Friday Squid Blogging: New Squid Species off the New Zealand Coast

There's a new diversity of species.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on April 19, 2019 at 4:27 PM • 80 Comments

Comments

Mike Acker • April 19, 2019 4:52 PM

We focus heavily on the activities of these "Computer Hackers". In that, we are focused on the symptoms. The cause is INSECURE SOFTWARE and poor or non-existent security practices.

E/mail is one of the biggest offenders, perhaps the biggest: messages are often written in HTML format and then include notes to "click here to access your account".

These links -- for customer convenience -- are not a good idea.

The e/mail should just tell the user to log onto his or her account if there is something that needs attention. It's too easy for phishing messages with included hot-links to re-route customers to bad places.

lurker • April 19, 2019 6:54 PM

@Mike Acker

it's too easy for phishing messages with included hot-links to re-route customer to bad places.

At the risk of sounding like a boring old fart, I have to say it's been going on for a long time; 20 years ago, in another place, I had problems explaining to people higher up the pecking order than me why I could not just put a clickable link in an email for them to watch an in-house video. a) My email client was plaintext, so I never clicked anything; b) they were being kept partly safe by corporate IT security scrabbling to update the firewall blacklist. There's a direct correlation between the price of the suit and the speed of "Clicking Here".

Clive Robinson • April 20, 2019 4:19 AM

Was Julian Assange subject to mind games by the Ecuadorian regime?

At least one of their diplomats has said so publicly,

https://news.sky.com/story/julian-assange-put-through-hell-at-embassy-says-former-diplomat-11698113

Oh and as we know "money talks"; have a look at the history behind the IMF and other US-backed finance organisations' loans to Ecuador. Lenin is very proud of them, but most Ecuadorians have long memories of previous "loans with strings". Oh and Lenin is just about to launch major austerity and privatisation, all directly out of the recipe book that has failed badly in the EU, to the gross enrichment of a very few...

Clive Robinson • April 20, 2019 4:20 AM

Was Julian Assange subject to mind games by the Ecuadorian regime?

At least one of their diplomats has said so publicly,

https://news.sky.com/story/julian-assange-put-through-hell-at-embassy-says-former-diplomat-11698113

Oh and as we know "money talks"; have a look at the history behind the IMF and other US-backed finance organisations' loans to Ecuador. Lenin is very proud of them, but most Ecuadorians have long memories of previous "loans with strings". Oh and Lenin is just about to launch major austerity and privatisation, all directly out of the recipe book that has failed badly in the EU, to the gross enrichment of a very few...

https://www.reuters.com/article/us-ecuador-imf-idUSKCN1QA05Z

Clive Robinson • April 20, 2019 4:23 AM

@ Moderator,

Sorry, "fat finger syndrome" has struck again.

Of my two posts about Assange / Ecuador, can you remove the one which lacks the second link.

Thank you.

Clive Robinson • April 20, 2019 4:59 AM

Dunning-Kruger at Boeing?

From the IEEE, a pilot and software developer's view on the 737Max tragedies,

https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer

As he notes of the software engineers at Boeing,

    The people who wrote the code for the original MCAS system were obviously terribly far out of their league and did not know it.

As well as the probable reason, "money", for what in effect was the reason the MCAS was effectively a secret,

    Put in a change with too much visibility, particularly a change to the aircraft’s operating handbook or to pilot training, and someone—probably a pilot—would have piped up and said, “Hey. This doesn’t look like a 737 anymore.” And then the money would flow the wrong way.

Remember the 737 first flew back in the 1960s; a pilot certified to fly those planes is still certified to fly the 737Max even though in reality they are in no way the same aircraft from a pilot's point of view...

Clive Robinson • April 20, 2019 5:42 AM

@ Bruce and the usual suspects,

The PDF Association has released a report on the security aspects of an officially released document that was done in a way that conflicts with the correct legal procedure for doing so (i.e. the requirement for disability access).

In essence they went for the next nearest thing to "Paper, paper, never data" they could and still end up with a PDF, many, many times bigger and actually of lower quality and usability than a properly printed document.

It's a worthwhile read and although it covers a number of things mentioned on this blog in the past, it does it in one handy place.

https://www.pdfa.org/a-technical-and-cultural-assessment-of-the-mueller-report-pdf/

Clive Robinson • April 20, 2019 7:27 AM

Utah bans warrantless digital searches

As some know, in what is potentially good news, at the end of last month Utah's Governor signed the "Electronic Information or Data Privacy Act" (House Bill 0057) into law. In the House vote it passed without any dissenting votes.

https://le.utah.gov/~2019/bills/static/HB0057.html

From what has been said, this closes the loophole in the 4th Amendment that many, and especially the FBI, have tried to force through in many cases of what would be illegal searches of paper and other documents.

Obviously this is not going to be popular with some, so no doubt all sorts of funny cases are likely to appear as various LEOs try to find workarounds (what's the guessing on "Parallel Construction" becoming popular).

Anyway there is a lot more to it, which Forbes has a piece on,

https://www.forbes.com/sites/nicksibilla/2019/04/16/utah-bans-police-from-searching-digital-data-without-a-warrant-closes-fourth-amendment-loophole/

Dennis • April 20, 2019 7:52 AM

Re: Assange

It is my belief that it's already known these "hold up" situations are nothing more than bargaining chips for the hosting party. What do you do when you have a little something somebody else wants, you hold it and look for a deal. This is what we learned from this and previous presidencies. I'm of the few to think that 2016 election was the final straw for Mr. Assange.

Who? • April 20, 2019 7:56 AM

@ Clive Robinson

From the IEEE Spectrum article:

Boeing’s solution to its hardware problem was software.

We know it does not work, as proved by the failed workarounds to rowhammer, meltdown, spectre, spoiler and so on attacks. Vulnerabilities must be fixed at the level they happen.

Hardware must be fixed at hardware level, software at software level and firmware at firmware level. Users remain mostly unfixable.

David • April 20, 2019 9:05 AM

https://www.washingtonpost.com/technology/2019/04/19/how-whatsapp-facetime-other-encryption-apps-shaped-outcome-mueller-report/?utm_term=.a90f845d2b7a

The Washington Post talks about how encryption shaped the outcome of Mueller's investigation.

And this:

"The rise in end-to-end encryption has made collection of data from devices themselves more important for investigators."

In a way, that is good news.

And this tidbit: Manafort got nailed because his incriminating messages got backed up into the Cloud.

Faustus • April 20, 2019 9:49 AM

@ Clive

I am not a big fan of locking people up, but Marcus Hutchins pretty clearly was involved in widely disseminating banking trojans and profiting from them. It is reprehensible to steal money from people like that, turning a lot of struggling people's lives upside down.

I'd say some punishment is definitely warranted, particularly so young people know the cost of such deeply antisocial crimes.

The fact that this occurred when he was younger and that he has straightened up since then seems to have been taken into account. He will probably receive a lot less than the maximum. This is appropriate.

Good for him for taking responsibility. When he completes his sentence I'd say he should be allowed a fresh start.

Denton Scratch • April 20, 2019 10:51 AM

@Faustus

I am not a big fan of locking people up. Full stop.

Prison is a waste of money; most locked-up criminals behave worse after they are released than they were before. There are some prison regimes that take seriously the need for rehabilitation; but they are far and few. And locking people up is fantastically expensive - it's like putting them in a 3-star hotel. Completely mad.

I am also opposed to extraterritoriality. You shouldn't be subject to US criminal procedures, if the thing you're accused of was not done in the US.

gordo • April 20, 2019 1:08 PM

Federal Facebook investigation could hold Zuckerberg accountable on privacy, sources say
By Tony Romm, The Washington Post, April 19, 2019

Federal regulators investigating Facebook for mishandling its users’ personal information have set their sights on the company’s chief executive, Mark Zuckerberg, exploring his past statements on privacy and weighing whether to seek new, heightened oversight of his leadership.

https://www.philly.com/news/nation-world/federal-investigation-facebook-zuckerberg-privacy-20190419.html

---

I wonder if community service is out of the question, e.g., identity theft hotline; content moderation queue; etc.

WTTCL(AGCL) • April 20, 2019 1:47 PM

SECURITY

Please beware of images and/or digital (or non-digital) vandalism or litter used to incite hostilities. Nevertheless, also please be AWARE that OTHER similar and DIFFERENT images and/or digital (or non-digital) vandalism EDITs or litter EDITs are NOT used to incite hostilities, and could convey or communicate just about anything else.

Last but not least, beware of alleged lyrical transcribings.
The results tend to vary wildly for a very large list of reasons, too complex to explain at this time in the small formspace allowed.

Here is an alternative transcription, for educational and security purposes, of a song I purchased legally with my own funds on compact disc digital audio double album. I still remember the music to this day, and was able to look it up, with much effort.

https://i.postimg.cc/sgSKYwNh/MINDPHASER-COM-PNG.png

The transcription is NOT text nor audio. You may take a look.
Sincerely,

WTTCL(AGCL)

The Pull • April 20, 2019 2:07 PM

@Mike Acker, and any interested parties

"we focus heavily on the activities of these "Computer Hackers". In that we are focused on the symptoms. The cause is INSECURE SOFTWARE and poor or non-existent security practices."

I can't help but put this in context of the 2020 election process. Russia really dared do a number on the US in 2016. What will they do, and what have they been doing this election cycle?

In this case, the issue very much is the people and resources a government brings to the table in regards to hacking.

I agree with analysts who state that Russia is trying to undermine the very concept of Democracy, and so liberty. America just happens to have been their target; America, and some other nations Russia targets.

It is important for these cases to be focused on.

On insecure software, a government is going to find a way to hack into almost anything they want to.

I work in the field of application security, and it is a wasteland, in this context. There are not enough solid tools nor people to make all the software secure. 'More complex a system, more likely for error'.

As for hypocrisy on the matter: If America did this to Russia, it would be bad news. If China did this to America, or Russia, it would be bad news. The size and power of these nations matter. It is akin to nuclear standoffs. It is stressful and bad when nuclear capable nations face off, seriously, against each other. While it is not as worrisome when non-nuclear capable nations face off against each other.

The Pull

The Pull • April 20, 2019 2:14 PM

@lurker

On html instead of plaintext, clicking on links, etc... 20 years ago, versus today...

20 years ago I was, admittedly, a vigilante hacker. I created the first suite of html trojans. I released these as proof of concept tools, partly for deniability. But, I also felt the government was not playing hardball with pedophiles and neo-nazis as they should. So, I did a batman thing.

Hacktivismo was my AA.

Everything was html, and we could own entire groups of bad guys simply by sending a single email or usenet post.

So, you were right in your paranoia.

Today, there are still vectors like this possible. Because technology continues to be monolithic, and have a lot of extraneous features which are forgotten, or never used... and so poorly QA'd.

The Pull

A90210 • April 20, 2019 3:55 PM

@Clive Robinson

"Utah ban warrantless digital searches
As some know, in what is potentially good news, ..."

From your Forbes Utah link above:

"In a major win for digital privacy, Utah became the first state in the nation to ban warrantless searches of electronic data. Under the Electronic Information or Data Privacy Act (HB 57), state law enforcement can only access someone’s transmitted or stored digital data (including writing, images, and audio) if a court issues a search warrant based on probable cause. Simply put, the act ensures that search engines, email providers, social media, cloud storage, and any other third-party “electronic communications service” or “remote computing service” are fully protected under the Fourth Amendment (and its equivalent in the Utah Constitution).

HB 57 also contains provisions that promote government transparency and accountability. In most cases, once agencies execute a warrant, they must then notify owners within 14 days that their data has been searched. Even more critically, HB 57 will prevent the government from using illegally obtained digital data as evidence in court.

In a concession to law enforcement, the act will let police obtain location-tracking information or subscriber data without a warrant if there’s an “imminent risk” of death, serious physical injury, sexual abuse, livestreamed sexual exploitation, kidnapping, or human trafficking.

Backed by the ACLU of Utah and the Libertas Institute, the act went through five different substitute versions before it was finally approved—without a single vote against it—last month. HB 57 is slated to take effect in mid-May.

Ensuring that the Fourth Amendment is still relevant can sound like an obvious, common-sense reform (and it is). Yet Utah’s new law is also a surprisingly radical break from the status quo. Thanks to the “third-party doctrine,” in 49 states and on the federal level, the government can access a striking amount of private data without a search warrant, simply by working through third parties.

Back in the late 1970s, the U.S. Supreme Court issued a pair of decisions (United States v. Miller and Smith v. Maryland) that upheld the warrantless searches of bank records and dialed phone numbers. In both cases, the court ruled that the defendants’ Fourth Amendment rights were not violated because they had no “legitimate expectation of privacy,” since they had “voluntarily conveyed” the information at hand to third parties."

[...]

Unfortunately, HB 57 does not extend to medical or financial records held by third parties, leaving Utahns still vulnerable to warrantless snooping.

Last year, the Supreme Court narrowed the third-party doctrine in Carpenter v. United States. By a margin of 5-4, the court ruled that accessing time-stamped mobile phone records known as “cell-site location information” (CSLI) qualifies as a search under the Fourth Amendment. “A person does not surrender all Fourth Amendment protection by venturing into the public sphere,” Chief Justice John Roberts wrote for the majority.

“When the Government tracks the location of a cell phone it achieves near perfect surveillance,” Roberts warned, “as if it had attached an ankle monitor to the phone’s user.” If the government wants to access CSLI, the chief justice bluntly told them to “get a warrant.”

In Carpenter, Roberts acknowledged that CSLI “does not fit neatly under existing precedents,” since it’s a form of “personal location information maintained by a third party.” As a result, the court “decline[d] to extend Smith and Miller.” “Given the unique nature of cell phone location records,” he wrote, “the fact that the information is held by a third party does not by itself overcome the user’s claim to Fourth Amendment protection.”


First, CSLI is automatically recorded any time someone uses their phone, without any input from the user,

[...]

Roberts convincingly explained why the third-party doctrine is a poor fit for CSLI. Yet even though many of those detailed reasons also apply to other forms of electronic data, the chief justice was adamant that his decision was a “narrow one.” Carpenter explicitly states that it does not directly consider the constitutionality of the government obtaining less than seven days’ worth of cell-site records, real-time CSLI, “conventional surveillance techniques and tools,” or business records, though many of those law enforcement tools are now covered by HB 57 in Utah.

[...]

While Carpenter’s long-term impact on digital data will largely depend on how the Supreme Court reconciles the decision with its woefully outdated precedents, in Utah, the Electronic Information or Data Privacy Act has already struck a major blow against the third-party doctrine. Utah’s sweeping reform warrants becoming a model for other states."

A90210 • April 20, 2019 4:06 PM

More positive news

https://www.eff.org/deeplinks/2019/04/victory-house-representatives-passes-net-neutrality-protections

"In a vote of 232-190, the House of Representatives passed the Save the Internet Act (H.R. 1644) [9 April 2019]. This is a major step forward in the fight for net neutrality protections, and it’s because you spoke up about what you want."

Now it's up to McConnell, other Senators, and, perhaps, us, and/or others you know, contacting them about how:

"We want our Net Neutrality" or something like that

https://www.congress.gov/bill/116th-congress/house-bill/1644 (USG)
https://rules.house.gov/bill/116/hr-1644 (USG)

Hellabout • April 20, 2019 4:41 PM

@clive

That indictment of @malwaretech is damning. Many people were saying it was a case of government overreach, that he was just studying malware, etc. etc. That is most certainly not what he pleaded guilty to. What he pleaded guilty to was trying to digitally rob banks and then cover his tracks by working with a partner. I have to wonder if @emptywheel is going to admit that she was wrong.

A90210 • April 20, 2019 4:54 PM

"Was Julian Assange subject to mind games by the Ecuadorian regime?"

https://theintercept.com/2019/04/15/julian-assange-health-medical-care/

"While the British government and Assange’s many critics say that it was his choice to stay in the embassy, [Sondra] Crosby [ an associate professor of medicine and public health at Boston University and an expert on the physical and psychological impact of torture ] argues that Assange was denied the fundamental right to health care that should have been afforded to him as a refugee.

In her April 8 letter, Crosby wrote that the “highest priority” for Assange’s medical care was his “critical need for an oral surgery procedure,” adding that “the severe daily pain” from his dental condition is “inhumane.” She had consulted with a dentist who had examined Assange, she wrote, and learned that the dental surgery could not be performed in the embassy. In her letter, Crosby says that the British government had repeatedly rejected requests to give Assange safe passage to a hospital for treatment.

In addition to Crosby, Dr. Brock Chisholm, a British clinical psychologist who was previously retained as an expert witness in a case involving allegations of torture at CIA black sites, evaluated Assange over the past two years. Dr. Sean Love, now at Johns Hopkins School of Medicine, initially met with Assange and arranged for an introduction to Crosby and Chisholm, but did not conduct any of the evaluations. Love said that Assange and WikiLeaks gave the doctors permission to make Crosby’s affidavit and letter public.

Love criticized the British government for denying Assange medical care while he was in the embassy.

“Whatever you think of his politics, he is a human being,” Love said, “and under international law, he deserved to be treated fairly and not in cruel or inhumane ways.”"


and, another reference about the money,

https://www.bloomberg.com/news/articles/2019-02-21/imf-to-lend-ecuador-4-2-billion-amid-lean-times-for-opec-nation

In addition, I thought I heard about another 25 billion USD, or so, recently, but I can't find the link.

Clive Robinson • April 20, 2019 6:48 PM

More bad news about Boeing.

It appears that the 737Max is not the only safety SNAFU Boeing has.

The 787 Dreamliner also has manufacturing issues that some consider safety critical production system defects,

https://www.nytimes.com/2019/04/20/business/boeing-dreamliner-production-problems.html

So this is the second bad news story and affects areas unrelated to the 737Max, which is worrying. Because if they were related then it would indicate a failure at one point; however, unrelated suggests that it is a management or cultural issue that affects the company in a much more general way...

Bad news stories have a habit of coming in threes, so heaven only knows what's going to come seeping out of Boeing next.

One interesting point to come out is that the libertarian ideal of "small Government at all costs" clearly has downsides, as does not paying competitive employment packages. Either way you lose oversight and independence of audit, accountability, etc. It's a bit difficult to expect people 'to bite the hand that feeds them', especially when you consider the track record on whistleblowers. Which means in general those who regulate within a commercial organisation cannot operate 'without fear or favour', even if it is at an almost subconscious level.

Whilst I am not in favour of Max-Gov, as it tends to turn into make-work jobs, I am concerned that when it comes to scientific and technical matters, you need not just the right staff but also sufficient of them to cover the industries etc. concerned.

It's fairly clear that there are many regulatory agencies failing due to lack of suitable staff in not just the US but the UK and other nations. Thus the question arises as to what consumers and citizens really want?

David • April 20, 2019 7:05 PM

@A90210

On Assange

Notice that Manning and Assange are both in jail. Our little mockingbird in Moscow is next, and he can surely sense that his noose is being lowered.

It would be interesting to know how much money the U.S. has spent in bringing Assange down, and to whom some of that enormous sum went in fat paper bags. If you were to weigh one million U.S. dollars in one-hundred dollar bills, you would discover that it comes to about twenty-two pounds.

Remember that photo of the Ecuadorian president eating lobster for breakfast in a European hotel? It is just a guess, but very plausible.

That troika did an enormous amount of damage to American power and caused deep ongoing embarrassment to the U.S. intelligence community. All of them are doomed. Deep pockets, a lot of folks, and rage are going to cut short their days in the light.

Anders • April 20, 2019 9:40 PM

Heads up - today, 21 April, is the second round of the Ukraine presidential election.

Russia has meddled with US elections, now it is meddling with Ukraine elections.
From this election depends whether Russia gets Ukraine for free on the silver platter or not.

MarkH • April 21, 2019 1:23 AM

@Clive, @Who:

I suspect that the author of the Spectrum article may be out of his own league. There are numerous precedents for pleasure pilots overestimating their understanding of jet transport operations. In any case, he seems to have gotten at least some of the facts wrong.

Focusing on claims and conclusions:

• All practical aircraft have some degree of aerodynamic instability. The 1903 Wright flyer (which achieved the historic "first flight") evidences pitch instability in the films the Wright brothers made of their tests. As common sense suggests, instability -- as compensated by aircraft systems -- must be kept within manageable limits.

• Jet transports have either (a) "artificial feel", or (b) no feel at all (Airbus "joystick" cockpits). The direct force feedback the author enjoys in his 4-seat plane isn't practical for big jets. To my knowledge, artificial feel has not been a safety problem.

• From the early days of jet transports (that is, during the past 6 decades) jets have routinely had onboard systems not only for artificial feel, but also to make the planes simpler, safer and more docile for pilots to control. There is no design principle that all problems must be solved in the same domain: aerodynamic instabilities have been tamed by electronic (or in the early days, less reliable electromechanical) systems for a long time with an excellent safety record.

• I see no justification for the claim that the "people who wrote the code" for MCAS were "terribly far out of their league." It's possible -- and I think quite likely -- that they did a professional and competent job of realizing the functional requirements submitted to them. Those requirements were the product of a grossly flawed system design and review process. Rotten coders create a lot of bad rubbish with negligible accountability; it would be a grim irony to blame the software engineers in a case where they perhaps did their job without flaw. In a giant organization, the software team probably won't be staffed by experts on aerodynamics and aircraft systems. There are other departments responsible for those matters. As far as public information shows, those departments failed.

Dennis • April 21, 2019 3:55 AM

@David wrote, "Notice that Manning and Assange are both in jail. Our little mockingbird in Moscow is next, and he can surely sense that his noose is being lowered."

They had to lock him up before he does any more damage to the 2020 election.

Clive Robinson • April 21, 2019 4:17 AM

@ MarkH,

I suspect that the author of the Spectrum article may be out of his own league. There are numerous precedents for pleasure pilots overestimating their understanding of jet transport operations. In any case, he seems to have gotten at least some of the facts wrong.

The article has been reviewed by professional pilots, and I assume that they don't see things the way you do.

As for his usage of the Wright Flyer, well there is lots of myth surrounding it and people therefore mistakenly use it as a "touchstone". However, as history actually shows, it was by no means the first flying machine. As the Smithsonian Institution takes care to point out, the aircraft was (1) the first powered (2) heavier-than-air machine to (3) achieve controlled, (4) sustained flight with (5) a pilot aboard. Thus, much like Marconi, it was in effect a collection of others' work.

The way the Wrights did things with the canard and wing warping was, as far as I know, 'original to them'. However it was very unlikely to move forward in time, for the same reason we knew long before then that you don't put rudders on the front of boats whose engines are at the back, and horses go before the cart, and why we call it 'drag' not 'push'. Doing it the other way around is not a naturally stable condition; in fact it can be shown to be chaotic and require continuous physical corrective input from the pilot in what would very quickly become tiring, as well as making some interesting 'self destructing rocket' films just a few years later. I suspect most engineers with any real-world practical experience with feedback systems would know this, but software developers as a general case probably not, and oddly perhaps most pilots don't either, such is the myth behind the Wrights' Flyer, and the care engineers have taken to design out such issues. Which is possibly why the Smithsonian Institution used "controlled" but not "practical" in their "claims" list. It's known that others had already solved this particular 'self stability' problem, and not having known about it is probably the reason why the Wright Flyer crashed almost immediately on its maiden flight and had to be repaired before it made its actual first flight. What the Wrights should have a claim to fame for but don't is the use of "moving picture cameras" in engineering development work. It's the fact they filmed things that gives what we now call 'conspiracy theorists' the excuse to say it was all rigged...

As for the use of the force feedback system, my view is that he was using it to make the point that it was about taking the primacy away from the pilot and giving it to the dog... That is, a system with fewer, and unreliable, inputs than the pilots was making incorrect decisions on that bad information, and the pilots had no 'natural way' to overcome it. The actual mechanics of how such primacy should be returned to the pilot were not that important, though he did note that in his plane's system it would automatically return control to the pilot if it detected an error. His repeated point, however, was that the Boeing system lacked any ability to detect any errors due to too few inputs.

It followed from the fact that Boeing's software developers actively chose not to use the information available, thus removing any possibility of error checking in their design, and worse, chose to implicitly trust a known-to-be-unreliable input. All things that are contrary to "Standard Practice" in the rest of the industry for very good reason, which is what caused the author to say that Boeing's software developers were clearly "terribly far out of their league"... Put simply, they obviously were.

Trying to argue against that view point is a little pointless. Arguing they were working to a specification is a little like arguing 'they were only following orders', it's not an acceptable legal or moral defence...

Unless you can show without doubt that they were totally isolated from knowing about what the code they were writing was to be used for, and what the industry regarded as "Standard Practice" at the time. And let's be honest here, fault tolerance in the presence of unreliable components was a solved problem before they or anyone else working at Boeing was born. It was solved by voting systems back in the early days of electromechanical exchange equipment by the New York Telephone company.
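As an added example of the "voting systems" point Clive makes above (this is example code written for this page, not Boeing's code and not anything from the IEEE article), the snippet below contrasts a controller that trusts a single input channel with one that requires a majority of redundant channels to agree before it acts, and that hands the decision back to the human operator when no quorum exists. The readings, the 2.0 degree agreement tolerance and the 15.0 degree trigger limit are constructed values for illustration only.

```python
"""Majority voting over redundant, individually unreliable sensor channels.
Added example for this page; the readings and thresholds are constructed."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


@dataclass
class VoteResult:
    value: Optional[float]   # agreed reading, None when there is no quorum
    valid: bool              # True only when a strict majority agrees
    suspect: List[int]       # channel indices that disagree with the consensus


def vote(readings, tolerance):
    """Majority agreement: take the median as the consensus candidate, then
    require that a strict majority of channels lie within `tolerance` of it.
    Channels outside that band are reported as suspect rather than used."""
    if not readings:
        return VoteResult(None, False, [])
    consensus = median(readings)
    agree = [i for i, r in enumerate(readings) if abs(r - consensus) <= tolerance]
    suspect = [i for i in range(len(readings)) if i not in agree]
    if len(agree) * 2 > len(readings):
        # Average only the agreeing channels so an outlier cannot bias the value.
        return VoteResult(sum(readings[i] for i in agree) / len(agree), True, suspect)
    return VoteResult(None, False, suspect)


def single_channel_step(readings, limit=15.0):
    """The 'trust one input' design: there is no second opinion, so a faulty
    channel cannot be detected, and the automatic correction fires on it."""
    value = readings[0]
    action = "correct" if value > limit else "none"
    return {"action": action, "value": value, "suspect": []}


def controller_step(readings, tolerance=2.0, limit=15.0):
    """Voted design: act only on an agreed value.  With no quorum the automatic
    path is disengaged and control stays with the operator instead of acting
    on unverified data."""
    result = vote(readings, tolerance)
    if not result.valid:
        return {"action": "disengage", "reason": "no sensor agreement",
                "suspect": result.suspect}
    action = "correct" if result.value > limit else "none"
    return {"action": action, "value": result.value, "suspect": result.suspect}


# Constructed angle-of-attack-style readings in degrees (hypothetical values).
NORMAL = [4.1, 4.3, 3.9]      # all three channels agree
ONE_BAD = [74.5, 4.1, 3.9]    # channel 0 is stuck high
TWO_BAD = [4.1, 74.5, 60.2]   # two channels disagree with everything: no quorum

if __name__ == "__main__":
    for label, r in (("normal", NORMAL), ("one bad", ONE_BAD), ("two bad", TWO_BAD)):
        print(f"{label:8s} single-channel: {single_channel_step(r)}")
        print(f"{label:8s} voted:          {controller_step(r)}")
```

With `ONE_BAD` the single-channel design issues a correction on a 74.5 degree reading that two other channels contradict, while the voted design reports channel 0 as suspect and uses the 4.0 degree consensus; with `TWO_BAD` the voter refuses to act at all, which is the behaviour the comment above is asking for.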

Ergo Sum • April 21, 2019 8:50 AM

@The Pull...

On insecure software, a government is going to find a way to hack into almost anything they want to.

That depends... They don't need to do that, if the software has a built-in backdoor...

On html instead of plaintext, clicking on links, etc... 20 years ago, versus today...

All email clients have settings for reading emails in plain text, which effectively disables HTML, scripting, etc. Most email clients also allow changing the view to HTML on a case-by-case basis, should the end user desire.

MS Outlook has settings for disabling links connecting to external resources; external as in outside of the local computer. The link can be copied and pasted in a browser, if the end user so desires.

The point is, that current email software does have built-in "security features", that are better in my view than any A/V, or other third-party security protection. People, who depend on default application and/or third-party security protection deserve what's coming their way. I know, this is harsh, but it is what it is...
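As an added illustration of the point Mike Acker makes near the top of the thread and Ergo Sum makes here (this is example code written for this page, not anything from the blog or its commenters), the script below renders an HTML e-mail body as plain text with each link's real target printed beside its label, and flags anchors whose visible text names one host while the href points at another, or whose href uses a non-web scheme. The sample message, its hostnames and the IP address in it are constructed.

```python
"""Plain-text rendering of an HTML e-mail with link auditing.
Added example for this page; the sample message below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HOST_IN_LABEL = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class MailLinkAuditor(HTMLParser):
    """Collect anchors as (visible text, href) and build a plain-text view."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.links = []          # (visible text, href) in document order
        self._href = None        # href of the anchor currently open, if any
        self._anchor_text = []
        self._skip = 0           # depth inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []
        elif tag in ("br", "p", "div", "tr", "li"):
            self.text_parts.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip -= 1
        elif tag == "a" and self._href is not None:
            text = "".join(self._anchor_text).strip()
            self.links.append((text, self._href))
            # Show the real target next to the label, the way a plain-text
            # client would, so the reader sees what a click would open.
            self.text_parts.append(f"{text} <{self._href}>")
            self._href = None

    def handle_data(self, data):
        if self._skip:
            return
        if self._href is not None:
            self._anchor_text.append(data)
        else:
            self.text_parts.append(data)


def audit_links(links):
    """Return (text, href, reason) for every anchor that is either not a web
    URL or whose label names a host different from the href's host."""
    findings = []
    for text, href in links:
        parsed = urlparse(href)
        if parsed.scheme.lower() not in ("http", "https"):
            findings.append((text, href, "non-web scheme"))
            continue
        href_host = (parsed.hostname or "").lower()
        m = HOST_IN_LABEL.search(text.lower())
        if m and m.group(1) != href_host:
            findings.append((text, href, f"label host {m.group(1)} != target {href_host}"))
    return findings


def audit_html_mail(html):
    """Parse the message once; return (plain text, all links, flagged links)."""
    parser = MailLinkAuditor()
    parser.feed(html)
    parser.close()
    return "".join(parser.text_parts), parser.links, audit_links(parser.links)


# Constructed sample: one honest link, one mismatched label, one odd scheme.
SAMPLE_HTML = """<html><body>
<p>Dear customer, your statement is ready.</p>
<p><a href="https://login.example-bank.test/">https://login.example-bank.test/</a></p>
<p>Or <a href="http://203.0.113.9/acct">www.example-bank.test/secure</a> to verify.</p>
<p><a href="javascript:alert(1)">Click here</a></p>
<script>document.write("hidden")</script>
</body></html>"""

if __name__ == "__main__":
    plain, links, findings = audit_html_mail(SAMPLE_HTML)
    print(plain)
    for text, href, reason in findings:
        print(f"FLAG: '{text}' -> {href} ({reason})")
```

The plain-text view is what a client configured as Ergo Sum describes would show; the audit step is the extra check a mail gateway or a cautious reader can apply before any link is followed.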

maqp • April 21, 2019 10:06 AM

TFC 1.19.04 is now released.

  • Moved platform to *buntu 19.04 and Python 3.7.
  • The TCB configuration installation is now noticeably faster.
  • The Argon2 KDF is now used according to best practices.
  • Updated dependencies fix two CVEs.
  • It turns out the /wipe command during traffic masking was broken. That has now been fixed.
  • Refactored the code a bit and fixed a couple of broken tests.
  • The project got its first pull request -- I'm really glad about this!

As always, more details in the update log.

vas pupApril 21, 2019 12:05 PM

How superstitions spread

Even seemingly irrational beliefs can become ensconced in the social norms of a society:
https://www.sciencedaily.com/releases/2019/04/190418131334.htm

"In their model, Morsky and Akçay assume that individuals are rational, in that they do not follow a norm blindly, but only do so when their beliefs make it seem beneficial. They change their beliefs by imitating successful people's beliefs. This creates an evolutionary dynamic where the norms "compete" against one another, rising and falling in prevalence through the group. This evolutionary process eventually leads to the formation of new social norms."

See who funded research:
"Support for the research came from the Defense Advanced Research Projects Agency (Grant D17AC00005) and Army Research Office (Grant W911NF-12-R-0012-03)".

I see it as if you generate artificially some kind of event connected to superstitions of e.g. enemy combatants, you could manipulate their action/inaction to some degree.

gordoApril 21, 2019 12:11 PM

Carole Cadwalladr at TED2019
Facebook's role in Brexit — and the threat to democracy

. . . and we were one day ahead of publication. We got another legal threat. Not from Cambridge Analytica this time, but from Facebook. It told us that if we publish, they would sue us. We did it anyway.


(Applause)

Facebook, you were on the wrong side of history in that. And you were on the wrong side of history in this -- in refusing to give us the answers that we need. And that is why I am here. To address you directly, the gods of Silicon Valley.

(Applause)

Mark Zuckerberg ...

(Applause)

and Sheryl Sandberg and Larry Page and Sergey Brin and Jack Dorsey, and your employees and your investors, too. Because 100 years ago, the biggest danger in the South Wales coal mines was gas. Silent and deadly and invisible. It's why they sent the canaries down first to check the air. And in this massive, global, online experiment that we are all living through, we in Britain are the canary. We are what happens to a western democracy when a hundred years of electoral laws are disrupted by technology.

Our democracy is broken, our laws don't work anymore, and it's not me saying this, it's our parliament published a report saying this. This technology that you have invented has been amazing. But now, it's a crime scene. And you have the evidence. And it is not enough to say that you will do better in the future. Because to have any hope of stopping this from happening again, we have to know the truth.

https://www.ted.com/talks/carole_cadwalladr_facebook_s_role_in_brexit_and_the_threat_to_democracy/transcript?curator=MediaREDEF

Related story:

https://www.theguardian.com/uk-news/2019/apr/21/carole-cadwalladr-ted-tech-google-facebook-zuckerberg-silicon-valley

---

Big Tech's contribution to 'democracy': Influence laundering at scale.

As metaphors go, rather than America's 'Citizens United', a more accurate rendering, and extending beyond the U.S., might be: 'Oligarchs United'.

In the scheme of things, the Russians were small potatoes.

The PullApril 21, 2019 12:28 PM

@Ergo Sum

"That depends... They don't need to do that, if the software has a built-in backdoor..."

Well, they don't have to code in backdoors when their main tech agency, the NSA, for instance, is in charge of performing security reviews for a lot of software.

They can just turn any vulnerability into a backdoor.

And having worked in many companies, gov, and otherwise, to find and help dev fix vulnerabilities... I can tell you, it is too easy -- if anyone wished to do that.

This is especially true when security QA on the app has been very heavy. Because that means they have a backdoor that is very hard to find.

Code their own, and they do not have as much assurance.

"The point is, that current email software does have built-in "security features", that are better in my view than any A/V, or other third-party security protection. People, who depend on default application and/or third-party security protection deserve what's coming their way. I know, this is harsh, but it is what it is."


I stand by the 'more complexity, more chance for error' view, so what you are suggesting is less complexity. If you roll on a 'no javascript' browser these days, a lot of sites do not work well.

JS has so much functionality these days...

But, even plaintext is not assurance one hundred percent. I have found bugs which were in plaintext parsing systems. But, that does remove an enormous amount of complexity, to be sure, so is far safer.

From sec ops, though, which is more 'spy' oriented, at Hacktivismo, we all agreed to keep everything on the up and up. And assume surveillance at all times, as we were targeting China with our propaganda.

I usually keep to that standard, then.

Clean the inside of the cup, so the outside is clean too.

China, Russia, US could hack me up, but they would never find anything.

The PullApril 21, 2019 12:44 PM

@vas pup

Right, they want to be able to do what Russia does so well, and have for well over a hundred years back to the Czar days... which is to be an agent of influence.

The US does not need this, however, as we have Hollywood. Hollywood naturally siphons off the intrinsic spirit of the good of the nation, and puts that into their depiction of 'the hero'. And, into the depiction of 'the adversary'.

People all over the world see our movies (from our nations), and have hope for a better life, and a better future.

Trying to overtly manipulate enemy groups, is limited in capability, and if the intent is truly malicious -- it will just backfire too much.


Besides NLP/conversational/Ericksonian "hypnosis" methodologies, really what they miss in their paper is the simple fact that people will believe whatever they want to believe according to their preferences.

Russia did that in 2016.

Learn your enemy's preferences, and you know how to lie to them and get them to do what you want them to do.

Hacktivismo worked on these principles, and we did a good job at it. It worked.

The Pull


Sed Contra April 21, 2019 2:19 PM

@gordo

Cadwalladr, TED etc.

Please allow me a moment of skepticism. TED (or is it tiède) is, it must be said, the Tech Lords’ debate capturing formula, where they just spout their utopian schemes in pablum form ad captum vulgi. Cadwalladr is either a useful idiot or pseudo-opposing voice. She does nothing except further their ends. Their “outrage” is purely calculated.

Sancho_PApril 21, 2019 4:38 PM

Re: Utah and the Third Party Doctrine

While Utah's HB 57 is an important step of common sense against the TPD, it is strange to regulate only government entities' access, but not access in general.
Privacy is privacy, be it LE or others.

- To punish LE while absolving business has the odor of corrupt lawmakers.

But for LE / justice it would be mandatory to always (not only in “most cases”) officially inform all persons being subjected to this warranted surveillance within 14 days.
That means especially all persons caught up in the broad dragnet of communication surveillance on the other end of the line of the suspect, because their privacy was collected without particular warrant or suspicion.

- Our principle of deterrence mandates awareness of limits, consequences of (further) wrongdoing and knowledge of being in the focus (and why). Respect and fairness are principles of our society.

- Only information is a suitable means of controlling LE. There must be an independent organization (like ACLU, EFF) with an official mandate to investigate possible LE overreach.
Trust needs control, control needs knowledge and feedback.

Clive RobinsonApril 21, 2019 6:20 PM

@ vas pup,

How superstitions spread

It's also highly relevant to security and the judicial processes.

Have a think about the myths surrounding "Best Practice".

In essence you perform a survey by questionnaire, where the results are quite biased as the responses are "voluntary" thus mainly very few and many are self serving/promotion.

You then take these biased results and analyse them by some method which is again biased as there is no agreed or sound measurand[1].

Having ranked the responses you then look for what the top responders claim to do, and then call this "Best Practice".

Simply because you hang such a label on your really shoddy non-research, that does not rate sufficiently even for "yellow journalism", it confers by the process of "magic pixie dust" a legitimacy it does not in any way deserve, hence its myth status of false/unknowing belief.

[1] Saying the AV your site uses reported X suspicious events blocked is not a valid measurand for a whole heap of reasons. Not least because it does not count its failures, only its partial successes. Further and quite importantly it's not independent of other factors that would make a site more or less attractive to attackers, and a whole bunch of other factors, that to be honest currently form an incomplete set. Thus as a figure it is fairly useless for anything other than "fill" in a management report. ICTsec abounds with these non-measurand numbers and yet apparently nobody wants to push for actual measurands that are of use for analysis.

gordoApril 21, 2019 6:44 PM

@ Sed Contra,

That TED is the venue-of-choice for faux-outrage is duly-noted. Big Tech wants nothing more than hands-off regulation that strengthens their market position while at the same time absolves them of any wrongdoing. Cadwalladr says as much while at the same time pleading with them for their acquiescence which gives away the play. Lest we forget, Big Tech has its own set of self-interested and self-absorbed oligarchs for whom the industry media is just that. Put simply, these platforms, and the people who run them, were not taken unawares.

Clive RobinsonApril 21, 2019 7:06 PM

@ The Pull,

If you roll on 'no javascript' browser these days, a lot of sites do not work well.

Interestingly the sites that fail the hardest or work least well are those that are notorious for one of two things,

1, Using JS to get user PII.
2, Using JS to serve adverts.

With regards the adverts is the issue of,

A, Malware.
B, Bandwidth.

It's not in the interests of those serving the adverts to end users to put in place checking methods for Malware. But worse for those with slow data rates or capped bandwidth (something like seven tenths of nations' Internet provision) is the excessive data the adverts bring. Thus a simple text web page with 2K-4K of actual data the end user wants comes with 3M-10M of unwanted data if they have JS enabled.

Thus dumping JS is most definitely not just the sensible, but logical thing to do.

All the noise you hear against such a policy is generally fostered by those making money out of abusing the users.

From that perspective, making their sites unusable is actually self defeating, because they actually reduce their audience.

I have finally "De-Googlefied" myself because of Google Management's stupidity in this respect, and worse for them I will talk about Google's stupid policy with others, and promote their competitors who do not behave in the same stupid way. In this it appears I am far from alone, as finding others doing similar anti-Google things is relatively easy.

This one actually struck me as quite amusing,

https://strugee.net/blog/2019/04/make-recaptchas-im-not-a-robot-accurate

Further, other people are realising that the World Wide Web Consortium W3C has sold out to the likes of Google, and, HTML5 being riddled with PII-stealing opportunities, are not upgrading to it.

Whilst people like features, they like identity theft a lot lot less. Stories about Facebook spending millions on how to make their PII-stealing platform more addictive likewise are turning people off of new features. I guess people will start to see the Internet as more and more like they do addictive substances A.K.A "Drugs" and will start behaving differently. Eventually sufficient people will realise just how really evil Google, Facebook and the other big Silicon Valley companies really are, and will reduce or stop using them, at which point the reason for their existence (making money off of PII) will stall and go into a decline.

For me turning off both cookies and JavaScript were easy choices several years ago. Has it hurt my use of the Internet? Not really, as a general case very little useful information is "single sourced", thus I see both cookies and JavaScript in the same way I do paywalls, "just a small and mostly unimportant bump in the road, that's easy to evade".

The PullApril 21, 2019 8:56 PM

@Clive Robinson

Long time lurker, first time poster (sometimes I have jumped in before, but never used a nick which anyone could identify me with until now):

Under another nick of mine, osioniusx, I came up with this 'proof of concept' attack tool:
https://packetstormsecurity.com/files/11526/godmessage.zip.html

I post, because you might find it amusing. [The papers accompanying the trojan].

I sure did rely on JS to get that running, though later found ways to hack via my job at the leading security forum where one might just view an image to be hacked... or html without javascript. (I did not use these against anyone, but responsibly disclosed them.)

That said, you have a high degree of assurance of security running without JS.

These guys are not like you or me, they want money, and do not care how they get it.

Paying employees is a good cause, but Zuckerberg has a track record from his college days abusing privacy. In nasty, ruthless ways.

You can guarantee a guy like that is doing all he can do to get away with it.

In fact, this latest disclosure from them was reported by a noble security researcher who saw FB was stealing email credentials from noobs.

Random PII attacks are not what my major threat is. My major threat is that Russia or China might use my PII to figure out who I work with, and how we communicate, and who we work for.

But, of course, that is exactly what nation state hackers have been doing with a lot of these latest disclosures. Asus, Outlook.com, etc... wide sweeps for small Very Interesting People. I would not put it past Zuckerberg to have payment from one of those nations for this same reason.

Aurora was China trying to get information on unknown American spy groups. The theft of the sf-86 database was such an attempt. [Mine was pulled, beforehand, however, though some remnants of data of mine remained.]

These guys give companies which are ruthless money to betray their own country.

That little PII can be used to map out sensitive networks. More you know about someone, easier to hack em. If you know who their friends and family are, you can build out your map. Find out who else is involved.

Just saying, these guys are not being sloppy and greedy, alone. They are almost certainly being paid for these invasions of privacy by hostile foreign powers.


On your comment about much of the world does not have the capacity to walk the swamp of JS bloat:

Very good point. I was just running a JavaScript-less browser yesterday, after putting Linux on my Chromebook, and was very frustrated. Google actually did OK, but Steam was horrible.

Google, of course, is bad. I just bought a thirty dollar card, and of course, they do not integrate it well into the system. They limited viability of it, simply to sell you a beefier computer or handset.

Steam, the company I mentioned - you are right - are big time hogs on PII, and also put getting money and information on people over giving good product.

(For instance, if you buy a game from them, you really have them own it, as you can not play it without also running their bloatware interface.)


The Pull

aka OsioniusX, aka ? [ http://www.metrolyrics.com/burn-lyrics-the-cure.html ]

of Hacktivismo, Cult of the Dead Cow, eEye Digital Security-- and a bunch of other places nobody wants to know about ;-)


Alyer Babtu April 21, 2019 9:03 PM

@Clive Robinson

sold out

Besides the capture (captcha ?) of the internet and its users by Ggggglll etc., I am told by users in what would be considered an allied area that telecoms are trying to take over and monopolize/monetize the part of the radio spectrum that has been always left for ham operators.

The PullApril 21, 2019 11:14 PM

Really cool article on the readiness of intel & mil for this upcoming US presidential election, and the anticipated cyber espionage war to take place:

"Spies, Lies, and Algorithms"
https://www.foreignaffairs.com/articles/2019-04-16/spies-lies-and-algorithms

Good quote:
"At the same time, U.S. intelligence agencies are facing new challenges generated by breakthrough technologies. In 2007, the word “cyber” did not appear once in the annual intelligence threat assessment. In 2009, it was buried on page 38 of the 45-page document, just below a section on drug trafficking in West Africa. Yet by 2012, barely three years later, then Secretary of Defense Leon Panetta warned that a “cyber–Pearl Harbor” could devastate the United States’ critical infrastructure without warning. Today, an assortment of malign actors perpetrate millions of cyberattacks around the world every day. Cybercrime now generates more revenue than the global illicit drug trade."

The report does not dig into military response in these regards, nor NSA, and the CIA source for it performed his duty and left before CIA reorganized towards a stronger technical stance.

Regardless, the article brings up very interesting attack & defense scenarios, though mostly on the social media aspect of the problem.

Morrell, the CIA source, was though, an analyst, and so this is a high quality article.

Another snippet ppl here might enjoy:

"Separating the true from the spurious will only become more difficult. AI is giving rise to a deception revolution. Russian disinformation ahead of the 2016 election pales in comparison to what will soon be possible with the help of deepfakes—digitally manipulated audio or video material designed to be as realistic as possible. Already, commercial and academic researchers have created remarkably lifelike photographs of nonexistent people. Teams at Stanford University and the University of Washington have each used AI and lip-synching technology to generate deepfake videos of Barack Obama saying sentences he never actually uttered. As with other technologies, access to simplified deepfake code is spreading rapidly. Some programs are easy enough that high schoolers with no background in computer science can use them to generate convincing forgeries. Even the high-end computing power needed for more sophisticated deepfakes can now be acquired at relatively low cost."

"It does not take much to realize the manipulative potential of this technology. Imagine watching a seemingly real video that depicts a foreign leader discussing plans to build a clandestine nuclear weapons program or a presidential candidate molesting a child just days before an election. Their denials could easily be dismissed because the evidence seems incontrovertible—after all, seeing has always been believing."

Clive RobinsonApril 22, 2019 2:06 AM

@ Alyer Babtu,

I am told by users in what would be considered an allied area that telecoms are trying to take over and monopolize/monetize the part of the radio spectrum that has been always left for ham operators.

It's rather more than "allied"; we are seen as the same enemy by the same people... But first a quick history and overview of the current situation / battle ground,

The Amateur radio spectrum has been under threat for longer than I've held a call sign, and that's four decades. In fact longer than I've had an interest in radio, so you can add at least another decade. It is a war of attrition that the various National Amateur Radio associations (ARRL, RSGB, et al) have had to fight every day for years, just to try and slow the process down.

The big issue is the tricks those attacking use. For instance in some countries power companies have made the HF band useless by "data over powerline" systems. Which range from home systems for the control of lights and other gadgets through Smart Power Meter systems all the way up to the equivalent of DSL etc. All of which put high levels of RF noise in urban areas that raise the Noise Floor by between a thousand and ten thousand times, effectively making the bands unusable unless you can get a couple of miles from it in every direction (thus work mobile/portable, which can be difficult for some such as the disabled who use Amateur Radio to have some form of social life).

Then there are all those household and commercial premises "gizmos" using LED lights, displays and screens spewing out RF Noise. Many of these start out quiet but as the cheap capacitors dry out / break down in a year or two of a ten or more year life cycle... The same applies to fluorescent lights, energy saving lights and more recently Smart Meters and our new friends the IoT devices... It's a never ending list.

As you know politicians are very short sighted at the best of times and 'lobbyists bearing gifts' are almost always listened to especially when the gifts are campaign funds or prewritten legislation etc. AT&T I'm told are one of the worst offenders in this regard in the US, especially when it comes to killing off "Community Internet" by making it illegal...

The simple fact is the RF spectrum is finite and most of it that was usable at the time was allocated out. This has been going on for a century, with Amateurs being given parts of the spectrum that were considered "unusable" by the then Government and Commercial interests. Amateurs then by their own inventiveness made the best use of the slim pickings they had been thrown. As they made the spectrum usable, Governments and Commercial interests took the allocations to Amateur radio operators back. By the mid 1980's most of the spectrum had been allocated beyond the microwave bands, with just a tiny fraction allocated to Amateurs, compared to other users such as public broadcasting, the military, maritime and aircraft communications, and commercial Private Mobile Radio (PMR).

Then three things happened: firstly Space started "opening up commercially", secondly "personal communications" became mobile and individuals started having excessive "personal data usage" requirements.

Then perhaps the most mindless event in the history of radio happened, the first of the "spectrum auctions". Some major Telco organisations lost all reason and sense and things went bid fever crazy. Suddenly radio spectrum was a gold mine for national treasuries, as everybody wanted it... Soon the military was losing bandwidth, as was law enforcement and first responders. Then national broadcasters began losing bandwidth. Over the air or through cheap leaky cables RF spectrum was being swallowed up to allow animations of dancing hamsters, cute kittens and the like along with inane conversation about Z listers' private lives.

Back in the 1960s through 80's the image projected by many was housewives during the day and teenage girls sitting at home yacking all early afternoon and early evening with their school friends over fixed land lines. Then in the 80's nerdish boys and their modems were seen as the next land line hogs... Whilst these images are not exactly true there was enough truth in them to drive the industry. I was involved with trying to get data over analogue cellular radio to work. Basically it was failing to work because of the issue of "in band signalling"; what really solved the issue was switching from analogue to digital. As some know, the European originated GSM standards effectively won the mobile standards war and effectively global dominance, which put more than a few noses out of joint in the US and one or two other places where people holding fistfuls of patents were assuming they were going to get ten cents on the dollar of billions of mobile phones...

GSM in current use is 4G / 4G-LTE and the specification allows a handset user to have hundreds of megabits of data per second. There is not the bandwidth below the microwave bands to support this sort of data rate. Which is why 5G is going to need vast amounts of microwave spectrum. For various reasons the microwave bands were not previously of much use to commercial users, which is why Amateur Radio was given the spectrum it was in these bands. Telcos had in the 70's to 90's used them for phone line "trunks" but the advent of fiber optics rendered that mainly unused this century. So 5G is looking to use as much if not all the bandwidth it can grab between the satellite television bands at 4 GHz (C Band) and 11 GHz (X-band) as well as spectrum above and below this, including the ISM and Amateur bands.

But the mobile phone operators are not the only game in town; there are various Silicon Valley interests that want to put up helium balloons and run Internet connectivity in areas where installing fiber optics would be expensive (ie they actually mean everywhere), so they want bandwidth in the same region of the microwave spectrum. They likewise see the amateur and ISM spectrum as impediments to their profits, hence their keen lobbying for that spectrum.

But there are "cuckoos in the nest" in the HF bands. There are a lot of very "silly sailors" who think taking over the amateur radio spectrum will give them the Internet on their boats... I won't go into the details but there has been a lot of upset in the ARRL, some of whom were apparently in favour of turning the entire HF spectrum over to the worst of proprietary data modes, just as long as they could use it in the very short term to leverage more members...

So yes there are people after the Amateur Radio Spectrum, and believe it or not it's become an issue in the US-China trade war and the very bad feelings about US politics... Enter stage left the "preppers" who believe rightly or wrongly that very very soon the SHTF event will happen and the complete breakdown of "US life as we know it" such that it will be on par with "The Zombie Apocalypse" with the loss of all civil infrastructure for communications. They are buying up equipment aimed at the Amateur Radio market and "Broadbanding" it, which is to use it illegally and in spectrum areas outside the Amateur Radio allocations. With them are a whole bunch of others such as sail plane pilots, dirt bike, offroading, paintballing and similar enthusiasts and many others wanting the convenience of mobile comms they get from mobile phones in areas where there is no or poor coverage. The real issue is the FCC rules; the US has become a minority market place and low cost equipment manufacturers don't want the hassle of the FCC rules that are frankly from the long past of "Market protectionism" which failed around about the time Japan started making Colour TV tubes, if you are old enough to remember them... Nobody wants to make fifty different two way radios for tiny segments of the radio spectrum if they can make one that covers all the spectrum used by two way radios. Enter the likes of Baofeng with its thirty dollar VHF/UHF 5 watt handsets that also do both digital and tone squelch and any repeater / band split shifts you care to use... The same handset will do all the Private Mobile Radio (PMR) both VHF and UHF, VHF Maritime, VHF 2 meter and UHF 70cm Amateur bands, and all those silly home user "unlicenced band" systems used in children's toys.

They have been tested to meet the various international standards on power, emission quality, audio quality and modulation depth etc. Thus on the technical side they meet every national regulatory body's standards. They also meet most of the non technical additions because they have to be "programmed" to work on any frequency. Thus they have been certified for use to European CE and other standards world wide. Including FCC regulations...

However the current administration has decided that such equipment is now illegal for various reasons and the excuse is "Amateur Radio users", whereas the actual cause of problems is the preppers and others I mentioned above. Their view being: if I can spend a hundred bucks for four Chinese radios that give me thousands of channels, twenty five times the power and come with decent life LiPo4 batteries, and I can put a really big antenna on, why should I spend sixty bucks on two toy radios with only eight channels, so little power out it barely goes down the street, runs off of expensive AAA batteries with a really short life and only has a tiny tiny non changeable antenna?

Such users know not quite enough to be a danger to themselves, they are however frequently a danger to many others due to their ignorance or stupid malice.

One of the reasons an Amateur Radio licence requires study even at the lowest level is to ensure you have enough knowledge not to be a danger to anyone with radio equipment...

Amateur Radio Operators are under attack not just from Commercial interests and the deliberate conflation for political ends; even the Main Stream Media get it wrong, quite deliberately so. Take a popular series like NCIS quite deliberately passing off the worst of CB behaviour as Amateur Radio... Why do we know the passing off was deliberate? Well it happens that some of the people working on the series are licenced amateurs and they talked to people and the story came out...

So yes I'm not surprised you heard Amateur Radio Spectrum is under threat, because it is, from all sides, and some of those doing the attacking have multiple billions at their disposal to achieve their ends, whilst all most Amateurs have is the ability to try and engage the public's attention and educate them against the half truths and outright lies put out by various self interested parties.

It's an endless battle and one Amateur Radio operators fight continuously day in day out, and in comparison the efforts in the Crypto Wars have been "small potatoes". It's a lesson that every person who reads this blog and cares about privacy etc should get to know and understand, because the same people are also coming after the Security Community using the same tactics, and honestly I don't think the Security community is even close to being ready to fight the war.

AndersApril 22, 2019 9:27 AM

www.thehackernews.com is not readable any more without javascript.

The last thing the infosec community wants is to get owned while reading fresh infosec news.

Seems like the owner doesn't get this. Sad.

Clive RobinsonApril 22, 2019 10:40 AM

@ Bruce and the usual suspects,

This story is about a small ultrasound device that costs around 2K USD called the Butterfly iQ which connects to a mobile phone as the display etc and fits easily in a pocket. Thus is very portable and also a lot more robust than more traditional ultrasound scan heads.

Although according to the article it was designed for "frontier" type medicine in places without healthcare systems. I can not help thinking about just how useful it would be for physical security,

https://www.nytimes.com/2019/04/15/health/medical-scans-butterfly-iq.html

One to keep an eye on and maybe a little investment speculation if you've a few dollars you don't mind taking a risk on.

Clive RobinsonApril 22, 2019 11:32 AM

TurboTax untrustworthy security risk?

Around a week ago, somebody indicated that TurboTax was behaving oddly on their machine.

Remember that oddity when reading,

https://www.propublica.org/article/turbotax-just-tricked-you-into-paying-to-file-your-taxes

Ask yourself if "free is realy free"?

The company Intuit has gone to such lengths to stop you getting the free service they have legally promised the legislators, that it is all too easy to believe they would monetize your PII in some way to make back that 50-200USD they have spent so much lobbying on to get...

It would be wise of people to write to their polititions advising them of the caulmany of these companies and suggest they are significantly harming the image of not just the IRS and Federal Governmant, but also calling into disrepute any politicians that vote in favour of what these companies want. Importantly mention the very deliberate confusing situation of "Third Party" documentation that would not exist if the IRS provided the service. Also ensure as a foot note not only do you reserve all copyright, but importantly the right to diseminate freely as you see fit.

Hopefully enough imput from concerned citizens will make the legislaters think a little more wisely about the more than 300,000,000USD these two companies fully intend to scalp of individuals as is what is in effect what they are trying to make an illegal tax.

A90210April 22, 2019 2:56 PM

@David

""The rise in end-to-end encryption has made collection of data from devices themselves more important for investigators."
In a way, that is good news."

Are you suggesting we add something like the fifth horseman to the 'Four Horsemen of the Apocalypse'? Something like: since politicians, or their staff, sometimes encrypt their messages, criminally at times, technologies should have backdoors?

A90210April 22, 2019 3:36 PM

Manning in the news
https://mobile.twitter.com/ZoeTillman/status/1120299815680843779/photo/1
"NEW: A federal appeals court rejected Chelsea Manning's appeal of an order finding her in contempt for refusing to testify before a grand jury about WikiLeaks. She's been in jail since early March — the court also denied her request to be free on bail"


https://assets.documentcloud.org/documents/5973431/4-22-19-Manning-Order-4th-Circuit.pdf


9 years ago, a video was released. A lot can happen, obviously, in 9 years

https://en.wikipedia.org/wiki/Collateral_Murder
https://www.youtube.com/watch?v=Ha8tviXbV48 TL;DR with Spanish Subtitles
https://www.aljazeera.com/programmes/general/2010/04/20104159123873370.html
https://web.archive.org/web/20100804234651/http://www.wikileaks.org/wiki/Collateral_Murder,_5_Apr_2010

The Old ProgrammerApril 22, 2019 3:50 PM

@ Clive Robinson
Sad that the Butterfly IQ requires Apple iSomething as far as I could tell. You need a subscription as well. It would be nice to be able to buy the chip only and thus build an array of chips and get a more powerful scan for "physical security". Have you ever applied other ultrasound devices for scanning?

1&1~=UmmApril 22, 2019 4:19 PM

@A90210: "10.2 billion here 42 billion there, pretty soon your talking real money"

It's not the money that counts, that's just numbers in a computer these days manipulated at whim.

But what really counts is the debt owed and what leverage it gets you as the paper holder.

Lenin has foolishly mortgaged up Ecuadorian great grandchildren yet to be born, for a few short weeks, maybe months, before the fixer comes calling for the first of a never ending series of paybacks that will have Ecuador stripped naked of everything it owns, and forced further into debt.

When will people realise the IMF are the equivalent of street sellers for the nastiest of drug manufacturers, and once you've had your first fix, their primary job is to keep you hooked until everything of value has been taken away from you for not even pennies on the dollar of its real value and you are older, further in debt and not really any the wiser...

A simple rule of thumb is if you are going into debt you can not borrow your way out of it, you have to earn/trade your way out or sell all your assets to buy your way out. The second simple rule is, never borrow money from someone who can control your earning ability, because it's not in their interest to let you earn your way out of debt, it's far more lucrative to "fire sale" your assets at faux markets to their friends to vastly profit by.

If people don't get this, then take a look at Southern Europe: certain vested interests in Northern Europe encouraged Southern European nations to get into debt to join the club. Then cut off the money supply and ordered them to sell all their assets to those in Northern Europe...

It's a stratagem directly out of the play book of the economists that advised the New German Government from the 1930's until the collapse shortly before Russian tanks crossed the borders from the East. They then disappeared only to reappear a few years later to advise those building the new Europe and make the same old plays to turn Southern Europe into agrarian penury providing very cheap food for the affluent industrial North. A North that had in practice become the invading overlords of the South, and those in the South beholden to the North as something less than serfs.

Sancho_PApril 22, 2019 4:39 PM

@A90210

Regarding Ecuador /Assange:
The 42bn are (link)click bait, in fact it was 4.2bn “only”.
Anyway, it’s not real money, as @1&1~=Umm said.

A90210April 22, 2019 5:02 PM

On a lighter note, some train songs

Take the 'A' Train
https://www.youtube.com/watch?v=vsBELI7BZyg
https://www.youtube.com/watch?v=YKDSfx5d2pc

Chattanooga Choo Choo - Glenn Miller Orchestra
https://www.youtube.com/watch?v=-XQybKMXL-k

OT, although about a 3:00 a.m. train trip, Gates, Kilimnik, etc., and the Mueller Report
https://mobile.twitter.com/qjurecic/status/1120409785789186049/photo/1

OT2, I've got a Gal in Kalamazoo, w/the Nicholas Brothers
https://www.youtube.com/watch?v=fFv_PoZ2iP0

OT3, Robin Williams on Carson w/ Jonathan Winters 1991
https://www.youtube.com/watch?v=qzv6EhE7Cbo

Clive RobinsonApril 23, 2019 4:08 AM

@ The Old Programmer,

Have you ever applied other ultrasound devices for scanning?

Yes, as a trainee engineer more years ago than I care to remember my first "project" was to build a proximity detector.

Whilst the course tutors were happy to let me do it, they were puzzled as to my fixation on trying to make it as small and light as possible. Eventually the Chief technician in charge of the labs, who was a lot wiser than most and had spent most of his career in industry, recognised the symptoms of a "homer project"[1]. He came across and chatted and asked me why, and I said I was building what was later called a "micro mouse", that is a simple maze solving robot. A long conversation followed which went into his field of expertise, which was mechanical engineering, about how the mechanics should be made.

He chatted to the head of department and as a result I was given the very rare privilege back then of not just "computer time" but also access to the local polytechnic electronic labs, where they were working on what we now call manufacturing robots; you could actually connect hardware to a PDP11 that at the time was worth more than a semidetached house... They were an eclectic bunch and more than happy to have a keen teenager working alongside. I learned a lot more through practical practice than I would have done through books alone. It later stood me in a good position when involved with designing inspection crawlers for nuclear facilities and "wheelbarrows" for bomb disposal. Where I was also to meet fairly eclectic professors, one of whom happily and practically demonstrated the use of plastic explosives, not just for destroying things, as he noted that was mostly easy, but in a very controlled way to move things in a known direction and distance, and how to not just cut metal but weld it as well.

As you get older you start to look back and realise all those little kindnesses, that although you did not realise it at the time, were really major door openers.

[1] An old British engineering term for something done at work during work time, often using work stores, that was really destined to be something for use by the individual outside of work, often at home, hence a "homer". To which many employers would turn a blind eye, as it usually was a sign of an engineer who was at the very least improving their skills and knowledge. One or two employers I later worked for actually set up "work clubs" to actively encourage such self development. Often they would be called something like the "radio club" or "model railway club" and were like the "works football team" in that they had an across the hierarchy social aspect.

vas pupApril 23, 2019 11:13 AM

@Clive Robinson • April 23, 2019 5:47 AM
I wish him victory over irresponsible giant.

vas pupApril 23, 2019 11:36 AM

@Clive Robinson • April 21, 2019 6:20 PM
Thank you. Agree.
That is related to you point:

Artificial intelligence can diagnose PTSD by analyzing voices:
https://www.sciencedaily.com/releases/2019/04/190422082232.htm

"The study authors say that a PTSD diagnosis is most often determined by clinical interview or a self-report assessment, both inherently prone to biases.
==>>This has led to efforts to develop objective, measurable, physical markers of PTSD progression, much like laboratory values for medical conditions, but progress has been slow."

"The speech analysis technology used in the current study on PTSD detection falls into the range of capabilities included in our speech analytics platform called SenSay Analytics™," says Dimitra Vergyri, director of SRI International's Speech Technology and Research (STAR) Laboratory. "The software analyzes words -- in combination with frequency, rhythm, tone, and articulatory characteristics of speech -- to infer the state of the speaker, including emotion, sentiment, cognition, health, mental health and communication quality. The technology has been involved in a series of industry applications visible in startups like Oto, Ambit and Decoded Health."

vas pupApril 23, 2019 11:45 AM

How humans reduce uncertainty in social situations:
https://www.sciencedaily.com/releases/2019/04/190422112746.htm

""Humans are predicting machines -- our whole lives are spent trying to figure out what is the best move to do next," said Oriel FeldmanHall, an assistant professor of cognitive, linguistic and psychological sciences at Brown. "In general, another person's motivations, desires or beliefs are hidden, so we have to figure out how to navigate through the world when we're interacting with other people without that knowledge. What our next action is going to be depends on how others respond."

"The three ways people reduce social uncertainty range from automatic, almost instinctive processes to more cognitively demanding processes.

The authors define the first method, =automatic inference, as the process of predicting another person's behavior based on their appearance and the social norms of the environment.
=The second method, controlled inference, is the process of updating initial impressions using new information such as putting yourself in the other person's shoes and imaging how you would behave in that situation.
=Social learning, the third method, involves updating your beliefs and actions using past experiences or secondhand information of the person's past behavior. People use all three processes to different extents in order to reduce their social uncertainty."

albrechtApril 23, 2019 3:17 PM

We, as commenters, in my opinion, here, at this Google BBS, are not much other than the chaff for the winnowing of others. We are their data exhaust. However, I prefer to not be toxic. We of course, are, in fact more than the chaff for the winnowing of others. We are much more than their data exhaust. But you wouldn't know I made that comment had you just read a brief chunk of the gestalt.

Case in point: https://i.postimg.cc/cChjCg6x/Blustery-PNG.png

This is an example of some brainstorming on the concept of ____________________.

Any questions for me to NOT answer?

Sincerely,

albrecht

DennisApril 23, 2019 10:18 PM

@1=1 wrote, "When will people realise the IMF are the equivalent of street sellers for the nastiest of drug manufacturers, and once you've had your first fix, their primary job is to keep you hooked until everything of value has been taken away from you for not even pennies on the dollar of its real value and you are older, further in debt and not really any the wiser..."

While the IMF is a good example, this scheme isn't limited to it. All forms of debt based financing systems are similar in this type of behavior. Some shrewder third degree democracies have demonstrated to have learned to postpone if not circumvent this debt-calling cycle through clever hedging mechanisms. As in most if not all man-designed systems, there are ways left, intentionally or unintentionally, which leave paths that can be exploited by its participants. The clever ones have learned to survive before the system catches on. Others who failed can be seen in a trail.

1&1~=UmmApril 24, 2019 1:09 PM

Would AT&T lie to you?

You bet they would...

https://arstechnica.com/tech-policy/2019/04/atts-fake-5g-icons-arent-going-away-despite-settlement-with-sprint/

AT&T have quite deliberately named its third rate 4G system '5G e' since adding LTE features that other service providers have had for some time.

That is AT&T is trying to 'pass off' an antiquated 4G network as a new 5G network (of which there are not any currently functioning for users).

Whilst two of the other three main service providers T-Mobile and Verizon have mercilessly ripped into AT&T, the third Sprint went to court saying

'"AT&T's false and misleading statements deceive consumers into believing that AT&T now operates a 5G wireless network and, through this deception, AT&T seeks to induce consumers to purchase or renew AT&T's services when they might otherwise have purchased Sprint's services."'

But it appears AT&T have made Sprint an offer it can not refuse, to drop the case. What that offer is is currently not public, but it 'sure makes you wonder'...

1&1~=UmmApril 24, 2019 1:45 PM

Will 5G happen for you?

Probably not...

Both T-Mobile and Verizon have become a lot lot more cautious about 5G just recently.

Verizon have implied that the millimetric microwave side up around 30GHz will probably only ever happen in certain locations in a limited number of urban areas in just a few cities.

https://arstechnica.com/information-technology/2019/04/millimeter-wave-5g-isnt-for-widespread-coverage-verizon-admits/

But worse, the only handset that works up there appears to be very temperamental in usage with the current test systems.

So unless you have a certain Fanboi mentality that waves logos around as status symbols, you might want to forget about 5G until out of desperation they start throwing it at you for free.

In essence by far the majority of the US and much of Europe will not see 5G any time soon, if ever. Also handsets for one 5G service won't work with another supplier's 5G service, so no 5G Roaming etc.

In other words most reading here will continue to see 4G and 4G-LTE, if they are lucky, for the foreseeable future.

A90210April 24, 2019 3:32 PM

@1&1~=Umm, Sancho_P

Regarding my billion dollar errors about Ecuador, one good thing about this site is that false or mis-information is often called out.

A90210April 24, 2019 4:02 PM

On Venezuela, characters like John Bolton (current National Security Advisor) and Elliott Abrams keep showing up

Regarding Bolton, Bolton's Political Action Committee (PAC) was, among other things, "one of the earliest" (around 2014), large (1.2 million USD; 2014-2016), Cambridge Analytica customer.
https://www.nytimes.com/2018/03/23/us/politics/bolton-cambridge-analyticas-facebook-data.html
and
"Noam Chomsky responds [2 November 2018] to John Bolton's remarks calling Cuba, Venezuela and Nicaragua a "triangle of terror": "It brings to mind the axis of evil speech of George Bush back in 2002… laying the groundwork for the invasion of Iraq, the worst crime of this century"
https://mobile.twitter.com/democracynow/status/1058335624099479552

Regarding Abrams, "Zamel [Psy-Group's former owner] was a skilled networker. He cultivated relationships with high-profile Republicans in the U.S., including Newt Gingrich and Elliott Abrams, who served in foreign-policy positions under Ronald Reagan and George W. Bush, and whom Psy-Group listed as a member of its advisory board. (The Trump Administration recently named Abrams its special envoy to oversee U.S. policy toward Venezuela.)"
https://www.newyorker.com/magazine/2019/02/18/private-mossad-for-hire

Alyer Babtu April 24, 2019 4:31 PM

@Dennis

debt based financing systems

One might add that debt based financing is intrinsically dishonest, and unreal, because it is based in the myth that money makes money. Rather, natural resources, productive ingenuity, and labor make real goods that can be exchanged for other real goods, that is, real wealth makes real wealth. That real wealth can then be exchanged temporarily for “money”, as a gesture to flexibility. Since life is uncertain, debt, and in fact all contract forms of fixed obligations, are unrealistic and tend to the immoral. A realistic and moral scheme would be partnership with all sides sharing responsibility, risk, and reward equitably, and insurance for the inevitable croppers that will arise. Basically this is what the classical (Aristotle) and medieval (Aquinas) worlds teach about usury.

Clive RobinsonApril 24, 2019 5:14 PM

@ Bruce and the usual suspects,

An interesting article on Quantum Computing,

https://arstechnica.com/science/2019/04/electron-qubit-non-destructively-read-silicon-qubits-may-be-better/

Unfortunately the paper it's based on is hidden behind a usurious paywall.

It's the last couple of paragraphs that are of interest. As followers of QC know, electrons have issues as qubits and are often discounted as qubits because of the need for significant error correction. Well it appears that the paper's authors think that if they use silicon then they can have a system whereby the error correction is not required... If true then it will be an important step forward, especially as we know more about silicon and electrons and how to practically use them together than any other element.

R2DetourApril 24, 2019 7:26 PM

PRUDENCE REALISM REVIVAL: https://www.darpa.mil/program/our-research/darpa-and-the-brain-initiative

R2Detour

(Proof of truths which were denied for several decades before; some yet not all lives were lost and damaged by such procedures and prototypes; wait long enough in this world, if you have the time, and you will be vindicated by your own foreknowledge)

This did not previously halt existing as both a serious cultural matter and a scientific reality with specific social and ecological results or consequences.

Denial and deniability is not a sustainable pattern of choice.
As a sentient being myself, I am not critical of affected lives, per se, yet I am fortunately still wary of the insidiousness of the true history.

Nevertheless, no group of sentient minds is 100% unanimous, except in very rare circumstances and perhaps in very small groups. If and only if and when this changes, that's when the time would indicate a more tragic circumstance. Yet the injuries and cultures are real and they/we deserve respect and survivable supports.

[eot]

lurkerApril 24, 2019 8:56 PM

@1&1
ATT, 5G impersonation...

In our part of the planet when 4G-LTE arrived there was a temptation to call it 4.5G, but a higher authority (yup, we had one back then...) told the telcos: Don't try to fool the punters.
It became 4+

lurkerApril 24, 2019 9:07 PM

@Clive Robinson

The 787 Dreamliner also has manufacturing issues...

There's a story that one reason for building the Charleston SC factory was to avoid the Union "problems" at the Everett WA plant. I have sometimes flown with an airline that buys planes built at both places. This airline has a reputation for reliable engineering, and they got their purchase contract to read having their own engineers inspecting the planes being built.

MikeApril 25, 2019 5:23 AM

@Alyer Babtu wrote, "That real wealth can then be exchanged temporarily for “money”, as a gesture to flexibility."

There is a common assumption that money is a fixed narrative. While this can be true under some special circumstances, money isn't fixed either quantitatively or qualitatively. Thus, when one exchanges "wealth" for money, one is exposed to its devaluation cycle, commonly referred to as inflation. In addition, in modern terms, what we view as equitable creations were created from fixed contractual obligations (you can ask a farmer). And much of it is like a blind man's view of an elephant; truth is rather obscure and unfathomable due to lack of/limited information.

vas pupApril 25, 2019 3:30 PM

Dentists can be the first line of defense against domestic violence:
https://www.sciencedaily.com/releases/2019/04/190425133034.htm

"The oral biomarkers that could help dentists potentially identify domestic violence victims include tears, fractures, breaks and chips in the teeth and mouth that would be inconsistent with personal history and, therefore, raise the index of suspicion. Obvious signs of violence that may indicate brain injury include jaw or tooth fractures, trauma to nerves in the mouth and jaw, as well as damage to the nasal bone. Tooth discoloration, blunted roots and pulpal necrosis, which is the death of cells and tissues in the center of a tooth, also may be signs of a previous dental trauma warranting further investigation."

My take: same for victims of police extreme force applied, violence in prisons/mental health facilities/nursing homes.

vas pupApril 25, 2019 3:39 PM

Bosses who put their followers first can boost their business:
https://www.sciencedaily.com/releases/2019/04/190425073631.htm

"Bosses who are so-called 'servant leaders' create a positive culture of trust and fairness in the workplace. In turn, they benefit through creating loyal and positive teams. This type of manager has personal integrity and is also keen to encourage staff development. The new research shows clear evidence of a link between this style of leadership and an increase in productivity."

""Our work shows that, as we expected, a 'servant leader' style of management which is ethical, trustworthy and has a real interest in the wellbeing and development of staff brings about real positives within the workplace," said Dr Allan Lee, the lead author of the report and Senior Lecturer in Management.

"Employees are more positive about their work and therefore also often feel empowered to become more creative. The result is a rise in productivity."

"The results also suggest that it would benefit organizations to create, or reinforce a culture that positively promotes [!!!] trust, fairness,[!!!] and high-quality working relationships between managers and staff."

I guess trust excludes permanent intrusive surveillance, and fairness requires objective criteria for evaluation of performance.
That is KEY to management of loyalty in any business, including IC, LEAs, ITs.

Keepsakes and AbacusesMay 2, 2019 6:22 PM

https://www.democracynow.org/shows/2019/4/25

I remember how there was the reminded comment that an alternative to security is increased efforts such as upper law enforcement and counter-terrorism* (against terrorists) efforts.

The linked set of articles may be of intellectual and technical and ethical help:
https://www.democracynow.org/shows/2019/4/25

It ought to resolve to democracynow (domain) prefixed by "wobbledy", and affixed by "dot org".
The date of publication ought to be this year (2019 A.D.; gregorian calendar :-) for the day of April 25th, which was probably a Thursday.

If you have difficulties accessing the public page, there is always the "wayback machine" on the public site:
archive (dot) org

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.