Friday Squid Blogging: Eating Firefly Squid

In Toyama, Japan, you can watch the firefly squid catch and eat the squid in various ways:

"It's great to eat hotaruika around when the seasons change, which is when people tend to get sick," said Ryoji Tanaka, an executive at the Toyama prefectural federation of fishing cooperatives. "In addition to popular cooking methods, such as boiling them in salted water, you can also add them to pasta or pizza."

Now there is a new addition: eating hotaruika raw as sashimi. However, due to reports that parasites have been found in their internal organs, the Health, Labor and Welfare Ministry recommends eating the squid after its internal organs have been removed, or after it has been frozen for at least four days at minus 30 C or lower.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on April 13, 2018 at 4:24 PM • 97 Comments

Comments

FRex • April 13, 2018 4:32 PM

The T-Mobile Austria plaintext password debacle and the passive-aggressive tweets from their PR account. And now they're supposedly hashing them in a hurry.

Jonathan Wilson • April 13, 2018 8:14 PM

Someone needs to find out (via whatever means necessary) if these cellphone encryption defeating boxes are actually defeating the encryption or if they are just defeating the anti-brute-force measures.

humdee • April 13, 2018 9:16 PM

@wilson

I would be shocked if they defeated the encryption. The standard policy is to defeat the implementation.

JG4 • April 13, 2018 10:36 PM

"full spectrum dominance" ~= "sustainable competitive advantage,"

except for the part where bread and circus, or, if you prefer their new names, EBT and Netflix, reliably erode moral/ethical/mental/physical/competitive capabilities. You can get some of that back by regularly skipping meals for 24 to 168 hours, as long as you don't go chronically short of potassium and magnesium. I can't recall whether I've commented on The Fourth Turning, or as it is called in the fungal paradigm, alternation of generations. "We are old, older than thought in your genetic line, which is fifty thousand to five hundred thousand times older than your written history. Though we have been on earth for aeons, we are from the stars. We arrived many times before the oceans boiled, but could not stay until later. Our home is no one star system, for many worlds scattered through the shining disc of the galaxy have conditions which allow our spores the opportunity for entropy maximization. At least transiently, which is as good as it gets in your universe."

Heinlein pounded the complacency nail on the head, at least so far as "The Moon Is a Harsh Mistress" and the rest of his work goes. I've commented before on altitude training at Langley, but not on depth training. We took a ride at Pensacola, in the same pool (or a close facsimile thereof) shown in An Officer and A Gentleman. My roomie had to be cut out of the straps, which I seem to recall happening in the movie. A convenient way to measure your toughness. I was pleased last week to work out multiple solutions to the helicopter escape problem that claimed several of our friends. File under rebreather, as taught by Q and Bond. That is within my technological grasp, though not described here. I still like the thread that starts with Run Silent, Run Deep. It is unfortunate that "The Wreck of the Memphis," "Dust on the Sea," and "Cold Is The Sea" didn't make it to Hollywood. Thanks to the folks who suggested prototypes for the Bond character.

https://www.zerohedge.com/news/2018-04-13/name-bond-long-bond

I was pleased to talk to a scientist in February who was mentored by Wilfred Mann. He corroborated the broad strokes of my narratives. I tried today to find my comments on smart meters as a back door to the back door via power adapters on computers. I didn't anticipate that malware could be used to convey the signal from the thread itself to the meter, but that clearly is in play. And I want to claim credit for articulating early two subtle backdoors ahead of the crowd - the power adapter and the smart meter. My working assumption is that there always are hardware backdoors through the powerline and the smart meter. In that long-ago exchange, Clive sharpened my point about backdoors very nicely.

If anyone has a time machine or AI navigation tool for this site, I'd appreciate appropriate links. I appreciate the dynamic discourse, and look forward to an open-source solution that backfills what is left of my memory, for managing access to my brilliant comments. I correctly realize that the quality of my comments is subject to alternative interpretations.

Wesley Parish • April 14, 2018 3:39 AM

As an English poet once said, Far from the madding crowd ..., except that is just what Google's new technology seems to be aiming at making you, virtually:

https://hardware.slashdot.org/story/18/04/13/2115250/google-works-out-a-fascinating-slightly-scary-way-for-ai-to-isolate-voices-in-a-crowd

pointing to:

https://arstechnica.com/gadgets/2018/04/google-works-out-a-fascinating-slightly-scary-way-for-ai-to-isolate-voices-in-a-crowd/

In any case, the privacy ramifications of this kind of tech seem just as obvious as the potential use cases. Google's voice isolation is far from bulletproof in the examples above, but with some more fine-tuning, it could make for a powerful eavesdropping and surveillance tool in the wrong hands.

JG4 • April 14, 2018 7:42 AM


@Wes - Thanks for the update. I had a hell of a time finding this.

John Galt IV • October 30, 2015 6:58 AM
https://www.schneier.com/blog/archives/2015/10/friday_squid_bl_499.html#c6709471
threat models few have considered
...
The voice of every speaker in the crowd can be isolated by beamforming combinations of the audio frequency signals picked up from each microphone and uniquely identified, even in the presence of heavy background noise.
...

https://www.nakedcapitalism.com/2018/04/links-4-14-18.html

...[I probably said before that they stole your DNA from the envelope and mapped your attack surface]

Glutamatergic Signaling Drives Ketamine-Mediated Response in Depression: Evidence from Dynamic Causal Modeling International Journal of Neuropsychopharmacology (David L)

...[Zerohedge has some good doom-porn on this, including the lamestream cutting of a retired general when he went off script]

Russia says Britain helped fake Syria chemical attack, calls for emergency UN meeting to ‘avert danger of war’ Abc.net.au (Kevin W). Wellie, the “allies” made sure that is now irrelevant.

...

Big Brother is Watching You Watch

Facebook Uses Artificial Intelligence to Predict Your Future Actions for Advertisers, Says Confidential Document Intercept (Bill B)

Police used facial recognition technology to locate and arrest a man at a pop concert NME (Kevin W)

Have you been watching porn? openDemocracy

Looking to Listen: Audio-Visual Speech Separation Google Research

...

bttb • April 14, 2018 8:44 AM

Skeptical thinking, imo, is necessary as Trump becomes more and more desperate; a talking head said Trump is more concerned about the FBI raid on attorney Cohen's office than the Mueller investigation. For example, Dershowitz is defending Trump (search 'dershowitz raid cohen office').

After last night's strikes in Syria, I remembered Bacevich had recent articles. For example,

Tomgram: Andrew Bacevich, April 10, 2018, Creating a Perpetual War Machine: "... Consider that grim list and the churning antiwar activism in the Vietnam-era military that Heinl went on to describe as a reminder of why President Richard Nixon, Secretary of Defense Melvin Laird, and the U.S. military high command opted on January 27, 1973, to end the draft. They launched instead the “all-volunteer” force we know 45 years later, the one that, with nary a peep of protest, criticism, or complaint, continues to fight a set of still spreading wars across the Greater Middle East and Africa almost 17 years after the 9/11 attacks. ..."
http://www.tomdispatch.com/blog/176409/tomgram%3A_andrew_bacevich%2C_creating_a_perpetual_war_machine
also, regarding Heinl
https://msuweb.montclair.edu/~furrg/Vietnam/heinl.html
and
Tomgram: Andrew Bacevich, March 20, 2018, A Memo to the Publisher of the New York Times:
"When Russia moved into the Ukraine and seized Crimea in 2014, it got more than its share of (bad) media coverage in the United States, as it did when it intervened in Syria the next year. So just imagine what kind of coverage Vladimir Putin’s favorite nation would be getting if, almost 17 years after it had launched a “Global War on Terrorism,” Russian troops, special operations forces, airplanes, and drones were still in action in at least eight countries across the Greater Middle East and parts of Africa: Afghanistan, Iraq, Libya, Niger, Pakistan, Somalia, Syria, Yemen (and, if you felt in the mood, you could even throw in the Philippines in Asia for good measure).

Imagine the outraged front-page and top-of-the-news overviews we would be getting more than a decade and a half later when it came to that never-ending Russian global war and the rubble, the chaos, the dead and displaced it continued to create. There would be critical discussions aplenty of what it meant for one of the planet’s great powers to pursue such wars without end. In official Washington, the protests would be savage, the language harsh beyond imagining, the critiques unyielding and fierce. There would be blistering assessments of that nation as it continued to pursue such disintegrative wars across vast stretches of the planet without the slightest indication that their end was anywhere in sight.

What’s strange, as TomDispatch regular Andrew Bacevich, author of America’s War for the Greater Middle East: A Military History, suggests today, is that in the press, the rest of the media, and official Washington, such overviews, such critiques, such assessments are almost completely absent, even though everything about the above description remains on target -- except, of course, for the name of the country pursuing that global war so relentlessly and disastrously. Tom ..."
http://www.tomdispatch.com/blog/176400/tomgram%3A_andrew_bacevich%2C_a_memo_to_the_publisher_of_the_new_york_times

VinnyG • April 14, 2018 8:52 AM

I've wanted to start this thread here for some time: "Practical mitigations for (privacy/security) risks of physical socializing." (terrible subject line, but the best I could come up with) Problem description: we can assess and mitigate our personal security risks in our home physical environment with reasonable effectiveness in most cases. But what happens when we visit the homes of family, friends, and acquaintances who are not as security-conscious (or paranoid - YMMV) as we are? What steps can we take to avoid making an abrupt transition from relative security to wide-open vulnerability? Let's rule out draconian solutions such as "never visit anyone who isn't as well-secured as you are." Let's also rule out "educate your family, friends, etc. until they are as well-secured" - that's an admirable goal, and I support the effort, but it is almost certainly impractical as a general solution. I'm distinguishing between general public "navigation" and being in the homes of people with whom we are comfortable, because that very comfort level is conducive to greater intimacy and less guarded interaction - why else do we have personal relationships? :) As for the "what are you trying to secure against," let's include video surveillance coupled with facial recognition, and audio eavesdropping coupled with voice recognition, for starters (other suggestions re scope are welcome.) Let's further assume that we typically carry a smartphone of some kind (arguably inadvisable, I'm aware) at least part of the time when away from home. I'm cautiously optimistic that we can come up with a list of "small step" practical mitigation proposals (that hopefully won't make us instant pariahs) that potentially improve the situation, and prioritize that list in terms of importance and/or bang for the buck. There is a similar but not identical problem with guests in our own secured environments who bring in personal, unsecured devices.
That domain has been covered to a certain extent commercially (e.g., salesmen/contractors in the home office of a company or agency) but many of the common solutions might be overkill in our context. If there is significant existing work on this subject, references are welcome, of course. Any takers?

albert • April 14, 2018 12:10 PM

@VinnyG,

There are many threads in this blog concerning the kind of mitigation you are talking about.

A lightweight, portable jammer that blocks wifi and cell traffic would be effective*. It wouldn't affect any device with a direct connection to the Internet. In that case you'd have to 'accidentally' unplug the modem/router. What's more annoying when you're having a conversation than 'Sorry, I have to take this'? Forcing folks away from their connected world can have two effects: 1. They relish the relief from their technological tyranny, or 2. They react like a baby who's had his bottle taken away.

I don't think you'll find any -really- practical solution to the problem.

------------
*yes, they are likely illegal, so I can't recommend them, but they are effective, from a strictly technological viewpoint.
. .. . .. --- ....

name.withheld.for.obvious.reasons • April 14, 2018 1:53 PM

WTF,

Three countries act to maintain international norms?

Unilateral pluralism? Fake-law?

Where and how to achieve justice; adjudicate using one's own facts for one's own purposes and claim the act is that of the international community and is by consensus a righteous condemnation.

Reward yourself. Take an international hero selfie.

bttb • April 14, 2018 2:00 PM

On the Libertarian front Dershowitz said:

"... Mueller's team appears to be "laundering information to another prosecutorial authority" - in this case, the U.S. Attorney's office.

Dershowitz said Mueller is "trying to have it both ways."

He said that Mueller is not formally investigating Cohen's relationship with Trump, but that the Southern District of New York would not have received any information for a possible case were it not for Mueller's initial inquiries.

Watch more above."
http://insider.foxnews.com/2018/04/10/alan-dershowitz-robert-mueller-laundering-information-geoffrey-berman-new-york-attorney

and from the emptywheel front

"... matt says:
April 12, 2018 at 3:02 pm

"I hope you’re right. For all the work that EW [emptywheel] has put into the dialog… and the political focus this country has had for the last year… I want all the dirt on all the people out in the open. Especially the dots connecting Mercer/Bannon/CA [Cambridge Analytica] to Russian interference. From Tuesday’s testimony:

During testimony on Capitol Hill on 10 April 2018, Facebook CEO Mark Zuckerberg acknowledged — for the first time — that it is “entirely possible” there’s a connection between Facebook users who had their data taken by psychographics firm Cambridge Analytica and content generated by the St. Petersburg-based Internet Research Agency (IRA)."
https://www.emptywheel.net/2018/04/12/open-thread-oddments-olio/#comment-732933

It would be nice if the likes of Stone, Assange, Bannon, Koch, Prince, Adelson, Broidy, Jared, Don Jr., Ivanka, Mercers, Bannon, Cambridge Analytica, SCL, AggregateIQ, Miller, etc., might get rolled-up, or at least be charged or indicted in public, if there is probable cause that they have committed felonies.

"NorskieFlamethrower says:
April 12, 2018 at 3:31 pm

“…I want the dirt on all the people out in the open.”

Yes indeed!! And no matter who or what jurisdictions do the investigating my bet is that all of it is gunna come back under the conspiracy to defraud charges ultimately. I just want to make sure that the long established structures of corruption that are being exposed are taken down before our institutions of governance and protection are dismantled. Seems like we are in a race against the clock here that, especially as it relates to the environment, we are losing right now."
https://www.emptywheel.net/2018/04/12/open-thread-oddments-olio/#comment-732941

also, from the New York Times

"WASHINGTON — President Trump’s advisers have concluded that a wide-ranging corruption investigation into his personal lawyer poses a greater and more imminent threat to the president than even the special counsel’s investigation, according to several people close to Mr. Trump.

As his lawyers went to court in New York on Friday to try to block prosecutors from reading files that were seized from the personal lawyer, Michael D. Cohen, this week, Mr. Trump found himself increasingly isolated in mounting a response. He continued to struggle to hire a new criminal lawyer, and some of his own aides were reluctant to advise him about a response for fear of being dragged into a criminal investigation themselves.

The raids on Mr. Cohen came as part of a monthslong federal investigation based in New York, court records show, and were sweeping in their breadth. In addition to searching his home, office and hotel room, F.B.I. agents seized material from Mr. Cohen’s cellphones, tablet, laptop and safe deposit box, according to people briefed on the warrants. Prosecutors revealed in court documents that they had already secretly obtained many of Mr. Cohen’s emails.

Mr. Trump called Mr. Cohen on Friday to “check in,” according to two people briefed on the call. Depending on what else was discussed, the call could be problematic, as lawyers typically advise their clients against discussing investigations."
https://www.nytimes.com/2018/04/13/us/politics/lawyers-for-trumps-personal-attorney-set-for-friday-court-appearance.html

and an opinion piece from Jennifer Rubin, who writes the "Right Turn" blog for The Washington Post

" President Trump, contrary to his self-image, is often averse to confrontation. He doesn’t like to fire people directly. He will say anything to win over people in a room, even if he doesn’t believe what he is saying. He threatened to veto the omnibus spending bill, but retreated. Trump’s tendency has always been to overpromise and make bellicose threats but underdeliver. Faced with a confrontation and real chance of losing, he’s likely to do a 180-degree turn when it is time to carry out his threats.

This has several ramifications for the Russia investigation.

First, Republican pressure to allow special counsel Robert S. Mueller III to do his job does seem to have an effect on Trump. After several days of tumult and anxiety about Trump possibly firing Mueller, Trump tweeted on Thursday: “I have agreed with the historically cooperative, disciplined approach that we have engaged in with Robert Mueller (Unlike the Clintons!). I have full confidence in Ty Cobb, my Special Counsel, and have been fully advised throughout each phase of this process.”

It is no coincidence that his retreat by tweet comes as Republicans may finally move forward with a bill to offer some protections for Mueller. The bipartisan Special Counsel Independence and Integrity Act — designed to give the special prosecutor a time to challenge his dismissal, reaffirm the Department of Justice regulation saying that he can be fired only for cause and providing for the investigation’s materials to be preserved — may get a vote.

One co-sponsor, Sen. Thom Tillis (R-N.C.), writes for The Post that “if the president actually removes the special counsel without good cause, it would likely result in swift, bipartisan backlash and shake the country’s faith in the integrity of our legal system. Talking heads and pundits on television encouraging the president to make such a drastic and counterproductive move most certainly do not have his best interests at heart.” In other words, Congress has to protect Trump from himself. If he is certain he’d be clobbered by his own party for firing Mueller, that blowback would very likely make a difference in his cost-benefit analysis next time he thinks about firing Mueller.

Second, it is hard to think of a constitutional means to prevent Trump from firing Deputy Attorney General Rod J. Rosenstein. However, a bipartisan resolution stating that the attempt to install a new deputy AG (or AG, for that matter) with the intent to curtail or end the Mueller investigation would be seen as an improper attempt to interfere with an ongoing investigation would be useful. Congress — and Republicans specifically — could signal that Rosenstein’s firing would compel them to act. As my colleague Phillip Bump explains, “replacing Rosenstein with someone who would handcuff Mueller (so to speak) might be the most effective way to stem the investigation. Less outcry, less heavy-handedness — and fewer indictments.”"
https://www.washingtonpost.com/blogs/right-turn/wp/2018/04/13/time-to-protect-rosenstein-too/?noredirect=on

Of course, afaik, Trump could veto a bill to protect Mueller or Rosenstein, and a veto override would require a two-thirds majority.

bttb • April 14, 2018 2:28 PM

@vinnyG, Albert

vinnyG wrote
"I'm cautiously optimistic that we can come up with a list of "small step" practical mitigation proposals (that hopefully won't make us instant pariahs) that potentially improve the situation, and prioritize that list in terms of importance and/or bang for the buck."

Does anybody know, or have a reference for, the saying, which might include:

... don't talk if you can mumble
don't mumble if you can ...


Regardless, I keep coming back to https://ssd.eff.org


Albert wrote
"In that case you'd have to 'accidentally' unplug the modem/router."
Apologizing for accidentally unplugging stuff, I assume, is optional. Alternatively, you could 'educate' people how it is good to turn off routers at times, to clear memory, or something, like they might do with computers.

Finally, iirc, 65535 has a big metal pot or pan receptacle, with lid, for visitors' phones, pads and the like. Perhaps it could be put on the floor, on a platter, in the middle of the living room, for those people that, relatively speaking, don't like devices out of their sight.

Regarding the IoT, Thoth's 1 mm by 1 mm video cameras (w/ or w/o need for batteries), miniature robots, flying and other, etc., good luck with that.

gordo • April 14, 2018 2:57 PM

At the U.S. Senate's Facebook hearing earlier this week, the text of the terms of service for the second version of the Aleksandr Kogan/GSR app, thisisyourdigitallife, was held up on a poster-board by an aide to Senator Blumenthal [emphasis as displayed on poster-board]:

"If you click "OKAY" or otherwise use the Application or accept payment, you permit GSR to edit, copy, disseminate, publish, transfer, append or merge with other databases, sell, licence (by whatever means and on whatever terms) and archive your contribution and data."

Here's a portion of Senator Blumenthal's questioning of Mr. Zuckerberg [from transcript]:

SEN. RICHARD BLUMENTHAL (D-CONN): Thank you, Mr. Chairman. Thank you for being here today, Mr. Zuckerberg.

You have told us today — and you've told the world — that Facebook was deceived by Aleksandr Kogan when he sold user information to Cambridge Analytica, correct?

ZUCKERBERG: Yes.

BLUMENTHAL: I want to show you the terms of service that Aleksandr Kogan provided to Facebook and note for you that, in fact, Facebook was on notice that he could sell that user information.

Have you seen these terms of service before?

ZUCKERBERG: I have not.

BLUMENTHAL: Who in Facebook was responsible for seeing those terms of service that put you on notice that that information could be sold?

ZUCKERBERG: Senator, our app review team would be responsible for that. Had ...

BLUMENTHAL: Has anyone been fired on that app review team?

ZUCKERBERG: Senator, not because of this.

BLUMENTHAL: Doesn't that term of service conflict with the FTC order that Facebook was under at that very time that this term of service was, in fact, provided to Facebook? And you'll note that the Face — the FTC order specifically requires Facebook to protect privacy. Isn't there a conflict there?

ZUCKERBERG: Senator, it certainly appears that we should have been aware that this app developer submitted a term that was in conflict with the rules of the platform.

BLUMENTHAL: Well, what happened here was, in effect, willful blindness. It was heedless and reckless, which, in fact, amounted to a violation of the FTC consent decree. Would you agree?

ZUCKERBERG: No, senator. My understanding is that — is not that this was a violation of the consent decree.

But as I've said a number of times today, I think we need to take a broader view of our responsibility around privacy than just what is mandated in the current law.

On March 26, 2018 the FTC confirmed in a press release "that it has an open non-public investigation into these practices.”

“The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers. Foremost among these tools is enforcement action against companies that fail to honor their privacy promises, including to comply with Privacy Shield, or that engage in unfair acts that cause substantial injury to consumers in violation of the FTC Act. Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.” [emphasis added]

[See also: FTC Privacy Shield page and Fact Sheet]

The above FTC Fact Sheet seems quite clear regarding Facebook's responsibility as a Privacy Shield participant:

To transfer personal data to a third party acting as an agent, a Privacy Shield participant must:

- Transfer such data only for limited and specified purposes;
- Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
- Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
- Require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
- Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and
- Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.

On March 16, 2018, in a Facebook Newsroom post announcing their suspension of Cambridge Analytica and SCL Group, Paul Grewal, VP & Deputy General Counsel Facebook, wrote:

Although Kogan gained access to this information in a legitimate way and through the proper channels that governed all developers on Facebook at that time, he did not subsequently abide by our rules. By passing information on to a third party, including SCL/Cambridge Analytica and Christopher Wylie of Eunoia Technologies, he violated our platform policies. When we learned of this violation in 2015, we removed his app from Facebook and demanded certifications from Kogan and all parties he had given data to that the information had been destroyed. Cambridge Analytica, Kogan and Wylie all certified to us that they destroyed the data.

IANAL, but with respect to the documentary evidence presented by Senator Blumenthal and looking only at the FTC's Privacy Shield participant requirements, it seems to me that Facebook was, at best, negligent as it regards current law.

Emma was silenced • April 14, 2018 4:12 PM

Re "small step" practical mitigation proposals -

This exchange sums up one of the principles:

Charlie Wilson: Well, then, should we try some of this scotch, or is it going to release Sarin gas?
Gust Avrakotos: Well, I don't think so, but do me a favor and open it over there

Hmm • April 14, 2018 6:47 PM

"ZUCKERBERG: No, senator. My understanding is that — is not that this was a violation of the consent decree."

Let's let a judge decide that, seems fair?

gordo • April 14, 2018 8:11 PM

A Brief Overview of the Federal Trade Commission's Investigative and Law Enforcement Authority

- Enforcing Final Commission Orders

A Commission order (except an order to divest assets) becomes final (i.e., binding on the respondent) 60 days after it is served, unless the order is stayed by the Commission or by a reviewing court. If a respondent violates a final order, it is liable for a civil penalty for each violation, as set forth in Commission Rule 1.98(c). The penalty is assessed by a district court in a suit brought to enforce the Commission's order. The court may also issue "mandatory injunctions" and "such other and further equitable relief" as is deemed appropriate. (FTC Act, Section 5(l), 15 U.S.C. Sec. 45(l)). Pending enforcement actions are identified in the Federal Court Litigation Status Report.

https://www.ftc.gov/about-ftc/what-we-do/enforcement-authority

---

https://www.law.cornell.edu/cfr/text/16/1.98

https://www.law.cornell.edu/uscode/text/15/45


---

As always, words like "reasonable" and "substantial" are in play.

gordo • April 14, 2018 8:42 PM

The Facebook hearings demonstrate the need for technology policy experts in Congress
The pace of technological change is hard for anyone to keep up with. But policy needs to reflect more than what worked a generation ago.
Jessica Rosenworcel Apr.13.2018

The Office of Technology Assessment was a nonpartisan office established in 1972 but closed in 1995, when it was de-funded by the newly Republican-controlled House just as the internet era was getting underway.

https://www.nbcnews.com/think/opinion/facebook-hearings-demonstrate-need-technology-policy-experts-congress-ncna865611

Paul Coddington • April 14, 2018 9:05 PM

Cloud Clipboard is an upcoming feature in the next build of Windows 10 (Redstone 5).

Visit secure website, open encrypted password manager, cut and paste credentials to sign-in. Cloud data now contains URL visited, plus matching Cloud Clipboard entries for username and password. Ouch.

BitLocker passwords for local storage devices will not have a matching URL, but this feature could hand someone a useful short list of potential candidates.

It looks like automated transmission to the cloud can be disabled (hopefully not ON by default). The options presented indicate that Clipboard will preserve history with an option to share individual entries to the cloud manually when this feature is turned OFF.

The Group Policy entry seems to prevent all clipboard sharing completely.

gordo • April 14, 2018 9:29 PM

https://www.investopedia.com/news/1-10-american-have-deleted-facebook-new-survey/

That number is likely to rise as breach notifications continue going out to those 87 million friends. Another slice of digital life...

"Based on our investigation," another notification reads, "you don't appear to have logged into 'This Is Your Digital Life' with Facebook before we removed it from our platform in 2015. However, a friend of yours did log in."

https://hellogiggles.com/news/facebook-this-is-your-digital-life-app/

justina.colmena • April 14, 2018 9:54 PM

—> gordo

If a respondent violates a final order, it is liable for ...

So a "respondent" to some court proceeding is just assumed to be an it? This has got to be the epitome of corporate personhood. It's a gentlemen's club: you can't just serve a "final order" like that on a natural person. No, you have to serve it on "the establishment" where the pimps are hiding behind a bulletproof corporate veil which apparently cannot be pierced without a criminal warrant.

It reminds me of the time I was witness to an act of violence that was not prosecuted as a crime. Instead, I heard third-hand many years later that I had been listed in a public database as a "non-respondent" to some sort of civil restraining or protection order of some sort that had been duly served on the "respondent" pursuant to the order of the court.

The court recordkeepers, instead of making it clear that I was a neutral third party, that is, only a witness, and not even called to court, since my testimony had already been transmitted in writing, let on that I was supposed to have been another "respondent" to the order, and that I had somehow evaded the service of process or that the plaintiff had not been able to follow through on having me duly served with the order along with the alleged perpetrator of the violence.

As a result, I was repeatedly denied employment because of my "record."

Let every last one of those crooked fraternizing lawyers be damned, and let them burn in hell for eternity.

Clive RobinsonApril 15, 2018 2:14 AM

@ VinnyG,

we can assess and mitigate our personal security risks in our home physical environment with reasonable effectiveness in most cases.

I would disagree, we have crossed a tipping point from which the cost of getting back will be,

1, Very expensive.
2, Increasingly not legal to do.

Have a look at "Smart Meters" they are becoming in effect compulsory, by the service supplier.

The mitigation would be to "Go off Grid" which the service suppliers are fighting in court and in some places have made it illegal for you to not have the service connected to your property, but worse you are also "legally required to use their service" or face their financially punitive actions.

The excuse they used is very "socialist" in nature (or "Communist" if you are in the US ;-) They argue it is too expensive to supply only some of the properties in any given area as the cost would fall disproportionately on those who use their service rather than opt to use Solar / Wind etc. Thus they portray themselves not as the thieving bunch of thugs they actually are but as a "Social Good"... Conveniently forgetting that all other "Social Goods" do not have an enforcement clause[1], that is the equivalent of a "protection racket"... thus should be viewed in a similar light as a criminal organisation under the terms of the RICO legislation...

The point is it's difficult to remain lawful when "mitigation" has been made a crime, which is the direction not just the US but other Western predominantly WASP Nations that claim to be "democracies" are heading.

[1] Even those that appear at first sight to be compulsory such as vehicle driver insurance. If you do not drive, then you don't require it thus it does have a "mitigation" / opt out if you wish to use it, and I gather many US citizens in large cities have taken this "mitigation".

65535April 15, 2018 4:03 AM

@ neill

Technology is wonderful. Who needs probable cause?

Just think for the “rental revenue” of renting greykey devices to the FBI, local police, and Private investigators who have the cash. :-(

Clive RobinsonApril 15, 2018 4:39 AM

@ John Doe,

Attempt to use fish tank thermometer to hack casino.

If you look back on this blog, I think you will find we've already covered the story. Around mid to late summer last year if my memory serves me correctly.

Clive RobinsonApril 15, 2018 4:53 AM

@ JG4,

My working assumption is that there always are hardware backdoors through the powerline and the smart meter. In that long-ago exchange, Clive sharpened my point about backdoors very nicely.

Have a search for "RobertT" and "Smart Meters" he provided the technical details as he had been involved with designing some of the chips that were going into them.

In essence they sample around 600Hz to do the calculations, which is way more than enough bandwidth not just to identify a device, but in the case of modern switch mode PSUs enough to identify a video you are watching or music you are listening to.

But it's going back quite a few years.

RobertT popped up briefly a little while ago so he may still be reading and can thus give more info.

neillApril 15, 2018 4:55 AM

@65535

yeah, sign me up ;-)

but one firmware update later, you're out-of-work :-(

fortunately the next versions (iOS 10.14 - iOS 10.(1/0)) will have sec holes, too ... stay tuned!
.

echoApril 15, 2018 5:17 AM

@Clive

This is the same power, status, and wealth cycle. On reflection I agree with you "status" is the primary drive which is often a hidden agenda behind job titles or bureaucracy or as a last resort fiscal policy. From what I can tell this is unlawful and as always the problem is proving it. My technique is to keep people talking. If there is an agenda at play they usually betray themselves especially when they perceive themselves as more powerful and untouchable.

As a counter to smart meters which are part of the "capture it all" mechanism I would propose the backend is fully transparent. Allowing customers to share and analyse all the data, and the policy frameworks behind the system, would place customers on an equal footing and mitigate the master->slave relationship.

They would argue "data protection". Yes, but this is a complex thing and protection for whom? If negotiation hits a brick wall then no smart meters. This is simple, really.

Clive RobinsonApril 15, 2018 5:34 AM

@ 65535,

Technology is wonderful. Who needs probable cause?

Now my heart is "bluetooth enabled" my mind has been rather more focussed on what I can and can not do. As a part time RF Consultant, I have had on occasion to enter EM fields that are way way more than 10 Volts/meter...

Now I have to consider if the dame device in my chest will survive such voltages and by implication what the result would be to me if it started to misbehave, malfunction or burn up like a fuse...

If you remember back to the "JW Bush cronies" one of them when having a pacer installed had the Radio disabled, the thing is that might stop your everyday hacker, but an RF engineer with a couple of wideband 5KW HF through VHF amplifiers could probably make him break dance all over the place with a minor amount of "fault injection" simply by phase modulating them...

Thus perhaps we should be asking not about "parallel construction / probable cause" to bamboozle a geriatric judge, but just a touch of "Find Fix and Finish" with a quick "drive by" in a van...

We know "extrajudicial execution" goes on in the world, often when "sending a message" that you can not hide. We know that both US President Obama encouraged it and Hillary Clinton was in it way beyond her eyebrows, and the supply of drones is going up not down in various parts of the world. Worse we also know there was quite a bit of collateral damage at wedding parties etc that the USG tried to keep hushed up.

I assume that it's not just the USG in the super powers that does this but other Western "democracies" as well. Oh and of course any nation that could afford the relatively low cost of extrajudicial executions...

The thing is such behaviours have a "me too" aspect. So if you know a super power is popping people off with apparent impunity, then lesser governments are going to want to play the game to show they are "in the big leagues" as well. Fairly obviously under the "eye for an eye doctrine" things can only escalate. Something that modern "Power trip Politicians" appear to have either no notion of or just do not care about as long as they have reason to look the other way when washing their hands...

In the UK we have out and out loonies like Malcolm "Rockets away" Rifkind who has held various "defence related" government positions at ministerial level. He's continuously going on about sending something or someone in to show we are still the "British Empire", of course just to say how weak the other parties are for not in effect demanding the starting of yet another genocide or mass murder in the name of "Queen and Country". I really don't know who's more deluded, him or the likes of the far right boot boys and their neo-fascist behaviour. I certainly know which is responsible for the deaths, disability and injury of more innocent civilians though...

Alyer Babtu April 15, 2018 5:52 AM

@Wesley Parish Google voice tracking

While one is apprehensive of Big Tech’s totalitarianization through utopian euphoria spinning, it is also kind of degrading to see the clunky rubegoldbergian actual means that are being used.

echoApril 15, 2018 6:12 AM

I don't recall anyone mentioning a new method to assure randomness using quantum mechanics. The problem is nothing is ever this simple. Does confirmation of entangled time change this?

I have begun to wonder if as well as quantum cryptography whether quantum exploits exist. I can barely follow these articles but I have found that as you dig deeper the universe seems like it's made of Russian dolls. We're all a bit too thick to understand this, as the unresolved problem of merging relativity and quantum mechanics demonstrates, due to one of those known-known, probably hiding an unknown-unknown, blind spots. Or am I over-analysing this?

Quantum Mechanics Could Solve Cryptography’s Random Number Problem
https://www.wired.com/story/quantum-mechanics-could-solve-cryptographys-random-number-problem/
Which is why, a couple years ago, Bierhorst’s team decided to develop a number generator that was perfectly, provably random. In the cryptography world, that means “numbers that cannot be predicted,” says Ribordy. And what’s random? Quantum mechanics.

If You Thought Quantum Mechanics Was Weird, Check Out Entangled Time
Where the future influences the past.
https://www.sciencealert.com/if-you-thought-quantum-mechanics-was-weird-check-out-entangled-time
The assumption is that the 'nonlocal' part of quantum nonlocality refers to the entanglement of properties across space. But what if entanglement also occurs across time? Is there such a thing as temporal nonlocality? The answer, as it turns out, is yes.

gordoApril 15, 2018 7:36 AM

@ justina.colmena,

Sorry to hear of your troubles with the recordkeepers.

Imprecision in language leaves its marks if not scars. Words matter.

"Respondent" is operating as a euphemism that obscures, as you point out, the difference between a "defendant" and a "witness". A side-effect of such word usage is "lowest common denominator" treatment. "Respondent" seems to be an "economy of language" usage choice that implies an "efficiency-of-purpose" that leaves each of us "dehumanized", "collateral damage".

JG4April 15, 2018 7:49 AM


https://www.nakedcapitalism.com/2018/04/links-4-15-18.html

...[tracing the origins of things by chemical signatures is fascinating]

Russia: Trace of Western-made nerve agent seen in UK samples AP. Documents said to be from an unnamed Swiss Lab working with OPCW.

...

Big Brother Is Watching You Watch

Oath’s new privacy policy allows it to scan your Yahoo and AOL mail for targeted advertising The Verge. I’m gotta change over…

‘Dear Mark, this is why I hate you.’ An open letter to Zuckerberg Wired

Health Care

Our Dental Insurance Sent us “Free” Internet-Connected Toothbrushes. And this is What Happened Next Wolf Street

Imperial Collapse Watch

The military’s stunning fighter pilot shortage: One in four billets is empty Air Force Times

Two Decades of War Have Eroded the Morale of America’s Troops The Atlantic

Afghanistan starts asking awkward questions about where small wars come from Duffel Blog. I’m thinking that, in the last days of the U.S.S.R., jokes were a more accurate indication of public opinion than surveys…

...

AlejandroApril 15, 2018 7:52 AM

@Anders re: "Telegram handed over to the FSB the encryption keys ;)"

Maybe it's just a matter of grammar and syntax, but my understanding is Telegram did NOT hand over the keys, because for one thing, they don't have such a key(s), they are stored on the device itself.

Meanwhile, the Russian court has issued an order to block Telegram because: "security" (there are terrorists everywhere you know.)

Unfortunately, I can easily see USA, Five Eyes, UK all doing the same thing. If they haven't created a work around already.

echoApril 15, 2018 8:28 AM

@JG4

I feel a bit doubtful about both the Syria and poisoning affairs. Politicians do seem to be running ahead of the evidence.

Former UK Ambassador to Syria: Syrian Chemical Weapons Attack Was STAGED By Islamic Jihadi Propagandists, It Is Likely No One Died
http://washingtonsblog.com/2018/04/former-uk-ambassador-to-syria-syrian-chemical-weapons-attack-was-staged-by-islamic-jihadi-propagandists-it-is-likely-no-one-died.html

Former head of Britain’s special forces says Assad ‘doesn’t need to use gas’ because he’s ‘already won the war’
https://special-ops.org/news/special-forces/former-head-britains-special-forces-says-assad-doesnt-need-use-gas-hes-already-won-war/

Who?April 15, 2018 10:56 AM

@ Anders

Ah, our old friends at Ben Gurion University attacking again!

They need to control CPU load using malware on the not-so-airgapped computer and having physical access to the electrical service panels or, even more difficult, power lines of the building. As easy to avoid as using a double-conversion UPS, I think.

There are much easier —and faster— ways to exfiltrate information from a compromised air-gapped computer.

albertApril 15, 2018 2:53 PM

@bttb,

"...65535 has a big metal pot or pan receptacle, with lid, for visitors phones, pads and the like...."

That's one way to do it:) It has a high 'nutter factor' though. (no offense to 65535; -I- don't think it's crazy at all.)

How about a small, shielded closet? Come to think of it, why not turn your office into a shield room? BTW, recording studios are an excellent 'cover' for such a project.

. .. . .. --- ....

High RoadApril 15, 2018 4:05 PM

It's interesting to note the positive global change Edward Snowden's revelations made for digital privacy.

European Report: Snowden Made a Huge Difference
Unlike successive U.S. administrations, which tried and failed twice to deliver privacy legislation, the EU’s Selmayr “built a bridge of trust between EPP and Greens, between Commission, Parliament and Council, and in cooperation with about 20 key activists,” the justice department official said

In 2017, Selmayr blocked an effort by free-trade advocates to include data flows in future trade agreements. “For the EU, privacy is not a commodity to be traded,” Commission spokesperson Andreeva said at the time. “Data protection is a fundamental right in the EU.”

British Report: Liking GDPR
Already, Selmayr has put privacy at the center of the U.K.-EU Brexit negotiations. In a January 2018 letter, the Commission warned “all stakeholders processing personal data” operating in the U.K. that they would be subject to the EU’s privacy rules in any dealings with the bloc.
It need not have bothered. For months, British government officials and watchdog bodies have made clear that they like the way the EU deals with the protection of online privacy. Indeed, GDPR has already served as the basis for a new British data protection law. https://www.politico.eu/article/martin-selmayr-powerful-tech-regulator-data-flows-gdpr/

Americans can only hope...

JG4April 15, 2018 5:14 PM


@echo - It's the other current nerve agent case. The headline refers to the poisoning in the UK.

I was running late this morning for a flight out of one of the US imperial center cities in one of the police states. I saw a line that said "Clear, ask for a free thirty-day trial." the main security line was quite long, but there was no line in Clear, so I asked for the free trial. the tall, attractive and very dark-skinned women said that it would take 3 minutes to save 30. she was right. and it was "free." she was recently arrived from the contested territories in africa, where a million chinese are working on railroads and mines, where a million of the best and brightest have been taken to china for education in the imperial cities. someone is playing the long game.

she asked for my papers and walked me over to a kiosk roughly the size of an ATM that had a silver mirror about 10" wide and maybe 1.5" tall at eye height. I'm thinking that your bank will have these new ATMs next week. at lower right there was a pad that I could press four fingers on at a time, roughly 3.5" x 3.5" the resulting image was displayed on a screen at center, showing some patterns that go back many decades. at left were an optical and magnetic scanner. she scanned the 2D bar code on the back of my national ID card and asked me to press the four fingers of the right hand on the pad. then four fingers of the left hand. then both thumbs. the screen produced two questions. first, which of the four cars was registered to the address on my national ID card. this step was meant to defeat someone who stole the ID, but my prints have been on file since '78. then they photographed my eyes for the iris patterns. that is the only new information that went into the panopticon today, which they were going to get anyway. if they don't already have it from the zillion megapixel camera used for the national ID card photo. they also got everything else that I did outside the Faraday cage today.

the next question was, which address have you not lived at. there actually were two correct answers, because of a flaw in the corporate/imperial databases, but I knew the right one. then she asked for a credit card to be charged $179 per year after the free trial. ok, you can go back now. so I went back in the Clear line, still no one in it, other than the three attendants, and they brought me to a similar kiosk. I was instructed to press both thumbs on the pad. it was a much smaller pad, maybe 2" x 2", then scan the boarding pass under the optical scanner at left. some beeping sound and I was jumped to the head of the pre-check line. I got pre-check at random on another flight this week, so I must not be on the leper list yet.

I think that my political detainee status these days is potentially useful dissident. I am a conscientious objector to the imperial peasant extermination programs. my great-grandfather was involved in an earlier one, when the chief Irish export was refugees and mercenaries. my other great-grandfather's son was gassed by Fritz Haber. his disability pension paid for my grandfather to attend WPI. it was neither a faked attack, nor a false flag attack.

AlejandroApril 15, 2018 6:45 PM


"Police in Wales managed to arrest and convict a drug dealer by identifying his fingerprint from a photo posted on WhatsApp, a technique that the local law enforcement is calling “groundbreaking,” according to the BBC."

https://gizmodo.com/cops-in-wales-caught-a-drug-dealer-by-iding-his-fingerp-1825279052

Police claim they took the WhatsApp picture of some fellow's hand, then ID'd him as a drug dealer. I have my doubts to be honest.

Regardless, guys, please resist biometric ID schemes altogether. If the police or party don't get you, the bad guys surely will.

Discussion in the article suggests the ID technology may be somewhat sketchy. I am thinking they knew or already suspected the guy's ID. Also, there are some technical limitations which make the method unreliable. Maybe WhatsApp is back-doored.

(Note to Anders....OK I get it....Pavel Durov sent FSB some wood keys. Very bold move in my opinion. Not sure I would do that. Regardless, Durov seems like a very smart fellow and his app, Telegram, is extremely good, too.)

65535April 16, 2018 1:22 AM

@ bttb, albert, Clive R. and others

The cooking pot is a dual purpose Faraday cage and cooking utensil. The pot is less than a liter in capacity, somewhat thick iron alloy and has a metal lid.

Several of us, including Clive Robinson, were talking about putting cell phones into RF bags which cost about 12 USD to discourage tracking. I was looking for a low cost RF device for juvenile neighbors' kids to put their smart phones in, so as to keep them from taking awkward or unbecoming pics or audio at my place.

I experimented with a thin stainless steel pot with lid and found that cell phones could be called even when they were in a metal pot with a ceramic dish [you can search this site for the thread].

To my surprise even a grounded stainless steel pot with the cell phone in a ceramic dish let RF signals through the stainless steel and the cell phones could be dialed and they would ring in the thin metal pot. Thus, Faraday cages should be tested for usefulness. The home experiment just proved that Faraday cages are not that easy to do. The thick pot with the cell phones is just like the cookie jar and any kid can open it. That is all.

@ neill

“one firmware update later, you're out-of-work :-(“

Yes you are probably correct. It is a sad commentary on zero-days and their shelf life.

@ Clive Robinson

“…my heart is "bluetooth enabled" my mind has been rather more focussed on what I can and can not do. As a part time RF Consultant… the "JW Bush cronies" one of them when having a pacer installed had the Radio disabled, the thing is that might stop your everyday hacker, but an RF engineer with a couple of wideband 5KW HF through VHF amplifiers could probably make him break dance all over the place with a minor amount of "fault injection" simply by phase modulating them...”

Whoa, that is not a happy thought. I am sorry about your heart problem and your Bluetooth device. Do be careful and stay alive. I wonder about those old 100,000 watt or higher valve antenna stations…

While I was helping close down a large facility that made barcode equipment there was a room with an RF radiation shield on it and inside were dozens or even 40+ barcode readers or writers that were Wifi enabled and tested for quality control. The guy running the test told me to only stay a certain time due to OSHA rules.

https://en.wikipedia.org/wiki/Occupational_Safety_and_Health_Administration

The place was humming with a huge amount of data exchanges via several large antennas. It was an interesting place but only to a point. I departed fairly quickly. I wonder what it or a powerful police radar gun test facility would do for your pacemaker… or to you.

“…Fairly obviously under the "eye for an eye doctrine" things can only escalate…”-Clive R

That is one point I have been trying to drive home. If the Great NSA and GCHQ do these dirty IT deeds why not see a race to the bottom with tinplated dictators and overzealous police and private detectives doing the same. I believe if you start a “Cold War” in the digital world it will end badly.

VinnyGApril 16, 2018 6:35 AM

@Clive Robinson re: "would disagree, we have crossed a tipping point" - respectfully, I think that premise is both debatable, and a YMMV item. I'm not going to publicize details, but my home *is* reasonably secure against the threats I mentioned, and a few others, as well. I have a vacation/bug-out property in another location that is (at least) reasonably secure against most plausible electronic or physical threats. OTOH I have family who are completely oblivious to privacy issues and who are public-net-connected out the wazoo. I don't intend to never visit them because of this neglect. Nor do I think it likely I can convince them to take the risk sufficiently seriously. They are far from stupid, IQ-wise, but they do have blind spots, and this is one. I find it difficult to believe that there are not quite a number of others in very similar situations. My post was intended to elicit a discussion of what practical measures can be taken to reduce (not eliminate) the risk. I find it highly implausible that that is an empty set. Frankly, though I respect your accomplishments and your contributions here greatly, and I hope to cause no insult or offense, imho "we are all doomed" (my interpretation of your reply) isn't a very productive mind-set...

echoApril 16, 2018 10:33 AM

@VinnyG

In UK law (I'm not sure about other common law-ish jurisdictions or civil law jurisdictions) an expert group in partnership with a community can form an entity which has authoritative standing in law. In theory if security experts produced standards and guidelines along with consultation with the stakeholder community this might both help with education and outreach but also form a body of opinion which might in turn be leveraged.

To turn this into an effective tool will of course require proper scientific research and professional legal advice and financing. While it may have a useful impact with judges' decisions it is no substitute for other political and legal and other action.

I will admit this is far-flung but I surmise this may help counter negligence within the public policy sphere.

ThothApril 16, 2018 10:40 AM

@all, Clive Robinson

Why FIDO is probably another SSL/TLS incarnate and probably going down the same way of SSL/TLS.

Because it uses ASN.1 style encoding and we all know how much SSL libraries have tripped up on parsing ASN.1 encoding data in the past and even now.

Apparently, FIDO did not learn from past failures that SSL/TLS had experienced and pushed on to have their possibly flawed protocols (and also I do not see formal proof of security up till now in crypto papers) as part of the W3C standards ....

Wait ... W3C standards ?

Doesn't it ring a bell ?

Wasn't SSL/TLS also part of all those sort of standards and until now is still encumbered with problematic implementations ?

Good luck to FIDO authentication .. yet another dinosaur and also another SSL/TLS.

Take a look at their examples linked below at their challenge and response and communication with FIDO2 compliant devices. It is already a pain to code in the blind for Secure Elements and adding these CBOR formatted ASN.1 stuff is really going to create more logic problems.

Anyway, nobody listens and even with FIDO v1 out for so long, only "big corps" have implemented a very tiny segment of FIDO and almost all banks are still using text-based secrets (i.e. PINs and passwords with OTP tokens), this is more like a smart card sign on in another revival attempt.

Also, FIDO protocols are known to be rather vulnerable to MITM and requires and fully assumes that the channel is "properly secured" by good olde SSL/TLS (which almost all SSL/TLS security are a joke anyway).

The use of so-called Channel Binding by tagging itself to the session ID of an SSL/TLS session (assuming no usage of some SSL Interceptors, Deep Packet Inspection, Law Enforcement Interceptors or SSL MITMs that can reveal the session secrets and IDs) which they have acknowledged is not a fool-proof method as their only defensive mechanism that almost very few actually enable and is optional.

More professional snake oil filling the so-called standards.

Link: https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html
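The point above is that the failure mode lives in the parser for the wire encoding, and CTAP2 messages are CBOR-encoded. As an added illustration, not code from the FIDO Alliance or any authenticator, here is a strict decoder for the small CBOR subset such messages use (integers, strings, arrays, maps, bool/null), written so that every declared length is checked against the bytes actually present before it is trusted; the sample map is constructed here and only mimics the small-integer-key shape CTAP2 uses.

```python
"""Strict decoder for a CBOR subset (RFC 7049 major types 0-5 and 7).

Defensive properties: every declared length is checked against the buffer
before any slice is taken, indefinite-length items and tags are rejected,
duplicate map keys are rejected, and trailing bytes are an error.
"""


class CborError(ValueError):
    """Raised for any malformed or unsupported input."""


def _read_uint(data, pos, info):
    """Decode the 'additional information' argument; returns (value, new_pos)."""
    if info < 24:
        return info, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None:  # 28-30 are reserved, 31 is indefinite length: refuse both
        raise CborError("reserved/indefinite additional info %d at offset %d" % (info, pos))
    if pos + width > len(data):
        raise CborError("truncated integer argument at offset %d" % pos)
    return int.from_bytes(data[pos:pos + width], "big"), pos + width


def _decode(data, pos, depth):
    if depth > 16:
        raise CborError("nesting too deep")
    if pos >= len(data):
        raise CborError("unexpected end of input at offset %d" % pos)
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if major in (0, 1):  # unsigned / negative integer
        value, pos = _read_uint(data, pos, info)
        return (value if major == 0 else -1 - value), pos
    if major in (2, 3):  # byte string / UTF-8 text string
        length, pos = _read_uint(data, pos, info)
        if length > len(data) - pos:  # the check a lazy parser forgets
            raise CborError("string claims %d bytes, only %d left" % (length, len(data) - pos))
        chunk = data[pos:pos + length]
        pos += length
        if major == 2:
            return bytes(chunk), pos
        try:
            return chunk.decode("utf-8"), pos
        except UnicodeDecodeError:
            raise CborError("invalid UTF-8 in text string")
    if major == 4:  # array
        count, pos = _read_uint(data, pos, info)
        items = []
        for _ in range(count):  # each element needs >= 1 byte, so a huge count fails fast
            item, pos = _decode(data, pos, depth + 1)
            items.append(item)
        return items, pos
    if major == 5:  # map
        count, pos = _read_uint(data, pos, info)
        result = {}
        for _ in range(count):
            key, pos = _decode(data, pos, depth + 1)
            if not isinstance(key, (int, str, bytes)):
                raise CborError("unsupported map key type %s" % type(key).__name__)
            if key in result:
                raise CborError("duplicate map key %r" % (key,))
            value, pos = _decode(data, pos, depth + 1)
            result[key] = value
        return result, pos
    if major == 7:  # simple values; floats are not needed here and are refused
        simple = {20: False, 21: True, 22: None}
        if info in simple:
            return simple[info], pos
        raise CborError("unsupported simple value / float (info %d)" % info)
    raise CborError("unsupported major type %d (tags are not accepted)" % major)


def decode(data):
    """Decode exactly one CBOR item; any trailing bytes are an error."""
    data = bytes(data)
    value, pos = _decode(data, 0, 0)
    if pos != len(data):
        raise CborError("%d trailing byte(s) after item" % (len(data) - pos))
    return value


def is_rejected(data):
    """True if the decoder refuses the input (used to exercise the checks)."""
    try:
        decode(data)
        return False
    except CborError:
        return True


# Constructed sample, not a real device response: map with small-integer keys
# {1: ["FIDO_2_0"], 3: <16 zero bytes>} -- the shape CTAP2 responses take.
SAMPLE_MAP = bytes.fromhex("a2 01 81 68 4649444f5f325f30 03 50" + "00" * 16)
SAMPLE_EXPECTED = {1: ["FIDO_2_0"], 3: b"\x00" * 16}

# Constructed malformed inputs: text string claiming 8 bytes with 2 present,
# a duplicate map key, and a valid item followed by a stray byte.
TRUNCATED_TEXT = bytes.fromhex("a2 01 81 68 4649")
DUPLICATE_KEY = bytes.fromhex("a2 01 01 01 02")
TRAILING_BYTE = bytes.fromhex("01 02")

if __name__ == "__main__":
    print(decode(SAMPLE_MAP))
    for bad in (TRUNCATED_TEXT, DUPLICATE_KEY, TRAILING_BYTE):
        print(bad.hex(), "rejected:", is_rejected(bad))
```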

bttbApril 16, 2018 11:39 AM

@VinnyG, Emma was silenced, Albert, Clive Robinson, 65535

"Data and Goliath" by Schneier may make a reasonable text or reference book.
https://www.schneier.com/blog/archives/2015/02/new_book_data_a.html#c6689242
https://www.schneier.com/blog/archives/2015/02/new_book_data_a.html#c6689253
https://www.amazon.com/Data-Goliath-Battles-Collect-Control/dp/039335217X/ref=sr_1_1
For example, from Chapter 15, 'Solutions for the rest of us'
"... This is not meant to be a comprehensive list. That would take its own book, and it would be obsolete within months. Technology is always changing ..."
p. 215
and
"Deception can be extremely powerful if used sparingly. I remember a story about a group of activists in Morocco. Those who didn't carry cell phones were tracked physically by the secret police and occasionally beaten up. Those who did weren't, and could therefore leave their phones home when they really needed to hide their movement. ..."
p. 218
Or at least try to hide their movement: facial recognition, license plate readers, RFIDs, and so on.

65535April 16, 2018 1:18 PM

@ Clive Robinson

Q:

1] Is this a passive medical device to monitor your cardio signs?

2] Is this an active device which alerts you to take meds or actually infuses meds into you?

Yes, I should be watching my/your opsec.

albertApril 16, 2018 2:50 PM

@All regarding EM shielding,

I found a link to a commercial outfit that builds shield rooms. They have a model that offers 100dB shielding from 15kHz to 40 GHz, which is phenomenal. http://www.ramayes.com/Shield_Room_FAQ.htm

Another site is set up for folks who are EMR-sensitive.
http://www.eiwellspring.org/
Within that site is a report about a guy who built his whole house as an EMR shield:

http://www.eiwellspring.org/emc/HighlyShieldedHouse.htm

He claims 55dB for wireless, but look how complex and difficult it was to build. And how difficult it is to 'get off the grid'. It's a fascinating story.

As @65535 pointed out, testing is critical. MW radiation is insidious and doesn't behave the way you might think.

. .. . .. --- ....

Alyer BabtuApril 16, 2018 10:15 PM

The trend is to use facial recognition to unlock phones etc. Manufacturers state all facial data and unlock processing takes place securely on the device. But given that vulnerability is always present, are consumers here, as before in other areas, cooperating to build a societal prison, and more effectively than with other forms of authentication ? Is the building of state sponsored facial databases a redundant activity, whose cost could be better incurred for stronger iron bars and concrete walls ?

Wesley ParishApril 17, 2018 3:17 AM

@Thoth

Certainly not what we could've expected from Microsoft under Monkey Boy.

Clive RobinsonApril 17, 2018 2:24 PM

@ Folks,

Sorry for the delay in replying, I'm back in hospital this time with sepsis which is definitely one of those "magic bullet in time or nail the lid down".

One of the down sides of the fever is that your body temperature can cook your brain... In the process your nerves suffer problems and your body starts to twitch and throw you around like a whirling dervish who has supplemented his hashish with PCP and a little LSD for the flavour.

It starts when your core body temp gets above 38C mine was touching on 39, hence I would have been a good candidate for a training video... Oh apparently an egg gets soft boiled at 40C in around a half hour...

So here I rest in a hospital bed with a headache that would give a bad hangover a run for its money.

@ echo,

I don't recall anyone mentioning a new method to assure randomness using quantum mechanics.

I would not say "quantum" is "random" compared to other "natural" processes that have had the bias etc removed.

The problem is that "random" is a nice word with little real meaning that is of use. The more usual definition is the ability to predict the next bit out of a stochastic source (where stochastic kind of means "random"...).

However it's easy to see the fallacy in the idea. Think of AES in CTR mode: you on the generator side can see the counter value and you can see the AES key, therefore to you the output is very much deterministic, not random. On the --weak-- assumption AES is fully secure then as an observer it is a random process even though it is not, because it passes all the tests you can so far reasonably throw at it.

Now with quantum effects we are observers currently not those who generate. A little over a century ago there was a lot of friction between the older physicists and the new physicists over whether things were pre-ordained or not. The "quantum kids on the block" went with not pre-ordained and their view won out over that of others. However as our instrumentation improves our ability to both detect and reason improves. The result is some are starting to think we have a number of things missing from our models, that is there is something behind the quantum curtain that might even be deterministic...

Thus I look at designing "True Random Number Generators" as using a multiplicity of sources and methods on the simple assumption a black swan is going to swim over the horizon at some point...

@ 65535,

The device is a monitor, not a pacer, as I would rather stay in the instrumentation phase until they can be more definite about what the problem is.

As for the "cooking pot", yup, making Faraday shields is difficult. One difficult problem for people to get their heads around is "skin effect". Over-simply, an alternating current creates a magnetic field inside the conductor that forces the flow of electrons to the outer layer of the conductor. The result is, if you have a sealed chamber with no holes or discontinuities, then the electrical field stays trapped inside. In fact when dealing with antenna coax you can show that there are currents travelling on the inside of the screen as well as currents on the outside of the screen.

However, some metals have a rapidly increasing impedance with frequency, iron being one of them, which whilst making them effective low-frequency magnetic screens does not make them electrical screens.

It's why, when possible, antenna system designers like to use "shorted quarter-wave lines" as chokes etc., as they are more predictable in many ways. Which is why you will find the equivalent of the shorted quarter-wave around the edge of your microwave oven door.

The most reliable way that many have come up with is the equivalent of an attenuator, often called an absorber; you will frequently find such materials on the insides of anechoic chambers. In times past engineers had to make them the hard way by grinding up carbon rods to make a powder that was then added to a varnish that would then get painted onto card or similar supporting material. Things got a bit easier with "hundred ohm foam" that was used to store integrated circuits on to prevent them suffering static damage in storage. The modern "RF Bags" are actually a repurposing of the antistatic bags used as a follow-on method to protect ICs from static, only way more profitable as a product...
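The AES-CTR point in the comment above, as an added example (not Clive's code, and not from any project mentioned on the page), in Go with only the standard library: the same key and counter block always reproduce the keystream, so to the key holder it is fully deterministic, while a monobit statistic on the output cannot tell it from a coin flip. Combine shows the other half of the argument, mixing several independent sources into one seed so that a biased or stuck source does not sink the whole generator. The key, counter and source bytes are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
	"math/bits"
)

// Keystream returns n bytes of raw AES-CTR keystream for a 16/24/32-byte key and
// a 16-byte initial counter block. Anyone holding key and counter regenerates it
// exactly; anyone without them sees only a stream that looks random.
func Keystream(key, counter []byte, n int) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, n) // all zeros, so the XOR leaves the bare keystream
	cipher.NewCTR(block, counter).XORKeyStream(out, out)
	return out, nil
}

// MonobitZ is the statistic behind the NIST SP 800-22 frequency test:
// |ones - zeros| / sqrt(bits). A fair source gives |z| < 1.96 about 95% of the time.
func MonobitZ(data []byte) float64 {
	ones := 0
	for _, b := range data {
		ones += bits.OnesCount8(b)
	}
	nbits := 8 * len(data)
	return math.Abs(float64(2*ones-nbits)) / math.Sqrt(float64(nbits))
}

// Combine mixes several entropy sources into one 256-bit seed. Each input is
// length-prefixed before hashing so a weak source cannot shift the boundaries
// of its neighbours, and the hash keeps whatever entropy the healthy sources
// contribute even if one source turns out constant or biased.
func Combine(sources ...[]byte) [32]byte {
	h := sha256.New()
	var lenBuf [8]byte
	for _, s := range sources {
		binary.BigEndian.PutUint64(lenBuf[:], uint64(len(s)))
		h.Write(lenBuf[:])
		h.Write(s)
	}
	var seed [32]byte
	copy(seed[:], h.Sum(nil))
	return seed
}

func main() {
	key := []byte("constructed-16B-") // constructed demo key, 16 bytes
	ctr := make([]byte, 16)           // constructed counter block, starts at zero
	ks1, _ := Keystream(key, ctr, 4096)
	ks2, _ := Keystream(key, ctr, 4096)
	fmt.Printf("deterministic to the key holder: %v\n", string(ks1) == string(ks2))
	fmt.Printf("monobit z on keystream: %.3f (indistinguishable from fair bits to an observer)\n", MonobitZ(ks1))

	// Three constructed sources: a healthy one, a badly biased one, a stuck one.
	healthy := ks1[:32]
	biased := []byte{0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF}
	stuck := make([]byte, 32)
	fmt.Printf("combined seed: %x\n", Combine(healthy, biased, stuck))
}
```

The monobit statistic is deliberately the weakest test in the NIST suite: passing it says nothing about the source, only that an observer without the key has no cheap way to tell the two apart, which is exactly the point the comment makes.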

Clive RobinsonApril 17, 2018 2:37 PM

@ echo,

If negotiation hits a brick wall then no smart meters. This is simple, really.

In the UK the power supply industry and gas and water, had thought it was legally "a done deal" with the legislation in place for smart meters and the like.

Apparently this government does not like them as they were somebody else's policy or the industry was not kicking back etc etc etc. Thus they have dropped "the legal requirement" for now. Which is why there are so many adverts on radio and, I'm told, TV and other places to get you to sign up to having them in your home...

Oh and "Scottish Power" and "Npower" had a real snafu a little while ago when some of their meters suddenly said people had used as much as 30,000GBP overnight or some such...

So there is no chance that I will be letting one of the bug-ridden piles of monkey droppings in my home any time at all.

Clive RobinsonApril 17, 2018 2:58 PM

@ echo,

Politicians do seem to be running ahead of the evidence.

It's a point I've made a few times on this blog, and various less thoughtful types castigate me for, which I guess is their failing not mine.

I really find it difficult to understand why they think "vigilante hanging" is the way to carry out international diplomacy. I'm fairly sure they would think differently if someone grabbed them off the street, put a rope around their neck and started pulling it tight.

There is a reason we have due process which both gathers and examines evidence prior to making an accusation. Whilst it is far from perfect it is somewhat better than mob rule.

But in these days of cheap day time TV mob rule is apparently what a limited number of people not just want but crave.

Justice should always be done, not seen to be done for the case of public popularity or worse entertainment. Vigilante behaviour is at best "justice from a bottle" where idiots have talked themselves up into vengeance with all the rationalism you would expect of a drunk with low IQ...

VinnyGApril 17, 2018 5:30 PM

@bttb Not sure what you mean that those folks were "silenced." If you think there might be worthwhile guidance in "David and Goliath" regarding the problem I posed, I'll give it a read. I have several of Bruce's books on my shelf, but not that one...

@Clive Robinson - get better - some people bring such a unique mix of skills and smarts to the table that they aren't replaceable, and I regard you as one of them.

tyrApril 17, 2018 8:09 PM


@Clive

Hope to see you much better in future.

Given the knee jerk responses of the
current leadership worldwide I don't
think we'll see much improvement until
they are swept away by their own stupidity.

Hopefully that will happen before they
manage to pave the world with radioactive
glass as an unintended side effect.

Microsoft + Linux + IOT sounds like the
perfect recipe for marvels of disaster
in the house next door.

CassandraApril 18, 2018 6:18 AM

@Clive Robinson

I wish you a speedy and full recovery. I've seen the effects of sepsis several times in my life, and it really is nightmarish.

I was looking forward to your comments on the cooking pot 'Faraday shield'. I am not an expert in the field, but from passing acquaintance with people who are, I appreciate that it is remarkably difficult to engineer well. Nature has a knack for finding flaws in an implementation - or as a well-known physicist said: "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." I have a great deal of respect for the practical types who deal with RF design and HV design.

Clive RobinsonApril 18, 2018 8:35 AM

@ VinnyG, tyr, Gerard,

Thank you for your kind thoughts. I hope to get out of here before I catch something else; hospitals are not at all healthy places, even for the well. You could look at them like the microbes do, as being 5 Star accommodation, thus you have to fight hard to keep out the "riff raff" microbes ;-)

@ Bruce,

Not sure if you are still reading New Scientist but there are a couple of interesting articles in the current mag,

1, First lab-grown brains with blood vessels[1]

2, The Arms Race in Space[2]

I would have a small wager that giving "organoids" blood vessels which enables them to develop in a 3D way will move the understanding of thought forward a lot faster than a lot of the supposed AI developments currently being touted by pundits.

As for Space-War, the reality is that it will not be "Kinetic2Earth", as there really is nowhere in space up to the geostationary orbits to hide anything of substance; thus, unlike on Earth, attribution to the origins of the hardware will not be that difficult. However, attributing who had control of the hardware is a different and, as on Earth, much more complex issue (sats are just as malware vulnerable as the computers that control them, either on board or on the ground).

Which is the problem nobody really wants to talk about: as I keep pointing out, technology even at the most primitive level is agnostic to the directing mind. The MIC types smokescreen it with the term "Dual-Use", which says a lot about the limited thinking in the MIC or the purse string holders, and smacks of a built-in excuse to pull yet another profitable "War-On".

In essence space-war will be a mixture of ITSec and the more interesting aspects of EmSec and Electronic Warfare.

But there is still the brute force aspect to consider: the Chinese made a point with a missile, turning one of their weather sats into what was in effect a fragmentation grenade where the fragments keep flying not for seconds, hours, days or months but years, and spread out as what is in effect a cloud of death for other sats, where even a fleck of paint can have more impact energy than a .5 cal sniper round. This unfortunate effect was first discussed back in the early days of space exploration, but it was Donald J. Kessler who slapped the real kiss of death upon it when he pointed out that such a fragment hitting another sat would cause it to fragment, and, depending on the number of sats, the whole thing to cascade to the point where it would not be possible to launch any more sats and most sats in similar orbits would be turned into yet more fragments. The assumption is that no nation would do that because of the harm it would do to their own sats, so a variation on MAD. But that is based on a very false premise. If you were to destroy every sat in Earth orbit and deny space to the likes of the superpowers threatening you, who have a very high dependency on sats to prosecute their overseas policies, a "rational actor" would quite cheerfully push the launch button, as the outcome of doing so is actually likely to be less than letting a superpower invade you...

As normal, it is the nations with the greatest technological dependency that are going to be most impacted by such an event, and the US sits very high on the list of big time losers on that score. The economic damage alone would probably stop the US in its tracks and flip it back getting on for a century in many social and military respects. In essence your horizons for high bandwidth mobile communications get limited. The alternative of undersea cables for non-mobile and line of sight repeating are, as we know, actually a lot more vulnerable, and covertly so, than satellites...

The point about these sorts of "attacks on information", be they cyber / space war, is that developing attacks is oh so many times easier than defending against them. Thus people really need to consider why we are not putting more effort into defence, because a first attack is in reality a suicide attack for a technologically advanced nation.

[1] For some reason, although in the print version, this article does not appear in the online index https://www.newscientist.com/issue/3173/

[2] https://www.newscientist.com/article/mg23831730-200-war-in-space-may-happen-soon-but-it-wont-be-what-you-expect/

VinnyGApril 18, 2018 9:49 AM

@Clive Robinson re: attribution of space-based attacks - Why wouldn't an attacker who doesn't want to suffer proportionate consequences construct a system of access to controls for the attacking device with layered security, deliberately introduce security flaws in all but the bottom-most layer (which would contain the "key" needed to launch the attack,) and record the identity (with whatever authenticity is possible) of all hackers who gained access? Sort of an actual, well-secured, target embedded in a honeypot. When blame is pointed, the true attacker identifies successful hackers and claims that one of them must be the culprit. Information from the bottom-most layer is restricted and/or heavily censored in the interests of "state security." This doesn't need to utterly convince the victim or anyone else, all it needs do is introduce just enough doubt that the political costs of retaliation exceed the perceived benefit. Seems fairly basic to me. I'd be surprised if this isn't currently a routine exercise wrt internet attacks for some folks. I would not be at all surprised if it is taught at NSA in a "Deflecting Attribution 101" class...

vas pupApril 18, 2018 10:11 AM

@gordo:
I saw just a part of Zuckerberg's grilling by the Senate, and I love what Senator Kennedy said: "Your privacy policy sucks. Go home and redo it in plain English". Bravo Senator! That is what I have been complaining about on this blog many times: big business and banks/financial sector write their terms of usage, privacy policy, you name it, in such a way that YOU, average Joe/Jane (for social media, teenagers in particular), have ZERO chance to understand it and as a result to protect your rights. The policy is usually many pages of legalese which even a Law School graduate could not understand. That is just entrapment for the customer.
CONCLUSION: FTC and CFPB (Consumer Financial Protection Bureau) should clearly require that the level of policy understanding should match the level of education of the potential mass customer. I'll suggest high school graduate in plain English.

CassandraApril 18, 2018 10:57 AM

@Clive Robinson

Re: Kessler fragmentation and communication

That is why Alphabet's X Project Loon and other pseudo-satellite projects like Qinetiq's Zephyr are strategically significant.

Losing your satellites in the first few hours of a war would be inconvenient, especially if it denies access to space to everyone for a couple of centuries, but if you have pseudo-satellites/aerostats, it need not be the killer blow that disrupts your economy for the same period.

gordoApril 18, 2018 12:07 PM

@ vas pup,

I'll suggest high school graduate in plain English.

Yes and it needs to be codified. Profits before people, however, seems, as always, to be the default position. At issue is "product safety" — double-entendre intended.

From the Senate hearing:

SENATOR HASSAN: But at the end of the day, your business model does prioritize advertisers over the mission. Facebook is a for-profit company, and as the CEO you have a legal duty to do what's best for your shareholders. So given all of that, why should we think that Facebook, on its own, will ever truly be able to make the changes that we need it to make to protect American's well-being and privacy?

https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/?utm_term=.16ce8e00ea59

echoApril 18, 2018 2:58 PM

@clive

Yes, I agree with all of the above.

I have healthcare issues of my own which relative to others might seem trivial. I'm glad to hear you are bearing up, and managed to catch your sepsis infection so soon. By chance there was an article this week of a psychiatrist who caught sepsis from his dog via a small scratch... Whatever our trials, I like to remind myself sometimes how lucky we are compared to previous generations and others less fortunate.

Clive RobinsonApril 18, 2018 6:36 PM

@ Cassie,

Sorry for missing your first comment; it's been an "interesting times" day all things considered.

With respect to high altitude long duration UAV flights, their current payload is a tiny fraction of the weight and power requirements of the craft itself. The knock-on effect of which is limited redundancy, thus a loss in potential availability[1]. However it would not take very much of a small change in improvements in the airframe and power plant to get a big gain in payload capacity. One thing I know that was looked at was using a carrier craft for launch. That is, you design the UAV airframe to be most efficient at its maximum operating ceiling and get it up there by using a lifting craft. That way it arrives at its operating height in optimum condition.

It is a fascinating area to get into. Interestingly, the business part of payload design for such a UAV and a micro sat like a CubeSat have a great deal in common, and the UK was, until the Brexit idiots damaged the feasibility, one of the foremost contenders in the payload business.

Oh and the UAV, unlike the sat business, does not suffer from the political vagaries of the politics of spectrum allocation and launch licences. Because at the end of the day they are still "regional not global".

I've had an interest in the oldest form of viable UAV since around age ten, when I built my own hot air balloon out of tissue paper, quickly progressing to building micro payloads and using "lighter than air gases" such as hydrogen I obtained from water.

One memorable device using helium and a tiny VHF transmitter was last heard by me as it crossed into European airspace, where others reported its progress towards the USSR. It did not get that far but it certainly had a good run for an entirely hand made system. The problem these days is the UK Gov takes "a dim view" and makes the launching of such balloons difficult at best. However the Republic of Ireland has a different view, and as the prevailing weather direction is from them over the UK and the rest of Europe, it will give anybody with a yen to try a solution to the stuffy old UK Gov problem.

[1] For those reading along, a component part in any system has two numbers that count. The first is its Mean Time To Fail (MTTF), the second is its Mean Time To Repair (MTTR). Availability is in effect MTTF / (MTTF + MTTR), that is then normalised to a given time period or one. In the latter case the number of nines following the decimal point is used as a figure of merit, thus 0.999 would be a very poor "three nines" whilst 0.999999 would be a more acceptable "six nines". Components are generally quite reliable these days, so pushing the MTTF on a single component is very much into diminishing returns territory, which makes reducing MTTR the easier win. However there is another trick, which is to deliberately increase redundancy in a system in a way that makes MTTF appear vastly greater or the MTTR effectively zero for the first fail or two.

In essence you put components in parallel and design the system in the simplest case such that it will function acceptably if either --but not both-- components fail. There is an obvious penalty with this in that the mass of the system goes up by not just the duplicated components but any switching circuitry to do a "hot" switch over or swap. Having done a few component level analyses on large systems you quickly realise why some CAD tools are worth the money they ask for, especially when nonlinear derating curves are involved. Oh and then there is the extra joy with vehicles etc. of designing to be "fail safe" as well...
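The footnote above gives the availability formula, the "nines" figure of merit and the parallel-redundancy trick in words. The following Go program is an added example, not Clive's code, that works all three through with constructed MTTF/MTTR figures (hours), including why halving MTTR is worth as much as doubling MTTF and how much repair time a target number of nines leaves you.

```go
package main

import (
	"fmt"
	"math"
)

// Availability is the steady-state fraction of time a unit is usable:
// MTTF / (MTTF + MTTR), both in the same time unit.
func Availability(mttf, mttr float64) float64 {
	return mttf / (mttf + mttr)
}

// Nines counts the leading nines after the decimal point, the usual figure of
// merit (0.999 -> 3, 0.999999 -> 6). The small epsilon absorbs floating-point
// noise so that 0.999 is not reported as "two nines".
func Nines(a float64) int {
	unavail := 1 - a
	if unavail <= 0 {
		return 16 // beyond float64 resolution; treat as perfect
	}
	return int(math.Floor(-math.Log10(unavail) + 1e-9))
}

// ParallelAvailability is the availability of n identical independent units in
// parallel where any one suffices: the system is down only when all are down
// at once, so its unavailability is (1 - A)^n.
func ParallelAvailability(a float64, n int) float64 {
	return 1 - math.Pow(1-a, float64(n))
}

// MaxMTTR is the longest repair time that still meets a target availability
// for a given MTTF, rearranged from A = MTTF / (MTTF + MTTR).
func MaxMTTR(mttf, target float64) float64 {
	return mttf * (1 - target) / target
}

func main() {
	// Constructed figures: a unit that runs 999 h between failures and takes 1 h to repair.
	single := Availability(999, 1)
	fmt.Printf("single unit: A=%.6f (%d nines)\n", single, Nines(single))

	dual := ParallelAvailability(single, 2)
	fmt.Printf("two in parallel, one needed: A=%.6f (%d nines)\n", dual, Nines(dual))

	// A depends only on the ratio MTTR/MTTF, so halving MTTR buys exactly what doubling MTTF does.
	fmt.Printf("double MTTF: A=%.6f; halve MTTR: A=%.6f\n", Availability(1998, 1), Availability(999, 0.5))

	fmt.Printf("repair budget for six nines at MTTF=999 h: %.4f h\n", MaxMTTR(999, 0.999999))
}
```

Note what the parallel case does not model: the extra mass, the switch-over circuitry and any common-mode failure that takes both units out together, all of which the comment flags and all of which pull the real figure below the ideal (1 - A)^n.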

JonKnowsNothingApril 18, 2018 8:12 PM

@Clive Robinson Please get well soon! And while you are typing from sick bay omit the emojis after the trailing / :)

@Moderator / @Bruce Schneier
For an unknown reason the site returns a 404 error on one browser (I'm using FF atm). This started a few days back. I'm not sure what changes would make the site non-accessible. Some GoDaddy based sites have started returning "not found" errors on various sites too. Another popular site "404" for some days and then later showed back up implying a DNS propagation error but I wouldn't think this site would suffer the same sort of outages. If there is some browser level requirement please post it before I get a total 404 failure at which point any tech requirements would be moot.

tyrApril 18, 2018 10:51 PM


@Clive, et al

The laws of unintended consequences may come
into play for space warfare. If you put a big
automated platform into space and the technology
on the ground continually evolves whatever sort
of interface has to be static in space. That
opens the attack surface wider every year.
No one does the long term planning for this
kind of a problem. It is also hard to fly a
secret mission to fix this that isn't visible
to folks you'd rather not know about your
platform.

KEWs are super efficient but the entire interface
of controls are the weak point of any scheme
to use them for dominance. Nobody in their right
mind wants to see a teenage script kiddy use it
as a realtime LOIC just for a driveby.

People like "Starfleet" Hayden are just dumb
enough to build such a thing without any long
term plans. There was a certain amount of talk
when the first USA space shuttle went up under
radio silence with a military crew, changed
orbit a few times and came back with tiles
knocked off the tail. The cover story was that
the payload was tons of sand.

Hubris is still around and loosing it into a
barely understood environment courts major
disasters of the unexpected kind.

Wesley ParishApril 19, 2018 2:32 AM

@all

In case nobody else has yet posted this:

http://nymag.com/selectall/2018/04/richard-stallman-rms-on-privacy-data-and-free-software.html

A database about people can be misused in four ways. First, the organization that collects the data can misuse the data. Second, rogue employees can misuse the data. Third, unrelated parties can steal the data and misuse it. That happens frequently, too. And fourth, the state can collect the data and do really horrible things with it, like put people in prison camps.

@Clive Robinson et alii re: space war

That's really unhinged. The US position has historically been "We can do whatever we want, and there ain't nobody who can touch us." Example: the recent hoohaa about the (alleged) chemical weapons in Syria, neatly forgetting that the US Army and Marines used White Phosphorus on a city, Fallujah, full of unarmed civilians during the (official) occupation of Iraq.

But you wait - that attitude will last right up to the point when the US is seriously thumped upside the head by one of its selected opposition in space, and then we'll find out just how thin-skinned Uncle Sam is - as if we didn't already know (stick a mushy pea under twelve kilometres of eiderdowns, and Uncle Sam will be black and blue and nearly dead of it in the morning.). There's nothing more bleeding-heartedly self-pitying than a US politician caught out. There should be a copy of Richard Nixon's resignation speech on the Internet: it'll prove my point well beyond a shadow of a doubt.

echoApril 19, 2018 5:44 AM

@Wesley Parish

I have been watching old Christopher Hitchens videos on Youtube. He makes interesting observations about the abuse of power and hypocrisy, and how the real truth of the issue is sometimes much more interesting than the surface drama. (The video I last watched covered Nixon and Vietnam but also Kennedy and LBJ and the race and women's civil rights movements.) Then there is the Windrush scandal in the UK.

What is interesting about Facebook's cynical data gathering is that Facebook are spending what it takes to escape the control of suppliers, yet why is a similar amount not being ploughed into open-sourced verifiably secure CPUs? In fact the two agendas are not mutually incompatible, so perhaps this is an opportunity?

https://www.bloomberg.com/news/articles/2018-04-18/facebook-is-forming-a-team-to-design-its-own-chips
Facebook Inc. is building a team to design its own semiconductors, adding to a trend among technology companies to supply themselves and lower their dependence on chipmakers such as Intel Corp. and Qualcomm Inc., according to job listings and people familiar with the matter.

bttbApril 19, 2018 7:18 AM

@VinnyG
" If you think there might be worthwhile guidance in "David and Goliath" regarding the problem I posed, I'll give it a read. I have several of Bruce's books on my shelf, but not that one..."

The book might help individuals, amongst other things, get a view of the lay of the land. The book has about 120 pages of notes/footnotes for deeper diving. I also enjoyed 'Dragnet Nation' by Angwin. Obviously, Schneier has a new book coming out, soon.

More from 'Data and Goliath':

"When Snowden first met journalists in Hong Kong, he made them all put their cell phones in a refrigerator to block all signals to and from the devices, so they couldn't be remotely turned into listening devices." p. 217, but from the notes: "Most modern refrigerators are not metal boxes, and don't make good Faraday cages. Check the details of your model." p. 357

and

under Analyzing our Data, Finding Us by what We do

..."1. The NSA uses cell phone location information to track people whose movements intersect. ..."
2. "... Basically, the NSA checks whether anyone is tailing those agents.
3. The NSA has a program where it trawls through cell phone metadata to spot phones that are turned on, used for a while, and then turned off and never used again. ..."
4. The NSA collects data on people, who turn their phones off, and for how long. ..." p.39 and four footnotes 39 on page 261.

an idea:
Leave electronic devices 'on', perhaps in an opaque bird feeder, with a radio on, outside the living room window, swinging in the rain, or breeze.


ps.
Typo correction from above: 'could therefor could' should be 'therefor could'.

echoApril 19, 2018 7:44 AM

@bttb

Some movies have dramatised security issues. While your description of signals intelligence and eavesdropping is correct, I recall one movie where the characters had pre-recorded a fake conversation? Didn't one of the Bond movies use this plot device? Live and Let Die, I think.

bttbApril 19, 2018 8:07 AM

And in current events:

"One of President Donald Trump’s longtime legal advisers said he warned the president in a phone call Friday that Michael Cohen, Mr. Trump’s personal lawyer and close friend, would turn against the president and cooperate with federal prosecutors if faced with criminal charges.

Mr. Trump made the call seeking advice from Jay Goldberg, who represented Mr. Trump in the 1990s and early 2000s. ..."
https://www.wsj.com/articles/cohen-would-turn-against-president-if-charged-counselor-warned-trump-1524093151

and

"WSJ has a fascinating story [above] about the advice that former prosecutor and Trump lawyer Jay Goldberg gave the president last week after the Michael Cohen raid. Rather than keeping the advice confidential or even anonymous, Goldberg instead sat down for two hours to tell the WSJ precisely what he told the president in a 15 minute conversation last week.

The newsy bit is that Goldberg told Trump that Cohen would flip on him if he were charged, and might even agree to wear a wire. ..."
https://www.emptywheel.net/2018/04/18/the-fire-rosenstein-squad-among-trumps-buddies/

Clive RobinsonApril 19, 2018 8:17 AM

@ echo,

I recall one movie where the characters had pre-recorded a fake conversation? Didn't one of the Bond movies use this plot device?

More than one movie. The Bond movie you are thinking of involved sharks, voodoo magic, a voodoo future-reading princess played by Jane Seymour, with the appropriately named Roger Moore doing the Bond thing in Live and Let Die. Another action movie with a similar recorded message scene was "RED", with old "baldilocks himself" Bruce Willis, in an amusing "$5 wrench" torture scene with John Malkovich playing a man who had been fed LSD for eleven years and was apt to be a little unpredictable, who also wore a cheap drycleaner hanger bag to stop his suit getting dirty...

Both enjoyable films in their own way.

Clive RobinsonApril 19, 2018 8:31 AM

@ Wesley Parish,

But you wait - that attitude will last right up to the point when the US is seriously thumped upside the head by one of its selected opposition in space, and then we'll find out just how thin-skinned Uncle Sam is

We might find out a lot sooner; after all, what is the CIA's Mike Pompeo up to over there with the North Korean premier?

https://www.washingtonpost.com/politics/us-china-trade-dispute-looms-over-trump-summit-with-japans-abe/2018/04/17/2c94cb02-424f-11e8-bba2-0976a82b05a2_story.html

Sancho_PApril 19, 2018 9:40 AM

@Wesley Parish

Thanks for the Stallman link, an excellent interview, deep thoughts.
Richard Stallman is a social genius [1], willfully ignored by our society / media.
Very sad.
Also read his radical statement re surveillance, and the lie of GDPR:
https://www.theguardian.com/commentisfree/2018/apr/03/facebook-abusing-data-law-privacy-big-tech-surveillance

[1] That may not be the correct expression, but isn’t it telling that there is no generic term for straight, honest and intelligent people in public, in contrast to economist or politician?

wetsuitApril 19, 2018 3:30 PM

@jonathon Wilson - you wrote "Someone needs to find out (via whatever means necessary) if these cellphone encryption defeating boxes are actually defeating the encryption or if they are just defeating the anti-brute-force measures."

The entangled photons (measured as energy accumulation and not discrete photons) - coming from the cell phone are in very small numbers but are still very effective - and easily defeat all of the encryption in the phone anyway.

Descartes orders a Bacon sandwichApril 19, 2018 4:34 PM

Stallman seems to be describing some instances where technology has stepped beyond what is needed or helpful.

From decades ago, I know students of philosophy who, the moment they understood there were such things as computers and (inter-) networks, saw an intrinsic fatal opening to dehumanization and tyranny. They pointed out that the Greeks sought to understand nature, and to discern appropriate art or tekne, and were critical of extremes of technology, taking care to avoid their temptations. Not that they lacked subtlety in the subject areas, witness the Antikythera mechanism.

This point of view seemed outlandish to me then, steeped as I was in modern science and mathematics.

But they are more correct than I was. The whole world has gone that way, the genie is out of the bottle, and we have to, and have yet to, learn how to live in this environment.

ThothApril 19, 2018 8:41 PM

@Clive Robinson, all

More snake oil abound.

Woleet, a company that claims to provide trusted document signatures, is looking to use cryptocurrency Hardware Wallets to execute digital signatures.

This is a bad idea since almost all Hardware Wallets do not have a secure and reliable time source and thus immediately negates the guarantees of authenticity of any signed document.

Most of the trusted digital signatures are done using a HSM or a Secure Time Server (essentially a HSM without all the PKI and goodies feature lists) that have been certified by FIPS and CC as capable of doing Trusted Timestamping operations.

Now, using a Hardware Wallet with no Trusted Timestamping capability to sign documents is as good as signing a blank cheque as there is no accurate and trusted timestamp that can be used to guarantee the signature.

A proper trusted digital signature requires the following to be true:
- Timestamp must be verifiable from a trusted time source (essentially a timestamp with its own digital signature guaranteeing the timestamp)

- Trusted time source must be chained up to some sort of authority via some form of PKI of the trusted time source's hardware key to some form of authorized and permissioned CA (i.e. some manufacturer CA).

- Digital signature computed over the trusted timestamp and a digital representation (i.e. a Secure Hash - SHA256) of the document in question to ensure that the digital signature envelopes both the trusted timestamp and the digital representation of the data to be signed.

The lack of any of the above criteria immediately makes it unfit for being a trusted digital signature over a digital document.

In fact, a PGP signature using a smart card or keyfile, sadly is not much trusted either due to the lack of the trusted timestamp criteria assuming the time source is from the user's own PC.

I guess it's kind of a trend.

Links:
- https://www.ledger.fr/2018/04/18/woleet-ledger-nano-s/
- https://www.woleet.io/
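The three criteria in the comment above, as an added example that is neither Thoth's code nor anything from Woleet or Ledger. It is Go with only the standard library and makes these simplifying assumptions: Ed25519 stands in for whatever signature scheme a real TSA uses, a single CA signature over the TSA's public key stands in for a full certificate chain, and the timestamp is Unix seconds. Verify checks the chain to the CA, then the TSA's signature over hash||time, then the signer's signature over both; SelfAssertedToken models a device such as a hardware wallet that merely asserts a time, and Verify rejects it because nothing chains its clock to an authority. The document text is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// TimestampToken is what a trusted time source (TSA) returns: the hash it was
// asked to stamp, the time it asserted, its public key, the CA's signature over
// that key (the chain up to an authority) and its own signature over hash||time.
type TimestampToken struct {
	Hash     [32]byte
	UnixTime int64
	TSAPub   ed25519.PublicKey
	CASig    []byte
	TSASig   []byte
}

// SignedDocument is the signer's envelope: the signature covers the hash and
// the TSA's signature together, so neither can be swapped out afterwards.
type SignedDocument struct {
	Token     TimestampToken
	SignerPub ed25519.PublicKey
	SignerSig []byte
}

// stampedMessage is what the TSA signs: hash || big-endian Unix time.
func stampedMessage(hash [32]byte, unixTime int64) []byte {
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(unixTime))
	return append(append(make([]byte, 0, 48), hash[:]...), t[:]...)
}

// TSA models a certified time source whose clock the verifier trusts.
type TSA struct {
	priv  ed25519.PrivateKey
	pub   ed25519.PublicKey
	caSig []byte
	clock func() int64
}

// NewTSA generates the time source's key and has the CA certify it.
func NewTSA(caPriv ed25519.PrivateKey, clock func() int64) (*TSA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TSA{priv: priv, pub: pub, caSig: ed25519.Sign(caPriv, pub), clock: clock}, nil
}

// Stamp issues a token over the document's SHA-256 hash at the TSA's own time.
func (t *TSA) Stamp(doc []byte) TimestampToken {
	tok := TimestampToken{Hash: sha256.Sum256(doc), UnixTime: t.clock(), TSAPub: t.pub, CASig: t.caSig}
	tok.TSASig = ed25519.Sign(t.priv, stampedMessage(tok.Hash, tok.UnixTime))
	return tok
}

// SelfAssertedToken is all a device without a trusted time source can produce:
// it asserts a time and signs it with a key that no authority has certified.
func SelfAssertedToken(doc []byte, unixTime int64) TimestampToken {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok := TimestampToken{Hash: sha256.Sum256(doc), UnixTime: unixTime, TSAPub: pub}
	tok.TSASig = ed25519.Sign(priv, stampedMessage(tok.Hash, tok.UnixTime))
	return tok
}

// Sign binds the signer's key to the hash and the timestamp token together:
// the signed bytes are stampedMessage || TSA signature.
func Sign(signerPriv ed25519.PrivateKey, tok TimestampToken) SignedDocument {
	msg := append(stampedMessage(tok.Hash, tok.UnixTime), tok.TSASig...)
	return SignedDocument{Token: tok, SignerPub: signerPriv.Public().(ed25519.PublicKey),
		SignerSig: ed25519.Sign(signerPriv, msg)}
}

// Verify checks the three criteria in order: the time source chains to the CA,
// the timestamp carries that source's valid signature, and the signer's
// signature envelopes both. Any failure means the signature is not trustworthy.
func Verify(doc []byte, sd SignedDocument, caPub ed25519.PublicKey) error {
	tok := sd.Token
	if tok.Hash != sha256.Sum256(doc) {
		return errors.New("document hash mismatch")
	}
	if len(tok.TSAPub) != ed25519.PublicKeySize || !ed25519.Verify(caPub, tok.TSAPub, tok.CASig) {
		return errors.New("time source not certified by CA")
	}
	stamped := stampedMessage(tok.Hash, tok.UnixTime)
	if !ed25519.Verify(tok.TSAPub, stamped, tok.TSASig) {
		return errors.New("timestamp signature invalid")
	}
	if len(sd.SignerPub) != ed25519.PublicKeySize || !ed25519.Verify(sd.SignerPub, append(stamped, tok.TSASig...), sd.SignerSig) {
		return errors.New("signer signature invalid")
	}
	return nil
}
```

Usage: create a CA key pair, a TSA via NewTSA, and a signer key; Sign(signerPriv, tsa.Stamp(doc)) verifies against the CA's public key, while Sign(signerPriv, SelfAssertedToken(doc, anyTime)) fails at the chain check, which is the hardware-wallet case the comment objects to. A real deployment would also check the CA's own trust root and the token's validity window, neither of which this sketch models.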

Wesley ParishApril 20, 2018 7:18 AM

@all re: space war

I put some thought into the issue during the Gypper's Reign. I had concluded that what with the instability of the most advanced US radar systems of the time - you remember the USS Vincennes shooting down an Iranian Air airliner under the impression that a jet airliner climbing to get well above the hostility in the Persian Gulf was actually a jet fighter diving to attack? - the likelihood was that once the US had established their Budgetary Defense Initiative, misleadingly advertised as the Strategic Defense Initiative and commonly labeled "Star Wars", the chance of any non-US Space Agency being able to launch their satellite without being shot down was infinitesimally small.

Now we have the US Space Farce Commander-in-Chief talking about militarizing Earth Orbit - again. There is much much more hanging on Earth Orbit remaining neutral now than there was back then. International shipping, for example, is now dependent on GPS for navigation, weather satellites for weather information and communication satellites for communication. International air travel likewise. National and international emergency and relief, likewise.

Consider the ramifications of that.

Consider that the US is more dependent on keeping the sea lanes open and free from harm, than is either Russia or China. Consider the impact of an ill-advised harming of the Earth Orbit input into maintaining the safety of those sea lanes. (Are you reading this, Standard & Poors? I expect this will impact very much on your continued credibility. Is a superpower that cuts its nose off to spite its face, worth any credit-worthiness ranking above F--?)

And in case you want to know, Earth Orbit was effectively neutralized by a provision in various Arms Control treaties concluded between the only two Space Powers of the time, the USA and the USSR, that "national technical means of verification" were sacrosanct and could not be interfered with. Once that had been done, the Hague Conventions' provisions on respecting neutral powers' and territories' rights apply.

@Sancho_P et alii re: RMS

He makes very good sense. When I was undertaking a rather hurried overview of political science and militarization in the late eighties courtesy of a number of factors none of which have any bearing to this forum, I was struck by a basic military doctrine - nobody should have more access to information or control than he or she needs to do his or her job.

It works for the military. That companies appear to think they have the right to vacuum up their customers' personal data, is the central vulnerability. All the other vulnerabilities would not be so worrying if it were not for that.

Just my 0.02c worth.

echo • April 20, 2018 10:50 AM

I'm feeling a bit dim today so you will have to excuse my lack of effort with making a contribution. These last few comments are inspiring reading.

Ratio • April 20, 2018 12:00 PM

Re: Salisbury, Douma, conspiracy theories, and disinformation

Russia spread fake news via Twitter bots after Salisbury poisoning – analysis:

Russia used trolls and bots to unleash disinformation on to social media in the wake of the Salisbury poisoning, according to fresh Whitehall analysis. Government sources said experts had uncovered an increase of up to 4,000% in the spread of propaganda from Russia-based accounts since the attack, many of which were identifiable as automated bots.

[...]

One bot, @Ian56789, was sending 100 posts a day during a 12-day period from 7 April, and reached 23 million users, before the account was suspended. It focused on claims that the chemical weapons attack on Douma had been falsified, using the hashtag #falseflag. Another, @Partisangirl, reached 61 million users with 2,300 posts over the same 12-day period.

@Partisangirl? Maybe now is a good time to (re)visit her connections to some Khan Shaykhun deniers: Infowars publishes her article; she’s Ted Postol’s expert, whose work on this is taken seriously by John Pilger, Noam Chomsky, and Seymour Hersh. But, but, but, … Very Serious Journalists and Professors! Uh-huh. And (excuse my French) mostly just full of shιt.

In other news… Syria war: The online activists pushing conspiracy theories (featuring Sarah Abdallah and Vanessa Beeley):

The activists call themselves "anti-war", but as they generally back the Syrian government's military operations against rebel forces seeking to overthrow Mr Assad and Russian air strikes carried out in support, it might be more accurate to describe them as "anti-Western intervention" or "pro-Syrian government".

According to their narrative, international media organisations across the political spectrum, along with human rights organisations, are somehow covertly aligned with Western governments, Saudi Arabia, the Islamic State group and al-Qaeda and taking part in a secretive plot to take over Syria.

[...]

[Online research firm Graphika] found that Sarah Abdallah's account was primarily followed by a number of different interest clusters: supporters of pro-Palestinian causes, Russians and Russian allies, white nationalists and those from the extremist alt-right, conservative American Trump supporters, far-right groups in Europe and conspiracy theorists.

You can find twenty more of these in no time flat, but hey, two’s a start.

So, Douma. When I mentioned the obvious ridiculousness of narratives being peddled, a friend showed me this Twitter thread by journalist Pat Hilsman. Here are the first 20 of what he calls “Douma Theories” (regime counter-narratives):

  1. There was no CW attack because despite years of taking to shelters, Douma residents somehow poisoned themselves with carbon monoxide. More to follow no doubt. [The embedded tweet here deals with another “theory” but searching Twitter for “Douma carbon monoxide” yields this example and others.]
  2. The dead weren't victims of accidental carbon monoxide poisoning but were hostages [Jaysh al-Islam] paraded in cages. Quick note, so far the dead [are] clearly not the same individuals + one of these pics is of children partaking in a protest not hostages
  3. Because the attack is being reported by rescue workers with access to the ground who treat injuries it is not reliable.
  4. Because chemicals used in past attacks could be of German origin, and Germany has sanctions on Assad, only a rebel enclave that is completely surrounded by Assad forces could obtain the German materials
  5. Because Assad is on the verge of victory (as he supposedly was in 2013, 2016 + 2017) he has no reason to use toxic substances, even though doing so potentially gave the regime the momentum it needed in Douma negotiations [with] [Jaysh al-Islam]
  6. Weapons supposedly used by rebels indicate they have secret points of access into Douma through which they've smuggled Cluster munitions + incendiaries. Problem is the cluster claim is misrepresented + the thermite is from regime aircraft
  7. Because the Salisbury VX incident in a wealthy nation prompted investigators to wear protective gear, the footage from Syria is fake despite fact that the substance wouldn't [be] identical. Ignores many properties of CW + lack of resources
  8. Assad is a "secular" leader and only Muslims are capable of violence. FYI this commentator @KTHopkins is explicitly racist + constantly promotes anti immigrant myths.
  9. Journalists who talk about Assad crimes are "armchair analysts" who have never reported from Syria, only pro-Assad commentators [are] qualified to comment. I've added a photo of me in an armchair in the [East] Aleppo Old City in Feb 2013 for color
  10. The attack in Douma is a false flag attempt by Islamist rebels to make sure America doesn't withdraw from Syria i.e. withdraw support for the Kurdish-led SDF which is the arch enemy of Syrian Islamist groups
  11. Based on a supposed Qanon posting Cindy McCain helped smuggle CW into Syria via her cleft palate initiative "Operation Smile"
  12. Rebels have kept CW stockpiles which they have used exclusively against their own neighborhoods + not once against their enemies, eliciting no change for 5 years. White Helmets cease to [be] [Jabhat al-]Nusra's PR wing + [are] suddenly [Jabhat al-Nusra] enemy [Jaysh al-Islam]
  13. Footage from November of 2016 of the White Helmets controversially (yet openly) doing the "mannequin challenge" somehow invalidates footage of suspected chlorine poisoning victims in Douma in April 2018
  14. Russian Military police have visited the site of the attack where locals told us there wasn't an attack. Here is footage of a Syrian journalist explaining that there WAS an attack to prove our point
  15. There is no chance of an independent investigation, not because Russia literally just vetoed one at the UN, but because the last one, despite using samples from the regime, only used samples from "al Qaeda"
  16. Syria is under attack because they won't accept the capitalist petro-dollar despite regime's lack of access to oil fields, + powerful ultra-capitalist chambers of commerce who grew wealthy off foreign neoliberal bank privatization
  17. Trump is going to launch missiles to destroy evidence of the false flag chemical attack where the rebels poisoned themselves, also no one was poisoned.
  18. Never mind that Russia vetoed UN investigative body that found Assad guilty of Khan Shaykhoun, + just vetoed a new one... here's me on a couch agreeing [with] a White Nationalist who has never been near a war. He says something's fishy
  19. There were no dead military age males at the scene of the incident even though there were.
  20. Chlorine canisters can't crash through a roof and land on a bed even though explosive bombs can land in mud. Here is footage of a part of a cluster bomb landing relatively intact.

Did I miss anything? Ah, the former British ambassador to Syria (Peter Ford), who appears to have been invited not because of the insightful commentary he provides (insufferable babble appears to be his thing) but because of his past connection to Syria. Of course for him it’s more about his current connection to Syria (through Fawaz Akhraz, whose daughter Asma is married to this lovely fella called Bashar al-Assad).

And there was Lavrov making some comment on Spiez Laboratory and BZ. This is what the Director-General of the OPCW had to say about that:

As it was clearly shown in the detailed and technical presentation, we should not have an iota of doubt on the reliability of the system of the OPCW Designated Laboratories. The Labs were able to confirm the identity of the chemical by applying existing, well-established procedures. There was no other chemical that was identified by the Labs. The precursor of BZ that is referred to in the public statements, commonly known as 3Q, was contained in the control sample prepared by the OPCW Lab in accordance with the existing quality control procedures. Otherwise it has nothing to do with the samples collected by the OPCW Team in Salisbury. This chemical was reported back to the OPCW by the two designated labs and the findings are duly reflected in the report.

I should like to mention here that in accordance with the established practice the Secretariat does not share the full reports of the analysis of the samples that it receives from the designated Labs with the States Parties. This practice is aimed at protecting the identity of the labs which conduct off-site analysis of samples.

The representative of Switzerland to the OPCW on this point:

Before I conclude, Mr. Chairperson, my Government wishes to express its incomprehension about a statement by Russia regarding the Swiss designated laboratory at Spiez. Whether or not Spiez Laboratory was one of the designated laboratories involved in the analysis of the Salisbury samples, an analysis report of our designated laboratory would not have been drafted in the way and contained the type of language alleged to be a quote from a Spiez Laboratory report. I am referring to an English translation of a statement by the Russian Foreign Minister available on the official website of the Ministry.

How such a statement could be made is incomprehensible to us. Such actions weaken the credibility and integrity of this Organisation and are as such absolutely unacceptable. The confidentiality agreements between the OPCW and its designated laboratories precisely exists to ensure the impartiality of the analysis. In this context, we thank the Director-General and the head of the OPCW laboratory for their clarifying remarks at the beginning of this session.

And if you still haven’t caught on (some Very Big Brains are just, ya know, kinda slow, that’s all), there’s this gem…

‘German chlorine, smoke pellets from Salisbury found in E.Ghouta’ – Zakharova:

“Syrian Government forces found chlorine in containers, the most dangerous kind of chemical weapons, from Germany and smoke pellets produced in – attention – Salisbury, Great Britain,” in Eastern Ghouta’s liberated areas, said Russian Foreign Ministry Spokesperson Maria Zakharova during her weekly briefing in Moscow, on Thursday.

tyr • April 20, 2018 11:15 PM

@ Clive

Pompeo is in NK to mend fences now that they can hit Washington with a nuke.

Some fools have insisted that the Rus and Syrians are going to clean-up a chemical attack. Usually people who failed basic chemistry before choosing their current careers. If it was chlorine, that displaces oxygen from ordinary stuff in the area forming new compounds. Gas diffuses everywhere as it works, so to clean something like that up requires removing everything in the area, which is called major construction activity. Doing it while being shot at by nuts is not the way to do things.

Popcorn event of the month has to be Comey the crypto expert's book.

One comic was complaining that politics has forced them out of business by being too weird to parody.

I hear cyber security is a new growth industry for the arms merchants. Time to harvest the snake oil ideas and peddle them to the credulous before someone else gets obscenely rich while courting major disaster.

Clive Robinson • April 22, 2018 12:55 AM

@ Thoth,

This is a bad idea since almost all Hardware Wallets do not have a secure and reliable time source, and that immediately negates the guarantees of authenticity of any signed document.

Time, like true randomness, is something all computers have very distinct problems with, and probably always will do.

Mad as it might sound, things have got to the point where we have to make allowance for relativity in mobile devices that we carry in our pockets...

Computers have no implicit way of understanding time; they are glorified state machines that just get "clocked" from an external pulse generating source. Thus any counting method is dependent not just on the frequency of the external pulse generator but its stability as well. When you add the issues of switching between background and foreground functioning to service interrupts, or in more advanced systems task switching between threads and users, it becomes easy to see why awareness of time is not something you just program in.

Thus computers need external hardware support for basic timing as a minimum.

But things start to get complicated with document signing. That is, when is a contract actually entered into, and when can participants withdraw without completing the contract even though they have signed. For some types of trading the speed of light is not your friend, which in turn means nanosecond[1] timing is of relevance. But from what reference point...

The point is no matter what technology we come up with, someone will find a way to make money off of time differences no matter how small...

[1] The speed of light at 2.99x10^8 meters/sec might sound fast, but when you think in nanoseconds or less, as engineers have a habit of doing, that vast speed is suddenly slightly less than the length of a 1ft desk rule. But most engineering protocols call for signals to be acknowledged, so all of a sudden an engineer has to work at less than half that distance. Then when you add in shortening for dielectric Velocity Factor (VF), gate delays etc. you can see why they don't want to have things "off chip" any longer...
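Thoth's point above about a PGP signature whose creation time comes from the user's own PC, and Clive's point that a wallet without a trusted clock cannot vouch for when something was signed, put into code. This is an added example, not code from this thread or from Ledger/Woleet: the HMAC calls stand in for the signer's and a timestamp authority's digital signatures (the verification structure is the same), and the key names, token layout and sample document are constructed for the example.

```python
"""Why a signer-chosen timestamp proves nothing about *when*, and what a
third-party timestamp token adds.

Added example, not from the comment thread or from Ledger/Woleet.  HMAC-SHA256
stands in for the two digital signatures involved; key names, the token
layout and the sample document are assumptions made for this example.
"""
import hashlib
import hmac
import json

# Constructed secrets: in practice these are private keys held by the
# signer's smart card and by the timestamp authority (TSA) respectively.
SIGNER_KEY = b"signer-smartcard-key (constructed)"
TSA_KEY = b"timestamp-authority-key (constructed)"


def sign(key, payload):
    """Stand-in for a digital signature over payload."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def pgp_style_sign(document, creation_time, key=SIGNER_KEY):
    """Like a PGP signature packet: the creation time is read from the
    signer's own clock and is itself covered by the signature."""
    body = json.dumps({"doc": hashlib.sha256(document).hexdigest(),
                       "time": creation_time}, sort_keys=True).encode()
    return {"body": body, "sig": sign(key, body)}


def verify_pgp_style(signature, document, key=SIGNER_KEY):
    """Checks integrity and origin only; returns the *claimed* time if the
    signature is valid.  Nothing here shows the signer's clock was honest."""
    if not hmac.compare_digest(sign(key, signature["body"]), signature["sig"]):
        return None
    fields = json.loads(signature["body"])
    if fields["doc"] != hashlib.sha256(document).hexdigest():
        return None
    return fields["time"]


def tsa_timestamp(signature, tsa_clock_time, key=TSA_KEY):
    """RFC 3161-style idea: the authority signs (hash of what it was sent,
    the time on ITS clock).  It never sees the document and never trusts
    the requester's clock."""
    imprint = hashlib.sha256(signature["sig"].encode()).hexdigest()
    token_body = json.dumps({"imprint": imprint, "tsa_time": tsa_clock_time},
                            sort_keys=True).encode()
    return {"body": token_body, "sig": sign(key, token_body)}


def verify_timestamped(signature, token, document, tsa_key=TSA_KEY):
    """Returns (signer_claimed_time, tsa_asserted_time) or None.
    Only the second value is evidence that the signature existed by then."""
    claimed = verify_pgp_style(signature, document)
    if claimed is None:
        return None
    if not hmac.compare_digest(sign(tsa_key, token["body"]), token["sig"]):
        return None
    fields = json.loads(token["body"])
    if fields["imprint"] != hashlib.sha256(signature["sig"].encode()).hexdigest():
        return None  # token was issued for a different signature
    return claimed, fields["tsa_time"]


def demo():
    """A signer backdates its own clock; the TSA token still pins the real time,
    and a token cannot be reused for a different signature."""
    doc = b"constructed contract text"
    backdated = pgp_style_sign(doc, "2015-01-01T00:00:00Z")
    token = tsa_timestamp(backdated, "2018-04-20T12:00:00Z")
    other = pgp_style_sign(b"other document", "2015-01-01T00:00:00Z")
    return (verify_pgp_style(backdated, doc),
            verify_timestamped(backdated, token, doc),
            verify_timestamped(other, token, b"other document"))


if __name__ == "__main__":
    print(demo())
```

The verifier's trust in the time rests entirely on the TSA key, which is why the TSA's own clock discipline matters and why a wallet that only has the host PC's clock cannot fill that role.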

Cassandra • April 23, 2018 5:24 AM

@Clive Robinson

@Thoth

Clive, no need to apologise for missing one of my comments. You have (or had) much on your mind, so reading the comments of a pseudonymous writer on the Internet should be the least of your concerns. Concentrate on doing what is necessary to recover and be happy. I'm flattered you thought you even had the need to apologise.

As ever, I can't hope to add to any of your subsequent comments. I am very much a listener where you (and Thoth) are concerned, and very glad to have you both around to listen to. Unfortunately my personal situation is that I will have less time in the foreseeable future to read and contribute (however little) here.

I will thank you both for pointing out the importance of believable timestamps. It is an area I have long mused over, ever since the tricky problem of determining which transaction preceded another on a global scale first came across my desk. It appears that a good security toolkit will have a reliable, accurate and trustworthy clock, and programmers that understand the physical constraints imposed by the speed of light.

For people's amusement and education, the following links are instructive:

- Falsehoods programmers believe about time
- More falsehoods programmers believe about time
- Issues involved in computer time stamps and leap seconds
- Leap Seconds

My personal preference regarding the third link above is for computer systems to implement precise and simple time for record keeping and transactions (which means breaking with the POSIX standard), and keep lookup tables for converting to calendar time. I would not try to force Civil Time to be the same.

Cassandra
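The design Cassandra prefers above, a continuous count of elapsed seconds for records and transactions with a lookup table to get back to calendar time, as an added example (not code from the thread). The three leap-second dates in the table are real announced insertions; the epoch choice, function names and the partial table are assumptions made for this example.

```python
"""Continuous (leap-second-aware) record-keeping time with a lookup table
for converting to and from UTC calendar time.

Added example, not from the comment thread.  LEAP_DAYS lists real UTC days
that ended with a 23:59:60 (partial table); the epoch and function names
are assumptions for this example.
"""
from datetime import datetime, timedelta

# Continuous time counts every elapsed SI second since EPOCH, leap seconds
# included.  POSIX time_t instead pretends every UTC day has 86400 seconds,
# so it must skip or repeat a value whenever a leap second is inserted.
EPOCH = datetime(2012, 1, 1)  # assumption: any UTC instant before the first table entry

# UTC days that ended with a 23:59:60 (real dates, oldest first, partial table).
LEAP_DAYS = [(2012, 6, 30), (2015, 6, 30), (2016, 12, 31)]


def _posix_seconds(y, mo, d, h=0, mi=0, s=0):
    """Leap-second-blind seconds since EPOCH (what POSIX time_t would count)."""
    return int((datetime(y, mo, d, h, mi, s) - EPOCH).total_seconds())


def _leap_table():
    """Per leap day: (POSIX value of the following midnight,
    continuous value occupied by that day's 23:59:60 second)."""
    table = []
    for i, (y, mo, d) in enumerate(LEAP_DAYS):
        p = int((datetime(y, mo, d) + timedelta(days=1) - EPOCH).total_seconds())
        table.append((p, p + i))  # i leap seconds were already inserted earlier
    return table


def utc_to_continuous(y, mo, d, h, mi, s):
    """UTC calendar time (second may be 60 on a leap day) -> continuous count."""
    if s == 60:
        if (y, mo, d) not in LEAP_DAYS or (h, mi) != (23, 59):
            raise ValueError("no leap second at that UTC time")
        return _leap_table()[LEAP_DAYS.index((y, mo, d))][1]
    posix = _posix_seconds(y, mo, d, h, mi, s)
    inserted_before = sum(1 for p, _ in _leap_table() if p <= posix)
    return posix + inserted_before


def continuous_to_utc(c):
    """Inverse of utc_to_continuous: returns (y, mo, d, h, mi, s)."""
    table = _leap_table()
    for p, leap_c in table:
        if c == leap_c:  # the inserted second itself
            day = EPOCH + timedelta(seconds=p) - timedelta(days=1)
            return (day.year, day.month, day.day, 23, 59, 60)
    passed = sum(1 for _, leap_c in table if leap_c < c)
    t = EPOCH + timedelta(seconds=c - passed)
    return (t.year, t.month, t.day, t.hour, t.minute, t.second)


def elapsed_seconds(a, b):
    """True elapsed seconds between two UTC calendar tuples (b - a)."""
    return utc_to_continuous(*b) - utc_to_continuous(*a)


def naive_elapsed_seconds(a, b):
    """What leap-second-blind datetime arithmetic claims for the same interval."""
    return int((datetime(*b) - datetime(*a)).total_seconds())


if __name__ == "__main__":
    before, after = (2016, 12, 31, 23, 59, 59), (2017, 1, 1, 0, 0, 0)
    print("continuous:", elapsed_seconds(before, after), "naive:", naive_elapsed_seconds(before, after))
```

Every record is stamped with the continuous count, so ordering and durations across a leap second stay correct; calendar rendering is a presentation step done through the table, and civil time is left alone.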

Alyer Babtu • April 23, 2018 2:55 PM

Time is a number or quantity of motion in respect of before and after, as known in the intellect. For some purposes, the time is really just needed to determine before-after sequence. What about establishing an “authoritative” sequence server for those situations? Gentle user, here is your sequence ticket, will there be anything else? Where is quantity of time needed, as opposed to sequence of time? If quantity of time is needed, related real motions are being compared. If there are serious constraints on estimating this ratio, it seems one is in the domain of (hard) real-time computing. Should more areas of computing be regarded as real-time than is customary?
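The "sequence, not quantity" idea in the comment above, as an added example rather than code from the thread: nodes agree on a before-after order without any shared clock using Lamport's logical clock rule from his 1978 paper "Time, Clocks, and the Ordering of Events in a Distributed System". The node names and the message script are constructed for this example.

```python
"""Logical clocks: before/after ordering with no quantity of time at all.

Added example (not from the comment thread) using Lamport's 1978 rule:
tick before each local event, stamp outgoing messages, and on receipt set
the counter to max(own, received) + 1.  Node names and the scenario are
constructed for this example.
"""


class Process:
    """One node with a Lamport counter and a shared event log."""

    def __init__(self, name, log):
        self.name = name
        self.clock = 0
        self.log = log  # shared list of (counter, process, description)

    def local_event(self, what):
        self.clock += 1
        self.log.append((self.clock, self.name, what))
        return self.clock

    def send(self, what):
        """Sending is an event; the message carries the sender's counter."""
        self.clock += 1
        self.log.append((self.clock, self.name, f"send {what}"))
        return (self.clock, self.name, what)

    def receive(self, message):
        """Receipt must be ordered after the send: jump past the carried stamp."""
        stamp, sender, what = message
        self.clock = max(self.clock, stamp) + 1
        self.log.append((self.clock, self.name, f"recv {what} from {sender}"))
        return self.clock


def total_order(log):
    """Lamport's tie-break: (counter, process name) gives every node the same
    total sequence from the same log, i.e. the 'sequence ticket' without a clock."""
    return sorted(log, key=lambda e: (e[0], e[1]))


def sends_precede_receipts(log):
    """Sanity check of the happens-before guarantee for every send/recv pair."""
    sends = {e[2][len("send "):]: e[0] for e in log if e[2].startswith("send ")}
    for counter, _, desc in log:
        if desc.startswith("recv "):
            what = desc[len("recv "):].split(" from ")[0]
            if counter <= sends[what]:
                return False
    return True


def run_scenario():
    """Three nodes, two messages; returns (raw log, totally ordered log)."""
    log = []
    a, b, c = Process("A", log), Process("B", log), Process("C", log)
    a.local_event("prepare tx")      # A -> 1
    m1 = a.send("tx1")               # A -> 2
    c.local_event("unrelated work")  # C -> 1
    c.local_event("more work")       # C -> 2
    b.receive(m1)                    # B -> max(0, 2) + 1 = 3
    m2 = b.send("ack tx1")           # B -> 4
    c.receive(m2)                    # C -> max(2, 4) + 1 = 5
    return log, total_order(log)


if __name__ == "__main__":
    for event in run_scenario()[1]:
        print(event)
```

Events that never communicated (A's and C's early work) get arbitrary but consistent relative positions; only causally related events are guaranteed to be ordered, which is exactly what a sequence-only design needs and all it promises.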

Alyer Babtu • April 28, 2018 12:42 PM

@Ratio

Many thanks for directing me to Leslie Lamport’s paper. I’m enjoying reading it and trying to revive a long dormant mathematical habit.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.