Friday Squid Blogging: The Future of the Squid Market

It's growing.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on January 4, 2019 at 4:16 PM • 80 Comments

Comments

bttb • January 4, 2019 4:41 PM

@Clive Robinson, Rach El, Faustus
Regarding Hutchins, found on last week's Squid, https://www.schneier.com/blog/archives/2018/12/friday_squid_bl_657.html#comments :

More on Hutchins from https://www.emptywheel.net/2019/01/04/prosecutors-cite-osiris-in-an-attempt-to-resuscitate-dead-law-against-marcus-hutchins/ :

"I’ve been meaning to do an update on a series of filings in the MalwareTech (Marcus Hutchins’) case in which his defense challenged the magistrate’s recommendations, the government responded, and MalwareTech replied. As I’ll get to, those filings reveal a bit more about what the government was really up to in their prosecution of Hutchins.

First, however, I want to look at something the government does in the first paragraph of their response. The paragraph starts with a succinct statement about the case that smooths over a lot of legally suspect moves they make in the case.

[...]

Effectively, Hutchins is on trial for code he wrote years ago, some of it while he was a minor. Because people associated with later generations of that code — with its literal rebirth as a new product — are causing havoc, the government is intent on holding him accountable."

JG4 • January 5, 2019 7:25 AM

Many months ago, I posted a link to Doug Casey's article about Democrats and Republicans treating each other sociopathically. At the time, I noted that it was a feature of human nature, not a bug.

https://www.schneier.com/blog/archives/2015/06/yet_another_new_1.html#c6697808

That work was prescient as it turns out. It is intrinsic human nature to behave aggressively against other groups, which requires a sociopathic bent. Aggressive behavior can be derived from first-principles as entropy maximization, but for today I am content to say that war and political violence predate human history, as illustrated in Murder is a Recent Evolutionary Strategy. Aggressive behavior is the root of the need for security. The inclination to tribal warfare goes a long way in explaining LEO group behaviors. Further proof that they are dirty and always have been.

Joining a Group Makes Us Nastier to Outsiders
https://www.nakedcapitalism.com/2019/01/joining-group-makes-us-nastier-utsiders.html
...
This may help to explain the ubiquity of inter-group violence (Blattman and Miguel 2014) or mutually destructive competition within and across firms. It also strengthens the case for policies to counteract narrow group identities.
...

NakedCapitalism have been running a series on libertarianism, which is interesting to those of us who have quaint notions of rights and freedoms. To get in the right frame of mind to read the series, this is a helpful primer:

L.P.D.: Libertarian Police Department | The New Yorker
https://www.newyorker.com/humor/daily-shouts/l-p-d-libertarian-police-department

The daily security headlines:

https://www.nakedcapitalism.com/2019/01/links-1-5-19.html
...

AI-Equipped Cameras Will Help Spot Wildlife Poachers Before They Can Kill The Verge
...

Data mining adds evidence that war is baked into the structure of society MIT Technology Review (Dr. Kevin, David L)
...

The US and China are in a quantum arms race that will transform warfare MIT Technology Review
...

[@Bruce - conspiracy trigger alert]

Fvnk@WhatTheFvnk
https://twitter.com/WhatTheFvnk/status/1081255126038466560
EXPLOSIVE: @DanKaszeta of @Strongpoint_UK invoiced @InitIntegrity #IntegrityInitiative £2,276.80 in July 2018 during the #Skripal #Novichok affair for writing articles on the subjects of poison gas; nerve agents; treatment; nerve agent persistency & #PortonDown @RTUKproducer
90 likes | 1:24 PM - Jan 4, 2019
110 people are talking about this

‘Integrity Initiative’ – New Documents From Shady NGO Released Moon of Alabama (Kevin W)
...

Big Brother is Watching You Watch

Amazon Says 100 Million Alexa Devices Have Been Sold The Verge. 100 million places yours truly will not go.

The Weather Channel app sued over claims it sold location data NBC. Haha, this is a lovely source of revenue for budget-starved governments. High time someone go after these data-whores in a serious way.

German cyber defense body under fire over massive breach DW

Ecuador to audit Julian Assange’s asylum & citizenship as country eyes IMF bailout RT (martha r)
...

[I am fond of the quote "let them eat yellowcake" - Dick Cheney]

Robots Are Taking Some Jobs, But Not All: World Bank Mercury News. Yet more “Let them eat training.” Will someone please inform the people in power that it isn’t too smart to have the only jobs left in advanced economies for unskilled men to involve carrying a gun?
...

JG4 • January 5, 2019 8:11 AM

Here's a rule you can take to the bank, which dovetails to my previous comment today:

"Every increment of arbitrary power will be exercised to benefit itself first, its friends second, and to disbenefit everyone else."

The psychopathic focus on benefiting itself creates a myopathy of empire that leads to internal decay just as it outgrows the petri dish. The danger of myopic death throes is very real.

"Empire is a machine with gears made of guns and words, driven by greed, amorality and hubris, lubricated with the blood of the peasants, that crushes bodies and souls to make money and power."

I recently wondered when I coined the phrase "empire is a machine." More likely, I had seen it around the web, because it has been around for a long time in various forms. An entertaining web search. In studying my notes, I found that my earliest use was Saint Patrick's Day 2014 via email. It was vague, without form and largely lifeless: "Empire is a machine that crushes bodies and souls," no comparison to the scintillating version from last summer. My first use in this forum seems to be August 2015, when it already had some sparkle:

https://www.schneier.com/blog/archives/2015/08/friday_squid_bl_490.html#c6702784
...
Neurons, brains, people, groups, gangs, companies, agencies, towns, cities, states, governments, and civilizations [all] are adaptive systems. They all respond to neurotransmitters, of which the most powerful is money. Empire is a machine, driven by greed, conflict of interest, amorality and hubris, that crushes bodies and souls to make money and power.

Just for the record, money, alcohol, cocaine and nicotine, casual sexual liaisons and novelty-seeking all involve dopamine receptors.

My quick look around the web revealed that a bot had lifted a 2017 version of "empire is a machine" almost certainly from this blog. An entertaining read, and their use of the content has a good chance of being protected as creative expression. My reuse of my reused content is clearly protected as scholarship. I see Clive's voice in this robotically-stirred word soup. I reproduce the text in full here, because the robot may change it over time, making me look like an idiot. I welcome speculation on the purpose of the bot's activity. My guess is to sell advertising clicks.

Deep sea giant squid
http://skindustry.info/deep-sea-giant-squid/
30.05.2018 | By admin
Filed in: Black And White | Tags: Tree
Which grew to debating the harm quotient of EMF, the only longterm refrence was about protecting farmed fish in British Columbia, polling indicates exactly the same pattern deep sea giant squid the US. Empire is a machine with gears made of elements, its eyes are about a foot in diameter. Distance telephone trunk relay, the deeper our graves we dig.
Because tentacles and arms fall off or, architeuthis is thought to have an extensive nervous system and complex brain. Oh and much much more, i haven’t said often enough that I really like first principles derivations. And various other things that we might do to our bodies with electricity, one point I find a little sad is that JG4’s and a few others “news lists” will be gone. These tentacles are more than twice their body length, except the face.
Nor can I conclusively speak about its length in ells, more Articles by WILLIAM J. We have located 11 further reports in which adult and subadult specimens have been described, and thus despite previous statements to the contrary, there’s the matter of spam and abuse.
© 2018 Copyright Animal Kid - All rights reserved.
QuickStrap Theme powered by WordPress

Faustus • January 5, 2019 9:54 AM

@ JG4

"Years ago, a central banker killed my partner. "

The story Libertarian Police Department is very funny. But it is skewering a view of libertarianism that no one holds. Putting coins in everything is funny but it had been done decades before in PK Dick's Ubik. And libertarians are obsessed with private property: they'd be unlikely to be renting everything they use coin by coin. They wouldn't have their cherished private property rights.

Still, it wins today's funniest straw man argument. So far. And the day is young.

May I suggest a story about an aggressive investment house fronted by a supposedly capitalism critical news site, entitled NakedCapitalism Wears No Clothes? You don't even need to misrepresent anything for it to be funny. The fact that NakedCapitalism is taken seriously by more than 3 people is funny enough in itself. (The secret sauce is conformation bias.)

"Simmer down now, Faustus!"
"Yes, Satan. Please forgive me. I didn't realize you were a principal at NakedCapitalism, but with ten seconds thought it should have been obvious!"

MikeA • January 5, 2019 10:18 AM

@faustus: "conformation bias" works for me. We are biased to conforming, especially when the choice of actions boils down to "Smile at Dear Leader" or [redacted]

Faustus • January 5, 2019 11:24 AM

@ JG4

I read some of the Naked Silliness "series" on "libertarians".

You seem like a smart guy. You do realize that one example of a group does not speak for the group?

You can't blame all Jews for the crazy idea of one Jew. One failed democracy does not mean democracy has failed. One bad book by a libertarian does not speak about libertarianism as a whole.

Libertarianism is not monolithic. Check out reason.com if you are actually interested in the range of ideas a lot of libertarians embrace and their understanding of how everybody is benefited by them.

You will find criticism of politicians and some corporate titans, but I have never noticed the poor or the intellectually challenged being treated in the offensive way indicated in Naked's - what to call it? - in Naked's emission.

Clive Robinson • January 5, 2019 12:27 PM

@ Jumping Frog,

    Jumping Frog

Now don't be a Chicken Little, the sky is not going to fall in due to that for a very long time. By which time mankind will probably be extinct as we currently know us, probably by our own stupidity.

Hey it's just the way things are, put somebody in a room with a chair, a bed and the other comforts of home etc and a big red button on the wall with a sign above it saying "Warning Do Not Press Except In Emergency" you know what's going to happen, it's not a question of "if" but "when" it gets pressed...

Supposedly God tried this test with Adam and Eve, and look where it got us ;-) Trust me on this though, there was no serpent there, that's just somebody making excuses as in a six year old saying "they made me do it"...

Bod Dylan's Dangling Modifer • January 5, 2019 1:19 PM

http://www.santafenewmexican.com/news/health_and_science/detecting-depression-phone-apps-could-monitor-teen-angst/article_eb2a22b5-bcd3-5777-96ba-b16b4d84c8f7.html

The latest fear tactic to justify the expansion of the surveillance state is "teen depression".

http://www.santafenewmexican.com/news/local_news/a-year-later-police-unlock-phone-that-might-hold-evidence/article_ce323654-e0b6-5a28-a632-8e086dd9ab16.html

According to a search warrant affidavit filed Dec. 26, 2018, in state District Court, state police were unable to access Sanchez’s locked phone during the initial investigation. Thanks to new technology, the affidavit says, officers were finally able to unlock the phone and search its contents for evidence that someone else might have been aware of the crime or even involved.

Does anybody have any idea what this "new technology" might be?

Faustus • January 5, 2019 1:34 PM

@ Wael

A 6th social policy alternative: Lottery - assigning benefits and/or costs by lottery.

One could argue that life is a lottery: We are randomly assigned talents and deficits and families. But it only happens once in a lifetime. What about reassigning some good things and bad things (within possibility and sense) every year or every five years? It would put everyone in the same potential boat and would encourage fairness in that early good luck or bad luck could be reversed. A non-Predator/Prey alternative.

gadfly • January 5, 2019 2:52 PM

@Faustus
"life is a lottery"

The most succinct capture of one of my long-held beliefs. Thank you.

Clive Robinson • January 5, 2019 3:08 PM

@ Alyer Babtu,

    for an extra fee, a blue button to get things back to the way they were.

The universe is neither as avaricious nor as forgiving as Daffy Duck. So there will be no "blue button" or for that matter Matrixy "blue pill" option...

FantasyIdealismIncarnate • January 5, 2019 3:08 PM

"Libertarianism is not monolithic."

Crack appeals to a diverse crowd of hopeless addicts.

gordo • January 5, 2019 4:26 PM

This is kind of like "people's choice" and "critics choice" for "word of the year." Here are a couple of those, one of each.

---

The People’s Word of 2018
On November 29, 2018 By Cambridge Words In the English language

nomophobia noun [U]

fear or worry at the idea of being without your mobile phone or unable to use it

https://dictionaryblog.cambridge.org/2018/11/29/the-peoples-word-of-2018/

https://dictionary.cambridge.org/dictionary/english/nomophobia

Related news stories:

https://www.independent.co.uk/life-style/nomphobia-word-of-the-year-2018-cambridge-dictionary-smartphone-anxiety-a8705106.html

https://mentalfloss.com/article/569522/nomophobia-cambridge-dictionary-word-of-year-2018

---

There are, no surprise, many organizations that select a "Word of the Year." For the English language it looks like the American Dialect Society [ADS] has been at it the longest, since 1991.

https://en.wikipedia.org/wiki/Word_of_the_year

https://en.wikipedia.org/wiki/American_Dialect_Society#Word_of_the_Year

---

“Tender-age shelter” is 2018 American Dialect Society word of the year
January 4th, 2019

In its 29th annual words of the year vote, the American Dialect Society voted for tender-age shelter (also tender-age facility or tender-age camp) as the Word of the Year for 2018. The term, which has been used in a euphemistic fashion for the government-run detention centers that have housed the children of asylum seekers at the U.S./Mexico border, was selected as best representing the public discourse and preoccupations of the past year.

https://www.americandialect.org/tender-age-shelter-is-2018-american-dialect-society-word-of-the-year

In addition to the "Word of the Year" category, "Tender-age shelter" also tops the ADS word category: "Most Euphemistic."

Faustus • January 5, 2019 5:46 PM

@ Fantasy

"Crack appeals to a diverse crowd of hopeless addicts."

I'm curious why people post these incomplete attacks. Is that all you have? Or do you have a full idea to share but you are too shy? Or too lazy? Or just lack confidence?

Try it out: Libertarians are like hopeless addicts because ... _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ (fill in the blanks; use more as needed.)

Faustus • January 5, 2019 6:07 PM

@ Gadfly

Cool! You're welcome. This is part of a cross-thread endeavor to identify alternatives to a society based around predator/prey options (coerce, kill, imprison). So far alternative options are forgive, apologize, and lottery.

This search-oriented strategy was inspired by the novel solutions that my AI produces by having different built-in assumptions than we generally do as human animals. A general, quasi-abstract search of the option space hopefully will avoid some human assumptions.

Clive Robinson • January 5, 2019 7:03 PM

@ Rach El,

    It's about the problem with the TSA

Hmm "problem singular"...

I guess that would be that "The TSA exists". I suspect I'm not the only person who thinks,

    Whatever the rational solution to aviation security is, the TSA is not it.

The TSA is a fine example of US tax dollars being used most inappropriately...

Clive Robinson • January 5, 2019 7:36 PM

@ Gordo,

I don't know if you know who Stephen Fry is?

However when you quoted,

    nomophobia noun [U]
    fear or worry at the idea of being without your mobile phone or unable to use it

I was immediately reminded of a comment he made some years ago on the quiz program QI.

He commented that the Germans don't call mobile phones mobiles or phones but "handies", and then commented how sweet it sounded and did a very passable,

    Wo ist mein Handy

As for the US word of the year, what can I say other than I am appalled at what has been reported as going on in those camps. I actually feel sorry for the ordinary US citizen, finding out what is in theory being done in their name. I thought the detention centers in the UK run by Group 4 Security (G4S) and similar private companies were despicable beyond measure and completely unacceptable in a humane society, and took the time to go to protests about them. It saddens me to see we have in the UK set the wrong example for other governments to follow, and that citizens in other nations now feel that they too have to protest about such places.

Clive Robinson • January 5, 2019 8:08 PM

@ ALL,

Speaking of Germany and mobile phones and other electronic data.

It appears that various politicians and personalities in Germany have had some of their communications leaked to the public over December and the New Year. However the German Federal department responsible (BSI) for notifying people appears to have been somewhat tardy, and those affected have been finding out through the media...

It's been noted that there are no "Far Right" people that have had their communications leaked. Thus various people are blaming far right activists in Germany and Russia.

Unsurprisingly who is actually behind the disclosures is not currently known (publicly). So such attribution is at best knee-jerk posturing. Hopefully there will be some credible evidence presented in court, if the authorities can actually progress that far.

gordo • January 5, 2019 9:28 PM

@ Clive Robinson,

I do recognize Mr. Fry from 'V for Vendetta'.

Regarding my country's inhumane and criminal treatment of families along the southern border in the form of family separations, detention centers, and child deaths, I can't say I've been out protesting or done anything more than share my opinion and look on in sadness. In that way I suppose I'm like most of the apparently two-thirds of Americans who oppose the policy. I've not met anyone who's agreed with it.

As it's now turned into a blame game in Washington, one can only hope that true progress is made reuniting families, stopping the separations and detentions and caring for the children.

65535 • January 5, 2019 10:45 PM

@ Rach El and Clive Robinson

I have to agree with you.

Rach El’s link does point to some serious and very dangerous problems with the US government’s TSA.

“The TSA is a fine example of US tax dollars being used most inappropriately...”-Clive R.

I am beginning to see the TSA as an "Un-employment to Full Employment" project of the US government. The TSA’s budget should be reduced by 40% and the money spent on more productive things.

I note:

“…in 2009 that lawmaker trips abroad at taxpayer expense had included spas, $300-per-night extra unused rooms, and shopping excursions. Lawmakers respond that "traveling with spouses compensates for being away from them a lot in Washington..." and justify the trips…”-Wikipedia

Ht tps://en.wikipedia.org/wiki/United_States_Congress#Privileges_and_pay
[Links broken for safety]

I wonder whether actual US Congressmen and US Senators, including their staff, get the TSA “pat-down” treatment? Probably very few. Anybody have some actual numbers?

How do Congressmen get through the TSA cattle lines? Do they have a no-pat-down list which is given to the TSA? A segregated tunnel? Possibly a small badge on their clothing?

It is alarming that US Congressmen and Senators get lush six-figure salaries, and more irritating to hear these Government Officials get huge travel expense packages.

“…costs are eye-popping. In 2016, lawmakers and their staffers booked at least 557 commercial flights costing $10,000 or more. Last November, a six-day trip to Australia, Indonesia and the Philippines by three staff members on the House Armed Services committee cost more than $105,000 in airfare alone. Earlier this year, two Senate staffers flew commercial to South Africa on behalf of the Committee on Small Business and Entrepreneurship. Transportation costs were $48,460.24…” -Bloomberg

ht tps://www.bloomberg.com/opinion/articles/2017-10-26/put-congress-on-a-travel-budget

A reduction or complete shutdown of the TSA may be needed to see how effective they are.

Alyer Babtu • January 6, 2019 2:08 AM

@JG4

    It is intrinsic human nature

Aggressive behavior, group/gang assimilation and transformation etc. are not intrinsic to human nature. Rationality is. Every action has been submitted to reason before it is taken.

Reason may be subverted by error anywhere between senses and intellect, and we can with full appreciation of the real state of affairs lie to ourselves and choose in a disordered way. But these are defects, not part of our nature.

The psychological studies cannot be claimed definitive because the sample population may have been preconditioned essentially by modern preoccupations and education which blunt reason’s functioning in the individual. The situation is analogous to the intellectual state of people coming to the West from the old Soviet regimes. They said they knew that system was wrong, but had by their system of education no words, i.e. no concepts, to express a rational understanding of the situation.

J • January 6, 2019 2:47 AM

I've wanted to ask this for some time, so here goes. When Mr. Schneier says "What can I say? I just like squid" does he mean:

a) Swimming freely in the ocean, enjoying life and making lots of little baby squid;

or

b) Lightly grilled, and served with sprigs of cilantro and a piquant dipping sauce on the side;

Or both?

J.

Clive Robinson • January 6, 2019 6:00 AM

@ Bruce and the usual suspects,

As many people are aware there is an ongoing and escalating war between "The Crooks and the Catchers" when it comes to malware.

In a way it's the Cyber version of the old EM, ECM, ECCM battle only it's got to the Nth degree on the Internet between the crooks malware etc and the Catchers AV etc.

Well there's a new wiggle in town. Whilst quite simple, its new tricks with character encodings[1] are likely to be taken up by others until an extra "Counter Measure" gets added to the Catchers' tool set,

https://www.proofpoint.com/us/threat-insight/post/phishing-template-uses-fake-fonts-decode-content-and-evade-detection

[1] @Wael and Ratio, it looks like a rework of your character encoding games only simpler.

Clive Robinson • January 6, 2019 7:20 AM

Another Side Channel to Worry About.

If it were not for the serious security implications this would just be jolly good fun.

First a little history, in times long past half a century ago, in the days when mainframes ran "batch jobs" and had clock speeds down in the kHz range, you would often find as a "debugging aid" an AM radio on or next to the "operator console". The reason is the CPU activity could be picked up on the AM radio as a series of clicks, buzzes and tones as a program ran. Tones were made by loops, buzzes often by I/O and clicks by the CPU waiting on input. As an operator a long tone was indicative of a program getting stuck in a loop etc.

Well at some point somebody started to write fun little programs that played jingles and melodies as amusement.

Spring forward to this century and Software Defined Radio (SDR) started to become practical without dedicated DSP chips. What really got things going was the "RTL-Dongle" that was meant to receive FM Broadcast and UHF Television, but it turned out the chip could receive just about everything from 10MHz to 1.5GHz, all for around $10...

Whilst that was a receiver there is another side to SDR which is that of a transmitter. Slightly more expensive dongles can also produce 0 dBm to +20 dBm of transmitter signal, which with just a length of wire and the right VHF/UHF signal can be received at 100m to more than 10km away from the dongle.

If you look back over this blog you will find that when I've talked about TEMPEST/EmSec and side channels I've said all you need is a serial data signal that you can modulate in some way, such as timing jitter etc.

Which brings us onto this,

https://hackaday.com/2018/12/06/your-usb-serial-adapter-just-became-a-sdr/

What Ted Yapo has done is just that. He has taken an ordinary USB-Serial dongle and used the serial data signals to radiate out a lowish frequency carrier wave. That, like the CPUs of half a century ago, can be modulated to play music or in Ted's case control a 27MHz Radio Control car.

Whilst something similar has been done with USB 3.0 to VGA adapters they are not very common as dongles, and many people won't have seen them. However the USB-Serial dongles are so ubiquitous that there is a very serious market in counterfeit FT232RL chips[1].

From a security perspective, if you can control an RC model car up to 10m away then it is going to be fairly easy to send a low bandwidth data signal two or three times that range with more than sufficient bandwidth to leak KeyMat for AES or PubKey etc[2].

It's just another useful "air gap" crossing trick for attackers and yet another thing to remember and to check for when trying to set up a secure system. It's why up to date security specialists should not just know quite a bit about SDR, they should also carry suitable kit in their tool box to not just find such tricks but also put preventative measures in place[3].

For security professionals you need to be up on RF and complex modulation systems from software. The "steed has left Pandora's horse box" on this and it's no mule, it's a full on racing thoroughbred. We will see more and more such attacks work their way down from clued-up hackers down to the likes of the SigInt agencies and maybe the academics in the next year or so. After all why go to all the trouble to make and install "hardware implants" when you can "re-purpose what's already there"... It's way more stealthy and with a little care very difficult to find (look up LPI and DSSS systems, all of which are simple software mods).

[1] Quite a few people will remember the howls of protest when FT quite deliberately changed the FT Driver code sent out with Microsoft updates that stopped so much external hardware working... They were forced into a climb down much to their understandable disappointment.

[2] To see what is truly possible with SDR have a look at the Amateur Radio FT8 slow data mode that gives something like +30 dB over morse code, which can give you over thirty times the reliable path length to operate over. Thus if you can get the FT232RL to transmit it you are looking at over half a kilometer or around a third of a mile range...

[3] One thing I would recommend is all "security specialists" get their full Amateur Radio / HAM certification. Much of what you have to learn in the more advanced levels will teach you the things you need to know. Likewise following what some areas of Amateur Radio experimentation are all about will help you "think hinky", which will put you quite a ways in front of those also-ran security bods...

Faustus • January 6, 2019 8:08 AM

@ Alyer Babtu

"Every action has been submitted to reason before it is taken."

Do you have any evidence for this, or is it simply an assertion? It is contrary to psychology and evolution.

Since you say

"The psychological studies can not be claimed definitive because the sample population may have been preconditioned essentially by modern preoccupations and education which blunt reason’s functioning in the individual."

you are basically making your statements unavailable to falsification. (Besides the fact that preconditioning is exactly the kind of end run around reason you say does not exist.)

Statements that cannot be falsified are not scientific statements. Which is fine. I make spiritual statements all the time that are not amenable to scientific testing. But I do not find that your contentions re reason correspond to my perceptions, nor human history.

JG4 • January 6, 2019 8:32 AM

@Faustus - I appreciate the discussion and the gentle needling. I'm already on the record in pointing out that whatever the flaws of NC are, that their headlines are tainted unavoidably by media "bias." They come closer to undoing that bias than anyplace else in the US that I've found (other than this forum), but I'm open to suggestions. I'm also on the record as being a recovering rabid libertarian. I still have quaint notions of rights and freedoms, including the right to life, liberty and the pursuit of happiness by the Zen path of buying plastic junk from Walmart's re-education camps that is poisoning the earth. I still lean libertarian and have a lot of a priori assumptions that are deeply libertarian. Try this on for size, "Freedom is being able to do it for yourself." Whether it is the right to grow food or the right to self-defense. Or the right to repair, including the right to improve. Or the right to build secure systems that robustly defend your other rights. Or the right to practice amateur radio and build experimental aircraft. We also have a collective right to not be poisoned, which has been trampled by a variety of actors in pursuit of money and power. Externalities in the usual framework. This is a remarkable exposition of a libertarian framework as well as teaching how to think for yourself and act defensively:

https://www.epsilontheory.com/clear-eyes-full-hearts-cant-lose/

We can categorize each stripe of libertarianism by the a priori assumptions they make and any structural or logical flaws (and/or useful innovations) in their path from assumptions to policy recommendations. It will be possible to develop system models that predict outcomes given certain a priori assumptions. You can bet your last dollar and any that you can buy on credit cards that the banks and data brokers have some of the best models of mass behavior ("wetware") in the world. And that the events of the past 20 years didn't happen by accident. In spite of Ben Hunt's gentle critique of their incompetence. In much the same way that security is a system (and a process for modifying that system). Science also is a self-modifying system, adaptive if you like. Shannon was the one who foresaw that systems of arbitrarily high reliability (security) could be built from components of arbitrarily low reliability (even backdoored ones as it turns out). I haven't seen any indication that he foresaw backdoors in processors and telecom gear, but he must have heard about the hi-jinks by Captain Crunch, Steve Wozniak and other phreakers, given his close connections to Bell Labs. Clive (and others) regularly point out that the assumption of endpoint security on any consumer device is flawed. We can go a step further and say that a lot of critical infrastructure, including atomic weapons, are poorly conceived systems, at least from the point of view of security. We might point out some flaws in certain flavors of libertarianism that have led to poisoning of the planet by unfettered capitalism.

I'm sorry that I wasn't the one to post this, but it is instructive in how a combination of the right to self-defense and the right to build model aircraft ends:

https://www.schneier.com/blog/archives/2017/11/friday_squid_bl_602.html#c6764925

I did follow up with Stuart Russell:

https://www.schneier.com/blog/archives/2017/11/friday_squid_bl_602.html#c6765004

I still want to be Leo Szilard when I grow up. If they don't put a bullet in the back of my head for regularly calling bullshit on the liars, thieves and murderers.

https://www.nakedcapitalism.com/2019/01/links-1-6-19.html
...

Sisterhood of spies: Women now hold the top positions at the CIA NBC. Shattering the glass ceiling by leaning in with the electrodes, eh Gina?

Can a set of equations keep U.S. census data private? Science
...

Big Brother Is Watching You Watch

Should we think of Big Tech as Big Brother? FT (DL). Throwing a flag on the Betteridge’s Law violation, here. “Surveillance capitalists are not only able to monetise our data but can also use it to predict our behaviour and thereby modify it. In mechanical terms, they are no longer just sensors but actuators.”

Curbs on A.I. Exports? Silicon Valley Fears Losing Its Edge NYT. You say “stunt the [AI] industry in the U.S.” like that’s a bad thing.
...

roberts robot doubleJanuary 6, 2019 8:44 AM

@ Ayler Babtu

>> Reason may be subverted by error anywhere between senses and intellect, and we can with full appreciation of the real state of affairs lie to ourselves and choose in a disordered way. But these are defects, not part of our nature.

You are correct up to the last sentence.

The defects actually *are* a part of our inherent human nature, my friend, and it is our default configuration. As such, it is also within our human nature for us to be able to, by striving in concert with our Creator, overcome our shortcomings and self-evolve ourselves out of mammalian competition into human cooperation across all those artificial divisions we have constructed, such as form of religion, ethnicity, and sexual orientation or identity. That self-evolution, however, requires engaging our free will to choose to ascend beyond our base impulses to divide ourselves and conquer others.

One of our primary impediments to achieving unity of compassion and true justice is that most cultures on Earth are mammalian in nature, i.e. they promote pack/gang warfare. In most of the world this resolves to class warfare, whether it is America's capitalists' classism or the Nazis' super- and sub-humans, it is really just our mammalian physical heritage (especially brain and sexual structures) amplified by our abilities to think abstractly, plan, communicate and make tools.

Ultimately, all human endeavors (and the human beings participating in them) can be judged by whether their ideals and goals apply only to themselves at the expense of or in callous disregard to the needs of others, or whether their ideals seek to selflessly uplift all human beings towards a state of equal happiness, which requires curtailing our abuse of the Earth today out of compassion for Earth's future generations. The mindless, voracious capitalism and fights among super-egos is literally destroying the Earth and imparting misery on the subjugated masses.

Obviously, such selfless idealism is thin on the ground in 2018, but that is because our mammalian heritage is physically a part of us and thus permeates our minds, attitudes, emotions and societies. Our current level of stunted, destructive, selfish development is riddled with a disease we don't even acknowledge exists, and how can we, when we don't understand our nature, which is obviously required to take the steps required to effect the cure?

[ @ ALL

In deference to our gracious host's desire for us to take such discussions of 'Epistemology and Metaphysics' to another place on the web, I set up a Kinja account for such discussions and seeded a discussion topic HERE. Kinja allows the easy set-up of 'burner' accounts that require nothing but a unique user name and that you remember the key (if you lose the key, you lose control of the account). Sure, we here at SoS understand that other, more subtle, tracking is intrinsic to the modern web, but the Kinja folks have created a decent system. If there is any other place someone suggests we take such E&M discussions, I am open to such suggestions.

Thanks again, Mr. Schneier, but they started it, Dad ;-)
]

Clive RobinsonJanuary 6, 2019 8:59 AM

@ Usual suspects,

A number of us do not like all in one monolithic kernel OS's like the majority of "Commodity Computing OS's" such as BSD, Linux and Microsoft and Apple offerings.

One reason for this is security. Monolithic kernels have a massive surface, thus a significant complexity wherein lie many attack vectors, where just one success gives the keys to the kingdom.

Well there are other options which is a surprise for many. One of which is HelenOS,

http://www.helenos.org/wiki/FAQ

Which has just announced its 0.8 release. Yes it's a University OS which is both good and bad. But does mean it's more likely to be around for some years to come.

But another perceived issue with commercial computing OSs is "bloat"...

I've given up on MS after XP thus cannot tell you off the top of my head just what is needed for the latest Win10, but it's likely to be immense. Likewise Apple and to a certain extent Linux and BSD.

However both Linux and BSD can be stripped down a lot such that both will run on quite small and very inexpensive microcontrollers.

One stripped down Linux many will have heard of but not thought of as a usable "user system" is OpenWrt. It has a very small footprint and is a good place to start looking if you want to build your own IoT or Wireless microcontroller project as it supports about fifty platforms many of which you can pick up second hand including 486DX motherboards for peanuts so you have no worries about experimenting on them,

https://openwrt.org/docs/techref/targets/start

The downside is OpenWrt is designed to run headless which means you need "terminal access" be it an actual terminal, telnet/ssh or web browser. So for the slightly more advanced. But if you can hack HTML etc then you can make "network servers" quite easily.

If you feel you need more than Web or CLI access then another project for Intel/AMD platforms from 486DX upwards, Raspberry Pi and ARM7 is TinyCore Linux,

http://www.tinycorelinux.net

When the Damn Small Linux (DSL) team imploded three of them set out alone and Tiny Core in its various forms is the result.

It runs out of RAM which makes it a whole lot faster, and also reduces wear on any Flash ROM storage you might be using. I know a couple of people swear by it for use on their Raspberry Pis and various Amateur Radio programs because it runs quite a bit faster than other Linux Distros for the Pi.

Then if you've an old 486DX hanging around with sufficient RAM and a couple of DVD drives (possibly not) or one of the new 486 clones as the patents etc have expired then there is the old faithful all singing all dancing "live-DVD" Knoppix,

http://knopper.net/knoppix/index-en.html

However like others I've noticed a few problems with the latest version which suggests the maintainer needs to be doing a little "spring cleaning" on their build system to fix links etc. Being a mainly CLI user that's generally not an issue for me, however it probably will be for those newish to Linux.

I won't go into the stripped down BSDs but in general they have been easier for Product Engineers of FMCE and other Commercial offerings, not just because they are "more traditional" but because the licensing issues are usually acceptable whereas those for Linux tend not to be...

roberts robot doubleJanuary 6, 2019 9:11 AM

@ Faustus

>> This is part of a cross thread endeavor to identify alternatives to a society based around predator/prey options (coerce,kill,imprison). So far alternative options are forgive, apologize, and lottery.

The key is to self-evolve ourselves and our societies from animalist competitive dynamics to humane cooperative dynamics. Achieving humanity requires forgiveness (for we have all made mistakes) and apologies (for they are a means to self-evolution), as well as compassion and generosity for those in need.

But the idea of a 'lottery' is repugnant to me in general, although it could be useful for dispersing limited 'extravagant' resources fairly. Our resource distribution, when dictated by compassion, must be needs-based but certainly can be constrained for those who act belligerently towards others (i.e. those who choose to not self-evolve beyond their violent divisiveness). That said, given the horrific oppression of the poor since forever now, some redistribution of wealth needs to happen for peace to be established within some semblance of the current system.

[[ I have set up a Kinja account and initial topic for such discussions (it should be my URL now) so as to honor our host's wishes that we take such discussions to another place on the web. Kinja is easy to set up (just needs a unique id and for you to remember the key after solving some captchas) and the comment system is pretty decent. If you have any other suggestions for where we can take this, I'm open to continuing this elsewhere. Cheers, my friend. Peace be with you. (Note that my Kinja account will never have any monetary incentive for myself.) ]]

FaustusJanuary 6, 2019 9:25 AM

@ JG4

I appreciate your answer. I am on the run right now so can't parse everything.

I think Naked Capitalism is a fraud. Every article should note its conflicts of interest but does not. A fair argument against libertarianism or anything addresses its best points, not the silliest exposition one can find.

Libertarianism to my mind is not really all those long winded positions. It is simply the prioritization of freedom, choice and responsibility.

Until everyone is willing to admit their part in our social problems - and we are all implicated - then libertarianism is the best protection against mobs and charlatans who will take a problem and simply make it worse while awarding themselves power and accolades.

I don't think a reasonable actor, the libertarian ideal, would leave people in suffering or hopelessness, if only for self interest.

FaustusJanuary 6, 2019 9:28 AM

@ Roberts

Thanks! Right now I am just identifying options, not assessing them.

FaustusJanuary 6, 2019 12:48 PM

@ Roberts

Kinja seems great. Their burner accounts protect privacy. Good stuff!

I am on the move. I'll do some elaboration on kinja soon.

Thanks for setting up the off blog option.

Clive RobinsonJanuary 6, 2019 1:14 PM

@ gordo,

I can't say I've been out protesting or done anything more than share my opinion and look on in sadness.

All things considered it might be best if you stayed that way. It would appear the US has some quite nasty legislation that any sitting President can use to "attack" all manner of humane behaviour in US citizens should the sitting President decide to call a "National Emergency". To see what some of them are you might want to read this article from the Atlantic,

https://www.theatlantic.com/magazine/archive/2019/01/presidential-emergency-powers/576418/

Remember although the author, Elizabeth Goitein is clearly trying to incite by the continued use of "Trump", what has been written applies to any sitting president current or future...

Until, that is, Congress gets its act together and fulfils its legal obligations which it has singularly failed to do with respect to enacted emergency powers in our life times.

It is something the author, whilst indirectly mentioning, noticeably skips around calling Congress out on, for whatever reason.

That is how the article comes across to a non American without any real skin in the game, so I'm not going to get into that aspect any further.

The main point however is to see what fairly nasty legislation Congress has provided a POTUS with over the years and how easy it would be for an ordinary US citizen to fall afoul of them.

gordoJanuary 6, 2019 2:22 PM

@ Clive Robinson,

Setting aside the general chaos of an abject, worst-case scenario or power grab, my only question regarding emergency powers granted the executive by the legislative is whether the legislative has sufficiently immunized itself from overthrow, "at the stroke of the pen," by the executive.

Clive RobinsonJanuary 6, 2019 2:25 PM

@ Bruce,

One to add to your folder on "security and games".

https://github.com/jes/chess-steg

However unlike the usual stuff about catching cheaters, this is about steganography. That is encoding data in the moves of a chess game, by first converting the data to a single number then using the number to produce the moves in the chess game.
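
As an added illustration of the number-to-moves encoding described in the comment above (example code, not from the chess-steg project): the message becomes one big integer, and at each ply the count of legal moves is the radix, so the next base-r digit picks the move. The legal-move generator here is a constructed, deterministic stand-in (a real implementation would use a chess move generator such as python-chess's Board.legal_moves), and the 0x01 prefix byte that preserves leading zeros is an assumption of this example, not a detail of the project.

```python
"""Mixed-radix steganography: hide bytes in a sequence of "moves".

Added example; not code from jes/chess-steg. The move generator below is a
constructed stand-in so the example runs offline: it only needs to be a
deterministic function of the game so far, which is exactly what a real chess
move generator is, so encoder and decoder always derive the same candidate
list when they replay the same history.
"""
import hashlib

FILES = "abcdefgh"


def legal_moves(history):
    """Constructed stand-in for a chess move generator.

    Returns a canonically sorted list of 3..12 distinct pseudo-moves derived
    from a hash of the moves played so far. Radix is always >= 3, so encoding
    always makes progress (a radix of 1 would loop forever).
    """
    digest = hashlib.sha256("/".join(history).encode()).digest()
    count = 3 + digest[0] % 10
    squares = [f + r for f in FILES for r in "12345678"]
    moves = []
    for i in range(count):
        # popping guarantees distinct names; digest has 32 bytes, count <= 12
        moves.append(squares.pop(digest[1 + i] % len(squares)))
    return sorted(moves)


def encode(data):
    """Turn `data` into a move list.

    A 0x01 byte is prefixed (assumption of this example) so that leading zero
    bytes survive the bytes -> int conversion. Each ply consumes one mixed-radix
    digit, least significant first; the game stops when the number is spent.
    """
    n = int.from_bytes(b"\x01" + bytes(data), "big")
    history = []
    while n:
        moves = legal_moves(history)
        n, digit = divmod(n, len(moves))
        history.append(moves[digit])
    return history


def decode(history):
    """Replay the game, re-derive each ply's candidate list and read the index
    of the move actually played as that ply's digit. Trailing moves with index
    0 are harmless (they are leading zeros of the number)."""
    digits = []
    prefix = []
    for move in history:
        moves = legal_moves(prefix)
        digits.append((moves.index(move), len(moves)))  # ValueError if illegal
        prefix.append(move)
    n = 0
    for digit, radix in reversed(digits):  # most significant digit first
        n = n * radix + digit
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 0x01:
        raise ValueError("move sequence was not produced by encode()")
    return raw[1:]


def bits_per_ply(history):
    """Capacity at this position: log2 of the number of candidate moves.
    Low-radix positions carry little, which is why such covers are long."""
    import math
    return math.log2(len(legal_moves(history)))


if __name__ == "__main__":
    game = encode(b"squid")
    print(len(game), "plies:", " ".join(game))
    print(decode(game))
```

Because every move is forced by the payload rather than chosen for the position, a detector with the same generator can recompute the implied integer and test whether the "game" looks like play or like data.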

FaustusJanuary 6, 2019 2:41 PM

@ Clive

You seem to abhor the United States, not without reason, but Britain and the surveillance and censorship and lack of rights strike me more.

Here is an interesting article on Britain's nanny cams: https://medium.com/s/story/inside-the-city-that-spies-on-you-84b71534309e?source=elevate-recirc

Of course in this case everyone is a child and your time out may be in a lock up.

On the upside, it does seem that the nannies have tight rules against using the cameras for ogling and such. There is an ombudsman watching out for the public.

And I admit I do feel safer being an American at a distance from America and its politicians' authoritarian wet dreams.

Clive RobinsonJanuary 6, 2019 2:51 PM

@ gordo,

... is whether the legislative has sufficiently immunized itself from overthrow, "at the stroke of the pen," by the executive.

Based on the little I know, the answer appears to be "no" because Congress leave themselves liable to the often capricious whims of SCOTUS, who in turn can be brought under the whim of the executive in various ways.

Clive RobinsonJanuary 6, 2019 4:56 PM

@ Faustus,

You seem to abhor the United States

The United States exists in many parts, much of which I like.

However I have a loathing for self interested politicians and corporate psychopaths, of any country irrespective of where they place themselves on the political or business spectrums.

Longish term readers of this blog will have seen me make fairly scathing observations about the politicians of many nations and occasionally their corporate leaders. The United Kingdom and Northern Ireland get the same treatment as any other nation. I am as far as I am aware fairly impartial about it.

But like most others I can only comment on what I've been informed about. Whilst I try to cover several bases for news etc, often little is said about the rest of the world outside of Europe with the major exception of the US, which kind of forces itself in front of many people's eyes via their MSM which I suspect many US readers here know has various political slants.

Which brings us to the point about the difference between slants and bias. A slant can be seen as by editorial decisions which reflect in the numbers of articles. Bias however is more usually found in individual examples.

As I noted about the article the author of it repeatedly used "Trump / President Trump" when it would have been more appropriate to use "sitting president". Because at some point all Presidencies end and new Presidents replace them. Unless other things change, that will remain true indefinitely, from now until Congress make changes.

But the author also used "liberal democracy" instead of "democracy" which again is a quite deliberate bias.

The sad thing is if you strip the author's surface bias out, the actual legal message which is the important point becomes effectively timeless until Congress finally gets its act together. Which might be never. So for whoever is the next sitting president the same will be true as it is for the current president and a number of his predecessors.

But please don't make the mistake of thinking I'm in favour of the current president or any other member of the administration or politicians in both houses. I'm mostly indifferent to them, with the exceptions I apply to all of their ilk irrespective of nation or party. Those being,

1, Their behaviour has sunk significantly below some acceptable norm.

2, Their actions have a bearing on me personally, which increasingly they do.

The problem I've got with that article in particular is that underneath the obvious bias there is quite a bit of worthwhile information. But because of the bias I have to issue a health warning.

Likewise as you will appreciate from events of a few days ago, I have referred to the writer of the article in the abstract as "author" and have given their name only once. Again this is because I want the worthwhile parts to be read without any side swipe accusations distracting from that.

With regards the article you link to it has a picture of a Banksy Painting that was actually worth around $250,000 at the time. Which Westminster Council wantonly destroyed under a very fake and unjustifiable excuse of “an unlicensed commercial” (to be a commercial it would have had to have recognisably been pushing a product, for commercial reasons which it clearly was not).

But also around the time of the painting if memory serves me correctly the UK had around "20 times the amount of cctv of any other nation", which had an odd symmetry with the US that at that time had around "20 times the amount of weapons of any other nation". A statistic I suspect Banksy was well aware of.

But that statistic belies the reality of the situation. If you look back on this blog you will find I've made quite a few comments about CCTV and not just its effective uselessness for stopping crime, but the reality of what is in effect the inability to avoid getting recorded for even local journeys. What few people have done and I've not seen it put in the public view is map out where all the cameras are in a large metropolitan area.

From what I've done myself it's quickly become clear that many of the cameras are not there for "crime prevention" and those that are are basically ineffective for that purpose. The high def cameras are at "road junctions" and similar. It's difficult not to come to two conclusions,

1, They are checking number plates
2, They are looking for traffic offences.

That is, the real purpose is not crime prevention at all but revenue raising...

No doubt it will not be long before the subject of not just "road tax" and "congestion charge" being increased but a "mileage toll" yet again.

It's becoming ever increasingly clear that the UK Police have little or no interest in investigating crime that affects the majority of people in the UK which is theft from cars, homes and the person, but are becoming glorified "traffic wardens" clocking up crimes that raise revenue by "fines". That is, they have become just another source of income for the Treasury to use for political reasons.

But if you want an example of the basic uselessness of CCTV,

https://www.telegraph.co.uk/news/2019/01/06/surrey-train-stabbing-man-charged-murder-father-stabbed-front/

The train service that it happened on I use quite often, the train carriages have four easily visible CCTV cameras and I suspect another four that are not as easy to see. The attacker and his girlfriend must have known there were CCTV cameras. Especially with, from what I can tell, the attacker having been in trouble with the police in the past, which was why he was arrested so quickly. OK that CCTV footage will help convict him, but all those CCTV cameras are not going to bring back to life the much older man he murdered who was on a quiet day out with his son as part of a birthday treat...

But also, just days before,

https://www.bbc.co.uk/news/uk-england-manchester-46728702

The stations and trains are saturated with very obvious CCTV yet they have not stopped violent crime, nor do they stop theft, vandalism, graffiti and lewd / offensive conduct. It's also unclear if they even get the attention of the Police any earlier in town centers and the like. The message is quite clear "CCTV does not stop crime".

65535January 6, 2019 6:57 PM

@ gordo and Clive R.

“…question regarding emergency powers granted the executive by the legislative is whether the legislative has sufficiently immunized itself from overthrow, "at the stroke of the pen," by the executive….” -Gordo

I don’t think that item has been tested since the US Civil War. This branches out to the “survivalist” and their survival tools of knives and guns and said ownership rules.

@ Clive Robinson

‘…the answer appears to be "no"’

I am not so sure. Maybe No and Maybe Yes. This is a multifaceted thing and goes to how the TSA got started and then entrenched. It also goes to how Congress critters and aides get past TSA screening.

[Next]

“Well there's a new wiggle in town. Whilst quite simple it's new tricks with character encodings…” –Clive R

Good presentation by Proof point.

I see the scam uses both Woff and Woff 2, the latter being designed by Google, cough, the major contributor to fingerprinting and tracking, and the compression and decompression engines on both the server side and client side. I also note that Google is the major contributor to Mozilla – FF and chrome. Woff is in almost all major browsers.

The only solution I can think of to avoid this font banking scam is halt scripts at the browser such as java and so on.

Hum, “do not evil” … gone.

[then]

"If you look back over this blog you will find that when I've talked about TEMPEST/EmSec and side channels that I've said is all you need is a serial data signal that you can modulate in some way such as timing jitter etc. [hackaday and]… something similar has been done with USB 3.0 to VGA adapters they are not very common as dongles, and many people won't have seen them. However the USB-Serial dongles are so ubiquitous that there is a very serious market in counterfeit FT232RL chips…easy to send a low bandwidth data signal two or three times that range with more than sufficient bandwidth to leak KeyMat for AES or PubKey…”-Clive R

Yep, nasty stuff.

Back to the Faraday cage for the whole house.

“I say all "chat apps" are insecure because of security end point issues…”-Clive R

I see your point. We are off to an uncertain year.

Any Telegram experts care to comment?

[Jump to]

“Facebook has a patent for identifying images taken by the same camera due to physical artifacts…”-Clive R

Ghastly tracking stuff, particularly if you have a unique scratch on your camera lens. A cloth can wipe off dust but not scratches.

“…other options which is a surprise for many. One of which is HelenOS…” –Clive R

Interesting idea. Is this going to be a competitor to Minix?

“…another perceived issue with commercial computing OSs is "bloat"... I've given up on MS after XP thus cannot tell you of the top of my head just what is needed for the latest Win10, but it's likely to be immense. Likewise Apple and to a certain extent Linux and BSD…” –Clive R

Yes, bloat is the word.

I worked on your project; back to XP and Windows 2000… that is XP service pack 3 and Win 2000 SP 4 plus final pack and I see XP jumps from 1.3 Gigs to about 9 Gigs of space when service packed and Office 2000 with service packs. If one adds in Windows Enhanced Mitigation Tool Kit of say 4.0 and higher and an older version of Firefox the software stack size grows even bigger.

I will say the older M$ bloated stack can do a lot of things and surf the net successfully – but many programs don’t work with XP and one has to jump to Win Vista or Win 7 or higher. I will say the MS bloat stack can do a lot of things that I did not realize and sometimes in a simpler fashion.

The only advantage I see is most of your data stays on your own box. That is somewhat of a help regarding network metadata tracking but not super good.

Say Clive, could you include in your footnotes the abbreviated word combinations you are using in your post? They seem to overlap with other abbreviations with different/or multiple meanings.

moving to:

Keeping data to your own machine…

@ JG4

Your idea of getting political and Epistemology discussion off of this blog is good. But…

Is not using Kinja just outing yourself and your fellow users? It rivals Google’s best bots? Yes? Poor OPSEC and all...

Your idea is good but how do we keep off of the NSA/GCHQ/FBI/TSA-DHS and so on… black lists?

I believe this blog is "hot" or under the watch of various TLAs and so called K-street PR firms... We have plenty of watching as it is.

65535January 6, 2019 10:21 PM

@ Alyer Babtu

“And let us not forget QNX”-Alyer Babtu

Do you have a download link for the software that is not a trial [both client and server]? I will give it a go.

Clive RobinsonJanuary 7, 2019 3:52 AM

@ Alyer Babtu, 65535,

And let us not forget QNX !

It's a funny beast from memory, being an RTOS with POSIX Real Time Extensions compatibility. I've not had anything to do with it for years though.

What it got right was a very tiny microkernel that did as little as possible giving a low attack surface. All it really did was set up initial process space, scheduling, timers, interrupt handling and the magic glue that held it all together, Inter Process Communication (IPC), which it combined with part of the scheduler (basically all the stuff that got lumped under POSIX.1b real time).

What QNX had right was the IPC they kept it simple, low latency and importantly not causing issues with the scheduler.

Not getting IPC right is what makes most *nix clones "chocolate teapots" when it comes to even Soft RTOS work.

As I said it's been quite some time since I looked at it seriously, well it was actually last century... I kept a watching brief on it until QNX got sold off the first time. Usually such activities sound a "Death knell" for the subsumed company's technology innovation. Then when it got sold to RIM I really lost interest as RIM had a certain reputation and well lived down to it as usual.

The big problem is "licensing": prior to the RIM take over QNX were starting to go down the Open Source route. RIM slammed that shut and started playing with licensing in ways that did not bode well.

So rightly or wrongly I've regarded QNX for the last decade as more closed source / walled garden than even Microsoft OSs. What the actual current state of play is I've no real idea.

In part because my attention has been shifted to L4 microkernel systems some of which are Open Source, others such as PikeOS are closed source but with "bullet proof Hard RTOS" credentials.

Clive RobinsonJanuary 7, 2019 4:17 AM

@

Oh and I forgot to mention FreeRTOS,

https://en.m.wikipedia.org/wiki/FreeRTOS

It works with quite a few very low cost microcontrollers like those from Microchip.

It's not exactly what most would call an "OS" or even an "RTOS". It's basically three C files you link your code to.

However if you are building data diodes / pumps / sluices and instrumentation for serial data on RS232 etc then it will get you going to the point you can "spin-off" to full stand alone code if you have the need.

FreeRTOS has been quite popular but kind of got neglected for a while. However Amazon has taken over the stewardship... Basically they have a library that works with FreeRTOS that supports Amazon's IoT back end (SpiesOnYou :-S) so have taken on the actual kernel maintenance.

The question is will they leave FreeRTOS alone or do a Microsoft "Embrace and Extend"?

Clive RobinsonJanuary 7, 2019 5:44 AM

@ Rach El,

Most Police Forces fail to meet forensics fingerprint evidence standards

But it's not just finger prints...

From the article,

    In a recent submission to a House of Lords inquiry, the Leverhulme Research Centre for Forensic Science raised broader concerns about the way fingerprints, tool marks, footwear, tyre marks and ballistics evidence were being used in courts.

This institution is kind of a "flag waver" for forensics... Thus for them to say that it's really indicating that basically forensics is a bad joke in the UK and most probably everywhere else.

But that should be nothing new for readers of this blog, I've only been mentioning it for oh the last decade or so ;-)

But for those who need that academic opinion in case they think "I'm killing the golden goose" yet again,

    Prof Niamh Nic Daéid, the centre’s director, said: “The majority, if not all of those techniques, are not robustly researched. In a lot of cases, the comparative process is left to the subjective opinion of the person doing the comparison. It often could be described as no better than spot the difference.”

However what she has not mentioned is that most forensic science is actually not science in the accepted sense. And no it's not just the issue of the "opinion" of individual investigators, it's way more fundamental than that.

People in forensics come up with some quite bizarre ideas, that really "do not pass the smell test". They get away with it for two reasons,

1, Nobody wishes to challenge a new revenue idea.

2, They argue from effect to cause thus can make it up as they go along.

It's that second point that's important and the classic example was the idea of "pour patterns" as proof positive accelerants were present at a fire thus it was arson etc.

Put simply burn patterns on floors and other surfaces looked to some investigators' eyes to be just like patterns you get with liquid accelerants such as gas/petrol etc burning. But the standard and actually scientifically reasoned tests for indicating hydrocarbons or other fuel sources failed...

Thus you had a pattern but no fuel traces. So rather than say "hang on a moment why no fuel traces?" the reasoning was the fuel must have fully vaporised or was something the tests did not pick up for some hand waving reason. Thus the entire forensic community simply said "pour patterns are proof" positive fuel tests are a nice bit of corroborative information, but not realy required (so why pay for the test at all...).

Well this went on for years till somebody actually tested the idea that a room could be engulfed in fire with only a point of ignition like a cigarette. Guess what they found, not only could a cigarette do it but as a consequence of the way the fire actually burned you got scorch / charcoaling that looks just like pour patterns...

Oops, god alone knows how many false imprisonments or forced plea deals...

That is what happens when you go from either effect or assumed effect backwards to a cause of your choice. It's why it's not science, never was nor ever will be.

And it's not just pour patterns, there's a whole load of now discredited forensic proofs that have been used to jail people... The more memorable ones: "Cocaine traces in bank notes" meaning you are a dealer or user, then it was found that something like eight out of ten bank notes in circulation had cocaine in them. Then the "bullet alloy": it was argued that a match on bullet alloy metals proved that a bullet came from a certain batch. Well even the industry knew that one was not true as did any scientist, molten metals still have different densities thus "settle" just as other liquids do. Depending on where you chose to cut and sample a bullet you will get a different ratio of metals. Thus the test was a complete nonsense, but it carried on as a forensic test, because it was just another way to get a conviction at trial.

And that's the real point about forensics, they are used by prosecutors to get convictions not by the defence to find people innocent. Because forensic findings do not get properly challenged you can get away with just about any kind of nonsense test as long as it sounds "sexy" and has "CSI appeal" with big flashy names and long words...

It's also why supposedly independent labs cut corners and get away with it. Prosecutors want things to convict with, police have scarce budgets, labs want that budget, thus implicitly the effects of any over supplied market come into effect. You get a race for the bottom as price has to go down whilst profit has to be made which means costs thus resources have to be pared to the bone and often beyond... As long as the police get the positive matches they want they will regard the money as well spent, but not otherwise, such is the nature of the human condition. Therefore there will be an incentive to "spend where it gets results", those with a financial interest in labs know this, and they will aim to please one way or another to get a slice of that Police Pie...

There is an effect called "miller's thumb" from an old trick mill owners used to make more profit[1]; the modern equivalent is "thumb on the scales", which when allied with cognitive bias is a very very dangerous thing for justice, but not for prosecutors or politicians who see the faux results as career enhancing.

[1] The miller used to give "measure for measure" not "weight for weight" when grinding people's corn to flour. The measure was actually by volume using a "scoop" that supposedly held a pound of grain or pound of flour. The miller would demonstrate this if challenged and it would be found to be correct. However the design of the scoop was such that you could hold it in a number of different ways, one of which was with your thumb actually in the scoop, so the customer got maybe half an ounce less per scoop, or a loss of around 3% of the flour they should get. Obviously a miller with a fatter thumb would make more profit.

roberts robot double • January 7, 2019 7:17 AM

@ 65535

>> Is not using Kinja just outing yourself and your fellow users? It rivals Google’s best bots? Yes? Poor OPSEC and all...

Kinja can be used with just a 'burner' account (no facebook or gmail tie-in necessary), but (a) if you lose the key, you have lost control of the account, and (b) within the modern web of 1px image trackers and facebook shenanigans, there really is no escaping basic tracking without hand-rolling your own site and comment system. [Of course, there may be discussion sites that are even more anonymous than Kinja, but I don't explore the web for such places, so feel free to give us a heads-up if you know of any such place.]

>> Your idea is good but how do we keep off of the NSA/GCHQ/FBI/TSA-DHS and so on… black lists?

Ultimately, we are lucky in America that we can implement any overhaul of the system through legal means, so I'm not at all worried about TLAs, because I am not intrinsically against their existence; I'm only interested in removing bad actors and bad policies from their implementations.

We should all remember that, for all the problems in America and the other 5-eyes nations, other nation-states are *FAR, FAR* more belligerent, and that our as-manned corrupt system is still the best framework for government on the Earth. In that spirit of gratitude and hope (yet with a *very* skeptical and critical eye towards those currently in power), it is my opinion that we should not worry about being eavesdropped on by those with the means to do so.

I know that for the truly belligerent, "I have nothing to hide" is not the appropriate approach, but I don't believe America has yet descended into such pervasive oppressive tendencies. Besides, my suggestions are solely for encouraging the personal spiritual self-evolution that will make freedom and respect for others the foundation for manifesting the as-yet-unimplemented ideals of the American theory of government within a technologically advancing society of equals.

That is not to say that I don't have specific technical insights into information technology vis-à-vis security, but I will leave those for here at SoS as they are well within its purview and the site contains such an excellent array of free thinkers and accomplished technologists.

Clive Robinson • January 7, 2019 10:10 AM

How to really brick a server.

I think we missed this last month,

https://eclypsium.com/2018/12/19/remotely-bricking-a-server/

Basically the idea is to attack the Baseboard Management Center remotely and brick it. Because it's the motherboard Flash ROM that gets trashed, the skills required to fix it are "beyond the pay grade" of your average data center "patch jockey" or Admin.

The steps are,

1, Get Remote access.
2, download/install malicious BMC upgrade.
3, Reboot into malicious BMC upgrade.
4, Corrupt the system firmware.
5, Reboot as a brick...

To fix it you need to re-install the firmware, which whilst not hard requires physical access to the motherboard to clip a ROM programmer on, then reboot to normal. The problem is having the right programming tools and firmware along with the knowledge, dexterity and actual motherboard access to do it. It's also quite a slow and laborious task that mostly can not be done by most IT Teams, and even when they can it will only be one motherboard at a time.

But is it a significant concern?

Well probably not, have a look at steps 1 and 2 again...

For step 1, if and only if, you can get that level of access you can do a whole load of other damage much more easily without having to do step 2 at all.

Step 2 requires a malicious BMC image. Now we glibly talk of reverse engineering and modification. But few people have done it with code produced as standard software with standard development tools. The BMC code, like BIOS code, is not run of the mill high level code; chunks are very low-level code, which is generally produced on more specialized tool chains by people with quite specialized hardware knowledge.

Which begs the question as to if an engineer with quite a bit of hardware experience would risk developing a replacement BMC image, just to be an "extra" pain in the butt. The answer is probably "not without immunity" of some form. Which is only likely if they are some kind of SigInt, IC or high end LEO entity. Such entities are usually way way more interested in covert data gathering, so would be more likely to be shopping for a custom back door, not a self destruct device. Their interest in self destruct would be as first steps in a kinetic military campaign against national infrastructure, where it's not the computers they would look to destroy but the actual infrastructure hardware. The example being Stuxnet, attributed to US/Israel, and alleged Russian government sanctioned attacks[1] against certain nations' power and other utilities.

Thus unless you are attracting these people in a very odd or specialised way for some reason, it's not likely to happen from that quarter.

But think on it further, for a cyber-criminal there is the "money issue". That is how do you cash out such abilities?

Well the normal "Ransomware" attacks are unlikely, because the victim needs to have the belief that if they pay they will get back to business more quickly than any other way. For this sort of attack replacing the motherboards with new ones would be both faster and more certain so there is no incentive to pay the attacker...

Yes there are other cyber-criminal attacks, but these would be "bespoke" highly targeted attacks from a business rival or similar. Which has the same sort of odds as the SigInt / IC / LEOs attacking you...

[1] Whilst it's likely, we don't, as far as we know, have any actual evidence of direct involvement. That is, the attacks appear to have come from "youth hacktivist groups" and "far right groups", some of whom were actually in the countries they attacked. Which means they could also have been "false flag" operations from another nation entirely. It's why we need real HumInt in various forms. Both the Dutch and Israeli SigInt/IC entities were collecting that until the current US administration burned the "methods", as they had done with earlier UK "sources". Why any allied nation should trust the US with such intel in the future is an interesting question.

65535 • January 7, 2019 8:38 PM

@ Clive Robinson, Alyer Babtu and others

“…big problem is "licensing". Prior to the RIM take over QNX were starting to go down the Open Source route. RIM slammed that shut and started playing with licencing in ways that did not bode well. So rightly or wrongly I've regarded QNX for the last decade as more closed source / walled garden than even Microsoft OSs….” –Clive R

That is also my understanding. Basically, it is a semi-closed source project due to RIM. They had a lot of legal problems with complicated things.

I tried the old RIM Blackberry setup and found it not of much use until integrated with MS Exchange server[s]. MS Exchange usually must use Active Directory or Directory Service. Thus, RIM wanted Admin control in Active Directory or a high level of privileges. Thus, if one wanted to test RIM’s Blackberry one would have to set up a test bed of AD domain server[s] and Exchange server[s].

That can be done with one box, but the code stack is so big it becomes hard to shut down and restart. You could use two or more boxes for better performance, but that started to get costly for test bed purposes… not including the hand sets. Then rumors started circulating that Blackberry/RIM was unsafe. That caused the project to grind to a halt.

“…The previous operating system developed for older BlackBerry devices was BlackBerry OS, a proprietary multitasking environment developed by RIM… Previous versions allowed wireless synchronisation with Microsoft Exchange Server email and calendar, as well as with Lotus Domino email. OS 5.0 provides a subset of MIDP 2.0, and allows complete wireless activation and synchronisation with Exchange email, calendar, tasks, notes and contacts, and adds support for Novell GroupWise and Lotus Notes….”-Wikipedia

https://en.wikipedia.org/wiki/BlackBerry#Software

I have an open mind. I will give QNX a go if I can get a full version to download.

“FreeRTOS” –Clive R

I got it bookmarked.

Thanks.

@ JG4 or roberts robot double

“Kinja can be used with just a 'burner' account (no facebook or gmail tie-in necessary), but (a) if you lose the key, you have lost control of the account, and (b) within the modern web of 1px image trackers and facebook shenanigans, there really is no escaping basic tracking without hand-rolling your own site and comment system. [Of course, there may be discussion sites that are even more anonymous than Kinja, but I don't explore the web for such places, so feel free to give us a heads-up if you know of any such place.]”

I cannot really disagree.

You could do what you want with an IRC or even any burner email system. If it is really small just use Proton.

Yep, you could even set up your box at home or work with the proper LAMP or WAMP stack and TypePad [or use WP or use WP com].

“…we are lucky in America that we can implement any overhaul of the system through legal means, so I'm not at all worried about TLAs, because I am not intrinsically against their existence; I'm only interested in removing bad actors and bad policies from their implementations…”

Maybe yes and Maybe no.

It is not exactly easy to “remove bad actors” but you can give it a go. I am all for it.

Hum, I thought JG4 was against useless wars and so on. TLAs are involved up to their collar stays in those ventures or misadventures.

Do you like getting “patted down” by our relatively new TSA? How about your family being surveilled at all times - or most times?

If you are in the system you must know the first people to get surveilled by the major Intelligence services are their own and then down the line. All major service branches have their security units watching. It is like going into a freshly painted bathroom only to get stuck to the sticky fixtures. It is hard to leave.

Other than the above feel free to continue with your project. Your ideas are not bad. I have no problem with others using your setup.

Wael • January 8, 2019 2:36 AM

@Faustus,

One could argue that life is a lottery:

One could argue anything!

We are randomly assigned talents and deficits and families.

It would seem so because we don't have better knowledge.

What about reassigning some good things and bad things (within possibility and sense) every year or every five years?

I see you're aiming to achieve fairness and level the playing field. In practice, not doable.

A non Predator/Prey alternative.

Maybe not. But has other weaknesses!

JG4 • January 8, 2019 6:59 AM


@Clive - You've pointed out that this blog isn't just predicting the future, but also causing it. You caught that DRD4 genes also amplify the future. It will be important to make sure that the politicians who have dangerous combinations of SNP-variant receptors won't delete the future. They've already strip-mined the future. Ted tried to warn us about the government dictating the genetic composition of our children, but the more important step will be dictating the genetic composition of our leaders.

https://www.nakedcapitalism.com/2019/01/links-1-8-19.html
...

“Black Mirror” isn’t just predicting the future—it’s causing it Quartz (Chuck L)
...

New Attack Against Electrum Bitcoin Wallets Bruce Schneier

AT&T, Dish, Comcast All Raising Cable TV Rates To Counter Cord-Cutting Dallas News. Only sports addicts will be left.

Surprise discovery reveals second visual system in mouse cerebral cortex Science Daily (guurst)
...

New Cold War

NBC and MSNBC Blamed Russia for Using “Sophisticated Microwaves” to Cause “Brain Injuries” in U.S. “Diplomats” in Cuba. The Culprits Were Likely Crickets. Intercept

Big Brother is Watching You Watch

Alexa, Siri and Google Assistant Desperately Want To Help You Do Your Routine — But it Takes Too Much Programming and There Are Still Too Many Holes Wall Street Journal

Court: Politicians who block citizens on social media violate 1st Amendment ars technica
...

Airports Worry About Screener Absences If the Shutdown Continues Bloomberg
...

Faustus • January 8, 2019 10:37 AM

@ Wael

You seem to be in a non-constructive mood today.

"It would seem so because we don't have better knowledge."

What are you arguing? That we somehow deserve the circumstances of our birth? Because what I am saying is basically that we don't deserve the circumstances of our birth, they happen to us.

When you offhandedly say that lottery is not feasible that is simply the predator assumptions speaking. Of course it is feasible. Lotteries happen, like in draft lotteries and lotteries for apartments. Not that I am suggesting that they should be the only factor, or that they will even be a factor in an optimized society. But they are a real option.

I have been identifying more options but I don't want to fill the blog up with them. I will write them out and place them on the side blog that @ roberts thoughtfully provided.


Wael • January 8, 2019 12:16 PM

@Faustus,

You seem to be in a non-constructive mood today.

Unintentionally so. Perhaps because the discussion is branching away from the original "surface of attack" goal?

When you offhandedly say that lottery is not feasible that is simply the predator assumptions speaking.

Give me a working example. Reminds me of the movie "trading places."

Faustus • January 8, 2019 1:20 PM

@ Wael

Oh, well, we are working on different problems. Which is fine. The surface of attack problem is immense, but if you wanted to spearhead that I would gladly contribute.

I really think it is worth exploring the space of social policy alternatives. Some will be potential alternatives but not useful. I need to write this up to be really clear.

I have given some existing lotteries as examples. The idea is to redistribute costs/benefits without giving any individual(s) control, power and/or enticement to corruption. It also might encourage people to look at social issues in a more expansive way that is not as motivated by their personal circumstances.

Wael • January 8, 2019 1:41 PM

@Faistus,

The idea is to redistribute costs/benefits without giving any individual(s) control, power and/or enticement to corruption.

Ok, then: you'll need to give thought to the following: who's going to be tasked with these assignment roles? Will a person who's in a "good position" -- affluent, has a good position and power in society -- relinquish that and accept a lottery assignment that makes the same person "poor" and "not respected"? Who will enforce such a change?

Then there are things that we as humans have no control over: we can't assign parents, change the genes of people. Can we make someone like "Richard Feynman" become a "Mike Tyson"? Or me becoming a Keats or a Shakespeare?

Even if we can do that, which we can't: aren't we playing a role that's way above our salary grade?

Unless I'm misunderstanding what your proposal is, I say it's undoable. Not necessarily a show-stopper, we can continue with the "ideal" model and make it practical... still I have my doubts.

If I'm on the wrong track then you should list the parameters we play with.

Faustus • January 8, 2019 4:26 PM

@ Wael

As I said, at this point Lottery is an alternative. If it is a question of allocating good things, like apartments, it isn't that complicated. An actual state lottery is also an example of a lottery. The lottery selection is not controlled by anyone. It is a lottery. But the main point is: I am not at the point of arguing the relative merits of proposals. I am collecting alternatives.

I do mean a lottery system that can be done in practice. I am not talking about changing birth parents, since that cannot be done. I am not sure why you are making me state the obvious. Something about this idea seems to deeply worry you.

I am basically applying a problem solving technology. In this step, idea generation, "No idea is a bad idea". They are all noted. What you are doing would be called "Guided missile" where you are refusing to just accept an idea being put on the list and attempting to quash it prematurely.

The next step is called benefits and concerns. This is where we note the advantages and possible problems with each idea. "Benefits first!" is a motto at this level, so that people legitimately consider an idea before shooting it down. Concerns are expressed as "How to..." or "I wish I knew..." so they are oriented towards a solution rather than creating a roadblock. Concerns can be worked recursively, to see if they can be addressed or whether they invalidate the idea.

The next step is idea selection where the relative merits of ideas are finally considered. At this point an optimization technology (possibly an AI) might come into play.

An optimal selection of alternatives could very well include some predator-prey options and some non-predator-prey options.

Everything past the first two paragraphs above is beyond where I am at, which is simply to identify social policy options. I state it now just to provide context, and to try to explain to you what seems obvious to me: I am not judging the options at all at this point as long as they are potentially applicable. Even my description of lottery is provisional, just to try to make the idea understood. In the benefits and concerns phase you might state a concern "How to make a lottery free of power dynamics?" or "I wish I knew whether people would accept a lottery allocation".

I don't want to be rude or pedantic. To me it feels like I am talking to a different Wael than last week and I am simply a little frustrated. Also, I am taking up more space than I should. Maybe. A description of a problem solving technology seems like a good thing to introduce here for many reasons, since security is a problem and a technology like this is key to achieving collaboration rather than descending into head butting.

Wael • January 8, 2019 4:27 PM

@Faustus,

Wait a second!

Even if we can do that, which we can't:

Apparently there's a way to do it. Poof! Faustus, you just became a seamstress. How about that?

Watch Demolition Man; it might give you some insights (in addition to "Trading Places"). I'm serious.

Back to constructive mood :) Apologies for misspelling your name in my previous post.

Wael • January 8, 2019 4:53 PM

@Faustus,

I do mean a lottery system that can be done in practice.

I'll wait for the list of parameters. Or I can propose some. The idea of a lottery system doesn't deeply worry me, and there are no guided missiles there. I genuinely didn't understand the proposal.

Weather • January 8, 2019 5:52 PM

Faustus
An idea I thought about for a while was: there is no such thing as money; if you work (or can't, physically or mentally) you get a work card which allows you to go to a shop, show the card and take any item.
At first it wouldn't work, everyone will want a Ferrari, but...

65535 • January 9, 2019 12:03 AM

Gad, T-Mobile sells your cellphone location data to Zumigo, then to Microbilt, then to every Harry, Dick and Tom with $4.95 to spend.

Motherboard

"...I Gave a Bounty Hunter $300. Then He Located Our Phone... In the case of the phone we tracked, six different entities had potential access to the phone’s data. T-Mobile shares location data with an aggregator called Zumigo, which shares information with Microbilt. Microbilt shared that data with a customer using its mobile phone tracking product. The bounty hunter then shared this information with a bail industry source, who shared it...an aggregator called Zumigo and then sells it to a dizzying number of sectors, including landlords to scope out potential renters; motor vehicle salesmen, and others who are conducting credit checks. Armed with just a phone number, Microbilt’s “Mobile Device Verify” product can return a target’s full name and address, geolocate a phone in an individual instance, or operate as a continuous tracking service...“You can set up monitoring with control over the weeks, days and even hours that location on a device is checked as well as the start and end dates of monitoring,” a company brochure Motherboard found online reads...there is also an underground market that Motherboard used to geolocate a phone—one where Microbilt customers resell their access at a profit, and with minimal oversight...Wyden added. “When stalkers, spies, and predators know when a woman is alone, or when a home is empty, or where a White House official stops after work, the possibilities for abuse are endless.”-Motherboard

ht tps://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile

Back to the RF bag the cell phone goes.

Bong-Smoking Primitive Monkey-Brained Spook • January 9, 2019 12:28 AM

I do mean a lottery system that can be done in practice.

You're offered a few losing tickets and the worst one ends up winning unexpectedly. Look around you. The system is already in place and working well in practice. What's there to change, besides ummm disabling the vote fraud feature(s)? Anything can be gamed. It's human nature.

JG4 • January 9, 2019 8:34 AM


Cory Doctorow: Disruption for Thee, But Not for Me
http://locusmag.com/2019/01/cory-doctorow-disruption-for-thee-but-not-for-me/
January 7, 2019 Commentary, Cory Doctorow
Photo by Paula Mariel Salischiker

The Silicon Valley gospel of “disruption” has descended into caricature, but, at its core, there are some sound tactics buried beneath the self-serving bullshit. A lot of our systems and institutions are corrupt, bloated, and infested with cream-skimming rentiers who add nothing and take so much.
...

Jim W • January 9, 2019 10:11 AM

@Clive Robinson Thank you for emptywheel. It's very insightful, in-depth and thought provoking.

gordo • January 9, 2019 10:17 AM

Fun stuff I'm sure and a good use of data...

Citizen astronomers discover new planet that NASA algorithms missed
Keen eyes have located a new planet twice the size of Earth.

NASA's Kepler Space Telescope might not be doing much anymore, but discoveries are still being made thanks to the data it left behind. By analyzing its historical records, and crowdsourcing help from volunteer astronomers, a citizen team has discovered a new planet roughly twice the size of Earth.

https://www.engadget.com/amp/2019/01/09/citizens-discover-new-planet-nasa-algorithms-missed/

Alyer Babtu • January 9, 2019 12:06 PM

Re public access to scientific data

Is a significant portion or better of all the climate data available to citizen scientists? If not, why not? Surely it should be.

bttb • January 9, 2019 3:22 PM

From https://twitter.com/alanfeuer or https://threadreaderapp.com/thread/1083033189956964353.html
"...Having left everything behind in the panicked escape, Chapo [El Chapo on trial now in NYC] then asks Emma to send him what he needs: sweats, underwear, some shirts & shoes, shampoo, after shave--and, yes, black mustache dye.
The only thing more astonishing than these marital messages is how the government got them.
Turns out, Chapo was using Flexi-spy spyware to monitor Emma's phone. The IT guy installed it. He told the FBI. The FBI subpoenaed Flexi-Spy.
Poof.
Chapo's texts w/his wife.
But there's more.
Chapo wasn't only spying on Emma's phone. He had two side chicks (who look exactly like her by the way) and he was spying on their phones too..."

also
https://www.nytimes.com/2019/01/08/nyregion/el-chapo-trial.html
https://www.theguardian.com/world/2019/jan/03/behind-el-chapo-trial-joaquin-guzman


Sidebar photo of Bruce Schneier by Joe MacInnis.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.