Friday Squid Blogging: How the Squid Lost Its Shell

Squids used to have shells.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on May 11, 2018 at 4:17 PM • 54 Comments

Comments

WeskerTheLurker • May 11, 2018 5:19 PM

Might the NSA have already achieved exascale computing?

It's a question I've been wondering after having gone over the leaks about WindsorBlue and WindsorGreen from last year, and having come across this publicly available paper from 2014 which has a part describing the WindsorBlue architecture: http://www.dtic.mil/docs/citations/ADA614747

To sum it up, each WB ASIC "tile" has 528 cores in a 16 x 33 layout, and a full machine has 250,000 tiles, for 132 million cores; the leaks say "around 128 million", so some of those 528 cores are probably redundancies or used for system assists.

The reason why I've been wondering if this is exascale has to do with a few reasons. First of all, the first (coming) generation of exascale computers are predicted to have a core count somewhere in the 100 million range, which WB clearly fits in. Secondly, some quick-and-dirty calculations done by scaling the Blue Gene/Q system to WB's size gave me a number of around 1.5 exaflops. And finally, a couple minutes of casual searching online led me to a reference to the "Windsor Blue Exascale Supercomputer" project on the OPSEC graveyard known as LinkedIn (I know, it's flimsy evidence, but I wanted to include it anyways).

To me, this doesn't seem too far fetched, though how IBM and the NSA would be able to keep power consumption below the 100 MW mark is beyond me. But, I'm not a computer engineer, so I might be missing something here. Either way, I thought it'd be something interesting to bring up.

Steven • May 11, 2018 5:26 PM

Someone used the USPS change-of-address form to move the headquarters of UPS to his apartment. It was three months before people caught on.

Link here.

Maxwell's Daemon • May 12, 2018 12:01 AM

@WeskerTheLurker

Perhaps related to the reports of fires at the NSA's Utah data center? Somewhere around here I had the volumetric flow rates that they're using for coolant. That, tied with the temperatures of the water, could give an indicator of heat-sink capability.

Sh4ka • May 12, 2018 4:42 AM

A shell, possibly the most basic measure of defence. Your enemy can't hurt you if your skin is harder. After the shells we built walls around the cities and that helped us to defend against our enemies, but unlike the shells of the animals, we couldn't make them wider if we needed to. After the walls we modelled our firewalls. We basically leave the enemy outside by building a set of rules that decide what goes in and out. Infosec is no different from building walls and being attacked by catapults, we just use fancier tools but the principles are the same. Thank you for this blog, Mr Schneier.

Steven • May 12, 2018 9:01 AM

Does Gmail's New 'Confidential Mode' Make It Easier to Phish?


Gmail's new confidential mode lets its users create "expiration dates" for emails, or require recipients to provide an SMS passcode.


The problem arises since non-Gmail users cannot directly receive Gmail confidential mode messages. Instead...when a Gmail user wants to send a non-Gmail user such a message, the non-Gmail user is instead sent a link, that when clicked takes them to Google's servers where they can read the confidential mode message in their browser.


The potential risks for any service that operates in this way are obvious. Those of us working on Internet security and privacy have literally spent many years attempting to train users to avoid clicking on "to read the message, click here" links in emails that they receive. Criminals have simply become too adept at creating fraudulent emails that lead to phishing and malware sites.


We're never going to get ahead of this stuff, because while we're fixing individual security holes, the vendors are opening up whole new categories of them.

Steven • May 12, 2018 9:12 AM

Microsoft Adds Support For JavaScript Functions in Excel


Microsoft announced support for custom JavaScript functions in Excel. What this means is that Excel users will be able to use JavaScript code to create a custom Excel formula that will appear in Excel's default formula database. Users will then be able to insert and call these formulas from within Excel spreadsheets, but have a JavaScript interpreter compute the spreadsheet data instead of Excel's native engine.


"Office developers have been wanting to write JavaScript custom functions for many reasons," Microsoft says, "such as: (1) Calculate math operations, like whether a number is prime. (2) Bring information from the web, like a bank account balance. (3) Stream live data, like a stock price."


The attack surface of Excel-with-JavaScript will be the Cartesian product of the attack surface of Excel and the attack surface of JavaScript.

echo • May 12, 2018 9:17 AM

This is all well and good but what is Rifkind hiding? He seeks advantage and the limelight but why and why now and why the sudden development of a spine? It's not for anyone else's benefit I'm sure.

https://www.theguardian.com/world/2018/may/12/abdel-hakim-belhaj-rendition-ex-minister-calls-for-inquiry

The former foreign secretary Malcolm Rifkind has called for a parliamentary inquiry into the rendition of the Libyan dissident Abdel Hakim Belhaj. Human rights groups, meanwhile, say there needs to be a broader inquiry, independent of government.

echo • May 12, 2018 12:22 PM

Oh, my. This is a long read. If you can penetrate the ticking off of famous thinkers and concepts and handwaving about history and new technology or ‘Circular Causal and Feedback Mechanisms in Biological and Social Systems’ as a high forehead type coined it you may wish for a stiff whiskey with your scrambled brains. Or as the rest of us in the cheap seats do go for a walk outside.

https://mondediplo.com/2018/05/07fake-news

The truth about fake news
How to escape feedback

The first experiment on the effect of feedback on the social amplification of messages meant to make Americans react to the threat of nuclear attack.

Bauke Jan Douma • May 12, 2018 1:41 PM

@echo
What's there to investigate anymore? Better, send Tony BLiar and Jack Straw to prison immediately. Where these criminals belong.

Taz • May 12, 2018 2:50 PM

GrayKey - Looking for insights.


Assuming iOS 11.4 does contain that 7 day lockout on the USB port, how many PIN digits will be required to stay safe?


These long PINs are a pain in the ass. All courtesy of our tax dollars.

Alyer Babtu • May 12, 2018 3:06 PM

@Taz

Not that it will ultimately matter, but it is not hard at all to use a PIN of 8 random characters from the complete keyboard (omitting white space), and only a bit harder to go to 12 characters. Once there, it is a small step to 16, as natural as writing someone’s name really. Repetition does it and “muscle memory” takes over.

another Open Wireless fan • May 12, 2018 6:39 PM

Places with non captive portal WiFi include:

A) +1 Apple Stores (sometimes, iirc, picky with user's choice of DNS servers when trying to update user devices on-site)

B) +1 Wegmans (96 locations)
https://en.wikipedia.org/wiki/Wegmans

Does anybody know any other USA options like A) and B) above?

misc. links from an open portal wifi search:
https://serverfault.com/questions/596844/ssl-certificate-errors-in-captive-portals
https://en.wikipedia.org/wiki/Captive_portal

misc. links
https://ssd.eff.org/en/module/choosing-vpn-thats-right-you
https://openwireless.org/
"What about captive portals?
Oftentimes, logging onto an open wireless network in an airport or cafe takes you to a login page where you either have to enter your credentials or click an "I agree" button (agreeing to certain terms of service) before being connected to the Internet. This is known as a captive portal (or a catch-and-release).

The Open Wireless Movement seeks to create an environment where devices can connect to "openwireless.org" networks seamlessly and easily; captive portals, which are a barrier between the user and a connection, are the antithesis of good design for openness.

Captive portals interfere with Internet security and protocol innovation—and the efficiency that lies at the heart of the Open Wireless Movement—without providing many benefits, and we discourage their use, especially for networks named "openwireless.org""

Any comments about the above quote?

Are home or commercial ISP customers at much risk in the USA if they provide guest WiFi with ssid "openwireless.org"? Should they consider doing it? Is this too idealistic in today's world?

It would be nice if someone knowledgeable chimed in here about "Reasons for Open Wireless"
"It will bring about a new era of innovation +
It benefits businesses and economic development +
It is crucial to user privacy +
It benefits emergency services +
It conserves a scarce public resource: radio spectrum +
It helps bridge the digital divide +
It helps travelers and passersby +"
as found at https://openwireless.org/

Two Things • May 12, 2018 8:49 PM

Perhaps support your local bookstore or Barnes & Noble
https://www.theguardian.com/books/2018/may/12/barnes-noble-bookstores-retail-amazon
"Perhaps this is what it means to be a bricks-and-mortar retailer in 2018. It’s a feelgood customer experience and a showcase for online purchasing – but the sound of cash registers ringing? Not so much."

It's complicated
https://www.nytimes.com/2018/05/12/sunday-review/when-spies-hack-journalism.html
"What does this mean for journalism? The old rules say that if news organizations obtain material they deem both authentic and newsworthy, they should run it. But those conventions may set reporters up for spy agencies to manipulate what and when they publish, with an added danger: An archive of genuine material may be seeded with slick forgeries."

WeskerTheLurker • May 12, 2018 10:28 PM

@Maxwell's Daemon

I never even thought that up, very interesting point! Heat management is definitely an issue; incidentally, that seems to be the goal with WindsorGreen IMO.

Something we should look at too is Norway with their STEELWINTER WindsorBlue derivative computer, which was leaked back in 2013. Any unusual fires or power supply issues with the NIS?

echo • May 13, 2018 1:39 AM

I have repurposed my tower system to a fileserver and have my docked laptops in use. I'm still making sense of my network. I don't believe this is helped by usability and documentation issues! For good or ill my ISP blocks default SMB at the network level. (They allow custom ports through but this requires a separate active decision).

I'm still using Windows because it works with less hassle than Linux and the current version of Linux Mint has fumbled Samba and SSL. You can't be more secure than not working!

As for the internet I am skittish about attaching a server at the best of times. Wake on sleep decided to stop working. (Why?) It now spends most of the time switched off apart from occasional systems admin or a brief client-server synchronisation. Not that this is amazing either as not even a ten second Window will protect from threats as I have read and know from experience. On the other hand if something funny erupts from nowhere this helps give a larger warning window.

https://www.welivesecurity.com/2018/05/10/one-year-later-eternalblue-exploit-wannacryptor/

It’s been a year since the WannaCryptor.D ransomware (aka WannaCry and WCrypt) caused one of the largest cyber-disruptions the world has ever seen. And while the threat itself is no longer wreaking havoc around the world, the exploit that enabled the outbreak, known as EternalBlue, is still threatening unpatched and unprotected systems. And as ESET’s telemetry data shows, its popularity has been growing over the past few months and a recent spike even surpassed the greatest peaks from 2017. [...] This exploit and all the attacks it has enabled so far highlight the importance of timely patching as well as the need for a reliable and multi-layered security solution that can block the underlying malicious tool.

https://www.bleepingcomputer.com/news/security/one-year-after-wannacry-eternalblue-exploit-is-bigger-than-ever/
Even if EternalBlue is not being used anymore to help ransomware become a virulent nightmare on a global level (only on a network level), most regular users don't know that it's still one of today's biggest threats. [...] EternalBlue is also most likely one of the reasons Microsoft reacted by shipping new versions of the Windows OS with SMBv1 disabled, which was the protocol that EternalBlue targets.

65535 • May 13, 2018 9:08 AM

@ Alyer Babtu

“And who else is accessing this API ?”

Probably a lot of people from police down to peeping-toms.

“Securus’ location service as used by law enforcement is also currently being scrutinized. The service is at the heart of an ongoing federal prosecution of a former Missouri sheriff’s deputy who allegedly used it at least 11 times against a judge and other law enforcement officers… Friday, Sen. Ron Wyden (D-Oregon) publicly released his formal letters to AT&T and also to the Federal Communications Commission demanding detailed answers regarding these Securus revelations. "To access this private data, correctional officers simply visit Securus’ Web portal, enter any US wireless phone number, and then upload a document purporting to be an official document giving permission to obtain real-time location data," Wyden wrote…” -Ars Technica

https://arstechnica.com/tech-policy/2018/05/senator-furious-at-polices-easy-ability-to-get-real-time-mobile-location-data/?comments=1

Poorly redacted indictment of sheriff [Deputy?] Cory Hutcheson.

This is a sad commentary on cops, cell phone app makers, digitally ignorant judges, and large telephone companies - to name a few of the bad guys.

[No hope of fixing intentional typos in the text below]

[long, typo-ridden indictment text snipped by moderator]

see actual indictment linked below.
https://assets.documentcloud.org/documents/4457113/Hutcheson-41-Snlj-Acl-0.txt

Equally poorly redacted pdf
https://assets.documentcloud.org/documents/4457113/Hutcheson-41-Snlj-Acl-0.pdf

Location data laws and other privacy laws must be tightened!

(required) • May 13, 2018 5:29 PM

"These long PINs are a pain in the ass. All courtesy of our tax dollars."

Wut? Long pins are your friend. If people were forced to remember 16 digit pins in normal life,
the world would be a better place and average people would be marginally more intelligent to boot.

https://imagesvc.timeincapp.com/v3/mm/image?url=https%3A%2F%2Ffortunedotcom.files.wordpress.com%2F2016%2F03%2Fcha-03-15-16-featured.png&w=900&q=85

Plus, services for drunks/fools locked out of their homes and bank accounts could become a niche industry.
It's a win/*hic/win. Your tax dollars are buying Scott Pruitt's goldfish a security detail meanwhile.

(required) • May 13, 2018 5:32 PM

Without being overly political or divisive in asking, why is Trump trying to bail out ZTE?

It's a Chinese Govt' owned manufacturer with always-terrible security and alleged backdoors.
What exactly is the burning need to help them sell in the US market again all about?
Does anyone know?

justinacolmena • May 13, 2018 8:11 PM

I'm appalled. We've got to do something about this.

Screenshot: https://www.colmena.biz/las_imágenes/cisco-malware.png

Cisco is cracking, censoring, and blocking encryption on the Net for the purported goal of fighting malware.

Surely they have everywhere-valid-for-everything SSL certs already... Not only are they so phreaking proprietary with their expensive IT training certs and all, but they create more problems than they solve with their heavy-handed standards-smashing approach. They ride roughshod over open standards and heaven forbid open source.

(required) • May 13, 2018 9:42 PM

"ZTE paid over $2.3 billion to 211 U.S. exporters in 2017, a senior ZTE official said on Friday."

I answered my own question. We're going to help protect a Chinese company that violated sanctions,
because US exporters were hurt by blocking sales, but we're going to then impose sanctions on Iran also,
unilaterally enforcing them against allies in Europe (and companies in the US) in that same boat.

Remember when picking winners and losers was supposed to be bad? This is nutty.

Ratio • May 14, 2018 8:00 AM

Apparently there is a *massive leak* inside PGP/GPG. Everyone should update right now!

(Drama++ mine.)

The paper is a little underwhelming. #HYPEfail

AlexT • May 14, 2018 8:32 AM

Quoting Protonmail team: "It is not correct to call Efail a new vulnerability in PGP and S/MIME. The root issue has been known since 2001. The real issue is that some clients that support PGP were not aware for 17 years and did not perform the appropriate mitigation." - Can't put it better

Squid Apprentice • May 14, 2018 9:03 AM

I saw that video, and thought to myself: That's odd self, I haven't seen that linked in Schneier. Now the universe has corrected itself and I can sleep at night.

carla • May 14, 2018 9:19 AM

Anyone have a mirror of the efail attack paper? They're blocking anonymous users.

JG4 • May 15, 2018 6:47 AM


Thanks for the great discussion.

https://www.nakedcapitalism.com/2018/05/links-5-14-18.html

...

New Cold War

How the C.I.A. Is Waging an Influence Campaign to Get Its Next Director Confirmed NYT. A Times reporter comments: “Funny how CIA sometimes is willing to step out of the shadows, or at least part-way out of the shadows….” Indeed.

Did the FBI Have a Spy in the Trump Campaign? National Review

The public case against Trump Axios

Game Over, Trump: An Ancient Order Of Franciscan Monks Has Released A 13th-Century Tapestry Depicting Donald Trump Colluding With Russian Officials ClickHole

...

Big Brother Is Watching You Watch

What Google is doing with your data Queensland Times. Yikes:

Australian Competition and Consumer Commission chairman Rod Sims said he was briefed recently by US experts who had intercepted, copied and decrypted messages sent back to Google from mobiles running on the company’s Android operating system.

The experts, from computer and software corporation Oracle, claim Google is draining roughly one gigabyte of mobile data monthly from Android phone users’ accounts as it snoops in the background, collecting information to help advertisers.

A gig of data currently costs about $3.60-$4.50 a month. Given more than 10 million Aussies have an Android phone, if Google had to pay for the data it is said to be siphoning it would face a bill of between $445 million and $580 million a year.

OK, Oracle wants to stick the shiv in. That doesn’t mean they’re wrong on the facts.

Newsagents to sell ‘porn passes’ to visit X-rated websites anonymously under new government plans Independent. “The 16-digit cards will allow browsers to avoid giving personal details online when asked to prove their age. Instead, they would show shopkeepers a passport or driving licence when buying the pass.” What could go wrong?

How ProtonMail is pushing email privacy standards VentureBeat

...

vas pup • May 15, 2018 9:36 AM

http://www.bbc.com/future/story/20180514-do-long-prison-sentences-deter-crime
“King says countries like the US needs to look at alternatives – more violence prevention so that crimes aren’t committed and people don’t end up in jail in the first place. “I don’t mean hiring more cops and prosecutors,” King says. “Relying on police coming in is a reactive response. Doing something more proactive requires deeply investing in these communities.”

Clive Robinson • May 15, 2018 10:21 AM

@ vas pup,

    “Relying on police coming in is a reactive response. Doing something more proactive requires deeply investing in these communities.”

The US already knows the answer to this problem.

Studies carried out in the past show that every dollar spent at primary school level and below saves ten-fifteen dollars that would otherwise be spent in crime prevention police / judiciary / prisons.

The research was quashed during the Ronny "Raygun" Reagan "Mad Maggie" Thatcher era. As a result the US now has a known not to work "tough on crime" political stance, and more importantly what turns out to be a highly profitable but corrupt private prison service giving "kick backs" to the judiciary amongst others for longer and harsher prison terms.

It is going to be very difficult to pull this back in and make the savings not just for the tax payers, but those who are victims of crime, and those who will otherwise become criminals. Because as has been observed "It is difficult to make a man see what he is doing is wrong, when his main income is derived from being wrong".

Gerard van Vooren • May 15, 2018 10:39 AM

@ Moderator,

There is a bug in the friday squid section. When you post a message there is only the Submit button, but not the Preview button.

And can these long text messages be turned off, I mean with that you can show these all on?

Moderator • May 15, 2018 1:42 PM

@Gerard van Vooren: Checking in Chrome, IE and Tor, I see both buttons. What browser are you using? Re your second question, please clarify.

Gerard van Vooren • May 15, 2018 3:52 PM

@ Moderator,

I am using Firefox with Ubuntu 18.04. But I am sorry. After a reboot this problem disappears. I don't know what did happen.

I mean in "100 Latest Comments". Every long message is being shortened. And then you got this "Read More" button. The problem that I notice is that you don't know the size of a message. Clive Robinson for instance can make quite large messages but they are also, most of the time, very interesting.

Before this update the "100 Latest Comments" would be better because then that page simply showed all the pages entirely.

I would be more than happy with a simple RSS reader that also would read all messages instead of only the headers, but AFAIK that isn't possible.

WhiskersInMenlo • May 15, 2018 5:09 PM

Apparently malware has arrived to Ubuntu.
According to a tweet from Naked Security...:

😱 Malware on Linux? Impossible! pic.twitter.com/9QNXK9iD9P

— Naked Security (@NakedSecurity) May 15, 2018


Some 2048 Ubuntu packages contain a bit coin mining hook.

Wesley Parish • May 16, 2018 5:42 AM

Someone's trying to kill me:

http://www.theregister.co.uk/2018/05/15/trump_zte_tweet_2/

Did I say Chinese jobs? I meant American jobs says new Trump Tweet
Jobs, schmobs: ZTE's about national security, stupid, say Republicans

I suffered a sudden fit of laughter after reading this, and fortunately it was not uncontrollable, therefore I did not die of it.

I can't seem to take such shenanigans seriously. Did Obi Ben Kenobi say to the US political establishment, "May the Farce be with you."? CE's so riddled with backdoorable vulnerabilities it wouldn't make a lick of difference whether the vulnerabilities are from the USA or PRC.

Ratio • May 16, 2018 7:00 AM

More information in Spanish (contains atrocious punctuation and some unconventional spelling):

Curious fact:

[...] contracts with the companies Blue Cell Seguridad, a Spanish company (whose name we are keeping confidential) and PromSecurity, [...]

We ain’t telling but instead we’ll just link to stuff that’s about UC Global.

JG4 • May 16, 2018 9:23 AM


I was happy to see my favorite purveyor of doom porn pick up the Securus story. I tried to warn them, but they all just laughed at me.

https://www.nakedcapitalism.com/2018/05/ecuador-hints-may-hand-assange.html

https://www.nakedcapitalism.com/2018/05/links-5-16-18.html

...[approaching peak irony, mind the event horizon]

Big Brother is Watching You Watch

Police facial recognition system ‘risks damaging public trust’ Daily Mail (JTM)

Angry nurses want Mark Zuckerberg’s name removed from a San Francisco hospital South China Morning Post (J-LS)

Google Employees Resign in Protest Against Pentagon Contract Gizmodo (Judy B)

...["A trillion here and a trillion there and pretty soon you're talking real money" -with apologies to Senator Everett Dirksen]

Imperial Collapse Watch

The Pentagon Can’t Account for $21 Trillion (That’s Not a Typo) TruthDig (J-LS)

...

Clive Robinson • May 16, 2018 11:11 AM

@ JG4,

Ecuador hints may hand Assange

Actually Ecuador has said very little if anything formally, though some US market research says more than 3/4 of Ecuadorians want Assange out of the London Embassy...

What has happened is that the current Ecuadorian leader Lenin has said Assange is a stone in his shoe etc, not much is being said other than another comment of "Not my shoe, not my stone".

What has been said both in Ecuador and other places is that the US "interfered with the Ecuadorian election" and various sums between 80 and 100 million USD have been indicated as the sums spent by the US to get rid of the original leader. There are also stories of the US Fed Reserve sticking the boot in on Ecuador (which uses the USD). Others have noted that the US put the scare on the population via what it is doing to another South American country that it disfavors, and that even Brasil is getting nervous.

What the truth of each of the stories is is unknown. As for the US and UK press you have to more or less forget about them as they are apparently "running scared" of their respective governments, likewise the Australian press. All three have been reported as wanting to see Assange "disappeared" or somehow be tortured to death as an example to others.

But it appears there is a lot of shenanigans going on. Assange's legal team have obtained copies of documents from the UK "Criminal Prosecution Service" which show that Sweden wanted to drop proceedings for extradition against Assange half a decade ago but the CPS official stopped the Swedish authorities from doing so. Apparently there is sufficient evidence to show "Malfeasance in Public Office" which is quite a serious charge, if it can be brought into an unbiased court...

Speaking of bias in courts, apparently there are also big questions over the judge that threw out the request to have the arrest warrant against Assange quashed on grounds it was not in the public interest. From what I understand she was very selective about what evidence she would accept, and as a result may have put the UK in an untenable position with respect to human rights treaties it has signed. As well as showing considerable bias with respect to not allowing evidence on US intentions, especially with regards to keeping secret US plans waiting to hijack Assange and get him to the US on what would be at best a show trial.

It would be nice to get these stories verified one way or another but so far there is insufficient information being provided...

So we will have to wait and see...

Oh and to add fuel to the fire, some have suggested Assange's best option if he can get out of the UK without getting nabbed is to pop over to Russia and join various people there...

k15 • May 16, 2018 9:24 PM

Is there any group that has an interest in making the U.S. postal service more secure, in situations where it might not be? The Postal Inspection Service deals with crimes after the fact, but I am wondering if any group has an interest in making the system more secure before that.

Ratio • May 17, 2018 6:00 AM

More interesting, but in Spanish:

And once again:

In September 2012, the Spanish company hired for the surveillance and security of Julian Assange (whose name we are keeping confidential) sent the first reports to the National Intelligence Secretariat (Senain) on everything the creator of Wikileaks was doing in the Ecuadorian embassy.

The firm, domiciled in Cádiz, Spain, was hired by the Senain, [...]

Random factoid: UC Global is based in Jerez de la Frontera, in Cádiz, Spain.

Fiodor Fukin • May 17, 2018 9:11 AM

Russia is considering making smart meters mandatory. ETA is 2019, maybe 2021 year, new buildings first, then those that fall under the 'major renovation program' or something. Others will receive theirs during the eventual replacement of old meters.

The law will probably be signed in Q2 2019. The stated reason is theft of resources.

No link right now - all available material is in Russian.

Thoth • May 17, 2018 10:20 AM

@Clive Robinson

Interesting read on renting out "Secure Enclaves" as a Service and be paid.

Would be nice if this can be adapted for the Prison Model to somehow create a sustainable way of having enough funds to keep the system up and running.

My idea is to allow every participant in a sort of distributed Prison Model where everyone purchases a smart card with open source Prison applets installed and using some form of blockchain or a tangle (alternative to the blockchain model that claims to be more superior), to create a highly distributed and decentralized Prison Network.

Considering that the original Prison Model would call for a centralized unit stuffed full of tiny embedded security processors with a central router, the central router becomes a single point of failure and the security processors as Prison Cells all being centralized in a single location within a single central machine is going to allow a single point of failure thus the idea of allowing participants to carry or possess their own smart cards with the specially crafted applets loaded and then using a network just like recent cryptocurrencies.

The problem would be verifying secure executions without leaking them and also planning for incentivising the participants without the woes of Bitcoin, Ethereum and the likes of other current cryptocurrency models.

Link: https://arxiv.org/abs/1805.06411

RockLobster • May 18, 2018 1:07 PM

This is something that has been bugging me.
My coding skills are a little hazy to say the least, so I could be wrong about this.
This is the source code for the TLS implementation of AES.
https://tls.mbed.org/aes-source-code

If you scroll all the way down to the key schedule code and the switch.

switch( keybits )
{
case 128: ctx->nr = 10; break;
case 192: ctx->nr = 12; break;
case 256: ctx->nr = 14; break;
default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
}

That would appear to pertain to 10, 12 and 14 rounds to aes128, aes192 and aes256 respectively which as we know is the standard implementation but if you scroll down further to the next switch,
Case 10 does have 10 iterations

switch( ctx->nr )
{
case 10:

for( i = 0; i

But case 12 only has 8
for( i = 0; i

and Case 14 only has 7
for( i = 0; i

RockLobster • May 18, 2018 1:11 PM

Well, that got messed up, the for loop code I posted was cut off short, but if you look at the code via the link I posted you'll see it.
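
The loop counts RockLobster lists (10, 8 and 7) can be reproduced from the FIPS-197 key expansion, in which the number of key-schedule iterations is a different quantity from the number of cipher rounds. This is an added example, not mbed TLS code and not part of the comment above; it assumes each loop iteration emits one key-length block of Nk words (the loops were cut off in the post), and the function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* FIPS-197 Appendix A example keys (public test vectors, not secrets). */
static const uint8_t K128[16] = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                                 0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
static const uint8_t K192[24] = {0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52,
                                 0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5,
                                 0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b};
static const uint8_t K256[32] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
                                 0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
                                 0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
                                 0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};

/* Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1, the AES field. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    while (b) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0));
        b >>= 1;
    }
    return p;
}

/* AES S-box computed from its definition: field inverse, then affine map. */
static uint8_t sbox(uint8_t x) {
    uint8_t inv = 0, s;
    if (x) {                       /* x^254 is the inverse of x */
        inv = 1;
        for (int i = 0; i < 254; i++) inv = gf_mul(inv, x);
    }
    s = inv;
    for (int i = 1; i <= 4; i++)   /* XOR of the four left rotations */
        s ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
    return (uint8_t)(s ^ 0x63);
}

static uint32_t sub_word(uint32_t w) {
    return ((uint32_t)sbox((uint8_t)(w >> 24)) << 24) |
           ((uint32_t)sbox((uint8_t)(w >> 16)) << 16) |
           ((uint32_t)sbox((uint8_t)(w >> 8)) << 8) |
            (uint32_t)sbox((uint8_t)w);
}

static uint32_t rot_word(uint32_t w) { return (w << 8) | (w >> 24); }

/* Expand key into w[] (room for 64 words). Each loop iteration emits Nk
 * words. Returns the number of iterations, or -1 for a bad key length. */
int aes_key_schedule(const uint8_t *key, int keybits, uint32_t w[64]) {
    int nr;
    switch (keybits) {             /* cipher rounds, as in the quoted switch */
    case 128: nr = 10; break;
    case 192: nr = 12; break;
    case 256: nr = 14; break;
    default:  return -1;
    }
    int nk = keybits / 32;         /* key length in 32-bit words: 4, 6, 8 */
    int needed = 4 * (nr + 1);     /* one 4-word round key per round, plus one */
    for (int i = 0; i < nk; i++)
        w[i] = ((uint32_t)key[4*i] << 24) | ((uint32_t)key[4*i+1] << 16) |
               ((uint32_t)key[4*i+2] << 8) | key[4*i+3];
    int have = nk, iterations = 0;
    uint8_t rcon = 1;
    while (have < needed) {
        uint32_t *prev = w + have - nk, *next = w + have;
        next[0] = prev[0] ^ sub_word(rot_word(prev[nk-1])) ^ ((uint32_t)rcon << 24);
        for (int j = 1; j < nk; j++) {
            uint32_t t = next[j-1];
            if (nk == 8 && j == 4) t = sub_word(t);  /* extra step, AES-256 only */
            next[j] = prev[j] ^ t;
        }
        rcon = gf_mul(rcon, 2);
        have += nk;
        iterations++;
    }
    return iterations;
}

int main(void) {
    const uint8_t *keys[3] = {K128, K192, K256};
    const int bits[3] = {128, 192, 256};
    uint32_t w[64];
    for (int k = 0; k < 3; k++) {
        int it = aes_key_schedule(keys[k], bits[k], w);
        int nk = bits[k] / 32, nr = nk + 6, need = 4 * (nr + 1);
        printf("AES-%d: %d rounds need %d words; %d iterations x %d words "
               "+ %d key words = %d; last used word %08x\n", bits[k], nr,
               need, it, nk, nk, nk + it * nk, (unsigned)w[need - 1]);
    }
    return 0;
}
```

With Nk = 4, 6 and 8 words per iteration, 10, 8 and 7 iterations yield 44, 54 and 64 words, which covers the 44, 52 and 60 words that 10, 12 and 14 rounds consume.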

Ratio • May 18, 2018 8:30 PM

Ecuador to remove Julian Assange's extra security from London embassy:

The move was announced a day after an investigation by the Guardian and Focus Ecuador revealed the country had bankrolled a multimillion-dollar spy operation to protect and support Assange, employing an international security company and undercover agents to monitor his visitors, embassy staff and even the British police.

Over more than five years, Ecuador put at least $5m (£3.7m) into a secret intelligence budget that protected him while he had visits from Nigel Farage, members of European nationalist groups and individuals linked to the Kremlin.

Assange's guest list: the RT reporters, hackers and film-makers who visited embassy:

Julian Assange received more than 80 visitors in the seven weeks leading up to the release of hacked Democratic party emails by WikiLeaks, including two journalists from the Kremlin-backed broadcaster RT, the documentary film-maker Michael Moore, the philosopher Slavoj Žižek and a German hacker.

Visitor logs seen by the Guardian and Focus Ecuador show a frenetic period for the WikiLeaks founder in the summer of 2016, around the time he declared that he would release emails from Hillary Clinton’s US presidential campaign. Assange has been holed up in Ecuador’s London embassy since 2012.

(Visitor log covering the period June 1–July 3, 2016 from the Focus Ecuador article Assange en el centro de una conspiración mundial I mentioned earlier.)


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.