Friday Squid Blogging: Chinese Squid-Processing Facility

China is building the largest squid processing center in the world.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on March 1, 2019 at 4:24 PM • 53 Comments

Comments

bttb March 1, 2019 4:40 PM

Continuing the phone discussion from last week's squid https://www.schneier.com/blog/archives/2019/02/friday_squid_bl_664.html

Regarding hardening Android (or indirectly iOS), I enjoyed skimming this a couple of years ago: https://blog.torproject.org/mission-improbable-hardening-android-security-and-privacy

Layman's thoughts:

1) Install few (or no extra) apps on your iPhone/iPad
1b) Perhaps forgo an Apple ID

2) Perhaps use your iPhone/iPad's cellular modem as a Wi-Fi hotspot for other devices (that don't have cellular modems).

3) OT iirc a Microsoft employee recently told me in his opinion Windows works very well on Apple computer hardware (presumably this includes used hardware).

Is it better to use a cellular modem vs. free or paid-for Wi-Fi when traveling away from home, in general?

Sed Contra March 1, 2019 4:57 PM

Largest the facility may be, but is the squid of the highest quality? Gourmet diners want to know.

Humdee March 1, 2019 7:41 PM

The tattletale imbroglio that has engulfed Australian politics has now taken on a security angle. For those who want the quick summary, a prominent criminal defense lawyer was in the pay of the federal police for more than two decades.

https://www.abc.net.au/news/2019-03-01/lawyer-x-informer-3838-identity-revealed-nicola-gobbo/10826958

"Her plan, she told the Supreme Court, was to hide in plain sight."

The problem with hiding in plain sight, as she is now learning to her cost, is that it offers no forward security. When one hides in plain sight one is hidden just up until the exact moment one isn't, then one never was.

Sherman Jerrold March 2, 2019 11:29 AM

The U.S. post office is older than the U.S. gov't. It has provided excellent service to the nation. However, Congress has tried to destroy and privatize it for a decade. And, now they are providing a Dangerous new service.

https://consortiumnews.com/2019/02/28/john-kiriakou-neither-rain-sleet-nor-snow-will-stop-the-post-office-from-spying-on-you/

You can sign up to receive notices of the mail that will be delivered to you a few days before you get it. The Danger is that it is easy for someone else to sign up for it before you do and divert all that sensitive info to themselves and you never know it.

Another Danger is (See article url above) that EVERY piece of mail is photographed and is available to a number of gov't agencies so they can spy on you.

The sneaky, creepy cousin to Big Brother.

albert March 2, 2019 11:32 AM

"...the largest squid processing center in the world...."

Great, but does China's long-term planning allow for the plant's conversion to Soylent Green when we run out of squid?

. .. . .. --- ....

Another Mouse March 2, 2019 2:59 PM

@Sherman
Do you think that's a real threat because now all letters will be scanned? I rather think this service is a free side effect of the NSA mail scanning program.

1&1~=Umm March 2, 2019 3:06 PM

@Sherman Jerrold:

"The U.S. post office is older than the u.s. gov't. It has provided excellent service to the nation."

History shows us that, whilst not older than the UK Gov, the UK Post Office is the oldest in the world to have a "uniform rate" by what we now call "Postage Stamps". And at one point it was held in very high esteem by nearly everyone who used it[1].

Which brings us around to,

"However, congress has tried to destroy and privatize it for a decade."

A look at more recent history of the Post Office. Under 'Mad Maggie' Thatcher, the government of the time, having sold off other parts of what was the old 'General Post Office', tried preparing to sell off The Royal Mail or postal side. For various reasons it did not happen, but it was already clear by then that 'Fax Machines' were cheaper and faster[2] than the Mail Service, especially as various Governments via 'The Post Master General' had caused much harm to the Royal Mail. Most often for purely political rhetoric cum policy reasons that the politicians frequently and mostly incorrectly blamed the work force for.

Well, the UK Political party that wants to 'Sell the farm' for very short term gain is back in power and, after further damaging the Post Office, they have finally sold it off at well below the market value.

For various reasons, mostly political, it is in effect a 'Lame Duck' that has been quite deliberately legislated against such that other commercial entities can 'Cherry Pick' the profitable parts out of the Postal System, leaving the non-lucrative 'last mile' delivery to the Post Office.

However, as with similar cherry picking in the UK National Health Service, the whole thing is turning into a disaster area, with the typical 'race for the bottom' disaster spirals / tail spins happening.

I feel confident, based on what has happened to US Health Care in recent times, to predict the US Postal Service will come to a similar fate as that of the UK Post Office.

But getting back to,

"You can sign up to receive notices of the mail that will be delivered to you a few days before you get it."

On the innocent face of this it is at best a gimmick of no useful utility. Actually less useful than 'Parcel Tracking'.

So as all Governments are at best like Janus and have two faces, it's fairly easy to see why you might look on the opposite to the innocent face and come up with,

"EVERY piece of mail is photographed and is available to a number of gov't agencies so they can spy on you."

You would be correct. If you look a little more broadly, some First World Governments, of which the US is but one, have decided to not just 'collect it all' but 'track it all' as well. It's why one of the more famous bank note printers is looking at how to make bank notes trackable, not just at tills and bank counters but actually as you 'walk through the door' or similar portal. The US already has laws where LEOs can take cash off of people without reason or recompense, so such technology would make traditional paper currency highly traceable, as much if not more so than credit card information.

It's one of the failings of 'block chain' ledger technology that few want to talk about. That is, every transaction of a digital crypto currency the likes of such Governments will allow is going to have a fully auditable transaction chain, thus fully traceable.

You could say 'It's just the way society is heading'; the problem is that society as we knew it and preferred last century has already gone and been replaced by a more totalitarian surveillance society. Thus society as we remember and prefer is gone, and is going to be further destroyed until it is either fully gone or some counterbalancing effect happens. At which point the view point on the refreshing of the tree of liberty by tyrants and patriots alike appears increasingly a more valid predictor of the future. As does the literature a couple of centuries later by George Orwell.

I think many, if they have taken a little time to think about it, would agree that society is regressing. Specifically under the power of insecure technology and the greed to which some are putting it, which some Governments believe they have the right to 'free load off'. Which is kind of covered by your final comment of,

"The sneaky, creepy cousin to Big Brother."

[1] It was hardly surprising: five delivery times in one day allowed you to send a letter in the morning and have a reply by lunchtime or mid afternoon, enabling you to reply to the reply the same day. The only thing faster was the "semaphore" telegraph from the Admiralty Building in London to the fleet HQ in Portsmouth, not far off the speed of sending an SMS these days. So the Post Office as The Royal Mail was not too far off what most people do with EMail today. It's an important point most forget about Victorian Communications both prior to and subsequent to the taming of electricity for the purpose.

[2] The thing about Fax machines is that just at the point (~1990) the technology had brought the price down to where you might have one in your mom-n-pop size small business or home, their death knell had been sounded. The use of computers and modems in the 1980s was providing faster, less costly and more reliable and secure sending of documents, that printed out as well remotely as they did from the originator's printer. Thus fax machines had maybe five to fifteen years of popular success. Now we find that even the early style use of computers and dial up modems is gone, even the Internet on dial up is gone, even mobile phone SMSing is effectively on the decline as services like WhatsApp are seen as being both better quality and more secure. Leaving the obvious question of 'What and Where and Why?' will replace secure messaging apps. The big scare for Governments is unbreakable encryption and any kind of communication, with some seriously thinking about the fairly nascent 'Mind control over technology' which might well be taught to babies and very small children in the near future.

Sherman Jerrold March 2, 2019 4:27 PM

RE to: @1&1~=Umm and @Another Mouse

Sadly, I find everything that both of you wrote quite true. In one of my more creative moments I decided that we (here in the united slaves of america) live in a powerful 'deteriornation'. I am trying to help people 'kick the habit' of farcebook and google and practice safer computing. But, that just melts the tip of the iceberg of the spying we are subject to. As I understand it, now that Net Neutrality has been destroyed, even the ISPs will (or are already) selling customer (victim) logs of info. Thus, I'm no longer bothering to line my hats with foil. GRC (Gibson Research) and EFF (electronic Freedom Foundation?) have some tools to help with privacy. But again they are just partial solutions. I hope that by some prudent steps: running a distro from CD and carefully using a neighborhood organization connection I can keep a low profile and not attract attention.

Best wishes to all who contribute to this excellent blog.

bttb March 2, 2019 4:57 PM

Hidden microphone in Nest Secure home-security from https://www.theatlantic.com/technology/archive/2019/02/googles-home-security-devices-had-hidden-microphones/583387/ :

"Google apologized Wednesday to customers who purchased its Nest Secure home-security system. The device is equipped with a microphone that has gone unmentioned since it went on sale in 2017. Earlier in February, Google announced on Twitter an upcoming software update that activated the microphone, making the Nest Guard responsive to voice commands and Google Assistant technology. The tweet startled users, who were never told the system could pick up sound.

“Have I had a device with a hidden microphone in my house this entire time?” one user asked.

Missing from the Nest account’s response was the word yes, but to be clear: Yes."


Related links:

https://www.engadget.com/2019/02/20/google-nest-secure-mic-forgot/

https://www.zdnet.com/article/google-says-secret-microphones-in-nest-home-products-an-error/

bttb March 2, 2019 5:42 PM

From https://twitter.com/carolecadwalla/status/1101850948736028673 :

"NEW: How Facebook buys influence around the world. Vast global lobbying operation revealed in explosive internal docs obtained by @ObserverUK & @ComputerWeekly"

And from https://www.theguardian.com/technology/2019/mar/02/facebook-global-lobbying-campaign-against-data-privacy-laws-investment :

"Revealed: Facebook’s global lobbying against data privacy laws

Social network targeted legislators around the world, promising or threatening to withhold investment

[...]

Facebook has targeted politicians around the world – including the former UK chancellor, George Osborne – promising investments and incentives while seeking to pressure them into lobbying on Facebook’s behalf against data privacy legislation, an explosive new leak of internal Facebook documents has revealed.

The documents, which have been seen by the Observer and Computer Weekly, reveal a secretive global lobbying operation targeting hundreds of legislators and regulators in an attempt to procure influence across the world, including in the UK, US, Canada, India, Vietnam, Argentina, Brazil, Malaysia and all 28 states of the EU. The documents include details of how Facebook:

• Lobbied politicians across Europe in a strategic operation to head off “overly restrictive” GDPR legislation. They include extraordinary claims that the Irish prime minister said his country could exercise significant influence as president of the EU, promoting Facebook’s interests even though technically it was supposed to remain neutral.

• Used chief operating officer Sheryl Sandberg’s feminist memoir Lean In to “bond” with female European commissioners it viewed as hostile.

• Threatened to withhold investment from countries unless they supported or passed Facebook-friendly laws...."

maqp March 3, 2019 5:09 AM

@Nick P, @Clive Robinson, @Thoth, @Sancho_P, @65535, @All

TFC 1.19.03 is now released. Update log.

This is mostly a bugfix release. Highlights are


  • Fixed timing attack in URL token iteration. This attack allows existing users to determine how many contacts a user has added before them. All users should reinstall Relay Program on Networked Computer.

  • Fixed security issue with Terminator configuration file permissions in local testing mode. All users of local testing configuration should reinstall TFC.

  • The issues with PGP key servers were fixed by loading the public keys from GitHub (for TFC), and Tor project's Onion Service (For Tor's APT repository).

  • More secure installer one-liner and faster and more secure installation process.

  • Replaced asserts during runtime with conditional expressions.

  • Fixed developer environment's configuration files.

  • TFC no longer reserves the global configuration file for Terminator.

  • Installer configurations look identical to the point where the TCB configuration cuts network connection. This makes attacks louder when it's hard to predict which of the three computers is going to be Source Computer.

  • Fixed usability issue with confirmation codes that were not displayed by Relay Program if Transmitter Program crashed.

@Thoth
I experimented a bit with the PureOS support but ran into too many tiny issues. I'll take another look once dependencies like Tor 0.3.5 flow down into Ubuntu's main repository. Hopefully by April when 19.04 is released. Otherwise it'll probably have to wait until 19.10 and Tails Buster are released.
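A constructed illustration of the kind of token-iteration timing leak the first changelog bullet describes, added here as an example and not TFC's own code (it makes no claim about how TFC's Relay Program implemented its lookup). The leaky lookup stops at the first matching token, so the work it does (standing in for response time) reveals the token's position in the contact list; the hardened lookup examines every token with a constant-time comparison and never exits early. The token values and the relay-like lookup functions are assumptions for the demo.

```python
"""Timing leak in a first-match token lookup, beside a constant-work alternative.

Constructed example: a relay holds one URL token per contact in the order the
contacts were added, and a requester presents a token to be recognised. The
number of stored tokens examined stands in for elapsed time.
"""
import hmac
from dataclasses import dataclass

# Constructed sample tokens, all the same length (32 hex chars). Real tokens
# would be random; fixed values keep the demo deterministic.
SAMPLE_TOKENS = [f"{i:032x}" for i in (0x1A2B, 0x3C4D, 0x5E6F, 0x7081, 0x92A3)]


@dataclass(frozen=True)
class LookupResult:
    found: bool
    tokens_examined: int  # proxy for the time the lookup took


def lookup_early_exit(stored_tokens, presented):
    """Leaky lookup: returns at the first match, so the work done (and hence the
    response time) grows with the position of the presented token. A user whose
    token sits at index k learns that k contacts were added before them."""
    examined = 0
    for token in stored_tokens:
        examined += 1
        if token == presented:  # plain == also short-circuits on the first differing byte
            return LookupResult(True, examined)
    return LookupResult(False, examined)


def lookup_constant_work(stored_tokens, presented):
    """Hardened lookup: examines every stored token with a constant-time compare
    and never exits early, so the work is independent of where (or whether) the
    presented token matches. Assumes all tokens share one length, since
    compare_digest only guarantees constant time for equal-length inputs."""
    found = False
    examined = 0
    presented_bytes = presented.encode()
    for token in stored_tokens:
        examined += 1
        # `|=` accumulates the match without a data-dependent early return.
        found |= hmac.compare_digest(token.encode(), presented_bytes)
    return LookupResult(found, examined)


def position_leak(stored_tokens, lookup):
    """Present every stored token in turn and collect the distinct work values
    the lookup exhibits. One distinct value means the lookup reveals nothing
    about token position; several values mean position is observable."""
    return {lookup(stored_tokens, token).tokens_examined for token in stored_tokens}


if __name__ == "__main__":
    print("early-exit work per position:", sorted(position_leak(SAMPLE_TOKENS, lookup_early_exit)))
    print("constant-work per position:  ", sorted(position_leak(SAMPLE_TOKENS, lookup_constant_work)))
```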

65535 March 3, 2019 6:12 AM

@ bttb

‘Google put a microphone in Nest Secure and forgot to tell anyone…Google's decision to bring Assistant-enabled voice controls to its Nest Secure system is causing a stir almost a year after the integration was rolled out. The problem is no one actually knew the security device, launched in September, 2017, packed a microphone in the first place. Google built a mic into its Nest Guard -- a small hub with a keypad on top that communicates with the other sensors in its Secure system -- but failed to mention it in its product materials, reports Business Insider. Asked about the microphone's existence, Google said it was "never intended to be a secret."’-Engadget

https://www.engadget.com/2019/02/20/google-nest-secure-mic-forgot/

“Well, Giggle, Giggle, Giggle…it is just like the hundreds of “un-documented commands” in home routers and IoT devices across the world. We never intended it to be a secret… Giggle, Giggle... snicker… Giggle. We have these devices in a few California political leader's homes and some law offices….”

Giggle corporation is letting its mask slip as one of the world's largest spy companies. It has flushed its customers down the toilet. Gad, what a den of data thieves.

65535 March 3, 2019 6:17 AM

@ maqp

Good stuff.

I will get on to testing it as soon as job/life get out of the way.

David Walsh March 3, 2019 7:29 PM

Apologies for being slightly off topic but we get regular US politics posts here that [yawwwwn]...zzzzz oh! where was I?


5 Striking Things You Didn't Know About Venezuela

[ Ted Snider has a graduate degree in philosophy and writes on analyzing patterns in US foreign policy and history ]

https://original.antiwar.com/Ted_Snider/2019/02/14/five-striking-things-you-didnt-know-about-venezuela/

Basically, there was nothing illegitimate about Maduro's electoral win. The only illegitimate thing was the strings the US pulled beforehand, agreed to by the Opposition. The plan only partially succeeded.

Faustus March 4, 2019 1:25 PM

@ David Walsh

I don't think this is the place for a political propaganda war. Maduro has very little to do with this blog. As it is, posters are being scared away to be replaced by spam. I suggest it is time to focus on less divisive matters and ones closer to the topic of this blog.

vas pup March 4, 2019 3:02 PM

@Humdee • March 1, 2019 7:41 PM
Thank you for the link provided.
I guess Confidential Informant and Lawyer are mutually exclusive roles.
A lawyer has a duty to report to the authorities if and only if a client tells about a violent crime which is either in progress or being planned, in order to prevent potential physical harm including death.
The same applies to the duty of a psychiatrist when a patient could be dangerous to himself or others.
Undermining sacred confidential relationships between lawyer and client, doctor and patient, etc. could bring only short advantage, but undermines the pillar of such relationships: trust in independent advocacy/medical practice.

That is why, when admitting to the Bar, ALL past involvement as a police informant or source of information should be stopped immediately, and in case of violation the person should be disbarred forever.

To be honest, I am just puzzled with all the things taking place around the former POTUS lawyer, starting with raiding his office on a civil case related issue and up to his testifying in Congress about his former client's moral qualities based on information obtained when in a lawyer-client relationship.

The American Bar Association is silent. At least they should develop some kind of guidelines for similar cases.

C U Anon. March 4, 2019 3:12 PM

@ David Walsh,

Avoiding talking about Venezuela is probably a good idea; at least one frequent commentator here does not like the idea that as the US has built a glass house for itself, it "really should not throw stones".

1&1~=Umm March 4, 2019 4:06 PM

@vas pup:

"I guess Confidential Informant and Lawyer are mutually exclusive roles."

It's actually not legal in many jurisdictions; lawyers, like priests and supposadly journalists, have a legaly protected status. Whilst a "duty of confidentiality" can be put in contracts, they can usually be overturned by a court via "contempt" or other legal measures. The aforementioned group have a right of "Absolute" duty of confidentiality, which means not only are they protected from "contempt", they can actually be prosecuted quite harshly if they do break the duty of confidentiality.

Which brings us to,

"Lawyer has a duty to report to authorities if and only if..."

No, they have at most no more duty than an ordinary person would have, which is usually fairly limited. Actually the reality is they have less, a lot lot less, because their duty of confidentiality is normally considered to be broader than just their client, extending also to those known to their client, because it can lead to messes like this one because of the conflict that naturally arises.

What CI-3838 had cooked up with the police was highly questionable at best and probably criminal. Put simply it relied on putting a very narrow scope on the duty of care to only her direct clients and what they said. She quite deliberatly socialized with her clients to hear what everybody said and watch what they did. Thus if she heard an associate tell her client something she reported it to her handlers unless and only unless her direct client told her...

Needless to say many in the legal profession are decidedly unhappy with her, especially when she had been warned off for her behaviour by her senior colleagues on a number of occasions as it endangered the lives of others in the profession.

The fact she is now trying to get compensation for her chosen[1] behaviour from the authorities, is rather more than quite a number of her past colleagues in the profession can stomach. Which is why they are agitating for changes to the way things work so it can never happen again.

[1] She has been very unclear as to why she became a CI; apparently she was charged with involvement with 1.4kg of drugs in the dwelling she shared with others. They got charged and prosecuted, she did not. Which has led to others thinking she was in effect blackmailed; however she has had a number of opportunities to either confirm or deny this without the fear of retribution. But she has repeatedly avoided availing herself of such opportunities and has yet to provide any real explanation. She does however alude occasionally to the fact that she wanted rid of the drugs cartels, but in a way that implies those she had as clients only. Many of whom may now walk out of jail because of her behaviour, which she should have known would have this result if her CI status ever became public. Something anyone with half a brain and knowledge of security would know eas more likely than not (drugs cartels have their own intelligence services that tend to be way more efficient than those of the authorities).

David Walsh March 4, 2019 10:39 PM

CU Anon

the US has built a glass house for itself, it "really should not throw stones".


Excellent point, thanks for raising it. I for one am hard pressed to disagree with you, as I would imagine would most participants here. By your reasoning this would indicate one should continue contributing posts about Venezuela, which confuses me a little.
Respectfully, I won't mention the subject any further, but I can say with no understatement it is an extraordinary situation, as relevant as the most relevant 'non-technical' subjects commented upon here. The US has used its external intelligence apparatus to set up an overthrow of an elected government, and has threatened total kinetic action if the government and military don't roll over. That article I linked to demonstrated the pretext was a fraud. This is Security related on a high level.
Many major governments are supporting the US. It's more overt than the justifications for Iraq and Afghanistan put together. It's no different than the US threatening to take over Canada, or Australia, or France.
I run a (mostly technical) security consultancy here in Melbourne, Australia and we're already needing to keep our eyes on this - it will directly affect our work.

Moderator I will leave it there.

Rach El March 4, 2019 11:55 PM

I was a bit concerned to read on the most recent thread about Nest microphone. Fire alarms pinging every 5 minutes as per new laws in Germany. It's the automated, potentially IoT component of the fire alarms I find so concerning.

Specifically, the article Nick P posted about 18 or more months ago. The Nest fire alarm and why it's a hazard to life and property.
The standard fire alarm can be considered a completed product and Nest was rendering it inoperable with all sorts of useless IoT trimmings.

I cannot find the reference in a search of this site. I did however find all sorts of fascinating gems I feel compelled to search. Gosh I love vintage Schneier!


https://www.schneier.com/blog/archives/2010/05/scene_from_an_a.html

https://www.schneier.com/blog/archives/2015/07/rabbit_beating_.html

https://www.schneier.com/blog/archives/2016/01/sean_penns_opse.html

https://www.schneier.com/blog/archives/2010/03/eating_a_flash.html

If anyone has the Nest firealarm article could they please post it to the Squid for the benefit of a Debora Weber-Wulff

JG4 March 5, 2019 7:34 AM


Is it my imagination, or is 1&1~=Umm channeling Clive's spelling style?

like priests and supposadly journalists
have a legaly protected status
quite deliberatly socialized
however alude occasionally
know eas more likely than not

https://www.nakedcapitalism.com/2019/03/links-3-5-19.html
...

Disputed N.S.A. Phone Program Is Shut Down, Aide Says Charlie Savage, NYT. “The agency has not used the system in months…. Since ‘the sky hasn’t fallen’ without the program, [Christopher Augustine, an N.S.A. spokesman,] said, the intelligence community must make the case that reviving it is necessary.” Absolutely jaw-dropping and a must-read.
...

bttb March 5, 2019 8:57 AM

From https://twitter.com/emptywheel/status/1102928196536860672 :

"This @JaneMayerNYer piece on Fox is--as all her work is--a tour de force. https://www.newyorker.com/magazine/2019/03/11/the-making-of-the-fox-news-white-house … But two things deserve more attention.

First, Chris Wallace actually is a FAR BETTER Trump interviewer than a slew of other mainstream journalists.

It's also worth considering the number of times (which I suspect is increasing) where WSJ's editorial page has criticized Trump. Maybe both these things reflect Lachlan's [Murdoch's son's] approach? But those are two seeds in Murdoch empire where right wing can be brought back, IMO...."

Sherman Jerrold March 5, 2019 5:13 PM

The news that Clive has left the forum is a great disappointment. There are so many of you that make substantive positive contributions to this forum and Clive was one of the best. In this world of ever greater abuse of people's privacy and security by the corporate players, to have hateful trolls add to the degradation is greatly distressing. Bruce himself is a driving force as evidenced by his efforts to further "Cybersecurity for the Public Interest".

I hope those that contribute to this blog in a constructive way won't be disheartened and give up.

Referencing Bruce's laptop sticker regarding Woody, another great folk musician, Pete Seeger, had written on his banjo, "This machine surrounds hate and forces it to surrender".

Thoth March 5, 2019 7:09 PM

@Jacob

Cloudflare is in fact the Western version of the Chinese Great Firewall.

I have spoken about the dangers of Cloudflare in the past which can be searched in the search bar above.

I am highly suspicious of their products they are trying to sell to the naive public and unsuspecting engineers.

Joanna *nix March 5, 2019 10:14 PM

One of the links in a message above is an old blog post, a great read about Bruce experiencing the TSA first hand.

I looked up an Australian comedian many of you will be familiar with. He has a little piece about his experience with the TSA. It's insightful and very funny, about 3.5 minutes.

https://www.youtube.com/watch?v=nGGQWfLzkeE

In the search results I learnt the comedian had made a full segment about the TSA.

(He deviated from his stand up to host a weekly show where he tears down current affairs in a satirical way. It's good but does not compare to his stand up work)

I viewed the TSA segment and noted the comedian referred to the TSA as security theatre!

To my delight, a few moments later Bruce made an extended appearance!!!

'What's the point of the TSA'

https://www.youtube.com/watch?v=FS9Mk6-w3wc

Joanna *nix March 5, 2019 10:18 PM

I was fascinated to learn Bruce has a United States of North American accent. For some reason it seemed a surprise. But then, it was also a surprise to hear he didn't have a 'Southey' Boston accent, like some of the police in the film 'The Departed'.

CallMeLateForSupper March 6, 2019 11:33 AM

Faceplant (A.K.A. Facebook) just cannot get it right. No matter how much or how often Sugarmountain is cajoled or led to the conclusion that his big project is anti-security and anti-individual, he and his crew manage to dream up and implement "new and exciting" features and policies that more firmly cement Zuc's and Faceplant's antisocial reputation. To wit:

"Users are angry that Facebook is letting others, including advertisers, look up users via the phone numbers they provided to enable two-factor authentication."
https://motherboard.vice.com/en_us/article/kzdxjx/facebook-phone-number-two-factor-authentication

"If you check your privacy settings, under “Who can look you up using the phone number you provided?” there are only three options: Everyone, Friends of friends, and Friends. “Everyone” is the default."

Yeah Zuc, you do provide your members with options.... but not good ones.


CallMeLateForSupper March 6, 2019 11:36 AM

@Joanna *nix
Cambridge, MA ain't Southy, and Bruce ain't a cop.

bttb March 6, 2019 1:52 PM

fwiw, from https://motherboard.vice.com/en_us/article/gyakgw/the-prototype-dev-fused-iphones-that-hackers-use-to-research-apple-zero-days :

"Mathew Solnik stood next to two of the best iPhone hackers in the world and addressed the question the hundreds of people watching him were all wondering.

“The white elephant in the room: How exactly did we get it?” Solnik, a well-known security researcher, said as he wrapped up one of the most anticipated talks at the Black Hat security conference in Las Vegas in early August 2016. In attendance, among hundreds of security professionals and hackers, were researchers from a company that sells iPhone-cracking services to cops around the world, and Apple’s own employees.

The thing that his team had been able to analyze for the first time was the iPhone’s Secure Enclave Processor (SEP), which handles data encryption for the iPhone. How they were able to do this was a valid question given Apple’s notorious secrecy, and the fact that the SEP is one of the most important and most closely guarded components of the iPhone, the most secure smartphone on the market...."

1&1~=Umm March 6, 2019 2:09 PM

@CallMeLateForSupper:

"Users are angry that Facebook is letting others, including advertisers, look up users via the phone numbers they provided to enable two-factor authentication."

I think quite a few people saw that one coming down the log flume, so never did that type of 2FA (with hindsight how apt the 'FA' is ;-)

They were either wise, paranoid or lucky; for everyone else there is a golden rule, for their obeyance, that they should regard as a law,

'Information you give away about your self can only end up being used to abuse you... So don't give it away no matter what benefit you think you are getting.'

Whilst some people can mitigate effectively, most can not, because they just can not think 'that evil'. So most should be aware of the Dunning-Kruger effect implications.

bttb March 6, 2019 2:10 PM

@CallMeLateForSupper

"Faceplant (A.K.A. Facebook)"

iirc, FaceBook, let's all sh!t on FaceBook now, told users something like phone numbers were required for security, 2FA, or sh!t like that.

How does this rank with sh!tty Google hiding microphones in their consumer home-security systems?

For good measure, why don't we take a good crap on both of them the next time we need to go? Perhaps with a Post-It, or confetti, on the wall saying something like: 'Think of Google & Facebook & their smaller wannabees when doing #2'

1&1~=Umm March 6, 2019 3:37 PM

@bttb:

From the end of the Motherboard article are a couple of quotes from an iOS security researcher called Viktor Oreshkin:

“To be honest everyone benefits from Apple’s lousy supply chain management”, “Except Apple, obviously.”

It kind of says it all, as supply chain security on various Apple products has been a problem for Apple for decades now...

In fact if I was the Chinese or other Government looking to 'bug' US military personnel, the iPhone would be up quite high in my list of targets, after those 'Personal IoT Bling' that others have already used.

name.withheld.for.obvious.reasons March 7, 2019 3:02 AM

@Sherman Jerrold, @TUS (the usual suspects)
I too am concerned with the Brexit of Clive, his contribution (and his book collection) is significant.

Patient to a fault, his guild-like tenor and a more than casual but less than formal style was probably a great benefit to the community in general. I feel as though I am eulogizing, my bad, but I cannot help that this is the culmination of events that seemed predictable...Bruce's new found hobby is probably the best example.

I don't say this to be demeaning to Bruce, he has stood nearly alone in his role as explainer of things too complex for most. But, for nearly two decades I have been railing against the absence of educated and informed individuals and even founded a start-up in the year 2000 with the goal of making people out of geeks. The basis was formed out of a cyber security research group we formed out of highly motivated students and the rise of Napster. I also considered the development of an undergraduate course in ethical technological development that might provide wider lenses for the technologists.

CallMeLateForSupper March 7, 2019 8:54 AM

@bttb
"How does [Facebook's abusing users' phone#] rank with sh!tty Google hiding microphones in their consumer home-security systems?"

Personally, I think the giggle microphone dust-up amounts to nothing. It is not as though Giggle was caught spying; if it were caught, I'd be on the barricades too. Traces and pads were included in the PCB design for possible future use. This sort of thing - with various kinds of hardware components, not necessarily mics - has been done for decades, by many companies, and is not remarkable.

All that said, I must also point out that actually placing hardware components on those traces/pads - completing circuitry that is useless without firmware - is a "cost adder" to a relatively cheap device. That is a little harder to justify, but only a little. One should then ask themselves, what about the case where the pennies components had *not* been soldered in, but weeks or months later management "rolls out" a feature using the mic? The company would have to be prepared to:
EITHER
-- recall the devices, add the required components, and return the devices
OR
-- let customers swap their incomplete device for a complete device. (Company either reworks the incomplete devices or "eats" them.)

So, spend pennies from the get-go with no benefit for anyone, or spend dollars later. I'd do the former.

--------------------------------------------
"[...] why don't we take a good crap on [Facebook and Google]"

Picture that for a moment. How would it go? It's ridiculous.
(IMO, the 3-4 feces-centric references indicate pathology.)

VRK March 7, 2019 11:58 AM


ODE in Dmux

We would doubtlessly find ourselves in an increasingly grave position if, when we are peppered with friendly fire, we should think of a friend or ally as we think of the obstacles that face us all. The blows we receive may not be as faithful if the road they choose should diverge from ours, on this round planet.

In fact their shouts, that are caused by their own priceless wounds, are more often a veracity of their mettle.

I beg that ALL assets strike a roadway into this wilderness aligned, personal grievances embraced.

David Walsh March 7, 2019 2:15 PM


@name.withheld.for.obvious.reasons

Bruce's new found hobby is probably the best example.

What's Bruce's new found hobby?

Sancho_P March 7, 2019 3:25 PM

Re: Clive’s Schnexit

- If true, that’s sad.
Much of my joy to participate here was because of his expertise in a bunch of fields.
OK, sometimes lengthy, but hey, I can skip lines / postings if I’m short of time.
But the really sad part is that he likely left because some(one) cannot.

Marc March 7, 2019 4:26 PM

Anyone have any comments on news reports of something called Triton?

In attacking the plant, the hackers crossed a terrifying Rubicon. This was the first time the cybersecurity world had seen code deliberately designed to put lives at risk.

Just Hype?

1&1~=Umm March 7, 2019 6:10 PM

@Marc:

Oh I forgot to mention that a year later they had changed their minds and said it was Russia,

https://motherboard.vice.com/en_us/article/9k74az/triton-malware-russian-government-saudi-arabia-petrol-plant

Which caused various comments on this blog,

https://www.schneier.com/blog/archives/2018/10/was_the_triton_.html

So maybe it will be North Korea or China next week, or even Australia / France / Germany / Holland / Israel / UK / USA / Zimbabwe; pick your favourite that will promote you best in the press.

The two important things to remember are,

1, Remain sceptical.
2, Duck as it goes kinetic.

David Walsh March 7, 2019 6:51 PM

https://www.abc.net.au/news/2019-03-08/domestic-violence-victims-reluctant-to-use-tracking-devices/10881260

Australia. Challenging use of technology: a tracking device warns victims and informs police if the abuser is in the vicinity. However, very few are willing to use it.

From a PTSD perspective, it makes sense this would be highly problematic. It would keep the abuse neural pathways lit up like a Christmas tree, prolonging a trauma response essentially indefinitely.

David Walsh March 8, 2019 12:25 AM

@ JG4

Thank you. I believe you've done a fine job of describing entropy in this section; maximisation or other. I like certain phrases you use, including 'blue marble' and 'your planet'.

Unfortunately I am unable to provide an etymology for Walsh. It is not my surname; a creative twist on a nickname. This being a public space and all (not that this should be an issue necessarily).

I did however check an etymological dictionary online, which is a useful resource to mention here. I found no pertinent results for Walsh:

www.etymonline.com

JG4 March 8, 2019 5:10 AM

Thanks for the kind words and good discussion. I was pleased to see last night that everyone was hours ahead of me with the Triton story.

File under "Their lips are moving again." I'm pretty sure that this link was posted some days ago, but not with my colorful comment.

https://www.nytimes.com/2019/03/04/us/politics/nsa-phone-records-program-shut-down.html

Not mentioned in the article, but the reason that the metadata program is shut down is that it is redundant with Spookwerks Utah, which has a complete set of content with metadata. Far more powerful.

The slimebag Christopher Wray, who rose through the ranks of the liars, thieves and murderers, is peddling disinformation. Every piece of hardware sold anywhere in the world is compromised. I hope that I've used the term "strip-mining the future."

https://www.nakedcapitalism.com/2019/03/links-3-6-19.html
...

Study: Nuking Asteroids Into Smithereens Harder Than Previously Thought Sputnik (Kevin W)
...

Big Brother is Watching You Watch

FBI Director Christopher Wray On Encryption: We Can’t Have an ‘Entirely Unfettered Space Beyond the Reach of Law Enforcement’ CNET. Glad to have that clear.

Disputed N.S.A. Phone Program Is Shut Down, Aide Says New York Times (David L). Bill B points out:

The lack of hue and cry regarding the USA Freedom Act indicates that spies have [secretly] established more effective ways to get the same data. Snowden was largely a public relations crisis for elites: CEOs assumed combative stances, lawmakers proposed empty statutes to “fix” things, and spies went to ground.

If anything, things have gotten worse. The apex predators of our system will need it to keep a lid on things as the economic strip-mining continues.

The Cybersecurity Industry Makes Millions, But Is It Keeping Us Safe? Motherboard (resilc)
...

[signal and channel integrity; that feedback path with dollars and dopamine is dangerous]

What Makes Fox News So Dangerous Washington Monthly (resilc)

Silicon Valley lobbies hard to kill off California privacy rules Financial Times (David L)
...

[file under signal integrity]

Fake News

This Viral Video of Ducks Waiting for a Green Light to Cross the Street Is Totally Fake Gizmodo (chuck419). But cute!

Why Only Fools Trust America’s Mainstream ‘News’ Media After the 2003 Invasion of Iraq The Saker (Kevin W)
...

1&1~=Umm March 8, 2019 6:15 AM

@JG4:

"FBI Director Christopher Wray On Encryption:"

"'We Can’t Have an Entirely Unfettered Space Beyond the Reach of Law Enforcement.'"

He's blowing bubbles from his lower extremities. In fact nearly all space in the US is both 'Unfettered' and 'Beyond the reach of law enforcement', as he should very well know.

He's obviously not done his high school civics course any justice. There are oh a couple of amendments that you usually get taught, that due to the way English forces behaved laid a requirement on law enforcement officers to present a case to a judge for a warrant before the LEOs can have access to private places. Even then many places and behaviours in public places are still off limits to LEOs.

What he is trying to do is 'snow' people by making out that there is some 'mystic place', like a country with no extradition treaty with the US, where criminals lurk or hide out hatching secret plots where Law Enforcement are going to be forever unable to touch them.

It's frankly complete 'hog wash' and, just like his predecessors back at least as far as Louis Freeh, it's a continuation of not just unwanted but bad behaviour. Look on it as that of a 'patent medicine man' going from town to town 'selling miracle cure-all potions' which do more harm than good and become known as 'Snake Oil'. In past times when caught such people would face the 'rough music' and justice, and be stripped of goods and clothes, tarred, feathered and run out of town tied on a rail (fence post).

I guess it's a sign of the times that you cannot do this to low life types like Christopher Wray; it's a shame because, you never know, he might actually learn practically what he missed in theory in his civics classes ;-)

War Geek March 8, 2019 12:14 PM


The Sacklers had laughably bad operational security when it came to controlling the paper trail surrounding both the marketing plans and payments for the opioid based products. I think that TV show was just a funnier than average way of pointing out the obvious.

More interesting to the list as a whole might be a discussion of what good/functional operational security at the corporate level looks like in the post-Panama Papers era. Who's doing it well, and how are they doing it?

Bruce Schneier March 10, 2019 12:49 PM

@Everybody:

The opioid crisis is an important discussion topic, but not for this blog.

wowow March 13, 2019 2:07 PM

I find the "processing" of squid to be extremely disastrously disturbing.
Cephalopods, and especially squids and similar, are SENTIENT BEINGS of a HIGH ORDER. Genocide of them is nothing for anybody anywhere to brag about.

Thanks for providing this info because I otherwise would not know.

These genocides are sincerely troubling in ways that can't be expressed easily.
I stand by my word, that the "NAZI algorithm" is unfortunately a current problem in this odd year of 2019. When will this end? ZOHAR OLAM.

P.S. =

aikido
alternate
always
antecedent
averted
audio
be
being
benevolence
bomb
bombastic
bringing
chaff
clipped
clutter
coil
compute
contemplation
defend
delay
describe
destroy
diminish
disaster
earth
einheit
escape
evade
even
ever
feisty
field
finally
foe
freedom
friendship
gear
god
gone
good
grey
grounded
hahahaha
halfway
hall
heat
hellish
how
i
identified
independent
individual
intellectual
internal
jamming
javelin
jump
justice
justified
juxtaposition
kelp
killer
kilogram
kilometer
kindness
know
lamington
lasting
lilting
linguistics
love
lullabye
malevolent
manipulated
me
mentality
move
multiplex
never
nice
nixed
no
now
nuclear
obstructed
oh
opulent
organic
organs
original
pet
population
precaution
preliminary
pretty
prudent
qualify
quality
quantity
queer
questions
queue
reluctant
resist
rest
restitution
reticent
revealed
stamina
stop
stressful
strong
structured
survive
tempermental
tethered
timber
time
timeless
tools
ultra
unaffected
understanding
understood
united
us
vain
validated
valor
valuable
vital
vivid
what
when
where
who
why
wounded
x
xml
xenophile
xenophobe
xmas
xylophone
yank
yawn
yes
yonder
you
youthful
zen
zenaide
zenith
zig-zag
zither
zone

0123456789 !@#$%^&*()_+[]\{}|;':",.
