It’s not perfume for squids. Nor is it perfume made from squids. It’s a perfume called Squid, “inspired by life in the sea.”
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
William • September 6, 2019 4:39 PM
Interesting article on the new spy magazine as seen through the eyes of a human rights expert.
VinnyG • September 6, 2019 4:49 PM
@ Anders re: CVE-2019-15846 – I’ve always found the Carnegie Mellon Software Engineering Institute CERT database to be a valuable tool in researching vulnerabilities and mitigations:
https://kb.cert.org/vuls/id/672565/
Ismar • September 6, 2019 6:29 PM
Identify theft in Australia
Ismar • September 6, 2019 6:33 PM
Sorry that link should be
TerryTwo • September 6, 2019 7:04 PM
Innovation the Google Way
Summary: Google becomes a silent hidden geo-location tracking partner for basic phone and auto insurance
A major privacy issue today is whether mandatory geo-location tracking is pushed-hard upon consumers in (frequently hidden) all-or-nothing terms of service.
The Light Phone 2 is a BASIC voice and text phone for the outlandish price of $350. No email, Internet or Play Store access. The product marketing (and click-bait press) make zero mention of privacy, location tracking or the underlying OS.
‘A phone is a tool, and it should serve you as the user, not the other way around. The Light Phone II is a phone that actually respects you.’
They omit the most obvious use-case for any basic phone is to increase privacy by (being wonderfully stupid) and omitting location tracking.
The first observation is the Light Phone web-site is heavily fortified against ad-blockers.
Their privacy policy claims ‘they do no not to track your precise location [1] but that they also have (unstated) partners. The next hilarious clue is Google Maps MAY be installed in the future.
Obviously installing Google Maps (to enable precise continuous geo-location tracking) will require agreeing to Google’s (total loss of privacy) Terms of Service [2].
https://www.zdnet.com/article/congress-sends-letter-to-google-for-details-on-sensorvault-location-tracking-database/
Who funded and developed this basic tracking phone? https://www.30weeks.com/
The basic phone cover-story all-makes-sense, figureheads and all.
The major benefit here is, unlike smart-phones Google has exclusive access to location data. Investors label this building a moat around the castle. At $350 its infinitely more profitable than the similarly priced Pixel 3a. Returns are not allowed unless defective/
Mandating Autos Geo-Tracking
How about mandatory auto insurance location tracking? Are hedge fund backed data-mining companies offering an insurance ‘discount’ if they track your every auto move? Then allow partner Google exclusive targeted location based advertising to your $350 basic phone?
https://www.joinroot.com/app-eula
Solution
Congress must quickly legislate laws to prevent these practically-mandatory location tracking schemes. For example auto owners cannot be charged a higher if they decline to be tracked.
Hopefully Congress will rapidly come up to speed to prevent these surveillance systems from feeding into the draconian Chinese Social Credit System[3]. The fact is Google has the surveillance dirt on everyone[4]. This may be the last chance to keep our constitutional freedoms.
[1] Google’s Sensorvault database, which according to the NY Times, also stores “information on anyone who has opted in, allowing regular collection of data from GPS signals, cellphone towers, nearby Wi-Fi devices and Bluetooth beacons.”
[2] Actually the carrier may demand both its own and Google Sensorvault surveillance tracking before service activation. Google’s main competitor here is AT&T which has sold citizen tracking data since the 1980s
[3] the Google and Facebook owned tans-pacific cable directly connecting the USA to China is nearly complete. https://www.straitstimes.com/asia/east-asia/us-justice-dept-opposes-googles-undersea-cable-from-china-citing-security-concerns
[4] many politicians are mysteriously declining to run for re-election. Data is power to control lives.
Sarah • September 6, 2019 7:52 PM
Here’s a slightly different take, however do you artificial intelligence will effect cryptography?
SpaceLifeForm • September 6, 2019 9:37 PM
So, anyone here want to try and convince me that ASLR, PIC, or PIE is NOT Security Theatre?
Ismar • September 6, 2019 10:22 PM
Felt we need some positive stories here as well like one on these guys which are doing their bit to improve internet routing system
“This document aims to capture this collaborative spirit and provide guidance to network operators in addressing issues of security and resilience of the global Internet routing system”
The Real Kashif • September 6, 2019 10:39 PM
@The Real Chris
Your post is yet another proof that spy agencies in 5 Eyes countries have long way to go when it comes to impersonation of mentality ill people
Squid • September 6, 2019 11:29 PM
@Bruce
Perfume has more to do with the squid than you think – I recommend re-reading the article you linked to
TomS. • September 7, 2019 12:18 AM
@SpaceLifeForm
I’ll take a crack at ASLR for you. Perhaps I know PIC & PIE by different names. I come to the field as a consumer, not a prducer of security information, in order to defend stuff.
ASLR is useful and worth the effort. Some history. In the mid-90s, everybody with a copy of netcat fired 5000 “A”s at a port, crashed the daemon/service, dumped the registers and saw EIP full of “414141”. Next step, find routines already in memory that can be utilized for attacker purposes. Kernel libraries/DLLs were reliable and useful targets. It wasn’t trivial to find the right size of buffer overflow to end up near the address of your desired library. Once you had the buffer sized correctly, your attack worked against many installations of that OS & hardware. Then, with the advent of the format string vulnerabilities, positioning the exploit in memory got much, much easier.
Role of ASLR. ASLR randomizes the addresses of those previously reliably locatable functions attack code needs to do things to your system. ASLR disrupts the pattern of write one attack, reliably exploit many hosts. From the attacker perspective, they must chain an information disclosure that leaks memory layout with the original attack. Greater degree of difficulty for them and more code make for a less reliable attack, more noisy (crashes), more likely to be detected attack.
ASLR has downsides, it used to be opt-in by application developers on Windows. I’m not sure if it is mandatory now. Don’t know what *nix defaults are. It can cause crashes when enforced against code not written explicitly with it in mind. Didn’t provide as much benefit for 32bit platforms with smaller address space.
Much of my understanding has come from decades of lurking on BugTraq, following Google Project Zero, and Alex Ionescu’s work, to name a few, and the generous posters here of course.
I am not a C programmer, nor did I stay at any hotel last night. Just a plain old defensive sysadmin.
I hope that answers some of your question. All errors are my own, and corrections are welcome.
Gunter Königsmann • September 7, 2019 3:17 AM
As there was a question about encryption and AI:
AI is not intelligence: it is pattern recognition combined with trying out things and looking if the try improved the outcome.
Since fuzzing (just taking educated guesses at changing random things and looking if that breaks something) already finds many flaws in security applications (what if I set the block size to 190000000, the password size to 0 or if I claim I use a one-bit key?) I guess an AI that has a limited way of learning from the outcomes of what it did might one day be a very effective way of automatically finding flaws. But once you have sent encrypted data over the net nothing can do anything in order to keep make it secure in hindsight. And creating new schemes to secure things imho shouldn’t profit too much from AI: one AI can fully automatically try to encrypt something in a way another AI cannot break by educated guesses and an AI will find totally other ways of getting creative than a human being does. But it takes real intelligence in order to avoid complicated attacks a random human being would invent.
Ned Land • September 7, 2019 5:15 AM
Squid perfume, inspired by the life of the sea – yes, Captain Nemo included it as a complementary gift for the guests booking his “80 Days Under the Sea” tours aboard the Nautilus at the Gold Class level or higher.
VinnyG • September 7, 2019 8:19 AM
@ ergo sum @ parabarbarian re: Obsidian 4 app & ATN scope – If this was a domestic issue, I would have expected BATF to be involved. By purview, they should actually be the lead agency on the request (not ICE,) but I see no mention in the cited article. Also, your comments seem to be more about the scope itself than the app. OTOH, I wouldn’t be surprised if the fallout from this request led to the situation upon which you speculate as a side effect. I wouldn’t be too surprised if Apple fights this. However, I expect the “do no evil that lacks a high return on investment” company to accede to it in hopes of gaining FedGov latitude on antitrust and other issues…
JG4 • September 7, 2019 9:02 AM
@Gunter – You came pretty close to my definition. Intelligence, n., An entropy maximization engine implementing a four-step computational loop made famous by John Boyd. Observe arguably is sensor input, implicit in any data set, orient and decide are filter matrices or tensors. Act implies some change to the real world, although the action could be as tiny as adapting the filter weights in the matrices or tensors. Learning is itself an action. Basic OODA descriptions fail to mention feedback, but that is the process that tunes the filters in the loop (“learning”).
https://www.nakedcapitalism.com/2019/09/links-9-7-19.html
…
L’affaire Epstein
Jeffrey Epstein’s Donations Create a Schism at M.I.T.’s Revered Media Lab NYT
…
Big Brother IS Watching You Watch
Suspicion creeps into the Five Eyes The Interpreter Lowy Institute
Syraqistan
Lebanon’s crisis is almost unstoppable. Drone warfare is on the horizon Independent. Robert Fisk.
…[taking the pilot out will double the airframe performance]
Military Giant Cats@GiantCat9
F-35A
…
CallMeLateForSupper • September 7, 2019 9:07 AM
@TerryTwo wrote “The first observation is the Light Phone web-site is heavily fortified against ad-blockers.”
I wondered just how “heavily fortified” would manifest itself in this case, so I looked up the site(1), loaded it and received “by return mail” 😉 …. an otherwise empty page with the plain text at the top: “You need to enable JavaScript to run this app.” Okay, it’s the old ploy, “We ain’t gonna play with you atall* unless and until you give us the means to do whatever we want with your machine.” Let’s not and say we did.
App? App?!! Apps run on fartphones; I’m on a proper ‘puter. I didn’t run no steenk-ing app.
(1) DDG says the site address is [www thelightphone com] (I removed the two “dots”), but HTTPS Everywhere changed that to [https //www thelightphone com/] so that’s were I ended up.
CallMeLateForSupper • September 7, 2019 9:52 AM
@All assembler hacks, especially “grey-beards”
It happened again. Lately (i.e. not yesterday but not 5 years ago either) whenever my eyes fall on “ASLR” in something I’m reading(1), my brain instantly transfers control to a dottering Acronym_Unwinder which duly coughs up the nonsensical “A_Shift_Left_Register”. Having coded in assembler language for untold years, I used ASRL & ASLL(2) untold times. Now those terms look foreign, but ASLR looks … somewhat familiar.
(1) A poster to this thread mentioned “ASLR”
(2) ASRL = (reg) “A” Shift Right Logical; ASLL = (reg) “A” Shift Left Logical
1&1~=Umm • September 7, 2019 11:58 AM
@TomS: “Perhaps I know PIC & PIE by different names.”
PIC/E is ‘Position Independent Code/Executable’ and it is a technique that long predates ASLR by many decades. Apparrntly it is a rarely taught let alone used technique by most programmers these days (though they do flip on a compiler switch for it so their executable will have a chance of executing in an ASLR enabled OS).
Those programers who do use PIC in anger tend to be compiler writers or those who write code for limitied resource microcontrollers where some form of multitasking is a requirment. Often PIC is written in assembler, and if multiuser operation is required it will often be used to write a higher level interpreter that has the user space protection and gatbage collection mechanisms built in.
In fact knowledge of how to write PIC was esential on early ‘Big Iron’ computers (upto late 1970s). Because they were utterly dependent on it, as were pre 16bit microcontrolers if either had a need for concurrant tasks that needed shared code. Often shared code was the only way to stay inside finite limits such as 16K or less of RAM or ROM. When Intel transitioned from the 8bit 8080 CPU that CP/M ran on, to the 16bit 8086, the major reason for having “segment registers” was to help break out of PIC constraints via limited address translation. That is a kind of ‘Poor-man’s Memory Managment Unit’ (MMU).
PIC is one of the few methods by which you can write code for multitasking computers that do not have Memory Managment Units that need to leverage ‘Code Reuse’. That is –within reason– the code can be placed at any location in memory and when executed functions correctly for any other code calling or jumping to it, thus can be used for BIOS type functions or libraries of shared code such as interpreter cores, maths, graphics, etc.
At it’s simplest level PIC contains only immediate addressing –where fixed data is part of an individual opcode– and the use of only one CPU register the accumulator. Such executable code is essentially fixed in function like a simple maths function y=f(x). Thus it can run from ROM as well as RAM. However it is very limited in what it can do, as in effect it’s get a byte of data in the Acc and either acts on it’s value in a very limited way or modifies the value again in a limited way.
The use of such code was often found in IO drivers where the IO hardware ports / position where either not part of the address range or was permanently fixed in the address range. One such task is to convert an ASCII code to it’s dot matrix equivalent for output to a screen or printer.
The use of more than one register makes such code much more flexible, especially if there are opcodes that support the use of data in registers as addresses (pointers) to other data.
The use of stacks and jump tables where addresses can be passed adds significant utility, but requires the use of extra CPU cycles so can slow code execution noticeably if used injudiciously.
In fact you can write entire programable languages and operating systems using just one “base address” to a structure that contains pointers to data locations. Thus by the use of such structures and stacks you can write not just entire languages but also Operating systems to support them. It also alows the use of multiuser interpreted languages where user spaces are protected by the interpreter not hardware such as the MMU.
As usual there is a Wikipedia page on the subject with all the usual warnings if you want to know more,
JR • September 7, 2019 12:36 PM
Yes and No on PIC
On some platforms/CPU you don’t have to “write” PIC code, it is the default of the compiler/ASM. In many it is is just PC relative addressing. If you have a loop for example and at the ending check you need to jump back to some label, it gets coded as a jump to an address in a register +/- an offset, in this case the register happens to be the program counter. It makes compact code. The offsets are small-is and some cases may only be an 8 bit signed int. It also means that for run time libraries, shared or otherwise, they can be placed anywhere in memory, and the ink/load does have to issue late fix-ups. Less late fix-ups, faster loading, and it also means the code can stay as non-write, exec only. Also each process can load it in any order in any place, thus making it harder for a bad guy to know exactly were a library call is in memory. A minor up date to some unrealted library and the you are targeting is now in a different place.
This was all automatic on some CPUs/OSes. The problem has been that x86 didn’t have a good what to do PC relative without extra coding tricks that slowed things down. That caused MS to base all its runtime libraries, DLLs, at known addresses to prevent late address fix-ups. (Windows will load to a new location a DLL that conflicts with something already loaded, but since all the MS supplied ones are most likely already loaded, it is 3rd party ones that get moved).
In the early days Oracle for example when it complied and linked some run time libraries they thought it was a good idea to base things at fixed address. It wasn’t for all platforms. It cased me much pain. When you install some small OS update that made a RTL bigger, it broke all Oracle code. You had to relink everything from Oracle and any of you local code that called Oracle. When all Oracle had to do was not force a base address and just dereference a pointer when the code started up.
SpaceLifeForm • September 7, 2019 2:00 PM
@TomS
Thank you for your thoughtful reply.
I really don’t have any big complaint about ASLR, as it can deter script kiddies.
But, I’ll note that the recent iPhone exploit chain was able to bypass ASLR.
As to PIC, yeah, you need for non-static libraries.
PIE, I’m not convinced. Apple forces PIE.
I think the safest option is pure statically linked binaries.
Here is Apple misdirecting in denial.
“The attack affected fewer than a dozen websites”
For starters, the attack did not effect websites.
The attack was originated from websites
It is the BILLIONS of iPhones that are impacted, not a dozen websites.
Alyer Babtu • September 7, 2019 9:32 PM
In case this has not come up here before – Bunny Huang’s Betrusted –
“Betrusted is not a phone: it is a secure enclave with auditable input and output surfaces. Betrusted relies on sharing your existing connectivity – such as your phone or cable modem – to access the Internet. Say you’re on the road and you want to securely message a friend. You would tether betrusted to your phone’s wifi, so that the phone is just an untrusted relay for encrypted messages coming too and from betrusted. The only place the decrypted messages will ever appear is on the trusted screen of a betrusted device.”
“Betrusted solves this problem by incorporating easily auditable Human-Computer Interaction (HCI) elements to the security enclave. Betrusted ensures that human-readable secrets are never stored, displayed, or transmitted beyond the confines of the betrusted device: betrusted is a security enclave with human-friendly I/O.”
Does this really address the secure endpoint problem ?
Clive Robinson • September 8, 2019 12:07 AM
Every one should have time for a little fun in their lives, so for number theorists and Douglas Adams fans,
There was, some decades ago, in a place of dreaming spires a challenge issued to all of stout heart.
It was back on 1954 at Cambridge University, and the challenge which whilst simple to describe has proved somewhat difficult to compleate, without it’s own heroics.
The chalenge was to find three cubed numbers that when summed produced a number in the range 1-100 and to find a sum for each number.
Well most numbers in the range were found but 33 and 42. Earlier this year 33 fell leaving just the famed number 42.
Well it to has succumbed using one of the largest computing resources available to scientists and mathmaticians on a shoe string, the globe stradling Charity Engine network of idle computers,
http://www.bristol.ac.uk/news/2019/september/sum-of-three-cubes-.html
[1] I did try using a variation on the “Superman intro” but too naff by far 😉
Clive Robinson • September 8, 2019 12:52 AM
@ Alyer Babtu,
On the surface it sounds like it’s heading in the right direction.
That is it has taken the security end point of a known to be hoplessly insecure thus vulnerable consumer device off of it and placed it onto another device.
So onto my first thoughts based on what you have said (I’ll go visit the link later).
Thus the question arises how secure is this other device, and as always as,”The proof is in the eating of the pudding” how digestable it will be.
I must say that the use of WiFi which is it’s self a not very secure communications channel gives me pause for thought as there are other options, some more secure and some with a much less coverage area.
As I mentioned years ago on this blog and other places when talking about securing banking transactions with a token device, it’s best to put the human between the electronic communications end point and the security end point (hence my frequent comments about using known to be secure pencil and paper ciphers).
What this new device has done is extend the electronic communications end point out via WiFi to the other device where the security end point now is.
Thus the question arises as to “How the new communications end point in this device is segregated from the plain text side of the security end point, and how continued security assurance is maintained?”.
The usual way these days is via three segregated microcontrollers in seperate hardware instances.
The first is untrusted and is responsible for interfacing to the electronic communications in this case the WiFi interface. In effect it strips out the encrypted information formats it to a new protocol and sends it out via a “mandated choke point” communications path like RS232.
The second CPU interfaces to the “mandated choke point” communications and contains the security end point where the encrypted information is converted to plaintext and pushed into the segregated HCI.
The third CPU sits astride the “mandated choke point” communications path and it’s job is to act as a protocol analyzer at all protocol levels. If it spots anything other than it should it’s job is to halt the first two CPUs fire up a warning signal and sometime later reset and check them for changes etc.
tds • September 8, 2019 9:35 AM
@AndrewJ
For links, why not:
https://web.archive.org/web/20190907035047/https://wesupportjoi.org/ https
and https://wesupportjoi.org/ yields:
“Domain Not Claimed
This domain has been mapped to Squarespace, but it has not yet been claimed by a website. If this is your domain, claim it in the Domains tab of your Website Manager.”
You may have seen this link https://www.thedailybeast.com/petition-defending-mits-joi-ito-over-epstein-money-picks-up-big-name-signatures
Wael • September 8, 2019 10:00 AM
@Bruce,
Can you shed some light on the meaning of this picture: https://www.schneier.com/blog/about/ ?
In the left “mirrored” image, you’re not wearing a hat. Yet, in the right “mirrored” image, you’re wearing a hat! What gives? And there’s another Bruce hiding in the trees… What’s he doing there, and why is he staring at me?
You mean you wear different hats? Binary in this case! To “wear a hat” or not to “wear a hat”… that’s the puzzle…
Is it a puzzle of “find 10 differences between the pictures”? An encoded sort of message?
tds • September 8, 2019 10:12 AM
Anybody find a way to ‘securely’ install macOS Mojave on older Apple computers? For example, a MacIntosh Hackintosh. Or what do you think of dosdude1? This was posted last week:
Any thoughts about dosdude1 and its ability to install Mojave on older Macs?
For example, http://dosdude1.com/mojave/ (non-https)
One might be leery of their site because the download Mojave patch (and its hash), for older MacIntosh computers, are also downloaded from ‘http’ sites.
Might there be better or other ways to install Mojave on older Macs?
TomS. • September 8, 2019 11:34 AM
@1&1, @JR:
Thank you for PIC/E explanations and article pointer.
Am I correct that in the MS-DOS world this would be the difference between the old .COM executable memory image format (single segment < 64k, loaded at address CS:0100 always) and the .EXE relocatable image format? Been a long time since I played with debug. (I really wanted to win Ultima III back then.)
@SpaceLifeForm,
Sure, ASLR gets bypassed. I can’t think of a mitigation that doesn’t. It is a matter of how high we can stack the hurdles around the attacker. ASLR makes attacks harder, not impossible. In regards to your question is it Security Theater, I’d have to answer “No”. Now attackers have to chain Info Disclosure attacks or find non-relocatable librarues wirh useful functions in memory already. That is materially better than where we were before.
OpenBSD uses some statically linked binaries and has a reputation for a focus on security. There might be some papers in USENIX about their choices. There were some pointers in 1&1’s linked article. OpenBSD set a tremendous example in the wake of format string, halting dev, building tooling to scan for vulnerable code, releasing that tooling. I didn’t have much experience then, but my sense was that effort genuinely moved the bar. I personally believe it set the tone that enabled Microsoft’s Trustworthy Computing memo and subsequent measures MS took between W2k & W2k3’s Secure by Default posture.
I don’t think statically linked binaries are the answer for the reasons dynamic linking developed. Imagine how many copies of libssl in how many places in the filesystem for each browser, TLS enabled mail, IM client, VOIP, DNS over $Transport, VPN. No thank you. My head hurts just considering that. Not for a general purpose, mixed use computer. Might I consider it for a fixed role server or embedded application? Possibly. I’m not competent enough to know.
We’ve had that problem for years with GDI+ on Windows. It is a high privilege DLL shipped in the OS, but also 3rd party redistributable. It is compromised roughly annually yielding kernel access. Patch Tuesday gets the copies MS deploys in their products, but it doesn’t and can’t replace the vulnerable library in the several other installed 3rd party applications. Some of whom haven’t updated a software toolchain since VB6!
vas pup • September 8, 2019 11:59 AM
@William, @tds
Thank you for interesting links provided.
This is directly related to subject matter in your posts:
https://www.youtube.com/watch?v=qk5QIIgnWtE
Sed Contra • September 8, 2019 8:08 PM
Moneyball, but for courts
Weather • September 8, 2019 10:41 PM
About PIC 0x7ff on the heap is set aside for SEH about the eight sword down, replaced, and then cause a exception, should get control, if not there are heaps of places in there to change.
Sherman Jay • September 8, 2019 11:37 PM
@POLAR
Not to compete with your excellent dilbert link, but I just want to share this for people to enjoy. (even though we all know this already, it’s nice for others to be informed of how they are victims)
ht tps://www.gocomics.com/nonsequitur/2019/09/08
Sancho_P • September 9, 2019 6:57 AM
(FOSS) ” … and has a reputation for a focus on security.”
Um, O.K., but ….
Don’t know if Exim (“the” Linux server Mail Transfer Agent) was mentioned here already?
https://www.zdnet.com/article/millions-of-exim-servers-vulnerable-to-root-granting-exploit/
tds • September 9, 2019 9:48 AM
From Alex Stamos https://www.lawfareblog.com/op-ed-future-election-security
https://twitter.com/alexstamos/status/1169631049485152256
”We spend too much time focused on specific vulnerabilities and not enough on systemic risk, so I tried to make some of the systemic US election risks clear in this speculative fiction piece in @lawfareblog.
Some points I would like to highlight…
First, there is way too much focus on an adversary trying to get a specific candidate elected versus creating chaos and illegitimacy. Throwing the US into a political crisis is a much more realistic goal that benefits from overt activity and poor OpSec by attackers…
Second, while I include an attack against DRE [direct recording electronic] voting machines I also try to highlight the risk posed by interference in the rest of the electoral process, such as attacks against registration and election-day coordination systems…
The reasonable citizen demand for trustworthy elections has been hijacked by unreasonable, poorly-informed activists under a variety of hashtag slogans. As @mattblaze keeps on informing them, replacing DRE machines is necessary but not sufficient…
I also wanted to remind folks that the set of potential adversaries in 2020 has expanded due to the lack of response to Russian activity in 2016. We shouldn’t assume that the rest of the world will just sit on the sidelines while one country influences the global hyperpower…
Thank you to @lawfareblog for publishing the piece and to @qjurecic for the fantastic editing. I highly recommend academics consider Lawfare if they are trying to reach an influential audience with work that doesn’t fit into traditional newspaper opinion sections.”
vas pup • September 9, 2019 12:54 PM
@Sed Contra.
Thank you!
These parts of the article caught my attention:
“But judges appear not to have trusted that system. After the law took effect, they overruled the system’s recommendation more than two-thirds of the time.”
“…judges responded to risk scores differently in different parts of the state. In rural counties, where most defendants were white, judges granted release without bond to significantly more people. Judges in urban counties, where the defendant pool was more mixed, changed their habits less.”
So, regardless of risk scores, decision making was also affected by psychological factors on the judge side.
That is just the first step of utilizing risk assessment in criminal justice system.
to.far.away.to.be.here • September 9, 2019 4:06 PM
ProtonMail: The Ride Never Ends: PM just announced a collaboration (French speakers will know the meaning of that word) with Huawei from Red China (mainland China). The Bloomberg article has been archived: http://archive.is/EfPjy.
There also is an excellent Youtube (“ProtonMail and Huawei: A Relationship Made in Privacy Hell”) that really is a must see! https://youtu.be/7iQD4fdREsc
So, to sum it up, PM is complicit with the communist regime in suppressing mainland minorities (e.g. Uighurs) as well as the general population at large.
The endgame of PM – after having a closer look at the company registry – is clear: A going public asap, but making as much money as possible prior to the going public. The trade register entry also shows that the BOD chairman is a venture capitalist and that the company doesn’t have much to do with CERN anymore.
Use PM at your own peril! #deleteProtonMail
I know Bruce, as a “freelance consultant” with PM, might not like the posting yet I feel it is important to inform the community about what’s going on with PM.
SpaceLifeForm • September 9, 2019 4:08 PM
@Weather
Guessing you are referring to this:
https[:]//resources.infosecinstitute.com/bypassing-seh-protection-a-real-life-example/
I stay away from Windows.
And I stay away from c++ as much as possible.
I prefer C on *nix. Or assembler if needed. I’m old, just shoot me.
SpaceLifeForm • September 9, 2019 5:56 PM
@Weather
I’d consider this relevant and timely
https[:]//www.wired.com/story/ios-security-imessage-safari/
SpaceLifeForm • September 9, 2019 6:11 PM
When these two events happen, you know things are messed up.
Just over $1B bitcoin transaction.
ATT hires Goldman Sachs (the thumb of the invisible hand of the marketplace)
Think • September 9, 2019 7:23 PM
Just another China Note:
The Chinese are serious and if you stand in their way you will be reprogrammed or worse – example — Fan BingBing
Skip the articles if you already know her story.
https://www.foxnews.com/entertainment/disappearance-return-fan-bingbing-chinese-film-industry
Now consider the following – more appropriate to what we will face:
https://segmentnext.com/2019/03/19/why-do-chinese-players-hack-china-player/
Many online game players are very attached to their online virtual games – they will pay real money for status and virtual currency, spend lots of time playing and consider it more important than their daily ‘real life.’ What about a great way to bilk your ‘target’ of their hard earned money.
https://www.vice.com/en_us/article/59p7qd/this-man-has-survived-by-hacking-mmo-online-games
Where does a skilled Chinese game hacker end up or a very dedicated educated cyber graduate — they become part of a large group of state sponsored “hacking” teams or cyber offensive (RED – pun intended) teams — depending on your point of view, ability to attribute the ‘hacking’ activity(ies) or national allegence.
Do you think that those potential future members of skilled computer teams in China don’t look at Fan BingB and either want to go protest in Hong Kong or double down on doing what the state wants – especially if you are good at what you do?
Turn that honed ability to modify a ‘game’s’ attributes into using it on any type consumer of business computer program – any type of computer program that can be attached to and modified) where you take your ‘high score’ or ‘health points’ or virtual currencies or number of items and make them infinite or not exhaustible in order to beat the competition.
There are games where a currency exchange exists allowing exchange from virtual currency to real currency – just think if I could build (read build as ‘hack virtual but valuable resources away from legitimate players playing by the rules) I could build a virtual empire and then sell it off to some poor insecure gamer. Wash, rinse, repeat.
See this article for me information on virtual currency to real money exchanges:
https://hackernoon.com/real-money-trading-in-games-a-cryptocurrency-solution-5fdc719cc4f6
If you think remote code modification isn’t possible – pick up this book and study it – it may be dated (32 bit) – but the techniques are something that can be applied to more modern programs (64-bit) and programming structures.
https://nostarch.com/gamehacking
Think of your online banking program (even if you see something you don’t have as a momentary hack of your actual banking balance – you could be influenced to act, induced to call the bank or give up information to a 3rd party waiting for you to see something you don’t expect). Maybe all I need is your account information to complete a scam for a wire or ach transfer of your (now my) funds.
Think of your PII stored or in motion for any type of application, stock accounts, logon or access credentials, bit coin wallets or even your on line day trading application. I’m sure you could think of many more – any one of your cell phone applications for example.
The endgame is already here.
https://fortune.com/2019/03/01/china-ip-theft/
Now ‘the game’ to hack anything is the real world, ‘the game’ is you and I and our democratic institutions’ inventions and secrets.
Knowledge IS power.
We can’t secure our data, information – personal or private, our inventions — our intellectual property. We can’t control their future uses or the losses that it causes our people, businesses and Democratic Nation States from where it stolen.
Where will this lead?
J. Random Luser • September 10, 2019 1:06 AM
Over the last couple of weeks or so I have noticed many websites, which have been fine for at least a year or two, are suddenly showing components that have untrusted certificates. Seems to be widgets attached to the site pages. (I run without JavaScript , no cookies, ads blocked etc.) Just wondering …
name.withheld.for.obvious.reasons • September 10, 2019 2:48 AM
@ SpaceLifeForm
ATT hires Goldman Sachs
Can anyone guess was this would be a strategic move? What is the potential third-party alliance to this agreement that would hope to structure such a relationship?
Hope this posts, haven’t had a couple in a row go threw…
tds • September 10, 2019 9:52 AM
@nycsouthpaw retweeted
https://twitter.com/futurecanon/status/1171220828106690560 a concise 14 second video
vas pup • September 10, 2019 3:46 PM
Brain hack devices must be scrutinized, say top scientists
https://www.bbc.com/news/technology-49606027
vas pup • September 10, 2019 3:55 PM
Japan under pressure to join campaign against killer robots:
https://www.dw.com/en/japan-under-pressure-to-join-campaign-against-killer-robots/a-50370333
JG4 • September 10, 2019 5:07 PM
I’m OK with toning down the rhetoric. The BIOS Guy directed my attention to the 5-minute mark, but I suspect that the whole thing is worth watching. I’ll send it to Cory and Bunnie.
Inside China’s High-Tech Dystopia
https://www.youtube.com/watch?v=ydPqKhgh9Mg
2,469,655 views
SpaceLifeForm • September 11, 2019 4:24 PM
@J. Random Luser
On the surface, it would appear that you are trying to be more secure by blocking Javascript, ads, cookies. Good idea.
But are you using Windows? Smells like you are using Windows. And Firefox too.
I think you are. Please provide more info.
@name.withheld.for.obvious.reasons
The first ‘third-party’ would likely be Deutsche Bank.
SpaceLifeForm • September 11, 2019 5:07 PM
@JG4
Thank you for the link.
3 things of note (not sure if I caught what you were referring to at 5 min mark)
QR codes to transact. Instant location-ID tracking over cellnet.
Robotic Restaurants. Can the robots smell bad food and throw it out?
Facial recognition. So, one can jaywalk and get their fine for jaywalking in 20 seconds.
JG4 • September 11, 2019 6:23 PM
I’m pretty sure that I posted this before. I don’t mind the lines being defined, but I thought that this contect is spot on.
4 Things That Keep the NSA Up at Night
https://www.nytimes.com/2019/09/10/opinion/nsa-privacy-gerstell.html
Sep 10, 2019 · 4 Things That Keep the N.S.A. Up at Night … the general counsel for the National Security Agency. The piece outlines the “future of war” from the perspective of one of the blackest boxes in …
https://www.nakedcapitalism.com/2019/09/links-9-11-19.html
…
Jamal Khashoggi ‘murder recording transcript’ is published BBC
Big Brother Is Watching You Watch
Sex lives of app users ‘shared with Facebook’ BBC (Kevin W)
…
Alyer Babtu • September 11, 2019 7:12 PM
Hadn’t seen this before
Re the heavy Marketing Tone of the site: Je me sens un peu skeptique. Do we really need any kind of social network ?
And can any good come from blockchain ?
Clive Robinson • September 11, 2019 7:54 PM
@ Bruce,
This “begging letter” By Glenn S. Gerstell the general counsel of the National Security Agency is something you should read,
https://www.nytimes.com/2019/09/10/opinion/nsa-privacy.html?module=inline
But you can skim the story setting and scan down for,
As a place to start, but watch out for the “begging letter” phrases such as,
Yup we are talking along the lines of quadrupling or more the NSA budget but also getting a lot lot less for it,
Is actually not true, many nations will be uneffected by cyber security issues for the next two to three decades, and some a lot longer.
It’s important to realise that it is Western / First World Nations and in particular the US that have the worst of the problems. Due in part to communications promiscuity and lack of usage of known security techniques that is the root cause of the problem. Something that the DoJ and FBI and other US agencies want to actively make worse with demands for “Backdoors” etc.
Heck if the US passed some privacy legislation then IoT shoveling bucket loads of personal information to China would fairly quickly stop. But any such legislation will be fought tooth and nail by Silicon Valley Big-Corp in any and every way including back handers and political interference (see what “Private Equity” have been caught doing in the way of illegal campaigning, then there is the Koch Brothers i360 etc, oh and not forgetting Palantir).
There is a saying about those living in glass houses not throwing stones. Perhaps if the US and other Western nations governments stopped trying to prevent businesses and citizens having privacy we would not be walking into the distopian future that they are trying to make “pre-ordained”.
Clive Robinson • September 11, 2019 8:07 PM
@ Alyer Babtu,
And can any good come from blockchain ?
That depends on your viewpoint. If say you are a “dirty coal” supplier of heavily subsidized electricity who is an active climate change denier then yes, blockchain can mean lots of extra profit…
Most other points of view are swinging around to NO for a good many reasons, not least of which is most things blockchain evangelists claim can be done other often more efficient and effective ways.
Just look on blockchain evangelists in the same way you would purveyors of water that has been mystically blessed thus they claim worth ten bucks a pint or similar…
CallMeLateForSupper • September 12, 2019 8:21 AM
“Denmark frees 32 inmates over flaws in phone geolocation evidence […] imposes two-month moratorium on use of mobile phone records in trials”
“Denmark’s director of public prosecutions [said], ‘This is a very, very serious issue[.] We simply cannot live with the idea that information that isn’t accurate could send people to prison.'”
…
“[Comms companies] insist the errors have mostly stemmed from the interpretation of their data […] Authorities contend that in some instances the data has also been at fault, but Jakob Willer, of the country’s telecoms industry association, said
(here comes the juicy part)
it was not their job to provide EVIDENCE. ‘We should remember: data is created to help deliver telecom services, not to control citizens or for surveillance[.’]” {EMPHASIS mine]
Patriot • September 12, 2019 9:31 AM
@to.far.away.to.be.here
You may have a strong point. Look at Protonmail’s crypto people. Where do they hail from?
vas pup • September 12, 2019 2:24 PM
Project Oberon: UK eyes cluster of military radar satellites:
https://www.bbc.com/news/science-environment-49664409
That part caught my attention:
“Sensing and geo-locating the source of radio frequency (RF) transmissions is an emerging Earth observation technique.
A good example where this can be useful is in maritime patrol.
Pirates and illegal fishers will often switch off their GPS trackers to try to hide from the authorities, but they will still be visible to satellite-borne RF sensors if they are using radios and other equipment to coordinate their illegal activities.” But there is more inside the article.
Clive Robinson • September 12, 2019 5:20 PM
@ vas pup,
… switch off their GPS trackers to try to hide from the authorities, but they will still be visible to satellite-borne RF sensors if they are using radios and other equipment to coordinate…
Kind of true and not true it depends on a number of factors including if the sun is above or below the horizon.
In amateur radio there is the “milliwat per thousand mile” effect. In my younger days when I could still do morse code I worked over to the US on the output from a bench top signal generator.
The point is it takes very little power to be heard five hundred Km away line of sight, which is what you get to the ISS and I know people that have talked to astronauts with a hand held radio, and worked through most satelites with the same radio only pushing out 1/2 watt of power.
Even those cheep Chinese hand helds like the UV5R will in some versions push out 8 watts of power.
Not wishing to be funny but those illegal operarors are mainly compleatly incompetent when it comes to covert operations of any kind. They do the equivalent of a bunch of teenagers starting a bonfire on top of a hill in the middle of a dark night, where the mark one eyeball can see the fire between twenty and fifty miles away…
Put simply very low frequency signals down below 2-7MHz depending on the time of day get trapped by the upper layers of the ionosphere and partially absorbed by the lowest layers of the ionosphere (look up “critical frequency” and “NVIS operating”).
As the frequency goes up two things happen, the first is the ionosphere starts to have less and less reflective or absorbative effects. The second is that whilst the effective range per unit of power decreases with increasing frrquency, the gain of antennas goes up for any given effective appature area. The result is most frequencies between 120-510 MHz whilst being ideal for hand held transverters (HTs) also pass very effectively into space and can be heard in many cases over a thousand miles up. And that is with voice bandwidth Frequency Modulation (FM) which is regarded as very inefficient. Amateur operators use other modes these days that have a 40-50dB advantage over the voice bandwidth FM. Which means they work upto 325 times the range. I’ve used voice bandwidth FM from a hand held transceiver from a hill in North London through a gap in both the North and South downs to a repeater more than 70 miles away with as much clarity as one in South East London that you could see the antenna mast with a naked eye (The old GB3SL up on the Crystal Palace mast). So a more modern mode could for the same ERP be heard in geostationary orbit.
There is now a geostationary orbit satellite (Es’Hail) with amature radio transponders[1]. Through which no doubt there will be people pushing to work through it “portable” just for the bragging rights (and I might just be one of them just for the fun of it).
[1] https://ukamsat.files.wordpress.com/2018/11/amsat-uk_eshail-2_transponder_info.pdf
David • September 12, 2019 10:55 PM
Protonmail clarifies facts about its so called ‘relationship’ with Huawei
https://protonmail.com/blog/clarifying-protonmail-and-huawei/
SMS-only • September 13, 2019 4:08 AM
Bruce, it seems that a big country created malware that is sent as an SMS to mobile phones. Remote execution vulnerability without user interaction, that works with more than a billion phones (dumb phones and smart phones).
https://www.adaptivemobile.com/blog/simjacker-next-generation-spying-over-mobile
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Anders • September 6, 2019 4:26 PM
Heads up!
https://www.openwall.com/lists/oss-security/2019/09/04/1
https://exim.org/static/doc/security/CVE-2019-15846.txt