Recent Comments


Note: new comments may take a few minutes to appear on this page.

June 30, 2015 2:15 PM

CJD on Twitter Followers: Please Use the Correct Feed:

I have it on good authority that it is actually an NSA account that is used to hit people that care about security with the quantum insert attacks.

*By "on good authority" I mean that I completely made this up, but that it wouldn't be shocking at all.

June 30, 2015 2:14 PM

Clive Robinson on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@ J on the river Lethe,

With regards "poo on a stick" yes it's fairly low risk unless you try to collect the sample "contortionist style". A colonoscopy has about a 1 in 1000 risk of death, and obviously much greater risk of injury due to perforation or rupture... You can blame the advance in chemical marker analysis technology (should be called "poo on a chip" ;) for the reduction in "nine foot garden hose upssies".

As for "black tea" it's all teas including nettle and one or two others (pine needle tea can give you CJD as well). The reason why it's more prevalent with black tea is partly to do with the fermentation process breaking down cell walls, but mainly due to the fact we mostly use tea bags... Basically to get the "tea quick" each bag, if steeped properly for 3-5 mins, will make around two liters of tea, but will make about 250ml if steeped for only 10-20 secs. But the tea is what is known as "dust" which has effectively been mechanically cut and milled; the result is the bad parts of the tea come out way faster than the good bits, and worse they tend to float to the top, hence that funny blue glint brown scum on top of a "bag in mug" cuppa but not when poured from the bottom of a pot. It's why using a proper tea pot, proper tea leaves and proper steeping is so important (oh and a lot less expensive).

As for kale... why oh why do people hear something is healthy and then go completely overboard and do stupid things???

First off, eating 3lb of kale a day is ridiculous, especially if your mad veggie smoothie diet also includes effectively cutting back on iodine and selenium...

Anything more than 6 ounces of any one raw veg at any one time is not a good idea due to dietary leaching effects, likewise 20 ounces of any one cooked veg.

To get the iodine and selenium up add about a half inch of dulse stem and an almond to the smoothie. Oh and make sure you still eat a balanced diet. Oh and watch out for haricot beans and similar pulses and soya; they have the same kidney harming properties.

As the old saying goes "A little bit of what you fancy does you good" but a lot of anything will kill you, including too much water. Fad diets from "A list Stars" do not equal common sense or sound nutritional advice.

June 30, 2015 2:12 PM

Bill P. Godfrey on Twitter Followers: Please Use the Correct Feed:

You could add an item on the RSS with a title encrypting the IP of the requesting client. (So each client that requests the RSS is given a different article title that identifies their source.)

Once the robot publishes their own IP to twitter, you can then redirect future requests to a special RSS feed that does nothing but post regular "Please follow @schneierblog for all future updates."

I'm not sure all that is worth the effort.
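A sketch of the per-client canary scheme described above, as an added example that is not part of the original comment or of the blog's own software. The secret key, the reader addresses and the republished tweet are constructed; the title carries an HMAC of the requesting IP rather than an encryption of it (so the feed itself reveals no address), and the token goes at the front of the title so it survives a bot that posts only part of the headline.

```python
import hashlib
import hmac
import ipaddress
import re
from xml.sax.saxutils import escape

# Constructed for the example; a real deployment keeps the key out of the code.
SECRET = b"constructed-feed-canary-key"
TOKEN_LEN = 8  # 32 bits of hex: enough to tell feed readers apart
TOKEN_RE = re.compile(r"\[([0-9a-f]{%d})\]" % TOKEN_LEN)
NOTICE = "Please follow @schneierblog for all future updates."


def canary_token(secret: bytes, client_ip: str) -> str:
    """Keyed token for one client IP (IPv4 or IPv6).

    An HMAC over the packed address means the feed reveals nothing about
    the address to anyone who does not hold the secret.
    """
    packed = ipaddress.ip_address(client_ip).packed  # also validates the IP
    return hmac.new(secret, packed, hashlib.sha256).hexdigest()[:TOKEN_LEN]


def canary_title(secret: bytes, client_ip: str, title: str) -> str:
    """Put the token first so it survives a bot that truncates headlines."""
    return f"[{canary_token(secret, client_ip)}] {title}"


def serve_feed(secret: bytes, client_ip: str, items, flagged):
    """Render RSS <item> elements for one requesting client.

    A client already identified as the republishing bot gets only the
    redirect notice; every other client gets the real items, each with a
    canary title bound to that client's address.
    """
    if client_ip in flagged:
        return [f"<item><title>{escape(NOTICE)}</title></item>"]
    rendered = []
    for title, link in items:
        rendered.append(
            "<item>"
            f"<title>{escape(canary_title(secret, client_ip, title))}</title>"
            f"<link>{escape(link)}</link>"
            "</item>"
        )
    return rendered


def identify_source(secret: bytes, republished_text: str, seen_clients):
    """Return the known client whose token appears in republished text, or None."""
    match = TOKEN_RE.search(republished_text)
    if match is None:
        return None
    token = match.group(1)
    for ip in seen_clients:
        # Recompute rather than store tokens: no token table to leak.
        if hmac.compare_digest(canary_token(secret, ip), token):
            return ip
    return None


def demo():
    """Constructed scenario: three readers fetch the feed, one republishes it."""
    readers = ["198.51.100.10", "203.0.113.7", "2001:db8::1"]  # documentation ranges
    headline = "Twitter Followers: Please Use the Correct Feed"
    items = [(headline, "https://example.com/post/1")]  # placeholder link
    for ip in readers:
        serve_feed(SECRET, ip, items, flagged=set())
    # The bot (constructed) tweets a truncated copy of its own feed's title.
    bot_tweet = canary_title(SECRET, "203.0.113.7", headline)[:30] + "..."
    return identify_source(SECRET, bot_tweet, readers)


if __name__ == "__main__":
    print("republishing client:", demo())
```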

June 30, 2015 2:09 PM

Archon on Twitter Followers: Please Use the Correct Feed:

Rip the band-aid off, Bruce. The problem has only become twice as bad in two years, and while I'm not a Twitter user myself, from what little I know you don't really have alternatives. (If anyone has any better an understanding, please correct me.)

While the user seems harmless and might well be, they've set up a MITM attack with a potential of hitting almost 30,000 victims. Do you really want to put yourself in a spot where one day you have to explain why you didn't do anything about a (very public) MITM until after Fake!Bruce posted a link to CryptoLocker suggesting it was a new firewall or password safe everyone should have?

You've given warning with this post, so pull the plug. I'm sure anyone who didn't just blindly follow you will find you again easily enough.

June 30, 2015 2:05 PM

John B on Tracking the Psychological Effects of the 9/11 Attacks:

If you look at things separately it makes little sense, only when you look at our troubles as parts of a greater whole does the picture become clear.

Our military organization today bears little relation to that known by any of my predecessors in peacetime, or indeed by the fighting men of World War II or Korea.

Until the latest of our world conflicts, the United States had no armaments industry. American makers of plowshares could, with time and as required, make swords as well. But now we can no longer risk emergency improvisation of national defense; we have been compelled to create a permanent armaments industry of vast proportions. Added to this, three and a half million men and women are directly engaged in the defense establishment. We annually spend on military security more than the net income of all United States corporations.

This conjunction of an immense military establishment and a large arms industry is new in the American experience. The total influence -- economic, political, even spiritual -- is felt in every city, every State house, every office of the Federal government. We recognize the imperative need for this development. Yet we must not fail to comprehend its grave implications. Our toil, resources and livelihood are all involved; so is the very structure of our society.

In the councils of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex. The potential for the disastrous rise of misplaced power exists and will persist.

We must never let the weight of this combination endanger our liberties or democratic processes. We should take nothing for granted. Only an alert and knowledgeable citizenry can compel the proper meshing of the huge industrial and military machinery of defense with our peaceful methods and goals, so that security and liberty may prosper together.
Dwight D. Eisenhower, 1960

June 30, 2015 2:00 PM

Andrew on Twitter Followers: Please Use the Correct Feed:

Since the fake @Bruce_Schneier twitter user only produces a portion of the headline, I think you really need to be short and punchy with your headlines in order to get it across to the followers (if the fake @Bruce_Schneier publishes it.)

Something like:

"Fake @Bruce_Schneier fools twitter followers" will alert the people following the fake account, even if it is cut to two words.

I didn't fully compare the two, but for Twitter's "n followers you know" blurb on both pages, most of the people Twitter thinks I know follow both @schneierblog and @Bruce_Schneier, so you aren't losing a full 10K of people by closing the fake account.

June 30, 2015 1:53 PM

Justin on Twitter Followers: Please Use the Correct Feed:

@Bruce Schneier

I'll say it straight out. Complain and have that fake account deleted as soon as possible. Anything else is a waste of time. It's a case of identity theft. Someone is impersonating you and communicating with others in your name. Don't let vanity get in the way. As you well know (and have reported yourself) the followers on the fake twitter account may be fake themselves. If they want to follow you, they will simply have to find the correct feed.

You've just duly notified anybody who is actually following your blog and reading it here. If you're a well-known personality in the security field, and you are going to be active on "social media," you need to be pro-active about your own personal security, too.

June 30, 2015 1:53 PM

newkidtown on Tracking the Psychological Effects of the 9/11 Attacks:

@Rufo Guerreschi,

NSA's success has been to catch a couple of dimwits who wired a few hundred $ and went to take a plane to go to AQ or ISIS areas. As for failures, suffice to say that China has the personnel records on tens of millions of USG employees and contractors.

June 30, 2015 1:31 PM

Rob Douglas on Twitter Followers: Please Use the Correct Feed:

Yes, you should have the impersonation account deleted and you should also have Twitter mark (blue check mark) your account as a Verified account.

June 30, 2015 1:29 PM

andrew rich on Twitter Followers: Please Use the Correct Feed:

Unfortunately Twitter doesn't have any facility to merge accounts. They'll delete an impersonator (eventually) if you report it, but can't merge. They might possibly allow you to take over the account without deleting it though.

June 30, 2015 12:57 PM

Jesse on TEMPEST Attack:

@Meee

> If they don't get in it just means you're not that important.

All that you are doing here is restating the foundation of all security planning: there exists no perfect security, only a capacity to make a compromise *more expensive* for the attacker.

So, for every hook, nook, or cranny that you seal from intrusion you are increasing the value of "that" in the "you're not that important" equation.

June 30, 2015 12:52 PM

Anonymous Cow on TEMPEST Attack:

...Even the AC power outlets in your home or office could be used...

Does your home/office have a smart meter from the power co.? Some of them can transmit data back to the power co. over the service lines; they don't need to connect even with wi-fi to your internet gateway.

June 30, 2015 12:20 PM

J on the river Lethe on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@clive. I held out hope for years. Fiber optic or the Israeli camera pill. Instead now apparently pooping on a stick is enough. No blood or cell culture? No plumbing up the bum. ( Billy Connelly describing the prostate exam is hilarious. ) Btw. Who knew kale is bad for kidneys? And black tea. I figure coffee washes away a lot of ill will. ;)

On topic sorta. With the latest stories of huge hacks. I am beginning to lose confidence that our government is giving as good as it gets in relation to China, Russia, etc. efforts. Too sad for sarcasm or lol.

June 30, 2015 11:51 AM

albert on Tracking the Psychological Effects of the 9/11 Attacks:

@Rufo Guerreschi, @CJ,
Your naivete is disappointing. The only reason we haven't been targeted is that no one is willing to target us at this time. ISIS is doing quite well with US weapons, and there's plenty of cash for their efforts. 911 was a brilliant tactical move, but there are many other avenues of attack that you haven't even considered, and won't read about until afterwards.
.
@CJ,
Good catch!
.
...

June 30, 2015 11:14 AM

Arthur on Tracking the Psychological Effects of the 9/11 Attacks:

It is hard for me to even begin reading a paper where the very first sentence includes a typo:

Terrorism did not become a significant public
concern in the United States until the attacks of
September 11, 2011.

June 30, 2015 11:02 AM

CJ on Tracking the Psychological Effects of the 9/11 Attacks:

It took me less than a week. I took my cue from the fourth plane. The one big security innovation was the folks on the Pennsylvania plane that fought back. This pretty much ended / transformed hijacking. Prior to this, you had a passive plane load of people flying to Cuba. I am still ready to jump someone, if necessary.

June 30, 2015 10:48 AM

Rufo Guerreschi on Tracking the Psychological Effects of the 9/11 Attacks:

To be fair, we cannot exclude that some of the post 9/11 security measures have had a very substantial effect in preventing major terrorist attacks.

In fact, the atrocities committed by the US in Muslim states and the huge funds potentially available in oil-rich Muslim states should have in theory increased radically the number of terrorist acts, which did not happen.

NSA capabilities in open sourced data mining, bulk surveillance and non-scalable targeted surveillance may have actually delivered, at least technically and at least so far.

June 30, 2015 10:43 AM

albert on Tracking the Psychological Effects of the 9/11 Attacks:

@chuck,
.
Indeed!
.
"... Although the management of terrorism events certainly involves risk assessment, it is equally important to understand how both actual terrorist attacks and threats are perceived by the general public. This understanding can help governments guide societal responses to terrorism as well as develop optimal policies for mitigating and responding to the threat...." - from the paper.
.
What a feeble attempt at justifying this waste of time and trees (or electrons).
.
This should be a clue of upcoming BS from the social 'scientists'. Populations are "guided" by the US government's pronouncements, and their lapdogs, the MSM. The "optimal policies for mitigating and responding to the threat" are, and have been, well known, and ignored.
.
Please, can someone find useful employment for these people? Maybe they could go to the ME, and research the feelings of folks who are homeless, hungry, sick, or blown up and shot.
.
Come to think of it, maybe they could do that right here.
.
...

June 30, 2015 10:40 AM

d33t on Tracking the Psychological Effects of the 9/11 Attacks:

The other day while in a "Target" store pharmacy (only pharmacy for miles), I read a big sign on the wall alerting me to the blanket of Patriot Act provisions that cover the pharmacy under the guise of "terrorism". I instantly had the same physical / emotional response I had when I realized that anthrax was being used in the US to forcibly pass the Patriot Act as a group response to "terrorism" in 2001. My feeling of overall dread, nausea and repulsion returned immediately. I remember realizing that it was the beginning of the end to paper civil rights in the US in 2001. This sign called out the seeking of pseudoephedrine by fraud as an act of terrorism specifically and all of the huge financial fines and jail time possible for being involved in such a crime. Pseudoephedrine of course being one of the components that is commonly used in the manufacture of "Crystal Meth". "Crystal Meth", a favorite replacement drug for many of the poor, chemically altered people who were subjected to "Ritalin" and "Adderall" experiments by physicians for the last several decades. I've met many Bipolar, Borderline, ADD / ADHD (other) patients who started their journey down the spiraled rabbit hole with drugs used to "treat" hyperactivity in children. Many of the others I've met got there by exposure to things like nasal sprays manufactured by a huge drug company that were used as post nasal drip remedies in the 1970's. Some of those remedies used speed as a main ingredient too.

I still find it odd to see a public misinterpretation of an illegal act of congress pasted to the wall of a generic pharmacy naming a precursor substance used to manufacture a drug that is commonly sought out by people who have been chemically altered by big pharma. I mentioned that to the pharmacist and he smiled.

Ever since 9/11 to this day, still living thousands of miles away from ground zero, I feel like I've been making the best of living in a novel written secretly by Kafka, Burroughs, Thompson, Bernays and Orwell while tapping away at a machine designed by Turing in an attempt to reanimate his dead friend funded by WWII. Sometimes when I hit the right combination of keys with the right timing, digital biosurvival tickets appear in my federal reserve account. I feel lucky to at least realize my situation, and that I haven't been subjected to any kind of irreversible chemical alteration myself yet. Big pharma won the US elections fair and square in 2008 though, so it's likely just a matter of time before all of those bad feelings about 9/11, the Patriot Act, and the loss of my paper civil rights get "treated" and I too can go on my happy way down the rabbit hole toward whatever it is we're doing to ourselves right now.

It is amazing how a sign about 9/11 and "terrorism" can trigger such a deep response in a person as jaded as me.

June 30, 2015 10:32 AM

Gerard van Vooren on Tracking the Psychological Effects of the 9/11 Attacks:

@ 65535

"In a sense, the Terrorist have won..."

The problem with the polarization politics in the US is that they just said: the terrorist. Like with the communist or whatever. It is a thought terminating cliché.

If you mean with the terrorist Al Qaida I don't think they have 'won' at all.

But who did win? Like with every war the War Against Terror was/is a racket. Who won were the suppliers of this war. The rest, as usual, lost.

June 30, 2015 10:21 AM

albert on Tracking the Psychological Effects of the 9/11 Attacks:

@65535, (are you a 16, 32, or 64-bit number, signed or unsigned?)
.
"...The terrorists did huge damage to the USA with lasting effects to its citizens via manipulating the US government to over-react with measures only hurting its own citizens and its economy. ..."
.
And the worst is yet to come. 911 was a boon to the IC and DOD contractors. They continue to rake in billions. With a permanent Terror Threat now in place, other benefits include the militarization of police forces, access and control of all citizens' personal information, the ability to squash protest and criticism....
.
Real change in the US system will come from without, totally as the result of failed US foreign policy, and the US-controlled Ponzi banking system.
.
Does anyone wonder why there are so many conspiracy theories regarding the 2 WTC attacks, the Oklahoma City bombing, the anthrax attack...?
.
...

June 30, 2015 10:14 AM

jones on Tracking the Psychological Effects of the 9/11 Attacks:

But this isn't just measuring the psychological effects of the attack: most Americans don't live in New York City. This is measuring the psychological effects of the media, since most people saw the attacks -- over and over and over again -- on the TV.

June 30, 2015 10:13 AM

CallMeLateForSupper on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

Washington Post home page has gone SSL. Remaining pages will transition to SSL over the coming months.

(delete the extra "h")
hhttps://www.washingtonpost.com/blogs/the-switch/wp/2015/06/30/washington-post-starts-to-automatically-encrypt-part-of-web-site-for-visitors/

June 30, 2015 9:56 AM

albert on What is the DoD's Position on Backdoors in Security Systems?:

@Clive,

I can see like a hawk close up, but the good old days of trace cutting are long past. A good stereo microscope and watchmakers hands are minimum requirements today. :)
.
How about an IR LED tap emitting through a vent hole?
.
...

June 30, 2015 8:50 AM

Clive Robinson on TEMPEST Attack:

@ Bob S,

Be wary of strangers carrying pita bread.

If I remember correctly the original was,

    Be wary of Greeks bearing gifts

Which might be sage advice currently if you are a senior official in Germany, the European Central Bank or International Monetary Fund.

And as for one senior European official saying "A slow death is better than suicide" to the Greeks, he really should have his brains examined by a Dr, before a Greek comes along and does it with a hammer and chisel.... We really do not need moronic EU officials trying to "pour oil on troubled waters" when the Greeks are standing on the shore "burning with anger"; it's only going to cause a conflagration which may have world wide repercussions, the very least of which might be another recession.

June 30, 2015 8:36 AM

Clive Robinson on What is the DoD's Position on Backdoors in Security Systems?:

@ albert,

BTW, it's quite simple to intercept serial data, and it's easy to decode. It's right in the data sheet :)

For the sufficiently technically skilled, yes you can cut it and insert a device that stores, checks and forwards/drops. But that is way way harder than cutting a single PCB trace based on a photo you've downloaded from the web, which for instance is what many Ham transceiver band extension and games console workarounds used to be.

It puts you in the "Inline Media Encryptor" or "forensic tool" domain where prices alone are upwards of annual minimum wages.

But then it still leaves you with a backdoor trust issue because you come back to using somebody's untrusted SoC...

Which means that in effect technology is now beyond verifiable trust...

And people wonder why I've older hardware built into fire proof security safes with extra anti-tamper devices which I've given a general outline of before on this blog (search for Nick P and my names plus the word thermite).

Oh and when you go to old junk fairs etc start buying up old kit; if people ask you why, say you are an artist or some such and you build them into art pieces, sculptures, etc. Or you do it to support old computers in charities etc ( might get it for less if not free ;-)

June 30, 2015 8:10 AM

Clive Robinson on TEMPEST Attack:

You could hide all of this not in a Pita but one of those nice leather bound writing pad holders.

That nice "welted" edge would be a really nice place to put the magnetic loop antenna, and reasonable sized batteries and a micro memory card put under the sprung pad holder. The fact that most such holders have a stiff internal board and padding under the leather would mean that the board could be double sided FR4 PCB with all the electronics being surface mount. You could also have a miniature "reed switch" in the pen holder such that a small magnet in a very expensive Montblanc etc pen could be used to turn it off and on.

Whilst putting a pita in range of the laptop might be odd and prone to discovery, putting an expensive pad holder down next to or close to the laptop to take notes most certainly would not.

Oh and the range of magnetic antennas goes up proportional to the area of the loop, so with around ten times the area the range is going to increase by between 10^-3 and 10^-2 which is pushing it up to the meter range. Also if you have two loops, one in either cover, and you hold them at around ninety degrees to each other you can feed this data into a few interesting computer algorithms such that you can "notch out" even quite strong interfering signals providing you don't hit the receiver's end stops on dynamic range...

I could make it even more sensitive using other tricks...

However if I was to manufacture such items how much would you think folks would be willing to pay? I reckon 10,000 USD would not be unreasonable with the appropriate software. Oh and for say 5000 more I could add encryption to the data going onto the memory cards.

As for "copper pipes" remember they have insides as well as outsides; the inside will make a rather good 12GHz and up waveguide. Further if you have two pipes run as a parallel pair they will act rather more efficiently as a high impedance "transmission line" than an antenna. Which means that they will carry the signal way way way further for any given power as well as being difficult to find with most "bug hunter" receivers, and such low power would mean a long battery life or better still a couple of thermocouples using the heat differential between the pipes and other fixings...

June 30, 2015 7:56 AM

65535 on Tracking the Psychological Effects of the 9/11 Attacks:

“However, over time, as security measures became more intrusive (such as with the implementation of the Patriot Act), the public became less tolerant of such policies [That is an understatement of the year! –Ed]. Over time confidence in government decreased [drastically! – Ed], mirrored by a shift in public attitudes regarding the sacrifice of various civil liberties to allow for more effective investigation of potential terrorist activities. Even in recent years there has been much debate over the legitimacy and potential violation of personal privacy through the use of full body scanners and other invasive TSA measures [Enormous debate, irritation, loss of time, loss of income, and a number legal battles!]” –USC

See page 13 of pdf:
http://create.usc.edu/sites/default/files/publications//thedynamicsofevolvingbeliefsconcernsemotionsandbehavior.pdf

I have added a few editorial remarks to the text to better reflect reality.

In a sense, the Terrorist have won by causing the huge invasive TSA Cattle lines at airports, extensive waste of billions of tax dollars spent on “Security Theater,” shredding of the Fourth Amendment and other parts of the US Constitution with little or no actual improvement in security – as demonstrated by the Boston terror attack!

The terrorists did huge damage to the USA with lasting effects to its citizens via manipulating the US government to over-react with measures only hurting its own citizens and its economy.

June 30, 2015 7:17 AM

chuck on Tracking the Psychological Effects of the 9/11 Attacks:

"Although most of the correlations are significantly different from zero (alpha = 0.01), none of the correlations indicate a strong relationship among any of the six response variables."

In other words, the data presented are a Rorschach test.

June 30, 2015 6:46 AM

Bob S. on Tracking the Psychological Effects of the 9/11 Attacks:

I wonder how much purposeful government fear propaganda impacts personal perceptions and behavior?

For decades media and police dutifully warned parents and kids about needles and razor blades in apples/candy on Halloween, only to find out no such risk ever existed.

Of course, we have had various real attacks by deranged criminals over the years, but not that many.

What would be a fair and reasonable estimation of the risk of such an attack? My estimate would be less than getting hit by lightning.

Many high officials are using the media to beat the fear drum for the upcoming holiday. I'll just say it, it makes me want to puke. If there's some specific and legitimate threat, the government should deal with it rather than deliberately trying to ruin the holiday with fears of bogeymen lurking behind every bush.

Happy Independence Day all!

June 30, 2015 5:51 AM

anon on Other GCHQ News from Snowden:

@Skeptical At worst, they're exploring using non-violent means to prevent persons from joining violent movements and to disrupt existing violent and criminal organizations. That's not a terrible thing.

Let's have a government agency manipulate public opinion, give them vast resources and let them operate in secret.

Surely, nobody will ever exploit this.

June 30, 2015 3:31 AM

tyr on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

I'm not sure what to make of this. I'll have to re-read for the implications but it is good to see this stuff exposed to scrutiny.

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2594754

@ Clive

The specialization that has occurred between abstraction and mechanization has a lot of built in traps for the unwary. Software types think it is all deterministic and the mech aware have seen the timing problems of any useful implementation.

Automagic software just makes the problem worse and layering it with tech illiterate management is not a help to anyone. Sometimes a simple mechanical solution is superior to the software creep induced by the old adage about the man with a hammer wants every problem to be a nail. Anyone who thinks that software can solve all problems is a Platonic delusionist. A machine that combines superb software and hardware is a joy to use and work with but there has been loads of badly designed junk foisted on the unaware.

I worked on a lot of metallic ion deposition facsimile machines but never cared much for the exposed high voltage of their Rube Goldberg construction. Your plan sounded like a better way once you got past the timing problems.

The wallet is the limiting factor on some experimentation.

June 30, 2015 2:46 AM

Wesley Parish on TEMPEST Attack:

And there I was thinking that pita bread was only used for making felafel and the like ... boy, was I mistaken! What happens if someone actually tries to eat it? (It is a bit bigger than I was led to believe. I was picturing something the size of a hearing-aid.)

One counterattack is to buy up big in pita bread whenever you suspect someone's going to scatter inedible pita around. Then feed the surplus to random beggars and sundry strangers. That way, if you were served up with a helping of eavesdropping pita, you can use your loaf and let some beggar curse you for giving him a lump of inedible electronics - though if said beggar has nous enough, he'll sell the electronics to some random recycler and $PROFIT$ from someone else's stupidity.

June 30, 2015 2:37 AM

65535 on TEMPEST Attack:

@ Nick P

“Note: Even your water pipes are a threat. Someone needs to circulate a "Restrooms considered harmful" paper in ACM or IEEE. Mwahahahaha.”

Ha!

A lot of things can serve as a “wire” to send data down. Even the AC power outlets in your home or office could be used.

“Barbed wire telephone lines were local networks created in rural America at the end of the 19th century and beginning of 20th century. In some isolated farmers' communities, it was not cost effective for corporations to invest on the telephone infrastructure. Instead, the existing extent of barbed wire fences could be use to transmit electric signals and connect phones in neighboring farms.” –Wikipedia

https://en.wikipedia.org/wiki/Barbed_wire_telephone_lines

June 30, 2015 2:23 AM

65535 on TEMPEST Attack:

@ parrot

“This was my thought at first, but after some thought I wonder if this isn't all that hard to do. One could imagine a state actor who has full view of the network could simply watch and wait for ciphertexts that match their needs (e.g. a large amount of ones). Then, through other means, they install their EM sniffing devices and just correlate what it sees on the network with what emissions the sniffer sees… I'm assuming that this attack isn't just possible for low-bandwidth PGP, but potentially high bandwidth TLS applications where signatures are made constantly by a highly trafficked server…”

That’s a good possibility.

@ Thoth

“These are very common problems with cryptography on any electronic devices. @Clive Robinson has spoken a lot about this problem very widely and for a very long time. EMSEC is something hard to get right and even the "EMSEC-protected" machines may use fixed methodologies which one may be able to adapt and re-issue an adapted attack vector.”

I agree.

Here is Clive’s idea to solve the distance problem with a device to “call home” or to “store and forward” the stolen keys out:

“…the application the researchers developed for the "smart phone connected to an AM band radio audio output" could be easily modified to "do an ET" and phone home or act as a "store and forward" so that it can be called up… You could also put the sensor in a laptop power supply adaptor, and just send out the information via "Home mains networking" or short hop HF through UHF bugging device to a couple of Km with little or no difficulty as you have an inbuilt power source and antenna...

“It is when all is said and done just another "end run" attack, just like putting a miniature WiFi CCTV camera in the "smoke detector" in a hotel room where it can see what the weary business traveler types in on the keyboard when downloading their email etc… [1] Think of the bits inside of a "Mobile Broadband Dongle"(MBD), it would not take any kind of genius to "augment" one to act as an appropriate EM detector as an extra function, likewise the Near Field Connectivity(NFC) in dongles and now being built into mobile phones as standard would be ideal as sensing heads. It is something I've been thinking about off and on for a few years due to some work I was asked to do for an organisation that was contracting services to a state level organisation. Oh and as the Chinese make by far the majority of the MBDs, NFCs and almost certainly the IoT devices as well, we might well not be talking "in the future tense"; it might well have happened already...”

https://www.schneier.com/blog/archives/2015/06/friday_squid_bl_483.html#c6699014

There are probably a lot of ways to ex-filtrate the keys via some modified cell phone, hacked router, hidden device connected to a bot net’d box and so on.

June 30, 2015 2:03 AM

qb on Migrating from SHA-1 to SHA-2:

@Me

> That is, we will be able to solve NP-hard problems in P-time

That's not true. At least, most complexity theorists believe it's not. Don't believe everything "journalists" spew. See e.g. https://en.wikipedia.org/wiki/BQP . We may be able to do away with currently dominant flavors of asymmetric crypto (cf. Shor's Algorithm), but there are schemes not amenable to quantum computers, even if those can be built and scaled (e.g. lattice-based crypto).

June 30, 2015 1:05 AM

Wael on TEMPEST Attack:

@Nick P,

Even your water pipes are a threat. Someone needs to circulate a "Restrooms considered harmful" paper in ACM or IEEE. Mwahahahaha.

As a matter of fact, water pipes are a threat! Remember the toilet-bowl bug? (the last paragraph.) They could be used as antennas or transmission lines as well...

June 30, 2015 12:55 AM

Wael on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@Figureitout,

Anyone w/ a desktop computer can look in at the power switch and note the twisted wires to deal w/ RFI/EMI. Interesting to see the concept cross over different mediums; also the constant circular rotation is so prevalent in our universe (look at our planet spinning, orbiting, and our galaxy), it's spooky.

Because everything in the universe is sinusoidal (I am not sure it's true, but one of my teachers told us that a long time ago.)

And because different disciplines obey the same laws. You'll end up solving the same set of differential equations whether you're doing mechanical engineering or electrical engineering. One of the areas that amazed me a while back was that one can prove trigonometric identities the classic way or using probability or using Fourier / Laplace transforms. I don't remember the details but I am sure you won't have a hard time finding the ways.

Speaking of twisted wires, they do form a transmission line. You may also notice ferrite beads at the ends of the wires, especially high frequency / bandwidth ones such as your monitor cable (mostly embedded in the connector ends) to reduce stray fields. The equations you use for these won't be dealing with Voltages and Currents. They'll be dealing with Electric Fields and Magnetic Fields, because as the frequency goes higher, and the wavelength becomes comparable to the physical dimensions of the circuitry, then Field theory is the way to go.

circular rotation is so prevalent in our universe (look at our planet spinning, orbiting, and our galaxy), it's spooky.

It's doubly spooky ;)

June 30, 2015 12:38 AM

MorePower on TEMPEST Attack:

@comment
The range can be extended *slightly* by the use of more powerful equipment

Hamburger buns? Or perhaps a Bagel?

June 30, 2015 12:38 AM

Wael on TEMPEST Attack:

@Jack L,

hmm so this could be pulled using the radio inside cell phones

Probably not without modifications.

June 30, 2015 12:36 AM

Wael on TEMPEST Attack:

@Slime Mold with Mustard,

You can build your own [...] (If you have a 6 figure budget)

Or you can visit your military surplus store and keep an eye on a Security Tent. And if you convince the clerk that it's a camping tent, you may even get it for $20.00...

June 30, 2015 12:12 AM

It's Meee on TEMPEST Attack:

> I wonder if this isn't all that hard to do.

Jack, if they want into your computer, they're gonna get in, by hook, nack, or cranny. If they don't get in it just means you're not that important.

June 29, 2015 11:05 PM

Slime Mold with Mustard on TEMPEST Attack:

@ Jack L

You give your cell phone to the "attendant" (the guy with the gun) before you go in. I have seen magnetometers installed to help people remember. Also, they can't transmit from inside, although they can certainly record and photograph.

Oh, and turn it off. We don't want to drive the guy with the gun nuts.

June 29, 2015 10:47 PM

Slime Mold with Mustard on TEMPEST Attack:

You can build your own SENSITIVE COMPARTMENTED INFORMATION FACILITY (SCIF)
(If you have a 6 figure budget)
This from the Department of Homeland Security 2004

http://fas.org/irp/offdocs/dcid6-9.htm

There is a 2007 version out there somewhere.

Could someone save this link and post when this comes up on the Squid Thread - as it almost always does!

June 29, 2015 10:38 PM

Jack L on TEMPEST Attack:

Article quoted by Bruce:

The attack can be executed using cheap and readily-available equipment: a consumer-grade radio receiver or a Software Defined Radio USB dongle.

hmm so this could be pulled using the radio inside cell phones (the one that communicates with the cell towers)...

in other words, better not to have your cell phone close to your laptop when logging into secure sites...

June 29, 2015 9:09 PM

Figureitout on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

Nick P
appreciate the effort you put into proving my point, though
--Thanks it took like 0.000000035 seconds on google, so long as the point is that Lisp can be just as bad if not worse than C, depending on the programmer and the logic s/he injects in the CPU. These were macros written in the 1990's and 2015. And also it's only used in niche communities b/c it doesn't jive w/ majority of human beings who still use C, 40+ years later...Do a better more objective comparison next time that's expected of you.

Justin
--Good I don't know you either (did you sell cars in another life or is that another Justin?). I don't care what worthless trolls say, so long as they don't say my name; I want nothing to do w/ them.

tyr
--Thanks, interesting. Pretty funny what simple screwing around can do lol.

Clive Robinson
--Thanks, interesting as always. You've mentioned needing a reliable time source in past, is an external XTAL it? Like if I can't see the damn crystal to not trust? If you're always relying on some other reference you can't really trust it not to be tampered if the full spectrum of attacks are considered.

Another question, got some school stuff I'm working on and going to finish up a little HWRNG research hopefully while summer lasts (spoiler, it sucked. My assumptions were wrong and I couldn't *obviously* tell I affected output (I was limited by my 1980's radio and my $8 "spectrum analyzer", which is a frickin' joke for real research anyway, but I couldn't get down to bands below 24MHz and trying to get to the harmonic was too far away) but you have to collect so much data to see the patterns and I didn't want to get so comically obvious like pointing a goddamn microwave horn antenna blasting the circuit point blank and "hurr durr, it caused some problems" even though I was touching antennas on power rails to circuit w/ 100W CW, so I'm going to come back to it) but also connecting a radar 2 modules w/ G/FSK (I'm using firmware w/o OOK). I'm going to try w/ arduino first just to see if it works which I'm expecting nearly 100%.

Anyway the question, I can't predict all the attacks and deal w/ that in firmware. Using mostly the given protocols (I'm not sure if I'd have to change the SPI one which involves like hex opcodes that don't make sense at all immediately), I have a couple ideas. First I want to take in a "password" that's stored in EEPROM that needs to be transmitted before initiating any other comms, this is manually input basically anytime you want, weekly, monthly, etc. I think I could make this upwards of a 32-bit number, or longer (but I can extend that later of course, just want to see this working). Second, for jamming attacks, if "master" initiates and doesn't receive ACK, to keep switching bands and modulation types. On modern systems this is automatic and way more advanced but I want to do it in my basement. This can be done fairly simply w/ switch statements I *believe*.

Lastly, OT. A little observation you and others may like. I like when concepts intertwine w/ each other and especially when equations cross disciplines like chemistry, biology, electronics, etc.. Well was on a boat past week and we have some straps that oscillate in the wind, really annoying. It can be essentially quelled by simply twisting the strap, which you can visualize by the twists inverting and cancelling out the waves. Anyone w/ a desktop computer can look in at the power switch and note the twisted wires to deal w/ RFI/EMI. Interesting to see the concept cross over different mediums; also the constant circular rotation is so prevalent in our universe (look at our planet spinning, orbiting, and our galaxy), it's spooky.

ugh
--I've been dealing w/ this for years so it's not really a new concern I'm not already aware of. You know they don't exactly face me in person, well I confronted one at a bar one time and he got all scared and if I catch one at night one of us is going to die or go to hospital.

No I won't change my nick or go to other sites. This is my social network, pathetic but I don't care; few years I'll probably be gone or when blog goes down permanently. I don't facebook, twitter, instagram, just made a reddit, going to make another github, and have a blog. The troll can go to other sites like 4chan and be a worthless waste of space for all I care; just keep my name out of his/her worthless mouth.
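A desk simulation of the two link-setup ideas in Figureitout's post above (stored token sent before any other traffic, then hopping band and modulation on a missing ACK), added here as an example and not the poster's firmware. The band and modulation names, the EEPROM image and the jammed slots are constructed; note that a fixed token sent in the clear can be recorded and replayed, so it only stops accidental talkers, not a deliberate one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed band/modulation sets (the post mentions G/FSK, no OOK). */
enum band { BAND_433 = 0, BAND_868, BAND_915, BAND_COUNT };
enum mod  { MOD_GFSK = 0, MOD_FSK, MOD_COUNT };

struct radio_cfg { enum band band; enum mod mod; };

/* Constructed stand-in for the EEPROM cell holding the 32-bit shared token. */
static const uint8_t eeprom_image[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Read the token big-endian from the EEPROM image. */
uint32_t load_token(const uint8_t *eeprom)
{
    return ((uint32_t)eeprom[0] << 24) | ((uint32_t)eeprom[1] << 16)
         | ((uint32_t)eeprom[2] << 8)  |  (uint32_t)eeprom[3];
}

/* Hop schedule done with switch statements: try the other modulation on the
   current band first, then move to the next band, wrapping at the end. */
struct radio_cfg next_cfg(struct radio_cfg c)
{
    switch (c.mod) {
    case MOD_GFSK:
        c.mod = MOD_FSK;
        return c;                 /* same band, other modulation */
    case MOD_FSK:
    default:
        c.mod = MOD_GFSK;         /* modulations exhausted: hop band */
        break;
    }
    switch (c.band) {
    case BAND_433: c.band = BAND_868; break;
    case BAND_868: c.band = BAND_915; break;
    case BAND_915:
    default:       c.band = BAND_433; break;
    }
    return c;
}

/* Simulated air interface: a jammed (band, mod) slot never returns an ACK,
   and the slave ACKs only when the received token equals its stored one. */
struct sim_link {
    uint32_t jammed_mask;   /* bit (band * MOD_COUNT + mod) set => jammed */
    uint32_t slave_token;
};

static uint32_t slot_bit(struct radio_cfg c)
{
    return 1u << ((unsigned)c.band * MOD_COUNT + (unsigned)c.mod);
}

bool sim_send_auth(const struct sim_link *l, struct radio_cfg c, uint32_t token)
{
    if (l->jammed_mask & slot_bit(c))
        return false;           /* silence: master treats it as jamming */
    return token == l->slave_token;
}

/* Master side: send the stored token, wait for the ACK, hop on silence.
   Returns the 1-based attempt count on success, -1 once every slot failed. */
int establish_link(const struct sim_link *l, const uint8_t *eeprom,
                   struct radio_cfg *out)
{
    uint32_t token = load_token(eeprom);
    struct radio_cfg c = { BAND_433, MOD_GFSK };
    for (int attempt = 1; attempt <= BAND_COUNT * MOD_COUNT; attempt++) {
        if (sim_send_auth(l, c, token)) {
            *out = c;
            return attempt;
        }
        c = next_cfg(c);
    }
    return -1;
}

int main(void)
{
    /* Constructed scenario: 433/GFSK, 433/FSK and 868/GFSK are jammed. */
    struct sim_link link = { .jammed_mask = 0x7, .slave_token = 0xDEADBEEF };
    struct radio_cfg got;
    int n = establish_link(&link, eeprom_image, &got);
    printf("linked after %d attempts on band %d mod %d\n", n, got.band, got.mod);
    return n > 0 ? 0 : 1;
}
```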

June 29, 2015 9:05 PM

DoNotEnter on TEMPEST Attack:

"Note: Even your water pipes are a threat. Someone needs to circulate a "Restrooms considered harmful" paper in ACM or IEEE. Mwahahahaha."

I once worked on a project with a real paranoid client. We worked in the basement behind double sets of steel doors with 6 digit combo locks on each. One day the client visited and freaked out when he saw two copper pipes that went to the outside A/C compressor. No air ducts, just the cooling freon pipes. The air would get so stagnant that late at night we would momentarily hold all the doors open with fans blowing just to get some fresh air inside. We were told to remove the pipes because someone might use those as signal conduits, even though the building was buried deep in a campus of high security buildings.

June 29, 2015 8:39 PM

Nick P on TEMPEST Attack:

The Hacker News and Reddit threads seemed quite clueless. We've had a nice information page for a long time:

http://www.jammed.com/~jwa/tempest.html

Might be a good side project for someone to use Wayback Machine or ask people for cached copies to produce a nice zip file (or series of them) with all the relevant information. A number of those companies still exist. One that did classified training on TEMPEST said general TEMPEST info got unclassified and they can teach whoever. They have a book for sale on it. The Swedish shielding company's office enclosures were pretty nice. As are the descriptions of shielded PC cases people acquired in surplus.

Universities need to be working and publishing on this subject en masse. Especially trying to figure out what the "seismic" category is. Or pushing limits of active attacks that bounce a beam off the electronics. Also, remember that ultrasound is a more recent threat that government panicked on. I don't think they're looking into infrasound yet so get on that now to earn your black patent. ;)

Note: Even your water pipes are a threat. Someone needs to circulate a "Restrooms considered harmful" paper in ACM or IEEE. Mwahahahaha.

June 29, 2015 7:55 PM

Justin on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@ Milo M.

Re: inBloom Wikipedia deletion

As far as the Wikipedia article is concerned, maybe people just don't care. But if you are looking for a conspiracy, sure they wanted a glowing article that "read like an advertisement" while the project was still viable, but when the project failed, some business interests wanted to leave as little record of the failure as possible. Perhaps the idea is seen as still viable, and something that the venture capitalists would want to fund again, if they can put a more positive spin on the privacy aspects and disclaim any connection to the old project.

June 29, 2015 7:36 PM

Thoth on TEMPEST Attack:

@all
These are very common problems with cryptography on any electronic devices. @Clive Robinson has spoken a lot about this problem very widely and for a very long time. EMSEC is something hard to get right and even the "EMSEC-protected" machines may use fixed methodologies which one may be able to adapt and re-issue an adapted attack vector. It is kind of a cat and mouse game in the end.

The best protection is active offense which is to generate tonnes of noise with lots of redundancy (multi-core processors with huge amount of redundant and dynamically changing steps) which @Clive Robinson and I have suggested for active protection systems.

June 29, 2015 4:20 PM

gordo on TEMPEST Attack:

@ parrot

Pita bread is such a weird thing to compare it to.

Portable Instrument for Trace Acquisition (Pita)

The idea to actually cloak the device in a pita—and name it as such—was a last minute addition, Tomer says. The researchers found a piece of the bread in their lab on the night before their deadline and discovered that all their electronics could fit inside it. (Wired article)

That also brings these to mind:

The Practice of Everyday Life

"Today's NSA secrets become tomorrow's PhD theses and the next day's hacker tools."

June 29, 2015 4:05 PM

Comment on TEMPEST Attack:

@parrot

The range can be extended *slightly* by the use of more powerful equipment but with it comes interference from other nearby devices.

It would have to be concealed under a desk or maybe in a wall to be effective. And even then it would need to pick up the keys at just the right time.

June 29, 2015 3:41 PM

parrot on TEMPEST Attack:

@Bob S.

I know, right? Pita bread is such a weird thing to compare it to. Maybe they're hackin' folks in Greek restaurants doing their online banking.....

June 29, 2015 3:33 PM

Bob S. on TEMPEST Attack:

Today's OPSEC lesson:

Be wary of strangers carrying pita bread.

June 29, 2015 3:22 PM

parrot on TEMPEST Attack:

@orcmid

Hmm. This was my thought at first, but after some thought I wonder if this isn't all that hard to do.

One could imagine a state actor who has full view of the network could simply watch and wait for ciphertexts that match their needs (e.g. a large amount of ones). Then, through other means, they install their EM sniffing devices and just correlate what it sees on the network with what emissions the sniffer sees.

Of course, I'm assuming that this attack isn't just possible for low-bandwidth PGP, but potentially high bandwidth TLS applications where signatures are made constantly by a highly trafficked server.

And that being said, browsers control one-half of the channels with servers. They may have some power here to force a useful message to be signed during the TLS handshake.

June 29, 2015 3:17 PM

BrotherChew on TEMPEST Attack:

@ orcmid

Um, when the abstract gets to sending "carefully-crafted ciphertexts" to the target computer, I am left wondering exactly how does *that* happen in an unobserved way?

From the article: "GnuPG is often invoked to decrypt externally-controlled inputs, fed into it by numerous frontends, via emails, files, chat and web pages. The list of GnuPG frontends contains dozens of such applications, each of them can be potentially used in order to make the target decrypt the chosen ciphertexts required by our attack. As a concrete example, Enigmail (a popular plugin to the Thunderbird e-mail client) automatically decrypts incoming e-mail (for notification purposes) using GnuPG. An attacker can e-mail suitably-crafted messages to the victims (using the OpenPGP and PGP/MIME protocols), wait until they reach the target computer, and observe the target's EM emanations during their decryption"

Looks like some basic knowledge of what's running on the system is required, although you'd probably have that requisite information anyway if you were to execute this targeted attack.

June 29, 2015 3:04 PM

orcmid on TEMPEST Attack:

Um, when the abstract gets to sending "carefully-crafted ciphertexts" to the target computer, I am left wondering exactly how does *that* happen in an unobserved way?

This would seem to require a highly-targeted attack and a few other conditions beside proximity.

June 29, 2015 2:49 PM

albert on What is the DoD's Position on Backdoors in Security Systems?:

@Clive,
As I know from experience, doing it in software beats doing it in hardware every time, cost wise. If a human had to move a jumper to reprogram an embedded system (even if done remotely) it would go a long way towards securing that system. Physical access used to be the only way to program a PLC, and it's still the most secure way. Now we have, in our PCs, embedded systems in our disk drives, graphics cards, communication boards, and any external devices we care to plug in. Most can be flashed remotely. Many are integrated on to the MB. Nightmares. It looks like all but the cheapest embedded systems now use generic SOCs, with additional boards for specific I/O. This is good, as long as you know what's in the SOC. BTW, it's quite simple to intercept serial data, and it's easy to decode. It's right in the data sheet:)
.
...

June 29, 2015 2:47 PM

parrot on TEMPEST Attack:

@Comment

I presume that more money can buy you at least a few meters of distance. That might be interesting in a multi-tenant hosting environment or in a corporate cube farm.

June 29, 2015 2:35 PM

Comment on TEMPEST Attack:

I remarked upon this in another thread when the story was first released. It seems an extremely practical attack although is somewhat stymied by the proximity required to extract the keys.

June 29, 2015 1:36 PM

me on Other GCHQ News from Snowden:

England is truly lost. It's not even a controversial statement.

America... Despite the evidence piling up, I'm still in denial that they are post-constitutional. I have a sinking feeling though I'm going to hit F5 and ...

June 29, 2015 1:09 PM

Milo M. on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@CallMeLateForSupper • June 28, 2015 10:51 AM

A bit of explanation of the delete here, reached from the link you supplied:

https://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/InBloom

"Looks like it was a student database that failed due to privacy concerns. I don't think a worthwhile article can be made on this topic - it would be just a re-hash of one of the news articles."

The links 2, 3, and 4 in the Wikipedia page:

April 2014:

http://bits.blogs.nytimes.com/2014/04/21/inbloom-student-data-repository-to-close/

"Financed with $100 million in seed money from the Bill and Melinda Gates Foundation along with the Carnegie Corporation of New York, the venture promised to streamline how teachers and administrators accessed student records."

June 2013:

http://www.washingtonpost.com/blogs/answer-sheet/wp/2013/06/09/privacy-concerns-grow-over-gates-funded-student-database/

and America's version of the Daily Mail (though folded more compactly for reading on the tube) in March 2013:

http://www.nydailynews.com/new-york/student-data-compiling-system-outrages-article-1.1287990

June 29, 2015 12:57 PM

Gerard van Vooren on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@ Nick P

When it comes to modules I forgot two things, one is namespaces, which should be of course the name of the module and the other one is macros in the API file. They should be namespaced as well to avoid the header file inclusion order problem. But to make a seamless refactoring possible it should be possible to localize the namespace such as "use module as local;" and let the preprocessor/compiler generate errors with API conflicts. Well, it's just an idea but everyone is free to shoot at it ;-)

About UNIX

I like the UNIX philosophy. Implementation wise... there are not so many good examples of it ;-)

This is a discussion place about security. So let's talk about TCB and the UNIX philosophy. The Linux kernel for instance with its ~15M LOC isn't a good example of UNIX philosophy of doing one thing only and do it well. It is also a massive TCB. And let's face it, it is patched 80's technology. Like Rob Pike said a long time ago "OS design is dead". There are many initiatives to really deal with the shortcomings of current OS design but they are all small scale. Oberon for instance has GC on OS level, not at PL level and MINIX-3 has a reincarnation server to deal with dead servers, plan-9 did have a large array of new technology and now Ethos as well. There are lots more of these really good initiatives. What is missing is a big wave of cooperative breaking new and simplistic technology to really deal with the 80's technology of today. What we are creating instead is DNA. A massive patched codebase that gets larger and larger and that mutates every day. The only big wave we have seen lately is *ouch* systemd and that only deals with PID-1, something that is partially irrelevant with a microkernel OS.

June 29, 2015 12:55 PM

gordo on The Secrecy of the Snowden Documents:

@ TomTrottier, you wrote:

your nuanced Wired article was obfuscatory. Just say, "China & Russia probably had all of Snowden's 'revelations' long before Snowden gave them to the journalists."

Was Mr. Schneier nuanced or contextual?

I want to focus on the actual question: Do countries like China and Russia have copies of the Snowden documents?

I believe the answer is certainly yes, but that it's almost certainly not Snowden's fault. (par. 1-2)

Was Mr. Schneier obfuscatory or stating plainly?

Which brings me to the second potential source of these documents to foreign intelligence agencies: the US and UK governments themselves. I believe that both China and Russia had access to all the files that Snowden took well before Snowden took them because they've penetrated the NSA networks where those files reside. After all, the NSA has been a prime target for decades. (par. 7-8; emphasis added)

@ TomTrottier, you also wrote:

Since the revealed documents are mainly management stuff (rather than program/maintenance documentation) used by probably 2nd level managers and above, it seems likely that even with 10k employees in the NSA, maybe only a hundred or three used them, with only 3-6 system admins to manage the systems and files, depending on how they were organized. One of these few was Snowden. They probably did watch the sysadmins' finances, marriages, & travels, but missed any warning signs.

...digging back in time, a bit:

US doesn't know what Snowden took, sources say
Michael Isikoff, Matthew Cole, and Richard Esposito | NBC News | Aug 20 2013

NSA had poor data compartmentalization, said the sources, allowing Snowden, who was a system administrator, to roam freely across wide areas. By using a “thin client” computer he remotely accessed the NSA data from his base in Hawaii.

One U.S. intelligence official said government officials “are overwhelmed" trying to account for what Snowden took. Another said that the NSA has a poor audit capability, which is frustrating efforts to complete a damage assessment. (par. 5-6; hyperlink added)

http://www.nbcnews.com/news/other/us-doesnt-know-what-snowden-took-sources-say-f6C10964007

See also:

Both These Things Cannot Be True
Published August 20, 2013 | By emptywheel
https://www.emptywheel.net/2013/08/20/both-these-things-cannot-be-true/

Lastly, like Sunday Times' discrediting itself and NSA's past poor security hygiene, this discussion is nothing new:

How Snowden got the NSA documents
A report confirms what was likely all along, that Edward Snowden's contractor job gave him unrestricted access to a mountain of sensitive materials for which he had no legitimate need.
Larry Seltzer | ZDNet | August 26, 2013

Right now, based on the NBC News article and what Snowden was able to get away with, it appears that very little scrutinizing is going on at the NSA. With 2 levels of security access, "Top Secret" and "Unfettered", it's surprising that a Snowden-like leak didn't happen long ago. Perhaps it has happened, but all of those leakers went straight to the Chinese and Russians and didn't bother with the press. (par. 8; hyperlink added)

http://www.zdnet.com/article/how-snowden-got-the-nsa-documents/

June 29, 2015 12:07 PM

Clive Robinson on What is the DoD's Position on Backdoors in Security Systems?:

@ albert,

IIRC, a flash chip can be write protected by simply lifting the Write Enable pin. Ideally, a jumper would be used :)

Sadly those days are coming to a close... due to serial interfacing and other cost saving measures.

I actually have an "abomination" design sitting in my little shop of horrors, and for my sins I designed "The beast that shall not be named" on specifications from the customer...

Put simply it has a keyboard and LCD display as a control board, that has its own SoC with plenty of spare flash ROM in it and uses a quasi DMA interface to a system board with quite a few CPU chips on it. To save money none of these CPUs on the system board has any ROM just bucket loads of RAM...

So when the system is powered up the control board comes out of reset first, and loads from its SoC flash a minimal loader into the memory of one of the system board CPUs. This CPU then loads in a copy of the BIOS into the top of RAM from the control board SoC flash, and a stage two loader program into the bottom of RAM. This program then copies the BIOS to all the other CPUs and unique IDs etc. The program then pulls in a second program from the control board SoC flash which is the equivalent of a PXE loader that it then writes into the bottom of RAM on all the other CPUs. And then off it all kicks...

This sort of "cost saving" makes certain types of "bean counter management types" have dreams we mere mortals can only get from more human fantasies... so expect it on a system near you sometime soon.

June 29, 2015 11:19 AM

ugh on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

Regarding:

I'd like to formally lodge a complaint against this individual, s/he is making me have flashbacks to bad memories w/ her/his stalker-ish behavior; I wish I could delete that memory or go back in time but I can't. My name starts w/ a 'J' and I have a Verizon phone (I opened myself up here as a defense mechanism when I felt like they were going to kill me after repeated break-ins, stalking, and threats. So a bunch of people on here know exactly who I am and where I live, etc...especially after bloodstains on my bedsheets around my ears and ankles and feeling groggy when I woke up; that really mentally disturbed me and it didn't register until a long time later what the hell that could've been).

I think some people would be better served to just stay away from this discussion blog, if they actually can be affected to this degree by what other people post here.

In fact if someone would want to pester another person...and they know sufficiently about that other person to identify the 'nick' of that person on a no-logins-required site such as this, then their postings here at schneier.com should be the least worry.

At this site you could easily change your nick, for example. Unless you think the moderator at schneier.com is in cahoots with the stalker:-)...in which case its probably best to spend time on some other sites.

June 29, 2015 10:52 AM

albert on What is the DoD's Position on Backdoors in Security Systems?:

@John Galt III,

IIRC, a flash chip can be write protected by simply lifting the Write Enable pin. Ideally, a jumper would be used :) This assumes you have a 'safe' BIOS to begin with. Same for any device with 'writeable' flash memory.
.
...

June 29, 2015 10:30 AM

Nick P on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@ necula

Good call. The Last 100 is almost useless now. Know or Believe's post above you is a perfect example of the disruptive trolls: a whole page of text saying absolutely nothing of substance. Moving on.

@ Wael

Fair point. I tried to dig up one for comparison but they're not easy to get a hold of. Maybe when I have more time...

@ Gerard

re modules

Yeah, that's one way they could do it. Solving modules would certainly have simplified many things as Wirth's Modulas showed us.

re MinimaLT vs web standards

Putting them to shame is an understatement. One looks like effort was put in by people that know something. The other looks like shit very distracted people did in their spare time while putting off real work.

re UNIX

That was Kemp's point. At one time, even UNIX was a cathedral. Just took a focus group of people ensuring it stayed what it was supposed to be and improved. To that effect, a person in the HN discussion pointed out DragonFly BSD was doing a lot more than fixing concurrency. Their Wikipedia article (see System Design) shows they're applying a lot of good lessons to it. Might be a great UNIX someday. Meanwhile, another writer implied that OpenBSD is the last true UNIX due to focus on simplicity, proper UNIX style, and consistency.

The original discussion actually centered on a "better" libc called musl. Here's a link to it. Good numbers in the comparison page in terms of what it supports and efficiency. Looked at their printf implementation out of curiosity: same. Did find this file with tons of regex's and state machines for characters. Might be the actual printf implementation. A true monster of a function. The first enum alone attempts to construct a NP-hard problem of source understanding. The next one doubles up on that. And then I quit reading. Library's specs are still nice, though. And with MIT license!

@ Clive Robinson

That's hilarious. Would a gay activist mock anti-gay, religious fundamentalists by using their artistic style on a flag full of dildos and buttplugs? Why certainly! Did the CNN correspondent say something to that effect? Not really. Instead, focused on the ISIS-like nature of the flag, the concern, and that nobody else was concerned. Right to fear-mongering & pushing Administration's tow-line it is!

June 29, 2015 9:40 AM

Me on Migrating from SHA-1 to SHA-2:

@Curious

Yes, the promise of QC is that of non-determinism. That is, we will be able to solve NP-hard problems in P-time, that is cracking a password (brute force) will be about as hard as testing a given password, instead of exponentially harder.

So far, the QCs they have seem too small scale to worry about (less than a dozen q-bits), but if they scale up (to even 256), and if efficient algorithms can be developed, we could be in for a world of crypto-hurt.

June 29, 2015 9:32 AM

CallMeLateForSupper on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@Clive Re: "safety stop" controlled by software instead of hardware

I smiled broadly when I read that. As you said in the same post, "Been there; done that."

Back in the early 80's, two engineers in the dev. part of "the house" were designing an interface card that would connect line printers to the S/370 "channel". They wanted to control the "I'm in deep doo-doo; reset me" line ("Disconnect_In") with a hardware "watchdog timer", independent of the uC; management wanted the line to be controlled by software, for $$ reasons. I joined the designers in battle, and eventually management yielded.

Model 3262 was the first printer to get that card. I did the "channel attachment" portion of the alpha test of that printer. The (uC-controlled) printer was young and buggy and prone to "wander in the weeds". BUT!... thanks to h/w watchdog timer, the printer never hung my channel.

Thanks for the memory. :-)

June 29, 2015 9:22 AM

Clive Robinson on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@ Nick P,

You might like this story,

http://www.dailymail.co.uk/news/article-3142221/CNN-confuses-black-white-flag-covered-sex-toy-symbols-ISIS-London-gay-pride-parade.html

Put simply a Female CNN "journalist" covering the London Gay Pride march, she spotted a black flag carried by a man dressed in black and white. She then had an OMG moment and called it an ISIS flag...

Now I don't know who her optometrist is, but she might want to pay a visit to get her prescription checked...

Turns out that the "white arabic writing" she could not make out was actually "shadow images" of sex toys, and it was part of a satirical protest....

As trainee journos are repeatedly told, "don't believe your eyes, and check your sources"....

June 29, 2015 7:35 AM

Curious on Migrating from SHA-1 to SHA-2:

I remember learning on youtube that quantum computing will/might be the end of relying on the hardness of the discrete logarithm problem for security; I wonder, would the introduction of quantum computing be the demise of hash algorithms in general, if the issue of hypothetical hash collisions allows for the use of forged digital certificates?

I guess an answer might be that crypto solutions simply scale up periodically to match some desirable hardness level. Would perhaps be interesting if it didn't work this way, with the prospect of "practical" use of quantum computing.

June 29, 2015 7:08 AM

Clive Robinson on Migrating from SHA-1 to SHA-2:

@ Nathan Buuck,

We saw this past week that Microsoft pushed a significant set of new third-party CA certificates to customers through Windows Update. Administrators should be reviewing these changes to their PKI and reconfiguring as appropriate for their organization's trust model.

This has caused more than a few questions to be raised, and so far --as far as I'm aware-- MS has failed to provide sufficient reason not to send them direct to the bit bucket.

I got fed up with MS's "paternalistic patch attitude" years ago; the trouble is their choice of method is about the most difficult I've seen to "break out" what your site may require from the rest of the crap... As no doubt others will have horror stories of, this has meant that patching "business critical" systems has had days or weeks of delay whilst the patch gets tested and approved or not. In the meantime, "kiddies will play".

June 29, 2015 6:57 AM

Clive Robinson on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@ tyr,

At the time printers were mechanical with minimum electronics so a programmer had to do all of the movement commands as well as the data stream. We hadn't got to the peripheral chip part of the class yet.

Been there, done that at least twice. The first time was with a prototype robot arm; some twit decided the safety stop signal should not be hardwired but done by the software... the graunching of hundred dollar geared stepper motors can be a lot noisier than a bowl of Captain Crunch.

The second time was with a dot matrix printer. I was making a "Weather Fax" receiver and print out system using a relatively low cost 80 col dot matrix printer in "graphics mode". Unfortunately the manual was incorrectly written, thus the head moved before the pins had been retracted, thus they bent and ripped the print ribbon. The cost of the ribbon I could live with, but a replacement printer was about the equivalent of half a week's gross pay...

As they say "These things are sent to try us" with the silent "and bankrupt" before the "us" ;-)

June 29, 2015 6:53 AM

Nathan Buuck on Migrating from SHA-1 to SHA-2:

I included a reference to another article from a member of Microsoft's Directory Services team in a recent presentation I gave on hardening Active Directory environments. It's a shorter article but has some good guidance on considerations administrators should make before jumping into the process of reconfiguring their internal PKI for SHA-2. I do like the included justification ("Why You Need SHA-2") in the article you linked to, however, as I get a strong sense from customers that there's not much interest in migrating their internal PKI to signing with SHA-2 as of today.

Something that I emphasized in my presentation was that internal PKI based on Windows Server is not a fire-and-forget solution. Even with Windows Update, adapting to changes in cryptography requires recurring and consistent administrator intervention. We saw this past week that Microsoft pushed a significant set of new third-party CA certificates to customers through Windows Update. Administrators should be reviewing these changes to their PKI and reconfiguring as appropriate for their organization's trust model (for example, un-trusting new CA certificates from CAs that have a history of issuing certificates to unverified parties).

June 29, 2015 6:40 AM

Clive Robinson on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@ Curious,

... had me wondering; can network traffic be intentionally delayed by some party in the middle, by simply manipulating the notion of the time somehow?

Yes fairly easily by increasing the "path length" also known as a "delay line".

Whilst it would at first glance appear fairly pointless, there are some places where it's a major billion dollar attack strategy.

In High Frequency Trading (HFT) time is critical and shaving a few nanoseconds --1 ns is about 1 foot at the speed of light-- can make a real difference. So much so that people have tunneled through mountains rather than go around or over them.

I can outline an attack for you which is rumored to have happened. Imagine you have a competitor who has a path length 1 ms longer --three hundred meters or a drum of coax equivalent-- than you do. With modern computing and networking you could get their trade, make a counter trade and have it at the exchange before them. Do this ten or twenty times a second and make a thousand dollars per trade and you are looking at around a million dollars a day profit you would not otherwise have made...

However the same sort of trick could be carried out by the NSA or other FEYE nations: your web page request gets seen and sent along a long path route; in the meantime they send what they want you to see on the short path route. Due to the way the network protocols work, you see the first packet to arrive, which is theirs, and the real packet gets dropped silently by your computer. Now imagine that the pages they do this to are for the likes of pubkey certificates; you get the NSA fake one and then they do a standard MITM attack on your traffic...

It's just one of the reasons the PKI of the CA model is broken beyond what you would expect. Thus you should always use a secure second or out of band communications channel for KeyMat, and the only way to get it to work that we know of is "initial hand delivery" to a trusted recipient. Of course the NSA et al could intercept the courier, or the recipient is untrustworthy in some way, from just being careless through to being a paid agent running a sting on you to frame you in some way (a not unknown tactic by the politically inspired arm of the FBI etc).

June 29, 2015 5:53 AM

Zenzero on Other GCHQ News from Snowden:


@Skeptical
"If anything the goal seems to be to experiment with ways of defusing threats."

I think it's a lot more than that when you also take into account this document of previous disclosures:

https://firstlook.org/theintercept/document/2014/07/14/jtrig-tools-techniques/

Some operations revealed:

“Change outcome of online polls” (UNDERPASS)

“Ability to artificially increase traffic to a website” (GATEWAY) and “ability to inflate page views on websites” (SLIPSTREAM)

“Amplification of a given message, normally video, on popular multimedia websites (Youtube)” (GESTATOR)

There's a virtual grab bag of active and some (at the time) in-development tools. The small selection above shows that they are used, planned and developed with a lot more than just small experiments aimed at defusing a threat.

It should be remembered that GCHQ/JTRIG need to be considered as a whole, looking at all available data, not just one point in the data set.

June 29, 2015 5:08 AM

Curious on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

Because of my lack of technical insight into the internet, I hardly dare put forth a non-specific problem here, but I can't help myself:

Speaking of timing. Having read what Clive Robinson wrote, it had me wondering; can network traffic be intentionally delayed by some party in the middle, by simply manipulating the notion of the time somehow? (time/clock/timestamps) Could network throttling work in this way by manipulating time and stall traffic? (I guess it currently might be simply infeasible.)

I don't really have a, eh, good problem to put forth, but reading what was written above made me think of something that I guess had me sort of worried some time ago: of risking having one's traffic routed around into a predictably and unnecessarily "long" path, for the purpose of someone having time to spoof/fake a web page to serve you. But now I was thinking it would be simply easier to maybe somehow fake the timing to stall or end your outgoing traffic.

I guess in the end, this vague stuff of mine would have to be a true technical issue to be meaningful, so as to be a truly interesting problem. I would think though that such a vague problem might perhaps be interesting for anything Tor related, which seem to rely on working in a specific manner.

Iirc Tor is promoted as being an anonymity tool, but also not for being a privacy tool, is this not correct? Or did I perhaps get this wrong?

June 29, 2015 3:41 AM

Clive Robinson on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@ Figureitout,

... but it's not *that* bad considering every computer needs something like a time reference to make sense of anything ... ... it needs it until we discover another fundamentally different way to compute b/c I don't buy "this is it". If it needs a time reference for every single thing (or some kind of way of spacing time), it needs to be coddled w/ some init stuff that isn't good on the eye, just isn't.

There are several "times" computers need to know, and it can get very complicated when relativity gets involved. The basic classes of time a computer uses are:

1) Firstly its "clocking rate", that is usually defined by its external XTAL. Usually used to control internal state changes and keep signals synchronized.
2) The second is its local time reference, that is, how it sees local time passing so it can communicate locally.
3) Third, and often not considered by many, is its relative time to other points it communicates with that are not in its local time reference.

The underlying issue is one of communication, even if it's to just another logic cell on the same chip. The faster information can be transferred, the smaller the local time reference is. There are two types of communication we talk about, Synchronous and Asynchronous, and people get confused about them and time. They both need a time reference to communicate; the difference is that in synchronous communication the transmitter at one end of the Shannon Channel provides a time reference to the receiver at the other end of the channel, whereas in the case of asynchronous communication there is an assumption that both the transmitter and receiver share a common passage of time, i.e. that it is local to them, thus the time duration of symbols can be reasonably estimated.

As anyone who has designed communications systems for systems where the transmitter and receiver are non-local and move at different speeds and directions, and thus don't have a common passage of time, can tell you, finding a way to establish a common reference of time is vital. The simplest way to see this is to think of doppler effects, then move up to the consequences of Einstein's thinking, which affects GPS systems and mobile phones.

Whilst for single communications paths it can be fairly easily dealt with, not so for multi-point/channel systems; they really need to be spatially aware with respect to a common fixed reference point, then use this awareness when communicating with the other points in the system by adjusting both their TX and RX timings accordingly.

People have tried to design logic systems that lacked an external clock reference, but even these are "self timed" due to the gate delays and other implicit time references. You can get away with it with chain, ladder or cascade logic that has no storage, feed forward or feed back, and where transition noise can be ignored. That is, the logic systems are stateless, but such systems are very limited in functionality and thus utility. One of the founding definitions of Turing engines is that they move from state to state, thus they must have an implicit time reference, thus all computers do.

One of the rules of our physical universe as we see it is that everything physical is constrained by time and forces, so we can not get away from the issues of time. Einstein saw time as the fundamental measure of the universe and it's a view that still predominates even when we don't realise it.

June 29, 2015 3:15 AM

TomTrottier on The Secrecy of the Snowden Documents:

While you may be the reigning guru of security, your nuanced Wired article was obfuscatory. Just say, "China & Russia probably had all of Snowden's 'revelations' long before Snowden gave them to the journalists."

I still disagree. Traversing air gaps is hard without a human agent. There are likely layers upon layers, shells around shells, gap after gap, protecting each of Snowden's documents - and others. Only someone with admin access could accumulate a substantial number of them, and only then over a substantial amount of time.

Since the revealed documents are mainly management stuff (rather than program/maintenance documentation) used by probably 2nd level managers and above, it seems likely that even with 10k employees in the NSA, maybe only a hundred or three used them, with only 3-6 system admins to manage the systems and files, depending on how they were organized. One of these few was Snowden. They probably did watch the sysadmins' finances, marriages, & travels, but missed any warning signs.

Then again, would the journalists appreciate low-level documentation? More keeps coming. It stands to reason that the management presentations are easier to analyse and present, but the material is aging...

June 29, 2015 2:11 AM

tyr on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:


@Figureitout

The program was simple: get contents of a memory location, convert to ASCII, output to printer and bump memory pointer, and loop. None of that unnecessary stuff like paper advance, print head movement or line feed carriage returns.

It made a horrible racket.

At the time printers were mechanical with minimum electronics so a programmer had to do all of the movement commands as well as the data stream. We hadn't got to the peripheral chip part of the class yet. It just proves everyone has a mad scheme that will not work. It was Intel's ISIS development system. I think Kildall wrote a good part of it because it looked a lot like a multi-user version of CP/M. The 8" floppy interface was horrible though, but I didn't know it at the time. It sounded like a junkyard dog with a bone every time it did something.

June 29, 2015 12:18 AM

Justin on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@ Figureitout, Moderator

Moderator RE: "Satan" and trolls
--I'd like to formally lodge a complaint against this individual, s/he is making me have flashbacks to bad memories w/ her/his stalker-ish behavior; I wish I could delete that memory or go back in time but I can't. My name starts w/ a 'J'...

For one thing, Figureitout, I have no idea who you are or where you live. (If I ever knew from this forum, which I doubt, I've long since forgotten.) In any case, it is not my business. For another, I have similar bad memories to what you just mentioned. That individual's posts (some of which were directed at me) are more a not-entirely-unwelcome acknowledgment of reality to me than anything. I do not feel threatened by them, and I do not feel that was the intent behind the posts, although I understand if they are triggering to some people. At some point we need to get beyond the trigger stage.

I feel it is up to the moderator if topics such as surveillance techniques and countermeasures (or whatever else) are allowed to be discussed here. I know I don't have much if anything to say on such matters. Realize, too, that not every post is going to be intellectually stimulating to every reader. Certainly mine are not.

June 29, 2015 12:01 AM

Nick P on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@ Figureitout

"And people think LISP is hard to read... Shit, you'd think the authors were trying to write 60's-style LISP in C macro's lol. " (me)

/\ /\ I'd think that quote would've told you how bad the LISP stuff could get. I appreciate the effort you put into proving my point, though. :P

June 28, 2015 11:53 PM

Curious on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

I solved my issue. Comparing certificates used by my browsers, I see I had apparently moved two essential certificates into the untrusted folder in Windows by mistake, it seems (highly likely). After trying to make sure the certificates were exactly the same, I moved the two DigiCert certificates back into the 'intermediate' folder.

Heh, glad I don't work as a sys admin, because moving them back seemed a little iffy, given how little I know about certificates.
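A worked example that ties together the two PKI points raised in this thread: Nathan Buuck's advice to review the third-party roots Microsoft pushes through Windows Update, and Curious's certificates that ended up in the Windows untrusted store and broke chain building. It is added here and is not code from any commenter, from Microsoft, or from the Schneier on Security site; it relies only on the built-in Cert: drive and the .NET X509 classes that ship with Windows PowerShell 5.1 and later. The function names, the snapshot path under ProgramData, and the certificate file handed to Test-CertChain are this example's own assumptions.

```powershell
# Added example (not from the original comments). Audits the Windows certificate
# stores discussed in the thread. Assumes Windows PowerShell 5.1+ with the Cert:
# provider. $SnapshotPath is a hypothetical location chosen for this example.

$SnapshotPath = "$env:ProgramData\TrustAudit\root-snapshot.xml"   # assumption

function Get-StoreThumbprints {
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')] [string]$Location,
        [string]$StoreName   # Root, CA (intermediate), Disallowed (untrusted), ...
    )
    Get-ChildItem -Path "Cert:\$Location\$StoreName" |
        Select-Object Thumbprint, Subject, Issuer, NotAfter,
            @{ Name = 'Store'; Expression = { "$Location\$StoreName" } }
}

# Curious's failure mode: a CA present in Root or CA *and* in Disallowed.
# Windows treats Disallowed as an explicit distrust, so every chain through
# that CA fails even though the certificate is still "installed".
function Find-DistrustedCAs {
    $disallowed = @(Get-StoreThumbprints CurrentUser Disallowed) +
                  @(Get-StoreThumbprints LocalMachine Disallowed)
    $blocked = $disallowed.Thumbprint | Sort-Object -Unique
    $trusted = foreach ($loc in 'CurrentUser', 'LocalMachine') {
        foreach ($store in 'Root', 'CA') { Get-StoreThumbprints $loc $store }
    }
    $trusted | Where-Object { $blocked -contains $_.Thumbprint }
}

# Nathan Buuck's point: third-party roots arrive via Windows Update. Keep a
# baseline of the machine Root store and diff against it on every review.
function Compare-RootStore {
    $current = Get-StoreThumbprints LocalMachine Root
    if (-not (Test-Path $SnapshotPath)) {
        New-Item -ItemType Directory -Force -Path (Split-Path $SnapshotPath) | Out-Null
        $current | Export-Clixml -Path $SnapshotPath
        Write-Host "Baseline written: $($current.Count) roots."
        return
    }
    $baseline = Import-Clixml -Path $SnapshotPath
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                   -Property Thumbprint -PassThru |
        Select-Object @{ Name = 'Change'
                         Expression = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                      Thumbprint, Subject, NotAfter
}

# Build the chain for one certificate file the way a client would, and report
# the signature hash so SHA-1-signed certificates stand out.
function Test-CertChain {
    param([string]$CertPath)   # hypothetical .cer/.crt path supplied by the caller
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $ok = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Valid   = $ok
        Status  = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Hash    = $cert.SignatureAlgorithm.FriendlyName    # e.g. sha1RSA vs sha256RSA
    }
}

Find-DistrustedCAs | Format-Table Store, Subject, Thumbprint -AutoSize
Compare-RootStore  | Format-Table Change, Subject, Thumbprint -AutoSize
```

Run it once to write the baseline, then again after each patch cycle: Compare-RootStore lists roots that appeared or vanished since the baseline, and Find-DistrustedCAs should normally print nothing; any row it does print is a CA that is simultaneously trusted and explicitly distrusted, which is exactly the state that made Curious's browsers fail. Test-CertChain's Hash field shows whether a given certificate is still signed with SHA-1, which is the migration the thread title refers to.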

June 28, 2015 9:46 PM

Figureitout on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

Moderator RE: "Satan" and trolls
--I'd like to formally lodge a complaint against this individual, s/he is making me have flashbacks to bad memories w/ her/his stalker-ish behavior; I wish I could delete that memory or go back in time but I can't. My name starts w/ a 'J' and I have a Verizon phone (I opened myself up here as a defense mechanism when I felt like they were going to kill me after repeated break-ins, stalking, and threats. So a bunch of people on here know exactly who I am and where I live, etc...especially after bloodstains on my bedsheets around my ears and ankles and feeling groggy when I woke up; that really mentally disturbed me and it didn't register until a long time later what the hell that could've been). I've dealt w/ these psychopaths for so long by myself only telling one person in meatspace when I broke down and cried (I used to enjoy blowing their covers and whatnot, I used to play "spy" as a kid and for a time wanted to join CIA until they told me how much falsehoods we have to do and how unprofessional they are today), but it's really a toxic waste of time and I ignore now. Not to mention his/her comments have *zero* intellectual worth and are pure troll-bait. I know you just warned him/her but maybe another warning; I just skip his/her comments anyway but even those 2 seconds are a waste of my time I'd rather have back.

PS: Sorry for cursing, I c*ver it up w/ stars.

Nick P RE: using C for complex projects
--As we've said, how much embedded stuff have you done w/ C? How many chips? My fave is radio chips w/ LCD screens and buttons, you can run just below an OS and do some small application and it should almost totally flow in your head. W/ enough memory on the chip I can do crypto, hashing, PRNG (a bad one but still I'd like to see someone predict it and you can always just "add it to another sausage grinder"), RF comms transferring data from one board to another, interfacing a lot of peripherals (ie: attached to other computers), and as I said a small "menu-like" application for all that. The compiler and build environment is still shaky but you can dig in and it can get murky, but it's not *that* bad considering every computer needs something like a time reference to make sense of anything (this concept confused me for awhile but can be visualized very easily w/ an arduino and an 8-ohm speaker, you can play notes and small jingles on it, just remove all the timings for your little jingle and you get freaky-garbage noises), it needs it until we discover another fundamentally different way to compute b/c I don't buy "this is it". If it needs a time reference for every single thing (or some kind of way of spacing time), it needs to be coddled w/ some init stuff that isn't good on the eye, just isn't.

I say this b/c of course operating systems on motherboards are going to be complex no matter what frickin' language you choose! So much fast signals!

RE: Lisp printing
--Wanted to find some similar article on printing to the screen in Lisp so you could actually do a comparison of the 2 to "the evil virus C", of course I found some articles that love to shield me from what's actually happening in the computer and I can just call a print function and elegantly and magically and safely I got text on screen! How nice! Does it spit out a lollipop too and I can skip along and laugh like a kiddy?! No, well, I'd have to use the "format" command actually, and specify to not return if I just want to print 1 time, and it gets a little murkier and weirder from here...I liked this line: "Format always returns nil unless its first argument is nil, in which case it prints nothing and returns the string instead of printing it"--U wot m8

But I wanted more, I wanted to see some OS's in Lisp seeking out some of this ugly library code, found a couple, this one hasn't had a release since 1998, and has some version that runs on Linux?

https://en.wikipedia.org/wiki/Genera_%28operating_system%29

http://www.symbolics-dks.com/

But I found this one on github (love github, just get to code quickly) and you can read some of it yourself, *spoiler* some of the comments read "..ugly...FIXME..." macros and of course the very clear to read and won't ever cause bad bugs ")))))))" at the end of some macro; in case you get a seizure trying to count it's 7 parentheses and you can't immediately tell which one goes for what. That is worse than C. I can't describe what's happening well either since I don't know Lisp.

Not to rag on this guy's project either though; this is directed purely at the Lisp language.

https://github.com/froggey/Mezzano/blob/master/system/pprint.lisp

This "printer" is nice too: https://github.com/froggey/Mezzano/blob/master/system/printer.lisp

tyr RE: printer burns
--Lol, what the heck did you do?

June 28, 2015 9:32 PM

Buck on Other GCHQ News from Snowden:

@Skeptical

"There's nothing in the documents to suggest that this could somehow cause more threats. If anything the goal seems to be to experiment with ways of defusing threats."

I really doubt that more data would ever help us in this situation. With so many variables in constant flux, how long will we hold out hope for anything resembling reliably reproducible results in matters as complex as the human psyche?

"At worst, they're exploring using non-violent means to prevent persons from joining violent movements and to disrupt existing violent and criminal organizations. That's not a terrible thing."

Yeah, what could possibly go wrong, right?

Well, I would posit the idea that people are generally kind to their neighbors... That the root cause of terrorism is actually a failure of chemical and psychological experimentation committed against potentially dangerous target populations -- all done in the name of security, of course... There's another kind of terrorism too though -- the one where well intentioned officers of various agencies step on each other's toes during sting operations gone bad. Be it because of funding battles and old turf wars or over the top compartmentalization, it's obviously all done in the name of security... Heck, in this context, it's essential that we spy on France and Germany! However else could the left hand possibly hope to learn what the right hand is doing and vice versa..?

Admittedly, my theory is also impossible to prove, yet it isn't falsifiable either...

June 28, 2015 8:11 PM

Golgi on Other GCHQ News from Snowden:

@ Iron Eagle

"This is such a site where you might come under surveillance."

MAN, you write a lot. But you gave this site too little credit. Every reader is surveilled here. Every poster knows this.

June 28, 2015 7:37 PM

Skeptical on Yet Another Leaker -- with the NSA's French Intercepts:


@Tyr: I think you're trolling me here, but what the hell:

First, Albright did not become Secretary of State until 1997. When Hussein invaded Kuwait, Albright was a professor somewhere.

Second, Hussein's invasion of a neighboring country isn't an "internal affair" anyway.

Third, Hussein invaded Kuwait on 2 Aug 1990. The coalition did not attack until 17 Jan 1991. He had plenty of time to understand that the US did not want him in Kuwait.

June 28, 2015 6:42 PM

Clive Robinson on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

@ BoppingAround,

I also think it has not been 'finished' yet. Perhaps the surface will grow even more.

It's almost guaranteed to; both the lead developers have indicated it will in perpetuity be a work in progress. That is, they appear to view it as being a life long meal ticket. They both have undesirable characteristics, identified by well known and well respected Linux developers, of a form which strongly indicates that the Dunning Kruger effect is alive and well. Especially as alienating the community by ignoring security critical bugs and calling others 455holes in public appears to be their "stock in trade".

The big problem with it is that it is way, way, way too Linux-, GNUlib- and Gnome-specific, which means you are not going to find it on any other *nix varieties such as BSD or Mac OS X etc. Further, its assumptions are highly focused on an area Linux is weak in, which is desktops, and effectively rule out its use in the areas Linux is strong in (embedded, smart devices and servers). It also grates badly against the "Unix Philosophy" of small applications doing one function and doing it well; their work gives the "Jack of all trades, master of none" saying a fine example.

So why is it popular with "Desktop Distributions", one argument is it saves distro maintainers a lot of work... If this is the reason then Linux is heading for a major "road crash".

Oh, it's not just the two distros you mentioned; most "specialty distros" like Puppy Linux are having nothing whatsoever to do with it, because it takes "bloat" to new levels.

Hopefully RedHat will see the dark clouds building on the horizon and take steps to stop Linux getting washed out to sea by it...

June 28, 2015 6:34 PM

J. Angleton on Other GCHQ News from Snowden:

@Again I say...

Priceless, man, priceless. There are a lot of bots, trolls, bottrolls and trollbots on here, but you _definitely_ ain't one of 'em. ^o^ AUTHOR! ^o^ AUTHOR! ^o^

NOTE TO FIVE EYES: Start injecting more darkly curmudgeonous smartassery to avoid detection.

June 28, 2015 5:55 PM

tyr on Yet Another Leaker -- with the NSA's French Intercepts:

@ Skeptical

I watched Madeleine Albright (Sec of State) tell Saddam the USA had no interest in getting involved in his local actions in the Middle East on TV.

He was our poster boy and took that as a carte blanche guarantee we wouldn't intervene. Then he invaded Kuwait and then we stabbed him in the back for the crime of believing the US. It was the slickest bit of Machiavellian nastiness she ever pulled on a sucker.

If you look at his history and not just recent propaganda you'll see he has been a USA sucker from the beginning, not just a sorry piece of trash.

June 28, 2015 5:14 PM

BoppingAround on Friday Squid Blogging: Classic Gary Larson Squid Cartoon:

Gerard,
It seems it's not just 'a lot' but almost all major distributions have switched to it bar Gentoo and Slackware; for the former it is possible to use both OpenRC (their default init system) and systemd; for the latter Volkerding expressed reservations but he also said the switch is possible in the future. It seems the 'battle' is really over.

Clive,
To add to that, I also think it has not been 'finished' yet. Perhaps the surface will grow even more.
(I didn't know it can do the VM management too now. Who knows what else it will do in the future.)

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.