Friday Squid Blogging: Piglet Squid Video

Really neat.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on August 2, 2019 at 4:20 PM • 87 Comments

Comments

2 August 2019 00:00:00August 2, 2019 5:30 PM

https://news.yahoo.com/fbi-documents-conspiracy-theories-terrorism-160000507.html - includes a two minute and 14 second video

"The FBI for the first time has identified fringe conspiracy theories as a domestic terrorist threat, according to a previously unpublicized document obtained by Yahoo News.

The FBI intelligence bulletin from the bureau’s Phoenix field office, dated May 30, 2019, describes “conspiracy theory-driven domestic extremists,” as a growing threat, and notes that it is the first such report to do so. It lists a number of arrests, including some that haven’t been publicized, related to violent incidents motivated by fringe beliefs.

The document specifically mentions QAnon, a shadowy network that believes in a deep state conspiracy against President Trump, and Pizzagate, the theory that a pedophile ring including Clinton associates was being run out of the basement of a Washington, D.C., pizza restaurant (which didn’t actually have a basement).

“The FBI assesses these conspiracy theories very likely will emerge, spread, and evolve in the modern information marketplace, occasionally driving both groups and individual extremists to carry out criminal or violent acts,” the document states. It also goes on to say the FBI believes conspiracy theory-driven extremists are likely to increase during the 2020 presidential election cycle..."

2 August 2019 00:00:00August 2, 2019 5:59 PM

https://www.npr.org/2019/07/31/746878763/how-tech-companies-track-your-every-move-and-put-your-data-up-for-sale - audio 36 minutes and 25 seconds

"This is FRESH AIR. I'm Terry Gross. If you ever get the creepy feeling you're being monitored when you use your computer, smartphone or smart speaker, our guest Geoffrey Fowler is here to tell you you are. Fowler writes a consumer-oriented technology column for The Washington Post. He's been investigating the ways our browsers and phone apps harvest personal information about us even while we're sleeping. And he discovered that Amazon had kept four years' worth of recorded audio from his home, captured by his Alexa smart speaker, including family conversations about medications and a friend doing a business transaction.

Geoffrey Fowler joined the Post in 2017 after 16 years with the Wall Street Journal, writing about consumer technology, Silicon Valley, national affairs and China. He writes his technology column from San Francisco. He spoke with FRESH AIR's Dave Davies.

DAVE DAVIES, BYLINE: Well, Geoffrey Fowler, welcome to FRESH AIR. You have a recent column. The headline is "I Found Your Data. It's For Sale." What kind of personal data did you find available for sale on the Internet?

GEOFFREY FOWLER: I found all kinds of things that normal people would consider secrets and that corporations spend a lot of money - millions and millions of dollars - to try to keep out of the hands of their competitors and criminals. I found people's flight records. I found people's records from their doctors prescribing them medications. I found people's tax documents that they were - thought they were only sharing with their tax preparer. And they were available with one click. I could have opened them up and downloaded them.

DAVIES: Right. And where did this data come from?

FOWLER: It came from their Web browsers. And what we discovered along the way is that there is a giant hole in people's Web browsers that we're installing ourselves, and they're called extensions. These are these little apps, these little programs that you add into Chrome or into Firefox that are supposed to help you do things on the Web more easily, like keep track of your passwords or, you know, maybe get discounts on certain websites.

A lot of them do that, but it turns out a surprisingly large number of them have a side hustle in your data. And they were in the business of watching everything you did on the Web, sending it out somewhere else and then that site was sending it on to someone else, who then made it available for sale.

DAVIES: So when we click on the I agree box after not reading all - the long thing, what does that allow the add-on to harvest from us?

[...]

And, you know, you can't really tell just from the reviews or from sort of the presence in those [app] stores what they're up to. You know what other kinds of software is frequently in the business of tracking you is actually VPN and other kinds of security software; sometimes antivirus software even. You'll think these are the companies that I trust to protect my privacy and security, but they may be paying for it by taking data about what you're doing on your computer and selling it.

[...]

Now, as of a couple of weeks ago, it [Firefox] changed its default settings so that when you install it, it blocks those cookies by default, the ones that are involved in tracking. So in the case of my week of web surfing, the 11,000 cookies that Chrome would've let through, Mozilla let through none.

[...]

They [Apple and Google app stores] don't do that vetting for us. And unfortunately, we as consumers can't really see that, either. To figure out what my phone was doing while I slept at night and also during the day, I had to hack my phone. I went to a guy who used to work for the NSA. His name is Patrick Jackson. He now works for a technology company called Disconnect. And he showed me how to do something called a man-in-the-middle attack on my iPhone that basically, you know, kept a copy of all of the data going in and out of my phone while I slept at night so that we could look through it together.

That's the level I had to go through to figure out what kind of data was flowing out of my phone and what trackers were running. I couldn't learn any of that from - either from Apple's software or from reading the privacy policies of these companies..."

Does anybody know how to, and willing to share a recipe for how to, "man-in-the-middle attack on my iPhone" from the second to last paragraph above?

jOshAugust 3, 2019 2:01 AM

"The document specifically mentions QAnon, a shadowy network that believes in a deep state conspiracy against President Trump, and Pizzagate, the theory that a pedophile ring including Clinton associates was being run out of the basement of a Washington, D.C., pizza restaurant (which didn’t actually have a basement)."

This is very much like a used strawman tactic to pollute the opposition position with ridiculousness in order to root them all out. We've seen this same FBI tactic used in the aforementioned "Dossier" which led to a complete full-blown investigation witch hunt.

Fool me twice, shame on me...

Clive RobinsonAugust 3, 2019 3:25 AM

@ Josh,

Fool me twice, shame on me...

From the FBI et al, point of view P.T.Barnum's alledged[1] view of,

    There's a sucker born every minute...

Is how they think and work, especially as the birth rate in the US is about seven times[2] that these days...

To them every fresh crop of suckers is an opportunity just waiting to be exploited in some way as a "Fund Raiser".

[1] The story behind the misatribution is actually quite funny. The line apparently originated with a banker named David Hannum, over a fake giant he and four others had obtained an interest in. P.T.Barnum apparently tried to buy the "Cardif Giant" and having failed had some one copy it and was charging people to see the copy. Amongst other things Barnum claimed the the Hannun giant was a fake and that he had the real giant... Hannum and his associates sued Barnum for calling his giant a fake, but the judge with rare perspicacity told Hannum to get his giant to swear to his on his own genuineness before the court if he wanted a favorable injunction... The story behind the original fake is just as crazy,

https://en.m.wikipedia.org/wiki/Cardiff_Giant

[2] According to the CDC the number of births in the US in 2018 was 3,788,235, down 2% from the 3,855,500 in 2017. So about 7.2 every minute.

JohnAugust 3, 2019 4:16 AM

"Does anybody know how to, and willing to share a recipe for how to, "man-in-the-middle attack on my iPhone" from the second to last paragraph above?"

Install Kali - it has plenty of tools to MitM anything you want, and install the certificate authority as a trusted CA on your phone. You should be able to google your way with this info.

Now mind you this won't MitM everything, since more and more apps are smart enough to check a bit more on the certificates they get on a connection - for example the built-in mail app will stop working. But for the purpose of seeing exactly the contents of what apps send out to data harvesters it is very informative.

Clive RobinsonAugust 3, 2019 5:56 AM

@ Ismar,

Disgraceful to the point that somebody should pay with their jobs

Six seperate "bugs" that when combined give in effect access to all areas without the user having to do anything insecure?

That stretches credulity...

As they say Once is chance, twice is coincidence, three time suspicious. Six sounds very much like "carefully planed and deployed for the purposes of intentian gain".

I guess when we know more we will know at what level.

I guess the question is "Has Apple had been owned?".

AlejandroAugust 3, 2019 9:58 AM

@Anders

I like the idea of the facial id resistant sunglasses. Seems blocking IR light is quite important and I didn't know it.

The only thing I can come up with is a Chewbacca mask. Admittedly, the concept needs work.

My face is in the FBI data base. What was my crime you ask?

Getting my drivers license renewed. I wondered why the cop doing the booking, I mean processing, was so insistent I NOT smile and look perfectly straight ahead.

AlejandroAugust 3, 2019 10:26 AM

Jan 25, 2019

"SAN FRANCISCO — Mark Zuckerberg, Facebook’s chief executive, plans to integrate the social network’s messaging services — WhatsApp, Instagram and Facebook Messenger — asserting his control over the company’s sprawling divisions at a time when its business has been battered by scandal..."

"The services will continue to operate as stand-alone apps, but their underlying technical infrastructure will be unified..."

https://www.nytimes.com/2019/01/25/technology/facebook-instagram-whatsapp-messenger.html

Still having a hard time understanding how this will work.

"The plan — which is in the early stages, with a goal of completion by the end of this year or early 2020 — requires thousands of Facebook employees to reconfigure how WhatsApp, Instagram and Facebook Messenger function at their most basic levels..."

Now this is where it gets really deep for me, "Zuckerberg has also ordered that the apps all incorporate end-to-end encryption,..."

Meanwhile, "...employees gathered around microphones at the WhatsApp offices to ask him why he was so invested in merging the services. Some said his answers were vague and meandering. Several WhatsApp employees have left or plan to leave because of Mr. Zuckerberg’s plans, ..."

I would say something is definitely up at FB, as usual. Lots of people bailing out, several at the highest levels.

I still want to know FB will moderate user content protected by E2E encryption? I doubt an answer will be forthcoming any time soon.

vas pupAugust 3, 2019 1:58 PM

Drones could be used in terror attacks, EU security chief fears:

https://www.dw.com/en/drones-could-be-used-in-terror-attacks-eu-security-chief-fears/a-49876427


"Biological attack

Welt cited a scenario outlined by France's counterterrorism agency in which unmanned drones carrying biological agents may drop their payload over football stadiums.

Citing informed sources, the newspaper said France's coordination unit for the fight against terrorism (UCLAT) had issued a secret report last December to the European Parliament's special committee on terrorism warning of such a possibility.

King said the Commission is supportive of efforts by EU states "to build networks for sharing information, increasing international engagement, and to provide funding for projects to counter the threat of drones."

"Drones are increasingly used for criminal activities. Organized crime gangs have deployed the technology to smuggle drugs, cigarettes and other high-value goods across borders and even into prisons.

Other malicious use of rogue drones included the 30-hour disruption to flights at Britain's Gatwick Airport in December 2018.

The increased threat from drones has prompted several companies to invent technologies that can force the aircraft out of the sky. They include hand-held weapons, drones fitted with nets to catch offending vehicles, and [that is my favorite - vp] electronic fences that jam drone signals."

By the way, same technology could be utilized by drones weaponized with all range of less-than-lethal technology for crowd control/riot fighting. In that case there is no direct clashes of rioters and police forces, operation of drones could be remote, application of payload (tear gas, stench loads, rubber bullets, stun projectiles, etc.) could be targeted more precisely from above at instigators.


AlejandroAugust 3, 2019 5:13 PM

People must show ID when they register to vote, then they get a card and are in the book.

The recent voter ID laws have clearly been aimed at creating barriers to vote. Time and again.

Has nothing to do with fraud which is the excuse. As far as voter turn out goes, I dispute the finding the restrictive laws have no impact on turn out. On face value that's doesn't compute.

Clive RobinsonAugust 3, 2019 6:04 PM

@ vas pup,

With regards,

Other malicious use of rogue drones included the 30-hour disruption to flights at Britain's Gatwick Airport in December 2018.

You quote from the article, it appears there never was a drone only collective imaginings and an over zealous police force no doubt driven on by a private company that had control of the airport and were "stock price sensitive".

Speaking of "over zealous" currently "multi-blade coptor" drones are the favourite object of "OMG think of the children" "Security Theater Thinkers". No doubt they will find a new object to fixate upon in the near future, but for now it's those "multi-blade coptor" drones of any size and shape, and some people are getting quite wealthy on the marketing of deterants and counter measures, which realistically will only work against "stock drones".

The simple fact is that for typical military and terrorist pay loads the "muti-blade coptor" drones are actually not of much use (hence most military drones look like aircraft/gliders). Most are not even of any real use as kinetic weapons or platforms for even low caliber kinetic weapons.

The deployable payload niche they do fill is for precision delivery of low mass high value objects by unskilled operators in very close proximity. Hence the use for drug and mobile phone drops into prisons.

But it is important to note that whilst 5Kgs of pure cocain is very valuable to some it is a pasive payloads just like a large bag of sugar on a supermarket shelf. They are not active payloads that need to be activated in some way at a given point in space and time requiring control circuits batteries and actuators etc.

Ever since WWI over a century ago there have been military and other stratagists that have talked up the potential of chemical, biological and after WWII nuclear waste or radiological payloads. The simple fact is with all the worlds militaries and their budgets such non kinetic weapons realy have not found an realistic delivery systems that are even close to such weapons potential. In fact the closest is conventional kinetic weapon delivery systems that have been repurposed as Fuel Air Explosive munitions...

The thing is that such "OMG thinkers" gloss over a bumber of inconvenient facts.

Firstly and importantly non kinetic NBC weapons don't send messages the way kinetic attacks do. That is they don't immediately send a visceral message of blood and guts on 24Hour News channels. Nor do they have pictures of devastation of torn and shreded cars, buildings with holes in them and broken glass and blood on the ground or fire and smoke billowing out of windows on front pages of newspapers.

Secondly and very importantly the making of any NBC payload is at least as hazardous to those making / deploying such weapons as it is to the potential targets unlike conventional kinetic weapons. Worse the complexity of the actual payload is generaly such that it is at best very sub optimal or even fails to function at all even with the simplest of activation systems.

For instance it's easy to talk about aerosol sprays to deliver NBC weapons. Well the problem starts not just in making the aerosol system but filling it etc long before the start of an attack.

As with most preasurised systems you have significant issues to do with actuators. Those of reasonable reliability thus safety are fairly heavy and need quite a bit of electrical power to operate thus batteries and control circuits add to the weight which reduces the actuall payload size significantly.

You could using RC servo parts or even tiny motors try make your own actuators. But even if you are a skilled designer and machinist there are power to weight issues on restraining preasurised liquids or gases (try making one to clip over the top of a standard under arm deodorant spray to see why). Also such homebrew actuators are likely to be of low reliability and go off unexpectadly at any point in time. Which is not exactly what your average semi-skilled or skilled terrorist want's, their aim being highly news worthy campaigns not unknown suicide.

But even if you solve that actuator issue, there is also the question of how you fill the canisters in the first place without getting milligram level releases of the agents which would be up in the LD50 or more range for effective chemical or biological agents. It's why military systems almost always tend to be atleast "two part" systems in most cases. Which significantly adds to weight and size, thus very much reducing the payload agents.

As has been observed "You'ld do better to take a 55 gallon drum drop ten pounds of sugar in it, two thirds fill it with petrol mix it thoroughly and put a stick of dynamite on a short fuse in a plastic bag in the middle, and chuck it out the back of a helicopter" (essentialy what Syria ended up doing at one point in time).

But these are not theoretical issues that can be hand waved away by "OMG thinkers" we have actuall knowledge of what can and does go wrong. If you look up a well funded well back Japanese "Death" Cult (Aum Shinrikyo). They had many top graduates from elite Japanese enginering and science Universities, they tried all sorts of things that failed and eventually ended up chucking bags of chemical weapon (sarin) around subway trains, stabbing them with sharpened umbrellas to activate them... Apparently they did not even cause much in the way of an alarm at the time of the attack and all perpetrators escaped (one was effected by the agent but survived). This was despite a previous open air sarin attack not that long before and warning letters of further attacks actually pointing out that subways were potential indoor targets.

During the Tokyo Subway attacks hospitals actually turned many victims away as they had no real idea as to what was happening. It was only when a doctor who had experience of sarin started sending faxes to Tokyo Hospitals that they started being able to treat primary victims and those who had become secondry victims by cross contamination by helping them.

https://en.m.wikipedia.org/wiki/Tokyo_subway_sarin_attack

Whilst there were deaths and some long term illnesses the casualties were actually very few compared to the capability of the chemical agents and quantities involved (~120,000 LD50 doses). Also the cost was entirely disproportionate to the results, when compared to more conventional terrorist weapons.

Whilst the larger industrial drones that can be readily obtained could carry around 130,000 LD50 doses of sarin the delivery mechanism will detract from that. Further flying the drone over even an ideal target such as a sports stadium would not result in anything like a remotely optimum delivery. Further many hospitals and first responders are now well trained on how to deal with chemical agent attacks. The cost of producing that much sarin would be very significant and realisticaly beyond anything an ordinary laboratory with well trained staff could produce. Plus the equipment and precursor chemicals are much more closely controled and monitored these days.

Making and deploying a truck bomb would be cheaper, easier, involve considerably less people, be safer and a lot quicker, whilst getting physical destruction and probably many more deaths and thus get a much higher news rating at the time of the attack.

AlainAugust 4, 2019 5:47 AM

@Clive Robinson

Correct, why bothering with drones if you can go to a few malls and poison some food products there. The farther the malls are from each other the more effect.

Or if you keep it to a stadium, just poison some food/beverages in the food stands at the stadium. The employees from those stands are probably not screened.

Who?August 4, 2019 6:55 AM

Facebook may be the product of a secret DoD-related project:

https://aim4truth.org/2019/06/13/facebook-insider-confesses-all/

What a surprise! Soon we will discover Google is another perfect self-surveillance platform were those stupid apes we call human beings publish anything about themselves and, what is worse, about anyone they know with a supreme disregard for privacy.

By the way, WhatsApp is owned by Facebook. It makes not a lot of sense asking ourselves if it can be a secure communication platform, don't you agree?

2 August 2019 00:00:00August 4, 2019 7:07 AM

@John, Ismar, Clive Robinson and Alyer Babtu

John wrote regarding MITM smartphones:

"Install Kali - it has plenty of tools to MitM anything you want, and install the certificate authority as a trusted CA on your phone. You should be able to google your way with this info.

Now mind you this won't MitM everything, since more and more apps are smart enough to check a bit more on the certificates they get on a connection - for example the built-in mail app will stop working. But for the purpose of seeing exactly the contents of what apps send out to data harvesters it is very informative."

Thanks for the feedback.

It looks like iOS 12.4 (latest version; and 12.4 might 'fix' the bugs above discussed by Ismar, Clive Robinson and Alyer Babtu in iOS 12.3 from the Kaspersky article) might not need to be jailbroken to play with this stuff.

1) A DuckDuckGo (DDG) search yielded:

https://xapax.github.io/blog/2017/08/22/MITM-a-phone.html

https://security.stackexchange.com/questions/84082/is-it-possible-to-perform-a-mitm-attack-with-a-smartphone

https://blog.heckel.io/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/

https://www.protectimus.com/blog/mitm-prevention-and-detection/

Does anybody recommend one of the above 'cookbooks' or another cookbook?

2) Another DDG search yielded:

https://www.thesslstore.com/blog/trust-manually-installed-root-certificates-in-ios/ iOS 10.3

https://support.apple.com/en-us/HT204477 iOS >= 10.3

In Addition:

https://www.kaspersky.com/blog/ios-security-explainer/23811/

"Why there’s no [Kaspersky Lab] antivirus for iOS"

2 August 2019 00:00:00August 4, 2019 8:19 AM

Last week's Squid, https://www.schneier.com/blog/archives/2019/07/friday_squid_bl_687.html#comments , talked about climate change. Here are two more links:

https://www.democracynow.org/2019/8/2/greenland_melting_climate_crisis_jason_box
"Climate System “Getting Unhinged” as Massive Heat Wave Causes Record Melting of Greenland Ice Sheet"

https://www.nytimes.com/2019/07/30/opinion/trump-climate-change.html
"Opinion
The White House Blocked My Report on Climate Change and National Security

Politics intruded on science and intelligence. That’s why I quit my job as an analyst for the State Department.

Ten years ago, I left my job as a tenured university professor to work as an intelligence analyst for the federal government, primarily in the State Department but with an intervening tour at the National Intelligence Council. My focus was on the impact of environmental and climate change on national security, a growing concern of the military and intelligence communities. It was important work. Two words that national security professionals abhor are uncertainty and surprise, and there’s no question that the changing climate promises ample amounts of both.

I always appreciated the apolitical nature of the work. Our job in the State Department’s Bureau of Intelligence and Research was to generate intelligence analysis buttressed by the best information available, without regard to political considerations. And although I was uncomfortable with some policies of the Trump administration, no one had ever tried to influence my work or conclusions.

That changed last month, when the White House blocked the submission of my bureau’s written testimony on the national security implications of climate change to the House Permanent Select Committee on Intelligence [HPSCI] ..."

Clive RobinsonAugust 4, 2019 8:22 AM

@ All,

On something kind of related to security.

French Inventor Franky Zapata on his second try has got his "jet hoverboard" from Sangat France to Dover UK (no jokes please)

https://www.bbc.co.uk/news/world-europe-49225001

Apparently he developed the board three years ago.

And for the security side. If you consider the average man in Europ weighs around 70Kg (154lb) he could easily be replaced with a light weight control system.leaving a carrying capacity of atleast 50Kg... Unsurprisingly the French Military have taken an interest and given his company a grant of ~1.4millionUSD. Peanuts by US defence grants which makes me wonder how long it will be before the IP gets stolen...

Clive RobinsonAugust 4, 2019 8:27 AM

@ Alain, vas pup, All,

I made my commets yesterday unaware of what people in the US have woken upto today,

https://www.bbc.co.uk/news/live/49227583

I'm aware people tend to behave in more extream ways as tempratures rise but three such incidents in a week is to put it politely not just shocking but very worrying.

2 August 2019 00:00:00August 4, 2019 8:33 AM

@JOsh, Clive Robinson

From Micah Lee and today's Intercept: https://theintercept.com/2019/08/04/whistleblowers-surveillance-fbi-trump/

"The Metadata Trap
The Trump Administration Is Using the Full Power of the U.S. Surveillance State Against Whistleblowers

Government whistleblowers are increasingly being charged under laws such as the Espionage Act, but they aren’t spies.

They’re ordinary Americans and, like most of us, they carry smartphones that automatically get backed up to the cloud. When they want to talk to someone, they send them a text or call them on the phone. They use Gmail and share memes and talk politics on Facebook. Sometimes they even log in to these accounts from their work computers.

Then, during the course of their work, they see something disturbing. Maybe it’s that the government often has no idea if the people it kills in drone strikes are civilians. Or that the NSA witnessed a cyberattack against local election officials in 2016 that U.S. intelligence believes was orchestrated by Russia, even though the president is always on TV saying the opposite. Or that the FBI uses hidden loopholes to bypass its own rules against infiltrating political and religious groups. Or that Donald Trump’s associates are implicated in sketchy financial transactions.

So they search government databases for more information and maybe print some of the documents they find. They search for related information using Google. Maybe they even send a text message to a friend about how insane this is while they consider possible next steps. Should they contact a journalist? They look up the tips pages of news organizations they like and start researching how to use Tor Browser. All of this happens before they’ve reached out to a journalist for the first time.

Most people aren’t very aware of it, but we’re all under surveillance. Telecom companies and tech giants have access to nearly all of our private data, from our exact physical locations at any given time to the content of our text messages and emails. Even when our private data doesn’t get sent directly to tech companies, our devices are still recording it locally. Do you know exactly what you were doing on your computer two months ago today at 3:05 p.m.? Your web browser probably does..."

2 August 2019 00:00:00August 4, 2019 9:02 AM

"Please [consider] contact[ing] Rep. Schiff's office and tell him to remove the dangerous provision and stand up for press freedom [ https://freedom.press/news/tell-rep-adam-schiff-to-remove-this-dangerous-secrecy-provision-from-this-years-intelligence-bill/ ] ahead of next week’s vote. [The vote may be early next week.] The contact information for Rep. Schiff and his office are below. The House may vote on the IAA [This year’s Intelligence Authorization Act] as soon as early next week.
Phone: (202) 225-4176 Twitter: @RepAdamSchiff or @AdamSchiff"

Also from the above link:
"Freedom of the Press Foundation’s executive director Trevor Timm released the following statement about the controversial provision.

'The press is critical in holding intelligence agencies like the CIA accountable for breaking the law, and this bill is a clear attempt to stifle press freedom. It’s an open invitation to the Trump administration to hide government criminality behind official secrecy and potentially prosecute reporters for revealing it. Anyone in Congress who cares about press freedom should vigorously oppose this dangerous bill. We urge Rep. Adam Schiff to do everything in his power to withdraw this misguided provision.'"


Why would Adam Schiff insert a provision in this year's intelligence bill that threatens press freedom? Because:

1) He wants a cost for President Trump, et al., to out CIA assets, in general, or to get them fired?

2) He is beholden to President Trump, et al., or the Military-Industrial Complex?

3) He thinks press freedom is obsolete, quaint, or other?

4) Fill in the blank.


Also https://freedom.press/training/-depth-guide-choosing-web-browser/

Clive RobinsonAugust 4, 2019 9:22 AM

@ 2Aug...

Most people aren’t very aware of it, but we’re all under surveillance.

Even when they are made aware of it they ignore it as "lazyness and convenience" trumps what would be called "common sense".

Even when you tell someone directly because they keep pushing you to get on XXX as the best thing since sliced bread, you get in effect either "I don't care" or "You are paranoid" back from them.

As Ed Snowden showed, to be a successful whistleblower with enough of a trove of documents to actually be believed by some, you have to have very good OpSec and practice a lot of caution.

But once you are known as a whistleblower or publisher of such documents, as can be seen with Julian Assange the US Executive will spend billions on trying to get their hands on you. Not for justice, but petty revenge and message sending.

You need to be well informed and practiced in OpSec to have a chance. Which can take years to get right. Thus "spur of the moment" whistleblowers are usually doomed before they even look for the documents, that most either won't believe or won't care about.

But this is not realy new news, a look back at the 1980's showed similar behaviour. Only the scope the Government had in surveillance over individuals was a lot lot less.

Contrary to the myth of "Keeping US Citizens safe" almost the sole reason is "Keeping US IC and LEO employees out of jail". Such behaviour is very much not those of "The Good Guys" but those who know "We do evil every day".

The rest of the Western World is probably on average better informed about the behaviours of US IC and LEO employees than the average US Citizen. Because the US MSM mainly does not touch such stories if they can avoid doing so...

Thus the US Gov IC and LEO entities are now due to technology "beyond a tipping point" that we are ever likely to cross back.

We can see this in other WASP nations, UK and Australian law is such that as far as our now rapidly expanding digital lives are concerned there is "No right of silence"...

Bruce SchneierAugust 4, 2019 10:34 AM

@FAKE NEWS SPOTTING and @Leon Friedenstein:

I deleted several of your comments. Cool it.

2 August 2019 00:00:00August 4, 2019 11:19 AM

Regarding domestic terrorism, does the following have merit? Unintended consequences?

https://twitter.com/SeamusHughes/status/1157811616022482944
"@SeamusHughes skips the reflexive “thoughts and prayers” response and instead offers up some practical, we-could-do-this-tomorrow steps to improve our response to domestic terrorism. Anybody on the NSC staff at the White House paying attention? Read this thread...do what he says."
[Nicholas Rasmussen added]

[...]

Seamus Hughes
Verified account @SeamusHughes
Good legislation takes time. Here’s 4 relatively simple bureaucratic policy changes the Administration could do tomorrow to better address domestic terrorism. 1/5

Rise the stature of the domestic terrorism coordinator position within DOJ, including giving him having a staff of detailees from DHS and FBI.

You can watch the current Coordinator’s talk here at @gwupoe

https://extremism.gwu.edu/events/discussion-dojs-domestic-counterterrorism-coordinator2018

[2/5]

Bring back the DOJ’s Domestic Terrorism Executive Committee and give it some teeth.


[3/5]

Push out the domestic terrorism prevention strategy at DHS that’s in draft. To its credit, it deals with both international and domestic terrorism. Couple it with a legislative outreach strategy to ensure funding.

[4/5]

And finally, publicly announce the National Counterterrorism Center’s expansion of mission to include all forms of terrorism, including domestic. Do so with a major policy speech.

[5/5]

[Seamus Hughes goes on to say:]

If it helps, I’ll [Seamus Hughes] take off work Monday, give me a one day blue badge as a NSC Senior Director, will convene the Deputies Committee, put into into a SOC, and be home in time for dinner..."

AlejandroAugust 4, 2019 12:20 PM

@Who

I read, or at least skimmed most of that very long article, "Facebook Insider Confesses All"

IF 10% of it is true, it would bring down FB and a whole lot of other people and entities.

Of course the problem is it's...anonymous. So, there you go. Another is, on face value some of it seems, to say the least, a bit over the top.

Last, I think this blog, in particular, has beat up on FB enough. At least for this weekend.

I am going to go back and see if I can independently verify some of the revelations in it. Honestly, I think I won't get very far and I am no fan of the man we know as Zuckerberg.

vas pupAugust 4, 2019 2:23 PM

@Clive on drones. Thank you for your opinion and input on the subject.

As I understood out of Japanese preparation for biological warfare (WWII), they used kind of ceramic bomb filled in with insects infected by viruses to start epidemic on enemy. Bomb was dropped and supposed to break apart by force of hitting the ground, and insects should get out.

For terrorist biological plot scenario the purpose is to create just panic on stadium utilizing harmless but very unpleasant insects (e.g. bed bugs). The rest is done by crowd stampede. Delivering could be by balloons attached to the drones kind of gliders, and the pierce above stadium. By the way, same could be done by advertisement balloons and/or Zeppelin/blimp usually utilized to fly above stadium and other similar mass events.

Conclusion: biological agent is used just as trigger of panic and stampede which become basic source of casualties.

Suggestion: all listed above should be consider as possible tools of attack and screening and other precautions should be taken by local LEAs in advance of event.

AlejandroAugust 4, 2019 5:59 PM

I don't want to close out the weekend without mentioning what I found while doing some fact checking on the anonymous article, "Facebook Insider Confesses All".

Basically, my finding is: a very interesting and entertaining piece of untrustworthy historical fiction.

Probably not a good idea to use it as a source or quote it.

PS: As I said before, definitely NOT a Z. fan.

m codeAugust 4, 2019 10:56 PM

@Clive Robinson

"The rest of the Western World is probably on average better informed about the behaviours of US IC and LEO employees than the average US Citizen. Because the US MSM mainly does not touch such stories if they can avoid doing so..."

That may be true, but black parents often have 'the talk' with their black children.

https://www.youtube.com/watch?v=Mkw1CetjWwI
Dear Child - When Black Parents Have To Give "The Talk" 3:05

https://www.youtube.com/watch?v=_sNNTpORtDQ
Alabama Shakes - Gimme All Your Love (Live on SNL [Saturday Night Live]) 4:22

http://acltv.com/wp-content/themes/austincitylimits/youtube.php?video_id=u5JQGGCop1Y&title=Buddy%20Guy%20-%20Behind%20the%20Scenes&slug=buddy-guy
Buddy Guy | Behind the Scenes at Austin City Limits 1:01

http://acltv.com/wp-content/themes/austincitylimits/youtube.php?video_id=bz2UnydkfQM&title=Buddy%20Guy%20-
Buddy Guy on Austin City Limits "Born to Play Guitar"

http://acltv.com/wp-content/themes/austincitylimits/youtube.php?video_id=ybzQyti34vY&title=Buddy%20Guy%20-
Buddy Guy on Austin City Limits "Nine Below Zero"

and so on at http://acltv.com/artist/buddy-guy/

CallMeLateForSupperAugust 5, 2019 1:05 PM

"Vendor it out" is a popular means to an end. Popular because, let's face it, what business wants to reinvent itself in order mediate, in-house, a problem that is beyond its experience?(1) Call in a specialist to squash the problem. Oh, but first... you do have robust policies and procedures for vetting prospective vendors, right?

"Understanding and Managing Third Party Vendor Risk"
https://www.infosecurity-magazine.com/next-gen-infosec/third-party-vendor-risk/

(1) My first job "out of the green" (Hi, @Clive;-) ) was electronics technician at a major optics-oriented business. I was in a cozy group comprising 4 PhDs, 2 EEs, 2 mechanical techs. and 2 electronics techs. When it came to marrying optics with electronics, we were it. The first project I worked on required marrying a minicomputer with "everything else". The first tasking "my" engineer got was to bash out a video monitor interface card for the minicomputer. Neither of us had any experience with computers nor video monitors nor interfaces between the two, but our boss held that "We are "electro-optics lab; we can do it." Well, our ad hoc interface refused to work, and ten days of o-scope probing and head scratching and swearing through gritted teeth zero effect. So at lunch time, on a personal whim, I phoned the monitor mfgr. and inquired about Model-XYZ interface card to HP-2116 mini. Not only was it stock, it cost just under $80.00. We should have purchased one at the outset.

Clive RobinsonAugust 5, 2019 4:56 PM

@ Anders,

With regards "Facebook knows more about you than the CIA"

There are some points to note,

Firstly the CIA remit is foreign not domestic so they really should not know anything about you unless you have "unsavoury foreign contacts".

Secondly since the GWB executive reorganised the US Intel Community and created the DHS etc the CIA realy does not need to keep records on you. It's only if you come up on their radar for your "unsavory foreign contacts" will they need to pull your records from the rest of the IC and LEO agencies and other federal and state agencies, and that might be done "as a courtesy" via a domestic agency such as the FBI. Much as the NSA did to get NSL's on Telcos and the Silicon Valley Big-Corps of GAFAM et al.

Thirdly you may remember that Sentor Diane Fink pushed through legislation protecting companies from civil action or criminal prosecution with regards collected data that they freely handed over to the US Domestic Intel agencies. So you can make a reasonable assumption that everything Facebook has collected directly has been handed over to the Domestic IC agencies (not that they are too woried about that, the crown jewles / money game is in the results of their processing it, and that they sell only to certain people as the Cambridge Associates debacle revealed).

So the question realy should not be how much more does the CIA know about you compared to Facebook but the FBI or other domestic agencies.

One thing we do know for certain though is that for certain parts of the US such as LA, Peter Theil's Palantir certainly knows more about you than the Domestic IC and LEO agencies, because it has them directly entering all their intel about you into Palantir's systems. Whilst Palantir also pull in all sorts of other data about you from commercial agencies etc. These data sources Palantir then slices dices mixes matches and blends into a much more delectable dish that they then sell on to other Domestic IC and LEO agencies.

What the kick back from Palantir to the CIA is either in money or information or both we don't know, But we do know that the CIA has significant interests in Palantir one way or another...

So the story is kind of bogus in many respects, and is in effect cheap shot journalism aimed at the current "idiot in the barrel" as that will "sell copy, thus advertising". It's not serious investigative journalism breaking more profound issues about those hiding in the twilight like something realy nasty in the wood pile...

Clive RobinsonAugust 5, 2019 6:32 PM

@ Anders,

No matter how good their intentions are, they have no chance changing anything from inside [Facebook].

I would (and have) said that is a given, but shareholders can in limited ways[1]. The structure of FB in equity, financial, and operational terms, tells you that. As it puts all the control in a very very limited number of hands, that think they have a winning formular that there is no reason to change only prevaricate about (which is why the recent whining from Whatsapp people is "so sad" because they are deluding themselves).

The point is the article title is in effect irrelevant to the objective of the article (bashing FB) to the point of being effectively "clickbait".

Likewise the questions are "chat show host" in nature not "investigative". Nor importantly is it comparing and contrasting other major players to FB. Thus if FB does get another drubbing that will in most peoples minds be "the swamp drained" where as nasty as they are FB is but a small part player in a much much larger tragedy play. Thus focusing on FB could be seen as a ploy to give a pass to the rest of the swamp dwellers...

[1] https://www.schneier.com/blog/archives/2019/02/facebooks_new_p.html#c6788553

ThothAugust 6, 2019 12:04 AM

To put into perspective, the currently heavily centralized Internet relying on centrally controlled DNS servers, hosting providers, service providers, security providers (including Cert Auths) are the pain to handle.

Existing decentralization technologies (P2P, blockchain, TOR, et. al.) are not going mainstream and many of these technologies can't cut it in terms of handling loads or security.

The drama of centralized Internet infrastructure on 8chan continues ...

Nothing much we can do except make more noise here and elsewhere :)

There's a reason why these big Internet companies stay big and powerful, because there is actual demands and they are flushed with cash and resources.

There is a saying that money (resources) is everything including "bribing the dead".

Link:
- https://techcrunch.com/2019/08/05/8chans-new-internet-host-was-kicked-off-its-own-host-just-hours-later/

Clive RobinsonAugust 6, 2019 2:41 AM

@ Thoth,

ditch the use of Cloudflare ... permanently

For various reasons like I heard "bad stuff about GoDady" I've heard "bad stuff about Cloudflare" going back quite some time, but this was "technical" bad stuff not moral.

The problem is avoiding them...

With GoDaddy you can remove their root cert from your system which gives you warning of sites hosted on their systems. Unfortunatly avoiding Cloudflare is not as easy as they are a common service carrier for not just content providers but telecommunications service providers as well.

But if the ARS article is,correct, Cloudflare's CEO Matthew Prince has made a number of mistakes in his statments,

    "They [8chan] have proven themselves to be lawless, and that lawlessness has caused multiple tragic deaths."

Reprehensible as 8chan may or may not be --I'm not making judgment--
they have not actually caused multiple tragic deaths. It's the directing mind of the gunman that caused the finger to squeeze the trigger on the gun. To blaim 8chan would be like blaiming the owner of a wall for racist behaviour because on the wall racist graffiti has been scrawled. 8chan as far as I am aware does not claim to be a "publisher", in effect it tries to act a content distributor like a postal, parcel or courier service, that is they would probably claim they are acting as a "common service carrier" (until either a judge or regulator decides otherwise).

Mr Prince is acting as, judge Jury and executioner, and that is never a good idea as it can lead to real legal issues for him and Cloudflare...

However Mr Prince compounds things by also saying,

    "Some have wrongly speculated this is due to some conception of the United States' First Amendment. That is incorrect. First, we are a private company and not bound by the First Amendment. Second, the vast majority of our customers, and more than 50% of our revenue, comes from outside the United States where the First Amendment and similarly libertarian freedom of speech protections do not apply."

The only first ammendment issue is if Mr Prince has made factually incorrect statments in writing and has he caused harm by so doing?

In many of the jurisdictions Cloudflare operates in there is as Mr Prince has noted in his second point no right of protected speech... Mr Prince has claimed on behalf of Cloudflare that 8chan is not just responsible for the deaths but also unspecified lawlessness, something tells me he can not substantiate those claims to the required level. Thus if 8chan can show harm in one of those jurisdictions without that level of "protected speech" such as say the UK Mr Prince could find himself on the end of a very nasty law suit that effects not just him personally but Cloudflare, it's owners and shareholders...

But Mr Pribce is also wrong in his first point reasoning as well. Cloudfare has set it's self up for legal reasons as a common service provider, with that protected legal status comes legal obligations. One of which is to carry all traffic without regards to content provided it is "under cover" which SSL etc would provide. Thus provided 8chan can pay for service, there is no specific legal impediment in place, and 8chan are not an endangerment for verifiable technical reasons "at the demark" then Cloudflare has to accept the business. Or face loosing it's common carrier status in any jurisdiction 8chan might chose to refer Mr Prince and Cloudflare to the jurisdiction's telecommunications regulator...

But Mr Prince has clearly not thought things through far enough. His statments may well have unfortunate side effects with regards more authoritarian jurisdictions, by in effect claiming that Cloudflare is not a common service provider but a company that can excercise discretion it leaves Cloudflare open to all sorts of potential pit falls. For instance some jurisdictions have anti-discrimination laws, which if 8chan for instance carries religious, alternative gender etc traffic means further potential problems with claims of discrimination. Likewise there is the opposit problem, by acknowledging that it knows what sort of traffic 8chan provides it means Mr Price has declared "editorial control" thus has made Cloudflare a "publisher" thus from now on will have to "moderate" all traffic to the requirments of all legislation in all the jurisdictions it operates in...

It's why Mr Prince should have informed appropriate Law enforcment claiming a third party had informed him or made complaint, dropped it all into the law enforcments lap, then sort legal remedy from a court. Then and only then make public statment to that effect...

Unfortunately for Mr Prince he has,left the ball in 8chan's court, what they do with it is upto them. My guess is that they will first find another service provider that understands the obligation of being a common service carrier (8chan have a legal obligation to take reasonable steps to limit harms if they decide to go after Mr Prince or Cloudflare).

As I've noted what Mr Prince and Cloudflare should have done is refer 8chan as a matter of legal priority to Law Enforcment in the US and then use that to seek a protective judgment in a court to get an appropriate legal remedy that would have enabled them to disconnect 8chan without further issue. Which importantly would then also have alowed Cloudflare to block all 8chan traffic from being carried across their networks if routed via a third party telecommunications supplier.

Sometimes getting the horse before the cart has actual extra advantages rather than just avoiding disadvantages.

AlejandroAugust 6, 2019 1:46 PM

@Clive Robinson

I ran into a buzzsaw at another forum trying to explain how Mr. Prince's dictatorial hack of 8chan was wrong. (several of my comments were voted down and removed interestingly enough.?)

Most people think he's quite a hero.

Doesn't bode well for the right to free speech and free association for the entire world, not to mention contractual obligations, when one guy, on his own personal whim, can take down an entire website because he doesn't like what one person said, which was protected speech in the USA, regardless.

It's a bad sign.

What if every CEO, or other high person, providing service to the internet pipe could summarily take down entire websites, and then expect the world to cheer him on?

vas pupAugust 6, 2019 2:33 PM

German authorities turn to AI to combat child pornography online:

https://www.dw.com/en/germany-new-ai-microsoft-combat-child-porn/a-49899882

"One could view Germany as behind nations such as the United States and China in the application of AI — from cybercrime to education and healthcare, Tyson Barker, trans-Atlantic and digital program director with the Aspen Institute Germany, told DW.

But Germany is "well served" in practicing a bit of caution, he said: The societal implications of AI technologies — such as privacy concerns, government abuse and the erosion of democratic values — are being discovered in real time around the world.

Without a national framework for AI development and implementation that protects democratic values, nations such as the US and China "are changing the tires on the car as it's moving," he said.

A 2016 investigative report by ProPublica revealed racial bias in AI algorithms for analyzing whether inmates should be eligible for parole in the United States. Meanwhile, a report by The New York Times uncovered Chinese efforts to use AI to identify and intern members of minority groups.

"These things are still in experimental phases," Barker said. Though AI allows "you to drill through the layers of encrypted [child pornography] much more easily ... there has to be humans in the loop, as well as a sophisticated judicial process between the courts and the executive."

"Once that's in place, you'll have the basis to do something in Germany," he added."

AlejandroAugust 6, 2019 2:57 PM

@vaspup

AI moderation, in the name of the children, et al, seems to me to be the next big thing towards world wide intense censorship of all electronic content in the world. I am guessing the new system will make the Chinese jealous.

The technology is coming up to speed, so they can. And will.

Encryption is non event if all content must be sent, in plain text, in parallel to big brother, to make us safe.

It appears to me Germany, England, the USA and Five Eyes in general are implementing it right now. I am guessing several big tech companies have fallen into line or are ready to do so...

Stay tuned.

Or, maybe my tin foil hat is on a little too tight today.

lol?

vas pupAugust 6, 2019 3:23 PM

@Alejandro: Thank you for your input.

This is important part:
"there has to be humans in the loop, as well as a sophisticated judicial process between the courts and the executive."

So, AI will NOT do final decision or just be a tool. Good.
Judicial process should provide kind of due process if not just rubber stamping what LEAs submitted.

By the way, what kind of training input they suppose to provide for AI? Meaning, child in North countries and child in South countries with the same age could look quite different. As usually, devil was/is/and will be as usually in details.

vas pupAugust 6, 2019 4:06 PM

Former FBI Porfiler James Fitzgeral discussed on Tucker Carlson show menatl health issues and their contributing factor in mass shooting:

https://www.youtube.com/watch?v=GWdZG6qQOro

Strating min 10:00 to min 14:50.

That part of the show is based on PROFESSIONAL opinion of the expert. No political BS is in this part.

name.withheld.for.obvious.reasonsAugust 6, 2019 5:12 PM

Policies and attitudes that are part of an administrations profile can be expressive when it comes to outcomes. With the current spat of violence that is on scale with individuals can be reflective of what will occur at scales orders of magnitude greater. Nation state reactions are as susceptible to manipulation and coercion as are the actions of individuals. The fact that the state is populated with individuals where either a breakout of a group think model (weakened majority) or that the group think model embraces an individualistic behavior (strengthened individual). We've yet to see the poverty of ideology, the push out actions resulting from the continued entertainment of poor or impoverished thinking.

Put on your best diapers, get some wipes, and seek rational retreats.

2 August 2019 00:00:00August 7, 2019 3:40 AM

@mild, JOsh, Clive Robinson
Two links that pertain to 'shame on you; shame on me'

1) https://www.emptywheel.net/2019/08/06/on-same-day-peter-strzok-sues-for-his-termination-judicial-watch-releases-mostly-redacted-list-of-fbi-leakers/

2) https://www.emptywheel.net/2019/08/06/the-transcript-the-frothy-right-claims-exculpates-george-papadopoulos-instead-damns-him/

From 1): "Peter Strzok [remember the FBI employee who was texting his FBI girlfriend Lisa Page (with both using, AFAIK, government issued phones)] is suing the Attorney General, FBI Director, and DOJ for his termination, arguing two key things. First, the government overrode the decision of OPR Assistant Director Candice Will, who should have been the “deciding official.” He’a also arguing that the decision came as a result of relentless pressure from the President and with evidence of bias.

To demonstrate bias, Strzok notes that Trump has not responded even when people — he points to Kellyanne Conway but notes she’s just one of numerous examples — who has been found to violate the Hatch Act.

'The Trump Administration has consistently tolerated and even encouraged partisan political speech by federal employees, as long as this speech praises President Trump and attacks his political adversaries. For example, President Trump rejected the recommendation of his own Office of Special Counsel that advisor Kellyanne Conway be removed from her job for repeatedly violating the Hatch Act by attacking former Vice President Biden and publicly advocating for and against various U.S. Senate candidates. When asked about the OSC’s recommendation, Mrs. Conway responded “blah, blah, blah…If you’re trying to silence me through the Hatch Act, it’s not going to work. Let me know when the jail sentence starts.”'

But he also claims that “no actions have been taken” against the FBI Agents who showed bias against Hillary Clinton during the election, not even those who leaked negative information about her."


From 2): "Last Monday, Republican huckster lawyer Joe Di Genova promised — among other things — that the documents the frothy right has been promising will blow up the Russian investigation would be released Wednesday — that is, a week ago. The frothy right — which for some unfathomable reason is following sworn liar and all around dope George Papadpoulos like sheep — believes that a transcript of the interactions between him and Stefan Halper somehow includes evidence that undercuts the case that there was probable cause that Carter Page was an agent of a foreign power.

An exchange from Sunday, however, confirms that the transcript in question shows that Papadopoulos was actively lying in September 2016 about his ties to Russia. In an exchange with Papadopoulos, Maria Bartiromo confirmed that the transcript in question is the one on which the former Trump flunkie told Stefan Halper that working with Russia to optimize the release of emails stolen from Hillary would be treason."

CallMeLateForSupperAugust 7, 2019 10:10 AM

Oh goody ... another hole punched in speculative execution .

"Security researchers are warning of a new speculative execution vulnerability affecting all modern Intel processors which could allow attackers to access sensitive data stored in the kernel.

"The CVE-2019-1125 flaw bypasses all mitigations put in place after the discovery of Spectre and Meltdown in early 2018, according to Bitdefender. It’s said to affect all processors built since 2012, running on Windows, Linux or FreeBSD laptops and servers – meaning consumers and enterprises are at risk.

"It could enable a side-channel attack that abuses a little-known system instruction called SWAPGS, exposing data in privileged portions of the kernel memory such as passwords, tokens, private conversations, encryption and more."

https://www.infosecurity-magazine.com/news/new-intel-swapgs-flaw-spells-bad/

Clive RobinsonAugust 7, 2019 11:19 AM

@ CallMeLate...

Oh goody ... another hole punched in speculative execution .

There's a reason I called it the "Xmas gift that keeps giving", I see it's still bringing you joy ;-)

Realistically I can see another three years at least of these sorts of revelations, probably longer maybe a decade or so if the younger readers here are unlucky.

As I've said befor there is no way modern platforms be they PCs, Laptops, tablets, Smart Phones or Smart Watches are secure, nor can they be in their own right with this sort of hardware issue. Thus the rule to remember is,

    If it's connected you are OWNED.

It's simple to remember and with a little thought about,

    Geting your Security End Point out of reach of your Communications End Point.

You will realise that,

    Energy Gapping will substantially reduce your risk.

Not just to "known attacks" or the latest "zero days" but a substantial number of "future attacks" that are genuinely not yet known (yup read that again, it's true).

That is something AV, Firewalls, data diodes and security apps and other software don't in any way get even close to offering in the way of security.

So if you want privace rather than Data Rape in your future, at the end of the day,

    You pays your money and you makes your choices...

Believe it or not with a little thought you can make an old Win XP laptop that does not even have WiFi more secure than anything you can buy on the consumer market today. It will also once you clear off the bloatware crap perform more than well enough for day to day work and administrative functions.

    You just have to know how!

Which I've mentioned on this blog a few times over the years amongst other places.

vas pupAugust 7, 2019 1:49 PM

Russian drone Okhotnik makes maiden flight:
https://www.dw.com/en/russian-drone-okhotnik-makes-maiden-flight/a-49935124

"The wedge-shaped drone developed by the Sukhoi company is a big step forward compared to other unmanned aerial vehicles previously developed in Russia.

Russian media reports claimed that Okhotnik weighs 20 tons and can travel up to 5,000 kilometers (3,100 miles).

The drone has advanced reconnaissance and stealth capabilities and was airborne for 20 minutes."

I guess nothing prevents to weaponize it as well.

vas pupAugust 7, 2019 2:11 PM

New test to snare those lying about a person's identity:

https://www.sciencedaily.com/releases/2019/08/190807105618.htm

"A new test could help police to determine when criminals or witnesses are lying about their knowledge of a person's identity.

A team led by Dr Ailsa Millen, Research Fellow in Psychology at Stirling, conducted a study to establish whether liars could hide their reaction when shown a photograph of a familiar face -- and found that they could not.

Dr Millen said: "Police officers routinely use photographs of faces to establish key identities in crimes. Some witnesses are honest -- but many are hostile and intentionally conceal knowledge of known identities. For example, criminal networks -- such as terrorist groups -- might deny knowledge to protect one another, or a victim might be too afraid to identify their attacker.

"Our study tracked people's eye movements when they denied knowledge of someone they knew. Instead of looking for signs of lying directly, we looked for markers of recognition in patterns of eye fixations -- such as how individuals looked at a photograph of someone they recognized; compared to someone they did not.

"The main aim was to determine if liars could conceal recognition by following instructions to look at every familiar and unfamiliar face with the same sequence of eye fixations -- in short, they could not."

They used a process known as the concealed information test (CIT), in which participants' eye movements are tracked while viewing photographs of familiar and unfamiliar faces on a computer screen. In each test, participants denied knowledge of one familiar identity while correctly rejecting genuinely unfamiliar faces, by pressing a button and saying 'no'.

The team found that most liars could not fully conceal markers of face recognition -- either spontaneously, or during explicit strategies to look at every face with the same sequence of eye movements. Moreover, these explicit attempts uncovered more instances of concealment than spontaneous attempts to hide knowledge."

vas pupAugust 7, 2019 2:22 PM

Seeing how computers 'think' helps humans stump machines and reveals AI weaknesses:

https://www.sciencedaily.com/releases/2019/08/190806104905.htm

"Researchers have figured out how to reliably create questions that challenge computers and reflect the complexity of human language through a human-computer collaboration, developing a dataset of more than 1,200 questions that, while easy for people to answer, stump the best computer answering systems today. The system that learns to master these questions will have a better understanding of language than any system currently in existence.

In the new interface, a human author types a question while the computer's guesses appear in ranked order on the screen, and the words that led the computer to make its guesses are highlighted.

For example, if the author writes "What composer's Variations on a Theme by Haydn was inspired by Karl Ferdinand Pohl?" and the system correctly answers "Johannes Brahms," the interface highlights the words "Ferdinand Pohl" to show that this phrase led it to the answer. Using that information, the author can edit the question to make it more difficult for the computer without altering the question's meaning. In this example, the author replaced the name of the man who inspired Brahms, "Karl Ferdinand Pohl," with a description of his job, "the archivist of the Vienna Musikverein," and the computer was unable to answer correctly. However, expert human quiz game players could still easily answer the edited question correctly.

By working together, humans and computers reliably developed 1,213 computer-stumping questions that the researchers tested during a competition pitting experienced human players -- from junior varsity high school trivia teams to "Jeopardy!" champions -- against computers. Even the weakest human team defeated the strongest computer system."

My take: could we train machine to be good interrogator?

CallMeLateForSupperAugust 8, 2019 10:34 AM

"A series of vulnerabilities in WhatsApp which could permit hackers to tamper with conversations have been made public.

"On Wednesday, Check Point security researchers Dikla Barda, Roman Zaikin, and Oded Vanunu revealed three methods of attack exploiting these vulnerabilities.

"[...] Vanunu said that the vulnerabilities have existed for a year, despite responsible disclosure in 2018.

"Facebook said the WhatsApp bugs were due to "limitations that can't be solved due to their structure and architecture," according to the Financial Times."


Can't be solved. Huh?!


"WhatsApp vulnerabilities 'put words in your mouth,' lets hackers take over conversations"
https://www.zdnet.com/article/whatsapp-vulnerabilities-puts-words-in-your-mouth-lets-hackers-tamper-with-text/

CallMeLateForSupperAugust 8, 2019 11:03 AM

@Clive
"I see [the Xmas gift that keeps giving] is still bringing you joy ;-)"

Only to the extent that doing a faceplant expresses joy. (But working your oft-used phrase, "wearing the green", into my post *was* fun. :-) )

This morning I read an article about 5G and the current $$ cost to early adopters. Gawd I am so blessed that cellular, LTE, 5G, IoT, and other wet dreams "like autumn winds they blow right through me:.

"I'm just sittin' here watching the wheels go 'round and 'round
I really love to watch 'em roll
No longer riding on the merry-go-round
I just had to let it go"

Clive RobinsonAugust 8, 2019 11:18 AM

@ CallMe...,

This morning I read an article about 5G and the current $$ cost to early adopters.

There used to be a valid saying,

    A fool and their money are soon parted

Then MBA course tutors worked out how to make it a standard business model to teach to boomers and millennials.

The key behind it is the ability to "lie with impunity", just get your slice up front and then bribe a politico with it to grant you rent seek privileges in perpetuity...

PatriotAugust 8, 2019 11:30 AM

The relationships between China/USA, South Korea/Japan, and China/Japan are fraying at the same time. Many Japanese factories have recently decided to pull up stakes and soon move out of the PRC. This is a clear indication of how bad the current conflicts really are.

This instability is not going to be helpful in preventing military conflict in the South China Sea or elsewhere in the Pacific. The U.S. is clearly trying to contain China. And if you read the Washington Post (which was recently blocked in China--rightfully, to my mind), you will get a shockingly unfair and deliberately misleading take on what is going on in the Far East. The WaPo tries to paint China as another North Korea, and that is simply not the case at all. The WaPo's Looney Tunes reportage on the Far East is driven by their domestic U.S. political agenda. I think this is really bad.

The Yuan got devalued this week past 7.00. This last happened in April of 2008, if memory serves me. Something is afoot, and it is not good. The most interesting of these moving pieces is South Korea. If one did not know better, one might conclude that it was moving away from its alliance with the United States!


Clive RobinsonAugust 8, 2019 12:28 PM

@ Bruce and the usual suspects,

Time to learn a new "attack vector" name and meaning,

https://techcrunch.com/2019/08/06/warshipping-hackers-ship-exploits-mail-room/

It's not exactly a brand new attack method back in the 1970's it was not unknown for a parcel containing a desk clock or similar to be sent to an exec or director of a company. Supposadly from a supplier or similar that contained a bugging device (variation on "Great Seal" attack on US Embassy in Moscow).

Likewise supply / repair techs have been known to hide similar equipment under desks, plugged into the mains. A Britsh "building Society (mutual bank) had this done to them.

Again it's not to disimilar to an attack a large Supermarket had when prepay-SIMed cellular phone modules were somehow put in a shipment of ePOS terminals.

It's why I advise Security People including Pen-Testers to learn how to use Software Defined Radio units and log-periodic IQ antenna systems for automated direction finding (traditional bug sweepers just don't cut the mustard these days).

The simple fact is a couple of hundred euros will get you four SDR dongles and four 0.5-5GHz LPDA's and the cables. There is Open Source "radio astronomy" software that you can modify to make a "Long Base Line" style RX unit that will give a very acurate direction. This has the performance of very high price "Electronic Warfare" units from just a decade or so ago.

Clive RobinsonAugust 8, 2019 1:05 PM

@ The usual suspects,

Fresh from Google's Project Zero, an interesting posting about several Apple iPhone issues from Natalie Silvanovich,

    While there have been several rumours and reports of fully remote vulnerabilities affecting the iPhone being used by attackers in the last couple of years, limited information is available about the technical details of these vulnerabilities, as well as the underlying attack surface they occur in. I investigated the remote, interaction-less attack surface of the iPhone, and found several serious vulnerabilities.

https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surface-of.html

Clive RobinsonAugust 8, 2019 1:19 PM

@ All,

Is Google Evil? Is a valid question, just as often as you find them doing something usefull, you find them doing something decidedly unsavour, imoral and illegal in quiye a few jurisdictions.

A case in point,

https://www.theguardian.com/business/2019/aug/07/monsanto-fusion-center-journalists-roundup-neil-young

Monsanto the AcroChem GMO company is not exactly liked by many, and the fact it's now been taken over by a European Company does not appear to have improved it's behaviour.

Monsanto set up a "fusion center" to not just target journalist but actively attack them. Google was quite happy to take a fat cheque from Monsanto to actively debegrate the journalist and their work...

The whole story tells you one thing, Big-Corp be they AgroChem, Silicon Vally or Big Pharma, care nothing about the truth, the law or the harms they know they are causing and will attempt to destroy people without a thought just to hide their harmful activities.

Clive RobinsonAugust 8, 2019 2:01 PM

@ For those interested in QC,

A personal investigation by Gil Kalai as to why Quantum Computing may not actually go anywhere,

    We give a computational complexity argument against the feasibility of quantum computers. We identify a very low complexity class of probability distributions described by noisy intermediate-scale quantum computers, and explain why it will allow neither good-quality quantum error-correction nor a demonstration of "quantum supremacy." Some general principles governing the behavior of noisy quantum systems are derived. Our work supports the "physical Church thesis" studied by Pitowsky (1990) and follows his vision of using abstract ideas about computation to study the performance of actual physical computers.

https://arxiv.org/pdf/1908.02499

Clive RobinsonAugust 8, 2019 4:11 PM

More contractors listen in

The other week we learned what had been suspected that contractors to the Big Silicon Valley companies were listening to people in their homes via the likes of Alexa...

Well this week surprise surprise it's Nicrosoft Contractors listening in to Skype calls,

https://www.vice.com/en_us/article/xweqbq/microsoft-contractors-listen-to-skype-calls

What increasing numbers of people believed likely after Microsoft took over Skype and started making visable changes that suggested the likely reason was to "snoop" on traffic. Some only thought meta-data others a little more worldly wise thought communications (which technically is in breach of US wire tap legislation).

Clive RobinsonAugust 8, 2019 4:34 PM

@ All,

I mention from time to time that you do not own the Smart Device in your pocket. The OS and the Apps are controled by the OS Developer, is known to most people implicitly even though they might not have thought about it explicitly.

Likewist the "Over The Air" (OTA) transceiver is controled in part by the hardware design entity who programed the interface microcontroler. But mainly control is by the microcontroler on the SIM the "service provider" supplies you with. Which puts your service provider in the driving seat.

Or does it, because the SIM is the slave half of a Master - Slave relationship. If others can get control of the master at ISO OSI level 6 or above then they own the Smart Device interface.

As it's been discussed on this blog one way or another over this past week, it's interesting to see it's also a subject coming up on other security web sites,

https://krebsonsecurity.com/2019/08/who-owns-your-wireless-service-crooks-do/

As Brian Krebs points out, whilst in theory the service provider is in control the veey weak security controls they have in place make it all to easy for criminals to take control of your phone and put it beyond your control,

https://krebsonsecurity.com/2019/08/who-owns-your-wireless-service-crooks-do/

gordoAugust 8, 2019 7:25 PM

Appeals panel: Facebook must face class action under IL privacy law over face-scanning photo tags
FEDERAL COURT
By Jonathan Bilyk | Aug 8, 2019

"Facebook’s alleged collection, use, and storage of plaintiffs’ face templates here is the very substantive harm targeted by BIPA,” the judges said.

https://cookcountyrecord.com/stories/512918162-appeals-panel-facebook-must-face-class-action-under-il-privacy-law-over-face-scanning-photo-tags

See also:

https://www.courthousenews.com/ninth-circuit-advances-35-billion-privacy-suit-against-facebook/

Clive RobinsonAugust 9, 2019 12:49 AM

@ gordo,

Facebook must face class action under IL privacy law

It certainly looks like they have broken the law and 350billionUSD in damages might actually get through a certain persons sociopathic behaviours, or if not certainly those of his financial supporters.

Speaking of such behaviours it's generally believed that Joseph Stalin was both psychopathic and paranoid. His "A single death is a tragedy; a million deaths is a statistic" comment was certainly revealing in that respect. Which makes you wonder who in Facebook crossed it with the Banking Crisis defence of "To Big to be alowed to Fail" and tried it on as a defence with,

    The Menlo Park-based tech giant argued that users should not be allowed to bring a class action that could make it liable for an absurd amount of damages.

You honestly could not make this sort of stuff up... But based on the trends of Silicon Valley Big Corp financing, I wonder how much longer it will be before they try some kind of "Sovereign Immunity" claim.

Clive RobinsonAugust 9, 2019 12:59 AM

@ All,

Want to escape the chains of confinment you feel on a *nix box?

Well this list might help,

https://gtfobins.github.io

It claims to have,

    The project collects legitimate functions of Unix binaries that can be abused to get the f**k break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks.

And yes it has it's own stylized jail break logo, using the hash of a root shell prompt.

Wael August 9, 2019 3:55 AM

@Clive Robinson,

why Quantum Computing may not actually go anywhere

The jury is still out on that one!

2 August 2019August 9, 2019 7:51 AM

Approximately, voting problems in at least 35 counties or three swing states. Didn't somebody say something like 'it is who counts the votes that matters.' Obviously, paper, that can be audited, ballots are a 'fly in the ointment' for some.

https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials
https://twitter.com/KimZetter/status/1159523838410948608
"Exclusive: For yrs ES&S, top voting machine maker in US, has been saying its vote tabulators and election-management systems are not connected to the internet. That appears not to be true. Researchers say they found what appear to be 35 online."

2 August 2019 00:00:00August 9, 2019 9:31 AM

https://alexaobrien.com/archives/4053

"Breakdown of currently known forensic and circumstantial evidence related to Count 18 against Julian Assange, Conspiracy To Commit Computer Intrusion (18 U.S.C. 371 and 1030)

A December 2017 criminal complaint, as well as March 2018 and May 2019 indictments against Julian Assange, demonstrate that prosecutorial theories related to a criminal conspiracy involving civilians have indeed survived the Chelsea Manning court-martial. I had reported and discussed the surviving theories after her court-martial.[1] One is the foundation of the existing superseding indictment.

Lets take a look at Count 18. Underlying that surviving theory is the allegation that Manning was in direct contact with Assange "during large portions between on or about November 2009 to May 27, 2010."

WikiLeaks IRC Chats

[...]

She searched again on March 17, 2010 but there was no evidence of data transferred. Based on the court record, the only search of the CENTCOM server related to Farah (a province in Afghanistan that relates to two espionage charges against Manningone for the video of a 2009 cluster bombing she was acquitted of and another for documents related to the investigation of the same incident she was convicted of)."

2 August 2019 00:00:00August 9, 2019 9:59 AM

For "Russiagate", not Watergate, fans or foes:

https://twitter.com/emptywheel/status/1159808153388802053

"Ever since HJC [House Judiciary Committee] said that [former white house counsel] Don McGahn (the content of whose testimony we have a pretty good idea) was their most important impeachment witness, I've been mulling who's higher on the list (curious to hear your suggestions).

One big person for me is OLC [Office of Legal Counsel] head Steven Engel.

[...]

And no.

Jr is NOT the witness, especially not until Congress gets his Trump Org emails directly from Microsoft.

Note, John Kelly is also high on my list. But still thinking it through.

[...]

[with gossip from other commenters. For example Rick Gates, Jim Mattis, Stephen Miller]"

Clive RobinsonAugust 9, 2019 10:01 AM

@ Wael,

The jury is still out on that one!

Well the jury might be "retired" a very long time on that one...

@ Alyer Babtu,

the universe is strange-er and more charm-ing than one expects

Yes the strings on my instrument appear to be very dimensionally challenged.

vas pupAugust 9, 2019 12:47 PM

@Clive Robinson • August 8, 2019 1:32 PM
Thank you!
Looks like it was unsuccessful testing of rocket engine utilizing nuclear power.
That is god article related:
https://arstechnica.com/science/2018/03/best-bad-idea-ever-why-putins-nuclear-powered-missile-is-possible-and-awful/

"If the Russian designers of the engine for the as-of-yet-unnamed nuclear-powered cruise missile did not have any concerns about radiation shielding for anything other than the avionics, a small nuclear reactor could be incorporated into a cruise missile design. The missile could be launched with a booster and wait until it is at speed to take its reactor critical, as was planned with the SLAM."

So, booster could be liquid fuel engine as claimed by Russian Defense Ministry in the bbc link, but that should be better explained by CIA to POTUS and by DIA to Secretary of Defense I guess.

vas pupAugust 9, 2019 1:23 PM

Iceye satellites return super-sharp radar images:
https://www.bbc.com/news/science-environment-49253951

"The company's radar satellites are now returning sub-1m resolution images of the Earth's surface.

This level of performance is expected from traditional spacecraft that weigh a tonne or more and cost in excess of one hundred million euros.

But Iceye's breakthrough satellites are the size of a suitcase and cost only a couple of million to build.

When Iceye has 18 spacecraft in orbit, it will be able to re-image the same spot on the Earth's surface every three to four hours. Every eight hours, one of the satellites will get a chance to view the target with exactly the same geometry, or look angle.

Radar data has all kinds of applications, from rapid mapping in the aftermath of an earthquake to providing financial intelligence on economic activities - such as the comings and goings at big ports."

My take: all respected bloggers could see other security applications as well.

Wesley ParishAugust 10, 2019 5:41 AM

@vas pup, @Clive Robinson

re: nuclear-powered jet aircraft, cruise missiles, and the lot.

It looks like Heath Robinson and Rube Goldberg had a love-child. With such, you can either have safe but unflyably heavy, or unsafe and still unflyably heavy. What a crock.

Clive RobinsonAugust 10, 2019 11:32 AM

@ Wesley Parish,

It looks like Heath Robinson and Rube Goldberg had a love-child.

More than one...

The first born was named Pluto, and as normal behind every insanely high flyer is a pusher, in this case by the name of Tory,

https://en.m.wikipedia.org/wiki/Project_Pluto

There are some documents obtained under FOI linked to from some other sites that appear to be repositories of the wierd, wonderful and highly lets just say curious...

https://www.theblackvault.com/documentarchive/project-pluto-nuclear-ramjet-engines/

It's known that the Communist Russia States (CCCP) likewise looked into such "SLAM" systems, and in both the case of the US and USSR wiser heads prevailed and development got stopped long befor things got to "Operational test beding".

Which is why some think that Russia under Putin has re-opened old projects...

The one that concerns me most was the oil tanker wirh upto 50 Tzar Bomba on board as the ultimate MAD "Doomsday Device". The Tzar Bomba was the Western name for the USSR RDS-220 hydrogen bomb, which was a 100 Mega Ton device... The design for the Tzar bomba (Vanya) came about after it's preceding device of a mega tsunami Wave (T-15) torpedo was found to have various operational problems. The Russian's built and tested a half power version that lacked the U238 tamper and for various reasons --such as it weighed 60,000lb was 26ft long and the only delivery mechanism was an aircraft that could not out run the delayed blast at optimal hight,-- decided not to go for the full scale device. Only one device was ever tested back in late 1961 and it's effects were recorded all over the world and by an unfortunate US spy plane that just happened to be in the air in the vicinity and thus had "It's tail feathers scorched" by the blast.

https://en.m.wikipedia.org/wiki/Tsar_Bomba

The question thus arose what to do with a hydrogen bomb to big to be sent against the enemy? A Russian scientist came up with an idea of having several oil tankers each loaded up with several of these hydrogen bombs. All rigged to explode fully automatically if there were any signs of nuclear detonations etc that indicated "Mother Russia" had been attacked. The idea was these tankers would sail in areas of moderately shallow water such that the effect would be to turn the sea water into vast radio active clouds that would drop lethal radioactive products all over the world... The ultimate in scorched earth weapons.

Whilst Nikita Khrushchev had approved the final design and test of the Tzar Bomba to give the US politicians a "wake up call". Because of the US policy idea of "Out bomb the CCCP" in the number of wareheads etc was realy a non flyer when considered in the frame of asymetric resourced warfare.

When the idea of the ultimate Doomsday device came across Khrushchev's desk his answer was no, in that neither he nor more importantly his son could see a way to make the "fail safe" system work without the significant problem of it either failing to trigger or worse getting falsely triggered.

It was a leason the US was going through with it's Permissive Action Links (PALs) and other "fail safes" designed to stop stolen weapons being used or rouge commanders going postal etc. At one point it was estimated that well less than one third of US devices would actually work. Which was also the reason for the "out bomb" doctrine backed up by a lot of false "capability assesments" given to US politicians by various intelligence sources.

But things have changed since the 1950's and 60's. Nuclear devices have become physically smaller for the same yield. Whilst ICBM's and IRBMs are increadably expensive and have many issues, "cruise missiles" whilst smaller and way less expensive are actually these days a preferable deployment vehicle for "intermediate range" delivery systems. A smaller version of Pluto's Tory engine which would now be possible would combine the advantages of cruise missiles and ICBM's with much less of the disadvantages...

Also there is a prevailing and increasing belief that radioactive weapons usage is more appropriate than it used to be due to fall out radiation not being as harmful as previously thought.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.