Recent Comments

August 4, 2015 8:39 AM

wiredog on Shooting Down Drones:

Be aware that the FAA considers quadcopters to be aircraft, and the FAA takes a very dim view of shooting down, lasing, and otherwise harassing aircraft.

August 4, 2015 8:35 AM

Clive Robinson on Vulnerabilities in Brink's Smart Safe:

@ Arclight, Karellen,

*if the connection were on the inside of the safe*.

And that's the rub...

Even old mechanical locks, reliable as they are, suffer from failure due either to mechanical fault or loss of key.

Electronic locks have the same failings but additionally suffer from others such as battery failing, or electronics failing due to static etc.

Older safes had "secret" weak points that a locksmith in the know could drill. But as "we know" that is security by obscurity, and as we frequently tell people "it is a bad idea".

But is it, when somebody decides that this means a method of override for an electronic lock can be just put on the front panel, but has insufficient understanding of what that really means...

I have at home an early generation table top electronic safe, however if you know which piece of plastic to pop out you will find an old fashioned very very cheap two possibly three pin lock that can be picked in a very short time... I would say that it is actually more secure than this Brink's safe, simply because the level of skill to pick the cheap lock is somewhat higher than plugging in a USB device...

August 4, 2015 8:32 AM

Dirk Praet on John Mueller on the Overblown ISIS Threat:

@ Clive

I'll let you decide, but we are not talking about a handful of tanker trucks etc, thus satellite observation would provide a lot of information.

The source I referenced seems to be partially based on a paper called ISIS Export Gateway to Global Crude Oil Markets by two researchers from the University of Greenwich, London. They point at the Turkish port and oil terminal of Ceyhan as one of the most likely gateways for IS oil exports. The crude apparently gets there by convoys of tanker trucks that just like the oil wells themselves - but contrary to basic processing facilities - are not being targeted by US/NATO air raids. Other sources mention an alternative route through Jordan.

It would seem that Kurdish traders are the prime facilitators for the export, and from where the oil disappears further into Turkey and Iran. Although the authors of aforementioned paper have no proof for collusion with Turkish and KRG authorities, it's obvious that both are well-aware of what's happening and that at least at the lowest level corrupt Peshmerga commanders as well as border officials are getting paid to let transports through.

As you say, it is highly implausible that satellite observation has not already provided detailed information of convoy routes. And some decent SIGINT/HUMINT which parties exactly are behind the trade. As usual, it would seem that oil-related national and commercial interests of certain parties trump any other considerations. Stopping IS begins with bleeding their oil income dry, not by backdooring encryption. And unlike the latter, the former is perfectly feasible, and without any drawbacks for the population at large, except to those engaged in this illicit trade. It just takes the political will to do so.

August 4, 2015 8:20 AM

Haggishunter on Help with Mailing List Hosting:

Dear Mr Schneier: I wrote it elsewhere but here it is more appropriate. May I suggest you try something similar to the website www.takimag.com. That seems to work quite well. Best Regards.

August 4, 2015 8:18 AM

Haggishunter on Backdoors Won't Solve Comey's Going Dark Problem:

@Dirk Praet: BTW: German encryption firms already must incorporate a back door. Sources, please?

Hello Dirk, That started in Western Germany in the mid-90s. I remember having an encryption software from a company based in Western Berlin (that was in 1989 / 1990). They then closed the firm and the owner told me that "he had to close" the business "because". You certainly will find information on Google. It is a law that has been enacted I guess more than 15 years ago. I just read on FAZ 10th Aug. 2013 that the planned law never was enacted but that happened much earlier. Sorry, I am not familiar with German law, since I am not German but I am sure about that law.

On a sidenote: Most file-shredding software also has backdoors. Believe it or not but a programmer working for such a firm told me...

August 4, 2015 8:11 AM

Clive Robinson on Vulnerabilities in Brink's Smart Safe:

@ Bruce,

And that's the problem with Internet-of-Things security: it's often designed by people who don't know computer or Internet security.

At the risk of "Preaching to the Choir" this is a problem not just with the "IoT", but "Smart Meters", "Implanted medical devices", "Medical equipment in General", "Industrial Control Systems", "Aviation Systems", "Maritime Systems", "Space Systems", "Terrestrial Vehicle Systems" oh and quite a few "Military Systems"...

I know I bang on about it from time to time, but unlike the safe and many IoT systems, all of those I've listed can quite easily be used to kill you, your loved ones and many others...

Oh I recently saw demonstrated the NFC system in one particular mobile phone being used to talk to implanted medical equipment, that had no confidentiality, authentication or authorisation... as a person present commented "Dial M for murder, has a new plot line".

The real issue is anybody can pick up a tool chain and with no training, cobble together something that vaguely works. That is, it's like a juvenile stick person drawing, a very poor picture of reality at best.

Yes we have some regulation, but it's usually a "paper chase" exercise, where the designer picks the threats they are going to mitigate, then waffles about method. Thus, it's harder to get a UL rating on an electronic lock than it is to get regulatory approval for medical electronics in most places.

August 4, 2015 7:58 AM

Winter on John Mueller on the Overblown ISIS Threat:

@The return of The Infidel
"Please get real. ISIS represents the nastiest form of human madness in our lifetimes."

Sorry, but I would rather propose Charles Taylor for this role:
https://en.wikipedia.org/wiki/Charles_Taylor_%28Liberian_politician%29

HE almost invented the use of drugged children in war.

Or Idi Amin? Jean-Bedel Bokassa?
https://en.wikipedia.org/wiki/Jean-B%C3%A9del_Bokassa

Or the Duvaliers from Haiti?

Or Pol Pot?

ISIS is just the last of a very long pedigree of psychopathological regimes that defy understanding by normal humans.

@The etc
"The claim that one should worry more about being struck by lightning is beyond dopey."

No, that is hard statistics. Very hard statistics.

August 4, 2015 7:57 AM

Moshe Y on John Mueller on the Overblown ISIS Threat:

The American Revolution was a failure, according to this author, because the clever British conceded territory to the revolutionaries and therefore compelled them to defend it.

The cognitive dissonance of defenders of the Obama administration is truly something to behold.

August 4, 2015 7:48 AM

The return of The Infidel on John Mueller on the Overblown ISIS Threat:


If ISIS had a way of marrying the genome of small pox with ebola and disseminating it to the western world, do you think they would?

Since the echo chamber feels compelled to take on a straw man rather than the actual question allow me to answer my own question:

Yes. ISIS is a sick collection of the world's worst right-wing conservatives. And if they could, they would destroy the permissive western world in a NY minute.

The claim that one should worry more about being struck by lightning is beyond dopey. And goes a long way to explaining why we will probably never have a liberal US President. If you think that way, you can't be taken seriously...

Here's a thought experiment: Back in the early 1930s if Hitler had been strapping bombs to Jewish children and remotely blowing them up in crowds would you be equally willing to pooh-pooh the threat away as "over blown" (no pun intended)?

Please get real. ISIS represents the nastiest form of human madness in our lifetimes.


Side notes on the real threat of a metastasizing ISIS:

1) Boko Haram (basically now an ISIS affiliate) in Africa's most populated country:

Zeid Ra'ad Al Hussein told a special session of the U.N. Human Rights Council in Geneva that his office had received reports of Boko Haram using children as its first line of attack, as "expendable cannon fodder".

"Bodies of children around 12 years old have been found strewn across such battlefields," Zeid said. Boko Haram has been attacking towns and villages in northern Nigeria and border regions of neighboring Cameroon, Chad and Niger.

http://www.reuters.com/article/2015/04/01/us-nigeria-boko-haram-abuses-un-idUSKBN0MS53220150401

2)

FBI agents took one look at Benitez’s Facebook page — with postings such as “We are the islamic state. We are isis Muslims” — and directed an undercover operation that would lead to Monday’s arrest of a 23-year-old Key West man whose real name is Harlem Suarez.

Suarez, aka “Almlak Benitez,” was charged with trying to use a backpack bomb in a planned explosion on a public beach in Key West, but he also allegedly discussed carrying out a terrorist-style attack in Marathon or Miami Beach on the Fourth of July, according to the FBI.

http://www.miamiherald.com/news/local/community/florida-keys/article29166250.html

Hat tip to the FBI: Nicely done folks!

August 4, 2015 7:11 AM

Clive Robinson on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

@ Curious,

"for a purpose prejudicial to the safety or interests of the state"

The problem you are having is that words change their meaning in people's heads by usage.

The word "prejudice" has the same roots as "prejudge", "prejudicate" and "prejudicial".

All are to do with making choices before a valid judgment.

We most frequently hear "prejudice" with respect to discrimination against individuals or groups, often over race, gender and sexual orientation, though in more recent times we are now hearing it over "other 'isms'" such as status, class, size, and the way people speak, dress, behave etc.

Thus it is loosely related to a "harm" or "harms" the target of the specific "ism" suffers as a consequence of what is at the end of the day a "knee jerk" reaction / judgment.

The "isms" arise in three basic ways,

1, Somebody suffers a harm from a person in a differentiable group.
2, Somebody is taught to blame/hate a person from a differentiable group.
3, Somebody for personal gain uses the differentiation to their own advantage.

The thing to watch out for is those of the third group, who make declarations that legislation should not favour differentiable groups as a smoke screen to doing exactly that. An example is you differentiate on a secondary characteristic such as wealth, a game you can see the neocons playing everyday, by buying legislation through elected officials. They claim it's fair because anybody can have wealth... however as we know this is actually a lie, resources are finite thus a balanced share would get worse with any increase in population. However we see through prejudicial legislation for the very wealthy, they form a closed group that corrals resources to stop others gaining wealth. It's one of the reasons new technologies are called "disruptive" because it upsets the old order of closed group wealth accumulation.

And the "prejudicial" in that phrase means exactly that, anything that "harms" that closed group's interests, and thus that of their purchased very self interested representatives.

August 4, 2015 7:10 AM

The Carlton Williams Meritorious Service Award on John Mueller on the Overblown ISIS Threat:

Yes, we appreciate your proactive admission of ignorance. The next baby step is to give up when you've failed and let grown-up countries fix what you fucked up.

We know how you love to blow shit up, but do it at home. There's another Boston Marathon next year.

August 4, 2015 7:02 AM

Winter on John Mueller on the Overblown ISIS Threat:

@Clive
"Maybe, just maybe, if the circumstances demand it we might get improvements in biological and chemical weapons to the point they become marginally effective compared to kinetic weapons in two hundred to a thousand years..."

But we do not have to wait that long for the MOVIE!

There are wonderful new movie threat ideas appearing:

CRISPR germline engineering
http://www.bio-itworld.com/2015/6/10/outpouring-commentary-crispr-germline-editing.html

http://www.nature.com/nbt/journal/v33/n5/full/nbt.3227.html

Wait for the moment that the Terrorist Threat Of The Day will be suspected of trying to change the very DNA of all the good and hard-working people (i.e., us)!

Meanwhile, cigarettes and alcohol kill more Westerners than all the enemies of the West combined. And that is even more true in the non-Western world. Yes, the tobacco lobby is the real enemy of the human race.

August 4, 2015 7:00 AM

Zack on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

@curious

Watergate was detected because the burglars made several screw-ups. No counter-conspiracy about it. In fact, a great example of how conspiracies often screw up. And so a good lesson for those who over-inflate the capabilities of others, which is 'all of us'. But can be trained against.

August 4, 2015 6:53 AM

Tony on Hacking Airplanes:

"Sometimes electrical equipment can stop working. Good if are you an electrician, and if no? S4GA introduces new landing lights in portable pack (http://solutions4ga.com/mini-lightbox/) designed for GA airfields. In-built battery allows full automatic work. They are ready to use, easy and quick installation, free maintenance. Remote control by GSM and radio."

August 4, 2015 6:24 AM

Karellen on Vulnerabilities in Brink's Smart Safe:

@Arclight: "Generic USB is much too complicated and heavy for a simple application like this, where a simple serial interface on the inside of the safe would suffice."

Even USB would be fine *if the connection were on the inside of the safe*.

August 4, 2015 6:19 AM

Clive Robinson on John Mueller on the Overblown ISIS Threat:

@ Dirk Praet, Winter,

That is not exactly their plan, we assume. But hey, someone might indeed be mad enough. Aum Shinrikyo was, but even he was unable to do real damage.

As you both probably know, the problem with "biological weapons" is similar to "chemical weapons",

1, Making them sufficiently stable to be weaponisable.
2, Making a reliable delivery system.
3, Ensuring that your own forces and citizens are not harmed.

But it gets worse, we've not had much success with "directed energy" weapons either, no death rays or destructor / disrupter guns etc. After at least six thousand years we are still working with kinetic weapons, whereby the rapid release of stored energy is applied to a projectile of some form, from sinews via the lever of an arm or throwing stick to a stone or spear, through the bow and arrow, through cannon, gun to unguided rockets. With all our "smarts" our improvements have only extended range, accuracy and size of payload...

Maybe, just maybe, if the circumstances demand it we might get improvements in biological and chemical weapons to the point they become marginally effective compared to kinetic weapons in two hundred to a thousand years...

August 4, 2015 4:45 AM

Winter on John Mueller on the Overblown ISIS Threat:

@tyr
"He wants stable governance so he can get on with ordinary life."

Actually, it is often even more mundane. ISIL pays well, so local young men sign up for a job there. Not that there is much choice for employment. It is mostly a choice what army you enlist in.

August 4, 2015 4:17 AM

tyr on John Mueller on the Overblown ISIS Threat:

If you believe humans take actions based on some limited rationality and self interest the whole ISIS/ISIL is easy to understand. After a western coalition busts up the region's governance and trashes the place what does the ordinary person want? He wants stable governance so he can get on with ordinary life. He's not about to trust the group that made the mess and he's not about to trust any of the adjoining ethnics even if they were good neighbors under the previous government clown act. So they get together and try to re-establish some imaginary golden age which comes from the area's history. The west starts pounding on them because they might someday get enough of the mess sorted out to think about revenge. I'm sure some of them might fantasize about revenge but until they get a few things like a functional structure for ordinary life they are going to forgo such irrational behaviors. Most of the atrocities are commonplace in the region, the Saudis being prime candidates as an example to follow. Now this flies in the face of all the media rhetoric about ISIS is coming to eat your babies next week but that only works to explain irrational nutters not someone whose stated aim is a polity called a Caliphate.

I hear we are going to bomb Assad's people to help the anti-Assad forces. Given the nature of the area it seems we are going to fly air cover for ISIS. Maybe if the UN would report a refugee shortage we'd get rational policies for a change.

What happens if Assad falls? The power vacuum of trashing Iraq created ISIS and they will exploit his fall. Now you have NATO right next door to the shiny new Caliphate who dislikes any other variety of ideology. It also puts them right next door to the wunderkind led by the mad vision of Greater Israel. Maybe the new vision is to do a re-enactment of World War 1 but using Nukes and biowar instead of HE and poison gas.

August 4, 2015 4:10 AM

Broderick on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

Detekt version 2.0 is out (Jul 28, 2015)

- DETEKT

What is Detekt and how does it work?

"Detekt is a free tool that scans your computer for traces of known surveillance spyware used by governments to target and monitor human rights defenders and journalists around the world. By alerting them to the fact that they are being spied on, they will have the opportunity to take precautions.

It was developed by security researchers and has been used to assist in Citizen Lab's investigations into government use of spyware against human rights defenders, journalists and activists as well as by security trainers to educate on the nature of targeted surveillance.

Amnesty International is partnering with Privacy International, Digitale Gesellschaft and the Electronic Frontier Foundation to release Detekt to the public for the first time."

https://resistsurveillance.org/
https://resistsurveillance.org/faq.html
https://github.com/botherder/detekt/releases
https://twitter.com/botherder/

August 4, 2015 3:46 AM

CouldntPossiblyComment on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

@Curious Prejudicial to the safety etc. is indeed derived from the word prejudice. More specifically, an act that is considered prejudicial is believed to introduce prejudice, that is from the literal pre-prior judice-judgement. One can trace most usages of the word back to the basic concept of a prior act influencing, often inappropriately, a subsequent situation.

Legal Dictionary describes prejudicial in a formal legal context to mean harmful, biased, damaging etc. I am not a lawyer, but this is what I could glean:

For example, an act that is prejudicial to my rights might be seen as contravening some fundamental right I possess (thus a future exercising of my rights would have issues). An act prejudicial to my legal case might well put the fairness or unbiased nature of the outcome of my legal case into question. An act prejudicial to the safety of the state is one deemed to put the safety of the state at risk at some future point.

There are also other uses of the terms. A legal case can be closed with prejudice, or employment can be terminated with prejudice (both meaning permanent, they cannot be re-opened). This follows the more literal prior judgement - i.e. a prior judgement has been made that forever bars that person from being re-employed in that circumstance.

This gives rise to 'terminate with extreme prejudice' as in suggesting the person has actually been killed, a prior judgement that is guaranteed to prevent any future recurrence.

The more usual prejudice term of e.g. racial prejudice is referring to a judgement prior to all the facts being available e.g. one believes person X is Y because of their race, rather than waiting to actually know them.

August 4, 2015 2:11 AM

Clive Robinson on John Mueller on the Overblown ISIS Threat:

@ Dirk Praet,

Another essential element in assessing the operational strength of Da'esh (IS) is a full financial audit. They control approximately 60% of Syria’s oil, and seven major oil-producing assets in Iraq, allegedly producing 45,000 barrels of oil a day, raking in as much as $3 million a day in cash by selling the oil at well below market prices.

I'm sure the US amongst others know exactly who is buying it.

Between the US inspired first Gulf war by Bush Senior and the US inspired invasion of Iraq by Bush Junior, the US had major sanctions against Iraqi oil exports. Well, Iraq set up a smuggling operation to sell oil, those people are still around as was some of their equipment.

Well "the word on the ground" from those in the oil industry is that China has supplied lots of new equipment and now buys over 50% of the increased oil exports that leaves Iraq.

This oil gets to China via the South China Sea, which China has been making lots of noise about and has taken action designed to evict the US Pacific Fleet from the area.

So it's more than likely that the IS oil is keeping the smog over China, and to prop up its slowing economy. The question thus arises: is China complicit in the reverse smuggling via their equipment supplies etc, turning a blind eye to it, or genuinely unaware of it. As China have a prominent position within the UN you can be sure little will happen there.

I'll let you decide, but we are not talking about a handful of tanker trucks etc, thus satellite observation would provide a lot of information.

Further if drones with hellfire and other significant weaponry can be targeted against various terrorist leaders in individual vehicles etc, the question must arise why the movement of such quantities of oil has not attracted attention, or caused the US to be scared / unwilling / etc to take action against the movement of the oil.

Journalists are already making sideways comments about IS becoming a recognised autonomous state against which action will not be sanctioned or permitted...

August 4, 2015 1:52 AM

Curious on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

Does anyone know what the following phrase is supposed to mean?
I mean, I can read and write English, however I am puzzled as to what point is being made with this statement? 'Prejudicial' sounds a bit like prejudice.

"for a purpose prejudicial to the safety or interests of the state"

August 4, 2015 1:41 AM

Winter on John Mueller on the Overblown ISIS Threat:

@Dirk
"Anybody with a basic understanding of advanced biological warfare is well-aware that you will most probably be wiping yourself out in the process too. "

Indeed, the Russians had a party with anthrax:
https://en.wikipedia.org/wiki/Sverdlovsk_anthrax_leak

We only just prevented a new smallpox outbreak from military research:
https://en.wikipedia.org/wiki/Aral_smallpox_incident

Moreover, the same technology that allows the creation of such plagues also allows the plagues to be contained. Unless, of course, you are living in a poverty hell hole war zone. Which is what these "terrorists" are living in. So indeed, terrorists might be able to wipe out the poor part of the Middle East and North Africa, or Pakistan and Afghanistan, but Europe and the US will survive.

That is not exactly their plan, we assume. But hey, someone might indeed be mad enough. Aum Shinrikyo was:
https://en.wikipedia.org/wiki/Aum_Shinrikyo

But even he was unable to do real damage.

And Aum Shinrikyo is not even exceptional:

Millions of Evangelical Christians Want to Start WWIII to Speed the “Second Coming”
http://www.washingtonsblog.com/2012/02/evangelical-christians-want-to-start-wwiii-to-speed-the-second-coming-and-atheist-neocons-are-using-religion-to-rile-them-up-to-justify-war-against-iran.html

August 4, 2015 1:35 AM

Curious on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

Firstlook.org's 'The Intercept' has a couple of stories about something that apparently is actually called "ECHELON", said to be a reference found in the Snowden documents.

It is at the moment unclear to me what kind of publicity Echelon had had in the years prior.

"Ever since legendary British investigative journalist Duncan Campbell told the world in a 1988 magazine article about ECHELON — a massive, automated surveillance dragnet that indiscriminately intercepted phone and Internet data from communications satellites — Western intelligence officials have refused to acknowledge that it existed."

https://firstlook.org/theintercept/2015/08/03/17-years-reporter-exposed-echelon-finds-vindication-snowden-archive/

&

"In December 2014, I asked fellow Scottish journalist and Intercept reporter Ryan Gallagher to check Snowden’s documents. Was there evidence of ECHELON?"

"There was; the documents included details of the “ECHELON agreement” and more — a batch of GCHQ and NSA documents confirming what whistleblower Margaret Newsham had revealed 27 years ago. ECHELON was indeed “a system targeting communications satellites” that began nearly 50 years ago."
https://firstlook.org/theintercept/2015/08/03/life-unmasking-british-eavesdroppers/


I wonder what role satellites play in eavesdropping on telecommunications today. I guess I would like to know if relaying data over satellites in some covert way was a feature somehow.

Wondering if perhaps the name Echelon might be random, or perhaps allude to some deeper meaning. Afaik, 'echelon' is associated with being a flight formation and for when advancing groups of soldiers on the ground. (Ofc, there might even be more references.)

Something else that I've been wondering about: How did the Watergate scandal in USA get detected? Could it be that the democrats so to speak, had sort of bugged the republicans first and learned about an upcoming break in beforehand? :) That would be hilarious wouldn't it?

August 4, 2015 12:54 AM

Figureitout on Help with Mailing List Hosting:

mike the goat
--Good to hear from ya finally, you can stop chewing on my shoelace now :p

August 3, 2015 11:22 PM

name.withheld.for.obvious.reasons on Help with Mailing List Hosting:

@ Mike the Goat
Good to hear from you Mike. Fortunately in your absence little has transpired that would cause one to pick up a brick. Will follow-up on a squid...

August 3, 2015 11:21 PM

David on Help with Mailing List Hosting:

Maybe check out Exact-Target?

They seem to be a Tier-1 email service provider. I find them one of the least objectionable from an email recipient/admin perspective: they support configuring proper reverse-DNS for IPs dedicated to customers (so I can easily whitelist desirable senders) and know how to keep sending IPs clean and off DNSBLs.

My neighborhood association uses Constant Contact and they seem ok as well. Can't be too expensive if the NA can afford them.

August 3, 2015 9:39 PM

cynical on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

@ rgaff

>...and why am I answering every troll before they even start to troll?

You're not alone amigo.

We all often make reasonable expectations of others impressions on our marks, as to what good lurks in the heart of wo/men.

There is a polarity matter to sphere as laws of physics. Thus politics is a nonfiction science as a study of polarity and expectations of groups of people not matters.

August 3, 2015 9:24 PM

Slime Mold with Mustard on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

@ nask
@ piquant bass
@ Who?
@ Dirk Praet

THANK YOU FOR EVERYTHING!

You have all helped not merely a small office, but a couple of magnitudes larger number of employees and clients.

I ought to have known that I should go here for the more practical answers!

Luv,

Slime

August 3, 2015 9:18 PM

K.S. on Vulnerabilities in Brink's Smart Safe:

The Brink's safe is an interesting case. Universally, any network device is assumed to be physically secure from tampering. For example, most network equipment will outright grant you CLI over serial, and I don't know of any implementations that would encrypt serial communication with a terminal server, so you could always get valid credentials that are useful for remote access this way.

Whoever designed that safe operated in this mindset. Clearly, it isn't appropriate for a safe. Would we even blink if that was a router? Perhaps we should reconsider the common set of assumptions about physical access on all kinds of devices?

August 3, 2015 9:12 PM

Zack on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

@GregW, rgaff, whomsoever

'Why security'...

Could it not be that security is just a kind of boundary between the finite and the infinite? A matter which plagues us all? This is the finite world, yet in our hearts and minds we can embrace the infinite.

Infinite gold, infinite beauty, infinite love, infinite good times, infinite joy, infinite water, infinite food, infinite technology... infinite life... we can imagine all these things, or strive to, yet everything is frustrated in this world. It does not fit.

It is not ever as we can imagine, and it never seemingly is.

And there comes in "security".

Z.

August 3, 2015 8:58 PM

Zack on John Mueller on the Overblown ISIS Threat:

@Skeptical

@Zack: It's fiction for now, and based on everything I've read ISIL isn't near achieving any capabilities along those lines, but the thought ties in to a long-term trend - that of individuals and non-state actors acquiring the ability to cause destruction on increasing orders of magnitude.

Ah, of course. "Individuals" and "non-state actors".

Anything but 'state based' actors?

It is a diversion, and one I am sure all 'state based' actors are eager for the US to engage in.


From the original article:

More recently, the focus of fear has shifted from potential returnees to potential homegrown terrorists who might be inspired by ISIS's propaganda or example. However, ISIS could continue to be an inspiration even if it was weakened or destroyed. And, as terrorism specialist Max Abrahms notes, "lone wolves have carried out just two of the 1,900 most deadly terrorist incidents over the last four decades."

That quote, from this article:

http://articles.baltimoresun.com/2011-01-05/news/bs-ed-lone-wolf-20110105_1_lone-wolf-terrorist-group-lone-wolves


The fantasy is propped up by television and the movies, by history books, and the depictions of society, in general. People are not as others present them. They are all too human. Weak and fallible.

The idea, the fantasy, makes them out to be superhuman.

But even the highest achieving real people are nothing like this. They are human. These are just stories people believe.

Really, as people believe in their real heroes and heroines? Not so far off from the fictions of Hollywood, so unrealistic is their viewpoint.

So, why create fiction out of real people? They have their mental superheroes, maybe they need their mental supervillains, too?


Or, in some situations, maybe they need their enemies to have their imaginary supervillains. So they can be diverted in their focus and waste their time and resources in their efforts.

Z.

August 3, 2015 8:40 PM

rgaff on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

And also, the limits must be set fairly, obviously.... you don't just grant one person the right to murder everyone and everyone else only the right to be murdered, then call that the "rules of liberty".... It has to be fair for everyone, obviously.

August 3, 2015 8:27 PM

rgaff on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

FYI, before stupid people answer, let me just say, anarchy is not liberty. So freedom to murder everyone is not liberty. Liberty has defined rules and limits to behavior... it ends right where another's begins. That's all it is.

August 3, 2015 8:25 PM

rgaff on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

@ GregW

It is a fair explanation of the famous Benjamin Franklin quote:

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety"

I'd like to note here that the word "deserve" is really denoting a natural consequence, not a punishment. You will ALWAYS naturally become less safe when you give up liberty to get safety, it's a natural law of the universe. That's why ALL people who keep talking like there's a "balance" between the two are dead wrong. There's no "balance"... they are not opposing forces where you either have lots of one and little of the other, or little of the one and lots of the other. Liberty creates safety, without it, there IS NO SAFETY AT ALL.

August 3, 2015 8:07 PM

cynical on Vulnerabilities in Brink's Smart Safe:

@ Alan Kaminsky

A great idea for spies with enough computing to handle full take, and even greater for public corps with pressure to grow. A no brainer.

IoT is a bit counter current to security because cost is an issue at the center, both of which appear unwilling to compromise. Acceptability is another but lesser issue because we have corps that are very creative about getting folks to give up their privacies. In my opinion.

August 3, 2015 7:53 PM

Kurt Seifried on Help with Mailing List Hosting:

So I looked around a lot, and we ended up hosting it ourselves, basic setup is a cluster of small machines acting as inbound servers (running spam filtering and anti virus and whatnot to provide basic sanity), then a list server running mailman, and then a cluster of small machines to act as outgoing servers (so mailman can basically send mail at several thousand messages per minute since it doesn't have to talk to remote mail servers that may be slow/etc.). Total cost to run on AWS is like 200$ a month.

I was unable to find any spam/virus/etc filtering company that doesn't charge by the user as opposed to simple volume (e.g. by the gigabyte). You can outsource delivery to something like Amazon Simple Email Service (SES) but I honestly wouldn't bother.

With mailman you could trivially invite everybody to subscribe; they'd have to click a URL or hit "reply" to the email, so you shouldn't lose too many people. This may/may not catch the existing spam traps depending on how smart they are.

August 3, 2015 7:44 PM

GregW on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

Bruce likes to pull from many fields to understand fundamental security/society issues.

In that spirit, here's a quote about the general problem of "security" which I just ran across from a 1951 philosophy text. I immediately thought Bruce and others here might appreciate it:

There is a contradiction in wanting to be perfectly secure in a universe whose very nature is momentariness and fluidity. [GW: read the blog commentary below for more context on what he means by "whose very nature is momentariness".] But the contradiction lies a little deeper than the mere conflict between the desire for security and the fact of change. If I want to be secure, that is, protected from the flux of life, I am wanting to be separate from life. Yet it is this very sense of separateness which makes me feel insecure. To be secure means to isolate and fortify the “I,” but it is just the feeling of being an isolated “I” which makes me feel lonely and afraid. In other words, the more security I can get, the more I shall want.

To put it still more plainly: the desire for security and the feeling of insecurity are the same thing. To hold your breath is to lose your breath. A society based on the quest for security is nothing but a breath-retention contest in which everyone is as taut as a drum and as purple as a beet.

Source: Alan Watts, The Wisdom of Insecurity: A Message for an Age of Anxiety (1951)
Blog article containing the quote: http://www.brainpickings.org/2014/01/06/alan-watts-wisdom-of-insecurity-1/

I just love the last line in that quote. Ha!

Is this a fair synopsis/assessment of why we find ourselves living in an ever-snooping security state?

August 3, 2015 7:38 PM

Skeptical on John Mueller on the Overblown ISIS Threat:

@YetAnotherPseudonym:

I noted the difficulty in assessing ISIL as a threat, and described the information one might like to have in doing so, along with an appropriate response to ISIL given certain assumptions. My comment doesn't subscribe to exaggerations of ISIL as a threat, but is focused simply on what would enable intelligent assessment of ISIL as a threat.

I'm not sure what your response is intended to convey, other than your personal dissatisfaction with US/French/British/German/Saudi Arabian/Jordanian/Qatari/et al "violation" of the current, nominal Syrian regime's rights as a sovereign (long since forfeited in any case). Back in the real world, some of us like to consider actual outcomes and not rely on a simplistically static understanding of int'l law.

@Zack: It's fiction for now, and based on everything I've read ISIL isn't near achieving any capabilities along those lines, but the thought ties in to a long-term trend - that of individuals and non-state actors acquiring the ability to cause destruction on increasing orders of magnitude.

August 3, 2015 7:28 PM

Dirk Praet on John Mueller on the Overblown ISIS Threat:

@ Skeptical

Anyway, that's off the top of my head, but I'd think we would (roughly) want to know such things in assessing ISIL as a threat.

Excellent analysis, actually. Another essential element in assessing the operational strength of Da'esh (IS) is a full financial audit. They control approximately 60% of Syria’s oil, and seven major oil-producing assets in Iraq, allegedly producing 45,000 barrels of oil a day, raking in as much as $3 million a day in cash by selling the oil at well below market prices. (Source here) The questions that need to be answered here are who are they selling to, who is enabling this, which oil companies are involved and how to make it stop.

The main question however is why the general public still hasn't seen any such informed threat analysis. It's not like Da'esh came out of nowhere. Unless the combined intelligence communities of the US and other nations with a vested interest in the situation are utterly incompetent, it is highly unlikely that such reports don't already exist. IMHO, the USG and their partners know exactly what kind of beast they're dealing with and what kind of threat they truly represent both at home and abroad.

Keeping that information behind closed doors and leaving the public debate to paranoid TLA figureheads and political straw men on the payroll of the military-industrial complex - neither of which come with any real information - to me is a deliberate attempt to keep the fear alive that over the last decade for certain groups has proven such a fertile ground to further their own political and financial interests.

In absence of any such authoritative and credible information, the elephant in the room here is that the rampant racism in some parts of the US police force statistically is a much bigger threat to the US public than the neanderthal ideology behind IS-inspired terrorist attacks. It's just less convenient and marketable to capitalize on, which is the exact point @Winter so correctly made too.

@The Infidel

If ISIS had a way of marrying the genome of small pox with ebola and disseminating it to the western world, do you think they would?"

You've been watching too much "24" and "Strike Back". Anybody with a basic understanding of advanced biological warfare is well-aware that you will most probably be wiping yourself out in the process too.

August 3, 2015 7:19 PM

Anura on Vulnerabilities in Brink's Smart Safe:

I think we need to petition the FTC to change the rules so that you can't advertise something as being "smart" if it has an internet connection.

August 3, 2015 6:51 PM

Slime Mold with Mustard on Vulnerabilities in Brink's Smart Safe:

@ Alan Kaminsky
I was thinking IoS, but that is inappropriate for corporate use.

@ Arclight
"This is a perfect example of why not all 'things' need to be 'Internetted of'". Damn straight.

@ Everyone
I guarantee that this was first the brain fart of someone in Marketing. Buzzwords; "cyber-age", "smartphones", "millennials", "ease of use" et al ad nauseam are the tools of the hip and pretty zombies that come up with this crap. Things will not really improve until the rest of us are allowed to defenestrate them.

August 3, 2015 6:43 PM

Zack on John Mueller on the Overblown ISIS Threat:

Some high brow analysis of the problem.

http://www.cracked.com/blog/4-reasons-we-need-to-start-making-fun-terrorists/

@The Infidel

"If ISIS had a way of marrying the genome of small pox with ebola and disseminating it to the western world, do you think they would?"

Or, they could start a strain which causes vampirism to run rampant over New York City. Or, they could introduce a gene to change the way animals think, so they become supersmart, conscious, and no longer have fear of humankind. Or, they could create synths, get everyone to buy them, then, having trojaned code in a "consciousness" trigger, watch as the synthetics, the androids, take over the planet. ("The Strain", "Zoo", "Humans".)

(Can't add in other currently running Doomsday shows which are current now. Age of Ultron was one. Fantastic Four is coming up. Mission Impossible has some 'very strong annoyance' group with superpowers and capabilities, in their latest. "The Messengers", "Whispers", are two others.)

This is just what is current. Still in theaters or currently in a season.

It is fiction.


I am probably missing some.

This is Hollywood. It is not real.

You are severely disassociated from reality to make such an assessment.


August 3, 2015 6:25 PM

Clive Robinson on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

@ Dirk Praet,

The French however also had a more refined technique called "petit bucher" to make the agony last as long as possible.

When I was a lot younger than I am today, I had an interest in forensic --supposedly-- science. Amongst many books I had on the subject, one was from the 1950's and dealt with distinguishing between murder and suicide. The obvious ones of slit wrists or throat where a suicide would have many tentative strokes before the one that caused exsanguination, whilst murder would not. It also looked into and --we now know correctly-- doubted "spontaneous combustion".

But it also had a couple of chapters on oddities and inventiveness, which would put the Darwin Awards to shame. One of which still haunts my mind with the black and white photos of the scene taken from the police files. An émigré hard down on his luck and with no other means available took the mattress and other bedding off the bed frame in his lodgings and put a freshly lit candle under the supporting springs, then lay down upon it and with fortitude lay still with it cooking his spine slowly until he died...

August 3, 2015 6:01 PM

Clive Robinson on Help with Mailing List Hosting:

@ Mike the Goat,

Nice to hear you are on both the mend and the up.

Just don't make the mistake of trying to do too much, which unfortunately I did this weekend and only just avoided getting dragged off to hospital yet again. Definitely not the way to enjoy what's left of summer, especially with so much fruit early this year needing to be picked and prepped and frozen for a preserve and chutney making marathon this autumn, or dried, candied or pickled for biscuit, cake and bread making, or to add to game and stews through the winter and spring, wild boar and pickled plum being a much liked celebration table piece :-P

August 3, 2015 5:53 PM

Dirk Praet on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

@ Clive

... the least of which was being burnt to death quickly.

Which was not necessarily a quick death either. If you were lucky, you got a bag of gun powder around your neck or died of carbon monoxide poisoning before being roasted. The French however also had a more refined technique called "petit bucher" to make the agony last as long as possible. In essence, the convict was put on a slow-burning fire and barbecued to death. Jacques de Molay was one of the more prominent people to experience this treatment.

August 3, 2015 5:40 PM

Clive Robinson on Vulnerabilities in Brink's Smart Safe:

@Alan Kaminsky,

How about "Internet of Insomnia" for those much benighted individuals trying "through night endless to wrest the beast from its ivory tower" and thus "bring peace and equanimity to those who knowest not the fates they would suffer without such selfless striving".

August 3, 2015 5:40 PM

Kai Howells on Help with Mailing List Hosting:

If you're seriously considering MailChimp and the only reason you're not using them is because of their click-tracking, then why not do a soft-launch with them - import your list, or a subset of your list, and send out a few test mailings before doing the real thing.

Alternatively, reach out to them - I'm sure there's at least one person on their staff who is aware of who you are, and it's possible that they may be willing to bend the rules as you have a very well established history of sending out email newsletters.

If you want to go the DIY route, then this is relatively easy to do, however that would necessitate sending email from just one or a few IP addresses, which would be easy to get blacklisted if there are spam trap email addresses already in your list.

Running a mailing list could be done on pretty much all but the smallest VPS plans from most providers, but you'd really need to get your list in shape before moving it all over.

August 3, 2015 4:57 PM

Haggishunter on Backdoors Won't Solve Comey's Going Dark Problem:

Well, that is excellent PR for British encryption companies. BTW: German encryption firms already must incorporate a back door. Now, I do not care. My Lotus Organizer 6.1 runs on Win 10, so, in the worst case, I just would keep my current encryption software. It also would run for another 10 / 15 years, I assume. But clearly, the EDP understanding of Cameron is just pathetic.

Mr Schneier: Re your hosting for the newsletter: Maybe a solution like takimag.com would help? Sorry, I am not a specialist. Just trying to give you an idea.

August 3, 2015 4:13 PM

Toto on Vulnerabilities in Brink's Smart Safe:

Why am I not surprised?

Plus ça change...

Twenty-five years ago I pointed out to my boss that the expensive access card gimmicks he got installed were nothing but a joke. The readers were controlled by an accessible serial port, and I could show how one could get into the computer room.

IIRC, the access control and logging software was a childish BASIC application running on an IBM PC, and you could easily figure out what data was obtained from the reader, and what port controlled the door magnet. The cards were based on magnetic stripes, so all you had to do to get in was to dissimulate in the code a literal back door recognizing as valid some random old credit card found on the street, and of course add a "goto" statement jumping over the logging section.

Then I saw that the broker's X25 ports, which cost something like 10k$/month for a 19.2kB/s service, made network management very difficult because of the rigid closed user groups. But if I dialed the shared packet data switch control port at the stock market, which was protected by an impressive zero-character long password, I could configure a connection into any other firms' internal network, or impersonate their trading terminals. Think of the possibilities...

In my next job there was also a "secure" access card system. But the asset that was protected was an RF engineering lab... And the cards relied on a combination of two or three resonators tuned with capacitors, with a maximum of something like 10-15 discrete frequencies. I didn't try making a complete "duplicate", just knowing it was possible was enough. Hacking the photocopier or the manager's printer driver to modify on the fly the spelling of his name was more fun.

August 3, 2015 4:10 PM

BoppingAround on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

Off-topic.

Someone at FSF has attempted an experiment to find out whether people do read the source code.

I'm a bit unsure how good this one is. Ole only put an obscure line into the comments. Would the results be better or worse, had he put some actual code in there?

August 3, 2015 4:01 PM

Zack on Friday Squid Blogging: Russian Sailors Video Colossal Squid:

@tyr

The crowd at hackerfests are a lot of fun because of the RPG elements involved in the milieu. The fantasy is a normal part of being human and add the tech and esoteric knowledge you get the circus in town. Mostly harmless is the best way to think of them until they fall into the trap I described of passing the buck for responsibility because what they do has real effects on real people.

Ironically, it is the "real" ones who are the most role playing. Their role playing is "real", they take it too seriously. Yet, disconnected from knowing anything, that only enhances the illusion. Part of that disconnect does involve the ambiguous entry and exit points of responsibility.

For others, they are going to be much more aware of the Role Playing Game they are engaged in is "just a game", it is "not who they really are". You can poke them just a bit and they show that. It is not a game they are far too deeply invested in to be able to know "it is not real".

Their responsibilities tend to be far less ambiguous, as are their roles in life. They do not have to fill that uncertainty with a lie just to get along. A hole these others have to feed everyday, every night, year after year.


Z.

August 3, 2015 3:45 PM

albert on Vulnerabilities in Brink's Smart Safe:

I don't know the Brinks business model, but there's a disturbing trend among companies hiring contractors to do the 'computer stuff'. This system looks like a PC slapped onto a safe. As far as I can see, the lock interface is the only unique feature; everything else is quite standard. XPe can be 'configured' to eliminate unneeded features, i.e. to reduce its footprint. A simple VB application, database, network connection, and a simple hardware I/F for the lock, and you're good to go. Plus, Built-In-Security(tm)....at no extra cost.
.
..
.
..
o

August 3, 2015 3:15 PM

TimH on Vulnerabilities in Brink's Smart Safe:

Alan Kaminsky and @Anura
IDIST not IDIOT is less catchy but more accurate:

Internet of Distributed Insecure Spying Things

August 3, 2015 3:02 PM

Anura on Vulnerabilities in Brink's Smart Safe:

Seriously, how did people even think this was a good idea?

@Alan Kaminsky

Internet of Distributed Insecure Outlandish Things

August 3, 2015 2:49 PM

Arclight on Vulnerabilities in Brink's Smart Safe:

This is a perfect example of why not all "things" need to be "Internetted of." Look at the high-assurance electronic locks for GSA containers made by Mas-Hamilton and S&G. Those are self-contained devices with a small attack surface and small firmware stack. There isn't even a battery terminal. And whatever physical connectors exist are inside the safe itself.

Generic USB is much too complicated and heavy for a simple application like this, where a simple serial interface on the inside of the safe would suffice.

This to me shows a fundamental lack of imagination on the part of the vendor.

Arclight

August 3, 2015 2:32 PM

What gets YOU up in the morning? on John Mueller on the Overblown ISIS Threat:

Wow even our host is trolling skeptical now.

If we are beginning our days by looking at threat reporting, by examining vulnerability reporting, blah blah blah blah, blah blah blah blah, blah blah blah blah blah blah blah blah, again I say, blah blah blah blah blah

On the other hand, if we are beginning our days by looking at probative evidence of US crimes of aggression and coercive interference in manifest breach of the UN Charter, then we can knock off at 11 AM, cuz here ya go:

"DEVELOPMENT OF THE CURRENT EVENTS INTO PROXY WAR: ... OPPOSITION FORCES ARE TRYING TO CONTROL THE EASTERN AREAS (HASAKA AND DER ZOR), ADJACENT TO THE WESTERN IRAQI PROVINCES (MOSUL AND ANBAR), IN ADDITION TO NEIGHBORING TURKISH BORDERS. WESTERN COUNTRIES, THE GULF STATES AND TURKEY ARE SUPPORTING THESE EFFORTS. THIS HYPOTHESIS IS MOST LIKELY IN ACCORDANCE WITH THE DATA FROM RECENT EVENTS, WHICH WILL HELP PREPARE SAFE HAVENS UNDER INTERNATIONAL SHELTERING, SIMILAR TO WHAT TRANSPIRED IN LIBYA WHEN BENGHAZI WAS CHOSEN AS THE COMMAND CENTER OF THE REVOLUTIONARY GOVERNMENT."

https://www.judicialwatch.org/wp-content/uploads/2015/05/Pg.-291-Pgs.-287-293-JW-v-DOD-and-State-14-812-DOD-Release-2015-04-10-final-version11.pdf

Except of course when you're beginning your day beltway-style.

August 3, 2015 2:29 PM

Alan Kaminsky on Vulnerabilities in Brink's Smart Safe:

We should stop calling it the IoT. We should start calling it the IoIT -- Internet of Insecure Things.

That's not a very catchy acronym. Anyone have a better suggestion?

August 3, 2015 2:03 PM

Bob Pickles on Vulnerabilities in Brink's Smart Safe:

Having worked for the aforementioned company in an IT security-related capacity, I am not in the least bit surprised. Remember the diamond heist from the plane being loaded in Brussels a few years back? When senior management at Brink's thinks of security, they think of insurance and guns, not computers.

August 3, 2015 1:57 PM

EchoParalax on John Mueller on the Overblown ISIS Threat:

@ real friends

I want you to know that I agree with everything you've written. There's a reason the retired Pope doesn't leave Vatican City and the old President/Vice doesn't leave the U.S.

Why is the question. Why doth thine civilized countries sow such discord? Taking a cold, hard look at the world: Limited resources and unlimited people. Either increase resource production, i.e. invade Iraq, or decrease population. Or both.

Our entire lives are nothing but lies. We have great freedom, until we step too far, question too much, dare to count the money and inspect the scales. Sudden rule of law changes, ever convenient to the powerful, this is not democracy.

This is one of the smartest blogs on the planet, full of professionals and the retired. The discourse here is above par on all accounts. But even in this hallowed place, all we do is shake our heads at the illogic, the spin, and do nothing. (this was the most important sentence of this post that you probably skipped over anyway)

Enjoy the entertainment/news. Install FREE Win X. Watch Trump's hair in the breeze. Try not to gag on the smell of burning bridges. You can never go back.

August 3, 2015 1:45 PM

Bystander on Help with Mailing List Hosting:

Just wanted to add freelists.org. They are normally not used to such volumes, but asking won't hurt.

I like their general attitude and also their attitude towards privacy. Archive would be included.

@ Mike the Goat
I am just a bystander but it is great to see you back here.

August 3, 2015 1:41 PM

EasyMonet on Vulnerabilities in Brink's Smart Safe:

1. Get some good stock paper.
2. Type out a convincing security company letter, logohead, etc.
3. Mass mail this to any/all targets referencing this safe and general security.
4. By def, anyone who takes you up on this offer to improve their security is now a mark.
5. Rob everyone who replies.

Most of the people who reply will be interested in improving their security, thusly they will be the ones with low security. You could go legit, and take their consulting fee and actually upgrade them with overpriced equipment you're reselling, or you could sneak in after hours and rob them blind...

August 3, 2015 1:25 PM

Skeptical on John Mueller on the Overblown ISIS Threat:

I'd say that it's very difficult to assess ISIL as a terrorist threat in countries like the US without having certain key data available.

Suppose that ISIL can cause terrorist attacks either by (i) directly contacting and recruiting persons in the target society (the US, France, etc.), and then by directing (either loosely or tightly) that person to commit terrorist actions, or by (ii) indirectly "inspiring" terrorist actions by virtue of one-way propaganda that is received by a person in the target society who then, without additional prompting, takes terrorist actions.

The success of either approach depends on factors outside of ISIL's control. Leaving aside the second, one-way propaganda approach, and focusing on the first, two-way contact-recruit-direct approach, we might want to know the following:

(1) Conversion Rate - What percentage of visitors to ISIL's propaganda outlets engage ISIL in additional conversation? What percentage of those "clicks" result in the potential operatives becoming actual operatives?

(2) Explanations - Which theories, if any, best explain and predict which visitors click, and which clicks result in "purchases" (i.e. result in an actual operative)? How can those theories be further tested? What strategies do such theories yield, i.e. what do they tell us about the vulnerabilities of ISIL's ability to "sell"?

(3) Capability Assessments - Of known actual operatives produced by ISIL's marketing, what types of operations have they attempted, and what types of operations are they capable of executing?

(4) Risk Assessments - What are the magnitudes, types, and probability distributions of the damages caused by the various types of operations that would be attempted by ISIL operatives? Include the secondary effects of such operations, such as the political and economic effects.

Anyway, that's off the top of my head, but I'd think we would (roughly) want to know such things in assessing ISIL as a threat.

But some of those things may be quite difficult to know, and we may need to fill in some of the blanks with an educated imagination. If we are beginning our days by looking at threat reporting, by examining vulnerability reporting, those blanks will be filled in very differently than if we are beginning our days by thinking about other things.

In a significant sense, this is really a social science problem, but one for which we have limited data, untested theories with lots of missing details, and which needs to be addressed in a highly political and very complex environment with a certain degree of urgency.

As such, the best response likely incorporates measures that would be effective for a variety of competing theories, that would have very limited harmful side-effects, that would disturb as minimally as possible other national strategic objectives and plans (or still better, advance them), and that would not foreclose opportunities to utilize better understandings of the problem as more information or more analysis becomes available, or as the situation develops.

And from my perspective of great distance and with little information, that seems to be precisely the type of response undertaken by the US and other governments.

All this with the caveat that the above roughly and superficially addresses ISIL only as a potential cause of terrorist actions in nations like the US. A broader evaluation of ISIL as a problem would incorporate the various other ways in which interests and values might be threatened by ISIL as well.

August 3, 2015 12:55 PM

Daniel on John Mueller on the Overblown ISIS Threat:

@Winter (first comment)

See, this is why I still read the comments even if there is a lot of nonsense posted.

Your comment was precise, concise, and best of all correct.

August 3, 2015 12:41 PM

Nick P on Help with Mailing List Hosting:

@ Mike the Goat

Good to see you're making it. Look forward to next convo on Squid thread.

August 3, 2015 12:37 PM

Muffin on Help with Mailing List Hosting:

I feel there's a few choice words that could be said about SpamCop (and blacklists in general) here. They may be a good idea in theory, but in practice, if even Bruce Schneier, whose diligence, technical expertise and trustworthiness I'm sure we can all agree are beyond any doubt, cannot meet their standards, how can mere mortals hope to?

Remember, the point of blacklists is to solve problems for people, not create them. When it comes to spam, false positives are just as much a problem as (in fact arguably a bigger problem than) false negatives are.

August 3, 2015 12:18 PM

MyFirstNameIsPaul on Help with Mailing List Hosting:

I'm not sure what you consider a reasonable price, but I have found the Mailgun service by Rackspace to be very easy to use, but note that my needs are pathetic.

They have a simple pricing calculator you can use to see what the service would cost you. (Note that if you need some small resource to manage other aspects of your list, you could get a $15/month 512 MB Rackspace Public Cloud Server and get an additional 40,000 free Mailgun emails per month ~$20 worth.) Given the level of customer support I have received for my tiny little account, it is hard for me to believe they would boot any legitimate customer, and I have found numerous very large companies using their service to send me transactional email.

For reputation issues, I see that schneier.com currently has no SPF record and your current provider didn't use DKIM on the most recent newsletter.

All the reading I have done states that having an SPF record, DKIM record and DMARC record will help decrease spam rating, plus the aggregated spam reports that large providers send for DMARC can have useful information. Another important factor is reputation of the IP address or addresses that send the mail. (Mailgun has an option for $59/month to have a dedicated IP address.)

Although you could balance all of that against just hiring someone to set up a server with dedicated IP address, since it sounds like you are primarily just doing a monthly blast, so you could space that out over some time (24 hours?) such that even the most anemic server could handle the load.

I'm just an enthusiast, so I don't personally know anyone, but these two people have written stuff I learned a lot from:

Mike Hillyer How To Send One Billion Email Marketing Messages Per Month.

Reason (yes, this person is publicly a handle) has a blog at exratione.com with contact info and articles on various easy-to-implement solutions to email management and other admin issues. Reason runs his/her own newsletter that is plagued with deliverability issues due to the nature of the content, so has even gone so far as to write a Drupal module for managing bounces more effectively.
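The SPF/DMARC observation above (a domain with no SPF record, mail sent without DKIM) is the kind of thing a list operator can check before a migration. The following is an added example, not code from the comment or from Mailgun: it evaluates a domain's SPF and DMARC TXT records for the common weaknesses (missing record, `+all`, more than ten DNS-lookup terms, `p=none`, no `rua=`). The resolver is injected so the block runs offline against constructed records; DKIM is out of scope because verifying it needs a selector from a real message header.

```python
"""Assess SPF and DMARC posture from a domain's DNS TXT records.

Added example; the zone data at the bottom is constructed and does not
reflect any real domain's records.
"""
import re
from typing import Callable, Dict, List, Optional

# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(txt_records: List[str]) -> Optional[str]:
    """Return the domain's single v=spf1 record; RFC 7208 treats zero or
    more than one such record as 'none' / permerror respectively."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def assess_spf(record: Optional[str]) -> List[str]:
    """Return a list of human-readable findings (empty means no issues)."""
    if record is None:
        return ["no SPF record (or more than one)"]
    findings = []
    terms = record.split()[1:]          # drop the 'v=spf1' version tag
    lookups = 0
    for term in terms:
        # strip the +/-/~/? qualifier, then the argument after ':' '=' or '/'
        name = re.sub(r"^[+\-~?]", "", term)
        name = re.split(r"[:=/]", name)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms, over the limit of 10 (permerror)")
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        findings.append("'+all' allows any host to send as this domain")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("no terminal -all/~all: unlisted senders get a neutral result")
    return findings


def parse_dmarc(txt_records: List[str]) -> Optional[Dict[str, str]]:
    """Return the tag=value pairs of the single v=DMARC1 record, or None."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(tags: Optional[Dict[str, str]]) -> List[str]:
    if tags is None:
        return ["no DMARC record at _dmarc.<domain>"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not collected")
    return findings


def assess_domain(domain: str, resolve_txt: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """resolve_txt(name) -> list of TXT strings. Inject a live resolver
    (e.g. one built on dnspython) for real checks."""
    spf = assess_spf(parse_spf(resolve_txt(domain)))
    dmarc = assess_dmarc(parse_dmarc(resolve_txt("_dmarc." + domain)))
    return {"spf": spf, "dmarc": dmarc}


# Constructed zone data for three hypothetical domains (not real records).
CONSTRUCTED_ZONE = {
    "weak.example": ["google-site-verification=constructed"],
    "_dmarc.weak.example": [],
    "monitor.example": ["v=spf1 a mx ~all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none"],
    "good.example": ["v=spf1 mx include:mail.example.net ip4:203.0.113.0/24 -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
}


def constructed_resolver(name: str) -> List[str]:
    return CONSTRUCTED_ZONE.get(name, [])


if __name__ == "__main__":
    for d in ("weak.example", "monitor.example", "good.example"):
        print(d, assess_domain(d, constructed_resolver))
```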

August 3, 2015 12:01 PM

od74m5 on Help with Mailing List Hosting:

Bruce, another suggestion is the Riseup collective. They've been around since 1999, they care a lot about privacy and security, and they provide mailing lists to activist groups by donation. I'm sure they'd be thrilled to host your list. You can contact them here.

Also, since other commenters are saying you shouldn't even have a mailing list in 2015, I'd just like to say I do value mailing lists. If I don't use Facebook, Twitter, or Kindle because they're all in the business of surveilling users, that leaves only RSS and email for subscribing to this blog. Plus, email is the only way to get a consolidated set of the blog posts for the last month.

August 3, 2015 11:41 AM

stvs on Help with Mailing List Hosting:

Mailchimp was originally built using Amazon SES.

SES has granular bounce and complaint handling.

Just use SES yourself and configure as you've indicated.

August 3, 2015 11:37 AM

Real Friends Dont Let Friends Use Windows on John Mueller on the Overblown ISIS Threat:

@ The Infidel

The CIA and Pentagon have decades in arming and training terrorists as US-controlled proxy forces all over the world, the US has assisted in countless coups/illegal wars ("We have always been at war with Eurasia"), killed and maimed innumerable innocents in maintaining the petro-dollar and their global hegemony etc... so, I'm curious how the Arabs are the greatest threat to anyone right now?

Any risk that is faced by the US is the result of direct foreign policy and military adventurism.

Yes, apparently if you let your government arm, fund and train the mujahideen, who become the Taliban, who then splinter into other extremist groups e.g. Al(CIA)AEDA, Al-Nusra et al. -> you end up with state-sanctioned propaganda on Fox News (or other approved outlets) highlighting the alleged risks to the homeland.

This is all done as a show to continue feeding the perpetual war machine and the intelligence community. The statistics show any risk is absolutely remote (less than being killed by lightning).

'The Infidel' should perhaps look closer in his backyard at the homegrown naked neo-colonial aggression before getting too excited about imperialist-approved churnalism.

While "ISIS makes super-virus" is great for CSI:Cyber or whatever dross is brainwashing the public right now, it is the stuff of fantasy. You are 1000 times more likely to be shot by your local para-military SWAT-cop than be killed by some disaffected Moslem.

This is despite their legitimate grievances over US war crimes and the sheltering of war criminals (just ask the CIA torturers-cum-murderers who fear to travel to the EU right now for good reason).

Start your education at Wikileaks and get back to us. The Afghan War Diaries is a nice place to start - you know, where you can see your military purposefully blow up civilian innocents on video tape. "Light em up!" etc.

August 3, 2015 11:36 AM

b110 on John Mueller on the Overblown ISIS Threat:

@The Infidel 10.02 AM

Yes, of course organizations like that have existed historically. As to your movie-plot-bullshit-scenario question, why is it interesting to speculate on that?

August 3, 2015 11:29 AM

od74m5 on Help with Mailing List Hosting:

Bruce, the EFF has a pretty big mailing list and I'm sure their technologists and activists have dealt with these types of issues before. You could ask them how they manage it and what systems they use.

August 3, 2015 11:16 AM

Daniel on Help with Mailing List Hosting:

While I understand the business side of it I'm with PT. Take this roadblock to think deeply about whether you need a mailing list at all. Frankly, I haven't subscribed to a mailing list in at least a decade and it is very rare when I find there is something I want to read that is exclusively on a mailing list. But that's just me. I might not represent the norm.

August 3, 2015 10:20 AM

Tyler Menezes on Help with Mailing List Hosting:

Mailgun is a more developer-focused solution, but if you're okay with writing your own subscribe page, it has solid list management built in.

August 3, 2015 10:14 AM

Ignacio Arriaga on Help with Mailing List Hosting:

Hello Bruce,

If you want, I used to follow your site and I am the CTO of a site similar to Mailchimp. We can provide service to you without problem with the circumstances that you have.

The goal of this comment is only to offer you our tool, not to be spammy, so if you want you can write to me on my email and leave the comment unpublished.

Thanks,
Regards.

August 3, 2015 10:04 AM

Mark Newsome on Help with Mailing List Hosting:

Reconfirming your emails probably won't work. It's likely that those spam trap addresses were added to your list intentionally by an attacker who will simply resubmit them.

August 3, 2015 10:02 AM

The Infidel on John Mueller on the Overblown ISIS Threat:

Just curious...

Has there ever been in the history of the world an organization that abducts children and teaches them to behead?

The children had all been shown videos of beheadings and told by their trainers with the Islamic State group that they would perform one someday. First, they had to practice technique. The more than 120 boys were each given a doll and a sword and told, cut off its head.

http://www.huffingtonpost.com/entry/isis-training-children-beheading-in-under-islamic-state-children-trained-to-behead-at-early-age_55ac2795e4b0d2ded39f45e9

Another open question to open-minded infidels:

If ISIS had a way of marrying the genome of small pox with ebola and disseminating it to the western world, do you think they would?

August 3, 2015 10:01 AM

Mike the goat on Help with Mailing List Hosting:

Dirk: at the risk of hijacking this thread, indeed I am. Have been bogged down with mundane life and a medical condition - am much better and am slowly re-engaging with the sec community! I guess I should move this into the Friday column - but yes, I am indeed still alive and doing okay! :) Great to see you again.

August 3, 2015 9:29 AM

Winter on John Mueller on the Overblown ISIS Threat:

@Curious
"I am reading today that NATO Turkey is believed to keep bombing the Kurds in northern Iraq, "

That is simple. Erdogan wants a majority in the parliament to make him Khalif for life. The Kurdish party prevented that, so he now wants to start a civil war against the Kurds to oust them from parliament.

This is a variation of what Putin did to Chechnya and the Russian Duma when his party did not have a majority.

August 3, 2015 9:21 AM

Curious on John Mueller on the Overblown ISIS Threat:

I am reading today that NATO Turkey is believed to keep bombing the Kurds in northern Iraq, after that NATO had/let Turkey bomb ISIS a little in Syria a week ago, or whoever ends up being on the receiving end.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.