Friday Squid Blogging: Squid Comic

It's not very good, but it has a squid in it.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on May 25, 2018 at 4:18 PM • 97 Comments

Comments

echo • May 25, 2018 6:03 PM

I noticed a panic stream of emails and stupid pop ups this past week.

US news sites block EU readers due to GDPR
http://www.osnews.com/story/30404/US_news_sites_block_EU_readers_due_to_GDPR

Whenever a site blocks EU users, you can safely assume they got caught with their hands in the user data cookie jar. Some of these sites have dozens and dozens of trackers from dozens of different advertisement companies, so the real issue here is even these sites themselves simply have no clue to whom they're shipping off your data - hence making it impossible to comply with the GDPR in the first place.

The GDPR is not only already forcing companies to give insight into the data they collect on you - it's also highlighting those that simply don't care about your privacy. It's amazing how well GDPR is working, and it's only been in effect for one day.

https://www.bloombergquint.com/business/2018/05/25/blocking-500-million-users-is-easier-than-complying-with-gdpr#gs.3w_eFcU

Bob • May 25, 2018 6:26 PM

You have covered this story, but this was published after your post. And, you said "I'll post other commentaries and analyses as I find them", so you may be interested. It's recommendations from Phil Zimmermann and the devs of the main email encryption tools, to rival EFF's recommendations.

https://protonmail.com/blog/pgp-efail-statement/

Alejandro • May 25, 2018 7:23 PM

Facebook, Google hit with GDPR complaint

http://www.theregister.co.uk/2018/0/25/schrems_is_back_facebook_google_get_served_gdpr_complaint/

Already! Good!

Apparently this fellow Max Schrems is a bit of an activist. I hope he wins. It will cost the companies billions in any currency you can name if they lose.

I wish the USA would get back to supporting the personal data, privacy and security of Americans, but that seems to be long gone and a lot of other stuff.

Strict regulation of the big internet players should be a key goal of our government.

Wesley Parish • May 25, 2018 11:00 PM

You made some comments earlier in the piece, @Bruce, about the way the NSA was insulting everybody's intelligence by believing and claiming that backdoors could be kept from adversaries. Now we've got the FBI (Feral Bullshit Inspectors, iirc) telling people to reboot their routers and suchlike to kill off a Russian malware infestation:

https://mobile.slashdot.org/story/18/05/25/2217205/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500000-devices

https://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/

https://www.ic3.gov/media/2018/180525.aspx

Will the NSA eat its words? Wouldn't it have been simpler to make the devices less vulnerable? And how easy are the devices to infect anyway? If easy as, then they'll be re-infected soon as.

Gunter Königsmann • May 26, 2018 1:33 AM

@Wesley Parish: that was the problem with the German government at least twice: somebody was using an advanced persistent threat and, as every system was riddled with security holes that in the end weren't NOBUSes, all one could do was watch.

If the first stage of the router malware is persistent: Is it guaranteed that rebooting does help?

Clive Robinson • May 26, 2018 2:45 AM

@ Wesley Parish, Thoth,

With regards,

Possibly nobody has mentioned it because the SEVere attack developers' description given is a little difficult to get your head around on first read.

However reading it I think that put simply the error is that the developers have worked out a way to use the SoC as an Oracle just by memory address (I will mull it over for a while).

However the bit at the bottom about using existing "Secure enclaves" made me smile as Intel, ARM and AMD have had problems in their implementations and that little "Xmas gift that keeps giving" of Spectre and Meltdown.

As I noted back then I fully expect more "hardware" issues to be found over the next half decade or so, as academia and young researchers start digging through what are in reality a completely hopeless kludge of "go faster" incompatibilities, that were thought out individually rather than as a coherent whole.

This is one of those "new" attacks around MMUs that will in all likelihood develop into its own class of attacks...

Clive Robinson • May 26, 2018 3:59 AM

@ echo,

    I noticed a panic stream of emails and stupid pop ups this past week.

Yup, the GDPR is starting to bite; apparently Max Schrems is launching a few new court cases at one or two silicon valley --now assumed to be-- crooks...

Having had cookies and javascript disabled for some time I did not get to see the likes of these panicking sites anyway, as they blocked me, or more correctly their advertisers did. But tests I did elsewhere suggest that the actual amount of such junk added to the pages by such crud is getting closer to 100%. As for page load times, well, let's just say "the lunatics have taken over the asylum" on that, as the bulk of background "web traffic" is now from adware type activities (very hard to get firm figures on though).

As for Bloomberg doing a "chicken little", it makes me smile at their partisanship; after all, these companies were given plenty of warning as to what was coming their way. It's also not as though they did not know from previous issues that their actions were considered not just reprehensible but contrary to formal legislation.

But the Bloomberg "500 million" is like other aspects of their story "a little off of the mark".

The number of people affected by the GDPR is actually larger than those resident in the European Union nations, and even the population of many of those nations is an unknown.

For instance it's not hard to find articles that say things like,

    Europe is the third most populous continent behind Asia and Africa. Its population in 2016 is estimated at 738 million, which accounts for 11% of the world's population. The continent is currently growing at a rate of 0.3%.

Which would make it upwards of 740 million even without recent immigration taken into account.

But... The important quote,

    Russia is a very interesting situation, as its population is very hard to determine with Russian and CIA estimates varying by 3 million.

Which applies in various ways to a lot of the citizen numbers in the old CCCP/USSR that form the Eastern part of Europe and the EU.

But I guess the US are starting to realise that some people are not happy with their attitude on privacy etc... Something the other entities in the extended Five-Eyes that use corporates to front their activities should maybe take note of.

echo • May 26, 2018 5:58 AM

@Clive

Ouch, yes to all of this. For people who didn't follow the link Thom didn't have much good to say about Bloomberg either.

wetsuit • May 26, 2018 6:27 AM

Bunch of UK based news sites still running this morning, even though they use many dozens of trackers on every page (mostly DNS based). I guess I don't understand the nuances of the law yet. The welder's goggles don't help a bit with this one.

RealFakeNews • May 26, 2018 6:42 AM

I have one problem with the GDPR: it appears that as long as a website says they're taking your data, it's legal. Does anyone actually read them?

Also, given it is the web browser that makes all this spying/data collection possible, just why are they not regulating/forcing browser developers to tighten things on their end???

Fix the source of the problem: web browsers are too powerful and users have too little control.

Alyer Babtu • May 26, 2018 9:20 AM

Interesting. In the never ending quest to double triple check everything, I tried to access some of the GDPR non-complying US news sites via EU located servers provided by my VPN provider. For some of these servers, the news sites did not block. Apparently some of the VPN servers listed as in the EU function as if they are in the USA. Amazon posts where it thinks you are and also showed those servers as in the US. Maybe time for a different VPN provider ...

MikeA • May 26, 2018 10:28 AM

@RealFakeNews -- I believe your conjecture is correct (Sites can do almost anything as long as they tell you, buried in the modern equivalent of a EULA) as has always been the case, putting them in the same class as Bond Villains describing exactly their plans to wreak havoc before doing them. Much better said by the mouseover on https://xkcd.com/1998/

JG4 • May 26, 2018 10:30 AM

Wishes everyone who observes Memorial Day a sobering reflection on the cost of war. As always, I appreciate the excellent discussion, even when I am too busy to comment. I will travel to Arlington National Cemetery on Monday for some sobering reflection. We have been enmeshed in an information war at least since Bernays, but that is somewhat better than a shooting war.

@Clive - I think that you'll appreciate this more than most.

GOTO 2018 • Old Is the New New • Kevlin Henney
https://www.youtube.com/watch?v=AbgsfeGvg3E

No surprises here for the astute.

https://www.nakedcapitalism.com/2018/05/links-5-26-18.html

....

Big Brother is Watching You Watch

Google and Facebook accused of breaking GDPR laws BBC (David L). Quelle surprise!

YouTube in hot water over reordering subscription feeds RT. Kevin W: “Many tweet images.”

Google zooms by Amazon in smart speaker shipments, report says ars technica

Now playing: a movie you control with your mind MIT Technology Review. I see way too much police state potential in this sort of technology.

...

I want to get HIGHER! • May 26, 2018 10:38 AM

"High security" gains a whole new meaning at an ICBM base:

Security troops on US nuclear missile base took LSD

Boredom is a chronic hazard at nuclear missile bases everywhere. There have been multiple reports of behavioural problems among US Air Force nuclear missile launch officers in recent years.

The most surprising part of this story is that the nuclear missile corps were able to score some LSD, a drug no one has seen in almost twenty years and the US military has stopped testing for in its soldiers more than ten years ago.

Moral of this story: don't brag about your illicit drug use on Snapchat. That's how this drug ring was caught.

To me, the scariest part of this story is that the US has nuclear weapons in the first place.

Nuclear weapons violate an important security principle: Mistakes are inevitable, so set up the situation such that the consequences of failure aren't catastrophic.

"And when it comes to that fantastic bit where the rabbit bites its own head off, I want you to throw that fuckin' switch!"

japanese emoji taking over unicode • May 26, 2018 12:05 PM

This is a blowfish emoji: 🐡.

There appears to be a somewhat unusual kanji for the same thing, 鰒, as well as the katakana フグ, but the character 鰒 apparently refers to a different sea creature altogether in Chinese than it does in Japanese.

So are the emoji another writing system, next in line after the kanji, hiragana, and katakana for the Japanese language?

japanese emoji taking over unicode • May 26, 2018 2:28 PM

@I want to get HIGHER!

    multiple reports of behavioural problems among US Air Force nuclear missile launch officers

You spell in British or international, not American English. Besides, we're so much at law in the military nowadays, let's just be frank about this issue. YOU TAKE THE DRUGS YOU'RE DEALT on a military base like that if you want to live to see another day. That's the only law there is at a place like that.

    nuclear missile corps were able to score some LSD, ... don't brag about your illicit drug use on Snapchat

Let's just put it this way: there is enough of a haircut already in the military.

    To me, the scariest part of this story is that the US has nuclear weapons in the first place.

The U.S.? Not N.K, Russia, China, Japan, Iran, Saudi Arabia, France, Germany, and so on and so forth?

    Nuclear weapons violate an important security principle: Mistakes are inevitable, so set up the situation such that the consequences of failure aren't catastrophic.

Guns are banned, too. Freedom has always been catastrophic for despots.

    "And when it comes to that fantastic bit where the rabbit bites its own head off, I want you to throw that fuckin' switch!"

Sounds like some lesbian girl sitting in an electric chair on a murder charge. The Nazis, Shogun, Kamikaze, and all. They've even got a swastika in unicode 卐.

Alejandro • May 26, 2018 2:46 PM

The "Chicago Tribune, Los Angeles Times, New York Daily News and Orlando Sentinel cut off access to most European internet traffic on Friday"...due to GDPR non-compliance.

They had, at least, two years to get ready.

OTOH... "Facebook and LinkedIn, have already taken steps to move their non-E.U. users outside of the reach of European regulators."

https://www.nbcnews.com/tech/tech-news/chicago-tribune-los-angeles-times-block-european-users-due-gdpr-n877591

Let's hope GDPR is the beginning, not another failure in the making.

A Nonny Bunny • May 26, 2018 2:51 PM

@RealFakeNews

    I have one problem with the GDPR: it appears that as long as a website says they're taking your data, it's legal.

That's not quite true, I think. They need to specify what data they (want to) collect, as well as what they will use it for. And they need to do so in language that is understandable by regular people. And I think you need to give consent before they can start collecting it (beyond the bare minimum necessary to serve a webpage.) Another important aspect is that you have the right to view what data they have collected about you (in a reasonable data-format), as well as the right to correct that data if it is wrong, and the right to have it deleted.

So if a website just shows a one-time popup with "We're going to collect every bit of data about you we can, muahahaha!" without the option to say "No thanks", then I think they're infringing on your GDPR rights. (But, I'm not a lawyer.)

65535 • May 26, 2018 3:03 PM

@ echo, Alejandro, Clive Robinson, RealFakeNews, Alyer Babtu, RockLobster and others

Regarding GDPR privacy rules against USA style data mining:

Probably the most accurate indications of damage to USA corporations that collect and track users will be in the stock market. Some of the damage was built in to stock prices before this weekend, but it looks like the damage of losing 500+ users in the EU will be high. We will have to see how the stock market reacts on Monday.

Any guesses on the damage to stock values of USA companies that are in the data tracking game?

High Damage 50 % price decline
Medium Damage 25% price decline
Low Damage 5-10% or less price damage

Place your bets.

Specific GDPR comments:

“Smart move by Microsoft.” – RockLobster

“…users now have access to a privacy dashboard that allows you to easily regulate or opt out of any data collection. You can delete all of your search history and data or move it somewhere else.” -Techrepublic

https://www.techrepublic.com/article/microsoft-extending-gdpr-protections-to-all-global-customers-heres-how/

On the surface it looks like a good move but, will Microsoft secretly retain a copy for “National Security” matters? Who does this affect, Windows 10 users and Office 365, Bing search users, or all users from Windows 7, 8/8.1 and so on? This makes me wonder because a lot of metadata is collected on systems other than Win 10 or Office 365.

@ Clive R.

Re:
“[German researchers] they can exfiltrate plaintext data from an encrypted guest via a hijacked hypervisor and simple HTTP requests to a web server running in a second guest on the same machine.” – The Register

“While the VM’s Guest Virtual Address (GVA) to Guest Physical Address (GPA) translation is controlled by the VM itself and opaque to the HV, the HV remains responsible for the Second Level Address Translation (SLAT), meaning that it maintains the VM’s GPA to Host Physical Address (HPA) mapping in main memory.”- Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel, Fraunhofer AISEC, Garching near Munich, Germany

https://arxiv.org/pdf/1805.09604.pdf

or

http://www.theregister.co.uk/2018/05/25/amd_epyc_sev_vm_encryption_bypass/

“the bit at the bottom about using existing "Secure enclaves" made me smile as, Intel, ARM and AMD have had problems in their implementations and that little "Xmas gift that keeps giving" of Spector and Meltdown.”-Clive R.

Did you also notice:

“They then modified the system's KVM hypervisor to observe when software within a guest accessed physical RAM.” – The Register

I have always thought web based KVM switches were an accident waiting to happen. This is not good for cloud providers and goes back a few threads to “Another Spectre-Like CPU Vulnerability”

See:
https://www.schneier.com/blog/archives/2018/05/another_spectre.html

And commenter neill notes:

“…everything "in the cloud" is unsafe. we don't know what CPU we're using, which VMs are running on the same, what OS or other vendors (NAS,LAN,WAN etc) are involved ... and since that's much of our data (willingly or not)(and metadata as well) we must assume that we're all screwed.” –Neill

https://www.schneier.com/blog/archives/2018/05/another_spectre.html#c6775695

I believe Neill is essentially correct. Putting any sensitive data on the so called “cloud” or various server farms is not advisable. The server farms are juicy targets for many players including Carders, Crooks, the NSA, CIA and FBI.

As most posters know, Spectre and Meltdown were caused by CPU manufacturers trading security for speed of data execution.

To fix or patch this security hole the server takes a big performance hit. Some posters estimate as large as 80% performance reduction. In retrospect it looks like the big CPU makers made a huge mistake.

For data centers with bare metal hypervisors hosting guest Operating Systems it now appears that the number of virtual machine software and hardware exploits has gone up drastically to a point where using said cloud providers is a real security issue.

It appears that large corporations and small businesses should have kept their data in house despite the “cost savings” of server farms or “cloud” providers. Time will tell.

@ Wesley Parish

“@Bruce, about the way the NSA was insulting everybody's intelligence by believing and claiming that backdoors could be kept from adversaries. Now we've got the FBI (Feral Bullshit Inspectors, iirc) telling people to reboot their routers and suchlike to kill off a Russian malware infestation… Will the NSA eat its words? Wouldn't it have been simpler to make the devices less vulnerable? And how easily are the devices to infect anyway? If easy as, then they'll be re-infected soon as.”-Wesley Parish

Yes, it does look like the NSA/FBI should eat its words. It also looks like they are trying to play both sides of the street. The NSA/FBI has asked for backdoors and now found they are more dangerous to both the public and themselves. Thus, they are trying to cover-up their mistakes.

I say cut the NSA and FBI’s budget by 30% or more. These TLAs are causing more harm than good – while enriching and entrenching themselves.

Timmy • May 26, 2018 4:31 PM

I have a question for the experts. Does a full hard disk on the phone or other device make it harder to infect?

For example an Android Phone with just 16mb free space. You can't install new apps because of the limited space left. Would that make it harder for an adversary to install malware?

Thoth • May 26, 2018 7:52 PM

@Clive Robinson

The AMD SEVere attack is what I call a half-done effort at memory security.

I never liked the idea of moving sensitive content to computer DRAM memory. I prefer a bigger SRAM cache in the Security Processor and for the code cutters to do due diligence of NOT MOVING THE ENTIRE OS into Security Processor. It was never meant to handle a full blown OS in Secure Execution Environment.

The idea of an SEE is you take code snippets that are sensitive and move them into SP to load and run all within the supposedly tamper resistant security confines of the SP backed SEE. That is how all HSMs work but it is not practical to take HSM standards and impose it onto a COTS CPU right ?

So why even bother to run any sensitive codes in a COTS CPU not graded to run sensitive materials? These COTS CPUs are not even certified in the first place and tested to meet security criteria for CC and FIPS which dictate how data should be securely processed.

ARM and Intel got it right by only allowing small applets to load and run off their TZ/SGX environment but AMD got it horribly wrong.

I remember there were issues with Intel SGX in the past with their SGX Enclave encrypted RAM memory having the same issue (although I can't remember where I read about it for now).

End of the day, if there is an SP to run an SEE or sensitive codes, keep the sealed codes and data within the SP's caches and never export them to DRAM even in any cryptographically sealed form as this will add complexities and even errors as you now see with AMD SEVere.

Encrypted VM is simply a gimmick anyway because that means you are running another possibly vulnerable X86 inside the SP unit and that's another juicy attack vector to exploit.

ARM/Intel/AMD et al.'s SP/SGX/TZ/PSP are the great gifts that simply endlessly keep giving.

If you want a SEE environment on an SP, use a HSM or Smart Card because they never export memory off-unit even in sealed format to host computer DRAM as this is a huge taboo and a breach of security. For Smart Cards, there is a TEM module I mentioned before that exports sealed memory of the card processing data, which I do not agree with, thus I began building, many months ago, my rudimentary version of Secure Execution on Smart Card that keeps memory in the card where it is supposed to be.

I am not surprised this would occur as this is purely a bad design decision, thus why I did not rush to post, as I find it more of a Snake Oil Security being exposed than some breach in proper but badly implemented security. The entire design of AMD's security modules is nonsense and not robust in my opinion and will never be, because they are after all bound by the wills of the 5Eyes snoops and thus the 5Eyes will never want a COTS processor to have robust enough security to keep them out of reach.

As we know, myself and a few others including maqp have been trying hard to build practical and reasonably secure environments and not simply blindly use these COTS products. To such an extent, we sometimes have to build things from scratch.

It is weird to think that reasonable security can be achieved by fully assuming and trusting the security of the product used for the projects, which gives rise to designs like Data Diodes and Castles-&-Prisons Models as additional security layers.

Clive Robinson • May 27, 2018 5:17 AM

@ 65535,

    Probably the most accurate indications of damage to USA corporations that collect and track users will be in the stock market.

The problem with looking at the stock price is it's rapidly reactive and has a very short term memory. It also uses "positive feedback" mechanisms that give inherent instability and rise to oscillatory behaviour at the best of times. The legal side of things is sometimes glacially slow to react and the results are usually of an existential or almost existential nature for the target. Its feedback mechanism is somewhat interesting, in that it causes a damped ringing effect. There is an initial overshoot due to the reporting in the media etc, then things die down to a steady state, to await the fate of the next target.

Thus the initial spike from the conclusion of stages in the legal proceedings causes significant change in the stock market, but only after the event has happened. Worse, usually the reaction is significantly biased towards the negative. That is, the announcement of the start of legal proceedings causes significant negative reaction, that is almost never reversed even if the target is fully exonerated at a later date. In effect "5h1t sticks" and raises a bad smell for a long period of time; it also splatters and sticks to others in near proximity.

Thus legal proceedings are almost always a disaster, one way or another. Which raises the question of can they be avoided or mitigated?

There is a saying about "The three sign posts to disaster". In essence the first sign post only becomes visible long after the disaster as it is much like the beat of a butterfly's wings. The second signpost is visible to those who are both looking and have sufficient wisdom to see where it is heading. The third is obvious to all who care to look but importantly not those who don't.

Finally you have the disaster, but interestingly, as we saw with say SCO, those on the inside keep up with the pretence for various reasons, thus the disaster hits much harder than it otherwise should, and recovery is thus made impossible way more often than not, and then the vultures move in to strip the bones.

Stock market prices tend to be based on a mixture of the last signpost and the behaviour of those inside, thus only give a short term warning which can be used to get out with more than your shirt. However as we know "the market", more or less mindless to consequences, has now moved to "High Frequency Trading", where the time it takes light to travel is a critical factor... Thus you do not have time to read the stock market ticker before disaster has arrived...

With a little further thought you realise that if you can control the legal process in some way then yes you can mitigate the effects. Thus if you are sufficiently knowledgeable to have the equivalent of foresight then you can in effect spot likely first signposts and mitigate them by controlling the legislators. In effect that is what the financial industry has done and continues to do. Even though we had Banking Crisis one and two, it's still the same game, with a few near meaningless fines being thrown around from time to time.

Thus it can be seen that the way to win with the stock market is to rig the game in your favour by controlling the legislators. Thus if you are not in the position to rig the system, you are in effect a loser to those who are...

With regards,

    I believe Neill is essentially correct. Putting any sensitive data on the so called “cloud” or various server farms is not advisable.

I've been saying for so long that the Cloud is a disaster in the making, that I've got an almost "chicken little" reputation with some. The simple fact is as with privacy, if you let others get access to your information then you've lost control of it forever.

Thus you have the three basic things you can do with information,

1, Communicate it.
2, Store it.
3, Process it.

Whilst the likes of encryption might give you a degree of extended control with the first two, it currently cannot help you with the third.

But is that degree of extended control worth it when it comes to storing your information somewhere not under your direct control? The answer appears to be "no" in all but the short term. And the trouble with "short term" is once it's out there under somebody else's control it's really become "long term"...

Thus if your information is truly short term in that it will be made fully public in say two months, then there might be some benefit. The reality is though that information that falls into this type is quite rare, and usually of small size. Thus the associated costs of setting up Cloud Storage for it are probably greater than keeping it "in house".

Thus the "use cases" for the Cloud and sensitive / proprietary information are really very small indeed if you take a realistic security view point...

But as we know "short sighted" is the hallmark of Western behaviour especially from one quarter to the next at corporate and Governmental size. Thus security rarely gets to see the table let alone get a seat on it. As for setting the agenda, well I think we all know the answer to that.

Put simply the Cloud might look nice to a corporate bean counter for the next quarter's figures. But it's a pact with the devil and you are almost certainly not the piper[1]... Thus it's best avoided if you want a future.

The fundamental idea the Cloud is supposedly based on is "sharing" to reduce cost. But as people should know from various health advisories, "sharing is taking avoidable risk that could kill you".

Sadly the "marketing dream" has raised the supposed upside to giddy heights, but the downside, very real and significant risk, is ignored[2]. The result is the all too frequent "XXX million user records stolen" or similar. But that hides the real losses of Intellectual Property that is both hard won and costly to lose. This tends to be kept hidden but Industrial Espionage is both very real and very costly. The likes of the "Internet at every desk" and "Cloud Services" are Industrial Espionage enablers...

[1] Unless of course you have real leverage; thus the US Gov via various techniques has real leverage and maybe one or two other superpower governments do as well, but the rest of us, no, we don't. Thus like charity, security "should start at home"[2]

[2] A question everybody should ask is "What does the Internet give me?" and the bad should take preference over the good in any list. In most entities there is actually little or no good in having Internet connectivity and internal systems mixed, when you consider the bad. I know it's not a popular view point, but it's something "due diligence" is bringing to a tipping point.

Trust No. 1 • May 27, 2018 6:33 AM

@echo, @A Nonny Bunny
apropos to consent or lack thereof...

Australians now have a three-month window in order to opt out of government-hosted health records. The one and only chance to do so is from mid-July to mid-October 2018.

Australian Privacy Foundation, 2018-05-18
https://privacy.org.au/2018/05/18/media-release-governments-my-health-record-no-consent-required-opt-out-withdrawal-of-consent-deadline-is-15-october-2018/

The article should have been titled "An Inconvenient Consent".
Initially, people volunteered their records, but there was not a good amount doing so. Therefore, to improve upon this it was changed to "opt-out".

For now, it appears that details of an opt-out "option" as a potential footnote to the upcoming media spots promoting the benefits of "My Health Record" will be the new "informed consent". Hopefully enough people are paying attention if they would like to withdraw the consent they never gave.

The stupidity continues®

echo • May 27, 2018 7:31 AM

@Trust No. 1

The way medical records are possessed by the UK state sector is just another form of owning you. I utterly loathe doctors. Most men won't notice because men view medicine as problem with X, X is patched up, X is now fixed. Women's healthcare really reveals doctors' side which is all about control of your body and mind. Doctors utterly love control and finessing law to enable that control. Women also visit doctors much more regularly and are exposed more to this brainwashing which men don't notice because they are men.

I have a real problem with the Lancaster University paper on poker. They have missed basic underpinnings of the field by focusing solely on men because it's "easier". The authors really have no clue how this subject area works and are just enabling the continuation of medical sexism. I would suggest they read up on Isis and the history of discipline and punishment in schools. As an example women were guilty of driving young girls extra hard and punishing more severely on top of rote learning. This was finally regulated against (in the 1980s?) by education authorities. Last year one headmistress attempted to bring back this ethos because she viewed young girls as undisciplined. I am completely surprised by the lack of comment this generated. Modern academics know that rote learning in schools is still an issue with women's education and that individualism and intellectual creativity lack in young girls which of course has knock-on effects with women's developmental psychology. This has implications for business management theory and practice too, and perhaps even the courts and sentencing and prison policy.

I would be more than happy to name the doctor (and doctors) if I thought it would make a difference who thought it was funny and laughed when I fumed at an essential care plan being ripped up because they were too lazy to do it (which led to predictable chaos and distress and god knows what), and their laughing even more when I sat there flip flopping between fuming with anger and terror at their six foot tall plus menacing fat bulk.

It's also a legal requirement for UK doctors to note any disagreement in a medical record. Almost all don't as far as I am aware due in part, I believe, to covering their tracks ahead of potential medical negligence prosecutions.

While claiming medical records are confidential the UK NHS has certainly dipped into the patient population data to dig for dirt to "prove" a medical legal argument when a patient is bringing a lawsuit against them. There has also been at least one major legal case where an NHS Trust paid an "academic research company" to mug up an "authoritative" report they could use which the judge twigged was a load of nonsense. I am not aware of any healthcare staff losing their jobs over this but the lawyer responsible for this work was fired.

So possession, control of the narrative by direction or omission, and access to the pool of data can certainly be abused.

CallMeLateForSupperMay 27, 2018 8:31 AM

"[...] even if you [...] disable remote content, Apple Mail and GPGTools are still vulnerable to EFAIL. I developed a proof-of-concept exploit that works against Apple Mail and GPGTools even when remote-content loading is disabled." - Micah Lee
https://theintercept.com/2018/05/25/in-apple-mail-theres-no-protecting-pgp-encrypted-messages/

You might have seen Jaron Lanier on CBS' "60 Minutes". This Guardian article provides him an additional opportunity to express his view of predatory social media. Bummer: Behaviours of Users Modified, and Made into an Empire for Rent

Six reasons why social media is a Bummer
https://www.theguardian.com/technology/2018/may/27/jaron-lanier-six-reasons-why-social-media-is-a-bummer

TLDR - "[...] you don’t need to give up your smartphone, using computer cloud services, or visiting websites. Bummer is the stuff to avoid. Delete your accounts!"

I daydream of citizens wiping the scales from their eyes, reflecting on their personal situation and deciding that, fun though it was to ride the social media wave, it brought trouble beyond all reason. And one by one, in a long stream of defections, they abandon the Bummers, and over-paid Wunderkind at those "enterprises" find themselves with correspondingly less to do. Lights out. Curtain.

MarkHMay 27, 2018 11:18 AM

The large-scale router attack, estimated by Cisco to have infected about 1/2 million routers, has been attributed by the US gov't to APT28 a.k.a. Fancy Bear. In other words, an intelligence service of the Russian Federation.

OK, so here's my pre-emptive bucket of Pavlovian drool:

1. Internet attack attribution can never be trusted, especially when made by The Great Satan.

2. It's a "false flag" attack, launched by the Cruel Wicked West, to discredit Poor Innocent Russia.

3. It appears that most of the affected routers are in Ukraine. Only an IDIOT would believe that the country that is militarily occupying and making war against Ukraine could be behind such an attack.

There, I saved somebody the effort of typing all this!

Alyer Babtu May 27, 2018 1:54 PM

@all

Re @CallMeLateForSupper the Guardian article on Lanier -

Will the issues raised in the article be treated at the SHB 2018 conference?

For instance, Lanier’s account of people’s internet behavior “A is for Attention acquisition” doesn’t seem adequate.

Clive RobinsonMay 27, 2018 3:26 PM

@ MarkH,

Only an IDIOT would believe that the country that is militarily occupying and making war against Ukraine could be behind such an attack.

Well you could ask "What idiot did nothing about the long term vulnerability?".

The real question is did the vulnerability get in those routers "By accident or design?". On the off chance it was "accident" then the next question is "When did the likes of the West's SigInt agencies become aware of the vulnerability?". Which naturally leads into "Why did they not do anything about the vulnerability?"

There is the age old question about the apple store suffering from pilfering, of "Who's to blame for the pilfered apples when there is no lock on the door?".

The modern equivalent is who is to blame when known vulnerabilities get exploited by cyber criminals? You often hear of unpatched systems getting exploited and their administrators getting the blame. You also hear of major software houses getting the blame for taking too long to fix vulnerabilities. You also hear the crooks getting blamed. But how often do you hear of the SigInt agencies getting blamed for not just sitting on these vulnerabilities but actively building attack malware to exploit the vulnerability?

What many appear to forget is that to have a worthwhile attack strategy, you must first have a strong defence strategy. Something the West's IC establishments tend to ignore for their own short term strategy...

65535May 27, 2018 4:45 PM

@ Clive R

“The problem with looking at the stock price is it's rapidly reactive and has a very short term memory…uses "positive feedback" mechanisms that gives inherent instability and the rise to oscillatory behaviour at the best of times. The legal side of things is sometimes glacially slow…” –Clive R

The above is generally true. But, losing 500+ million customers will cause a fair degree of business damage.

The stock market is the main indication of public companies future no matter the oscillatory nature. The oscillations do dampen over time and worldwide stock prices tend to be fairly accurate. In short, the stock market is the indicator we are stuck with… unless you have some other indicator.

Wait till next week and see what the outcome is in the stock market at the end of the week. I say place your bets and take your chances.

“I've been saying for so long that the Cloud is a disaster in the making, that I've got an almost "chicken little" reputation with some. The simple fact is as with privacy, if you let others get access to your information then you've lost control of it forever.”-Clive R

I cannot disagree with the above.

[to repeat a fairly well stated observation]

Commenter neill notes:

“…everything "in the cloud" is unsafe. we don't know what CPU we're using, which VMs are running on the same, what OS or other vendors (NAS,LAN,WAN etc) are involved ... and since that's much of our data (willingly or not)(and metadata as well) we must assume that we're all screwed.” –Neill

https://www.schneier.com/blog/archives/2018/05/another_spectre.html#c6775695

I believe Clive R. has hit upon most of Neill’s points but in a fragmented and complex fashion. Neill summed up the situation neatly. The so called “cloud” is no utopia as Clive R. has been saying for years.

I do agree with Clive R that if you want to keep you data to yourself don’t give it out in the first place.

Now being swindled or robbed of your data is a completely different problem. The GDPR may help some problems but trying to thoroughly “erase” your data that is in the wild maybe quite difficult.

echoMay 27, 2018 5:58 PM

@65535 @Clive

I have been trying to break a story. This is personally difficult and involved some negotiation to arrange a meeting. I was only willing to discuss highlights to secure a meeting and show documents on a secure laptop without further discussion and signed contracts. The journalist tried to undo progress by grabbing for a story and go racing off to investigate so I declined.

I was warned by a business friend of Clive (the other one not foghorn) to avoid the media at all costs. Having just double checked with another newspaper who were interested I note their editorial skew has taken a turn for the worse.

I don't mind my data being pinched. It mostly achieved what I wanted even if I didn't get credit which I can assure you is incredibly annoying. It also means other people are in the newspapers for all the wrong reasons!

Phew. Narrow escape!

Mark V Jr.May 27, 2018 6:33 PM

@MarkH

You forgot

4. Internet attack attribution can never be trusted. It's not an "Advanced Persistent Threat" but a "false flag" attack, launched by the Cruel Wicked Teenagers, to discredit Poor Innocent Router Manufacturers. It appears that most of the affected routers are just as vulnerable as the rest. Only an IDIOT would use a hard-coded domain name as the sole C&C channel for a militarily important cyber attack.

Clive RobinsonMay 27, 2018 8:47 PM

@ Thoth,

The AMD SEVere attack is what I call a half-done effort at memory security.

Personally I would not put it as high as "half-done" ;-)

I never liked the idea of moving sensitive content to computer DRAM memory. I prefer a bigger SRAM cache in the Security Processor and for the code cutters to do due diligence of NOT MOVING THE ENTIRE OS into Security Processor. It was never meant to handle a full blown OS in Secure Execution Environment.

As with many things in life "Trying to be all things to all men is a recipe for chaos". The same applies to confidentiality of information.

My take on it is much the same as yours and is as follows,

As I keep saying there are three basic areas where encryption can give some but not all information confidentiality[0] and these are,

1, Information Communication.
2, Information Storage.
3, Information Processing.

But encryption it's self is best viewed as a pushable "stream component"[1] with several information channels such as the head and tail (plaintext/ciphertext) control, errors and exceptions. Each instance of an encryption stream component further has it's own storage issues such as,

A, The mode the algorithm is used in.
B, The Current Key(s).
C, The initial seed(s).
D, The running seed(s).
E, The Initialisation Vector(s).

Which quickly tots up but is over and above the state storage the algorithm and mode might require. It also falls under the very tricky to get right Key Management (KeyMan) area which is another post or two in its own right.

All of these "hidden variables" have their own awkward issues, of being variable in number and size which makes data management and the underlying memory management complex at best and difficult to keep secure. Often this calls for the use of stack structures of self describing variable size and type structures which is a nightmare to handle in a secure way at the best of times. It can also be beyond the theorem / proof tools to analyze.

Whilst this memory size requirement might be manageable in on chip SRAM in a single instance of a well formed communications application it's not the only memory issue that comes up. There is also the issue of buffers for both plaintext and ciphertext and these can be quite large. Especially if dealing with storage or processing of information.

For instance the manipulation of an image could easily involve buffers in the megabyte region.

Which means the "all things to all men" requirement is the same as it is for physical system memory DRAM and the attendant Virtual Memory (VM) system. As you are aware VM requires the use of not just the DRAM but a Memory Management Unit (MMU) its "Page Tables" in known to be vulnerable "shared memory" and hard drive page buffers.

After more than a third of a century of commodity computing we are still not getting OS Security in the VM area right and applications are way worse. So how the heck we expect to get encryption management correct within VM in a multithreaded, multitasking, multi user system is way beyond wishful thinking.

Which brings us around to,

The idea of an SEE is you take code snippets that are sensitive and move them into SP to load and run all within the supposedly tamper resistant security confines of the SP backed SEE.

Whilst "code snippets" might reduce some of the VM size issues, it increases the complexity, not just in the application code but in the memory management and key management as well. Which is actually more likely to decrease security than encrypting a whole process space.

So like you I consider it a "gimmick" or "auditors check box filler" rather than a usable security feature.

[0] As with most usage of encryption without other measures being applied it only gives confidentiality to the basic "content" not to the meta data or above information associated with the basic "content" information.

[1] By "stream" I'm talking about a communications stream such as an AT&T Unix labs "Unix IO stream" stack with pushable units, not "stream encryption".

RockLobsterMay 27, 2018 11:17 PM

I have a question for everyone, well actually it's a puzzle. Answer below so no cheating lol.

Ok, you have two videos. One where the accused perpetrator of a crime claims responsibility for it.
The other, he claims he was innocent.
One is fake but would you know which one?

RockLobsterMay 27, 2018 11:23 PM

Answer
If the one where he claims responsibility was the real one, that would mean both the accuser and the accused agree he did it, so neither side would have cause to make a video contradicting that.
Therefore the existence of two, contradictory videos means the one where he claims responsibility HAS GOT TO BE, the fake one...

If any of you figured that out, well done, because most of the world obviously didn't...lol


justinacolmenaMay 28, 2018 1:00 AM

F.B.I.'s Urgent Request: Reboot Your Router to Stop Russia-Linked Malware

https://www.nytimes.com/2018/05/27/technology/router-fbi-reboot-malware.html

How incredibly stupid can our government get? Just when I thought it couldn't go any lower than this. Is this the same FBI who pulled every trick in the book to weaken our computer security and install "back doors" AND officially warranted front-door access to ALL our computer systems on behalf of itself and its big-business buddies?

And NOW all of a sudden they are the experts in cyber-defense against the same foreign nation-state enemies to whom they pimped us out year after year while we struggled with big-business obstacles to basic computer security.

Maxwell's DaemonMay 28, 2018 2:21 AM

@JG4

I completely enjoyed the Kevlin Hanney video. All the hard lessons I had to figure out the hard way are right in there.

blocked EuropeanMay 28, 2018 2:48 AM

I hope the blocking of European users in response to the GDPR will be lasting and widespread. Tor would become more mainstream at least in Europe, and 'the ordinary citizen with nothing to hide' will finally understand the importance of Tor and similar technologies.

echoMay 28, 2018 3:44 AM

@Maxwell's Daemon, @JG4

Which Kevlin Hanney video is this?

Navigating bureaucratic systems can be tricky. My brain is still recovering from yesterday. I also had to navigate a massive life altering confidence drop over the whole of last week triggered by existential anxieties. One problem I have found is people who have confidence in a system (or themselves and their view of the system from their relative position) when they themselves are excluded from the effects of the system or experience different effects. Small and sometimes very difficult to spot effects can have very disproportionate costs. On balance I have found if something doesn't quite gel with what the formal not often internally documented standards are and doesn't feel right it almost certainly isn't.

Maxwell's DaemonMay 28, 2018 3:56 AM

@echo

GOTO 2018 • Old Is the New New • Kevlin Henney
https://www.youtube.com/watch?v=AbgsfeGvg3E

I can't address the systems issue. I'm extremely literal-minded which is why I get along well in bureaucratic systems and the military (bureaucratic^3). That and knowing how to manipulate the system which any career sailor has to figure out.

echoMay 28, 2018 4:54 AM

@Maxwell's Daemon

Thanks very much.

I do know what you mean. I'm much more straightforward and accommodating (while on the surface being a bit intense with a bad temper if I'm triggered) so tend not to get along with office politics.

I have written up a summary from top to bottom. My focus has shifted to the almost invisible games people play. I have drilled down from a meta view of this fight down to the original data (which includes logs and academic papers and various media and covert recording and various sources which is a huge mountain of material) so it's all very loose. Because I have deep domain knowledge I can spot the issues and why people missed the issues and how everything joins up at the various levels. This is normally the function of a public enquiry and quite a task my not being an experienced judge and not having staff to process the material. It's almost all what is already known but nobody explains the whys and hows, and in some instances I am fairly sure either miss this during investigations or it has been successfully been obscured by how events fanned out from the causal event.

Some of the security matters discussed on this blog have helped my understanding both of the value of "collect it all" and what is involved in the presentation of analysis, and the politics and bureaucratic language and tricks which often litter the narrative especially in the governmental public domain. I'm fairly sure I'm covered by policy so it's really a question of working with the grain which is something I spotted ages ago. The problem is on an everyday basis you are fighting continuous organisational failures of policy and staff understanding which makes interaction havoc. The thing is this is all useful data even if it can be a painful and costly process to collect. I have my eye on the end goal not short-term expediency and this is what has kept me going.

Alyer Babtu May 28, 2018 10:30 AM

Re “Old is the New New”

One might add to this a consideration of M. A. Jackson (“not the singer”) and his book Principles of Program Design (1975). Jackson points out that most treatments of programming never really treat design. While they may be things one observes in good code, modularity, object orientation, keep it fast and constrained, make it open for growth, etc. don’t much help one understand what module, object, fast thing, open thing is needed. That understanding is what design is really about. Using the principles outlined in Jackson (do thou go read) is an instant understanding enhancer, bug de-multiplier, code reducer, maintainability invigorator, test burden reducer, etc.

Putting on my heavy wing-framed spectacles: And what is this faddy constant disparaging of Perl that I hear ? Larry Wall studied (human) languages and that looks to have informed Perl. For example, real language has the subtle aspect of equivocation. Equivocity is a requirement of rational understanding (see Aristotle). Perl embodies a kind of reflection of this in its nice way of handling names and “funny symbols” $, @, % etc. It goes some way to enabling orderly treatment of the same thing from different points of view.

Of course, the language of the future is ML. And somehow (mathematical) Category Theory’s liberating and unifying point of view needs to enter computing.

Who?May 28, 2018 10:34 AM

@ blocked European

I hope the blocking of European users in response to the GDPR will be lasting and widespread. Tor would become more mainstream at least in Europe, and 'the ordinary citizen with nothing to hide' will finally understand the importance of Tor and similar technologies.

I do not agree with your point of view. Do you really understand the importance of tor? You are suggesting the use of tor as a means to help the United States violating our privacy. I feel much safer now. This global blocking of European users should be extended to other citizens around the world. Google, Facebook and so on should block European users too.

Internet is now much safer in Europe for the ordinary citizen.

echoMay 28, 2018 11:44 AM

I'm weeding my book collection down. I have a copy of The Sigint Secrets I'm only keeping because I'm a pseud. It is likely going as I will never read it again and nobody I know has an interest. It was the first book (or anything) I remember reading on signals intelligence. I never bothered buying Spycatcher. Is this any good or all dated now? I also bought Baby Bio for the new perimeter defense cactus in the kitchen window.

Oh, this is not nice. Improving the customer experience? No sorry. This story only ends one way and I don't like it.

Huawei will no longer allow bootloader unlocking
https://www.androidauthority.com/huawei-bootloader-unlocking-869169/

blocked EuropeanMay 28, 2018 11:51 AM

@Who?

I understand what you mean and I agree at some level. What I was trying to say is that the US among others remain technically capable of violating our (= EU citizens) privacy no matter GDPR and any other non-European directive. Short of an unlikely EU directive making it illegal for any European intelligence/security/police/military agency to exchange information with any non-EU counterpart. Therefore we need to assume they will simply keep doing it, and keep shielding any commercial entity who plays their game.

Tor serves different purposes for different people. What I'm suggesting is that one of these uses is to circumvent geographic blocks, thus allowing consenting people to keep being exploited by marketeers in return for 'free' online entertainment of some kind. What I deem positive is that by doing this the common person who could naively buy the 'nothing to hide' argument will realize how anybody may wish to cover their actual identity/location/history without any underlying criminal intent.

justinacolmenaMay 28, 2018 2:48 PM

@blocked European

I hope the blocking of European users in response to the GDPR will be lasting and widespread. Tor would become more mainstream at least in Europe, and 'the ordinary citizen with nothing to hide' will finally understand the importance of Tor and similar technologies.

You cannot use Tor in jail.

Defendants and their attorneys in criminal cases in the United States are in practice allowed no privilege or confidentiality whatsoever in their communications with each other or in their preparation of legal defense for court. Furthermore the office of any defense attorney is generally co-opted into participating in and representing the prosecutor's side of the case against the defendant.

Meanwhile, prosecutors work closely with police officers and judges to maintain an extreme degree of secrecy for their own side of the case against the defendant.

Despite the name "General Data Protection Regulation," there is no hope whatsoever that reams and reams of fine-print legislation by unelected Eurocrats will lead to a better situation in Europe than what prevails in the U.S.

Under the GDPR, what happens to the use of VPN services ?

Oh, I'm sure their use is highly regulated and limited. It's almost as if the Swiss Guard from the Vatican took over all of Europe because of a perceived "crisis of the faith." You are simply supposed to "believe" what your government tells you, and you are an "infidel" if you ask any questions.

echoMay 28, 2018 5:58 PM

Myanmar police had powers under their official secrets act but this refers to an arrest not search. There are also chain of custody issues with the search plus no evidence the reporters used messenger apps on the phone from which some evidence was obtained. Allegations have also been made that senior police officers plotted to plant evidence.

Myanmar police witness says searched Reuters reporters' phones without warrant
https://uk.reuters.com/article/uk-myanmar-journalists/myanmar-police-witness-says-searched-reuters-reporters-phones-without-warrant-idUKKCN1IT1G1

ThothMay 28, 2018 8:33 PM

@echo

Bootloader locking is the ARM TZ so-called Trusted Boot sequence. Perfect everyday cheap backdoors. This is one reason to not trust it.

Wesley ParishMay 28, 2018 9:21 PM

Just popped over to Techdirt for a look, and look what I found:

For the first-adopters amongst us:
https://www.techdirt.com/articles/20180525/07525839907/amazon-alexa-instantaneously-justifies-years-surveillance-paranoia.shtml

That said, nobody should ever labor under the false impression that good opsec involves leaving always on, internet-connected microphones sitting everywhere around your house.

One Portland family learned this the hard way when their Amazon Alexa unit recorded a part of a private conversation and randomly sent it to somebody in her contact list. According to local Seattle affiliate Kiro 7, the family was contacted by a coworker who stated that he was receiving audio files of private conversations that had occurred in the family's house:

and for the cellphone phanatic:

https://www.techdirt.com/articles/20180523/10003339890/wireless-carrier-abuse-location-data-makes-facebook-cambridge-scandal-look-like-amateur-hour.shtml

As we've noted a few times now, however bad the recent Facebook and Cambridge Analytica scandal was, the nation's broadband providers have routinely been engaged in much worse behavior for decades. Yes, the Cambridge and Facebook scandal was bad (especially Facebook threatening to sue news outlets that exposed it), but the behavior they were engaging in is the norm, not the exception. And watching people quit Facebook while still using a stock cellphone (which lets carriers track your every online whim and offline movement) was arguably comedic.

Perhaps this should become a matter for investigation internationally: how often do the telecommunications providers in Europe, Asia, Africa, South America, the Pacific, routinely track users?

And one last thing: any board gamers here (not bored gamers - that's the next room: check your local Monty Python skit chart)? They mentioned an adaption of a declassified CIA training board game. I'm thinking of getting a copy myself, but I'm not sure the people I've played board games with in the past are sufficiently paranoid ... :)

echoMay 29, 2018 1:59 AM

@Thoth

I find it very sad that ARM cashed out. I know some people refuse to IPO because they don't want to feed conglomerates growth and hollow out the economy. ARM is also a licensed template IHVs can mix and match and alter and anyone who thinks UK gov or any government isn't on this like a rash may be being taken advantage of.

@Wesley Parish

I wondered about this board game. This kind of thing might be entertaining too for people who wish to navigate the UK establishment and bureaucracy. Then again most people don't want to know how dirty this game can be and I don't blame them.

65535May 29, 2018 2:00 AM

@ Wesley Parish and Posters in the UK

“Perhaps this should become a matter for investigation internationally: how often do the telecommunications providers in Europe, Asia, Africa, South America, the Pacific, routinely track users?”

Apparently, all the time in the UK by the company Pageone. See poster United Kingdom from Krebs on Security below:

“In the UK the equivalent to LocationSmart is a company called Pageone (pageone.co.uk/lbsterms), owned by Capita Plc, which kindly sells our mobile location to third parties on our behalf.”- United Kingdom

https://krebsonsecurity.com/2018/05/mobile-giants-please-dont-share-the-where/comment-page-2/#comment-467728

or see commenter United Kingdom in Krebs on Security’s “Mobile Giants: Please Don’t Share the Where” May 22, 2018

https://krebsonsecurity.com/2018/05/mobile-giants-please-dont-share-the-where/

Can anyone in the UK verify the above company does the same as the USA based LocationSmart?

echoMay 29, 2018 2:17 AM

@65535

Oh do they? These people really are spivs aren't they? Just when you think wife beating and corrupt estate agents are solved problems they change the rules of the game.

echoMay 29, 2018 5:35 AM

@Ratio

I read this too! The law is a little opaque but there is a fundamental issue with "sharia courts" (which are not courts at all more a rigged mediating service) which trap women in marriages they don't want. This works because the bench is rigged by men and if a woman decides to leave her husband or divorce she faces the peer pressure of her relatives and community. There is a legal argument that this is false imprisonment and as such is a breach of the European Convention and UK laws. All of this is a known known so why isn't this fixed? It's also not the only example of this kind of reasoning.

65535May 29, 2018 7:02 AM

@ echo

“Oh do they?” [sell real time cell phone location data on UK citizens]

That is what one poster at Krebs on Security says. I would like someone from the UK to cross check the company and other companies in the UK that sell cell phone location data. I wonder how deep the cell phone location data rabbit hole is.

gordoMay 29, 2018 11:11 AM

I'm American, but for others who might be better-versed . . . . From The Register in 2016:

Mobe and Wi-Fi firms flog your location data to commercial firms, claim reports
That's why you're seeing loads of massage parlour ads
By Alexander J Martin 5 Apr 2016 at 11:44

Two reports by privacy campaigners into mobile and Wi-Fi services' location tracking activities have revealed practices of questionable legality and security.

https://www.theregister.co.uk/2016/04/05/mobile_wifi_firms_sell_your_location_data_advertisers_others/

echoMay 29, 2018 12:59 PM

Another Reuters. This time on sexism in the tech industry in China. This kind of thing isn't anywhere as near so bad in the UK but does follow a very similar pattern in my experience. I have had experiences which are very difficult to believe happened and nobody would believe if I told them yet everyone knows they happen. It's very frustrating.

In China's booming tech scene, women battle sexism and conservative values
https://www.reuters.com/article/us-china-tech-gender/in-chinas-booming-tech-scene-women-battle-sexism-and-conservative-values-idUSKCN1IU0HJ

Clive RobinsonMay 29, 2018 5:40 PM

@ Ratio, echo,

I'm far from surprised, to be honest.

Two things you need to consider. Firstly "the age of marriage", most of the non western nations don't have what we would call sensible "ages of consent" if they even have one. Likewise sensible minimum ages for marriage, again if any.

I'm sure you are aware of which ethnic / religious grouping gives Sharia Law precedence over secular law, and even try to do so when in secular nations. They further believe they have rights of ownership wherever they place their feet on land that is not already "owned" by their sect of their faith.

Well in total they represent a quite small part of the population in the UK. But the young men represent a significant fraction of the prison population and have disproportionately high levels of convictions and similar. But only come from one or two sects of the religion. Frequently these young men have been caught being involved quite seriously in drugs, prostitution, people trafficking and various forms of thuggish behaviour, intolerance to others and making threats etc. The sort of crimes you would expect from "junior mobsters".

Whilst it might be argued they are being victimized, the percentages and evidence given tends to suggest otherwise.

As people in other Western Nations are well aware these young men have a "sense of entitlement" and when they run into people who believe they should fit in with the secular behaviour of the nation they can and do get quite angry / violent. Unsurprisingly such a mental outlook makes them easy picking for radicalization. But many "self radicalise" and do so completely ineptly, thus become "known to authorities" who generally do not have the resources to adequately keep an eye on them. The result as I'm sure you are aware has been attacks on the civilian population of a number of European Nations.

Speaking of which, you might want to check the calendar with respect to one such atrocity,

https://en.m.wikipedia.org/wiki/Manchester_Arena_bombing

It is why people are currently asking questions as to "Why do we tolerate such people?" and "Why do we let them in?", drummed up by various media concerns. Further, why things such as "sex discrimination" carried out not just in religious venues but also state funded schools is getting questioned but not prosecuted. There are also other questions about "dress" and similar. You may be aware that France banned various items of clothing.

What you may not be aware of however is that the British Law Society guidance on Sharia law matters actively discriminates against women, which was quite a shock when I found out about it.

Shocking as it is, as has been noted, these issues arise from one or two sects. With the others being largely more law abiding than other minority groups in the UK.

It's a complex subject with even more complex solutions being discussed and thankfully being rejected.

65535May 30, 2018 2:29 AM

It looks like the GDPR fines and sanctions will probably be a while in coming and only hit the most egregious violators first [Facebook, Google, and institutions who leaked credit card data] according to Darkreading-infoweek.

My guess is that there will be quite a lot of deals cut and lobbying of EU regulators, so we will not see a huge number of USA based companies hit, and when they are hit they will probably cut deals to, shall we say, plea-bargain down to a much smaller fine.

“The GDPR grace period ends today. Experts take their best guesses on when data protection authorities will strike - and what kind of organizations will be first to feel the sting of the EU privacy law.”

[But farther down the article]

“Aminzade doesn't expect the authorities to be quick on the draw, however. His guess is that the first action won't happen for 12 to 24 months. "The European Union along with major industries and other stakeholders knows full well that not everyone is quite ready, so to hammer an organization early on would make less of an impact." … "The first monetary penalty is sure to sting to make a point, but unlikely to be the maximum – that will come further down the road," he predicts.” - Darkreading

https://www.darkreading.com/risk/compliance/gdpr-oddsmakers-who-where-when-will-enforcement-hit-first-/d/d-id/1331898

It looks like kid gloves treatment for violators of privacy the first year and not much enforcement. Time will tell.

echoMay 30, 2018 2:42 AM

@Clive

The European Convention and what passes for a European Union constitution aren't too bad, and do address many fundamental issues in a helpful way. The principles of lowest competent authority and regional development address over-centralisation and also create opportunity for improvement. For some reason the UK seems not to get this politically or institutionally. Austerity versus German rectitude doesn't help either. Soros for all his faults has put his full might behind a second referendum. Thank you Mr Soros.

Yes, UK legal advice on human rights and discrimination issues has traditionally been very poor. Both mechanisms were hijacked and turned into their exact equal and opposite. I can think of a few NGOs whose legal advice was extremely poor. The Law Society, like the BMA, is basically a union and some of their advice is woeful. Via the House of Lords (which has now been replaced by the Supreme Court, which is theoretically independent but actually a Parliamentary hijack of having the final say due to the doctrine (or more properly convention) of "parliamentary sovereignty"), and the General Synod and GMC, who everyone forgets are actually part of parliament, the system is rigged from the beginning.

I have spotted one big problem with regulators and NGOs and even the media. With regard to individual cases and adequacy (with effective remedy floating in the background) at the administrative level, the exceptional rule has become the general rule. The net result is blocking individual cases, blocking cases without a court judgment, and blocking advocacy for career protection reasons under the guise of "ethics". The police can be extremely bad (and the NHS equally so) where, when read the riot act by management, instead of staff "getting it" they instead "double down", believing that doing the same thing only harder is somehow working when it is in fact the complete opposite of what they should be doing.

Parliament now has very few engineers. Most career politicians seem to emerge from the twin tracks of unions or state sector, or lawyers in hock to the City. Parliament has recently opened up a clinic for its members staffed by psychiatrists. I will let the reader draw their own conclusions.

bttbMay 30, 2018 1:02 PM

More on Net Neutrality in the USA

From the University of Maryland and PPC (12/12/17):
"Overwhelming Bipartisan Majority Opposes Repealing Net Neutrality
[...]
At the conclusion, 83% opposed repealing net neutrality, including 75% of Republicans, as well as 89% of Democrats and 86% of independents.
The survey of 1,077 registered voters was conducted by the Program for Public Consultation at the University of Maryland (PPC), and released today by the nonpartisan organization, Voice of the People."
http://www.publicconsultation.org/archive-of-public-consultations/

From Mozilla (05/16/18):
"Update on Fight for Net Neutrality in U.S. – Senate votes to save net neutrality, now it’s up to the House"
https://blog.mozilla.org/blog/2018/05/16/update-on-fight-for-net-neutrality-in-u-s-senate-votes-to-save-net-neutrality-now-its-up-to-the-house/

From Mashable (05/17/18):
"Here's why the Senate's vote for net neutrality is a really big deal
[...]
What about Trump?

Of course, even if the House manages to pull off a net neutrality victory, there's still the question of whether the president would actually sign it into law when Trump's administration undid the rules in the first place.

But not everyone's so sure. As Tim Wu, the Columbia Law professor credited with coining the term "network neutrality," points out on Twitter, Trump might not have much incentive to support Pai and Comcast.

'Contrary to reporting, I'd say that if Net Neutrality restoration makes it to the White House, all bets are off. Does anyone really think Trump is loyal to Ajit Pai (who?) and Comcast (MSNBC) ... it just becomes a whole new and very unpredictable game
— Tim Wu (@superwuster) May 16, 2018'

Falcon agrees. "He doesn't have loyalty to the people who serve within the administration," he says of Trump. "At the end of the day, the president will look at where his base is." According to that University of Maryland Poll, 75% of Republicans want net neutrality.

Even without White House support, there are other reasons to remain hopeful about net neutrality."...
https://mashable.com/2018/05/16/senate-vote-net-neutrality-matters/

65535May 30, 2018 9:24 PM

Zuckerberg is in the news again. Although not directly related to GDPR, the government of Papua New Guinea [PNG] is shutting down Facebook for one month to examine the effect of pornography, news manipulation, and the like on its citizens.

“FACEBOOK users in the country can expect a month’s shutdown access to the site in PNG in order for the Communications and Information Technology Department to carry out research and analysis of its use… Communications Minister Sam Basil said that the shutdown would enable the department and National Research Institute to conduct further research on how the social network was being used by users..."time will allow information to be collected to identify users that hide behind fake accounts, users that upload pornographic images, users that post false and misleading information on Facebook to be filtered and removed… Mr Basil said that his Ministry was trying to enforce the Cyber Crime Act which was legislated in 2016... Act has already been passed, so what I’m trying to do is to ensure the law is enforced accordingly where perpetrators can be identified and charged accordingly. We cannot allow the abuse of Facebook to continue in the country.”-postcourier

https://postcourier.com.pg/shutting-facebook-png-reality/

WaPo says only a small percentage of PNG citizens use Facebook.

“According to government estimates cited by the Australian Broadcasting Corp., about 600,000 to 700,000 people in Papua New Guinea use Facebook, out of a population of roughly 8 million.”-Wapo

https://www.washingtonpost.com/news/the-switch/wp/2018/05/29/the-government-thats-banning-its-citizens-from-facebook-for-a-month/

I did not see any exact dates for the PNG month-long shutdown of Facebook. We will have to see if Zuckerberg cuts a deal to prevent the actual shutdown. This should give some indication of how powerful Zuckerberg’s PR team is. If Zuckerberg’s PR team is weak then more shutdowns could follow.

Bergdörfern May 30, 2018 9:43 PM

Why is it always Zuckerberg and never Sandberg, inasmuch as it is the latter who is the COO and presumably is the guiding genius of Facebook’s activities?

Maxwell's DaemonMay 30, 2018 10:10 PM

@Alyer Babtu re: https://arstechnica.com/gadgets/2018/05/intel-finally-announces-ddr4-memory-made-from-persistent-3d-xpoint/

The problem isn't in memory as I understand it but in the speculative optimization that the processor is using for speed. No telling, at this point, what the Xeon chip is going to look like until we get more about their design and implementation. As with Bruce, I believe this class of exploits will have a very long run.

What we need to do Really Soon Now is go back to basics on how you can take advantage of the properties of persistent memory in the operating systems. If you go through, for instance, "The Design and Implementation of BSD 4.3" (a book I'm rather proud to own) there are entire broad ranges of assumptions about the electronic characteristics that are hardwired into the operating system design. I have to feel a bit sorry for Linus and his kernel design in Linux. Monolithic designs are a pain and technical debt is a cast-iron b*tch.

I've stated this elsewhere on many occasions and gotten shut down. Not many people can see the "systems approach" you have to have to examine the broad range of implications in all the various forms of IT-engineering. And then you have to go back to thinking about the implications of those and their effect on how you design the electronics elements. As usual in engineering there are positive and negative feedback loops, what's worse is that it's spread all over the engineering disciplines.

Intel, as many a large enterprise in the past, apparently is going to use server CPUs, operating systems, and other current design elements, if what they've put out so far means anything. HP, before it split up, was nibbling around the fallout from a radical new memory class in what they called "The Machine."

There's zero chance I'll ever get to see the components to play with around here. I've neither the money let alone the health to pursue it. I can dream though.

echoMay 31, 2018 2:28 AM

@Bergdörfern

Zuckerberg may be treated like Branson. Beyond being the controlling entity with emotional reactions, Virgin's operation for years was run by Branson's COO. I forget his name; there was a falling out and a few years ago he was replaced for, I assume from Branson's point of view, business as usual. I suspect the skill of both is persuading or enticing people to do their work for them or hand over their valuables for essentially free. Both seem to have developed a cult where it's all about them. I guess some people stop developing the day they hit 21.

@Maxwell's Daemon

I agree in principle. I see a lot of this dealing with political issues even at an everyday level.

65535May 31, 2018 2:58 AM

@ Bergdörfern

“Why is it always Zuckerberg and never Sandberg…”

I guess one could include Sandberg, but then why not include co-founders Dustin Moskovitz and Chris Hughes? As I recall Moskovitz was one of the youngest billionaires out there.

My point was to see exactly how powerful Facebook's PR team is compared to the relatively small sovereign nation of Papua New Guinea. Will Facebook's PR team entice Papua New Guinea into dropping their ban on Facebook? If you are with Facebook, give us some odds.

Klaus SchmehMay 31, 2018 3:19 AM

Snake Oil or poorly written article? German high school students win youth science competition with crypto software

For those who speak German: According to an article in the local press, two students from the Rottweil area have won an award at Germany's most renowned youth science competition, Jugend Forscht, with a chat encryption software.
https://www.schwarzwaelder-bote.de/inhalt.rottweil-schueler-zeigen-es-sicherheit-im-netz-moeglich.4880a767-8fba-4c19-ad00-1fba3367687c.html

The article doesn't say much about the technology the two young programmers used. I'm afraid they invented an encryption algorithm of their own ("the new thing is that the encryption method is aware of letter frequencies in the German language"). This sounds a lot like snake-oil cryptography. Or is it just a concept the author of the article misunderstood?

The two award winners will present their solution at the CeBIT: https://www.cebit.de/aussteller/jugend-forscht-baden-wurttemberg/N468258

AnuraMay 31, 2018 4:49 AM

@Klaus Schmeh

I can't read German, but if they are talking about letter frequency at all then you should probably avoid it. Modern ciphers are completely immune to frequency analysis in the first place. If letter frequency is a concern then I'd guess it's just some sort of polyalphabetic cipher.
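
As an added illustration of Anura's point (example code written for this page, not the competition entry or anything from the article), the Vigenère-style cipher below is broken column by column from letter statistics alone, while the same analysis finds nothing in output whose shifts come from a plaintext-independent keystream. The sample text and the SHA-256 counter-mode keystream are constructed for the demonstration; that keystream stands in for "a modern cipher" and is not a vetted design.

```python
"""Added example: why "aware of letter frequencies" is a red flag. A polyalphabetic
cipher leaks plaintext letter statistics per column; an independent keystream does not."""
import hashlib
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Approximate relative frequencies (percent) of A..Z in English prose.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]
# Constructed sample plaintext for the demonstration (not taken from the article).
SAMPLE = ("Frequency analysis works because the letters of natural language are not used "
          "equally often. The letter E appears far more often than the rarest letters, and "
          "this imbalance survives any cipher that maps each plaintext letter to a fixed "
          "ciphertext letter. A polyalphabetic cipher spreads the imbalance over several "
          "alphabets, but each alphabet still leaks it, so whoever guesses the period can "
          "recover the key column by column. A modern cipher has no such weakness because "
          "its keystream does not depend on the plaintext at all, so the output is flat.")

def clean(text):
    return "".join(ch for ch in text.upper() if ch in ALPHABET)

def shift_letters(text, shifts):
    """Shift text[i] by shifts[i % len(shifts)] places, wrapping around the alphabet."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + shifts[i % len(shifts)]) % 26]
                   for i, ch in enumerate(text))

def vigenere_encrypt(plaintext, key):
    return shift_letters(clean(plaintext), [ALPHABET.index(k) for k in key])

def vigenere_decrypt(ciphertext, key):
    return shift_letters(ciphertext, [-ALPHABET.index(k) for k in key])

def keystream_encrypt(plaintext, key):
    """Illustrative only (not a vetted cipher): shifts drawn from SHA-256 in counter
    mode stand in for a keystream that is unrelated to the plaintext."""
    text = clean(plaintext)
    shifts = []
    for counter in range(len(text) // 32 + 1):
        digest = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        shifts.extend(b % 26 for b in digest)
    return shift_letters(text, shifts[:len(text)])

def index_of_coincidence(text):
    n = len(text)
    if n < 2: return 0.0
    return sum(c * (c - 1) for c in Counter(text).values()) / (n * (n - 1))

def guess_period(ciphertext, max_period=12, threshold=0.055):
    """Smallest period whose columns look like English (IC near 0.066) rather
    than uniform (IC near 0.038). None means no period leaks the statistics."""
    for p in range(1, max_period + 1):
        cols = [ciphertext[i::p] for i in range(p)]
        if sum(index_of_coincidence(c) for c in cols) / p > threshold:
            return p
    return None

def recover_key(ciphertext, period):
    """Per column, choose the shift whose histogram best matches English
    (minimum chi-squared). This is the classical attack a cipher must resist."""
    key = ""
    for i in range(period):
        col = ciphertext[i::period]
        counts, n = Counter(col), len(col)
        chi2 = lambda s: sum((counts[ALPHABET[(j + s) % 26]] - ENGLISH_FREQ[j] * n / 100) ** 2
                             / (ENGLISH_FREQ[j] * n / 100) for j in range(26))
        key += ALPHABET[min(range(26), key=chi2)]
    return key
```

Running `guess_period` and `recover_key` on `vigenere_encrypt(SAMPLE, "KEY")` yields period 3 and the key; on `keystream_encrypt(SAMPLE, b"demo key")` no period stands out.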

Klaus SchmehMay 31, 2018 7:06 AM

@Anura:
>if they are talking about letter frequency at all
>then you should probably avoid it.
This is exactly what I thought. I still hope that this is a bad newspaper article about a good crypto solution, and not a bad crypto solution.
Jugend Forscht is the biggest youth science and technology competition in Europe. I hope the jury didn't make a mistake.

echoMay 31, 2018 7:50 AM

I am still in the process of peeling myself off the ceiling after reading about UCAS discrimination. Putting aside all issues and focusing simply on the system, I cannot believe that not only did nobody spot the skewed outcomes, but they also continue to parrot the line of "industry standard software". I am also concerned the media do not get this, and the Independent, in spite of their coverage, is guilty too with their fence sitting. Opposition parties are using this issue as a bully stick to target the government, when I'm not personally convinced they get it either, and I suspect their protests are just disguised electioneering.

What bothers me is the discrimination everybody suffers (and by this I do mean everybody) and how "the system" works in practice. I'm also curious why the more technical aspects of this are not front and centre. Why are engineers and security experts not consulted or involved with the dialogue, when these disciplines can add value where the traditional sources have blind spots?

https://www.independent.co.uk/news/education/education-news/black-students-university-uk-racism-ucas-application-a8376501.html

Clive RobinsonMay 31, 2018 8:25 AM

@ bttb,

With regards your "What about Trump?" question on net neutrality.

It is becoming clear that one major Trump policy decision is to "undo Obama". That is, to in effect take action to do the opposite of what Obama did as President, to effectively wipe out any legacy[1].

Thus, as the named commenters in the piece you quoted appear not to consider this, it puts the validity of their decisions in question.

[1] This policy choice appears in line with Donald Trump's objections to the Obama Presidency from the get go, and his active support of the birther agenda etc.

echoMay 31, 2018 11:34 AM

The DWP is using supermarkets' surveillance systems to spy on claimants. Note how Sainsbury's hides behind bland one-size-fits-all legal boilerplate.

This is the same Sainsbury's whose CEO sang "We're in the money" when a merger deal with ASDA went through. Note the extremely low number of investigators dedicated to investigating the super rich and the huge amount the wealthy go walkies with. It's all a little convenient, isn't it?

https://www.theguardian.com/commentisfree/2018/may/31/benefits-claimants-fear-supermarkets-spy-poor-disabled

echoMay 31, 2018 1:25 PM

Surveillance tech seems to have a lot of upfront backing from technology companies in China. At least the Chinese are honest about it!

https://uk.reuters.com/video/2018/05/30/in-china-a-race-to-supply-surveillance-t?videoId=431629637&videoChannel=4000&channelName=Technology

A recent police equipment fair in Beijing offers a peek into the race to supply Chinese security forces with technology to monitor and punish behavior that runs against the ruling Communist Party. As Reuters' Pei Li explains, companies are racing to outdo each other's abilities to track people.

ThothMay 31, 2018 9:28 PM

@echo, Clive Robinson

re: Surveillance tech seems to have a lot of upfront backing from technology companies in China. At least the Chinese are honest about it!

Welcome to the Chinese Social Credit System.

Enabled and empowered by the ARM chips in all the smartphones, leveraging off the Chinese-endorsed phone apps like WeChat, Alipay and so forth that routinely fingerprint the chips via hardware-backed cryptography, ARM TrustZone et al.

What is worrying is that most security professionals I have interacted with wave their hands and tell me that worrying about the abuse of ARM TZ et al. (including Intel ME/SGX and AMD PSP) is just paranoid and nothing to worry about ... this is how well the marketing of ARM et al. has been doing and pushing, to the point that what worries me is that the knowledge of security would one day disappear and become 100% market-controlled perception and smoke and mirrors.

Clive RobinsonMay 31, 2018 10:06 PM

@ Thoth, echo,

What is worrying is that most security professionals I have interacted with wave their hands and tell me that worrying about the abuse of ARM TZ et al. (including Intel ME/SGX and AMD PSP) is just paranoid and nothing to worry about

Well they are either NOT engineers, or they are too inexperienced to hold valid views.

I'm sorry if that upsets security experts / gurus, but they have been so often so far behind the curve on security issues that their viewpoint is as ill informed as most people walking down the street.

As one or two posters on this blog have regularly pointed out --you and I included-- there are a lot of nasties in modern macro CPUs.

At least we few posters have tried to be proactive about it. Unfortunately our reward appears to be having academics rip off our ideas and in effect "pass them off" as their own. What makes it especially galling, as I have found out, is that you can be accused of plagiarism by others of their ilk...

Apparently academics have their own special meaning of "Published"[1] which allows them to plagiarize to their hearts' content and get away with it...

Thus academics form a very closed shop to protect their little patch of dirt in the larger field of endeavour. It's a shame, but then I guess like all pirates and thieves they feel the need of a gang / den of iniquity for self-protection.

[1] Their form of "publishing" is quite closed shop, more so than some of the older publishing houses that would steal all your rights. Many "online" systems are by "invitation only" as just one of many barriers.

JuiceMay 31, 2018 11:37 PM

Ultrasound-firewall for mobile phones

Defence against unwanted audio tracking by acoustic cookies

The SoniControl project of St. Pölten University of Applied Sciences has developed a mobile application that detects acoustic cookies, brings them to the attention of users and if desired, blocks the tracking. The app is thus, in a sense, the first available ultrasound-firewall for smartphones and tablets. "The most challenging part of developing the app was to devise a method that can detect different existing ultrasound-transmission techniques reliably and in real time", said Matthias Zeppelzauer, Head of the project and Senior Researcher in the Media Computing research group of the Institute of Creative\Media/Technologies at St. Pölten UAS.
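
An added example of the kind of check such an app has to make on every microphone frame (written for this page; it is not SoniControl's code): it measures how much of a frame's energy sits in the near-ultrasound band where acoustic beacons are placed and flags the frame if that share is abnormal. The 44.1 kHz sample rate, the 18-20 kHz band, the 0.5% threshold and the synthesised test frames are assumptions made for the demonstration.

```python
"""Added example: flag a near-ultrasound "acoustic cookie" in an audio frame by
comparing the 18-20 kHz band's energy with the energy of the whole frame."""
import math

SAMPLE_RATE = 44100            # Hz; assumed microphone rate (common on phones)
FRAME = 4096                   # samples per analysis frame (about 93 ms)
BEACON_BAND = (18000, 20000)   # Hz; assumed beacon band: inaudible to most adults
THRESHOLD = 0.005              # assumed: flag if > 0.5% of frame energy is in band

def goertzel_power(samples, k):
    """|X[k]|^2 for one DFT bin k via the Goertzel algorithm (O(N) per bin)."""
    coeff = 2 * math.cos(2 * math.pi * k / len(samples))
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def ultrasound_fraction(samples, rate=SAMPLE_RATE, band=BEACON_BAND):
    """Share of the frame's energy inside the beacon band. Parseval for a real
    signal: the positive-frequency bins together hold N * sum(x^2) / 2."""
    n = len(samples)
    total = n * sum(x * x for x in samples) / 2
    if total == 0:
        return 0.0                       # silent frame: nothing to flag
    lo, hi = math.ceil(band[0] * n / rate), math.floor(band[1] * n / rate)
    return sum(goertzel_power(samples, k) for k in range(lo, hi + 1)) / total

def detect_beacon(samples):
    return ultrasound_fraction(samples) > THRESHOLD

def synth(tones, n=FRAME, rate=SAMPLE_RATE):
    """Constructed test audio: a sum of (amplitude, frequency_hz) sinusoids."""
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for a, f in tones)
            for i in range(n)]

# Constructed frames: speech-like low tones, with and without a quiet 19.1 kHz beacon.
VOICE_ONLY = synth([(0.5, 440.0), (0.3, 1250.0)])
VOICE_PLUS_BEACON = synth([(0.5, 440.0), (0.3, 1250.0), (0.08, 19125.0)])

if __name__ == "__main__":
    for name, frame in (("voice only", VOICE_ONLY), ("voice + beacon", VOICE_PLUS_BEACON)):
        print(f"{name}: {ultrasound_fraction(frame):.4%} in band -> "
              f"{'BEACON' if detect_beacon(frame) else 'clean'}")
```

A real detector would also have to cope with microphone noise and the phone's own speaker output, which the constructed frames leave out.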

echoJune 1, 2018 6:01 AM

@Clive, @Thoth

My issues are more with other kinds of systems of the bureaucratic and discrimination kind. I have noticed similar systemic issues such as both of you describe (which require translation to criss-cross domains but are close enough) and silencing is a real issue. Monopolies and inexperience don't produce happy results and human rights abuses are not far behind.

I'm familiar with manufacturer obstruction to maintain market dominance and being ripped off too. It's not very nice, I agree. To some degree carrying projects forward in spite of this is one skill which the best Hollywood producers and others in a similar position possess.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.