Friday Squid Blogging: Capturing the Giant Squid on Video

In this 2013 TED talk, oceanographer Edith Widder explains how her team captured the giant squid on video.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on June 22, 2018 at 4:07 PM • 95 Comments

Comments

Winston SmithJune 22, 2018 6:47 PM

Finally, some good news regarding privacy in the USA.

"The Supreme Court handed down a landmark opinion today in Carpenter v. United States, ruling 5-4 that the Fourth Amendment protects cell phone location information."

https://www.eff.org/deeplinks/2018/06/victory-supreme-court-says-fourth-amendment-applies-cell-phone-tracking

There are still plenty of privacy/security problems to resolve in order to protect individual liberties, but this is a good step in the right direction. Disconcerting, though, is that of the 9 judges, 4 were dissenting.

Winston SmithJune 22, 2018 9:32 PM

@Required

http://www.scotusblog.com/case-files/cases/carpenter-v-united-states-2/

Kennedy, Thomas, Alito, and Gorsuch all dissented.

Politically, all are considered conservatives with the exception of Kennedy who generally follows the middle of the road.

Such a shame, though, that right vs wrong is obfuscated by conservative vs. liberal, left vs. right, the politics of identity and/or "political correctness", and other sensationalist, consuming arguments.

Mankind can construct an aircraft carrier, set a man on the moon, and engineer a machine to learn but he simply cannot manage his own life-- he is missing a moral compass and possesses a carnal heart.

65535June 22, 2018 11:12 PM

@ Winston Smith

“Finally, some good news regarding privacy in the USA.”

I agree.

But, the news is not extremely good. I believe the SCOTUS decision is only about “historical” cell phone data location and not real time cell phone data tracking which leaves a large hole.

“…the majority at least left open the prospect that police might not need a warrant to get information about where someone was on the day that a crime was committed…Roberts emphasized that today’s ruling “is a narrow one” that applies only to historical cell-site location records. He took pains to point out that the ruling did not “express a view on” other privacy issues, such as obtaining cell-site location records in real time, or getting information about all of the phones that connected to a particular tower at a particular time.” -Scotusblog

http://www.scotusblog.com/2018/06/opinion-analysis-court-holds-that-police-will-generally-need-a-warrant-for-cellphone-location-information/

What is to stop the FBI from renting space at the Utah compound and just recording all US based cell phone conversations from now forward and putting them in google maps for tracking purposes. This mapping and tracking sounds like a stretch but I would not bet against some large company or front company for the government to do such a task. It could happen.

I think the whole “third party doctrine” need to be re-examined and changed since, as the Judge notes:

"Roberts suggested, because people carry their phones virtually everywhere with them, cell-site location records provide the government with “near perfect surveillance, as if it had attached an ankle monitor to the phone’s user” – not only going forward but also going back up to five years…Roberts emphasized, a “garden-variety request for information from a third party” because of the “seismic shifts in digital technology that made possible the tracking of not only Carpenter’s location but also everyone else’s, not for a short period but for years and years.” When the Supreme Court decided the cases establishing the doctrine, he explained, it was dealing with relatively “limited types of personal information”; no one could have envisioned that cellphones would be so ubiquitous and provide so much information about their users for so long. And, he added, because cellphones are such a pervasive part of life “that carrying one is indispensable to participation in modern society,” it can’t really be said that a cellphone user is voluntarily sharing information about his location with his carrier – another rationale for the third-party doctrine. Because of the “unique nature” of cell-site location information, Roberts concluded, the third-party doctrine does not apply, and the acquisition of the cell-site location records was a search within the meaning of the Fourth Amendment…”-scotusblog

http://www.scotusblog.com/2018/06/opinion-analysis-court-holds-that-police-will-generally-need-a-warrant-for-cellphone-location-information/

Hopefully there will be more fourth amendment and privacy litigation to follow because this decision is the start of long needed privacy debate in the USA.

gordoJune 22, 2018 11:42 PM

Last year, Jennifer Lynch, a senior staff attorney for the Electronic Frontier Foundation, wrote:

[T]he main challenge for the Supreme Court in Carpenter will be to figure out how to reset the parameters of the third-party doctrine for the digital age – or do away with it altogether.

http://www.scotusblog.com/2017/08/symposium-will-fourth-amendment-protect-21st-century-data-court-confronts-third-party-doctrine/

The Court's opinion in Carpenter recognizes "the exhaustive chronicle of location information casually collected by wireless carriers today" and goes on to limit the unmitigated acquisiton of such human tracking data by law enforcement. Also from the Court's opinion:

Critically, because location information is continually logged for all of the 400 million devices in the United States—not just those belonging to persons who might happen to come under investigation—this newfound tracking capacity runs against everyone ... Whoever the suspect turns out to be, he has effectively been tailed every moment of every day for five years ... Only the few without cell phones could escape this tireless and absolute surveillance.

https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf

Though third-party doctrine antecedents remain intact, now, in order to access CSLI business records, held in what @Clive Robinson might call "surveillance time machines", "the Government must generally obtain a warrant supported by probable cause before acquiring such records."

If that last quote is all that the Carpenter opinion says, then it might be enough to say that a sense of dignity, in this instance, has been returned. One hopes, as always, that there are more decisions like this yet to come.

65535June 23, 2018 1:55 AM

@ gordo

I would like to agree with Jennifer Lynch's line, “...reset the parameters of the third-party doctrine for the digital age – or do away with it altogether…” should lean toward doing away with the third party doctrine altogether.

This so call "third party doctrine" has been grotesquely stretched in the digital world to make it fit any situation the FBI to local police desire. It could be dangerous to civil rights lawyers and report's physical well being.

“…in order to access CSLI business records, held in what @Clive Robinson might call "surveillance time machines", "the Government must generally obtain a warrant supported by probable cause before acquiring such records."

[and]

“If that last quote is all that the Carpenter opinion says, then it might be enough to say that a sense of dignity, in this instance, has been returned. One hopes, as always, that there are more decisions like this yet to come.”

I agree.

The line, ”...generally obtain a warrant supported by probable cause before acquiring such records” is not well define at best.

I am still having a hard time understanding how “historic” records and “real-time” cell phone locations records will be defined and handled in both criminal and civil cases with this new SCOTUS decision.

I can see where historic records are just laundered by a third party and given to the police by private investigators and so on. Realtime cell phone records could just be collected and sold by re-named sleazy companies like Securus or Locationfart.

The SCOTUS decision seems fairly narrow and only deals with criminal cases but probably drips into civil cases. Let’s hope the out-dated “third party” doctrine will be curtailed in the near future. Mass survailance is a bad thing done by any government or corporation.

Clive RobinsonJune 23, 2018 2:12 AM

@ Winston Smith,

Finally, some good news regarding privacy in the USA.

For whom? I suspect there will be "exceptions for the non exceptional"...

That will be put in place due in part to previous tricks such as making the border zone a hundred miles wide. Thus all records will still be taken but not "collected" and sorted such that non-US persons and those communicating with them will still be treated as though they are outside the USA so in effect "open season" on tourists and more importantly business travelers etc.

@ 65535,

I believe the SCOTUS decision is only about “historical” cell phone data location and not real time cell phone data tracking which leaves a large hole.

Yes one of many that no doubt the authorities will drive an army of computers through.

However what concerns me is the "asymetric" aspect. Courts have steadily taken a less encompassing view on "Disclosure to the Defence" and also the Gov entities taking the "No Standing" defence if challenged. Whilst warrants etc become more encompassing with time.

I can easily see a defendent not given access to such records even though the prosecuters have access. So that whilst a defendant in what would ammount to a conspiracy case might be given access to their cell records, the records of other alleged co-conspiritors will be denied them. Thus if a supposed co-conspiritor in a plea deal says he met the defendent at a cafe etc the defendents cell record will show that their mobile was in the vacinity. But because of the co-conspiritor claiming to be there in both written and verbal testimony it is unlikely that the defendebts council will be given access to the co-conspiritors cell records to verify / challenge the co-conspiritors statement.

As we know judges are quite happy to turn a blind eye to questionable if not illegal activity by prosecutors when it comes to plea deals...

@ gordo,

"the Government must generally obtain a warrant supported by probable cause before acquiring such records."

Which leaves wide open the "parallel construction" hole via "probable cause".

What some judges and magistrates will accept as "probable cause" appears to be of falling quality year by year, and no challenge is generally possible by the subject of the warrant.

I can easily see the "immediate records" being faked up from "stored records" much as fake eye witness accounts etc can. Thus as the fake immediate records will be acceptable as "probable cause" by a judge the LEO's get full access to a persons mobile phone records.

Such "immediate records" would be from the likes of "secret equipment" such as a communications test set / stingray passively recording all cell registration and communication data in the area. Thus a simple Python script would take a short run of stored records and make them appear identical to the simple output of such test/intercept equipment would have received if realy in use.

The point is that such equipment records can not be verified, the equipment does not provide any kind of security seal verifiable independently, nor if you think about it can it be... Thus there is no chain of custody that can be independently verified...

Sancho_PJune 23, 2018 4:26 AM

@Winston Smith, re Carpenter vs United States

Good news, thank you!
This is the first time that law twisting non-techies got a corrective lesson regarding „voluntarily“ shared data (e.g. Orin Kerr, selling the TPD to his baffled students).
Also his shocking attempt to level human perception + memory and digitally stored data (http://www.scotusblog.com/2017/08/symposium-carpenter-eyewitness-rule/) is rebuked by this ruling.

Yes, 5 to 4 is sad, but I‘m not sure if it‘s left vs. right or simply not understanding technology.
Should be a beginning, anyway.

albertJune 23, 2018 9:28 AM

"...Military planners should not anticipate that the United States will ever dominate cyberspace, the Joint Chiefs of Staff said in a new doctrinal publication. The kind of supremacy that might be achievable in other domains is not a realistic option in cyber operations...."

See: https://fas.org/blogs/secrecy/2018/06/jcs-cyberops/

No, I don't have time to peruse 104 pages of MIL-Speak either. Download it and save it for reference later.

The US-MIL usually speaks in more positive terms (and are surprisingly objective in most matters).

I believe they 'see the handwriting on the wall'.

. .. . .. --- ....

AnonJune 23, 2018 10:47 AM

As far as dissents go, Gorsuch’s opinion was barely a dissent. He strongly implied he might have ruled in favor of Carpenter, if Carpenter had made a different legal argument in court, property based V.S. Katz based.

Winston SmithJune 23, 2018 11:10 AM

@Clive,@65535, et. al.,

"That will be put in place due in part to previous tricks such as making the border zone a hundred miles wide. Thus all records will still be taken but not "collected" and sorted such that non-US persons and those communicating with them will still be treated as though they are outside the USA so in effect "open season" on tourists and more importantly business travelers etc."

The Supreme Court's task was to define a ruling based on Constitutional law, and to a large extent its tenets are necessarily couched in idealism when considering its application to a wide audience. This ruling stopped short of truly preserving privacy freedoms and upholding the 4th amendment in the spirit in which it was written in 1787.

So specifically, historical location data is off limits without a warrant, but not real-time data. And your observation about the 100 mile Constitution free zone is accurate and damning: https://www.aclu.org/other/constitution-100-mile-border-zone

This brings to light another problem aside from efforts to lobby for legislation which protects individual freedoms in alignment with the Constitution: that of the perversion of power, mission creep, and devilish agendas within the Deep State. A Supreme court ruling such as this cannot hold such in abeyance. There is too much "wiggle-room" at ground zero. Still the news of this case is indeed good news, a step in the right direction. However, in my opinion the only way to preserve Constitutional freedoms is for America to purge the ranks of the Deep State. They will not change, therefore they need to be removed altogether. Good luck to that.

Written 10 years ago and still timely, "The Constitution in the National Surveillance State":

http://digitalcommons.law.yale.edu/fss_papers/225/

MajorJune 23, 2018 11:43 AM

I am getting increasing annoyed by Google Chrome's incessant efforts to get me to log in to google to manage my security, when of course not logging into google is a key security decision. They especially do it on private windows. "Let us log all the information that you are explicitly avoiding sharing."

It's evil and fraudulent. I like some of what google does or did (the Go language for example) but the more they make these deceptive moves designed to ensnare the naive people who trust them the more I am ready to sign on to regulations that whack them and their data thieving/scamming kind with a big stick.

RGJune 23, 2018 11:59 AM

Purchasing Your Current Coordinates to Build Location Datasets

Analyst Rich Mogull of Arizona-based Securosis LLC said telecom providers track and sell location data as a matter of course, with a wide range of businesses including Google extensively attempting to compile location datasets on consumers.
"We are all tracked, all the time, primarily for marketing purposes, by such a large number of companies I'm not sure I would even know where to start the math," said Mogull.
Location data from Verizon, AT&T and other carriers makes it possible to identify the whereabouts of nearly any phone in the U.S. within seconds. Popular commercial uses for the information include keeping tabs on packages, vehicles and employees; bank fraud prevention; and targeted marketing offers.

The carriers left most of Senoror Wyden's questions unanswered — such as how many of their customers had been affected by location sharing they never agreed to.

The boom line here your location may be used to validate a financial transaction but then repurposed to your Location Dataset.
Along with HIPAA protected medical information, your highly sensitive Location Datasets must be among the most prized and valuable. People could easily be ruined using pre-trial discovery subpoenas.
Does GDPR regulations prevent this abuse in Europe?
https://www.cnbc.com/2018/06/19/verizon-pledges-to-stop-some-selling-of-phone-location-data.html

PeaceHeadJune 23, 2018 1:25 PM

Regarding these posts and discussions today:

In the year 2018, the FBI is not really the problem. This isn't cointelpro days.
They are typically part of the solutions. While I believe protecting dissidents is EXTREMELY important, protecting criminals and terrorists and corporate kleptocracy with cryptostego is really a bad idea and decreases security of the masses in terms of actual safety of livelihood and personal data.

Law enforcement matters and is important.
Sure there are plenty of bad cops, but surely NOT all.
There are many many fine officers of a wide variety of types.

They are part of the noble rescuers and should not be forgotten.
Increasing cryptostego widely and indiscriminately in a macro way is dangerous to life, liberty, and the pursuit of happiness because it enables the most dangerous types of people to become way too evasive.

I hope this sentiment is understood for it's objectivist slant.

Of course, it depends upon which country you are in and which country you are talking about, and which area, and when, and who was involved. Corruption and tyranny should not be given the upper hand. It worries me when lives are at risk. This issue should not be taken lightly. Cryptostego for freedom-seekers and peaceful progressive types is really important and ought to be protected. Those who are trying to dodge being physically harmed and captured by criminal stratocracies need to be protected without fussy disputes when it's lives on the line.

The FBI are the type of people who understand the subtleties. Apple, Google, Microsoft, Cell-phone companies, rich corporations, they don't necessarily give a damn. Those who are motivated primarily by profits have little in common with those motivated by primarily by ethics and survival needs.

Whatever happens, I hope that our motivations here are decent as much as possible and not merely cosmetic.

To any dissidents who might be reading this: Peace be with you, I hope you have success with alternative means (steganography, blindspot techniques, chafing & winnowing, other so-called "dead drop box" techniques. )

Trustworthiness has to mean something.

trsm.mckayJune 23, 2018 1:35 PM

Speaking of privacy, I have been meaning to post this for a while:

Omron Blood Pressure applications have no opt-out when it comes to uploading personal medical data to the web. They technically notify you of this collection, but it is hidden in the middle of a long privacy policy. They also collect GPS coordinates, a verified email address, and any other information that has been supplied. They require filling out fields like age, weight, etc. before the application will function (at least these can be faked), but also the app will not function unless GPS access is granted.

The privacy policy claims that they will keep your data private once collected (though it has the usual weasel-words because we all know how difficult it is to secure internet connected webservers). They also provide a few opt-out options after they have collected your data (but these don't include not collecting the data in the first place, or provide any method of deleting the data once collected).

In conclusion - consider the lack of clear notice about PII collection, the lack of a method to opt out, the requirement to collect non-essential PII like body attributes and GPS coordinates, and the lack of a method to delete PII. Does this sounds like a company that should be trusted with medical PII?

PS: The app and privacy policy originated before GPDR took effect, as of this writing has not since been updated. It would be pretty easy to conclude that they are not GPDR compliant.

(required)June 23, 2018 2:15 PM

@Winston

"Such a shame, though, that right vs wrong is obfuscated by conservative vs. liberal, left vs. right, the politics of identity and/or "political correctness", and other sensationalist, consuming arguments."

I can't agree with you more.

We're intentionally and forcefully distracted from the morality of these decisions.
Right / wrong are deliberately conflated by powerful gluttons for selfish purposes.
Whataboutism is a tactical version. Tribalism appeals to hungry troglodyte instincts.

It's a sobering realization that our societal backbone is weak enough for it to succeed.
But it's a personal realization for me (and game theory I really haven't read enough of)
that really the only way for our own needs to be met long term is for all of us
to work towards meeting those of our neighbors instead of only worrying about ourselves.

The idea of the Republic is to give up power for the good of all in a regulated balance.
Some push back with all their might against this idea for various reasons. Ayn Rand, etc.
Ultimately selfishness = will to power and leads unchecked directly to fascism, a concentration.

I think we've seen enough of what purely selfish ideologies are capable of, don't you?

bttbJune 23, 2018 2:54 PM

“Facebook Built A New Team To Spot Problems Before They Arise
Silicon Valley’s giants are looking for future crises before they happen.”

From https://www.buzzfeed.com/alexkantrowitz/facebook-hired-a-team-of-ex-intel-officers-researchers-and :

“In an attempt to spot vulnerabilities in its system before bad actors exploit them, Facebook has hired a team of ex-intelligence officers, researchers, and media buyers, and set them loose on its products.
Facebook calls this group the "Investigative Operations Team" and has directed its members to find the worst possible things that can be done using Facebook, and to help the company prevent them.”

bttbJune 23, 2018 3:28 PM

Reality Leigh Winner, 26, was the first person prosecuted in President Donald Trump's war on leakers.
Reality Winner to take a plea deal in NSA leak case”
https://www.ajc.com/news/national-govt--politics/reality-winner-take-plea-deal-nsa-leak-case/RZTSuqgFtagE9FEZ7VyN2I/
and
“VOTERS ACROSS THE country were shocked to learn last year, through the disclosure of a top-secret NSA document, details of an intricate plot by Russian military hackers to infiltrate American electoral systems. New emails obtained by The Intercept through public records requests illustrate the disturbing extent to which potential targets of the attack were caught unaware, having apparently remained in the dark alongside the voting public.”
https://theintercept.com/2018/06/20/state-election-russia-hacking-voting-system/

Tim DellingerJune 23, 2018 8:58 PM

"Orlando International Airport to Scan Faces of US Citizens"

"Florida's busiest airport is becoming the first one in the nation to require all passengers on arriving and departing international flights, including U.S. citizens, to submit to a face scan"

https://www.usnews.com/news/best-states/florida/articles/2018-06-20/face-scans-for-international-travelers-at-florida-airport

Oh, boy. I wonder if they have a document called "potential unintended consequences and other risks"?

65535June 23, 2018 10:18 PM

@ Winston Smith

When stepping back and delving into Carpenter v. United States ruling it is a win for privacy advocates.

I am particularly encourage that some of our top judges are now see effects of invasive digital devices and their omnipresent negative consequences.

Most lawyers and judges don’t know the difference between a megabyte or terabyte or the magnitude of difference. They are still stuck in megabyte era when that has long past and we are in terabyte to petabyte world. We are in a world where it is possible to map out the movement of most if not all people with smart phones down to the actual street they travel.

It is somewhat of a comfort that Judge Roberts realized that, as in writer Amy Howe’s words:

‘Roberts suggested, because people carry their phones virtually everywhere with them, cell-site location records provide the government with “near perfect surveillance, as if it had attached an ankle monitor to the phone’s user”’-scotusblog

http://www.scotusblog.com/2018/06/opinion-analysis-court-holds-that-police-will-generally-need-a-warrant-for-cellphone-location-information/

Most judges get wrapped around the axel of the 40 year old “third-party doctrine” so much so they can't see the forest for the trees.

They don’t realize how far technology has come and how invasively it can be used by bad actors. Most federal judges have clerks, staffers and secretaries and the judge never talks on the cell phone but to their inner circle. They are in a bubble. That seems to have changed in Judge Roberts thinking. This is a step forward in and of itself.

When the SCOTUS makes a decision it is taken very seriously through the legal community. But, the narrow nature of this case and the dissenters mean the decision is not written on tablets. We will have to see how similar cases resolve in the near future.

I have not plowed through the 119 page opinion but I will soon.

Carpenter v. United States:

https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf

@ Clive Robinson

Re: Historical data off limits v. real-time data is fair game.

“Yes one of many that no doubt the authorities will drive an army of computers through.”

Yes, I agree with you. Your other statements seem logical also. It is going to be a roller-coaster legal battle. We will just have to see what happens.

MrCJune 24, 2018 12:16 AM

@ Winston
@ (required)

Please take Anon's comment to heart. Gorsuch's dissent is only a "dissent" insofar as Carpenter failed to raise what Gorsuch thinks was the winning argument. The difference is down to lack of foresight on the part of Carpenter's lawyers (who should have been ready for "Let's throw out Katz; do you still win?" even under the assumption that Scalia would still be around).

Gorsuch sets out a rule that's more coherent, more likely to be applied consistently, and ultimately more protective of privacy than the majority decision.

This leaves me with a lot of mixed feelings. On the one hand, I hate that Gorsuch's seat was stolen for him, I hate the cretin who appointed him, and I fiercely disagree with most of his positions. On the other hand, Gorsuch got this case exactly right, and he seems to be the only one with the guts to admit Katz is just wrong and jettison it. (According to Harlan's clerk, "a reasonable expectation of privacy" was Harlan groping for a way to end a sentence, and he never intended those four words to rewrite the Fourth Amendment.)

Clive RobinsonJune 24, 2018 3:45 AM

@ Bauke Jan Douma,

I'm not at all familiar with the life and times of John McAfee.

Boy have you missed out ;-)

But I also doubt that John McAfee is all that familiar with his "official" life, as he has been known to party very hard and be way way out of it one way or another when in Belize[1], where a neighbour died in odd circumstances and according to John the local "corrupt officials" decided it was him because they were told to...

It's not clear exactly which gangs and criminal enterprises he has rubbed up the wrong way at one time or another but he most certainly has done somewhere.

He's also rubbed the US SEC very much up the wrong way and unsuprisingly called them out for corruption.

It would appear that after being one of the founding fathers of AV Software he wanted a more challenging life. It is known that he has a considerable interest in Crypto Currencies and there were roumours at on time he might have been the mind behind Bitcoin.

I suspect it will not be long before he gets seriously into "Hard Crypto Systems" not just because he is aware of just how insecure the current crop of supposed ICTSec secure products are through his current involvment with the claimed "Unhackable Bitcoin Wallet"... But it will be a suitable challenge as well as rubbing many that he sees as corrupt to the core up the wrong way.

But then there was the 2016 Presidential thing[2]... There most people are thinking it was only the "Doh gnarled" with the shetland pony hair that was a "rank" outsider going for gold...

But he could just have been sniffing "The Bath Salts"...

If you do even a minimal search on "John McAfee" you will discover enough to keep you bemused for hours, because he realy is larger than life entertainment on two feet (for now).

[1] Apparently this time in his life will be turned into a film called "King of the Jungle" and Pirates of the Carabian star Johhny Depp will play him. Even better it will be written by Scott Alexander and Larry Karaszewski who wrote "The People v. O.J. Simpson" who should be able to set the style McAfee would like to see. Oh and to raise those eyebrows a little further do you remember "Bad Santa"? well Glenn Ficarra and John Requa from it are apparently going to be the directors...

[2] https://gizmodo.com/everything-we-learned-from-john-mcafees-maniacal-campai-1729873498#_ga=2.118413325.541471115.1529771631-1076331486.1502759282

gordoJune 24, 2018 4:21 AM

@65535

how “historic” records and “real-time” cell phone locations records will be defined and handled in both criminal and civil cases with this new SCOTUS decision.

Who knows! For example, Stingrays have apparently been around since at least the mid-1990s[1]. Their days (or rather years), however, may be numbered[2][3]. Given that, it's entirely possible that SCOTUS will never rule on the constitutionality of their usage by law enforcement.

Regarding mobile carriers, location data, aggregators, LEOs and federal agencies, with respect to the Fourth Amendment, whether by letter or spirit of the law, each have failed in their responsibilities.

As so, the modus operandi exhibited there, and in so many other places these days, maybe like a bad habit, seems to be this:

It's easier to ask forgiveness than it is to get permission.

Diagnosis:

The transitive trust model is broken[4].

I don't expect much, if anything, from the current FCC on any of this, i.e., from this executive branch agency. What the reconstituted FTC does with the likes of Facebook, Google and others remains to be seen. Proving harm for civil cases for these kinds of issues in the courts seems next to impossible. Carpenter came out of a criminal case. It takes a long time for the right kind of case or argument that the Supreme Court wants to rule on to develop in the lower courts. In a manner of speaking, lots of trial and error. In that regard many thanks to those in the legal community working on these issues. Near term, it may be that Congress, spurred on by GDPR, is ready to pass some basic privacy legislation. Time will tell[5][6].

---

@Clive Robinson, 65535,

Which leaves wide open the "parallel construction" hole via "probable cause".

Regarding the use of parallel construction, I sometimes wonder what's actually taught at some police academies. Maybe it comes as part of advanced field training, if not contractual agreements[7][8].

Due, in part, I imagine, to the fact that NDAs had been leaking out for several years[09], the FBI announced in a 2015 press release that warrants would be required for the use of cell-site simulators[10]. Not surprisingly, given the ruling from SCOTUS in Carpenter, it[11] and the FBI policy enhancement now share a particular phrase: "warrant supported by probable cause". One's for real-time, immediate information collection and the other's for historical, stored records acquisition, to wit:

FBI/policy: law enforcement agents must now obtain a search warrant supported by probable cause before using a cell-site simulator.
SCOTUS/Carpenter: the Government must generally obtain a warrant supported by probable cause before acquiring such records.

It's in the FBI's guidance document[12], however, which is attached to the press release, that we see a "'parallel construction' hole via 'probable cause'":

When the equipment is used to identify an unknown cellular device, all data must be deleted as soon as the target cellular device is identified, and in any event no less than once every 30 days.

One possible procedure: On a rolling basis look for IMSI numbers that show up in logs from more than one or two IMSI catcher deployments, etc. I suppose one might refer to such activity as "location chaining".

As of March 2018, 25 of 50 U.S. states are known to have cell site simulators in use by state and/or local police departments[13]. Of those, as of 2016, only four had laws on the books requiring warrants for their use[14].

---

[1] http://www.slate.com/blogs/future_tense/2013/02/15/stingray_imsi_catcher_fbi_files_unlock_history_behind_cellphone_tracking.html

[2] https://www.zdnet.com/article/stingray-spying-5g-will-protect-you-against-surveillance-attacks-say-standards-setters/

[3] https://www.ericsson.com/research-blog/protecting-5g-imsi-catchers/

[4] https://krebsonsecurity.com/2018/06/verizon-to-stop-sharing-customer-location-data-with-third-parties/

[5] https://www.theregister.co.uk/2018/06/01/wyden_ss7_stingray_fcc_homeland_security/

[6] https://krebsonsecurity.com/2018/05/why-is-your-location-data-no-longer-private/

[7] https://theintercept.com/2016/05/05/fbi-told-cops-to-recreate-evidence-from-secret-cell-phone-trackers/

[8] http://2z1lgh2b70k6l35213d2eghg.wpengine.netdna-cdn.com/wp-content/uploads/2016/04/OKCPDFBI-MOU.pdf [see the second-to-last bullet point on p. 2 of the pdf]

[9] http://www.cehrp.org/non-disclosure-agreements-between-fbi-and-local-law-enforcement/

[10] https://www.justice.gov/opa/pr/justice-department-announces-enhanced-policy-use-cell-site-simulators

[11] https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf

[12] https://www.justice.gov/opa/file/767321/download

[13] https://www.aclu.org/issues/privacy-technology/surveillance-technologies/stingray-tracking-devices-whos-got-them

[14] https://en.wikipedia.org/wiki/Stingray_use_in_United_States_law_enforcement#State_governments

Sancho_PJune 24, 2018 4:59 AM

re Carpenter vs. United States

Never heared from Gorsuch before, but in my opinion he got the basics right without the need of technical details:
The Third Party Doctrine, as argumented e.g. by Orin Kerr, is simply wrong.
It seems by dissenting Gorsuch wanted to stress this fact.
Only a few will take notice:
It is too late to scrap the TPD. The 4th is dead.
With the 4th went our protection against exploiting our privacy by big business.
Why should LE have less access as business? Because they don‘t pay?

Probably it was the other way round, first business wanted to exploit privacy, so LE (government) may take advantage from this abuse?

65535June 24, 2018 5:33 AM

@ gordo

Re: historical cell phone location data v. Real-time cell phone location data and the criminal v. civil side of cases.

“Who knows! For example, Stingrays have apparently been around since at least the mid-1990s[1]. Their days (or rather years), however, may be numbered[2][3].”-gordo

I agree that we really don’t know. That is a big subject. Let’s carefully think about it.

This cell phone tracking and spying is a multifaceted problem that will take years to solve. We did not really know much about the extent it for the last few years [say, since the Snowden documents of 2014]. It is hidden and hard to examine.

Let us remember we went through the 9/11 war period where the USA had a hard line President in place and the elected what we thought was a liberal President to reverse all of that cell phone spying.

In the later stages this liberal president turned out to be little or no different than the previous president to the military industrial complex and our growing industrial spy complex.

Now, oddly we have flipped to a conservative President who dislikes the industrial spy complex for spying on him. He is worried for his own position and for various reasons. The US is in a time of political flux. We don’t know what will happen next.

The Judiciary structure is now only seeing the start of the dark under-workings of the industrial spy complex for the last two presidents and digital innovation strides of both good and bad areas of the silicon valley complex.

Your 14 point footnote post is very complex and will take me a while to digest let alone answer. As you note:

‘It's in the FBI's guidance document[12], however, which is attached to the press release, that we see a "'parallel construction' hole via 'probable cause'":

“When the equipment is used to identify an unknown cellular device, all data must be deleted as soon as the target cellular device is identified, and in any event no less than once every 30 days.

‘One possible procedure: On a rolling basis look for IMSI numbers that show up in logs from more than one or two IMSI catcher deployments, etc. I suppose one might refer to such activity as "location chaining". As of March 2018, 25 of 50 U.S. states are known to have cell site simulators in use by state and/or local police departments[13]. Of those, as of 2016, only four had laws on the books requiring warrants for their use[14].-gordo

See gordo’s post

https://www.schneier.com/blog/archives/2018/06/friday_squid_bl_629.html#c6777105

This is a complex post in most aspects. I will try to add to it as more information is available and digested. I am still working the Carpenter v. United States case.

https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf

ThothJune 24, 2018 8:26 AM

@all, Clive Robinson

Another reason to be fully skeptical about the security guarantees by Intel et. al. and their products. They do not care about security or they are deliberately creating holes (most likely a mixture of both) in their products.

New variants of side-channel attack can cause keys to leak from CPUs and Intel seems to care less of doing anything to fix problems that people found.

Not surprisingly, Intel et. al. products are gifts that simply keep giving infinitely.

Link: http://www.theregister.co.uk/2018/06/22/intel_tlbleed_key_data_leak/

AlejandroJune 24, 2018 9:02 AM

@Major

Re:"...increasing annoyed by Google Chrome's incessant efforts to get me to log in..."

Chrome creeps me out. I tried to use it yesterday for a certain LAN purpose, thus blocking all connections to the WAN, but it persistently wanted to connect to two or three google ip addreses regardless. Also, I've noticed google maps is not giving full results unless you sign in now.

I figure it's all part of the "If it's free, you are a target" syndrome.

Meanwhile, Google and all the other big players are getting HUMONGOUS multi-billion dollar contracts with DoD and other government agencies to the extent I think it's not too far fetched to view the google, et al, as privatized government agencies, doing the government's bidding, for a price.

For example, I would really like to see their contract to feed DoD with google user search data. I bet it's an eye popper.

GregWJune 24, 2018 10:35 AM

@Alejandro
Chrome also tends to ignore your local /etc/hosts file on the Mac (which ive used to block certsin sites) and use DNS. And newer versions no longer provide any way to turn this behavior off.

It remains utterly ambiguous in my eyes whether they have removed this user control for security purposes or self serving antiadblocking revenue ones. Or both. I personally am unhappy with the removal of control from me to them.

The effect has seemed somewhat intermittent in my experience.

bttbJune 24, 2018 11:00 AM

From Snowden's Twitter feed:

Secret Origins of Evidence in US Criminal Cases
https://www.hrw.org/report/2018/01/09/dark-side/secret-origins-evidence-us-criminal-cases (with 296 footnotes)

"Judge: [I]f, you know, there was an illegal search … followed by a legal search, but that was only obtained because now that you had the illegal search, you knew something about [the case], that would be a concern to the Court.… And that is the fruit of the poisonous tree, potentially.

Prosecutor: I respectfully dispute that point.… [I]n fact, I don’t have any concern about that.

—Hearing transcript, United States v. Lara (Northern District of California), December 2013"

MarkHJune 24, 2018 1:06 PM

.
Weaponized IoT

NY Times on Digital Tools of Domestic Abuse

"One woman had turned on her air-conditioner, but said it then switched off without her touching it. Another said the code numbers of the digital lock at her front door changed every day and she could not figure out why ... Internet-connected locks, speakers, thermostats, lights and cameras that have been marketed as the newest conveniences are now also being used as a means for harassment, monitoring, revenge and control ... Abusers — using apps on their smartphones, which are connected to the internet-enabled devices — would remotely control everyday objects in the home, sometimes to watch and listen, other times to scare or show power. Even after a partner had left the home, the devices often stayed and continued to be used to intimidate and confuse."

TazJune 24, 2018 2:27 PM

Re: Winston Smith

I really want to believe government will obey the law. Seriously.


But it may be too late for myself (perhaps others). Have seen too much that I never believed possible. Always followed by a bullshit rationalization.....


Our Bill of Rights means exactly what it says. The idea that we must beg those judges almost monthly for rights already owned speaks volumes.

Clive RobinsonJune 24, 2018 2:41 PM

@ Thoth, All,

[Intel] do not care about security or they are deliberately creating holes (most likely a mixture of both) in their products.

There is a third option in that the hardware architecture is so convoluted that they "can not" do anything about it, other than rip it out and start again...

So on to "TLBleed" it is certainly a new attack method and one that in effect defines a new form of Cache based side channel.

But the interesting bit, the one that is also going to become "A Solstice day gift that keeps giving" is the use of AI. This potentially can be applied to all cache based attacks and quite a few other side channel attacks as well not just hardware attacks.

The only solution currently appears to be to turn off "Hyperthreading" which a number of security savvy people have already done.

From what has been said about turning Hyperthreading off it is a bit of a mixed bag performance wise anyway, and frequently does not have the real world advantages some claim of it. That is "if you write your code oneway you get a tiny win, anotherway you lose and it could be big".

Rewriting code to make it side channel safe has to be done on a side channel by side channel basis. That is what might work for time based side channels is probably not going to work for data position dependent side channels, and it's quite possible that fixing one will make the other worse in any given segment of code.

Worse for code writers a fix that will work on one CPU chip, may not work on another chip from the same manufacturer.

I've been aware of a simillar problem for quite some time, and it's one of several reasons why in Castles-v-Prisons (C-v-P) I talk about using "tasklets". There are very few people who are experts on writing security code and writing tasklets for more generic programers to use would be the most effective way to leverage their hard earned skills.

Whilst a C-v-P system using high end CPU chips is not available this type of security coding could work in interpreted languages like Python. In essence the security coders abstract the interface away from the CPU faults fixing them at the interpreter thus solving the problem for generic coders.

But the funny part to me is the AI part of TLBleed, in C-v-P I talk about code having a run time signiture that can be used to detect if malware has tried to get into a tasklet. I envisioned a hardware based hypervisor solution to do this, however the AI code for TLBleed could be repurposed to do a similar job on high enf CPU's with Hyperthreading. It was not an idea I originally thought of doing, so a "Hat Tip" to the TLBleed researchers at at the Systems and Network Security Group at Vrije Universiteit Amsterdam, in the Netherlands, they have given me an interesting an novel thought, which is very rare these days.

To outline it a little more, if you have a CPU core that can run two threads effectively simultaniously and you can control which threads run where at any given time you can have a "program thread" and a "security thread" designed specifically for the program thread to watch over it. The security thread in effect sees the signature of the running program thread and can using certain minor tricks with the TLB see into the program thread's process space etc. Thus it can tell when malware or even some code exceptions happen.

But back to Intel, their attitude to the researchers at the Systems and Network Security Group at Vrije Universiteit Amsterdam, is shall we say not just distinctly unfriendly but a throwback to much earlier "head in the sand" days which gave rise to the "Full No Warning Public Disclosure" movment, that ended up with "responsible disclosure" that most of us rely on today.

If I was daft enough to have shares in Intel I would seriously consider getting rid of them, because their current attitude is very likely to have a negative impact on their value. But then the senior managment in Intel know this, as atleast one of them dumped his shares towards the end of last year before the first of the "Xmas Gift that keeps giving" dire news hardware faults were alowed to become public... What this says about Intel Managment and their suited sharks I will leave others to make up their own mind.

However having got Intel out of the way the reserchers at Vrije Universiteit, have made clear they have only tested TLBleed on a limited number of Intel CPU chips. This means that it is now quite likely that other researchers will find similar with AMD and possibly some ARM based CPU cores, or their investigations will throw up other just as interesting side channels, using AI techniques.

@ Bruce,

When the researchers at the Systems and Network Security Group at Vrije Universiteit publish their results, can you give them and TLBleed a thread? I suspect it will be more than worth it just on the AI aspect alone.

Winston SmithJune 24, 2018 5:38 PM

@Taz

"Our Bill of Rights means exactly what it says. The idea that we must beg those judges almost monthly for rights already owned speaks volumes."

That pretty much sums it up for me too.

It's not that all individual rights come from government and only those first 10 listed in the constitution are given to the people as some politicians see it... nay, quite the contrary. These so-called "rights" are nothing more than restrictions on government's reach and authority, and all other individual rights were considered to have been granted by God at the time of its writing. The framers knew that the tendency was to continually encroach on individual liberties, and so they designed the document appropriately.

@Clive,

Indeed, Intel CEO sold shares in 2017:

https://www.cnbc.com/2018/01/04/intel-ceo-reportedly-sold-shares-after-the-company-already-knew-about-massive-security-flaws.html

And interestingly, 3 days ago he resigned... reportedly for having sex with another employee:

http://money.cnn.com/2018/06/21/technology/intel-ceo-out/index.html

To be honest, that's a curious reason to report publicly. I'm thinking he foresees the sea-change in the market over the next decade and the security flaws in X86 chips are one Albatross around his neck.

TõnisJune 24, 2018 6:50 PM

@Taz,

"Our Bill of Rights means exactly what it says. The idea that we must beg those judges almost monthly for rights already owned speaks volumes."

It's disappointing that on the various tech sites where discussions center around back doors the consensus seems to be that when government wants access to suspects' data anything is okay so long as there's a warrant. We are in the times when one must take matters of security into his own hands and not just expect that those acting in the name of governments will behave justly or honorably. Judges routinely rubber stamp all types of warrants. The people need options without back doors. If your secure data gets confiscated because some attorney in a black dress rubber stamped a warrant, and you still feel that you're morally obligated to give the government meaningful access to your data, you can choose to grant access. This is similar to what I read in a book on asset protection more than a decade ago. The author, an attorney, wrote that while some people will argue that people are morally obligated to satisfy judgements against them, they should protect their assets anyway. Unjust judgements are handed down all the time. When one's assets are protected, he can still elect to make them available to satisfy a judgement if he feels he has a moral obligation to do so. If his assets are not protected, he doesn't have the option, and he's screwed.

ThothJune 24, 2018 8:04 PM

@Clive Robinson

Re: TLBleed

I would prefer they use very high level language codes as well. A simplified markup or markdown language or something along the lines of batch scripts that you suggested might be useful and restrict the rest of the access.

I would prefer a stripped down version of markup/down languages to do the trick as HTML and Javascript is something familiar with most people. Instead of inheriting all the problems of Javascript and HTML, the form of the syntax can follow those but the essence would be different with more security focus.

I wouldn't want to give something like Python, Lua or Java to a tasklet developer because those are simply too powerful for them to handle.

The main thing is to decouple actual memory access with how the scriptlet interacts with memory to prevent things like buffer and cache attacks and this is how most smart cards and HSMs with scriptable modules handle. You wouldn't be given native access to the memory and instead a security certified VM would handle everything.

Regarding detection of compromised scripts being executed, an AI to detect compromise would be faster but can be easily corrupted by a malicious manufacturer whereas my approach of making quorums of the executing chips to vote and "append to a local blockchain" the result of the local interaction would be slower but this allows a decentralization capability where the chips can be sourced from multiple manufacturers and the chips are split into tiny "execution islands". The chips would have a local ledger just like Bitcoin but it would not have the Proof-of-Stake or Proof-of-Work inside. What it would use to incentivise correct checking and to dissuade cheating amongst the chips would be a point-based system based on integrity of work (a.k.a reputation). The higher the reputation of a chip displaying it's integrity of work, the more likely the chip would be given a chance to execute the next task. If a chip is found to have integrity issues, it's reputation would be degraded. If a chip is found to deliberately down-vote another chip's work by attempting to false-flag another chip, it would also have it's reputation degraded.

An "execution island" can be running a script execution task while another "execution island" can be running a "witnessing" job on the execution produced by the "execution island" running the script execution task and this will ensure every task executed will have a quorum of witness.

The quorum of witness assigned as the "witnessing island" watching over the "executing island" would be in-charge of "mining the task" by creating a consensus over the executed task they witnessed and would include to the ledger's block the executed task as a quorum of votes. The next block containing the next task(s) would be tagged behind the latest block (edge node) as in a Merkle tree. The longer the branch, the more trusted in the task as with normal blockchain applications like Bitcoin.

In this manner, it forms a sort of self-contained and self-sustained integrity checking environment without the woes of the Bitcoin ledger needing a Proof-of-Stake or Proof-of-Work that would be rather resource intensive.

I have not fully described the system above as we know people are observing us and are hungry :) . The above information are repeats of what I described in the past with nothing new added anyway.

In simple, my idea of using a ledger and reputation to keep the chips in check for their integrity of execution is a little slower than a centralized AI chip or checker but it expands on the ability for allowing a variety of chips to come together and is closer to the essence of the Prison model which in the first place was to decentralize the power of a single chip and thus using an internal ledger, it comes even closer to decentralizing power of all chips to the trust of a single ledger co-signed by the original quorum of chips within the system as a root of trust as it's "genesis block" in a ledger.

Public trust in Intel is at it's lowest but the ubiquitous nature of Intel chips makes it the current reigning supreme until hopefully something like am open source SPARC or RISC chip can appear and manage to wrangle market shares but at that time, due to how bloated and corrupt organisations become as they grow, it will inevitably be the same anywhere it goes.

End of the day, we still have to move over to the C-&-P model soon ... when my time avails :) or if someone manages to sneak up and bring a little nasty surprise by already having worked out our ideas and making them a reality (even partial) just like some professors and scholars backed by national institutional funds whom have attempted to make a half-baked version of our vision.

NamagemoJune 24, 2018 9:00 PM

@65535

IMO, cell phone data (including location data) is declining in value ...

Now it's all about the photons. The cell phone data is (almost) trivial now, except as it is used to bolster photon based coordinates. Cell phones won't be needed very much longer even for that - a few more years at the most. The cell phone data is like the technology used by Sherlock Holmes, and the photons are more in line with today's TLAs.

Except that - all that photon stuff has been offloaded to the corporates. So, what do those TLA guys do anyway?

TyeJune 24, 2018 10:30 PM

@clive side channels, I even gave a example, but there are other that will be better, google search unavailable...

OafJune 24, 2018 10:45 PM

@Major @trsm
With GDPR cutting off the data-flow from Europe, the big-data miners have doubled their efforts to monetize those who are left unprotected.

With Google built binary blobs, Chrome and Chromium are toxic regardless of privacy add-ons. Chrome latest control scam is automatically download news articles (into tabs) that have their targeted ads. Yet many Linux distributions include Chrome - as the number of websites being supported by Google-Analytics increases.
I'm fed-up with news and product reviews which are increasingly restricted and biased, in that all roads lead to Google. There is zero mention from web sites as they monetize away our privacy.

I never use any software which requires a permission log-in to use, install or update.
I also tire of the drumbeat saying all practical security is compromised. Can’t we at least take effective countermeasures against data-mining?
I’ve had excellent success with Debian Stretch with the updated programs (like Pale Moon and Kodi) in the mx-17 repo. http://mxrepo.com/.

For Raspberry Pi this Palemoon ARM version is three times faster than doggy Firefox 52. Use with Secret Agent, uBlock Origin and uMartix add-ons. Install Synaptic. Connect with a VPN and disable JavaScript with PreBar button. Install Kodi. ftp://archive.palemoon.org/third_party/RasPi/ Not bad for $70!

The best streaming media players are Linux/Android based using the Realtek 1295 chipset. The Zidoo x9s reliably plays everything. No compromised PCs or Google account required. It’s immensely rewarding to escape from being exploited.

65535June 25, 2018 3:43 AM

@ gordo, MrC, Clive R. and others
“…Gorsuch's dissent is only a "dissent" insofar as Carpenter failed to raise what Gorsuch thinks was the winning argument. The difference is down to lack of foresight on the part of Carpenter's lawyers…”-MrC

True.

But, this case dates from 2011 until 2018 and is one of hundreds of cases winding their way through the legal gauntlet. Carpenter may not have had the absolute best lawyers money can buy or the financial resources to raise every legal point in the book such as the intricate parts of the Stored Communication Act and the possible necessity of the government needing a legal warrant for 120+ day cell tower dumps.

It easy for the SCOTUS judges to look down their noses as one small corner of this stored communication acts contained and snicker at the defense team.

I have finished the last pages of 119 page opinion where Justice Grouch’s tears apart both Smith and Miller and Katz and shows the illogical manner of the patchwork "legal time windows" style law that Katz and the “third party doctrine” have produced. I believe Justice Gorsuch opinion is the most coherent of all the opinions in many respects.

Justice Gorsuch clearly notes the logical mess of the third-party doctrine [all page numbers from the consolidated pdf decision linked below]:

[Carpenter decision]

Page 102 to 109

[The third-party doctrine horrible wrong]

‘ In the years since its adoption, countless scholars, too, have come to conclude that the “third-party doctrine is not only wrong, but horribly wrong.”’-Justice Gorsuch

[And]

“...the Court adds that it can’t say whether the Fourth Amendment is triggered when the government collects “real-time CSLI or ‘tower dumps’ (a download of information on all the devices that connected to a particular cell site during a particular interval).” Ante, at 17–18. But what distinguishes historical data from real-timedata, or seven days of a single person’s data from a down¬load of everyone’s data over some indefinite period of time? Why isn’t a tower dump the paradigmatic example of “too permeating police surveillance” and a dangerous tool of “arbitrary” authority—the touchstones of the majority’s modified Katz analysis? On what possible basis could such mass data collection survive the Court’s test while collect¬ing a single person’s data does not? Here again we are left to guess.”- Justice Gorsuch

[Actually CPNI is forbidden to be disclose and possibly is the property of the individual and no one else. That defense argument was not raised in this long twisting case.]

Page 118 to 119

“It seems to me entirely possible a person’s cell-site data could qualify as his papers or effects under existing law. Yes, the tele¬phone carrier holds the information. But 47 U. S. C. §222 designates a customer’s cell-site location information as “customer proprietary network information” (CPNI),§222(h)(1)(A), and gives customers certain rights to control use of and access to CPNI about themselves. The statute generally forbids a carrier to “use, disclose, or permit access to individually identifiable” CPNI without the customer’s consent, except as needed to provide the customer’s telecommunications services. §222(c)(1). It also requires the carrier to disclose CPNI “upon affirmative written request by the customer, to any person designated by the customer.” §222(c)(2). Congress even afforded customers a private cause of action for damages against carriers who violate the Act’s terms. §207. Plainly, customers have substantial legal interests in this information, including at least some right to include, exclude, and control its use. Those interests might even rise to the level of a property right. The problem is that we do not know anything more. Before the district court and court of appeals, Mr. Carpen¬ter pursued only a Katz “reasonable expectations” argument. He [Carpenter - ed] did not invoke the law of property or any analogies to the common law…”- Justice Gorsuch

https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf

It is now clear that the stored communication act was probably abused by the government but it frustrating to learn this information at the end of the long Carpenter decision.

Carpenter could have really stuck it to the government if his defense team had brought that point up while in front of the SCOTUS.

Link to bio of Gorsuch:

https://en.wikipedia.org/wiki/Neil_Gorsuch

Clive RobinsonJune 25, 2018 4:00 AM

@ Thoth,

On an entirely different subject, as you probably know busybox wraps a whole load of seperate command line functions into a single program which has quite a few advantages but one or two disadvantages.

On disadvantage is that not all command line arguments are supported for individual commands and there is variation in the documentation as to what is and is not supported. Which means sometimes things are there which are not in the documentation. Thus an eagle eye on the source code can spot a few things. Some of which have no meaning to those who started SysAdmining after around the early to mid 1990's.

As you possibly know engineers especially older engineers know many things they tend not to talk about for various reasons, not least of which is that it should be obvious to those who have learned the foundations of the subject.

Well a problem I've mentioned before is the foundations tend not to get taught as much as they used to. Due these days the perception of mastery of a "tool" is deemed more important by employers and course sponsors. So the issue of "forgotton knowledge" comes up, much as it did when old pre-network malware propergation techniques came back and bit a whole bunch of new generations...

I was reminded of this due to something somebody posted, which helpfully has this text document that might help them catch up on some old timers,

http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

Sancho_PJune 25, 2018 4:00 AM

re historical data, Carpenter vs. US

From the ruling:
But there is a world of difference between the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of location information casually collected by wireless carriers.
(Syllabus, page 3)

Here is the sad part, hidden in these two words:
„casually collected“

One would immediately have to ask: Why do they collect it at all?

And:
Is piling up customers‘ private data legal?
Who collects, gov or private business? On whose behest?
Unlimited?
Is it still legal if the person is a lawyer, judge, politician, senator, president?
A family member of said persons?

What is the liability if such data is shared, „stolen“ or lost, single or in bulk,
to business or news? To the Russians?

And the contrary question:
What is the liability (and the legal consequence) if such data is not available any more, regardless why, when needed, e.g. to prove innocence of an accused person?

Do we fully understand that those data belong to a device, not a person?

And the questions for the techies:
Can digitally processed data fail?
Using standard systems, not certified for such use? Win$$$? Other SW, Internet on the same machines?
Could such data be faked?

Clearly, collecting personal data is a liability.
Are those who do it aware of?

TyeJune 25, 2018 4:54 AM

Thanks but getting Linux isn't going to help, self plug: if you are in nz I could use a job

65535June 25, 2018 5:01 AM

@ Sancho_P

“From the ruling:

But there is a world of difference between the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of location information casually collected by wireless carriers.
(Syllabus, page 3)

“Here is the sad part, hidden in these two words: „casually collected“
“One would immediately have to ask: Why do they collect it at all? And:
Is piling up customers‘ private data legal? Who collects, gov or private business? On whose behest? Unlimited? Is it still legal if the person is a lawyer, judge, politician, senator, president? A family member of said persons?” -Sancho_P

Those are all good questions.

Can you link to the “Syllabus and page 3 so we can see the data?

From what I can see Carpenter's defense would have had a huge win if his defense teams brought up 47 U. S. C. §222, CPNI),§222(h)(1)(A), §222(c)(1), §222(c)(2), and §207. "Plainly, customers have substantial legal interests in this information, including at least some right to include, exclude, and control its use. Those interests might even rise to the level of a property right."- Justice Gorsuch

See link to Carpenter pdf
https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf

Clive RobinsonJune 25, 2018 5:11 AM

@ ALL, Thoth,

A little more on TLBleed, from the OpenBSD "friendly dictator" Theo being less than friendly towards Intel.

Hardly suprising really,

https://www.itwire.com/security/83347-openbsd-chief-de-raadt-says-no-easy-fix-for-new-intel-cpu-bug.html

He brings up an issue I mentioned years ago prior to the first news of Google's Chrome web browser. The OS can not fix certain kinds of security problem such as shared threads because the application has taken the security task on --very badly in a single process space-- from the OS (which did it well in multiple process spaces).

So if you have multiple browser windows/tabs open the OS sees them as being in the same security context whilst the browser actually needs a security context for each window/tab.

Thus as Theo points out you could have a sensitive thread running on a "shared" core with a javascript malware thread exploiting the "shared" link to get at data in the sensitive thread.

Theo also points out that it was in effect Intel's cheeseparing behaviour to "share" rather than duplicate the TLB cache etc that gave rise to TLBleed...

But as we know these "Intel Gifts" will keep on giving so TLBleed will mark the start of a series of further exploits, most of which we can expect to improve things for the attackers, not the defenders.

So a gift at Xmas and the Summer Solstice six months on, any one care to guess if the next major Intel Gift will be before or after Xmass 2018?

My bet will be sooner, as adjusting to a new problem domain has a lead in time for researchers...

TyeJune 25, 2018 5:26 AM

Some points taken to, but that's not interesting, I'm behind the ball with computer but that is floss, but I can catch up, New program for a tech

ThothJune 25, 2018 6:41 AM

@Clive Robinson

Re: Link

Thanks it will be very useful for me as well.

Regarding wildcards, I don't like regular expressions and I heavily limit or ban their use in the codes I personally cut for this particular reason.

I went to the point of re-coding stuff that I need (i.e. parsers) and prefer to look through the bytes than to use the normal and common style of parsing files and URLs which is mostly regexp here and regexp there ... not my style as it doesn't have the precision I want and opens whole new world of bugs from the system's underlying regexp engine and what surprise it may spring.

Re: Theo de Raadt

His choices were very conservative and his decisions are much appreciated to produce one of the more resilient OSes that we currently have in the public domain for free without resorting to exotic hardware like HSMs and smart cards.

I have a feeling that by observing the current trends, more attacks will become targeted at the CPU level to cause it to glitch and become even harder to protect against. A hardware level attack via the software level is the most desired and it would be better if it can be done in a large scale attack with ease.

Re: Bruce Schneier's call to make companies accountable for their products

I guess this isn't happening as quickly as we are seeing more nasty stuff hit the fence. Will Intel et. al. feel the pain if they are fined by some authorities over the recent bugs in their CPUs ?

No ... they are too rich and powerful to fail ...

I guess we need a better approach because whatever it is to try and make companies accountable isn't nearly working as well as planned.

I think this strategy needs a re-think whatever the case it might be.

TRXJune 25, 2018 9:41 AM

> "Florida's busiest airport is becoming the first one in the nation to require all passengers on arriving and departing international flights, including U.S. citizens, to submit to a face scan"

---

This was a topic on the comp.risks group back in the mid-1990s. Several airports were mentioned, and also that various Federal buildings had facial recognition systems.

So, they abandoned the old system? Forgot it was there? Or just ignoring it while making PR for the new one?

Weather June 25, 2018 3:35 PM

Hi all I haven't been in the computer industry for 11 years, I would like to get back into it as a technician, a lot of programs have changed has anyone got links to forums where I can catch up?

gordoJune 25, 2018 9:27 PM

@ Sancho_P,

"Never heared from Gorsuch before, but in my opinion he got the basics right without the need of technical details:
The Third Party Doctrine, as argumented e.g. by Orin Kerr, is simply wrong.
It seems by dissenting Gorsuch wanted to stress this fact.
Only a few will take notice:
It is too late to scrap the TPD. The 4th is dead."

Some have noticed; all may not be lost:

Ten Thoughts on Today’s Blockbuster Fourth Amendment Decision – Carpenter v. United States
BY LIOR STRAHILEVITZ & MATTHEW TOKSON · JUNE 22, 2018

9. Wither the third party doctrine? The most important sentence in Justice Gorsuch’s opinion appears at page 20: “Nor can I fault the Court today for its implicit but unmistakable conclusion that the rationale of Smith and Miller is wrong; indeed, I agree with that.” Justice Gorsuch is going to be on the Court for a very long time and he is signaling that in a properly presented case he will reject the third-party doctrine. That’s huge. What is less certain is whether his characterization of the majority opinion is apt. I suspect his description applies to some but not all of the justices in the Carpenter majority.


10. A New Fourth Amendment. At the end of the day, it’s that last point about the third-party doctrine that is the real show-stopper. Carpenter upsets the apple cart of Fourth Amendment jurisprudence in a fundamental way. In some previous cases the lower courts had pushed back against the third party doctrine (think of Warshak – the 6th Circuit’s email case, to which the DOJ acquiesced) or individual justices had done so in concurrences (Justice Sotomayor in Jones, most famously), but presumably many scholars are going to regard Carpenter as the beginning of the end for the third-party doctrine. Verizon and AT&T and Apple and Google and Amazon are collecting an enormous quantity of sensitive information about all of us, and the Supreme Court is now saying explicitly that our sharing of that information with these companies is not tantamount to consent that it be shared with the government. We are moving towards a world of the Internet of Things, automated license plate readers, proliferating facial recognition software, drone delivery, connected self-driving cars, and rapid further technological change. The lengthy Carpenter opinions are a treat to read. But they will be the gift that keeps on giving — Today the Court just made Fourth Amendment law a lot more interesting for the next decade or three.

https://concurringopinions.com/archives/2018/06/ten-thoughts-on-todays-blockbuster-fourth-amendment-decision-carpenter-v-united-states.html

---

Also echoing your concerns about what's at stake:

10 Reasons Why the Fourth Amendment Third Party Doctrine Should Be Overruled in Carpenter v. US
Daniel Solove Founder of TeachPrivacy November 28, 2017

The U.S. Supreme Court will be hearing arguments this week in Carpenter v. United States, which is one of the most important Fourth Amendment cases before the Court. The case involves whether the Third Party Doctrine will remain viable. If so, the Fourth Amendment will fade into obsolescence in today’s digital age.

https://teachprivacy.com/carpenter-v-us-10-reasons-fourth-amendment-third-party-doctrine-overruled/

Sancho_PJune 26, 2018 5:24 AM

@65535, gordo

My quote is exactly from the pdf you‘ve referenced, the Syllabus (headnote) at the beginning, page 3, first paragraph (starting with „(2) The Government contends ...“), it’s the second sentence.
My understanding of legal English is close to zero, and I don‘t know who wrote that, but the word „casually“ seems to be unusually fuzzy in such a context.
Obviously the provider wouldn‘t collect it casually, but by purpose.
But what is the purpose, is it to get in trouble? Very unlikely.

To limit the collection of personal data is the central part of the GDPR, albeit they got it deliberately fuzzy, so that their own breed (lawyers) can make a living from it.
But the base line is: Don‘t collect what you do not absolutely need.
IIRC years ago @Bruce made a similar suggestion.

Capitalism would be:
- Those who order it have to pay for, plus tax has to be collected.
- Accountability and liability are part of the (any) business.

So my thinking is not to cut out the LE, and not the survival of the 4th
(this is an internal, US only issue).

Data must not be collected if it not necessary for business.

JG4June 26, 2018 7:35 AM


Thanks for the great discussion and teaching. I particularly like the concurrency article.

https://www.nakedcapitalism.com/2018/06/links-6-26-18.html
...
New Cold War

Exposing the Russian Hacking Fraud by Publius Tacitus Sic Semper Tyrannis

Big Brother is Watching You Watch

AT&T collaborates on NSA spying through a web of secretive buildings in the US TechCruch (David L)

OpenBSD chief de Raadt says no easy fix for new Intel CPU bug ITWire
...

Clive RobinsonJune 26, 2018 10:14 AM

@ Thoth,

I went to the point of re-coding stuff that I need (i.e. parsers) and prefer to look through the bytes than to use the normal and common style of parsing files and URLs which is mostly regexp here and regexp there...

Whilst having a regexp "off the shelf" is nice *nix generaly has several which is very unfortunate, and a big "security hole by assumption" as it encorages a subset of checking rather than full checking. It also causes me to whince when I see people using AT&T Unix Labs Sys5R4 and later, where the mix and match the BSD compatability and Sys5 command line utilities... Worse when a SysAdmin decides to use a shell that's something other than the tried and true --but limiting-- "sh". Bash for instance has more than one gotcher for the unwary...

@ JG4,

Exposing the Russian Hacking Fraud by Publius Tacitus

Yes the timeline is correct as are the players... That one month period of "in action" by crowdstrike struck alarm bells of the "WTF were they doing?" nature. I still think Crowdstrike were "making up as they went along" and As others have argued against I've said the evidence was not there to support what was being claimed, and I suspected a gross "mis-attribution" if not "Red-Flag" operation.

As for discrediting the "Doh gnarled" well both the GOP and DNC payed Steel before he went off the reservation... Which still makes me deeply suspicious that he was actually part of the plot as it were rather than an unwitting tool of two legal firms.

On another note a quick look at Marcy Wheelers blog shows that Muller appears to be doubling down and that the sandwich he is prosecuting is not "Ham" but "Cheese and Ham" which in reality is "All Cheese and no meat". Apparebtly his latest wheeze is "Conspiracy to Defraud the United States" not exactly something that trips of the tongue as "ConfraudUS". Essentially it appears to be one of those "last resort" pieces of legislation that are so broad in scope you could apply it to two people walking down the street who simply nod as they pass, it also appears from what others have indicated that it is in effect legislation that assumes the defendents must have "perfect knowledge" at all times. That is if you start in on a simple business deal and are in the discussion stage and get an odd feeling that the other party is not who or what they say they are and you either pull out or try to discover what is going on then you are still guilty... Further nobody appears to be clear on what "Defrauding the US" is actually all about it appears to be what ever the prosecuter can contrive it to mean... From what others have said it appears that the more the Special Prosecuter does in fringe activities the stronger it makes the "Doh gnarled" not just in the eyes of his significant number of supporters but also in those who have no real party affiliation... Some even think this means he will go for a second term and succeed... It makes you wonder what the SP is actually playing at and what his real agender actually is.

How history will play this out in the end I have no idea but I still can not see anything of substance happening before the mid-terms and some polsters are suggesting that the opposition are not going to realy change the status quo at the mid-terms...

So maybe more cheese sandwiches to follow, me I'm going for another bowl of popcorn, whilst you can still get it in the UK, as Brexit now two years in, is getting further into the mire with idiocy abounding on both sides as they try shaving their noses off...

echoJune 26, 2018 11:52 AM

This is very sci-fi. I'm sure this has more applications than stealth but also as decoys.

https://newatlas.com/metamaterial-stealth-sheet-invisibility-cloak/55180/
https://onlinelibrary.wiley.com/doi/10.1002/adem.201800038

Metamaterials that cloak people and objects from radar, visible light or infrared are usually thick and heavy, but now engineers at the University of Wisconsin-Madison have developed an ultrathin, lightweight sheet that absorbs heat signatures and can even present false ones.

echoJune 26, 2018 12:04 PM

This is an interestign study showing how “High dehumanization and low prejudice is the perfect profile of paternalism". The essence is people believe a "zero tolerance policy" is natural and that the people concerned are less deserving of moral concern.

Denying humanity: The distinct neural correlates of blatant dehumanization.
Bruneau, Emile,Jacoby, Nir,Kteily, Nour,Saxe, Rebecca
Journal of Experimental Psychology: General, May 31 , 2018

http://psycnet.apa.org/doiLanding?doi=10.1037%2Fxge0000417

Recent behavioral work demonstrates that many people view low-status groups as less “evolved and civilized” than high-status groups. Are these people using blatant expressions of dehumanization simply to express strong dislike toward other groups? Or is blatant dehumanization a process distinct from other negative assessments? We tested these competing hypotheses using functional neuroimaging. Participants judged 10 groups (e.g., Europeans, Muslims, rats) on four scales: blatant dehumanization, dislike, dissimilarity and perceived within-group homogeneity. Consistent with expectations, neural responses when making ratings of dehumanization diverged from those when judging the same targets on the other related dimensions. Specifically, we found regions in the left inferior parietal cortex (IPC) and left inferior frontal cortex (IFC) that were selectively parametrically modulated by dehumanization ratings. The pattern of responses in the left IFC was also consistent with animalistic dehumanization: high responses to low-status human groups and animals, and lower responses to high-status human groups. By contrast, a region in the posterior cingulate cortex was parametrically sensitive specifically to liking. We therefore demonstrate a double dissociation between brain activity associated with judgments of blatant dehumanization and judgments of dislike.

PeaceHeadJune 26, 2018 2:26 PM

Man, if I was a GIANT SQUID, I'd hide away as much as possible too!
I hope they are NEVER FOUND again. In my daydreams, I'd like to believe that they know how to hide within deepsea underwater subduction zones beneath the earth's plates.

And in my sci-fi fantasy daydreams, they'd go from their into naturally blackhole wormhole areas where they'd teleport out of our dimensions entirely (kidding(?)) :-)

Cephalopods are amazing. I bet they could also outlife a nuclear war. I sure hope they do if one happens. Beings that graceful and stealthful and shy and introverted (in a way) deserve to continue *their* civilization which is several millions of years older than ours anyhow.

By the way, why are those crazy particle physicists still trying to create miniature black holes?
That would not be very nice if they imploded our entire world just because they are curious about stuff.
Anybody know much about that conCERN? They just don't give a damn...

You can't reverse engineer a black hole. You can't wrangle a black hole. You can't monetize a black hole. You can't map out a black hole. You can't ride a black hole, and you can't believe that anybody can know all there is to know about black holes. By every of the most fundabmental aspects of what it is to exist, to learn, to know, and to discover, it's impossible. Everything about them wreaks of VERBOTEN.

And yet these fanatics who lack common sense would risk our entire planet's existence just to guess at what the universe is "made of". I don't trust them. Didn't they learn from Einstein and Oppenheimer? Weren't atom bombs enough? Isn't fission dangerous enough? We don't need any more quantum weapons.

I really wish all the particle accelerator and black hole and white hole labs would all be shut down.
Believe it or not, for that reason, I'll sleep easier knowing that S. Hawking is no longer with us. I think he was too fearful of AI and not fearful enough of quantum physicists.

Peace be with ya'll
MAY установление мира PREVAIL WITHIN ALL REALMS OF EXISTENCE.
*(peacemaking)

RGJune 27, 2018 1:48 AM

California’s Version of GDPR
“California Consumer Privacy Act, or CCPA, a certified ballot initiative that would usher in the strongest consumer privacy standards in the country, from going before state voters this November.
The initiative allows consumers to opt out of the sale and collection of their personal data, and vastly expands the definition of personal information to include geolocation, biometrics, and browsing history. The initiative also allows consumers to pursue legal action for violations of the law.”
Moving with a frantic urgency, the tech industry has met in secret to water down the ballot measure by authoring alternative bill AB 375. All lobbying is through the cover of industry trade groups to avoid the reality their livelihood is dependent upon selling out privacy. This uniquely Democrat fiasco show they too are highly dependent on lobbyists for funding their reelection campaign.

The Ads that Feed
Notably the secondary news-sites (of all political persuasions) which typically relish exposing the naked truth are also silent. Ad-blockers show the root cause of this addiction. In essence the press is being paid to NOT report significant stories by their de facto employer. This is serious issue of survival. Truth be dammed my dear honeypot!

https://theintercept.com/2018/06/26/google-and-facebook-are-quietly-fighting-californias-privacy-rights-initiative-emails-reveal/

1010 gallon 2 cent hatJune 27, 2018 6:57 AM

@Peacehead

physicists.


Peace be with ya'll

A minor grammatical note. You are presumably addressing multiple persons in wishing peace, so a plural is required. I am reliably informed by a native Texan that the plural of “ya’ll” is “all ya’ll”.

65535June 27, 2018 7:11 AM

@ Sancho_P and gordo

I did not fully understand Sancho_P’s broken English language point on page 3 of the “syllabus” which has no legal standing regarding the actual case except building a background on certain arguments which include the Fourth Amendment and the so called “third-party doctrine” which gives up all rights to data given to a third party until gordo's post.

With gordo’s links to epic and the wired article I can better understand Sancho_P and godo’s information.

I agree that the Third-party doctrine is out of control and rolls over the Fourth Amendment of the US Constitution.

If you actually read Justice Gorsuch’s opinion starting at page 100 to page 119 he destroys the outdate “third-party doctrine” in several way including:

“…countless scholars, too, have come to conclude that the “third-party doctrine is not only wrong, but horribly wrong.”’-Justic Gorsuch

[Note, the best part of the opinion at the last 19 pages of the 119 page document so it is best to start at the end a read toward the beginning regarding most legal documents]

The third party doctrine idea demonstrates it is over-reaching and can be twisted to mean almost anything all to the harm to the Fourth Amendment and other important parts of individual’s rights.

As Anon points, out Justice Gorsuch concludes that Carpenter’s lawyers failed to note the fact that Customer Proprietary Network Information or CPNI is protected under provisions of Federal laws and should not have been abused by police without a warrant.

If Carpenter or this lawyers would have presented this argument Justice Gorsuch would probably have voted with the majority. Also, if Carpenter or his lawyer’s brought this point up this fact alone would have provided a solid victory over the police.

Unfortunately, Carpenter and his lawyers forgot this little fact while bringing the case to the SCOTUS - which would have won the case hands down.

But Carpenter and his defense team forgot this point in the many points used in Carpenter’s appeal to lower courts and the SCOTUS and as such Gorsuch could not join the Majority opinion or helped Carpenter win.

I noted in my post that Carpenter came from a poor Midwestern state and probably could not have afforded the top of the line lawyers in the USA and simply missed his chance to win big and trash the outdated “third-party” doctrine.

I also noted that it was easy for a highly intelligent and highly trained SCOTUS Justice to dismiss this simple failure of Carpenter and his legal team given his status. Not every case before the SCOTUS have the very best lawyers to present their client’s case. That is just a guess upon my part.

In summary I now see what Sancho_P was driving at. It was a little oblique until gordo made his post. Thank you.

PeaceHeadJune 27, 2018 11:20 AM

@1010 gallon 2 cent hat

Thanks for the grammar note.
I had some problems with the post.
I don't know if I mistyped all of that because I was in a hurry or if it got modified in transit.
Usually I hardly have any typos. Many times none whatsoever. It was the first time I posted anything in Russian (from a translation service). They say "ya'all" where I'm from too. But I hadn't heard "all ya'all" as much.

Thanks for reading and for the linguistics.
Peace be with all ya'all.

P.S.- sorry if the post was too far left outfield. not everyone can relate. but it's true, scientists at CERN are trying to create miniature black holes, as if they are safer if they are smaller. WRONG. Hypercompressed density and gravity and heat/light-sucking hypercoldness is more dangerous the smaller it is. They wouldn't be any safer if they were the size of Jupiter, however. Black Holes are NOT SAFE!

I used to read about the topic off and on over the years... I still do. After the LIGO breakthroughs, some of the others have been publishing a lot more about the fringes of physics.

I consider safety issues within the spectrum of security concerns.

echoJune 27, 2018 12:33 PM

The best of the current science says microscopic black holes evaporate too fast to be dangerous. While I'm sure our knowledge of the universe is incomplete as far as things go science is very reliable. Wecan leap at ghosts as much as we like but as Bruce says about cryptology: trust the maths.

RGJune 27, 2018 4:09 PM

California Has 48 24 Hours to Pass This Privacy Bill or Else

For those who care about privacy the next 24 hours is pretty exciting as the USA states begin to implement GDPR type regulations.

Status
“If the bill passes before Thursday, we will withdraw our privacy initiative. If it doesn’t, we will proceed to the November election,” said author MacTaggart in a statement. “We are content either way, as we feel that both the legislative solution, and our initiative, provide tremendously increased privacy rights to Californians.”

Among those who have donated to the ANTI-privacy cause are Google, Facebook, Amazon, Verizon, Comcast, Cox Communications, AT&T, Microsoft, Uber, advertising associations, and industry groups for people who make and sell cars.

Amendments to AB 375 suggested by Mactaggart were scrapped ahead of the committee hearing after a coalition funded by technology giants decried them, demonstrating their influence in the Capitol. Jackson and the other Democrats on the committee supported the bill, but she said she believes it still has an “enormous” number of problems lawmakers would need to address before it takes effect in 2020. WP

The cynical view is lawmakers pass a law then proceed to water it down before it takes effect in 2020. Same old corruption...
If Californians pass the initiative in November the army of lobbyists would have to accept it lock, stock and barrel. https://gizmodo.com/california-has-48-hours-to-pass-this-privacy-bill-or-el-1827117016

Hero In The Making
Real estate developer Alastair Mactaggart became alarmed about the Internet's threat to personal privacy while chatting with a Google engineer at a cocktail party.
"I asked, 'What's this deal with all the privacy stuff? Is it anything to be worried about?'" Mactaggart recalls. "I expected him to say, 'No, it's not a big deal.'
"Instead he said, 'If people only knew how much we know about them, they'd really freak out.'"
"I was taken aback," the developer says. "That got me interested."
Many participating in this security site have been alarmed for decades. It took like forever for the public to understand. This is a historic moment for privacy in the wild-west data-mining USA. How about a write-up Bruce?

echoJune 27, 2018 5:08 PM

In UK case law following a state sector decision there is an entitlement to disagree and discuss the issue to reach a different decision within three attempts. Thereis also case law surrounding decisions made "in the round". In my personal experience I have discovred a lot of inadequcy within the state sector both within knowledge of the law and making rounded decisions. Often the decision comes down to "We're right, you're wrong" and "What are you going to do about this hah hah". Decision makign can also fall prey to "follow the leader" and information being misused both my misinterpretation and abuse of information given in confidence for a specific well reasoned purpose. As a result my confidence in both the courts and the police to manage this proposed anti-terrorist law is very low.

http://www.theregister.co.uk/2018/06/27/tech_giants_should_pull_illegal_content_in_six_hours_says_labour_mp/

This included the period over which the three viewings have to take place and the circumstances in which people have not committed an offence. Corey Stoughton of Liberty told the committee that exemptions should include academics and journalists, as well as people who were viewing to gain a better understanding or did so "out of foolishness or poor judgement".

[...]

In contrast, the Metropolitan Police's assistant commissioner for counter-terrorism, Neil Basu, said that he would "be nervous about absolute time limits" because some people may have been viewing content many years ago – but added that the police were "adept at looking at the full intelligence picture".

Clive RobinsonJune 27, 2018 5:21 PM

@ PeaceHead,

not everyone can relate. but it's true, scientists at CERN are trying to create miniature black holes, as if they are safer if they are smaller.

Depending on who you ask, you might just be surounded by a veritable sea of point sigularities (in effect miniture black holes). Others are a little less enthusiastic and say one or two every once in a while.

The point being theoretical physicists think that they are fairly normal these days along with seceral other things that were once "funnies".

As for them being dangerous go look up the strong electric force and just how much power goes into a gravity wave before it becomes measurable...

In other news time may not be what you think it is...

https://www.newscientist.com/article/2166665-why-now-doesnt-exist-and-other-strange-facts-about-time/

Alyer Babtu June 27, 2018 6:19 PM

Motion is real, but time, at least as far as has been shown, is only a number in the mind, i.e. a measurement, just as material objects have real extension, but measured length is just a number in the mind. Real things are compared to obtain measurements, but from the point of view of nature, the comparisons are odd, since naturally given phenomena are compared with artificially contrived ones like rulers and clocks. The way this is pursued seems like a confusing Cartesian inheritance. I’ll compare this natural thing to my artificial standard, then compare this other thing to my artificial standard, and then from the two measurements I’ll have an indirect comparison of the two natural things. The background “grid”, space, time, and space-time, become central, but only exist in the mind. It’s true modern (last 300-400 years) “science” has using these odd methods revealed many important things, but one wonders what might have been found by going directly to nature and avoiding the artificial grids.

65535June 27, 2018 9:11 PM

@ RG

‘California Has 48 24 Hours to Pass This Privacy Bill or Else’

‘Status

'“If the bill passes before Thursday, we will withdraw our privacy initiative. If it doesn’t, we will proceed to the November election,” said author MacTaggart in a statement. “We are content either way, as we feel that both the legislative solution, and our initiative, provide tremendously increased privacy rights to Californians.”

‘Among those who have donated to the ANTI-privacy cause are Google, Facebook, Amazon, Verizon, Comcast, Cox Communications, AT&T, Microsoft, Uber, advertising associations, and industry groups for people who make and sell cars.

‘Amendments to AB 375 suggested by Mactaggart were scrapped ahead of the committee hearing after a coalition funded by technology giants decried them, demonstrating their influence in the Capitol.”'

https://gizmodo.com/california-has-48-hours-to-pass-this-privacy-bill-or-el-1827117016

This an interesting bill or ballot initiative. It's like the David and Goliath battle. Sure AB375 could possibly get passed.

I like privacy advocate MacTaggart idea of ballot initiative. But, unlike the David and Goliath story with a happy ending Google, Facebook and the rest of Silicon Valley usually out-spend the little guy and kill-off any privacy enhancing legislation. Goliath always seems to win.

I am doubtful that largest Data Miners’ in Silicon Valley are going to quit selling the public’s data to the government and car advertisers anytime soon.

Google, Facebook, Apple can turn ugly in a split second if their position on the ladder is challenged. But, it will be a good story to monitor. I would even guess Snowden would be interested in this privacy battle.

If this privacy legislation makes it out of California and heads toward the rest of the nation it would be a huge story to follow.

Alyer Babtu June 27, 2018 10:27 PM

I have long maintained AI are just big lookup tables, like switchboards.

This point of view is dazzlingly validated by this:

https://arstechnica.com/gadgets/2018/06/google-duplex-is-calling-we-talk-to-the-revolutionary-but-limited-phone-ai/

It’s an artificial version of this:

https://m.youtube.com/watch?v=ISZ9UOBwRFA

But seriously, the potential for unexpected concatenative security disasters seems to be steeply increasing. And your device being hacked is soon you being hacked.

WesJune 27, 2018 11:05 PM

@usual suspects

Just came across this and thought you might find it interesting, and since no one else has posted this link:

What 7 Creepy Patents Reveal About Facebook
https://www.nytimes.com/interactive/2018/06/21/opinion/sunday/facebook-patents-privacy.html

A review of hundreds of Facebook’s patent applications reveals that the company has considered tracking almost every aspect of its users’ lives: where you are, who you spend time with, whether you’re in a romantic relationship, which brands and politicians you’re talking about. The company has even attempted to patent a method for predicting when your friends will die.
I see a bad moon a-rising I see trouble on the way
Taken together, Facebook’s patents show a commitment to collecting personal information, despite widespread public criticism of the company’s privacy policies and a promise from its chief executive to “do better.”
Looks like we're in for nasty weather An eye is taken for an eye
But with more than two billion monthly active users, most of whom share their thoughts and feelings on the platform, Facebook is amassing our personal details on an unprecedented scale. That isn’t likely to change, said Siva Vaidhyanathan, a professor of media studies at the University of Virginia. “I’ve seen no indication that Facebook has changed its commitment to watch everything we do, record everything we do and exploit everything we do,” he said.
There's a bad moon on the rise ...

65535June 27, 2018 11:38 PM

Although this story has been around a little while I note Microsoft had build a refined off 365 tool to investigate email and other intrusions into it the office 365 line of products while failing to document the tool for small business. Thus, if an intrusion into office 365 email occurred only a select group of “specialists” who knew how to use the Microsoft API and inspect the logs.

Hackernews number 5:

https://news.ycombinator.com/

"Major insurers and law firms started to screen forensics firms based on whether or not they had “the secret tool.” Only a handful did — the rest were shut out. Over and over, forensics professionals started to hear, “Sorry, we can’t send you cases if you don’t have the secret tool.” And yet, there were no details, and no one with knowledge of the tool would even confirm its existence… Ten days later, CrowdStrike released a beautiful blog post about the unmasked Activities API. “[W]e recently discovered a capability within Office 365 that allows for the retrieval of Outlook mailbox activity logs that far exceeds the granularity provided by existing, documented Office 365 log sources…” they wrote. “This capability represents access to an always-on, mailbox activity recording system that is active by default for all users.” Along with details of the new API, they released a Python module to automate retrieval…As soon as CrowdStrike’s Python module was published, LMG’s team immediately downloaded it. Forensic analysts Ali Sawyer and Matt Durrin ran it against an Office 365 test instance set up in LMG’s research laboratory. It contained the granular details that we had only dreamed existed — and more."-HN/lmgsecurity

https://lmgsecurity.com/exposing-the-secret-office-365-forensics-tool/

I note the British have used office 365 in government and probably was not given this tool until the NSA had it.

Thanks a lot Microft for your buggy Windows 10 that leaks data like the Titanic and for your invasive “patches” which seem to wreck older machines and some new machines making small business buy even newer ones.

I though Steve Ballmer was bad but Nadella takes blame of turning Microsoft shop in dependent “cloud” style of computing rip-off system. If you don’t buy office 365 and an expensive subscription to one of Microsoft’s services you are out of luck.

CEO Nadella should be replace with someone fresh and privacy concisious and Microsoft should be ashamed of its grab for money, power and customer data. Nadella has turned the Micrsoft name into a hated company.

Back to tracking email breaches and such, Hacker news points to the Unicorn Tool and other scripts to get into the details of office 365 instead of hiring an expensive data breach team. Thanks again Micro$haft for your well hidden and undocumented tool.

Magic Unicorn Tool:

https://github.com/LMGsec/Magic-Unicorn-Tool

Sancho_PJune 28, 2018 4:25 AM

@65535

I try to keep comments short, together with my jumping mind and bad English that may give an awful cocktail. Sorry for confusing you.
In the past I‘ve written several times here about the TPD, especially the famous law professor (GWU) Orin Kerr with his cynical attempt to sell the TPD to his students and the public (be careful, don‘t read the introduction directly after having a meal):
https://repository.law.umich.edu/cgi/viewcontent.cgi?article=1348&context=mlr
(mind you, we are all drug dealers and criminals, so LE generally has to have access)

At scotusblog, re the Carpenter case, there you‘ll find two other horrible contributions by O.K.:
Brief amicus re Carpenter:
http://www.scotusblog.com/wp-content/uploads/2017/10/16-402-bsac-Orin-Kerr.pdf
and another big fail regarding eye wittness, TPD and Carpenter:
http://www.scotusblog.com/2017/08/symposium-carpenter-eyewitness-rule/

The problem is that O.K. is a renowned scholar since decades and no one with authority had the balls to question „his“ doctrine (or interpretation of).

Re justice Gorsuch, where was he before, was he working in the tourist business or as a mason, when he just now found out that the TPD might be basically wrong?
Will he speak out then or silently close the books?

Does it need court procedings where the petitioner correctly argues against the TPD, or a private plaintiff with deep pockets, to convince the US justice that something is deeply wrong here?

It is too late now, hundreds of convictions have been based on that flaw, no chance for a clean cut. At best they will ad tons of small print to make sure each case has to be seen individually, to make more money for law twisters.
O.K. hints at it when he now stresses that the ruling is more a equilibrium-adjustment because of new technology (nearly GPS accuracy), not a fundamental one regarding the TPD:
https://www.lawfareblog.com/understanding-supreme-courts-carpenter-decision (by Orin Kerr, June 22)

I know the TPD is „only“ regarding us criminals versus the honorable government,
but it basically strips ownership from data:

Whatever Alice tells Bob is fair game when Eve has access.

Don‘t forget the ad industry, without O.K.‘s interpretation (like „If you don‘t hide your data it‘s not your data, hahaha“) they wouldn‘t be where they are.
God bless the copyright, but it‘s only for big business.

JG4June 28, 2018 6:27 AM


Just like the Phreesia scam. And likely a CVS scam. A few burnings at the stake would have a salutory effect on behavior.

https://www.nakedcapitalism.com/2018/06/links-6-28-18.html
...
Big Brother is Watching You Watch

Facebook, Google, and Microsoft Use Design to Trick You Into Handing Over Your Data, New Report Warns Gizmodo

Facebook’s Latest Problem: It Can’t Track Where Much of the Data Went Wall Street Journal

Facebook Patent Imagines Triggering Your Phone’s Mic When a Hidden Signal Plays on TV Gizmodo. Man, am I glad I don’t watch TV.
...

65535June 28, 2018 6:48 AM

@ Sancho_P

I agree.

The Third-party Doctrine [TDP] is a legal monster created by the courts and is out of control.

Kerr also mentions that the TPD doesn’t apply to 7 U.S.C. § 222 to Customer Proprietary Network Information or CPNI - or to say that this cell phone tower refined information is protected already by law § 222. How it got into police hands is an ugly story of cell phone companies stabbing their customers in the back.

http://www.scotusblog.com/wp-content/uploads/2017/10/16-402-bsac-Orin-Kerr.pdf

I noted in my post that Carpenter came from a poor Midwestern state and probably could not have afforded the top of the line lawyers in the USA and simply missed his chance to win big and trash the outdated “third-party” doctrine or TPD.

I also noted that it was easy for a highly intelligent and highly trained SCOTUS Justice to dismiss this simple failure of Carpenter and his legal team given his status. Not every case before the SCOTUS have the very best lawyers to present their client’s case.

The defense of Carpenter could have won big time but Carpenter’s lawyers just forgot to bring that legal point up during the very long road to the SCOTUS. This was a mistake and lost a few points. But, now the SCOTUS threw out carpenter’s conviction and is now better informed on data for sale to police game from cell phone companies. The Carpenter Win could have been much bigger.

“too late now, hundreds of convictions have been based on that flaw, no chance for a clean cut. At best they will ad tons of small print to make sure each case has to be seen individually, to make more money for law twisters. O.K. hints at it when he now stresses that the ruling is more a equilibrium-adjustment because of new technology (nearly GPS accuracy), not a fundamental one regarding the TPD:
https://www.lawfareblog.com/understanding-supreme-courts-carpenter-decision (by Orin Kerr, June 22)… I know the TPD is „only“ regarding us criminals versus the honorable government, but it basically strips ownership from data: Whatever Alice tells Bob is fair game when Eve has access. Don‘t forget the ad industry, without O.K.‘s interpretation (like „If you don‘t hide your data it‘s not your data, hahaha“) they wouldn‘t be where they are. God bless the copyright, but it‘s only for big business.”- Sancho_P

I agree with the thrust of you above statement. TPD has hurt a lot of people it should not have hurt. We will have to see if courts re-evaluate some of these abusive convictions.

Clive RobinsonJune 28, 2018 12:44 PM

@ echo,

Firstly I hope your holiday provided you with that you were looking for.

With regards,

Castle or prison? The Zoo tower...

Technically a true castle (ie a defensive position not a home). But for any civilians inside it must have felt like hell thus a prison.

But in the words of a song, "He built her a castle, but she felt it a prison". It does not matter how guilded the cage, if you can not freely leave the cage, it is just a prison... Thus in many cases the difference is just a state of mind or even point of view.

echoJune 28, 2018 1:37 PM

@Clive

Yes, kind of. Thanks. I needed a break and doing everything I can to not dig myself back into the psychological hole I was in before I went on holiday.
I took one of my laptops with me and glanced at this blog to see what I was missing. This blog was busy with lots of good stuff but I was to fuddled in the head and enoying the sun and wildlife too much to participate.

Yes. This is very true, what you say. (Excuse the Yoda-itis.) I had this attitude when I was on holiday having swapped one set of rules for another set of rules. It was lovely in spite of one of the front desk staff catching me pressing pressing my boobs against a window as a joke with one of the male guests staying there and when checking out the same staff trying to rob me of my baby cactus plant I brought with me, claiming it was hotel property.

LindaJune 28, 2018 11:31 PM

Why is Tails 3.8 still using Tor version 0.3.2.10-1~d90.stretch+1 and not 0.3.3.7?

Is it safe to update to the current version of Tor within Tails/Synaptic?

#

Tails 3.8: Torbirdy - why is the old version (0.2.1) installed and not the newest version (0.2.5)?

This happened with 3.7 & 3.7.1 releases, too!

Gerard van VoorenJune 29, 2018 5:36 AM

@ echo,

"This is also known by the term "legal drift" (and also related to "deep law" which makes for a very different topic)."

That is what I meant with what @RG said with his story about Google and FB [1][2]

Contrary to what you are saying, I seriously believe that the EU can handle these tech giants. But the UK made the incredibly stupid move to go Brexit and I don't think that the UK can handle that.

About the argument of the Flak Towers, you can take a look at this link[3]


[1] https://www.schneier.com/blog/archives/2018/06/friday_squid_bl_629.html#c6777223
[2] https://www.schneier.com/blog/archives/2018/06/friday_squid_bl_629.html#c6777224
[3] https://en.wikipedia.org/wiki/Flak_tower

echoJune 29, 2018 8:03 AM

@Gerard van Voore

Thanks for your clarification. It's easy to get jargon and wires crossed.

I do tend to agree with you that the EU is robust against major corporations and the UK not so much.

Thanks for the flak towers link. After a brief skim it's interesting to note the dual use of the towers (being both a military installation and civilian refuge) would be unlawful under international law today. I suspect future strategic weapons developed by advanced nations will try to OODA loop their way behind the kind of dual use of civilian installations by rogue states and terrorists which is a speculative issue beyond the scope of this topic. Also as with the flak towers the Berghof bunker system was also deemed unfeasable to demolish. They have only been partially demolished to prevent reuse and are largely in an unsafe and unmapped condition. As the documentary I watched noted the psychology of the buildings provided an interesting insight into the mentallity of the high command who would have sought refuge in the complexes.

Gerard van VoorenJune 29, 2018 10:21 AM

@ echo,

"I do tend to agree with you that the EU is robust against major corporations and the UK not so much."

I think that the UK is quite capable of killing itself but legally they are "up in arms". I only think that the EU, weak as it is, is more up to the task of dealing with Google, FB and the rest of the Big Five / Big Seven. The US is ofc quite helpless in this area, except when they are trying to deal China.

About the flak towers. This was Hitlers idea and he did have more economical disasters such as the Schwerer Gustav and the V2. The problem of Hitler is that he was being elected. That's it.

Alyer Babtu June 29, 2018 2:27 PM

@echo @Gerard van Vooren

Obligatory sillyness - would the Schwerer Gustav have been able to destroy the Flaktürme ?

Alyer Babtu June 29, 2018 3:20 PM

I guess it might have been able. Per Wikipedia, the gun was designed to punch through 7 m of reinforced concrete whereas the towers had walls of “only” 3.5 m thickness.

I hope the design documents for these devices and facilities gave due nod to da Vinci who worked both sides of the arms race also.

I guess it wasn’t until Star Wars that both concepts were finally united at the appropriate scale.

Gerard van VoorenJune 29, 2018 3:25 PM

@ Alyer Babtu,


"Obligatory sillyness - would the Schwerer Gustav have been able to destroy the Flaktürme ?"

Only the NSA is able to do that. I called them, but the answer was ...

Clive RobinsonJune 30, 2018 8:21 AM

@ echo,

and when checking out the same staff trying to rob me of my baby cactus plant I brought with me, claiming it was hotel property.

I hope the cactus is safely restored to it's more usual home.

However being of a certain mind set that tends to releve stress in humour that is sometime bawdy, I'm biting my tongue to stop me asking the obvious pickle joke ;-)

I don't go on holiday these days for various reasons like being baned on health grounds from flying or going more than a couple of thousand feet above sea level, and the physical disability stops ordinary walking let alone that of hill or fell and the joy of mountains is now a closed book to me.

I would go sailing or canoeing off shore but due to the full syncope issue that has put me in hospital more times than I can remember my risk of drowning is about 1 in 40.

As my son used to say "snot fair" but then life never was so you need to grab it by the ears and hang on for the ride whenever you can, as you never know when the music will stop.

JG4June 30, 2018 5:32 PM


https://www.nakedcapitalism.com/2018/06/links-6-30-18.html
...
Big Brother is Watching You Watch

UK’s pressure on US over leaked drops to Julian Assange The Australian (furzy). Google the headline…

WikiLeaks @wikileaks
Democratic Senators who demanded today that @JulianAssange's asylum be revoked in violation of international law. Remember them.
5:25 PM - Jun 28, 2018
8,255
7,419 people are talking about this

Here is the full letter. Bill B:

Note the language: “WikiLeaks continues its efforts to undermine democratic processes globally.”

Allow me to offer a translation in layman’s terms: “We resent having been exposed as a cabal of money grubbing toadies who could care less about unions and growing inequality. We will not tolerate being exposed as such.”

DECEIVED BY DESIGN: How tech companies use dark patterns to discourage us from exercising our rights to privacy Norwegian Consumer Council (hat tip Bruce Schneier)

Edward Snowden describes Russian government as corrupt Guardian
...

echoJuly 2, 2018 8:16 AM

@Clive

Yes thanks. Baby cactus is back in the kitchen window having surivived me nearly stepping on the poor thing in the back seat of the taxi.

PeaceHeadJuly 11, 2018 7:57 PM

@ responders to comments about artificial blackhole creation...

Yes, I am also one of those people who believes that naturally-occuring blackholes are probably as routine as to be harmless(?) if left alone.

However, that is very different from trying to create blackholes in the lab.

As for the speed at which they supposedly "evaporate". Speed analysis is irrelevant when talking about black holes. Speed, acceleration, deceleration, graphs of rates of speed, they are all irrelevant when talking about black holes. According to what we know, black holes don't interact with time or space or light as we expect to comprehend.

So I am highly skeptical of claims that they "evaporate" or dissipate in terms of radiation. yeah, they probably have outer zones of influence where there are bizarre forms of radiation, yes, probably ionizing radiation at that, which is not harmless.
It's probably gamma rays or worse.

How could it be worse? I think black hole phenomenon is sometimes a hyperdense item flowing backwards in time. It doesn't "evaporate", it evades our perception and comprehension.

Consider pressure measured in pounds per square inch or pounds per meter. A black hole is this magnified as a process which doesn't stop, it's a form of acceleration towards more cold, more density, and it flows backwards in time, dragging heat and light and matter with it into it's collapsing snakehole of shredded doom.

Even if there's a stabilised accretion "disc" (ridiculous terminology, of course, it wouldnt' be a nearly 2-dimensional disc, since it's at least a 4 to 12 dimensional concept! It would likely be 3D + dimesional. But anyhow, ... even if there was a stabilised accretion, that would be rather non-definable in human terms, except as kind of a "bullet" that gets faster and faster and sharper and sharper because it gets smaller and smaller and denser and denser.

And as it sucks light and heat and matter, it's not necessarily entirely "cold" per se, but to most of the rest of the "common" universe it sure is! Certainly with respect to what life can sustain it's superhypercold. Considering the whole electromagnetic spectrum, it's not just the visible spectrum that gets sucked and ripped away.

However, it's possible that most planets are accretion "discs", it's just that they are fine to live and walk upon as long as they aren't disturbed by EXOTIC QUANTUM physics experiments that risk their equilibrium.

Atoms are VERY harmless too, UNTIL SOMEBODY SPLITS OR JOINS THEM!!!!! So yeah, people like me, prefer for that nonsense to CEASE AND DESIST!

Different topic, however...
https://www.rt.com/usa/430643-mcafee-poisoning-attempt-enemies/

I sure hope John McAfee is alright these days.
He was allegedly poisoned during about the week time of this blog entrie's debut. That's why I'm posting this here now.

John, if you're reading this, I hope you're alright. I don't know if we ever met or not. Probably not. I've been poisoned before also. Serepticiously as well as in terms of blatant medical malpractice similar to chemotherapy hypetalk.

I take your article seriously. I'm a latecomer, but I tried to start sharing it with some others who might have some Leverage with a capit{a|o}l "L".

Peace be with you and your family and friends and acqaintances.
May Peacefulness Prevail Within All Realms of Existence.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.