Friday Squid Blogging: Interesting Interview

Here's an hour-long audio interview with squid scientist Sarah McAnulty.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on March 9, 2018 at 4:22 PM • 184 Comments

Comments

echo • March 9, 2018 5:06 PM

Kaspersky discover a false flag operation. This particular attempt seems a little crude but, itself, can also be a hall of mirrors. I would hate to be the person pressing any button dependent on this kind of data.

http://www.theregister.co.uk/2018/03/08/analysis_suggests_norks_not_behind_olympic_destroyer_malware_attack/

https://securelist.com/the-devils-in-the-rich-header/84348/

The existence of the fake Rich header from Lazarus samples in the new OlympicDestroyer samples indicates an intricate false flag operation designed to attribute this attack to the Lazarus group. The attackers’ knowledge of the Rich header is complemented by their gamble that a security researcher would discover it and use it for attribution. Although we discovered this overlap on February 13th, it seemed too good to be true. On the contrary, it felt like a false flag from the beginning, which is why we refrained from making any connections with previous operations or threat actors. This newly published research consolidates the theory that blaming the Lazarus group for the attack was part of the attackers’ strategy.

http://www.theregister.co.uk/2018/03/09/signoff_process_for_snooping_warrants_revealed/

The Investigatory Powers Commissioner's Office, the body tasked with watching UK spooks, has revealed how it will decide whether to approve snooping warrants authorised by government. The advisory notice (PDF) published yesterday will act as a guide for IPCO's 15 judicial commissioners – working and retired judges appointed to help regulate the intrusive spying powers granted to government under the Investigatory Powers Act 2016. Previously, politicians had sole say over what investigatory powers the spy agencies could use.

IPCO Advisory Notice 1/2018
https://ipco.org.uk/docs/20180308_IPCO%20Advisory%20Notice%2012018.pdf

With regard to the European Convention (as implemented via the Human Rights Act) and EU law sections 19-23 are interesting.

19. The purpose of the so-called “double lock” provisions of the Act are to provide an independent, judicial, safeguard as to the legality of warrants, in particular to their necessity and proportionality. In cases engaging fundamental rights, the Judicial Commissioners will not therefore approach their task by asking whether a Secretary of State’s decision that a warrant is necessary and proportionate is Wednesbury reasonable, as this would not provide the requisite independent safeguard.

20. This is the approach that is taken by domestic courts in judicial review cases when reviewing measures and decisions that interfere with fundamental rights under the Human Rights Act 1998 and when applying EU law, and a similar approach is adopted when considering interferences with common law rights. Since the Judicial Commissioners are required to adopt the same approach as would be applied by a court in judicial review proceedings, the Judicial Commissioners will adopt this approach in such cases.

21. The engagement of the Human Rights Act 1998 and EU law will also have a bearing on the scrutiny afforded in individual cases as a greater level of scrutiny will generally be required where the 1998 Act or EU law is engaged.

bttb • March 9, 2018 7:32 PM

How do you verify a purchased Knoppix 8.1 DVD (contained in ADMIN magazine at a bookstore near you) against the download hashes, signature, or the like from knoppix.net?

Sometime back, Clive may have recommended CDs or DVDs from magazines. Is that still valid?

Regardless, I am looking for a way to verify a purchased DVD against a downloaded DVD somehow. Along those lines I found these links.

https://unix.stackexchange.com/questions/39467/how-to-verify-a-cd-against-an-iso-image
https://unix.stackexchange.com/questions/373123/how-to-checksum-a-cd-dvd-to-verify-integrity-of-my-debian-installation

Clive Robinson • March 9, 2018 8:10 PM

@ echo,

From the end of the Register article,

    Costin Raiu, Kaspersky’s director of global research and analysis, warned the conference that attribution is going to get tricky in the next couple of years. Security firms are building code databases that could automate the attribution of malware samples, but at the same time coders are getting smarter and we could see similar false flag operations in the future

It's nice to see people catching up with this blog ;-)

As I pointed out just a day or so ago, commercial investigation companies are at a distinct disadvantage when it comes to Internet malware attribution, they cannot do what is required to get a higher level of confidence without breaking the law...

Personally I think that there have been rather more than just this one false flag operation. With the limits on what they can lawfully do in the digital realm the next best thing companies can do is a "follow the money" type reasoning exercise. Which with supposed State Level activities means political analysis. Of which I'm now starting to think should be done by a separate team to those doing the code analysis. That way if the confidence levels differ sufficiently people can start looking for evidence of a false flag operation.

neill • March 9, 2018 11:00 PM

@Anna Stasi

wonder if anyone looked for natural causes, too, w/o first trying to find malice here, nation-state attacks etc

from news footage i remember it's a tall building with recessed windows, maybe in a 'windy' part of town (pun) ... that could lead to wind buffeting in the infrasound freq range

it happened e.g. new all-glass buildings (or aluminum facades) that the suns rays were reflected and concentrated, melting nearby plastics or blinding peds

a 7kHz 'chirp' could have come from some bloke listening to 'kraftwerk' while nearby ...

Hmm • March 10, 2018 12:42 AM

@echo

Lazarus group isn't (alleged to be) Russia, but NK. Russia framed NK, according to that KAV report.
Worth mentioning that I think, if readers assumed Lazarus was Russia it would be very confusing.
Lazarus group was framed, Lazarus is NK associated with the US Sony hack and attacks on SK foremost.

The KAV report does (conveniently and of necessity both) leave it open-ended because they don't actually "attribute" the attack, just say the header was forged and thus the attack was a frame job on some level trying to make it look like NK's Lazarus. So they don't for example go into whether US framed Russia in framing NK's Lazarus.

However specific malware details cross-pollinated with NotPetya, which (if you believe anyone reporting publicly knows anything real) was a major (billions) attack on Ukraine's economic and industrial centers pretending to be ransomware, but without any capability to either accept the coins it demanded as ransom nor to restore the files it destroyed. Kind of an odd series of coincidences for "ransomware" targeting Ukraine mostly, and it has other major shared DNA with the IOC attacks according to those same sources. (Sofacy.) Kaspersky seems to my read just to be reinforcing the existing attribution without spelling it out and "picking a side" on it. Gnome saying? Does that make sense to you also or am I a rooftop night gardener for reading it that way?

@Anna Stasi

It seems to have several limitations in explaining what may have happened in Cuba, one notes also asserting it as "an accident" no less : Various US intel agencies have in fact swept ALL the rooms, hotels, apartments, and found nothing of the sort. There's reason to believe this happened over a long period of time which would leave a large chance for exposure of devices if left in situ as alleged by hypothesis.

Now obviously agencies might omit a report of that type of device for some intelligence/diplomatic purpose, but one would imagine if they found sought proof or a smoking gun that something as serious as a covert attack on diplomatic staff - for which we've already pulled all diplomats from the entire country for example, one or two steps below dropping all formal relations - one can hardly imagine they'd be covering for their attackers by keeping that secret and looking incompetent and vulnerable the while.

As far as the idea that the CIA's own secret ultrasonic bugs 'interfered' somehow and caused these massive brain injuries, it's just about as ridiculous as anything one could invent and have zero evidence of but still say is "like, possible, man" between bong rounds. Sure it's possible. But nobody found any of them, or the guy that did was murdered by the CIA to keep him from talking. Either way we have zero (public) evidence of Dr. Fu's proposed hypothetical sources of interference, transmitters or jammers, either one.

It is true you can do a lot with ultrasound interference. You can levitate items in mid air with a very specifically tuned rig, cut flesh, push air around, whatever. What you can't do is do any of that easily at all through a wall or window, or easily target someone's pillow on their hotel bed without a very deliberate aim to do that. That would take either new tech or a lot of emitters that then all disappeared within hours to days. It's not impossible. They just didn't find any, that we know of. Not one. You'd need several, they targeted several places over a period of weeks to months. It's easy to see how that would be a complex operation to pull off without anything being found even as agencies are sweeping the sites.

Moreover the idea that "covert" devices are actively broadcasting even nearly powerfully enough to even possibly resonate as described and cause these serious "shaken brain" type damages is just ridiculous on a physics level, to say nothing of the OPSEC level. You would need a purpose-built device to be able to do that even a few feet away, by definition not covert at all. If it was IN the mattress, that's about the distance where any of this Dr. Fu hypothesis would even be possible - The problem with that of course is some people weren't hit in their beds, and the lengths of device-on attack times varied substantially. Then they suddenly stop(!) They don't continue when anyone is around to monitor, they start happening somewhere else to a new victim? If "accidentally" caused, that's a pretty long series of coincidences for imaginary invisible bugs that nobody can find "accidentally" causing brain damage in the next room, then stopping and hitting someone else in a different building, over a period of months.

It just seems out of place for Fu to say "accidental" so very hypothetically this early into this event.
Did that stand out to anyone else?



Cassandra • March 10, 2018 4:29 AM

@bttb

You raise a very important and subtle question. The simple, and quite possibly incorrect, answer, is to run a checksum program on the DVD and compare the calculated checksum with the one published on the Knoppix web-site. However, ultimately, it is turtles all the way down.

There are three checksumming methods in general use for doing what you want:

md5
sha1
sha256

The results of checksumming a Knoppix 8.1 ISO image are available on the various download mirrors where Knoppix itself is available - for example, http://mirror.switch.ch/ftp/mirror/knoppix/DVD/

How to checksum an ISO image and verify that it is legitimate is covered in the Knoppix downloading FAQ here: Knoppix Downloading FAQ

However, note that you do not have an iso image, but an actual physical DVD, so you need to be aware of a couple of things.

1) You do not necessarily know that the Knoppix 8.1 on the DVD is meant to be exactly the same as the Knoppix 8.1 you can download. There could be minor differences which change the checksum. On the other hand, if the DVD and the ISO contain exactly the same data, the checksum will be the same - so if the checksums do match, you can use the procedure in the FAQ.
2) The layout of data on the DVD can be (and often is) different to the layout of an ISO image file on a disk. Essentially, one or the other can be padded with zeros so that the data fits exactly into an integer multiple of the minimum block size of the device the data is stored on. If the checksum program reads all the storage blocks including the zero padding, then if the block-sizes are different, you will get checksums that do not match. You are not the first to come across this issue, and solutions are outlined here, as you yourself found: Calculate md5sum of a CD/DVD

Verifying the checksum using md5, sha1 and sha256 and verifying the PGP signature are probably 'good enough' for your purposes. However, if you are the subject of interest of people who can influence your Internet connectivity and physical post, it is difficult to ensure the information you obtain through those methods is untampered with, which is why I made my 'turtles all the way down' comment.

Clive Robinson's comments about using software from magazine covers (assuming the magazine is bought from a random vendor) ensure that it is less likely that you will receive software that is specifically tailored for you. It does not protect against generic tampering.

Note that the checksumming programs, and PGP signature verification programs you use should also be trusted by you, so you would need to think about where you source those from, and indeed, the status of the computer you execute the programs on. The precautions you take will depend upon your level of (justified or not) paranoia. If you are an average law-abiding citizen, then downloading a couple of well known 'Live CD' or 'Live USB' Linux or BSD distributions and using the checksumming and PGP programs included with them is probably 'good enough'.

Cassandra
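A worked version of the size-bounded comparison Cassandra describes (hash only the bytes the ISO image contains, so zero-sector padding on the disc is ignored), as an added example that is not part of her comment or of Knoppix's own tooling. The fake ISO and disc it builds are constructed inline, and the isoinfo parser assumes the `Logical block size is:` / `Volume size is:` lines that `isoinfo -d` prints.

```shell
#!/bin/sh
# Added example, not from the original post or from Knoppix: verify a pressed
# or burned DVD against a downloaded ISO by hashing only the bytes the ISO
# actually contains.  A disc is read in whole 2048-byte sectors and is often
# padded with zero sectors past the ISO's end, so hashing the entire device
# and the entire ISO file disagree even when the data is identical.
# Needs only coreutils (head, wc, sha256sum, cut) plus awk.

SECTOR=2048   # ISO 9660 logical block size

# Print the SHA-256 of the first $2 bytes of $1.
# $1 may be an ISO file or a block device such as /dev/sr0.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Read the output of `isoinfo -d -i /dev/sr0` on stdin and print the number of
# bytes the filesystem on the disc occupies (logical block size * volume size).
# Use this to bound the read when you have only a published checksum and no
# ISO file to take the size from.
iso_bytes_from_isoinfo() {
    awk '/^Logical block size is:/ { bs = $5 }
         /^Volume size is:/       { vs = $4 }
         END                      { print bs * vs }'
}

# Compare disc (or device) $1 with ISO image $2; exit status 0 on match.
# Only as many bytes as the ISO holds are read from the disc, so trailing
# zero padding is ignored while any altered byte inside the data is caught.
verify_disc_against_iso() {
    disc=$1
    iso=$2
    n=$(wc -c < "$iso" | tr -d ' ')
    [ "$(hash_prefix "$disc" "$n")" = "$(hash_prefix "$iso" "$n")" ]
}

# Constructed sample data (not a real Knoppix image): a 5-sector "ISO" of a
# repeating line, and a "disc" holding the same data followed by 13 zero
# sectors, as a burned DVD might.  Both are written into directory $1.
make_sample() {
    awk 'BEGIN { for (i = 0; i < 512; i++) printf "knoppix sample data\n" }' \
        > "$1/knoppix.iso"                       # 512 * 20 bytes = 5 sectors
    cp "$1/knoppix.iso" "$1/disc.img"
    head -c $((13 * SECTOR)) /dev/zero >> "$1/disc.img"
}

demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp"
    echo "whole-file sha256 (ISO) : $(sha256sum "$tmp/knoppix.iso" | cut -d' ' -f1)"
    echo "whole-file sha256 (disc): $(sha256sum "$tmp/disc.img"   | cut -d' ' -f1)"
    if verify_disc_against_iso "$tmp/disc.img" "$tmp/knoppix.iso"; then
        echo "size-bounded comparison : MATCH (padding ignored)"
    else
        echo "size-bounded comparison : MISMATCH"
    fi
    rm -rf "$tmp"
}

demo
```

For a real disc, replace the constructed `disc.img` with `/dev/sr0`; the published md5/sha1/sha256 values apply to the same size-bounded read.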

keiner • March 10, 2018 4:44 AM

@bttb

To me it is not 100% clear what you want to "confirm" by this exercise.

Do you trust the DVD, because you bought it "ready to use"? Then use it.

Don't you trust the DVD? Then don't use it.

Why compare a checksum for the DVD to the download version? Would mean you trust the download version. So download and use it!

You can't compare two untrusted versions or a trusted vs. an untrusted and conclude to trust in the end one or both of these copies. Doesn't make sense to me...

Lycos • March 10, 2018 5:34 AM

1/6/2016, fatally-weak-md5-function-torpedoes-crypto-protections-in-https-and-ipsec

Cassandra • March 10, 2018 6:02 AM

@Lycos

It would be difficult for an adversary to generate hash collisions for MD5, SHA1, and SHA256 for the same file, so good practice would be to check all three, if available (which they are).

Cassandra

Gunter Königsmann • March 10, 2018 6:10 AM

If the internet provider exchanges both the program and the md5 (https://m.heise.de/security/meldung/Opera-VLC-WinRAR-7-Zip-Skype-Tuerkischer-Provider-ersetzt-Downloads-durch-Spyware-3990285.html), checking the checksum won't help. If the CD was made by someone with a different provider it will maybe.

echo • March 10, 2018 6:10 AM

@clive

I wondered if you would notice the comment about attribution problems! While everyone, their cat and their dog skips my highlighting the human rights issues I do agree with your noting the political angle must be considered parallel to the attribution issue. My reasoning is if there is no clear scientific or legal explanation then it must be political and political often implies hidden agendas, and not being wholly truthful and, of course, complicity.

The issue of law I mentioned is one thing. Section 21 sounds fine on the surface but contains a few problems. "Greater scrutiny" is one way UK "authorities" use to put on the appearance of an investigation and, allegedly, use to subvert European law and the European courts including the European Court of Justice which I'm not persuaded the ECJ fully realises even if Brussels politicians seem to have some suspicion this is the kind of game the UK government plays. Nobody has yet managed to nail the UK government for this but I'm fairly sure a "collect it all" approach to a legal case may open this door.

"The secret of science", he once said, "is to ask the right question, and it is the choice of problem more than anything else that marks the man of genius in the scientific world." -- Henry Tizard. (The sexist sod.)

JG4 • March 10, 2018 6:41 AM

If you think that government is expensive, try anarchy. Just for the record, I used to self-identify as a member of the anarchist wing of the libertarian wing of the Republican party. Now I am skeptical that any human effort can alter the future on a long timescale. There will be a lot of self-similarity in the vortices that are spawned and play out along the way. "On a long-enough timeline the survival rate for everyone drops to zero."

https://www.nakedcapitalism.com/2018/03/links-3-10-18.html
...

Imperial Collapse Watch

The Gulf monarchies and the corruption of US foreign policy NationofChange (furzy)

Big Brother is Watching You Watch

Think One Military Drone is Bad? Drone Swarms Are Terrifyingly Difficult to Stop ExtremeTech (furzy)

There Are No Guardrails on Our Privacy Dystopia Motherboard

Documents Prove Local Cops Have Bought Cheap iPhone Cracking Tech Motherboard
...

keiner • March 10, 2018 7:04 AM

@G Königsmann

Good point, never obtain file and checksum via the same route if really critical.

Checksums should be available in forum announcements for releases, ideally as gif or something (if you want to be really sure).

echo • March 10, 2018 7:23 AM

These two scientific discoveries are curious. I'm not able to articulate this and wonder if there is some relationship or insight which can be derived, like detecting stars on the other side of the milky way through the noise, which has or might have applications within cryptography/cryptanalysis.

A Classic Formula For Pi Was Discovered Hidden in Hydrogen Atoms
https://www.sciencealert.com/formula-for-pi-has-been-discovered-hidden-in-hydrogen-atoms

Back in 2015, scientists found something amazing for the first time - a classic formula for pi hidden in the world of quantum physics.

Even The Most Massive Objects in Space Are Ruled by Quantum Mechanics
https://www.sciencealert.com/massive-astrophysical-objects-are-governed-by-schroedinger-s-equation-quantum-mechanics-disks

The foundation stone of quantum mechanics doesn't just describe the behaviour of infinitesimal subatomic particles – it also governs the movement of the largest and most massive objects in the Universe, says a prominent astrophysicist.

Clive Robinson • March 10, 2018 8:12 AM

@ echo,

While everyone their cat and their dog skips my highlighting the human rights issues I do agree with your noting the political angle must be considered parallel to the attribution issue.

Human rights are very definitely part of politics. If you regard society as I do as being on a journey then as a "ship of state" it has both a prow and a stern. If a society is progressive then you have the liberals at the prow looking forward and the conservatives at the stern looking back. As a society becomes more repressive as many are these days it is the conservatives at the prow trying to turn the ship around to return to whence it came. One major problem with going back is that the past has gone and cannot be reclaimed; to try to do so is to rebuke those who have fought long and hard to drag society out of an unenlightened past.

In the middle you have the majority, whose main interest is generally to form relationships and thus family. The liberals try to get them to look forward to what they hope will be a more egalitarian future for all. The conservatives on the other hand try to paint a rosy picture of the past that is all but false in its reality to drag the majority back and downwards. In general the conservatives only tell what they think is the best of the past, which is most easily interpreted as what is best for the tiny elite. It generally does not involve money or power but status. They will happily lose 50% of what they have if it means the majority lose more, thus opening the status gap in their favour. Such foolishness can be seen currently with Brexit. Whilst I am no lover of the unelected EU elite who in many ways are ultra conservative and long for the early 1900 coal coalition, I can see that membership of what is probably the world's wealthiest trading block makes good sense, especially when the only real way to change it for the better is from within.

At the end of the day human rights are a gift from today to our and others' future and that of our descendants. Thus we should be very wary of those who use petty arguments that have little or no merit at the worst of times to degrade them. For the past decade and a half we have had those who seek both money and power aligning themselves with those who want status at any cost. It is without doubt a "very unhealthy alliance" from which no good for the majority can occur.

As for Prof Tizard, do not judge him through the attitudes of modern society, but the society he was brought up in. Back then Science was still seen as part of philosophy. That in turn was still in the throes of casting off the Victorian and earlier requirements of entering the church to actually get a degree. And as we know today religion in the western world is still very much about chauvinism and misogyny and it is the congregations that are often more conservative than the clergy.

Further, piety and poverty often go hand in hand and it is easy to see this from the prolific numbers of non-mainstream organisations that claim to be churches or charities in South East London and many other places. Most have little or no legitimacy and often leave debt and damage as the profligate ministers disappear supposedly on "missionary work" abroad shortly prior to the authorities turning up at their door.

To see how bad it can be such ministers tithe the congregation at 10% or more of gross not net income... Various techniques are used such as sending the elders around to the homes of those who do not pay or stop attending. If that does not work then they are disturbed at their work place as are their known friends etc. It is with little doubt a quite effective form of a protection racket. Of course when the minister does disappear on his missionary work the elders discover they are often the ones to carry the debt...

Mark • March 10, 2018 8:58 AM

FooCrypt,0.0.1,Core,Live,Linux just went live.

http://www.foocrypt.net/live-linux.html

https://www.fookey.net/store/p886/FooCrypt%2C_A_Tale_of_Cynical_Cyclical_Encryption._%3A_FooCrypt%2C0.0.1%2CCore%2CLive%2CLinux_%3A_For_ANYWHERE_on_ANYTHING.html


Featuring....

FooCrypt,0.0.1,Core
Live Linux ISO based on uBuntu 16.04.03.
dd to a USB disk for Live USB booting, for ANYWHERE on ANYTHING
VM the ISO into a hypervisor, no DISKS REQUIRED.
Network has ingress / egress set to rejected for all packets once the firewall loads, just don't give it a NIC for 100% guaranteed only local physical access.

Supports the hardening of 97 OpenSSL 1.0.2g Cyphers by DEFAULT, utilizing The FooKey Method. [ http://www.foocrypt.net/uploads/2/5/0/3/25038315/20180304005345_usr_local_openssl_foocryptlinux4.10.0-28-generic_bin_openssl-1.0.2g_bin_openssl-5_2.log ]

http://www.foocrypt.net/validation.html

http://www.foocrypt.net/the-fookey-method.html

Moo Cow • March 10, 2018 11:24 AM

While this will undoubtedly be appealed, for the first time a federal appeals court has ruled that victims of data breaches have suffered enough harm to bring class action suits against companies for their poor security practices. This is a huge win for consumers, it has the potential to radically alter the economics of corporate security, and it will likely be given special weight by other appeals courts since the 9th circuit sits on the doorstep to Silicon Valley.

https://www.mediapost.com/publications/article/315744/zappos-must-face-class-action-over-data-breach-ap.html

parker • March 10, 2018 2:36 PM

@Moo Cow

It's not a huge win for consumers.
It's a huge win for lawyers.
It will have the opposite effect to that expected.
All the lawyers will have to do is demonstrate that there was something, anything, some tiny patch or update, that wasn't done.
This reminds me of the straw man front and center in patent reform arguments.
Does all of this lunacy really originate in N CA? Yep, follow the money.

Panzerknackerli • March 10, 2018 3:14 PM

First digital safe deposit hack ever?

On 9th March 2018, robbers emptied several boxes in an auto safe deposit box of a Raiffeisen bank located in Basle. There are no traces of destruction at all...

Seems, this is the first ever digital safe deposit hack.

Obviously, the bank has got no idea how much was stolen. However, as this was an auto safe deposit box, I do not think the value of the stolen items was substantial. In Switzerland, as far as I know, there is only one more auto / drive-in safe deposit box. It belongs to the Zurcher Kantonalbank and is located in Zurich City's district 5.

Usually safe deposit box rooms are located in the basement of a bank and you can only enter that room once a bank employee has opened the main door. Typically, in those safe deposit boxes, people would stash their SFr 1,000 bank notes (some $1k). A cheap and simple way to avoid declaring one's nest egg. A small safe deposit box costs some $60 per year only but can store a few 100 SFr 1,000 bank notes. However, it never ever happened that a regular safe deposit box of a bank was robbed. As opposed to the U.K. (e.g. the "famous" Hampstead Safe Deposit Box [does it still exist?]), there are no standalone safe deposit boxes in the country (except the previous two).

https://www.bzbasel.ch/basel/basel-stadt/diebe-klauen-millionenbetrag-aus-basler-raiffeisen-schliessfaechern-132301984

Hmm • March 10, 2018 3:42 PM

@Mark Lane

Your "foo key method" link... you need to turn off the blink tag man.

Not cool!

Jim • March 10, 2018 9:43 PM

Nick P, Thoth, and others

Anyone had a look at the technical surety and utility of Fookey?

MrC • March 10, 2018 9:53 PM

@ parker:

You seem to be speaking from a place of ignorance, both about this particular opinion and about negligence law in general.

This opinion does not say, "All the lawyers will have to do is demonstrate that there was something, anything, some tiny patch or update, that wasn't done," or anything close to that. What it does say is:
1. Increased risk of identity theft/phishing/pharming/etc. is itself a redressable harm. In other words, "you can't sue me because the hackers haven't committed identity theft with your info... yet... so far as you know" is not a valid defense.
2. "OK, identity theft was committed with your info, but you can't sue us because the fraudsters might have gotten your info from a different data breach" is also not a valid defense, unless the defendant proves the fraudsters actually did get the info from a different data breach.
When you actually read what the Court said, it's pretty obvious that the Court got this one right, and that Zappos' arguments were bullshit.

Not only is your statement that "All the lawyers will have to do is demonstrate that there was something, anything, some tiny patch or update, that wasn't done" not a remotely accurate description of this particular opinion, neither does it accurately describe the law of negligence in general. You seem to be implying that any security failing, even if totally unrelated to the data breach, gives a basis for a lawsuit. This is not correct. In reality, a plaintiff would have to prove:
1. That patch X was not applied.
2. That a reasonable person, standing in the defendant's place, would have applied patch X.
3. That the data breach would not have happened had patch X been applied.
If a plaintiff can prove that, then they ought to win, oughtn't they? Or are you really shilling for the position that corporations should never face consequences for data breaches, ever?

Jim • March 11, 2018 1:49 AM

@Mark

thanks for your response and contribution. I don't have an interest/need for using the product myself. From a technical perspective however, this not being my field, I am also interested in feedback on Foocrypt from experts such as Mr Bruce Schneier and other regulars here. Funny name! :-) Are you on civvy street or in the services, Mark?

Mark • March 11, 2018 2:00 AM

@Jim

Civilian, that worked in the defence sector providing engineering capabilities.

FooCrypt & FooKey kinda evolved from my 70's Cobol Programming and that well known Foo character, combined with the common programming methodology of 'for foo in bar' where bar is short for the barhumbug that #Oz has received by the Government's adoption and implementation of #Wassenaar.

FooCrypt & FooKey is simple to understand, its key management and applies multiple layers of encryption whereby the key length is max'ed to ensure that brute force attacks have to run for a very long time and/or consume a lot of CPU cycles in order to get down to the data. It's a fairly old method ( I originally wrote back in the pre dot com 1990's when SATAN & COPS picked up prevalence ), if you read the export permit Defence ended up providing after extremely long delays.

The FooKey Method, minimizes possible unknown exposure to MALWARE, etc.

Wesley Parish • March 11, 2018 2:21 AM

@usual suspects

https://www.bleepingcomputer.com/news/security/sgxspectre-attack-can-extract-data-from-intel-sgx-enclaves/

Academics say an attacker can leverage the repetitive code execution patterns that these SDKs introduce in SGX enclaves and watch for small variations of cache size. This is a classic "side-channel attack," and is quite effective.

It struck me that this is an example of metadata attack. And thus side-channel attack is a subset of metadata attack.

Major • March 11, 2018 11:35 AM

@JG4

I used to think anarchy was a good idea. I found my interest was inversely proportional to having something to lose! Well off and established it sounds horrible.

And furthermore, it is untested, and undoubtedly would lead to economic chaos. Who does this serve? The sick & vulnerable would be at greatest risk.

echo • March 11, 2018 11:41 AM

@Clive

Yes, it's all a bit of a bother isn't it? When you described the system before I imagined it was akin to a hyperactive spider fighting with a bottle of glue.

I agree education is lacking and the UK especially lacks a proper degree of civic education not to mention history being too tilted towards the same old razzle dazzle job titles and their writing of the narrative.

Professor Tizard is as you say. I was being a little ironic as I do recognise the history you describe and like old school gentlemanly behaviour and charm. On the other side of the fence women can and do find ways to make the system work in a human way in spite of institutional toxicity.

UK law is practiced somewhat differently to mainland EU and the US. There is very little in the way of strategic legal action. The system seems to bump along with the status quo or pick up the pieces rather than be a corrective against executive action. I suspect this is one reason which the Equality Commission is pressing for powers to bring cases in a similar way to the ACLU.

@Mr C

In UK law the "reasonable person" test is relative, i.e. if the person is an expert then the threshold for performance is raised. While some "experts" have tried to pull a fast one and con the court into judging them on the lesser threshold this obviously isn't true but is something to watch out for. There is also the issue of the lay citizen who may themselves have done their due diligence and be able to claim an equivalent (or greater) expertise. This has standing in UK courts and may be a significant factor to weigh in a battle between "expert opinion" and the citizen's opinion. This degree of lay expertise may also feed into expectations of performance and whether the "expert" paid due regard to the situation.

With regard to the average person and dealing with goods and services (i.e. dealing with experts and policies and guidelines and other material relevant to a decision) the EU Goods and Services Directive applies which means that clever clever language or obfuscation and so forth weighs against the provider if a claim is made against them.

echoMarch 11, 2018 11:57 AM

The Chinese are pressing forward with "smart glasses" being used as blanket surveillance technology. My sense is, like your average UK bureaucrat of the type who likes the power their job title confers a little too much working without oversight and I daresay US politicians et al, that the Chinese are pressing forward with what they perceive they can get away with. See also the power grab by China's President Xi Jinping (not to mention you know who occupying a house painted white to obscure gunpowder burns and Brexit campaigners).

https://www.reuters.com/article/us-china-parliament-surveillance/china-eyes-black-tech-to-boost-security-as-parliament-meets-idUSKBN1GM06M

BEIJING (Reuters) - At a highway check point on the outskirts of Beijing, local police are this week testing out a new security tool: smart glasses that can pick up facial features and car registration plates, and match them in real-time with a database of suspects.

albertMarch 11, 2018 1:19 PM

@Mark,

Please address the reason for the annoying blinking. Is it really necessary? Will it help 'sell' your product? What?

. .. . .. --- ....

HmmMarch 11, 2018 1:27 PM

I'm with Albert on the blinking. I don't think that's helping advertise the product.

WhiskersInMenloMarch 11, 2018 1:31 PM

@Cassandra

A DVD can sit and the researchers can work on validating it and the contents. If nothing else sitting on the shelf for a month can do no harm and still allow checking by canary users.

Containers and VMs can allow mixed system cross validation.

It is not silly to boot a read only live-DVD from two years ago and use it to validate the latest DVD image download. It is not silly to keep that old laptop and use it only (behind a firewall or air gap) to build the check and install bootstrap tools to improve the confidence of the new distribution.

While it is common to say that it is turtles all the way down, some of the turtles can be snapping turtles and some of the turtles can stand on hippos, alligators and crocodiles.

Mono culture was one of the reasons the Dutch Elm disease killed so many elms so quickly. Had cities large and small planted a mix of alternating trees some culling might have stopped or drastically slowed the progress of the infection.
https://www.forestry.gov.uk/fr/beeh-9u2k3p
Chestnuts too.

This mono culture problem is way too much like the current operating system and communication tool set. The success of Microsoft gives joy to those that wish to hack and attack. Like Apple, should Microsoft allow the escape of software crypto keys, a lot is lost.

Oh and do not forget the flood of IOT devices that like the Trojan Horse need only carry a small set of tools to get behind the well locked gates and open them to let the larger army in.


albertMarch 11, 2018 1:48 PM

@Anna Stasi, @hmm, neill,

I agree with the analysis in the link you cited. I reached similar results with my own analysis, as I reported in an earlier comment. However, that's only half the story. We started with a dirty sample. You can hear room background noise in the sample I used. Some from on site no doubt, but some from the room the sample was played back in. It's in the lower freq spectrum.

We have no details regarding the on-site investigation. Did the rooms have occupancy detectors? Did they have bug repelling devices? Spooks aren't likely to give up secret technology (even if it's not so secret), so it's anyone's guess as to those details.

Ultrasonic jammers for mics are an interesting concept. Useful in places that you can't sweep. They may be valuable for interview rooms (like when outsiders are present), but sleeping quarters?

I would like to see actual research on the effects of those particular sounds on human subjects. That's the real issue here. This is not likely to happen any time soon. I suspect that there -is- secret research in that area that we don't know about. Neurologists know that brain damage can be caused by factors other than physical trauma.

I have worked on industrial ultrasonic equipment (used for heat sealing). Those transducers are aluminum blocks. They are obviously high power devices. Closer to home, check out the cone movement of a tweeter. Depending on the designed freq range, it's undetectable. Piezo tweeters have no magnets or coils.

Y'all can check out a Google satellite view of the building. It's practically in the water, on the NW coast of Cuba. There's also a field of very tall flagpoles facing the E side of the building. See 'Monte de las Banderas'. They form a chevron arrangement. Interesting history, that.

I guess I'm just naturally suspicious.

. .. . .. --- ....

HmmMarch 11, 2018 2:02 PM

@Albert

And yet nobody has demonstrated the specific type of damage can be caused with Dr. Fu's methodology.
That's a big hole, in addition to his big assertion of "accidentally" in there as if that's supported.

"Spooks aren't likely to give up secret technology (even if it's not so secret), so it's anyones guess as to those details."

But nobody has found any of this "secret" technology or even demonstrated that it was used here.
Yes they swept the rooms. A lot. They found nothing, unless they kept it entirely under wraps.
Look at the subsequent actions : They recalled the diplomats and continued investigating.

They didn't attack a single building either, that's a misread. It occurred over months.
There's been plenty of opportunity to discover any "accidental" cause/devices.

Nothing.

echoMarch 11, 2018 3:53 PM

@hmm

It wouldn't be "secret" if they put on a public demonstration or left it lying around for anyone to find. Ok, I know there's the Lockheed F-117 Nighthawk (which suffered both fates) and the British Welrod WWII era suppressed pistol blurted out without permission from the UK from previously confidential American records and the Valerie Plame affair, or the Strategic Defense Initiative "secret" weapons which didn't actually work but spooked the Russians. I suppose it all depends which version of "secret" you adhere to.

HmmMarch 11, 2018 4:35 PM

@echo


Ultrasound emitters aren't some fantastic new tech, but using several as a weapon like this hypothetical would be unprecedented certainly against multiple Diplomatic staff members in a covert brain damaging attack, perpetrated over months in several different locations. There could be an intelligence angle for keeping that under tight wraps, but then... they recalled the diplomatic staff and basically closed our diplomatic relations with the country over it. It's very serious. It's a valid cassus belli. People have serious brain damage.

So the only thing that makes sense from my perspective would be if they had a pretty good idea who was behind it, but didn't want to go all the way to WAR. "Accidental" exposure is ridiculous for reasons above, this was a purpose-built weapon of some type that was removed from the locations and ONLY targeted US diplomatic staff - That's no accident. That's no 'string of unproven coincidences' from co-interfering 'covert' devices that nobody can actually point to causing this very serious and debilitating brain damage.

If going with that theory, you require no wind in the sail and no evidence in the hold.

We provably know for example the https://en.wikipedia.org/wiki/Bulgarian_umbrella did in fact shoot a ricin pellet into https://en.wikipedia.org/wiki/Georgi_Markov, and of https://en.wikipedia.org/wiki/Poisoning_of_Alexander_Litvinenko 's killer https://en.wikipedia.org/wiki/Andrey_Lugovoy did in fact leave a radioactive trail along most every location he visited that could be later followed. These things happened.

Nerve gas was just used in the UK, affecting hundreds and obviously that's another major cassus belli. These 'coincidences' just stack up to a point where I get physically weary of talking about them to folks plausibly 'trying to keep an open mind' about these events as if there's really much doubt at all. Dr. Fu's report is debunked, he doesn't try to replicate anything approaching the actual environment nor actual brain damage. He's right that ultrasound can interfere though, sure. Taking it any further beyond what his study actually proves is a propagand-ic use of falsely-summarized information, basically.

But the idea that chirping listening devices cointerfered and gave ONLY diplomatic staff massive brain damage and nothing was found and nothing can be admitted to and our government allowed that to happen over months and months and THEN recalled our diplomatic staff from Cuba and changed security protocols worldwide... tends to be evidence in favor of something more than "accidental" ultrasound exposure - I'd say that's obvious even to lay people without security clearances if they think it through even slightly.

TLDR - In the Cuban diplomatic case, it's a major message. It's not a series of unfortunate events.
They haven't ruled out unknown biotoxins so it could be a combination attack to confuse investigation.

The question : Are these types of attacks, whether on diplomats or ex-spies in parks, going to be something that we go to limited war over - or total war? This isn't going to be something that can be ignored or 'trolled away' on the internet by disinformation campaigns. This is deadly serious.

HmmMarch 11, 2018 4:41 PM

Diners and tourists are being told to wash their clothes in case of trace contamination with a WMD.

Well over 200 random Britons have been potentially exposed to the nerve agent in the UK, as a result of the assassination attempt on the "traitor" that Russian state TV just got done gloating about.

That's where we are right now. People who want to play 'secret conspiracy' have to come back to facts:

We have been attacked and there's no compelling reason to think it's going to stop there.

This IS war.

HmmMarch 11, 2018 4:44 PM

Sorry, did I really just misspell casus belli twice? That's a personal shame.

echoMarch 11, 2018 5:04 PM

@hmm

It was a joke. I was joking. I think sometimes we can talk ourselves over the cliff. Whatever happened to "look before you leap"?

I really have no idea about the acoustic issue but the Russian poisoning issues are problematic too. While not directly related, I understand in the UK there has been an approximately 20% unexplained rise in counterfeit goods/copyright infringing. I'm wondering if this is an indicator that organised crime activity and Russian business corruption are related, which may (and I do say "may") help explain motives behind the Russian killings as there is no obvious state level motivation. All of this is my armchair speculation.

I forget the link but within the past week an AI researcher was criticised for releasing a paper which indicated techniques which could be used maliciously. This kind of AI research and other research around gene editing and chemical warfare is becoming more sensitive as these technologies with potentially catastrophic results are now within the reach of people outside of well resourced agencies.

The World Health Organisation has added "Disease X" (a hypothetical virus) for inclusion within assessments and simulations.

http://metro.co.uk/2018/03/11/mystery-illness-dubbed-disease-x-kill-millions-scientists-warn-7378506/

http://www.independent.co.uk/news/science/disease-x-what-is-infection-virus-world-health-organisation-warning-ebola-zika-sars-a8250766.html

HmmMarch 11, 2018 6:40 PM

@echo

"It was a joke. I was joking." - I did get that, sorry I wasn't more clear. I didn't mean it to seem like I was responding just to what you said there or as if you were a proponent of something, my fault there.

"as there is no obvious state level motivation." - I think it's somewhat obvious given the history.
You don't just kill someone with a nerve agent in a foreign country without a good reason.

Skripal was convicted of high treason and sent to the gulag, then freed for a spy swap.
So Putin got his own spies back, and he got to the traitor who sold out his own IC.
The latest one in a series of high-profile "reach out and touch you" operations.

That's a powerful message and motive for a strongman and/or ex-spy, either/both.
It also cements his power domestically. It's a very popular move in Russia.
Helpful when you're jailing political opponents and are effectively a lifetime dictatorship.

The fact that Russian state TV just went back and forth over "what traitors can expect"...
I don't think many are sitting around scratching their heads over the motive on this one.

You're right to be wary of the proliferation of those technologies beyond nation states.
If/when/as biowarfare tech becomes conventional or commonplace we are all screwed.
You just saw civilians exposed to WMD's in the UK. Everything is on the table.

Disease-X is I believe meant to be a NATURALLY-evolving virus, that's their threat model for it.
Even a non-weaponized superbug could devastate the entire world right now in a year or so.

It's quite a world we've left for the next generations, isn't it.

HmmMarch 11, 2018 7:59 PM

http://www.bbc.com/news/world-europe-43365800

In the film, Mr Putin says that he may forgive some things, "but not everything".

When asked by Mr Kondrashov to clarify what cannot be forgiven, the Russian leader says: "Betrayal."

The Russian president's paternal grandfather worked as a chef for the former leaders Lenin and Stalin.

(-Lenin AND Stalin. I did not know that..)

If anyone thinks I'm pro-war or anti-Russia for posting this, I apologize. I am not at all.
I do believe Putin has been fairly clear however. He ought to be taken seriously, it's no joke.
I can't find the humor.

MrCMarch 11, 2018 8:05 PM

@ echo:

Thanks for the U.K. gloss. I was specifically talking about one 9th Circuit U.S. case and its potential consequences. Nevertheless, the U.K. info is valuable. The U.S. also has variations on the reasonableness standard for certain professionals -- it's probably the same rule. I didn't mention it in my prior post because (1) I'm not aware of any precedent on whether corporate computer security "experts" are held to a higher standard, and (2) I wanted to stick to the absolute basics when responding to parker.

echoMarch 11, 2018 8:06 PM

@hmmm

The UK is being lambasted by the UN again for human rights abuses. While not necessarily the intent of government there may be the odd malicious/incompetent individual or organisational entity. I surmise the Russian affair may not be unlike this. This is all against a background of massive social and economic change. Things do look a little gloomy but also there are many opportunities offered by new technologies and freedoms.

I have never had a Russian client and, admittedly, this neuro-toxin affair would make me think twice but if their money was good and they were clean (i.e not meddling in things they would be advised to keep their noses out of and having acquired too much wealth too fast by too dubious means) what is the identifiable risk?

Perhaps more due diligence would help? I offer these two opposing views on the Russian question.

https://www.telegraph.co.uk/news/2018/03/11/vladimir-putin-gave-order-shoot-passenger-plane-sochi-winter/

Mr Putin said he sought advice from security officers and was told the emergency plan for that type of situation called for the plane to be shot down. "I told them: act according to the plan," Mr Putin said, adding that shortly afterwards he arrived at the Olympic venue with the International Olympic Committee officials. After several minutes Mr Putin received another call, he said, informing him that it was a false alarm - the passenger was drunk and the plane would continue its flight to Turkey.

https://www.theguardian.com/politics/2018/mar/11/litvinenko-widow-warns-tories-over-russian-donations
The Conservative party is facing pressure to return Russian donations after the attempted murder of the former Russian spy Sergei Skripal on British soil. Marina Litvinenko, the widow of another former Russian spy, Alexander Litvinenko, whose murder is believed to have been carried out under the direction of Russia’s FSB spy agency, said the Tories risked tainting their reputation if they held on to the cash. “You need to be very accurate where this money came from before you accept this money,” she told Sky News. “If you identify it’s dirty money [you’re] just not allowed to accept it because I think reputation is very important. [The] reputation of the Conservative party in the UK and all around the world needs to be clear.”

Clive RobinsonMarch 11, 2018 8:09 PM

@ Major.

Well off and established [anarchy] sounds horrible.

Actually it's rather less scary than where the current political incumbents in quite a few places are taking us.

What you have to remember is most people are social, even anarchists, which means there is some form of society for them to fit in. Even the most dysfunctional of micro societies have mores, morals and behavioural lines people cross at their peril. Humans have had rather more time living with anarchy than they have with Kings, Tyrants, Clergy and those johnny-come-really-late-to-the-party politicians.

Despite what politicians and some dictionaries[1] want you to believe, anarchy does not mean vilonce or disorder or the fall of civilisation. It simply meant originally "to live without leaders". Which if you think about it is what an ideal democracy is all about...

It's in the politicians' self interest for you to believe it would be disorder, chaos, etc, etc, as well as that of the "Guard Labour" they keep around to keep you away from them.

In effect it's only an "unknown hermit" that lives in a state of anarchy or pure democracy. The rest of us live in social groupings even if "we are off grid". All social structures have hierarchy, thus leaders and followers.

Just remember "A lack of a leader or leaders and their guard labour does not mean disorder, discord or any other bad thing".

[1] Anarchy : noun,
1. a state of disorder due to absence or non-recognition of authority or other controlling systems.
2. absence of government and absolute freedom of the individual, regarded as a political ideal.

echoMarch 11, 2018 8:16 PM

@MrC

Thank you. If we keep things light some legal cross-fertilisation can be helpful. I find it can help unjam thinking and reveal new ways of looking at things. There are examples of US law and legal theory which can and have been imported to the UK. (Standards of evidence and Information Theory Law are two examples.) I like to believe a UK perspective is helpful in the other direction too. While the language is different the idea of "margin of appreciation" has found its way from EU law into the latest Investigatory Powers Commissioner's Office guidelines on surveillance.

HmmMarch 11, 2018 8:20 PM

@echo

"I offer these two opposing views"

Forgive me for asking but are those two articles really 'opposing' views? I don't quite get your meaning, I'm not understanding.

Clive RobinsonMarch 11, 2018 8:21 PM

@ echo,

On the other side of the fence women can and do find ways to make the system work in a human way in spite of institutional toxicity.

On the other side of the fence is the whole world... "isms" happen, it's part of tribalism...

In fact I know one or two women who don't blame men for the current state of affairs but other women. Who for whatever reason, be it complacency or status, do not want things to change, because they are "comfortable with what they've got". That is they take the "Somebody else's problem" attitude. Thus more harm is caused by those who look away than was ever caused by those who would pick up a stick or stone. And to be honest those women are right, it's those who let things happen who are to blame...

echoMarch 11, 2018 8:37 PM

@hmm

The first article covers Putin approving shooting down a civilian aircraft and the Russian military later reporting back this was not necessary. The Russian military obviously did their due diligence before firing off a missile. Putin did seem somewhat wrapped up in doing what the manual said and the manual did seem to go far enough in this instance. The second example is Marina Litvinenko essentially reminding UK politicians to pay attention to their own manual with respect to checking the source of party funding, i.e. an appropriate level of due diligence. If the money is not "dirty" then it is fine to keep it, otherwise action must be taken.

Investigations into human rights abuses can be very difficult especially when dealing with institutions. Identifying exactly who is responsible or why, or sometimes even establishing a collective failure, can be very uncertain; more so if dealing with a scattering of influence.

Speaking of Stalin I watched three slightly security related movies this month: The Death of Stalin, Last Knights, and Den of Thieves. I recommend all three if anyone has a wet Sunday afternoon to dispose of.

echoMarch 11, 2018 8:47 PM

@Clive

Yes, I agree with this too. I guess this is where some of the more recent very public discussions at least give these things an airing.

MarkMarch 11, 2018 8:57 PM

@albert

The 'strobe' effect provides an illusion in sync with the music when played; it's nothing more than a multimedia effect that provides entertainment. Personal reaction to the 'strobe' and/or music is an individual's choice. In some respects it is an illusion, not as much as the modified illusion images created by vCrypt @ http://www.foocrypt.net/illusions.html (may confuse your mind and you may see items rotate in different directions, when in fact all components of the GIF image are identical, except for the colors).

The FooCrypt provides the end user with obfuscation capabilities in standard third party key ( FooKey ) exchange. Rather than sending the third party the FooKey ( which is protected by DEFAULT by a single layer of encryption ), you can exchange the static source from whence the FooKey was created.

ie: utilize IWMB ( Import Window Memory Binary ) to read the data from a :

GIF Image
JPG Image
Music file
Word Document
PDF Document

Modify the imported strings as per XY notations.

Exchange the source data with the third party.

Third party recreates the FooKey via IWMB.
Third party recreates XY modifications.


Confirm MD5 check sums with the Third party.

Happily exchange any data which is FooCrypt'd using the common FooKey.

It might take 5 - 10 minutes to perform between both parties over a long distance using a public medium to transport the data, but no one 'SNOOPING' on your internet connection / email / etc, will know that you have exchanged a FooKey.


It's annoying for a reason....


It highlights the obfuscation possibilities at a low level.

MajorMarch 11, 2018 9:59 PM

@Clive

I thought it was clear in context that I meant that now that *I* am well off and established, anarchy sounds horrible.

I can't think of an example of a functional anarchy of any scale in the last 500 years.

We humans are a deeply ambivalent predator species. The fact that we have a civilization of our current quality is amazing. And it is reducing poverty and increasing quality of life at a good clip.

Comparing human life with ideals is comparing apples and oranges, complex reality with simplified concepts. It is unrealistic to expect anything near perfection. The constant improvement that we have shouldn't be discarded, it should be treasured.

A country the size of England hasn't lived in anarchy since people left the trees. And there are always leaders of some sort, because we are a hierarchical pack species and we are driven to organize ourselves in this way. It is really the only way we know to conceptualize a mass endeavor like building a spacecraft or running Amazon.

I have started realizing that I no longer care to spit on a life that 99.9% of humans past and current would jump for just because it doesn't match figments of my imagination. Our way of life needs, and is achieving, slow constant improvements, not a revolutionary change like anarchy.

Rick MoenMarch 11, 2018 11:19 PM

Bruce, please consider this a very, very strong second of @CallMeLateForSummer's citation of the article "BAD TRAFFIC: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?" It's an eye-opening and technically competent expose of some governments' use of MITM hardware to do nasty Internet manipulations based on deep packet inspection. Please do have a look.

Bonus eye-opener: https://www.bleepingcomputer.com/news/security/23-000-users-lose-ssl-certificates-in-trustico-digicert-spat/ . (Note that this is a different link from the interesting one @Wesley Parish posted upthread.)

HmmMarch 12, 2018 1:34 AM

@echo I see what you meant now thanks. IMHO none in any government should be accepting ANY foreign money for elections, Russian or not - & it's not like there aren't enough political ads already - as having far-off untraced monies trying to push a local political movement they are excluded from voting in is a patent loophole. If these latest disinformation/meddling campaigns haven't underscored the need to improve our systems and processes nothing will. This wakeup call brought to you by Vladimir Putin and Oligarchy, and the letter N.

@Mark You can pipe that blink tag right off to /dev/null!

@Rick Woof, that's a comedy of errors without the comedy. SSL resellers storing the private keys!
How would anybody ever know? A: They wouldn't - until stolen & mass-defaced w/ huge malware campaigns.
If you can't trust SSL issuers to be stage I competent how can we trust anything online?
Google can't deprecate fast enough.

HmmMarch 12, 2018 1:38 AM

@Major

Just replace "anarchy" with "libertarianism" as a 1:1, it means the same thing.

These people have no idea what they're proposing. They'd complain loudly if it were so.

HmmMarch 12, 2018 2:30 AM

@Major

"Despite what politicians and some dictionaries[1] want you to believe, anarchy does not mean vilonce or disorder or the fall of civilisation." -sic

Anarchy isn't just a lack of leaders but a lack of laws and thus any meaningful enforcement of justice, any forethought in the interest of keeping ANY of us safe from our most dangerous creations, a lack of any sense of the granular consensus among we inter-dependent organs of the host. Without the host you surely would die, and any knowledge gained would not be transferred over from one life to another.. That knowledge would completely die away in corporeal form instead. Humanity would devolve in every sense. Our lives would revert to struggling to feed ourselves while dying of simple diseases. In the end there would be no lasting anarchy, there would be local despotism - and death. People would be subjugated or simply killed by the local power-that-be. So I don't think that's what you're trying to propose, is it.

But if you don't require society why don't you go MAKE your own anarchy, right? There are corners of the world where no human being will tell you what to do within reason. The government of the wild. You can be as lawless in the wilderness as the word implies, most of the world is completely off-grid uninhabited even now. Of course this hypothetical means you're already completely self-sufficient right? So why aren't you already there now? You seem drawn to chatting with society on the internet instead somehow, as if distracted from your proposed freedom. You can't have both you realize. Which is it going to be?

CassandraMarch 12, 2018 7:35 AM

@r

Also covered on Slashdot: Feds Bust CEO Allegedly Selling Custom BlackBerry Phones To Sinaloa Drug Cartel which discusses an article on the topic on Motherboard/Vice: Feds Bust CEO Allegedly Selling Custom BlackBerry Phones to Sinaloa Drug Cartel

In addition to removing the microphone and camera from BlackBerry devices, Phantom also takes out GPS navigation, internet browsing, and normal messenger services, the complaint reads. Phantom then installs Pretty Good Privacy (PGP) software to send encrypted messages, and routes these messages through overseas servers, the complaint alleges. The complaint points to Hong Kong and Panama as countries “believed by PHANTOM SECURE to be uncooperative with law enforcement.” Phantom can also remotely wipe devices in the event they are seized by authorities.

It looks like someone was doing their best to remove most of the ways a two-way messaging device could easily be subverted and/or tracked (base station triangulation would still work). The comments on the Slashdot site make some interesting points.

The complaint filed in the Southern District of California is linked in the Motherboard/Vice article: https://www.documentcloud.org/documents/4406486-Vincent-Ramos-Complaint.html

It provides further interesting details, such as an estimate of the order of 20,000 such devices in use.

MarkMarch 12, 2018 9:11 AM

If I take this text :

Hello, this is a test message containing 64 characters.........
Hello, this is a test message containing 64 characters.........
Hello, this is a test message containing 64 characters.........
Hello, this is a test message containing 64 characters.........
Hello, this is a test message containing 64 characters.........
Hello, this is a test message containing 64 characters.........
Hello, this is a test message containing 64 characters.........
Hello, this is a test message containing 64 characters.........
Hello, this is a test message containing 64 characters.........
Hello, this is a test message containing 64 characters.........

and encrypt it via FooCrypt, with a FooKey of 50 cycles, and transition it to base64 it becomes :
Anyone know why base64 censors FU2 to U2F ?

CassandraMarch 12, 2018 9:21 AM

@Hmmm
If you can't trust SSL issuers to be stage I competent how can we trust anything online?

That question has been exercising Bruce and others for quite some time. There are no simple answers. The short answer is that you cannot, the longer answer is that online trust can only be assured by building carefully upon offline trust relationships, which need to be more pervasive than you might at first think. You actually need to think about what 'online' means, what 'trust' means, what you are trying to render 'secure', and from whom, and what 'access' means. Most people have a very hazy idea about all of the above. I am very grateful to other contributors to the blog comments here for their insight and clarity of thought around these areas, which have informed my thinking for some time now. I am very much in their debt.

Cassandra

MajorMarch 12, 2018 10:24 AM

@Hmm

I think you are addressing your comments to Clive. I was not supporting anarchy.

But your argument borders on silly. Anarchists cannot use the internet, why? Anarchy is about less restrictions, not more. Enjoy your straw dog!

I am a libertarian. Your substitution of it for anarchy is without argument and not worthy of a detailed response. However, in my view libertarianism is an incremental move to more freedom while anarchy is a revolutionary break with current culture.

I do, in fact, live in Latin America because where I live is less regulated, more free, more dangerous and more fun.

MarkMarch 12, 2018 10:30 AM

I'm not asking for you to post more garbage but I doubt the text is censored. How do you draw that conclusion?

MajorMarch 12, 2018 10:43 AM

@Mark

I am full of typos today. I meant "straw man".

"Heaven and Earth are ruthless. For them the people are but straw dogs. The Sage too is ruthless. For him the people are just straw dogs. But Heaven and Earth and all between are like a bellows. Seemingly empty, when worked they give a supply that never fails."
- Tao Te Ching

MajorMarch 12, 2018 10:44 AM

Again! Straw man/dog above should have been @Hmm. No more posting until I wake up!

HmmMarch 12, 2018 11:20 AM

@Major

" Anarchists cannot use the internet, why? "

It's not like I'm saying "kick libertarians off the internet" ... although! D: Kidding.

In my view the internet is kind of a model or metaphor of governance of itself.
There's a lot going on, a lot of individual interests are set aside in compromise.

Anarchists (a few..) can use the internet, anarchy as a system cannot sustain the internet.
Or anything of that interdependent complexity. (See actual internet, cracking up even WITH laws..)
Proponents of (anyone, not you) anarchy surely must realize they'll have to give up some things.

I'll agree that anarchy is the ultimate result of unfettered libertarianism without restraint,
but small-l libertarianism can be seen as just a focus towards individual liberties in societal situ.
Where though exactly would you draw the line between ultimate libertarianism and anarchy? Aha.
You mentioned you live in SA, but that isn't anarchy or true libertarianism except in the wild.

I'll gently push back on the idea that everyone in South America has more fun, however, as far as continental competitions go, I like your suggestion. It's a fine value criterion and in fact it's valued also up north of you where I live, under the header "pursuit of happiness" of course. Everything has trade-offs, that's all I mean.

Back to the grind. Sorry if I misattributed mindsets in omission.

@Cassandra

"The short answer is that you cannot, the longer answer is that online trust can only be assured by building carefully upon offline trust relationships"

That's very true and well put. I also am grateful to those who make these things possible.

HmmMarch 12, 2018 11:43 AM

@Mark

Improvement. Not causing viewing guests to have seizures is kind of an unwritten rule I think.

albertMarch 12, 2018 11:45 AM

@hmm,
I agree with Fu's -analysis-, but not necessarily his -conclusions-. As far as recalling staff, regardless of who (or what) is responsible, it's the right thing to do. I'm sure they remember the Moscow-US embassy-microwave thing. We -know- microwaves are dangerous. The effects of low-level audio signals, ultrasonic or not, are unknown, at least in the public domain.

Any secret research is unknown to us, at this time.

Speaking of research, I wouldn't put it past some folks to use unwitting test subjects in experiments. We've done it, as have the Soviets, and no doubt other state actors.

I don't know what sweep procedures were used either. How effective are they? What kind of technologies are used? How clever are these people?

Many questions, but few answers...

. .. . .. --- ....

MajorMarch 12, 2018 11:58 AM

@Hmm

Well you may have seen my critique of anarchy addressed to Clive so we are in some agreement.

I'd say push libertarianism until the danger of breakdown of infrastructure and undesirable disorder. Isn't this a fairly obvious line?

Disorder in itself can be fecund with possibility. I spent the early 80s in the autonomous zone of Alphabet City in NYC and there never was a place more alive with art, music, entrepreneurship and freedom if one were willing to brook some risk.

Such a tradeoff is not for everyone and I wouldn't force it on everyone. But as a limited autonomous zone it is fair, feasible, and wonderful.

The internet was and is frequently conceived of as a free space, decentralized and not dependent on individual nodes and censorship resistant. A less global but more free and less infrastructure reliant net can easily be established by individuals with mesh networks.

You don't know where I am which I am purposefully eliding. Certainly much of Latin America is not as unregulated. But don't be limited by what you think you know. Freedom does not only exist in the wilderness.

I'd say the United States is wonderful in many ways. The Constitution is a marvelous document. But Americans are becoming weak and angry despite a fantastic quality of life, many incensed that someone might be having more fun than them. Amidst relative poverty there is less empty noise and more appreciation.

HmmMarch 12, 2018 12:41 PM

"I agree with Fus -analysis-, but not necessarily his -conclusions-."

Then we agree also more than not. It was broad conclusions that were the glaring part.
The effects of infra/ultrasound on people are not public knowledge, that's true.

"I don't know what sweep procedures were used either. How effective are they? What kind of technologies are used? How clever are these people?"

That's a black box, no way of knowing to us. I'd imagine they're relatively as tech-adept as the attackers in this case though that's pure hunch. Detecting inf/ult is not rocket science if you're looking but of course anything could be overlooked once, twice, a dozen times. But we do know that several agency teams swept several times in several places, and nobody admitted to finding anything or published anything on it. One would expect those sweeps to be pretty comprehensive towards the middle-end of the event chain given the seriousness of the circumstances. In this case the extent of the damage was not known right away because of the nature of the attack. We're completely in the dark as civilians.

In my mind a pulsed directed energy weapon maybe around the radar range somewhere could have the right combination of being readily aimed, penetrating simple surfaces, absorption resonance in-brain with the power to do damage in a certain pulsed range, and leaving few tell-tale signs of use in the direct aftermath that anyone might see externally. I don't want to test my hypothesis but I'd bet you can ring someone's ears with it somewhere along the spectrum. Your ear is just hair vibrations processed by neurons which obviously have an EM range of their own. The FBI analysis said something to the effect of "audible effects experienced by the victims misdirected the investigation" or something like that. They also mentioned the gag orders on medical staff against speaking about anything not previously mentioned in the media, and ultrasound was definitely mentioned by almost everyone and specifically carved around by exclusions. Nobody said much of ANYTHING about DEW weapons however.

I rudimentarily looked into medical scanner documentation about EM SAR levels in the brain, apparently there's a sig dif in absorption between gray and white matter. White matter is the 'wiring' of the brain as opposed to the 'hard drive' gray matter, in this crude analogy. It also happens to be much more absorptive in these ranges, which means to me if bombarded in this way you'd expect it to be most affected of the two types. I believe (not a brain scientist) this actually meshes pretty well with the described symptoms, but this is just spitball non-analysis. Microwaves are just ONE frequency. Tuned and pulse-modulated output in different bands could really have a range of effects that none of us would have any idea about because we're not mad scientists radiating the brains of living test subjects. That research exists somewhere in the world I'd bet.

Attacking diplomats is way above test stage in my view. They would have honed it previously.
Someone in the world knows about that testing, and world IC's must have some ideas I'd bet.

It's worth noting nobody is pushing public attributions as of yet.

WetSuitMarch 12, 2018 12:58 PM

@hmm:

About the Cuban affair:

The technology to target a person within a foot or so, from a hundred yards distance, with ultrasonic output that is good enough to be heard very well, has been in existence for about thirty years. I once owned stock in a company that built the stuff. I was not happy, as they sold it to the Army, and my stock went down the toilet - was reduced to penny stock value. I had about four hundred shares. They didn't get much (a few hundred thousand dollars) - and I never heard anything else about the tech from that point on. Buried, I'd guess. BUT - I did see a demo of it working!!!! Can't forget that, in spite of all the "sonic weapons are not feasible" bull I hear in the press. Mind numbing.

A person could be a half dozen feet from the targeted person, and NOT HEAR anything at all! Now, admittedly it was not shot thru glass windows in the demo. But, you can stand next to a window and hear someone yelling outside it, no? So, the window simply represents some amount (dB) of attenuation. They simply crank the power up to accommodate the intervening barriers. To target people, the little heartbeat signals of a cell phone could be zeroed in with a high gain antenna, and with the ultrasonic emitter automatically tracking it with servos and a Raspberry Pi. People often keep phones close to their bed.

Size? It was fairly small, with a dish about 18 inches in diameter, and not very heavy.

My evaluation?

Press = Willfully ignorant.

Gerard van VoorenMarch 12, 2018 1:44 PM

I am perfectly aware that Intel Corp is working *really* hard to help secure their product line, however why aren't we being told about their plans? Their plan fell down now more than a month ago and I have heard nothing.

Another interesting thing that I have found is made by the makers of Google, in the name of Rob Pike and others. It's called Upspin and I don't know what it really is, but it looks like a directory service, made for *everyone*. Just think about a global 9P, but then a bit alternated.

echoMarch 12, 2018 2:36 PM

Tim Berners-Lee offers his comment on the internet turning into weaponised walled gardens hoovering up all the competition and destroying diversity.

https://www.theguardian.com/technology/2018/mar/11/tim-berners-lee-tech-companies-regulations

Sir Tim Berners-Lee, the inventor of the world wide web, has called for large technology firms to be regulated to prevent the web from being “weaponised at scale”.

Berners-Lee, in an open letter to mark the 29th anniversary of his invention, said: “In recent years, we’ve seen conspiracy theories trend on social media platforms, fake Twitter and Facebook accounts stoke social tensions, external actors interfere in elections, and criminals steal troves of personal data.”

These problems have proliferated because of the concentration of power in the hands of a few platforms – including Facebook, Google, and Twitter – which “control which ideas and opinions are seen and shared”.

“What was once a rich selection of blogs and websites has been compressed under the powerful weight of a few dominant platforms,” said the 62-year-old British computer scientist.

These online gatekeepers can lock in their power by acquiring smaller rivals, buying up new innovations and hiring the industry’s top talent, making it harder for others to compete, he said.

rMarch 12, 2018 3:43 PM

To: Cassandra, Cc: Clive

Due diligence dear, my linking to of and from JavaScript pushers is sometimes inflammatory thanks for digging2.

Clive RobinsonMarch 12, 2018 4:33 PM

@ echo,

Sir Tim Berners-Lee, the inventor of the world wide web, has called for large technology firms to be regulated to prevent the web from being “weaponised at scale”.

Yeah well maybe he should start with sorting out the W3C... For the past decade all they appear to have been doing is pushing new tools to make life easier for the "large technology firms" to rape, pillage and plunder people's data and destroy any vestige of privacy the same people have.

Depending on who you ask, something like 75-80% of HTML5 has huge security risk marks hanging over it... We should know a lot better but people are ignoring the lessons from history of just a handful of months ago.

Most Web developers, from the code of theirs I've seen, appear not to have the first clue about security. Which really makes me wonder about the others...

Then there is so much more wrong about the modern web that I'm really starting to question people's sanity / probity.

Anyway I keep both cookies and JavaScript off and would run a more basic browser if I could find one for Android...

HmmMarch 12, 2018 5:52 PM

@wetsuit

"The technology to target a person within a foot or so, from a hundred yards distance, with ultrasonic output that is good enough to be heard very well,"

Not through a wall, and not "covertly" - you might see those limitations.

" But, you can stand next to a window and hear someone yelling outside it, no? So, the window simply represents some amount (dB) of attenuation. "

But you can't just crank up the volume/frequency to compensate for that as simply as you would a regular sound, you'd need to perfectly tune for a specific shot if it's going to have this resonance effect on a specific target. That means to me pre-testing the attack in situ if you're going to do that and expect results - and in this case on multiple buildings, and multiple rooms within those buildings. Even trying to hit the 3rd floor versus the 2nd floor from a relatively close position is going to require a different firing solution. So you're right, I can't rule out ultrasound even though the FBI reportedly has already done that.

"They simply crank the power up to accommodate the intervening barriers"

That's going to scatter and resonate on those surfaces increasing likelihood of it being observed,
if you're going to effectively penetrate them at all. Even a 2-pane window is going to be a challenge.
Try it and see. A single pane window might even crack at serious outputs. That'd be disaster.

"and with the ultrasonic emitter automatically tracking it with servos and a raspberry Pi"

Maybe, but they found nothing. If they had found that they'd be a lot further down the road.
I'm not trying to say what you suggest is impossible, but it's not trivial by any stretch.
Dr. Fu's conclusion that it was 'accidental' I'd say IS impossible though given all circumstances.

"My evaluation? Press = Willfully ignorant."

Well, how so though? What would you have them report of this mystery that they had not? Speculation?
They can't. In fact they have gag orders on any sources in the case. That's a tangible writer's block..

How exactly would you report this differently than the big bad media, I'm curious?

MarkMarch 12, 2018 6:01 PM

@Major my Firefox (58.0.2 (64-bit)) performing a Command + F is unable to locate the FU2 or U2F strings in the base64 text on this web page. So weird.

@Hmm, I'll see if D.O.D. is interested in your theories....

HmmMarch 12, 2018 6:26 PM

@Mark Well, it is just a theory, I've never been to Cuba and I've never irradiated anybody.

I've got nothing to.. hold on, a knock at the door? Who could that..

k15March 12, 2018 7:21 PM

If something like the 'Great Firewall of China' got implemented here in the U.S., but the builder didn't want to be straightforward about it, what would the web experience be like, inside?

HmmMarch 12, 2018 7:26 PM

@K15 Google search right?


@all

https://www.engadget.com/2018/03/11/sophisticated-malware-attacks-through-routers/

https://www.kaspersky.com/blog/web-sas-2018-apt-announcement-2/21514/

Latvian router maker, I'd never heard of them.

the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive. Kaspersky describes these two elements as "masterpieces," and for good reason. For one, it's no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active. If there's a common method of detecting malware or identifying its behavior, Slingshot likely has a defense against it. It's no wonder that the code has been active since at least 2012 from /.

Anyone feeling paranoid suddenly?

Clive RobinsonMarch 12, 2018 11:49 PM

@ K15,

If something like the 'Great Firewall of China' got implemented here in the U.S., but the builder didn't want to be straightforward about it, what would the web experience be like, inside?

That's easy to explain if you live in the UK and use mobile broadband, because it's already happening...

Take a supplier like Vodafone, they have a "child protection system" in place. It has three basic types of failure.

The first is for obviously naughty web sites where they put up a warning that you need to prove via credit card that you are over 18.

The second way is with web sites like "www.foocrypt.net" and other less well known crypto product and secure message product sites that might be of "criminal or similar"[1] interest, where they send you back a DNS resolver message that the site is unknown so fast it gives the game away, or if you go via the IP address it blocks it and eventually gives a site not responding message...

Other sites like The Urban Dictionary get blocked in other ways, slightly differently to the first method.

[1] That is, sites the UK Government and its agencies do not like because they are about "Privacy Protection"[2] and to the current UK PM that means you are defying her wishes even though her wishes are not lawful.

[2] These are the FUD sites that get the "Think of the children" style arguments. Usually where the argument is a faux excuse given like "Terrorists could hide behind..." that are all part of the FBI "Going Dark" mantra[3].

[3] EU and other Western nations' LEOs adopted the "Going Dark" phrasing and mantra after FBI head Louis Freeh's round of "Secret Briefings". Back in the mid 90's Freeh lobbied successfully against the "SAFE" bill before Congress that was designed to loosen encryption rules to provide increased privacy/security for US citizens. After Freeh's interference the amended version of the SAFE bill not only kept the then current export restrictions, it also called for a sweeping set of new federal powers etc to control the use of encryption domestically. This caused Freeh to get considerable "Push Back" as he realised he was unlikely to get what he wanted. He went on a "European tour" of "secret briefings" to try to get EU country "buy in" that he could then use as leverage back in the US. Every FBI Director from J. Edgar Hoover onwards has pushed against the US constitution to get increased "no oversight" surveillance powers. Some like Comey were not very clever about it...

Clive RobinsonMarch 13, 2018 12:12 AM

Re Kaspersky and "slingshot APT",

It is interesting to note it appears to be "targeted" so far and the countries are mainly African...

This from the bottom of the FAQ should be read by everybody, especially the last sentence,

    What do we know about the group behind Slingshot?

    The malicious samples investigated by the researchers were marked as ‘version 6.x’, which suggests the threat has existed for a considerable length of time. The development time, skill and cost involved in creating Slingshot’s complex toolset is likely to have been extremely high. Taken together, these clues suggest that the group behind Slingshot is likely to be highly organized and professional and probably state-sponsored.

    Text clues in the code suggest it is English-speaking. Some of the techniques used by Slingshot, such as the exploitation of legitimate, yet vulnerable drivers has been seen before in other malware, such as White and Grey Lambert. However, accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error.

Such an honest appraisal is not something you get from other analysts...

tyrMarch 13, 2018 12:44 AM


@Clive

I listened to what May said to parliament.
It was couched in weasel words for deniability
later. Then she started yapping like it was
a proven case against the evil Rus. It all
smacks of the great game crap to me. Lots
of noise and finger pointings at the boogey
man.

Divide and conquer intended to keep the heat
off before Brexit? I seem to recall a Hermann
Goering quote about how it will work in any
country to rouse the common folks.

I expect her to claim that if the snoopers
charter was in effect they could have found
the perpetrator instantly.

If W3C had killed DRM mad schemes Lee might
have more credibility with the older Netizens.

HmmMarch 13, 2018 12:59 AM

" given its Sunday evening in your Time Zone.... "

Is "Sunday Pizza" a codeword?

So I google it, no, it's a group of Irish who get together with local homeless over food and music.
https://pizzasundayclub.com/about-us/

Learn something every day. Thanks Mark, either you're some kind of social engineering genius or.. yeah.

The blink tag was a good disguise.

Mads M.March 13, 2018 2:38 AM

@Hmm

seeing as you say you can't garden after dark - maybe the knock was your friendly nightsoil collector?

Gerard van VoorenMarch 13, 2018 2:49 AM

@ Clive,

"Any way I keep both cookies and Javascript off and would run a more basic browser if I could find one for Android..."

Sorry to say this, but if you use Android, why even bother...

Wesley ParishMarch 13, 2018 3:17 AM

Beating my own drum, as seems to be becoming usual around here :)

You Can't Always Get What You Want
https://antisf.com/the-stories/you-can-t-always-get-what-you-want

A commentary on certain precedents which have been set - in concrete, some would say. And which reinforced concrete is lovingly attached to the feet of Western Democracies as flotation aids for deep sea diving. But not in Jacques Cousteau's style, alas ...

HmmMarch 13, 2018 3:23 AM

@ Mads

In my country the knock is very optional anyway, it's best not to expect it.

Clive RobinsonMarch 13, 2018 5:47 AM

@ Gerard van Vooren,

Sorry to say this, but if you use Android, why even bother...

It depends on who you are defending against, to what level, and to what level.

My base assumption when it comes to mobile phones and connected computers in general, is as I've said before,

    Whilst you might have paid good money for such mobile devices you in no way "own them"

This is due to the likes of "OTA update", "Walled Garden" / "jailing" and more insidious issues. That is true for all mobile devices and there is no avoiding that issue in consumer communications devices.

Also from a more practical view point such devices can not be secure because as I've noted on a number of occasions,

    The comms end point reaches further forward than the application end point.

That is I assume --quite rightly-- that the "plain text" in its various forms at the HCI is already "fully compromised" and that includes the audio, video and all other sensors such as the gravitometers/accelerometers, touch screen etc.

Thus I view the mobile phone or device or any computing device that "gets connected" as being fully compromised as a basic starting position.

As you know there are ways to mitigate this as I have said before on a number of occasions.

The next thing to realise is not only is there little choice of OS in the mobile device market, the device pricing is such that if you buy very cheaply your mobile device will "Do an ET" and phone home to its mothership in China or wherever with every key press etc in what is effectively plain sight. That is over and above the fact that really cheap mobile devices will not receive OS support and will probably blow up in a very short time.

But... if you remember back to the "Carrier IQ debacle", "Doing an ET" also applies to higher end phones as well due to Service Providers installing Tech Support "test harnesses"... So buying as part of a contract is not a very good idea.

But there is also the "Premium Price" issue of mobile devices, which is why I really do not see the point in wasting money on Apple products and the like. Because they are just as insecure in many ways thanks to HTML5 etc, and they have been caught out being just as dishonest as those no-name Chinese mobile device suppliers in "end of lifing" their devices. As for Microsoft products... do I really need to go into details.

But there is another issue to consider... In London at least there is a fairly thriving second hand device market from which you can buy wisely with a little research on the longevity side. They are generally as cheap as Chinese No Name suppliers, and the parts and manuals required to repair them are also available.

Thus having indicated that I assume that any mobile or connected device is "fully compromised" and not worth the price you pay for it... you might ask what is left to use it for ;-)

Well it's not for social media, as we know that is fully compromised beyond any understanding of the non techie folk as well as quite a few of the techie folk as well. Nor is it for Email that was fully compromised by design from day one as is any "mid point" service that is plain text based. So on a personal level I don't do Email any more as people on this blog have been told a few times over the years. Likewise I don't do online shopping or banking or anything to do with the private side of my life. Oh and as I have hearing issues I don't use the phone side either. I prefer non-ephemeral written correspondence as I've also said,

    Paper paper never data.

Thus my main use for a mobile communications device is looking up info on technical sites of various forms for "personal projects" and "a bit of blogging". None of which I consider particularly private. If a technical website gets too clever with its web portal, I either go to a competitor or use a search engine to pull out what I want which is often just a PDF data sheet or similar mainly text based file. As I've also said in the past there are ways of dealing with them even though they might contain malware.

I'm aware that most people can not "live that way" as they have a compulsion bordering on mania to spill their guts on social media and the like. Which finally the medical profession is catching up on, which has revealed in turn that the likes of Facebook are deliberately designed to be addictive just as certain money making games are.

As I don't do those sorts of "addictions" I don't generally have to worry about them (though "party/group photos" are an issue). So my reasons for turning off javascript and cookies are not for what you would regard as privacy/security issues. As you note I would as many millions have failed at the purchase phase if that were my intent. No it is as I've indicated in the past to minimise the "annoyance factor" of bad web design, bloated adverts and various other things such as them stealing my bandwidth or CPU cycles and damaging the mobile devices' batteries.

Which is why amongst other reasons I have for disliking HTML5 etc is it also acts as a bandwidth CPU cycle thief that costs rather more than time and energy...

When even simple text file content of less than a couple of KBytes takes up to three MBytes to pull down off the web I think I'm being subject to the online version of being mugged. Especially when the difference is made up of what I regard as being worse than most malware.

So "cutting the fat" and "other crap" is my purpose not privacy or security. However also not using javascript and cookies makes anybody's life online a little bit more secure so from my point of view it is a bonus ;-)

But if I was to use a mobile device for anything secure then I would ensure that what I did extended the security end point well off the mobile device and its myriad of failings... In fact I would do things without using consumer level mobile devices that are "tagged" with electronic serial numbers and the like. As I've indicated in the past there are ways you can do these things if you understand the technology sufficiently well.

In fact it's quite sad when you consider things, the SigInt agencies are expending vast amounts of their resources on "collect it all" and proportionately less and less on much more resource intensive forms of surveillance... A failing that will no doubt come to people's attention eventually. Till then the really techie types have a myriad of games they can play to stay several steps ahead, if --and only if-- they know how to do good Old School "OpSec and Field Craft" but apply it in more modern ways.

JG4March 13, 2018 7:28 AM


Sorry that I haven't had time to comment on the anarchy discussion. That was largely a result of my libertarian wet dream, but I was beginning to grasp the scaling problem. The whole thing fits very neatly into a conflict-of-interest analysis, in which there are no easy answers. I still am fond of the founder's quote, "The government that governs least governs best," that seeded my thinking when we were being brainwashed in US exceptionalism. Coals to Newcastle:

https://www.nakedcapitalism.com/2018/03/links-3-13-18.html
...
Big Brother is Watching You Watch

Tim Berners-Lee: we must regulate tech firms to prevent ‘weaponised’ web Guardian (Chris M)

Questions for TSA after reports of laptop and phone searches on domestic flights Guardian

Feds Bust CEO Allegedly Selling Custom BlackBerry Phones to Sinaloa Drug Cartel Vice (Bill B)
...

Clive RobinsonMarch 13, 2018 8:04 AM

@ Hmm,

Donald Trump's administration has decided specifically NOT to attribute the nerve attacks to Russia.

As the UK legal investigation is still in progress that is possibly a wise thing for him to do. Especially as the UK PM has warned him off in the past for interfering with an open UK investigation. Someone will no doubt have told him of the legal consequences... Remember whilst he might be a head of state and technically a diplomat, none of his UK property is covered by diplomatic privilege. Thus, as the US is fond of doing, it can be legally seized. Thus a UK court can take it all away from him on "contempt" or various forms of "interfering". So can the family of the victims if he gets it wrong. Technically all he can do is offer condolences and support for the victims and the family...

But there is also a king sized elephant in the room which you may not be aware of. In effect there is a load of dirty washing in the UK that the UK PM has now had dumped on her and it really is her own fault. Which makes her rather more desperate than Trump to appear to be doing something whilst actually not.

Officially there have only been three assassination attempts of this form in living memory of most in the UK.

1, Georgi Markov,
2, Alexander Litvinenko,
3, Sergei Skripal and his daughter.

These are the ones that arguably the Russians wanted to become public by their use of rare but eventually identifiable high tech poisons[1]. Which allowed the assassin sufficient time to escape.

However in between these three time points there have been something like twenty deaths of Russians in the UK that were odd if not downright suspicious. Yet they were at best badly investigated and put down to "natural causes".

As I pointed out the other day there are several acetylcholine [2] inhibiting and similar based drugs that act as paralysing agents that will cause you to die unpleasantly of what will look like a heart attack etc. They don't show up under normal autopsy chemical screening as they break down very rapidly in blood plasma. Thus a death has to be treated as highly suspicious to warrant a more in-depth forensic autopsy which the UK rarely if ever carries out these days. Even the death of Alexander Litvinenko might well have gone unnoticed if the assassins had not used many many times the level of Polonium 210 to kill him, and the press got involved whilst he was still alive.

Over ten of these odd deaths of Russians have happened on the watch of the current UK PM when she was Home Office Minister in charge of the police, thus influential in any investigation into such deaths. She was directly responsible for significant cutbacks and other policies that would have impacted on the investigation of the deaths.

But politically there is another aspect. Whilst the current political incumbents have been in power they have actively been encouraging investment from both Russia and China, in part to stave off the bursting of the property bubble and to cover up the effects of a disastrous politically inspired fiscal austerity policy that has allowed for massive tax giveaways to the 1% of the 1%. Thus when others join the dots there is likely to be some political ructions. It's already been suggested in the press that the current incumbents quite deliberately looked the other way, thus the elephant in the room has been publicly noticed.

I'm sure that the US President will have been advised that recent US tax giveaways would in all likelihood come under a renewed focus if such stories "get legs" in the UK press. Thus the wise thing is to say nothing about the still only "alleged" Russian assassination attempt. He will, if pressed by the press corps, probably fall back on the fact it is still under investigation by UK police, mention his previous indiscretion that caused the current UK PM to rebuke him, then make a joke about not wanting to have the UK PM phone him up again.


[1] It appears that it's not VX but something worse from a family of nerve agents called "Novichok" that might have been used on Mr Skripal and his daughter. Apparently these "Newcomer" nerve agents can only be produced by highly specialised scientists, according to the researcher Soviet scientist Vil Mirzayanov who helped develop some of them. Likewise once produced as nerve agents they can only be used with intense supervision, not just due to their toxicity but other issues. The researcher who made news of their existence to the world also revealed that the country had secretly developed the powerful nerve agent family, which was supposedly far more toxic than anything in the UK or US. Importantly, because the chemicals involved were not on the "banned list" they could be made without violating treaty agreements. Whilst still unknown which of the "newcomers" it is, it's certainly not the only effective nerve agent in the family that was made by the USSR/CCCP. Some of which are "binary chemical weapons" which are made of two separate chemical components that are combined at the point of delivery or shortly before. As the two components are considerably more benign on their own it makes long term storage and manufacture considerably safer for those handling it and in reasonable proximity. Thus making binary chemical weapons more suitable for assassination rather than the battlefield...

[2] Acetylcholine is a chemical that is naturally produced in the body and acts as a neurotransmitter used at the neuromuscular junction. Or to put it another way, it is the chemical that motor neurons of the nervous system release to stimulate and thus activate ribbed muscles. Suxamethonium chloride (sux) and similar drugs effectively block the acetylcholine, which means they can also be used as a nerve agent. If the ribbed muscles are deactivated by such drugs, paralysis results. The heart however is smooth muscle so not affected, thus keeps beating; starved of oxygen because the victim is no longer breathing, they enter an excruciatingly painful state that will result in a full blown heart attack unless intubation or other breathing assistance is used. Because of the stress and pain caused, similar very short acting drugs have been used as part of "aversion therapy" in the past in prisons and other institutions. Sux fairly quickly breaks down in blood plasma even after death, thus whilst not an untraceable poison it is very difficult to detect in the conventional way (drawing blood for toxicology). That said, parasympathomimetic drugs[3] based around acetylcholine inhibition are very important and can be found in any hospital that does general surgery. They are used for various reasons, not least as part of a pre-med to allow for easier inserting of a breathing tube for endotracheal intubation.

[3] https://en.m.wikipedia.org/wiki/Parasympathomimetic_drug

Gerard van VoorenMarch 13, 2018 8:20 AM

Well, I have to say that I still am not convinced. But that counts for all mobile OS players. It just happened to be Android, thanks to Google and all the contributors. About HTML5, true, that is a honey pot waiting to be opened. It's a present to all the users. And no, I don't think that this will become any better.

vas pupMarch 13, 2018 10:41 AM

Musk on AI:
http://www.bbc.com/news/technology-43367191
"AI is far more dangerous than nukes," he said, dismissing the pushback from AI experts who suggested Mr Musk was more interested in controversy than studying the work.

"I’m not normally an advocate of regulation and oversight," he added. "This is a situation where you have a very serious danger to the public. There needs to be a public body that has insight and oversight so that everyone is delivering AI safely. This is extremely important."

"Nobody would suggest that we allow anyone to just build nuclear warheads if they want, that would be insane."

"My point was AI is far more dangerous than nukes. So why do we have no regulatory oversight? It’s insane."

My take: When AI remains like a brain only, without having any actionable capability (agree with Musk absolutely if AI would be combined with nukes application), I do not see any danger when the final decision remains with humans. I just want to suggest that all restrictions on science (gene editing, AI, mind control, you name it) by the US and other Western countries based on moral principles are not going to work and will be counterproductive, because other actors on the international stage (e.g. China) will continue to do such research in secret regardless, leaving democracies far behind.
Do you remember what the Inquisition did to science in the Middle Ages? I see a very vivid similarity. Science is the tool. There is no crazy science, only crazy scientists and ignorant politicians who applied science for bad, not for good.

snur-peleMarch 13, 2018 11:26 AM

@Clive, On Android

Mostly sharing your opinion, I have for some time been using Naked Browser and NoRoot Firewall

Sadly, lacking means, I have not been able to thoroughly investigate them for possible misbehaviour.
In case someone else has, here are their data:

Name: Naked Browser 1.0 Build 128.apk
Size: 119.98 KiB
MD5 checksum: cb60528493a6cbb1d71c45b7757bb58e
SHA-1 checksum: ac06e1c8416e50556dc77bf12e2c182d57bc8e1d
SHA-256 checksum: 321da63e0c70225b9dd9e598063801eac62e5c77c53dccb72855cd855ecaef6a


Name: NoRoot Firewall 3.0.1.apk
Size: 1.01 MiB
MD5 checksum: b48c35a3ea1cf292c7578862690c3d6d
SHA-1 checksum: 21fd123eed6e6d8de7bb0e718a226034b30fedc9
SHA-256 checksum: b8c7e4fd106c3be8fa0cf02d4d1ff805b9e858f8328fa0f88ca1b91581323bc5

echoMarch 13, 2018 11:27 AM

@clive

Yes, WWW style head in sand over effective standards and bikeshedding (much like the C++ committee) seems fond of creating a monster like most bureaucracies which have forgotten first principles. As for refactoring to a new standard, the primary concern seems to be with poor old companies who have to deal with code development and legacy issues, which isn't half the problem with shippable product in the hands of end users this insinuates. I note this kind of entity is never so slow when commissioning an expensive shiny new HQ.

On the issue of post mortems: I have forgotten the exact numbers but vaguely recall the number of substances tested for is of the order of 30-40 while an extended test is 65-ish? Government on the cheap is a little shy of publishing the lists for obvious reasons.

@vas pup

My best reading of discussion surrounding censorship of AI research and gene editing etcetera is more akin to anti-proliferation. There is no such thing as neutral science, hence the need to put rules and mitigation measures in place. Unlike Brexiter negotiating, which would allow American asbestos products to be sold in the UK, it's generally not a good idea to allow children to play in asbestos sandpits for similar reasons.

albertMarch 13, 2018 12:08 PM

@hmm,

"...It's worth noting nobody is pushing public attributions as of yet...."

Which raises another question. What if they -did- find something, and for various national security reasons, decided not to admit it. After all, attribution won't restore the victims health. I hope we haven't heard the last of this, but only time (or a whistle blower) will tell.

Perhaps 70 years from now it'll come out in an FOIA request. I don't know about you, but I'll be residing in an urn somewhere....having made my small contribution to global warming.

. .. . .. --- ....

echoMarch 13, 2018 12:22 PM

According to this article a standard for requiring answers to allegations already exists.

https://www.theguardian.com/politics/blog/live/2018/mar/13/tillerson-firmly-backs-uk-over-salisbury-spy-poisoning-as-white-house-refuses-to-blame-russia-politics-live?page=with:block-5aa7f0ece4b0d60f07ce4e7c#block-5aa7f0ece4b0d60f07ce4e7c

The Organisation for the Prohibition of Chemical Weapons (OPCW) called the use of the nerve agent novichok “extremely worrying” but stopped short of ordering an investigation. But, claiming that Theresa May’s ultimatum to Moscow breached OPCW protocol, which he said allows nations 10 days to respond, Russia’s ambassador to the OPCW, Alexander Shulgin, accused the UK government of making “unfounded accusations” and “pumping hysteria”.

Clive RobinsonMarch 13, 2018 12:36 PM

@ Gerard van Vooren,

About HTML5, true, that is a honey pot waiting to be opened. It's a present to all the users. And no, I don't think that this will become any better.

I would like to think W3C was in a tail spin, that would at least have a chance of being pulled out of. Even a full on nose dive you can do something about if the wings don't come off. But all the signs are suggesting it's not just the wings that have been torn off...

Thus I guess it's just a question of when, not if the smack down is going to happen.

Oh and if you wanted to "front door" things. The crap state of SSL and CAs, plus all the big data seizing companies pushing for what will make digital rape easier, are going to leave nice little holes for others to crawl through. Thus your data to leak out and be hoovered up by the likes of GCHQ and the NSA and all those other "eyes" that work with them, to name but a couple of dozen. Then of course there are all those other SigInt entities all looking for "that in" HTML5 implementations will give them...

I'm sure there will be some who think I'm being a little over the top, but let's wait a few years before we call it one way or another...

RatioMarch 13, 2018 12:49 PM

U.K. Prime Minister's Speech on the Russian Poisoning of Sergei Skripal: Decoding the Signals:

On Monday, U.K. Prime Minister Theresa May said that it was “highly likely” that the Russian government was behind the poisoning and attempted murder of former Russian military intelligence officer Sergei Skripal on British soil using a Russian-developed nerve agent from the “Novichok” neurotoxin family. According to May, if the Russian government makes no “credible response” by the end of Tuesday, “the U.K. would conclude there has been an ‘unlawful use of force’ by Moscow.”

[...]

May wasn’t speaking to a domestic audience: Her speech was aimed at the international community. The United States needs to hear it for what it is—and it doesn’t have a lot of time to get its act together and plan how to respond.

Diplomacy involves careful language and signalling; the language, style and delivery of the U.K.’s message requires some decoding.

(Compare and contrast with Very Serious Commentary above.)

Clive RobinsonMarch 13, 2018 12:56 PM

@ Cassie,

Thanks for posting the link, I did not have time to find it earlier.

HmmMarch 13, 2018 2:03 PM

@Clive

"As the UK legal investigation is still in progress that is possibly a wise thing for him to do. Especially as the UK PM has warned him off in the past for interfering with an open UK investigation."

Nobody is interfering with the investigation by noting obvious reported facts of the matter.
Certainly not by reiterating exactly what the PM said herself. That's a bit absurd to suggest.

There's no plausible counter explanation or motive. Attribution has in fact been made.
The UK and PM May herself have formally accused/attributed Russia. Verbatim. Fact.
The investigation continues but they have multiple smoking guns in hand.

Not the least of which is unambiguous admissions by Putin himself on the very topic!

Interestingly, Rex Tillerson AGREED that Russia was behind the attacks where Trump refused to.
Trump meanwhile made Sarah Huckanjive Sanders go out and do her mealy-mouth thing, talking around the issue and refusing to address the obvious. Her omissions are for a purpose, ordered.

Rex was fired today. No reason given. Treasonous water-bearer Mike Pompeo will take that job.

(https://www.washingtonexaminer.com/russia-takes-credit-for-getting-trump-to-reject-mitt-romney-as-secretary-of-state-report/article/2650674) - Precedent perhaps.

A multi-event settled history, opportunity, the ONLY means, STRONG motive, and now an 'admission' of sorts.
It strains credulity that anyone is carrying any well-founded doubts here with zero evidence.

What alternative, CIA duplicated Russian WMD's just to attack a former Russian spy (and Britons too) for the purpose of pointing a stronger finger at Putin, as if there weren't dozens and hundreds of such fingers already pointing at him the entire time? It's beyond ridiculous. They have reasons to go to war already before this incident if they wanted to. Nobody needs to "frame" Russia for hacking or assassinations. They do those things and we've proven it in the recent past beyond a shadow of a doubt.

How many in a series of smoking guns are required with nothing contradicting them?

If you don't want to take PM May's word, or the forensic analysts in any case ever...
take Putin's word then. He admits it verbatim

http://www.independent.co.uk/news/world/europe/vladimir-putin-traitors-kick-bucket-sergei-skripal-latest-video-30-pieces-silver-a8243206.html

Just to be friendly and charitable, sure, "Maybe Putin is unfairly maligned once again."
Maybe! It would be big egg on my face if Putin is someday fully exonerated. (I'll wait..)

But I can't play "gaslighting doubter" today, I've got to get to work eventually.
I guess we'll agree to disagree on what obviously is supported by evidence once more.

@albert

"What if they -did- find something, and for various national security reasons, decided not to admit it."

All hypotheticals are hypothetically possible - we presume, from pure lack of information.

But in this case they had the Cuban counterparts also sweeping the rooms early on and none of them found+reported anything either. It seems to me unlikely that Cuba would accept the vague blame for this event if they indeed had nothing to do with it, and also then sit on a found smoking gun disproving their involvement even as the US breaks diplomatic relations with them and as that event saws in half efforts to modernize and integrate Cuba into the lucrative US markets.

In fact, the US did make a semi-attribution, they said the Cuban government "could have stopped the attacks" and gotten to the bottom of it if they wanted to. Reading between the lines with the embassy closures, that's not nothing in terms of attribution. So my initial statement wasn't in fact fully accurate, but the 'full' attribution with details hasn't come yet. We certainly can wait. The diplomats are no longer in ongoing danger, although to this day they have massive brain damage issues. I'm reasonably confident that the attackers will be identified eventually.

Attacking diplomats and civilians is a really bad strategy in my view.

Clive RobinsonMarch 13, 2018 2:14 PM

@ echo,

    An investigation is underway following the unexplained death of Mr Nikolai Glushkov. Police were called by the London Ambulance Service at 10.46am, Monday 12th March to reports of a man in his sixties found deceased at a residential address in Clarence Avenue, New Malden.

With regard to the new "unexplained" death of a Russian yesterday, the Met Police counter terrorism command are leading the investigation of it "as a precaution".

I was wondering why the avenue was closed off when I tried to walk up that way yesterday. I'd had an early lunch with a friend in a cafe we like in New Malden prior to me going on to a cardiologists appointment at Kingston Hospital, I'd thought as the weather was OK I'd walk a bit of the lunch off rather than catch a 213 bus...

Gerard van VoorenMarch 13, 2018 3:29 PM

@ Clive Robinson,

"I would like to think W3C was in a tail spin, that would at least have a chance of being pulled out of."

"Thus I guess it's just a question of when, not if the smack down is going to happen."


So, in other words, there is yet another catastrophe waiting to happen. Thank you, W3C. Well, the answer is *of course* in the standardization process. But I still remember that debacle with PHK and the HTTP2.0 IETF standardization process. So, and these are my words, the standardization is inevitable. The only question that is left IMO is how to mitigate these well funded standards.

Clive RobinsonMarch 13, 2018 4:50 PM

@ Hmm,

Attribution has in fact been made. The UK and PM May herself have formally accused/attributed Russia. Verbatim.

You need to check the time line a bit. As far as I can tell the actions you accused the US President of occurred before the UK PM made the facts as plain as diplomatic speech will allow, and indicated correctly that it was an act of War by Russia.

If you check what the US President has said subsequently you will find that you don't really have reason to complain. Likewise the EU minister on Brexit, reminding EU countries that Britain is currently still part of Europe, which has a side effect of putting NATO publicly on notice.

Rex was fired today. No reason given. Treasonous water-bearer Mike Pompeo will take that job.

As for Rex Tillerson getting the push, I was not aware of that as it's not been mentioned on the radio news I've heard in the UK.

However you might likewise not have been aware that yet another Russian has turned up dead in an "unexplained" way in the UK. This time the Met Police appear to be taking it seriously as they have put the counter terrorism unit in charge of the investigation. The point I made earlier about the other ten or so Russian deaths on the UK PM's watch when being the Home Office Minister still stands, as do other comments I've made about the lack of facts made public from the investigation.

It turns out that the UK Porton Down Scientists have made some form of partial identification on the nerve agent used. It comes from a family of over a hundred nerve agents that have a unique commonality.

As for your CIA point, it could also have been Syria; apparently they purchased the primary agents for making the nerve agent family from Russia at some time in the past. I'm guessing that they were not the only state that made similar purchases. There is still publicly no indicative evidence that has been made linking the Russians to the attack.

So from what we have publicly: A Russian, Sergei Skripal, who was spying for the UK was caught and sentenced to a 13-year imprisonment in Russia, and after around a decade in he was used in an "exchange" for Russian spies caught in the US, including Ms Chapman who had nominal UK nationality (the exchange of prisoners would have had to be approved by Russian President Putin at the time).

On the day of the alleged attack Sergei Skripal went to London Heathrow Airport in a red BMW to pick up his daughter who had flown in from Russia. They stopped in Salisbury for a drink at the Mill Pub and then went on to a Zizzi restaurant. From there they went back to their car in a Sainsbury's car park and were found alive on a bench but in a very serious condition. They were taken to Salisbury district hospital and a full scale chemical weapon lock down was put in place. That's the bare bones of the incident. Currently the police are still investigating other places in and around the town and expect to do so for several weeks if not months. There has further been a partial identification of the nerve agent at the UK Porton Down research center. In the past a Russian Scientist involved with the development of the nerve agent family has said it's extremely difficult not just to make safely but also needs specialists supervising its preparation for delivery. Further he went on to note that there was no known antidote / treatment. Apparently also that part of the advantage / disadvantage of this nerve agent family is how easily it gets through safety clothing and the like.

Those are the publicly known things you might consider facts, but they are not evidence for a criminal trial.

So to recap, what has been said publicly in the UK is that,

1, The investigation is still under way and may take months.
2, The nerve agent is one for which the chemical formula and other information for the family has been published by the Russian researcher some years ago in a book.
3, That Porton Down scientists have identified a chemical compound unique to the family of nerve agents developed in Russia but not the actual nerve agent used.
4, That the UK PM has named the family of nerve agents publicly in her diplomatic statement to the Russians, giving them about two hours now to respond.
5, The diplomatic message has also said that the Russians have committed a primary act of war.
6, The Russians are denying the request and say there is a response mechanism in the CWC.
7, However the nerve agents used are not covered by the convention.
8, The man in charge of upholding the convention appears not to wish to investigate the claims.

Have I missed anything out?

Thus whilst it is highly likely the Russians did commit what is a primary act of war with a weapon of mass destruction, publicly there has only been an argument for their involvement, not actual evidence presented (though there may be actual evidence that has not yet been made public).

The US President has made a series of statements indicating that he thinks what has happened is deplorable and that the US will take action if it's found to be true. And from what was reported he was first going to speak with the UK Prime Minister.

In other words he has behaved in a responsible manner so far this time.

HmmMarch 13, 2018 5:23 PM

Trump and Tillerson have had numerous disagreements over serious policy issues, but the one that appears to have cost him his job was Russia.

It is particularly troubling that the proximate spark for Tillerson’s dismissal appears to be his support for British Prime Minister Theresa May when she demanded that the Russian government explain a “reckless” nerve agent attack on British soil. Tillerson called the incident an “egregious” act that clearly came from Russia; within hours, he was out.

Trump and Tillerson have had numerous disagreements over serious policy issues ― Iran, Israel, Middle East peace, North Korea, steel tariffs, expansion of nuclear missile forces ― but the one that appears to have cost him his job was Russia.

The dire import of this connection cannot be overestimated. It sends a chilling message to our closest allies and to every member of NATO that they cannot rely on the United States where Russia is concerned. It again provokes anxieties that ill-serve the U.S., both around the world and domestically: that considerations of Russia appear to be the primary driver of policy in the White House.

Steven Pike is assistant professor of public relations and public diplomacy at Syracuse University’s S.I. Newhouse School of Public Communications. He retired from the U.S. foreign service in 2016 after a 23-year career as a diplomat.

"Responsible" redefined.

HmmMarch 13, 2018 5:28 PM

"(though there may be actual evidence that has not yet been made public)."

Hence the ultimatum. Yeah, of course they have evidence that isn't public, it's a WMD attack.
Just the formula of the weapon used is a state secret by itself, without details.


"Have I missed anything out?"

You sure did omit everything Putin has said or been proven guilty of in the last few years.
Being the publicly accused party, that's an omission of note.

HmmMarch 13, 2018 5:49 PM

https://www.rusemb.org.uk/fnapr/6008

PRESS RELEASES AND NEWS
16.03.2017

Why Are Fugitives From Justice Welcome in the UK?


Interesting timing for the Russian embassy to ask this publicly.

What could possibly be the message or reason for this timing, one wonders while others might not.

HmmMarch 13, 2018 5:57 PM


Putin says ex-spies should "kick the bucket" and the one unforgivable thing is "betrayal"

Putin says he "could care less" if hackers attacked the governance of another country,
because that wouldn't be illegal in Russia, so it's no problem.

Russian state TV puts out days of "what a traitor should expect/deserve"

Russian embassy asks "Why are fugitives from justice welcome in the UK" days after attack/attacks.

PM May and Rex Tillerson agree Russia is responsible, Rex is fired by Trump within hours.

Trump refuses to blame Russia for anything they've ever done, or even criticize known issues. Ever.

"Have I missed anything?" Yes, I think it's fair to say you have missed a few things there.
The larger pattern seems hard to miss, but you deftly avoided it.

ThothMarch 13, 2018 5:57 PM

@Clive Robinson, all

We have heard a ton about how Intel SGX has been shown as insecure despite their dishonest sales and marketing claims, and now, to join the ranks of broken "Secure Enclaves", we have AMD's turn to have its variant of "Secure Enclaves" called the PSP being defeated. The article is linked below.

Now we have all the three major "Secure Enclave" platforms of ARM's ARM TrustZone, Intel's Intel SGX and the new member being AMD's AMD PSP all showing that their security claims of so-called "Trusted Execution" or "Secure Enclaves" are not able to hold up to the test of real world attacks and all these "Enclaves" from the "Holy Trinity" of CPU makers are all broken.

We have been advocating that sensitive executions should be air + energy gapped onto an isolated machine and environment but most people prefer to buy into sales and marketing instead and now this "pipe dream" of supposed running sensitive apps securely on a single smartphone or CPU is broken thoroughly.

Link: https://arstechnica.com/information-technology/2018/03/a-raft-of-flaws-in-amd-chips-make-bad-hacks-much-much-worse/

Clive RobinsonMarch 13, 2018 6:31 PM

@ Gerard van Vooren,

The only question what is left IMO is how to mitigate these well funded standards.

I think the answer is there is little or nothing you can do.

The oldest trick in the book is if you don't like a standard, you create an "Industry consortium" and come up with your own standard. You then build to your standard and in effect end up with a standards war. We saw this in the VHS-v-Betamax home video machine market.

Thus with the likes of the major browser makers being either a big player or dependent on a big player you know which standard is going to win...

Which means TBL is right in one respect, the big players really do need their wings clipped by government etc through regulation they can not avoid or buy. But what's the chance of that happening when they can and have bought not just legislators but Main Stream Media as well... There are times when you really do need the Judge Harold H. Greenes in this world.

https://en.m.wikipedia.org/wiki/Harold_H._Greene

This time hopefully it will be a European Judge that wields the axe.

Clive RobinsonMarch 13, 2018 6:48 PM

@ Thoth,

all these "Enclaves" from the "Holy Trinity" of CPU makers are all broken.

Yes and we've known for years something like this was going to happen, we just did not want to admit it.

For year after year since the mid 1970's we have had a "doubling up" of performance. We know, or should know, we were running into trouble. If you look at any of the old papers @Nick P used to pull up you could see that people knew that there were going to be troubles back in the 1960's.

The question is how to start introducing TEMPEST style techniques into CPU design...

echoMarch 13, 2018 7:11 PM

@clive

Yes, I caught wind of this. I wouldn't wish to speculate. Putin does seem to have his bossy hat on this week telling the West to "get to the bottom of this".

I haven't read through all the documentation but the OPCW will only respond to an investigation request after bi-lateral diplomatic discussions have failed? How is the alleged neuro-toxin not covered by the convention?

While searching background material I discovered via another blog a review in Nature of a new book on Russia's history with bioweapons research.

https://www.opcw.org/chemical-weapons-convention/
https://en.wikipedia.org/wiki/Organisation_for_the_Prohibition_of_Chemical_Weapons#Challenge_inspections_and_investigations_of_alleged_use
In case of allegation of use of chemical weapons or the prohibited production, a fact-finding inspection can be employed according to the convention. None of those activities have taken place, although the OPCW contributed to investigations[when?] of alleged use of Chemical Weapons in Syria as part of a United Nations mission. The OPCW only undertakes these inspections on request of another member state, after verification of the presented proof. To avoid misuse, a majority of three quarters can block a challenge inspection request.[14] Furthermore, the OPCW can only be involved after bilateral diplomatic solutions have failed.

https://www.nature.com/articles/d41586-018-02693-9
http://blogs.sciencemag.org/pipeline/archives/2018/03/08/a-poisoning-in-england-but-which-poison#comment-290126
Ominous biosecurity trends under Putin. Gary Ackerman praises a meticulously researched tome on Russia’s history with bioweapons research.

echoMarch 13, 2018 8:59 PM

@Thoth, @Clive

According to a comment on OSNews (which covers this story), contributors to the Phoronix forums and Reddit are alleging this is an attempt by scammers to short AMD stock. Given the 24 hour disclosure period and the vulnerabilities themselves, which require firmware updating and local machine access, my sense was this was an attempt to cause interference for AMD to detract from Intel's problems. Intel may be clean but I'm glad people did ask questions...

http://www.osnews.com/story/30228/Security_researchers_publish_Ryzen_flaws
http://www.osnews.com/thread?654447

Again, from OSNews comments: the CTS management team...

http://www.cts-labs.com/management-team

Viceroy Research don't seem to be a very responsible company either.

https://uk.reuters.com/article/prosieben-media-accounts/germanys-bafin-says-viceroy-breached-rules-with-prosieben-report-idUKFWN1QU0QP

FRANKFURT, March 12 (Reuters) - German financial watchdog Bafin said on Monday that short-seller Viceroy Research breached German securities law with a research report on ProSiebenSat.1 as it did not notify the regulator of its activities.

Under German law, any entity that is not a securities firm, a fund manager, an EU administrative firm or an investment company that intends to publish recommendations on investments in assets must notify Bafin ahead of time, it said.

It also said Viceroy’s website did not contain information on where the company was based.

ProSieben last week rejected a critical report by Viceroy that led to a drop in its share price by as much as 9 percent, saying the allegations of questionable accounting contained in it were “unfounded and distorting reality”. (Reporting by Maria Sheahan Editing by Arno Schuetze)

HmmMarch 13, 2018 9:57 PM

@echo

"How is the alleged neuro-toxin not covered by the convention?"

VX is covered; unknown formulations are not expressly banned from study. So long as they don't make some modicum number of gallons/tonnes/hogsheads and keep it stocked, they haven't violated the particular language. The use of any such weapon is still considered a war crime.

ThothMarch 14, 2018 1:13 AM

@echo, Clive Robinson

Both @Clive and I already knew that it was a matter of time before the AMD PSP would hit a problem.

Both of us have been discussing the so-called "Secure Enclaves" and you can do a search on our conversation, as I do not wish to repeat so much data again.

Essentially, the AMD PSP is a descendant of the flawed ARM TrustZone design and similarly the Intel SGX is also a descendant of the flawed TZ design and similarly the same for Qualcomm QSEE/Haven, Apple's Secure Enclave and Samsung Knox. This makes any descendant implementations flawed whichever way you look at it.

It is only a matter of time before people build hardware based malware on these flawed enclave designs, and in fact Qualcomm's implementation of TZ and Intel SGX have all been found to have problems.

Whether or not it is to short the stock does not matter, as the fact remains that a castle cannot be built atop the weak foundation (TZ design) that they all share.

ThothMarch 14, 2018 1:24 AM

@echo, Clive Robinson

In fact, if you look at the AMD architecture, they have made known that they use an ARM Cortex A series chip as its "secure processor", and from the A series we know that A series chips are equipped with ARM TZ as part of the soft IP design for the chipset. This is more than enough of a "smoking gun" for those who have heard us rant about so-called "Secure Enclaves": a pretty strong link of heritage for the so-called AMD PSP, which is most likely an ARM TZ in an altered form.

On an after-thought, I wonder if those guys took the ideas from @Clive and myself via our rants against these "Secure Enclaves" here which we posted in the past and they read it.

MarkMarch 14, 2018 3:22 AM

et al,

WMDs are all covered by the ‘Wassenaar Arrangement’

Including Cryptology, which is now listed as Duel-Use.


MarkMarch 14, 2018 3:48 AM

AsiaCrypt2018 : https://www.iacr.org/meetings/asiacrypt/

Currently being sponsored by the Australian Department of Defence, Science and Technology, CSIRO & Data61, which have all been doing their best to 'CONTROL' cryptology and/or ban cryptology in Australia, since the implementation of the 2012 DTCA (Act) listing of Cryptology as a Dual-Use Good in the DSGL.

232 Members have signed the initiating petition from 2015, https://www.iacr.org/petitions/australia-dtca/

Only 11 Australians have openly signed the petition in 2015, I’m number 9 of 11 Australians, 221 of 232 signatories.

Am assuming that one and all who read here understand the consequences of the sitting government's implementation.

Up to 10 years in jail, 0.5 million in fines, etc....

ThothMarch 14, 2018 5:49 AM

@Mark

"Currently being sponsered by, The Australian Department Of Defence, Science and Technology, CSIRO & Data61"

I would guess the AsiaCrypt conference would be a highly effective tool to help 5Eyes map out all the cryptographers, and probably a gathering of other foreign intelligence units that may be present at AsiaCrypt.

Clive RobinsonMarch 14, 2018 6:01 AM

@ echo, Thoth,

Given the 24 hour disclosure period and the vulnerabilities themselves which require firmware updating and local machine access my sense was this was an attempt to cause interference for AMD to detract from Intel's problems

As @Thoth has noted there has been the odd back and forth on the subject of hardware vulnerabilities on high end CPUs recently due to both Meltdown and Spectre. But long before that, discussions on an entirely separate form of parallel processing system architecture you will find on this blog under "Castles-v-Prisons", which various of the old blog members who hardly post these days were quite active in discussing.

@Thoth and I had a couple of discussions as he formulated his own version of C-v-P based around higher level security Smart Cards. Which I'm glad he asked about and I hope he will make money off of it.

However to "ruin the party" there is a company set up by academic staff from the UK's University College London (UCL) that have taken the idea and produced a poor imitation of C-v-P, which is annoying as they give no credit as to where the original ideas come from. In the case of one of the academics (George Danezis[1]) I know he has read this blog when he was at the Cambridge Computer Labs.

You can read about their low end rip off device in a document they have produced,

http://www0.cs.ucl.ac.uk/staff/G.Danezis/papers/2017_mavroudisA.pdf

Anyway, that aside, he and I have bumped ideas on traffic analysis when he was still associating with the Cambridge Computer Labs under Ross J. Anderson.

The point is the whole Castle-v-Prison idea came about because I realised that the reason there was no real security in the computing stack below the Instruction Set Architecture (ISA) level was because, for various reasons, the hardware design engineers at Intel especially either did not know or were not allowed to use Secure Design Principles. I concluded that as there were so many of them it was probably the latter, brought about by the unrelenting specmanship that Intel had got into. Having been involved with the design of a supercomputer back in the early 1980s down to the gate level, and later doing secure communications system design, I realised just how bad things could get, hence my generalised idea of "Security-v-Efficiency" that you will find mentioned from time to time on this blog, along with "helpful hints" about what you need to consider when doing secure hardware design.

In essence unless you are very clever the more efficient you make a computing system in part or whole the more transparent you will make it, the more side channels you will create especially time based ones, oh and the greater the bandwidth these vulnerabilities will have to leak the data you are trying to protect. And that's before you need to break the habit of thinking channels are "one way".

To try and put it tactfully, it had become noticeable that Intel in particular did not have security savvy people sitting in any of the driving/command seats, and the aim of the company was being controlled by the marketing dept that wanted "go faster stripes" on everything and wanted to double up the power / transistor count every 12-18 months...

The truth is the bulk of CPU users, who are just plain consumers, no longer need the power or speed of Intel CPUs; they had moved from desktop monsters chained up by the power lead to mobile devices with boat anchor battery issues. Thus their use of less powerful CPUs but doubled-up battery life with half the battery weight.

However as I've mentioned quite recently, CPU designers have a hard limit they cannot get around, and that is how fast data can move from place to place within a computer, which has the consequence of much slower clock speeds to access the main core RAM. So they went down the various side tricks to up the data throughput on the bus. Part of reducing the latency was to use "speculative memory fetching", and that is where things have gone a bit rotten on them, as they have tried for too much efficiency without understanding what the security consequences were...

Part of the Castle-v-Prison design was to specifically get around this issue...

Anyway, as for the fact that they only gave AMD 24 hours' warning after setting up their web site etc. for a month or so, it does kind of look suspicious.

However there is no reason why they should give any notice when it comes to vulnerabilities. When you look at what Intel got up to to ensure not just a profitable Xmas but not having worthless shares on the CEO's hands, I too would go for fast publication, to try and stop the legal and other types trying a preemptive strike etc. to stop disclosure. If you think back a little, it was not that long ago when large corporates would set two hundred in house legal sharks on you rather than actually fix quite minor problems with their product. So yes I can see why they might do that; as for shorting AMD stock, well yes I'm sure there are some out there who would see profit in doing so, but to try and take some heat off of Intel, no, not unless they have a "round two" in mind to make extra profit off of Intel... Which let's be honest Intel are overly ripe for.

[1] http://www0.cs.ucl.ac.uk/staff/G.Danezis/
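A worked illustration of the "more efficient means more transparent" point in the comment above, added here as an example and not code from the comment's author or from any project mentioned on this page. It models the classic early-exit equality check: the verifier is made to report how many bytes it looked at (standing in for a timing measurement, minus the noise), an attacker recovers a constructed secret one byte at a time, and the same attack gets no signal from a comparison that always does the same amount of work. The secret token, the function names and the noise-free oracle are all assumptions of the example.

```python
"""Early-exit equality as a timing side channel, and the constant-time fix.

The comparison functions return (match, bytes_compared). In a real system
the second value would never be returned; it would be inferred from how long
the check took. Returning it directly keeps the example deterministic.
"""
import hmac

# Constructed secret held by the verifier; the attacker only sees the oracle.
SECRET = b"tok-7f3a9c"


def leaky_equals(guess: bytes, secret: bytes):
    """Stops at the first mismatching byte: the amount of work done depends
    on how long the correct prefix of `guess` is, and that is the leak."""
    if len(guess) != len(secret):
        return False, 0
    compared = 0
    for g, s in zip(guess, secret):
        compared += 1
        if g != s:
            return False, compared
    return True, compared


def constant_time_equals(guess: bytes, secret: bytes):
    """Compares every byte whatever the position of the first mismatch.
    hmac.compare_digest does the comparison; the work count is reported as
    the full length because it does not vary with the mismatch position."""
    if len(guess) != len(secret):
        return False, 0
    return hmac.compare_digest(guess, secret), len(secret)


def make_oracle(secret: bytes, compare):
    """Server side: the attacker can submit guesses and observe only what
    `compare` gives back (match flag plus the timing proxy)."""
    return lambda guess: compare(guess, secret)


def recover_secret(oracle, length: int):
    """Byte-at-a-time recovery. For each position, try all 256 values behind
    the prefix recovered so far. The single value that makes the verifier do
    strictly more work than every other value extends the prefix. If no
    value stands out, the leak is absent and recovery stops with None."""
    prefix = b""
    for pos in range(length):
        scores = {}
        for cand in range(256):
            guess = prefix + bytes([cand]) + b"\x00" * (length - pos - 1)
            ok, compared = oracle(guess)
            # A full match is the strongest possible signal, so rank it above
            # any partial-prefix count (this matters for the final byte).
            scores[cand] = compared + (1 if ok else 0)
        top = max(scores.values())
        winners = [c for c, v in scores.items() if v == top]
        if len(winners) != 1:
            return None  # every candidate looks the same: nothing leaked
        prefix += bytes(winners)
    return prefix


if __name__ == "__main__":
    leaky = recover_secret(make_oracle(SECRET, leaky_equals), len(SECRET))
    fixed = recover_secret(make_oracle(SECRET, constant_time_equals), len(SECRET))
    print("early-exit compare leaked:", leaky)      # b'tok-7f3a9c'
    print("constant-time compare leaked:", fixed)   # None
```

The attacker never needs the secret to be short or guessable: 256 queries per byte suffice as long as the verifier's work depends on the length of the matching prefix. On real hardware the `compared` count becomes a latency difference that has to be averaged out of noise, which is why the model above is only the idealised case; the fix is the same either way, a comparison whose cost is independent of the data, such as `hmac.compare_digest`.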

RatioMarch 14, 2018 7:07 AM

[...] Cryptology, which is now listed as Duel-Use.

Alongside rapiers and pistols. Ciphers at dawn.

ThothMarch 14, 2018 8:46 AM

@Clive Robinson, echo

"Which I'm glad he asked about and I hope he will make money off of it."

I am more interested in open sourcing the smart card applets if it works as it will be a very good experimental subject for more discussions and the possibility of a whole new probable way of securing codes and how we compute.

"In essence unless you are very clever the more efficient you make a computing system in part or whole the more transparent you will make it, the more side channels you will create especially time based ones"

The Prison Model I formulated on smart cards wouldn't be terribly fast either. Yes it is clustered but once you have chips trying to verify each other's computations, it is going to slow down. That being said, the Prison Model was never intended to be fast anyway as the main goal was security. My plans did not include the "Speed" factor as we all know this "Speed" factor only serves as a trip up for the "Security" factor.

I have been trying to sniff out hints of interest but it seems when presented with "Speed vs. Security" choices, the natural option is "Speed". I don't think I would make much of a cent or dime off the Prison Model because the secure computations will definitely be pretty slow but that being said, it's a very interesting proposition and experiment I wish to undertake to see if a practical solution for Prison Model built out of a cluster of Smart Cards would actually be workable and usable in real life instead of just theories.

"If you think back a little it was not that long ago when large corporates would set two hundred in house legal sharks on you rather than actully fix quite minor problems with their product."

I wonder if they have already weaponized all their exploits and spread them into the wild. I wouldn't be surprised if weaponized exploits for all these "Secure Enclaves" are already doing their job infecting hardware.

Clive RobinsonMarch 14, 2018 9:30 AM

@ Ratio,

Alongside rapiers and pistols. Ciphers at dawn.

Yup you get the throw right and,

    I cannot forecast to you the action of a rush in. It is a ride ill wrapped in a mystery inside of which an enigma; but perhaps there is a key.

(With apologies to Winston Churchill).

MarkMarch 14, 2018 9:31 AM

@Thoth maybe, but the concern highlighted since the DTCA (Act) DSGL adoption of cryptology is that in the long run the policy will (and already does) undermine the core of collaborative security research and home grown cryptology, and cause a hell of a lot of red tape / delays for no reason other than 'Australia's' adoption of the WA.

@Ratio ignore my Freudian slip, although "Cyphers at dawn" would make for an interesting comedy skit.

echoMarch 14, 2018 11:44 AM

@Thoth, @Clive

Yes, I follow these castle versus prisons discussions as best I can. It's also not unlike organisational theory of gatekeepers versus communities. There's a lot of conceptual overlap although I lack the formal language to discuss this in more precise terms. The psychology of all this is very interesting too.

I also enjoy reading Thoth's ongoing attempt to consumerise a secure off-device endpoint.

Being ripped off can be annoying. This gets (or did get) under my skin as much as jobsworths. The thing is, as has been noted on this blog and in other places too, it's one thing to copy and another thing to have the creative understanding and skill. My view is too many in the establishment professions exhibit this kind of flaw, which sends us all around the loop back to castles and prisons.

I think this kind of reasoning is why I'm keeping an open mind on the Russian thing.

HmmMarch 14, 2018 5:41 PM

"They also expose their offices as a greenscreen production using stock backgrounds."

Gotta love that.

Competing Wives, Massage in a brothelMarch 14, 2018 8:32 PM

On the topic of the extraction validation and identification of metabolites, how much blood exactly may one find in a turnip?

Micrograms, Nanograms? Assuming it's 8+ times more powerful how many mics does it take to get to the center of a shared non lethal dose of an exposure?

ThothMarch 14, 2018 9:07 PM

@echo, Clive Robinson

Whatever the on-going noise about the issue of AMD's PSP In/Security, what you are looking at is noise from both sides which serves to distract us from the issue of how much security these "Enclaves" actually provides.

Recently I had wanted to use one of these "Enclaves" due to my customer's request to work with sensitive data on their smartphones but after comparing the features, most of these "Enclaves" do not fully implement all the necessary protection and specifications that ARM TrustZone specifies in the products of derived implementations (even in implementations of big players).

What good are supposed security implementations that claim to contain "Enclave implementations" but don't cover the whole spectrum they are supposed to provide and leave so many holes?

These dramas are just part of the noise and hopefully people would actually take a good and hard look at whatever these so-called "Secure Enclave" blackboxes are in their true colours but as per usual, the NDAs with fees are the killer.

Once the noise and drama have died down, the issues with "Enclaves" would become another past event where people would be all too complacent and reluctant to look into these issues.

If these "Enclaves" could really solve the issue, then why are there still issues with mobile banking and financial apps on smartphones that are supposed to be protected with "Enclaves" still having news of breaches?

The Security Industry is still asleep in its own deluded state. That's my final conclusion, and this delusional dream is something the customers, governments and industry all had a hand in creating, along with these problems.

Back to square 1 :) .

Clive RobinsonMarch 14, 2018 10:41 PM

@ echo,

This article notes how the security company was registered and unavailability of published numbers.

Those "investigative journalist" basics appear to have caught whoever it is in a web of their own making.

Thus as you suspected there is a motive in place which I would call "profit at AMDs expense".

Thus as I indicated they have entered into a financial position that will cause them to try to continue, either that or "cut and run".

I suspect another few days will bring in sufficient evidence to show what they are up to.

The last time I saw wording like that used in the PDF it was a "Pump and Dump" type operation.

However it needs to be said this is not the first "Rodeo" of this sort. If you think back an investment organisation did similar with a Medical electronics company.

So whilst I'm going to wait for more evidence about the "alleged but unsupported" technical accusations, it certainly does look like somebody is not just "playing fast and loose with the truth", they are being deliberately deceptive in the way they are going about it. Way more than if they were worried about "shooting the messenger" type attacks...

So on balance of probability based on the little we currently have I'd say that this has a very strong "profit motive" behind it.

Clive RobinsonMarch 14, 2018 11:11 PM

@ Thoth,

Whatever the on-going noise about the issue of AMD's PSP In/Security, what you are looking at is noise from both sides

There is certainly a lot of "noise" from the other side to AMD and that the noise is a case of "over egging the pudding" on the technical side.

I would guess, to in effect "create smoke without fire", then use the smoke to hide behind having taken a "financial position". Thus in all probability it is a "Make noise to Make profit" attack.

Which as you note is a real problem,

which serves to distract us from the issue of how much security these "Enclaves" actually provides.

This can also lead on to the "little boy who cried wolf" problem.

If people read through the documents they will find what the investigative journalist found; they might not. Either way damage will be done, and somebody will make a profit on share dealing from their financial position.

In the mean time that "smoke" will cause the architecture issues with not just AMD parts but Intel, ARM and others to not just "get overlooked" but, worse, cause people to make invalid security evaluations in future. Thus any legitimate research in future may get discounted, which will have further knock on effects such as making researchers release rather more "Proof of Concept" code to get things across, thus enabling the creation of "Me too" malware as we have seen from the release of the "Shadow Brokers" information.


Clive RobinsonMarch 15, 2018 12:06 AM

@ echo, Thoth,

This "pump and dump" on AMD is not good.

Some of us on this blog know CPU architecture is --as noted here for some time-- "crap" security wise. The issue with that is we are mainly "Preaching to the Choir" not the "Congregation" on this blog.

The real problem with this is it is the latter that really need to "get the lesson" being given out, so they can be aware of what purgatory awaits them if they don't take the lesson on board.

As our host @Bruce has noted in the past, people are naturally over trusting, whilst also not thinking things through because they just want to get their work done to keep their jobs etc...

We thus have a major storm brewing. With what appears as little or nothing we can do to change the situation.

I noted that Spectre and Meltdown were "The gift that keeps giving" because to me it's fairly obvious why they have happened. Worse, whilst I can explain where the issues arose in various levels in the "Computing stack", I'm in effect powerless to do anything about it. Which I find to be very frustrating, as I'm sure others here do too.

Which leaves the question as to if there is anything we can do to change this state of affairs?

Wesley ParishMarch 15, 2018 4:19 AM

@hmmm

re: Trump fires Tillerson: I took it as proof that Donald Trump has become institutionalized as a Reality-TV host whose only meaningful interaction with the rest of humanity has been to utter those words: "You're Fired!"

I wonder what he'll say to Kim Jong-un.

As further proof that he's slipping further into the depths of second childhood:

Trump Says US May Need a 'Space Force'
https://www.space.com/39966-trump-space-force-for-us.html

(You notice he used the wrong word: anyone who knows anything about orbital dynamics and whatnot knows that he really meant to say "Space Farce". You blow up a satellite in orbit and the pieces'll still be there for quite some time to help you deny yourself access to that orbit: you disable a satellite in orbit and the chances are it'll ram one of yours quite by accident, because anyone stupid enough to disable a satellite in orbit is going to be too stupid to get out of its way. Ask NASA. And anyone stupid enough to start up a Space Farce is also going to be too stupid to keep NASA's eyes on space debris open.)

And since this is the same reality that got the space objects up there in the first place, and since NASA has been going on about space debris for over a decade, and since disabling the US ground/Earth-based military by virtue of colossal acts of stupidity is verifiably giving aid and comfort to the US's named enemies, it may be that US President Donald Trump has openly and verifiably committed High Treason to the United States of America.

(Is there a lawyer in the house? If so, please get a dictum from the local friendly Supreme Court on whether disabling the US military etc, does constitute High Treason.)

Clive RobinsonMarch 15, 2018 5:12 AM

@ Thoth,

As you know I talk fairly often ;-) about the problems with connected devices and that the "Communications End Point" (CEP) an attacker can exploit remotely is almost always capable of getting directly at the "Human Computer Interface" (HCI) with such devices. Thus a remote attacker can see any application's plaintext, as the CEP is beyond any app's "Security End Point" (SEP); the same is also true of the OS as well.

Which is why I talk about taking the SEP off any such device and into a non connected device or a human usable system such as "pen and paper" manual systems. The usual examples I give are the One Time Pad (cipher) and One Time Phrase (code) because they are known to have a reasonable proof of security.

Whilst this is true, "One Time Systems" have a significant down side which is due to KeyMan issues.

Thus something different is needed and I've suggested a modified version of the VIC system as it has interesting features and is easy to look up and read about.

Well there are other systems that use more modern techniques. I was reminded of one when passing my eye down the Hacker News site earlier.

Last year Alan Kaminsky came up with one that would be of interest to you,

https://eprint.iacr.org/2017/339.pdf

The paper is worth the read not just because of the final product, but also it goes into the thinking behind it.
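To make the one-time-pad trade-off in the comment above concrete, here is an added example (mine, not Clive's, and not the construction from the Kaminsky paper): a one-time pad in Python, a pad object that refuses to hand out the same key material twice, and what happens when that rule is broken. Reusing pad bytes cancels the key out of the XOR of two ciphertexts, and a known or guessed fragment of one message ("crib dragging") then reads the other. The two messages, the pad bytes and the crib are constructed for the demonstration.

```python
"""One-time pad: information-theoretically secure only while the pad is
random, at least as long as the message, and never reused. The second half
shows the two-time-pad failure, which is why key management dominates."""
import secrets


def otp_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). The pad must cover the
    whole message; a shorter key would have to repeat, and repetition is
    exactly what breaks the security argument."""
    if len(key) < len(data):
        raise ValueError("pad shorter than message")
    return bytes(k ^ d for k, d in zip(key, data))


class OneTimePad:
    """Pad material that can be consumed once. Used bytes are overwritten so
    a later caller cannot reuse them; once the pad runs out, fresh material
    has to be delivered out of band (the key-management burden)."""

    def __init__(self, material: bytes):
        self._m = bytearray(material)
        self._pos = 0

    @classmethod
    def fresh(cls, n: int) -> "OneTimePad":
        return cls(secrets.token_bytes(n))  # CSPRNG, never random.random()

    def remaining(self) -> int:
        return len(self._m) - self._pos

    def take(self, n: int) -> bytes:
        if n > self.remaining():
            raise RuntimeError("pad exhausted; a new pad must be exchanged")
        chunk = bytes(self._m[self._pos:self._pos + n])
        for i in range(self._pos, self._pos + n):
            self._m[i] = 0  # destroy used key material
        self._pos += n
        return chunk


# --- what goes wrong when the same pad bytes are used twice ---------------

def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """c1 XOR c2 = (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2: the key is gone."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def recover_other_plaintext(ct1: bytes, ct2: bytes, known_pt: bytes) -> bytes:
    """Knowing one message fully reveals the other over the shared length."""
    return bytes(x ^ p for x, p in zip(two_time_pad_leak(ct1, ct2), known_pt))


def crib_drag(ct1: bytes, ct2: bytes, crib: bytes):
    """Slide a guessed word along p1 XOR p2. Wherever the crib lines up with
    one message, XORing it out exposes a fragment of the other; offsets that
    yield printable ASCII are the candidates. Returns [(offset, fragment)]."""
    xored = two_time_pad_leak(ct1, ct2)
    hits = []
    for off in range(len(xored) - len(crib) + 1):
        frag = bytes(x ^ c for x, c in zip(xored[off:], crib))
        if all(0x20 <= b < 0x7F for b in frag):
            hits.append((off, frag.decode("ascii")))
    return hits


# Constructed sample messages of equal length.
MSG1 = b"MEET AT DAWN BY THE OLD MILL"
MSG2 = b"SEND THE KEY VIA COURIER NOW"


def demo(pad_bytes: bytes):
    """Encrypt both messages with the same pad bytes (the mistake) and show
    what an eavesdropper who guesses the word DAWN can read of MSG2."""
    k = OneTimePad(pad_bytes).take(len(MSG1))
    c1, c2 = otp_xor(k, MSG1), otp_xor(k, MSG2)
    return recover_other_plaintext(c1, c2, MSG1), crib_drag(c1, c2, b"DAWN")


if __name__ == "__main__":
    other, hits = demo(secrets.token_bytes(64))
    print(other)                            # b'SEND THE KEY VIA COURIER NOW'
    print([h for h in hits if h[0] == 8])   # [(8, ' KEY')]
```

Note that the recovery functions never touch the pad: the eavesdropper needs nothing but the two ciphertexts, which is the point of the `OneTimePad.take` discipline. The crib-drag output includes false positives at other offsets (any printable fragment counts), so in practice the analyst iterates, extending each promising fragment into a longer crib and dragging again.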

ThothMarch 15, 2018 5:16 AM

@Clive Robinson

re: VIC system

This will be an interesting read while enjoying a pot of tea.

Thanks.

echoMarch 15, 2018 7:34 AM

@Wesley Parish, @Clive

Brad Templeton suggests ways in which lawyers might be used productively. This essay may be worth thinking through when issues of large companies versus individuals are concerns, and may help lead to points of view on how to move discussions forward on potentially actionable security weaknesses before they become a bigger problem.


Never ask a lawyer how much lawyering you need, and other advice on the use of lawyers
http://ideas.4brad.com/never-ask-lawyer-how-much-lawyering-you-need-and-other-advice-use-lawyers

@Thoth

I read a comment under one social media article where one person asked a friend who was in the financial industry what was happening. While his friend was not an expert, he pointed out the short notice given to AMD, and very carefully targeted press releases around the time when financial news tracker bots would pick up the negativity and begin shorting the stock.

As for Dan Guido, the CEO of Trail of Bits, I have witnessed backscratching where an independent third party was used as PR cover for internal recruitment and development problems a high profile company wanted to deny.

Pardon my very slanted and sceptical view.

ThothMarch 15, 2018 8:06 AM

@echo, Clive Robinson

Whatever the conspiracy theories behind the AMD flaws (I am less interested in what people are saying about the researchers who exposed the flaws and the people who were given the vulnerabilities by the researchers), there are only two things that will happen, as @Clive Robinson has mentioned.

It is either people becoming more distrusting of flaws which is a boon for malicious actors or people becoming more concerned of flaws (for the right purposes) which is a bane for malicious actors and boon for everyone.

I find the attack vectors rather plausible, and in fact it might open a bigger gap for malicious actors to compromise the "Holy Trinity" and their so-called "Secure Enclaves", which is essentially snake oil they are marketing.

If putting some ARM chip into a chipset's North Bridge and calling it a "Secure Processor" is enough for security, then why would the militaries, governments and banks bother to use higher assurance dedicated machines for their sensitive applications instead of just running them off these "Enclaves"?

Also a note, the Apple's Secure Enclave processor is using some sort of ARM chip and AMD PSP also relies on some ARM chip architecture embedded and then go on to claim it's a "Secure Processor".

If it were that easy then Qualcomm took it a step further, probably due to realizing how frequently people were discovering flaws in the ARM TZ, and in its latest Snapdragon 845 it introduces another ARM chip architecture called the SC300, which is essentially an embedded Smart Card chip, in a bid to strengthen its security.

The main thing is not to look at the people but at the plausibility that @Clive Robinson and myself have been banging on about since years ago.

The problem is people just wouldn't listen and as usual, history definitely and inevitably will repeat itself forever.

What I hope people can take away from the ARM flaws that have been released is not the drama but the truth that these industries have been selling us snake oil security for decades, and the reason that modern computing, despite existing since the 1960s till now, has never had its security improved is the depth at which the business of selling snake oil security runs.

The hardest thing to cure is not the security side but the ignorance that has lasted for so long.

echoMarch 15, 2018 10:08 AM

@Thoth, Clive

This is a multiple domain problem as Bruce's new AI topic alludes to. I also believe this is one reason why the OURSA conference listed a range of topic areas for discussion. Discrimination cases often touch on intersectional issues and may involve inadequacy and irrational decisions. There is often a loop of stereotyping, habit, and ignorance which can take a lot of effort and time to overcome not unlike the issues Clive and yourself raise with regard to security flaws and this latest incident.

Clive RobinsonMarch 15, 2018 2:48 PM

@ echo,

Discrimination cases often touch on intersectional issues and may involve inadequacy and irrational decisions.

In my experience helping people through Industrial / employment tribunals the disputes almost always are...

echoMarch 15, 2018 4:18 PM

@clive

Divorces too including the "he said, she said" argument which seems to be doing the rounds with the Russian issue. Parliament is also in the middle of a bun fight over who should be Speaker because of partisan and career advantage.

On to more technological things. Intel is announcing it is introducing "walls" into its processors to prevent exploits while still using speculative execution techniques. This is the kind of thing I was alluding to in my comments in the AI topic when discussing formal systems to assess security. While many systems are viewed from a top down perspective by necessity, such a system should also be able to cope with ad-hoc bottom up design.

I tend to agree this is one of those over lunch discussions to mitigate linear and bureaucratic reasoning.

https://www.geekwire.com/2018/intel-says-partitions-new-chips-will-correct-design-flaw-created-spectre-meltdown/

After security researchers were able to exploit design flaws in modern processors that lay undetected for up to 20 years, Intel said it would redesign future chips to correct those flaws, and on Thursday it provided a little more information about how that will work. Starting with the Cascade Lake version of its Xeon server processors later this year, Intel will incorporate “protective walls” in its hardware that prevent malicious hackers from using speculative execution techniques to steal private information from the secure part of the processor.

echoMarch 15, 2018 6:22 PM

I won't clutter the AI topic with these links so am adding them here. By chance I watched 2001: A Space Odyssey again this week for the first time on a big screen with quality resolution. After the hustle and bustle of an always on instant world this movie was a refreshing experience. The first article which caught my eye covered 'observer selection bias', which is a lovely trot through everyday events, cosmology, and the very unpleasant concepts of 'vacuum decay' and 'quantum death'. The second article, on humankind's cultural leap, discusses that we may already have had the capacity and that a trigger was needed to stimulate us moving past cultural stagnation, with the leap facilitating the building of broad and more resilient networks mitigating resource issues.

Why Earth's History Appears So Miraculous. The strange, cosmic reason our evolutionary path will look ever luckier the longer we survive
https://www.theatlantic.com/science/archive/2018/03/human-existence-will-look-more-miraculous-the-longer-we-survive/554513/

A Cultural Leap at the Dawn of Humanity
https://www.theatlantic.com/science/archive/2018/03/a-deeper-origin-of-complex-human-cultures/555674/
When Rick Potts started digging at Olorgesailie, the now-dry basin of an ancient Kenyan lake, he figured that it would take three years to find everything there was to find. That was in 1985, and Potts is now leading his fourth decade of excavation. It’s a good thing he stayed. In recent years, his team has uncovered a series of unexpected finds, which suggest that human behavior and culture became incredibly sophisticated well before anyone suspected—almost at the very dawn of our species, Homo sapiens.

ThothMarch 15, 2018 7:46 PM

@echo, Clive Robinson

re: Intel adding additional "protective walls"

This is the reason why the industry never learns: because they do not target the problem at its roots. They are only all too busy with new marketing and sales hype.

In fact, the "Enclave" is itself a protected walled garden, but the issue is that the very architecture of the "Enclaves" at its core is the main problem, where delegating so much obscenely excess authority and access privileges to the "North Bridge" or "Enclaves" is the main issue.

How these "Enclaves" work is to implement a protective wall using multiple CPUs in the same silicon for different processing. These "Enclaves" with their overreaching access become a choke point, as they could access low level devices like RAM memory, Ethernet, Hard Disk, USB ports and so on, from which they filter the information off and hand it over to the "South Bridge" (using Intel's terminology, which is different but almost the same in other Enclave architectures descending from ARM TZ soft IP blueprints).

When the "North Bridge" or the "Super Powerful Walled Garden" gets breached, one can literally embed hardware based malware, which is akin to drug resistant viruses in a body. The "walled gardens" must guarantee very strong security and not be breached, otherwise it would compromise the entire system, but this is not the case in real life.

They could implement as many "walls" as they like which as @Clive Robinson have many times akin it to building castles on sandy and unstable grounds which is of no use when the enemies could simply dig under the castles or find other means of attacking a castle that have weakened foundations.

In fact, the "Walled Garden" of these Enclaves also contain multiple "inner walls" in the "Walled Garden". The kernel typically used to run the "Walled Garden" is some form of Minix or L4 microkernel and for the case of Intel SGX, we know that it had commissioned some modifications from the creator of Minix and quietly incorporate Minix microkernel into the "North Bridge" as it's kernel. Trusted Applications which are applications designed to be run within the "Walled Garden" have to be NDA-ed and contracted with Intel to get their Trusted Application binary certified by Intel before being allowed to load into the "Walled Garden" and each Trusted Application is suppose to be protected by the inner walls within the "Walled Garden" in an attempt to protect exploits internally in the "Walled Garden" if the soft IP blueprint were followed through.

The ARM PSP and ARM TZ, which pretty much used Trustonic's t-base product, would use the L4 microkernel as the kernel of choice for the "Walled Garden" and would have the same properties of walling off each Trusted Application, as per the theory that a separation microkernel is supposed to allow loaded signed Trusted Applications to run in each inner wall compartment without the risk of having a malicious or vulnerable Trusted Application affecting the rest.

This security assumption is thoroughly voided with the introduction of two factors, namely the obscene amount of power given to the "Walled Garden" to potentially access all low level operations, including those of the "South Bridge" a.k.a. "Userspace Kernel", and the appearance of hardware silicon vulnerabilities like the Meltdown and Spectre attacks.

The Meltdown and Spectre attacks are the classic bubbling up attack scenario, where low level vulnerabilities affect everything up the computing stack; thus no amount of additional walls would do any good if the roots of the bubbling up attacks are not fixed right away.

This is also a reason why @Clive Robinson and myself have been working on developing further the Prison Model, because we are surrounded in our day-to-day life with so many insecure devices that we have to think of a way to use multiple nodes to compute, as the "Castle" architecture used by itself is of limited protection and assurance unless used together with a "Prison" setup. My use of Smart Card clusters to implement a modified Prison model is effectively the fulfillment of the best of both worlds, as each single Smart Card node is a "Castle" and, when used in a "Prison" setup, it combines the best of both worlds in the C-And-P strategy (not C-v-P) by taking it one step further to integrate both Prison and Castle to work together.

Another option I do approve of for the Castle construct is to go with the tried and true Smart Card environment scenario as per the GlobalPlatform standards. The GP standards for Smart Cards are somewhat the same as the TZ but much older and different, with higher security and isolation in mind. The Smart Card environment does not have the concept of a super user with an obscene amount of privileges and access rights. In fact, each of the inner walls of the Smart Card environment has its own tiny universe, and there is no concept of "North Bridge" or "South Bridge", as its goal is to ensure that an affected application running in a Smart Card will only impact the small partition and not the other partitions, and definitely not other systems, because it has no access to low level operations and devices, unlike the flawed ARM TZ design; this fulfills the mitigation of the first risk I listed above, of having overwhelming privileges to the point that an affected Trusted Application may affect more than what it should be allowed. In fact, the GP Smart Card standards appeared way earlier than the ARM TZ architecture, and I am hugely surprised as to why the designers of ARM TZ never actually used the GP standardized design to fully isolate affected Trusted Applications from the other partitions and other systems it is attached to, and also made the contradicting decision of empowering the "Walled Garden" with dangerous privileges.

RachelMarch 15, 2018 8:45 PM

@ Wesley Parish

Thank you for banging your drum. I really enjoyed the percussive edge of your hand, judo style. Please continue to share as appropriate. How much of the biographical details of the character were true to meatspace?

@JG4, @Clive, @ Albert et alia

OT, won't link as unsure which source is most definitive. Interesting study into identical twins, one an ISS astronaut for 12 months, the other on earth. ISS guy's DNA changed by 7%, with changes considered permanent. Only thing that surprised me was that it was made public. Remember when they concealed all the effects of antigravity post Apollo missions for PR reasons?


@Wael hope the absence is intentional and for supportive reasons

@ Dirk Praet
we think of you and wish you continued success

Clive RobinsonMarch 15, 2018 8:58 PM

@ echo, Thoth,

It appears Linus shares a similar overall outlook as we do, but from a slightly different viewpoint.

I thoroughly agree with his viewpoint about "bug finders" and, in the security case, their diva type behaviour.

http://www.zdnet.com/article/linus-torvalds-slams-cts-labs-over-amd-vulnerability-report/

As for a simple solution to all the enclave root issues, it is "hardware segmentation", by which I mean segmentation in the TEMPEST / EmSec "segregation" sense, not Intel's original 8086 "poor man's MMU" sense of "segmentation registers" that get used to produce the external memory addresses.

If each "enclave" has its own memory in a fully segmented way, such that each enclave has a dedicated RAM chip, then one process would not be able to reach down or around to another process's memory.

To ensure this, using separate CPUs with their own dedicated memory as well makes the process a lot easier.

Especially when the CPUs and their memory are designed to a higher security level than the main CPU.

So yes, "Castles with/and Prisons" is a way to get functional improvement over "Castles-v-Prisons", which I like. Not sure what @Nick P or @Wael would think; hopefully they will drop by to have a chat about it.

C-v-P was never meant to be "cast in stone" but a research work in progress. Effectively it was just a personal exploration of ideas for a vastly improved system architecture, designed to be very much more secure but, importantly, parallel in nature, so it could be effectively scaled up.

It just happened to use Microchip's PIC processors as they were, when I started, very fast and very cheap. That is no longer the case, thus a different way should be thought of. I must admit that the likes of a $10 or less system based around the likes of a "Broadcom" chip set and USB hub, with low cost PIC chips with inbuilt USB that acted as MMU and "letterbox" style stream based communications for newer base CPU chips, had crossed my mind from time to time, as it would reduce complexity and increase communication speed immensely in about the cheapest way possible. That said, Smart Cards would reduce the physical footprint immensely whilst also offering an easy hardware upgrade path.

The fact that you can get not just quite powerful hardware with a very standard hardware interface, but that it also has a degree of security certification as well, all relatively cheaply and quite small, makes secure USB based cards more than just desirable; they effectively "future proof" many parts in the community.

Gerard van VoorenMarch 16, 2018 6:28 AM

@ Clive Robinson,

About the Linux kernel: The question right now is to ask "what can they do"? I mean, it's such a massive code base, the kernel, and with the zillion closed source "enhancements", just to get for instance the wifi working. And they can't just simply start over, the only thing to do is massive refactoring, which got us to today in the first place...

Well, I don't have the answer but IMO it isn't gonna be "nice".

echoMarch 16, 2018 10:37 AM

@Clive

I perceive similar issues across multiple industries to lesser or greater degrees. If the subject and industry were changed, Linus could be talking about the medical industry, where a lot of narrow minded prima donna behaviour occurs and the concept of "do no harm" is a pretext for dogma and sitting on one's backside. They have no idea of 'risk management' other than working to a box tick so they can claim a 'get out of jail free card' when litigated against. Not every 'medical professional' is like this, as indeed not every security researcher or other specialist is like this, but when it occurs I would hope people take a pause.

@Gerard van Vooren

Nobody, especially bureaucracies, likes refactoring. (The C++ committee dug itself a progressively deeper hole from the beginning which it can't extract itself from, and Clive's comments on the WWWC heading the same way seem reasonable.)

Because the UK is institutionally not very candid, I feel forced to always turn to American sources. This short video on NASA versus SpaceX illustrates the different mindsets.

Dan Rasky: SpaceX's Rapid Prototyping Design Process
https://www.youtube.com/watch?v=SMLDAgDNOhk
Dr. Dan Rasky worked as a Senior Scientist for NASA on COTS. Commercial Orbital Transportation Systems (COTS) was a NASA-industry partnership to develop safe, affordable, reliable space transportation access to Low-Earth Orbit. NASA was the lead investor in the COTS project, much different from traditional government-owned and operated systems. The COTS lessons are applicable to similar capability development projects and may not be suitable for traditional government contracts.

echoMarch 16, 2018 11:09 AM

@Rachel

It seems from the media rush to write a headline we have been misinformed. It seems changes in 'gene expression' are not unusual on Earth and are driven by environmental reasons (or activities such as SCUBA diving). A number of other changes were noted, including composition of intestinal bacteria.

No, space did not permanently alter 7 percent of Scott Kelly’s DNA
There's a lot of miscommunication going around
https://www.theverge.com/2018/3/15/17124312/nasa-twins-study-dna-scott-kelly-international-space-station

The protective caps on the ends of his DNA strands, known as telomeres, increased while in space. But space didn't permanently alter 7 percent of his DNA.

RatioMarch 16, 2018 2:40 PM

Police launch murder inquiry over death of Nikolai Glushkov:

Police have launched a murder investigation into the death of the Russian businessman Nikolai Glushkov after a pathologist concluded he died from compression to the neck, suggesting he may have been strangled by hand or ligature.

[...]

In a sign that the Glushkov case is also becoming politicised, Russia’s [I]nvestigative [C]ommittee announced on Friday that it had opened a murder investigation into the death.

Clive RobinsonMarch 16, 2018 2:50 PM

@ Gerard van Vooren,

Well, I don't have the answer but IMO it isn't gonna be "nice".

Certainly not in the supposedly "first world" that is so addicted to its ICT, where people show all the signs of addiction, not just at a personal level but all the way up through companies and government entities...

However, those pushing goats up hill "not so much as you'd notice".

Thus the real problem is "It is a First World Sickness" for which as yet there is no medication. Thus it leaves entire societies extremely vulnerable...

I could point the finger at Management, Accountants and Share Holders, but that would be like putting a bandaid on a broken leg...

Wesley ParishMarch 18, 2018 12:57 AM

@Rachel

Glad you enjoyed it.

How much of the biographical details of the character were true to meatspace?

I have been to Narrabundah College - it is a very nice secondary school campus on the east side of Canberra. I've never been an RAAF officer, though I did consider that as a career while I lived in Canberra. The interactions between Thomas and Helen O'Keefe are of course purely imaginary. :)

I've been seriously tempted to write a novel as a sequel to it - revolving around the question of whether the USN gal is looking at Thomas as a woman at a man, or as a gourmet at lunch ...

Wesley ParishMarch 20, 2018 4:11 AM

@Rachel

Completely Off-Topic, natch: I'm wondering if I can ask a favour of you?

If possible, could you translate my little story "You Can't Always Get What You Want" into French and attempt to interest some French magazine or other in publishing it? I'm curious about the French reaction to some of the toxic aspects of the standard Western obsession with pterorism: in the Anglophone world we don't hear much of the Francophone world, and too often it sounds like we're stuck in an echo chamber. (If there are any royalties from such a sale, they'd be yours in return for the effort you put in.)

Thanks

bttbMarch 29, 2018 4:05 PM

Regarding comparing DVD checksums between a downloaded Knoppix iso and a Knoppix DVD found in a magazine

@Cassandra wrote:
"You raise a very important and subtle question. The simple, and quite possibly incorrect, answer is to run a checksum program on the DVD and compare the calculated checksum with the one published on the Knoppix web-site. However, ultimately, it is turtles all the way down.

There are three checksumming methods in general use for doing what you want:

md5
sha1
sha256"

All three appeared to match the Knoppix mirror values. For example:
A) in Downloads $ openssl dgst -md5 KNOPPIX*.iso
B) in Downloads $ openssl dgst -sha1 KNOPPIX*.iso
C) in Downloads $ openssl dgst -sha256 KNOPPIX*.iso

"The results of checksumming a Knoppix 8.1 ISO image are available on the various download mirrors where Knoppix itself is available - for example, http://mirror.switch.ch/ftp/mirror/knoppix/DVD/ "

I also compared sha256 result from there to a 'https' site:
https://mirror.koddos.net/knoppix-dvd/

"How to checksum an ISO image and verify that it is legitimate is covered in the Knoppix downloading FAQ here: Knoppix Downloading FAQ

However, note that you do not have an iso image, but an actual physical DVD, so you need to be aware of a couple of things.

1) You do not necessarily know that the Knoppix 8.1 on the DVD is meant to be exactly the same as the Knoppix 8.1 you can download. There could be minor differences which change the checksum. On the other hand, if the DVD and the ISO contain exactly the same data, the checksum will be the same - so if the checksums do match, you can use the procedure in the FAQ."

Here I got 'lucky'.
1)$ mount --> told me the DVD was /dev/disk2
2)$ openssl dgst -sha256 /dev/disk2
was run using Knoppix from the magazine and a burned dvd from the downloaded Knoppix iso. I think I ran 2) with -md5 and -sha1, too.
3) The results from 2) between the magazine Knoppix and the locally burned Knoppix appeared to be the same, but different from A) to C) above.

"2) The layout of data on the DVD can be (and often is) different to the layout of an ISO image file on a disk. Essentially, one or the other can be padded with zeros so that the data fits exactly into an integer multiple of the minimum block size of the device the data is stored on. If the checksum program reads all the storage blocks including the zero padding, then if the block-sizes are different, you will get checksums that do not match. You are not the first to come across this issue, and solutions are outlined here, as you yourself found: Calculate md5sum of a CD/DVD"

I got stuck trying to verify things here with OSX, I think, but since the checksums appeared to match with 2) above I moved on, eventually.

"Verifying the checksum using md5, sha1 and sha256 and verifying the PGP signature are probably 'good enough' for your purposes. However, if you are the subject of interest of people who can influence your Internet connectivity and physical post, it is difficult to ensure the information you obtain through those methods is untampered with, which is why I made my 'turtles all the way down' comment.

Clive Robinson's comments about using software from magazine covers (assuming the magazine is bought from a random vendor) ensure that it is less likely that you will receive software that is specifically tailored for you. It does not protect against generic tampering.

Note that the checksumming programs, and PGP signature verification programs you use should also be trusted by you, so you would need to think about where you source those from, and indeed, the status of the computer you execute the programs on. The precautions you take will depend upon your level of (justified or not) paranoia. If you are an average law-abiding citizen, then downloading a couple of well known 'Live CD' or 'Live USB' Linux or BSD distributions and using the checksumming and PGP programs included with them is probably 'good enough'.

Cassandra"

Thanks
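The padding mismatch Cassandra describes in point 2) above, shown with a small added shell example that is not from this thread or from Knoppix: a constructed "ISO" and a constructed zero-padded "DVD" hash differently when read in full, but match when the medium is hashed over the ISO's byte count only. The file names and payload are made up; on a real system the second argument would be the block device (for example bttb's /dev/disk2).

```shell
#!/bin/sh
# Added example (not the thread's or Knoppix's own code). Shows why
# 'openssl dgst -sha256 /dev/disk2' can differ from the digest of the ISO
# that was burned, and how to compare only the ISO-sized prefix of the medium.
# Uses constructed temp files in place of a real DVD device so it runs offline.

# SHA-256 of a whole file or device, as the full-device check in the thread does.
sha256_full() {
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# SHA-256 of only the first $2 bytes of $1, so zero padding after the ISO
# data on the medium is ignored.
sha256_prefix() {
    head -c "$2" "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

# Build the constructed fixtures: same payload in both, but the "DVD" is
# padded with zeros up to the next multiple of a 2048-byte sector.
# Prints the temp directory holding constructed.iso and constructed.dvd.
make_fixtures() {
    dir=$(mktemp -d)
    iso="$dir/constructed.iso"
    dvd="$dir/constructed.dvd"
    printf 'constructed ISO payload (hypothetical content)' > "$iso"
    cp "$iso" "$dvd"
    size=$(( $(wc -c < "$iso") ))
    pad=$(( (2048 - size % 2048) % 2048 ))
    head -c "$pad" /dev/zero >> "$dvd"
    echo "$dir"
}

# Returns 0 when the medium ($2) carries exactly the ISO's ($1) bytes,
# judged over the ISO's own length rather than the medium's full length.
verify_medium() {
    iso_size=$(( $(wc -c < "$1") ))
    [ "$(sha256_full "$1")" = "$(sha256_prefix "$2" "$iso_size")" ]
}

# Demo on the constructed fixtures.
d=$(make_fixtures)
echo "ISO (full):             $(sha256_full "$d/constructed.iso")"
echo "DVD (full, padded):     $(sha256_full "$d/constructed.dvd")"
if verify_medium "$d/constructed.iso" "$d/constructed.dvd"; then
    echo "DVD matches ISO when compared over the ISO's size"
else
    echo "DVD does NOT match ISO"
fi
rm -rf "$d"
```

The full-device digests differ only because of the trailing zeros; if the prefix comparison also fails, the medium really does carry different data.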

bttbMarch 29, 2018 4:22 PM

@keiner

"To me it is not 100% clear what you want to "confirm" by this exercise."

In hindsight, I think I wanted to confirm my 'standard' procedure (download iso, PGP verify (sort of), use of checksums, and so on, appeared to match to a physical Knoppix DVD in a magazine purchased at a retail location.

bttbMarch 29, 2018 4:24 PM

@Lycos
"1/6/2016, fatally-weak-md5-function-torpedoes-crypto-protections-in-https-and-ipsec"
Thanks


bttbMarch 29, 2018 4:30 PM

@Gunter Königsmann

"If the internet provider exchanges both the program and the md5 (https://m.heise.de/security/meldung/Opera-VLC-WinRAR-7-Zip-Skype-Tuerkischer-Provider-ersetzt-Downloads-durch-Spyware-3990285.html) checking the checksum won't help. If the CD was made with someone with a different provider it will maybe."
Thanks

bttbMarch 29, 2018 4:41 PM

@WhiskersinMenlo wrote

"@Cassandra

A DVD can sit and the researchers can work on validating it and the contents.
If nothing else sitting on the shelf for a month can do no harm and still allow
checking by canary users.

Containers and VMs can allow mixed system cross validation.

It is not silly to boot a read only live-DVD from two years ago and use it
to validate the latest DVD image download.
It is not silly to keep that old laptop and use it only (behind a firewall
or air gap) to build the check and install bootstrap tools to improve the
confidence of the new distribution.

While it is common to say that it is turtles all the way down some
of the turtles can be snapping turtles and some of the turtles can stand
on hippos, alligators and crocodiles.

Mono culture was one of the reasons the Dutch Elm disease killed so many elms
so quickly. Had cities large and small planted a mix of alternating trees some
culling might have stopped or drastically slowed the progress of the infection.
https://www.forestry.gov.uk/fr/beeh-9u2k3p
Chestnuts too.

This mono culture problem is way too much like the current operating system and
communication tool set. The success of Microsoft gives joy to those that wish
to hack and attack. Like Apple should Microsoft allow the escape of software crypto keys
a lot is lost.

Oh and do not forget the flood of IOT devices that like the Trojan Horse need only carry
a small set of tools to get behind the well locked gates and open them to let the larger
army in."

Thanks for that post to Cassandra



Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.