Schneier on Security

JonKnowsNothing • July 18, 2020 11:46 AM

re: How to brick old tech with XML

MSM report on the “surprise bricking” of old Samsung Blu-ray players.

There were several possibilities about why older players suddenly bricked into terminal reboot loops. This report flags an error in a boot up XML file. The file contains and empty list element that the older machine parser doesn’t recognize and fail overs the system to restart. Since the file is parsed each boot up cycle it cascades into a never ending reboot.

There is no fix. Customers have to send the machine in for an update/repair to the firmware.

Along with the interesting analysis is this question:
  Machines were bricked that NEVER did the faulty firmware update.
  How did that happen?

Well it turns out that Samsung was sending “hidden telemetry” and “log files” if the machine was connected to the internet, even if certain options were “OFF” or “Not ON”. Routinely on boot up, if the system was connected to the internet, it would fetch the remote XML file and apply it as well as transmit user logs.

[If you] don’t accept the privacy notice nor download a software update, but do connect the device to the internet, your player will still routinely fetch the logging policy file.
…
players that never performed a software update nor used a network service, and were simply connected to the internet, were bricked.
…
The firmware routinely automatically fetches, stores, and parses the logging policy file regardless
…
“Players were bricked even though the users never performed a network update. It was enough for the player to be connected to the internet. Samsung never asked the user if it was OK to download”.

ht tps://www.theregister.com/2020/07/18/samsung_bluray_mass_dieoff_explained/
(url fractured to prevent autorun)

JonKnowsNothing • July 19, 2020 3:56 PM

@Clive @All

re: Apple 2FA authenticator fob connects to Lightning port

disclaimer: color me skeptical that this is secure

MSM review of a Apple based 2FA Authenticator FOB. It covers a lot of territory and much of it historically has had “difficulties” in different iterations.

1. FOB vs SW
2. authentication routines (security protocol)
3. authentication procedures (storage on icloud / google)
4. validation
5. recovery
6. port theft/scanner
7. port and connector hijack
8. authenticator firmware hijack

There are lots of reasons and places using or needing 2FA, but I am not that sure that the downsides have been dealt with any deeper than the cosmetic plastic housing.

ht tps://arstechnica.com/information-technology/2020/07/apple-has-finally-embraced-key-based-2fa-so-should-you/
(url fractured to prevent autorun)

JonKnowsNothing • July 20, 2020 9:44 PM

@MarkH @name.withheld
re:

how is rendition on U.S. soil of U.S. citizens, a thing?
I think you just gave a pretty good definition of the legal term “arrest.”

Rendition
  In law, rendition is a “surrender” or “handing over” of persons or property, particularly from one jurisdiction to another

Extraordinary rendition
  Extraordinary rendition, also called irregular rendition or forced rendition, is the government-sponsored abduction and extrajudicial transfer of a person from one country to another with the purpose of circumventing the former country’s laws on interrogation, detention and torture.

Arrest
  An arrest is the act of apprehending and taking a person into custody (legal protection or control), usually because the person has been suspected of or observed committing a crime. After being taken into custody, the person can be questioned further and/or charged. An arrest is a procedure in a criminal justice system…. an arrest must be made for a thoroughly justified reason

Distinction between arrest and detention [USA]
  In the United States, there exists a distinction between an investigatory stop or detention, and an arrest. The distinction tends to be whether or not the stop is “brief and cursory” in nature, and whether or not a reasonable individual would feel free to leave.

The situation in Portland, Oregon, USA is fluid and accurate information is lacking.

It is clear, that military-style-attired persons, carrying a multitude of armaments with no or minimal visible identification are taking people from the streets.

It is reported that some of the military garbed persons are not part of the local policing establishment but send by the Federal Government.

There are conflicting reports of cooperation between the military-garbed persons and the local policing establishment. Reports of both physical on the street cooperation and intelligence sharing between them.

Exactly what sort of intelligence sharing, how it was acquired, to what extent is used to target individual(s) is unknown.

Under which laws are the military-garbed persons taking persons off the street is also unknown. There are reports of Border Patrol, ICE (immigration), US Marshals, FBI each with a specific jurisdiction and mandate for enforcement.

Which persons are subject to which jurisdiction is unclear. Reports that persons are taken to a “holding area with in a Federal Compound” indicating that they are under Federal Arrest Jurisdiction rather than Local/City/State Jurisdiction. Specific Agencies, Cause for Arrest or Detention in unknown with released persons receiving a blanket “Show Up Here” notice.

Reports of the involvement of John Yoo, the lawyer who wrote the memo justifying torture, extraordinary rendition etc. as Legal Methods, is currently advising the Trump Administration on How to Rule by Edict/Decree.

ht tps://en.wikipedia.org/wiki/Rendition_(law)
ht tps://en.wikipedia.org/wiki/Extraordinary_rendition
ht tps://en.wikipedia.org/wiki/Arrest
ht tps://en.wikipedia.org/wiki/Arrest#Distinction_between_arrest_and_detention

ht tps://www.theguardian.com/us-news/2020/jul/20/trump-john-yoo-lawyer-torture-waterboarding
ht tps://en.wikipedia.org/wiki/John_Yoo

John Choon Yoo attorney and former government official best known for authoring the so-called Torture Memos, which provided a legal rationale for the torture of detainees during the War on Terror.

(url fractured to prevent autorun)

JonKnowsNothing • July 21, 2020 5:44 AM

@All

re: Operation Legend

It appears that the Federal Response in Portland, Oregon USA has a name:

The influx of officers may be part of an initiative by the U.S. Department of Justice called Operation Legend. In July, a press release described Operation Legend as “a sustained, systematic and coordinated law enforcement initiative across all federal law enforcement agencies working in conjunction with state and local law enforcement officials to fight the sudden surge of violent crime.”

There are 6 known or named target cities but the full list for deployment is unknown. Portland, Oregon was not on the known list.

1. Baltimore, Maryland
2. Chicago, Illinois
3. New York, New York
4. Detroit, Michigan
5. Philadelphia, Pennsylvania
6. Oakland, California

While it may be an exercise in trivia, it might be interesting to speculate what sort of tech surveillance is in use or available.

1. Command Center. In normal times this is manned by police but indications that a federal officer was in the command center but is no longer there.

This would have an area of surveillance, CCTV, mobile phone trackers (Stingray, DRTBX etc) and many cities have deployed surveillance enabled street lighting systems with wifi-connections enabling voice, audio, camera, sound trackers with RT Feedback to a command center.

1. Federals certainly have Stingray, DRTBX tech in use collecting cellphone data and geolocation information. Normal daily/weekly FBI, US Marshal and DEA fly overs to collect massive cellphone information and location would certainly provide a coordination matrix.
2. Undercover officers. This is standard operating procedure for both city and federal agencies. After 50+ days, there will be a good number of embedded agents or contractors such as Tiger-Swan.
3. Group to Group / Member to Member direct communications. At least the Federal Agents would have sophisticated grouping communications. No one there is holding a cellphone so it’s incorporated in their helmets.
4. Weaponry. Lots of that. How much of it is Hi Tech is beyond my pay grade.

5. Battle gear and equipment. Lots of bulky stuff in the pockets and of course large bundles of zip ties on display.

6. Timing and Coordination. Mass charges out of buildings and “round em up” drive arounds are not likely random nor randomly engaged by the agents.

7. Coordinated geolocation and ID of everyone within a good radius is certainly one of many displayable maps.

8. Direct pipeline to other Federal Agencies and the NSA. CIA is supposed to stay outside of box but they’ve been known to enjoy some action too. Internet Network traffic analysis, along with tracking specific persons (reporters and local officials) would be on the NSA detail.

9. Cyber-command may be gearing up to control the lighting and electronic infrastructure. Turn out the lights and shut down the water distribution maybe a tactic. Water distribution control was key in the Bosnia Wars.

ht tps://www.newsweek.com/what-operation-legend-trump-may-use-federal-forces-us-cities-1519219
(url fractured to prevent autorun)

JonKnowsNothing • July 22, 2020 4:05 PM

@Clive @MarkH @All

re: The Death of the Bank of Mom and Dad

I’ve been researching the economic benefits of all the COVID-19 Dead that is expected to fall into the laps of the neoliberal economists, the Herd Immunity Policy, Swedish Ideals, No Masks 4 Me, and Get A Move On and DIE group as the pandemic rolls along.

I found some interesting articles that shed some light on what is actually a complex topic of Inheritance and Wealth.

Early on in the pandemic economic analysis was published:
1 USA Worker == $10Million USD.
100,000 deaths == $1Trill USD economic loss
100,000 deaths == 200Mill lost unrecoverable labor

As some economies push to Open Up or Else, the Bank of Mom and Dad which fueled a lot of the pre-COVID19 economy will no longer be around to fuel consumption of goods and services.

The average value of inheritance in the UK (July 2020):

• £136,000 those born in the 1980s
• £107,000 for those born in the 1970s
• £66,000 for those born in the 1960s.
• note: Those born in 1980s added no wealth to the pool.
  Their wealth level was inherited from 1960s-70s.

The inherited wealth of the group 1980s represents about 14% of their overall lifetime earnings from work.

X*14% = £136,000       X=£1,000,000 

So a UK worker is expected to make £1Mill lifetime earnings, much less than a USA worker makes and depending on exchange rates.

From this 3 items:
1. In Bank of Mom and Dad is worth £136K
2. £136K is what the neoliberal economists are expecting to free-fall into the laps of the 1990s.
3. Some portion of the £136K will be clawed back in the way of taxes (progressive, regressive, fixed, threshold and other methods.

For the dead with no-surviving family the inheritance falls directly to the government by escheatment. Rules of inheritance are complex and vary by country.

“It is natural parents want to hand a legacy to their kids, but at some point we need a grown-up conversation about wealth. As we build back from the economic shock of coronavirus, politicians should use the tax system to tackle inequality and support high quality public services.”
  Robert Palmer, executive director of the campaign group Tax Justice UK

The amount of lost labor per worker dying is approximately 14ys(w) – 17yr(m)
(Australia May 31, 2020).

While things don’t always align, using the UK life time earning of £1Mill as a base and a generous 80yrs from a life table(2017) .

17/80yo = 21%    £1Mill * 21% = £210k lost wealth. 

So one conclusion that might be drawn is that the Lost Economic Value from COVID19 Impacts will be recovered from the residual value from the Bank of Mom and Dad. There is no recovery for the lost years of labor or investments (compounding interest annuities etc).

This does not cover all the economic losses of course. It does indicated the desperation for Reopening the Economies, forcing people to chose between homelessness, hunger, safety and to gamble on the outcome of a COVID-19 infection and the callous attitudes of those who do not think COVID-19 will touch their wealth or family.

“When they go to school – they’re not going to the hospitals. They’re not going to have to sit in doctor’s offices. They’re going to go home and they’re going to get over it … We gotta move forward.”
  Governor Mike Parson of Missouri

It is worth noting that M Bezos earned $10Bill in 1 Day. His accumulated wealth is greater than the GDP of countries. The Empire of Bezos would rank 51st in the order of GDPs. (July 2020)

Other economic numbers are also surfacing in regard to the advantages of dying early and often, to the economy.

Expected School Related Deaths = 2-3% increased mortality
note: the base is unknown. Either (mortality of children) or (overall mortality due to death of children + family).

Continued Opening the Economy with increased deaths = 3%, 4-5%, 7% .

For each additional death, the Bank of Mom and Dad falls into the Economic Recovery Bucket but will not fall into the bank accounts of any survivors.

disclaimer: I am not a statistician. I am not a lawyer. I know nothing. ymmv.

ht tps://en.wikipedia.org/wiki/Escheat

Escheat is a common law doctrine that transfers the real property of a person who has died without heirs to the Crown or state.

ht tps://www.theguardian.com/australia-news/2020/jul/23/australian-coronavirus-victims-lost-more-of-their-expected-lifespan-than-those-dying-of-coronary-heart-disease-dementia-and-stroke

ht tps://www.theguardian.com/commentisfree/2020/jul/21/americans-coronavirus-pandemic-workers-safety

ht tps://www.theguardian.com/inequality/2020/jul/22/one-in-10-born-in-80s-to-inherit-more-than-half-average-lifetime-earnings

ht tps://www.theguardian.com/world/2020/jul/22/us-reopening-politicians-volunteering-peoples-lives-coronavirus

@Clive and Others
ht tps://www.schneier.com/blog/archives/2020/03/friday_squid_bl_722.html#c6808282
ht tps://www.schneier.com/blog/archives/2020/04/friday_squid_bl_725.html#c6809748

100,000 people and losing a trillion dollars of wealth
losing 100,000 people is losing a 200 million hours of production
value of a statistical life = $10 million USD

(url fractured to prevent autorun)

JonKnowsNothing • July 23, 2020 9:35 PM

@Clive @MarkH @All
re:

Death of the Bank of Mom and Dad
Returning Children to Schools will increase mortality rates.

Expected School Related Deaths = 2-3% in increased mortality.
As noted previously, the base in unknown. Either (mortality of children) or (mortality of children+family)

A new study indicates that UK children could ‘lose 3% of lifetime earnings’ due to lockdown school closures.

This is calculated as

• Average annual earnings in the UK £30,000 (2019)
• a 3% reduction would amount to a loss of around £900 per year
• the working lifetime of a UK person is about 45 years
• equals lost earnings of up to £40,000
• normal lifetime earnings of £30,000 * 45 years = £1,350,000

The value of the 3% reduction of £40,000 over 45 years out of potential income of £1,350,000 = New Reduced income is £1,310,000.

No one likes a pay decrease but getting a £75 or more per month pay increase in time isn’t out of expectation.

What is hidden under the demand to Open the Schools Now! is the value of the lost taxes on £40,000 and of course the profits when the mortality rate hits and the neoliberals pocket not just the £40,000 decline in earnings but the entire full amount of £1,350,000 for each death.

UK Deaths = @45,500
+3% extra deaths = 1365
Value of Death Earnings 1365 * £1,350,000 = £1,842,750,000
Value of Bank of Mom and Dad = £136,000
No Inheritance Value 1365 * £136,000 = £185,640,000

Total In Hand Cash Savings = £2,028,390,000

disclaimer: I am not a statistician. I am not a lawyer. I know nothing. ymmv.

ht tps://www.theguardian.com/education/2020/jul/24/uk-children-could-lose-3-of-lifetime-earnings-due-to-lockdown-school-closures
(url fractured to prevent autorun)