Friday Squid Blogging: Squid Prices Rise as Catch Decreases

In Japan:

Last year's haul sank 15% to 53,000 tons, according to the JF Zengyoren national federation of fishing cooperatives. The squid catch has fallen by half in just two years. The previous low was plumbed in 2016.

Lighter catches have been blamed on changing sea temperatures, which impede the spawning and growth of the squid. Critics have also pointed to overfishing by North Korean and Chinese fishing boats.

Wholesale prices of flying squid have climbed as a result. Last year's average price per kilogram came to 564 yen, a roughly 80% increase from two years earlier, according to JF Zengyoren.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on April 20, 2018 at 4:26 PM • 73 Comments

Comments

Mario Lacroix April 20, 2018 4:45 PM

APT activities are usually associated with strategy industry attacks. Why are attacks on industry that cause disruption, fines, and even reduction of commercial activities not pointed to as part of cyber war too? Disrupting the enemy finances and commercial operations is as bad as fake news when attacking democracy, right? Any protection against those from the government point of view? RIA? Thoughts on the theme?

PeaceHead (again) April 20, 2018 6:40 PM

THANK GOODNESS for living life and those who tend to agree with such PEACEFUL sentiments.

As for squids and SQUIDs (super quantum interference devices),...
"..let live and live;live and let live..."
Sure sounds good to me.

I wish I knew how to say, "I cannot be made to eat squid!" in Japanese.
However, for now I can print "Heiwa" with an honest grin (in Kanji, albeit, Chinese).

Sometimes Peace Really Does Prevail Realms of Existence.
Even Peace Hath Her Victories.

:)

Seredic Labingi April 20, 2018 10:28 PM

Tails Linux version: 3.6.2
(and confirmed in some previous versions)
Bridge use in clients exposes more in logs than it should:

- Warning Message:

"[warn] Your log may contain sensitive information - you're logging more than "notice". Don't log unless it serves an important reason. Overwrite the log afterwards."

- Source: /var/log/tor/log
- Problem: When using obfs4 bridges, log level is set to a high (probably 'debug') level.
- Solution: properly configure log to the 'notice' level when using obfs4 bridges
- Reproducible?: Yes
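A check for the condition reported above, as an added example that is not part of the original comment and is not code from Tails or Tor: it scans torrc text for `Log` directives whose minimum severity is more verbose than `notice`. The sample configuration is constructed, and the function name is hypothetical.

```python
import re

# Tor log severities, most verbose first.
SEVERITIES = ["debug", "info", "notice", "warn", "err"]
# Keywords that start the destination part of a Log directive.
DESTINATIONS = {"stdout", "stderr", "syslog", "file"}


def verbose_log_lines(torrc_text):
    """Return (line_number, severity, destination) for every Log directive
    that records more than 'notice', that is 'info' or 'debug'."""
    findings = []
    notice_rank = SEVERITIES.index("notice")
    for number, raw in enumerate(torrc_text.splitlines(), start=1):
        # Drop comments; option names in torrc are case-insensitive.
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0].lower() != "log":
            continue
        # Severity specs come first, then the destination (and a file name).
        dest_at = next(
            (i for i, tok in enumerate(tokens[1:], 1) if tok.lower() in DESTINATIONS),
            len(tokens),
        )
        destination = " ".join(tokens[dest_at:]) or "(no destination given)"
        for spec in tokens[1:dest_at]:
            spec = re.sub(r"^\[[^\]]*\]", "", spec)   # optional [domain,...] prefix
            minimum = spec.split("-", 1)[0].lower()   # "info-warn" -> "info"
            if minimum in SEVERITIES and SEVERITIES.index(minimum) < notice_rank:
                findings.append((number, minimum, destination))
    return findings


# Constructed sample, not taken from a Tails image.
SAMPLE_TORRC = """\
# client using an obfs4 bridge
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
Log notice file /var/log/tor/log
Log debug file /var/log/tor/log   # the situation the report describes
log info-warn syslog
#Log debug stderr
"""

if __name__ == "__main__":
    for number, severity, destination in verbose_log_lines(SAMPLE_TORRC):
        print(f"line {number}: logging at '{severity}' to {destination}")
```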

echo April 21, 2018 9:46 AM

There's nothing new in the two articles I'm linking to which isn't already covered by books such as Robert Cialdini's 'Persuasion' and principles contained within the European Convention.

One big annoyance I have really begun increasingly noticing over this past week is there is hardly a pop science or technology article which doesn't lead in some way to somebody trying to sell something or a new business venture they are trying to attract capital to. I have also begun noticing the path a lot of news makes from its original source through to major social media outlets and mainstream media. This is all very disconcerting!

Mind Games of the 1 Percent: Psychology Gone Bad
Progress depends upon resisting and debunking the 1%'s manipulative appeals.
https://www.psychologytoday.com/us/blog/dangerous-ideas/201804/mind-games-the-1-percent-psychology-gone-bad

UK Officials Reveal 5 New Principles for Businesses Working With AI
These guiding principles may be the first step towards codified laws governing businesses’ use of AI.
https://futurism.com/videos/uk-new-principles-businesses-ai/

echo April 21, 2018 9:54 AM

Oooh. Before I forget! I thought this was funny. The boss class didn't though.

https://www.independent.co.uk/news/world/americas/us-air-national-guard-woman-oath-dinosaur-puppet-video-robin-brown-tennessee-a8313226.html
Three US Air National Guard members have been disciplined, and one of them fired, for an incident involving a children’s dinosaur puppet.

Master Sergeant Robin Brown, a senior non-commissioned officer (NCO) with the Air National Guard, was removed from her position at the Tennessee Joint Public Affairs Office after video circulated of her taking her enlistment oath with a tyrannosaurus rex puppet in hand.

http://time.com/5246268/dinosaur-puppet-oath-national-guard/

Three members of the Tennessee Air National Guard have been removed from their posts after a video of an oath-taking ceremony involving a puppet dinosaur went viral.

(Video on Facebook. Aaaagh) https://www.facebook.com/AirForceForum/videos/934187223421585/

CallMeLateForSupper April 21, 2018 10:28 AM

@Bruce
Maybe they are fishing only in traditional/convenient locations? ISTR a report w/i the past several months of a squid species being found north of Britain, whereas it had been fished further south heretofore.

We are seeing some species migrate toward the poles. Imagine mosquito swarms in the Arctic. (I am only half-joking.)

echo April 21, 2018 11:19 AM

@vas pup

There is more on EU privacy concerns with the UK from the shady billionaire Barclay brother owned Telegraph. (Paywalled in a shoot yourself in the foot way to stop the rest of us being brainwashed by accident.)

Given how wriggly the UK is with regard to European law (and this is just the microscopic areas I am aware of) I'm not surprised the EU doesn't trust the UK!

https://www.telegraph.co.uk/politics/2018/04/21/eu-warns-uk-cannot-trusted-sensitive-data-hopes-fade-future/

Britain’s hopes of building a deep security partnership with the EU have been cast into fresh doubt after Brussels issued a warning to EU member states that the British government cannot be trusted to handle sensitive crime data, the Telegraph can reveal.

albert April 21, 2018 11:26 AM

"...By definition, scientists who perform classified research cannot take full advantage of the standard practice of peer review and publication to assure the quality of their work and to disseminate their findings. Instead, military and intelligence agencies tend to provide limited disclosure of classified research to a select, security-cleared audience.

In 2013, the US intelligence community created a new classified journal on cybersecurity called the Journal of Sensitive Cyber Research and Engineering (JSCoRE)...."

https://fas.org/blogs/secrecy/2018/04/jscore-toc/

. .. . .. --- ....

Boofery April 21, 2018 12:04 PM

Since Cloudflare has been in the news with its 1.1.1.1 DNS server I took a look at encrypted DNS. What I discovered was that most people who are using Cloudflare's new service are not encrypting. According to this tweet only .04% of users encrypt.

https://twitter.com/grittygrease/status/983058814592266241

The annoying part is trying to verify that one's connection is in fact encrypted. One has to go into Wireshark and inspect packets.

https://askubuntu.com/questions/105366/how-to-check-if-dns-is-encrypted

https://arstechnica.com/information-technology/2018/04/how-to-keep-your-isps-nose-out-of-your-browser-history-with-encrypted-dns/3/

Seems to me beyond the average users.

Supposedly Mozilla is going to bake in encrypted DNS in FF 60 but I wonder what they will do to reassure users that the connection is encrypted?
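A simpler form of the packet inspection mentioned in this comment, as an added example that is not part of the original comment: it classifies `tcpdump -nn` text lines by destination port and lists the query names that crossed the wire in plaintext. The capture lines are constructed, and treating port 443 traffic to a listed resolver as possible DNS over HTTPS is an assumption, since it looks like any other HTTPS on the wire.

```python
import re
from collections import Counter

# "... IP src.port > dst.port: ..." as printed by tcpdump -nn
FLOW = re.compile(r"\bIP6? (\S+)\.(\d+) > (\S+)\.(\d+):")
# Query section of a decoded plaintext DNS packet, e.g. "A? example.com."
QUERY = re.compile(r"\b[A-Z]+\? (\S+)")


def classify_dns(lines, resolvers=("1.1.1.1",)):
    """Count DNS transports seen in tcpdump text output.

    Returns (counts, leaked_names): counts maps a transport label to the
    number of client packets, leaked_names lists names visible in plaintext.
    """
    counts = Counter()
    leaked = set()
    for line in lines:
        flow = FLOW.search(line)
        if not flow:
            continue
        dst, port = flow.group(3), int(flow.group(4))
        if port == 53:
            # Classic DNS: the question is readable by anyone on the path.
            counts["plaintext"] += 1
            query = QUERY.search(line)
            if query:
                leaked.add(query.group(1).rstrip("."))
        elif port == 853:
            # DNS over TLS uses its own port, so it is easy to recognise.
            counts["dns-over-tls"] += 1
        elif port == 443 and dst in resolvers:
            # Heuristic only: HTTPS to a known resolver address.
            counts["possible-doh"] += 1
    return dict(counts), sorted(leaked)


# Constructed capture lines (documentation and private addresses).
SAMPLE_CAPTURE = [
    "12:00:01.100000 IP 192.168.1.10.51234 > 192.0.2.53.53: 4660+ A? example.com. (29)",
    "12:00:01.120000 IP 192.0.2.53.53 > 192.168.1.10.51234: 4660 1/0/0 A 192.0.2.10 (45)",
    "12:00:02.000000 IP 192.168.1.10.40000 > 1.1.1.1.853: Flags [P.], seq 1:120, ack 1, win 229, length 119",
    "12:00:03.000000 IP 192.168.1.10.51300 > 1.1.1.1.53: 4661+ AAAA? mail.example.org. (34)",
    "12:00:04.000000 IP 192.168.1.10.40002 > 1.1.1.1.443: Flags [P.], seq 1:200, ack 1, win 229, length 199",
]

if __name__ == "__main__":
    counts, leaked = classify_dns(SAMPLE_CAPTURE)
    print(counts)
    print("names visible in plaintext:", leaked)
```

Any non-zero `plaintext` count means at least some lookups are still leaving the machine unencrypted, even when the resolver in use also supports an encrypted transport.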

Alyer Babtu April 21, 2018 12:13 PM

Could Facebook and other Big Tech actually give a complete list of who gets access to its collected data? Or does nobody have a total view?

Sancho_P April 21, 2018 1:11 PM

@RockLobster

Think twice, here is the point:
We do not need evidence because we know they are guilty!
[Communists employing capitalistic methods (e.g. buy ads) are evil,
without any doubt.]

echo April 21, 2018 6:05 PM

I have no idea how data from price comparison websites could have been used by Cambridge Analytica unless the data provided additional insight into people's demographics and who might be more persuadable?

It's interesting that Brittany Kaiser's allegations are denied. In other contexts I have both been told and have witnessed events which have subsequently been denied. If these leads were pursued they would lead to claims of contempt of court and gross professional negligence (and possibly fraud). I am extremely skeptical of the personalities behind and affiliated with Cambridge Analytica and give a wide margin to anyone with a plausible allegation.

https://www.theguardian.com/politics/2018/apr/21/price-comparison-data-may-have-been-used-leave-eu-brexit-cambridge-analytica
Personal information gathered from price comparison websites may have been used without people’s knowledge or consent by pro-Brexit campaigners in the European referendum.

65535 April 21, 2018 6:07 PM

@ RockLobster

"IMO that should raise more questions about Twitter than it does about Kaspersky.”

That could be true. I am sure Twitter is not immune to NSLs and has probably received them.

‘In a letter to Twitter CEO Jack Dorsey on Friday, CEO Eugene Kaspersky expressed he was dumbfounded by the decision: “One thing I can say for sure is this: we haven’t violated any written—or unwritten—rules, and our business model is quite simply the same template business model that’s used throughout the whole cybersecurity industry: We provide users with products and services, and they pay us for them.”’-gizmodo

With the current government investigation into Facebook I would guess Spitter is covering its rear end.

@ Gunter Königsmann

“Bavaria (a region of Germany) a new law permits to use Trojans and drones for surveillance…”

Yes. In the States both north and south borders are droned with cameras and dirtboxes/stingrays [hopefully not armed with missiles].

“On 14 October 2013, an MQ-9 began patrolling the Manitoba portion of the U.S.-Canada border… In January 2014, Customs and Border Protection grounded its UAVs temporarily after an unmanned aircraft was ditched off the coast of California by the operator due to a mechanical failure…”-Wikipedia

https://en.wikipedia.org/wiki/General_Atomics_MQ-9_Reaper

@ Anders

As seen over on Krebs on Security Facebook has a bad odor. I don’t use it but family members do and I consider it a risk.

@ Boofery

“Supposedly Mozilla is going to bake in encrypted DNS in FF 60 but I wonder what they will do to reassure users that the connection is encrypted?”

Yes, I would like to hear about the crypto DNS in FF 60 from some of the FF experts on this board. Does it work?

Mark C April 22, 2018 7:44 AM

An interesting element in the story of "the largest foreign bribery case in history" is the apparent use of what appears to be a custom built encrypted software system by the large Brazilian corporation Odebrecht.

The system - named as "Mywebday" - was operated by a department known as the Division of Structured Operations. In effect this was a whole formal separate department set up to manage corruption with a departmental budget said to be around $600million. If the reports so far are borne out by the full story then this starts to sound like something from the movies: ie for Spectre or Quantum just read Odebrecht DSO...maybe a little less murder and mayhem but this really was a substantial corporate department tasked purely with taking over countries.

It's reported that although investigators have made some headway on the case thanks to what appears to be carelessness on the part of an Odebrecht secretary (who printed off hard copies of documents) they're still stymied by the encryption on Mywebday. The reports sort of imply that Mywebday is a software suite that includes a payment or ledger element, although this isn't entirely clear.

Two points:

(1) Basic web searches seem to turn up nothing about Mywebday other than stories related to the Brazilian corruption scandal. So I'm assuming it was a bespoke system created by or for Odebrecht rather than an established commercial crypto product. Of course I could be wrong and maybe they just used that name for what is, in fact, an off-the-shelf product.

(2) Among the snippets of wisdom I've heard most often from crypto professionals is that DIY systems can be a fool's errand - the best route to security is through components and implementations that are open. But here we seem to have a one-off system that's presenting a major challenge to cryptanalysis. And if, as seems likely, the Brazilians are being assisted by US agencies then we're talking about a genuine challenge.

It wouldn't be the first time that a genuinely strong system has been constructed in a closed environment but it would still, surely, be unusual - especially as this seems to be not just an encrypted communications system but some sort of corporate software suite.

http://www.bbc.co.uk/news/business-43825294

Alyer Babtu April 22, 2018 1:54 PM

Eight random letter+number+special characters seems to be more or less instantly memorable. But sixteen characters seems much harder. Why isn’t it just twice as hard as one eight character?

Clive Robinson April 22, 2018 7:13 PM

@ Mark C,

Among the snippets of wisdom I've heard most often from crypto professionals is that DIY systems can be a fool's errand - the best route to security is through components and implementations that are open.

There are two parts to your statement that could be treated differently.

Think of crypto primitives in a system as bricks out of which you build a building. It would be foolish in the extreme to make your own bricks without a great deal of knowledge as they would have unknown properties. However the information on how to use bricks to make basic walls and simple structures is readily available and if followed will make a reliable building structure.

It's a similar case with crypto primitives, you'd be ill advised to design them outside of certain constraints, but you can use existing well tested ones to build systems with.

One of the constraints to making your own primitives is knowledge and its interpretation. Many primitives are easy to design, but the knowledge of how to test them is as they say a whole different ball of chalk. But testing is in turn easy compared to thinking up new tests specific to your primitive, often it involves the interpretation of others' work from other fields of endeavor, and you really do need to read those maths and combinatorics journals as avidly as others read the National Enquirer ;-)

Further back than 2000 there were very few higher education courses in computer security, even less taught what was involved with the design and test of crypto systems and the use of the primitives. Nearly two decades later that has changed a lot. Therefore getting a grounding in such skills is not as hard as it once was.

But skills alone do not systems make or break, most engineers "see" their designs quite literally in drawing form not lines of code. Importantly how they arrange the drawings often has considerable bearing on how the system not just gets built but functions as well. The old adage of "if it looks wrong it probably is" applies to all engineering subjects, and would do to code cutting if they actually tried to visualize rather than extemporize.

You can look on it as part of a "Quality Process", and as I've warned for decades now "Security is a Quality Process" which means "The organisation has to fully buy into both Security and Quality from before project day zero".

But let's look at things a little differently, we kind of accept there are two basic types of modern cipher systems these days. Those in effect based around interesting mathematical ideas that give us Public Key crypto and those based on the old Claude Shannon maxims of "substitution and permutation", whilst consigning the older mechanical and hand ciphers that really were security nightmares to history.

Current history would indicate it would be very unwise to mess around with mathematical cipher parts as they have a tendency to break in unexpected ways even for those skilled in the art. Have a look at the search for Post Quantum Computing Crypto to see the ideas proposed and shot down. There are hundreds if not thousands of brains hunting in that space, because to find "the one" will give fame and probably fortune to the lucky person.

But there is that other group of modern ciphers, based around the Claude Shannon maxims of repeated substitution and permutation. We see these most often in "Block Ciphers" and some "Stream Ciphers" (see NESSIE for a range).

Block ciphers crudely are very similar they consist of two main structures the Feistel Rounds and the Key Schedule that converts the user crypto key into individual rounds keys.

The two are in most cases effectively independent of each other provided that the round keys end up in the right number and form. This gives an opportunity for people to "make changes" whilst retaining the strength of the Feistel Rounds structure. There are various books around that will tell you sufficient information that if you are reasonably smart and knowledgeable will give you the opportunity to play at a level way way above that which the investigators can hope to deal with.

There are also lessons to be learned from those historical ciphers. Some surprisingly are still valid today such as the One Time Pad, it has quite a few disadvantages but none that will stop you turning it into a quite usable system. Others like the VIC cipher survived the attentions of a SigInt agency for its used life time. When you look at it you ask yourself "how could it?" but it did.

The point is it defeated the experts not investigators of the time. Which is probably going to be the same fate as those investigating the current crime you mention. Because they are very few and not experts in such areas and to be blunt any expert helping them out would be doing little more than "lipservice" rather than committing resources as there is little or nothing to be gained by an expert except long hours and little or no benefit. At the end of the day a man has to take care of his own business and this current crime does not fall in the area for crypto experts unless paid well, extremely well, and it sounds very much like the current investigators lack such resources.

But to get back to the Don't Roll Your Own Crypto, go back a couple of centuries and you come up against the sage advice from which it came. In the 19th century Auguste Kerckhoffs came up with a series of ideas about crypto systems, one of which is known as his principle,

    A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

Systems were a lot lot simpler in design back then they had to be as technology was not there to support anything complex. Many systems back then relied on the fact that analysing ciphertext was a purely mind and hand exercise. Thus were aimed at over complexity rather than security. Put simply they were often codes that were then subject to a very rudimentary super encipherment based on ciphers writing the code sequences in rows and columns then transposing them in various ways.

Such techniques only become secure as Claude Shannon realised if done many many times repeatedly. He also realised that it's easy to make mistakes both in design and usage that undo what you have done if you are not careful. Take modular addition for instance, it cycles through the modulus so there is only a finite number of times you can use it before you get back to where you started. The simplest is of course the XOR function every other addition of the same value gives back the original value...

Then of course you have to write code in a sufficiently competent manner it's not got a hundred and one black spots that are potential attack vectors.

But that only takes you up to the point where you have to start thinking about the actual protocols you are going to use, and that's a whole shipload more security fun...
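The separation between Feistel rounds and key schedule described in this comment, and its remark about XOR and modular addition cycling, as an added example that is not part of the original comment: a toy Feistel network built from standard-library hashes, run with two interchangeable key schedules. All function names and both schedules are hypothetical, and the construction is for illustration only, not a vetted cipher.

```python
import hashlib
import hmac
from math import gcd


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(half, round_key):
    # Any keyed function works here; it does not have to be invertible,
    # because the Feistel structure supplies the invertibility.
    return hmac.new(round_key, half, hashlib.sha256).digest()[: len(half)]


def feistel(block, round_keys):
    """Run the Feistel rounds. Decryption is the same call with the
    round keys in reverse order."""
    if len(block) % 2 or len(block) > 64:
        raise ValueError("block must have an even length of at most 64 bytes")
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for key in round_keys:
        left, right = right, xor_bytes(left, round_function(right, key))
    return right + left  # final swap makes the network its own inverse


def schedule_indexed(key, rounds=8):
    # Key schedule A: hash the user key together with the round number.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]


def schedule_chained(key, rounds=8):
    # Key schedule B: repeatedly hash the previous round key.
    keys, state = [], key
    for _ in range(rounds):
        state = hashlib.sha256(state).digest()
        keys.append(state)
    return keys


def encrypt(block, key, schedule):
    return feistel(block, schedule(key))


def decrypt(block, key, schedule):
    return feistel(block, schedule(key)[::-1])


def additions_until_repeat(step, modulus):
    # Adding the same value modulo `modulus` returns to the start after
    # this many additions; XOR is the modulus-2 case, so the answer is 2.
    return modulus // gcd(step, modulus)


if __name__ == "__main__":
    key, block = b"constructed sample key", b"sixteen byte msg"
    for schedule in (schedule_indexed, schedule_chained):
        ct = encrypt(block, key, schedule)
        print(schedule.__name__, ct.hex(), decrypt(ct, key, schedule))
    print("XOR period:", additions_until_repeat(1, 2))
```

Swapping the key schedule changes the ciphertext but not the round structure, which still decrypts correctly; whether either schedule resists analysis is a separate question that this code does not answer.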

Alyer Babtu April 22, 2018 8:32 PM

This looks like good reading (comes out in May) for us mere mortals trying to understand computing better

What Can Be Computed?: A Practical Guide to the Theory of Computation, John MacCormick, Princeton U. Press

Learn by example using Python.

Synonymous April 22, 2018 9:33 PM

@ Gunter Königsmann

Bundesgerichtshof

Can someone please explain this to me? I don't know much German, but I try to break a long word into parts.

I understand "Hof" as a very ancient word for some kind of court or authority. The other portions of the word seem to me to mean that the court is "directed" (gericht) under some kind of "oath" or "sworn service" -- I may be way off but that word "Bunde" does not really leave a whole lot of room for interpretation.

Frances April 23, 2018 12:43 AM

@Synonymous, my German dictionary translates Gerichtshof as Court of Justice. The Bundes = federal. So, Federal Court of Justice. But I don't know what its jurisdiction is.

Winter April 23, 2018 2:01 AM

"So, Federal Court of Justice. But I don't know what its jurisdiction is."

It is more or less comparable to the Supreme Court of the USA.

http://www.bundesgerichtshof.de/EN/Home/home_node.html


The Federal Court of Justice (Bundesgerichtshof – BGH) is Germany’s highest court of civil and criminal jurisdiction, i.e. “ordinary jurisdiction”. The Federal Court of Justice was instituted on 1 October 1950 and has its seat in Karlsruhe.


The task of the Federal Court of Justice is primarily to ensure uniform application of law, clarify fundamental points of law and develop the law. In general, it reviews rulings of the lower courts only with regard to errors of law. Even if the binding effect of the judgments and rulings of the Federal Court of Justice is technically confined to the respective case decided, in practice the lower courts follow its interpretation of the law virtually without exception. The far-reaching effect of rulings of the Federal Court of Justice is also due to the fact that, particularly in the field of civil law, legal practice is often guided by these rulings. Banks and insurance companies as well as landlords and divorce lawyers respond to a “ruling from Karlsruhe”.

Clive Robinson April 23, 2018 3:16 AM

@ Boofery, 65535,

Supposedly Mozilla is going to bake in encrypted DNS in FF 60 but I wonder what they will do to reassure users that the connection is encrypted?

There is little or nothing they can do...

Look at it this way, to many large ISPs the information and control they get through the DNS is "Money on the table". Thus for many of them not blocking encrypted DNS systems would be bad business...

Mozilla for all its claims is first and foremost about "user experience". Thus Mozilla will have to build in a "fall-back" mechanism for "backwards compatibility" to work seamlessly with the existing legacy DNS service. This fall-back system will be as automatic as possible for "user convenience", thus almost certainly "auto-negotiated" across the wire...

As I've warned several times in the past such auto-negotiation is the devil's playground for attackers...

65535 April 23, 2018 4:33 AM

@ Clive Robinson

“…to many large ISPs the information and control they get through the DNS is "Money on the table". Thus for many of them not blocking encrypted DNS systems would be bad business...”- Clive R.

I see your point about the profits. This could be a problem. I do wonder at what point it would make it non-profitable for ISPs to not block encrypted DNS?

Look at Dyn DNS and all of the DVR camera traffic generated… not to mention DDoS attacks. Cleaning up DDoS attacks could cut their profits.

Next, is Duck Duck go and start page. If you are basically correct about ISPs controlling DNS why would they allow semi-obscured look ups and then https connections. Why wouldn’t those services be on their list next?

“Mozilla for all its claims is first and foremost about "user experience". Thus Mozilla will have to build in a "fall-back" mechanism for "backwards compatibility" to work seamlessly with the existing legacy DNS service. This fall-back system will be as automatic as possible for "user convenience", thus almost certainly "auto-negotiated" across the wire...” –Clive R.

But we live in a world of problematic backwards compatibility in all layers of the SS7 and internet space. Is that going away anytime soon? I doubt it.

FF has plenty of problems but they are one of the least dangerous browsers. Further, I thought most ISPs sold bits or “bandwidth” so wouldn’t increasing the traffic be good for ISPs?

Here is a question: would it be legal for ISPs to block any encryption including DNS encryption?

Clive Robinson April 23, 2018 6:02 AM

@ Bruce,

A hardware paper for you to peruse at your leisure.

As most consumers of battery operated computing know, batteries never last long enough and must wonder where it all goes other than making the device too hot to handle comfortably.

Well as has been highlighted by the various CPU bugs, shifting data from core memory into the CPU for processing is a major task thus bottleneck. Especially with high resolution images data movement takes way more power than processing at around 3/4 of the battery output...

As I've mentioned before there are ways you can get around such things, in effect by making "data local" to a low power CPU. As memory in the main does not have the same area / power issues as high end CPUS it makes sense to stud low power task specific CPUs within the memory area thus spreading the "heat death" issues.

The problem was though the issue of the speed of light it limits not just the clock speed but the distance and power required to shift data. Put simply whilst the gains on a single chip are worthwhile we can do oh so much better if we go high rise.

This paper looks into the speedup and power reduction potential not in super computers but ordinary consumer devices using "stacking" which will provide interesting gains.

https://people.inf.ethz.ch/omutlu/pub/Google-consumer-workloads-data-movement-and-PIM_asplos18.pdf

However the low power devices they are looking at to do Processing In Memory (PIM) are without caution going to open up a new and even more interesting attack space, as they can be configured to be a virtual CPU. We have seen this before with Intel chips and their memory management systems.

Clive Robinson April 23, 2018 6:39 AM

@ Bruce,

Now for something even more off silicon, this time into organics... You might have heard of neurostimulators, they are wired into the person's nervous system to help with things like Parkinson's Disease.

Well like many implantable medical devices they need adjusting and fine tuning via a communications port....

And guess what... the manufacturer of some devices appear to have relied on the much famed "security through obscurity"...

Something you think the message would have got out about by now but hey it's just humans getting wired, unfortunately with the usual quite predictable result that the security in the comms interface turns out not to be secure at all...

Yet again we get the result of a hackable device connected directly to someone’s brain. The researchers at KUL (including Bart Preneel) have come up with some possible attacks, and also importantly alternative secure mechanisms.

If it sounds crazy that this should be happening, well the attacks do sound like they come from some future dystopia sci-fi novel / movie. But that is the future we are plainly heading for with or without the moody effects of Bladerunner.

https://www.esat.kuleuven.be/cosic/publications/article-2803.pdf

Maybe you should start a non fiction section for the Movie Plot competition.

VinnyG April 23, 2018 7:48 AM

@Clive Robinson re: 2FA I agree that the codes don't appear random. It isn't just too many obvious sequences, but my impression (no research) is that the selection of numerals is skewed beyond random. It's more than possible that I tend to see patterns in numeric strings when none exist :) OTOH a few years ago I noticed that there was a fixed relationship between Dell Service Tags and Dell Express Service Codes by staring at a handful of examples for a few minutes. I will try to get around to reviewing the TOTP standard cited. Not mentioned in the article is the crucial issue of how the risk might increase if 2FA strings are significantly unrandom. A 6-digit numeric string has only 999,999 possibilities anyway, so the computation part of a brute forcing attack wouldn't seem to present a problem for any adversary.
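For readers following the TOTP discussion in this comment, an added example that is not part of the original comment: HOTP/TOTP code generation following RFC 4226 and RFC 6238, plus two exact counts that bear on whether 6-digit codes "look" patterned. The secret is the published RFC test secret; the helper names are hypothetical.

```python
import hashlib
import hmac
import struct

# Test secret published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation to a
    31-bit value, then reduction modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the number of elapsed steps."""
    return hotp(secret, unix_time // step, digits)


def has_adjacent_repeat(code):
    # True for codes such as "287082"? No. For "338314"? Yes ("33").
    return any(a == b for a, b in zip(code, code[1:]))


def count_adjacent_repeats(digits=6):
    """How many of the 10**digits codes (000000 through 999999 for six
    digits) contain at least one doubled digit, under a uniform draw."""
    return sum(
        has_adjacent_repeat(str(n).zfill(digits)) for n in range(10 ** digits)
    )


def modulo_bias(digits=6):
    """The truncated value has 2**31 possibilities. Returns (base, extra):
    every code is hit by `base` values and the lowest `extra` codes by one more."""
    return divmod(2 ** 31, 10 ** digits)


if __name__ == "__main__":
    print("TOTP at t=59:", totp(RFC_SECRET, 59))
    repeats = count_adjacent_repeats()
    print(f"codes with a doubled digit: {repeats} of 1000000")
    print("values per code (base, codes with one extra):", modulo_bias())
```

About 41% of uniformly random 6-digit codes contain a doubled digit, so frequent "obvious" sequences are expected from a sound generator, and the bias introduced by the modulo step is on the order of one part in two thousand.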

echo April 23, 2018 8:14 AM

This is a worrying watering down of standards to cover abuses of power and bureaucratic inadequacy.

With regard to a completely different issue I have a paper trail which A.) Denies holding data relevant to discrimination for "data protection" reasons and B.) Refusal to answer a question (which may be treated as an FOI request) about the data destruction policy when documents were erased from multiple separate systems critical to decision making with no explanation. I am also aware of C.) Data being destroyed by state employees to make the government of the day look negligent in support of demands for a pay rise. Last but not least I am also aware of D.) Complaints and investigations being thwarted so issues rolled past recorded calls being automatically destroyed without notification after the three month retention policy.

Home Office data exemption sparks fears of further Windrush scandals
Rights groups say new data protection legislation will lead to further miscarriages of justice
https://www.theguardian.com/uk-news/2018/apr/23/home-office-data-exemption-sparks-fears-of-renewed-windrush-scandals

The Home Office is to be given sweeping data protection exemptions that will prevent anyone seeking information about their immigration status in future, campaigners for the Windrush generation are warning.

[...]

“And immigration enforcement teams will find it even easier to secretly access confidential information collected by trusted public services like schools and hospitals.”

CallMeLateForSupper April 23, 2018 9:00 AM

Interesting article re: passwords, how people have chosen passwords, common passwords, more...

"What 10 million passwords reveal about the people who choose them"
https://wpengine.com/unmasked/

Another:
https://www.wired.com/story/why-so-many-people-make-their-password-dragon/


Shamelessly glib comment: Why do people cling to the practice of generating a passphrase of the form word+digit or word+number (e.g. "dragon6" or "dragon666")?
Doing
digit/number + (pseudo)word [1]
or
(pseudo)word + digit/number + (pseudo)word
Is no more difficult to do nor more difficult to remember (IMHO).

And keep in mind that, with passphrases (and some other things ;-) ), size matters "moocho".


[1] pseudoword: misspelled word, e.g. "mariage" (marriage).

Clive Robinson April 23, 2018 10:21 AM

@ 65535,

I do wonder at what point it would make it non-profitable for ISPs to not block encrypted DNS?

With the USG little changes to legislation in effect providing a defence for companies that also hand the info over to the USG free gratis, the answer I suspect is that the non profit point has disappeared over the horizon for quite some way...

It kind of plays on the liability and insurance aspect, which brings us onto,

Cleaning up DDOS attacks could cut their profits.

Yes the loss of income and system clean up would take a smallish bite but insurance --in theory-- covers that. Their big concern would be litigation for what is in effect negligence, currently I don't see them over worried about that as "It's a rough sea that rocks all boats" which means you'd have to find some exemplar of "best practice" they are sufficiently at variance with. Not easy when in effect they are all lowest common denominator out of choice / self protection.

With regards,

Next, is Duck Duck go and start page. If you are basically correct about ISPs controlling DNS why would they allow semi-obscured look ups and then https connections. Why wouldn’t those services be on their list next?

An https return from a search engine does not really tell them very much. However the user clicking on a link and getting a DNS or similar recognisable re-direct tells them what does interest the user. So the likes of Duck Duck are not going to dig into the ISPs profit in that respect.

FF has plenty of problems but they are one of least dangerous browsers.

That's not really the point, the issues with "fall-back" and user "ease of use" is almost on par with security by obscurity when it comes to security issues. So it's one company today a different company tomorrow, the problem persists decades after we should have solved it...

Further, I thought most ISP sold bits or “bandwidth” so wouldn’t increasing the traffic be good for ISPs?

No they sell "the illusion of a service" that is they have business models that have contention rules built in. So you might think you are paying for 20Gbit/sec but the chances are it will be 100Gbit/sec shared amongst fifty users at any one time.

Here is a question: would it be legal for ISPs to block any encryption including DNS encryption?

In the US yes they just put it in their terms of service, which for some reason they believe to carry the force of criminal law due to other poorly worded legislation...

Even if not they can as they are not strictly "common carrier" status free to terminate your contract whenever they see fit.

simpsonApril 23, 2018 10:50 AM

There was an English Inquisition to identify individuals who so much as experimented with ciphers. If the officials found evidence you had so much as discussed cipher design you would be dragged before a tribunal of hooded justices and condemned. Often the accused was subjected to physical torture beforehand.

The perpetrators of these practices survive even today, yet in disguised form. At first they attempt to embarrass and publicly humiliate. If that fails there is a room somewhere in dark government offices into which cipher experimental designers disappear. Some officials frequent discussion blogs such as this, with the intention of ferreting out anyone who would dare "roll their own." Be careful.

Clive RobinsonApril 23, 2018 5:32 PM

@ VinnyG,

A 6-digit numeric string has only 999,999 possibilities anyway, so the computation part of a brute forcing attack wouldn't seem to present a problem for any adversary.

It may be less than one in a million, it might be one in 512K for instance, or one in say 2^18 bits grouped in octal digits with an additive of some form.

So whilst it fills the full range in some number base, it is presented in base10 where it does not fill the full range. So it would be possible to add two 18 bit numbers of a calculated secret key and time and then convert the result to base10 then just add another secret fixed or otherwise digit by digit mod10. The result would look biased but that is simply due to redundancy. I've seen this sort of thing before years ago with time based security locks, somebody wrote the algorithm in BASIC for the BBC Model B home computer and it was somewhat of an annoyance rewriting it in Pascal when the system got upgraded.
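The construction sketched in the comment above, written out as an added example (it is not code from the comment or from any real lock product). It assumes the two 18-bit values are added without wrap-around and that the secret digit-by-digit addend is a fixed six-digit pad; the key, time step and pad values are constructed.

```python
"""Constructed model of a 6-digit time-based lock code built from 18-bit values."""
import math

BITS = 18
MASK = (1 << BITS) - 1  # largest 18-bit value: 262143


def lock_code(secret_key: int, time_step: int, pad: str) -> str:
    """Return the six decimal digits a user would see.

    secret_key and time_step are each reduced to 18 bits and added
    (assumption: plain addition, no wrap), the sum is written in base 10,
    then the secret pad is added digit by digit mod 10.
    """
    if len(pad) != 6 or not (pad.isascii() and pad.isdigit()):
        raise ValueError("pad must be exactly six decimal digits")
    total = (secret_key & MASK) + (time_step & MASK)  # 0 .. 524286
    digits = f"{total:06d}"
    return "".join(str((int(d) + int(p)) % 10) for d, p in zip(digits, pad))


def leading_digit_counts(secret_key: int, pad: str) -> dict:
    """Histogram of the first displayed digit over one full time cycle."""
    counts = {}
    for t in range(MASK + 1):
        lead = int(lock_code(secret_key, t, pad)[0])
        counts[lead] = counts.get(lead, 0) + 1
    return counts


def distinct_codes(pad: str) -> int:
    """Number of different codes reachable over every key and time value.

    Keys 0 and MASK together with all time steps cover every possible sum.
    """
    return len({lock_code(k, t, pad) for k in (0, MASK) for t in range(MASK + 1)})


def effective_bits(n_codes: int) -> float:
    """Size of the guessing space in bits."""
    return math.log2(n_codes)


if __name__ == "__main__":
    pad = "123456"  # constructed pad
    n = distinct_codes(pad)
    print("reachable codes:", n, f"({effective_bits(n):.2f} bits)")
    print("full 6-digit space:", 10**6, f"({effective_bits(10**6):.2f} bits)")
    print("leading digits, key=0:", leading_digit_counts(0, pad))
```

The pad only permutes digit strings, so the reachable set stays at 524,287 codes (about 19 bits) rather than 10^6, and for one fixed key a full time cycle produces just 2^18 of them; the skewed leading digit is the visible sign of that redundancy.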

ThothApril 23, 2018 5:59 PM

@Clive Robinson, VinnyG

Not if you were to build your own chip with its own time source attached to set a lock out after some amount of time and increase a 6 digit to 12 digit code and storing some sort of random secret nonce in a secure partition of sorts like how Apple does its Secure Enclave where a secret nonce is baked into the chip.

Problem is the Apple's Secure Enclave is based on ARM TZ and I don't like how it looks and the ARM TZ's time source is shared with the main CPU and thus it does not constitute the above use of a separate and independent time source.

That can only prevent logical bruteforce if you can make your own hardware-based enclave similar to the reproduction of the Secure Enclave chip's operating environment.

You can do that with a PIC/ARM 32-bit chips under the Cortex M0 or M3 family for the Enclave CPU and limit the I/O surface for requesting for credential authentication to a properly built microkernel (seL4) just like what Apple's Secure Enclave is using.

Physical attacks are possible once you lay hands on the setup physically and also via a short distance EM attack.

ThothApril 24, 2018 1:06 AM

@all

Microsoft with its Virtualization-Based Security wades deeper into ARM TZ et al. technologies.

More pervasive spying and DRM from the hardware level.

Link: www.securityweek.com/microsoft-announces-new-windows-platform-security-technology

Wesley ParishApril 24, 2018 2:37 AM

Ah, the joys of Slashdot. I found these interesting articles courtesy of Slashdot humint:

https://theoutline.com/post/4255/what-happens-if-satellite-hack-cyberspace

They are a bit defeatist. https://fas.org/nuke/control/salt1/text/salt1.htm SALT I established the usage that satellites were in a neutral territory

Article V

1. For the purpose of providing assurance of compliance with the provisions of this Interim Agreement, each Party shall use national technical means of verification at its disposal in a manner consistent with generally recognized principles of international law.

2. Each Party undertakes not to interfere with the national technical means of verification of the other Party operating in accordance with paragraph 1 of this Article.

3. Each Party undertakes not to use deliberate concealment measures which impede verification by national technical means of compliance with the provisions of this Interim Agreement. This obligation shall not require changes in current construction, assembly, conversion, or overhaul practices.

SIPRI made some interesting points:

https://www.sipri.org/publications/1982/outer-space-new-dimension-arms-race

https://www.sipri.org/publications/1987/space-weapons-and-international-security

The technology and situations they addressed in those books don't exist today, but those books provide a useful jumping-off point.

These urls deal with identity. Let us hope that Hollywood doesn't decide to take this as a topic and as usual with Hollywood, thoroughly screw things up beyond all recognition:

https://www.technologyreview.com/s/610784/this-algorithm-automatically-spots-face-swaps-in-videos/

https://deadline.com/2018/04/deepfaking-technology-sag-aftra-actors-union-fighting-back-1202371117/

The right of publicity is a property asset, designed to protect the livelihood of our members from misappropriation and theft, and it should be exclusively or non-exclusively licensed or passed down to heirs, much like a copyright.

They're already part of the way to what I've been arguing for some years now, that one's digital deeds and actions are copyrighted and thus protected.

Wesley ParishApril 24, 2018 2:40 AM

Corrigendum:

"The technology and situations they addressed in those books don't exist today, but those books provide a useful jumping-off point."

should read "The political situations they addressed in those books don't exist today, and the technology has advanced, but those books provide a useful jumping-off point."

JG4April 24, 2018 8:23 AM


Nothing here should be a surprise.

https://www.nakedcapitalism.com/2018/04/links-4-24-18.html

...

Big Brother is Watching You Watch

Google Accused of Showing ‘Total Contempt’ for Android Users’ Privacy Bleeping Computer

Amazon Has a Top-Secret Plan to Build Home Robots Bloomberg (Kevin W)

YouTube says computers helped it pull down millions of objectionable videos in three months Recode

Google discloses Nest finances, and they aren’t great MarketWatch (Kevin W)

...

echoApril 24, 2018 10:11 AM

One or the other of these developments would be very worrying on their own but both are very alarming.

https://www.independent.co.uk/voices/brexit-lgbt-rights-uk-leave-eu-charter-gay-equality-theresa-may-a8317711.html
LGBT rights are on the line today in the government's Brexit bill. A new report concludes that the UK’s journey towards full equality for LGBT people could not have happened without the EU: so what happens when we leave?

https://www.theguardian.com/law/2018/apr/24/english-justice-hanging-on-by-fingernails-warns-top-judge
English justice 'hanging on by fingernails', warns top judge. Funding cuts to criminal courts could undermine quality of entire system, says Lady Justice Hallett

RatioApril 24, 2018 12:00 PM

Military grade firearms increasingly available to terrorists in Europe - report:

“In western Europe the traditional closed character of criminal gun markets has partially eroded in recent years and we have observed an increased availability of military-grade firearms. These weapons have then also ended up in hands of terrorists,” said Nils Duquet, the editor of the report and a senior researcher at the Flemish Peace Institute, an independent research institute that coordinated the study.

Two trends particularly worry researchers: the “trickling-down” of the possession and use of firearms to lower-level criminals in several EU member states, especially in western Europe, and the growing overlap between Islamic extremists and the criminal underworld.

[...]

The report concluded that terrorists generally rely on previously established criminal connections to obtain firearms on illicit markets. It identified prisons as places that offered new opportunities for extremists who did “not yet have the necessary criminal connections to acquire firearms”.

[...]

According to a separate report, also released on Tuesday, by analysts at the Geneva-based Small Arms Survey, criminal and terrorist networks on the continent obtain firearms from two major sources: weapons smuggled from south-east Europe after the Yugoslav wars of the 1990s, and the more recent trade in converted firearms, some of which originate in EU member states.

The reports:

JonKnowsNothingApril 25, 2018 7:14 AM

@Moderator

Updating that this site is still blocked with at least one browser. I am posting this under FireFox which for the moment appears to be able to access the site.

I have no idea why this site would be blocked... well, actually anyone reading this site would know why it is blocked but there isn't anything here other than open information.

I have no technical information to provide other than I get a "site not found" (404) message. The same browser can access major news, commerce+retail and other tech sites like Ars, El Reg. So I can only presume it's something between here and there.

It's a sad state when web sites become browser dependent, even if they don't intend to be so. Worse is when a publicly important site goes "blank" and the publishers/authors have no idea that the site is "blanked out" somewhere along the backbone. It is a convenient way to silence information without anyone noticing or bothering about it.

Move along, nothing to see here: literally.


echoApril 25, 2018 7:57 AM

This may be an interesting test of bureaucracy versus Eurocracy.

https://uk.reuters.com/article/uk-germany-airshow-eurofighter/eurofighter-doesnt-expect-u-s-to-use-nuclear-certification-to-tilt-german-jets-bid-idUKKBN1HW139

The head of Eurofighter on Wednesday said he did not expect the United States to slow certification of the European fighter’s ability to carry nuclear weapons as a way to influence a competition to replace Germany’s ageing 90 Tornado jets.

VinnyGApril 25, 2018 9:04 AM

@JonKnowsNothing re: 404 - I can't speak for @moderator, but I have this same issue. If you are using a VPN or similar IP obfuscation tech, it is probably because an IP block you are within has been flagged (correctly or not) for abuse by Bruce's provider. In many cases I find that when this happens to me at this blog, I am also prevented from running any multi-term queries at Google (redirection to ipv4.google.com). You might try that as a test. My solution is to switch to a different apparent location (thereby changing IP address and block) in my VPN client. It takes some experimentation, and isn't foolproof, but I find that there is a common pattern and that I can continue to access this blog (and Google search, which seems to be even worse wrt this issue) with minimal (>0) inconvenience.

VinnyGApril 25, 2018 9:08 AM

@echo re: Eurofighter - Meh. You may rest assured that Lockmart has a clear strategy on this, and that the US Pentagon/DOD will follow its scripted part in that strategy to the letter...

VinnyGApril 25, 2018 9:17 AM

@JG4 re: Big Brother is Watching You Watch - NTM that Amazon has recently extended its "Key" service to allow delivery to the customer's (unattended) car trunk. What could possibly go wrong? (that phrase is utilized so often I think it easily merits an acronym of its own, so proposing: WCGW/WCPGW.)

vas pupApril 25, 2018 10:16 AM

@eco: Thank you for your input. Yeah, UK can't be trusted by EU just because all fiber optic transatlantic cables are going through UK, and I guess GSCQ (pardon if I misspelled acronym) had always 'right of the first night' on the data coming through and intended for others, not UK.

That is very good article on hot subject of mass shooting - proactive approach for prevention:
http://www.bbc.com/future/story/20180423-the-unique-way-the-dutch-treat-mentally-ill-prisoners
I love bbc articles for very informative links inside as well.

echoApril 25, 2018 10:45 AM

The Netherlands has been years ahead of the UK across the board for a long time.

The psychiatric regime in the US essentially admitted faults whereas the best the UK can do a decade later is a report from the psychiatrists that they may be "perceived" as harsh and cruel plus other reports where "esteemed colleagues" essentially admit to weak leadership and not standing up for their patients best interests as they might. Multiple complaints of corporate manslaughter have been "no crimed" by UK police in spite of a very quiet report admitting that a punitive and cost saving orientated regime was both harming patients and failing the most severely ill patients who in some cases after being ignored and abandoned by the system either committed a crime of violence or committed suicide.

To its credit the UK government has acted (a right wing Conservative government no less!) to reform the system. The problem in many ways is dogma and staff scared of speaking out against abuses and also management who use trickery to steal money from mental health ringfenced budgets to prop up more mainstream healthcare knowing full well that patients lack the resources to challenge this or are a relatively small cohort unable to gather enough support to overcome marginalisation.

I fear in the UK the old guard coasting to retirement love their institutions. The old Victorian buildings may have gone but the top down contain and control do as you are told or be punished regime still exists in their heads.

It is only within the past couple of years that mental healthcare staff themselves have been subject to psychological assessments to determine their fitness to practice and anything resembling a quality assurance scheme.

Everything I have said is available in official published reports, annual reports, and in some respects even policies. None of this is a surprise. Nothing is new. They are all known knowns.

echoApril 25, 2018 10:55 AM

@vas pup

I would need to check this but I understand under both the German constitution or more directly the European Convention rigged decisions are unlawful because a "fair trial" or "fair hearing" is a guaranteed right. I'm not persuaded the US wanting to be top dog is a good enough reason to thwart this. German foreign policy tends towards being supportive rather than directly intervening which has been reinforced by the German foreign minister in very recent public interviews.

I wonder if the Germans are happy with Eurofighter being nuclear certified because this would be a good enough capability whereas a more stealthy aircraft on Russia's doorstep might raise tensions because of its first strike capability?

I don't know enough about enough to comment really. I'm sure these and other questions have or will be considered by people with expertise.

Synonymous April 25, 2018 6:56 PM

@Frances • April 23, 2018 12:43 AM

@Synonymous, my German dictionary translates Gerichtshof as Court of Justice. The Bundes = federal. So, Federal Court of Justice. But I don't know what its jurisdiction is.

"Bunde" is still an oath, a binding oath, to use the cognate English word. Even "federal" has that sense of an oath, almost as if it were a "confederacy," that is, a conspiracy or plot undertaken on oath.

"Gerichtshof" is to me more an enforcement of obedience to authority than a court, rather like the "Department of Justice" in the USA, which administers the FBI, DEA, ATF, and other federal law enforcement agencies, but not the court system itself, which is supposed to be impartial between prosecution and defense, and is actually run by the General Services Administration.

Nevertheless the US DOJ has assumed more or less a position of final arbiter of justice, which, so dispensed, in actual practice, is simply railroaded through the court system proper.

JonKnowsNothingApril 25, 2018 9:45 PM

@VinnyG Thank you for the response. The only thing I can do is reboot my router. AT&T has the rest of the pathway.

I am also glad to find another person with a 404 type error because after years of being in the software business I am more than familiar with the It Works For Me Syndrome. The number of times I've run into the Engineering Wall attempting to expose stuff that wasn't working (at all, much less to spec) and being stoned as an incompetent heretic endangering the stock option value of the (not working) product.

There is one other site I can absolutely not access via that browser; only via FF. It's a niche game site recently acquired by a company in the UK. It is conceivable that accessing the international pipes has led to some "blockade" but it only affects that particular game site and now this one. I am more than able to access EU/UK/GR/El Reg/Ars/Krebs and other sites without any noticeable interference.

When in doubt reboot the router....


CassandraApril 26, 2018 4:14 AM

I think the weekly FSB entry is a good place to mention this:

Collect It All - A competitive card game based on the CIA's declassified training game: Collection Deck.

The CIA designed a classified card game which they use to train their analysts. They recently declassified it and we’re adapting the game so you can play it too.

I was pointed to it by a posting on Soylent News: Kickstarter for CIA Operative-Training Card Game

It might be of interest to some of the contributors here. At present, it is only planned to be available in the USA. I am not involved in the Kickstarter in any way.

Cassandra

echoApril 26, 2018 7:10 AM

This is a remarkable outbreak of honesty from a government minister. I have noticed that men tend to misbehave like they own the planet and women who for better or worse can prop up the system can also be more open and tend to carry the can for what was originally mistakes laid down by men who have since scarpered behind a cloud of Old Boys Network. I'm not saying women are wholly innocent but what is the "first cause" of this and similar antisocially aggressive government policies which parties of all colours have been guilty of promoting? Can we dig a little deeper behind the performances and obscurities please?

https://www.theguardian.com/politics/2018/apr/26/amber-rudd-admits-home-office-set-local-targets-for-deportations
Amber Rudd faced fresh calls to resign after admitting the Home Office set strict local targets for removing migrants who were in the UK illegally, having previously told MPs her department did not set targets.

gordoApril 26, 2018 11:50 AM

Schumpeter
America’s antitrust apparatus prepares to act against big tech
A University of Chicago conclave of experts debates how far to go
Apr 26th 2018

Here is a prediction. An alphabet soup of different consumer, privacy and media regulators will slowly try to ensnare the big tech firms. At the same time the antitrust regulators (the DoJ and the competition arm of the FTC) will make it nearly impossible for the big five companies to acquire smaller ones. They will also seek to enforce mechanisms to ensure there can be a safe transfer of data and customers between the big incumbent tech firms and their potential competitors so that newcomers can prosper.

https://www.economist.com/news/business/21741173-university-chicago-conclave-experts-debates-how-far-go-americas-antitrust-apparatus

Lately, and other benefits aside, I've been wondering how "mandatory opt-in consent" could possibly stifle innovation, i.e., competition. On that, I haven't got a clue.

Synonymous April 26, 2018 5:31 PM

http://www.businessinsider.com/trump-threatens-to-intervene-in-justice-department-2018-4

Trump makes cryptic comment about getting involved with Justice Department

Trump isn't that happy about it, either. At this point, there is just too much hostility after Jefferson Sessions' firing of 46 attorneys general, and the departure of Eric Holder, the massive leak of government personnel records under Katherine Archuleta, the polygraph lie detector, the Myers-Briggs personality fit test and other hocus-pocus used in court or for employment purposes, fingerprints and DNA leaked to hostile foreign parties, and so on and so forth.

We can mince words all we want, but we really have to start talking about a hostile foreign occupation of the U.S. Department of Justice. Sometime last year I ran into some guys from the Marine Corps who were saying that a coup d'état had taken place in the U.S., and I'm still not entirely sure they were exaggerating, because there is a worldwide situation of TMI* on U.S. citizens.

*TMI = Too Much Information

ThothApril 27, 2018 6:38 AM

@Clive Robinson, all

Clipper chip v2.0 is coming and is being patented.

In fact, the ARM TZ family (including Intel SGX and AMD PSP) are already a form of Clipper chip v1.5 and all of us are already happily and voluntarily carrying them in our pockets (smartphones), on our wrists (smartwatches), laptops (Chromebooks) and even build communities around single board computers (RaspberryPi et al.) without even thinking of the implication.

In fact, Clipper chip 2.0 does even need to be a chip. It is already there around us (via ARM TZ et al.).

Just need to push a law into existence and strong-arm all Trusted Execution Environment Operating System (TEE-OS) developers to ensure that the ARM TZ et al. family of technologies they are using has the firmware based Clipper chip feature enabled since ARM Cortex A series and the TZ et al. is effectively a Clipper chip by design.

Links:
- https://www.wired.com/story/crypto-war-clear-encryption/
- https://arstechnica.com/information-technology/2018/04/why-ray-ozzies-plan-for-unlocking-encrypted-phones-wont-solve-the-crypto-wars/

echoApril 27, 2018 7:33 AM

@Thoth

This strategy of implementing control systems outside of the owners reach seems to me to be implementation of the OODA loop in practice.

ThothApril 27, 2018 8:22 AM

@all

Since we are talking about Clipper chips and backdoor in the form of software, firmware and hardware, here is a blueprint for an fClipper (firmware Clipper) that probably already exists using the wonderful ARM TZ et al. technology without making much changes while still providing the function that Clear (linked below) also provides without needing additional changes to existing environments (i.e. Chips, firmwares, softwares, etc.) and thus reducing cost of implementations.

Yes, I know that @Nick P has also come up with high assurance backdoors/frontdoors designs and probably those would be rather expensive to implement with lots of infrastructure changes and customization whereas my design of the fClipper uses COTS setup and almost no overheads or extra equipment or changes to firmware and the existing ARM TZ's TEE-OS.

What the fClipper has to do:
- Prevent further use of device and chip
- Prevent logical level erasure of data
- Allow LE access once a valid warrant is submitted

Most LEA schemes do not take much consideration into Key Management which is the managing of the cryptographic escrow keys and this scheme implicitly includes KM as part of its security threat model.

The setup for Law Enforcement Key Restricted Escrow Management (LEKREM) is to use a COTS HSM :) .

Yes, it's that simple :D .

All HSMs have authorized roles and all HSM admins are not allowed to peek, utilize or export keys belonging to Crypto Users because the HSM admins only have rights set for administering the HSMs but not the rights to utilize, export or in any form handle the key material of other Crypto Users.

A national level HSM would be installed in the USA and the quorum of administering custodians of the national HSM would be chosen by the President and Senate Councils via voting.

Every company manufacturing their own devices would be issued a Crypto User partition in the national HSM which would only allow them to access their own keys and also protect them against the administrators as per the requirements of a certified HSM by FIPS PUB 140-2 standards.

All key materials must be generated using the national HSM.

The companies would need to provision their own devices, sign their own firmware and software and inject their own keys into their devices and to prevent overloading the central national HSM, all companies are to acquire a FIPS 140-2 certified HSM with KMIP protocol (Key Management Interoperability Protocol) feature enabled. The companies' own certified HSMs would first need to be registered to the national HSM before being allowed to negotiate over KMIP to the national HSM to gain a session and have a company of their keys securely synchronized to their companies' HSMs for their daily use and after its use the HSMs would automatically wipe the keys from their local HSM keystores.

This essentially solves all the Key Management issue in a very practical manner.

Now, we continue to the actual fClipper firmware itself. The fClipper firmware is simply a TEE-OS with additional features without needing to rewrite the current existing TEE-OS firmware.

The fClipper would feature another OS partition called the Firmware based Law Enforcement Access Operating System (FLEA-OS) that is to be included into the TrustZone's Trusted Bootchain so that every time the device boots, the FLEA-OS partition would be checked during the ARM TZ's Trusted Boot sequence. The signing key that allows chaining the FLEA-OS boot information to the main Trusted Bootchain would be the company's signing key that is generated and stored in the national HSM.

The FLEA-OS would be a minimalist UNIX based Operating System that includes basic tools for Law Enforcement use (i.e. copying out encrypted PINs, keychain and keystore materials, phone books and files to hand over to the respective companies for decryption). Decryption is not done directly on the device because it poses a security threat to the key material and access to the national HSM is needed which a normal LEA officer may not have the privilege to do so.

The FLEA-OS would also have the ability to blow the digital fuse (one time programmable eFuse) on the ARM TZ which would essentially switch the device to "Forensic Mode" and normal operations and access would not be allowed and all data access is done in read-only mode. Only encrypted data can be exported out of the device.

Normal booting procedures would be detected by the ARM TZ and disallowed from continuing normal boot and would automatically push the Forensic Boot Procedure which launches the FLEA-OS once the digital fuse is detected to be triggered.

The device's RNG would be derived using a cryptographic key with the device ID and sprinkling some "magick pixie dust" via a bunch of SHA3 hash functions over the "secret powder" to generate a unique device RNG key to feed the device's hardware RNG. This ensures that all randomness are controllable as needed and the master RNG key for each company is stored in the national HSM in each company's Crypto User account in the HSM.

The device would have a baked in Company Root Key (RSA-2048 Public Key) or what we know as an OEM Root Key. This allows attestation of firmware and updates as well as allowing a secure channel to be established to negotiate secure sessions between the device and the company's backend. This also allows generation of securely sealed data (i.e. encrypted and MAC-ed files, pins, keystores, etc.) that only the company can decrypt.

The reason that RSA-2048 is chosen is because most chips in the market are known to have a maximum RSA key length of 2048 bits and to increase it into the 4096 bits range is going to drive up production cost and the support for on-chip ECC key function is still not mature thus the most common asymmetric key algorithm available is RSA-2048 bits.

LEA officers would need to use a special tool to plug into the device physically over the USB or Lightning ports and a secure channel would be opened to the FLEA-OS to trigger the irreversible "Forensic Mode" for the first time. The forensic tool would contain a digital certificate signed by the national HSM with a government controlled Crypto User called the "GovtUser" role that would issue certificates (RSA-2048 bit keys again due to the limitations of device chips in the market) to forensic devices.

In the event the forensic devices were to fall into the wrong hands, it cannot do much harm as its main role is to trigger the "Forensic Mode" which would allow the secure copying of digital data which are sealed (encrypted and MAC-ed) where only the company can use their own Crypto User accounts in the national HSM to decrypt these data on a case-by-case basis if a legal warrant is valid.

This is the entire fClipper blueprint I have designed and placed into public domains where its rights are assigned to the public.

This blueprint has economic and political implications if implemented as the use of national HSM, while allowing a true NOBUS access would definitely make other Governments and countries upset and inevitably also increase the chances of other countries nationalizing their own commercial production and also probably even enhance the effects of trade wars waged by powerful nations as they feel threatened by such designs.

Also, a disclaimer, this fClipper design "has a water-resistance of only 5 ATM" if you know what I meant ;P .

A very careful look would reveal the "tightness of the seals" :D .

Good luck for those trying to repeat history of implementing NOBUS LEA capabilities.

It rarely ends well and the "water seals are rarely tight".

65535April 27, 2018 5:17 PM

@ Clive Robinson

I do agree with some of your statements and you do have a rather dim outlook for the technology giants that fleece their customers. But how do you fix it?
Let’s start with your last statement first:

[question: would it be legal for ISPs to block any encryption including DNS encryption?] -65535

“In the US yes they just put it in their terms of service, which for some reason they believe to carry the force of criminal law due to other poorly worded legislation... Even if not they can as they are not strictly "common carrier" status free to terminate your contract whenever they see fit.”- Clive R.

The common carrier part may be correct but would you like to expound upon the part about using US civil law as US criminal law. I would like to get a second opinion from a real lawyer.

Blocking all encryption including DNS encrypted packets sounds a little sketchy to me as a lay person. It might happen under USA martial law or possibly a “National Security” situation. Other than that I don’t see the likes of Microsoft shutting down their encryption of metadata or Google turning off their AJAX and so on.

“They [ISPs] sell "the illusion of a service" that is they have business models that have contention rules built in. So you might think you are paying for 20Gbit/sec but the chances are it will be 100Gbit/sec shared amongst fifty users at any one time.”- Clive R

That is a somewhat realistic picture of how ISPs swindle their customers. I cannot really disagree on that one. How does a business consumer or household consumer change this?

It is generally done by switching ISP companies to get the best “bang for your buck” so to speak. This is by no means a perfect solution.

I will say the bigger and more resource filled customers can cut better deals than the average Jane/Joe. That’s just democracy and oligopoly type capitalism in action [ISPs tend to form monopolies or oligopolies like the old big 3 auto manufacturers which crumbled under greater competition].

[FF has plenty of problems but they are one of least dangerous browsers]- 65535

“That's not really the point, the issues with "fall-back" and user "ease of use" is almost on par with security by obscurity when it comes to security issues. So it's one company today a different company tomorrow, the problem persists decades after we should have solved it...”- Clive R

Poverty and disease should have been stopped after centuries of time. A lot of things should have been solved but were not. I don’t like it as much as you. If you have a solution to the compatibility problem or fall back nature of our not so perfect technology situation please speak up.

Why should FF not try to clean up DNS? I would guess trying to fix a known problem is better than doing nothing and letting the situation get worse. Who knows, maybe FF will make it work and there will be more eyeballs on the project plus its outcome.

“With regards [to Duck Duck go and start page] https return from a search engine does not really tell them very much. However the user clicking on a link and getting a DNS or similar recognisable re-direct tells them what does interest the user. So the likes of Duck Duck are not going to dig into the ISPs profit in that respect.” – Clive R

That may be true and maybe not. If everyone is in the business of data mining why would that not be true? If one data miner can eliminate her/his competition why not to do so? Duck Duck go knows what exactly was searched for and which link was clicked. If ISPs are data controllers why not thin out their competition? But, if you are saying search engines are the instrument of which ISPs ride search engine’s coat tails you could be correct.

[Cleaning up DDOS attacks could cut their profits]- 65535

“Yes the loss of income and system clean up would take a smallish bite but insurance --in theory-- covers that. Their big concern would be litigation for what is in effect negligence, currently I don't see them over worried about that…” –Clive R

I agree this is a forked issue and may be difficult to argue concisely. Take the Ford Pinto gas tank fireball issue where a small incremental cost saving eventually turned into a huge legal loss.

Because of the many facets of “Save costs now v. Pay more in the end” it is hard to legally predict. This type of thing only comes out in the end. I will grant you that.

Sancho_PApril 28, 2018 5:19 PM

@65535

Why would you want to encrypt the DNS lookup?
I mean, where is the advantage, is it security? Privacy? Both? Or other?
Is it to starve your ISP while enriching either Google or Cloudflare?
What could we hide from whom?

65535April 28, 2018 6:19 PM

@ Sancho_P

Look at Boofery’s post. It has been discussed on various forums. It is for security reasons first and privacy second. It is a project in progress. Who knows if it will work.

“The Mozilla Foundation is testing a new mechanism for securing domain name server traffic that uses the encrypted HTTPS channel. It is an attempt to speed up the internet, reduce the threat of man-in-the-middle attacks and keep prying eyes from monitoring what users do online.”- Threatpost

https://threatpost.com/mozilla-tests-dns-over-https-meets-some-privacy-pushback/130765/

65535April 29, 2018 5:59 AM

I will move the FF60 crypto DNS post to the newer squid for more eyeballs on the subject.

Clive RobinsonApril 29, 2018 9:58 PM

@ 65535,

"would you like to expound upon the part about using US civil law as US criminal law. I would like to get a second opinion from a real lawyer."

As I understand it the terms of service between you and the ISP form a contract under what would be civil law. However part of those terms of service include what you can or can not do on their computers. Other criminal legislation due to its overly broad scope then regards those terms not as a civil contract but if breached as harms subject to criminal sanction.

It's kind of the difference between trespass (civil) and breaking and entering (criminal) or trespassing and causing harm or other damage (criminal trespass).

That is when the trespass involves violence or injury to a person or property, it is always considered criminal, and penalties may be increased for more serious or malicious acts. Which leaves the question of "intent". Under some statutes criminal intent may have to be proved to convict, thus other circumstances might need to be considered such as was a tool or instrument used and did the person bring it with them etc.

I think it was the Chicago Law Review that had the "cybertrespass" article that pointed out the parallels between existing tangible physical world trespass and that in the intangible information world.

As for what encryption an ISP could decide to block, it depends on their terms of service, many have a universal "get out" clause based on protecting their equipment or others' equipment or for engineering reasons. You see this happen with Tor nodes and even VPNs, go and have a look at what Cloudflare are reputed to do, and in the main they have no contract or terms of service with you or even your ISP but they still block traffic they don't like or try to force it into plaintext in some manner...


With regards,

"Why should FF not try to clean up DNS? I would guess trying to fix a known problem is better than doing nothing and letting the situation get worse."

I've no objection to FF trying to sort out a technical issue, provided it actually works and does not break anything. Otherwise you get the sort of problems the UK's TSB bank has just suffered from.

But look at it this way, either FF has to setup an entire new DNS service that is entirely encrypted at every level in some form of mix-net form or privacy will leak at some point in the process. Likewise to maintain the privacy FF would have to use a mix-net to keep both the originator and destination IP addresses private.

I'm not sure that FF are likely to do much or any of that so the user's privacy will be leaked at some point. Thus the questions of where, by whom and when arise. Followed by what gain can or can not be made by doing so.

Which brings me onto,

"If one data miner can eliminate her/his competition why not to do so? Duck Duck go knows what exactly was searched for and which link was clicked."

Firstly you only eliminate competition when it is profitable to do so. The mere fact someone chooses a different search engine they give the ISP information which can be used to profile the individual even if the search and its results can not be seen by the ISP. But it is an assumption that the search engine will gain a lot from the search itself or even get to know which one of the links the user clicks on.

There are both positive and negative searches that can give answers with no further action. For instance if I googled just the word "dystopia" then did not click on any of the returned links google will not know if I am using it as a glorified spell checker or to search for a band or something else. Google only gets to know if I follow one of their links if I actually click on it. With javascript off I can copy the link into an editor and "top and tail" the google stuff off of the link and just paste the actual site I want to go to into a blank FF window etc.

To be honest I really do not know why someone has not written the equivalent of a "google link stripper" as a plugin just to save data bandwidth and round trip delay time.

Your final paragraph is the fun one because it tells you a lot about the management mind set,

"Because of the many facets of “Save costs now v. Pay more in the end” it is hard to legally predict. This type of thing only comes out in the end. I will grant you that."

We all know if we drop something more dense than air it will eventually hit the ground. That is both the feather and the hammer reach the bottom of the tower at some point in time, but they could be seconds apart. Senior managers know that their actions will hit the ground at some point it's just a question of when and how hard. Many of them figure that as long as the feather floats for three or four quarters, they can make profit in the first two quarters and then pull out a mitigation or scapegoat in the third quarter, or make like a rat on a sinking ship.

That is there is a very definite "short term" thinking going on, to the point they will rob the future ten times over just to double today's profit. It's kind of like sawing the branches of the apple tree in January to sell as firewood, knowing full well you will not have apples to sell in the autumn. But you don't care because you will be gone in the spring with bonus in hand...

It sounds mad but if you look at a lot of companies where the directors are not founders or shareholders in it for the longterm then this is what you see them doing in business...
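
The "top and tail" link stripping described in the comment above, as an added example that is not part of the comment or the blog. It assumes the search result links are wrapped as a `/url` path on a Google host with the destination in a `q` or `url` parameter (the thread does not give the format); the host list and the name `stripRedirect` are hypothetical.

```javascript
// Hosts whose "/url" path is treated as a click-tracking wrapper.
// Assumption for this example: extend the set for other regional hosts.
const WRAPPER_HOSTS = new Set(["www.google.com", "google.com"]);
// Query parameters that may carry the real destination (assumed names).
const TARGET_PARAMS = ["q", "url"];

// Return the destination hidden inside a redirect wrapper, or the
// original link unchanged when it is not a wrapper or is not safe to unwrap.
function stripRedirect(href) {
  let link;
  try {
    link = new URL(href);
  } catch {
    return href; // relative or malformed link: leave untouched
  }
  if (!WRAPPER_HOSTS.has(link.hostname) || link.pathname !== "/url") {
    return href; // ordinary link, nothing to strip
  }
  for (const name of TARGET_PARAMS) {
    const raw = link.searchParams.get(name); // percent-decoded once
    if (!raw) continue;
    let target;
    try {
      target = new URL(raw);
    } catch {
      continue; // value is not an absolute URL
    }
    // Accept web destinations only; never hand back javascript:, data:, file:.
    if (target.protocol === "http:" || target.protocol === "https:") {
      return target.href;
    }
  }
  return href; // wrapper without a usable destination
}

// Constructed sample links (not captured traffic).
const samples = [
  "https://www.google.com/url?q=https%3A%2F%2Fexample.org%2Fdocs%3Fa%3D1&sa=U&ved=abc",
  "https://www.google.com/search?q=dystopia",
  "https://www.google.com/url?q=javascript%3Avoid(0)",
];
for (const s of samples) console.log(stripRedirect(s));
```

The same function can be applied to every anchor on a results page from a user script, so the destination is requested directly and the extra round trip through the wrapper is skipped.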

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.