Friday Squid Blogging: Eating More Squid

This research paper concludes that we'll be eating more squid in the future.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on November 2, 2018 at 4:08 PM • 89 Comments

Comments

JG4November 2, 2018 4:40 PM


https://www.nakedcapitalism.com/2018/11/200pm-water-cooler-11-2-2018.html
...
New Cold War

“Mystery of the Midterm Elections: Where Are the Russians?” [New York Times]. “Whether a Russian change of tactics is unfolding is just one of many mysteries surrounding this first national election in the United States after the most sophisticated effort ever discovered to divide Americans, and ultimately seek to alter the outcome, by a foreign power.” • Personally, I think South Carolina’s “Fire Eaters” had a far more “sophisticated effort” to “divide Americans” in 1860; they deliberately split the Democrats Lincoln won, and the South seceded. Nixon’s “Southern Strategy” was pretty good, too. I don’t think Obama’s comments on “bitter” “cling to” types, or Clinton’s on “deplorables” are in the same league, but the impulse to “divide Americans” is clearly there. The efforts of “foreign powers” — or, as the latter-day Jim Crow types put it, “outside agitators” — aren’t even trivial by comparison. They are tiny pin-pricks compared to great bludgeoning blows by powerful and well-funded political actors. For pity’s sake.

“The CIA’s communications suffered a catastrophic compromise. It started in Iran.” [Yahoo News]. “From around 2009 to 2013, the U.S. intelligence community experienced crippling intelligence failures related to the secret internet-based communications system, a key means for remote messaging between CIA officers and their sources on the ground worldwide. The previously unreported global problem originated in Iran and spiderwebbed to other countries, and was left unrepaired — despite warnings about what was happening — until more than two dozen sources died in China in 2011 and 2012 as a result, according to 11 former intelligence and national security officials… The disaster ensnared every corner of the national security bureaucracy… One country where the impact appears to have been contained is Russia.” • With leak like this, you always have to wonder why now (the Friday before election day) and what sort of disinformation it is. Taking the story at face value, the intelligence community is just completely hosed, institutionally. So how come its leadership gets to be authoritative anonymous sources for RussiaRussiaRussia! stories in the papers — I did note, and quote, the careful exclusion of Russia from the debacle — or swan around being talking heads on cable? It’s like treating our Generals like Napoleon when they keep losing very expensive wars.
...

Sheesh, peopleNovember 2, 2018 4:49 PM

What opportunities would someone embedded with the U.S. Postal Service have, if they could scan the name, home address, and signature of every voter whose vote-by-mail ballot went through their system?

What additional opportunities would they have if they could get this information while they had the ballot in hand?

Edward HasbrouckNovember 2, 2018 5:01 PM

Re: USPS -- An attacker wouldn't need to be embedded in USPS to get scans of mail.

USPS already scans mail for its "Informed Delivery" program, even if the recipient hasn't opted in, and without notice to either sender or recipient:

https://informeddelivery.usps.com/

There appears to have been no serious threat modeling for "Informed Delivery".

It's easy for an identity thief to set up an "Informed Delivery" account claiming the target's address, which gives them the de facto equivalent of a remote mail cover operated for them by the USPS and viewable from anywhere on the Internet

The canonical attacker via USPS "Informed Delivery" is probably a stalker or domestic abuser (who may be a former dmoestic partner who has old ID or mail pieces showing the target address from when they lived there, and thus will find it easier to set up "Informed Delivery" for mail at the target address), but it could be leveraged for many types of attacks.

Sooner or later, someone is going to get murdered in an attack enabled by "Informed Delivery".

FaustusNovember 2, 2018 8:20 PM

@Edward Hasbrouck

Charming! "Biff: We are already collecting all the cover information for our domestic spying program. Why not monetize it? Boff: Brilliant!"

Question: How did people survive when they weren't the products of a global super-political-economy? Answer: They watched less TV!

stineNovember 3, 2018 7:19 AM

re: Milo M.

Not because of me, they won't. I don't eat squid often because it has alwasy been, imho, hard to find a restaurant that cooks it properly.

ItsjustobviousNovember 3, 2018 9:16 AM

@ ismar : "An example of how sophisticated video manipulation has become ..."

A lot of people don't realize what an excellent tool Blender has become, relative to video editing. DaVinci Resolve needs very good GPU to run well. Blender will do video editing w/o any GPU at all - although the wait is really good coffee time. It'll run on a smart phone :-)

I've switched to Blender for all my color grading, and other mods as well.


JG4November 3, 2018 9:27 AM

Knocked off a pound of halibut last night, which led to some better than average writing. Time for a run.

I want to again recommend an excellent book about one of the most important scientists of the last century, who is somewhat under-recognized. Claude Shannon, at the tender age of 21, wrote what is regarded by some as the most important masters' thesis of the past 100 years. In it, he observed that simple arrangements of switches can be used to implement Boolean logic. That set the stage for the microcircuit revolution and was a key step in the progression of AI. Around age 31, he wrote a paper demonstrating the use of entropy in analysis of communication systems, setting the stage for the telecom revolutions, in particular the fiber optic one. There are multiple tie-ins to AI, but one interesting one is that Claude cut his teeth on analog computers for aiming naval guns. The last naval engagement with manual aiming was the Battle of Jutland. The great war involved a variety of automated aiming systems, some of which were able to observe (typically via radar), orient, decide and act. The intermediate operations were filters, and the actuator was electromechanical ignition of a chemical propulsion system. These were able to shoot down the V-1 buzz bombs, which also implemented a primitive AI. We could trace AI further into the past, but it will be crystal clear that one of the earliest applications was war. That may be the primary driver at each step in the AI progression. Arms race, if you prefer. There are compelling arguments that knowledge of good and evil drove the conflict between bipedalism and childbirth in an earlier arms race. In this case, good would be defined as the ability to cooperate within the tribe and evil would be the ability and inclination for war.

Like all of the industrialized wars, both WWI and WWII included tragic loss of life and destruction of wealth at unprecedented scale. We may note that AI will be deployed to accelerate both economic activity and war. No better example than Amazon's uncanny ability to anticipate just exactly which bit of shiny colorful plastic junk (or stack of dead trees) we will want to buy next. In various venues, it has been explicitly mentioned that war and destruction of the environment are bigger threats than AI, but I suggest that history shows that AI will accelerate both, at least in the short term. This is a very good book:

A Mind at Play: How Claude Shannon Invented the Information Age Hardcover – July 18, 2017
by Jimmy Soni (Author), Rob Goodman (Author)
4.3 out of 5 stars | 41 customer reviews
https://www.amazon.com/Mind-Play-Shannon-Invented-Information/dp/1476766681

see also:

Feedback Control of Dynamic Systems (5th Edition) it's only $10
https://www.amazon.com/Feedback-Control-Dynamic-Systems-5th/dp/0131499300

My use of the Amazon link is not endorsement of their "data policies" or their labor practices, although I do like the part where they are fast and cheap. The quotes are to indicate that the Five Horsemen of the Tech Apocalypse are practicing a very powerful type of AI, largely out of the public's perception.

One interesting tie-in between the microcircuit revolution and the telecom revolution (hereinafter "Twin Revolutions") is that both are based on ultra-pure versions of the same element. In time, better materials may be found, but silicon was magical for both, largely because of the adherent oxide. The Twin Revolutions are well covered in these two books:

Microcosm: The Quantum Revolution in Economics and Technology First Edition Edition $0.01 (it's difficult to beat that price)
by George Gilder (Author)
4.4 out of 5 stars | 9 customer reviews
https://www.amazon.com/Microcosm-Quantum-Revolution-Economics-Technology/dp/0671509691

TELECOSM: How Infinite Bandwidth will Revolutionize Our World Hardcover – September 11, 2000 $0.01
by George Gilder (Author)
3.4 out of 5 stars | 54 customer reviews
https://www.amazon.com/TELECOSM-Infinite-Bandwidth-Revolutionize-World/dp/0684809303/

I know that this is a lot to chew and that we haven't even begun to approach the root issue of entropy maximization. I was delighted to see that Dorion Sagan did original work in the subject area, not that Lars Onsager or Ilya Prigogine didn't provide some powerful insights. With apologies to von Clausewitz, "War is the continuation of entropy maximization by the most powerful means that humans have ever conceived."

bttbNovember 3, 2018 9:46 AM

@JG4 wrote:

““The CIA’s communications suffered a catastrophic compromise. It started in Iran.” [Yahoo News]. ...“

From emptywheel https://www.emptywheel.net/2018/11/02/confirmed-listening-to-whistleblower-john-reidy-could-have-saved-the-lives-of-numerous-cia-assets/ :

“… Yahoo describes that Iran and China likely traded technology, which is how China proceeded to use the same technique to target CIA assets.

While Yahoo doesn’t emphasize it, it seems likely that if SAIC and Raytheon hadn’t had so much power when Reidy first started warning of this compromise, it would have been addressed far more quickly. Instead, he lost clearance and was fired.

Which, on top of a lot of other lessons, seems to be a superb example of how ignoring a whistleblower can have catastrophic consequences.”

FaustusNovember 3, 2018 11:29 AM

@JG4

Thanks for the recommendation! I'll give the Shannon bio a look.

Is your copyright notification serious?

Do you think it would be effective?

Especially since JG4 is anonymous.

My understanding is that such a notice is redundant and that copyright applies automatically where appropriate. But I am not sure.

bttbNovember 3, 2018 3:26 PM

@Anders

Relatively old, but this Inspector General report may interest you:


IMPROPER HANDLING OF CLASSIFIED INFORMATION [iirc downloading pornography to a CIA issued laptop at home] BY
JOHN M. DEUTCH [Former Director CIA]
(1998-0028-IG)
February 18, 2000

https://fas.org/irp/cia/product/ig_deutch.html :

"... SUMMARY

4. (U/ /FOUO) The discovery of classified information on Deutch's unclassified computer on December 17,1996 was immediately brought to the attention of senior Agency managers. In January 1997, the Office of Personnel Security (OPS), Special Investigations Branch (SIB), was asked to conduct a security investigation of this matter.1 A technical exploitation team, consisting of personnel expert in data recovery, retrieved the data from Deutch's unclassified magnetic media and computers. The results of the inquiry were presented to CIA senior management in the spring and summer of 1997..."

FaustusNovember 3, 2018 3:51 PM

@ Timothy

It would be lovely if Google refused to allow apps in the Play Store that required privileges beyond their function. It is no accident, I'm afraid, that Google does not. As it is I only install the most essential apps.

It is too tempting to developers to monetize our privacy, but they would get by if they and their competition were simply not allowed to do it.

I assume Apple allows these shenanigans too. Or are they really less surveillance friendly?

I used to think Google was better than Apple on privacy, but now I am suspecting that maybe I should take a bite of it and leave Spygle in the dust. Any opinions?

Sed Contra November 3, 2018 5:51 PM

@stine

hard to find a restaurant that cooks

There is a place in Athens on the approaches below the Parthenon that does superlative squid.

Bruce SchneierNovember 3, 2018 6:38 PM

I just deleted a bunch of comments that were off topic for the blog, including song lists, musings about President Trump, and a discussion about the potentially harmful effects of cell phone radiation. Surely there are better places on the Internet for those comments.

TimothyNovember 3, 2018 8:31 PM

Hello @Mr. Schneier

Was my comment about the TikTok app not appropriate for this blog? It appears to have been deleted in your clean up. I posted the artlcle because the app, even more than West Virginia’s Voatz app, gave a huge, truly huge IMO, number of permissions, which seemed not entirely neccessary esecially for the market demographic. The app surpassed the popularity of apps like Facebook and Instagram, seemingly out of the blue, and we hear all to often about the security vulnerabilities and data guzzling economics of social media, and this usually a day late and a dollar short. Additionally its ownership was company headquartered in China, with whom the U.S. is currently having extensive trade, IP, espionage, and supply chain dealings. I think you may have also recently blogged about Google’s reaction to Android apps whose behavior was not exactly on the up and up. I guess these are the reasons I thought it was relevant. If it was not appropriate could you give me a few pointers as to why?

FaustusNovember 3, 2018 9:33 PM

@ Timothy

Your comment seemed relevant. Maybe it was deleted accidentally. It certainly appears to be an example of an app that demands many more permissions than it needs in order to monetize you.

Notice I'm not saying the app name. It might be a Witch!!

If you've seen Mile 22 (recommended if you like smart action) the last accusal will be more meaningful.


TimothyNovember 3, 2018 10:48 PM

@Faustus

I'm sorry for the delayed response, as I had to head off to work right after I posted earlier today.

Do you look at the permissions before you decide to install an app? I didn't know apps could have so many permissions (some apps have even more I'm finding) and honestly the permissions are both descriptive and general enough to fixate me on the horrible possibilities.

Dun-dun-duuuun (sound effect)

FaustusNovember 4, 2018 5:33 AM

@ Timothy

I mostly look at the list of permissions before I decide NOT to install an app.

I run an unlocked original Google phone from 2011. It has a few mainline Google apps that came with it that I can't uninstall easily.

Besides that it runs only Kindle, Signal, Wolfram-Alpha, A quick note app, and I just installed a drone control app with minimal permissions.

I don't do banking, cryptocurrency, or anything particularly important on the phone. I don't think consumer phones can be made secure.

Every added app makes you less secure. I feel the same way about browsers. I avoid addons beyond NoScript and EFF.org security addons.

TimothyNovember 4, 2018 10:23 AM

@Faustus

Thank you Faustus. It is so helpful to have a thought-process blueprint for more secure computing with modern, everyday devices and apps.

It does seem wise to document hardware/software/network/config settings, and yes, to look more deeply at apps and add-ons with the understanding that less is often more.

Android’s developer website provides a guide on app permissions, including greater detail on normal vs. dangerous permissions -- dangerous where there is greater risk to user privacy or the device's operation. Here is Android's list of dangerous permissions.

The TikTok app appears to have some dangerous permissions, but I am still looking for a direct translation from the programming language to the user-facing permissions descriptions and what they mean exactly (ie: ‘READ_CONTACTS’ vs. ‘read your contacts’ or ‘READ_EXTERNAL_STORAGE; vs. ‘read the contents of your USB storage’).

Some of TikTok’s permissions that seem to correlate to Android's dangerous permission list are:

  • Identity: find accounts on the device, add or remove accounts
  • Contacts: find accounts on the device, read your contacts
  • Location: approximate location (network-based), precise location (GPS and network-based)
  • Photos/Media/Files (and Storage): read the contents of your USB storage, modify or delete the contents of your USB storage
  • Camera: take pictures and videos
  • Microphone: record audio
  • Phone: reroute outgoing calls, read phone status and identity

And there are more.

GenieNovember 4, 2018 11:10 AM

@Bruce Schneier

President Trump, ... potentially harmful effects of cell phone radiation. ... better places on the Internet for those comments.

It is my understanding that you are a bit of a "lobbyist" on tech policy issues, if that is the right word for it. A lot of your published books advocate or promote certain policies on computer-related technical security matters.

I don't necessarily find fault with the policies you advocate that decision-makers "should" adhere to, but as you well know, there are "stakeholders" on various sides of the issues you do blog about, and not all of them have a good heart and wish peace and goodwill to humanity.

A lot of mundane or rule-of-thumb "Policy" has a tendency to make its way into "Basic Law," where it continues to be enforced harshly long after the technical justification for it ceases to be applicable.

Personally, I am most concerned about others (murderers for hire) being able to track me down from the effects of my cell phone radiation, rather than any alleged "cancerous" effects from it.

Cancer is Latin for crab, and it is my observation that a squid does not have fins and scales any more than a crab does. Sorry to ramble, please delete if you are not interested, but please do not take offense if your blog attracts comments.

Definitely other places for discussion on topics you do not wish to be burdened with, though.

Clive RobinsonNovember 4, 2018 1:14 PM

@ All iPhones users runing 12.1 OS,

It would appear that Apple have left an inadvertant back door in one of the apps that can be used to bypass the passcode...

https://www.hackread.com/ios-12-1-passcode-bypass-hack-discovered/

In other news there is an Ex-Cop still in jail having not being charged with anything, because he has declined to hand over his password that authorities believe on the word of his sister contains evidence and that he can remember his password. A judge has ruled --unwisely-- that he should remain in jail indefinitely for contempt on what is realisticaly a nuisance. So I guess we will have to see if it makes it's way up to SCOTUS and what they decide to do.

https://www.hackread.com/ex-cop-child-porn-suspect-in-jail-until-he-decrypts-drives/

What is not clear is the prosecution claim that their forensic investication shows that the contents of the drives have check sums that corespond to indecent images. Im not sure that they can make that assertion if the files are encrypted and if they could then why have they not charged him...

The problem of course is that the nature of the alleged contents of the hard drives is clouding the legal issue which the prosecution are no doubt using to push to get a ruling that they would not otherwise get, that they can then use in any future cases irrespective of what the files may hold.

CliveNovember 4, 2018 1:34 PM

@Clive

I always MAC (hash) after encrypting. This is a good example of how a hash might leak information. Also, not protecting the ciphertext with a MAC leaves the ciphertext malleable, leading to a bigger exposure to attacks.

TimothyNovember 4, 2018 4:05 PM

The 8 tech firms responsible for a significant rise in stockmarket equities value since 2013, have reported a 21% drop in value since the start of September. This is a loss of $900bn. The 8 companies include Alphabet, Amazon, Apple, Facebook, Microsoft, Netflix, Alibaba, and Tencent.

The losses have extended to smaller companies like Xiaomi whose value has fallen by half from its peak. “More ominously, Wall Street forecasts for medium-term earnings are also falling as analysts take a more realistic view of tech business models… Predictions for Facebook in particular have sunk by 18% to reflect the cost of sanitising its platform—hiring more moderators and carrying less virulent (and appealing) material.”

A third of the value decline is attributed to real interest rates. The remainder of the value loss is attributed to three tech-specific factors including decelerating growth, falling profit forecasts, and rising capital intensity. All but Microsoft have slowed their rate of growth.

Summarized from the November 1st article "Big Tech’s sell-off."

Bruce SchneierNovember 4, 2018 8:09 PM

@Timothy

"Was my comment about the TikTok app not appropriate for this blog?"

I just reread it. It says nothing about security.

Yes: rereading it in light of your post above points to a clause that was kind of about security, but that was not obvious when I first read it.

I guess the general advice is to stay on topic.

If you want to reply, please do so in email.

Clive RobinsonNovember 4, 2018 8:30 PM

@ Ergo Sum,

While I understand that this exploit impacts cloud-based computing with its VMs, what is the impact for PCs, laptops, etc.?

How good is your memory? going back to the time when the AES competition winner was announced.

Well a couple of weeks later somebody wrote a "proof of concept" that could get the AES key by timing delays visable across the network.

The way it worked was by causing a "resource contention" just as this new hyper threading attack does. Only back then it was in the cache memory, we now call it a "cache timing side channel attack" or similar. To stop it requires code be very carefully written so that the code execution time regardless of bit state in the key or plaintext does not cause unequal branch times or other similar timing problems that will leak information bit by bit.

Whilst Intel are correct to say this new time based side channel caused by yet another resource contention can be solved by carefull writing of software it's actually quite disingenuous.

Because each time you have to "carefully write software" you are in effect "boxing yourself in" and it becomes geometrically harder with each new resource contention issue you have to deal with.

But that pales into insignificance when you consider how many hundreds if not thousands of applications or libraries have to be "re-written" and just how many never will. Because although the applications are being used the software developers will not want to provide fixes except for the latest versions (think about Microsoft, XP and ransomware as just one example).

The reality is that many programers will not know how to fix this problem properly. Some still have basic problems with threads or any other kind of non sequential processing.

At some point the software industry will have to get a grip on it's self and realise what the implications of the word "engineer" realy means and why "cutting code" nolonger can be considered either a safe or reasonable practice.

The reality at the moment is the only secure "work around" is "segregation". That is you remove the time based side channel entirely from the "outside view".

This requires in effect channel "reclocking" or "store and forward" techniques. Neither of which is either easy or practical to do...

ThothNovember 4, 2018 11:10 PM

@Hungdog

Re: Onion3G

That is a good idea but there is the problem of downloading malware to smartphone over data abd then force phone to connect over WiFi to defeat Onion3G or do side/alt channel attack.

ThothNovember 4, 2018 11:37 PM

Re: Onion3G

Instead of using a random TOR bridge, the Onion3G uses it's own Brass Horn TOR bridge. Good luck resisting ghe UK govt when they start kicking down the door and wants the TOR Bridge services bugged and controlled. This is no different than a VPN over SIM service which already exists.

It seems most likely that the Onion3G is used as a key management service as well as to translate some of the traffic to TOR protocol wrapped in 3G data packets but due to the limitations of SIM cards only having 2KB to 4 KB RAM and less than 40 to 80 KB of memory storage on chip, it is impossible to execute both the entire 3G protocol and TOR protocol on the chip and so my guess is most of the execution is offloaded onto the phone application while the key management is done by the SIM card. End of the day if the protocol process is offloaded, it has an even bigger room for attacks.

Is Onion3G better than nothing. Of course. So why all the negative vibes put forth above ?

I am not pourong water over a project and its actually rather respectable that they can push out a new smartcard product these days and I respect them.

I just want expectations to be curbed because their marketing claiming than the UK govt cant get at the communications and the security level they present is overhyped and false.

It is a good idea but the marketing is simply incorrectly done and overhyped.

If you want secure comms, you shouldnt even be using a smartphone in the first place.

Wesley ParishNovember 5, 2018 2:54 AM

Real doozy courtesy of slashdot:

Old School 'Sniffing' Attacks Can Still Reveal Your Browsing History
https://motherboard.vice.com/en_us/article/zm9jd4/old-school-sniffing-attacks-can-still-reveal-your-browsing-history

What’s worse, the vulnerabilities are built into the way they structure links, meaning that major structural changes will have to take place in these browsers in order to protect user privacy. The only browser that was immune to the attacks was Tor Browser, as the browser does not keep track of a user’s internet history.
The vulnerabilities have to do with why, for instance, unclicked links appear blue while visited links appear violet: there’s a different set of rules and style that apply to links depending on whether they’ve been visited or not. However, a bad actor building a web page can manipulate this faster loading time for visited links by “sniffing,” or inferting your browsing history. In essence, sniffing is finding and exploiting proxies that reveal your web history.
Interesting question: how do you exploit the value of retaining a "cache" of visited web-sites, without letting external uninvited "visitors" to your browser access it? I'm wondering if the technique used in Linux's shadow password system might not be worth a look at, here. Hash the locations, and disallow external uni9nvited "visitors" the right and ability to walk down the list.

Merits thought.

Clive RobinsonNovember 5, 2018 5:20 AM

@ Wesley Parish, Reader,

Old School 'Sniffing' Attacks Can Still Reveal Your Browsing History

And even a decade and half ago the idea behind the attacks was far from new.

As I point out from time to time,

    We repeatedly make the same old mistakes, thus appear to be not learning from our history. Which in most cases is well within living memory

Too much "code cutting" not enough "engineering", or even thought as we build our "Castles in the air"?

Put simply this is another example of a "timing channel" attack, which is quite deliberatly "self inflicted". It's what I've been warning about with,

    "Security -v- Efficiency"

for so long now it's got a longer beard than Gandalf.

What the attackers are looking for is a difference in time it takes your browser to respond to each link in a bunch of links they send. If you've visted the link before the browser responds with a different time than to one it has not visited before. As long as the time difference is measurable and it often is on modern networks then they have enumerated you over the subset of links they use.

The time difference is most often caused by "short circuiting" needless computation, and compilers build simple versions of it into executables as optimisations (think how OR "||" and AND "&&" operators work in C for instance since the late 1960's and thus all languages written in C since as well as nearly all the applications written in those languages...)

Look on it with a simple thought experiment, say you have a large file refrenced in a URL there are three places the client software can get the file from,

1, The server in the URL.
2, A cache in the network.
3, The local client cache.

It's fairly easy to see that the times to obtain the file is slowest in the top and fastest at the bottom. Likewise efficiency wise the worst is the top and the best is the bottom. It's one of the reasons people design caches into nearly all protocols where they can. It's why for instance DNS works the way it does which has been around since BIND in the early 1980's which is longer than web browsing has by a long way. And yes the timing in DNS even when traffic is encrypted leaks information about which sites have been visited.

As I said this "Security -v- Efficiency" is a long known issue and every little while we see a variation of it being used as an attack vector. It works across the entire "computer stack" from attacking security in the CPU with Meltdown / Spector all the way up through the presentation layer and into user and above behaviour...

Each time such a security fault occurs it is "self inflicted" because the system designers go for either "speed" or "efficiency" or both, and with them they open gaping time based side channels that haemorrhage information to not just active but also passive attackers.

Whilst you can in theory see active attackers if you know what to look for, because of the way the Internet is designed you can not see passive attackers. Worse as only content gets encrypted but routing port and traffic type meta data does not a passive attacker sitting at or beyond the next upstream node from either end gets quite a lot of information without being seen. It's why the passive approach is favoured by the likes of the Five-Eyes SigInt entities in their "collect it all" quest.

We've known about this timing channel issue since the 1960's and arguably since the early 1940's (traffic analysis), and in recent years varients come up several times a year, yet we appear to be incapable of learning from it...

Clive RobinsonNovember 5, 2018 6:26 AM

@ Bruce and the usual suspects,

You might find this of interest,

https://eprint.iacr.org/2016/1136.pdf

It's about Vietnam and cryptography used from 1945 through two quite devistating wars to it's final unification and independence.

It's written from the side of the Vietnamese forces about how they not only protected their own communications but also successfully attacked the communications of the two great powers (France and US) that sought to destroy the Vietnamese forces for their own colonial and proxy war interests.

RG-2November 5, 2018 7:37 AM

Ed Snowden investigated the US Government Intelligence Community internal whistleblower system. He found it completely ineffective. The IC leadership (Clapper and Brennan) testified this was the route Snowden SHOULD have taken and that it WAS effective.

Now fast-forward to today and we learn who was truthful:
The Hill:
Falsehood shames Clapper[1], Brennan[2] and pledge to protect whistleblowers
In the summer of 2014, then-Director of National Intelligence James Clapper sent a letter assuring Sens. Charles Grassley (R-Iowa) and Ron Wyden (D-Ore.) that enhanced monitoring of Intelligence Community workers was designed to find leakers and insider threats, and was not intended to thwart lawful whistleblowing[3].
It turns out that entire pledge was false and disingenuous. And it took us four years and a new presidential administration to get the truth[4][5].
https://thehill.com/opinion/white-house/414737-falsehood-shames-clapper-brennan-and-pledge-to-protect-whistleblowers

Gimme Some Truth
Today there epidemic of flat-out-lying and deception throughout America[6]. Brennan and clapper successfully spun losing their security clearance as political retribution. To salvage his reputation Brennan bluffed legal action while continuing spreading carefully crafted lies on the major news networks.

[1] self-admitted perjurer in sworn testimony before US Congress - which directly led to the Snowden document dump
[2] former CIA Director John Brennan is currently a paid polarizing contributor to NBC and MSNBC News
[3] The real message is if you risk speaking-up through the official system it will likely end your career. That or live in permanent exile
[4] Under Clapper and Brennan leadership hundreds of CIA assets were tortured, imprisoned and executed by simply using advanced features of Google Search. An utter, complete and total intelligence disaster!
[5] Brennan also led a secret spy operation against their Congressional Oversight Committee(!) - to limit damaging torture information
[6] Unlike Silicon Valley, security clearance holders are expected to be of excellent character, truthful and ethical above all reproach

Clive RobinsonNovember 5, 2018 10:49 AM

Should you develop a mobile app?

To many of us the answer is a simple "No" because we've been through it and come out the otherside with the scars to prove it.

But that is not what many would call a convincing argument... So you would want lots of arguments...

Well to save me the effort a few days ago David A. Wheeler did just that,

https://dwheeler.com/blog/2018/10/23#no-mobile-apps

Important to not when he says the "UK banned", it's not quite as it reads. What was banned was UK Gov departments wasting exorbitant amounts of money and resources developing apps for phones etc. If you follow that link though you will find that the viewpoint makes a lot of sense.

VRKNovember 5, 2018 11:09 AM

Reality check.

"CSIS has been illegally storing information on untold numbers of Canadians who pose no threat at all," ... "They’ve been doing so for over a decade." ... "the information stored and analyzed on these servers [is] “deeply, deeply invasive information”..." [more...]

What's curious is how this could remotely be a surprize to anyone. Sure seems synonymous with this story from June, about mass surveillance.

Not even sure I'm even connected to the "other end" anymore, if I CAN connect after my registration is hijacked. At times my tests indicate I'm conversing with the mid point only. I'm supposed to be CIVIL about this??? [much censored content]

Over...

CanuckistanianNovember 5, 2018 4:19 PM

@VRK

Check out Bill Robinson's CSIS blog at

https://luxexumbra.blogspot.com

Once you read through that especially the 2016 court case notes, you will find cause to believe that the honourable minister quoted in the Vice article is lying.

(Note for others: VRK has not noticed the dates of his/her links are all 2016. Not recent.)

Clive RobinsonNovember 5, 2018 4:21 PM

@ bttb,

Noam Chomsky Condemns Trump for Pulling Out of Landmark Nuclear Arms Treaty

Actually whilst it makes a good sound bite it actually makes sense when you analyze the issue.

The treat is the one for Intermediate Range Balistic Missile (IRBM) limitations.

It has in effect two signatories Russia and the US. The principls behind it is MAD / runnaway build up. At the time of signing it made a great deal of sense for both Russia and the US. Now there are other players that have not signed it disadvantages both the US and Russia. The big problem is China whose main stratigic defence is nearly all IRBM pointing at Russia and the non nuclear nations around the South China Seas, that the US has via other treaties signed it's self up to protect.

Whilst there is a lot of noise about Russia cheating, it's realy only an excuse. Why Both Russia and the US did not terminate it by mutual consent is realy a matter of "gulling the US and other Western civilians.

The fact that both Russia and the US can now develop IRBMs and cruise missiles to balance China and site them close to it's boarders brings back the MAD balance which in turn will hopefully bring China to the treaty table, or atleast dissuade it from any kind of first strike activity.

Bad as it might sound on balance it probably will give more stability to the world than we currently have...

MarkHNovember 5, 2018 4:22 PM

@Reader:

Thanks for the link! I wouldn't have guessed that helium would be a hazard to any kind of electronics ... a big surprise. I was also unaware of MEMS oscillators, so this was quite educational.

Helium is used in a variety of applications. I wonder how often iPhones get killed by it?
___________________________

@bttb:

I've studied nuclear arms control efforts for almost 40 years. Recently, I've come to the conclusion (in part due to a presentation from a group of academic policy analysts from the US and Russian Federation) that treaties limiting strategic (long-range) nuclear weapons have grown less important, and are hardly worth pursuing. [Short version: the treaties are difficult to get, and because nukes are practically useless, unilateral steps are a plausible avenue of progress.]

However, I side with Chomsky here because "theater" or intermediate nuclear weapons are far more dangerous, in the sense that there is greater risk that they will be fired in a crisis, or diverted by non-state actors.

It's worth pondering, that withdrawal from the treaty is a gift to Putin, who has expressed the desire to withdraw for several years ... whereas withdrawal confers no benefit to any Western state, including the US.

The Executive Branch faithfully pursues the Kremlin's policy goals.

bttbNovember 5, 2018 5:05 PM

From https://fivethirtyeight.com/features/election-update-democrats-are-likely-to-make-big-gains-in-governors-races/ :

“Welcome to our final Election Update for the 2018 governors races!

The big story about the 36 governors races this year is that Democrats are very likely to win control of several governorships from Republicans — and the GOP may not pick up any from Democrats. Indeed, it’s almost certain that more Americans will have a Democratic governor than a Republican governor in 2019. According to FiveThirtyEight’s “Classic” forecast,1 195 million Americans will have a Democratic governor after the 2018 elections, compared to 134 million with a Republican one. Democrats are forecasted to control 24 states, on average; Republicans to control 26. (Currently, 33 states have Republican governors, 16 states have Democratic governors and one (Alaska) an independent.)

If the election goes as expected, the GOP’s grip on policy at the state level is likely to be severely weakened. According to Ballotpedia, about 48 percent of Americans currently live in states where Republicans have total control of the state government,2 compared to 21 percent where Democrats have full control…”

This could be a big deal. For example, regarding re-districting, voter suppression (or relative lack thereof), and so on.

If you are registered to vote, please vote. You might encourage family and friends to vote, too. And to vote their interests, which may include 1) affordable healthcare or 2) against Trump's tax cut, aka the "donor relief plan of 2017".

Regarding Trump's tax cut or the "donor relief plan of 2017", from https://www.democracynow.org/2018/11/5/noam_chomsky_on_midterms_republican_party :

"So, take the legislative achievement that the Republican Party is most proud of: their tax bill—as [Nobel prize winning] economist Joseph Stiglitz described it, the donor relief plan of 2017. It’s an enormous gift to wealth, corporate power, including real estate interests, incidentally. Enormous gift, frankly. And it has the secondary advantage—as the Republican leadership was quick to point out, it has the advantage of creating a huge deficit, which can be used as a pretext for getting rid of social spending. U.S. social spending is already very meager by world standards. We’re down at the bottom of the OECD, the 30 rich countries, along with Greece and Turkey, in social benefits spendings. But there’s something there, so let’s get rid of it. Let’s undermine Medicaid, which goes to the undeserving poor; let’s undermine Social Security, which working people just rely on for survival—all because we have to lavish gifts on the super-rich and ensure that the corporations have profits bulging out of their ears. The claim of the pretext for the tax scam was that it was going to sharply increase investment. That was pretty outlandish. To start with, corporations already have—are just overflowing with profits and wealth. And predictably, it did nothing of the sort."

Does anybody know what voter suppression efforts will need to be overcome before the election ends tomorrow?


bttbNovember 5, 2018 5:36 PM

@MarkH

You wrote "I've studied nuclear arms control efforts for almost 40 years. Recently, I've come to the conclusion (in part due to a presentation from a group of academic policy analysts from the US and Russian Federation) that treaties limiting strategic (long-range) nuclear weapons have grown less important, and are hardly worth pursuing. [Short version: the treaties are difficult to get, and because nukes are practically useless, unilateral steps are a plausible avenue of progress.]

However, I side with Chomsky here because "theater" or intermediate nuclear weapons are far more dangerous, in the sense that there is greater risk that they will be fired in a crisis, or diverted by non-state actors.

It's worth pondering, that withdrawal from the treaty is a gift to Putin, who has expressed the desire to withdraw for several years ... whereas withdrawal confers no benefit to any Western state, including the US.

The Executive Branch faithfully pursues the Kremlin's policy goals."

Regarding what you said, here's Chomsky, https://www.democracynow.org/2018/11/5/a_march_to_disaster_noam_chomsky :

AMY GOODMAN: “I asked him [Chomsky] to respond to President Trump’s recent decision to pull out of the INF, the Intermediate-Range Nuclear Forces Treaty, that landmark nuclear arms pact signed in 1987 by President Ronald Reagan and Soviet leader Mikhail Gorbachev.

NOAM CHOMSKY: Well, the INF treaty was a very important development. You may recall that in that period, in the early and mid-'80s, the short—this has to do with short-range nuclear missiles. They were being installed in Western Europe, Pershing II missiles in Western Europe, which had a few minutes' flight time to Moscow. If you think what that means, the Russian detection systems are, first of all, far more primitive than ours, but even sophisticated—if they had had sophisticated detection systems, it would have given them barely a few minutes’ warning before a possible heavy nuclear strike, even a decapitation strike, against Moscow. And the Russians were doing the same. They were building short-term missiles aimed at Western Europe. Notice the—not at the United States. This was internal to Europe, short-term—short-range missiles. Well, the 1987 INF treaty ended that extreme peril, sharply reduced it. Missiles were reduced and so on. This was an important step forward. Breaking the treaty reinstates that system.

Now, there’s an obvious way to deal with the problem. Namely, it’s called—it’s kind of a bad word; maybe I ought to spell it—it’s called diplomacy. There have been—the way to deal with the problem is quite straightforward: Do what has not been done as yet—have technical experts from both sides, and neutral ones, investigate the claims that are being made by both sides, and determine if they’re valid. And to the extent that there are, negotiate a way to overcome these violations of the treaty, and then enforce the treaty even further. Carry it further. We should be moving towards eliminating nuclear weapons. Remember that the New START treaty is coming up for renewal. That’s a very important one. START has led to the sharp reduction of nuclear weapons—by no means anywhere near far enough, but nevertheless quite significant.

We should also recall that Trump’s pulling out of the INF treaty has a precursor, namely, the Nuclear Posture Review of the Trump administration, which already called for developing new weapons, tactical nuclear weapons, which themselves greatly increase the threat of a possible war. A target of these missiles can’t know whether they’re conventional or nuclear, or whether they’re short-range or much more powerful missiles. You have a few minutes’ warning time to make these decisions. You look over the history of the nuclear age, and it is practically miraculous that we’ve survived this far. There’s been case after case where we came very—both sides came very close to making a decision to launch nuclear weapons, which means basically terminating human civilization. And miracles like that can’t go on forever. And enhancing the threat is just beyond insanity. Ending the INF treaty not only opens the door for the United States and Russia to develop more dangerous lethal weapons, but, of course, for others to join in, as well, greatly increasing the hazard to all of us. And there are diplomatic options that have not been pursued. And they are the ones that—they are the ones that should be uppermost, not vastly endangering ourselves and everyone else.


[…]

And now it’s worse. The Nuclear Posture Review, the revelation, since that time, that the U.S. actually has developed a first-strike potential, which could prevent—could eliminate any deterrent to a first strike, then Trump’s Nuclear Posture Review, which calls for extending the nuclear threat, and now this latest step—this is a march to disaster, which is only paralleled by the moves of the administration to race towards the cliff of environmental destruction with eyes open. They know exactly what they’re doing. Trump himself is a firm believer in global warming; the others, as well. But just in order to fill a couple of overstuffed pockets with more dollars, they’re willing to threaten the existence of organized human life. There’s just no words to describe these two drives to destruction in parallel, or, in fact, to describe the fact that they’re barely discussed in the electoral season, as, surely, these are the two most important issues.”

Finally, I am curious why nukes might be considered "practically useless". For example, nuclear winter?

bttbNovember 5, 2018 6:16 PM

Warning: Willie Nelson leans, afaik, to the left. Although filmed at a Beto O'Rourke rally [O'Rourke is running for the U.S. Senate against Ted Cruz] in Austin, Texas, imo, the lyrics are neutral.

Vote 'Em Out by Willie Nelson (about 2 minutes)
https://www.youtube.com/watch?v=ssVO5qnyQss

https://www.rollingstone.com/music/music-country/willie-nelson-beto-rally-new-song-vote-em-out-731208/

Does anybody know the security implications of Canada legalizing marijuana? iirc, years ago a retired General, also a former United States Secretary of State under President Ronald Reagan, Alexander Haig, said something like: The War on drugs is a failed war; we spend more money on it and the problem get's worse. I think Haig advocated legalizing drugs.

Finally, https://www.youtube.com/watch?v=tuMDG5RvdXs , "It's All Going to Pot" Willie Nelson & Merle Haggard (about 3 minutes)

https://lyricstranslate.com/en/willie-nelson-its-all-going-pot-lyrics.html (lyrics)


JG4November 5, 2018 6:22 PM


The discussion of nuclear treaties reminded me of the Gipper. "Trust, but verify" is good advice for security of endpoints and everything on both sides of them. I must have posted the story of the air rescue pilot ("cojones the size of Alpha Centauri") who raised the profound and timeless question of what constitutes a lawful order. And the book dedicated to him, styled "How The End Begins." If not, I was mired in profound and continuing dysfunction. I hate to advocate for dysfunction, but it can be better than no function.

I'll repost my discussion of entropy maximization (and the disturbing link to diffusion of helium through glass) once I can make sure that I have clearly written a first-principles derivation from non-equilibrium thermodynamics of the origin of the need for security. I skipped the replicators, but you know some of them. And I did mention Murder Is A Recent Evolutionary Strategy. It got nixed in the purge of off-topic comments. I believe that Gibbs free energy is the underpinning of our physical reality, which goes a long way toward explaining the oil wars and a lot more.

@Faustus - nice elucidation of some aspects of self-ownership. You might have a look at single-nucleotide polymorphisms (SNPs) of the dopamine receptor. They lead to good stories, of which there are many as yet untold.

https://www.nakedcapitalism.com/2018/11/links-11-5-18.html
...

Our Famously Free Press

What Empire Loyalists Are Really Saying When They Bash Julian Assange Caitlin Johnstone

Big Brother IS Watching You Watch

Proposed data privacy law could send company execs to prison for 20 years Ars Technica
...

Imperial Collapse Watch

The U.S. Military’s Empire of Secrecy Truthdig Maj. Danny Sjursen
...

A lot of interesting points in this interview. I'm open-minded about blockchain and consensus algorithms. More pointedly, I don't have a dog in this fight, but it is worth noting how timely this is given my comments on AI and two of Gilder's books. I'd hope to be able to match his running ability by the end of the year, but he's got twenty more trips around the sun behind him.

Why Technology Prophet George Gilder Predicts Big Tech's Disruption
https://www.forbes.com/sites/richkarlgaard/2018/02/09/why-technology-prophet-george-gilder-predicts-big-techs-disruption/

He mentions in the following interview that he ran two 5Ks in a day, running about 9:11 miles, as he says, Not bad for a 78-year old. Just for the record, it has been a long time since I could do that. Being in that kind of physical condition is good for blood glucose management and cognitive ability. It will add life to your years and years to your life.

Simulation #52 - George Gilder - Wealth is Knowledge, Money is Time at COFES
https://www.youtube.com/watch?v=fs0RFtMgEss

George Gilder: Forget Cloud Computing, Blockchain is the Future
https://www.youtube.com/watch?v=cidZRD3NzHg7

bttbNovember 5, 2018 7:52 PM

@Clive Robinson, JG4, MarkH

Nuclear treaties and Intermediate Range Ballistic Missiles (IRBMs) are well beyond my area of expertise. Regardless, the thought of having, perhaps, at best, a few minutes for a country to decide whether to launch, and against who, a nuclear counterstrike is not reassuring.

iirc Daniel Ellsberg said in the 1960s, or so, something like the movie Dr. Strangelove could be a documentary. I recommend Ellsberg’s book The Doomsday Machine, Confessions of a Nuclear War Planner.

Dr. Strangelove Trailers:

https://upload.wikimedia.org/wikipedia/commons/3/3a/Dr._Strangelove_%281964%29_-_Trailer.webm ; download

https://www.youtube.com/watch?v=98NaJ8ss4sY

bttbNovember 5, 2018 7:56 PM

An Opinion piece by Ian Samuel, Associate Professor of Law at Indiana University, https://www.theguardian.com/commentisfree/2018/nov/04/america-minority-rule-voter-suppression-gerrymandering-supreme-court :

“Rigging the vote: how the American right is on the way to permanent minority rule

Underhand Republican tactics – gerrymandering, voter suppression, more – underpin a vice-like grip on power

The American right is in the midst of a formidable project: installing permanent minority rule, guaranteeing control of the government even as the number of actual human beings who support their political program dwindles.

[…]

Taken together, this is a powerful set of tools. Draw maps that let you win even when you lose. Use the resulting power to enact measures to suppress the vote of the other side further. Count on a minority rule president to undercount your opponents in the census, and a minority-rule Senate to confirm justices who will strike down any obstacles to the plan.

With the deck this stacked, it isn’t enough to win. Wresting control back from the entrenched minority will take overwhelming victory. It may take, in other words, a genuine political revolution.”

Clive RobinsonNovember 5, 2018 9:26 PM

@ bttb,

Finally, I am curious why nukes might be considered "practically useless". For example, nuclear winter?

First of nearly all WMD outside of conventional kinetic munitions[1] are "practically useless". Either they don't work as expected, to slowly, or there is no workable delivery mechanism.

Stratigic nukes are usually "hydrogen bombs" or fusion devices, very large, very heavy, inordinatly expensive, and very unreliable devices. The delivery systems are consequently very large, very heavy, inordinately expensive, very unreliable devices, that are realy not mobile and also very slow to deploy...

Various reports for US weapons have put the odds of a strategic nuke actually getting on target and detonating as quite low, some as low as 10% and some even less. To save embarrassment they usually quote physics package reliability and delivery system reliability in entirely seperate documents that get seen by different people... Where the % reliability for each part looks a lot better... It's actually quite hard to find an assesment of how many would be lost to a first strike attack from Russia or China, but it could be very high.

What we do know is Russian nuclear weapons in general are considered markedly more reliable. The reason being they don't have the six or more fail safes that US nukes have...

But the important point to note is the mass of a stratigic device is not linear with it's yield you double the yield and the mass goes up by a volumetric (^3) measure. The largest device ever tested was the Tzar bomb that was 50mega tonnes and for it's yield the cleanest nuke ever fall out wise. Whilst it's yield sounds a lot, it's thoroughly impractical as a device. It's so heavy 27tonnes and so large 28ft by 7ft putting it on a missile of any kind is not realy practical and the extra rub, if dropped by a plane it needs a massive parachute that weighs just under a tonne to give the aircraft sufficient time to get away when it has drifted down to it's optimum altitude.

Modern anti aircraft and anti missile systems would find the very slowly descending bomb an easy target to shoot out of the sky. A small tactical fission nuke like the US Davy Crockett ways in at under 60Kg and it would not be difficult to make them smaller and lighter such that they could be put on moderatly sized missiles used for anti-ship weapons. Exploding such a device near the descending stratigic bomb would probably be more than sufficient to "disrupt it" to the point where even the primary (fission) stage would not go off. Such a small device can also be designed to produce minimum fallout. What is left of the disrupted stratigic weapon realy does not pose that much of a threat either.

But the problem with stratigic nukes is they are not kinnetic weapons but EM energy weapons, the damage they do is not as great as simplistic calculations would suggest. In the case of the Tsar bomb it was dropped from 8Km up to exoload at 4Km up. Due to various effects the fast shockwave bounces off the ground and reflect much of the energy back up... To do wide spread damage an energy weapon needs to pick up debrise from the ground and send it out sidewase at relatively low angles (10-15 degrees) with the fast blastwave bouncing energy back up, the coupling to debris is comparatively low. Thus higher yield stratigic nukes are in effect "self defeating"... Further the nuclear winter effect is actually due to debrise getting thrown up at very high angles thus with the bounce effect no where near as much debrise ends up at sufficient altitude even though the mushroom cloud might be between 50-70Km, which puts it well above the stratosphear effectively wasting a very significan proportion of the energy. That said it was destroyin wooden houses and ripping the roofs of of stone and concreate buildings out to 250Km and breaking windows out to a 1000Km as the shockwave bounced and was ducted in the atmosphere and went atleast three times around the world.

The most effective use for such a device would actually be to explode it in space at an altitude where the EMP pulse exceeded 1000V/m over most of the US which would be around 450Km or a little under the hight of the International Space Station. It would do very little physical damage but communications in the US would cease, power would cease, thus gas, water, and sewerage would also cease. Food deliveries would also cease and the US would probably become "disease central" within three to seven days and there would be insufficient medical supplies to stop it. The upside is there would not be a nuclear winter as such, and there would be colourful glowing skys for quite a while. But it's not just the US that would be effected many satellites would as well, this might be of interest,

http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA531197&Location=U2&doc=GetTRDoc.pdf

Tactical nukes which IRBM and cruise missiles are designed to carry are a very different story. The flight time of an IRBM is measured in just a few minutes which makes them near impossible to respond to. Cruise missiles can using "ground hugging" more or less evade detection except from AWACS and some satellite systems due to their manoverability and the limitations of AWACS and satellite systems the "salvo" flying of 20 or 30 cruise misiles will mean that around 50% will get through. As they can be targeted to explode in a particular wide area pattern in a coordinated way their overall effect would be considerably greater than from a single stratigic nuke with the same yield as the total of the cruise missiles.

[1] US law has a generaly not accepted else where definition of WMD. Basically any device --except a 2nd Amendment gun-- that can kill more than one person is a WMD under US legal reasoning. It's what might politely be called "over reach". Thus if you were to let off a large firework that goes into a persons house then you've used a WMD, thus the question arises of intent or accident...

MarkHNovember 6, 2018 1:39 AM

@bttb, who wrote

I am curious why nukes might be considered "practically useless".

The basis of their inutility is much more political than technical. In almost all cases, the motivation for war is political. To the extent that decision makers about war are "rational actors," a decision to engage war -- or vastly intensify it -- is based on a projection that some politically defined outcome will be better, than if that step had not been taken.

In 1945, the U.S. had a sort of "free pass" to escalate the World War into the first (and so far, only) nuclear war -- with the luxury of having a monopoly on such weapons.

In the decades since, the costs of making first use of nuclear weapons has consistently appeared to be gigantic.

The only exception to this, is the hypothetical scenario of a nuclear weapons state faced with the threat of actual obliteration, in which the costs could seem worth incurring.

In any situation where a government is tempted to start nuclear combat, I can't imagine leadership failing to wonder "once we start this, what will happen in the following hour, or week, or year?" The likely developments are invariably grim.

In the case of the U.S., its conventional armamentarium is sufficient to inflict intolerable damage against any state on Earth. No nukes needed, thanks!

Likewise for the Russian Federation: its conventional strength is more than adequate to any plausible defense situation. In the implausible case of a second Bonaparte or Hitler approaching its frontier -- or a Western leader considering a nuclear first strike -- the retention of perhaps 20 or 30 nuclear missiles would preserve the ability to inflict intolerable damage on the attacking state, at sufficiently high probability that only a madman would proceed.

And of course, these weapons impose terrible dangers of accidental use, unauthorized use, or theft. To borrow Bruce's language, they are toxic assets: the fewer, the better.

Wesley ParishNovember 6, 2018 4:06 AM

@bttb

I am curious why nukes might be considered "practically useless".

In addition to the above, nuclear weapons have a built-in proliferation effect. Raymond Garthoff in Detente and Confrontation
https://books.google.co.nz/books/about/Detente_and_Confrontation.html?id=mGG-x_tuNUcC&redir_esc=y
mentions an implied threat of the use of nuclear weapons the USS Enterprise carrier group made towards India at the time of the Bangladeshi War of Independence. The result was that India decided to develop its own nuclear deterrent.
Indian National Security Policy: Minimal Nuclear Deterrence
https://www.idsa-india.org/an-nov9-2.html
Third, the US sent the nuclear powered USS Enterprise to the Bay of Bengal on December 10 as part of gunboat diplomacy to force India, as claimed by Nixon and Kissinger, to declare a cease-fire in the war with West Pakistan.8

And the result of India developing its own nuclear deterrent was that Pakistan decided to develop its own nuclear deterrent. happy happy joy joy, it's a never-ending story. (I was ten when I analyzed escalation - in terms of the school bullies, of course, but the analysis was valid for all that - and concluded it would never conclude.)

Besides all that, nuclear weapons happen to be "äbsolutist" in nature, without much graduation.

My own thoughts on lightweight nukes can be read at

War On Terror Just Blows Me Away
https://pandora.nla.gov.au/pan/10063/20180620-0000/www.antisf.com.au/the-stories/war-on-terror-just-blows-me-away.html

Some asylum is missing its lunatic.

MarkHNovember 6, 2018 4:45 AM

On Monday, mining company BHP Billiton intentionally derailed an iron ore train about 50 minutes after it "ran away" (proceeded downhill with no one aboard) at an average speed of about 100 km/h.

The 2,800 meter train consisted of 272 units, and would typically weigh 43,000 metric tons. No one was injured, but physical and economic damage appears to be substantial.

It's startling to me that such a train (longer than any in the U.S.) has only a single operator, who in this case had stepped off the train to inspect a mechanical issue.

In the 21st century, it ought to be quite manageable to incorporate some failsafe mechanisms and/or emergency remote controls. [Though the train lacks remote controls, the derailment was commanded from a faraway control center. It's quite typical for modern rail systems to have switches and signals controlled from operations centers which may be quite distant.]

Because of the remoteness of the area in which this train operates, there was reportedly no danger to the public. Even so, the lack of safeguards is difficult for me to credit.

Some failures are difficult to anticipate, or to prevent ... this was not one of them.

Clive RobinsonNovember 6, 2018 7:13 AM

@ MarkH,

Some failures are difficult to anticipate, or to prevent ... this was not one of them.

One of the problems with being a design engineer is managing not just complexity but failures.

We can think up all sorts of realistic failure modes quantify them and thus have probabilities for them.

But because of the complexity issues, we further try to group failure modes into classes. Because the effect of mitigating a class of failures is much more efficient and considerably less complex than mitigating individual instances of failure modes.

This can have an apparently perverse effect on design priorities. That is you can have a very large group of low probability instances, that as a probability class has a much larger probability than a single high probability instance. As an engineer which do you chose to mitigate?

Further you can not mitigate even a fraction of the realistic failure modes. Inn part because some are contradictory[1] but in the main the required sensors rapidly take complexity to the point where sensor failure becomes the more probable failure mode...

Long trains have a speed issue due to inertia and curves. It is fairly easy to see that as a train enters a curve a pulling engine will quite quickly be tangental to the point where it would pull the more distant part of the train off of the rails. Likewise a pushing engine would push and buckle the train off of the track. The trick is to approach the curve at a safe speed and maintain the pull or push just sufficiently to overcome losses such that each carriage effectively coasts around the curve at a safe speed. A train due to how the load mass is distributed can have a very complex speed profile for any curve, the loading rule of thumb being keep the mass even or if not possible the largest mass carriages close to the engine. This obviously becomes very complex very quickly when you have both pull and push engines that are needed to get the train actually moving (loose coupling take up effect means you only have to deal with the innertia of one carriage or a few carriages at a time). Because of this an engine can and often does move at a different speed to the carriages a long distance away. That is the train can be viewed similarly to a spring or multiple pendulum dynamic energy storage system, which means you are back in the world of resonance and nonlinear load effects especially when push engines are involved. It is known that the dynamics of the system are too complex to model and you could not have sufficient sensors to do it anyway. Back in the 1940's through 60's this "POGO oscillation" problem was the main reason liquid fuel rockets blew up in the change of acceleration phases. Likewise why gin turrets and other weapons mounts were slow to avoid "hunting" and other oscillitory "chase your tail" effects.

The solution for trains and ships back in the 1980's was "fuzzy logic" a more modern method would be a dynamic learning system. Effectively low level fuzzy logic under an adaptive AI system, which works but we have no real understanding as to how... and worse we know there is insufficient time in the universe to test for every condition let alone the life time of the product. Thus as engineers we just grimace, cross our fingers, throw the dice and look the other way...

[1] People glibly talk of "fail safe" systems but most do not realise that many things can not be designed to be fail safe. Because if you fail in one direction you create a danger of a different nature, fail in a different direction and you create a danger in a different direction. Thus there is no linear non complex line from active to stopped... A typical class of such contradictory systems are "mid-range regulators" for preasure, speed etc. Think about a long drive shaft it has speeds at which it is resonant and if not carefully controled through each resonance the shaft will flex in various modes creating massive loads not just on the bearings but the shaft. How you get such a shaft through a resonance is dependent on not just rotation speed but it's direction with respect to the resonance frequency, which unfortunatly also changes with load and the loads energy storage capacity --flywheel effect-- and the shafts energy storage (think torsion spring as well). You end up with a quite complex dynamic map with numerous moving no go zones --which move depending on not just where the system is currently at, but also on where it was some time prior--, that you have to navigate. In times past you tried to "stay in a safe corner" below all resonance frequencies. However this suffered from the "artisanal effect" which you see with Victorian beam engines, massively over engineered, very slow and very inefficient. However modern systems can take the shaft up past several resonance frequency domains but require multiple distributed sensors. If you are up in the high speeds and something goes wrong such as load failure from balanced to unbalanced you can design the shaft drive control system to work with no sensor failures or at most two sensor failures after that you are probably in cascade fail territory where bits start to fly as there is no fail-safe run-down curve... You get similar problems with gas pipe lines where you have to know what is happening not just localy at the pump but along the line and at the far end...

FaustusNovember 6, 2018 9:01 AM

Massively hypocritical and frequently risible as it is, boingboing does occasionally have good links, if you can distinguish them from the identically formatted ads telling poor unfortunates that a high paying career is just one boingboing store purchase away.

https://boingboing.net/2018/11/05/plan-s-is-go.html includes a link to seemingly pirated scientific studies presented in the name of open scientific journals. I totally support the initiative S for various funding sources to only support journals that make their contents available for free to the public. I am not particularly concerned that someone is apparently providing pirated journal contents.

But when I clicked on the link for the apparently pirated journal site, remembering Barrett Brown and link taxes and such "...." I will let you find the link in the article yourself, I find that the convenient search box is unfortunately our of service and I need to use their unvetted browser addon in order to access the science.

So I need to install spyware in order to look at the science I probably funded. No mention or warning about this from boingboing. Maybe this is not an article, but indeed another ad formatted as an article? Maybe the pirate site is a honey trap so that angry "rights (sic) holders" can beat me about the head with sticks, put me in jail for 20 years, claw back my income, and/or remove several inches of each of my children's femurs?

I don't know. But my former hero, Cory Doctorow, seems to be somehow involved in a shady site. Does he even know? This from the author of Little Brother?

bttbNovember 6, 2018 10:09 AM

Two more things:
1) “6 Types of Misinformation to Beware Of on Election Day. (And What to Do if You Spot Them.)
Be careful of rumors and hoaxes about the voting and polling places. Here are some tips for spotting and avoiding false information.”
https://www.nytimes.com/2018/11/05/us/politics/misinformation-election-day.html

2) “Former GOP Defense Secretary Blasts Trump's 'Folly' of Sending US Military to the Border — Says He Treats the Troops Like 'Pawns’

Hoping to excite his supporters in the face of midterm danger signs, President Donald Trump is sending 15,000 troops to the border in order to combat the Honduran "migrant caravan" that is not even here yet, will probably disperse before arriving, and is not in any way a national security threat. Trump is even encouraging them to use excessive force, saying that U.S. soldiers will shoot anyone who throws rocks.

[…]

"My reaction in listening to that, coming from the commander in chief of our forces, President of the United States, is one of disgust," said Hagel. "That's a wanton incitement of unnecessary violence, it's a distraction, it's a distortion. It's a rank political distortion to use our military like this, and to say those kinds of things is really astounding. Not in my lifetime have I ever heard those kinds of words from a president of the United States."

[…]

"This is folly," Hagel said. "This is political distraction of the highest magnitude. The fact is, taking thousands of American troops who are trained on the cutting edge all the time, and sending them down to a border where there is no need, there's no threat to an invasion of the hordes coming in from Latin America, which is a joke — and they are of limited utility anyway, because of the constitutional issues involved here as to what our active military can and cannot do — and so, it's clear to me that he's using our military and our troops in a very political way that, it really casts a lot of questions about the competency of his leadership."

"I know the kind of sacrifices these men and women are involved with every day, and their families," Hagel went on. "And to use them as political pawns like this, as a complete fabrication, is really wrong.””

https://live-01.alternet.org/news-amp-politics/chuck-hagel-troops-border-migrant-caravan

bttbNovember 6, 2018 10:22 AM

And from https://www.nytimes.com/2018/11/06/us/politics/reporting-voter-intimidation.html :

“Voter Intimidation: What It Looks Like and What to Do About It
Well before Election Day, voters in Texas and North Carolina had already started reporting facing harassment.

The federal government prohibits such acts of intimidation, but what that entails isn’t always clear. In some cases, it can mean threats of violence. In others, it can be attempts at coercion. This kind of harassment may be uncommon, but voting rights advocates say voters should be vigilant.

[…]

Anyone who tries to “intimidate, threaten, or coerce” individuals to interfere with their right to vote can face up to a year in prison under the federal law against voter intimidation. And such intimidation can take many forms.

“It’s a lot easier to explain what it is by general examples, because it’s pretty amorphous,” said Sophia Lin Lakin, a lawyer with the American Civil Liberties Union’s Voting Rights Project. “There’s not a lot of specific case law around this.”

Anyone who tries to “intimidate, threaten, or coerce” individuals to interfere with their right to vote can face up to a year in prison under the federal law against voter intimidation. And such intimidation can take many forms.

“It’s a lot easier to explain what it is by general examples, because it’s pretty amorphous,” said Sophia Lin Lakin, a lawyer with the American Civil Liberties Union’s Voting Rights Project. “There’s not a lot of specific case law around this.”

According to Ms. Lakin, intimidation can include aggressive questioning about people’s qualifications to vote, including their citizenship status, criminal record or residency requirements.

Spreading false information or posing as an election official can also cross the line, she said, as can unreasonable requests for forms of identification that aren’t required by law.

Intimidation can also include “questioning, challenging, photographing or videotaping” a person at a polling site, “especially under the guise of uncovering illegal voting,” according to the office of the United States attorney in Arizona.

[... including examples]"

RG-2November 6, 2018 7:21 PM

China Government Telecom Diverting Western Traffic to Mainline China

‘China Telecom has either knowingly or otherwise engaged in BGP leaks that have affected large chunks of Internet traffic for a sustained period.

The domestic US traffic, in particular, “becomes an even more extreme example,” he told Ars. “When it gets to US-to-US traffic traveling through mainland China, it becomes a question of is this a malicious incident or is it accidental? It’s definitely concerning. I think people will be surprised to see that US-to-US traffic was sent through China Telecom for days.”

https://arstechnica.com/information-technology/2018/11/strange-snafu-misroutes-domestic-us-internet-traffic-through-china-telecom/

Id then Data-Mine
Under the guise of 'our' security Google, Amazon and now China is forcing everyone to use Javascript and discontinue using VPNs.

Why couldn’t Western security professionals immediately detect this massive and sustained scale rerouting?
Or the crack NSA GCHQ teams just itching to attack?
Can you say deep-packet inspection?
Do the Five-eyes countries allow smart-phones to distract from their job protecting citizens?
Think what would occur during a national emergency guys?

Personally I’m ashamed and embarrassed by our leaders being so easily duped. And worse on a long term basis. The situation is bound to deteriorate as the trade war intensifies.

Juvenile Solution
Quit looking at porn and put the damn smart-phones down
Task a new-hire to design an automated ping and traceroute alert program. Rather than looking for key words like ‘whistleblower’ look instead for ‘China Telecom’

Clive RobinsonNovember 7, 2018 1:47 AM

@ RG-2,

China Government Telecom Diverting Western Traffic to Mainline China

You are making an assumption that it was China Telecom... Which is why what you quote says,

    China Telecom has either knowingly or otherwise engaged in BGP leaks...

It's one of those problems with "attribution" even if you see traffic comming in on a given port, all you realy know is what that upstream box is "apparently" pushing to you. What you don't know is,

1, If it is actually the box you think it is.
2, Who is controlling the box.
3, Why the traffic was sent.

The article goes on with a quote,

    “When it gets to US-to-US traffic traveling through mainland China, it becomes a question of is this a malicious incident or is it accidental?

Actually there are other options than just malicious or accidental, it can happen because it's supposed to by the design of the protocal specified in the standard.

Overly simply China Telcom has a number of Points of Presence in the US, which is expected if you want traffic to and from China to carry out ordinary business and you want a degree of fault tolerance. The routes advertise themselves by capacity and load. If for some reason a route in the US decreased it's available capacity then fault tolerance kicks in and traffic gets sent via another route, which could be China Telecom or a US carrier or even a European carrier. So it might have happened without any action from China Telecom at all. We just have to chalk it up to "unknown cause" unless some one goes public with verifiable evidence which is unlikely (it's actually hard to do, for various reasons, which is why the Western SigInt entities tend to hack other peoples routers).

However you also need to remember that from various bits of information that have surfaced the NSA are "alleged" to re-route US-US traffic for various reasons such as ensuring their packet gets to your box befor the packet from the box you are trying to communicate with. But also routing US-US traffic out of the US so they can record it within the --stretched-- rules of oversight.

So it's actually important to know exactly what happend for a number of reasons.

Which brings us onto your question of,

Why couldn’t Western security professionals immediately detect this massive and sustained scale rerouting?

You are again making an assumption, I assume they probably did thus the question would turn to,

    Why did the SigInt entities not take action?

Well aside from "they never do" there are quite a few answers including "because they or other people wanted it to happen"...

Which brings us onto your point of,

Personally I’m ashamed and embarrassed by our leaders being so easily duped. And worse on a long term basis. The situation is bound to deteriorate as the trade war intensifies.

You again assume that "our leaders being so easily duped" is actually the case. But even if it is true you should ask "By who?" and go through the "Means Motive and Opportunity" triad along with the "follow the money" question you would do for a criminal investigation. But don't forget to then ask the political question of "Who gains advantage?", there is after all "Plausable Deniability" to consider as well.

Because you have a second assumption there of "bound to deteriorate as the trade war intensifies". This could actually be a "shot in the war" by the US as a pretext to taking other action.

Look up the stories of the "yellow cake" and "Iraq's WMD" both of which were "false flag" operations by the IC as a pretext to other "Kinetic" actions. Oh and remember so far it's only the US during the Obama administration that has threatened to escalate cyber-crime to kinetic-war, which could be advantageous for a country other than China or the US.

As I point out from time to time "atribution is at best very hard" we know the "US IC has False Flag tools" so it's "highly likely other nations do as well". We also know that the US has a history of inadvisable military actions in foreign nations for fifty years or more as a method of "Projecting Power". As a senior US military leader put it "bomb them back to the stone ages" about action in Vietnam or an earlier commander demanding the use of nukes in Korea the US does have an overly belligerent Foreign Policy and are quite happy using WMD against the civilians of nations that do not have such capabilities...

Wesley ParishNovember 7, 2018 3:48 AM

Just a couple of interesting pieces care of Slashdot as pointer:

Did You Vote? Now Your Friends May Know (and Nag You)
https://www.nytimes.com/2018/11/04/us/politics/apps-public-voting-record.html

Whom Americans vote for is private. But other information in their state voter files is public information; depending on the state, it can include details like their name, address, phone number and party affiliation and when they voted. The apps try to match the people in a smartphone’s contacts to their voter files, then display some of those details.

Worrying. If I was any closer to the US political process than having a paternal great-grandfather born in Nebraska (or perhaps in Boston or New York - the details are far from certain), I'd be panicking.

Once, when using all this was a matter of digging through current phone books, political party registrations, etc, it would hardly seem possible. You'd need dedicated party members, and those don't grow on trees.

For one thing, he said, people could use the apps to create contact lists of acquaintances, strangers or public figures they do not like and maliciously publicize their voting histories. As a hypothetical example, he said, religious leaders might be outed for registering with a political party whose platform runs counter to their institution’s doctrine.

How terrible. They'll know I voted for William Shakespeare this time whereas last time I voted for John Donne!!! And Geoffrey Chaucer before that! Yikes! I'll vote for The Straitjacket Fits next time! Or the Verlaines!!! No, I'll vote for The Chills!!!!! :)

Speaking as a Kiwi with some aspects of Kwaussie status, I see rather interesting things ahead, provided of course, that it is available across national boundaries. What's to stop Vladimir Vladimirovich Putin getting a text from someone in Trump Tower, reminding him to vote in the next US Presidential elections? I mean, we've already had dead musicians signing RIAA statements,
http://www.lessig.org/2006/12/ok-so-im-wrong/
and according to some reports, there are places in the US of A where voting isn't mandatory for the living, but it is for the dead ...

Still on the Voting Fits, we now turn to:

Blockchain-Based Elections Would Be a Disaster For Democracy
https://politics.slashdot.org/story/18/11/06/2233250/blockchain-based-elections-would-be-a-disaster-for-democracy

Tapscott focuses on the idea that blockchain technology would allow people to vote anonymously while still being able to verify that their vote was included in the final total. Even assuming this is mathematically possible -- and I think it probably is -- this idea ignores the many, many ways that foreign governments could compromise an online vote without breaking the core cryptographic algorithms. For example, foreign governments could hack into the computer systems that governments use to generate and distribute cryptographic credentials to voters. They could bribe election officials to supply them with copies of voters' credentials. They could hack into the PCs or smartphones voters use to cast their votes. They could send voters phishing emails to trick them into revealing their voting credentials -- or simply trick them into thinking they've cast a vote when they haven't.
In a weird kind of way, it is comforting. The United States has - with the (un)declared Global War of Terror - declared that national sovereignty is an outdated concept and can be obliterated with a compliant military base provider and missile-armed drones. Now the world can repay the compliment and treat US claims of national sovereignty with the contempt it requires.

Be careful what you ask for. You just might get it. Do I hear the strains of The Sorcerer's Apprentice lingering on the spring air?

RG-2November 7, 2018 6:00 AM

Clive,
As usual your logic and reasoning (coming from many perspectives) is complete.
Well almost complete. If I could fault you in one area it would be for seldom offering practical solutions[0].

Every engineering issue is not technically hopeless.
You like great, awesome depth while I strive for clarity and simplification.
You are the Devil’s best advocate but management wants solutions (or at least workarounds)!

Problem Statement
The rerouting of massive amounts of sustained Western critical infrastructure Internet packets through potential adversaries communications networks is both a National Security and NATO issue[1]. This is unacceptable.

In times of stress the China Communist Government is able to completely isolate the massive Chinese Internet, with just the flick of their Firewall switch.
Yet they can attack, modify and reroute the West’s open networks. How quickly can you scream ‘Uncle’?

Chinese Solution
By design, China’s Great Firewall already prevents this routing issue from becoming a National Security issue. That is China’s internal traffic is not foolishly re-routed outside China [2].

USA/West Solutions
This extensive Great Firewall solution is both unneeded and unwanted in the West. However we do need similar telecom capability to sharply restrict mass re-routing.
The Five Eyes leadership and cyber commands should receive instant, automatic notifications of mass external rerouting violations[3].

[0] There is no real perfection in humans. Trust in AI!

[1] While American Big-Data wants one Internet to eavesdrop on the world, the Internet has become irreversibly segmented. The USA stumbling block Silicon Valley needs to accept this GDPR/Firewall data integrity reality and move on!

[2] a logical simple a common sense solution

[3] because of current network infrastructure limitations, some countries data must travel externally. Ideally the Internet data should take shortest, most secure path between two points

Clive RobinsonNovember 7, 2018 11:45 AM

@ RG-2,

If I could fault you in one area it would be for seldom offering practical solutions[0].

Back err some quater of a century ago there was a sort of joke which was,

    What ever the question is... The answer is not Microsoft[1]

Well back about then is when the Border Gateway Protocol (BGP) Version 4 happened, and suprise suprise they are both still with us. Microsoft has changed a lot BGP4 not so much but it has been augmented.

For various reasons including security issues BGP4 is realy nolonger "fit for purpose" coming up to the third decade of this century. But it is not alone, in fact most protocols before ~RFC2K were never designed for todays environment and they are all creaking at the seems fit to bust.

Thus the obvious thing to say is the same as the Red Queen did to Alice which is "Off with their heads", but that is not going to be practical for a whole heap of reasons some of which we saw with Y2K.

Which is a big problem, because Managment as you note "want solutions" and their view is you "install them PDQ" collect your bonus and move on. Engineers also want to solve problems however they know you have to "instill them over time" otherwise chaos is the most likely result...

The result of the difference of view point is what we see with IPv6 which is also of the same generation as BGP4, which could be expressed as "It ain't there yet, nor is it ever likely to be".

The issue with IPv6 is again multifold but security is sitting quite high in the list.

So yes I can make suggestions for solutions but if I cross from the general to the specific I know as an engineer "It ain't ever going to happen" because first of all managment will never go for it in todays business environment[2]. Secondly because of the first issue as history tells us we are talking "human lifetimes" for structural change to start but new "neat" technical changes having life times of a year or so at most, which reflects back on structural change, which thus can never realy catch up, so legacy wins, and new structural changes needed for security just don't happen.

I don't know about you but I'm fresh out of solutions for those two issues...

But there is a third issue, those that might have the power to enforce change, don't realy want the changes to happen for both political and commercial reasons.

Likewise not sure what to do about that in the way of solutions that will happen, though the EU is in some respects "nibbling at the edges".

The one thing you can be quite certain of though, is that the US will fight tooth and claw to keep as much of the core of the Intetnet in their jurisdiction as they can. Failing that the will try to keep it in the Five-Eyes jurisdictions. Oh and it's not just the IC / SigInt entities that will fight, it's the big global corporates as well, as nobody want's what they consider their cattle rustled out of their lands and hands.

[1] Which was I've been told, a "re-boiling" from a decade before but the target way back then was IBM...

[2] It's the same reason most of the US infrastructure is just "One gopher bite from cascade failure", and come the next peak solar activity well you do know how to get and light a candle without using Amazon and an Internet app? ;-)

FaustusNovember 7, 2018 1:01 PM

@ Wesley Parish

re: Blockchain-Based Elections Would Be a Disaster For Democracy

Whoever wrote that article knows nothing about the blockchain. Assuming a transparent blockchain: Somebody voting with my credentials could be easily detected and the vote nullified. And the totals retallied in a flash.

By transparent blockchain I mean a blockchain that can be read by anyone. And voters would be able to create their own anonymous reference key that they could use to check that their vote is correctly registered in the blockchain. Perhaps a lookup on the order of state/voting location/reference key to help make uniqueness very highly probable. And anyone would be able to create their own programs for verification and tallying and run them independently.

How do I know that I am running on the correct blockchain? Answer: The hash on any blockchain record secures all previous blockchain entries. Any changes, like corrections for stolen votes, would be done by appending the appropriate record types.

The fact is that a transparent blockchain is the ONLY voting approach that allows voters the guarantee that their vote has been registered correctly AND that the overall count of votes is correct.

WE HAVE NO WAY TO VERIFY THAT NOW.

The fact that people are being led to be up in arms about this amazing advance in voting security really makes me wonder if current votes are being tampered with. In our current system there is no way to be sure that my vote was counted and that somebody didn't change who I voted for. Such an assurance is the basis of any meaningful election security.

bttbNovember 8, 2018 7:13 AM

from two twitter.com/emptywheel retweets:

https://www.washingtonpost.com/world/national-security/attorney-general-jeff-sessions-resigns-at-trumps-request/2018/11/07/d1b7a214-e144-11e8-ab2c-b31dcd53ca6b_story.html

1) @mattzap :

“So many new details in our Sessions piece [above]:
*Sessions asked to stay on until week’s end & was told no
*Trump told advisers Whitaker is loyal & wont recuse
*Sessions shared concerns about Mueller pace, but felt he was protecting Russia probe by staying”

2) @NoahShachtman :

“The Acosta thing [CNN Chief White House Correspondent Jim Acosta has his press credentials suspended] is important. It totally pales in comparison to the firing of the Attorney General. Focus, people.”

Also:

https://www.emptywheel.net

https://www.DemocracyNow.org ; usually starts at 8:00 AM et M-F

https://newrepublic.com/article/151929/trump-fires-mueller ; "If Trump Fires Mueller"

Cincinnatus_SPQRNovember 8, 2018 7:54 AM

@ JG4 and bttb

It is good to see that some people are alert to what is important in the news.

The CIA ran a clownshow from 2009 to at least 2014. They turned out technically incompetent agents who took enormous risks with their sources.

No one got in trouble for it. Panetta was an operator for the Democrats, and no one was going to fry him. It would have made the whole lot look bad--to include Obama. If you take this fiasco and compare it to the OPM disaster, and to Hillary's server at home, and to Podesta using Pa$$w0rd for his password, then you get a real picture as to what went on inside the U.S. government in those dodgy years of security neglect.

It's a national disgrace ladies and gents. And no one wants to talk about it because it makes the CIA look like clownshoes, which they sometimes are. It sends a chilling message: take the money, yeah, but you might die for it. Want to defeat a U.S. intell juggernaut with deep, deep pockets? It will cost you twenty bucks.

But at least sexual harassment training is going well and diversity is increasing. Thank goodness!

The U.S. has not been served well by those jokers, and it really is disgraceful.

JG4November 8, 2018 8:35 AM


I read my comments last night on entropy maximization and I couldn't find anything over the line. Did anyone grab a copy of that while it was up? I have the predecessor version, which missed a few inspired edits. Which may prove impossible to replicate.

https://www.epsilontheory.com/control-point/
...
This NY Times piece is a long, fascinating account of how Alastair Mactaggart, an Oakland, California resident, “became the most improbable, and perhaps the most important, privacy activist in America” … a great read on a super important topic that gets into the nuances and quite some details.
...

TimothyNovember 8, 2018 1:34 PM

The leader of New Zealand’s largest opposition party is accused of accepting a $67,000 campaign donation from a businessman with ties to the Chinese government, breaking campaign finance laws and raising concerns about Chinese meddling.
- NY Times "Campaign Contribution Raises Concerns About China’s Meddling in New Zealand"

Australian authorities are careful about strategic investments proposed by China, having banned a Chinese firm from buying part of the power grid, Huawei and ZTE from helping build the 5G mobile network, and Huawei from building a nationwide broadband network.
- The Economist "Australian politicians fear having to choose between America and China"

U.S. trade agencies are investigating mattresses from China sold at less than fair value (LTFV).
- Federal Register Document Citations: 83 FR 55910 & 83 FR 52386

lurkerNovember 8, 2018 3:29 PM

No, not eating more Squid: on October 12 2018 Bruce Schneier posted:

Eat Less Squid, or as the linked article said Eat More Polk.
So, what are you eating Bruce?

Cincinnatus__SPQRNovember 8, 2018 7:58 PM

About the CIA using Google, getting hacked, and a lot of people who had taken money from American hands having their body hit the floor:

The point is not just that it was incredibly careless. The point is that a lack of leadership and supervision at CIA, indeed a lack of common sense, allowed it all to happen and continue for years.

If the agents and sources were known, then the priority intelligence requirements were known too. That itself was incredibly damaging.
Further exploitation must have been easy.

That black hole of an intell gap on North Korea now has even more of an explanation, it seems. The animus towards Iran is also a little more understandable now. Getting smacked down by Iran does not play well on the evening news, which partly explains the silence.

Let's see how long it will take the Washington Post to report that their beloved Panetta and Hayden were running a carnival. Don't hold your breath.

Clive RobinsonNovember 8, 2018 10:20 PM

@ Timothy, ALL,

... breaking campaign finance laws and raising concerns about Chinese meddling.

I think "The US Cyber Existential threat country" is about to change, from Russia to China.

Ad I've noted in the past the US had an Orwellian approach to "Existential threat actors" countries. That is they have a list of four China, Iran, North Korea, and Russia. But only ever have one of them at any one time being the "Existential Threat" which obviously defies logic. But is directly out of the George Orwell 1984 play book...

As of late there has been nothing realy new about Russia (though Mr Sessions falling on his sword might be considered that way). But we are starting to see an upswing on Chinese stories of almost exactly the same type as we had with Russia...

Hence my small bet is the US is about to chang from Russia to China as well see more "Pump Priming" stories about China enter the MSM...

However there is still the "Missing In Action" story about Cambridge Analytica and American billionaires money with atleast one of whom is alleged to be "close to Trump". There was interesting stuff coming out of the UK police investigation with respect to them and money going to amongst other places Russia, to come back in various ways. When suddenly and without good reason the investigation got killed, allegedly by direct intervention of UK Prime Minister Mrs May... What ever the truth is like the Salisbury Poisoning suspect story it's gone MIA... Which has kind of spoiled "the thrill of the chase" with "The fox gone to ground".

MarkHNovember 9, 2018 12:47 AM

@Clive:

Thanks, for a sophisticated overview of train dynamics ... though I sincerely wonder to what extent the people who drive those machines are aware of such technical considerations.

Probably when they are taught their jobs, it's boiled down to a list of simple rules (and perhaps some computer algorithms at the dispatch center, concerning weight distribution along the train's length). In the U.S. at least, train drivers need neither a high education nor a very lengthy course of job-specific instruction.

Insofar as a failsafe against runaways, I believe that the perfect is the enemy of the good.

In the Real WorldTM, when a person or road vehicle is on the tracks -- or a string of cars comes uncoupled -- all of the brakes go to maximum, with a ripple effect front-to-back because it takes some time for the pressure drop in the air lines to propagate through each car. As you explained, this is far from optimal for a long train on a curve ... but as far as I'm aware, in the vast majority of such cases, everything stays on the rails (unless dislodged by impact with an obstacle).

To me, this implies that even a "dumb" failsafe would usually work well. If a runaway isn't stopped, the probability of derailment is very high indeed.

If it were a remote emergency stop system, it could provide a few seconds delay during which the driver (if any) would have the opportunity to override.

I can think of a few ironies, concerning the lack of a remote stop capability:

1. In my neighborhood, almost all freight trains have an "end of train" unit which performs a variety of functions. One of these is to dump brake air for an emergency stop; in this case the ripple effect works from both ends toward the middle. This again is not optimal, but probably reduces the risk of derailment and, most importantly, reduces stopping distance. These are radio controlled (by intention, only from the drivers cabin).

2. The long ore trains in Australia can't put all of the locomotives at the front, because this configuration would exceed the capacity of the couplers. So there are helper locos far from the front, which of course are remote controlled. I guess the control link is radio, but haven't looked into how they do this.

3. The same company that deliberately derailed its own runaway already has a controversial plan to go to driverless trains!!! Apparently, paying the one bloke is too extravagant ... probably these driverless trains will have some radio control capability.

In sum, it's not such a giant leap from current practice to add a remote (or simple automatic) emergency stop.
____________

The potential for malicious exploitation of train radio controls -- present, and prospective -- is another can of worms.

Clive RobinsonNovember 9, 2018 12:56 AM

@ ALL,

As our host @Bruce has noted over on the "iOS 12.1 Vulnerability" thread,

This is really just to point out that computer security is really hard:

It would appear from this article that "price" has little influance on that observation,

https://arstechnica.com/information-technology/2018/11/police-decrypt-258000-messages-after-breaking-pricey-ironchat-crypto-app/

What it further reenforces is the point I make from time to time, that "secure apps" on communications devices are not secure for various reasons.

Which is why I still recommend that you use communications devices only for communications and not for any kind of security benifit that might be advertised for them.

If you need "secure" communications then the security end points must be beyond the communications end points, "no if's, no doubt's, no maybe's"

Break that rule then the chances are you are going to regret it, if you have good reason to need "secure" communications.

What you need is some "secure device"[1] that is atleast "air gapped" from the communications device. Where the user reads an incoming message off of the communications device and then enters it into the secure device to get the plain text message. To reply the user types the message into the secure device, reads the ciphertext out of it and enters it into the communications device.

Such an "air gap" will prevent any "end run attacks" in the communications device. However if the secure device is mechanical, electrical, or electronic it will need to be designed such that it can not leak any information that the communications device might be configured to detect. Such leakages can be by acoustic, mechanical, electrical, electronic, RF, light, and even gravity channels.

Which means that even with a pencil and paper secure device the noise from the pencil on the pad, the operator muttering under their breath, or their finger tracing across a lookup table will leak some information. Likewise the table or writing board across the operators knees can couple not just the mechanical equivalent of the acoustic channels, it can additionaly send "tip and tilt" or other movment into the gravity sensors in the communications device. But there is often a pair of cameras in modern "smart devices" that get used for communications. Even if it cannot see the paper you are writing on it could ses hand movment or reflections and shadows arising from hand movment.

Thus you have to consider "energy gapping" where you do not allow any kind of energy to form.a channel between the communications device and the secure device.

Thus for pencil and paper, writing down the cipher text from the communications display is OK. But you should then take the piece of paper into another room to the communications device and shut the doors befor doing the decrypt. Likewise for the encrypt you do it in a seperate room and only bring the ciphertext into the room with the communications device in it.

It sounds not just laborious, but easy to get wrong, and it is in both cases. It's why I also say that Operational Security (OpSec) is hard to not just get right but to always get right.

If you break the rules even once then you can open a crack in your security that a patient and capable adversary will exploit to their best advantage, not yours. Which is why you need to practice other forms of OpSec such as "duress codes" and much more besides.

Nobody who knows anything about security has ever said that it is easy, which is why adverts for "secure apps" and "secure devices" are mostly "Snake Oil".

[1] The "secure device" could be as simple as a secure pencil and paper cipher system such as the One Time Pad through to a bespoke MIL/DIP encryption system that has a keypad and display and secure "Crypto Ignition Keys". The important point is that it should be "secure" to the level "deemed necessary" for the use to which it is to be put.

FaustusNovember 9, 2018 9:40 AM

I have been watching Homecoming with Julia Roberts on Amazon Prime. It was created by the same people as Mr. Robot. Both are excellent multilayered works. And both are immersed in paranoia, but in Mr Robot the protagonists have power (though their hacking skills) while in Homecoming they are largely powerless observers and pawns.

The paranoia aspect makes me think of this blog and its comments. We feel like we face a powerful and largely unknown enemy (or enemies). This enemy is so powerful that it could be anywhere, at any time, despite all our precautions. It walks through our walls on any form of energy; it's in every device, already.

How does this feel? To me there is a certain excitement in it, to think we are engaged in a constant battle, to think we are important enough that shadowy entities rummage in our underwear and bug our toothbrushes.

It is not that far from the delusions of reference of a schizophrenic, where everything has a significance, and that STOP sign has a personal message for us.

But I do think this enemy is real, not a figment of our imaginations. The surveillance is real. That STOP sign may in fact recognize us.

Truths like this may first shock us, but after a while the adrenaline goes back to normal. Most people forget there was anything there at all.

What is the healthy responsive to pervasive surveillance? Surveillance that increases every day. We were once tracked by our devices. Now we are tracked by our appearances. Soon we will be tracked by our brain waves. Tin foil hats may have been insane only in being ahead of their time.

What is the healthy response to this? Are there any good books about the psychology of being under constant surveillance? Is there ANY reason to think this will end well?

X-MouseNovember 9, 2018 10:44 AM

@MarkH: In the U.S. at least, train drivers need neither a high education nor a very lengthy course of job-specific instruction.

There's a labor union, it's closed shop, and the required documentation and hours of apprenticeship greatly exceed the average bachelor's degree or similar education. It's a position of extreme responsibility, and even a suggestion of mental illness is enough to disqualify a worker for life from the whole industry. Ironic, because the railroads are among the worst of the worst for running people into mental institutions, concentration camps, and other places of massacre, carnage, and mass murder. It's that same old Holocaust mentality of the enemy Axis of WWI and WWII.

TimothyNovember 9, 2018 12:15 PM

Hi @Clive Robinson

Ad I've noted in the past the US had an Orwellian approach to "Existential threat actors" countries. That is they have a list of four China, Iran, North Korea, and Russia. But only ever have one of them at any one time being the "Existential Threat" which obviously defies logic.

Yes, after I posted I actually thought much of the same thing.

The U.S. Treasury’s Assistant Secretary for Terrorist Financing spoke before Congress on Goals for Major Sanctions Programs a little over a month ago. The three countries of primary focus were: Iran, Russia, and North Korea.

There are more concrete details in his testimony about what the concerns are and how the U.S. is using economic tools to shape less aggressive behavior.

Marshall Billingslea also testified on U.S.-Russia Relations in August.

China appears to be showing up on the radar in a lot of arenas where there is detailed and expert-level evaluation and analysis. For example, there were multiple congressional hearings this last year on China’s behavior and what it may mean; at my early counting the number of hearings was in the double digits. For example, there was a hearing on June 27, 2018 titled “ZTE: A Threat to America’s Small Businesses.” Here is an excerpt of witness testimony from that hearing:

I will start with a story to which I imagine many of you will easily relate. My former boss, House Intelligence Committee Chairman Mike Rogers, first became interested in the activities of ZTE and Huawei not because he was a former U.S. Army officer or Federal Bureau of Investigation (FBI) special agent. Initially, his interest did not even stem from his position on the Intelligence Committee, but because a Michigan company approached him with a problem.

As each of you would do, he listened to that small business owner carefully. As it turned out, Chinese telecommunications companies –ZTE and Huawei – were bidding to build cellular telephone towers in the most rural parts of Michigan, far from population centers like Detroit. This small business owner was happy to compete but said the Chinese telecoms were coming in not just under his price, but under what the materials would cost to build the towers.

That got a former FBI agent thinking: why on earth would they be doing that?

There have also been recent mentions about China’s investments in Europe, including investments in Heathrow airport and media, infrastructure, and industrial companies. This 2:40-minute video from the article discusses the risks such financial positions could pose.

Do you think that the focus on the behaviors of these countries, China particularly, is unreasonable or that it could be handled more constructively?

WeatherNovember 9, 2018 4:20 PM

Timothy
The place I work ordered from China,to make it fit to design spec we had to readjust the angle,the weld sheared off,the local engnnier fixed it,but there are system they use were they will natural undercut, yes I did bring it up,and I think fixed

Clive RobinsonNovember 9, 2018 5:46 PM

@ Timothy,

Do you think that the focus on the behaviors of these countries, China particularly, is unreasonable or that it could be handled more constructively?

I try to maintain a dispassionate eye and study the evidenve available, which is problematic currently.

Whilst I have no illussions that Nation States spy on each other both on government and industry. I'm aware that some tend to get accused of having their fingers in the cookie jar, whilst others lie outrageously and claim a moral high ground they have absolutly no right to.

I'm also aware that nations plan for their own "national security" to replace other nations incumberent industries and that a long list of countries including Israel, Japan, South Korea have sold at cost or below cost to "kill off" another nations incumbent industry, or to get and hold a market. In the later case many are well aware of what inkjet printer manufacturers and games console manufactures do by way of selling "the box" under value and the consumables/games at a very high rate. Thus "selling below value" is an accepted business practice which US and other US friendly nations indulge in against amongst others US citizens.

The evidence against China that you will find is ~90% political rhetoric, ~9% hearsay, and very little or nothing in the way of evidence that would stand up in an unbiased court... (Which with US courts being staffed by political appointees, it's difficult to see how bias could not get in).

That is not to say China is not obtaining US and other western nations IP, but the way they ate doing things is as far as the limited evidence indicates is "sharp practice" not "illegal practice". And the distinction is a quite critical point that people realy should get to understand.

If you search this blog for "China" and "Rare Earth metals" you will find I've been warning against China's "sharp practice" and other activities for some time, so I'm not as some would no doubt claim "a supporter of China" (likewise Russia or North Korea etc). It's kind of sad when having spent time warning and being told I did not know what I was talking about to then later be criticized as a supporter, as some would say "go figure"...

One reason that has been pointed out is that the US alowed US corporates to in effect give China significant IP. The US could have passed legislation at any point in the past decade and a half to stop it but chose not to as it kept share prices high. Now US share prices are being harmed the squawking and political faux indignation has started. Whilst the trade war the US inadvisably started does not appear to be getting anywhere by the lack of reporting in the US MSM...

My interest is primarily in verifiable evidence and the laws of the respective nations and what treaties they have signed upto and honoured. Which is where it can get fun.

For instance South Korea has some very forward looking law to do with not just industrial espionage, but also rights on "digital property" like the objects in games. That is if you steal a "magic crystal" in an online role playing game you are in trouble, their law asigns it real market value thus brings it into the existing "criminal law". Likewise you copy / counterfeit in game objects then likewise you are in trouble. Obviously most other countries do not yet have such legislation or case law for various reasons, that in the US once favoured the practices of large Silicon Valley Corporates.

But the South Korean anti-industrial espionage laws are quite strong as Israel amongst other found out. The US does not have such laws and people should ask themselves why, especialy as their lack encorages "sharp practice" and even industrial espionage. Thus people should ask "Why?" and who has benifited --upto quite recently by the lack of such laws-- in the US.

China like Russia is not short of fine minds and inventive abilities, and thus does invent stuff of their own. That the US has in the past failed to acknowledge and has used it's own court systems, to enforce unsurprisingly, a particular US centric view point. The US now claims, or tries to claim, some "moral high ground" against other countries that are doing a small fraction of what has been done by the US in the past...

Thus we have to ask ourselves a series of moral questions. Such as, if one country A does not recognise the laws of another country B, can country A realy complain when another country C does not recognise A's odd laws within country C's own jurisdiction?

Especialy when Country A has a poor history of honouring treaties it's voluntarily entered into. But screams at another country for not abiding by a treaty it has not signed upto...

Or worse still because it wants to pull out of a mutual treaty, it blaims the other country as an excuse or sop to home politics... The real problem being that the mutual treaty serves neither country any longer due to the activities of a third country C that has not signed upto the treaty...

Thus the third country C is now mass producing weapons, that the two mutual countries, agreed by self interest, some considerable time ago it was unwise to make. Due to proliferation issues and the potential to break the MAD stability.

Now the third country C is making the weapons and the mutual treaty country A signed effectively ties it's hands the MAD stability is effectively lost, and proliferation is one sided. Thus giving country C a lot of unrestrained power, that if it is anything like country A was, it will use it without qualms whilst it has the advantage...

Politics is a dirty game that relies very much on keeping your own citizens misinformed. A quick read of the George Orwell "political play book" 1984, then Machiavelli's earlier "political play book" The Prince, should provide many with an understanding of how their government uses propaganda against them. Then a review of the more contempory "Yellowcake" and "Iraq WMD" political incidents should provide fairly good examples of how they are used in modern times. Oh and have a look at the actual reasons for Stuxnet and how political plays are sometimes done through a third country (the real US target was actually "The Hermit Kingdom" not Iran as such, because Iran gave the most probable attack route that could be used). But also on what is the corporate level. Cambridge Analytica would have made a very good example of "arms length" political manipulation, but sadly just as it started to get interesting and certain American billionaires faces started fitting frames the investigation was killed off. It's been alleged by a number of people that it was on the direct authority of the UK PM Mrs May. With the subtext that it was the US yanking on the "special relationship" chain and shackles...

Which is why I urge people repeatedly to wait for evidence not hearsay and then critically evaluate it before making any judgment calls.

But so far whilst the Ed Snowden trove has indicated that the US are in it way beyond their necks and that various US IC leaders have committed what is from a practical perspective repeated occurrences of perjury. The actual evidence against China for illegal acts is to be blunt so far not evidence but supposition and hearsay.

The US case against China is not helped in International eyes because of the use of "patsy organisations" to make claims they can not legaly justify then claiming it is evidence...

But the problem with that arms length organisations supposed "evidence", is it has a habit of pointing the way the US politico's want it to point, at the current Orwellian "Existential threat". Maybe it's "cherry picking" maybe it's not, it all depends on people and their belief, in the independence of the US MSM and arms length organisations from political "suggestion"...

What happens over the next few weeks will prove interesting. The US media is starting to focus on China and apparently has lost interest in Russia. Arguably because the Russia story is going preciecly nowhere at this point in time... In part because a great deal of what has been previously claimed has now been "debunked" in one way or another, and firther there is nothing going on publically at the moment that can be reported (other than Jeff Sessions resignation, two days ago that gave a little blip and not much since. Which however appears to be causing consternation in some quaters).

However Bloomberg appears set on running "anti-China" stories that like earlier ones are probably going to get debunked. Which brings up the "Doubling down -v- Political influence" debate yet again. The one thing it does not appear to be is "responsible journalism". But then why should people expect reasonable journalism in the current political climate, of apparently "fake news" directly out of the Whitehouse over the "mic grab" incident, and alleged "censoring of journalists" by the withdrawal of a press pass, all after the US President got a little flustered over a question or two...

It just makes a pantomime out of the whole thing where the first casualty is truth... Thus evidence hardly gets to see the light of day or critical analysis it once did in the US MSM...

All of which makes trying to make a reasoned judgment at best difficult if not impossible.

TimothyNovember 9, 2018 11:04 PM

@Clive Robinson

Which is why I urge people repeatedly to wait for evidence not hearsay and then critically evaluate it before making any judgment calls.

You make some very valid points pertaining to evidence, full disclosure, political machinations, and pervasive operating schema. I agree that it is important to consider the situation with a more developed framework that incorporates realistic, nuanced, and global perspectives.

To be more specific and evidence-based, there was an unclassified open hearing this summer that presented specific and documented examples of China’s acquisition of foreign government and private sector research. There were four witnesses for the hearing.

One witness Michael Pillsbury, the Director of the Center on Chinese Strategy at the Hudson Institute, has written a book titled “The Hundred-Year Marathon: China's Secret Strategy to Replace America as the Global Superpower” based on Chinese documents, defectors and interviews.

The second witness Michael Brown, the former CEO of Symantec, co-authored a Pentagon study on China’s Technology Transfer Strategy.

The third witness James Phillips, Chairman and CEO of NanoMech, Inc., testifies: “Not long ago the FBI showed up in force at NanoMech Industries headquarters to report to us they had observed we were the 2nd most hit firewall by the Chinese cyber-militia in the Southern U.S.”

The fourth witness Elsa Kania, Adjunct Fellow at Center for a New American Security, submitted 25-pages of written testimony, 7 of those pages being reference notes, that document the techniques and specific encounters that substantiate illegal, or at least problematic, Chinese strategies for transfering sensitive and strategic technologies.

I concede that this hearing only sheds light on a singular facet of a multi-sided and dynamic situation. I'll have more reading to do and appreciate you providing extensive real-world considerations that anchor the breadth and scope of the forces at work.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.