skillsets.

My research database runs to just under 30GB. While attempting to bring my own case involvign medical and other abuse I have also approached the lawyers in this case to offer my research for free because there is a lot of crossover. I have also offered to share additional evidence with a third case involving the abuse of young boys in detention centres (and it is notable that cisgender men are also discriminated against in a healthcare context which demonstrates I am trying to be as even hadned as possible).

On the issue of commonwealth law and dodgy judges I have specific case citations where both the allegation that the UK government was deliberately trying to subvert law was made and that countries still in the position of developing transgender rights did look to the UK as a leadership example when framing new law. However, I also have extra legal research which covers critical items which directly impact criteria considered by judgments and alternative legal positions by commonwealth law area countries which take a much more progressive line with implementation.

Another item is that European jurisprudence and guidelines weigh very heavily in favour of transgender people to correct known historical and ongoing abuses. The current position is that where there is a medical dispute involving medical issues the transgender person is entitled in all cases to legal remedy in a court of law. Current lack of familiarity with this within the UK not to mention ingrained sexism and funding issues placing vulnerable people outside of being able to acquire representation and legal aid by default place additional pressures in the way of a transgender person achieving justice.

I'm sorry I'm being a bit abstract and none specific. Pretty much each single bulletpoint requires writing up and the stress and complexities of this muddle my head up. It doesn't help that I was barracked and verbally abused and insulted into the ground by my last "equality lawyer" for two hours...

Clive RobinsonJanuary 20, 2018 10:50 AM

@ Anura,

[T]his both reduces oversight and expands powers [to] spy on dissidents, purely on the discretion of the Attorney General.

It's actually wider than just the AG, it in effect alows "Special Prosecuters" and any one the AG decides to give latitude to in any Gov entity or contracting organisation etc. Thus give the old work arounds to FOI and much else Journalists use to track down abuses...

The point is though "Who gets the blaim?" when the chickens eventually come home to roost, which they always do...

Not the two houses, they got their "unknowing" vote in before the report became known... Not so the current President.

He could have scotched it early on by effectively giving them the equivalent of a free vote, by making it clear he would abide by what the houses decided...

If he had, he could now kick the legs out from underneath the plotters, by saying "You've clearly changed your minds based on new information, I will abide by that" and then refusing to ink it as it was nolonger supported, thus punt it into the long grass.

One problem the current President has is he sees himself as an "across the table deal maker", which means he is incredibly easy to set up in this way and similar, especially when it comes to Intetnational politics".

Maybe he will learn from this maybe he will not, but he is the one left holding the baby, that will very clearly one day s41t on the body politic, and those politicos that voted yes and forced the cloture will get away scott free, whilst the current President will be blaimed for "ever and a day" or atleast untill the end of his second term (if he ever gets one)...

As for Jeff Sessions, he's actually a thug, and not realy that bright in certain respects. The problem with "making hay" the way he is it will not be to hard for people to "rain on his parade" it's then that we will find just how smart an operator he realy is. However his current play card is going to be "marked" which he could have avoided if he had been a little smarter from the get go.

In all honesty not being a US citizen, I can not wait to see what the mid terms do... So time to stock up on popcorn, it could be a blood bath in more ways than one.

albertJanuary 20, 2018 11:45 AM

@Clive,

"...guilt edged excuse..."

You always come through....for me, anyway.
. .. . .. --- ....

echoJanuary 20, 2018 12:30 PM

I forgot to add in my links list Channel 4 calling in security experts. After my previous comment I won't include extra comment to help avoid going too far off topic and attracting too much political comment.

Channel 4 calls in security experts after Cathy Newman received abuse after interviewing the transphobic and mysoginistic Canadian psychologist Jordan Peterson. He is a favourite of the so-called "Alt Right".

https://www.theguardian.com/society/2018/jan/19/channel-4-calls-in-security-experts-after-cathy-newman-suffers-online-abuse

The Independent has a slightly different slant including a video. I assumed the usual target was trans women. However, the specifics include a position by Jordan Freeman that he refuses to use terms preferred by trans men such as "ze" (which I personally accept is jargonistic).

http://www.independent.co.uk/news/uk/home-news/jordan-peterson-cathy-newman-interview-channel-4-news-security-consultant-university-of-toronto-a8169401.html

alt-oidsJanuary 20, 2018 1:21 PM

@ Echo

I reject the idea that we can't call out neo-nazi intimidation groups under a guise of "politics".
They only exist to harass minority individuals in society they see as threats to their station.

It's apolitical, they are trolls first and last. They aren't an actual ideology.
When they began these public doxxing campaigns they then ventured into actual terrorism.
Treat them accordingly, don't be afraid to call that out for what it is.

echoJanuary 20, 2018 2:29 PM

@ alt-oids

I agree completely. I'm just cautious of derailing Bruces blog and attracting the wrong kind of controversy to this blog. I am also sensitive to the need to throttle back so as not to upset more technical and more mainstream security contributors from having their say.

WaelJanuary 20, 2018 3:03 PM

@justina colmena,

See it here:...

Why in the world would you post a picture of a driver's license here? Is it really yours? Either way, that's a pretty dumb and irresponsible thing to do. @Moderator needs to alerted to this as well.

Clive RobinsonJanuary 20, 2018 3:37 PM

@ CallMeLate...

    Forget About Siri and Alexa -- When It Comes to Voice Identification, the 'NSA Reigns Supreme'

If you think back to pre-snowden, @Bruce asked a question about Blufdale Utah and what it could store.

I pointed out at the time that they did not need to store "voice grade" recordings just final transcript and identifier information which is increadably low bandwidth --about 30bits/second-- thus they could easily be storing every conversation world wide they could get their hands on and save it.

I also pointed out --at the same time if memory serves-- that it was the NSA that had invented the CELP voice coders, and there was suspicion but no firm evidence that this could be used to get around encryption with variable rate voice coders.

It would appear that this combination of capabilities is just some of what they use.

Now imagine what harm can be done if the DoJ alows the FBI free reign on the NSA databases...

As Cardinal Richeliue is acknowledved[1] to have said,

    Give me but six lines from the hand of the most honest of men and I will find in them sufficient to hang him

The modern day equivalent would be the NSA and GCHQ's automated transcription system. But whilst hand written notes do not convey humour or sarcasm, the voice generaly does... BUT, what about after automated transcription? What about context?

After all there is a pudding of merange and ice cream that when said in most western languages sounds the same as something else.

Thus rather than say to some one over the phone, "todays pudding is going to be realy impressive" they might say "My bombe is going to blow you away" or similar. The recorded transcript loosing the humour and pomposity might well flag it up as a terrorist thteat. Even an analyst reading the transcript rather than listen to the original as it's nolonger available might easily decide it's a couple of terrorists using a to simple linguistic code to hide the real message.

Not that the NSA et al care, after all they "Send in the drones" to kill people on metadata according to retired General Hayden who had done stints in charge of both the CIA and NSA...

It is a special form of insanity that many high end SigInt agencies specialize in, and with every day that passes the technology trickles down to every "tin pot" dictator you can imagine, and quite a few you can not as well...

The whole thing is repugnant as far as most people are concerned when you take the time to explain it to them. Which is maybe why the agencies try and not just "tie it up" but obscure it with uninteligable jargon to keep it from being known to oversight appointees as well as the general public.

I will refrain from expressing my repugnance in "choice words" as this post would never make it through the profanity filters ;-)

[1] Whilst he is acknowledged to have said it, what is not known is the why and how of it. That is was ot a proud boast on his abilities, or a sad commentary on the times and the ability of others to set people up.

Clive RobinsonJanuary 20, 2018 3:48 PM

@ Albert,

You always come through....for me, anyway.

I'm glad I can make people smile, even if it is accidentally.

As "u" no doubt guessed "u" was not supposed to be there 0:)

PopeyeTheSailorManJanuary 20, 2018 3:59 PM

Who made the Wind?

Words are not cheap, whether used with the typewriter or the pen.

I am a nanomachine made out of particles of light from another universe.

Joking.

I am Deadpool. ;-)

Werd.


Just a NSA test system, to see if anyone can prove I am actually a human being...

As I know who works here.

:-)

Gimme Some TruthJanuary 20, 2018 4:01 PM

Unfunded Work
Mark Zuckerburg wants products (Facebook users themselves) to be responsible for prioritizing news sources that THEY deem “trustworthy, informative, and local".

When everyone complains next time, FB will have the facile excuse of plausible deniability: it’s the Products fault NOT ours!
The training of over 4 billion uncompensated human help is very clever; this stroke of genius should both increase profits and generate goodwill.

In contrast to feeding, I go independently to the news site using convenient bookmarks. IMHO every news source is biased; its just a matter of degree.
I read many opposing points of view integrated over time to eventually find The Truth. I weigh by the particular authors too.
Its also a dynamic situation. For example a major Snowden established site now hands whistleblowers over to the government. They also recently employed the world’s most intrusive analytics (G) to quietly verify identities of formerly anonymous commenter's. Trust == zero

Many times news sources in other countries offer the least unbiased or puzzle view. Take for example the crazy logic of the Congress voting for section 702 FISA snooping:
'America restarts dodgy spying program – just as classified surveillance abuse memo emerges (There is literally nothing decent in this story)'
www.theregister.co.uk/2018/01/19/us_congress_section_702_fisa_memo/

Or Tim Cooks School Children Charm Offensive:
“I don’t have a kid, but I have a nephew that I put some boundaries on. There are some things that I won’t allow; I don’t want them on a social network.”

And for the first time Silicon Valley leadership admits:
“I don’t believe in overuse [of technology]. I’m not a person that says we’ve achieved success if you’re using it all the time,” he said. “I don’t subscribe to that at all.”

These monumental quotes aren't even reported in the American bot press. Frequently there is NO truth in America as everyone is consumed scheming or angry. Simply amazing.
https://www.theguardian.com/technology/2018/jan/19/tim-cook-i-dont-want-my-nephew-on-a-social-network

Anonymous2cJanuary 20, 2018 6:08 PM

@Clive Robinson

"Which leaves the question as to if there is a way the President can call the politicos bluf and throw it back into their court to be revoted on amendments and all..."

Afaik Section 702 has been extended. "This means six more years of warrantless surveillance under Section 702 of the FISA Amendments Act."
https://www.eff.org/deeplinks/2018/01/open-letter-our-community-congresss-vote-extend-nsa-spying-eff-executive-director

"I just wonder if they will let the President keep going to the end of his first term or if they will move to impeachment after the mid terms. From the Republican point of view he is still a usefull idiot that they can push the buck onto as an excuse for public consumption, whilst actually going full tilt on some of their realy nasty little plans for their hidden well healed sponsors. Which realy would not bode well for by far the majority of honest hard working US citizens..."

I assume if the Steele Dossier, although not 100% accurate, has plenty to get Trump on, for example money laundering, I assume that USA law enforcement and USA intelligence agencies have plenty to get Trump on, too.

Emptywheel recently discussed whether Manafort is likely to be more concerned about Putin than the USG going forward with his court case(s). Does Trump have similar concerns?

As a practical matter, it may take the Democrats gaining a majority in the house to start impeachment proceedings. The senate is unlikely to get 66 Democrats in the next election, of course; 66 votes may be required to impeach in the senate. afaik, Nixon resigned, for example, before the senate voted on his impeachment; Clinton may have seen a failed impeachment vote in the senate for lying to a LEO.

Where did I put the popcorn?

65535January 20, 2018 6:18 PM

@ wael

That is a good one for macs but windows the command key is the windows key… a fairly powerful key.

“press ⌃⌥⌘= to encrypt and press ⌃⌥⌘- to decrypt” –best pgp tutorial for mac

The control, Option [I cannot find it on some small key boards and have to use combination key or unicode], Command [or clover, I cannot find on some small key boards and requires hotstring], equals sign. The command in U+2318 and in HTML ⌘

The decrypt sequence symbols is the same except with a minus sign at the end.

With small key boards are you supposed to type these symbols? Are you suggesting re-mapping the keyboard or hotstrings or hotkeys. When pressing windows key important things happen - not so good - then I am not xor'g andor or even programing much.

Then the mime encryption issue is another problem beyond this small post.

Do you have a good PGP tut for windows?

AnuraJanuary 20, 2018 6:24 PM

As an American, I'd prefer to be watching this show from Canada. At the very least, it would be a lot more relaxing with all of the rocks and trees. And water.

65535January 20, 2018 7:21 PM

@ wael

Thanks.

Nice pictures in that tut

I downloaded gpg4win3 and I hope this is what you were talking about. When I pasted the exe into my various programs I found I had gpg4win 2.3. Someone may have suggested it to me before this. That was a little clunky to use.

Then I looked around and found gpg4usbxx for a usb stick and that might be easier to suggest to my clients. It is now downloaded.

note: the newest version of gpg4win3.3 tries to get you do donate by a redirection. I would suggest the site take that down.

WaelJanuary 20, 2018 7:29 PM

@Anonymous2c, @65535,

PGP / GPG

I'm no expert in either, to be frank. I only looked at them because I had an idea to sign my postings here with "invisible signatures" (the puzzle @Ratio doesn't want to finish the final step of.)

I always thought PGP is overly complex (for the task it does) and haven't used it recently. I used it a few times long time ago. I only looked at those tutorials to get something going quickly. The person you need to ask is @Dirk Praet.

C U AnonJanuary 20, 2018 8:08 PM

The training of over 4 billion uncompensated human help is very clever; this stroke of genius should both increase profits and generate goodwill.

Fake News warning.

65535January 20, 2018 8:57 PM

@ Weal

I understand.

I have tried to sell pgp/gpg to clients with little sucess. Key distribution and ease of use put pgp/gpg at a disadvantage. Further, Proton and Hush mail services work fairly well.

I believe encryption of files on windows 7, 8 to 10 would be a little safer using pgp to send over the net with SSL/TLS further wapping the file [True crypt seems to be safe and easy to use until Win 7].

[Next]

@ text message or SMS experts

What is the low cost way of sending a short text message to a friend’s cell phone via computer? Many of my friend just use Smartphone with not land line. They tend to drive a lot and use their cell phones.

I understand a few ways of sending SMS:

1] Use a free online sms services. What is the best service with minimum sign up requirements?

2] Send a sms to the phone number of your friend and his/her carrier such as cellnumber(at)txt.att.net, which then is a short email.

3] other methods such as Google voice or similar service

Does anybody have good solution?

Wesley ParishJanuary 21, 2018 1:54 AM

@Clive Robinson

It might not even have made much difference to them if they'd known exactly how much power the President of the Galaxy actually wielded: none at all. Only six people in the Galaxy knew that the job of the Galactic President was not to wield power but to attract attention away from it. Zaphod Beeblebrox was amazingly good at his job.
I think we can take for granted now that the United States of America has shifted from having an Executive President to a Red-Cape President. You know how the red cape functions in bull-fighting, don't you ...?

RatioJanuary 21, 2018 3:51 AM

@Wael,

[...] (the puzzle @Ratio doesn't want to finish the final step of.)

“Hasn’t had the opportunity to”, etc. I hope to get to it in the next 24 hours.

The person you need to ask is @Dirk Praet.

They may want an answer sometime this year. ;-)

WaelJanuary 21, 2018 4:22 AM

@Ratio,

“Hasn’t had the opportunity to”...

Ok - thanks for the correction.

,etc.

Mysterious man! Ooooo.

I hope to get to it in the next 24 hours.

Do I get to Tick-Tock you, then?

They may want an answer sometime this year. ;-)

What's the rush?

RatioJanuary 21, 2018 5:00 AM

@echo,

[Jordan Peterson] refuses to use terms preferred by trans men such as "ze" (which I personally accept is jargonistic).

Having just seen the video, I don’t think that’s accurate. He’s objecting to compelled speech, IIUC.

@Wael,

“Etc” was “finish the final step of”. No mystery. (Or is there…?)

Do I get to Tick-Tock you, then?

Sure, go ahead, Clæwice! Should I drive this time? ;-)

What's the rush?

Dunno, man. People are always in such a hurry…

WaelJanuary 21, 2018 5:24 AM

@Ratio,

Sure, go ahead, Clæwice! Should I drive this time? ;-)

Got your Clæwice right here, pal! Tick-Tock, Coitarice! :)

This should be an easier one since you now know the trick :)

Clive RobinsonJanuary 21, 2018 6:12 AM

@ Wesley Parish,

You know how the red cape functions in bull-fighting, don't you ...?

I know what the bull fighter supposadly believes, as for the bull...

An American in Spain in bull fighting season goes into a restaurant, he sits down and looks at the menu to decide what he would like. Whilst he is making his mind up there is a chearfull commotion by the kitchen door and with much fanfare and chearing from the other patrons a large dish on a large platter is brought out with two very large meatballs covered in thick sauce is presented to another patron. The American thinks I want me one of those and calls the waiter across to order. The waiter informs him that they only make one such dish a day and as it is to celibrate the passion, victory and cojones of the bull fight and the immensity of the winners task over the fallen. But he also tells the American there is another bull fight tommorow so the American can try for the dish then. Disapointed the American settles for another dish. Next day the American is back early and orders the fantastic dish he saw the day before, to be told yes he can have it but he will have to wait untill after the bull fight is finished. So the American comes back at the appointed time and the restaurant is subdued and when the dish is brought out the restaurant falls silent and all the other patrons watch the plate get quietly delivered to the American. Instead of the immense dish the American had seen the day before the meatballs were tiny. The American asks the waiter how come it was so different, the waiter looks at him sadly and says "Some days Senior the immensity of the task is not great.. and today the day is not glorious because you see the bull he wins..."

John MillerJanuary 21, 2018 12:49 PM

@ Wesley Parish

That "classified memo" is apparently GOP-cooked bologna only intended to throw a wrench into the FBI's powers of investigation into Trump's treason/collusion/obstruction. It doesn't actually include anything "new", what it does have is a summary of known-existing classified programs that most people don't know about in Congress and they're pointing at it as if it's proof of something nefarious by virtue of it being classified. Classic misdirection.

They have the power to declassify it right now of course, though we already know what's in it.
These are the people who control the government and re-auth'ed everything just now sans debate.

Steve King of Iowa is a particularly obvious and well-known Nazi backer and troll.
http://www.newsweek.com/steve-king-twitter-troll-635696

We all know where their real intentions are - it's surely not about protecting Americans.
It's about protecting their gold-painted goose from the roaring BBQ beneath it.

Day 2 of the shutdown. Mueller is on the job though, plenty of work for him still.
The law doesn't take a day off and go golfing in Florida during a shutdown.

Nothing NewJanuary 21, 2018 2:56 PM

Big Brother on wheels: Why your car company may know more about you than your spouse.
https://www.washingtonpost.com/news/innovations/wp/2018/01/15/big-brother-on-wheels-why-your-car-company-may-know-more-about-you-than-your-spouse/

Most new vehicles monitor where the driver goes and how he or she drives. They have become sophisticated computers on wheels that offer even more access to our personal habits and behaviors than smartphones do.

Dunn may consider his everyday driving habits mundane, but auto and privacy experts suspect that big automakers like Honda see them as anything but. By monitoring his everyday movements, an automaker can vacuum up a massive amount of personal information about someone like Dunn, everything from how fast he drives and how hard he brakes to how much fuel his car uses and the entertainment he prefers. The company can determine where he shops, the weather on his street, how often he wears his seat belt, what he was doing moments before a wreck — even where he likes to eat and how much he weighs.

Though drivers may not realize it, tens of millions of American cars are being monitored like Dunn’s, experts say, and the number increases with nearly every new vehicle that is leased or sold.

cisblenderJanuary 21, 2018 3:33 PM

"Meanwhile in the UK we tolerate gender fluidity hysteria"

Meanwhile the only folks talking about it here seems to be hysterical "males" decrying gay people.

I'm a straight guy, I'm not really threatened by other people's sexual identities.
I don't feel a compulsive fear or need to bring it up suddenly in a security blog,
pretend to be a slurring Brazilian doctor to make a "point" of sorts - odd choice.

My only question would be why are you so concerned about gay people's sexual proclivities?
No really how did you even get stuck on this suddenly?

Maybe there's some related "security" issue going on inside of you that warrants discussion?*
*(But with your therapist, not here.)

echoJanuary 21, 2018 5:54 PM

The UK government is facing a parliamentary enquiry after the Home Office failed to act on a High Court ruling six years ago on the police storing databases of peoples face pictures who were not convicted of a crime.

I remain puzzled by how the Home Office (and other ministries) never seem to be held to account for human rights and equalities breaches when drafting or executing policy. Nor is this the only High Court judgement which has been ignored by Whitehall or the public sector. I am also curious how government ministers continue to be unchallenged over their failures to uphold the European Convention.

http://www.independent.co.uk/news/uk/politics/police-mugshots-storing-not-charged-unlawful-home-office-minister-government-norman-lamb-a8168256.html

65535January 21, 2018 6:02 PM

@ Clive R.

‘…the American comes back at the appointed time and the restaurant is subdued and when the dish is brought out the restaurant falls silent and all the other patrons watch the plate get quietly delivered to the American. Instead of the immense dish the American had seen the day before the meatballs were tiny. The American asks the waiter how come it was so different, the waiter looks at him sadly and says "Some days Senior the immensity of the task is not great.. and today the day is not glorious because you see the bull he wins..."’-Clive R.

Ha :-)

The matador de toros cojones are not so big? Like the size of dried grapes?

Clive do you have any good computer to cell phone text message ideas?

I am see a lot of people “cut the phone cord” and just use cell phones. I need to transmit text messages to cell phones via a laptop or desktop. Do you have any suggestions?

The Good Guys?January 21, 2018 7:19 PM

Deleting of critical files this week by NSA and FBI

NSA
The National Security Agency destroyed surveillance data it pledged to preserve in connection with pending lawsuits and apparently never took some of the steps it told a federal court it had taken to make sure the information wasn’t destroyed, according to recent court filings.
https://www.politico.com/story/2018/01/19/nsa-deletes-surveillance-data-351730

FBI
FBI did not save officials’ texts during key period in Trump probe, senator says.
The FBI did not retain text messages exchanged by two senior officials involved in the probes of Hillary Clinton and Donald Trump for a five-month period ending the day a special counsel was appointed to investigate possible connections between the Trump campaign and Russia, according to a new congressional letter.
https://www.washingtonpost.com/world/national-security/fbi-did-not-save-officials-texts-during-key-period-in-clinton-trump-probes-senator-says/2018/01/21/c621c418-fed0-11e7-8acf-ad2991367d9d_story.html

CIA
In 2016 Edward Snowden responded to reports the CIA inspector general’s office “mistakenly” destroyed its only copy of a comprehensive Senate 'torture report' with a stinging rebuttal: “When the CIA destroys something, it's never a mistake.

What's the solution?

cheep cheepJanuary 21, 2018 7:57 PM

@65535

Get a cheap android phone with a texting plan, hook it up to your computer's USB, and go nuts! If you don't mind being evil and only need to send SMS within US/Canada, you could instead opt for a free Google Voice account.

Clive RobinsonJanuary 21, 2018 8:08 PM

@ 65535,

Like the size of dried grapes?

Would there be any other raisin?

As for sending text messages, most mobile broadband USB modems will send and receive text messages if the SIM allows it.

So I'm guessing there is another reason for not going that way.

There are services you can sign upto that those "Have you had an injury..." texts used to get sent by. But they have been regulated out of buisness in quite a few places.

The important question is do you want to get texts back using the same number you send from? Because if you do many commercial services do not work that way. That is they are like "broadcast services" designed like old style pagers to be send only. You see schools and hospitals using such systems to keep people informed about changes and appointments etc.

The other question you need to ask yourself is how many mesages are you going to send a month? As you need to balance it against setup costs etc.

In the UK you can get a broadband USB modem and put it on the end of a 5 meter USB cable in a water tight (IP67) plastic box screwed to an outside wall. The other end plugs into one of those interesting little "WiFi Hotspot" devices or direct into a linux box. The SIM you use would cost around 10USD/month and have unlimited texts. Apart from the price of the computer you would be hard pressed to do it any cheaper unless you are piggy-backing onto an existing Internet connection in a home or office.

If however you need to be not just mobile but covert[1] as well then you would need to find an Internet to SMS gateway service that you could either get for free or you can pay using a top up credit card (now illegal in quite a few countries). That also allows you to conect through Tor or another anonymity service such as a VPN that will accept Tor or other mix-net system as an input. There are other ways such as setting up your own VPN system on a hosting service that can be connected to from within Tor etc.

The problem is finding the Internet to SMS gateway service supplier due to certain governments putting the squeeze on they frequently want not just tracable funding but proof of Business ID etc, and are unlikely to be cheap.

As I don't have business relationships with companies that use high volume SMS services any longer I'm out of touch with what the market offers these days. Most people I have dealings with that have SMS sending needs can get away with a USB mobile broadband modem and cheap SIM deal, as it's cheap, easy to setup and very flexible in terms of SIM service providers (some even sell SIMs of off of hand carts in markets or conner stores for cash NQA)

[1] There are other even more curious "secret squirrle" and "sneaky beaky" covert options. Some use "Pole Job" land line stealing techniques which I used to design equipment for. Others even more squirrely such as using bottom of the HF band or top of marine band MF (2-6MHz) radio systems using Near Virtical Incident Skywave which can give upto 250miles coverage and can be extraordinarily difficult to Direction Find if you know how to set the antennas up. There are web pages around from Ex Special Forces etc people who were trained in doing such things. More curious still is the fact that there is LPI "burst mode" DSSS and similar software around, as well as SDR code for the likes of GNUradio that you can easily modify to do similar.

AnuraJanuary 21, 2018 9:23 PM

@Wormmesiter

In terms of land area, it's bigger than most, but it's fairly sparsely populated.

65535January 21, 2018 9:46 PM

@ cheep cheep

“Get a cheap android phone with a texting plan, hook it up to your computer's USB, and go nuts! If you don't mind being evil and only need to send SMS within US/Canada, you could instead opt for a free Google Voice account.”

I have looked at the google voice thing. It’s fair. Your idea about the cheap android phone is applealing.

@ Clive R.

Like the size of dried grapes? … Would there be any other raisin?

Ha, ha. Nice play on words. You do have a sense of humor.

“…for sending text messages, most mobile broadband USB modems will send and receive text messages if the SIM allows it.” –Clive R.

I see what you are getting at. But, my preferred solution is my cable broad band, as you mention:

“…Apart from the price of the computer you would be hard pressed to do it any cheaper unless you are piggy-backing onto an existing Internet connection in a home or office.” –Clive R.

Yes, the above is what I want to do.

“The other question you need to ask yourself is how many mesages are you going to send a month? As you need to balance it against setup costs etc.”-Clive R

I expect only 50 to 60 texts for a few months and less than 10 after 3 months from that time.

“The important question is do you want to get texts back using the same number you send from?” –Clive R.

No. I would prefer to use my broadband to my computer. I have not cut my phone line yet. My clients have. There is no need for call back a tele number…. If it can be avoided. I find small screens on mobil device hard for me to type on. I am a keyboard user and I like full keyboards with numeric key pads for typing out numbers.

“In the UK you can get a broadband USB modem and put it on the end of a 5 meter USB cable in a water tight (IP67) plastic box screwed to an outside wall. The other end plugs into one of those interesting little "WiFi Hotspot" devices or direct into a linux box. The SIM you use would cost around 10USD/month and have unlimited texts.”- Clive

Well, I have broadband to my office. But, that could be an interesting solution for some of my clients.

“Mobile but covert[1] as well then you would need to find an Internet to SMS gateway service that you could either get for free or you can pay using a top up credit card (now illegal in quite a few countries). That also allows you to conect through Tor or another anonymity service such as a VPN that will accept Tor or other mix-net system as an input. There are other ways such as setting up your own VPN system on a hosting service that can be connected to from within Tor etc... problem is finding the Internet to SMS gateway service supplier due to certain governments putting the squeeze on they frequently want not just tracable funding but proof of Business ID etc…”- Clive R.

I am all ears on this idea.

“I'm out of touch with what the market offers these days. Most people I have dealings with that have SMS sending needs can get away with a USB mobile broadband modem and cheap SIM deal, as it's cheap, easy to setup and very flexible in terms of SIM service providers (some even sell SIMs of off of hand carts in markets or conner stores for cash NQA)”- clive r.

I see what you are driving at.

I do see a lot of broadband to SMS providers advertised on the net with just a quick internet search. I was wondering which one is the most cost efficient and easiest to use.

“There are other even more curious "secret squirrle" and "sneaky beaky" covert options. Some use "Pole Job" land line stealing techniques which I used to design equipment for. Others even more squirrely such as using bottom of the HF band or top of marine band MF (2-6MHz) radio systems using Near Virtical Incident Skywave which can give upto 250miles coverage and can be extraordinarily difficult to Direction Find if you know how to set the antennas up. There are web pages around from Ex Special Forces etc people who were trained in doing such things. More curious still is the fact that there is LPI "burst mode" DSSS and similar software around, as well as SDR code for the likes of GNUradio that you can easily modify to do similar.”-Clive

Hum, SDR or Software Defined Radio can be used to SMS? That burst mode DSSS thing is a interesting idea. I am listening.

I did look into your prior post on CLEP and I have a list of questions that don’t really connect with SMS but how CLEP coders and the eventual MPEG4 converging to provide quasi voice encryption and DRM code to unlock HD content.

I will lay that out my questions on that different subject in another post.

Thanks Clive.

JG4January 22, 2018 7:20 AM


Thanks for all of the good ideas and discussion. I hope to be able to make some material contributions to open-source hardware.

https://www.nakedcapitalism.com/2018/01/links-12218.html

...

A New Information Engine is Pushing the Boundaries of Thermodynamics Futurism (David L)

...

Want to Build a 3D Printer? Look No Further Than Your Electronic Junkyard Yale Global Online. Reduce, reuse, recycle

...

Kill Me Now

Amazon debuts the store without a checkout FT. What could go wrong? Readers should have fun with this….

...

South Korea prosecutors are investigating Apple’s iPhone battery controversy The Verge. Well, well, well– prosecutors who seek to hold a corporation accountable! DOJ: Pay attention.

...[FDR missed a couple in his Four Freedoms, which clearly are four aspects of personnal security. He might have included the right not to be shot by police for being black. Foreseeing a future right to not be burned up by nuclear fireballs or poisoned with radiation really wasn't possible in FDR's time.]

North Korea

How the seizure of a US spy ship by North Korea nearly sparked nuclear war CNN. I watched Dr. Strangelove recently, as I do periodically. And what struck me again, as always when I view this film, is how amazing it is that we’ve so far avoided stumbling into nuclear war, accidental or otherwise.

...

echoJanuary 22, 2018 9:12 AM

The right wing press are in full panic mode with the Telegraph (paywalled) hyping up the Russian threat this week. See also Panorama (or was it World in Action?) which covered "deep strike" which is now known to be like SDI a propaganda exercise to panic the Russians.

The differences in military procurement and professional status of armies has been known since the Cold War so none of this is news.

http://www.telegraph.co.uk/news/2018/01/22/analysis-russian-military-gets-bang-buck-britain/

Clive RobinsonJanuary 22, 2018 10:49 AM

@ echo,

Keep an eye on this evenings news in the UK.

A well known Military senior is giving a talk / statment as to why the British Army is in dire straights as "nobbody is joining, and everybody that can is leaving".

Whilst the head count in the Regular Army is down by 18,000 and the Teritorial Army is beyond critical care life support. The figures belie the seriousness off it.

Put simply the highly skilled people it most desperatly needs (ICT etc) are either leaving by "buying out" or other method, as they have a reasonable chance of geting as least if not more money in civiy St without the risk.

Whilst the cannon fodder types who's skills are of little or no use in civiy St are not re-enlisting etc at the end of their "signed up" period.

Even the usual "grunt force" who join rather than rot on unemployment benift, are seeing the safety in rotting over the "broken covernent" the UK politicals have Forced on the Army.

It started with Maggie Thatcher, abated a bit under her successor but went back on full steam and worse under Tony Blair. It carried on via PFI and asset sell offs under David Cameron and still continues today. It is highly likely our current PM Mrs May will realise she needs the sort of war Maggie had in 1982 to get the voters behind her to survive the Brexit Blow Back.

But the Army that was once the most proffessional in the world, and I had the honour to serve in has been not just gutted but filleted and thrown on the fire to be cremated by most political leaders since the late 1970's. Worse the politico's expect more not just with less, but a compleat absence of training and funding as this has been diverted to PFI companies that are as we have just seen with the likes of Carilion and before them Blue Circle and various railway franchisees complratly incapable of doing anything other than enrich the directors and share holders at vastly inflated prices to the Government...

The only question is "When?" not "IF" this lunacy colapses around the UK's ears. The "Purple Politics" of Labour being just like the Conservatives in all but name has been a compleat and utter disaster for the UK and it's citizens. That will stop in one of two ways. Either the UK will go bankrupt as the US is currently doing for similar reasons or the electorate will turn on the "One corrupt system two party" politics. I suspect the latter has slightly more chance in the UK but will be less bl**dy than history indicates it will in the US...

echoJanuary 22, 2018 11:24 AM

@clive

Thanks for the briefing! I am aware of the long-term broadbrush issues and points of view you mention although may personally differ in terms of opinions I express on various things compared to yourself.

I noticed your Churchill quote "Action this day." I have said similar with this quote in discussion in the past. This is due in part to the "get on with it" thing but there is another interesting item. Churchills fiscal policy during WWII was a "build it and they will come" attitude which I understand later helped propel the postwar economy including industry, healthcare, and housing. This was gradually abandoned between 1973 and 1977 which some very plausibly argue led to the deflationary breach of the post-war settlement we are faced with today.

Yes! "Action this day" indeed. Bwa-whoop Bwa-whoop Bwa-whoop!

ModeratorJanuary 22, 2018 12:22 PM

@Wael, thanks for the heads-up. @Justina Colmena, I have deleted four of your most recent comments, they do not belong on this forum. Please stick to discussing security, and refrain from bringing up your personal legal problems and medical diagnoses.

AtAMallJanuary 22, 2018 4:17 PM

@Wael, 65535, Ratio

"'The person you need to ask is @Dirk Praet.'

They may want an answer sometime this year. ;-) "

1) maybe he will get involved when the topic is more evolved
2) maybe he has been studying time and motion studies in his time off


OT cookbooks for verifying ISO and other downloads that have a signature

http://knoppix.net/wiki3/index.php?title=Downloading_FAQ
https://tails.boum.org/install/download/

https://ubuntu-mate.org/how-to-verify-downloads/
https://getfedora.org/verify

AtAMallJanuary 22, 2018 4:55 PM

From the USA Department of Defense FAQ on Encryption Wizard, part of TENS, a linux iso distribution that runs in ram on 32 bit hardware

"Encryption Wizard
Frequently Asked Questions

Download and Installation Issues
My MacOS X says I don't have permission to open the EW .jar file!
Why isn't this JAR file signed?
The internet says Java is full of security holes! How can I protect myself?
Government FIPS versus Public
I work for the DoD or U.S. Government...


...but my colleague is an offsite contractor. What now?
...and I forgot my password.
...and I want to exchange encrypted files with a Foreign Government Partner.
...and my EW doesn't look like the screenshots in your manual.
Operational Issues
Why can't Encryption Wizard read my CAC/PIV/smartcard?
Why is the 256-bit AES option disabled?
Feature-related Questions
Can I make a self-extracting encrypted file?
Common Issues, Known Problems, Other Questions
Why can't I use a smartcard under 64-bit Microsoft Windows?
I got an Error 17 while decrypting this enormous file. Why?
How do I know your software isn't full of backdoors?"

[snip]


"How do I know your software isn't full of backdoors?

Because doing so would violate principles of enlightened self-interest in exchange for no benefit. In other words, "we don't do that because that would be dumb." But, a little paranoia is healthy on the 21st century internet, so more detail follows. Concerns about violating trust tend to fall into particular areas:
Flawed AES

Encryption Wizard Public Edition doesn't provide its own implementation of AES, it just uses whatever is supplied by your Java Runtime Environment. If you are using the JRE from Oracle, then (beginning with Java 7), the open-source OpenJDK is the reference implementation.

For Encryption Wizard Government FIPS Edition, the AES implementation is provided by the JSAFE/BSAFE library from RSA Security, and is FIPS 140-2 validated.

Encryption Wizard Unified FIPS Edition includes an AES implementation publicly available from The Legion of the Bouncy Castle, and is FIPS 140-2 validated.
Cracked AES

The AES algorithms and their underlying Rijndael ciphers are well known, publically available, and extensively analyzed. No feasible attacks against AES have yet been demonstrated. The attacks which have been published to date fall into two broad categories. The first are academic/theoretical (in which the actual attack would take millennia, require calculating power that makes a Star Trek computer look like a microwave oven, or both). Technically this is faster than brute-forcing the keys, but still not practical.

The second are contrived attacks which among other things require access to the computer performing the ciphers (for example, malicious software already installed). An easy way of sidestepping that scenario for Encryption Wizard is to boot from trusted read-only media and avoid the local hard drive entirely.
NSA, Weak Algorithmic Constants, Various Sneakiness

Encryption Wizard makes no use of the Dual_EC_DRBG random number generator. Other elliptic curve algorithms are available in the keypair generator tool, but those (a) have never been shown to be compromised, and (b) are not used in the encryption routines themselves.
Privacy Violations

Encryption Wizard does not collect personal information nor upload any data to government computers. We don't collect usage statistics, even anonymously.

Some concluding observations from a pragmatic point of view:

Deliberate backdoors are a violation of our own tenets of cybersecurity.
If we were willing to hide backdoors in public software, we'd be willing to lie about it on a public webpage. Sending us an email to ask if we have backdoors is not a useful thing for you to do with your time.
A backdoor to a system needs a key. If the key to a backdoor were to get out (whether by accident, malfeasance, or disgruntled employees is irrelevent), then whatever is protected by that system becomes vulnerable. Given that the primary use of Encryption Wizard is to protect sensitive information relevant to the DoD, inserting a master backdoor would be dangerously risky and profoundly shortsighted."

https://spi.dod.mil/ewizardFAQ.htm
https://spi.dod.mil/index.htm TENS homepage
https://spi.dod.mil/download.htm TENS download page

AtAMallJanuary 22, 2018 5:59 PM

https://www.democracynow.org/2018/1/18/david_cay_johnston_trump_is_determined

"David Cay Johnston: Trump is Determined to Provoke War to Draw Focus from Racist & Erratic Behavior

Donate

The New York Times reports that the Pentagon is proposing widening the permissible use of nuclear weapons to include responding to cyberattacks and other non-nuclear attacks to U.S. infrastructure. The Pentagon has already outlined this expanded nuclear strategy in a draft document sent to President Trump for approval. It comes amid a series of moves by the Pentagon and President Trump that have escalated the threat of nuclear war. The Wall Street Journal reports the Pentagon is planning to develop two new sea-based nuclear weapons. The New York Times also reports the Pentagon is conducting a series of war games to prepare for a potential war with North Korea. We speak to Pulitzer Prize-winning investigative reporter David Cay Johnston, who has been covering Donald Trump for nearly 30 years. His latest book is just out, titled “It’s Even Worse Than You Think: What the Trump Administration Is Doing to America.”
Transcript
This is a rush transcript. Copy may not be in its final form.

NERMEEN SHAIKH: Uninformed. That was the word White House Chief of Staff John Kelly used to describe his boss, President Trump, on Thursday. According to The Washington Post, Kelly told members of the Congressional Hispanic Caucus that some of Trump’s hardline immigration policies, including his call to build a wall along the entire southern border, were “uninformed.” Kelly said, quote, “Certain things are said during the campaign that are uninformed.” During the same meeting, Kelly reportedly said, quote, “The president is committed to a permanent solution to DACA,” the Deferred Action for Childhood Arrivals.

But the president has struck a different tone. On Twitter this morning, Trump wrote, quote, “The Wall is the Wall, it has never changed or evolved from the first day I conceived of it.” In an interview with Reuters, Trump also criticized a proposed bipartisan deal on immigration and border security as, quote, “horrible” and, quote, “very, very weak.” This comes as the government could shut down on Friday if a funding deal cannot be reached.

AMY GOODMAN: The possible government shutdown comes as President Trump is preparing to mark his first year in office on Saturday. On that same day, anti-Trump protests will he held in scores of cities across the country to mark the first anniversary of the historic Women’s March.

Well, today we spend the hour looking at Trump’s first year in office with a journalist who has been covering Donald Trump since 1988. We’re talking about the Pulitzer Prize-winning journalist David Cay Johnston, the founder of DCReport.org. Last year, Johnston made international headlines when he obtained two pages of President Trump’s 2005 tax return. Johnston’s reporting on Trump’s taxes led the president to say this about him.

PRESIDENT DONALD TRUMP: I know the reporter is a—he’s a weird dude who’s covered me for—he’s been following me for 25 years, so obviously he hasn’t done so well. He’s been following me in a negative fashion for 25 years, always a hit. And I’m president, so I guess he hasn’t done a very good job.

AMY GOODMAN: Well, David Cay Johnston, the Pulitzer Prize-winning reporter, joins us here in our studio, out this week with his new book. It’s called It’s Even Worse Than You Think: What the Trump Administration Is Doing to America.

Welcome to Democracy Now!, David. You have been covering Donald Trump for over 30 years. You heard what he had to say about it: Look where you are, and look where he is today. But you’ve also been covering President Trump through this first year. Can you talk about, as we move into the first anniversary of his inauguration, what has surprised you most, since this is a man you have known back to his early days as a developer going bankrupt in New York?

DAVID CAY JOHNSTON: Well, Donald hasn’t, frankly, done anything that’s surprised me. And I said, and there’s lots of video of me saying, before the election, he would be increasingly erratic, his racism would come out, that he would try to find an excuse to use nuclear weapons, because during the campaign, he said, “I’m very good at war. I know more about ISIS than the generals. And of course we’re going to use nukes.” And, lo and behold, last week, the news breaks that they are loosening up the rules on the use of tactical nuclear weapons—that is, a nuclear weapon that will take out a block, not a city—and possibly even authorizing their use for a cyberattack. He’s looking for—

AMY GOODMAN: I mean, this is amazing. I mean, just to reiterate this—

DAVID CAY JOHNSTON: Oh, it is.

AMY GOODMAN: —using nuclear weapon attack for a cyberattack.

DAVID CAY JOHNSTON: Right. And hopefully, the military will not follow an order to do this. But clearly, he is determined, if he can figure out how to do it, to provoke a war. After all, what helps strengthen your position if you’re a dictator-in-waiting, which is what Donald is, but some kind of incident that will stir the public and focus people away from his crazy, racist, uninformed, ignorant behavior?

NERMEEN SHAIKH: Well, why do you think that he needs to strengthen his position? Do you think he feels he needs to strengthen his position because his position is weak?

DAVID CAY JOHNSTON: Oh, yeah, Donald—the Donald is aware that he has a large audience out there that is not supporting him and that it’s growing. And his own base, he’s certainly seen the data that it’s eroded. And remember, Donald is a man who is this empty vessel. I mean, he’s an unhappy human being. Be glad you are not Donald Trump, who will never know a day of joy and contentment in his life. And, you know, he wants us to all recognize Donald Trump is the greatest human being of all times. He wants people like Orrin Hatch—the greatest president of all times. That’s what he’s about: adoration.

NERMEEN SHAIKH: I mean, you say, in fact, that what distinguishes him from all previous U.S. presidents is that his presidency is about Trump, period, full stop.

DAVID CAY JOHNSTON: Right.

AMY GOODMAN: This issue of use of nuclear weapons, you know, going back to the reported meeting with the Joint Chiefs of Staff as he’s briefed on nuclear weapons: “If we have them, why don’t we use them?” And The Wall Street Journal reporting, just in the last days, this issue of the Pentagon planning to develop two new sea-based nuclear weapons. The New York Times also reporting the Pentagon conducting a series of war games to prepare for a potential war with North Korea. I mean, this is very interesting. As North and South Korea come closer together, will have a unified team at the Olympics, President Trump is trying to amp up the opposition to and war with North Korea.

DAVID CAY JOHNSTON: Right. And one of the very interesting things about this is, there have been surveys of military officers, and they show that the officer corps of the United States military is very troubled about Trump. You know, good military officers are diplomats who want to avoid war. And they’re not supporting him. So that one good piece of news out of this is, I don’t think Donald Trump can get the military behind him to take over the country.

NERMEEN SHAIKH: But do you think he can get the military behind him sufficiently to carry out a tactical nuclear strike?

DAVID CAY JOHNSTON: Well, that’s the troubling part. What if, for example, somehow we’re provoked into something? And he’s clearly trying to provoke—you know, things like “My button is bigger than your button.” And understand, Donald Trump—

NERMEEN SHAIKH: But what would constitute a provocation for him, though?

DAVID CAY JOHNSTON: Oh, I don’t—I mean, that, I don’t know. It would have to be enough that he could get the military behind him to do something, something we wouldn’t expect. But remember, the whole point of nuclear weapons is they’re defensive. Nobody invades a country that has nuclear weapons. We would never have invaded Iraq if it actually had had nuclear weapons. And Donald thinks that their purpose is to use them. He doesn’t even understand their purpose, that they’re defensive."

RatioJanuary 22, 2018 7:48 PM

Chelsea Manning says she attended far-right pro-Trump event 'to gather intel':

In a tweet posted on Monday, Manning attempted to calm a storm of criticism that erupted after she was spotted at the Saturday event, dubbed “A Night for Freedom”, in New York. She insisted that her decision to turn up at the celebration of Donald Trump’s first year in the White House was an act of intelligence gathering designed to thwart what she called “fascists/alt-right”.

“I took an opportunity to gather intel on them b/c the ideology they peddle threatens everybody,” the tweet said.

Of course you did. So what did you uncover?

tyrJanuary 22, 2018 9:33 PM


@Clive

"
In addition to the communications already made public, the Justice Department on Friday provided Johnson's committee with 384 pages of text messages, according to a letter from the Wisconsin lawmaker that was obtained by The Associated Press.

But, according to the letter, the FBI told the department that its system for retaining text messages sent and received on bureau phones had failed to preserve communications between Strzok and Page over a five-month period between Dec. 14, 2016, and May 17, 2017. May 17 was the date that Mueller was appointed as special counsel to oversee the Russia investigation.

The explanation for the gap was "misconfiguration issues related to rollouts, provisioning, and software upgrades that conflicted with the FBI's collection capabilities."
"

This was lovely bit of popcorn incitement
particularly the quote in the last line.

RatioJanuary 23, 2018 12:23 AM

Ecuador’s president calls Julian Assange ‘more than a nuisance’:

On Sunday, Moreno vented about the situation in a television interview. He said that Assange had created “more than a nuisance” for his government. He also described him as an “inherited problem” and said his government was seeking help from “important people” to solve the problem.

Moreno has also urged Assange, he said, not to interfere with Ecuadoran politics or “that of nations that are our friends.” In the past, Assange had tweeted support for the Catalan independence campaign. He's also met at least once with Nigel Farage, the architect of the Brexit campaign.

According to the article titled Lenín Moreno sobre Assange: 'Nos causa más de una molestia' in the Ecuadorian daily El Comercio, this is what Moreno said (in Spanish):

“Siempre es bueno recordarle a la ciudadanía que es un problema que heredamos. Yo he estado permanentemente reclamando al señor Julián Assange que debe ajustarse a las normas de un asilo. Él firmó, en el último mes, un acuerdo de que no va a volver a intervenir en la política ecuatoriana, ni en la política de los otros países. Cuando yo le pedí a la señora Canciller y al equipo de Cancillería que encuentre una forma de solucionar el problema que tenemos en Gran Bretaña, dejé en libertad a la señora Canciller para que tome la opción que mejor considere, y tomó esta opción. Nos ha dado todas las explicaciones, inclusive de los requisitos para poder obtener la nacionalidad, que los cumplía el señor Assange y de la posibilidad de que con un rango diplomático a lo mejor se le permitiese salir y que definitivamente nos libremos del problema. Hubiera sido un buen resultado de esto. Lastimosamente las cosas no siempre resultan como Cancillería ha planificado y este momento el problema sigue latente. Cancillería está optando por otra forma de hacer las cosas. Este momento se va a solicitar la mediación de gente importante. No le doy el nombre este momento, quisiera que se lo haga la Canciller directamente y esperamos ya tener a corto plazo un resultado positivo de este tema que realmente, nos causa más de una molestia”, manifestó el Jefe de Estado.

(WaPo needs better translators. While “gente importante” does literally mean “important people”, here the correct translation is “someone important”. Someone important —one person, whose name will be revealed later— will be asked to mediate.)

WaelJanuary 23, 2018 12:28 AM

@ AtAMall,

1) maybe he will get involved when the topic is more evolved 2) maybe he has been studying time and motion studies in his time off

He's been busy with a new job that occupies all his time. And he's interested in time and motion, too.

65535January 23, 2018 1:29 AM

@ AtAMall

I will ask Dirk when he is back.

I looked at your tens page and it is interesting.

I believe it is an iso that can run from a CD or thumbdrive on 64 bit platforms assuming the computer bios is configured to run the CD first. If you put it on CD -R or non-writeable CD it looks fairly solid. I will give it a go.

Clive RobinsonJanuary 23, 2018 4:37 AM

Speaking of "renovations" those in the UK may be aware from the news that early this morning what is described as a major gas leak, cause around 1500 people to be evacuated from a Hotel and Night club. And further causing two major london stations to close as well as two of the main underground services. Thus major commuter chaos this morning yup even I've had to change my habits :-S

So far so dull, but... The gas leak is supposedly in Craven St which has a grisly story involving a US President to be, his land lady, her daughter with whom he was very close and a friend who married the daughter and was in the habbit of hiding corpses he had finished defiling under the floor... Does that sound more interesting?

http://londonist.com/2016/05/the-bones-in-benjamin-franklins-basement

65535January 23, 2018 5:09 AM

@ AtAMall and certificate experts

Tens secure live system cont.

After a few attempts I was able to download the TENS-Public Deluxe ISO and the Encryption Wizard Public Edition but only after having to accept a DoD certificate. I check my FF certs and found US Government, www [dot]spi [dot] dod [dot] mil 443 permanent which did not make me happy.

Next, I tried to upload the Tens Public Deluxe ISO to VirusTotal only to find the max upload was 250 MB. The Tens public deluxe ISO is over 600 MB zipped.

So I guess the next thing is to scan the file with various AV products before I unzip the files and try to make the live CD.

Question, should I remove the spi dod mil certificate? Is the spi dod mil cert necessary for using Tens secure live CD?

Why not?January 23, 2018 5:18 AM

https://theintercept.com/2018/01/22/the-top-republican-warns-under-new-spending-bill-the-intelligence-community-could-expend-funds-as-it-sees-fit/

IN A DRAMATIC moment on the Senate floor Monday afternoon, as the upper chamber rushed a spending bill through to end the government shutdown, the top Republican and Democrat on the Intelligence Committee warned that the bill contains language that would kneecap Congress’s ability to oversee secret covert actions and surveillance programs. Their effort to amend the language was rebuffed.

They pulled the drain plug on the swamp and more swamp came out.

Fundamental change of government doesn't have to be scary, think of the bright side :
Less dissent!

65535January 23, 2018 5:48 AM

@ Why not?
“They pulled the drain plug on the swamp…”-Why not

What, could you pass that by me once more. It looks the opposite.

“top Republican and Democrat on the Intelligence Committee warned that the bill contains language that would kneecap Congress’s ability to oversee secret covert actions and surveillance programs. Their effort to amend the language was rebuffed.”- The intercept referenced above

[more]

“…Burr said, noticing Sen. Thad Cochran, the Republican chair of the Senate Appropriations Committee, conspicuously present in the chamber. Cochran did indeed object, and Burr then yielded the Senate floor with “with great disappointment.”… On one amendment, Cochran voted “yes” despite being told by an aide to vote “no.” The staffer tried to get the senator to switch his vote, but Cochran kept flashing the “thumbs up” sign, even walking over to the clerk tallying the vote and doing so. GOP floor staffers repeatedly told him the leadership wanted a “no” vote. Several more moments passed before Cochran realized he was voting the wrong way and then changed his vote.”- The intercept

https://theintercept.com/2018/01/22/the-top-republican-warns-under-new-spending-bill-the-intelligence-community-could-expend-funds-as-it-sees-fit/

So, which is it?

Was the wide open NSA/CIA language in the bill actually changed to bring some spending oversight to those TLAs?

JG4January 23, 2018 7:33 AM

nice graphical presentation of risks

https://www.zerohedge.com/news/2018-01-22/billionaires-stuck-davos-disrupted-massive-snowfall-avalanche-alerts

further proof that the FBI are dirty and always have been

http://thehill.com/opinion/civil-rights/370122-another-software-upgrade-suppressing-evidence-is-fbi-standard-procedure

doom-porn disclaimer, but they actually get a lot of stuff right

https://www.zerohedge.com/news/2018-01-22/whos-lying-fbi-says-5-months-texts-lost-yet-ig-horowitz-says-his-office-received

Clive pointed out that a lot of the ideas here have been adopted by other parties. so it was with the science fiction writers of the 1920's and 1930's, whose ideas became atomic weapons and space travel.

not only can your voice and writing style be perfectly spoofed, but you can be too

https://sploid.gizmodo.com/these-real-time-visual-effects-will-remind-you-not-to-b-1822298277

we can name the resonance at a radio receiver antenna and LC input filter as a "red-eye" effect. it generally can be detected even when the power is off, by a method of system identification where RF pulses are sent and the resulting echoes analyzed. even when a cell phone is powered off by a physical barrier in the power feed, the antenna and filter are likely to have a detectable resonance. it may be sufficiently detailed to identify the make and model of cell phone. it is, however, unlikely to be individually identifiable, unless it talks and powers an RFID element connected to the antenna circuit. yet another reason for Faraday enclosures.

the structure in red-eye reflection from a person or animal almost certainly carries individually identifiable information. we have seen in recent years where keys and fingerprints can be photographed/scanned at large standoff distances. I am suggesting that retinal patterns also can be. the camera may lie at an intermediate between the two extremes of having a blunt resonance that carries little information (perhaps sufficient to identify make and model, but not serial number) and the retroreflection from eye structure which carries enough information to uniquely identify individuals. camera chips and retinal tissue don't have an analogue of an internal oscillator for input to the mixer, but radios almost invariably have an RF resonator of some type in-line from the antenna. and the antenna itself has a blunt but detectable resonance.

I suggested before that leakage of the local oscillator signal can be avoided by converting incoming radio signal to an optical signal, then processing it inside a robust Faraday enclosure, with good isolation of reflection/emission back to the conversion element. here's another way to convert radio signals:

https://newatlas.com/two-atom-thick-radio/47003/

excerpts from the usual daily compendium

https://www.nakedcapitalism.com/2018/01/links-12318.html

...

Sorry, FCC: Montana is enforcing net neutrality with new executive order Ars Technica

Intel asks customers to halt patching for chip bug, citing flaw Reuters. Lambert: “Hoo boy.”

Linus Torvalds declares Intel fix for Meltdown/Spectre ‘COMPLETE AND UTTER GARBAGE’ TechCrunch Lambert: “Hoo boy #2.”

‘Terrifying’: How a single line of computer code put thousands of innocent Turks in jail CBC News

Google suspends fact-checking feature over quality concerns Poynter. Lambert: “What a mess, especially since Poynter is partly funded by Google.”

Facebook is ‘parasitic,’ says Zuckerberg’s former mentor TreeHugger

...

More texts turned over from FBI agent taken off Mueller team AP (Chuck L)

...

JG4January 23, 2018 7:35 AM


@Moderator - a more extensive series of comments was blocked. feel free to delete this one once that is unblocked.

we can name the resonance at a radio receiver antenna and LC input filter as a "red-eye" effect. it generally can be detected even when the power is off, by a method of system identification where RF pulses are sent and the resulting echoes analyzed. even when a cell phone is powered off by a physical barrier in the power feed, the antenna and filter are likely to have a detectable resonance. it may be sufficiently detailed to identify the make and model of cell phone. it is, however, unlikely to be individually identifiable, unless it talks and powers an RFID element connected to the antenna circuit. yet another reason for Faraday enclosures.

the structure in red-eye reflection from a person or animal almost certainly carries individually identifiable information. we have seen in recent years where keys and fingerprints can be photographed/scanned at large standoff distances. I am suggesting that retinal patterns also can be. the camera may lie at an intermediate between the two extremes of having a blunt resonance that carries little information (perhaps sufficient to identify make and model, but not serial number) and the retroreflection from eye structure which carries enough information to uniquely identify individuals. camera chips and retinal tissue don't have an analogue of an internal oscillator for input to the mixer, but radios almost invariably have an RF resonator of some type in-line from the antenna. and the antenna itself has a blunt but detectable resonance.

I suggested before that leakage of the local oscillator signal can be avoided by converting incoming radio signal to an optical signal, then processing it inside a robust Faraday enclosure, with good isolation of reflection/emission back to the conversion element. here's another way to convert radio signals:

https://newatlas.com/two-atom-thick-radio/47003/

echoJanuary 23, 2018 10:12 AM

Facebook is rolling out new security tools in response to EU privacy laws. I note that Microsoft Windows 10 remains a privacy and settings nightmare. I am also extremely botherd by the UK government slackening guidelines which now enable the public sector to place peoples healthcare data outside of the safe protections of EU law as previous authoritative reports and court judgements have commented on.

https://www.theguardian.com/technology/2018/jan/23/facebook-new-privacy-tools-response-to-eu-privacy-laws-sheryl-sandberg

Facebook will roll out a new set of tools aimed at making it easier for users to make informed choices about their privacy in response to sweeping new European privacy laws, according to the company’s chief operating officer, Sheryl Sandberg.

“We’re rolling out a new privacy centre globally that will put the core privacy settings for Facebook in one place and make it much easier for people to manage their data,” Sandberg said at a Facebook event in Brussels on Tuesday.

She said that the creation of a “privacy centre” was prompted by the requirements of the General Data Protection Regulation (GDPR), an EU regulation that seeks to give Europeans more control over their information and how companies use it.

Why not?January 23, 2018 7:40 PM

@665

"Was the wide open NSA/CIA language in the bill actually changed to bring some spending oversight to those TLAs?"

Afaik they left it in despite the objections! It's law as of now until amended or replaced.

It means anything not previously authorized by Congress can be essentially authorized by the executive.
Congress is the purse string, so to just give the purse to the executive without restriction?
Nuts!

“If this exemption is granted, you could potentially have an administration, any administration, go off and take on covert activities, for example, with no ability for our committee — which spends the time and has the oversight — to say time out, or to say we actually disagree with that policy,” said Mark Warner, the leading Democrat on the Senate Intelligence Committee.

...

Burr asked for unanimous consent to substitute replacement language into the bill that would restore Congress’s ability to dictate spending and found himself in a jurisdictional turf war with the Appropriations Committee.

“We should have inserted this new language. But because of a fight between Appropriations and the Intelligence Committee in the House, we weren’t able to do that. And I have a feeling that Senator Warner and I are going to find that there is now a fight between the Intel Committees and the Appropriators of the U.S. Senate, because I fear somebody might object to the unanimous consent,” Burr said, noticing Sen. Thad Cochran, the Republican chair of the Senate Appropriations Committee, conspicuously present in the chamber. Cochran did indeed object, and Burr then yielded the Senate floor with “with great disappointment.”

And then they passed it into law, knowing about it, over a partisan turf war.

For the next few weeks (assuming they fix it by then, even) the IC has full powers of self-authorization.
(IANAL, AFAIK, but that seems to be what Senators are facepalming about so openly here)

RatioJanuary 24, 2018 1:27 AM

Inside The Fight For The Soul Of Kaspersky Lab:

Since its founding in 1998, Kaspersky Lab has grown into an international giant in computer security. Its antivirus system is installed on roughly 400 million computers around the world. But over the last year its outlook has plummeted in North America and Europe, where in 2016 it did over half of its business. Last fall saw Donald Trump — not known for criticizing Russian interference in the US — sign a ban on government agencies using Kaspersky Lab’s products.

Meduza and BuzzFeed News can reveal for the first time that the decline in fortunes of Kaspersky Lab was the result of an internal struggle for control that pitted allies of the Russian secret service against “tech-savvy” staff and Western investors. The managers within Kaspersky Lab, like Chekunov, with ties to Russia’s security agencies won that battle. But in so doing, they threaten to destroy everything the company has built outside Russia.

JG4January 24, 2018 6:55 AM


@Moderator/Bruce - Can you offer any guidance on the blocked comment from yesterday? I could alter and resubmit if I understood the nature of the problem.

https://www.nakedcapitalism.com/2018/01/links-12418.html

...

Big Brother Is Watching You Watch

Welcome to the neighbourhood. Have you read the terms of service? CBC. A “smart city.” There’s that word, “smart.” Watch out!

...

Ursula K. Le Guin, the spiritual mother of generations of writers; John Scalzi pays tribute Los Angeles Times

Ratcheting UpJanuary 24, 2018 7:01 AM

Using surveillance powers to rule over the opposition is political party, time and country independent.
It’s all tied to universal human traits of the lust for power, control and greed.
Who does not want to become wealthy druken ruthless god?

Those in power wish to extend and strengthen their rule while those in opposition want to limit it.

Its interesting to examine how the tables have turned in the past year. Here we see the former White House executives (having hired Si icon Valley to take control of the White House) now live to regret it:
‘Fundamentally, the problem is that “disinformation campaigns and legitimate advertising campaigns are effectively indistinguishable on leading Internet platforms, ” Mr. Ghosh and Mr. Scott wrote.’
https://www.nytimes.com/2018/01/23/technology/democrats-silicon-valley.html

The Republicans hated the secret unmasking of their party during the campaign. Now they learn of FBI deletion of files and FBI officials texting of secret societies meetings. Just another crazy conspiracy?

Remember, being on the receiving end, the new POTUS started out want to reduce the untrustworthy intelligence agencies and add safeguards to the FISA 702.

However after taking control they unsurprisingly have turned 180. Taking the surveillance to the next level they are removing Congressional oversight over intelligence agencies.
Who needs more bickering elected officials? Sounds like a great opportunity to privatize. Where do we apply?

CassandraJanuary 24, 2018 7:06 AM

@Clive Robinson

@ Rachel, Cassie,

My brain is getting old, and I cannot remember which one of you I mentioned kittens and vision to, or the page it was on :-(

Which is very remiss of me, so a simple solution is to post a related link here,

Not me. However, related to the Gabor Patch is the McCollough effect. Do not play around with that optical illusion as it can have long-lasting effects (several months) which interfere with your vision. If you need 'perfect' vision to operate machinery, this would be a bad idea.

Cassandra

bttbJanuary 24, 2018 7:39 PM

@65535

"I believe it is an iso that can run from a CD or thumbdrive on 64 bit platforms assuming the computer bios is configured to run the CD first. If you put it on CD -R or non-writeable CD it looks fairly solid. I will give it a go."

The current DoD TENS release, Version 1.7.3, released 31 May 2017, is compatible with 32 bit hardware, I think, but from the TENS Download Page:
"Beginning with the next major release, TENS will be a 64-bit-only OS and thus will be incompatible with 32-bit hardware."
https://spi.dod.mil/download.htm

@65535 again

"Tens secure live system cont.

After a few attempts I was able to download the TENS-Public Deluxe ISO and the Encryption Wizard Public Edition but only after having to accept a DoD certificate. I check my FF certs and found US Government, www [dot]spi [dot] dod [dot] mil 443 permanent which did not make me happy.

Next, I tried to upload the Tens Public Deluxe ISO to VirusTotal only to find the max upload was 250 MB. The Tens public deluxe ISO is over 600 MB zipped.

So I guess the next thing is to scan the file with various AV products before I unzip the files and try to make the live CD.

Question, should I remove the spi dod mil certificate? Is the spi dod mil cert necessary for using Tens secure live CD?"

On a Windows 7 PC with FireFox, I uncheck "Permanently store this exception" on the popup "Add Security Exception" before I "Confirm Security Exception" and proceed to the TENS site.

On a Mac, I looked into removing the "Exception" from probably a Safari download, but I don't know if I followed through.

iirc javascript was required to download TENS. I presume one could download TENS from a system running on a LIVE CD/DVD.

TENS-Public (without Libre Office) was straightforward to run in VirtualBox. TENS-Public Deluxe (w/o Libre Office) wasn't so straightforward with VirtualBox. Regardless. even though I burned both versions of TENS, I think I have only used TENS-Public from CD or in VirtualBox.

When I go to the TENS website when using the live TENS-Public CD, no exception is requested by FireFox. Regardless, I don't know if the spi dod mil cert necessary for using Tens live CD (w/ or w/o access to the TENS website or DoD travel (a FF bookmark) for example)?

BTW "Knoppix64 toram" seemed to boot the DVD KNOPPIX_V8.1-2017-09-05-EN.iso on a Macintosh with 8GB of Ram. Preliminary result; I haven't taken that Knoppix DVD for a test drive yet. On a Windows PC w/6GB of Ram "Knoppix64 toram" would not complete bootup, so I assume 8GB is required.

I assume it would be wise to make sure the HDD is encrypted or removed before browsing the web with "Knoppix64 toram"
Would any additional Knoppix cheat codes ( http://knoppix.net/wiki/Cheat_Codes ) be useful with Knoppix here?

It would be nice if you, or somebody else, could answer some of your other questions or concerns regarding TENS. Regardless, I have thoroughly enjoyed browsing the web w/TENS-Public on a relatively old i3 or i5 using "'free" wifi.

https://spi.dod.mil/liposeFAQ.htm TENS' FAQ

Clive RobinsonJanuary 24, 2018 11:17 PM

@ The usual suspects,

Although not much has been said in the more general press, it appears there have been some interesting developments in Quantum Computing. Such as the number of Qbits going up from 5 to 50.

https://www.quantamagazine.org/the-era-of-quantum-computing-is-here-outlook-cloudy-20180124/

However the perversity that Quantum Computing is, for each forward step it appears to be almost but not quite balanced by one or more backward steps of equal magnitude for most uses those not in the field of endevor would like/dread to see for Quantum Computing over classical computing.

Thus part of the game currently is to find applications thus algorithms that "play to the strengths" of the forward steps but are not hampered or less hampered by the backward steps.

For those on this blog Quantum Computing used against clasical secure algorithms still appears just as far away now as it did when it was being talked up in the more general press a few years back. Likewise algorithms based on the clasical intractability of factoring large composite numbers with only two factors.

65535January 24, 2018 11:29 PM

@ Why not?

“Afaik they left it in despite the objections! It's law as of now until amended or replaced. It means anything not previously authorized by Congress can be essentially authorized by the executive. Congress is the purse string, so to just give the purse to the executive without restriction? Nuts! …For the next few weeks (assuming they fix it by then, even) the IC has full powers of self-authorization.”

I believe you are correct.

I feel your disgust. It is nuts. It is a travesty. All sorts of dirty thing could happen.

@ bttb

The current DoD TENS release, Version 1.7.3, released 31 May 2017, is compatible with 32 bit hardware, I think, but from the TENS Download Page:

"Beginning with the next major release, TENS will be a 64-bit-only OS and thus will be incompatible with 32-bit hardware."

I think you are right. But, I understood the verion I downloaded the 64 bit one. Hum...

“On a Windows 7 PC with FireFox, I uncheck "Permanently store this exception" on the popup "Add Security Exception" before I "Confirm Security Exception" and proceed to the TENS site.”

That was a good idea. I just was too busy with the beginning of the work week to think of that clever option. Good job.

“TENS-Public (without Libre Office) was straightforward to run in VirtualBox. TENS-Public Deluxe (w/o Libre Office) wasn't so straightforward with VirtualBox. Regardless. even though I burned both versions of TENS, I think I have only used TENS-Public from CD or in VirtualBox.”

At work we have VMware. I had a friend try it since I was busy. He was only mildly impressed. I have not yet had time to do the install and give a spin.

"?It would be nice if you, or somebody else, could answer some of your other questions or concerns regarding TENS. Regardless, I have thoroughly enjoyed browsing the web w/TENS-Public on a relatively old i3 or i5 using "'free" wifi.?"

Yes, that sounds good. Did you try the Encryption Wizard?

Nice write up. Thanks.

WaelJanuary 24, 2018 11:38 PM

@Clive Robinson,

Although not much has been said in the more general press

Yep. Gave it a quick read...

Thus part of the game currently is to find applications thus algorithms that "play to the strengths" of the forward steps but are not hampered or less hampered by the backward steps.

Good summary of the optimistic view.

Likewise algorithms based on the clasical intractability of factoring large composite numbers with only two factors.

There is also multi-prime, as you know... I'll believe it when I see it (factorization in no time.)

Wesley ParishJanuary 25, 2018 12:30 AM

FWIW, ponder the privacy and security implications of this:

https://slashdot.org/story/18/01/24/1844258/an-ai-powered-app-has-resulted-in-an-explosion-of-convincing-face-swap-porn

I imagine there are some truly bizarre possibilities here for parody - Bill Clinton's face on Jenna Jameson's body. But it's the more mundane possibilities of repression that worry me - Citizen X, an activist, gets his head deepfaked onto Citizen Y's body in a televised report of a bank robbery ... etc, ad nauseam.

WaelJanuary 25, 2018 1:08 AM

@Wesley Parish,

possibilities of repression that worry me - Citizen X, an activist, gets his head deepfaked onto Citizen Y's body in a televised report of a bank robbery ... etc, ad nauseam.

Can be used for defense as well. When this technology becomes more widespread, and it becomes increasingly difficult to distinguish fake from genuine, then...

  • Guilty citizens have a vector of deniability ⇨ worrissome since it maybe difficult to prove beyond reasonable doubt that the video is genuine.
  • Innocent citizens can claim they were framed ⇨ okay if law recognizes faking technology capabilities surpass forensics's. Worrisome if law doesn't.

If the acton of repression is committed by state actors, then it's Business as usual. Nothing more to worry about. Same category as "planted evidence", I would think.

JG4January 25, 2018 5:38 AM


@Wael - You did a good job of explaining one aspect of the threat model presented by faking reality. Your suggested evidence was directed at making the public believe that someone had committed a crime of bank robbery. That is bad enough, but what concerns me more is the ability to completely disrupt all of a dissident's support network, including their most intimate contacts, and turn the publi against them. It's like a neutron bomb that dissolves a person's life.

Imagine for a moment, a real woman calling your wife and saying that she is having an affair with you. Naturally, your wife asks for proof. Initially, it is a faked audio recording of you speaking intimately to the woman. The faked audio then is followed up with faked video. BTW, I joked that Schwarzeneggar's movie, "Running Man" or "The Running Man" was a documenary, maybe a few years ago. It did a great job of showing how faked video could be used in a dystopian future.

This is a brilliant work linked in nakedcapitalism's afternoon water cooler yesterday

Oculus Grift
https://thebaffler.com/salvos/oculus-grift-shivani

here's what nc had to say about it

“We used to think of “capital” as physical goods or infrastructure—something we could wrap our minds around. But as all the main features of this system for extracting surplus value from workers and rentier fees from service networks have become duly digitized, capital itself has become a form of AI. We do not have any control over this system and it is impossible to conceive of unplugging ourselves from it. Isn’t that the trope we most fear about AI from science fiction—that it will reach a point where we cannot imagine life independent of it” [The Baffler]. It seems that Stross’s “Slow AI” trope is making its way into the zeitgeist.

CallMeLateForSupperJanuary 25, 2018 7:08 AM

The Guardian (online) has taken a step toward the dark side:
"Please enable JavaScript–we use it to enhance behaviour for Guardian Subscriptions."

Translation:
1) Their coders either don't care about the danger JS poses or don't know how to code without JS.
2) "enhance behaviour" means arm-twist the visitor.

WaelJanuary 25, 2018 8:39 AM

@JG4,

Imagine for a moment, a real woman calling your wife and saying that she is having an affair with you. Naturally, your wife asks for proof.

I remember I posted something like this in the past but can't find the link. Keywords returned nothing.

It so happened that a rich man was having dinner with his gold-digging wife at a fancy restaurant, when a very beautiful woman stoped by and gave him a kiss. His wife got upset and asked him: who's that? He replied: "that is my mistress!" She got really upset and said: "that's it! I want a divorce right now!" He said fine, but no more expensive dinners, no more summer and winter vacations, etc. She cooled down. A few minutes later, another woman stopped by and gave him a kiss. His wife said: "who the hell is that?" He said that's my friend's mistress. She said: "our mistress is more beautiful."

It depends how much money you have :)

I need to be scarce for a bit...

ThothJanuary 25, 2018 8:42 AM

@Markus Ottela

Is the screenshot showing all the three terminals on a single monitor screen or are they separate but edited together ?

vas pupJanuary 25, 2018 8:57 AM

@all: thinking outside the box is key for hacking and security. The findings in this article could be utilized with AI improvements as well. Very informative - three structures involved in creativity in particular.

The creative brain is wired differently:
https://www.sciencedaily.com/releases/2018/01/180117163954.htm
"What this shows is that the creative brain is wired differently," said Roger Beaty, a Post-Doctoral Fellow in Psychology and the first author of the study. "People who are more creative can simultaneously engage brain networks that don't typically work together. We also used predictive modeling to show we could predict, with some degree of accuracy, how creative people's ideas were (based on brain scans) that had already been published." Beaty and colleagues reanalyzed brain data from previous studies and found that, by simply measuring the strength of connections in these peoples' brain networks, they could estimate how original their ideas would be.”

CallMeLate For SupperJanuary 25, 2018 9:20 AM

JG4 posted: "Sorry, FCC: Montana is enforcing net neutrality with new executive order Ars Technica"

Now NYS (New York State) has done so as well.
"The state of New York became the second state to put itself on a collision course with federal officials as its governor, Andrew M. Cuomo, signed an executive order Wednesday designed to flout the Federal Communications Commission's recent decision to repeal its net neutrality rules."
https://www.washingtonpost.com/news/the-switch/wp/2018/01/24/defying-the-fcc-new-yorks-governor-has-signed-an-executive-order-on-net-neutrality/

bttbJanuary 25, 2018 2:28 PM

President Trump to Mueller, perhaps, in the future. "883 was just a guess when I tweeted 'How long did it take your staff of 823 people...'"
[snip]
"one of Trump’s data guys might be of particular interest"
[snip]
"Mind you, as Pseudonymous in NC noted, the tweet was done on an iPhone — this is the period from before Trump had switched to iPhones"
https://www.emptywheel.net/2018/01/25/why-did-trump-tweet-an-in-the-ball-park-accurate-number-for-hillarys-total-staffers-on-june-9-2016/


RatioJanuary 25, 2018 11:12 PM

Dutch agencies provide crucial intel about Russia's interference in US-elections:

It's the summer of 2014. A hacker from the Dutch intelligence agency AIVD has penetrated the computer network of a university building next to the Red Square in Moscow, oblivious to the implications. One year later, from the AIVD headquarters in Zoetermeer, he and his colleagues witness Russian hackers launching an attack on the Democratic Party in the United States. The AIVD hackers had not infiltrated just any building; they were in the computer network of the infamous Russian hacker group Cozy Bear. And unbeknownst to the Russians, they could see everything.

That's how the AIVD becomes witness to the Russian hackers harassing and penetrating the leaders of the Democratic Party, transferring thousands of emails and documents. It won't be the last time they alert their American counterparts. And yet, it will be months before the United States realize what this warning means: that with these hacks the Russians have interfered with the American elections. And the AIVD hackers have seen it happening before their very eyes.

[...]

The Cozy Bear hackers are in a space in a university building near the Red Square. The group's composition varies, usually about ten people are active. The entrance is in a curved hallway. A security camera records who enters and who exits the room. The AIVD hackers manage to gain access to that camera. Not only can the intelligence service now see what the Russians are doing, they can also see who's doing it. Pictures are taken of every visitor. In Zoetermeer, these pictures are analyzed and compared to known Russian spies. Again, they've acquired information that will later prove to be vital.

[...]

Access to Cozy Bear turns out to be a goldmine for the Dutch hackers. For years, it supplies them with valuable intelligence about targets, methods and the interests of the highest ranking officials of the Russian security service. From the pictures taken of visitors, the AIVD deduces that the hacker group is led by Russia's external intelligence agency SVR.

RatioJanuary 26, 2018 12:30 AM

The corresponding Nieuwsuur article, titled Dutch intelligence first to alert U.S. about Russian hack of Democratic Party, mentions why AIVD hacked the network of a university building:

In the summer of 2014, the Joint Sigint Cyber Unit (JSCU) was launched, a joint unit of AIVD and MIVD, the Dutch Military Intelligence and Security Service. Based in the Dutch city of Zoetermeer, it focuses on, among other things, obtaining intelligence through cyber operations. That same summer, the unit received a tip about a group of Russian hackers based at a university complex in Moscow. An AIVD hacking team, operating under the JSCU flag, subsequently succeeded in penetrating the internal Russian computer network. Not only did the AIVD gain access the computer network, it also hacked the security camera in the corridor.

(Both articles are the result of a joint investigation by Dutch newspaper de Volkskrant and current affairs program Nieuwsuur.)

Clive RobinsonJanuary 26, 2018 3:13 AM

@ yowzer,

Help needed for crypto

Good crypto help is always needed, mostly by people that do not know they need it (or worse why...).

The problem is that good crypto help is scarce, very very scarce. So much so it is easier to find diamonds in a chickens crop.

But it's not just crypto it's also all the protocols and methods that are needed around not just crypto and other sensitive items like data both at rest and in use I/O and now applications are more like multi-tasking OS's than ever the security needed in those.

Security and programing as practiced by the many are poles appart (eg "Security-v-Efficiency", "Security-v-Complexity" etc). Security like fundamental data structures are realy not taught enough even now at University level.

Thus the real question I've been asking for a number of years is how do you make such a scarce resource available to those who realy need it (ie the rest of us)?

I've mentioned a few ways in the past some even increase run of the mill programmer efficiency. But in the main at many levels especialy in ISO stack levels 9 and upwards it's not wanted for many reasons, and it's not just the old chestnut of "Security does not sell" it clearly does sell at a realistic price point.

The usual cures for a market in that kind of self destructive tail spin is "Government Intervention". It's clear that all "throwing money at security" does is raise the price. Defence Contractors are not the only people with $600 hammers. The solution that appears to work is regulation by standards. The clearest example of that is GPS in phones. The USG mandated it for fairly spurious "Health and Safety" reasons, now nearly every phone in the West has GPS fitted not just by default but in harder and harder ways to realy turn off. Thus we all have "tracking beacons" in our pocket. In earlier times the ability to "listen in by the operator" was again for spurious "Health and Safety" reasons. So the FiveEyes SigInt and other IC entities know that fixing standards works and works well. If a major market such as the EU actually put proper security in standards then the manufactures would "fall in line". That fear was why FBI head Louis Freeh was runing around giving --not so secret-- "Going Dark" scare talks to European leaders in the 1990's.

The ultimate hammer after standards is regulation but I suspect the IC and IC wanabe LEO's will scream shout cry and commit various sins to stop such regulation. Part of the plan was clearly the "Oh so secret" Trade Talks of the Obama administration. With the resolution method. The USG could force US corporates and those selling into the US to put in their "golden keys", "front doors" etc in. Then if a country tried keeping these tampered products out the Trade Dispute Resolution would just fine the countries into submission...

So getting security into products is a multi-faced problem, and the lack of those with the required security skills is I suspect more by design than many would suspect. Thus currently the only way to get security at any level in the Computing Stack in non specialised products is by "Open and Audited" methods.

There are other ways to get a manner of security at higher levels by mitigating the levels below. But it requires what are arcane techniques to even good crypto people, that are only just comming out of the noise floor in the Open / Academic security community. Which is strange, because they have been around for a century or so in high reliability, availability and above all safety systems... Thus have a solid pedigree. A few of us on this Blog have discussed it over the years and I suspect untill recently here was the only place you could read about it...

Wesley ParishJanuary 26, 2018 3:17 AM

On the international arena, and concerning sitting in a fine restaurant and chewing your own leg off to escape, consider the confluence of these trends:

Trebles all round! Intel celebrates record sales of insecure processors
ht tp://www.theregister.co.uk/2018/01/25/intel_q4_fy2017_meltdown_spectre/

Here we go again... UK Prime Minister urges nerds to come up with magic crypto backdoors
ht tp://www.theregister.co.uk/2018/01/25/uk_prime_minister_encryption/

Pentagon Suggests Countering Devastating Cyberattacks With Nuclear Arms
ht tps://www.nytimes.com/2018/01/16/us/politics/pentagon-nuclear-review-cyberattack-trump.html

This is a spiral. You start at wishing to control your own citizens; you end with mass murder and destruction of the community that might otherwise alleviate the suffering you have inflicted on your own citizens.

Insecure-by-design processors leads to insecure-by-design power networks leads to nuclear retaliation leads to alienation of everybody else leads to grand coalition denying supplies needed to reorganize and rebuild leads to massive starvation and winter-related deaths.

I think we can safely say certain people never meant the oaths of office they swore.

Markus OttelaJanuary 26, 2018 11:43 AM

@65535

I've taken the blog down because modeling of the protocols took a lot of time, and because keeping information and renders up to date with ever changing protocols whether it was Signal, TFC or some other app, took too much effort.

Onion Services are indeed slower than Tor. But with instant messaging I've seen larger delays with Signal. Tor is only getting faster. The speed hit is however significant when uploading files to contacts. I'm considering automation of exported file delivery to active contact / group. In this scenario the file is encrypted on TxM and exported as whole to NH. When the file is delivered to contacts, their NH would automatically import the encrypted file. The decryption key and file headers would be delivered with a separate TFC message.

Base58 was recommended to me by someone long time ago when I was explaining them how I was using base16 for public keys. The implementation (details aside) is exactly the same as Bitcoin's WIF down to mainnet/testnet header that differentiates public keys from imported files keys so NH can't trick user into importing files.

The shared secret path was the only automated, already authenticated way I could make GET-only approach to work. I couldn't re-use onion URL or cookie for POST authentication as for now it had to be shared with multiple contacts. I also could not use e.g. aliceurl.onion/boburl for Bob's messages because common peer could access the cipheretexts. X25519 seemed the easiest way and it's completely invisible to the user.

"That looks OK but the whole Tor traffic analysis thing is bigger. But, you next idea to solve it."

Traffic analysis problem is probably never going to be perfectly solved, especially because there's adversaries with extremely wide access to global backbone. From what I read about John Brooks' concerns about it on Ricochet's GitHub, Tor hasn't been designed to actively solve all related issues. But I'm optimistic about the future.

@Thoth

The screenshot is from TFC's "local test" configuration. So you can in fact run all three applications on a single computer to try out TFC and it's features. The terminals communicate via sockets, and they run on Terminator that arranges terminals for you. If you want to try the latest experimental version, you can install it on Ubuntu 17.10 (virtual machine) with one-liner

wget https://cs.helsinki.fi/u/oottela/tfc/install.sh && bash install.sh lt

Where the argument "lt" stands for local testing. After that just type "tfc" to gnome search window behind WIN key.

bttbJanuary 27, 2018 8:02 AM

@65535

"Did you try the Encryption Wizard?"

What might be more relevant is what do the usual suspects think of the Encryption Wizard?

From a USA DoD site

"Encryption Wizard

Encryption Wizard (EW) is simple, strong, Java-based file and folder encryption software for protection of sensitive information, such as FOUO, PII, CUI, and Privacy Act data. EW encypts all file types for data-in-transit protection, and supplements data-at-rest protection. Without requiring a formal installation or elevated privileges, EW runs on Microsoft Windows, Mac OS X, Linux, Solaris, and many other operating systems. Behind its simple drag-and-drop interface, EW offers 128- or 256-bit AES encryption, several secure hashing algorithms, searchable metadata, encrypted archives with compression, secure file deletion (often called "scrubbing" or "shredding"), and PKI/CAC/PIV support.

EW is GOTS: Government invented, owned, and supported software.
Editions

Encryption Wizard comes in multiple editions, all producing encrypted files which are fully interoperable and usable by other editions. A brief summary follows; for more information on a particular edition, click the appropriate link. To download the latest versions, see the Downloads link in the sidebar.

Public Edition may be downloaded and used by anybody at no charge. It uses the cryptography support already present in Java. It contains all the important features of EW and serves as a good introduction to the software.

Government Edition is FIPS 140-2 validated. It uses a third-party cryptography module licensed for use by Federal employees and contractors only.

Unified Edition is FIPS 140-2 validated, and may be downloaded and used by anybody at no charge. It uses a third-party cryptography module with no distribution restrictions.
NOTA BENE: at present, the Unified edition requires that your Java installation be permitted to use 256-bit keys, even if you never actually use anything stronger than normal 128-bit keys."
https://spi.dod.mil/ewizard.htm


As you probably know there are download links for source code for TENS release Version 1.7.0, released 20 Jul 2016 and before that, but source code doesn't appear to be available for TENS 1.7.3

"LPS-Public source code
1.2 GiB
Be careful when downloading the source code; the file is large."
https://spi.dod.mil/download.htm


This might be relevant regarding Encryption Wizard

"Yeah, lack of source code is a problem. Of course, the license specifically says that you can decompile the bytecode. Not the same thing as reading source, I agree, but there's not that many forms that Java can take."
https://www.reddit.com/r/software/comments/2e8vz3/dod_encryption_wizard/


CallMeLateForSupperJanuary 27, 2018 8:33 AM

@all
I call attention to one of the stories Wesley Parish posted about in this thread yesterday, "UK Prime Minister urges nerds to come up with magic crypto backdoors", because I failed to notice it my first time through this thread and think others might have missed it too. If you collect news articles - I do; I make PDFs - you might want this one, and you'll need this one if you desire a "complete set" of "nerd harder" articles. :-)

https://www.theregister.co.uk/2018/01/25/uk_prime_minister_encryption/

Note this snippet (EMPHASIS mine): "[Technology] companies have some of the BEST BRAINS in the world. They must focus their brightest and best on meeting these fundamental SOCIAL RESPONSIBILITIES."

Great praise followed immediately by the call to be socially responsible. Where and when have we heard that exact message before?

"In all likelihood, [politicians] are waiting on a change in public mood."
I'd say that's not just likely, it's a slam-dunk. ISTR it was FBI's Comey ... or was it NSA's Clapper?... who said as much: when/if another 9/11 happens, LE and IC will get their blank check.

@Wesley Parish
Thanks for linking this article. The Register is not in my "bookmarks", so I would have missed this article.

Dirk PraetFebruary 6, 2018 3:27 AM

@ Wael, @Anonymous2c, @65535

Re. PGP/GPG

What exactly are you trying to achieve by means of GPG, I mean, what exactly is it you want to do, for what reason and to protect what from whom ?

WaelFebruary 6, 2018 5:46 AM

@Dirk Praet,

This was the question: Is it worth considering "GnuPG for OS X Installer for GnuPG".

Welcome back! Even if temporarily;)

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.