Friday Squid Blogging: Squid Lollipops

Two squid lollipops, handmade by Shinri Tezuka.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on January 18, 2019 at 4:41 PM • 94 Comments

Comments

J. Peterson • January 18, 2019 5:19 PM

So, Amazon CEO Bezos announces his divorce. Presumably a factor in that divorce was the revelation in the National Enquirer of Bezos having an affair. A source for the Enquirer was private text messages between Bezos and his mistress.

President Trump openly dislikes Bezos because the Bezos-owned Washington Post reports unflattering stories about the president. Trump is also known to collaborate with the owner of the National Enquirer (e.g., buying & burying stories from Trump's mistresses).

Could Trump have used national security infrastructure to capture Bezos's private text messages and hand them over to the National Enquirer? Plausible?

Clive Robinson • January 18, 2019 6:24 PM

@ J. Peterson,

Could Trump have used national security infrastructure to capture Bezos's private text messages and hand them over to the National Enquirer? Plausible?

Daft as he can be from time to time, I doubt the line of actual thinking bodies linking Donald Trump to National Security sources would allow that to happen. So without other information I'd go with unlikely that he would have done it himself (but somebody else might have done for other reasons).

Let's be honest, there is a very long line of people who would stand in a queue just to get a chance to take a pop at Bezos, including a lot of his employees at all levels. There is not a lot of love out there for the man these days.

If you look back at what happened in the UK a few years ago with the "Phone Hacking Scandal", which News International were involved with up to and beyond the eyebrows, getting such texts, whilst harder than voice mails, is not exactly difficult for those working for or with newspapers to do.

But the easiest people to release such communications are the two involved parties. The next line of easiest are generally people who share their lives sufficiently with the two involved parties. That is to get access to the phones when the owner is asleep in the bath, out the room etc etc etc.

Anyway, look at it this way: Bezos getting divorced is not exactly the sort of revenge that would satisfy someone who is in effect portrayed as a narcissist by many.

Mind you that said I still think the biggest driver of Donald Trump into the White House was actually Barack Obama and a certain White House dinner where Obama mocked Trump. Almost the first thing Trump did when gaining power was to start undoing anything done by President Obama.

RGL • January 18, 2019 6:39 PM

NYT: Employees Caught Posting 5-star Amazon Reviews for Facebook Surveillance Product
New York Times columnist Kevin Roose tweeted Wednesday that several 5-star reviews for Portal, a video chat device, were posted by people with the same name as Facebook employees. 
The incident adds to Facebook’s history of deceptive practices. However, it also indicates a systemic dishonesty issue permeating rank and file at all levels[1]. https://www.cnet.com/news/facebook-employees-appear-to-have-left-5-star-amazon-reviews-for-portal/

Perversely the one-star Amazon reviews are the most revealing: ‘I have not had one successful call - this is turning on when not prompted (eavesdropping) & when I voiced my concern about my rights being violated to the Facebook team THEY DELETED MY FACEBOOK PERMANENTLY for having justifiable complaints on a product I purchased.’ https://www.amazon.com/Portal-Facebook-Hands-Free-Calling-Built/product-reviews/B07HFWGBST/?ie=UTF8&filterByStar=one_star&reviewerType=all_reviews#reviews-filter-bar

Marketing Land: Study finds 61 percent of electronics reviews on Amazon are ‘fake’. The problem appears much larger than most consumers realize and presents a huge challenge for honest sellers. https://marketingland.com/study-finds-61-percent-of-electronics-reviews-on-amazon-are-fake-254055

The Verge: Dirty Dealing in the $175 Billion Amazon Marketplace https://www.theverge.com/2018/12/19/18140799/amazon-marketplace-scams-seller-court-appeal-reinstatement

Washington Post: U.S. regulators have met to discuss imposing a record-setting fine against Facebook for some of its privacy violations. The penalty is expected to be much larger than the $22.5 million fine the agency imposed on Google in 2012. https://www.washingtonpost.com/technology/2019/01/18/us-regulators-have-met-discuss-imposing-record-setting-fine-against-facebook-some-its-privacy-violations/?noredirect=on

[1] Employees got caught by foolishly posting with real-name accounts

Jonathan Thornburg • January 18, 2019 7:44 PM

Good example of "security theater":
https://www.cbc.ca/news/canada/british-columbia/fishing-licence-not-marriage-licence-accepted-as-id-for-woman-blocked-from-westjet-flight-1.4981034

Synopsis:
Canadian woman's new driver's license is delayed in the mail. She has a temporary license, but it doesn't have a photo on it. She wants to check in for a commercial airline flight... but the airline says they need valid photo ID, or (alternatively) two pieces of government-issued non-photo ID instead. So she brings her marriage license & her temporary driver's license... only to be told that the airline doesn't accept marriage licenses.

But the (very helpful!) airline supervisor told her the airline would accept a fishing license, and that she could get that license right at the airport. The supervisor even escorted her to the correct office to get the fishing license. She did so (there was no verification whatsoever of the information she provided, and the fishing license doesn't include a photo either). She now returns to the airline check-in... but by now boarding has closed for the flight. So she reschedules her trip, returns to the airport the next day, and boards successfully using her fishing license (still with no verification of the information on it).

After this, a family member gave her a fishing lure as a present to "capture the humour of the situation".

VinnyG • January 18, 2019 8:32 PM

I have reached an age at which I yield with increasing frequency to temptation to try and discover "what happened to?" past elements that had some importance in my life, whether people, or organisations such as former employers (one often leads to the other.) I once worked in IT (so long ago it was called "Data Processing":) for a company named Telenex, which was nominally in the business of designing and manufacturing data matrix switches for the recently divorced "Baby Bell" companies. I say nominally, because an insider's view strongly suggested that the real business was eliciting investment from a procession of naif venture capitalists for no value returned. I'll leave the details to your imagination... Eventually that gravy train ran dry, and the officers/principals managed to convince General Signal, a then Fortune 500 concern (long gone) to acquire Telenex. General Signal was in turn acquired by SPX Corporation, still in business. One of SPX' subsidiaries, TCI, markets a drone detection technology named "Blackbird" to (among others) the US government. Drones, and detection of same, being much in the news of late, I thought that was very interesting, but beyond stating that they somehow use RFI signatures for detection, TCI is quite sketchy on details. After doing some scratching around the web a bit, I located a 2017 paper detailing what I suspect is a very similar technology system named Matthan, which appears to use changes in RF (specifically WIFI) carrier generated by drone body aspect changes during typical maneuvering, in addition to other inadvertent signal manipulation, to passively identify and locate a drone. My first wade through the paper was fascinating. I'll need to read it at least once more in depth, and possibly try to wrap my old brain around some of the formulae.
I think anyone who wants to understand how to detect drones, anyone who might want some clues on how detection might be evaded, and possibly anyone else who merely has a general interest in the technology might find the paper interesting, or even useful.

Blackbird Geolocation and DRONE DETECTION system:
https://www.tcibr.com/blackbird-integrated-geolocation-drone-detection-system/

Matthan: Drone Presence Detection by Identifying Physical Signatures in the Drone’s RF Communication:
https://nsr.cse.buffalo.edu/mobisys_2017/papers/pdfs/mobisys17-paper13.pdf

Clive Robinson • January 19, 2019 1:16 AM

@ VinnyG,

"RF" not "RFI" - fingers galloped ahead on their own...

Just pretend it's "TLA Overload" and the "I" stands for "Inference" ;-)

As for the Colorado Uni paper, unless you are into "Baseband signal recognition" then the description of their Matthan system will be of little interest to you.

So, I'll very briefly cover what they don't which is how the baseband signal ends up modulated on any transmitter connected to the drone.

In essence all you need to know is "Do drones create mechanical noise?" to which the answer is "Yes" and "Do such signals end up on any signals transmitted by the drone?" to which the answer is again "Yes".

So the first thing to note is this Matthan system only works if,

1, The Drone transmits a signal.
2, You know the frequencies in use[1].
3, The baseband signals contain the characteristics of the signal the system recognises.

So there is no guarantee the system will work with a drone modified by someone who knows what they are doing, as many radio engineers and RF Design engineers and hobbyists would. Or for that matter with larger commercial drones which will have dissimilar baseband characteristics[2].

Knowing there is mechanical noise is one thing; seeing it on the baseband signal is as simple to realise. However knowing how it gets cross modulated onto the transmitted signal is another "kettle of fish altogether".

The first method an engineer might consider is that it gets into the transmitter circuit not as mechanical noise but as electrical noise on the power supply or colocated wiring or control circuits. This can be verified in a similar way to the ISM measurements they made, but with an electrical sensor rather than a mechanical sensor.

The second method an engineer might consider is "microphonics" in either the "Reference Xtal Oscillator" or the "Synthesizer VCO".

However there is a third method that many engineers might miss. If an object moves in "free space" it changes the "free space field" if it is metallic or dielectric in nature. So both metal and plastic propellers will distort the "near field" of the transmitter signal. I've mentioned this a couple of times on this blog in the past to do with tracking equipment antennas that are syntactically rotated at around 48,000 RPM which is approximately eight times the speed of the small propellers on toy drones.

The first method which is EMI can be reduced by adding surface mount EMC filtering components, --which are often left out as a cost saving measure by FMCE manufacturers-- and rerouting of cables and power subsystem wiring.

The second, microphonics, is a bit harder, and depends on which components are causing the problem. When I was involved with making control systems for the "driver's POV cameras" for Formula One motor racing, XTAL oscillators were, with just a little foam added, fairly insensitive. Not so the inductor of the VCO, which needed "beeswax potting" to stop it behaving like a spring. The other way is to change the frequency synthesizer feedback loop characteristics. I suspect that they are incorrect because the manufacturer, again for cost reduction, will have minimised components and probably used the chip manufacturer's "Recommended Circuit". Opening the loop bandwidth up so it is above the microphonic noise frequencies will help significantly in reducing it.

The third problem, of close-in free space field distortion caused by moving mechanical parts, can often be significantly reduced by simply moving the antenna. In the case of a drone, using a proper quarter-wave antenna or even a Zep antenna that hangs two wavelengths below the drone will probably be sufficient, as it will get the propellers out of the antenna near field. Such an antenna will also increase the ERP, thus increasing the usable range. As I mentioned in the alleged Gatwick Airport Drone thread on this blog, you could also make a coax colinear or curtain array antenna which would, with a little thought by the drone operator, give their position a maximum antenna lobe, whilst giving the drone detecting equipment a fairly good null.

I hope the above was of interest.

[1] For the toy drones they played with the radiated RF signals are in the 2.5GHz ISM band, because the chips are "dirt cheap" and no licencing is required below a certain signal power.

[2] Characterizing the baseband signals for larger heavier commercial drones will actually be no different than they have for the toy drones, however they will probably be in a lower frequency sub audible band, which might get blocked by the SDR type receivers they use or fall within the transmitter synthesizer loop bandwidth filtering.

Clive Robinson • January 19, 2019 1:26 AM

Hmm,

Fat/fast finger syndrome strikes... In my above "syntactically" should be "synthetically"

John • January 19, 2019 11:00 AM

I'm tempted to add a VPN so that I don't disclose surfing info on my ISP.

Is this useful or just moving info from my ISP to the VPN service provider?

VinnyG • January 19, 2019 12:53 PM

@Clive Robinson re: drone detection - Thanks! That confirms several of my thoughts on my first pass through the paper. I also thought that if their algorithms are biased toward quadrotor devices, there might be a handicap re fixed wing, particularly if the craft is capable of gliding for significant distances. I also had thought of mucking with the antenna, although I was thinking of something much cruder, such as using a trailing flexible wire, on the theory that the wire would likely have its own harmonic characteristics and a signature that might not match any on file...

VinnyG • January 19, 2019 12:58 PM

@John re: VPN - if that is a serious inquiry, the answer to your question is "yes" (to both parts). The devil is very much in the details, and a VPN is only a piece of a security posture for an individual. You might begin by asking yourself who you want to mask your browsing from: spouse; ISP; local LE; NSA??? The difficulty, expense, and even possibility of the solution depends among other factors on the answer to that question.

Clive Robinson • January 19, 2019 3:10 PM

@ John, VinnyG,

"I'm tempted to add a VPN so that I don't disclose surfing info on my ISP."

Sadly, from your side you can not stop the ISP from "tagging your out bound packets" --even if they are encrypted-- as they pass through the ISP. Certain large US ISPs have tagged, and a number of VPNs simply passed the tag along.

The way to de-tag is in effect to run your own VPN from the other side of the ISP, where you can chop off the tagging.

The simple fact is though with the way things currently are, large companies see you as two income streams, the one you pay them and the extra they get from selling you without your permission or often knowledge.

Oh, and you also have ISPs and backbone providers that think stripping your privacy away "is their entitlement/right" and they will block your VPN traffic "for technical reasons" if you don't feed their entitlement. If you persist they will at some point just drop you or, worse, say you have breached their T&Cs or TOS, which strangely can be treated as a criminal offence in the US...

It's because of things like the above, I actually know of people in the US that send small amounts of traffic out as "Ham or Maritime" operators on HF to gateways in the old Eastern Europe of the CCCP and other parts of the world, rather than put it through any US provider of communications services. Some of those gateways are run in a similar way to early Tor entry points, but you have no way of checking.

Let's put it this way: if I send a plain text message to you via one route that is innocuous, you can then "whiten it with a shared secret then hash the result" and end up with a string you can use as a symmetric crypto key and IV / seed value, depending on what mode you use the symmetric crypto in. If I send the innocuous message via HF Email then send you an encrypted message via a mixnet, I get a little bit more privacy / security, not just now but in the future "post Quantum Computing world", should it ever happen. A time when key agreement algorithms based on mathematics are likely to no longer be secure, and "Collect it all" has kept records of your asymmetric crypto usage.

It's this sort of thing some people --rather more pessimistic than I am-- are looking into using rather than use VPNs... I can not say I agree with it due to the normal human failings with OpSec, but then other ways are just as convoluted and error prone.

You have to make your mind up about your privacy and the level of risks you are prepared to accept. But keep a weather eye on legislation; it can change faster than you might expect, and what yesterday was a legitimate way to have a degree of privacy might tomorrow be illegal. I would say that it's a racing certainty that many if not nearly all US VPNs are in some way beholden to the US IC and SigInt agencies, likewise many in other countries as well. There are ways you can mitigate this but not with ordinary browsing.

[1] Obviously people don't have to use HF Email --which has its own problems-- a couple of burner phones will do a similar job via SMS. The hard part in most cases is getting the shared secret for whitening to the other person, but also hiding your Geo-location is a concern for some.
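The key derivation step described in the comment above ("whiten with a shared secret, then hash"), as an added Python example that is not the commenter's own code: it uses HMAC-SHA256 in the HKDF extract-and-expand construction of RFC 5869, with the innocuous message as the public salt and the shared secret as the input keying material, and derives the key and the IV under separate labels so they are independent. The secret, message and label strings are constructed sample values.

```python
"""Derive a symmetric key and IV from an innocuous message plus a shared secret.

Added example, not the commenter's own code. HKDF (RFC 5869) built on
HMAC-SHA256: the public innocuous message is the salt, the shared secret is
the input keying material, and the key and IV are expanded under distinct
labels so they are independent even though they share one PRK. The secret,
message and labels used below are constructed sample values.
"""
import hashlib
import hmac
from typing import Tuple


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-SHA256(salt, IKM). The salt is the HMAC key."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i); return the first *length* bytes."""
    if length > 255 * hashlib.sha256().digest_size:
        raise ValueError("requested output too long for HKDF-SHA256")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_key_and_iv(shared_secret: bytes, innocuous_message: bytes,
                      key_len: int = 32, iv_len: int = 12) -> Tuple[bytes, bytes]:
    """Both parties call this with the same inputs and obtain the same (key, iv).

    An observer who sees the innocuous message but not the shared secret cannot
    compute the PRK. Because key and IV are both fixed by (secret, message), a
    repeated message would repeat the IV under the same key, so every session
    needs a fresh innocuous message (and ideally a fresh secret).
    """
    prk = hkdf_extract(innocuous_message, shared_secret)
    key = hkdf_expand(prk, b"squid-example:key", key_len)   # hypothetical label
    iv = hkdf_expand(prk, b"squid-example:iv", iv_len)      # hypothetical label
    return key, iv


def rfc5869_known_answer() -> bool:
    """Check the HKDF implementation against RFC 5869 Test Case 1 (SHA-256)."""
    ikm = bytes([0x0B] * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


# Constructed sample values for a stand-alone run.
SAMPLE_SECRET = b"constructed shared secret, exchanged out of band"
SAMPLE_MESSAGE = b"Weather here is fine, see you at the usual place."

if __name__ == "__main__":
    assert rfc5869_known_answer()
    k, iv = derive_key_and_iv(SAMPLE_SECRET, SAMPLE_MESSAGE)
    print("key:", k.hex())
    print("iv: ", iv.hex())
```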

Gorgon • January 19, 2019 3:23 PM

@Clive

Don't start correcting your spelling, we'll never get a word in edgewise for years...

Anders • January 19, 2019 3:47 PM

@John

"I'm tempted to add a VPN so that I don't disclose surfing info on my ISP."

One option is to use a trusted computer somewhere that you access via RDP. Your ISP does not have the capability to break RDP encryption on the fly; also, in this way you are not leaking info to them via side channels (DNS etc). Rent a VPS somewhere, install the OS you like and use it remotely.

Currently a lot of Russian developers use this method to bypass the IP blocking Russia has implemented.

Mephisto • January 19, 2019 5:09 PM

@Clive

I don't follow how this tagging could work. The VPN data is encrypted and encapsulated. The ISP could tag the outer encapsulation but it is stripped at the VPN provider and goes no further. The encapsulated encrypted data cannot be changed without causing a Message Authentication Code error.

If you really think this is a thing could you please give us a link? Thanks!!

John • January 19, 2019 5:53 PM

@VinnyG: I want to limit the information the ISP gets. Definitely not the spouse or the NSA. That also means that I don't want the VPN to be worse than the ISP.

@Clive: Info about tagging would be useful.

65535 • January 20, 2019 12:49 AM

@ Clive Robinson, John, VinnyG, Anders and others

“…from your side you can not stop the ISP from "tagging your out bound packets" --even if they are encrypted…US ISP's have tagged, and a number of VPN's simply passed the tag along.” -Clive R.

I believe Clive R is correct.

Most ISPs will add a string to packets that is eventually identifiable. I think that subject has been mentioned on this site before. The very minimum is that the ISPs, and probably the government, can ID your location and probably more.

Also, others have stated that ISPs usually leave a front facing shell open on the customer’s ADSL/cable/or 4G internet modem/multifunctional internet connections – not only for trouble shooting but for advertising/snooping/tracking purposes - and are traceable. Clive’s other points appear to be correct also.

John, you could go to a large institution that may have open or generally multi-person use non-identifiable computers with no user specific ID and generic passwords and use those to gain some security by obscurity, but only to a certain point. But, any internet capable device, mobile phones, or burner phones attached to your business records are probably traceable. You can try VPNs, “Hide My Arse,” UltraSurf, proxies and so on but, you usually leave a trail.

Note, your content can be encrypted, but your approximate location and time are not easily hidden.

The exact method of tagging is not clear. I would guess it is proprietary to some extent – somewhat like colour printers use tiny yellow dot codes. Maybe someone in a higher paygrade can answer that.

Anders' idea of Remote Desktop Protocol versions 8 to 10 may not be broken on the fly. But, I would guess the RDP packets can be tagged as Clive R has mentioned.

No solution is perfect. Your security posture should be adjusted and your OPSEC should be as good as possible. There is no silver bullet. These are helpful but not perfect.

@ Anders

“Check your network closets!”

That is interesting.

Was that R-Pi and board used for harvesting Bluetooth/wifi passwords/dongle codes? An airgap jumper? Was it part of a full CNC multi-downloader system to plant nasty bugs? I was a bit confused. Care to guess?

Pinnochio • January 20, 2019 3:28 AM

"If you really think this is a thing could you please give us a link? Thanks!!"

-Crickets...

Anders • January 20, 2019 6:15 AM

@65535

Tagging RDP packets doesn't help the ISP much; it sees anyway where I'm going to (= the RDP server) and I don't want to hide this fact anyway. But the ISP can't see any further than the RDP server, where I'm going from the RDP server, since from there the new network connection starts. This is different from a VPN, which is a network layer protocol where I get a foreign network IP address at my NIC. From that level it's easy to tag packets and trace them, since a VPN is basically only an encryption layer around your original network level connection.

With VPN you start the network connection from your home computer.

With RDP (or VNC or any other remote desktop connection protocol) you start network connection from the remote computer.

Faustus • January 20, 2019 6:43 AM

@ John, Clive et al

I have written my own security monitor to dissect all the packets on my system and to extract the important packet data and identify IP endpoints, DNS resolutions, ARP activity, user agents, servers, etc. It logs a wide variety of information into MongoDB.

VPNs effectively extend your local (Levels 1 and 2) network through level 3 devices like routers so users can share a LAN over great distances and therefore enter the public internet far away from their actual location. The data you enter in NYC for example can appear to originate in Moscow.

VPNs are usually implemented as VLANs. VLANs usually, but not always, lead to an insertion of a 32 bit tag in the layer 2 of the packet. This is known as the 802.1Q protocol. https://en.wikipedia.org/wiki/IEEE_802.1Q The first 16 bits are unvarying 0x8100. The next 3 bits are a class of service. The next bit is drop eligibility. Then there is a 12 bit internal identifier. It is hardly a unique identifier, and the egress end of the VLAN strips it off anyhow with all your other layer two information such as the MAC address. This is just the way IP works.

There are various attacks for systems that are on the same level 2 network: i.e. breaking into one VLAN from another that runs on the same infrastructure. https://web.archive.org/web/20110608051916/https://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39042

However these attacks are no worse than directly accessing the internet if you are solely using a VLAN to obfuscate your IP address (or hide your browsing from your ISP) and most likely much better. To be safest, your security boundaries should be at your devices, rather than solely relying on an external firewall and such.

VPN providers could collude with ISPs and others to keep a log that exposes your actual ip address, or exposes the key that encrypts your data. But this is unlikely with a well chosen VPN provider if you are just a normal non criminal/non terrorist who is simply seeking personal privacy (and maybe some pirate bay downloads) and for such a user a VPN is at worst no worse than directly connecting to the internet yourself and probably much much better.

If you are trying to maintain a clean layer 2 network, VPN attacks may allow someone to enter that network. A high level of knowledge seems to be needed to avoid this.

So I recommend the use of a highly regarded VPN provider for your personal, non-NSA attractive, single machine privacy needs. Beyond this, a significant level of knowledge could be needed to configure your VPN correctly.

"Certain large US ISP's have tagged, and a number of VPN's simply passed the tag along."

Statements like this are basically meaningless without more information. It is not the VPN's job to remove data from packets. Clearly, if you give a site personally identifiable information, it will identify you, VPN or not. But ISPs cannot add tags inside encrypted data. They have to have been there before the packets reached the VPN.
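The 802.1Q tag layout described in the comment above, as an added Python example that is not code from the original comment: it parses the TPID, PCP, DEI and VID fields out of a constructed Ethernet frame and strips the tag the way an egress port does, which shows that nothing above layer 2 carries the tag. The MAC addresses and payload bytes are constructed sample values.

```python
"""Parse and strip an IEEE 802.1Q VLAN tag from an Ethernet frame.

Added example, not code from the original thread. The 32-bit tag layout
(TPID 0x8100, 3-bit PCP, 1-bit DEI, 12-bit VID) is the one described in the
comment above; the sample frame at the bottom is constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100   # Tag Protocol Identifier: the fixed first 16 bits of the tag
ETH_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG_LEN = 4      # TPID (2) + TCI (2)


@dataclass(frozen=True)
class VlanTag:
    pcp: int   # Priority Code Point, 3 bits ("class of service")
    dei: int   # Drop Eligible Indicator, 1 bit
    vid: int   # VLAN Identifier, 12 bits (0..4095; 0 and 4095 are reserved)


def parse_vlan_tag(frame: bytes) -> Optional[VlanTag]:
    """Return the 802.1Q tag of *frame*, or None if the frame is untagged."""
    if len(frame) < ETH_HDR_LEN + VLAN_TAG_LEN:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None                                   # plain untagged frame
    (tci,) = struct.unpack_from("!H", frame, 14)      # Tag Control Information
    return VlanTag(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)


def strip_vlan_tag(frame: bytes) -> bytes:
    """Remove the tag, as a switch does on an untagged (access) egress port.

    Everything above layer 2 (the IP packet and its payload) is returned
    byte-for-byte unchanged, which is why a VLAN tag cannot survive past the
    point where the layer-2 segment ends.
    """
    if parse_vlan_tag(frame) is None:
        return frame
    # MAC addresses, then the inner EtherType and payload that followed the tag.
    return frame[:12] + frame[ETH_HDR_LEN + 2:]


def build_tagged_frame(dst: bytes, src: bytes, pcp: int, dei: int, vid: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Construct a tagged frame (helper for tests; validates the TCI fields)."""
    if not (0 <= pcp < 8 and dei in (0, 1) and 0 <= vid < 4096):
        raise ValueError("TCI field out of range")
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


# Constructed sample: VLAN 100, priority 5, carrying an IPv4 (0x0800) header stub.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IPV4 = 0x0800
SAMPLE_PAYLOAD = b"\x45\x00" + b"\x00" * 18   # truncated IPv4 header, constructed
SAMPLE_TAGGED = build_tagged_frame(DST, SRC, 5, 0, 100, IPV4, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("tagged:  ", parse_vlan_tag(SAMPLE_TAGGED))
    print("stripped:", parse_vlan_tag(strip_vlan_tag(SAMPLE_TAGGED)))
```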

Ergo Sum • January 20, 2019 7:45 AM

@Clive...

Can DNA Ancestry be Trusted?

"Snake oil" has been selling since, well, the beginning of the time...

The better question is, how long will it take these ancestry related companies to morph into service companies that offer DNA based identification for private investigators and other interested parties? They are not there as of yet, but once their databases become a sizable one, it's just a question of time.

The chances are, that the US DHS (or DOHs as I call them) gets the ancestry databases as well. They've been vacuuming up biometric data for a while...

https://www.eff.org/deeplinks/2018/06/hart-homeland-securitys-massive-new-database-will-include-face-recognition-dna-and

Anders • January 20, 2019 10:51 AM

Hey spammer...do you realize that you are messing with the world top hackers here...Do you really want us to track you down and make you public? If you piss us off there's nothing that could stop us.

David • January 20, 2019 11:47 AM

out of all the websites in the world to interrupt why choose this one - a place of ethical & higher learning? some people have a choice to do good, or choose to do nothing - the ones that choose to actively harm others in society are destroying their own future and there always are consequences, whether they believe in karma or not.

Moderator, calling your attention

Sherman Jerrold • January 20, 2019 1:37 PM

The defacement of this excellent, informative, civil blog is a sad reflection of the incredible deterioration of the honesty, security and decency of our society. There are powerful people that are supporting, encouraging, and enabling hateful destructive forces. I hope Bruce will find a way for this blog to prevail and continue in the face of these senseless onslaughts by barbarians.

Obligatory truculence • January 20, 2019 2:28 PM

"do you realize that you are messing with the world top hackers here"

I got a good chortle out of that, lol.

SwissCheese • January 20, 2019 3:37 PM

"Hey spammer...do you realize that you are messing with the world top hackers here...Do you really want that we track you down and make you public?"

Software and hardware engineers provide users with such insecure shite in the modern era, with so many open attack vectors, that hacking one's ass is as difficult as stealing candy from a baby.

Couple that with the shrugging of CEO shoulders every time another billion accounts are hacked due to sloppy coding & security practices, and the "skills" of black hats are very much cast into doubt, i.e. any turd who can download Kali Linux or remote exploit tools can probably penetrate most targets at will.

Yep - great claim to fame...

Sherman Jerrold • January 20, 2019 6:44 PM

I remember a post by Bruce a couple of days ago that the moderator was only part-time. And, this is Sunday. We should probably exercise a little patience. It's Bruce's site and I'm sure he will handle all this appropriately.

AlexT • January 20, 2019 11:32 PM

@Clive

> If you are trying to maintain a clean layer 2 network, VPN attacks may allow someone to enter that network. A high level of
> knowledge seems to be needed to avoid this.

Not exactly sure I understand this one - could you expand?

> "Certain large US ISP's have tagged, and a number of VPN's simply passed the tag along."

> Statements like this are basically meaningless without more information. It is not the VPN's job to remove data
> from packets. Clearly, if you give a site personally identifiable information, it will identify you, VPN or not. But
> ISPs cannot add tags inside encrypted data. They have to have been there before the packets reached the VPN.

My view exactly - anyone with some specifics on this?

Cassandra • January 21, 2019 6:42 AM

@AlexT and others

Re: 'tagging' of VPNs

Most VPN traffic is relatively easily identifiable as VPN traffic. Solid evidence of this is the success of the Great Firewall of China. It does not need to be 100% correct to be effective and/or useful to signals intelligence.

Given VPN traffic is identifiable, it is not beyond the bounds of imagination for there to be equipment connected to ISP networks that (a) identifies VPN streams and (b) takes a copy. In other words, the VPN traffic is earmarked, or 'tagged', for current or future analysis.

Much VPN traffic uses Diffie-Hellman key exchange to set up the shared secret, and there is a reasonable argument that signals intelligence agencies are able to decrypt at least some VPN traffic (See Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice.). Again, from a signals intelligence point of view, being able to decrypt any is of benefit; and having an archive of old streams that can be re-analysed in future is useful, as decryption techniques get better with time.

If you want an actual tag, how about:

1) Equipment controlled by SIGINT agency located on an ISP's network identifies a VPN stream of data
2) Said equipment takes a copy and slaps an MPLS tag on the copy that puts it in the private, non-secure SIGINT MPLS network that plausibly pervades all of $country's MPLS network.
3) SIGINT agency has large datacentre attached to MPLS network that hoovers up all data sent to it.
4) Decrypt VPN traffic at leisure for analysis.

Identifying VPNs is pretty easy - first of all, VPN providers helpfully have a list of nodenames and/or IP addresses you can use. Obviously, capturing all the traffic to the known nodes is a good idea. Secondly, VPN setup protocols are well known, so examining traffic for those and capturing streams that match is a good idea (and update a list of non-advertised nodes to watch). Thirdly, much VPN traffic has a distinctive signature, and can be captured by traffic analysis heuristics - this will catch people who use non-standard port numbers and/or non-standard software. The Chinese firewall is pretty good at doing this. You don't even need to be able to identify concealed stuff in real time - just capture everything, throw out everything you can immediately identify in real time as NOT worth keeping, and keep the rest, which you can mine later for unusual signatures, and update the real time drop-uninteresting-stuff filter to improve accuracy as your analysis proceeds. You don't need to be 100% successful at decrypting everything.

None of the above is difficult. The technology to copy data at line speed from large pipes is well known, semi-commercially available, and definitely in use.

Cassandra

Faustus • January 21, 2019 10:37 AM

@Alex T

Concerning clean layer 2 networks my post above contains a link to a Cisco document explaining potential VPN attacks.

@ Cassandra

I don't disagree with what you say about capturing or attacking VPN traffic, but that does not involve placing a tag on a packet passing on the public internet.

Obviously anyone can set up a VPN on an IP they control which is not on a list. My provider assigns me my own unshared or very lightly shared address. If it is identified they assign me another. It works well circumventing blocks on VPNs by various services.

Of course here I am concerned with traffic that has been transferred to the public internet after passing through the VPN. My concern is that the end point does not know my real IP address and my ISP does not know who I am talking to or the content of my communication.

I would not trust a VPN to protect me against a nation state actor.

bttbJanuary 21, 2019 10:56 AM

1) https://twitter.com/emptywheel/status/1087156604376633344

2) https://www.emptywheel.net/2019/01/18/compromise-before-trump-won-his-first-primary-putin-collected-his-first-receipt/

From 1) "I [emptywheel] noted the other day that before the first vote was cast in GOP primary [ 1 February 2016 ] , Michael Cohen had told Putin Trump was willing to work w/sanctioned banks [ VTB or GenBank ] and former GRU officer [ Evgeny Shmykov, a former general in Russian military intelligence (GRU); the same agency that attacked the Democratic National Committee (DNC) ] for a $300M [ licensing fees? ] deal."

From 2) "What Cohen’s plea deal makes clear is that Putin pocketed the first of those receipts — a receipt showing Trump’s willingness to work with both sanctioned banks and the GRU — even before the first vote was cast. Even before GRU hacked its first Democratic target (though APT 29 [ FSB? ] had been spying on the Democrats since the previous summer [ 2015 ] ).

Discussing a real estate deal is not, as Trump has repeated, illegal. If that’s all this were about, Trump and Cohen might not have lied about it.

But it’s not. Even before the GRU hacked John Podesta, even before Don Jr told his June 9 visitors that his dad would consider lifting sanctions if he got elected, Michael Cohen let a key Putin deputy know that Trump would be happy to discuss real estate deals that involved both partnering with the GRU and with sanctioned banks.

And Putin has been sitting on that receipt ever since."

bttbJanuary 21, 2019 5:08 PM

More on the Trump Moscow project from https://www.nytimes.com/2019/01/20/us/politics/trump-tower-moscow-cohen-giuliani.html :

"...For the Moscow project, Mr. Trump appears to have relied on Mr. Cohen to be the lead negotiator, and interviews, emails and court documents show that Mr. Cohen made a vigorous effort to try to get the blessing of the Kremlin for the project and even tried to arrange a trip to Moscow for Mr. Trump.

His partner in the effort was Felix Sater, ...

In late 2015, months after Mr. Trump announced his presidential candidacy, Mr. Sater sent an enthusiastic message to Mr. Cohen bragging about how he would tap his Russian connections for the tower project and “get all of Putin’s team to buy in on this.”

“Buddy,” Mr. Sater wrote, “our boy can become President of the USA and we can engineer it.”

[...]

According to emails reviewed by The Times, Mr. Sater sent an urgent message to Mr. Cohen in late 2015 saying that Mr. Shmykov was on the phone and he needed passport information for Mr. Cohen and Mr. Trump so they could receive visas.

Mr. Sater said that, for diplomatic reasons, the Kremlin could not issue the visas. Instead, he said, a Russian bank could provide the documents as part of “a business meeting not political.”

The Moscow trip for Mr. Trump and Mr. Cohen never materialized, but court documents released in November as part of Mr. Cohen’s guilty plea showed that Mr. Cohen pursued the Moscow project well into 2016.

[...]

Mr. Cohen told prosecutors that the discussions lasted at least until June 14, 2016, when he met with Mr. Sater in the lobby of Trump Tower in New York and told him he would not be traveling to Russia “at that time,” according to court documents. On the same day, The Washington Post reported that Russian operatives had infiltrated the computer network of the Democratic National Committee — the first public evidence of Moscow’s campaign to disrupt the election.

Now, based on Mr. Giuliani’s remarks on Sunday, it appears that the negotiations over the Moscow skyscraper deal continued even months beyond that..."

65535January 21, 2019 9:27 PM

@ Cassandra, Clive Robinson, Anders, John and others

‘“Re: 'tagging' of VPNs… Most VPN traffic is relatively easily identifiable as VPN traffic…Much VPN traffic uses Diffie-Hellman key exchange to set up the shared secret, and there is a reasonable argument that signals intelligence agencies are able to decrypt at least some VPN traffic…’- Cassandra

Yes, that is my understanding.

For example the NSA’s “Treasure Map” project and its “Toygrippe” – Repository of VPN endpoints. Oddly, this repository of VPN endpoints is available via paid services according to some documents.

'“Treasure Map is a vast NSA campaign to map the global internet. The program doesn’t just seek to chart data flows in large traffic channels, such as telecommunications cables. Rather, it seeks to identify and locate every single device that is connected to the internet somewhere in the world—every smartphone, tablet, and computer—”anywhere, all the time,” according to NSA documents.”'-The Intercept

https://theintercept.com/document/2014/09/14/treasure-map-presentation/

From the above link you can download the Treasure Map pdf and look for Toygrippe on page ~16 to see the various ways it works. That was in 2014 so it has probably been upgraded or duplicated by open source security companies. I doubt that there are infinite VPN end points and they can be traced.

Next to tagging by ISPs

EFF:

“Late in 2016, the FCC passed rules to protect your privacy from invasions by your ISP. The rules—which prohibited things like selling your personal information to marketers, inserting undetectable tracking headers into your traffic, or recording your browsing history to build up a behavioral advertising profile… The telecoms’ lobbying relied on easily disprovable myths that also echoed the rhetoric they offered during the debate on net neutrality. (In particular, the incorrect claims that the Federal Trade Commission (FTC) would be an adequate safeguard and that companies are unable to compete under the current laws). EFF provided a memo to congressional staffers to rebut these misconceptions. Despite the obvious benefit the rules provided, in March, Congress rushed through and passed S.J.Res.34, which overturned the hard-won protections issued by the FCC the previous year…” EFF January 2018

The situation has not gotten any better with the USA’s new president. The tracking headers are probably the old Verizon and At&t super cookie on steroids.

You can just google ISP tracking and find volumes of information on those old X-UIDH or UIDH

“The Unique Identifier Header or UIDH is a digital identification technology consisting of a unique identifier of about 50 letters, numbers and symbols that can be used to track a user's Internet browsing. Much more efficient than the cookie…” -Wikipedia fr

and

“..X-UIDH[33][34][35] Server-side deep packet insertion of a unique ID identifying customers of Verizon Wireless; also known as "perma-cookie" or "supercookie"” -Wikipedia

https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

UIDH trackers from techdirt

https://www.techdirt.com/articles/20150115/07074929705/remember-that-undeletable-super-cookie-verizon-claimed-wouldnt-be-abused-yeah-well-funny-story.shtml

ISP tracking:

“Your ISP tracks your clicks for a number of reasons. For them, your browsing history is a revenue stream. Many ISPs compile anonymous browsing logs and sell them to marketing companies. Some Internet providers are even moving to make privacy a premium add-on, using your Internet history to market to you in much the same way websites do, unless you pay an additional monthly fee. What’s more, the data your ISP collects may be accessed by outside organizations, such as the police department or another government agency. If provided with a subpoena, your ISP is legally required to provide whatever information they have on you.”-Privacypolicies

https://privacypolicies.com/blog/isp-tracking-you/

Internal ISP methods of tracking:

stackexhange

“Many ISPs have recently been creating their own private subnets between your router and the WWW. Recently an ISP stated this is for IPv4 addressing issues, such as running out. So, they have placed their private subnet right outside the router leased to the customer. Which, not to create a panic, means they could technically monitor anything they want, http or https. The average customer isn't looking for this. Just to point out…”-stackexchange

https://security.stackexchange.com/questions/107065/what-information-can-my-isp-see-when-i-visit-a-website

I think both Cassandra and Clive Robinson have a good handle on this tracking stuff. I would not discount their comments.

Sure, RDP and VPNs are a help but I wonder about newer capabilities of ISPs and TLAs. What is necessary to prevent them from spying on customers? These newer laws relaxing ISPs sale of customer history is concerning and getting worse.

I am no expert at deep packet implants so I will leave it to some experts in a higher paygrade. Maybe the EFF or Bruce S. could be of help.

Last, someone commented on my handle and some spammer that has been here for over two weeks. If you look through this blog you will find the story to its origins. There is no mystery in that number. Further, I and my wiser half [larger headed half] are no Sir John Gielgud and will have English mistakes through the posts. You can recognize my posts by the poor English. We are also not the majority like Sancho P and feel the grip of TLAs and their surveillance power. I am strongly for internet privacy and do support the EFF.
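The X-UIDH "perma-cookie" discussed above was found by comparing what a client sent with what a server received. As an added example, not part of 65535's comment or of any cited source, here is that comparison in code. Both raw requests, the hostname and the injected header value are constructed for the example; the only header name taken from the page is X-UIDH.

```python
"""
Detecting ISP header injection (added example, not from the original
comment). The method: send a request to a server you control and diff the
headers the client wrote against the headers the server received. Both raw
requests, the hostname and the injected value are constructed here.
"""
from typing import Dict, List, Tuple

# Header names reported as carrier tracking identifiers; the page mentions
# X-UIDH. The detector does not depend on this set, it only labels results,
# so an unknown injected header is still reported.
KNOWN_TRACKING_HEADERS = {"x-uidh"}


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request into (request line, [(name, value), ...]).
    Names are lower-cased; duplicates are kept in order."""
    lines = raw.split("\r\n")
    request_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def injected_headers(sent_raw: str, received_raw: str) -> Dict[str, str]:
    """Headers present at the server that the client never sent.
    Compared as (name, value) pairs, so a header whose value was rewritten
    in transit is reported as well. Legitimate proxies also add headers
    (Via, X-Forwarded-For), so the output needs a human or an allow-list."""
    _, sent = parse_request(sent_raw)
    _, received = parse_request(received_raw)
    sent_pairs = set(sent)
    return {name: value for name, value in received if (name, value) not in sent_pairs}


def classify_injection(added: Dict[str, str]) -> Dict[str, str]:
    """Label each injected header as a known tracking header or as unexpected."""
    return {name: ("known_tracking_header" if name in KNOWN_TRACKING_HEADERS
                   else "unexpected_header") for name in added}


# --- constructed probe: what the client wrote, and what the server saw ------
SENT = (
    "GET /echo HTTP/1.1\r\n"
    "Host: headers.example.test\r\n"
    "User-Agent: probe/1.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)
# Same request as logged by the server, with a made-up X-UIDH value inserted.
RECEIVED = (
    "GET /echo HTTP/1.1\r\n"
    "Host: headers.example.test\r\n"
    "User-Agent: probe/1.0\r\n"
    "Accept: */*\r\n"
    "X-UIDH: OTgxNTk2NDk0ADJVquRu5NS5rSbBANlrp13QL7CXLGsFHpMi4LsUHw\r\n"
    "\r\n"
)

if __name__ == "__main__":
    added = injected_headers(SENT, RECEIVED)
    print(classify_injection(added))
```

Two practical caveats: the probe only works over plaintext HTTP, since a network operator cannot insert headers into a TLS stream without breaking it (which is the real reason HTTPS defeats this class of tracking), and the echo server must be one you control, so that the "received" side is not itself rewriting the log.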

WeatherJanuary 22, 2019 12:43 AM

All
Has much happened with IPv6? Looking back through memory it doesn't have NAT. Are you allowed to send it on the Internet? Most kernels have it built in now. Is there an IPv4 to IPv6 translator?

Clive RobinsonJanuary 22, 2019 8:02 AM

@ John,

Sorry for the delay in replying, I've been unable to open this page due to length issues (not all browsers are created equal in magnitude of resources).

You say,

I want to limit the information the ISP gets.

If you take a step or two back to get a higher level view, you will see all you would be doing is "Shifting the problem" from the ISP[1] to the VPN provider.

Look at it this way: a VPN can be seen as a leaky hose pipe with a tap at the end that you connect to the tap on the wall at your home. Your ISP is the tap on the wall and the VPN provider is the tap at the end of the pipe. Apart from what leaks at the tap on the wall, the tap at the other end sees everything that flows along the pipe... So you've not solved the security issue, you've merely moved it downstream to the VPN provider where you have even less control, unless you run your own VPN service at a remote site. Thus to decouple your home IP address you would need a VPN to another VPN, which is in effect an "Onion" process, which can get expensive (which is why some people, where they can, use Tor or mixnets, in some cases to a VPN service provider).

Whilst VPNs are not "Rocket Science" sometimes working out orbital parameters from first principles does feel easier (trust me on this one ;-)

As we know those such as Comcast and other major US ISPs have not been an exactly honest lot since first getting caught adding "PermaCookies", logging DNS requests and just about everything else they could to monetize their paying customers. With one even offering for another 20USD a month not to do it "maybe". Since then in the US at least the hard won privacy protections the FCC had in place are now shredded and blown to the four winds, much to the joy and pure profit of the large ISPs...

However keep in mind quite a few VPN suppliers are just as bad if not worse. One with paying customers was actually selling on other users' bandwidth...,

https://www.cnet.com/news/security-researchers-claim-hola-operates-as-insecure-botnet/

Great for the person buying your bandwidth if they are doing illegal things, because you just became their "cut out" and you had no idea and probably would not have until the FBI sent a 10-20 man SWAT team into your house "not to arrest you but just have a cosy chat" (see current shenanigans with Harold Martin III, oh and the NY DA has done similar intimidation tactics whilst trying to get a software developer to break the law and put a totally illegal back door in his system).

The serious point to note is most VPN suppliers you are going to come across are in extended Five-Eye Nations, thus required by law to keep logs for years. Also as with many "Security Entities" the VPN service providers' own corporate security is likely to not be as good as they are supposedly selling, thus those logs probably won't be that well protected...

You also need to watch out for VPN suppliers who are in effect nothing but fronts for data gathering and traffic re-routing... As a general rule of thumb, where there is a penny to be earned questionably, especially when there is close to zero risk for them, there will always be someone working out how to profit by it. It's what we repeatedly see with "No name China Knock Offs" and "ET phone home" Chinese IoT devices, oh and those of Amazon and other large Silicon Valley corporates' "home assistants" and the like, even that little robot vacuum cleaner with its upward-looking ankle-height cameras...

Don't think I'm trying to denigrate an entire industry, I'm not, but you only have to look at the issues a little bit further out with Certificate Authorities to know that they are "targeted" by attackers of all levels; VPN providers are not really any different. But also in a market with small or only nominal profits you will find "bottom feeders" who will say one thing and do another and you will only find out after the fact, as we have seen with IoT devices. Remember you need an ISP to access the Internet, but a VPN is an extra at around 11USD a month average for the supposedly better VPN providers. The real question is what you get for 130USD/year? It really might not be what you think, and you might get better value for money setting up your own remote "point of presence" via a co-host company that allows you to not just run Linux but have your own mail server etc.

Which brings me onto the point that there are three basic ways you can put a VPN on your computer,

1) The first is you roll up your sleeves and dig into the guts of your OS and network stack and configure it yourself.

2) The second is to use a series of scripts for your OS that you download from various places, configure and run.

3) The third is an application you get from your chosen VPN supplier that supposedly does what is required to the OS and stack for you.

Some people also think --incorrectly-- there is a fourth way such as installing a browser with an inbuilt VPN[2].

The three have a decreasing level of knowledge required by the computer operator to set up. But an increasing level of "trust" that the operator has to give, which can be abused silently behind the operators back.

Thus if you use the third --VPN supplied App-- option you have little or no knowledge of what it does and how any OS patches will affect it.

Also the majority of people going down this route would have no idea of how to test it etc. Oh and likewise of course is the issue of you having to get the app in a secure way to start off with. Which may be harder than you think, then keep it patched and up to date only with legitimate code (often Email is not covered by your VPN which means phishing and other Email/social attacks work, as some bitcoin wallet holders found to their cost recently).

Also most "Paid for" services also require each computer to be licensed in some way which makes the VPN App, which means the VPN supplier has given each of your machines its own special uniquely identifying number... It also means "Billing" so there is financial traceability back to you unless you are quite a bit better than average at financial engineering (that is there are legal ways as well as illegal to operate a financial firewall).

That as they say in the theatre is "The prologue to set the scene"...

@ All,

Now the previous privacy regulations of the FCC have been effectively blown out of the water, the question arises as to how the larger ISPs are going to profit by it. Because the one thing you can bet on is their shareholders will not let them not profit by it, and the law favours the shareholders above everyone else apart from the Government and "Preferential Creditors" such as Banks and Hedge Funds...

The easy way is for them to stop you using VPNs or Tor or other mixnets and anonymity systems. Technically it's very easy to do with traditional VPNs etc because spotting their traffic is easy.

Politically though blocking your access to Privacy Enhancing Technology (PET) systems is for a short while not going to be a good thing to do. However other FCC net neutrality regulations have also been blown out of the water, which gives them an opportunity to coerce you out of using VPNs. The easy way is to "down grade them" in comparison to "Premium Services". Because the majority of their customers will use the same device --PC / laptop / tablet / Smart phone-- to watch movies, listen to music and do the other things that they wish to keep private from their ISP, even if as it is in my case doing research on what ISPs are up to... At some point the user will not turn on the VPN to carry out their private business, and not only will the info get snatched by the ISP logging system, the chances are it will run faster and with less issues. Thus the ISP will build in a "Pavlovian Response" in their customers. It's why I'm frequently seen to make comments that people should have two computers, one for public and one for private activities. It holds valid for all sorts of reasons and activities because it cognitively reinforces an OpSec mind set.

Another trick the larger ISPs have to hand is their relationship to network provision. If your ISP and your VPN provider use the same backbone access provider then they can see traffic moving from your IP into the VPN systems and out again as normal traffic. Remember for some large corporates being an ISP is just a sub-business to being backbone suppliers, likewise VPN services. The point being for the large corporates their major/traditional business is supplying communications; setting up ISPs, VPNs and other customer facing businesses when allowed is just a way to make more profit. It's why they scare the Cable Companies into all sorts of lobbying tactics.

But "Premium Services" also gives the ISP another little trick which is "telemetry" to "grab and tag" your network traffic by. In effect since MS and others are spying on users' privacy "to improve the service" this allows the larger ISP to have an application on your device for accessing "Premium Service" that also "ET phones home" with all your IP Addresses etc of other traffic passing through the network stack "to improve the service". If you think back to CarrierIQ and mobile phones from US service providers you can see that at least one of those involved with that debacle is also an ISP.

There are several other tricks they can do along those lines, and that will happen as large ISPs try to force you into their walled gardens just like early providers such as AOL did back in times past. It's the kind of mental model marketers work on, put simply "If they don't own you they are leaving money on the table" and shareholders don't like that and the law is on their side not you as a customer, so you can guess who calls the shots at director level.

But even then there are some technical tricks they can pull to get information without having to get any closer to your computer than their router that your home router talks to.

As I've mentioned before there are "instances" of attacks that fall into "classes" of attack, and as a "defender" you need to make your defense plans against "classes" not "instances". So I'm only going to talk about "classes" of attack.

I've also mentioned in the past "Security-v-Efficiency", where as a general rule of thumb the more efficient you make a system the less secure it is. The usual argument I give is about "time based side channels" that allow attackers to see a process executing by its cache behaviour, thus determine encryption keys. I've also talked about how "efficiency" makes systems "transparent". The classic example of this was Matt Blaze and his students sending secret information from a PC keyboard microcontroller, through the PC and out onto the network just by "jittering" the time the keyboard sends a key press into the computer.

What I've also talked about in the past is how "outputs" become "inputs" due to "error and exception" processes. And also how security devices like Data Diodes can also be attacked from the down stream side, to be used to send signals back upstream in the reverse direction in a Data Diode.

Most people developing software have a great deal of trouble getting their heads around this issue because they've been taught more or less from day one that things move from "data sources" on the left of the page, through the process in the middle of the page, to "data sinks" on the right hand side of the page. It's also not helped by the way Claude Shannon's information theory describing transmission channels is taught.

Remember as I've pointed out with "transducers" such as speakers being used as microphones and microphones being used as speakers, DC motors/generators and LEDs being used as photo detectors as well as photo emitters, many things work in both directions even though in our heads they are not supposed to...

Some one who is not constrained by such thinking is also likely to be able to "think hinky" and have the abilities to make things work in reverse etc.

All a VPN is, is "A Shannon channel inside another Shannon channel down which confidential information --you wish to keep private-- flows". That is from your computer to your intended destination. However all along the way is "error correction" for both Shannon channels, and importantly any error or exception that affects the outer Shannon Channel affects the inner Shannon Channel and in turn the flow of confidential information. Thus if your ISP deliberately adds timing jitter to your computer's outbound packets at their router, you can not see it. However they can see the timing changes on any traffic that comes out the other side of the VPN going off to your intended destination. They can do this attack in both directions and with care all you would see is long latency on your VPN usage.

It is a simple attack but requires the ISP to see the network at both sides of the VPN to make it work easily. Which makes this simple attack only available to major US and EU telcos and a limited number of National SigInt agencies. However what it does is start getting you to see is that both the ISP and VPN providers can do "Man in The Middle" attacks by using timing side channels, which VPNs were never designed to mitigate on their own.

But ask yourself what else VPNs were never designed to mitigate, bearing in mind they were only originally designed for data confidentiality not service or user anonymity.

Well, they were certainly never designed to stop meta-meta-data. One aspect is "service signatures", that is different services behave in different ways that can easily be seen in packet length and timing. And yes people have looked into it,

https://www.researchgate.net/publication/316041873_Identifying_Users_by_Network_Traffic_Metadata

But as important as service timing information is in normal operation, ask yourself about how services handle errors and exceptions and the different types of signalling involved. Put simply, it's not that difficult to "fingerprint" major services through VPNs from single user computers under both good and bad usage.

But is there anything else to be gained? For instance look up how "ping" works, then look at what would happen if your service provider decided to change the MTU or even just fragment your packets going to the VPN service? And how these would get reported back to your computer or in the other direction to the service you are using...

There is a whole gnarly little world hiding in there and not all VPNs work in a way that would stop information leaking due to them.

There are a whole bunch of other attacks that can be tried to "fingerprint services" a user is connected to; often knowing the user's details --through billing etc-- can quickly strip away any service anonymity, which leaves open other correlation techniques.

Remember from the ISPs point of view "user content" is still "untouchable" but "user meta-data" is fair game 24x365.25...

[1] Not everyone calls them ISPs, for instance the FCC’s term of choice is BIAS (“broadband Internet access service”). Which to me has a certain irony about it.

[2] DO NOT make the mistake of thinking that applications like Web Browsers with "built in VPN" is a real VPN, it's probably not. Mostly the protection is only for the traffic from that application, that is only some of your traffic and traffic not covered can leak meta-data about traffic that is. The reason for using such a built in is either to hide the geo-location or user end routing of just the browser traffic (which can mean that your ISP sees your DNS requests and all sorts of traffic from the OS and other applications).
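The jitter attack described above (delay packets at the ISP's router on the way into the VPN, look for the same delay pattern on the flows leaving the VPN) is usually called flow watermarking. As an added example, not part of Clive Robinson's comment, here is a simulation of it in code, together with the egress-side shaping defence that removes it. All traffic is constructed: inter-packet gaps in milliseconds drawn from a fixed-seed random generator; the delay, jitter and threshold values are illustrative choices, not measurements of any real network.

```python
"""
Flow watermarking by injected timing jitter (added example, not from the
original comment). An ISP that can delay packets on the way into a VPN and
observe flows on the way out can tag a flow with a delay pattern and find
the same pattern on the far side, despite the encryption. Everything here is
simulated: gaps in milliseconds, a fixed random seed, constructed flows.
"""
import random
from statistics import mean
from typing import List, Optional, Sequence

PACKETS = 200
MARK_DELAY_MS = 20.0       # extra delay the ISP adds to the chosen packets
MAX_JITTER_MS = 5.0        # ordinary path jitter seen by the observer
THRESHOLD_MS = 10.0        # decision threshold, half the embedded delay


def make_flow(rng: random.Random, n: int = PACKETS) -> List[float]:
    """Constructed application traffic: gaps uniformly 20-40 ms."""
    return [rng.uniform(20.0, 40.0) for _ in range(n)]


def choose_pattern(rng: random.Random, n: int = PACKETS, k: int = 40) -> List[int]:
    """Secret positions at which the ISP will delay packets."""
    return sorted(rng.sample(range(n), k))


def embed_watermark(gaps: Sequence[float], pattern: Sequence[int],
                    delay: float = MARK_DELAY_MS) -> List[float]:
    """Ingress side: add `delay` to the gap before each marked packet.
    The VPN encrypts payloads, not the time at which they are forwarded."""
    out = list(gaps)
    for i in pattern:
        out[i] += delay
    return out


def add_path_noise(gaps: Sequence[float], rng: random.Random,
                   max_jitter: float = MAX_JITTER_MS) -> List[float]:
    """Everything between ingress and egress (VPN server, backbone) adds jitter."""
    return [g + rng.uniform(0.0, max_jitter) for g in gaps]


def watermark_score(observed: Sequence[float], pattern: Sequence[int]) -> float:
    """Egress side: mean gap at marked positions minus mean gap elsewhere.
    Near the embedded delay for the tagged flow, near zero for any other."""
    marked = set(pattern)
    on = [g for i, g in enumerate(observed) if i in marked]
    off = [g for i, g in enumerate(observed) if i not in marked]
    return mean(on) - mean(off)


def find_tagged_flow(flows: Sequence[Sequence[float]], pattern: Sequence[int],
                     threshold: float = THRESHOLD_MS) -> Optional[int]:
    """Index of the egress flow carrying the watermark, or None."""
    scores = [watermark_score(f, pattern) for f in flows]
    best = max(range(len(flows)), key=scores.__getitem__)
    return best if scores[best] >= threshold else None


def reshape_constant_rate(gaps: Sequence[float], interval_ms: float = 30.0) -> List[float]:
    """Shaping defence at the VPN egress: every gap forced to one interval,
    which destroys the timing channel the watermark lives in (at a cost in
    latency and, with padding packets, bandwidth)."""
    return [interval_ms] * len(gaps)


def simulate(seed: int = 7, decoys: int = 5, tagged_index: int = 2):
    """One tagged flow among `decoys` untagged ones; returns what the
    observer finds before and after shaping, plus the per-flow scores."""
    rng = random.Random(seed)
    pattern = choose_pattern(rng)
    flows = [make_flow(rng) for _ in range(decoys + 1)]
    flows[tagged_index] = embed_watermark(flows[tagged_index], pattern)
    observed = [add_path_noise(f, rng) for f in flows]
    found = find_tagged_flow(observed, pattern)
    shaped = [reshape_constant_rate(f) for f in observed]
    found_after_shaping = find_tagged_flow(shaped, pattern)
    return found, found_after_shaping, [watermark_score(f, pattern) for f in observed]


if __name__ == "__main__":
    found, after, scores = simulate()
    print("tagged flow found at index:", found)
    print("after constant-rate shaping:", after)
    print("scores (ms):", [round(s, 1) for s in scores])
```

The score is a crude correlator (40 marked gaps against 160 unmarked), which is enough for a demonstration because the injected 20 ms is far above the simulated path jitter; published watermarking schemes spread much smaller delays over more packets so the mark survives real jitter and stays below the victim's notice. Note also what the simulation takes for granted, and the comment states: the attacker must observe both sides of the VPN, and the defence has to be applied at the egress, after the point where the delay was inserted.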

Clive RobinsonJanuary 22, 2019 11:56 AM

@ Bruce and the usual suspects,

Apparently after pushing the blockchain like a runaway rhino for a couple years, McKinseys has come around to my way of thinking ;-)

Which also is that of others around here for similar reasons...

https://www.theregister.co.uk/2019/01/16/mckinseys_blockchain_warning_irks_crypto_hipsters/

As for the "crypto-hipsters" it's only the second time I've seen the term and lets just say it projects the worst of both...

I will now "duck and head for cover" ;-)

Clive RobinsonJanuary 22, 2019 12:29 PM

HiTech Watch nails Iceman

I fully expect to hear more stories like this in the coming years, until evolution runs its course...

A sous-chef nick named the "Iceman" was a prodigious runner and part time gangland murderer.

For some reason we don't know either he failed to understand what his Garmin GPS enabled watch did or he foolishly thought it would "never happen to me".

He wore the watch for staking out the place he murdered one person at for a couple of times a day for a number of days before hand, and the Garmin faithfully recorded the fact...

https://www.theregister.co.uk/2019/01/19/who_watches_the_hitmen_garmin/

VinnyGJanuary 22, 2019 1:25 PM

@Clive Robinson et al re: billing anonymity - Just a note on this subject. We're all aware that many services that we might want to use to help ensure our privacy and anonymity will require a payment to be made on-line. Obviously, the most anonymous common transfer medium, cash, will not work in that situation :) Conventional credit card accounts require registration to a real person, and are typically used for a variety of purchases over a longish period of time, so those are unsuitable. Cryptocurrency might be an option, however, acceptance leaves much to be desired (among other issues.) It is still possible to buy a widely accepted "gift card" (i.e., VISA or MASTERCARD) for cash, at Walmart and other venues. Typically such cards do not require registration before use. There is, of course, a small premium charged for a gift card. For cases when a one-time registration is required (meaning the user will need to reply to an email,) I have had some success using email accounts in the "mailinator" family. If a registration service is "smart" enough not to accept one of their domain variants, sometimes vendors for legit email services will offer free limited period trials without themselves requiring any real proof of identification. Smartmail, for example, frequently offers a one-week trial, more than long enough for most confirmation processes. There are also some anonymous payment brokers, such as Paygarden, who will accept a CC payment and in return for a fee, transfer a sanitized payment to the vendor of your choice. The rub there is that the vendor must accept payments from that broker, which is usually quite limiting. I should add the usual disclaimer that none of this is foolproof in any absolute sense, positing an adversary with unlimited resources and a strong desire to see what you are doing. And all of this has costs denominated in money, convenience, or both, but in an increasingly nosy world, I'm happy it's still possible to muddy my tracks at all...

bttbJanuary 22, 2019 3:31 PM

More2 on the Trump Moscow project from https://www.emptywheel.net/2019/01/22/rudy-is-relying-on-tapes-to-claim-buzzfeed-is-phony-but-there-arent-tapes-of-everything/ :

Yesterday, I [emptywheel] noted [ https://www.emptywheel.net/2019/01/21/trump-raised-concerns-about-testimony-they-shouldnt-know-is-phony-or-not-with-muellers-office/ ] that Rudy [ Giuliani; President Trump attorney ] could not be sure the Buzzfeed story [ https://www.buzzfeednews.com/article/jasonleopold/trump-russia-cohen-moscow-tower-mueller-investigation ] was phony when Trump’s lawyers called Mueller’s office Friday, because the White House should have no knowledge of what Michael Cohen said in his interviews with law enforcement.

Today, the New Yorker [ https://www.newyorker.com/news/the-new-yorker-interview/even-if-he-did-do-it-it-wouldnt-be-a-crime-rudy-giuliani-donald-trump-robert-mueller-moscow-buzzfeed ] provided Rudy’s latest splutter explaining why he believed he could be sure the story was phony.

[...]

And that’s the basis on which the White House contacted Mueller’s office Friday: Having reviewed everything seized from Cohen’s raid [ April, 2017 in NYC ], including any tapes Cohen made of conversations with Trump, they believed they could assert to Mueller’s office that the Buzzfeed story was not true.

This also explains why Mueller set the bar on Cohen’s allocution where he did. Cohen may well have told Mueller that he believed Trump ordered him to lie. Trump likely did! Certainly, Rudy is not denying that happened. But unless Cohen recorded that conversation — as he did for the hush payments — then Mueller is not going to set himself up to have to prove that. That necessarily partly explains (in addition to the issues I raised here) the difference in how SDNY [ Southern District of New York, a Federal Court ] allocuted Cohen and how Mueller did. SDNY has tapes, courtesy of Cohen, of Trump ordering him to pay off his sex partners; Mueller does not have tapes, courtesy of Cohen, of Trump ordering Cohen to lie to Congress.

That said, Rudy still should have no basis for asserting what Cohen has said to one or another law enforcement agent. While it’s not clear what Cohen’s status was at various times of this process, he would only have been recorded by the FBI if he was in custody. And the White House should not have his 302s (nor might they have all the other materials from others who have been interviewed, though admittedly would have lot from having done Trump Organization’s document production and being in a joint defense agreement with most of the relevant people).

One more thing: The degree to which Rudy emphasizes that Trump would not have reached out to Mueller’s office makes me believe we’re shortly going to learn he did reach out to Big Dick Toilet Salesman Matt Whitaker [ Acting United States Attorney General ] ..."

WeatherJanuary 22, 2019 5:48 PM

Win 2k3 DNS server has a byte overflow in the cache.
When you request an address it runs the name through a basic hash, and stores that in a block in heap.
If you have different names but the same hash it increments a counter up to 7, but tests for greater than 8; if the server receives a different name hash the counter gets set to zero and a new heap block gets allowed.
Each malloc in windows has two dwords at the bottom of the block, one a pointer; by making it 8 it overflows the pointer.

Clive RobinsonJanuary 22, 2019 11:42 PM

@ VinnyG,

And all of this has costs denominated in money, convenience, or both, but in an increasingly nosy world, I'm happy it's still possible to muddy my tracks at all...

There is another way, which whilst it has costs is generally a "no questions 'ever' asked" scenario.

Under most Western originating legislative systems there is a convenient fabrication of a "legal entity" or as they say in European legislation "Any person legal or natural". A company, especially a limited liability partnership (LLP), is allowed to hold bank accounts and other financial accounts in many jurisdictions. However UK LLPs are a bit of an oddity because they can exist, hold accounts and even have financial transactions but still be declared as quiescent for UK tax purposes, thus not needing to file such transactions. Further, because it's a partnership it does not have "Company Officers" in the conventional sense.

They can also be used to administer amongst other things "trusts" and "off shore accounts" and numerous other financial vehicles.

The result is a partner with the consent of "the partners" can in effect run their financial life through the LLP as effectively an "Off Shore Trust" beholden to virtually nobody. Also the LLP can be the Director of other limited liability companies which own assets like houses, cars, yachts, jets and all the other trappings of life that some aspire to have.

The point being you can in effect own the lot, without being legally attached to it for liability purposes. Such LLPs have frequently been run through London by foreign tyrants, dictators, war lords and other less desirables like executives of near anonymous corporates, all quite legally...

There are quite a few banks in Europe into which you can walk with a bond issued by them on behalf of a Government or other Institution. They will effectively "cash the bond" and hold it in a temporary account so you can then disburse payments. Whilst not an old style "numbered account", pretty much all that is needed is the account "withdrawal book" and a "signature of record"...

It was Euro bonds and the facilities that surrounded them that destroyed "Bretton-Woods" and paved the way to our current economic mess.

https://en.m.wikipedia.org/wiki/Bretton_Woods_system

Gerard van VoorenJanuary 23, 2019 1:18 AM

@ Thoth,

About Google Chrome, the argument of "you have got to make a buck" has completely got out of hand and that is because of the furious competition. Do you remember that the IE guys planted an IE board in the garden of Netscape? And now the same IE guys are going to "borrow" Google Chrome by itself...

Well anyway, there is still Firefox (but don't look at the term "mozilla" in about:config, because that could scare you off). And there is also Iridium, a German based Chrome version without any (at least they try) trails to Google.

That's about it, I think of what you can do to "ungoogle (or better: unGAFAM) yourself" in the Browser. Except you can always turn down JS (but today that becomes pretty unusable by its own) and you can turn off cookies.

Gerard van VoorenJanuary 23, 2019 1:33 AM

@ Thoth,

"France has decided to issue an official Cyber War openly."

I have an issue with that. How come it is *almost always* that the offense gets a much larger sum than the defense? I think it is because of ... well, you can figure that out on your own.

For instance, why is almost every party involved with Microsoft cr*p, even today? Almost all aspects of a Microsoft product have got an equally good or much better equivalent. I still remember (in the Win 7 days) that when I opened a zip file from MS it took way longer than that from gzip in Linux. So, why does everybody still use Microsoft? Beats me, but the financial savings of not using MS could have been huge.

CallMeLateForSupperJanuary 23, 2019 6:57 AM

8 Jan 2019
"T-Mobile, Sprint, and AT&T are selling access to their customers’ location data, and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country."

article: I Gave a Bounty Hunter $300. Then He Located Our Phone
https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile

-----------------------------
10 Jan 2019
article: AT&T to Stop Selling Location Data to Third Parties After Motherboard Investigation
https://motherboard.vice.com/en_us/article/nepab8/att-stop-selling-location-data-tmobile-sprint-microbilt-zumigo


-----------------------------
11 Jan 2010
article: Google Demanded T-Mobile, Sprint to Not Sell Google Fi Customers' Location Data
https://motherboard.vice.com/en_us/article/d3bnyv/google-demanded-tmobile-sprint-to-not-sell-google-fi-customers-location-data


-----------------------------
18 Jan 2019
"The Senator expressed 'disappointment' and 'disbelief' at CEO John Legere’s unfulfilled promise to end the sale of geolocation data to 'shady middlemen.'"

article: Senator Wyden Hammers T-Mobile For Empty Promises on Sale of Cell Phone Location Data
https://motherboard.vice.com/en_us/article/d3mgkv/senator-wyden-hammers-t-mobile-for-empty-promises-on-sale-of-cell-phone-location-data


*****************************************************
This resembles the "carder" and "credential stuffer" businesses. They are illegal.

The telcos sell their customers name, address and REAL-TIME geographic location to "aggregators" and throw some terms of service at them. Telcos don't audit their customers' use of that data.

The aggregators turn around and sell access to that data to others.... with TOS, of course, that they fail to enforce.

And on and on, aggregator to aggregator. And the name, address and current location - that would be *your* data - are passed down the line just like an "easy" girl at a frat. kegger. Well, except *she* knows about the abuse while it is happening, but *you* do not know when your telco abuses you.

And it's all legal in the U.S. Once again we see that letting businesses control themselves begets ... trouble.

VinnyGJanuary 23, 2019 8:34 AM

@Clive Robinson re: LLPs - Interesting, but usefulness would seem to be on an entirely different scale. I suspect one would need 5MM USD, maybe 10, to shield before this would be a practical alternative? Also, isn't the immunity more financial than legal, and more dependent on legal precedent than zero knowledge on the part of the accuser? I don't see that as viable for someone who just wants to anonymously pay for some individual security service, or purchase an OpenWRT router to replace or supplement what was provided by the ISP. I'm not impoverished, but I don't have that kind of money to allocate...

VinnyGJanuary 23, 2019 8:54 AM

@ Gerald Van Vooren & Thoth re: browsers - I am currently reluctantly using a FOSS browser named "Cliqz" that is based on Mozilla. They are upfront about selling data, but claim to do so only in aggregate, after scrubbing PI. I have no way to confirm that, but my (thin) reasoning is that an entity that admits to this conduct is less likely to be hiding more nefarious behavior. Cliqz does have some data sharing defaults that I don't care for, but which I can opt out of, and works with Ghostery for ad blocking. Ghostery itself needs to be reconfigured from defaults to be maximally effective. A year or so ago I was done with Firefox (and Seamonkey) because Mozilla had stopped supporting my chosen ad-blocking and privacy add-ins. I was looking at viable text-only browsers, and seriously considering coding my own (I don't use a lot of on-line multi-media stuff, and could live without what I do use.) Cliqz is far from perfect, but so far it has worked adequately for me, and I don't see any ads...

Clive RobinsonJanuary 23, 2019 12:12 PM

Fully Bi-deniable Interactive Encryption

This slipped out on the penultimate day of last year so got missed I guess,

https://eprint.iacr.org/2018/1244.pdf

However at 250 pages, the paper by,

    Ran Canetti, Sunoo Park and Oxana Poburinnaya

Is not a light read... However the subject of bi-deniable encryption systems is an important one, and has been considered an Open Question for a couple of decades or so in the academic community (probably more like a century elsewhere). As crypto moves out of the shadowy worlds of espionage, diplomacy and warcraft to every day life, beyond that of commerce to that of human rights defenders, journalism and the odd smarter than average criminal, various forms of deniability become highly important. That is, when people become subject to the ministrations of the investigating guard labour and judiciary with potentially life altering if not terminating consequences, deniability in many forms becomes ever more important, especially where the likes of plea deals and states evidence are used as inducements to give rise to what often is factually misrepresented or falsified information.

From the paper's intro,

    While standard encryption guarantees secrecy of the encrypted plaintext only against an attacker that has no knowledge of the communicating parties’ keys and randomness of encryption, deniable encryption [Canetti et al., Crypto’96] provides the additional guarantee that the plaintext remains secret even in face of authoritative entities that attempt to coerce (or bribe) communicating parties to expose their internal states, including the plaintexts, keys and randomness. To achieve this guarantee, deniable encryption is equipped with a faking algorithm which allows parties to generate fake keys and randomness that make the ciphertext appear consistent with any plaintext of the parties’ choice.

In the case of most standard symmetric encryption algorithms and modes this is a difficult if not impossible thing to do.

However in the case where key expansion encryption algorithms are not used, it's almost trivial, which makes it easier to show the various forms of deniability can be achieved.

That is the example of a stream cipher where the bits are not generated by a symmetric crypto algorithm or deterministic bit selection process. One such is the One Time Pad where each bit of the Key Stream is selected by a non-deterministic method with near unbiased statistical properties.

When each bit of the plaintext is XORed with the corresponding bit of Key Stream,

Ciphertext = Plaintext xor KeyStream

The ciphertext result to a third party external observer is effectively as indistinguishable as an equivalent length of nondeterministic Key Stream. Thus inverting the argument gives rise to the result of "For any given ciphertext, all plaintexts of the same length are equiprobable".

That is the important result that,

    Any Key Stream the same length as the ciphertext could give a valid but entirely different message.

As Key Streams are never sent "over the air" and should be destroyed immediately after the message is enciphered by the sender and after the message has been deciphered by the recipient, there should be no way for the investigating guard labour or judiciary to be able to say which of any ciphertexts matches any messages a suspect at either end has, other than by the message length, which can easily be avoided [1]. However for deniability having Key Stream around that produces "innocent / duress messages" from the over the air ciphertext makes the investigating guard labour job harder.

Thus for each over the air message two key streams are required, one to give the correct message and one to give the duress message; a little thought indicates why that is not possible.

What you have to do is send the duress / innocent message under one Key Stream and a second message that is the difference between the duress message and the real message under a second Key Stream.

However coming up with a crypto algorithm that will generate the equivalent Key Stream and Difference Stream from two short seeds or keys is effectively impossible. That is you have to have the Keys at least as long as the plaintext as you do with the OTP (there is a simplistic proof of this but, darn, no margins when you need them ;-)

But there is a problem, as there is with any symmetric crypto algorithm, which is the need to securely communicate at the very least an initial secret for the two parties to use.

The paper shows amongst other things that this can be done using asymmetric crypto. As well as another form of deniability where each of the first two parties apparently cooperate with the investigating guard labour. However one claims P1 was sent and the other claims P2 was sent; there is no way either party can prove that their version is true.

[1] There are many simple fixes for the message length issue thought up over the years with OTPs, involving standard length blocks, message padding and randomized and out of order sending of blocks.
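The two OTP constructions described in the comment above, worked through in Python as an added example (this is not the commenter's code and not code from the Canetti, Park and Poburinnaya paper). It shows the "faking algorithm" for a one-time pad, where a fake key stream is derived from the ciphertext and any same-length innocent plaintext, and the difference-stream idea, where the duress message goes under one key stream and (duress xor real) under a second. All messages, the padding convention and the use of os.urandom as a stand-in for a non-deterministic key source are constructed for the demonstration.

```python
"""Added example: one-time-pad deniability in Python.

Illustrates two points from the comment above:
  1. Ciphertext = Plaintext xor KeyStream, so for a given ciphertext any
     same-length plaintext has a key stream that "explains" it. A coerced
     party can therefore hand over a fake key stream that opens the
     ciphertext to an innocent message.
  2. The difference-stream construction: send the duress message under
     one key stream and (duress xor real) under a second key stream.
     Revealing only the first key stream shows the duress message; the
     real message needs both.
Messages and key streams below are constructed for the demonstration;
os.urandom stands in for a non-deterministic key source.
"""
import os
from typing import Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, key_stream: bytes) -> bytes:
    """Ciphertext = Plaintext xor KeyStream."""
    return xor_bytes(plaintext, key_stream)


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def fake_key_stream(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Faking algorithm: the key stream under which `ciphertext` decrypts
    to `claimed_plaintext`. One exists for every same-length plaintext."""
    return xor_bytes(ciphertext, claimed_plaintext)


def pad_to(message: bytes, length: int, fill: bytes = b" ") -> bytes:
    """Pad a message to a fixed block length so that length leaks nothing."""
    if len(message) > length:
        raise ValueError("message longer than block")
    return message + fill * (length - len(message))


def send_with_duress(real: bytes, duress: bytes,
                     k1: Optional[bytes] = None,
                     k2: Optional[bytes] = None) -> dict:
    """Difference-stream construction.

    c1 = duress xor k1             (opens to the duress message with k1 alone)
    c2 = (duress xor real) xor k2  (the difference, under a second key stream)
    Key streams may be supplied for reproducible tests; otherwise fresh
    random ones the length of the message are drawn.
    """
    n = len(real)
    duress = pad_to(duress, n)
    k1 = k1 if k1 is not None else os.urandom(n)
    k2 = k2 if k2 is not None else os.urandom(n)
    c1 = otp_encrypt(duress, k1)
    c2 = otp_encrypt(xor_bytes(duress, real), k2)
    return {"c1": c1, "c2": c2, "k1": k1, "k2": k2}


def open_duress(c1: bytes, k1: bytes) -> bytes:
    """What a coerced party reveals: only k1, which yields the duress text."""
    return otp_decrypt(c1, k1)


def open_real(c1: bytes, c2: bytes, k1: bytes, k2: bytes) -> bytes:
    """The intended recipient, holding both key streams, recovers the real message."""
    return xor_bytes(otp_decrypt(c1, k1), otp_decrypt(c2, k2))


def demo() -> dict:
    """Run both constructions on constructed messages and report the results."""
    real = b"meet at the old mill at dawn"
    n = len(real)
    # 1. plain OTP, then a fake key that opens the same ciphertext innocently
    k = os.urandom(n)
    c = otp_encrypt(real, k)
    innocent = pad_to(b"love to mum, back on sunday", n)
    k_fake = fake_key_stream(c, innocent)
    # 2. the difference-stream construction
    bundle = send_with_duress(real, b"nothing to report")
    return {
        "fake_opens_innocently": otp_decrypt(c, k_fake) == innocent,
        "duress_view": open_duress(bundle["c1"], bundle["k1"]),
        "real_view": open_real(bundle["c1"], bundle["c2"],
                               bundle["k1"], bundle["k2"]),
    }


if __name__ == "__main__":
    print(demo())
```

The `fake_key_stream` function is the whole of the faking argument: because the ciphertext is uniformly distributed over all strings of its length, nothing distinguishes the real key stream from the fabricated one. The difference-stream half only works because both key streams are as long as the message, which is the point the comment makes about not being able to derive them from short seeds.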

Clive RobinsonJanuary 23, 2019 12:20 PM

Sorry folks, looks like I SNAFU'd an html tag in my above.

That is after,

    Any Key Stream the same length as the ciphertext could give a valid but entirely different message.

It should come back to the standard width, not indent again.

Clive RobinsonJanuary 23, 2019 1:18 PM

@ VinnyG,

Interesting, but usefulness would seem to be on an entirely different scale.

I don't know what scale you operate at ;-)

But a friend who works in a fraud analysis unit of a major bank kind of shocked me by just how little it costs to set up and the annual running costs. His comment was he was surprised that most US Citizens working abroad did not avail themselves of the advantages of LLPs... He pointed out that with a little care the filing requirements were less than for standard US tax forms, and most certainly did not require an accountant...

As for legal / illegal, when it comes to finance the grey zone is large; for instance "tax planning" is quite legal, however doing exactly the same thing but to defraud the tax authorities is not legal... That is, it's not what you do but why you say you are doing it, plus a few bits of sleight of hand.

Look at it this way, a company has a whole load of quite legal tax deductables and write offs that individuals do not get. As long as there is enough of a business functioning to claim it's a company then you get away with it, the rest of the time in effect it's for you to use as you see fit. Oh and if a company does not make much of a profit if any, which many don't during their start up years, then what it pays in tax is likewise not much if any...

It's why hedge fund managers pulling in billions a year can pay less tax than an ordinary working stiff in NY who earns a little over average...

JG4January 23, 2019 10:08 PM


The first link here is for Bob Paddock and Rachel. I usually am very skeptical when people start talking about brain frequencies, but this article seems to be in-line with transcranial magnetic stimulation and the other performance enhancing brain treatment that was discussed. I am not discounting the likelihood of unintended consequences, which are a perennial problem on your planet. Magnetic EEG/ECG-guided Resonant Therapy, or MeRT seems kinder and gentler than electroshock therapy. Or, as Lee Atwater called it, getting "hooked up to jumper cables." I've probably mentioned that he would have been a heavy cell phone user in the 1980's. A sad, but in some ways fitting, end. I'd guess that the new therapy described here doesn't cause electroporation, but electroconvulsive therapy might.

Zap: How Electric Therapy Is Curing Navy SEALs of PTSD … And Could Remake Brain Science
https://www.defenseone.com/technology/2019/01/zap-how-electric-therapy-curing-navy-seals-ptsd-and-could-remake-brain-science/154301/?oref=d-topstory
...
Your dominant frequency is how many times per second your brain pulses alpha waves. “We’re all somewhere between 8 and 13 hertz. What that means is that we encode information 8 to 13 times per second. You’re born with a signature. There are pros and cons to all of those. If you’re a slower thinker, you might be more creative. If you’re faster, you might be a better athlete,” Won says.
...

The usual daily compendium.

https://www.nakedcapitalism.com/2019/01/links-1-23-19.html
...

Drone sighting disrupts major US airport BBC
...

Big Brother is Watching You Watch

I Tried to Block Amazon From My Life. It Was Impossible. Gizmodo. Important. Also notice family dependence on Alexa.

China reportedly made an app to show people if they’re standing near someone in debt — a new part of its intrusive ‘social credit’ policy Business Insider (Kevin W)

DHS Issues Security Alert About Recent DNS Hijacking Attacks ZDNet

Wow, fancy that. Web ad giant Google to block ad-blockers in Chrome. For safety, apparently The Register (Kevin W)
...

65535January 23, 2019 11:09 PM

@ CallMeLateForSupper

“18 Jan 2019… "The Senator expressed 'disappointment' and 'disbelief' at CEO John Legere’s unfulfilled promise to end the sale of geolocation data to 'shady middlemen.'”- CallMeLateForSupper

I was surprised cell phone companies' CEOs were lying to a US Senator. That is rank and dishonest behavior. I saw the motherboard items a little while ago and felt sick. That is horrible. I made short comments.

https://www.schneier.com/blog/archives/2019/01/security_vulner_19.html#c6787608

and

https://www.schneier.com/blog/archives/2019/01/friday_squid_bl_656.html#c6787500

VinnyGJanuary 24, 2019 10:01 AM

@Clive Robinson @bideniable interactive encryption - I've only read the intro so far (I will get around to the rest, given time) but the goal seems quite familiar. Not too long after the time of the Canetti paper, there was a gent in your neck of the woods named Peter Fairbrother, who claimed to be a highly skilled mathematician. Fairbrother was proposing a system that could translate secure, two-way text communications into plausible, but incorrect, alternative documents via steganography. The project was called "moot" and it had a web site m-o-o-t.org (original proposal and initial discussion was on Usenet.) After a few months of discussion, Fairbrother claimed he had refined the technology, but was unwilling to deploy it (or release the design details and code) until/unless RIPA-3 was enacted/enforced in the UK. Fairbrother continued to post intermittently on the subject for a couple more years, then vanished from public view. The site was around several more years, and the content on a different site even longer; for all I know, it may still be up somewhere. I don't know if Fairbrother was "got to," if he was a charlatan and his design was worthless from the get-go, or whether the deployment method - he intended to have the data repositories and services distributed to different sites internationally (I seem to recall Bahamas mentioned specifically) - in what today we would call the "cloud" was infeasible. I'm pretty sure I've mentioned moot on this blog in the past; I apologize for any unnecessary repetition.

Rach ElJanuary 24, 2019 1:06 PM

Clive in the yellow vest

'You also need to watch out for VPN suppliers who are in effect nothing but fronts for data gathering and traffic re-routing'

Hotspot Shield by Anchorfree

The T&C / EULA explicitly spells it out, if one bothers to read them

Clive RobinsonJanuary 24, 2019 2:35 PM

@ VinnyG,

Peter Fairbrother... The project was called "moot"

Yup our host @Bruce got asked for comment by the UK New Scientist magazine over it,

https://www.newscientist.com/article/dn2335-anti-snooping-operating-system-close-to-launch/

I was never entirely sure what moot was all about. Nor do I think anyone else was either.

Both @Nick P and myself have had frequent discussions about putting secure storage out of jurisdiction and importantly came up with a way where a user could demonstrate to a court that they had no access to the keys that the system used, so could not hand them across to a judge even if they wished to.

On another aspect of this there has been an article about using an AI system to encrypt information into the moves of a realistic chess game. Thus the question arises: can an AI likewise encrypt information into the words and sentences of a realistic letter "home to mum" etc.? I rather suspect it can; thus it would be somewhere between encryption and non graphical steganography.

I remember back at the turn of the century getting annoyed about "digital watermarking" and its failings because it was independent of the media it was watermarking. Thus I started investigating the idea of using fractal image compression and the digital equivalent of Direct Sequence Spread Spectrum modulated with a signal. It showed initial promise but I got bogged down in other things[1] and had more or less forgotten about it nearly two decades later.

Surprising to many is just how much redundant information there is in images, and in fractals as well. Together there is great opportunity to hide information out of sight in a way that other algorithms for detecting stego or digital watermarks won't be able to recognise.

Any way it's water long long under the bridge and way out to sea by now.

[1] Not least of which was trying to recover from being nearly killed by an attacker who karate kicked my head into a street sign pole and the cognitive impairment it and the PTSD caused.

Clive RobinsonJanuary 24, 2019 3:07 PM

@ Rach El,

I vaguely remembered "hotspot" for some reason, so did a quick google for their terms page. Which google responded to without problem. However it's on the "5ecret 541t l15t" of the mobile service supplier (Vodafone UK). They have two lists: one produces an "adult services" message that you can get lifted by proving you are some kind of insensible adult by flashing your credit card at. The second is one that works just the same way as The Great Firewall of China: it slaps an RST out the nanosecond it realises your request, which makes the browser display a "you are off line" message faster than you can blink. So they are for whatever reason preventing access to a VPN that people might need for their own safety. I'm assuming that Vodafone UK don't have the "tener cojones" so it is instigated from some part of the UK Gov. As I know some Vodafone UK staff read this blog, perhaps they would care to comment...

Anyway as I could not get to the "terms" I went and read this instead,

https://www.zdnet.com/article/privacy-group-accuses-hotspot-shield-of-snooping-on-web-traffic/

And yup what a bunch of...

Simple advice to people "give this one a miss folks" especially as it leaks other user information over unencrypted links...

Rach ElJanuary 24, 2019 5:37 PM

Hallo Clive
Thank you!
Ah, I remember those pages in the UK. Slashdot gets one in France

Hotshield

T & C

https://www.hotspotshield.com/terms/

Whilst still offensive, I can't find the passages that were as incriminating as I recall. They did say, explicitly, to the effect of
'All your stuff belong to us. We give it everyone. You do nothing.'


Their longevity is slightly surprising, and unfortunately they are one of the better known ones. Honey pot.

Clive RobinsonJanuary 25, 2019 8:44 AM

@ JG4 and others,

The subject of TEL anti-pinking agent in petrol that has been associated with low level lead poisoning in urban environments has come up before as a security issue.

Specifically violent crime that rose and fell with the use of TEL with an appropriate time lag.

Well lead is still in urban soil because of it and other non industrial use contamination. And yes it appears to make wild life more violent...

https://www.eurekalert.org/pub_releases/2019-01/maf-mtr012319.php

On another note Alzheimer's is not a pleasant way to die, and although there is disagreement about the percentage of the population that will get it in future years, it would appear one third of us were on track to suffer, with up to 50% of over 85 year olds having some form of dementia. There are two basic types of Alzheimer's, early onset and late onset, with the numbers of the latter rising as the average age increases.

Well maybe not for late onset, recent research has concluded that it is caused by the gingivitis bacteria that in the mild form causes gums to bleed when you brush your teeth,

https://www.newscientist.com/article/2191814-we-may-finally-know-what-causes-alzheimers-and-how-to-stop-it/

And if you want to try and avoid the possibility,

https://www.newscientist.com/article/2191842-gum-disease-may-be-the-cause-of-alzheimers-heres-how-to-avoid-it/

CallMeLateForSupperJanuary 25, 2019 9:29 AM

@65535
"I was supprised cell phone company's CEOs were lying to a US Senator."

I don't think that it can be said that Sprint lied. Sprint promised something, and 6 months(?) later had not delivered. That's disingenuous or slow-walkin', at best, but not necessarily lying. I think no "fix by" date was claimed. "That's how they get you."

bttbJanuary 25, 2019 11:17 AM

1) tl;dr Regarding the Roger Stone indictment from https://twitter.com/neal_katyal :

"Neal Katyal @neal_katyal
Neal Katyal Retweeted Donald J. Trump

A simple 3 step guide to understanding the morning’s news:
1. Read tweet below
2. Read Mueller indictment of Roger Stone [ https://www.justice.gov/file/1124706/download (about 25 pages) ]
3. Ask yourself why a sitting President of the US would have felt compelled to tweet the below. At some point, # of criminals surrounding Trump not coincidence

Neal Katyal added,
'Donald J. Trump
Verified account @realDonaldTrump
“I will never testify against Trump.” This statement was recently made by Roger Stone, essentially stating that he will not be forced by a rogue and out of control prosecutor to make up lies and stories about “President Trump.” Nice to know that some people still have “guts!”'

2) otherwise:

https://www.emptywheel.net/2019/01/25/mueller-plays-hardball-with-roger-stone/

https://www.emptywheel.net/2019/01/25/reading-rogers-indictment/

bttbJanuary 25, 2019 11:49 AM

Security and 30 overruled, previously rejected, top-secret applications from https://www.nbcnews.com/politics/donald-trump/officials-rejected-jared-kushner-top-secret-security-clearance-were-overruled-n962221

"WASHINGTON — Jared Kushner's application for a top-secret clearance was rejected by two career White House security specialists after an FBI background check raised concerns about potential foreign influence on him — but their supervisor overruled the recommendation and approved the clearance, two sources familiar with the matter told NBC News.

The official, Carl Kline, is a former Pentagon employee who was installed as director of the personnel security office in the Executive Office of the President in May 2017. Kushner's was one of at least 30 cases in which Kline overruled career security experts and approved a top-secret clearance for incoming Trump officials despite unfavorable information, the two sources said. They said the number of rejections that were overruled was unprecedented — it had happened only once in the three years preceding Kline's arrival..."

VinnyGJanuary 25, 2019 12:27 PM

@Clive Robinson re: (bi)deniability - unfortunately, like much else in security and privacy, the practical usefulness of even an airtight bideniability scheme will likely come down to the identity of your adversary, and how badly they want your information. If an "intelligence" service of any of probably a dozen or more nation-states (including all of the five-eyes) decides that you have information that they critically and urgently need, and "conventional" methods of extracting it from you have failed, they are just going to use "extraordinary" methods of persuasion on you in some gulag or foreign soil prison camp until you cough up something with which they are satisfied. In such a circumstance, giving them plausible decrypted info that demonstrably comes from the encrypted info they provided won't do you a bit of good unless it overcomes their skepticism and meets their expectations, whatever those might be.

JG4January 25, 2019 8:59 PM


@Clive - Thanks for the Alzheimer's link. Somehow I found it very early yesterday morning and circulated it to the usual suspects. I generally am excited to apply my skills, such as they are, to biomedical pursuits.

https://www.nakedcapitalism.com/2019/01/links-1-25-19.html
...

Big Brother Is Watching You Watch

Amazon Can’t Fix Facial Recognition Cathy O’Neil, Bloomberg. “[T]he whole ecosystem of artificial intelligence is optimized for a lack of accountability.” That’s not a bug. It’s a feature.

New technology uses lasers to transmit audible messages to specific people Phys.org. What could go wrong?
...

WaelJanuary 25, 2019 9:17 PM

@JG4,

New technology uses lasers to transmit audible messages to specific people Phys.org. What could go wrong?

Ummm... let's see: absolutely nothing! In fact it could be beneficial for the myopic eye, see! ;)

Clive RobinsonJanuary 26, 2019 1:58 AM

More Bad Forensics

Some of you know I very much question the notion that "good science" has anything to do with forensics. In fact I've said forensics works the wrong, very unsound way, from effect to cause, and that science for very good and sound reasons works from cause to effect.

However prosecutors and those working in the DoJ think that an entirely factually unsupported examiner's "intuition" should be reason enough to convict a person.

Further, prosecutors go "opinion shopping" to get "intuition" that matches their career prospects, deny conflicting or disproving evidence to the defence and generally behave in ways quite contrary to not just good justice, but justice at all.

I'm not the only one; various credible reports and investigations have shown that many forensic claims are not just of little worth, they are effectively thought up by people who can not show actual fact, just their unsupported opinion based on intuition, that they know is favourable to the prosecution, which of course will progress both careers.

We have prosecutors arguing that because we have done things that way for fifty years we should carry on that way. Perhaps he should consider that we used to beat children to the point of permanent scarring for a lot longer than that in the name of justice, yet we don't do that now; perhaps he should consider why.

Any way all that and more,

https://www.nbcnews.com/news/us-news/we-are-going-backward-how-justice-system-ignores-science-pursuit-n961256

@ JG4,

Thanks for the Alzheimer's link.

That's alright, and thank you in return for your links.

Clive RobinsonJanuary 26, 2019 5:09 AM

@ Rach El,

Their longevity is slightly surprising, and unfortunately they are one of the better known ones. Honey pot.

My viewpoint on "VPNs" is both good and bad[1] but as far as they go they are the best we've got for data privacy, but not identity privacy[2][3].

As for service privacy, as an individual I'm not to fussed if anyone has a secret fettish for shiny leather items, or cute fury things that they feel guilty or ashamed about as long as it's not hurting people. That unfortunatly is not the view of the "Total war" types who see every citizen as an enemy of the state, who "collect it all" so that not just every stone but grain of sand can be looked under, not just now but in your entire future, to find those levers and fulcrums that can be used to move the citizens in the desired way. VPNs can not hide the tempo or quantity of traffic thus the fact you are connected to a service that streams etc is fairly easily seen in the VPN traffic. This Traffic Analysis (TA) is generally way more powerfull than people realise and can show future intentions when the person being analysed is not even aware they have them.

But TA is very resource intensive, it's something you need to do on an industrial scale if you want to find "thought/pre-crime" in the population in general. Thus even for major "see all" telcos TA is not something that easily fits in commercial profit models. Not that they really want what TA produces, it's still just a bit too nebulous for marketers (but give them time and friendly legislation...).

The old saw of "There ain't no free lunch" almost always applies, as does "When you sup with the Devil, use a long spoon" when any kind of entity that is not of your "immediate tribe" applies. It harks back to the "Hunter gatherer" phase of mankind's existence, thus either you are hunted as prey or the fruits of your labours are gathered to "feed the beast", either way you are not at the apex of the food chain by a long way. When you also consider that entities with morals are derided as much as "unit of work resource" employees these days by the "self entitled", the capitalist mantra is "never leave money on the table". Which means they would not only sell their granny's teeth for the gold, they will be around when you are not looking for yours. Thus your privacy they see as "money on the table" and as we have seen with the major mobile telcos selling of phone location data they figure "What you don't know you won't scream about" so they do their best to stop you finding out...

Thus the logic about any VPN that is not 100% controlled by you is they will profit by you every which way they can... They also know that whilst your privacy has value to you and them, it does not to a US court or arbitration tribunal. Who will at best hand out not even token amounts of compensation (which is why the EU GDPR came as such a shock to most US entities).

As an individual you can thus consider this in your plans. Obviously if you cannot afford your own remote VPN structure you need to consider how to mitigate the down sides of entities you are forced to use but have no real control over.

One way is for a US individual to "chain VPNs", that is you have one VPN on your PC and a different one on your outbound router. The effect is to tunnel your PC VPN traffic through the router VPN to the PC VPN end point. This process denies the router VPN any information other than that it can get from TA and billing information. However because of "billing" the PC VPN sees you and your PC traffic. The only way to stop the "billing info" issue is for the end VPN supplier to not have any.

It does not take much of a thought to realise you are in fact building an "Onion routing" system but with rather more built in flaws than that offered by purpose designed privacy networks that not only use onion routing, they also use mix-nets to partially evade TA.

Are there better privacy protection network systems than onion routing and mix-nets, well yes, but they've not been built for mainstream use yet.

But as a general rule of thumb about VPN or any other service providers it's way way more than "You get what you pay for" that you have to keep in mind. Modern capitalist thinking is based on "hidden advantage", thus you are playing in a rigged game, you will not get what you think you are paying for, even when you can directly measure it, which with privacy you cannot. Therefore you have to apply "trust principles" of the security thinking kind... Which basically boils down to, in more human terms,

    I know they will betray me, therefore how do I mitigate the betrayal?

Which unfortunately puts the responsibility back on the individual. Because privacy is a "first party risk" that you can externalise to any other party...

To think otherwise is, shall we say, not taking the perfidy of capitalism seriously.

A case in point being Mark Zuck-a-butt and his FaceCrook empire. He took over a number of privacy related businesses on the assurance to, amongst others, "regulators" that he would not do certain things... Which apparently he has changed his mind on, 2019 will be the year of FaceCrook integration, which can only mean the weakening of privacy... No if's, no but's, no maybe's, 100% copper bottomed guarantee on that.

[1] As far as I'm concerned the "bad" of VPNs is not the fault of VPNs but other people trying to use other technology for what it was never intended to do. The prime example is the "assumed" geo-location of IP addresses. Nowhere in any of the technical discussions about IP addressing will you find reference to them being valid for geo-addressing... It's an assumption by "licencing" minded people who don't like their nasty little geo-regioning profit schemes being shown up for the grubby little sham they are.

[2] A new year resolution, I'm going to try where I can to stop using the words "secrecy", "anonymity" etc... As "The War On Words" (TWOWs) has given them such negative connotation, even though their denotation is noth. Instead I will use "privacy" which TWOWs has been less successful at giving negative connotation, and importantly most people grok why you need "privacy" when you mention examples of basic biology we all do, but tend not to want to do in public. You know they've got the message when their face cringes up and they say TMI increasingly loudly ;-)

[3] What we have so far, for identity privacy is far from adequate, and frankly has been ill thought out from theoretical idea to real world implementation. Sadly as with "free VPNs" people have not actually thought about the "flip side". For years now I've pointed out that certain well known identity privacy systems are inadequate, but was given the "chicken little" treatment by the fanbois. Now those inadequacies are like the proverbial chickens "coming home to roost" the fanbois appear strangely absent...
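The traffic-analysis point in the comment above (a VPN encrypts content but cannot hide the tempo or quantity of traffic, and mix-net style cover traffic is what partially blunts that) can be made concrete with a small model. The following is an added illustration, not code from this thread or from any VPN product. It assumes an on-path observer who sees only per-second byte counts in each direction of a tunnel; the two sample flows, the feature thresholds and the padding floor are all constructed for the demonstration.

```python
"""Traffic-analysis sketch: a VPN hides payloads, not traffic shape.

Added illustration (not part of the blog thread). Each tunnelled flow is
modelled only by what an on-path observer (ISP or VPN provider) can see:
per-second byte counts per direction. Payloads and inner destinations are
encrypted, so they are deliberately absent from the model.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass
class FlowShape:
    """What an observer sees of one tunnel: only byte counts per second."""
    name: str
    down: List[int]  # bytes per second towards the client (constructed)
    up: List[int]    # bytes per second from the client (constructed)


def features(flow: FlowShape) -> Dict[str, float]:
    """Shape features computable from metadata alone, no payload needed."""
    seconds = len(flow.down)
    duty_cycle = sum(1 for b in flow.down if b > 0) / seconds
    avg_down = mean(flow.down)
    # Coefficient of variation: steady streams are low, bursty browsing high.
    cv = pstdev(flow.down) / avg_down if avg_down else 0.0
    down_up_ratio = sum(flow.down) / max(1, sum(flow.up))
    return {"duty_cycle": duty_cycle, "avg_down": avg_down,
            "cv": cv, "down_up_ratio": down_up_ratio}


def classify(flow: FlowShape) -> str:
    """Crude rule-based tempo classifier; thresholds are illustrative."""
    f = features(flow)
    if f["duty_cycle"] > 0.9 and f["cv"] < 0.3 and f["avg_down"] > 200_000:
        return "streaming-like"
    if f["duty_cycle"] < 0.5 and f["cv"] > 1.0:
        return "browsing-like"
    return "unclear"


def with_cover_traffic(flow: FlowShape, floor_bps: int) -> FlowShape:
    """Simplified mitigation: pad every second up to a constant floor.

    Real mix-nets also delay and reorder; padding alone is enough here to
    show that the shape features stop separating the two flows.
    """
    return FlowShape(flow.name + "+cover",
                     [max(b, floor_bps) for b in flow.down],
                     [max(b, floor_bps // 100) for b in flow.up])


# Constructed sample tunnels (30 s each). The observer never sees what is
# inside, only these per-second totals.
STREAMING = FlowShape(
    "video-over-vpn",
    down=[600_000 + (i % 5) * 10_000 for i in range(30)],  # steady, small jitter
    up=[5_000] * 30,
)
_bursts = {3: 900_000, 4: 300_000, 12: 1_200_000, 20: 700_000, 21: 200_000}
BROWSING = FlowShape(
    "browsing-over-vpn",
    down=[_bursts.get(i, 0) for i in range(30)],  # idle with page-load bursts
    up=[2_000 if i in _bursts else 0 for i in range(30)],
)


def demo() -> Dict[str, str]:
    """Return the label per flow, before and after cover traffic."""
    out = {}
    for flow in (STREAMING, BROWSING):
        out[flow.name] = classify(flow)
        out[flow.name + "+cover"] = classify(with_cover_traffic(flow, 1_300_000))
    return out


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:28s} {label}")
```

Without cover traffic the two tunnels are separable from duty cycle and burstiness alone, which is the "tempo or quantity" leak the comment describes; once both are padded to the same constant floor the classifier returns the same label for both, at the cost of bandwidth, which is the trade-off mix-net style networks make.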

Clive RobinsonJanuary 26, 2019 4:37 PM

@ JG4, Wael,

New technology uses lasers to transmit audible messages...

Hmm, remind me, photoacoustics involving a medium such as water is a heating effect from radiant energy, yes?

So,

    Next, the researchers plan to demonstrate the methods outdoors at longer ranges. "We hope that this will eventually become a commercial technology,"

The energy density in a radiant source drops as 1/(r^2) for any given angle of divergence. So at twice the range, four times the power to get the same dB SPL at the recipient's ear (unless they can collimate the beam to the same area by halving the angle of divergence).

So from 2m to say 63m would need 1000 times the power... What would go wrong as you walked through the beam at only 2m away... Hmm, now let me think, what was the line from the Platters song,

    I of course replied, something here inside, can not be denied, smoke gets in your eyes.

WaelJanuary 26, 2019 10:20 PM

@Clive Robinson, JG4,

photoacoustics

I need to take a small break. Up to my ears in other things...

Oh, regarding the second story: made up my mind, some stories best remain untold. Not worth the headache.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.