Friday Squid Blogging: Extinct Relatives of Squid

Interesting fossils. Note that a poster is available.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on June 8, 2018 at 4:04 PM • 54 Comments

Comments

EdJune 8, 2018 4:53 PM

Activists demand details on ‘secretive’ LAPD crime-fighting tool
https://www.dailynews.com/2018/02/13/activists-demand-details-on-secretive-lapd-crime-fighting-tool/
A coalition of activists has sued the city of Los Angeles alleging officials have failed to comply with a public records request seeking information about a controversial “predictive policing” strategy in use for years. The lawsuit, filed Tuesday in Los Angeles Superior Court on behalf of the Stop LAPD Spying Coalition, seeks details about LAPD’s Los Angeles Strategic Extraction and Restoration— or LASER — program. Operation LASER tells patrol officers where crime is most likely to occur and keeps track of ex-convicts and others they believe are most likely to commit them through technology such as license plate scanners and cellphone trackers. Hailed by LAPD brass as a smart way to reduce violent crime, it uses CIA-created technology while fusing data collection and street-level intelligence with the aid of the super-fast computer platform Palantir.

echoJune 8, 2018 5:12 PM

The retailer "Lush" began a campaign to highlight how abusive police udnercover workers werein formign sexual relationships with women. Their shops carried a poster to mark this campaign which they have had to withdraw due to staff being approached by random visitors with threats.

Internet search data has revealed how discriminatory attitudes tend to create hostility within communities which can institgate the very problem the instigators claim was happening.

Latest research has created much more realistic fake videos of people talking including body movement and background shadows. The video in the article is very through and uses examples of prominent politicians, Obama, May, and Putin, to illustrate their work. They also show comparison images adn frame analysis to help give you an idea of the relative quality compared to earlier research.

https://www.theguardian.com/uk-news/2018/jun/07/lush-removes-posters-undercover-police-spies-campaign

Using Internet search data to examine the relationship between anti-Muslim and pro-ISIS sentiment in U.S. counties
http://advances.sciencemag.org/content/4/6/eaao5948

https://futurism.com/ai-can-now-manipulate-peoples-movements-in-fake-videos/

Anonymous_paranoiacJune 8, 2018 7:07 PM

So, I was reading a story about suicide on CBC today and followed a link to some suicide prevention site. Might be this one: http://www.crisisservicescanada.ca/en/

And the site refused to show me the page, throwing a CAPTCHA at me instead. Standard Cloudflare anti-Tor shit (where solving the CAPTCHA gets you nothing but another fucking CAPTCHA), but now I'm kinda freaked out. Is this group hoping I'll turn off Tor and reload the site so they can locate me? What possible reason is there for them to prevent anonymous users from simply reading the site and seeing their hotline number? I if I disable Tor, would I get put on Doubleclick's "users who might be suicidal" list and have anti-suicide ads follow me around? Chelsea Manning just had police break into her house with guns drawn when reported as suicidal, so this is worrying.

Did this group consider that there might be, you know, repercussions to immediately accusing a suicidal person of being a robot? People have called me robotic before, and it's not really what I need to hear. Till now I'd considered Cloudflare to be a mere annoyance, but false positives can have serious consequences.

echoJune 8, 2018 7:26 PM

I don't know if anyone watched this interview with Jeff Bezos last month. I noticed Jeff Bezos offers comment on the internet including a few security related points. He says nothing new or unique and I am as capable of cynicaism as anyone but felt clipping the highlights may be of interest.

He says this is a huge deal for civilisation and very horizontal and is concerned about machine learning. Age of the internet and very recent sizable scale. As a civilisation we are still learning how to operate the internet. Fantastic capalities: he gapes at Wikipedia and expresses concern over the ability of governments to meddle in elections. Claims to have a duty on behalf of society to educate regulators while accepting regulation is not his responsibility but will be followed regardless of what the regulation is. Expresses concern regulation favours encumbents. Advocates continued progress. Data security, privacy, encryption: safeguarding physical safety against terrorists and bad actors. Earning trust with customers is a valuable business asset. Never mistreat customers data because they are smart and will figure it out.

From 27.33 to 32.18.

Jeff Bezos Talks Amazon, Blue Origin, Family, And Wealth
https://www.youtube.com/watch?v=SCpgKvZB_VQ

Wesley ParishJune 9, 2018 4:29 AM

Interesting article on "cyberwarfare" from our friends at The Register:

http://www.theregister.co.uk/2018/06/08/gchq_former_boss_infosec_keynote/

InfoSec Europe Former GCHQ chief Robert Hannigan has warned that the emergence of a commodity marketplace for hacking has changed and escalated the threat.

I like to see intelligence in a civil servant:

Since leaving the signals intelligence agency, Hannigan has spoken out repeatedly against the advisability and practicality of encryption backdoors.

CallMeLateForSupperJune 9, 2018 10:23 AM

@Anonymous_paranoiac

Avoiding the Doubleclick beast and the myriad other trackers is not hard to do: surf to
https://www.eff.org
and install their PrivacyBadger, a browser add-on.

echoJune 9, 2018 11:46 AM

@Wesley Parish

As much as I welcome good comments from Robert Hannigan and Jeff Bezos there are always caveats.

The UK state sector is very box ticky and doesn't get history or culture, and can have a "them and us" institutional bias. They also don't get the "market" and in some cases abuse their positions to ensure internal markets are killed and private sector involvement is buried under a wall of rigged contracts. All the reports and studies and publicly available data is there so I'm not saying anything anyone doesn't already know.

I have a suspicion the state sector (and large private sector organisation) mindset can sometimes create more problems than it solves which Jeff Bezos actually alludes to when refering to his own private sector company.

@CallMeLateForSupper

I dislike workarounds. My opinion is that workarounds instead of solutions tend to reward continuing bad design. There is EU legal precedent indicating that an "authority" may not be the sole arbitor of an issue and that the problem may involve multiple sources of expertise. This opens the door to stronger challenging of "authority" decisions rather than encoruagign workarounds or atthe extreme nod along acquiescence with the system which as you might appreciate simply feeds an "authority" who may simply use this as encouragement to become more authoritarian and step further away from a solution. See also: legal drift raising decision thresholds.

CallMeLateForSupperJune 9, 2018 12:06 PM

@Bob
"I still don't understand what brazil's argument against paper ballots is though."

I don't know either. I suspect that any reason(s) pushed forth is/are shallow "alternative facts" that could easily be knocked over by anyone whose normal discourse consists of sentences exceeding, shall we say, four words.

I am speculating here, but Brazilians who promote tech "solutions" to voting are probably not the slightest bit different from Americans who are of the same opinion (except the average American does not speak Portuguese at all and has some difficulty speaking English). So I think the arguments used in Brazil - both pro and con - are probably the same as those used in the U.S.

A Brazilian guyJune 9, 2018 12:17 PM

@Bob

Some of the argments that were made to invalidate the printing of votes in brazil follows:
-It would "undo" secret votes guarantees (as the lawyer that questioned raised the lawsuit said https://oglobo.globo.com/brasil/raquel-dodge-questiona-voto-impresso-no-stf-22366655)
-It would be too expensive for what it gives back (~2 billions of reais: https://politica.estadao.com.br/noticias/geral,impressao-de-voto-vai-custar-r-2-5-bi-diz-tse,70001900669 and/or http://cartacampinas.com.br/2018/02/raquel-dodge-tenta-derrubar-regra-que-garante-confiabilidade-as-urnas-eletronicas/)

I do think that electronics voting machines need to print votes in some way. Brazilian voting machines are complete junk in this regards.

But the TSE (https://en.wikipedia.org/wiki/Superior_Electoral_Court) likes to say to anyone (and a lot on TV) that the brazilian voting machines are the best in the world. Even though it was rejected in every other country that Brazil tried to push to use them (http://blogs.diariodonordeste.com.br/egidio/tecnologia/urnas-eletronicas-brasileiras-sao-rejeitadas/)

Some examples that I took the liberty to translate from the previous link (following the same numbers):
1) US. rules/regulations desqualify the brazilian voting machine because it is not possible to audit the voting independently of the software in it.
2) Germany declared the brazilian voting machine to be inconstitutional because it is not possible to audit the votes in a software-independant way
4) Paraguay abandoned using them after receiving 15000 machines for free. Reason? security faults

If you care to see this 2013 youtube video (in portuguese, but there is english subtitles) "Sucker" talks about the machine and mentions a lot of the problems that there are in the system (added some spaces on youtube links): https:// www.youtube .com/ watch?v=_DQONk4disU

There is also a podcast that "sucker" did with Amilcar Brunazo Filho (a brazilian voting machine expert), it is amazing some of the things that he said happens in TSE when you pose a legal request for information about the machines (I don't think that there are subtitles in this video) (added some spaces on youtube links): https:// www.youtube .com/ watch?v=T4ZkFfrAcqc

There is also the professor Diego Aranha that also found several security problems in the machine and had his findings rejected by TSE. There is a 2012 video about this security issues here (again no english subtitles) (added some spaces on youtube links): https:// www.youtube .com/ watch?v=OI9dh5DzTuA

It is really sad to see Brazil doing this stupid shit... but it is understandable if you consider that deeply corrupt country.

A Brazilian guyJune 9, 2018 12:24 PM

I just noticed that some links that I posted have an unecessary ) in the end... oh well...

@CallMeLateForSupper

I think that there is no argument against paper votes in brazil. It still is used as a fallback if the voting machine in a section fails. People in brazil in general thinks that using an electronic voting machine is a good thing.

I do think that an electronic voting machine is a good thing, but if implemented correctly (which it is not in brazil)

AlejandroJune 9, 2018 3:33 PM

@Brazilian Guy
Re: "I do think that an electronic voting machine is a good thing..."

Yes, with conditions.

To me it's clear the digitization of records is marvelous in many ways. It's the internet that creates problems, especially where money and power is involved.

So air-gapped electronic voting machines collect and count the votes. Then the machine downloads the data to a non-internet connected device. Also, prints up a summary record. THEN, the second machine goes live and electronically, securely transmits the vote to the next level. Thus there is some some redundancy and I would think higher security.

Conversely, letting the voting machine collect, tabulate, do maintenance and communicate the vote over the internet without any paper trail or other trustworthy verification is plain nuts.

echoJune 9, 2018 3:51 PM

The problem with any nuclear weapon launch detection or nuclear weapon detection system is when the capability outsripts the opponent and effectively facilitates first strike. This was a lesson learned during the Cold War. As other states satellite and other detection systems don't advance as quickly or fall into disrepair this hightens difference the in capability or perceptions of capaibility which increases the risk of war.

Deep in the Pentagon, a secret AI program to find hidden nuclear missiles
https://www.reuters.com/article/us-usa-pentagon-missiles-ai-insight/deep-in-the-pentagon-a-secret-ai-program-to-find-hidden-nuclear-missiles-idUSKCN1J114J

BobJune 9, 2018 5:03 PM

@A Brazilian guy

Thanks! I barely understand portuguese but thats a lot of info.

"Dodgy! Raquel Dodge dodges experts" Sounds like a headline from El Reg :P

Now... the paraguay part was big imo. If a country as poor as paraguay rejects your free stuff, it REALLY sucks.

carrotsJune 9, 2018 5:12 PM

@Mark, @All

I'm absolutely amazed that your willfull ignorance about the danger I told your product presents, is of the scale that makes you actually report it to the authorities.

http://www.defence.gov.au/publications/reviews/tradecontrols/Docs/Mark_Lane.pdf

Page 20:

In your email you have referenced a “‘death threat’ against current and future end users of ‘[FC], A Tale Of Cynical Cyclical Encryption’”. If you have any concerns for your safety or the safety of others, you should contact your local police station.

I know you want to feel important. The pseudo-official communication with Australian government, with all that alphabet soup shows it perfectly well. However, the fact is nobody has threatened you or any user of your product, and as a native speaker of English one would assume you have no problem understanding what the comment meant: Your product is dangerous to people who need to rely on strong crypto with their lives. Trying to silence critique with these steps shows your true quality. You're no different from companies that endanger their users by keeping data breaches to themselves, and from those that sue anyone trying to publicize security issues.

If you want me to take my words back, get a peer review by any known expert, or ask Australian government to sponsor ACE/HA evaluation and publish the findings, unredacted. Everyone should see page 23 and how well you handle PR regarding evaluation fees and national security your product could "save". Alternatively, show the previous schneier.com conversation at your local police station at let us know how hard they laughed at your face.

ThothJune 9, 2018 8:31 PM

@carrots

I think it's simply a waste of time to follow that particular Cryptography product and it's drama. If you have noticed, most of us simply ignore it as we clearly know that these products needs more efforts to mature if they really want to be huge sellers.

Also, the current IT Security market is not in the end-user/consumer space for Cryptography. It simply doesn't sell well because security is something most people expect to be bundled and not bought individually.

Selling standalone security products for end-user space have seen a huge hit in business and most businesses that that tries to sell IT Security products for end-users are either facing problems selling their stocks or are moving away to other market segments to create security packages to leverage off big players like Microsoft, Amazon et. al.

It is sad that we have to leverage off big players to sell our wares but that is the reality of IT Security businesses in the current era.

The marketing and sales also would have to be convincing and so far that particular Cryptography product you mentioned would not make the cut in the boardroom nor from an end-user's perspective and would probably not make much sales anyway as it lacks the charm to convince prospective customers and also the drama that surrounds it.

The current biggest buyers of IT Security products are the Government, Financial Sectors, IoT industry, transportation, national infrastructure and so on and they already use much more secure data encryption methods like using HSMs, smart cards and TPMs to encrypt files and so on which makes the use of software backed encryption redundant thus the market for encryption as a whole is currently fully saturated with both software and hardware backed encryption solution and trying to make a dent in the market to get in is like trying to scale a 10000 foot vertical and slippery wall with very little chance of entering the market unless you have some magickal formulaes that big players do not have.

A good example of a not very well regarding product (in my personal opinion) which is the ARM TZ and family of derived technologies manages to drive sales up is due to the excellent marketing and sales efforts they have been driving despite the nature of their technology. Efforts to denting the capabilities of ARM TZ et. al. with the likes of Meltdown and Spectre and other attacks against the TEE-OS (Secure OS) for the ARM TZ have led to little impact on sales of their patent portfolios. In fact, their sales have become stronger and more companies, banks, Governments, financial institutions and IT Security personnels and companies are actually buying into the ARM TZ technology despite it's flaws with increasing demands for using smartphones and IoT devices to access every part of a person's private life despite the flawed design and implementations of ARM TZ et. al.

That is marketing at it's finest in the industry ... to be able to continue sales and increasing the demands exponentially despite hitting problems ... which is very scary to think of in the first place.


65535June 10, 2018 1:34 AM

@ Ed

“The lawsuit, filed Tuesday in Los Angeles Superior Court on behalf of the Stop LAPD Spying Coalition, seeks details about LAPD’s Los Angeles Strategic Extraction and Restoration— or LASER — program. Operation LASER tells patrol officers where crime is most likely to occur and keeps track of ex-convicts and others they believe are most likely to commit them through technology such as license plate scanners and cellphone trackers.”-dailynews

Wonderful, police perusing citizens who are considered guilty until proven innocent in the Laser program. I wonder if the CIA technology includes probably “be on the lookout” for any black or Mexican man that is on the street and stringray him every cell phone call he makes or just harass him into a provocation which leads to death. Which may explain why so many police shootings occur in LA. I wonder how many innocent people get caught up in the Palantir powered program.

“The Coalition is also seeking the names of all databases that the computer platform, Palantir, searches through in the creation of a “chronic offender bulletin,” which is opened up on targeted individuals… According to the lawsuit, individuals are identified as Operation LASER targets through “secretive, pre-determined criteria.” They are not notified they have been targeted and there’s no known mechanism to request removal from the system… “These people are not actively committing crimes,” Garcia argued. “The intense amount of surveillance they are under in the community could lead to a deadly situation.”… “You have a department that has a budget over a billion dollars and over 14,000 personnel, yet they can’t manage to comply with these pretty basic state statutes regarding their obligations to be transparent with the public about their programs,” Colleen Flynn, one of two attorneys representing the Stop LAPD Spying Coalition in the case, said Tuesday.”- dailynews

https://www.dailynews.com/2018/02/13/activists-demand-details-on-secretive-lapd-crime-fighting-tool/

It will be interesting to see what exactly this LASER program consists of and how to be police cruisers will be at a pre-located possible crime scene and “handle” it. I wonder how deep the rabbit hole will be on this project.

@ Thoth

“The current biggest buyers of IT Security products are the Government..”

When all of components of the government and their sub-contractors are added up I would guess the government is the largest buyer of both IT Security and Data Broker information products.

Thomas_HJune 10, 2018 1:44 AM

Had a multi-fail at airport security last night (smallish French airport).

While walking through the metal detector I set it off. The relevant security agent didn't frisk me (fail #1), instead sending me to his colleague - without actually talking to her (fail #2). I had to initiate the conversation, as she wasn't paying attention (fail #3) - could have walked straight through. Now she didn't frisk me either (fail #4).

Instead I got checked for explosives with a small paper swab that got held under a machine that gave her the all-clear. Except that the lady had only a glove on one hand (right hand), took out the paper with the other (glove free) hand, transferred it to the gloved hand, and then stuffed the paper into the machine with the left hand (i.e. the one without the glove). Likely she was left-handed and simply didn't pay attention (massive final fail). So by working that way, if she had a positive result at a certain moment, all subsequent people would test positive because she'd have contaminated herself due to how she handled the swabs...brilliant.

Of course, there also was the huge crowd before the security check, which would have been a much juicier target for a would-be bomber as it consisted of multiple aircraft worth of people...


Once past security I talked to my family about explosives and how moronic the check was in the departure area, which was full of people with almost no security present.

carrotsJune 10, 2018 6:44 AM

@Thoth

I agree the product is a waste of time. However, I have found it important to follow the development of the matter through.

The issue is, this product is in the end-user/consumer space market more than it is selling to companies. The communication with regulatory body of Australia is meant to provide the developer feeling of importance, but it also strives to make it appear legitimate. Another example is, the end user does not see the difference e.g. between submitting the white paper (i.e. the cringe-worthy marketing material) to AsiaCrypt, and it getting accepted. Yet Mr. Lane is advertising the event almost as if the two have more common than the fact he has (most likely) spammed their submission platform.

The larger concern is the fact the likely customer base is average people that might find the green-on-black background appealing. It is the exact sort of people who get frustrated doing file encryption with PGP and look for something where the command is a bit simpler, who are in danger. This includes activists, dissidents and whistleblowers (in that particular order).

The reason I've been vocal about this here, is to show there is a new generation of experts forming that will keep fighting against snake oil. I'm following the product through here as a part-time hobby that helps me organize my thinking of the matter, as a warning to others who might try such a scam, and as a transparent, centralized source of information about the issues within the product. It is helpful for scholars looking to write / update their writings about the development of snake oil in general, and again, it warns people in dangerous situations not just that this particular product is dangerous, but that there is a cottage industry out there that does not have their best interests in mind.

Now I'm not trying to pester anyone here. I mostly read here anyway. I figured stumbling on such official communication was worthy of mentioning.

That being said, I would like to thank you for the thoughtful and eye-opening writing regarding the situation of IT security market.

echoJune 10, 2018 6:55 AM

@Thoth @Thomas_H

Nod along bureaucracy to maintain reputations and headcounts. "Instititional investors" who always vote with the board. Amateur enthusiast lawyers who only read case law and never consult experts.

I have had a senior lawyer attack me and dismiss everything as political when they ignored: A.) UK constititional law on the division of state power and citizens power, B.) Case law on the merit and relevance of beliefs (i.e. a rational view based on structured well informed opinion) C.) Jurisprudence on lawyers legal obligations to answer questions when issues of lawfulness of behaviour are an issue, D.) Jurisprudence and case law on due diligence of a case and financial control relating to equitable expenditure on case resources.

I have a stack of legal commentary and an entire book devoted to analysis of a state organisation among other things on the "nod along" culture addressing the "approve X because it is X" issue while subjecting microscopically important issue "Y because it is Y and not X".

Due to their own lack of policy and training issues I am currently waiting on a referral to the governance board of a major UK political party on an issue relating to Convention rights with emergency/urgent criteria. This is very embarassing for them as it relates directly to a headline party policy, them going back on undertakings, and a breach of privacy case law.

I can assure you with further explaining this gets worse not better.

echoJune 10, 2018 4:00 PM

@Clive

I am not one to deride obsolete hardware and processes if they work. Mind you, my on its last knees desktop now fileserver has decided to develop a critical boot fault (which may be memory or likely power supply). How lovely when I have a meeting I tomorrow I need to have with me critical case files and a promised archive of reference material. Thanks the gods for drive caddies.

The issues I raised about systemic discrimination and abuse of patients (including physical and sexual assault and threats and fraud and police collusion with cover-up of abuse) over the past month or two are all coming home to roost now.

Clive RobinsonJune 10, 2018 5:28 PM

@ Bruce and the usuall suspects,

How simple do you want your replay attacks to be?

How about RF key fobs and the like,

https://m.youtube.com/watch?v=ewY-woG1dNw

Oh and knowing the basics, it's not to difficult to get into the dot wav files and edit them for somebody elses, say your neighbours key fobs.

Back in the mid 1990's as a designer of cordless and similar phones it was a bit harder to do. You would grab a competitors RF signal in a Radio Test Set and output the waveform to a Storage Oscilloscope measure it up and then write a bit of machine code via a timed ISR to send the wave form.

It was not difficult to work out all a competitors functionality including some things that were unused functions or extension functions. Enough to be able to make some competitors phones CPUs to hang up.

It's way way easier today. If you want to get a bit more high tech for under 10USD you can buy from Adafruit or similar multiple output oscilator boards that can be modulated in several ways.

You can also using a Mini Circuits double balanced diode mixer make a "Direct Conversion Receiver" that will let you pull out the baseband modulation into a Hundred Mhz DSO or similar PC sound card and pull the waveform via USB onto a computer you can then use various easily available for free software packages to edit it clean it up and then using the mixer in reverse retransmit your edited signal. In essence a very simple SDR...

If you have a look at this web site you will see just how easy it is to make your own equipment for not much more than pocket change.

http://kv4qb.blogspot.com/2018/03/

three plus onesJune 10, 2018 6:45 PM

from gordo's Chomsky link on another thread
https://www.schneier.com/blog/archives/2018/06/an_example_of_d.html#c6776439

C. J. Polychroniou: Noam, the US intelligence agencies have accused Russia of interference in the US presidential election in order to boost Trump’s chances, and some leading Democrats have actually gone on record saying that the Kremlin’s canny operatives changed the election outcome. What’s your reaction to all this talk in Washington and among media pundits about Russian cyber and propaganda efforts to influence the outcome of the presidential election in Donald Trump’s favor?

Noam Chomsky: Much of the world must be astonished — if they are not collapsing in laughter — while watching the performances in high places and in media concerning Russian efforts to influence an American election, a familiar US government specialty as far back as we choose to trace the practice. There is, however, merit in the claim that this case is different in character: By US standards, the Russian efforts are so meager as to barely elicit notice.


Since that article was published January 19, 2017, I wonder what Chomsky has said more recently.

echoJune 10, 2018 7:32 PM

I remember the violence of Republican supporters outside the Florida counting house which precipitated a chain of events which ended in Al Gore losing the election. This kind of provocative violence is a hallmark of the political right (but also used in other ways by the political left) to influence outcomes. (I seperate the political and psychological wings because both parties contain a mix of profiles who are traditionally associated with the opposite.) On th elft side o the fence I have always wondered if John Kerry was so interested in how Mugabe won because he felt miffed at missing a trick or two. I speculate the Russian paranoia may be caused by guilty minds who may not necessarily have done anything wrong but who may certainly have harboured an ambition or two.

Aaran Banks, a leading Brexit advocate, is up to his neck in being exposed as meeting with the Russians with the tantalising deal of Russian gold mine concessions being dangled under his nose along with Nigel Farage and others of similarly shady predispositions.

I look forward to the day certain people face an honest and fair court.

echoJune 10, 2018 8:01 PM

National security journalist Marcy Wheeler comments on the Hutchins case.

I thought I swore! She needs to wash her mouth out with soap!

https://www.emptywheel.net/2018/06/06/to-pre-empt-an-ass-handing-the-government-lards-on-problematic-new-charges-against-malwaretech/

This is such an unbelievably dangerous argument; it’s a real testament to the sheer arrogance of this prosecution at this point, that they’ll stop at nothing to avoid the embarrassment of admitting how badly they fucked up.

NestJune 10, 2018 8:49 PM

Tatütata
Thanks. I liked openwrt but in my playfulness i managed to softbrick, fix then hard brick the device. My ears are still ringing from the yelling. The good news is i can use the raspberry pi gpio as a jtag and fix the router. The bad news is i have to learn how to solder. :D

gordoJune 10, 2018 10:11 PM

Lecture 25: Neoliberalism and the End of History - Part 6: Populism & Big Data, Facebook's Dark Posts

Description: Noam Chomsky highlights how how mainstream establishment institutions are being destroyed by social forces incubated in neoliberalism. He also foretells 2018's scandal with Cambridge Analytica, Facebook data and political ads.

Instructors: Noam Chomsky and Michel DeGraff

https://ocw.mit.edu/courses/linguistics-and-philosophy/24-912-black-matters-introduction-to-black-studies-spring-2017/class-videos/lecture-25-neoliberalism-and-the-end-of-history-part-6-populism-big-data-facebook-dark-posts/

---

Professor Emeritus Chomsky starts talking about data harvesting at 07:35 into the lecture which is 12 minutes long. In addition to the lecture video, an interactive transcript and a stand-alone transcript are also included.

Clive RobinsonJune 10, 2018 11:01 PM

@ echo,

The issues I raised about systemic discrimination and abuse of patients...

It is becoming more obvious by the day that in the UK and other WASP nations "abuse" of those who can least defend themselves is rife in hierarchical govenance structures of all types.

The closer to the top of a hierarchy an individual is, not only the easier it is for them to by either actively or passively involved but the easier it is for them to get compliance from those below them to "turn a blind eye" to the signs of abuse.

I can not remember just how many enquiries have been held, how many have uncovered abuse, I've simply lost count of the snowflakes in the blizard. Think how many associated senior hierarchy leaders have tritely pledged "lessons have be learned"... But they never are learned, barely anybody gets prosecuted, and the age old issues of hierarchies returns in full force in short order, followed fractionally later by the same old behaviours, but with less accountability more secrecy and weeding out of potential whistleblowers to ensure greater compliance...

The usual trick is that those inside "earnestly" look outside harder and with greater diligence supported by more paperwork. Thus they accuse those outside with more vigour to prove they are being observant, yet fail to look inwards where a veritable orgy of bad behaviours runs rife. This is not the artful behaviour of leaders puting a telescope to a blind eye, but the enforced wearing of blinkers and reigns with a whip hand keeping the beasts in the furrow.

Such is the inbred nature of hierarchies that even if we did cut of the head, and the shoulders and ripped out the guts, they would grow back more venal and considerably worse than before.

Hierarchies are without doubt the worst form of control structure ever invented by humans. But were they invented, or just came about due to abdication of responsability and patronage that breeds compliance?..

I suspect it is the latter, as nearly all hierarchies more than a generation old appear to be dominated at the top by sociopaths or even psychopaths, that have surrounded themselves by either more of the same or authoritarian followers that act drone like, without questioning thought as "guard labour" or "make workers". Selected by thugish skills for the sole purpose of insulating the sociopaths from the results of their actions.

As I've mentioned before, it appears that one fifth of the population are actually creators with a similar number of actuall workers with constructor skills supporting them. Then you have a similar number of pedestrian make workers in the middle, a similar number of guard labour and the remainder being sociopaths wastefully fighting each other up a hierarchy of their own creation.

All of which begging the question of if we have "socialised brut warfare"?. That is we still have kings and their courts and feudalism but with pens and paper cuts, not swords and beheadings.

I know our host @Bruce was starting to look into this new pre-medievalism in the technical world, but has been quite quiet on the subject of late.

echoJune 11, 2018 12:42 AM

UK doctors are trying to redefine the bar for criminal negligience. There are already laws in place doctors lobbied for which gives them the leeway police became used to until one abuse scandal too many ended this regime. To lobby for laws which are the medical equivalent of getting off throwing a patient down the stairs in a one story building I hope is a stretch too far. I trust a doctors patient deaths review panel as much as the police complaints authority which is zilch.

From his comments Prof Sir Norman Williams has no clue about "gross negligence" and is clearly trying to frame the whole issue as a rare and exceptional event which is a trick among others the medical profession have tried to pull before. Gross negligence is not necessarily rare nor is it always a single isolated incident. There is also a much greater burden on the "expert" to be competent than a none expert. Where multiple incidents of negligence which fall below "gross negligence" impacts a large number of people this negligence adjusts upwards to pass through the gross negligence threshold. Exactly where the line is between civil and criminal is a matter of discussion. In that respect the discussion almost certainly likely will involve none medical experts including but not limited to organisation theory, quality control, and perhaps security experts among others. In some cases it may be possible that the healthcare organisation itself attracts charges of corporate manslaughter. UK police utterly loath this discussion and have done everything they can to bury complaints of this nature which itself raises questions about the police who are known within legal circles to fiddle their figures and particpate in practcies such as "no criming" and passing the buck or even refuse to acknowledge a crime exists which itself has been the subject of media interest this week. And lastly, the CQC itself advises that patients no longer defer to doctors as indeed do the EU courts who recognise that complex medical decisions may not be the sole remit of the medical profession.

https://www.theguardian.com/society/2018/jun/11/nhs-patient-deaths-investigated-medical-examiners-jeremy-hunt

echoJune 11, 2018 3:42 AM

I would like to know what the views were that Sajid says he disagreed with and why only a limited number of organisations and people "in the club" were consulted. I would also like to know what the real threat map is instead of hideline figures which do't reveal whether a terrorist attack was a long term plan to destroy London in a cascade of plastic explosive detonations smuggled in via circuitous routes or an Islamic budgie looking suspicious loitering in a locked cage.

Yes I know I make light of these things which may well mean I am not the best qualified to form an opinion. I'm just a bit suspicious of a gung-ho culture I have learned to mistrust the hard way.

https://www.theguardian.com/commentisfree/2018/jun/11/counter-terrorism-orwell-strategy-parliament

We did not just seek the views of the police, the Crown Prosecution Service and MI5 when drafting the bill. We discussed our proposals with the current and former independent reviewers of terrorism legislation – whose job it is ensure that our terrorism legislation is effective, proportionate and serves the public interest.

Wesley ParishJune 11, 2018 3:58 AM

Perhaps OT? I came across this in the independent Israeli net mag +972

https://972mag.com/the-case-against-dismantling-the-iran-deal-a-view-from-israel/135674/

Trump’s decision runs counter to IAEA reports that have established, following hundreds of intrusive inspection visits (including inspections at undeclared sites), that Iran has complied with all clauses of the agreement. It runs counter to IDF Chief of General Staff Lt.-Gen. Gadi Eizenkot’s assessment, which suggests that the Iran deal contributes to Israel’s security by removing the Iranian nuclear threat for the next 10-15 years. Eizenkot’s assessment, given in a Passover interview to Haaretz, rested on that of Israel’s Military Intelligence Branch. In the Israeli decision making system, the Military Intelligence Branch, and not the Mossad, is tasked with providing the National Estimate and with analyzing the situation. This is a point worth taking into consideration in order to separate emotional background noises (“disastrous deal, terrible one-sided agreement”) from real signals.
The IT angle? @Bruce, expect more on the Stuxnet front. Except I expect it won't be quite so targetted, since Trump seems to be working hard at alienating all the US's major European allies. Expect own goals aplenty from the two major actors in this farce.

Clive RobinsonJune 11, 2018 8:10 AM

@ echo,

Yes I know I make light of these things which may well mean I am not the best qualified to form an opinion. I'm just a bit suspicious of a gung-ho culture I have learned to mistrust the hard way.

The telling lie/line is

    whose job it is ensure that our terrorism legislation is effective, proportionate and serves the public interest.

It can easily be shown that it is very far from the "public interest" in just about every way imaginable. Whilst it very much is in the "Political interest" when it comes to back handers etc etc. Simple mathmatics shows that politicians are four times more likely to go to jail than the average member of the public, even with all the nod bys and legal exceptions the politicos get from the establishment. So on a fair playing field they would be ten to fifteen times more likely to go to jail at the very least...

Thus you need to understand the motives of two groups,

1, Those who fund political parties.
2, Those who fund budget holders in various tax payer paid for civil service departments and agencies.

Knowing who they are alowes you to predict almost exactly what all those "experts" were going to say.

It's interesting to note just how many change their tune when "out of the system"...

Thus anything said by in post experts I would regard at the very least of over egging the pudding to the point of scrambled eggs, whilst more seriously self enrichment lies dressed up by various "aids" to cover up the real purpose of diverting billions of tax payer hard earned money into just one or two usless and undeserving pockets.

I will refrain from using "Marcie Wheeler soap speak" as I would get somewhat intempreate enough to earn more red cards than the @Moderator has to hand ;-)

Clive RobinsonJune 11, 2018 8:54 AM

@ Wesley Parish,

Except I expect it won't be quite so targetted, since Trump seems to be working hard at alienating all the US's major European allies.

Except it's a little more "qualified" than that. It is increasingly appearing it is those closest to Obama that are getting the cold shoulder first. As others observed before me The Dough gnarled is actively undoing anything Obama did as a matter of policy (why I did not spot it sooner I will put down to bad health since Oct last year distracting me).

However I've recently been looking at other analysises that like the IDF one point out that "rational actor" behaviour is preferable to "US Syate Dept" behaviour.

Several indicate that Trump has little interest in actual war, unlike more traditional leaders. And would rather negotiate peacfully after shaking the big stick than actually using it. Whilst this might be popular with the average US voter, it's not what the main political classes and their backers want. Put simply peace reduces potential profit, not just in the arms industry but financial and other industries.

Thus it is quite contary to what the War Hawks and their backers want...

However on the security side you have to remember times have changed the War Hawks are nolonger "technology drivers" just "awkward consumers" thus most newer Silicon Valley ventures want little or nothing to do with them as they cause all sorts of issues as Google recently found. Engineers and even code cutters do not see eaons long projects with poor pay and significaint "constraint-n-taint" as being in their interest and do not want to be stigmatized. The old "Salut the flag and die for your country" mentality is not realy present in those under the age of fourty who have got a reasonable education. It's not just the millenials revising the old "Ask not what your country can do for you..." nonsense and even the Protestant work ethic, they are quite rapidly becomeng more "me" focused, and Political Clap Trap does not cut any ice with them any longer.

Even the traditional armed forces pull in of employment and training where none is available in large tracts of the US is getting feet through the door. I suspect that should there be another 9/11 event that the patriotic foot fall to the recruiters office will be a trickle on the "Fool me once..." principle.

The real question to those under thirty will be can Trump deliver on jobs... If he can in the next year and a half then his chance of a second term will be all the greater, especially if he can avoid starting or getting involved with military conflicts.

Thus the question of Trade raises it's head the prevailing view is in the long term war is bad for business even in the US in the long term. More US citizens are realising these days that American Exceptionalism is gone, technology has bridged that gap and the US has burnt it's resources needlessly trying to maintain it in the past. Worse they realise is Big Tech is actually not providing them with any sensible defence. It's all about "attack attack attack" which they further realise is pointless as no defence means no protection from either first strike or retaliation. Yet worse some are realising that "no defence" is a very clear and planed behaviour because their own Government increasingly sees them as the enemy, with corporates regarding them as cattle for the milking...

The smart ones have realised that most politicos are "owned" by the MIC directly or indirectly and as some non US reports indicate, if Trump had not in effect blackmailed his way into office the original political nominees would almost certainly been deploying US young as cannon fodder by now to be a "Great Political Leader" in some other idiots image...

It will be interesting to watch what unfolds from a distance, but I'm not sure what a safe distance would be these days, Pluto maybe...

ThothJune 11, 2018 9:39 AM

@Clive Robinson, all

There is no such thing as public domain works being immune to patent trolls who take publicly available works that are not created by them and shamelessly claiming as their work and then creating patents from the public domain works and making people pay them royalties despite not being the original creators of the work. In some cases, they would shamelessly deny the original creators' claim of work and instead claim it as their own.

Patents done by the rightful owners and creators are the evil necessity to ensure survival of their ideas in this world where here are those whom are seeking to exploit others work for free in shameless manners and then denying credit when due.

Link: https://arstechnica.com/tech-policy/2018/06/inventor-says-google-is-patenting-work-he-put-in-the-public-domain/

Clive RobinsonJune 12, 2018 1:01 AM

@ Thoth,

There is no such thing as public domain works being immune to patent trolls who take publicly available works that are not created by them and shamelessly claiming as their work...

It's another form of "passing off" like plagiarism and fake designer hand bags. Though patent lawyers would argue otherwise (but then they make their money by hair splitting etc).

As an example that is often given,

1, Mr A invents the link chain.
2, Ms B invents a wheel with profiled edge to make driving the link chain of A more efficient.
3, Mr C takes the idea of B and comes up with the idea of a plate chain and sprocket.
4, Ms D takes the idea of C and applies it to the use of a bycicle.

Now A and B show as primary works that in all reality they will never earn money as they will expire befor industry is ready to use them. Although C's work is derived from A and B it has originality in bringing the two together as a new simpler more efficiently application of the idea. This derived work may well earn money.

So we come to D's idea, they could argue they came up with the idea from A and Bs work only thus side stepping Cs still valid patent. But that is most certainly not how C would see it.

Thus D would have to show not just originality but how C's still valid patent does not apply. The ability to do this depends on "argument" and "claims". If C has a claim about peddle power or driving wheeled vheicles etc then you would think D was going to be out of luck. Not so, it could be argued that C's claims were overly broad or more specifically lacked specificity.

You can see from this just how complex things can quickly get, and just how easy it would be for legal types to make money out of it... Supposedly it was Queen Elizabeth the First of England who came up with the seal of approval on the first patent system, but rejected the first application for a machine that knitted stocking on finding out it only worked with wool not silk... Apocryphal as the story might be it does show the idea of overly broad claims.

What further does not help is that in Europe mathmatics and other fundemental scientific tools/methods were not patentable where as in the US some were. Take RSA and other Crypto algorithms, they were not patentable in Europe but were in the US. This gave rise to all sorts of issues which the history of the RSA usage shows up.

But the US system has one wrinkle that has been used to rob people of their inventions have a look at what are called "submarine patents" especially the bit about alowing the claims to be modified, and have a think on just how you could use them to your advantage if you were so minded,

https://en.m.wikipedia.org/wiki/Submarine_patent

The whole patent, copyright and marks of trade IP system is a mess world wide and needs to be rationalised some how. But unsurprisingly, apparently nobody has yet invented a way that would cover all complaints without making eyes through needles that some will drive camels through with just a well payed word or two.

PeaceHeadJune 12, 2018 9:06 PM

Somewhere from this site and clicking around I read about adversarial 3D printing to fool AI pattern recognizers. Considering that lady that got killed by a self-driving automobile because it thought she was a paper bag in the wind, this is yet another reason why WE DO NOT NEED SELF-DRIVING CARS!:

Yeah, a repost:

https://arxiv.org/abs/1707.07397
https://www.labsix.org/physical-objects-that-fool-neural-nets/

Essentially, this will likely ALWAYS be the case.
False positives, galore... kinda like the voice-controlled spoofing also.

Let us not forget the whole concept of "spoofing" (false attribution).
It's not just the realm of how difficult (nearly impossible) it is to know who a hacker is (nested spoofing bolstered by other techniques).

By the way,... Unless the internet truly is STILL a DARPA project, run by the Dept of Defense, then deliberately evasive hackers cannot be easily detected if they are good enough. And just being good doesn't mean somebody works for a government! We know that kids can hack, adults can hack, corporations can hack, disgruntled employees can hack, hobbyists can hack, INTEL organizations can hack, and algorithms can hack. If they can hack, with tools and techniques they can spoof their origins and identities.

Attribution/citation is NOT EASY. That's the modern reality, and with bugs and vulnerabilities increasing as well as being bought and sold, attribution will get even harder UNLESS the internet is still truly a DARPA project, in which case they own the whole thing and can see into the whole thing at every angle.

So which is it? They can't have it both ways. Is it a DARPA enterprise? In which case IoT and everything else is subservient, that is... or is it not, in which case nested spoofed ID's and compound techniques make IDing a source nearly and sometimes actually impossible. ??? Think about it.

Now even the robotics can be fooled.

Wesley ParishJune 13, 2018 1:05 AM

@Bruce

Squid On Topic, IT Security OT.

Some memories I have of my earlier school years are finding cuttlebones and nautilus shells on the beach at Wewak, sometimes at Cape Wom, but mostly on the beach between the central business district and the Windjammer Hotel. I don't think I ever found any at the beach next to Moem Barracks. But the Moem Barracks beach was very pebbly, iirc.

I assume the reason why cuttlebones could not be found at a pebbly beach was because a pebbly beach is not the friendliest to crabs, shrimp, and other cuttlefish prey?

I can't remember finding either cuttlebones or nautilus shells in temperate waters. I presume this is not a sampling bias?

Roger WolffJune 13, 2018 2:57 AM

One of the things not covered in the media...

You know those spam emails: Dear bank-customer, please apply for your new bank card by filling in your details /here/.

And then you get a link to certainly-not-your-bank?

Well yesterday, I got such an Email, and it linked to MY bank (ING.nl) using some DLL on their site that apparently could be tricked to redirect to arbitrary URLs.... The DLL, it seems had been disabled by the time I got around to checking it out.

Sancho_PJune 13, 2018 5:03 AM

Re Football World Cup in Russia:
U.S. counterspy warns World Cup travelers' devices could be hacked!

The FBI+ have warned that Americans traveling to Russia for football’s World Cup „... should not take electronic devices because they are likely to be hacked by criminals or the Russian government.“
(reuters.com)

Is this a joke?
Besides the Russian government, all others are criminals?
FBI, CIA, NSA, GCHQ, DGSE, CNI, ASIO, BND, Mossad, .... ?

But don‘t forget: Use burner devices (= good for business)!
They will be hacked, too, because the criminals are working hard to keep us insecure,
and by accessing your accounts they‘ll identify you anyway.

JG4June 13, 2018 8:18 AM


Yet another genocide with US complicity, if not sponsorship. The War Nerd is a gifted writer and observer.

The War Nerd: Anglo-American Media’s Complicity in Yemen’s Genocide
https://www.nakedcapitalism.com/2018/06/war-nerd-anglo-american-medias-complicity-yemens-genocide.html
...
“Prince Bandar bin Sultan, once the powerful Saudi ambassador in Washington and head of Saudi intelligence…had a revealing and ominous conversation with the head of the British Secret Intelligence Service, MI6, Sir Richard Dearlove. Prince Bandar told him: ‘The time is not far off in the Middle East, Richard, when it will be literally “God help the Shia”. More than a billion Sunnis have simply had enough of them.’”
...

a bit dark - file under guard labor run amok

Seymour Hersh's New Memoir Is a Fascinating, Flabergasting Masterpiece
https://theintercept.com/2018/06/02/seymour-hersh-memoir-reporter/
...
Two cops called in to report that a robbery suspect had been shot trying to avoid arrest. The cops who had done the shooting were driving in to make a report. … I raced down to the basement parking lot in the hope of getting some firsthand quotes before calling in the story. The driver – white, beefy, and very Irish, like far too many Chicago cops then – obviously did not see me as he parked the car. As he climbed out, a fellow cop, who clearly had heard the same radio report I had, shouted something like, “So the guy tried to run on you?” The driver said, “Naw, I told the nigger to beat it and then I plugged him.”
...
Hersh has derived three simple lessons from that rule:
1. The powerful prey mercilessly upon the powerless, up to and including mass murder.
2. The powerful lie constantly about their predations.
3. The natural instinct of the media is to let the powerful get away with it.
...

https://www.nakedcapitalism.com/2018/06/links-6-13-18.html
...

New Cold War

John F. Kennedy and the Question of World Peace Sic Semper Tyrannis (JTM)

Big Brother is Watching You Watch

Router Vulnerability and the VPNFilter Botnet Bruce Schneier
...

vas pupJune 13, 2018 8:32 AM

AI senses people's pose through walls:
https://www.sciencedaily.com/releases/2018/06/180612090723.htm
Their latest project, "RF-Pose," uses artificial intelligence (AI) to teach wireless devices to sense people's postures and movement, even from the other side of a wall.
The researchers use a neural network to analyze radio signals that bounce off people's bodies, and can then create a dynamic stick figure that walks, stops, sits and moves its limbs as the person performs those actions.
Besides health-care, the team says that RF-Pose could also be used for new classes of video games where players move around the house, or even in search-and-rescue missions to help locate survivors.
Post-training, RF-Pose was able to estimate a person's posture and movements without cameras, using only the wireless reflections that bounce off people's bodies
Besides sensing movement, the authors also showed that they could use wireless signals to accurately identify somebody 83 percent of the time out of a line-up of 100 individuals. This ability could be particularly useful for the application of search-and-rescue operations, when it may be helpful to know the identity of specific people.

PeaceHeadJune 13, 2018 6:51 PM

Wow, very interesting comments/commentary this week! Thanks Sancho_P and others. Good links too.
It seems like there's all this stuff that the average persons claim doesn't exist--that it's just speculation. And yet in real life, there seem to be all these actual things happening behind the scenes that can be somewhat verified via articles, books, people, websites, places, gov/mil/int programs. It reminds me of that idea about security via obscurity... but that it relies not upon obscurity, but upon people being pigheadedly ignorant about other people's hobbies, jobs, research, education or connections.

For some of us, when we try to talk to people not aware of the types of topics discussed and published here, they look at us like we are telling them something unbelievable. And yet, the data/info is right there, waiting to be studied by those who choose to look (if they have others kind enough to share/access).

I don't know what the terms are for this phenomenon, but it's seriously important.
I remember when I had to teach my mom and dad what a computer virus or malware or hacking was.
They'd ask me what the terms meant, but they didn't really want to know, and if I tried to explain to them as much as I know, they'd just change the subject midsentence or walk away. Meanwhile, I was trying to do free tech support for them with some minor security updates and changing default (vulnerable) settings, etc.

In other words, I wonder just how pervasive this phenomenon is--people who don't really want to know about digital (or other) security and assume that it doesn't exist until it actually affects them personally.

I feel for in the field security personnel who must tangle with this psychosocial deal a lot.
What are your thoughts on this?

Clive RobinsonJune 14, 2018 12:40 PM

@ All,

Rowhammer goes remote with Nethammer,

https://arxiv.org/pdf/1805.04956.pdf

Another local hardware attack that has been expanded to be remotely exploitable. The same fate pretty much awaits all hardware faults given a little wait.

This is especially true for hardware faults below the CPU level in the computing stack. As such below CPU attacks break any and all security mechanisms so far made available...

Clive RobinsonJune 14, 2018 3:08 PM

@ All,

Guatemala as a new Pompeii?

This is a bit horrific so if you are of delicate sensitivities don't view the pictures etc.

Apparantly the Guatemala "Volcano of Fire" (one of over thirty volcanoes) erupted again on the 3rd of June. However it has taken untill now for photographs and other footage to be released.

Some of which show bodies covered in ash like statues the number of dead and missing is still unknown.

https://www.news.com.au/world/north-america/photos-capture-traces-of-life-trapped-beneath-guatemala-volcanos-ash/news-story/

maryJune 15, 2018 2:53 PM

Local user Tails IP leak

https://labs.riseup.net/code/issues/15635

A compromised local user can leak your IP by using a script to star unsafe-browser hidden in the background and use X11 trickery to leak your real IP without privilege escalation. Most applications exploited on Tails would be capable of this.

deleting /etc/sudoers.d/zzz_unsafe-browser after booting will fix this issue until Tails fixes it themselves

Bug #15635

Feature #7072: Research potential for deanonymization by a compromised "amnesia" user

The Unsafe Browser allows to retrieve the public IP address by a compromised amnesia user with no user interaction

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.