Friday Squid Blogging: Giant Squid Stealing Food from Each Other

An interesting hunting strategy:

Off of northern Spain, giant squid often feed on schools of fish called blue whiting. The schools swim 400 meters or less below the surface, while the squid prefer to hang out around a mile deep. The squid must ascend to hunt, probably seizing fish from below with their tentacles, then descend again. In this scenario, a squid could save energy by pirating food from its neighbor rather than hunting its own fish, Guerra says: If the target squid has already carried its prey back to the depths to eat, the pirate could save itself a trip up to the shallow water. Staying below would also protect a pirate from predators such as dolphins and sperm whales that hang around the fish schools.

If a pirate happened to kill its victim, it would also reduce competition. The scientists think that's what happened with the Bares squid: Its tentacles were ripped off in the fight over food. "The victim, disoriented and wounded, could enter a warmer mass of water in which the efficiency of their blood decreases markedly," the authors write in a recent paper in the journal Ecology. "In this way, the victim, almost asphyxiated, would be at the mercy of the marine currents, being dragged toward the coast."

It's called "food piracy."

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on March 23, 2018 at 4:06 PM • 125 Comments

Comments

A Very Nice Human Being • March 23, 2018 7:09 PM

Yo,

how to block Facebook by altering the “hosts” file on your computer:

https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all

block the DNS lookups of all the various IP addresses used by Facebook on its servers around the world (“0.0.0.0”)

The Hacker News commentariat:

https://news.ycombinator.com/item?id=16632677

this is far superior to using a browser plug-in.


jmdugan has hosts file modifications for Facebook and also Google, Microsoft, Pinterest and Cloudflare (which may have unintended consequences)

To get all the text files go to a directory you want to store them in and execute:

git clone https://github.com/jmdugan/blocklists

This will place a directory named blocklists in your desired location. The hosts file modifications are then in the directory blocklists/corporations.

you can obtain git for your operating system at
https://git-scm.com

Bear in mind Microsoft subverts DNS blocking at the OS level
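
A check worth running before pasting any third-party hosts list into /etc/hosts, added here as an example (it is not the commenter's code and not from the jmdugan repository): every address in a blocklist must be a sink such as 0.0.0.0 or 127.0.0.1, because a tampered or mistaken list that maps a name to any other address silently redirects that name to a host of the list author's choosing. The blocklist text inside the script is constructed for illustration and is not the real Facebook list; the marker comments, the hostname regex and the function names are assumptions.

```python
"""Validate a hosts-format blocklist before merging it into /etc/hosts.

Added example, not from the original thread or from the jmdugan repo.
The blocklist text below is constructed for illustration and is not the
real Facebook list.
"""
import ipaddress
import re

# A hosts line is "<address> <hostname> [<hostname> ...]".  In a blocklist
# every address must be a sink: a third-party file that maps a name to any
# other address would redirect that name to a host of its choosing, which
# is the main risk of pasting someone else's hosts entries.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Hostname labels: 1-63 chars of letters, digits and hyphens, no leading or
# trailing hyphen, whole name at most 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

BEGIN_MARK = "# BEGIN managed blocklist"   # assumed marker lines
END_MARK = "# END managed blocklist"

SAMPLE_BLOCKLIST = """\
# constructed sample, not a real list
0.0.0.0 facebook.com
0.0.0.0 www.facebook.com
0.0.0.0 facebook.com               # duplicate: dropped silently
127.0.0.1 fbcdn.net                # loopback sink: accepted
192.0.2.10 graph.facebook.com      # rejected: not a sink address
0.0.0.0 localhost                  # rejected: would change loopback resolution
0.0.0.0 -bad.example               # rejected: invalid hostname
"""


def parse_blocklist(text):
    """Return (accepted hostnames in order, [(line, reason), ...] rejected)."""
    accepted, seen, rejected = [], set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            rejected.append((raw, "not an IP address"))
            continue
        if addr not in SINK_ADDRESSES:
            rejected.append((raw, f"{addr} is not a sink address"))
            continue
        if not names:
            rejected.append((raw, "no hostname"))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name == "localhost" or not HOSTNAME_RE.match(name):
                rejected.append((raw, f"refusing hostname {name!r}"))
            elif name not in seen:
                seen.add(name)
                accepted.append(name)
    return accepted, rejected


def merge_into_hosts(hosts_text, hostnames, sink="0.0.0.0"):
    """Insert or replace the marked block so re-runs never duplicate entries."""
    block = [BEGIN_MARK] + [f"{sink} {h}" for h in hostnames] + [END_MARK]
    lines = hosts_text.splitlines()
    if BEGIN_MARK in lines and END_MARK in lines:
        start, end = lines.index(BEGIN_MARK), lines.index(END_MARK)
        lines = lines[:start] + block + lines[end + 1:]
    else:
        lines += [""] + block
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    good, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    for line, why in bad:
        print(f"rejected: {why}: {line.strip()}")
    print(merge_into_hosts("127.0.0.1 localhost\n", good), end="")
```

Run it as root with the real file (read /etc/hosts, call `merge_into_hosts`, write the result back) and re-run it whenever the upstream list changes; the marker block keeps repeated runs idempotent, and any rejected line should be reviewed by hand rather than trusted.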

Kilroy • March 23, 2018 7:42 PM

Even Bruce has a Facebook page! https://www.facebook.com/bruce.schneier

Anyway, you need to not only hosts file FB, but use your firewall to block ALL of their IP ranges, and there are a lot.

Here's a good start from github: https://gist.github.com/Whitexp/9591384

Elon Musk is a pretty smart guy. Just today, he wiped the company's FB account entirely. Seems like another smart move to me.

Anyway, Mr. Z. is saying the same old stuff he always says when caught screwing the dog. He will say the same stuff next time. Don't wait around to feel treated like a dog.

Ditch FB.
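
Blocking a provider at the firewall means turning its published address ranges into a rule set, and lists like the one linked above usually contain overlapping prefixes and start-end ranges. The script below is an added example (not the commenter's code and not from that gist): it parses such a list, collapses it into the minimal set of prefixes per address family, and renders an nftables ruleset with interval sets and an output chain that drops traffic to them. The ranges in it are the RFC 5737 and RFC 3849 documentation prefixes, constructed to show overlap; they are not Facebook's addresses. Table and set names are assumptions.

```python
"""Collapse published address ranges into minimal CIDRs and emit an nftables
set that drops traffic to them.

Added example, not from the thread or from the gist linked above.  The
ranges below are documentation prefixes chosen to show overlap and the
start-end form; they are not Facebook's addresses.
"""
import ipaddress

SAMPLE_RANGES = """\
# constructed sample: one entry per line, CIDR, start-end or bare host
192.0.2.0/25
192.0.2.128/25          # adjacent to the line above: collapses to a /24
192.0.2.0/24            # overlaps both: redundant
198.51.100.0-198.51.100.255
203.0.113.77            # bare host, treated as /32
2001:db8::/32
2001:db8:1::/48         # inside the /32: redundant
"""


def parse_ranges(text):
    """Return IPv4/IPv6 networks from CIDR, start-end or bare-host lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "-" in line:
            start, end = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets):
    """Merge adjacent and overlapping prefixes, separately per address family
    (collapse_addresses refuses mixed families, and nft sets are typed anyway)."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)), list(ipaddress.collapse_addresses(v6))


def render_nft(v4, v6, table="filter", set_prefix="blocked"):
    """nftables ruleset text: interval sets plus an output chain dropping to them."""
    def elements(nets):
        return ", ".join(str(n) for n in nets)

    lines = [f"table inet {table} {{"]
    if v4:
        lines += [f"    set {set_prefix}4 {{", "        type ipv4_addr", "        flags interval",
                  f"        elements = {{ {elements(v4)} }}", "    }"]
    if v6:
        lines += [f"    set {set_prefix}6 {{", "        type ipv6_addr", "        flags interval",
                  f"        elements = {{ {elements(v6)} }}", "    }"]
    lines += ["    chain output {", "        type filter hook output priority 0; policy accept;"]
    if v4:
        lines.append(f"        ip daddr @{set_prefix}4 drop")
    if v6:
        lines.append(f"        ip6 daddr @{set_prefix}6 drop")
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    v4, v6 = collapse(parse_ranges(SAMPLE_RANGES))
    print(render_nft(v4, v6), end="")
```

Write the output to a file and load it with `nft -f`; because the sets use `flags interval`, a later list can be loaded by replacing the set elements rather than rewriting rules, and collapsing first keeps the sets small and makes accidental overlaps visible before they reach the kernel.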

A Very Nice Human Being • March 23, 2018 7:57 PM

Kilroy

Thank you

Perhaps he/they don't care about Trump, don't care about data or users or X or Y consequence? But they are just genuinely truly truly sorry, they were caught & in public?


Thoth • March 23, 2018 11:05 PM

@Clive Robinson

I am thinking of a manually operated gear and cogs style LC4. It will make using it easier.

Regarding the Power 9 processor from IBM, not sure how it will fare security wise. It is another CPU built for speed, not security.

Hmm • March 23, 2018 11:12 PM

https://www.nytimes.com/2018/03/23/world/europe/cambridge-analytica-search-london-facebook.html

British investigators on Friday night searched the London offices of Cambridge Analytica, the data-analytics company that harvested data from 50 million Facebook users to develop psychological profiles on behalf of political campaigns, including that of President Trump.

About 20 investigators from Britain’s data watchdog, the Information Commissioner’s Office, descended on the company’s offices on New Oxford Street after obtaining a search warrant from the High Court.

“We are pleased with the decision of the judge, and the warrant is now being executed,” the office of the information commissioner, Elizabeth Denham, said in a statement. “This is just one part of a larger investigation into the use of personal data and analytics for political purposes. As you will expect, we will now need to collect, assess and consider the evidence before coming to any conclusions.”

#You still have facebook?

James Dean • March 24, 2018 3:32 AM

Stones as a school security solution. No kidding.

http://www.bbc.com/news/world-us-canada-43523797

Blue Mountain School District Superintendent David Helsel told state lawmakers earlier this month that some classrooms had been given river stones to throw at attackers.

He said the stone defence was intended as a last resort if evacuations failed.
The unlikely defence was revealed amid a national discussion on gun violence.

The national gun debate was re-ignited after 17 people died in a school shooting in Parkland, Florida, last month.

https://www.huffingtonpost.com/entry/teens-killed-since-parkland_us_5ab54cd5e4b0decad049d34c

73 teens shot in weeks since the incident in Parkland.

https://qz.com/898207/the-psychology-of-why-americans-are-more-scared-of-terrorism-than-guns-though-guns-are-3210-times-likelier-to-kill-them/

https://www.washingtonpost.com/blogs/plum-line/wp/2018/03/02/this-major-new-report-on-gun-deaths-should-shock-and-anger-us-all/

https://www.cnn.com/2017/10/03/americas/us-gun-statistics/index.html

P • March 24, 2018 5:35 AM

Editing hosts files is old school and has to be done for each computer. A much better solution is to run pi-hole on a raspberry pi and protect every device without installing software or editing files. Pi-hole can also run on docker or a VM.

Pi-hole.net

Installs with one command, then just point your router's DNS setting to it.

Kilroy • March 24, 2018 6:23 AM

@P

re: Pi-hole

Good tip. It does remind me of the olden days when consumer routers could be used to firewall by wan address. Quite impossible now with my new-ish netgear. And, the site block feature only works sometimes. Meanwhile, it's been found some expensive high end routers, with firewalls, have been compromised up the kazoo.

As for the pi-hole solution: Learning a whole new hardware technology probably won't get a big following. I briefly reviewed the set-up on pi-hole and noted the usual vast gaps of nothingness to get it working. I am sure to cover those gaps there are several helpful comments that in effect say, "format and re-install everything".

Back to routers, I am pretty sure consumer routers are easily compromised these days. Mine goes nuts fairly often. Changing the password and some other tweaks seem to help for awhile.

moz • March 24, 2018 6:31 AM

Ismar's link is unfortunately broken but the article is still findable by search if you like to study these things. Summary: The Cambridge Analytica story is overblown / the breach wasn't a breach because other developers (ab)used it too / Obama used Facebook too (getting consent but not really telling people what for) so whatever Cambridge did with Facebook is okay / conclusion: maybe just maybe Facebook data isn't as powerful as the experts think.

The primary value seems to be as a clear case of whataboutery. Trying to equate legal data use, which most of the commenters on this blog would be unhappy about and which was aimed at increasing own voter turnout, with illegal data use designed to reduce opponent turnout is very telling of a loss of moral authority by one group. Stating as fact things supported only by Cambridge Analytica press statements and which appear to be deliberately misleading (Trump probably didn't "use" the original Cambridge Facebook data which would already be out of date, instead he probably used the model derived from it matched to up to date data) shows that medium.com lacks basic journalistic standards.

If you want to understand what Cambridge was trying and probably partially succeeding in doing these tweets from a Google AI expert probably help. It's likely that soon that will be a power reserved for Facebook. Don't be distracted by the moving cups.

JF • March 24, 2018 8:38 AM

@moz

"The primary value seems to be as a clear case of whataboutery."

Correct. The distinction between what Obama's campaign had done and what Cambridge Analytica did is substantial on at least two fronts. First, Obama's campaign efforts were not secretive, and were paid for out of campaign funds. CA's efforts were secretive, apparently used illegally obtained personal data, and second, also probably violated campaign finance reporting rules on in-kind contributions.

Additionally, there is question about the legality of foreign nationals' work on a presidential campaign.

Clive Robinson • March 24, 2018 9:49 AM

@ JF,

Additionally, there is question about the legality of foreign nationals' work on a presidential campaign.

I know Barack Obama had UK nationals working on part of his re-election campaign.

Thus I suspect if it is illegal it is a question as to what position they hold within the organisation. In the case of the UK nationals I know of they were in effect high school/college students from a South London School who had won the chance to be involved as volunteers.

http://youngcitizens.weebly.com/camilla-yahaya.html

Coyne Tibbets • March 24, 2018 10:42 AM

I have a general complaint. I do not like software that pops up anonymous dialogues asking for sign on. (I'm talking about you Microsoft.)

Where I'm working now I'm kind of straddled halfway between two different Microsoft domains; I sign in on one domain and my email is in another domain. As a result, and despite the fact that Outlook and Skype have both been told otherwise repeatedly, they pop up dialogues for me to sign in to the correct domain. But those dialogues do not say whether I'm signing into Outlook or Skype or something else. Worse, I have received pop-ups from other software, that I didn't even know what it was, and from browser sessions that look similar, that I have refused to even use because I didn't know what I was accessing.

The dialogue should at least say something like, "Signing into Outlook," (or Exchange or Skype); anything else is a risk for phishing.

But even that would really not be enough. I need the OS to certify what I'm signing into. Like it's done with https.

bttb • March 24, 2018 10:44 AM

Three things from the Electronic Freedom Foundation

https://www.eff.org/deeplinks/2018/03/how-change-your-facebook-settings-opt-out-platform-api-sharing

https://www.eff.org/deeplinks/2018/03/how-congress-censored-internet ; SESTA/FOSTA

https://www.eff.org/deeplinks/2018/03/responsibility-deflected-cloud-act-passes
"And, as we wrote before, this is how the CLOUD Act could work in practice:

London investigators want the private Slack messages of a Londoner they suspect of bank fraud. The London police could go directly to Slack, a U.S. company, to request and collect those messages. The London police would not necessarily need prior judicial review for this request. The London police would not be required to notify U.S. law enforcement about this request. The London police would not need a probable cause warrant for this collection.

Predictably, in this request, the London police might also collect Slack messages written by U.S. persons communicating with the Londoner suspected of bank fraud. Those messages could be read, stored, and potentially shared, all without the U.S. person knowing about it. Those messages, if shared with U.S. law enforcement, could be used to criminally charge the U.S. person in a U.S. court, even though a warrant was never issued.

This bill has large privacy implications both in the U.S. and abroad. It was never given the attention it deserved in Congress."

echo • March 24, 2018 10:51 AM

There is a strong link between lack of education about an issue and unlawful decisions and discrimination. Irrational fear and poor communication may also be factors.

https://www.theguardian.com/us-news/2018/mar/23/donald-trump-transgender-military-ban-white-house-memo
The White House has announced orders to formally ban transgender people from serving in the military, following up on Donald Trump’s controversial policy pledge that sparked widespread backlash last year from civil rights groups and US defense chiefs.

Ricky Gervais' new 'transphobic' jokes are causing outrage
https://www.indy100.com/article/ricky-gervais-transphobic-joke-netflix-special-transphobia-8269016

bttb • March 24, 2018 10:58 AM

And one thing from the New York Times, 9:59 ET

"Justice Dept. Revives Push to Mandate a Way to Unlock Phones"
https://www.nytimes.com/2018/03/24/us/politics/unlock-phones-encryption.html
"Against that backdrop, law enforcement officials have revived talks inside the executive branch over whether to ask Congress to enact legislation mandating the access mechanisms. The Trump White House circulated a memo last month among security and economic agencies outlining ways to think about solving the problem, officials said."
[snip]
"The deliberations shed new light on public remarks by Trump administration officials in recent months. In October, Mr. Rosenstein, the deputy attorney general, argued in a speech that permitting technology companies to create “warrant-proof encryption” was endangering society.

“Technology companies almost certainly will not develop responsible encryption if left to their own devices,” he said. “Competition will fuel a mind-set that leads them to produce products that are more and more impregnable. That will give criminals and terrorists more opportunities to cause harm with impunity.”

And Mr. Wray, the F.B.I. director, has twice given speeches this year in which he pointed to Symphony, an encrypted messaging system for banks. Pushed by a state regulator, several banks agreed to give copies of their Symphony keys to law firms. Because Symphony keeps a copy of encrypted data on its servers, that arrangement created a backup means for investigators to gain access to the messages if necessary.


“At the end, the data in Symphony was still secure, still encrypted, but also accessible to the regulators so they could do their jobs,” Mr. Wray told a cybersecurity conference in Boston this month. “I’m confident that by working together and finding similar areas to agree and compromise, we can come up with solutions to the ‘going dark’ problem.”

The Symphony approach, however, would not work for millions of ordinary smartphone users. But one alternative being worked on by Mr. Ozzie and others is receiving particular attention inside the government.

The idea is that when devices encrypt themselves, they would generate a special access key that could unlock their data without the owner’s passcode. This electronic key would be stored on the device itself, inside part of its hard drive that would be separately encrypted — so that only the manufacturer, in response to a court order, could open it.

Law enforcement officials see that idea as attractive in part because companies like Apple are already trusted to securely hold special keys permitting them to push operating system updates to devices like iPhones.

Still, Ms. Landau argued that creating such a system would create significant additional security risks. She noted, among other things, that updates are relatively rare but police would want seized phones opened every day — so many more tech company employees would need access to the powerful new keys, increasing the risk of theft or abuse.

The Obama administration never agreed on asking for legislation mandating access mechanisms. Military and cybersecurity agencies worried that weakening security would create new problems, and commerce officials worried about quashing innovation and making American tech products less competitive.

Still, in 2016, the Obama administration’s deliberations also came to focus on the idea of access keys on devices, a participant said, but stalled because of difficult technical questions about the details. They included how to prevent criminals from deleting the access keys on their devices or from using phones that do not have the mechanism because they run on outdated software or were built for foreign markets.

But one Justice Department official familiar with the deliberations contended that it might not be necessary to come up with a foolproof system, arguing that a solution that would work for ordinary, less-savvy criminals was still worth pursuing. ..."

bttb • March 24, 2018 11:05 AM

When using 'free' WIFI on a laptop, Apple and non-Apple hardware, as a general rule is it better to use:
1) battery power
2) ac power with battery removed
3) it doesn't matter
4) other?

echo • March 24, 2018 11:20 AM

@bttb

So the issue is the high ups decided watering down security was a bad idea and that the focus should be on capturing the low hanging fruit? None of the assaults on security is about "national security" but petty criminals and half baked opportunists, and middle manager types in the state sector who want to outsource the work of doing their own job to the criminals they expect to catch while neglecting to mention this may justify a budget cut?

The UK police have similar issues. They are only just now beginning to grasp the idea of "intersectionality" and the fact the general population is by and large better educated than the police. I have sat in a room with police officers and had these discussions including linking unlawful behaviour with discrimination data in an attempt to get the police to codify this in a position statement or report, and the police went around the houses and bragged then dumped the work they should be doing on my lap which wasn't the point of the meeting. The police also have the cheek to issue position statements in the media asking more people to come forward but the reality as studies and my own experience prove is that you may as well talk with a brick wall.

I complained years ago about the police and other involved organisations' inability to join the dots in case meetings. The letter from the police denied this yet six months later the National Audit Office produced a report which confirmed the view that case meetings were inadequate. (Did I receive an apology? No.) What is even more unbelievable is only this year there was an enquiry into a very serious incident where the police and local authority were identified as being at fault and their best response was they would "produce a policy" to address these issues. This was a decade after my initial complaint and they only did this because they had been caught red handed at fault when somebody had died!

Hmm • March 24, 2018 11:40 AM


@bttb

"Predictably, in this request, the London police might also collect Slack messages written by U.S. persons communicating with the Londoner suspected of bank fraud. Those messages could be read, stored, and potentially shared, all without the U.S. person knowing about it. Those messages, if shared with U.S. law enforcement, could be used to criminally charge the U.S. person in a U.S. court, even though a warrant was never issued."

That's how it is already, so "predictably" sure does apply.

If you communicate over national border lines, you subject that to many sets of laws.
If you're communicating with someone credibly accused of a crime, that can be caught up.

In the US for example if a police officer 'in good faith' comes across evidence of a crime in the erstwhile exercise of their duties, it's usually fair game even without a warrant.

It's kind of a similar situation if a foreign government passes along evidence of a crime from one of their investigations, although local prosecutors still have to make individual determinations to bring local charges based on the strength of evidence.

@Keiner

I don't know about the death penalty over there, but it sure makes Roger Stone look like more of a dumbass than his Nixon tattoo ever could. *zing*

https://motherboard.vice.com/en_us/article/a3ygmp/guccifer-2-russian-military-intelligence-gru-vpn

It wasn't just failure to activate his VPN that one time, that was the cherry on top.
Get enough eyeballs on your every word choice and lying becomes all the more difficult.
Gucci at least seemed reasonably cagey about communicating too much, though he did so.

It becomes increasingly apparent that some collusion is provable within the administration, what with Steve Bannon running the Cambridge Analytica program entirely and also being the campaign chairman and strategist... Roger Stone the bag man, excitable Don Jr. broadcasting his hand in emails... they seemed more to expect top-down protection than rely on OPSEC to keep themselves out of spotlights.

"And we would have gotten away with it too, if it weren't for Kislyak and you meddling kids with your foreign intelligence surveillance programs that everyone involved should have known about.."

keiner • March 24, 2018 12:32 PM

@Kilroy

https://opnsense.org/


....and feel free again. REAL firewall rules. DNS of your choice. IDP/IPS. And and and. So much fun to configure your own networks and get FULL control on which device can go where... :-D

Sheesh • March 24, 2018 2:05 PM

"But one Justice Department official familiar with the deliberations contended that it might not be necessary to come up with a foolproof system, arguing that a solution that would work for ordinary, less-savvy criminals was still worth pursuing. ..."

The problem with this strategy has a name and that name is evolution. Because an "ordinary" target is not a fixed target but a moving one. Criminals learn and they learn much faster and are more adaptable than investigators because they have more at stake (their freedom or their lives).

Back in the 1940s at the height of the gangster era the FBI and IRS took down Al Capone and the message was clear: if we can convict the biggest and the baddest we can convict anyone. Now those geniuses at the DOJ want to turn this on its head and say "we'll ignore the biggest and the baddest and fill the jails with small fry and then declare victory and go home." I bet that has everyone shaking in their boots (sarcasm).

echo • March 24, 2018 2:07 PM

Cambridge Analytica may have used the Canadian-based shell company AIQ to evade the law with respect to the Brexit referendum. What puzzles me is how they are getting away with this when principles embedded in tax law rule these types of businesses out.

In the UK certain types of shell companies are unlawful as they are used for tax evasion. Independent contractors are also subject to law which disallows self-employed tax status if they are effectively an employee of a larger contracting organisation. A case hinges around determining the "primary purpose" even if it is disguised behind pretexts and indirect organisational arrangements.

https://www.theguardian.com/uk-news/2018/mar/24/aggregateiq-data-firm-link-raises-leave-group-questions

He then set up AIQ with his business partner, Zack Massingham, to work on SCL and later Cambridge Analytica projects. “Essentially it was set up as a Canadian entity for people who wanted to work on SCL projects who didn’t want to move to London. That’s how AIQ got started: originally to service SCL and Cambridge Analytica projects,” said Wylie.

[...]

Until 2016, AIQ had no clients other than Cambridge Analytica. The lack of a website, Wylie claims, was because at the time of the referendum it was operating almost as “an internal department of Cambridge Analytica. It didn’t have a website and no contact number. The only public contact number was SCL’s website.” However, AIQ says it has had a website since it was founded in 2013.

justinacolmena • March 24, 2018 2:11 PM

Iran. Russia. China. North Korea. Meanwhile Germany continues to bully and boss the rest of the "European Union" around while playing the innocent victim to the hacking game — 5,500 "registered members" of the Chaos Computer Club. And that Mother Merkel just sort of smugly keeps an eye on that German computer man cave to make sure things don't get too far out of hand.

"Brexit." Indeed. It's about time. My own family, years ago, never got along with the railroad or with city hall. And we didn't play that political "Jew" game, either. Nowadays, people get circumcised and stick their nose up at pork and bacon, and all of a sudden they're Jews and everything's kosher. Sorry, it doesn't quite work that way.

Clive Robinson • March 24, 2018 2:23 PM

@ Hmm,

Phishing emails, the $5 wrench that keeps on cracking skulls efficiently even in 2018.

Does it really matter who has been stealing the secrets?

The UK government SigInt agency GCHQ has a list of something like forty nation states that are involved with APT etc.

In other words it's way, way too easy to carry out these kind of attacks. Perhaps people should be asking pertinent questions about the 5h1t awful quality of products from US companies that allows these sorts of things to happen.

In most cities these days you can get insurance against theft from within a property. The insurance companies have a list of requirements about not having wide open avenues of attack like unlocked and open front doors. They make it abundantly clear if you do use poor quality security products / behaviours it is you that they blame for being burgled, thus not only will they not pay up they will either cancel the policy or significantly up the premiums...

Perhaps it is time the same view is taken with software etc. You buy cheap crap and you get robbed, it's your loss, your problem and it's up to you to fix it...

There are at least four major US companies that immediately spring to mind for peddling crap products. As well as several smaller web browser suppliers along with W3C themselves for making truly awful standards to please those same big companies...

As long as they are all in business we will be reading about Western IP going walkies, until even our great-grandchildren have great-grandchildren of their own, with many of those with long white flowing beards etc...

Of course it does not help that the state that gets into more computing devices than any other just happens to be the US itself. Who remembers the embarrassment of the US gov seniors as they wriggled on a hook and tried to take some form of moral high ground by claiming they don't use such information. I really do not know what they were smoking but they were sure inhaling on those days.

I really do not know what the USG hopes to gain by these grandstanding stunts, it won't be long before other nations retaliate and come up with their own sanction agreements with other nations.

Look at it this way: Russia has laws that say it cannot just take legal action against individuals in foreign nations, they can also send out people to pass sentence by execution etc... Sooner or later some nation is going to escalate the situation, then the US will have egg on its face. It's really a matter of when, not if.

Hmm • March 24, 2018 2:55 PM

"Perhaps people should be asking pertinent questions about the 5h1t awful quality of products from US companies that allows these sorts of things to happen."

Are you trying to say only US-based software is affected... by phishing campaigns?

I tend to doubt that.

echo • March 24, 2018 3:25 PM

A spin on "security theatre" - "accountability theatre".

https://harrystottle.wordpress.com/2016/09/04/accountability-theatre/

1 Setting up mechanisms, in order to pacify public demands for accountability, which are supposed to audit sundry claims and reassure the public that proper consideration and due process have been applied. But…

2 The mechanisms lack any provision for realistic forensically verifiable means of validating such claims. So…

3 The public are required to Trust the declarations of the auditor and the auditor is required to trust the limited evidence s/he is permitted access to.

4 Specifically, there is no mechanism for ensuring that the evidence accessed by the auditor is both complete and unedited.

5 In the most egregious examples, the auditor is also a member of or closely allied with the organisation they are supposed to audit.

r • March 24, 2018 5:42 PM

@bttb,

Assumption here, but let's say inverter with battery removed.

Happy sniffles.

65535 • March 25, 2018 12:25 AM

@ Clive Robinson and others

We know most SS7 cell/home phone conversations can be monitored; is it possible to speak in code to the other person? For example, the coded messages of WW2.

“Shortly before the D-Day landings of 6 June 1944, Radio Londres broadcast the first stanza of Paul Verlaine's poem "Chanson d'automne" to let the resistance know that the invasion would begin within 24 hours.
Les sanglots longs
Des violons
De l’automne
Blessent mon cœur
D’une langueur
Monotone.
Blessent mon cœur d'une langueur monotone ("wound my heart with a monotonous languor") was the specific call to action. By late 1944, Allied victory in France sounded the end of Radio Londres." *Wikipedia

https://en.wikipedia.org/wiki/Radio_Londres

What is the structure of such codes and how to adjust them for general civilian use? Do you have links or guides on this subject?

[Next]

Could a “SIGSALY” system be simplified for cell phones and fixed phones?

“SIGSALY used a random noise mask to encrypt voice conversations which had been encoded by a vocoder. The latter was used both to minimize the amount of redundancy (which is high in voice traffic), and also to reduce the amount of information to be encrypted. The voice encoding used the fact that speech varies fairly slowly as the components of the throat move. The system extracts information about the voice signal around 25 times a second.
• ten channels covering the telephone passband (250 Hz – 2,950 Hz)
• another signal indicating whether the sound is voiced or unvoiced;
• if voiced, a signal indicating the pitch; this also varied at 25 Hz."

"Next, each signal was sampled for its amplitude once every 20 milliseconds. For the band amplitude signals, the amplitude converted into one of six amplitude levels, with values from 0 through 5. The amplitude levels were on a nonlinear scale, with the steps between levels wide at high amplitudes and narrower at low amplitudes. This scheme, known as "companding" or "compressing-expanding", exploits the fact that the fidelity of voice signals is more sensitive to low amplitudes than to high amplitudes. The pitch signal, which required greater sensitivity, was encoded by a pair of six-level values (one coarse, and one fine), giving thirty-six levels in all…”-Wikipedia

https://en.wikipedia.org/wiki/SIGSALY#Operation

Could a system akin to this be used with Software-defined radio stack and some coding? Some setup that is not too costly?

I know we have supposedly good text systems like WhatsApp, Telegram, Slack (which focuses on messaging), Blackberry Messenger and many others. These apps tend to stick out, be monitored and possibly backdoored. Some of these apps require banking exchanges to purchase, which blows up your OPSEC.

Does anybody have any ideas how to safely communicate without destroying your OPSEC?

Excuse all the mistakes.
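
The Wikipedia extract above describes the two halves of SIGSALY: a vocoder that reduces speech to a handful of six-level values per 20 ms frame, and a one-time "noise mask" added to those values. The script below is an added example, not the commenter's code and not from any SIGSALY documentation: a deliberately simplified model with ten companded band levels plus a coarse/fine pitch pair per frame, masked by adding a one-time key modulo 6 and unmasked by subtracting it. The frame layout, the companding thresholds, the 50-350 Hz pitch mapping and the sample frames are assumptions for illustration. It also shows the one property a cryptographer cares about here: if the same key masks two frames, the difference of the ciphertexts is the difference of the plaintexts, so the key records must never be reused.

```python
"""Toy SIGSALY-style keying: vocoder parameters quantised to six levels and
masked with a one-time key by addition mod 6.

Added example, not from the thread or from any SIGSALY documentation: a
simplified model of the scheme the Wikipedia extract describes.  The frame
layout (10 band levels, coarse pitch, fine pitch), the companding
thresholds, the 50-350 Hz pitch mapping and the sample frames are
assumptions for illustration.
"""
import secrets

LEVELS = 6
BANDS = 10
VALUES_PER_FRAME = BANDS + 2      # 10 band amplitudes + coarse pitch + fine pitch

# Companding: steps are narrow at low amplitude and wide at high amplitude,
# so quiet speech keeps more resolution.  Amplitudes are normalised to [0, 1].
COMPAND_THRESHOLDS = (0.02, 0.05, 0.12, 0.30, 0.60)     # assumed values


def compand(amplitude):
    """Quantise a normalised amplitude to a level 0..5 on the non-linear scale."""
    return sum(1 for t in COMPAND_THRESHOLDS if amplitude >= t)


def encode_frame(band_amplitudes, pitch_hz):
    """One 20 ms frame: ten band levels, then pitch as a (coarse, fine) pair of sixes.

    Pitch is mapped linearly from 50-350 Hz onto codes 1..35; code 0 means
    "unvoiced" (pitch_hz is None).  36 codes fit exactly in two base-6 digits.
    """
    if len(band_amplitudes) != BANDS:
        raise ValueError(f"expected {BANDS} band amplitudes")
    levels = [compand(a) for a in band_amplitudes]
    if pitch_hz is None:
        code = 0
    else:
        code = 1 + min(34, max(0, int((pitch_hz - 50) * 35 / 300)))
    return levels + [code // LEVELS, code % LEVELS]


def keystream(n_values):
    """One-time key: uniformly random values in 0..5.  SIGSALY pressed thermal
    noise onto records used once; the OS CSPRNG stands in here."""
    return [secrets.randbelow(LEVELS) for _ in range(n_values)]


def mask(frame, key):
    """Encrypt a frame: add the key mod 6, value by value (the "noise mask")."""
    if len(frame) != len(key):
        raise ValueError("key must cover the whole frame")
    return [(s + k) % LEVELS for s, k in zip(frame, key)]


def unmask(cipher, key):
    """Decrypt: subtract the same key mod 6."""
    return [(c - k) % LEVELS for c, k in zip(cipher, key)]


def reuse_leak(cipher1, cipher2):
    """What an eavesdropper gets if one key masks two frames: c1 - c2 == s1 - s2
    (mod 6); the key cancels, which is why key records were never reused."""
    return [(c1 - c2) % LEVELS for c1, c2 in zip(cipher1, cipher2)]


if __name__ == "__main__":
    # constructed frames: a voiced vowel at 200 Hz and an unvoiced fricative
    voiced = encode_frame([0.01, 0.03, 0.07, 0.2, 0.5, 0.9, 0.0, 0.6, 0.12, 0.05], 200)
    unvoiced = encode_frame([0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.95, 0.97, 0.99], None)
    key = keystream(VALUES_PER_FRAME)
    c1, c2 = mask(voiced, key), mask(unvoiced, key)
    print("plain    ", voiced)
    print("cipher   ", c1)
    print("recovered", unmask(c1, key) == voiced)
    print("key reuse leaks s1-s2:", reuse_leak(c1, c2))
```

The point for the question asked: the confidentiality of the scheme lives entirely in the key supply (a fresh, truly random value per parameter per frame, at both ends, never reused), and that is the part that does not simplify for a phone; the vocoder and the modular masking are the easy bits.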

JG4 • March 25, 2018 7:20 AM


I probably said already and a couple of times that I'm back from the dead. The craziest part is that when I get enough potassium and magnesium, I'm not crazy, hypertensive, bitter, or diabetic. I still believe that low-carb would benefit the 75% of Americans already affected by insulin resistance. At least some of that insulin resistance comes from eating a diet deficient in minerals. More of it comes from 6 hours of TV a day. Sugar, omega-6 oils and hydrogenated oils don't help.

I think that I'm on the record that the NRA are lying when they say that the only thing that can stop a bad guy with a gun is a good guy with a gun. Not that that isn't one of the things that can, but it is far from the only thing that can. And it certainly isn't the safest or best. In the robotic present, it would be easy to build water jets into a building to defeat intruders. I've pointed out before that you can buy a radar system from Amazon for $7.99. It's a short step from there to a hidden radar-based metal detection system that scans everyone who enters the building. When I posted the link to NakedCapitalism recently, I probably didn't spell out the concept of putting tasers on drone swarms. Those dots connected as a result of the entertainment provided by the bucket-of-rocks defense system recently put in place (newsclip below - and thanks to whoever posted the equivalent some days ago).

Perhaps they should keep the buckets of rocks locked up lest the students practice some prickly desert justice. At least the classic version required a consensus and a quorum. If you haven't seen the prickly desert justice in Lawrence of Arabia, I endorse the film as a fascinating glimpse of history.

In another time, and another desert, using a different energy-projection medium, it was called frontier justice. The difference was that the new power was more nearly individual, not that it also wasn't dispensed liberally by crowds.

David taught the giant a lesson in threat modeling, in a place where it should have been obvious that 10,000 hours of practice with a technology capable of delivering 200 miles per hour into a 15-cm probability circle at 30 meters was more effective than any sword or spear. And not much less effective than a Peacemaker. Note that the major league pitchers can deliver 100 miles per hour into a smaller probability circle. All that the leather strap does is improve the lever arm. It's the 10,000 hours of practice and over a million swings that works neuromuscular magic.

One of the many correct answers to protecting schools from crazed gunpersons is swarms of taser drones. Of course, that assumes a few facts not in evidence, like robust operating systems. There will be spectacular accidents on the path to best practices.

https://www.extremetech.com/extreme/265216-think-one-military-drone-bad-drone-swarms-terrifyingly-difficult-stop

Apparently, Cain and Abel lived in Spain 430,000 years ago.

Prehistoric skull with puncture wounds could be world's first murder mystery
Pieced together from 52 fragments found in cave in northern Spain,
430,000-year-old skull seems to show victim was bludgeoned to death
https://www.theguardian.com/science/2015/may/27/prehistoric-skull-puncture-wounds-murder-spain-neanderthal

Better than nothing.

Superintendent Says Students Are Armed with Rocks In Case of a School Shooting
http://wnep.com/2018/03/22/superintendent-says-students-are-armed-with-rocks-in-case-of-a-school-shooting/

CallMeLateForSupperMarch 25, 2018 9:34 AM

@65535
"is it possible to speak in code to the other person? For example Coded messages of WW2."

Yes. Codes. There's your solution. And one-time codes are more secure than ones that don't change.

That said, if you further stipulate that the obfuscation used - in this case, codes - should not bring you up on the adversary's radar, then you will have to noodle very hard on the particular codes you use. For example, imagine that you are the black hat and you spot the following in a communication: "Kiss the sky. Think peppermint." Cue the klaxons; this guy is talking in codes.

[next]
"Could a “SIGSALY” system be simplified for cell phone and fix phones?"

Maybe but my knee-jerk is I doubt it. More to the point, why even attempt it? Remember @Clive's frequent reminder (it deserves a Rule#) about "security endpoints". (Take over here, Clive.)

Don AlejandroMarch 25, 2018 11:36 AM

Facebook Sued, hopefully up the Kazoo

"Cook County, Illinois, has joined the parade of lawsuits filed against Facebook in the wake of the ongoing Cambridge Analytica scandal....(it) lays out similar allegations to the six other cases currently pending in federal court. Cook County argues that Facebook, Cambridge Analytica, and the SCL Group, its corporate parent, violated users' privacy en masse when they violated Illinois laws against fraud."

https://arstechnica.com/tech-policy/2018/03/cook-county-illinois-sues-facebook-and-cambridge-analytica-over-data-breach/

Good news indeed. Clearly, the FEDERAL government has become dysfunctional, isolated and non-representative thus leaving it up to state and local governments to take on the mass surveillance beast.

The lawsuit in Illinois is good because it was done, but also because it becomes a prototype for other government units to take on secret mass surveillance of the entire world. We've all wondered how it could be legal. I'm thinking we may get some court decisions declaring that it is not.

Clive RobinsonMarch 25, 2018 11:36 AM

@ 65535,

We know most SS7 cell/home phone conversation can be monitored, is it possible to speak in code to the other person?

Yes easily so if you put in the practice, but you'd be better off talking to voice mail.

To understand how to go about it you first have to know what the difference is between a code and a cipher and why One Time Pad systems have problems, yet are in theory an unbreakable cipher.

A code is in effect a combination of a compression system and a limited simple substitution cipher. To make one you analyze your ordinary plain text for frequently used words, part sentences and full sentences. You order these alphabetically and randomly assign each one a four character string. Thus to send a message you look up the word, sentence or part sentence and write down its four character string instead. You then take the code and armour it in some way such as super encipherment and send it to the recipient. On receiving a communication the recipient strips off the armour to get the code. They then look up the code in the book to get the word, part sentence or sentence it has substituted for. You then write this down to recover the message. To make the process more efficient the "code book" is divided into two. The first half is sorted by the words, part sentences and sentences to be coded followed by the four character string. The second half is sorted by the four character substitution code followed by the plaintext that will replace it on decoding.

The problem with code books is in part trying to have the correct words, part sentences and sentences in them well in advance of needing them such that they can be securely issued. This is problematic in the first place, and then using the code book is prone to the whims of the coder who is almost always in a rush.

With computers there are ways to automate the generation of codes as the message is sent and received[1] using "Huffwords", as for efficiency the codes are based on Huffman coding. They can be built in a number of ways using a blank or pre-agreed dictionary that remains static or is dynamically upgraded. Such "Dictionary Codes" are found in many compression programs like ZIP. The two most frequently quoted are LZ77 and LZ78.

The problem with traditional codes is that, being simple substitution ciphers, they are fairly easily cracked by cryptanalysts as they are "re-used" frequently.

The secure way to implement a code is as a One Time Phrase. This has the theoretical security of the One Time Pad but has significant disadvantages. During WWII One Time phrases were used for securely sending messages to the SOE units as "Message to our friends" by the BBC Overseas Service.

However secure they are, they are inflexible in use, but if the code is in fact another commonplace sentence they can be hidden inside an ordinary phone call etc. in what is in effect a form of steganography. However, unless well practiced it is best not to use such codes in a conversation as they can give themselves away due to "hesitation and deviation" from what would be a natural phone call etc. Thus they are best used in a one way system such as "Voice Mail", where you have time to compose things to sound normal.

A cipher on the other hand can not be easily hidden in plain sight because one of its major aims is to turn understandable plaintext into random ciphertext via an algorithm and secret key. They generally work on fixed size blocks and ignore any structure in the plaintext. Their security rests on the cipher algorithm and secret key.

Could a “SIGSALY” system be simplified for cell phone and fix phones?

The simple answer is it won't work where the channel is coded in some way, as nearly all digital comms systems are to reduce bandwidth. They generally use a variation of CELP which will not reproduce audio with any kind of fidelity. If you look at the 16Kbit ITU version it indicates it can carry the old 2400bit modem signals with extended correction. Like all lossy companders the trick is to make an approximation to the audio, nothing more.

Do you remember the kickstarter funded "Jack Pair" from back in summer 2014? I indicated it was unlikely to work back then due to problems with trying to send a signal accurately down a GSM or other coded channel (what you put in is definitely not what you get back)...

As far as I'm aware they never really got it working for the reason I suspected, and thus did not put it into production...


[1] https://en.m.wikipedia.org/wiki/Dictionary_coder

[2] Basic info on CELP,
https://en.m.wikipedia.org/wiki/Code-excited_linear_prediction
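The two-part code book described above, as an added worked example (my code, not Clive's or anyone else's on this thread): frequent words and short phrases are collected from past traffic, each is assigned a random four-letter group, and the book is kept in two halves, one sorted by plaintext for encoding and one sorted by group for decoding. The sample traffic, the three-word phrase limit and the `<spell>` marker used to send a word the book never anticipated are constructions of mine; real books solved the missing-word problem in their own ways. The last function counts how often each group recurs across many messages, which is the re-use that makes a simple substitution code tractable for a cryptanalyst.

```python
"""Two-part code book with random four-letter groups (added example)."""
import random
import re
import string
from collections import Counter

# Constructed sample traffic; a real book is built from a large body of past messages.
CORPUS = [
    "meet at the harbour",
    "meet at the station",
    "report position at noon",
    "report position at noon",
    "supplies arrive on tuesday",
    "weather is clear",
]
MAX_WORDS = 3          # longest phrase stored in the book
GROUP_LEN = 4          # every code group is four letters
SPELL = "<spell>"      # reserved entry that brackets a word spelled letter by letter


def tokens(text):
    """Lower-case words only; punctuation is not carried by the code."""
    return re.findall(r"[a-z]+", text.lower())


def phrase_counts(messages, max_words=MAX_WORDS):
    """Count every word and every run of up to max_words consecutive words."""
    counts = Counter()
    for msg in messages:
        words = tokens(msg)
        for n in range(1, max_words + 1):
            for i in range(len(words) - n + 1):
                counts[" ".join(words[i:i + n])] += 1
    return counts


def build_code_book(messages, rng=None):
    """Return (encode_half, decode_half).

    The encode half is keyed by plaintext and sorted alphabetically; the decode
    half is keyed by code group and sorted by group. Single letters and the
    spelling marker are added so that words missing from the book can be sent.
    """
    rng = rng or random.SystemRandom()
    plaintexts = sorted(set(phrase_counts(messages)) | set(string.ascii_lowercase) | {SPELL})
    groups = set()
    while len(groups) < len(plaintexts):           # unique groups only
        groups.add("".join(rng.choice(string.ascii_uppercase) for _ in range(GROUP_LEN)))
    groups = list(groups)
    rng.shuffle(groups)                             # random assignment, not alphabetical
    encode_half = dict(zip(plaintexts, groups))
    decode_half = dict(sorted((g, p) for p, g in encode_half.items()))
    return encode_half, decode_half


def encode(message, encode_half):
    """Greedy longest-phrase-first substitution; unknown words are spelled out."""
    words = tokens(message)
    out, i = [], 0
    while i < len(words):
        for n in range(min(MAX_WORDS, len(words) - i), 0, -1):
            phrase = " ".join(words[i:i + n])
            if phrase in encode_half:
                out.append(encode_half[phrase])
                i += n
                break
        else:                                       # no entry: spell the word
            out.append(encode_half[SPELL])
            out.extend(encode_half[ch] for ch in words[i])
            out.append(encode_half[SPELL])
            i += 1
    return out


def decode(groups, decode_half):
    """Look each group up in the decode half; letters between markers form a word."""
    words, spelling, letters = [], False, []
    for g in groups:
        plain = decode_half[g]
        if plain == SPELL:
            if spelling:
                words.append("".join(letters))
                letters = []
            spelling = not spelling
        elif spelling:
            letters.append(plain)
        else:
            words.append(plain)
    return " ".join(words)


def group_frequencies(traffic):
    """How often each group recurs across many messages: the re-use an analyst exploits."""
    return Counter(g for msg in traffic for g in msg)


if __name__ == "__main__":
    enc, dec = build_code_book(CORPUS)
    traffic = [encode(m, enc) for m in CORPUS]
    print(traffic[0], "->", decode(traffic[0], dec))
    print(group_frequencies(traffic).most_common(3))
```

Because every message containing "meet at the" or "report position at" produces the same group in the same position, the frequency table alone begins to separate phrases from one another, and a few known plaintexts fix the mapping. That is the weakness Clive refers to, and the reason the book has to be armoured with a separate cipher, or replaced by a one-time phrase, before the channel can be trusted.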

bttbMarch 25, 2018 12:14 PM

@r

"Assumption here, but let's say inverter w battery removed.

Happy sniffles."

Thanks for your input.

Wonderful. If I understand you correctly, I might 1) carry around a 12 volt car battery in a 2) figure it out sized backpack that contains a 12 vdc to ac converter that 3) attaches to my laptop charger that 4) has a wire emitting from the backpack to attach to my laptop.

Perhaps I will need a bicycle or a wheel device (like for baggage) like I used to use with 'luggables'.

This configuration might also work with late model devices with hard to remove batteries, w/ or w/o batteries.

Also, it looks like I may need to carry a car battery charger with me, too, or, perhaps, a spare motorcycle battery. Wonderful.

echoMarch 25, 2018 12:16 PM

Is the drive to power, status, and wealth a noxious triad?

Here are links on violence and abuse at a UK military college, sexual harassment at work and across different cultures, the uptick of smoking cigarettes in entertainment (Ridley Scott's Alien: Covenant was the most blatant and Netflix is the worst offender on the small screen), and that psychopaths may have empathic understanding while in pursuit of a goal so they can better understand how to manipulate their victims.

https://www.theguardian.com/uk-news/2018/mar/23/teenage-army-recruits-make-50-allegations-of-ill-treatment-at-college
Staff at the army’s foundation college were accused of 50 cases of assaulting or mistreating teenage recruits between 2014 and 2017, the Guardian can reveal. Allegations made by 16 and 17-year-old soldiers or their parents and guardians about staff at the Army Foundation College (AFC) in Harrogate, north Yorkshire, included assault, battery and ill-treatment. The revelations follow the collapse of court proceedings earlier this week against 16 AFC Harrogate instructors who had been accused of abusing recruits.

https://www.theguardian.com/commentisfree/2018/mar/25/billie-jd-porter-vice-dark-side-sexual-harassment
“We need a shift in culture so that every single instance of sexual harassment is investigated and dealt with.” What’s more, across the board it seems that the processes in these investigations desperately need to change. Apart from anything else, a key consideration should be just how awful it can be to force yourself to recognise a situation in which you have been wronged. Meanwhile, we should no longer be surprised – if we ever were – that supposedly cool, edgy publications that publish feminist content might foster a heinous undergrowth of sexual harassment.

and

http://www.spiegel.de/international/tomorrow/almost-every-egyptian-woman-is-subjected-to-sexual-harassment-a-1198328.html
"As an Egyptian woman, you spend your entire life dealing with sexual violence," says the 24-year-old. "My mother is in her mid-fifties and she still gets harassed." According to a 2013 study by the United Nations, more than 99 percent of all Egyptian women have been the victim of harassment -- which is to say, basically all of them.

https://www.theguardian.com/tv-and-radio/2018/mar/20/netflix-criticised-for-too-many-smoking-scenes
Netflix has been singled out for criticism by an anti-smoking organisation, which released research that claims the streaming giant’s original programmes have more than twice as many scenes featuring smoking as its rivals.

https://www.sciencealert.com/study-shows-psychopaths-empathise-when-they-desire-advantages
Researchers at Yale University may have come up with an answer in a new study, published in the journal Proceedings of the National Academy of Sciences. Psychopaths have typically been thought of as lacking in social awareness, but the results of the new study suggest they may simply not automatically empathise with those around them. If given good enough reason, they are likely to pick up on social cues as well as anyone else.

Bauke Jan DoumaMarch 25, 2018 1:24 PM


"The schools swim 400 meters or less below the surface, while the squid prefer to hang out around a mile deep."

Using metric and imperials units in one statement always makes me chuckle. But not without a bit of embarrassment.

HmmMarch 25, 2018 1:47 PM

The thing with FB scraping all calls/texts on all Android platforms..

You have to expect they're not the only major app doing that.

Something as mainstream as FB has been doing it for YEARS NOW without getting caught?

Take a good long look at your app access permissions. Who do you trust and how do you justify it?

EagleMarch 25, 2018 1:54 PM

https://www.washingtonpost.com/news/powerpost/wp/2018/03/25/mnuchin-pitches-line-item-veto-congress-could-pass-a-rule/

“I think they should give the president a line-item veto,” said Mnuchin.

“That’s been ruled unconstitutional by the Supreme Court,” Wallace said.

“Well, again, Congress could pass a rule, okay, that allows them to do it,” Mnuchin said.

“It would be a constitutional amendment,” Wallace said.

“Chris, we don’t need to get into a debate,”

Does Mnuchin not understand this isn't a debatable item? It's been ruled unconstitutional.
He wants it anyway without a debate. Mindless.

Clive RobinsonMarch 25, 2018 2:23 PM

@ Bauke Jan Douma,

Using metric and imperials units in one statement always makes me chuckle. But not without a bit of embarrassment.

So the fish are around a quarter the depth of the squid (a mile is approx 1609m).

Then of course as it's maritime they could have used nautical miles (NM/nmi was one minute of latitude, 1/(60x360) of the earth's circumference or approx 1013 fathoms, but was standardized at 1852m).

Oh, it's "British Imperial" for reasons that really are more archaic than you would think. Because the "Imperial" not "Empire" takes it back to the size of a Roman Legionary's pace... Oh and that "British Pound" you keep hearing some Brexitering twit wittering on about is actually from LSD, the Latin words librae, solidi, denarii, which came about from the remains of the Roman Empire and was the first European trading currency (which every Victorian School Boy would have known).

JFMarch 25, 2018 3:16 PM

There is much in the news and in commentary here regarding M Zuckerberg and FaceBook, and their culpability in the Cambridge Analytica affair, of which I feel sure there is much more we will learn.

I am wondering whether YouTube was not similarly manipulated? They have algorithms to decide which video(s) and ads to feed to the viewer next. Can that algorithm be hacked, or user data scraped? Does YouTube sell or otherwise distribute user data?

Bauke Jan DoumaMarch 25, 2018 4:25 PM

@Clive

Or, maybe the fish just make their measurements in metric units, while the squid make theirs in imperials. The fish prob. regard the level of their schooling topmost ...

Anyway, it's the end of the weekend, let's have a pint... ;-)

65535March 25, 2018 4:30 PM

@ easy

“Learn Navajo, then teach all your friends.”

Hum. Is that like learning Mandarin Chinese and teaching it to all of my friends? I don’t know if it would work.

@ CallMeLateForSupper

“Yes. Codes. There's your solution. And one-time codes are more secure than ones that don't change. That said, if you further stipulate that the obfuscation used - in this case, codes - should not bring you up on the adversary's radar, then you will have to noodle very hard on the particular codes you use. For example, imagine that you are the black hat and you spot the following in a communication: "Kiss the sky. Think peppermint." Cue the klaxons; this guy is talking in codes.”

That sounds good. By chance a friend of mine was watching some old WW2 movie and the speaker and listener were radio communicating in the clear. The code appeared to be akin to "Kiss the sky. Think peppermint" but repeated several times at 5 second intervals. The listener would then repeat the word sequence a different number of times and the difference in number of repeats means Go or No Go as I understood it.

Your idea has merit. Thanks.

@ Clive Robinson

‘Yes easily so if you put in the practice, but you'd be better off talking to voice mail.’

That sounds like a good idea. I like the voice mail part.

I read your post several times along with your links and the Dictionary coder was very interesting. The LZ77 to LZW is neat. I would guess the 7zip program uses parts of that framework or the Lempel–Ziv lossless data compression algorithm. That is a lot of data to digest but very useful. I am thinking that the LZ77 to LZW could be adjusted slightly so only people who have the correct encoder and decoder could read the message. I did the sliding window code example.

“…you analyze your ordinary plain text for frequently used words, part sentences and full sentences. You order these alphabetically and randomly assign each one a four character string. Thus to send a message you look up the word, sentence or part sentence and write down its four character string instead. You then take the code and armour it in some way such as super encipherment and send it to the recipient. On receiving a communication the recipient strips off the armour to get the code. They then look up the code in the book to get the word, part sentence or sentence it has substituted for. You then write this down to recover the message. To make the process more efficient the "code book" is divided into two. The first half is sorted by the words, part sentences and sentences to be coded followed by the four character string. The second half is sorted by the four character substitution code followed by the plaintext that will replace it on decoding.”

Neat, that is a good idea. I will have to test it out.

“The problem with code books is in part trying to have the correct words, part sentances and sentances in them well in advance pf nredong [proof reading-?] them such that they can be securely issued.”

I see. I guess the best way is just the KISS method [Keep it simple stupid]. These can be proofed by modern desktops and then encrypted and hand delivered. I did remember that legally compression algorithms can be forced out of you in the USA. But, experimenting with well used ones is probably not.

[next to SIGSALY]

“The simple answer is it won't work where the channel is coded in some way as nearly all digital comms systems are to reduce bandwidth. They generally use a variation of CELP which will not reproduce audio with any kind of fidelity…If you look at the 16Kbit ITU version it indicates it can carry the old 2400bit modem signals with extended correction. Like all lossy companders the trick is to make an approximation to the audio, nothing more.”

I see what you mean; that is why I suggested Software Defined Radio in, say, the ham operator band. But, looking deeper, it is a matter of breaking them into small pieces.

"See also
•MPEG-4 Part 3 (CELP as an MPEG-4 Audio Object Type)
•G.728 – Coding of speech at 16 kbit/s using low-delay code excited linear prediction
•G.718 – uses CELP for the lower two layers for the band (50–6400 Hz) in a two-stage coding structure
•G.729.1 – uses CELP coding for the lower band (50–4000 Hz) in a three-stage coding structure
•Comparison of audio coding formats
•CELT is a related audio codec that borrows some ideas from CELP."-wikipedia

https://en.m.wikipedia.org/wiki/Code-excited_linear_prediction

[and]

"G.728 is an ITU-T standard for speech coding operating at 16 kbit/s. It is officially described as Coding of speech at 16 kbit/s using low-delay code excited linear prediction."

“Technology used is LD-CELP, low-delay code excited linear prediction. Delay of the codec is only 5 samples (0.625 ms). The linear prediction is calculated backwards with a 50th order linear predictive coding filter. The excitation is generated with gain scaled VQ. The standard was finished in 1992 in the form of algorithm exact floating point code. In 1994 a bit exact fixed point codec was released. G.728 passes low bit rate modem signals up to 2400 bit/s. Also network signaling goes through. The complexity of the codec is 30 MIPS. 2 kilobytes of RAM is needed for codebooks. Mean opinion score for G.728 is 3.61…RealAudio 28.8 is a reduced-bitrate variant of this standard, using 15.2 kbit/s…”-Wikipedia

The above would not be great but may do in a pinch. There is a coding comparison chart. Possibly one of the free and open source ones could be adjusted to make it obscure and transportable.

https://en.m.wikipedia.org/wiki/Comparison_of_audio_coding_formats

All of this is quite interesting. The main problem would be to make it useable – which may not be an easy job.

Thanks Clive R.

Excuse the mistakes.

bttbMarch 25, 2018 5:25 PM

Regarding Time Magazine or Time.Com, do you trust the Koch Brothers to maintain editorial independence?

afaik the Koch Brothers may have something to do with the massive confusion around global warming in the United States of Amnesia ("'USA'")

"I360
Follow the money in the Koch wiki.
i360 is a data analytics company that maintains "a database of over 250 million 18+ adults, including the 190 million who are registered to vote" sourced from "multiple consumer data compilers."[1] It was dubbed the "Koch's data mine" by Politico.[2] The for-profit company was founded by Michael Palmer, former chief technology officer of John McCain's 2008 Presidential campaign. Following the 2008 election, it was merged with the Koch-funded nonprofit Themis, a right-wing voter database project.[2] The Koch's Freedom Partners is a major investor in i360, according to Politico.[2]

Many observers think the project has already eclipsed the voter lists maintained by the Republican National Committee, posing a risk for some candidates and to the party's influence.
Koch Wiki

The Koch brothers -- David and Charles -- are the right-wing billionaire co-owners of Koch Industries. As two of the richest people in the world, they are key funders of the right-wing infrastructure, including the American Legislative Exchange Council (ALEC) and the State Policy Network (SPN). In SourceWatch, key articles on the Kochs include: Koch Brothers, Koch Industries, Americans for Prosperity, American Encore, and Freedom Partners."
https://www.sourcewatch.org/index.php/I360
&
"U.S. media company Meredith said on Sunday it will buy Time Inc, the publisher of People, Sports Illustrated and Fortune magazines, in a $1.84 billion all-cash deal backed by conservative billionaire brothers Charles and David Koch.

The deal is a coup for Meredith, which held unsuccessful talks to buy Time earlier this year and in 2013."
http://fortune.com/2017/11/27/meredith-is-buying-time-inc-for-1-8-billion/

Wow. It looks like Fortune Magazine and Fortune.Com were also purchased by the Kochs.

bttbMarch 25, 2018 5:41 PM

Stormy Daniels, afaik, tonite on 60 Minutes, 7 pm et
http://www.cbsnews.com/60-minutes/
https://www.emptywheel.net/2018/03/25/stormy-weather-ahead/
Also search for "SLAPP Stormy Daniels and emptywheel.net"


"A strategic lawsuit against public participation (SLAPP) is a lawsuit that is intended to censor, intimidate, and silence critics by burdening them with the cost of a legal defense until they abandon their criticism or opposition.[1] Such lawsuits have been made illegal in many jurisdictions on the grounds that they impede freedom of speech.

The typical SLAPP plaintiff does not normally expect to win the lawsuit. The plaintiff's goals are accomplished if the defendant succumbs to fear, intimidation, mounting legal costs, or simple exhaustion and abandons the criticism. In some cases, repeated frivolous litigation against a defendant may raise the cost of directors and officers liability insurance for that party, interfering with an organization's ability to operate.[2] A SLAPP may also intimidate others from participating in the debate. A SLAPP is often preceded by a legal threat. ..."

from SLAPP at Wikipedia

JG4March 25, 2018 6:47 PM


@bttb - The same playbook has been used by big tobacco, big sugar, big chemical, big oil and big coal. It is a derivative of Bernays' work. I can't recall what I've had to say on this topic before.

In court, oil companies accept climate science but rewrite its history
https://arstechnica.com/science/2018/03/in-court-oil-companies-accept-climate-science-but-rewrite-its-history/

An Australian climate scientist tipped me off to watch the movie version a few years ago. Sadly, I still haven't. My standard Amazon disclaimer applies.

Merchants of Doubt: How a Handful of Scientists Obscured the Truth $5.84
on Issues from Tobacco Smoke to Global Warming Paperback – May 24, 2011
by Naomi Oreskes (Author), Erik M. Conway (Author)
4.5 out of 5 stars | 353 customer reviews
https://www.amazon.com/Merchants-Doubt-Handful-Scientists-Obscured/dp/1608193942/

Merchants of Doubt (2014) - IMDb
Directed by Robert Kenner. With Frederick Singer, Naomi Oreskes, Jamy Ian Swiss, Sam Roe. A documentary that looks at pundits-for-hire who present themselves as ...
https://www.imdb.com/title/tt3675568/

Merchants Of Doubt (2015) - Rotten Tomatoes
Inspired by the acclaimed book by Naomi Oreskes and Erik Conway, Merchants of Doubt takes audiences on a satirically comedic, yet illuminating ride into the heart of ...
https://www.rottentomatoes.com/m/merchants_of_doubt


It’s for Real FolksMarch 25, 2018 10:20 PM

As a post claimed last week, anonymous/privacy-maintaining web sites' IP addresses are indeed being blocked from Schneier on Security. Now add a massive number of VPN servers. If you READ only then there is no blocking of this site. But post using a made-up email address, and the entire VPN in a major city/country is then blacklisted. Usually at first for a month, then permanently. Like Facebook or Google verified identities, or three strikes and you are out, buddy. Another secret Great Firewall?
I suspect either an Internet backbone/DNS filtering issue or at this site.

Please let's not plead ignorance as this issue is real and those responsible are expending considerable effort to censor. In other words these posters' comments were effective and rattled the powers that be. Even the NYT rescinded an accurate article last week because it offended a Facebook executive. Responsible free speech is dead in big-data America.

RachelMarch 25, 2018 10:33 PM

this is OT, just a one off thanks.

Wesley Parish

just found your message. I would love to help. As we will all agree, being of service is always a true delight
You actually asked for two tasks. It's a very worthy objective. I don't really have the time for the second. I may be able to co-opt someone into helping. More importantly I am not certain I am competent to translate your story into French whilst retaining the mood, flavour, tone, colour, et cetera. French and English don't get along very well. You've made some very specific decisions in your writing that deserve to be honoured. Again, it's possible I can get some help. Answer: I promise to try. I can't promise a desirable outcome.

Apt comment about the comms diode that is Anglo:Francosphere. Good observation.
You'd like to know what the natives of France think about the Welcome To The Terrordome?
It's a difficult question to answer. The country hosts such a diversity of opinion. You would be aware of the number of events that have taken place in the country recently which influences thinking on security. You probably know Macron has also changed laws in response.
All airports and major train stations and city centres have military trained security forces patrolling, for quite some time now. We don't comment much about it but I understand people are happy they are there.
I have wondered, if something happens, are they allowed to open fire with their automatic weapons amongst civilians? Or are they taught to use diplomacy first? Many seem to be straight out of school.
Some have raised questions about the event in Paris. They say a lot of things don't add up. Ever seen how effective a local council is at organising something quickly? (not very) Well, what about governments all around the world managing to have the flag of France lit up over the public monuments all at the same time, immediately after an incident? Think about how many trucks of red tape that would involve. Not even Archangel Michael could make that happen.

http://freedom-articles.toolsforfreedom.com/false-flag-formula-15-ways-to-detect/

http://freedom-articles.toolsforfreedom.com/paris-shooting-10-signs-false-flag/

I later regretted prying about your biography but my motive was - I had a lover who went to your College! He reported it was the school you went to if you wanted to study Arts but preferred to do 'all the naughty things' instead of actually studying.

JG4March 26, 2018 7:39 AM


@Hmmm - The beginning of wisdom is to call things by their right name. I prefer the terms propaganda and brainwashing, but they call it manufacturing consent. Heads they win, tails you lose. The system will need a lot more transparency if you want to keep foreign influences out of the picture. Aaron Swartz was working on transparency, but they killed him. Bernays is a key step in the progression of manufacturing consent.

https://www.nakedcapitalism.com/2018/03/links-3-26-18.html
...
Big Brother IS Watching You Watch

As countries across the world forge ahead with digital ID projects, where does privacy fit in? Scroll.in Part 2 of a 4 part series.

Aadhaar Analytica: Why both data protection scandals should deeply disturb everyone Scroll.in

Sticking to your diet? This tooth-mounted food sensor could transmit the truth Ars Technica. Creepy! Who would seriously want to do this?
...

Gerard van VoorenMarch 26, 2018 7:42 AM

@ 65535,

The problem that you have is time.

What you can and should do is watch the following documentary: The Vula Connection

There is everything explained.

Now, why is time an issue? That's because it isn't full duplex, but it does work. The modularization / demodularization can be done with ordinary hardware, the only thing that you need is a couple of memory disks and tape recorders.

HmmMarch 26, 2018 10:40 AM

@JG4

I tend to agree, it's not so much that foreign powers are exerting influence in the election, (which is of course a 1:1 external security concern for the government and civilian political base to both contend with in their way,) but it's the fact that they're able to do so in secret while pretending to be a US-born legitimate political party and with the cooperation of that party to keep the secret... that is undermining our government's succession process and its laws to benefit a foreign power and in this case major adversary. It's treason without the war declared. It's turning the Manchurian candidate into the sanctioned Manchurian party.

If the intelligence services hadn't frankly gotten lucky this might not have been exposed at all.

Isaac Kudryashov • March 26, 2018 2:05 PM

The NSA Worked to "Track Down" Bitcoin Users, Snowden Documents Reveal

Internet paranoiacs drawn to Bitcoin have long indulged fantasies of American spies subverting the booming, controversial digital currency. Increasingly popular among get-rich-quick speculators, Bitcoin started out as a high-minded project to make financial transactions public and mathematically verifiable - while also offering discretion. Governments, with a vested interest in controlling how money moves, would, some of Bitcoin's fierce advocates believed, naturally try and thwart the coming techno-libertarian financial order.

It turns out the conspiracy theorists were onto something.

Archived: https://archive.fo/z5zzo

Sancho_P • March 26, 2018 3:04 PM

@It’s for Real Folks, re blocking / blacklisting from Schneier on Security

”Now add a massive number of VPN servers. If you READ only then there is no blocking of this site. But posts using a made-up email address, then the entire VPN in a major city/country is then blacklisted.”

I haven’t experienced blacklisting myself. It may depend on your made-up email address, often sites check if the given address accepts messages to that account. Probably @Moderator could comment?

To avoid such issues, try a genuine address, check with: https://www.mailinator.com

65535 • March 26, 2018 6:20 PM

@ Gerard van Vooren

Thanks for the link.

First let me correct some mistakes in my last post. I have a limb injury with broken wood causing all sorts of problems and I have to use an on-screen keypad which is not error free.

To CallMeLateForSupper

“Codes. There's your solution…if you further stipulate that the obfuscation used - in the case, codes - should not bring you up on the adversary's radar, then you will have to noodle very hard…” -CMLFS

Yes, and any ideas would be welcome.

To Clive R.

This sentence should read: “I did see the script sliding window code example” in the Wikipedia page on Lempel–Ziv compression. See my above post for links.

“[SIGSALY]The simple answer is it won't work where the channel is coded in some way as nearly all Digital Comms system are to reduce bandwidth…”-Clive R

That is why I would use SDR in the HAM band or CB band for short range communications. I suppose a modified G.728 compression coder and decoder could be used in a pinch.

Previous post.
https://www.schneier.com/blog/archives/2018/03/friday_squid_bl_617.html#c6772879

SDR with all of its bells and whistles. This could be used for more secure communications with some work.
https://en.wikipedia.org/wiki/Software-defined_radio

To Gerard van Vooren

I remember prior discussions on that subject. I checked your links and they are good. Here is the direct YouTube link to the Vula connection.

https://www.youtube.com/watch?v=29vrvKsKXPI

Yes, time is a factor. The answering machine, One Time Pad and so on all contribute to the time problem.

I am not sure if as strong an encryption method as Vula's is necessary for my purposes – but better safe than sorry.

As Clive R. has stated, there are a number of code books and methods out there. I think the problem is that making them efficient and usable is the key factor. The NSA/CIA/FBI/local police have voice codes of varying strength and versatility. I am now looking into those. I will work backward from the simple to the complex and see if there is a sweet spot. Again, usability is the main factor.

Thanks for your input.

Excuse all of the mistakes. I am recuperating.

gordo • March 26, 2018 8:48 PM

Common Cause Press Release and source documents:

DOJ & FEC Complaints Filed Against Cambridge Analytica for Violating Prohibition on Election-Related Activities by Foreign Nationals in Work for Trump, Others
Posted on March 26, 2018

In addition to alleging violations of campaign finance law, the complaint filed with the DOJ notes that certain U.S. nationals operating and/or working for Cambridge Analytica and its political committee clients, including the Trump campaign and the John Bolton Super PAC, may have aided and abetted foreign national offenses against the U.S., conspired to commit offenses against the U.S., and/or attempted to conspire to commit offenses against the U.S. in violation of the U.S. criminal code.

http://www.commoncause.org/press/press-releases/doj-and-fec-complaints-filed-against-cambridge-analytica-for-violating-prohibition-on-election-related-activities-by-foreign-nationals-in-work-for-trump-others.html

There was no mention of Russians in either of the complaints; just Brits, Canadians, JOHN DOE(S), unknown foreign nationals [including Canadians, Brits and other Europeans], and certain U.S. nationals.

Related press coverage:
https://www.theguardian.com/uk-news/2018/mar/26/cambridge-analytica-trump-campaign-us-election-laws

Hmm • March 26, 2018 11:54 PM

"There was no mention of Russians in either of the complaints"

Russia doesn't have any extradition possibilities. This is targeted at what it caught.

Thoth • March 27, 2018 4:46 AM

@Clive Robinson

The "Speed vs. Security" paradigm is simply a gift that keeps giving.

BranchScope is a new predictive branch side channel attack on chips similar to variants of Spectre.

All modern commercial grade high speed processor chips should be considered unsuitable for security purposes. Who knows what other types of hardware level attacks would be dug up after this.

Link: http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf

JG4 • March 27, 2018 6:56 AM


@Hmm - I think that you're overlooking some serious foreign money flow to the other party. I avoid partisan political discussions and generally believe that the two parties are two sides of the same coin. Maybe their corrupt practices are slightly different, but they are no less corrupt and no less corrupting.

There is an interesting free speech issue lurking in there. You can't block communications from foreign nationals, even if you block the flow of work and the flow of money. With the changing nature of work, and code being protected speech, it can't be directly blocked.

With the right safeguards, this would be a good idea. We are light-years from the right safeguards.

https://www.nakedcapitalism.com/2018/03/links-3-27-18.html
...
Big Brother is Watching You Watch

Great, Now an Airline Is Normalizing Casual Fingerprinting Gizmodo
...

echo • March 27, 2018 7:04 AM

There are a lot of legal problems with the Brexit issue. A lot of this discussion and legal action isn't actively discussed in the media but includes constitutional issues such as parliament's authority and mandate and a lot of contestable detail about the administrative process. Within an EU context this may possibly mean the legitimacy of Brexit may be against the provisions of Article 50.

Vote Leave 'cheating' may well have swayed EU referendum result, Wylie tells MPs - Politics live
https://www.theguardian.com/politics/blog/live/2018/mar/27/tony-blair-tells-tories-to-block-brexit-if-they-want-to-avoid-corbyn-government-politics-live

BeLeave revelations taint the Brexit result. There must be another vote - Gina Miller
https://www.theguardian.com/commentisfree/2018/mar/27/beleave-revelations-taint-brexit-result-shahmir-sanni-disclosure-funds

@Thoth

My security is Swiss cheese for three reasons: A.) A security threat may whizz straight through and out the other side and B.) My security is so poor I put a security threat off its "A" game and C.) It's so poor that a security threat at any level feels immediate contempt and takes a pass because I'm not worth its time.

I'm joking, sort of...

echo • March 27, 2018 7:24 AM

Memory and comprehension may be improved in a stable and calm atmosphere? This has implications for learning and democracy. In turn this may prevent attacks on 'the system' using ignorance and emotions as exploits.

'We give access to a lost world': Assassin's Creed's new life as a virtual museum
https://www.theguardian.com/games/2018/mar/27/assassins-creeds-origins-discovery-tour-virtual-museum-ancient-egypt-ubisoft
It has the potential to be an extraordinary learning tool, as its developers discovered when they ask educators and researchers at schools, museums and universities to offer feedback on the early designs. When 300 10-year-old students in eight different schools played around in Discovery Tour’s ancient Egypt as part of their classes, their teachers found that it helped students to retain a lot more information – plus, what 10-year-old wouldn’t enjoy playing games in class?

Rules matter, and if Vote Leave cheated, that’s a scandal
https://www.theguardian.com/commentisfree/2018/mar/26/vote-leave-brexit-funding-democracy-sovereignty-parliament
That, ultimately, is the nature of the rule of law: like a seatbelt, it’s not interesting until you need it. Disasters aren’t averted by equally passionate forces hurtling from the other direction; rather, by the sober measures put in place in calmer times, to ensure that heady rhetoric and base cash at least undergo the scrutiny and challenge of representative democracy before they carry the day.

VinnyG • March 27, 2018 8:17 AM

@It’s for Real Folks re IP blocking. There is clearly _something_ going on that results in certain IP addresses or address blocks not being allowed to connect to the "schneier.com" domain, but I think your conclusions are flawed. They certainly are not supported by the evidence I see. I use a VPN that allows me to select (in a quite broad sense) the regional geolocation of the IP address that will be used. When my access is blocked, I do NOT have read access with posting restricted, I get a "not found" browser error (FF.) While some of those selections result in a block more frequently than others (to the point that I can deliberately select a region that will result in a blocked or unblocked address with significantly > 50% accuracy) it is not absolute, either by location or by IP block owner/provider. I very much doubt that if this was some mechanism designed or specifically requested by Bruce, it would work in such a haphazard fashion... To me it smells like some kind of automated, poorly designed and/or implemented filter in use by some provider a good distance upstream from schneier.com. I suppose it is possible that what I am seeing is browser or add-on specific, but I doubt it...

VinnyG • March 27, 2018 8:32 AM

@bttb re inverter with battery removed. Security is not easy. If it was, this blog wouldn't exist. But this option doesn't necessitate lugging a 70 lb lorry battery into the connected caffeine emporium. Depending on the power consumption of your LT and desired run-time, there are any number of economical LiPo jump-starter-with-inverter devices with reasonable AH capacity for not a lot of shekels. If you wanted to go ultra cheap, 12V batteries removed from consumer grade UPS are typically 7AH. Those are sealed lead-acid (SLA,) so some handling care needs to be taken. I use two of those in my little power boat, one for the LED running lamps and the other for the fishfinder/GPS. Of course, if you were willing to sit in your auto in the Starbucks/Panera/whatever parking lot (beware of surveillance cams) you could just tap into the 12V supply of your vehicle...

gordo • March 27, 2018 10:00 AM

@ Hmm,

Russia doesn't have any extradition possibilities.

I suppose the Crown will have first crack followed by Americans who also have extradition possibilities.

Thoth • March 27, 2018 10:13 AM

@all, Clive Robinson

I used to theorize that QR codes are vulnerable to attacks and due to them being a 2D code displayed in the public, it is possible to use a black marker to add some unwanted data or to completely swap out the QR codes.

The modified code could be used to direct users to dangerous sites laden with malware.

Researchers have discovered that Apple's QR readers have a problem parsing certain types of links embedded into QR codes which can be used for exploits.

Link: http://www.theregister.co.uk/2018/03/27/apple_ios_camera_app_qr_codes/

Bruce Schneier • March 27, 2018 11:27 AM

Re Censorship and VPN Blocking

Dreamhost is getting a high volume of credential stuffing attacks on their login mechanisms, and is blocking the IPs that these attacks come from. People who are blocked will be unable to see the schneier.com website at all. Since a large percentage of this traffic comes from VPNs and Tor, those users are disproportionately affected.

Unfortunately, we do not know what percentage of VPN IPs are involved -- although it sounds like maybe Private Internet Access (PIA) is the main one. They are blocking specific IPs, not ranges or providers, so changing IPs can help -- especially with Tor. Dreamhost suggested that PIA users could use this approach for more control over their IP addresses:

https://helpdesk.privateinternetaccess.com/hc/en-us/articles/219016568-Can-I-configure-the-VPN-connection-to-always-use-the-same-IP-address

Dreamhost also said: "We understand the concern for allowing VPN traffic to your server. A more targeted approach is something we are working on. We have also requested IP information from the head of PIA, but didn't get a response after we provided them with evidence of the activity we were regularly seeing."

But this definitely has nothing to do with using a fake email, or with commenting in general. My sysadmin just tested it to be completely sure that heavy use of the comment form wasn't being mistaken for an attack, and could not trigger a block no matter how fast he resubmitted the form. There is a separate mechanism that can block you *from commenting* if you hit the comment script really fast, but that one is very short-term and doesn't prevent you from reading the site.
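The distinction Bruce draws above (a host-level block triggered by credential stuffing against login endpoints, separate from a short-term comment-form limiter) is the kind of thing a detector has to encode explicitly. The following is an added example, not Dreamhost's or schneier.com's actual mechanism; it assumes a constructed access-log format of `ip epoch-seconds method path status [user=name]` and TEST-NET addresses. It scores each source IP on two credential-stuffing signals, a burst of failed logins inside a sliding window and the number of distinct usernames tried, and deliberately ignores comment-form traffic so a fast commenter cannot trip the login block:

```javascript
'use strict';

// Constructed sample log lines (not real traffic; TEST-NET addresses).
// Assumed format: "<ip> <epoch-seconds> <method> <path> <status> [user=<name>]"
const SAMPLE_LOG = [];
// 203.0.113.5: twelve failed logins against twelve different usernames in ~35 seconds
for (let i = 0; i < 12; i++) {
  SAMPLE_LOG.push(`203.0.113.5 ${1522162800 + i * 3} POST /login 401 user=user${i}`);
}
// 198.51.100.7: a real user mistyping their own password a few times, then succeeding
for (let i = 0; i < 4; i++) {
  SAMPLE_LOG.push(`198.51.100.7 ${1522162900 + i * 10} POST /login 401 user=alice`);
}
SAMPLE_LOG.push('198.51.100.7 1522162950 POST /login 200 user=alice');
// 198.51.100.9: someone resubmitting the comment form once a second for 30 seconds
for (let i = 0; i < 30; i++) {
  SAMPLE_LOG.push(`198.51.100.9 ${1522163000 + i} POST /comment 200`);
}

// Parse one line of the assumed format into an event object
function parseLine(line) {
  const [ip, ts, method, path, status, ...rest] = line.trim().split(/\s+/);
  const userField = rest.find((f) => f.startsWith('user='));
  return { ip, ts: Number(ts), method, path, status: Number(status),
           user: userField ? userField.slice('user='.length) : null };
}

// Largest number of events in `times` (sorted ascending) that fall inside any
// window of `windowSec` seconds; two-pointer sweep, O(n)
function maxInWindow(times, windowSec) {
  let best = 0;
  let lo = 0;
  for (let hi = 0; hi < times.length; hi++) {
    while (times[hi] - times[lo] > windowSec) lo++;
    best = Math.max(best, hi - lo + 1);
  }
  return best;
}

// Returns Map<ip, { burst, distinct, block }> considering only failed POST /login.
// Comment-form traffic never reaches the counters, which is the property Bruce's
// sysadmin tested for on the real site.
function detectCredentialStuffing(lines, opts = {}) {
  const { windowSec = 60, failThreshold = 10, distinctUserThreshold = 5 } = opts;
  const perIp = new Map();
  for (const ev of lines.map(parseLine)) {
    if (ev.method !== 'POST' || ev.path !== '/login' || ev.status !== 401) continue;
    if (!perIp.has(ev.ip)) perIp.set(ev.ip, { times: [], users: new Set() });
    const rec = perIp.get(ev.ip);
    rec.times.push(ev.ts);
    if (ev.user) rec.users.add(ev.user);
  }
  const verdicts = new Map();
  for (const [ip, rec] of perIp) {
    rec.times.sort((a, b) => a - b);
    const burst = maxInWindow(rec.times, windowSec);
    const distinct = rec.users.size;
    // Either signal alone is enough: a burst of failures, or many usernames from one source
    const block = burst >= failThreshold || distinct >= distinctUserThreshold;
    verdicts.set(ip, { burst, distinct, block });
  }
  return verdicts;
}

// Convenience: just the IPs that would be blocked for the given log
function blockedIps(lines, opts) {
  return [...detectCredentialStuffing(lines, opts)]
    .filter(([, v]) => v.block)
    .map(([ip]) => ip);
}

console.log(blockedIps(SAMPLE_LOG));
```

The distinct-username signal is what separates stuffing from an ordinary user who forgot a password; the burst threshold catches single-account brute force. A real deployment would key the block on exact IPs with a short expiry, which matches Bruce's description of specific IPs rather than provider ranges being blocked.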

VinnyG • March 27, 2018 1:54 PM

@Bruce That is an accurate characterization of my VPN provider :) Speaking only for myself, since I began experimenting with different VPN "locations," the behavior is not a problem, or even a serious inconvenience. I simply disconnect from the offending location and connect from one of three specific others, which fixes the issue for me >90% of the time. I guess that I would question whether it is an effective strategy for Dreamhost to counter the log-in abuse, since I can defeat it so easily... Google is much more annoying in this regard. I have a Google News url for a specific news location that excludes (via "-" switch) several sources of annoying non-news promo stories that show up when I select "local" from the GN menu. Google's algorithm decides that is "abuse" even though the same url without the extra arguments (from the menu) succeeds. My tailored url nearly always fails from the "Eastern" location selection. However, it nearly always succeeds from the "Chicago," "Atlanta," or "Texas" locations. FWIW, in neither case have I ever been able to change the blocking behavior by toggling a new IP address within the same "location." That suggests to me that both blocking mechanisms are working at the level of regional IP blocks assigned to a given provider, not on individual IP addresses.

echo • March 27, 2018 3:17 PM

The UK state sector are past masters of budget manipulation and collusion. I expect there is a rich vein of experience to draw on when analysing Vote Leave's fraudulent campaign.

Pesky things, facts.

https://www.theguardian.com/uk-news/2018/mar/27/brexit-groups-had-common-plan-to-avoid-election-spending-laws-says-wylie
Vote Leave has repeatedly denied allegations of collusion or deliberate overspending. [...] Cummings responded during the hearing by writing in a blogpost that Wylie was a “fantasist-charlatan”. When put to Wylie by a member of the committee, Chris Matheson, Wylie said his evidence had been “fact checked by the Guardian, the Observer, the New York Times, Channel 4 News and the ICO [the Information Commissioner’s Office]”.

bttb • March 27, 2018 3:27 PM

@JG4
"In court, oil companies accept climate science but rewrite its history"

Thanks for that Ars Technica link for some current info. Some older links regarding 'dark money', Koch Brothers, or climate change include:

https://www.newyorker.com/news/news-desk/in-the-withdrawal-from-the-paris-climate-agreement-the-koch-brothers-campaign-becomes-overt ; Mayer 2017

https://www.theguardian.com/environment/planet-oz/2015/aug/07/maybe-koch-isnt-worried-about-climate-change-because-he-doesnt-get-the-science ; 2015

https://www.politico.com/story/2014/05/harry-reid-koch-brothers-climate-change-106441 ; 2014

https://www.theguardian.com/environment/2012/feb/15/leak-exposes-heartland-institute-climate ; 2015

https://www.newyorker.com/news/news-desk/koch-pledge-tied-to-congressional-climate-inaction ; Mayer 2013

https://www.scientificamerican.com/article/who-funds-contrariness-on/ ; 2010

It appears that Koch money was spent successfully. At least from their perspective, but, perhaps, to the detriment of much life on this planet.

bttb • March 27, 2018 3:50 PM

@VinnyG

"But this option doesn't necessitate lugging a 70 lb lorry battery into the connected caffeine emporium."
I'm interested, please tell me more.
"Depending on the power consumption of your LT and desired run-time, there are any number of economical LiPo jump-starter-with-inverter devices with reasonable AH capacity for not a lot of shekels. If you wanted to go ultra cheap, 12V batteries removed from consumer grade UPS are typically 7AH. Those are sealed lead-acid (SLA,) so some handling care needs to be taken."
Thanks. I hadn't thought of those options.
"Of course, if you were willing to sit in your auto in the Starbucks/Panera/whatever parking lot (beware of surveillance cams) you could just tap into the 12V supply of your vehicle..."
Another option. Thanks again.

For variety, curious looks, or whatever using TENS, Tails, or other, I might run off of the laptop's battery, with the charger attached to the laptop, but with the ac plug dangling in the backpack.

justinacolmena • March 27, 2018 5:23 PM

Re Censorship and VPN Blocking

Dreamhost is getting a high volume of credential stuffing attacks on their login mechanisms, and is blocking the IPs that these attacks come from.

I am on Vultr.com. My domain name is unfortunately something of a "honeypot" (or "beehive," if you will) and most of my traffic is from botnets attempting to exploit known vulnerabilities in common PHP software on the Web or else performing dictionary attacks on SSH.

There is a relatively new blogging platform, https://github.com/TryGhost/Ghost/ which I may experiment with. It is developed on slightly different "stack" of Ubuntu, NGINX, MySQL, and server-side JavaScript.

I am wondering how secure it is....

Anura • March 27, 2018 6:36 PM

@justinacolmena

Well, the "@TODO: replace with crypto.randomBytes" worries me. Seriously, no, using a proper, secure RNG is not a "to do", it's the first damned thing you should do; it's only a few extra lines of code to properly turn random bytes into an integer range (although not a problem to be left to amateurs).

Unless there was a serious audit, assume insecure, but that's not to say it's less secure than what you are using.

carrots • March 28, 2018 5:22 AM

@All

I wanted to write more verbosely about the snake oil product advertised here last week. Here is my post. I must warn you, it's quite long.

bttb • March 28, 2018 9:07 AM

"Who Will Stop the US-Russia Arms Race?"
https://www.nakedcapitalism.com/2018/03/will-stop-us-russia-arms-race.html
Stephen Cohen speaking to Aaron Mate:

" ... But again, Aaron, I mean, if it’s true, and I have no reason to think it’s not true, though the stages of development of these weapons is a little unclear, it’s true what Putin said about these four or five new weapons systems. We are now in a completely new era, because since the end of the Soviet Union the United States has tried to develop at least the capacity of a first strike capability at Russia using these missile defenses. That is over. It’s not possible any longer. Trillions of dollars have been wasted.

By the way, I forget which administration, Bush or Obama, made missile defense a NATO project. It started out as an American project. But it officially gave it to NATO. Why? Because where NATO goes, the missile defense installations go, and NATO has expanded right to Russia’s borders.

So this is an historic turning point, assuming what Putin said is largely true. Though you wouldn’t know it. I guess you had on professor Theodore Postol of MIT. And I mean, Ted is excellent on this stuff but you don’t get any of this in the mainstream media. Putin’s speech was read as an act of threatened aggression against the United States. It was just the opposite.

AARON MATE: Right. And you know, I think what we often forget, too, is that as this missile system , defensive missile system, whatever it’s called, was developed, especially under Bush number two, George W. Bush, it was billed to Russia for so long as being targeted towards Iran. Which seems like a pretty tough sell to accept when, when it’s actually being positioned so close to Russia.

STEPHEN COHEN: Look, it’s bogus. It’s fiction. It’s B.S. It’s disinformation. It’s American propaganda. The reality is this: Russia has been protesting about the, once we left, Washington left the Antiballistic Missile Treaty, Russia has been protesting what we’ve been building. We told Russia, why are you worried? It has nothing to do with Russia. This is all about Iran and, quote, rogue states, unidentified. Russia said, OK, in that case let’s build it together. We actually have better radar facilities than you have. We’ll build it, we’ll manage it together. We refused that systematically.

Every attempt Russian made to join in the creation of a missile defense system was rejected by Washington. Everybody, unless, you know, you believe in the Easter Bunny, I guess, that this system as it was expanded, increasingly, and it branched out, was directed at Russia. I mean, maybe it would have worked against Iran, too, but that was going to be a bonus. This was about Russia. The Russians knew it. You and I knew it. Everybody knew it. Do you know what is an indestructible weapon system?

AARON MATE: No I don’t.

STEPHEN COHEN: One funded in all 50 states. All right. That’s what this missile defense has been. They farmed out manufacturing of it everywhere from Paducah Kentucky to Israel. Everybody gets a piece of the action. Therefore you get no protest in Congress because it’s constituency politics. And that’s true of a lot of the weapons systems we make. They’re indestructible when all 50 states get a piece of the action, and that’s what you have with this missile defense stuff.

AARON MATE: OK, so, speaking of Congress. If there is to be any push for Trump to engage with what Putin said seriously and try to restart some sort of arms control talks, including the New START treaty, which Trump has indicated little interest in advancing, you’d think that it would be Trump’s opposition party who would be pushing him towards that.

Now, recently there were some Democratic senators to call for a new round of strategic arms talks with Russia. But I want to read to you a quote from the Senate Democratic leader Chuck Schumer, where he is greeting the news of Mike Pompeo now being the secretary of state. And instead of pointing to Pompeo’s open disdain for the Iran nuclear deal and his hawkishness on things including Russia, this is what Chuck Schumer said. He said: The instability of this administration and just about every area weakens America. If he’s confirmed we hope that Mr. Pompeo will turn up we’ll turn over a new leaf and will start toughening up our policies towards Russia and Putin, unquote.

So Professor Cohen, as we wrap, that is the top priority from the leader of the opposition party Chuck Schumer, for the new nominee to be secretary of state to be tougher towards Russia.

STEPHEN COHEN: Well, but it’s not just Schumer. And Schumer is not to make this distinction as statesmen. He is a kind of local politician risen way above his pay grade when it comes to foreign affairs. It was outrageous what he said. But a lot of the Democratic leaders are saying this sort of thing.

I mean, let me make the point you made before. One reason this situation is so dangerous, Aaron, so dangerous, is that in the ’70s and ’80s, and I participated at a junior or younger level, the debate over Cold War or detente in the United States, that the pro-detente people, the anti-Cold War people had lots of very senior allies many in Congress. Even in the State Department. Even among presidential aides. It was always a fair fight.

There is no one today. Only the Schumers and the Pelosis. And they have become with this Russia gate stuff, claiming that Putin attacked America and it was like Pearl Harbor or 9/11. I mean I never call people names, but this is warmongering. That’s exactly what it is. If you claim Russia attacked America, the assumption is we have to attack Russia. And we’re talking about nuclear war potentially. So what kind of political leadership is, we have descended into a morass of degraded commentary on Russia that has never even when the Soviet Union existed, even during the worst days of the Cold War, we didn’t have this kind of discourse.

AARON MATE: We have to leave it there. Professor Stephen F. Cohen, professor emeritus of Russian studies at New York University and Princeton University. Thank you.

STEPHEN COHEN: Pray a lot, Aaron.

AARON MATE: Will do. And thank you for joining us on the Real News."

https://en.wikipedia.org/wiki/Stephen_F._Cohen
https://www.democracynow.org/2013/1/29/the_gatekeepers_in_new_film_ex ; Mate again: oldie, but goody
https://en.wikipedia.org/wiki/Theodore_Postol
http://sts-program.mit.edu/people/emeriti-faculty/theodore-postol/

bttb • March 28, 2018 9:15 AM

From the Office of Inspector General, Justice Department
https://oig.justice.gov/reports/all.htm

"March 27, 2018
A Special Inquiry Regarding the Accuracy of FBI Statements Concerning its Capabilities to Exploit an iPhone Seized During the San Bernardino Terror Attack Investigation, Oversight and Review Division Report 18-03 — Full Report | Press Release"
https://oig.justice.gov/reports/2018/o1803.pdf ;PDF, full report
https://oig.justice.gov/press/2018/2018-03-27.pdf ;PDF

JG4 • March 28, 2018 1:11 PM


https://www.nakedcapitalism.com/2018/03/200pm-water-cooler-3-28-2018.html
...
The crapification of the Internet experience [Hacker News]. “It seems like the web is being optimized for casual users, and using the internet is no longer a skill you can improve to create a path towards a more meaningful web experience.” Many horror stories that readers may have shared.

“Bring back the landline. When we moved, my landline number was retained, but I understand the line itself was moved from copper to digital – which obviates the point of the exercise: namely, when Sandy hit, and the electricity went out, I disconnected my portable phone system, plugged in an old standard phone I retained against just such an eventuality, and could communicate with the outside world” [MidasWatch]. Amen.
...
The usual news from the Internet of Sh*t:

Internet of Shit@internetofshit
i... cannot...

Good news from the Internet of Sh*t:

Internet of Shit @internetofshit
EXCITING NEWS
...

Ratio • March 28, 2018 4:01 PM

Ecuador cuts off Julian Assange's internet access at London embassy:

The Ecuadorian government said in statement that it had acted because Assange had breached “a written commitment made to the government at the end of 2017 not to issue messages that might interfere with other states”.

It said Assange’s recent behaviour on social media “put at risk the good relations [Ecuador] maintains with the United Kingdom, with the other states of the European Union, and with other nations”.

The move came after Assange tweeted on Monday challenging Britain’s accusation that Russia was responsible for the nerve agent poisoning of a Russian former double agent and his daughter in the English city of Salisbury earlier this month.

The WikiLeaks founder also questioned the decision by the UK and more than 20 other countries to retaliate against the poisoning by expelling Russian diplomats deemed spies.

(Previously on Ecuador y el problema heredado Assange)

Clive Robinson • March 28, 2018 4:55 PM

@ Anders,

There is the usual from the Onion about Mr Z and true red-blooded Americans saying "It's worth it to see the little Zucker squirm..."

But I look at it this way: contrary to the old saying about "not having a pot to p155 in", somebody will give him a pot just so they can "p155-n-Miss"; mind you, the queue will be long, very long, and not so much yellow rain as golden rain...

Ratio • March 28, 2018 8:11 PM

Britain shares ‘unprecedented’ Skripal intelligence with allies:

The UK not only shared detailed scientific analysis of the nerve agent used in the attack on Sergei Skripal and his daughter Yulia on March 4 in Salisbury but also intelligence reports that backed up London’s claim that Russia has been running an “explicit” state-backed assassination programme, said the senior British official, who declined to be identified.

For the first time these intelligence assessments were shared with senior ministers and officials in the EU and at Nato over the past two weeks, added the official.

“We released unprecedented degrees of intelligence to our allies in order to be able to persuade them of the case that there was no plausible alternative other than this was the Russian state,” said the official.

In spite of repeated denials from Russia, scientists from the UK’s defence, science and technology laboratory at Porton Down have concluded that the poison used in the attack was from the Novichok family of nerve agents produced by the Soviet Union in the late 1970s and 1980s.

The level of intelligence shared by the UK with its allies still varies from country to country. Through its Five Eyes agreement with the US, Canada, Australia and New Zealand, the UK shares headline assessments from its main intelligence agencies — MI6, MI5 and GCHQ — as well as underlying data. Britain shares less information with some EU countries.

(Partially) declassify and release on the day the OPCW report comes out?

Clive Robinson • March 28, 2018 10:04 PM

@ Anders,

I have just a perfect image for that golden rain :)

Ahh "little boy blue". The sooner he finds out "what goes around comes around" in buckets the better, it will be...

I tell you what, based on the little we do know about how The Little Zucker has humiliated people in the past, I see at least two things happening,

1, A lot of people "fist pumping"
2, Others practicing their "dance moves"...

I'm thinking the Little Zucker should write in his will that he wants to be buried upright in an unmarked grave with its location kept secret ;-)

I wonder if he will get to the point he is more detested than Margaret Thatcher...

Sancho_P • March 29, 2018 7:34 AM

@carrots

I’m a noob here, but you’ve vanished some smoke and smell, thanks.

VinnyG • March 29, 2018 7:55 AM

@JG4 re Crapification - this is news? It isn't just that it's optimized for casual users, but casual users on smartphones. It will only get worse, Google just announced that they are committed to producing primary search results that are optimized for smartphones. They don't say that those results will be very much sub-optimal for computer users, but that's a given. The web has been progressively dumbed down since I began using it in 1997 or so. It is now to the point that if I didn't have an established routine and footprint of doing things a certain, well-accustomed, way, I'd ditch it in a minute. It could come to that soon, anyway - I've considered it enough times. BTW, my combination voice/DSL line is still copper to the nearby CO, but I'm sure it is digitized at that point, or not very far upstream from it.

VinnyG • March 29, 2018 8:32 AM

@Anders re FB future There are a few possibilities. Either they will be heavily regulated, get their own house in order, lose so much value that they will be acquired by another internet giant, or ultimately be overtaken by a competitor. Any regulation would need to apply generically to similar businesses, not be exclusively directed at FB. Current FCC (et al) politics makes effective regulation highly improbable. Even if such regulation was implemented, I see FB resorting to the venerable game of "buy a regulator," probably effectively. Frankly, everything I see about FB indicates that the development and coding "expertise" behind it is just as execrable/excretable as what passes for its ethics (admittedly this evaluation is based on the behavior of the UI - I have not seen any of their internal code.) Their pathetic half-hearted plea to "regulate us, please" just reinforces that conclusion. That makes it improbable imo that they have the ability to fix their problems even if they so desired. If the market value slides to the point that MFuckerberg & co decide to bail, Google or some other huge entity might possibly buy them. I think there would be huge anti-trust issues if that was attempted. I also think that the only improvement in user privacy would be cosmetic, the result of a buyer with better PR skills. I think a dedicated competitor with sufficient resources could, in theory, overtake FB. Unfortunately, those resources would need to be formidable. FB has a currently insurmountable advantage in terms of number of subscribers, coupled with the "chicken/egg" problem that hardly anyone will want to switch to an alternative provider unless the core of their social group also switches. My gut feeling is that most of those social groups are just decentralized and the members risk-averse enough that it is unlikely any of them will be willing to be the pioneer who takes the leap. That leap represents a significant investment of time that would be lost unless the majority of the group follows. Unfortunately (I despise FB even though I make very limited use of it) I don't think that even the union of those scenarios constitutes a >=50% probability over the next 5 years or so. My expectation is that we are going to be stuck with FB in approximately its present form for the nonce.

Clive RobinsonMarch 29, 2018 9:30 AM

@ VinnyG,

The web has been progressively dumbed down since I began using it in 1997 or so. It is now to the point that if I didn't have an established routine and footprint of doing things a certain, well-accustomed, way, I'd ditch it in a minute.

Yup, I'm moving back to "other hobbies" as it were, where those that know where to look on the dial can find me...

The problem with "dumbed down" is that it enables many more dummies to spring up and it's getting difficult avoiding them. Oh and by dummies I don't mean those who are making their first steps in a new area, and would be expected to make the odd stumble. No it's those who would be bottom feeders if they had the brains/social skills to rise that far.

What has not helped is the current state of politics, and to be honest I think many older Internet users really get sick and tired of those pigs' noses pushing into yet another trough...

I notice that at least one regular poster here has effectively moved to an invitation only site, and other previously regular posters are just not posting any more...

As a social experiment the Internet has kind of proved yet again that no matter what the idealists hope, they are going to get drowned by those who are at best mediocre, and then the parasites come in to feed off of them...

It won't be long before many people just turn the lights out on the Internet, as they leave either for other more rewarding activities or because they finally realise that the likes of the "little Zucker" are worse than parasites but are by no means the darkest things in the swamp....

echoMarch 29, 2018 10:16 AM

@Clive

A group can be as clever as the cleverest member of that group but only as smart as the average.

I remember a specific point in time where a usenet newsgroup populated by industry leading experts and lots of amateur expertise experienced a sharp decline over a six month period. This began to be felt over web based forums too within a year. The sense was industry leaders and academics and others who were competent had pulled back to their bubbles or disappeared off to other distractions. I don't know how to address this other than suggest education and outreach and psychologically filtering everything else. The problem is once a decline begins it can become a self-fulfilling prophecy. People have their limits and I have both experienced this myself and witnessed this within an NGO context as frustration and burnout rise when little seems to change. If I can paraphrase a political comment I read today "history repeats but not in the same way".

While the issues as described remain a common point between what I am pursuing offline and the security domain is that previously specialist subjects have become mainstream and that there is a rise in the general public taking up these issues even if they are in different ways to historical experts and assorted "stakeholders". This has its frustrations of a "may you get what you wish for" kind of thing but also contains new albeit different opportunities.

Governments and political parties have to adjust to this change too. They have to cope with pressure and greater scrutiny of legislation and other administrative tricks they have been used to pulling, or infighting and careerism. Of course they resist this change because they fear a decline of power or relevance but this is history in the making as today's inconvenient becomes tomorrow's orthodoxy.

If instead of perceiving loss perhaps this is a win and the real battle has moved on from winning the political argument to winning the implementation argument and this is where real understanding and expertise can be meaningful.

bttbMarch 29, 2018 11:21 AM

Two links regarding the Mueller Investigation

From https://www.emptywheel.net/2018/03/28/mueller-prepares-to-reveal-the-first-cards-in-the-hack-and-leak-conspiracy/

"For weeks, I’ve been having a persistent exchange with people, including editors. They say there’s no evidence of collusion between Trump and Russians. I say it wouldn’t be collusion anyway, but conspiracy. They say there’s no evidence of conspiracy either. Then I point to Rick Gates’ guilty plea on conspiracy to defraud the US. I note that Gates effectively pled guilty to hiding the fact that he and Paul Manafort were working for pro-Russian Ukrainians while pretending to be engaging in politics for independent reasons. My interlocutors always say, in spite of the fact that Mueller has always insisted this went through the election period, that that doesn’t have anything to do with the election.

Yesterday’s news that Rick Gates and Alex Van Der Zwaan believed that Konstantin Kilimnik, the Oleg Deripaska crony with whom they were engaging through the entire period Manafort and Gates were working on the Trump campaign, was a current or former Russian military intelligence agent, should put that canard to rest. As the government sentencing memo in Van Der Zwaan’s plea explains,

'That Gates and Person A were directly communicating in September and October 2016 was pertinent to the investigation. Federal Bureau of Investigation Special Agents assisting the Special Counsel’s Office assess that Person A has ties to a Russian intelligence service and had such ties in 2016. During his first interview with the Special Counsel’s Office, van der Zwaan admitted that he knew of that connection, stating that Gates told him Person A was a former Russian Intelligence Officer with the GRU.'

Worse still, and less commented on in the coverage of this, at some point, Kilimnik actually worked for Manafort’s company! ..."

Second, an opinion piece: "Nelson W. Cunningham has served as a federal prosecutor in the Southern District of New York, general counsel of the Senate Judiciary Committee and general counsel of the White House Office of Administration."
https://www.washingtonpost.com/opinions/a-mueller-report-may-never-see-the-light-of-day/2018/03/14/54e88cba-2639-11e8-b79d-f3d931db7f68_story.html

Clive RobinsonMarch 29, 2018 1:36 PM

@ Anders,

I wonder how many people these days get the reference to FaceCrook and Co by the founder and CEO of Open Xchange, Rafael Laguna of,

    "So they invented their own protocols to do a Hotel California"

[For those who don't, in the words of the song one set of words that are relevant are "You can check out any time you like but you can never leave" (illegal data retention); another, more recently, could be "This could be heaven or this could be Hell" with the emphasis on the latter (now people have woken up). But the real grabber with the share price dropping faster than a meteor heading for the white house would be,

    And she said, 'we are all just prisoners here, of our own device' / And in the master's chambers, / They gathered for the feast / They stab it with their steely knives, / But they just can't kill the beast]

echoMarch 29, 2018 1:40 PM

Timothy Garton Ash is always good value which as a historian and Professor of European Studies at Oxford University he should be. He also works for the American Hoover Institution.

We have six months to foil Brexit. And here’s how we can do it - Timothy Garton Ash
https://www.theguardian.com/commentisfree/2018/mar/29/six-months-foil-brexit-vote-parliament-influence-mps

The “framework for the future” is vaguer than an Anglican prayer, with lashings of Brussels fudge and the deafening clang of cans being kicked down the road.

VinnyGMarch 29, 2018 2:10 PM

@echo I came to the web a bit after usenet began to ramp up in popularity. The reason for the delay was that I was perfectly happy with the Byte Information Exchange (BIX) forum. There was a myriad of competent+ people among the Bixen; from authors such as Jerry Pournelle to techies like Joanne Dow, who was the hardware architect of the Commodore Amiga, and pretty much every discipline in between. I was awed. I did my best to keep my virtual mouth shut, listen, and learn. At some point, after Byte sold out to McGraw Hill, MH began to get in financial difficulties; the bean counters began depriving BIX of resources and raising subscription rates, and I departed for usenet. I found that there were a lot of competent posters to be found there, as well. It was less civil and not as well structured as BIX, but for the most part, the worst one had to put up with was an intelligent person who didn't have much regard for the opinions of others. I've found over the course of time that I can manage to tolerate profound stupidity, or terrible rudeness, but not at the same time from the same source. Which pretty much sums up my opinion of the internet today :

VinnyGMarch 29, 2018 2:12 PM

I came to the web a bit after usenet *gateways* began to ramp up in popularity.

echoMarch 29, 2018 2:45 PM

@VinnyG

Our positions are similar-ish although different. This blog is one of the few places I can visit which interactively stretches my mind.

echoMarch 29, 2018 3:11 PM

I don't believe it is a good idea to keep selling out to bigger companies some of whom use leveraged capital to fund a buy out. This hollows out the industrial ecosystem and creates a loss of social and economic opportunity. There is a lot of weakness in UK takeover legislation. "National security" is being used to drive calls to block this takeover as well as "British national interest".

https://www.theguardian.com/business/2018/mar/29/gkn-shareholders-accept-melrose-takeover
One of Britain’s oldest engineering firms is to be taken over by a company that has been labelled an “asset-stripper”, prompting calls for the government to block the £8.1bn deal on national security grounds.

RatioMarch 30, 2018 1:00 AM

Minneapolis FBI agent charged with leaking classified information to reporter:

[Terry James] Albury, who was assigned as Minneapolis-St. Paul International Airport liaison working on counterterrorism matters, was charged this week by the Justice Department's National Security Division with one count of "knowingly and willfully" transmitting documents and information relating to national defense to a reporter for a national news organization. Albury was also charged with a second count of refusing to hand over documents to the government.

Albury is the second person charged with leaking secret documents to The Intercept. In June 2017, an intelligence contractor was charged with leaking a classified report about Russia's interference in the 2016 election to The Intercept, the first criminal leak under President Trump.

The Intercept does not discuss anonymous sources, editor-in-chief Betsy Reed said in a statement posted on their website.

[...]

In January 2017, The Intercept published a series titled "The FBI's Secret Rules," based on Albury's leaked documents, which show the depth and broad powers of the FBI expansion since 9/11 and its recruitment efforts.

[...]

One of The Intercept's FOIA requests, dated March 29, 2016, asked for copies of a specific document classified as secret. The document, titled Confidential Human Source Assessing, gives tips for agents on how to cultivate informants.

From the application for a search warrant (included in a follow-up article, titled Federal documents outline steps FBI took to investigate one of its own):

17. On or about March 29 and 30, 2016, a presumed U.S. Person (USPER1) representing an online media outlet (News Outlet) made two separate requests for copies of specific documents from the FBI pursuant to the Freedom of Information Act (FOIA), 5 U.S.C. § 552. The requests contained specific information identifying the names of the particular documents that had not been released to the public. Subsequently, the FBI identified approximately 27 FBI and U.S. Government documents published online by the News Outlet from on or about April 2016 and February 2017. Of these approximately 27 documents, approximately 16 are marked classified. The FBI believes that the classified and/or controlled nature of the documents indicates that the News Outlet obtained these documents from someone with direct access to them. Furthermore, reviews of FBI internal records indicate ALBURY has electronically accessed over two-thirds of the approximately 27 documents via trusted access granted to him on FBI information systems.

18. One of the FOIA requests, dated March 29, 2016, requested copies of an identified document classified at the SECRET level (hereinafter DOCUMENT1). According to information obtained directly from the News Outlet’s website, DOCUMENT1 was uploaded to an online document repository on January 26, 2017 by another individual working for the News Outlet. The electronic copy of DOCUMENT1 posted on the News Outlet’s website identified a creation date of August 17, 2011 on the first page. Based on the investigation, the FBI believes that the News Outlet, prior to the March 2016 FOIA requests referenced above, had obtained a cache of FBI documents, which included classified documents, such as DOCUMENT1. The News Outlet then used its knowledge of such documents to create the FOIA requests.

19. Of note, the electronic version of DOCUMENT1 published by the News Outlet includes a gray highlight across one row of text on page four. This gray highlight is not present in the original document. DOCUMENT1 was available to authorized FBI users on such a system. If the user accessed DOCUMENT1 in this available web interface, left clicked on the mouse, took a screen shot, and pasted the image, the gray highlight would be preserved in the pasted document. As detailed further below, a review of FBI internal audit records indicates that not only did ALBURY electronically access DOCUMENT1 via an FBI information system classified at the SECRET level, but ALBURY also conducted cut and paste activity on DOCUMENT1 that could have resulted in the capture of a gray highlight in a saved electronic copy of DOCUMENT1.

Déjà vu at The Intercept.

JG4March 30, 2018 5:45 AM
It is important to understand that reality is a tradespace, even how trust is scaled. The short answer has been "badly." I think that I'm on the record on multiple points, two especially important ones being the most persistent inefficiencies on the old blue marble. The difficulty of transducing solar power into useful energy and the inability to scale trust. I'm optimistic about the first and I've been pessimistic about the second. I'd welcome some comments on this approach to the second problem:

A Simple Explanation of Hashgraph with Pictures
https://www.youtube.com/watch?v=wgwYU1Zr9Tg

File under Byzantine fault tolerance. Financial security is not so different from computer security which is not so different from physical security. We can think of these as tradespaces where e.g., convenience and speed are balanced against security. In the financial markets the purported transfer functions are risk and rate of return. But the thimble-riggers actually are playing a game of heads, we win, tails, you lost already. I'll define tradespace as a combination of transfer functions that are balanced to optimize fitness for purpose.

The rabbit hole starts here. These are some of the sharper knives in the drawer. The free trial is a good deal, but not cheap if you slip up on canceling:

https://www.realvision.com/the-big-story-the-incredible-future-of-india
https://www.realvision.com/the-drive-toward-a-digital-india
https://www.realvision.com/the-genomics-revolution-investing-in-crispr
https://www.realvision.com/ETF-Innovator-on-the-future-of-passive-investing
https://www.realvision.com/exodus-from-us-assets/

See also:

The Big Story: Edge of The Cliff | Real Vision Video
https://www.youtube.com/watch?v=vBJ-p0ybhzs

The Law of Unintended Consequences Part 1 | Raoul Pal Presentation
https://www.youtube.com/watch?v=JK_cc_1UNT0

Mark Cuban In Conversation With Kyle Bass | Real Vision Video
https://www.youtube.com/watch?v=PAcZPUjLdf4

VinnyGMarch 30, 2018 9:20 AM

@JG4 re Real Vision - is that a promotion of some kind? If so, I'd personally expect some kind of disclaimer about whether or not you have a relationship with the provider, and if so, its nature. Others' mileage may vary :)

Clive RobinsonMarch 30, 2018 3:26 PM

FaceCrook is not enough...

With all the noise about CA, Facebook and SCL in the news, you might have missed a little event about your "personal data" and the battle to "own it all".

In what may well be the Personal Data equivalent of Dante's Seventh Level of Hell is,

https://techcrunch.com/2018/03/30/iot-devices-could-be-next-customer-data-frontier/

The idea appears to be that, to give you, the data subject, a tiny smidgen more utility, you will surrender everything in your life to "the great data gods in the clouds". And by everything they really really do mean everything...

I'll leave others to work out what this will mean for the Data Grabbers and Society itself.

But one thing you can be sure of I will not be playing their game for as long as I can opt out in any which way I can.

Clive RobinsonMarch 30, 2018 3:51 PM

@ Bruce and the usual suspects,

This might be of interest,

https://techcrunch.com/2018/03/29/nyc-secure-new-york-cybersecurity-app-de-blasio/

Apparently NYC has had a bit of a cyber bashing this week, and coincidently the City has announced it is launching a Cybersecurity Application this summer.

From what has been said it will be no more than pop up advice as the old "Public Service Broadcasts" used to be.

However I'm really not sure that what they say about users and their data is actually true as it's intended to be in effect a "broadcast system" which would normally be a push not a pull system.

I guess we need more details.

Oh IBM and its participation in Quad 9 Public listed[1] DNS gets a mention as well.

[1] Simplistically Quad 9 has "White lists" and "Black lists" of Domain names and IP addresses. But it augments it with a "Gold list" which sounds like a hardwired "white list" from the "marketing speak" explanations. Such a Gold List could prove problematic if attackers are "a little bit smarter than the average bear". It's the embodiment of the "Every rule should have exceptions" problem.
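The footnote describes the precedence problem in the abstract. The toy below is an added illustration, not Quad9's code: it models a resolver with a black list, a white list and a hardwired gold list (precedence as assumed here, gold over white over black), using constructed entries, and audits which block-list entries a gold entry silently overrides, which is the check an operator would want before trusting such a list.

```python
# Toy resolver policy with "black", "white" and hardwired "gold" lists.
# Added illustration of the precedence problem in the footnote above, not
# Quad9's implementation; every list entry below is constructed.

def _labels(name: str) -> list[str]:
    """Split a domain name into labels, case-folded, trailing dot removed."""
    return name.lower().rstrip(".").split(".")

def covers(entry: str, name: str) -> bool:
    """True if a list entry applies to name: equal, or name sits under entry."""
    e, n = _labels(entry), _labels(name)
    return len(n) >= len(e) and n[-len(e):] == e

def _listed(name: str, entries: list[str]) -> bool:
    return any(covers(e, name) for e in entries)

def decide(name: str, black: list[str], white: list[str], gold: list[str]) -> str:
    """Return 'resolve' or 'block' for a query name.

    Assumed precedence, highest first: gold (hardwired, not touched by feed
    updates), white (operator override), black (threat feed), default resolve.
    """
    if _listed(name, gold):
        return "resolve"
    if _listed(name, white):
        return "resolve"
    if _listed(name, black):
        return "block"
    return "resolve"

def gold_exceptions(black: list[str], gold: list[str]) -> dict[str, list[str]]:
    """Audit the black list against the gold list.

    'neutralised': black entries at or under a gold entry, so every name they
                   cover is resolved anyway.
    'punctured':   black entries that contain a gold entry, so a hole is cut
                   in their coverage.
    In both cases a feed update alone cannot block the affected names; only a
    change to the hardwired gold list can.
    """
    neutralised = [b for b in black if any(covers(g, b) for g in gold)]
    punctured = [b for b in black
                 if any(covers(b, g) and not covers(g, b) for g in gold)]
    return {"neutralised": neutralised, "punctured": punctured}

# Constructed sample lists: a feed entry under a gold domain, and a gold
# entry under a feed-blocked domain.
BLACK = ["evil.example", "cdn.trusted.example", "example.net"]
WHITE = ["ok.example"]
GOLD = ["trusted.example", "static.example.net"]

if __name__ == "__main__":
    for q in ("evil.example", "www.evil.example", "cdn.trusted.example",
              "static.example.net", "mail.example.net", "ok.example"):
        print(f"{q:22} -> {decide(q, BLACK, WHITE, GOLD)}")
    print(gold_exceptions(BLACK, GOLD))
```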


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.