Comments

AlexA July 19, 2019 4:36 PM

Don’t think you’ve talked about Bulgaria’s security breach. Anybody have thoughts on that? Looks like an instance of poor security on the government’s part rather than extraordinary hacking.

Colonel Panik July 19, 2019 4:38 PM

Mr. Schneier, In the past you have been supportive of Protonmail. Do you still
feel the same now?
Thank you.

Peace

Alejandro July 19, 2019 5:33 PM

“Safe Deposit Boxes Aren’t Safe” -New York Times

https://www.nytimes.com/2019/07/19/business/safe-deposit-box-theft.html?searchResultPosition=2

Couldn’t help but compare the relative safety of safe deposit boxes and cloud storage when I read this article.

Some key points:

-The victim’s understanding and contract was that the only way the safety box could be opened is when the owner, later victim, and a bank employee turned separate keys. (sound familiar?).

Yet, millions of dollars’ worth of watches, money, etc simply turned up missing one day. Seems there was a dispute with another customer and “by mistake” the innocent owner’s box was opened (lock drilled), looted for some of the property and the rest sent off to storage. He did get some of his $$$ property back after a very long battle with the bank.

-A woman put millions of dollars’ worth of jewels and cash in a safe deposit box. Then one day, the bank closed and over $7 million worth of property simply turned up missing. The box was drilled, the bank torn down, her possessions sent off to storage. All kinds of rules and laws were violated, which the bank simply addressed by declining comment. After years of court wrangling she was awarded $4.5 million compensation.

-Even otherwise worthless papers like the deed to the house and family pictures can turn up missing with little or no explanation or recourse.

-The rental agreements put strict limits on losses, usually a few thousand dollars. The entire contract favors the bank.

So many parallels to storage in the cloud. Who has the key(s)? Who can access the data regardless of who has the key? What if the cloud business changes hands or simply goes out of business, what about the data? What does the contract say? What legal protections are available for cloud data, if any? What safety precautions are in place? Does it really matter to the cloud owner?

Frankly, I wouldn’t store anything of personal or monetary value in a safe deposit box or the cloud ever, let alone pay someone to do it.

Even your collection of 8,000 cat pictures isn’t safe because one day the bank or cloud owner may simply lose track of them without explanation and you have little to no recourse.

Conversely, it seems renting cloud storage might be a lucrative field because the law, rules, technology, politics and culture are all in the owner’s favor.

DeathStar July 19, 2019 6:17 PM

Google, Facebook & Oracle Innovate in the Bedroom
‘Trackers from tech companies like Google and Facebook are logging your most personal browsing details, according to a forthcoming New Media & Society paper, which scanned 22,484 pornography websites. Where that data ultimately goes is not always clear.

The study’s other authors — Jennifer Henrichsen, doctoral candidate at the University of Pennsylvania, and Tim Libert, a Carnegie Mellon computer science instructor — found that 93 percent of the pornography websites they scanned sent data to an average of seven third-party domains. The authors used webXray, an open-source software tool, which detects and matches third-party data requests to scan sites.

The study found that Google (or one of its subsidiary companies like the advertising platform DoubleClick) had trackers on 74 percent of the pornography sites. Trackers from the software company Oracle showed up on 24 percent of sites, and Facebook, which does not permit pornographic content or nudity on any of its platforms, had trackers on 10 percent of the sex websites scanned by the study.

The study found that only 17 percent of the 22,484 sites scanned were encrypted, suggesting that troves of user data could be vulnerable to hacking or breaches.

What these companies might be doing with pornography-site browsing data is a mystery. Hmm…

Oracle, which owns a number of large data brokers and has been called a “privacy DEATHSTAR,” could, for example, add data collected by trackers to its current profiles.

Facebook and Google denied that potential information collected by their trackers on pornography websites was used for creating marketing profiles intended to advertise to individuals [1]. Google spokeswoman wrote in a statement. “Additionally, tags for our ad services are never allowed to transmit personally identifiable information[2] to Google.”

Oracle did not respond to multiple requests for comment.’
https://www.nytimes.com/2019/07/17/opinion/google-facebook-sex-websites.html

Traditionally this honeypot type of information has been used to compromise and control individuals through extortion and blackmail. It’s highly likely these types of crimes are occurring today by organized third parties, but are much harder to detect and prosecute. Who wants to be a poster boy for watching porn on Saturday night then going to church on Sunday?

When Congress used to be effective leaders, they passed a law to prohibit the release of video rentals.

[1] Pure deceptive spin. What IS sexual data used for?
[2] The disingenuous lie of big data. Google positively and trivially IDs you through a fixed and unique IP address

Gunter Königsmann July 20, 2019 3:39 AM

I don’t understand why everybody is upset about Google for tracking porn sites: they just offer a tracking service and everyone else is adding them to nearly every site you ever visit.

That they get nearly all of everybody’s surf history this way is what preoccupies me more.

20 July 2019 00:00:00 July 20, 2019 8:55 AM

https://www.cyberscoop.com/hal-martin-sentence-nsa-shadow-brokers/

“Former NSA contractor sentenced to 9 years for theft of government info

Former NSA contractor Harold T. Martin was sentenced Friday to nine years in federal prison for his role in a massive theft of classified documents.

Martin was responsible for one of the largest leaks of U.S government secrets, collecting up to 50 terabytes of classified government documents over the course of two decades.

[…]

Attacks linked with the tools and clues about who may be behind the group, however, continue to surface. At least a year before the Shadow Brokers released the tools en masse in April 2017, a hacking group with ties to the Chinese government known as BuckEye was already using the tools, according to Symantec research issued this year.

It is still unknown how the Shadow Brokers gained access to the tools, whether the group had access into an NSA server to steal them or obtained them from an insider at the agency. The group is at the center of a counterintelligence investigation, as CyberScoop previously reported. The FBI would neither confirm nor deny the existence of the probe.

[…]

Bennett [US District Judge] noted Friday he had concerns about the case regarding whether Martin’s alleged hoarding problem, noting that for someone who is a hoarder, he seemed well organized.

[…]

Martin spoke at length Friday, reading directly from his allocution, apologizing to friends and family. He noted his methods were “uncanny” and “unauthorized,” warning “please do not copy this” and that “loose lips sink ships.”

Many other NSA contractors have been caught for leaking classified information in recent years.

Last year, Reality Winner, a contractor for Pluribus International Corp., was sentenced to more than five years in prison after leaking a classified report on Russian spearphishing in the 2016 election cycle. Former NSA employee Nghia H. Pho was also sentenced last year to five-and-a-half years in prison for stealing classified hacking tools.”

Bruce Schneier July 20, 2019 10:04 AM

@Colonel Panik:

“Mr. Schneier, In the past you have been supportive of Protonmail. Do you still feel the same now?”

I don’t remember ever being supportive.

I actually have no opinion. I haven’t looked at ProtonMail at all.

Rachel July 20, 2019 3:23 PM

Colonel Panik

I believe I read in tech news that Protonmail had talks with Mr Schneier, or (more likely) hired him, when they were getting established. This doesn’t equate to ‘being supportive’ in the way we use the phrase.

Mr Schneier
Thank you for directly answering the enquiry by Colonel Panik

Alejandro

Clive Robinson has explained we cannot equate the rules or properties of the information world with the physical world (to paraphrase). I get the sense this conflation is occurring with your comparison of apples and oranges (clouds and safety deposit boxes).
As to the latter, the breaches you refer to are more than exceedingly rare, numbers wise. How many such institutions, how many safety deposit boxes exist in the world – and how many are breached in the way you described?

However such breaches are probably founded on ‘dumb trust’ in the bank. Or should I say, ‘ignorant trust’. There are a number of steps that could be taken to mitigate such losses, even if only after the fact, at least to protect things with no sentimental value (cash, bonds etc).
The box holder can serve lawful notices on the institution holding the goods, when opening the secure box. Such notices assure the box contents are secure, under risk of penalty. Only as secure as all the claims made by the institution. Won’t sign? I guess you don’t believe your own hype then.
(This can be done without a lawyer; templates are easily available, it just requires a Notary.) Inventory of box contents with photographic proof: how many box holders bother to do that? I’ll let your imagination think of more.

MikeA July 20, 2019 4:41 PM

@Alejandro @DeathStar

The juxtaposition of your posts reminded me of my youth, or shall I say, “something I read in my youth” (roughly mid 1960s). A novel use of a Safe Deposit Box.

It seems a “Lady of the Night” (well, more like a “Lady of the Nooner”) rented a Safe Deposit Box in a bank central to the Financial district in San Francisco, and would “entertain gentlemen” in a room reserved for the users of such boxes to examine or alter the contents of their boxes. She could simply place the fee for services in the box itself, thus not carrying cash out of the bank.

There are uses for privacy that do not involve cat memes.

(Yes, folks, despite what you may have heard, some people in SF in the 1960s paid, or were paid, for sex)

sybg July 21, 2019 12:39 AM

Hackers breach FSB contractor, expose Tor deanonymization project and more
https://www.zdnet.com/article/hackers-breach-fsb-contractor-expose-tor-deanonymization-project/

SyTech, the hacked company, was working on research projects for the FSB, Russia’s intelligence service. Hackers have breached SyTech, a contractor for FSB, Russia’s national intelligence service, from where they stole information about internal projects the company was working on behalf of the agency — including one for deanonymizing Tor traffic…

Clive Robinson July 21, 2019 4:17 AM

@ sybg, All,

Hackers breach FSB contractor

The “contracting out” of this sort of work has been the Russian way for the past decade or so. It’s also what the FBI and others have done rather than go to the expense and risk of trying to develop “in house expertise”.

Speaking of the FBI, they contracted out for Tor de-anonymising tools some years ago. As I’ve noted in the past Tor is vulnerable to various kinds of attacks by its basic design (if people want to know they can go look them up; I’m tired of listing them).

The “Tax3” idea is not new and various Western governments including the UK have “special status” people whose Government records are kept away from the records for other people, so that only “Specially Authorized Personnel” can access them. The official reason is to stop “the curious”. The excuse is that those of fame, infamy or status have value to newspapers and the like, thus their records have a similar high value, thus extra protection should be given to them. The problem is mostly it’s not Celebs as such that appear in these lists.

The tool that does interest me is “Hope”. As I’ve mentioned in the past the 2014 UN ITU meeting in Doha was more than a little fractious. Basically the US and Five Eyes nations have a real espionage advantage because of the “all roads lead to Rome” nature of the Internet where by far the majority of traffic ends up going through US controlled networks/nodes, Five Eyes controlled networks/nodes or both. You can see this by looking at the Sub-Sea cable landing points and geostationary satellite “over spill” footprints. In Doha a number of nations expressed interest in leveraging away from the US and Five Eyes much of the normally not seen by users infrastructure such as DNS. The Five Eyes and US Governments put up a strong fight to stop the break up, but they had help from what at the time appeared to be an odd “Knight in shining armour” for their cause, Google (we now know why, but that’s a subject for another time).

The point is we also had Obama talking about his big “Molly Button”[1] or “Internet Off switch” to “shut down the Internet” if the US felt it should, regardless of the rest of the world (typical “It’s my bat and my ball…” thinking that politicians love). The excuse was as usual “Defence from others” but as anyone who cares to think about it would realise it’s actually more likely to be used as an offensive first strike “Blitzkrieg” weapon (deny the target information so a defence can be mounted and create panic in the target civilians).

Thus “Hope” can be seen as a nation state self defense tool, that you use to find “holes in your national information border / perimeter”. Thus if you decide to isolate your national network from the rest of the world you know where all the doors are that need to be closed.

The only way the Obama Molly Button could work is by sending out the equivalent of “self destruct” or “Kill codes” to activate APT payloads in the likes of routers and switches all around the world that kill the transport of information (or “all but approved” information, much as the “anti-terrorist” or “national emergency” switch for mobile phone networks does).

Thus “Hope” helps find all those doors back or front by which such “kill codes” could be delivered and thus try to prevent Russia’s network being killed off.

Unfortunately like all such technology “Hope” is “agnostic to use”; a “Directing mind” puts it to whatever use it chooses. So “Hope” can also be used as “An enabler of oppression” much like the “Great Fire Wall of China”. Because those same doors that could let “kill codes” in can let citizens inside get information from outside without it being censored etc.

But either way “Hope” is evidence that Russia has every intention of progressing with its plans for full autonomy on its national information network to its borders if not further.

Thus the Internet will almost certainly become “fractured” or “balkanized” by state/governmental self interest fairly soon. With the result that the US and Five Eyes will get less of a free ride than the current “All roads lead to Rome” Internet structure gives them. It also means that the 1980’s political “wet dream” of “data taxing” becomes more likely with all its negative consequences, which certain corporates will no doubt look forward to gleefully as it will create a “faux market” that they can rig and exploit in a typical “rent seeking” business model that will make the old Telco models look simple.

[1] The definition of a “Molly Button” may not be known to that many people these days. It comes from the definition of a “Molly Guard” which you see over “A Big Red Button”; you can read a synopsis of the story behind it here,

https://www.webologist.co.uk/blog/molly-guard-installed

The subtle difference between a “Molly Button” and “A Big Red Button” is the desire or motivation to push it. A Big Red Button such as an “Emergency Shutdown” or “Red Shutdown” button in control centers is one where those around it know what it does and the consequences of using it, so they don’t have a desire to press it other than for the intended safety/emergency purpose. A “Molly Button” is one not used for emergencies only, like a “workshop shut off switch” you throw at the end of the day; it’s protected not just from accidental use by its design but usually it’s in a place where few have access to it. But its function represents “power/status/control” to the person who has access to it, and unfortunately that person covets the power/status/control it brings to them (Walter Mitty types). Further they know that for them their position effectively frees them from the consequences of pushing it, thus the temptation to do so is high, very high.

Alejandro July 21, 2019 6:46 AM

@Rachel

“Clive Robinson has explained we cannot equate the rules or properties of the information world with the physical world. (to paraphrase).”

(did he really?)

I was thinking in regards to safety deposit boxes and the cloud, for example, the parallel of a public and private key, dealing with the corporate rules and mind set, hardware compared to brick and mortar, etc. It worked for me.

The NYT article didn’t deep dive into government intrusions regarding safety deposit boxes much, but for example in some places access is denied when the owner dies, until a state auditor can inventory the box to make sure the state gets their full share. Ugh! Meanwhile, our government constantly monitors the internet and the cloud to make sure we are all under control, always.

Anyway, it’s no cloud and no safety deposit boxes for me.

Personally, I think physically hiding stuff is a much better way to store property and local encryption (with backup thumb drive hidden) a much better way to protect personal computer data.

For businesses it doesn’t seem to matter, because if they lose everyone else’s stuff, no one seems to care much. And the fine, if any, in a major breach is the equivalent of a parking ticket. No problemo!

Are you the same Rachel who does webpage design? If so I tried some of your stuff.

@Clive

Thus the Internet will almost certainly become “fractured” or “balkanized” by state/governmental self interest fairly soon.

Good!

I don’t see a downside for that from my perspective. Whatever personal or business computer interactions I may need do not involve the vast majority of the rest of the world. Why do I need access to Zambia on the internet to do my bank transactions, for example? More importantly, why does Zambia need (potential) access to my internet bank transactions?

I am just going to say it right out loud: Fire-walling entire countries and continents works to cut down a very significant amount of spam, attacks, scanning and all manner of garbage without ANY loss to normal communications.

In sum, what is the downside of balkanization?

Sherman Jay July 21, 2019 11:00 AM

I (and most of you) have been warning people about the dangers of ‘cloud computing’ for quite a while now. This is just what we expected:

https://krebsonsecurity.com/
Jul 19 2019
QuickBooks Cloud Hosting Firm iNSYNQ Hit in Ransomware Attack

Accountants and bookkeepers are blasting them by the hundreds.

Tõnis July 21, 2019 11:02 AM

@Alejandro,

Your analogy works for me. When it comes to so-called safety deposit boxes, an even simpler deterrent to their use than your examples of outright theft by banksters is that I would not put my property in the hands of third parties who will dutifully hand it over every time they are presented with a rubber-stamped court order or unsigned note from a tax agency.

“Personally, I think physically hiding stuff is a much better way to store property and local encryption (with backup thumb drive hidden) a much better way to protect personal computer data.”

I agree.

Bruce Schneier July 21, 2019 11:23 AM

@Rachel:

“I believe I read in tech news, Protonmail had talks with Mr Schneier, or (more likely) hired him, when they were getting established.”

I never did any work for ProtonMail. (At least, I don’t remember ever doing any work for ProtonMail.)

Tõnis July 21, 2019 11:52 AM

@Colonel Panik, is there some reason, some current event that would make you think one should reconsider his prior opinion of Proton Mail?

vas pup July 21, 2019 12:22 PM

@Tõnis • July 21, 2019 11:02 AM
said: “When it comes to so-called safety deposit boxes, an even simpler deterrent to their use than your examples of outright theft by banksters is that I would not put my property in the hands of third parties who will dutifully hand it over every time they are presented with a rubber-stamped court order or unsigned note from a tax agency.”
Agree 100%.

Based on some Hollywood movies, it is better to rent a storage space, put a car there, and hide in that car what you’d otherwise hide in a safety deposit box. Moreover, put a tamper-proof seal/tape on all car locks.

Spread the risk by utilizing multiple locations.

Regarding ANY agreement with the bank, that is not an agreement at all because agreement implies negotiating power on both sides.
You have zero such power with a bank, big corporation, or big utility company. They have their so-called pro-forma contracts, which you could either sign (and basically have close to zero power to win in a court in the case of dispute due to bleeping legalese, vagueness for the average Jane/Joe or even lawyers) or refuse to have any relationship with them on their terms at all, but when the provider of a service is either a monopolist or all of them just follow the same pattern, then you have very few options to choose.

vas pup July 21, 2019 12:46 PM

How expectation influences perception

Neuroscientists find brain activity patterns that encode our beliefs and affect how we interpret the world around us:
https://www.sciencedaily.com/releases/2019/07/190715114249.htm

“Statisticians have known for centuries that Bayesian integration is the optimal strategy for handling uncertain information. When we are uncertain about something, we automatically rely on our prior experiences to optimize behavior.

“If you can’t quite tell what something is, but from your prior experience you have some expectation of what it ought to be, then you will use that information to guide your judgment,” Jazayeri says. “We do this all the time.”

Researchers believe that prior experiences change the strength of connections between neurons. The strength of these connections, also known as synapses, determines how neurons act upon one another and constrains the patterns of activity that a network of interconnected neurons can generate. The finding that prior experiences warp the patterns of neural activity provides a window onto how experience alters synaptic connections. “The brain seems to embed prior experiences into synaptic connections so that patterns of brain activity are appropriately biased,” Jazayeri says.

Tõnis July 21, 2019 1:24 PM

@vas pup,

I don’t care for banks at all. It’s amusing how many people think that the money in their bank accounts is their money. When you look into state law, it becomes evident that funds on general deposit in a bank are the property of the bank, and the relationship of an accountholder to a bank is one of creditor to debtor. Were it the other way around, the depositor could just walk into the vault and help himself to “his” money. Instead, he has to ask for it back. He could be denied for various reasons. The depositor has his account, the bank has his deposits.

Alejandro July 21, 2019 1:51 PM

“An entire nation just got hacked”

https://www.cnn.com/2019/07/21/europe/bulgaria-hack-tax-intl/index.html

The records of more than 5 million Bulgarians got stolen by hackers from the country’s national tax revenue office. There are only 7 million people in the whole country, so basically everyone’s data was lost. Last year the country’s Commercial Registry was brought down in a similar fashion. An arrest has been made.

One annoying facet of governments demanding and collecting ever more data is that they control very basic functions everyone needs to get done these days: buy or drive a car, buy a house, pay taxes, pay a parking ticket. Yet, they constantly lose our data with only the most vague explanation and no apology or civil recourse. It’s just…gone.

Recall the US Department of Veterans Affairs lost the personal data of more than 26 million people in 2006. Just gone, no recourse, no one to sue, no one to arrest, just…gone.

VinnyG July 21, 2019 2:08 PM

@vas pup re: storage space security – Such storage facilities are even more laughably vulnerable to a trivial law enforcement records and search request than a bank safe deposit vault. This has been so since the heyday of the “war on drugs” since an early recourse of clever dealers was to these relatively anonymous (at that time) sites. I guarantee that once admitted to the bay, a locked car would provide no physical, legal, or ethical (laughable, I agree) impediment to any LEO or other official stooge…

Tõnis July 21, 2019 2:39 PM

@VinnyG,

I think @vas pup means when the use of such locations is unknown to the interlopers. Speaking from experience, I can tell you that mostly secure commercial spaces the ownership and control of which is obscured Panama Papers style make for excellent locations for private vaults and creative hiding places. One doesn’t need Mossack Fonseca to avail himself of the numerous benefits that shell companies and flags of convenience have to offer.

Clive Robinson July 21, 2019 3:26 PM

@ VinnyG, vas pup,

I guarantee that once admitted to the bay, a locked car would provide no physical, legal, or ethical (laughable, I agree) impediment to any LEO or other official stooge…

There is no place you can hide things –including yourself– when US stooges acting for otherwise impotent US politicians are involved, and there is a paper or other trail to a location.

As someone mentioned just the other day the Kim Dotcom incidents in New Zealand are a prime example. It’s been reported that NZ LEO stood outside the Dotcom residence whilst FBI goons wandered in and “filled their boots”.

Then on a more human basis do I need to mention the US hard on for Julian Assange, and their attempts to find any reason to try to come up with an extraditable offence (which by the sounds of it they are having to lie about and try and force others into false testimony).

So far Ed Snowden has the protection of another super power but the question is how long will that last?

So you have to do three things,

1, Convert fiscal wealth into as small a physical package of real wealth as you can.

2, Convert / disguise the real wealth package into something that if found looks worthless.

3, Put the worthless package somewhere that has no trail back to you.

During WWII two Nobel scientists escaped from what became Nazi occupied Europe. Back then the Nobel medals were struck in near pure gold. A colleague who stayed behind got two jars, dissolved the medals in aqua regia, put the resulting sludge into the jars, put a label on them that said something innocuous and put them on a shelf in a university laboratory. There they remained undiscovered despite various searches until after the war, when the gold was recovered and returned to the Nobel institute that re-struck it back into medals.

The simple fact is most official goon brains are like box cars running behind the organisational engine. As with most such hierarchies standing out from the crowd is not recommended if there is any risk behind it. When you look in those box cars you find trained minds, but they have been trained to work in limited domains. Thus knowledge of procedure, law and limited scene of crime work. Their brains are rarely trained in science or highly technical subjects; if they see something “normal” looking then they tend to regard it as what it looks like. They might examine it for contact evidence, but won’t test the object unless some reason to do so comes up, like it being suspected of having been used as a weapon.

As someone once pointed out to me, would you expect a “crock of gold” under an old tumble down cottage wall?

The answer is “probably not”, but it turns out Victorian builders would use any old junk in the bottom of a trench to start foundations on. Some of that old junk like glass bottles are now highly desirable collectors items.

The thing about walls is whilst they do sometimes get knocked over or repaired, the foundations are rarely dug out even when the wall is demolished and something entirely different put on top.

Thus the thought occurs that somewhere like a garden wall foundation with the package disguised to look like old building rubble being used as hard core could be left undisturbed for way more than a hundred years.

Sadly the most obvious candidate, which is diamonds set in plaster / mortar and broken brick, won’t work these days… Because these days diamonds like other stones of value increasingly have microscopic serial numbers engraved inside them by laser, thus they carry their own trail…

But a mind that can use science well and think well outside of a box car stands a better chance of success than any trail-less goons who don’t get out of the box car.

Oh and keep away from gold. It just so happens that just an atomic number or two away is another metal that, whilst not being totally worthless, has a sufficiently similar density that embedding rods of it in bars of gold bullion has enabled people to get away with doubling or tripling the value of the gold they actually used. Such bars did turn up in gold repositories and had verifiable certificates that had been sold. The result is that once gold has been accepted into a bullion repository nobody in their right mind touches it; they just swap the verified certificates and pay the repository storage fees… Such certificates are, because they are verified, highly traceable… Similar issues exist with other precious metals.

A90210 July 21, 2019 3:53 PM

@Colonel Panik, Rachel, Tõnis

I finally realized Colonel Panik might be related to a Panic family. (disclaimer: I don’t have any additional information about equal or better substitutes)

In the USA, perhaps Gmail, Hotmail, Icloud, or whatever, email accounts might draw less unwanted attention.

Tõnis July 21, 2019 7:59 PM

@A90210,

“In the USA, perhaps Gmail, Hotmail, Icloud, or whatever, email accounts might draw less unwanted attention.”

Agreed. I have my two Outlook accounts (1 for most important, 1 for kind of important stuff), 1 Gmail (kind of important), 2 yahoo (mostly junk), 2 aol (1 important former Verizon email, 1 mostly junk longtime aim/aol), and my yandex account (reserved, occasional use, not junk). The use case scenario separation is part of my not all eggs in one basket strategy.

I also have my protonmail account (reserved & earmarked for important) which would get more use were I to get it going on my smartphone. All the other accounts are in use on my phone using Exchange ActiveSync/IMAP. Strangely, my most important stuff is still on my “important” outlook account. I guess I’m conditioned to believe that Microsoft is the provider least likely to steal from me since I’m such a loyal Windows 10 user haha.

Alyer Babtu July 21, 2019 11:10 PM

@ several

Re: hiding places

Like the London black-cab driver in a certain recent mystery story who establishes an unfindable pub called the Knowledge, you have to come upon – probably by accident – a place that, in the complications and long times of its environment, has slipped from recollection.

Clive Robinson July 22, 2019 1:04 AM

@ Alyer Babtu,

a place that, in the complications and long times of its environment, has slipped from recollection.

I’m old enough to remember several places from the late 1960’s to early 1970’s in London that, even though they are still there, have had the entrances replaced and all signage removed, so have in effect disappeared from “common memory”.

They were places of minor common interest, like a Roman bath house excavated under a Georgian style house, that had been found when the house was converted to offices. There was a simple door with steps down to a simple viewing platform. The door was unlocked and hooked back in the morning and closed and locked in the evening but otherwise unattended during the day. So you could just wander in, which on a hot busy summer’s day was a “godsend” as it was a cool quiet haven to hide away in for a little while.

Then this happened,

http://news.bbc.co.uk/onthisday/hi/dates/stories/october/31/newsid_2464000/2464143.stm

Whilst the Tower is still there and remained an “Official Secret” for a couple of decades, it was prior to the bomb the busiest “Public Attraction” with a rotating restaurant and viewing galleries. After the bomb the public viewing areas were closed effectively permanently as was the restaurant when the operating lease expired.

Due to the fact the bomb had been hidden in a public area and not found despite a search, privately owned public access places of minor interest that were not attended closed. And apart from legal requirements for historic monuments, they are not likely to ever open as they did again.

The tower itself is not in the former glory I remember it in; the majority of the microwave antennas ceased to be used and eventually, after a protracted legal process, were removed on health and safety grounds. Nor does it stand out like it used to do, as other larger buildings have effectively hidden it over the years (which is the reason it was built in the first place, “to get signals over new buildings” back in 64; that, as they say, is “progress”).

Rachel July 22, 2019 2:09 AM

Clive Robinson

Thank you for the beautiful story about the Nobel gold medallions! Elegance personified.

It reminds me of an old book from Loompanics Press, still able to be found online somewhere like Scribd, about hiding objects. The book used the phrase ‘cognitive ju-jitsu’ – in essence advocating an approach of manipulating perception, as you describe more eloquently (and enjoyably).

Tangential to the rest of your post, it seems a less than talented rapper with a funny name, from the US, is in custody in Sweden for alleged violent assault on the street, caught on film. The acting president of the US has tried to influence Sweden to let him go, having received requests from the minor celebrity class. Sweden’s minister has responded that their judicial system is proudly autonomous, impervious to politics and unable to be affected by requests such as these, even from an acting president, and thus custody will be continued.
At least they are consistent on the custody aspect.

love, your fan
Rachel

Rachel July 22, 2019 2:24 AM

Clive Robinson

as a hypothetical curiosity, what about using raw uncut gemstones to avoid the issue of laser etched serial numbers.

your reasoning for staying clear of gold is not widely discussed! As you say, provided people can continue to swap the certificates, mum’s the word.

Similar issues abound with purchasing ‘digital’ gold, resembling something akin to scrip or fiat currency.

Tatütata July 22, 2019 9:34 AM

A colleague who stayed behind got two jars, dissolved the medals in aqua regia and put the resulting sludge into the jars, put a label on them that said something innocuous and put them on a shelf in a university laboratory.

A lot of tomfoolery goes about with customs tariffs, in particular with dairy products, sugars, and other goods generally submitted to import quotas and licences. The trick is to blend or process the substance into a composition that is subject to a more favourable duty rate or whose importation isn’t limited in some way. Ideally, the composition is directly usable in some industry, or its components are trivially separable. Who would’ve thunk that customs tariff directories made fun reading?

65535 July 22, 2019 10:06 AM

@ Rachel, Colonel Panik and others

The third party email providers are a bit sketchy [in bed with the NSA/CIA/FBI… LE by nature of CALEA and other laws].

As VinnyG notes:

“Such storage facilities are even more laughably vulnerable to a trivial law enforcement records and search request…”

Yes, that is true.

It also applies to large email providers. All of the big ones are susceptible to NSLs, court orders of various jurisdictions.

Next is the problem of scanning text for advertisement -cough- selling the customers’ data to the highest bidder or to LE. All of the big email providers are attackable to some extent.

I and my customers have tried a number of them – some are fairly good but don’t transmit life or death data over them. I remember when Lavabit was NSL’d out of business. But, they reappeared in the last few years.

ht tps://lavabit.com/consumer.html

[links broken to hinder bots]

The first hurdle is personal OPSEC, so paid email providers are a problem unless you have multiple front companies or, for individuals, use gift debit cards or the like.

Next, is the USA CALEA problem so Hush and proton are an option. Hush is surely NSL prone. I don’t know about proton.

[Expire after number of days problem]

Hush expires fast – so you should log on every 14 days for the free version. Proton is better because of 1 month to 3 month expiration date.

Google, Hotmail, yahoo, AOL, and others all depend on ad revenue; they are usable but don’t count on much privacy. Your text will be bot’d and used for ads. If you set up an email with them and they require verification, try to use a throw-away email account that you don’t need. You can use certain throw-aways for awhile as dead drops – then let them expire.

@ Tõnis

[Proton]

The only serious thing I have heard about Proton is DDoS attacks. That is about all.

Proton is somewhat out of the USA’s reach but who knows. My customers started using Proton instead of Hushmail.

The original offering from proton included a two step log on process. One for the email account and a second password for the actual email box. That’s fairly secure but a hassle to use. Proton switched to a single sign-on. Proton does have a longer period of inactivity before it expires.

The list of email providers from Wikipedia by ’20 July 2019 00:00:00′ seems a little light.

For example most or all ISPs have email services for their customers Comcast, Verizon, and so on. Not listed in Wikipedia.

Even though Lavabit is back – it is not listed or I did not see them.

ht tps://en.wikipedia.org/wiki/Comparison_of_webmail_providers

Next, this blog has discussed private email servers – from a small business or home. They can offer good privacy under certain conditions.

They are more difficult to setup and some ISPs block port 25. But, you can look through this blog and find them being used.

The Hillary Clinton home server was the most famous [it is rumored she or her underlings used Bleachbit to shred the files before investigation and discovery].

“During her tenure as United States Secretary of State, Hillary Clinton drew controversy by using her family’s private email server for official communications…” – Wikipedia

ht tps://en.wikipedia.org/wiki/Hillary_Clinton_email_controversy

[and]

“…Until October of 2010, based on historic DNS records viewed by Ars, Clinton’s e-mail server was in fact at a static IP address provided by Optimum, a Cablevision subsidiary, that corresponded to the Clintons’ Chappaqua address [Her Real Home address -ed]. The domain was registered on January 13, 2009, just days before Clinton’s confirmation as secretary of state—but it did not gain a certificate for secure client connections until March. The current certificate for clintonemail.com was issued by GoDaddy in 2013 just as the original certificate was about to expire. [Note Clinton used a private SSL certificate before buying a well-known certificate, so it is a bit misleading to say she used an unsecure connection – unless at some point she used plain http -ed]”-arstechnica

ht tps://arstechnica -com/information-technology/2015/03/clintons-email-hosted-on-exchange-2010-server-now-not-in-chappaqua/

These home email servers can be built on Linux or M$ base products. Here is one discussion of many on this blog:

[Part of 65535’s post in 2014 about port 25 blocking by ISPs and home email servers]

“…The two customers I found both used Micros@ft Servers with Exch@nge and a dynamic IP with a “No-IP” type of DNS service. Their email servers do work – but both are using SSL/TLS only over standard ports. ..To maintain confidentiality for the customers I can only say one client uses a deprecated SBS 2003 with exchange over 443 and RWW ports [remote web workplace]. And, doesn’t use a mail forwarding service [Active Directory, DNS with A records – I did not ask about reverse look-up records]. The individual’s email recipients must use a Pro version of Micros@ft client OS and accept the self-signed certificate, join his “domain” or be in his AD database [and accept the related security template for AD]. I assume the recipients reach the server by port 80 then go to port 443. The other client was more reserved in commenting. This individual uses Server 2008 and Exchange 2007 [with AD or directory services, DNS and so on]. This individual does use an email forwarder and “No-IP” style of dynamic DNS update via router [I forgot to ask about the certificate – probably has small group email base].

“I would guess very few people have access and an old SBS 2003 [or newer Server 2008 server with Exchange] plus the skills to make it work…These people had a fair understanding of Microsoft products routing, DNS, SSL/TLS, avoiding DDoS attacks and a small number of trusted users and some of the users had to accept self-signed certificates. I assume it was more of a business thing than a wide open service like say Proton mail. …I also got the idea these owners of home email servers put in a lot of work and didn’t want to talk too much about their equipment….Yes, home servers can be done but it is not easy to setup and run…”

https://www.schneier.com/blog/archives/2014/11/isps_blocking_t.html#c6682858

@ Sherman Jay

“I (and most of you) have been warning people about the dangers of ‘cloud computing’ for quite a while now. QuickBooks Cloud Hosting Firm iNSYNQ Hit in Ransomware Attack…”

https://krebsonsecurity.com/2019/07/quickbooks-cloud-hosting-firm-insynq-hit-in-ransomware-attack/

Yes.

I have tried to convey the need for both privacy and IT security on many posts. Privacy and IT Security go hand in hand and are very important in our daily lives [iNSYNQ ransomware story].

Now we see CPAs, Tax Accountants, and Payroll bookkeepers put their trust in the cloud or “datacenters” only to find payroll datacenters are delicious targets. Just holding up one bi-weekly payroll report – and possibly payroll checks – can be very damaging to the average Jane/Joe.

These working people, payroll bookkeepers or their employers could be knocked into default and in trouble with the IRS and state taxing authorities – from a payroll cloud provider who did not take the proper steps to secure their customers’ extremely sensitive payroll tax data. This is horrible.

First up is the funny but rude chat log from Krebs poster Canada:

[part of chat log]

Justin [insynq]
“…What brought you here to check us out?”

Brian Krebs
“Your dumpster fire on Twitter”

Justin [insynq]
“Cool. Are you already using an application hosting service like insynq?”

Brian Krebs
“No”

[The chat log goes down hill from there to the end]

Chat Log: https://ibb.co/Cm0pNtG

“The Cloud Is Just Someone Else’s Computer”

by Canada July 19, 2019 at 6:36 pm

https://krebsonsecurity.com/2019/07/quickbooks-cloud-hosting-firm-insynq-hit-in-ransomware-attack/#comment-493015

“QuickBooks Cloud for years and it’s largely fallen on deaf ears….Depending on if/when service is restored, the present attack will cause some number of business bankruptcies. Some of these will be small businesses that trusted their accounting to accountants who in turn trusted someone else’s computer. There will also likely be loss of businesses’ customer information including financial information, leading to attacks on their customers. So: you bought a widget from ABCco, paid via debit card, your debit card is in their cloud file: uh-oh, bye-bye to your checking account…”-Gray

https://krebsonsecurity[.]com/2019/07/quickbooks-cloud-hosting-firm-insynq-hit-in-ransomware-attack/#comment-493027

Probably. Payroll accounting is very intimate: Social Security and other tax numbers, name and address, employer, and employer tax ID numbers. That is a gold mine for carding scammers.

“Cloud nine was ransomwared sometime in 2017 and was offline for nearly two weeks. The MSP I work at migrated the data to a new on premise server that cost less than half of what the annual fee to C9 was and is significantly faster to boot as I employed tiered storage for VMs with solid state drives.”-Tony

ht tps://krebsonsecurity[.]com/2019/07/quickbooks-cloud-hosting-firm-insynq-hit-in-ransomware-attack/#comment-493027

Yep, if the server is on a local LAN it will respond more quickly. Most small businesses with high-risk data [tax, medical, PII and so on] should probably use their own server.

“The inhouse servers don’t go down. So I don’t normally recommend cloud services…”-Catwhisperer

ht tps://krebsonsecurity[.]com/2019/07/quickbooks-cloud-hosting-firm-insynq-hit-in-ransomware-attack/

@ Clive Robinson

“…keep away from gold. It just so happens that just an atomic number or two away is another metal that whilst not being totaly worthless has a sufficiently similar density that embeding rods of it in bars of gold bullion has enabled people to get away with doubling or trippling the value of the gold they actually used. Such bars did turn up in gold repositories…”

I mostly agree with the bulk of your post, Clive, but bars of gold bullion? Isn’t that a bit expensive? 4 million USD? Most people in the 1990s just bought a simple Maple Leaf gold coin with no serial number.

“A bullion coin is a coin struck from precious metal and kept as a store of value or an investment rather than used in day-to-day commerce” – Wikipedia

ht tps://en.wikipedia.org/wiki/Bullion_coins

[and]

“The Gold Maple Leaf is legal tender with a face value of 50 Canadian dollars. The market value of the metal varies, depending on the spot price of gold. Having a .9999 millesimal fineness (24 carats), in some cases .99999, the coin is among the purest official bullion coins worldwide.” -Wikipedia
ht tps://en.wikipedia.org/wiki/Canadian_Gold_Maple_Leaf

[For those people with big bucks and big muscles]

“The Big Maple Leaf (BML) is a set of six $1 million (CAD) gold coins each weighing 100 kilograms (220 lb) (3,215 troy ounces). They were produced by the Royal Canadian Mint (RCM) in 2007, at their Ottawa facility where the first BML produced remains in storage. As of March 2017, the market value of a single Big Maple Leaf had reached approximately $4 million (USD).”-Wikipedia

ht tps://en.wikipedia.org/wiki/Big_Maple_Leaf

[or Bar of Gold]

“The standard gold bar held as gold reserves by central banks and traded among bullion dealers is the 400-troy-ounce (12.4 kg or 438.9 ounces) Good Delivery gold bar…”-Wikipedia

ht tps://en.wikipedia.org/wiki/Gold_bar

In general gold holds its value. It does go into periods of flux but then settles down. I would not rule it out as a store of value. Sure, a house or real estate is also a good store of value. But, some gold is not bad. Other than that I agree with Clive Robinson’s post.

Clive Robinson July 22, 2019 10:30 AM

@ 65535,

The current certificate for clintonemail.com was issued by GoDaddy in 2013

If I remember correctly, back then GoDaddy generated the key pair and installed the Private Key for you (they would not let you do it any other way apparently).

Thus the privacy was compromised before you even got started…

As for gold, as in most things in life it’s “buyer beware”: unless you know how to test it and verify it, you would be unwise to trust it outside of a gold repository vault.

Whilst Canadian gold coins are well thought of, where are you going to buy them without leaving a trail or taking a risk. Premium product is ripe for forgery and as the UK knows you can get 25% forgery in circulation –old £1 coins– if the economics are right…

VinnyG July 22, 2019 11:09 AM

@Tatütata re: Aqua Regia – I understand your point, but I think that I’d rather risk the confiscation of precious metal than cart that mixture around…

VinnyG July 22, 2019 11:15 AM

@Clive Robinson re: concealment of physical objects – In North America, at least, there remain ways to accomplish concealment, although convenience of retrieval may be sacrificed. Lots of obscure waterways, lots of remote nationalized wildlands. Of course, ease of retrieval will likely be compromised, and if you come under constant surveillance in the nonce, may become difficult or impossible without being observed.

Bruce Schneier July 22, 2019 11:21 AM

@Rachel:

Re ProtonMail. Thanks for that.

The article says: “Yesterday, Co-Founders Wei Sun and I had a brief opportunity to meet with renowned security expert Bruce Schneier at MIT. Bruce was around to give a talk for the MIT IEEE/ACM Joint Seminar Series and we were on campus to meet with a couple MIT based security experts.”

My guess is that “a brief opportunity to meet” meant that he shook my hand — and posed with me for photo — at a talk I gave at MIT.

Certainly possible. I would not categorize it as “meeting with ProtonMail.”

VinnyG July 22, 2019 11:23 AM

@65535 @Clive Robinson re: gold – In the US, an individual may purchase up to $9999 USD in gold at a time without a requirement on the seller for Federal reporting. I know of several precious metal processors within a one hour drive that both buy and sell. While fraud is always possible, it would be massively counter to its long term interests for such a business to cheat on measure, or to sell adulterated or counterfeit commodities…

Sherman Jay July 22, 2019 12:19 PM

“Oh, what fools these mortals be” —

a secure investment!?!?! —
Decades ago there was a business in the L.A., Calif. area that sold rare coins and gold as a secure investment. They would show a customer gold in a canvas bank bag, weigh it, tag it, seal it up, sell it to the customer and make a show of putting it in their ‘very secure’ vault on site. The problem arose when someone found out that they were unsealing and selling the same single bag of gold to many different customers!

Tatütata July 22, 2019 1:40 PM

Proton mail claim: On that logic, I could claim multiple weekly encounters with the Prime Minister.

We went to the same sports centre at the end of the day, near to the closing time…

VinnyG July 22, 2019 3:08 PM

@Sherman Jay re: gold scam – imo only a moron would make an investment that is predicated on a profound lack of trust in the financial system, i.e., gold, then trust a third party to maintain physical possession. If you decide to hold gold, buy from a reputable vendor who can ill afford to scam customers, or to vanish, such as a reprocessing/refining foundry. I have dealt with an outfit that has been in the same location for over a century. BTW, also imo gold is ill-suited to be an investment instrument, but has potential value as a hedge or short-term liquidity instrument should the current system go to h311 in the proverbial hand basket…

65535 July 23, 2019 1:49 AM

@ Clive Robinson

“If I remember correctly, back then GoDaddy generated the key pair and installed the Private Key for you (they would not let you do it any other way apparently).”

Yes, I believe that is the case with GoDaddy certificates.

What I was trying to make clear is the fact that MS Exchange on MS server[s], in general default set-ups, can create a self-signed certificate which can be used on said Exchange email servers by close friends/associates for SSL/TLS encryption [it is not as widely accepted as DigiCert, Symantec, or Let’s Encrypt certificates]. But, there is a question of whether Clinton used SSL at all times. The same certificate thing is true of enterprise firewall vendors such as Palo Alto.

I am trying to stay away from the political side of Hillary Clinton and her home email server [government record retention laws and so on]… I just used Hillary Clinton’s email server as an example of home email servers.

On the gold issue, I have never seen anybody that I know invest money in heavy bars of gold or heavy bags of gold. These people just don’t have the cash on hand to do so. They just buy a 1 oz. Maple Leaf coin[s]. Yes, people do actually buy gold Maple Leaf coins for a store of value.

Seriously Clive, do you have millions of dollars to buy bars of gold? I am sure gold products in the millions of USDs such as a 439 oz gold bar[s] or “bags of gold” are a nice target for thieves. Maybe Peter Thiel, Mark Zuckerberg or Bill Gates can afford them but not me or my circle of clients. So, melting and re-casting gold with similar heavy metals is a fairly low probability – as far as small bullion coins go.

@ Tatütata

I am not an expert on proton but it is used by people and has been discussed on this blog before. If you have some information -good or bad- about it please feel free to share it.

Rachel July 23, 2019 2:54 AM

Tatütata
Proton mail claim: On that logic, I could claim multiple weekly encounters with the Prime Minister.
We went to the same sports centre at the end of the day, near to the closing time…

Ahh, the casual, normal nature of a European country. Can you imagine such a scenario in the US? The whole centre would be closed for 24 hours before and after each visit, and et cetera. In your case, I can imagine the PM had to use a membership pass like everyone else. Was greeted by staff by first name, and (after Tatütata got their bluetooth bike chain working) bicycled home just like Statsminister Birgitte Nyborg of Borgen

Rachel July 23, 2019 3:11 AM

I can’t find the Guardian article on Protonmail that had a reference to Mr Schneier. Reaping the unexpected harvest, I did find a privacy guide

It’s technical yet simple, aimed at a broad audience. Written by a former NASA rocket scientist and easy to understand. Even the most literate of you may appreciate having so many references in the one place.

‘Privacy Guide’

touches upon NIST, ‘perfect’ forward secrecy, encryption, Snowden, HTML5, clearing cached DNS, eTags,

And remarkably, says really uncommonly common sense things like

‘Note that if you use either NoScript or uMatrix then it is not necessary to also use uBlock Origin and Privacy Badger’

https://proprivacy.com/guides/the-ultimate-privacy-guide

To the lucidity of this guide.
Ali G interviewed a NASA rocket scientist once. The scientist was obviously relaxed and unfazed, ‘I’m just having a normal chat with a normal person’, more than any single person Ali G interviewed; it really says something for the kind of hinking thinky brain someone like that must have.
(Noam Chomsky was the only other interview subject just as natural)

Rachel July 23, 2019 3:19 AM

Clive Robinson

GoDaddy
I find the guy used to advertise the product on billboards so creepy I’ve been sworn off recommending them. Lucky for me I guess. Even the name is creepy!

Clive Robinson July 23, 2019 1:59 PM

@ 65535,

I am trying to stay away from the political side of Hillary Clinton and her home email server

You and me both..

Seriously Clive, do you have millions of dollars to buy bars of gold?

Not yet 😉

But then I could buy some of these,

https://m.alibaba.com/showroom/tungsten-gold-bar.html

There’s obviously a market for a tungsten alloy at exactly the same density as gold, which China is happy to supply.

But seriously though, when you are looking for something that is high value, small, easily transportable, and easily convertible into other more day to day currency without the serious devaluation issues of paper money or awkward questions, then precious and semiprecious metals and stones would have been high on your list less than a decade ago.

As for buying gold or diamonds, I’ve purchased them in small quantities in the distant past, when involved with someone who increased their value a lot by turning them into custom jewelry. I met them when involved with gold recovery from electronic scrap. You really would be surprised at just how much gold was in early ICs that you could pick up at auctions of bankrupt stock. Likewise other high value metals from PCB edges and the connectors they got plugged into. If you have computers from the 1970’s and 80’s that your other half may think of as “old junk” there is probably enough gold in there to make a nice set of jewelry. Not so modern electronics, where the price of gold and other precious metals is way too high and other metals including aluminium have replaced them and in the process halved the reliability figures.

But you really had to be careful even back then; there was a series of VAT frauds doing the rounds. In the UK one of the things that did not get a 15% hit for VAT was gold coins, thus criminals were buying up coins, melting them down, adding a little copper or some other metals to hide the origins of the gold[1], then taking it to legitimate refiners as “recovered scrap” to be refined further, which was a speciality of Kenneth Noye and Brian Reader[2]. The criminals would then sell on the refined and certificated gold as bullion subject to VAT and sell it to jewelers and the like for a small fraction less but make a fat profit on the VAT. Oh and it was also a way to fence out stolen jewelry that would get thrown in the mix.

Thus in precious and semiprecious metal and stone markets criminality covers the entire range from 8crt from house breaking cheap jewelry through 24crt from safe deposit boxes, and quite a few people including the Tax man take very detailed interest.

However it’s insurance companies that have taken the biggest interest in getting stones etc not just certified but serial numbered. De Beers had a real scare a few years back. Somebody discovered that by heating certain lower value stones up you could make a diamond change colour etc from a lower value bottom end, not really jewelry market, to much higher value stones. Thus another way to fence stolen jewelry at an even higher value for those who had access to the very specialised equipment –in Russia and Ukraine– to stop the diamond turning to near worthless graphite. Initially De Beers found a test using a specialised fluoroscope to tell stones that may have been heated. Then someone discovered heating them up to a higher temperature for longer stopped that particular test working. But by then laser marking had become practical. If you want to know a little more on the subject then,

https://gci-gem.com/pdf/diamond%20color%20treatments%20and%20identification.pdf

[1] Look up Kenneth Noye, you might well be shocked at what you find out. All in all he was not a very smart crook and murdering police officers and drug dealers was more along his original stock in trade. Even petty crooks are smarter than that these days thanks to the use of technology. But he had learnt a lot about how to launder gold. I was asked back then to spec up specialised surveillance equipment that would work from Spain where he was assumed to be holed up and London without using the telephone network as at the time it was assumed that Noye and his associates had bribed officials etc from his behaviour in the UK.

[2] https://www.theguardian.com/news/2016/apr/04/brinks-mat-how-mossack-fonseca-helped-hide-millions

Clive Robinson July 23, 2019 4:19 PM

@ Rachel,

I find the guy used to advertise the product on billboards so creepy

I think the whole company is creepy at the very least.

I think I’ve mentioned on this blog before they had a center in London, and some rather worrying security incidents were traced back to the same building.

Somebody I know has a relative that worked there for a while and it transpires that they did not have nice things to say about them. With the least being along the lines of “needing a shower after work to try to feel clean, normal and human again”.

They are an organisation where finding ICT horror stories is not difficult. So let’s just say like Santa I have two lists and they are near the top on the “nothing for you” list…

joe random July 23, 2019 4:42 PM

Here’s a question for you:
Should a company ever provide you with your Google authenticator Secret Key via email as confirmation of the setup process, or is this something that should only ever be seen on the screen during setup so you can enter it into your authenticator application?

20 July 2019 00:00:00 July 24, 2019 11:38 AM

There appear to be a lot of spooks, ex-spooks, and people familiar with the Intelligence Community, in general, on this blog. The below includes foreign interference in the 2016 US election.

Robert Mueller to testify, in about 7 minutes, before the House Intelligence Committee

Around 3 hours

Live on TV, radio, or streaming near you.

https://www.c-span.org/video/?462628-1/robert-mueller-testifies-house-judiciary-committee&live

https://www.pbs.org/newshour/politics/watch-live-robert-mueller-testifies-before-congress

https://video.foxnews.com/v/6063461963001

Sherman Jay July 24, 2019 11:54 AM

responding to:

joe random • July 23, 2019 4:42 PM
Here’s a question for you:
Should a company ever provide you with your Google authenticator Secret Key via email as confirmation of the setup process, or is this something that should only ever be seen on the screen during setup so you can enter it into your authenticator application?

As a former long time employee of many companies (some good, most abusive) I understand that we all must be abused gears in the corporate shredding machines in order to ‘make a living’ –

BUT
It is the STRONG opinion of my organization (based on observed privacy violations) that the term “Google Secret Key” is in itself a laughable self-contradictory phrase.

and (as I’m sure most on this blog will agree) Third Parties controlling your security credentials and sending them over E-mail is just a recipe for disaster.
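The exchange above turns on what a TOTP “secret key” actually is: a shared seed from which every future one-time code is derived, so whoever can read it (a mail provider, anyone with the mailbox, anyone on the path) holds a copy of the second factor. The following is an added example, not code from the thread or from any authenticator vendor: a minimal RFC 6238 TOTP implementation next to a scanner that flags otpauth:// provisioning URIs in message text, the kind of check an outbound-mail DLP rule or a post-incident review would run. The e-mail body is constructed for the example and carries the public RFC 4226/6238 test key in base32; the function and variable names are my own.

```python
import base64
import hashlib
import hmac
import re
import struct
import time
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Same seed -> same code."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def b32_secret(encoded: str) -> bytes:
    """Decode the base32 seed authenticator apps accept: case-insensitive, spaces
    ignored, '=' padding restored (QR codes and setup pages usually strip it)."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# An otpauth:// URI is what a provisioning QR code encodes; the seed sits in its query string.
OTPAUTH_RE = re.compile(r"otpauth://totp/[^\s\"'<>]+", re.IGNORECASE)


def find_totp_secrets(text: str) -> List[Dict[str, str]]:
    """Detection side: pull label, issuer and seed out of every otpauth:// URI in a
    message body. Usable as an outbound-mail DLP rule or to audit what a vendor sent."""
    found = []
    for uri in OTPAUTH_RE.findall(text):
        parsed = urlparse(uri)
        params = parse_qs(parsed.query)
        if "secret" not in params:
            continue
        found.append({
            "label": unquote(parsed.path.lstrip("/")),
            "issuer": params.get("issuer", [""])[0],
            "secret": params["secret"][0],
        })
    return found


def codes_from_leaked_mail(text: str, at: int) -> List[str]:
    """Impact side: each seed found in the mail yields the code valid at time `at`,
    which is why a mailed seed is a copied second factor, not a 'confirmation'."""
    return [totp(b32_secret(s["secret"]), at) for s in find_totp_secrets(text)]


# Constructed sample (not a real vendor mail). The seed is the RFC 4226/6238 test key
# "12345678901234567890" in base32, so every value below can be checked against the RFCs.
SAMPLE_EMAIL = """Subject: Your 2FA setup is complete

Thanks for enabling two-step verification. For your records, here is your
authenticator enrolment link:
otpauth://totp/ExampleCorp:alice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleCorp
"""

if __name__ == "__main__":
    leaked = find_totp_secrets(SAMPLE_EMAIL)
    print("seeds found in mail:", [(s["issuer"], s["label"]) for s in leaked])
    # RFC 6238 Appendix B: at unix time 59 the 8-digit SHA-1 code for this key is 94287082
    print("6-digit code at t=59 from the mailed seed:", codes_from_leaked_mail(SAMPLE_EMAIL, 59))
    print("live code right now:", codes_from_leaked_mail(SAMPLE_EMAIL, int(time.time())))
```

The seed should be shown once, at enrolment, over the authenticated session, and the server should retain only its own copy; the only thing worth sending afterwards is a notification that a new authenticator was enrolled, without the seed. The scanner above is deliberately narrow (otpauth:// URIs); a bare base32 string in free text is much harder to flag without false positives, which is one more reason to treat any “here is your key” mail as an incident rather than a convenience.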

vas pup July 24, 2019 1:48 PM

@Clive:

This part below from your post is amazing! Thank you.

“During WWII two Nobel scientists escaped from what became Nazi occupied Europe. Back then the Nobel medals were struck in near pure gold. A colleague who stayed behind got two jars, dissolved the medals in aqua regia and put the resulting sludge into the jars, put a label on them that said something innocuous and put them on a shelf in a university laboratory. Where they remained undiscovered despite various searches until after the war, when the gold was recovered and returned to the Nobel institute that re-struck it back into medals.”

To the best of my memory, Saudi Arabia or the Emirates have vending machines where you could buy gold.

Joe July 25, 2019 1:42 AM

@Clive Robinson wrote, “But seriously though, when you are looking for something that is high value, small, easily transportable, and easily convertible into other more day to day currency without the serious devaluation issues of paper money or awkward questions, then precious and semiprecious metals and stones would have been high on your list less than a decade ago.”

The problem with “precious metals” is that their markets have long been polluted by “paper pushers” who trade derivatives based on real metals so as to govern their price on the promise of IOUs. As a result, buying “precious metals” is not immune to sudden spikes in devaluation issues because the underlying mechanism that governs their price is heavily influenced by digitized markets. This digital/paper mechanism is prone to manipulation on a large scale because, in order to provide “liquidity” to the market, rules were logically relaxed to de-peg them from their physical counterparts, thus they are subject to the same type of inflation/deflation phenomenon as fiat currencies.

Gerard van Vooren July 25, 2019 10:00 PM

Now that Apple has bought the Intel Modem 5G division I immediately got a rather nasty taste in my mouth. Why was that? Well, Trump did take a very hard position against Huawei, with lots of accusations without any proof (as usual coming from US politicians). But what if he knew about the Apple/Intel deal? What if this was just a big joke at the expense of China, only to make tons of money? I agree, my accusation is rather far fetched, but …

Joe July 25, 2019 10:53 PM

Speaking of “far fetched”…

I was under the impression that the Intel xG modem tech is 6 months to one year behind Qualcomm, so I don’t know if this news means making money for anyone with pre-knowledge.

The act against Huawei is part of an overt operation to bring down China from its economic and technical peak, IMHO. Prez. Trump was reportedly a close student of Henry Kissinger who is very “well versed” as an architect in such Asian Pacific regional conflicts. This seems like an “old establishment” act.
