Recent Comments


Note: new comments may take a few minutes to appear on this page.

July 26, 2016 4:40 PM

Anura on Russian Hack of the DNC:

@Queen of Mena

The person who had a significant lead in the polls for the entirety of the Primary, and won the popular vote by roughly the same margin stole the election? Again, this is more proof of Clinton Derangement Syndrome - ignore all common sense, ignore reality, and look for the faintest evidence to confirm your bias.

July 26, 2016 4:24 PM

james on Hiring Hackers:

i want to share my story with you all, i got married to this wonderful man 10years, when i was pregnant with our first daughter i noticed some strange behaviour from my husband so i started suspecting he was cheating, i told my cousin so he told me about this military technician colleague who was is friend and who happened to help him hack his cheating wife's phone. i got in contact with him and he helped to hack my ex husbands phone,you would not believe the things i discovered with the help of Mr Lyon, he is the best out there ,you can also contact him for any other issue relating to hacking , thank me later…you can contact him on cryplyonhackers@gmail.com or text him on +12059009736

July 26, 2016 4:20 PM

The Blue Angels F-35 Precision Yaw and Crater Squadron on Cyberweapons vs. Nuclear Weapons:

Capital! Always nice to have the viewpoint of the 3rd-rate beltway ASVAB waivers who are dishonest enough to be bankers but not quite smart enough. Let's float on red-white-and-blue cotton candy clouds and fly with the eagles, fly, fly, in their fantasy world! Let's see, hmm...

Lots of not-even-wrong, like the typical childish soldier boy catchphrase picking a fight, cherished by international law ignoramuses. And even now, after an overwhelming referendum in Crimea and a domestic Crimean accession decision in full accord with international law and precedent ( http://www.icj-cij.org/docket/index.php?p1=3&p2=4&case=141&p3=4 ), beltway losers are still parroting their 'invasion' Big Lie. They're still rubbing their contused b-ttcracks because they took over Ukraine and wound up with the Exclusion Zone.

Ah. And hybrid warfare. If you're smart enough for government work - just smart enough - that means Russia not taking any sh-t because they can kick your a-s in any real war, like Syria, and you can't do sh-t and you know it. Losers.

And what would a skeptical post be without delusional bombast: Europe has been prodded from its slumbaahs...

Zzz, Zzz, Zzz, Hmh? snort, scratch, stretch, f-rt, cut off the power to Incirlik, slough off Trident, drop illegal US sanctions, get to work on South Stream, celebrate Russia day in Rostok, sneer at 2%, roll over and go back to sleep. Nice work - for an ASVAB 20. Your fake democracy is still a laughingstock, even among your bought-and-paid-for satellite regimes.

July 26, 2016 4:20 PM

Jesse Thompson on Tracking the Owner of Kickass Torrents:

> The interesting takeaway is that a few small op-sec failures that are years old can be easily pieced together into a full picture.

Woops, sorry you appear to have misspelled "Parallel Constructed" there. :3

July 26, 2016 4:17 PM

it's a free for all on Russian Hack of the DNC:

"The guys who are responsible for this should be brought to a "fair" trial."

I'm sorry, we have fair trials? I missed that memo. The trials that we do have are more like uphill battles where the government is concerned, and that's if there's even a trial or an investigation to begin with.

July 26, 2016 4:02 PM

Igor on Russian Hack of the DNC:

Surprisingly, in this case the best security measure against the consequences of this hack/leak would have been a fair democratic process that didn't involve working in the shadows against Bernie. But that's probably too much to ask.

July 26, 2016 3:48 PM

flambe on Russian Hack of the DNC:

They were asking for a data breach with Exchange. Funny how no one gets fired for buying Microsoft.

July 26, 2016 3:45 PM

Gerard van Vooren on Russian Hack of the DNC:

@ Brian Madison,

"Agreed. Wait, are we talking about the Russians or the DNC?"

True, very true.

The major problem is that the Americans are being f**ked by their own political elite. I really feel sorry for Sanders. He didn't have a fair chance. The guys who are responsible for this should be brought to a "fair" trial.

July 26, 2016 3:39 PM

Ted on Russian Hack of the DNC:

STATEMENT BY SECRETARY JEH C. JOHNSON REGARDING PPD-41, CYBER INCIDENT COORDINATION

"As Secretary of Homeland Security, I am often asked “who’s responsible within the federal government for cybersecurity? Who in the government do I contact in the event of a cyber incident?”
"Today [For Immediate Release July 26, 2016], President Obama’s Presidential Policy Directive/PPD-41, United States Cyber Incident Coordination, clarifies the answer to these questions. The PPD spells out the lines of responsibility within the federal government for responses to a significant cyber incident, and specifies who to contact in the government in the event of an incident. The PPD delineates between “threat responses” and “asset responses.” A “threat response” essentially involves investigating the crime, so that we can hunt down the bad actor. As the PPD spells out, federal law enforcement is the key point of contact for a threat response. The Department of Homeland Security, through our cybersecurity experts at the National Cybersecurity and Communications Integration Center, will act as the point of contact and lead coordinator for asset response. “Asset response,” like a threat response, is crucial. It involves helping the victim find the bad actor on its system, repair its system, patching the vulnerability, reducing the risks of future incidents, and preventing the incident from spreading to others."

July 26, 2016 3:39 PM

Joshua Bowman on Tracking the Owner of Kickass Torrents:

The interesting takeaway is that a few small op-sec failures that are years old can be easily pieced together into a full picture. But I wonder if he has any recourse to say, "No way, I sold everything years ago, including the Apple account that's required to manage it."

When you think about it, it seems like common sense to start with VPNs and Tor and anonymizers and bitcoin/stolen cards, but most of these sites are started by people who are young and naive; Kickass was founded when he was 24, if they have the right guy, and I'm sure it was meant to be a hobby project until it blew up. And of course, the FBI and NSA have been actively subverting and infiltrating all of those defenses the whole time, so it might not have even helped.

The best defense when you suddenly get the security religion might be to attempt to cover your tracks, but to make it look like you sold it and washed your hands of it. (Or actually sell it.)

July 26, 2016 3:37 PM

I'm with Kimmie Queen of b on Russian Hack of the DNC:

Grauhut wins the thread. In fact, all signs point to Mossad trying to frame Russia with hokey clues after two thousand baked 4chan punks pwned Hillary and the DNC. Rid speculates his ass off about Russians tampering with documents, but it never occurs to him to question those open-source X-Tunnel links and Cyrillic 'fingerprints.'

Rid's job as hack is to yell, Look! Over there!! and divert attention from the sub-Bozo ineptitude of the DNC and its head international money-launderer. For Rid, 'sabotage' means exposing electoral perfidy and corruption in breach of ICCPR Article 25(b) and the RICO Act - what any minimally-competent law enforcement agency would do. If the US had one.

If the US had evidence they could take it to the ICJ. They don't, so they won't.

July 26, 2016 3:29 PM

Wael on Decoded, by Mai Jia:

@Clive Robinson,

The likes of Richard Feynman, Richard Dawkins, the late Christopher Hitchens, Sam Harris...

Incomplete sentence. What I meant to say:

The likes of Richard Feynman, Richard Dawkins, the late Christopher Hitchens, and Sam Harris pushed the concept of the "God of the gaps". Sam Harris is one whom intellectuals like Noam Chomsky and David Berlinski don't take seriously.

July 26, 2016 3:23 PM

Grauhut on Russian Hack of the DNC:

@All: Help, i need to understand something... :-)

Why were these servers still online if they were long-time "Russian spy assets"?

"They then linked this deceptive domain to a long-known APT 28 so-called X-Tunnel command-and-control IP address, 45.32.129[.]185.

One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address—176.31.112[.]10—that was hard coded in a piece of malware found both in the German parliament as well as on the DNC’s servers."

http://www.ipaddressden.com/ip/45.32.129.185.html -> San Jose, US
http://www.ipaddressden.com/ip/176.31.112.10.html -> Paris, France


Why were they allowed to continue to function? Were they monitored?

And if they were monitored, why did nobody stop the DNC hack? LIHOP? ;)

July 26, 2016 3:07 PM

Brian Madison on Russian Hack of the DNC:

Takes a lot of cojones to so blatantly interfere with the US elections.

Agreed. Wait, are we talking about the Russians or the DNC?

July 26, 2016 2:53 PM

Daniel on Russian Hack of the DNC:

Thomas Rid's piece doesn't summarize the evidence, it is a hit piece designed to make Trump look bad and I say that as someone who doesn't plan on voting for the man. Although the headline says "all signs" point to Russia there is in the analysis precious little actual data that fingers Russia. Indeed, the only factual evidence seems to be links to IP addresses that have been in the past associated with Russian intelligence. Moreover, Rid's piece uses a lot of hedges like "allegedly" so there is wiggle room in the future.

I think it is a huge stretch to say that Russia is behind it based upon the available evidence.

July 26, 2016 2:52 PM

Gerard van Vooren on Tracking the Owner of Kickass Torrents:

Here is a movie plot for the next Homeland series.

Carrie makes passionate love with Kickass, the site owner of a second-rate Pirate Bay clone. Afterwards, while Kickass sleeps, Carrie steals the master password of the site, but after that she immediately goes back to bed and lets him take her one more time. Meanwhile, Sal watches this scene through a secret camera with his pants at his knees.

Quinn assassinates Kickass's kitten with rat poison in the milk. "Hawk" Dar Adal works together with a massive Mossad expert team to design a computer virus for DDoSing the site for at least a couple of hours, in case Carrie fails in her mission. Dar is also the mastermind of a smear campaign.

In the final episode, which takes place ten years in the future, Carrie dies of cancer because she smoked too much.

---

Or would this be a bit too much reality?

On one hand, I am okay with the fact that reality is much less dangerous than the Homeland fiction, where well-organized terrorists try to "take over the world"; on the other hand, reality is much more hypocritical.

Maybe this is what Obama meant with "Yes We Can".

July 26, 2016 2:48 PM

albert on Tracking the Owner of Kickass Torrents:

@Ross,
"...Using Homeland Security personnel to enforce this is absurd...". So is using FBI personnel. To quote a former head of the FBI, in 2002:

"...Understanding this basic fact is essential to evaluating how the FBI fits into the President's proposal to establish a Department of Homeland Security and what we will provide to ensure this new department gets from the FBI what it needs to succeed. That is our obligation. Or put more bluntly, the FBI will provide Homeland Security the access, the participation, and the intelligence in whatever form and quantity are necessary for this new department to achieve its mission of improving and building domestic preparedness against terrorism in America...."

and:
"...Simply put, our focus is now one of prevention..."

So it removes some BS from the feebs, and puts it on the homeys.

. .. . .. --- ....

July 26, 2016 2:44 PM

Anura on Russian Hack of the DNC:

@wayward710

Well, they are inventing bullshit stories to rationalize it. A popular theory today is that Putin is blackmailing Hillary. Their proof is basically stated as follows:

1) Hillary is corrupt (no evidence provided, this is just assumed to be true because the media has been suggesting it since 1992)
2) Hillary had a private email server
3) There is no proof that Russians hacked her email server.
4) Given that 3) is not proof that Russians did not hack her email server, it proves that the Russians did hack her email server.
5) Given that Hillary is corrupt, this means she must have had deeply incriminating evidence on her email server.
6) Given that there is no evidence of 5) and given that 4) proves Putin has Hillary's emails, it means that Putin must be holding onto incriminating evidence
7) The only reason why Putin was holding onto incriminating evidence is if he was blackmailing Hillary

Q.E.D.

July 26, 2016 2:44 PM

Darren Chaker on Tracking the Owner of Kickass Torrents:

Indeed, why is the Government enforcing copyright law? Sure, it is a law, but today's events in the world dictate that resources be put elsewhere to prevent terrorism, not to do what Hollywood can do on its own - file a lawsuit, get an injunction, take down the site.

July 26, 2016 2:42 PM

David Schwartz on Visiting a Website against the Owner's Wishes Is Now a Federal Crime:

"By using a public name, there is implicit permission to use the site. The same is true by having a visible letter box on your front door. There is implicit permission for postpersons and others to deposit material into it, thus permission to approach unless other measures are in place."

I agree, there was implicit permission, but that permission was explicitly revoked by the cease and desist letter. We don't want a world where people have to lock doors and put up fences to have the enforceable legal right to keep others off their property. We want a world where unambiguous notice and clear boundary markings are sufficient. That's just way better for everyone.

This case is more like someone soliciting in a bank lobby under a "no soliciting" sign, and when the bank asks them to leave, they refuse claiming that one of the bank's customers said they could be there.

Facebook's web site is open to the public, like a bank lobby. Some people can get services from the bank that others can't, just like people who have Facebook accounts.

July 26, 2016 2:36 PM

David Schwartz on Russian Hack of the DNC:

xizzhu: You are assuming that this is the only leak of DNC emails that will occur. What if this is the first of several?

July 26, 2016 2:33 PM

albert on The Economist on Hacking the Financial System:

'Attribution' doesn't lead to mitigation, or any kind of solution. It functions only to apply -retribution- to the enemy. We have many enemies, both within and without. Military states like us need enemies, otherwise we can't maintain the war economy. Sovereign states are good; they put faces on the enemy. Wars against concepts, like terrorism and drugs, also need faces. The Unwashed Masses respond better to countries as enemies when they see 'those foreigners' on MSM 'news'.

Current bogeymen are Russia, North Korea, and China, all major geopolitical forces. There are at least a dozen or so minor states which I don't feel like enumerating, but that you know about.

So, I'm sick and tired of hearing about attribution; I'd go so far as to say it's meaningless as far as hacking is concerned. It -is- useful to maintain the bogeyman status of our enemies, and to redirect the public's 'attention' away from actually useful mitigation and correction efforts.

Speaking of which, where is the factual information about what's being done to prevent more OPM attacks? Or did it serve its purpose?

I can't research this myself, because I don't want to dilute my cynicism, which took decades for me to develop and fine tune.

. .. . .. --- ....

July 26, 2016 2:30 PM

wayward710 on Russian Hack of the DNC:

It's amazing how little Trump's supporters seem to care about this.

July 26, 2016 2:30 PM

Ross Snider on Russian Hack of the DNC:

It is common practice for nations to influence elections of one another. The United States does this - in Russia, in Ukraine and elsewhere.

An especially common practice is to oust political parties and aspirants by publishing evidence of corruption.

While Russia denies its role in the hacks, it can always point to the leaks as having been a good deed, as they implicated political corruption within the DNC and Hillary Clinton campaign.

July 26, 2016 2:25 PM

John on Russian Hack of the DNC:

If politicians didn't constantly bend the rules to their own advantage this wouldn't happen; they only have themselves to blame for these dumps. No wonder people are voting for anti-establishment candidates; they have had enough of this rigged game.

July 26, 2016 2:21 PM

xizzhu on Russian Hack of the DNC:

If this leak is really to influence the election, it just happened way too early. How many will still remember this after a few months? As a comparison, anyone still talking about the Panama Leak? Anyone? Hello?

I know, I know, you can easily suggest that the leaked emails were manipulated, but so far I haven't seen the DNC do so (they could easily show the original copies and prove the leak is fake). So, yep, whatever the leak's aim is, we can only say the DNC already manipulated the primaries, among other dirty things.

To make it even more interesting, CNN reported that US officials warned DNC "months before the party moved to try to fix the problem".

July 26, 2016 2:19 PM

Wael on Decoded, by Mai Jia:

@Clive Robinson,

It is interesting to note that two thirds of China's population do not have religious beliefs; some polls put the number in the US at as little as one in seventy-five people. Similar low numbers are reported for most western countries.

Statistics aside, there are historical reasons why the western world, to some extent, stopped believing in a supreme being. The first one is the blatant dissonance between scriptures and well-established scientific facts. The second being: how would a benevolent, all-loving God allow atrocities to happen to innocent people? For example, why would God allow Hitler (or, more accurately, Himmler) to do what they did to the "chosen people"? I chose this example because it relates to the book in question.

It is interesting to note that as mankind evolves in sophistication of material control, that the gods worshiped also evolve in sophistication.

There are two main perspectives to this: The Theist perspective and the Atheist perspective. The Atheist perspective can be summarized in the concept of the "God of the gaps", which you're alluding to by "evolving sophistication". The likes of Richard Feynman, Richard Dawkins, the late Christopher Hitchens, Sam Harris whom, incidentally, intellectuals like Noam Chomsky and David Berlinski don't take seriously. It's also worth noting that those who adopt the concept of "God of the gaps" are themselves guilty of what they accuse Theists of: "Science of the gaps"! We can elaborate later...

The Theist perspective branches into several sub-branch perspectives. Again, a subject for another day...

What is it in the human mind that needs or craves for deities?

Excellent question! Perhaps it's instincts or ancient knowledge that was passed from generation to generation. Evolutionists cannot explain instincts or "initial conditions": Who programmed the chick to know how to hatch from the egg and follow its mother along. Examples are abundant. "Natural selection" is not the answer!

Before anyone sends me a link to any of the debates, I can tell you that I watched the majority of them.

Back to the subject proper: What was @Bruce interested to hear about the book?

July 26, 2016 2:11 PM

Alex on Russian Hack of the DNC:

The main thing is not to get carried away, and to start using encryption.

Remember: these minor problems are a small price to pay in order to address the legitimate needs of law enforcement to gain access to citizens' computers.

July 26, 2016 2:11 PM

Sattar on Russian Hack of the DNC:

If you are using Active Directory or Exchange, you are fuxked. No one talks about the elephant in the room.

July 26, 2016 2:06 PM

Carlo Graziani on Russian Hack of the DNC:

From Thomas Rid's piece:

"...American inaction now risks establishing a de facto norm that all election campaigns in the future, everywhere, are fair game for sabotage—sabotage that could potentially affect the outcome and tarnish the winner’s legitimacy."

The idea of some kind of tit-for-tat retaliation for this bit of tactical sabotage by Russia frames the issue poorly. Clearly, Russia views the US as a strategic threat to be undermined, and equally clearly the US must do what it can to undermine the Putin regime. The question is how to do so effectively.

In my view, the answer is "By driving oil prices down". The Russian oligarchy is heavily dependent on the mineral resource extraction that underpins the Russian economy. That oil wealth is the only way that the Russian government can provide even the relatively primitive economic well-being that constitutes the claim to legitimacy of its nationalist program. By pressuring oil revenues, the West can create economic turmoil and popular discontent, while at the same time creating dissension and loyalty conflicts among the oligarchs, many of whom stand to lose vast amounts of money. Putin's power, which seems so absolute now, would certainly come to seem much more fragile in the event of a return of Soviet-era consumer poverty.

Hence, driving down oil prices should become a principal strategic goal of U.S. policy. One important tool to do this is to implement a carbon tax immediately. The US government should announce that gasoline taxes will increase by, say, 10 cents per year for the next 10 years. This would depress demand for gas while driving research and development of zero-emission vehicles -- said research needs a predictable future run of fuel prices to reduce investment risk. While such tax increases are of course unpopular, they are justifiable on grounds of U.S. National Security objectives, which should help sell them politically.

New revenue from Federal gas taxes should fund major increases in Federal research funding in green energy, as well as Federal incentives for investment in zero-emission vehicle and infrastructure development -- think recharging and Hydrogen refueling stations, as well as high-speed rail and urban public transport.

All of this would also, of course, contribute to alleviating the carbon climate crisis, an important goal in its own right. Higher oil production, through fracking-type techniques, is less helpful in this regard, but fracking is with us anyway, and contributes to the strategic security goal driving oil prices down, so it should not be discouraged, although it should also not be exempted from carbon taxes, so as not to compromise the goal of lowering carbon emissions.

The fact that the same set of policy choices could alleviate the climate crisis while simultaneously sticking it to Russia, a corrupt and kleptocratic state that measures the extent of its own security by the degree of insecurity that it can induce in its neighbors and peers, makes it an irresistible package, in my opinion. If this is to be a war, let's for once fight the war with oil, rather than for oil.

July 26, 2016 2:00 PM

Zd on Russian Hack of the DNC:

It's hard to understate how huge this story is if confirmed to be true. It takes a lot of cojones to so blatantly interfere with the US elections. And Wikileaks will have some 'xplaining to do about their role here.

July 26, 2016 1:51 PM

Dan3264 on Tracking the Owner of Kickass Torrents:

@Daniel,
You are correct. That is definitely what people doing stuff like that should do. Unfortunately (for them) you can't just become an expert on something overnight. It is hard to get good advice on defending oneself from advanced persistent threats. Also, most people would not actually follow such advice, even if they have to defend against advanced persistent threats. And you don't really get second chances when dealing with advanced persistent threats.

July 26, 2016 1:16 PM

Doug Coulter on The Economist on Hacking the Financial System:

@Tim Bradshaw
I'm responding to your earlier comment about "state sponsored hacking".
There are still quite a few of us around who, back in the day, did embedded programming and almost by definition could reverse engineer nearly anything, as when you were working at the bleeding edge back then, the vendor documentation wasn't so great. As you point out, brains and the ability to use them are not a monopoly of the state, by any means; if anything, it's the opposite of that.

The well-known Bunnie Huang isn't the only guy out there who can do this kind of thing by quite a long shot. You just have to know your stuff and want to. His hack of SD (and by extension USB) memory wasn't even difficult by the standards we used to hold ourselves to: https://www.bunniestudios.com/blog/?p=3554
(which gently implies that not only is USB security broken, it can't be fixed without breaking all existing devices)

I admit to having a bit of amusement about "russian hackers" and the DNC emails. As if attribution were a sure thing...and as if it mattered who did it if the content is actually factual. The recent stir and resignations seem to say "yup, and we're afraid there's more, we know what we did". It's the cockroaches that scatter when the light is turned on.

Sure, maybe some exfiltrated data hit a Russian IP address at some point, which wouldn't surprise me one bit. When I ran a software consultancy, I sometimes hired Russian (or nearby) nationals as contract labor - and darn, those guys were GOOD. Doesn't mean their government (of which most of the ones I knew had a fairly dim view) had to be involved.

No matter who did it, perhaps they did us a service. Transparency rarely offends me, no matter who the lens is pointed at.

I admit to being a bit sick that we tolerate virtually anything as long as we know who to point a finger at (let's fix the blame, not the problem), and are even easily manipulated in that. Is it the hacker's fault that whatever was revealed was truth? And not just this case.

Example - Snowden might have messed up a few careers in the TLAs, but did he harm our security? That's pretty arguable, and golly, these TLA Guys think they ARE the USA, not our servants. So harm to them == harm to USA. Not the case.
Yet all too many buy that.

July 26, 2016 12:41 PM

Ross Snider on Tracking the Owner of Kickass Torrents:

Using Homeland Security personnel to enforce this is absurd, and goes to (continue to) show that ownership of the infrastructure of every aspect of society needs to be controlled and that anything else is considered a National Security threat.

This is where Karl Marx, Richard Stallman and Amish Philosophy overlap: ownership and control of the industries that provide protection and security, entertainment, nourishment and comfort is important to the freedom of the individual.

When these things are privatized and monopolized, be they Facebook for or the power grid for comfort, they are abusable and the individual depends on having the same interests as the rent-controlling entity in perpetuity.

Information distribution entities from Google to Facebook to Hollywood have been thoroughly infiltrated by national intelligence, who use these industries for surveillance, propaganda and information warfare.

To keep them solvent though, they need to engage in protectionism until a successor can itself be infiltrated. Some day there may be a sanctioned torrent site. It will happen when the tracker engages with elements of power and 'chooses' to curate and distribute content in a manner pursuant to national security and interest.

July 26, 2016 12:38 PM

nome_de_peinture on Tracking the Owner of Kickass Torrents:

Homeland Security investigators also performed something called a WHOIS lookup on a domain that redirected people to the main KAT site.

I can't imagine the years of training that took at DHS. If only there was a way to search for domain owners....

The media cartel lose beelions due to torrent websites and pirating.

This isn't news to most, but beyond making purchasing rights easy, which most don't, the people pirating end up being paying consumers anyway.

Practical software companies know this. They make the software hard enough to steal that it's inconvenient for most. The ones that are still determined very likely end up being customers anyway. Practically speaking, it's a form of marketing.

July 26, 2016 12:03 PM

Appeos on Stealing Money from ISPs Through Premium Rate Calls:

This is not a new idea and reminds me of a big issue that telecoms companies were having in the late 1990s.

People were setting up premium rate numbers, then getting cheap international dialling accounts to call them. The telecom companies weren't sophisticated enough to filter out international premium rate numbers, so were vulnerable and lost many millions of dollars.

I was building a carrier billing system for a global telecom company when I noticed this issue. Someone had a bank of laptops with modems in Switzerland calling a UK premium rate number 24x7. Only spotted it by accident after six million dollars was lost. Assume many other telecom companies hit too for similar sums.
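The call-pumping pattern Appeos describes, screened in an added example of my own (not Appeos' billing system or any real carrier's code): a small CDR check that flags accounts whose calls to premium-rate prefixes run around the clock or overlap, as a bank of modems would. The premium-rate prefix list, the thresholds and the sample CDRs are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: premium-rate destinations are recognised by E.164 prefix. UK 09xx
# numbers dial as +449...; the list is deliberately short for this example.
PREMIUM_PREFIXES = ("+449",)

# Constructed sample CDRs: account, origin country, dialled number, start (ISO 8601), seconds.
# acct-1001 mimics a bank of modems in CH hammering one UK premium number around the clock;
# acct-2002 is ordinary traffic that happens to include one short premium-rate call.
SAMPLE_CDRS = """\
acct-1001,CH,+449091234567,2016-07-25T00:00:05,3500
acct-1001,CH,+449091234567,2016-07-25T00:00:09,3500
acct-1001,CH,+449091234567,2016-07-25T00:00:12,3500
acct-1001,CH,+449091234567,2016-07-25T01:00:01,3500
acct-1001,CH,+449091234567,2016-07-25T01:00:04,3500
acct-1001,CH,+449091234567,2016-07-25T01:00:07,3500
acct-2002,DE,+441632960123,2016-07-25T09:15:00,240
acct-2002,DE,+449091234567,2016-07-25T09:30:00,55
acct-2002,DE,+33123456789,2016-07-25T14:05:00,600
"""


def parse_cdrs(text):
    """Turn the CSV text into a list of dicts with parsed start/end times."""
    cdrs = []
    for line in text.strip().splitlines():
        account, origin, callee, start, seconds = line.split(",")
        begin = datetime.fromisoformat(start)
        cdrs.append({
            "account": account,
            "origin": origin,
            "callee": callee,
            "start": begin,
            "end": begin + timedelta(seconds=int(seconds)),
            "seconds": int(seconds),
        })
    return cdrs


def is_premium_rate(number):
    """True when the dialled number falls in an assumed premium-rate prefix."""
    return number.startswith(PREMIUM_PREFIXES)


def max_concurrency(intervals):
    """Largest number of calls in progress at the same instant (sweep line)."""
    events = []
    for start, end in intervals:
        events.append((start, 1))
        events.append((end, -1))
    events.sort()  # an end (-1) sorts before a start (+1) at the same instant
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def screen_accounts(cdrs, premium_minutes_per_day=300, concurrency_limit=2):
    """Aggregate premium-rate talk time per account and day, then apply two heuristics.

    A single customer rarely spends hours per day on premium numbers, and a single
    line cannot hold two calls at once, so either condition points at a modem bank.
    Returns {account: {"premium_minutes", "max_concurrency", "reasons"}} for every
    account with at least one premium-rate call; "reasons" is empty when clean.
    """
    per_account = defaultdict(list)
    for cdr in cdrs:
        if is_premium_rate(cdr["callee"]):
            per_account[cdr["account"]].append(cdr)

    report = {}
    for account, calls in per_account.items():
        minutes_by_day = defaultdict(float)
        for cdr in calls:
            minutes_by_day[cdr["start"].date()] += cdr["seconds"] / 60
        busiest = max(minutes_by_day.values())
        concurrency = max_concurrency([(c["start"], c["end"]) for c in calls])
        reasons = []
        if busiest >= premium_minutes_per_day:
            reasons.append(f"{busiest:.0f} premium-rate minutes in one day")
        if concurrency >= concurrency_limit:
            reasons.append(f"{concurrency} simultaneous premium-rate calls")
        report[account] = {
            "premium_minutes": round(busiest, 1),
            "max_concurrency": concurrency,
            "reasons": reasons,
        }
    return report


def flagged_accounts(text=SAMPLE_CDRS):
    """Accounts that trip at least one heuristic, sorted for stable output."""
    report = screen_accounts(parse_cdrs(text))
    return sorted(a for a, r in report.items() if r["reasons"])


if __name__ == "__main__":
    for account, row in screen_accounts(parse_cdrs(SAMPLE_CDRS)).items():
        print(account, row)
```

Real billing feeds would add the origin-account tariff (the cheap international plan is the other half of the arbitrage) and a rolling window rather than calendar days; the two heuristics here are the minimum that would have caught the six-million-dollar case by design instead of by accident.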

July 26, 2016 11:41 AM

albert on Tracking the Owner of Kickass Torrents:

@James Hare,
The answer to your question is: Apple, Facebook, and the movie studios. The FBI has always investigated copyright violations for the Big Boys. Check out those warnings at the beginning of each movie. The BBs lose beelions due to torrent websites and pirating. Didn't you know? This is much more important than national security.

@Keith,
According to the complaint, Vaulin -did- actually copy and distribute some works. Rule Number One for torrent sites: Don't do that! Let the -users- do the copyright infringing.

Seems like Vaulin did everything wrong, at every step of the way.
. .. . .. --- ....

July 26, 2016 11:32 AM

Remo on Tracking the Owner of Kickass Torrents:

@Daniel

So it is not enough to be "fully paranoid" one must be fully paranoid from the moment one first connects to the internet in any capacity.

For those of us who have lived most of their lives connected to the internet, this is the thing that concerns me the most. I know I'm showing my age but this will be an even larger problem for many others who are even younger than me. We've been encouraged to sign up for services using accounts that can easily be linked back to us and used to map all of our activity across the internet without our full understanding of the consequences. By the time we realize how deep it goes it's too late to take back our privacy.

I'm aware that many people of all ages are in the same boat but I can't help feeling particularly bamboozled when I was making these decisions before I was allowed to drive a car.

July 26, 2016 11:27 AM

Skeptical on Cyberweapons vs. Nuclear Weapons:


@RD: That was the reason for Putin's pointed leak of the concept when 3rd-rate beltway shitheads started telling Europe let's you and him fight.

Pointed leak of a 60 year old concept that happens to undermine his entire case against ABM systems. Brilliant move on his part if that was the point. Right up there with invading Crimea and Ukraine - which, by the way, was actually picking a fight with Europe, notwithstanding your belief in the power of "third-rate beltway etc".

The "leak" was theatre for the masses, a burnishing of Russian national strength, part of the same old program.

But then, nuclear confrontation isn't really the game here. Russia wants the ability to continue to wage forms of hybrid warfare, to varying degrees of intensity, against those near neighbors that the ruling circle perceives as having improperly broken from Russia, compounding their sin by adopting democratic institutions and closer relations with the West. Cowing Europe is part of that plan.

Of course, it has backfired. Europe has been prodded from its slumber, and Putin has accomplished what no one else could: he has reinvigorated NATO.

But, it will help keep him in power, and insofar as he equates his own grip on power with Russian stability and progress, perhaps the cost of Russia's relationship with the world is worth the benefit in the eyes of some.

July 26, 2016 10:43 AM

albert on The Economist on Hacking the Financial System:

@ianf, furloin, Garrett,

As long as the 'banking system' (and that includes the private Federal Reserve and their govt lapdogs) continues as it is, there will be bubbles, bursts, and bailouts*. The current fad among large corporations is stock buy-backs with interest-free loans (to keep stock prices up). This e-money is even more fiat than our greenbacks. That's why some folks are recommending buying gold (the metal) as a fallback position. They recommend to keep 10% of your portfolio in gold. Precious metals retain their intrinsic value. (1)

Of course, your average Joe is just trying to stay alive. Unfortunately, the bank owns his home, car, and anything else he bought on credit. The (smart)rich buy hard assets. The US dollar is fairly stable, -for now-, but who knows what tomorrow will bring?

It would be very interesting to see what would happen if the e-banking system collapsed by hacking. I suspect the results wouldn't be as serious as portrayed. Who stands to lose the most? It's the one-percenters, of course.

Let's see, Trump gets elected, the banking system fails....

Armageddon?

I don't think so.

------------
*the three B's of modern banking.

1. That $20 gold piece your great-granddad paid for his bespoke suit in 1930 will buy a bespoke suit today, for around $1300.
That house your dad bought in 1951 for $18,000 in silver can be replaced today for the same amount of silver, worth $270,000.

. .. . .. --- ....

July 26, 2016 10:40 AM

Daniel on Tracking the Owner of Kickass Torrents:

@Dan3264

I think there is a more specific moral at work. If we compare this case with the Silk Road case we find a striking similarity. In both cases the key breakthrough came when the person created an account that could be traced back to them individually, then later tried to go back and "erase" those connections.

So to me the lesson is that one must bake in anonymity from the first step. So it is not enough to be "fully paranoid" one must be fully paranoid from the moment one first connects to the internet in any capacity. Operational security is not something one can accomplish by going back and covering one's tracks.

July 26, 2016 10:28 AM

RD for poseurs on Cyberweapons vs. Nuclear Weapons:

@Clive, Tsar Bomba was 50 MT half-cocked. And the contemplated use of it you described was as a 100 MT torpedo that could eradicate a US seaboard. But far from being completely mad, the inventor was pre-eminent refusenik Andrei Sakharov, who certainly knew what he was doing when he reduced the nuclear arms race to an absurdity. That was the reason for Putin's pointed leak of the concept when 3rd-rate beltway shitheads started telling Europe let's you and him fight.

http://www.moonofalabama.org/2015/11/russia-resuscitate-long-dead-nuclear-torpedo-restablishes-nuclear-deterrence.html

As for turning down the power of nuclear devices, that's been the stable trend for decades. Overpressure is a spherical bubble, so big warheads waste a lot of energy blowing up birds and clouds. To optimize death and destruction on the ground you don't want a few big bubbles, you want suds. When you look at what beltway traitor Marc Grossman peddled to all comers, in manifest breach of the NWC, it's nothing like Tsar Bomba. It's little firecrackers.

https://www.corbettreport.com/who-is-marc-grossman/

July 26, 2016 9:19 AM

ianf on The Economist on Hacking the Financial System:

@ furloin […] “due to how the system works the debt could never be re payed *WITH* interest, look it up.

Before you progress to be giving advice, perhaps first learn the basics of grammar and spelling in your native (I assume) tongue? It's repaid here, and nothing else. As for repayments of—that's just it, some nations, notably but not solely the USA, are by now so indebted to others, that there isn't half a chance in eternity, that the principal, let alone the interest, will ever be repaid.

Loan givers and loan takers essentially are in cahoots for relatively short-term gains, at the expense of future major bills due. We are living in a self-perpetuating bubble of interdependent trusts, until it bursts. That's the message of Lionel Shriver's book, and her vision of what such a "debubbled" America would look like (except not so much out West, where most post-apocalyptical road movies take place, but in a crumbling urban setting.)

    Lastly, if unsure you feel the need to shore up your own arguments with some 3rd party fodder, you do not tell me to "look it up," but look up [whatever it is you had in mind] yourself, and cough up a URL. Otherwise you just talk the talk, and not very coherently at that.

July 26, 2016 8:57 AM

Ted on Decoded, by Mai Jia:

@Clive Robinson

Thus it is what is of most interest to me is the "What is it in the human mind that needs or craves for deities?" to be led by

Hi Clive. I think that is a particularly interesting topic also. I would like to give more thought to your questions about the actual numbers of people who believe what they do, why they believe (or want to believe) what they do, and how these human belief systems are evolving with mankind.

In the meantime, I wanted to offer these moderately condensed history animations for you. The first one shows the diffusion of the world’s five major religions since 3000 BCE. I don’t often consider the events in my life as having been cradled in a history with that kind of depth.

The animation under that covers the rise of civilization to the present day. That one is pretty long, but good if you want to know more about how humanity got to where it is. A family member sent those to me.

Animated map shows how religion spread around the world [2:35]
https://www.youtube.com/watch?v=AvFl6UBZLv4

History of the World: Every Year [16:35]
https://www.youtube.com/watch?v=ymI5Uv5cGU4&feature=youtu.be

(I ordered the Decoded book. I will start reading it when it is delivered.)

July 26, 2016 8:37 AM

Dan3264 on Tracking the Owner of Kickass Torrents:

@jayson,
The moral of the story appears to be: "When doing something that could get the attention of powerful people (in a bad way), anything less than fully paranoid is not good enough".
You are welcome to suggest alternative morals to the story.

July 26, 2016 8:36 AM

ken on Decoded, by Mai Jia:

Yes, I read it when it came out. I believe it came recommended in the Economist or something.

Anyway, it's horribly written. Awful. First I thought it was a novel, but it was so bad that I had to look up whether it was fiction. There's an interesting part on the Chinese cultural revolution, but don't read this book for it.

Avoid it, I'd say, read a decent novel or some wikipedia articles instead. Only a Chinese person with a twisted sense of patriotism could like this book.

This book actually kept me from reading recent asian novels for a while.

July 26, 2016 8:27 AM

jayson on Tracking the Owner of Kickass Torrents:

It's a challenge to ignore the breathtaking legal overreach in this case and discuss the methodology. Is the moral of the story to not use American servers when conducting online business?

July 26, 2016 8:25 AM

Garrett on The Economist on Hacking the Financial System:

@albert:

There's a difference between a recession or depression, and what's being talked about here. What you're referring to as a collapse usually involves a lot of people unexpectedly losing a lot of money or assets all at once. What's being described here is where a lot of people no longer have the ability to know what assets they (or anybody else) have. That's vastly different.

July 26, 2016 7:55 AM

Keith Glass on Tracking the Owner of Kickass Torrents:

Interesting, that they're claiming that HE illegally reproduced and distributed over a billion dollars' worth of content. Any torrent tracker hosts nothing but pointers to persons who are individually hosting a torrent.

One can also find torrents via Google or other search engines, but perhaps I've missed the owners of those sites getting extradited. . .

July 26, 2016 7:48 AM

ianf on Decoded, by Mai Jia:

I really can't get embroiled in this your “if there is an allegedly almighty god, why doesn't it erase me for denying its existence, and other recurring forms of so-called blasphemy,” so I'll just point you to this wonderful tale of a Jehovah Witness missionary's attempt to explain Western Christian celestial concepts to the godless Chinese. Wonderfully long, too.

http://www.believermag.com/issues/201302/?read=article_scorah

PS. I haven't read the book, but don't understand what the fuss is all about. It's science-fiction, isn't it, that literary genre where, whenever the author writes himself into a corner, the easiest way to get out of it is to transgress/ abolish/ extend the laws of physics by coming up with some hitherto unknown new principle (Wesley Parish has the details). Or, in terms of crypto: it'd be open source, verified to be working, leaving no MITM-vector breadcrumbs behind, only that nobody can understand how it works – but, as long as it works, Hallelujah!

July 26, 2016 7:21 AM

James Hare on Tracking the Owner of Kickass Torrents:

Why are "homeland security" investigators involved in enforcing copyrights? Seems like a fairly indefensible way to prioritize limited resources. Couldn't the copyright holders police their own copyrights like the law intended? Is there really any way that national security is implicated by torrent site operators?

July 26, 2016 7:18 AM

Tim Bradshaw on The Economist on Hacking the Financial System:

@ianf: Banks (at least some of them) certainly maintain their own systems, and critical parts of those systems are still in COBOL. At least fairly recently (8 years ago) there was still System 360 assembler as well (all running on some Z-series system).

July 26, 2016 6:08 AM

ianf on Cyberweapons vs. Nuclear Weapons:

Thank you, Clive, for that wonderful nighttime-is-scary-time fable of a “Russian doomsday device, a fusion bomb of almost unimaginable scale that needed a ship the size of a large oil tanker to hold it.” I shall entertain my grandchildren with it, as soon as I get some.

    One thing that you apparently deemed still too secret to share with us was what color the vessel? Logic tells me its hull must've been fully covered in maritime-camouflage mirrors of different grey-blue-green colors, to better reflect its watery surroundings, and thus enhance its undetectability by hostile forces.

But then I'm no Russian, and, judging by your erudite explanations, those “whacky Russian Nuclear scientists under various military egos" could not have been expected to act in any rational fashion, hence may now not be subjected to post-pre-annihilation color-spectrum analysis of any default type. Cable back yes if you don't know, no if you do—I'll keep a dedicated Ack Ack in store for you.

July 26, 2016 5:49 AM

Clive Robinson on Decoded, by Mai Jia:

@ Wael,

(for the atheists here, I'm aware the last two references are redundant -- so consider your unposted comments received.)

Hmm there is a thin thread between theism and atheism on which all of humanity in its broad spectrum supposedly hangs.

It is interesting to note that two thirds of China's population do not have religious beliefs; some polls put the number in the US as little as one in seventy-five people. Similar low numbers are reported for most western countries. Though some tend to claim all men have a religion even if it is just that of economics or self interest.

It is interesting to note that as mankind evolves in sophistication of material control, the gods worshiped also evolve in sophistication. Thus beliefs in the gods of Sun, nature, planets and stars have given way to the gods of supra-humanity. As it can be shown that all life on this planet came from the elements from supernova suns and the energy from our own sun, those that worshiped the Sun and the stars at least had some justification, but supra-human beings? Are they not the imaginings of story tellers of many kinds, who earn their living by their imaginings?

Thus supra-human gods appear to be hung like the carrot from a stick forever just in front of the ass or donkey's nose. No matter how hard the beast strives, the all too human hand that controls the stick keeps the carrot forever out of reach. Strangely it appears to be that many humans need a carrot to keep them moving, the stick forever in another person's control. Thus you have to wonder and reason why, especially with western religions. What causes the need to be led by the nose?

Thus it is what is of most interest to me is the "What is it in the human mind that needs or craves for deities?" to be led by, and "At what point such a craving becomes self harming?" especially when it is very clearly exploited by others for their own benefit...

The Hawks and Doves model does not sit comfortably on this except as a very loose first approximation.

July 26, 2016 4:54 AM

One Body, No Problem on Decoded, by Mai Jia:

@Daniel

+1 for The Three Body Problem

July 26, 2016 4:08 AM

Drone on The Economist on Hacking the Financial System:

Don't worry, Big Government will make thousands of pages of regulations and zillions in new taxes to fix the problem - just as soon as they can chase away all the bad people from Russia infesting their servers to help Donald Trump.

July 26, 2016 3:59 AM

Wael on Decoded, by Mai Jia:

@Bruce,

30% through it. Got it with one click after it was referenced here. I thought it was a novel. Apparently it isn't. Has some inconsistencies, inaccuracies (and spelling mistakes), as well as self contradictions (which I will not comment on because they involve race.) Apart from that, it has many cultural, religious, and superstition references (for the atheists here, I'm aware the last two references are redundant -- so consider your unposted comments received.)

I got the book because the weather is lousy where I'm taking a break. If the weather improves, I might not finish the book this week. Besides, I have a few left in the queue...

Has anyone read this book?

Well, it's not a yes / no answer you're looking for! What might that be? The story of some math prodigy used to break cipher (from the Arabic word sefr, meaning zero) isn't exactly new, nor is it unexpected.

July 26, 2016 3:51 AM

Clive Robinson on Cyberweapons vs. Nuclear Weapons:

@ Albert,

NO! Nothing compares to the devastation of a nuclear holocaust

Ahh the Tzar Bomb, the one tested was only half the power that was designed. The reason for the half size has been debated by historians. However those whacky Russian Nuclear scientists under various military egos came up with the idea of a fail safe deterrent.

Their doomsday device was a fusion bomb of almost unimaginable scale, it needed a ship the size of a large oil tanker to hold it. It was to sail a route whereby if it was triggered it would convert a considerable quantity of water into radioactive fall out that would have been globe straddling.

The failsafe mechanism was supposedly unstoppable by humans, and was triggered by various events such as an increase in background radiation, lack of certain radio broadcasts etc...

Why was it not built? Well it appears the Russian senior politicians, on being told and seeing the plans, thought the idea and the people behind it to be completely mad...

Now the question is when did you hear of US politicians turning down the power of nuclear devices, the US after all has more of them than anyone else...

July 26, 2016 3:28 AM

Winter on Decoded, by Mai Jia:

@Daniel
"The 2015 Hugo Award winning "The Three Body Problem" is a brilliant novel by a Chinese writer and one doesn't need to have interest in China to love the book."

I would like to propose: The Fat Years by Chan Koonchung. Also a SciFi, banned and very, very good.

https://en.wikipedia.org/wiki/The_Fat_Years

July 26, 2016 2:48 AM

ianf on Another Side-Channel Attack on PC Encryption:

@ MODERATOR :: another brace of SPAM

    Regarding special defenses in place: perhaps filter out URLs, telephone numbers AND overt email addresses at once? (incl. instances of "handle AT gmail dot com"?)
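
The filter sketched in the comment above (flag URLs, telephone numbers and plain or "handle AT gmail DOT com" style e-mail addresses together) as an added Python example; this is not code from the page or the blog's moderation system, and the sample comments in SAMPLES are constructed for the demo. It also carries the caveat a moderator would want: plenty of legitimate comments in a thread like this one link to Wikipedia or YouTube, so a URL on its own is not treated as spam, and the obfuscated-address pattern can misfire on ordinary prose ("at the dot com bubble"), so a single weak signal only holds the comment for review instead of blocking it.

```python
import re

# Constructed sample comments for the demo (not taken from the page).
SAMPLES = {
    "contact_spam": ("he helped me hack the phone, contact him on "
                     "fixer.lyon@example.com or text him on +1 (205) 555-0136"),
    "obfuscated_spam": "reach the team at fixerlyon AT example DOT com, cheap and fast",
    "legit_links": ("Two good reads: https://en.wikipedia.org/wiki/The_Fat_Years "
                    "and https://www.schneier.com/"),
    "legit_prose": "That house your dad bought in 1951 for $18,000 can be replaced today for $270,000.",
    "legit_dotcom": "Look at the dot com bubble, then at 2008.",
}

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
EMAIL_RE = re.compile(r"(?i)\b[a-z0-9._%+-]+@[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")
# "handle AT gmail DOT com" style, with optional brackets around AT/DOT and a
# short TLD allow-list to cut down on noise. Still prone to false positives.
OBFUSCATED_EMAIL_RE = re.compile(
    r"(?i)\b[a-z0-9._+-]+\s*[\[(]?\s*at\s*[\])]?\s*[a-z0-9-]+"
    r"(?:\s*[\[(]?\s*dot\s*[\])]?\s*[a-z0-9-]+)*"
    r"\s*[\[(]?\s*dot\s*[\])]?\s*(?:com|net|org|io|co|me|ru|info)\b"
)
# Loose phone candidate; the digit-count check in signals() does the real
# filtering so prices, years and timestamps are not flagged.
PHONE_CANDIDATE_RE = re.compile(r"(?<![\w$])\+?\(?\d[\d\s().-]{6,}\d(?![\w%])")


def signals(text):
    """Return every contact-channel and link signal found in a comment."""
    return {
        "url": URL_RE.findall(text),
        "email": EMAIL_RE.findall(text),
        "obfuscated_email": [m.group().strip() for m in OBFUSCATED_EMAIL_RE.finditer(text)],
        "phone": [m.group().strip() for m in PHONE_CANDIDATE_RE.finditer(text)
                  if 10 <= sum(c.isdigit() for c in m.group()) <= 15],
    }


def verdict(text):
    """'block' when two independent contact channels are advertised,
    'hold' (human review) on a single contact signal or a pile of links,
    'ok' otherwise. Links alone never block: legitimate comments cite URLs."""
    found = signals(text)
    contact = [k for k in ("email", "obfuscated_email", "phone") if found[k]]
    if len(contact) >= 2:
        return "block"
    if contact or len(found["url"]) >= 3:
        return "hold"
    return "ok"


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:16} -> {verdict(text)}  {signals(text)}")
```

The two-channel rule is what separates the contact-spam pattern (an e-mail address plus a phone number in the same comment) from a reader who simply posts their address; tune the thresholds against a corpus of real comments before switching from "hold" to "block".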

July 26, 2016 1:27 AM

rino19ny on The Economist on Hacking the Financial System:

trying to solve this with technology alone will not do. a change of work attitude and expectations MUST be implemented.

we all know that security is inversely proportional to ease of use. and to a lot of companies, users insist on ease of use.

so if a company really is concerned with security, they know what to sacrifice.

draconian yes but necessary. crackers don't care anyway.

July 25, 2016 11:39 PM

digital on The Economist on Hacking the Financial System:

@Alien Jerky Cash is not king it's mostly digital. If god made a man in his own image why aren't we all like.... INVISIBLE. I chose the road less traveled... Now I don't know where the hell I am :)

July 25, 2016 11:12 PM

furloin on The Economist on Hacking the Financial System:

@albert

*Puts tin foil hat on*

Well those FEMA camps will be the American version of concentration camps.

*takes tin foil hat off*

@ianf

First due to how the system works the debt could never be re payed *WITH* interest, look it up.

As history has shown, peasant rebellions usually result in most of the peasants being murdered and being complete and utter failures, depending on whether the upper class/nobles/whatever they were called during that time period supported it.

Although I found something arguing for a longer cycle this time around.

July 25, 2016 8:01 PM

Daniel on Decoded, by Mai Jia:

I have not read the book but I strongly disagree with the author's thesis. "Yet almost none of the thousands of translated works has held its own as a novel that book-lovers with no special interest in China will relish."

Rubbish. The 2015 Hugo Award winning "The Three Body Problem" is a brilliant novel by a Chinese writer and one doesn't need to have interest in China to love the book. In my not so humble opinion the best sci-fi novel the century so far, in any language.

July 25, 2016 7:52 PM

Thoth on Friday Squid Blogging: Sperm Whale Eats Squid:

@Dumber than ...
For a soft start (for less painful learning), you might consider one of the following practical activities to get started with:

- Write your own cipher library for learning how algorithms work.

- Write a password manager or file encryption program in Python. You may use OpenSSL or other crypto libraries off the shelf.

- Write a file shredder software. You may use the shred command found in GNU utility tools. This allows you to understand how filesystems and the hardware level can make shredding a pain.

- Write a simple web server (you may include SSL support from OpenSSL) to understand the impacts of networking protocols and their security.

- Write an experimental secure file transfer and secure chat program to understand how to better secure network traffic.

- Write a secure data exchange (for calendaring, contacts, internal memo, notes) portal to run off a RaspberryPi. For additional difficulty, the portal needs to run off a secure web session. For even more difficulty, the crypto of the portal server should be provided by an off-the-shelf smart card over PKCS11.

- Write a simple smart card applet in JavaCard with accompanying client API for PKI functionalities.

- Design and implement a secure chat and data exchange portal on an ARM based SOC chip of your choosing.

I have given some practical ideas for implementations ranging from the easiest at the top to the most difficult below. There is no point just ranting about security and not getting your fingers and brains moving, so a little practical work will help you a long way. It is up to you to choose something to do, or you can choose your own implementation and ignore mine above, which is also fine.

Main thing is to get up and start moving as that's the only way to start learning and being more capable on security.
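
The file shredder item in the list above, as an added Python example (not code from the commenter, and not a wrapper around GNU shred): overwrite the file's extent with random data and a final zero pass, fsync after each pass, rename to a random name before unlinking so the original filename does not linger in the directory, and fsync the directory. The comments spell out why this is only a partial answer, which is the lesson the exercise is meant to teach: on journaling or copy-on-write filesystems (btrfs, ZFS, APFS snapshots) and on SSDs with wear levelling, the overwritten blocks may not be the blocks that held the data, so the reliable approach is encryption at rest plus destruction of the key. The secret file and directory are constructed in a temporary directory for the demo.

```python
import os
import secrets
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def overwrite_file(path, passes=3):
    """Overwrite the file's current extent in place: random data on every
    pass but the last, zeros on the last, fsync after each pass.
    Returns the total number of bytes written.

    Caveat: this only reaches the logical blocks the filesystem currently
    maps to the file. Journals, copy-on-write snapshots and SSD wear
    levelling can leave the old data elsewhere on the device."""
    p = Path(path)
    size = p.stat().st_size
    written = 0
    with open(p, "r+b") as f:
        for i in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                block = bytes(n) if i == passes - 1 else secrets.token_bytes(n)
                f.write(block)
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push past the page cache to the device
    return written


def shred(path, passes=3):
    """Overwrite, rename to a random name (the old name would otherwise
    survive in the directory entry), unlink, then fsync the directory so
    the metadata change is on disk too."""
    p = Path(path)
    written = overwrite_file(p, passes)
    anon = p.with_name(secrets.token_hex(8))
    p.rename(anon)
    anon.unlink()
    try:
        dfd = os.open(anon.parent, os.O_RDONLY)
    except OSError:
        return written  # e.g. Windows: directories cannot be opened this way
    try:
        os.fsync(dfd)
    finally:
        os.close(dfd)
    return written


def demo(passes=3):
    """Create a constructed secret file, overwrite it, read it back to show
    what a casual inspection sees, then shred it and check nothing is left."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d, "secret.txt")
        original = b"constructed sample secret: correct horse battery staple\n" * 2000
        target.write_bytes(original)
        size = target.stat().st_size
        written = overwrite_file(target, passes)
        after = target.read_bytes()
        result = {
            "size": size,
            "written": written,
            "overwritten_is_zero": after == bytes(size),
            "original_gone": original[:64] not in after,
        }
        shred(target, passes=1)
        result["exists_after_shred"] = target.exists()
        result["dir_empty_after_shred"] = not any(Path(d).iterdir())
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it on a btrfs or ZFS volume and then search the raw device for the sample string to see the caveat in practice; the overwrite succeeds at the file level while the old extents may still be readable from the block device.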

July 25, 2016 7:30 PM

Dirk Praet on Friday Squid Blogging: Sperm Whale Eats Squid:

@ Andy, @Wanna_some_input, @ Markus Ottella

Set up a hardened Wifi access point that routes everything over Tor and keeps no logs of devices that connect to it.

What you're describing is an Onion Pi. You can build one yourself or buy it from Adafruit. Quite handy when you're on the road. An RPi based Whonix Gateway would be interesting too, but I haven't looked into that yet. Another option is an OpenWRT Tor transparent proxy+bridge. Those who wish to avoid Linux can go with BSD-based pfSense, which you can also set up as Tor proxy.

Also Qubes requires a ton of RAM. It's definitely not for the average netbook.

Not just a ton of RAM, but also quite specific hardware to make full use of all features. They kinda promote the Librem 15 open source laptop that with 16 GB of RAM sells for 2,168 USD. That's not really cheap. Debian-based PureOS also has Tor pre-installed. And have you tried the latest Subgraph OS alpha yet?

July 25, 2016 5:33 PM

ianf on The Economist on Hacking the Financial System:

@ albert,
               the big deal is the (slowly approaching) v. much real risk of a total systemic collapse, a financial Extinction Level Event, not one of the recurring grave, but ultimately "recoverable" burst bubbles/ market crashes. The fabric of trust in never to be repaid debt is getting thinner all the time…

EXHIBIT A: "The Mandibles," post-financial apocalypse America novel by Lionel Shriver (Mexico erects a wall along the border to keep out fleeing Yanks and other such previews of coming distractions. Don't believe this could happen
               It happens as we speak on the border of Venezuela, one of the oil-richest yet badly managed countries in the world, and Colombia, in perpetual war with gangsters over coca. It's the Venezuelans, 35000 last weekend, who cross en masse to Colombia to purchase food that's absent at home… take a look at the map.)

July 25, 2016 4:54 PM

albert on The Economist on Hacking the Financial System:

What's the big deal?

The global financial system collapses by itself every so often, instigated by greed and corruption. Politics isn't the only show playing. It's all theater.

No hackers required.

. .. . .. --- ....

July 25, 2016 4:43 PM

Frans Badenhorst on Decoded, by Mai Jia:

I read the 'Decoded' when it was released and thought it quite good. It's a novel so human interest and character are more the thing, i.e., it's about a character that is a mathematical genius and a cryptographer, but it's about him. I think this review is quite a good guide, i.e., if you want to decide whether or not to commit to spending time on the novel: https://www.goodreads.com/review/show/1485758093?utm_campaign=reviews&utm_medium=widget&utm_source=us.macmillan.com

July 25, 2016 4:31 PM

Zertrin on Decoded, by Mai Jia:

Yes I've read the french version about 7 months ago. Not bad but in the end there is no focus on the interesting (read technical) content (as expected). This is a story focused on the life and emotions of this lone genius.

7 months after, I have retained little detailed recollection about the details of the story. Nice but not on my top 15 of favorite books.

July 25, 2016 4:24 PM

Skeptical on Cyberweapons vs. Nuclear Weapons:

From the article:

Indeed, Cold War-style cyberdeterrence is one of the foundational cornerstones of the 2015 U.S. Department of Defense Cyber Strategy.

Deterrence is part of US strategy. But there's nothing particularly "Cold War" about it, much less anything indicative that "cyberthreats" are being treated akin to nuclear threats.

In fact, US strategy in this domain is profoundly unlike nuclear deterrence. Nuclear deterrence in the Cold War was predicated upon "deterrence by punishment." Hence the obsessive concern about "first strike" capabilities upsetting a balance of power by eliminating capacity for an annihilating retaliatory strike.

By contrast, US deterrence strategy in the cyber realm includes both "deterrence by denial", i.e. preventing an attack with network defenses and other measures, as well as "deterrence by punishment." Moreover, as to the punishment involved, a broad spectrum of responses are elucidated by US strategy, covering the full range of diplomatic, economic, and military possibilities, from the least destructive to the most, from the covert to the resoundingly overt.

For example, the agreement by the PRC to reduce certain types of cyber operations, which according to some reports they seem to have followed through with, was motivated by various components that form part of US deterrence, the threat of trade sanctions among them.

The article threads together a few out-of-context remarks by officials in order to show that some seriously consider nuclear and cyber threats to be closely analogous, but in fact the US Department of Defense does not appear to agree with that assessment, and I cannot think of anyone who does.

@Daisy: ... not since the nuke the US used at Baghdad airport after Saddam annihilated the 3/7 Cav and fought the attacking army to a standstill.

Sure, that nuke.

July 25, 2016 4:22 PM

Nick P on Friday Squid Blogging: Sperm Whale Eats Squid:

@ Dumber than

"PS: I suggest you pick a different handle. Something more positive such as "Smarter than ianf" ;)"

I second that one. I get it was a compliment but it does look like I'm insulting someone at the very start. Should focus on the individual asking, like "How to be better/best at hardware or security".

re "I just want to be able to understand.I am more interested in hardware though. It seems like its going to be really important. I'll take journey one step at a time from python."

Alright. Well, you can certainly do some good in that area even if you do nothing but port what old commercial or state-of-the-art academia do into FPGA's or ASIC's. It is the most important area right now given most software security issues trace back to the fact that hardware is intrinsically bad at preventing, detecting, or containing them. I've been forced to absorb tons of shit about digital and analog hardware without enough time to learn to use it. I see the opportunities & issues, though.

I'd say where to go at this point depends on your ultimate goal. If you want to understand it fully, then you'll have to learn digital and analog electronics. If just at gate & digital level, you only need to learn digital. Note that the I/O blocks are usually mixed signal that contain both types of circuits. If doing ASIC, probably need to learn both unless you can partner or contract out analog parts. If just FPGA, esp on pre-made kit, then digital will mostly be fine.

For digital, you should get a book on digital design with Verilog or VHDL. Learn both but I can't say which is best first. Verilog seems more popular. Make sure the book tells you how to go from abstract state machines to Mealy/Moore state machines to gates. It's the main way you do it manually. Read papers on so-called C to hardware or C to Verilog systems to see other ideas for going from algorithm to circuits. Experiment in a good Verilog simulator so you don't break anything if that's even possible (idk). Get the "high-speed, digital design" book plus one on verification with good reviews that covers at least formal, equivalence and gate-level testing. Learn to use a logic analyzer or whatever to verify the waveforms since the tools screw up. Once comfortable with Verilog concepts, switch to a tool like Chisel HDL (Java) or MyHDL (Python) to get some benefits of a high-level language. Pick at least one FPGA book that has examples that look useful and let you learn incrementally. Also, Google around for differences between doing FPGA and ASIC HDL code so you can make your designs work on both. Free papers exist. Get at least a Spartan6 so available logic slices don't hold you back.

For analog, I'm still working on that. It either has no shortcuts, nobody tried to create them, or I just haven't found them. Wael sent me electronics kits that have common components & use battery to avoid power management (or electrocuting you). That's nice. However, Chris Gammel's approach of mixing top-down and bottom-up seems to be best one I've seen based on user feedback. It's a paid course that's a series of lessons and projects using open-source KiCad. Wael's recommendation of Malvino's Electronic Principles was a good one as it keeps things simpler than many books with useful heuristics. Older copies can be dirt cheap. Regardless of your approach, there will be lots of trial-and-error with a learning process that takes patience and significant amount of time. So, if you're learning digital + analog, I recommend you do them in parallel while beginning analog as soon as possible. Digital, since you're mainly coding or mastering techniques, will get you the continuous highs that will be a break from painful analog learning. Analog's highs will be better given you worked hard for each of those successes even if just a PCB with some blinkenlights. ;)

Once you know enough digital, you can try to build some CPU's. Even embedded. Start with a Forth processor or Wirth's stack machine as they're simple. Then you add some security (eg memory safety) or availability (eg triplicated CPU's w/ voter logic) to it. At this point, depending on analog skill & money, you can design your own usable CPU with RTOS or ucLinux port on FPGA or ASIC with shuttle run. Do a RISC processor next like DLX. At some point, do some accelerators for simple compression, encryption, or A/V codecs to get an idea of how custom HW benefits you. Your final goals at this point might be (a) designing a full SOC w/ CPU, I/O, accelerators, and better security; (b) improving whatever OSS CPU (eg RISC-V Rocket) is most mature with better features or security; (c) improving or even designing OSS HW tooling for PCB's, digital synthesis, verification, and so on as it all needs work (shit, even UI improvements go a long way); (d) working on dedicated tooling for highly correct or secure hardware that's easier to use than prior work but will need formal methods experience for this probably (Haskell's pretty solid though & Bluespec is Haskell). Note that a parallel track exists where you might explore general-purpose analog computing of which there's a few examples & basically no interest despite their promise of insane performance/power/transistor ratio for niche applications (eg math coprocessors, neural networks).

Far as security, it's a process with a few elements. I'll start on it but others can chime in given this is a brainstorm. The safety or security of a system requires you to understand how the system itself works abstractly, understand its implementation with associated risks, understand how people will use (or abuse) it, be able to express a clear policy for how that should work safely/securely, and convincingly argue it will via design and/or mechanisms. Your tools are learning domain knowledge, experimentation, documenting/testing any assumptions about what's already there, methods to clearly specify requirements/design, architecture/structure in your code/hardware that keeps interactions few & simple to ease analysis, re-use of any battle-proven techniques/code/HW-blocks, simple implementation techniques subjectable to any automated analysis, careful inspection for quality at each of these steps, testing of each function (esp interface testing!), and where secrets are involved covert channel analysis to find leaks. And watch out for physical attacks, administrators, or TEMPEST-related issues. You'll learn that stuff later, though. :)

Far as books or guides, I'd start with this as a summary or reminder of the steps I listed in the process, with focus on EAL5-7 parts. The best, generalist work is still Security Engineering by Ross Anderson. Code Complete book is great on proper coding. Art of Testing covers much of that. Write Portable Code is self-explanatory but gets you quality benefit where different compilers catch different problems. Plus avoids lock-in. SPARK knocks out defects in software with static memory allocation whereas Rust catches dynamic and concurrency issues. Use static analysis and fuzz-testing of your interfaces where possible. If you *must* use C, follow coding guidelines from secure or safety-critical communities. For HW, use their equivalent of these with high-level HDL for ease-of-use and always stick to synthesizable subsets to avoid useless hardware. Use mockups in languages like Haskell, MLs, or Java to leverage their security-analysis tools & techniques to spot issues before conversion to HW. Examples are Haskell's QuickCheck or Java concurrency checkers. If you get EDA access, use Synopsys Design Compiler for behavioral synthesis, Mentor Precision for logic synthesis, and Mentor Calibre for physical checks as it's the most common combo for successful ASICs. Can't say best or good due to NDAs but I see it a lot. Try Qflow as it's an OSS flow. Also, remember you can always google "vulnerabilities in (tech/product here)" or "secure coding/implementation/considerations of..." to get a quick idea of problems and solutions.

Note: If you request, I'll post some PDFs of various hardware modifications for safety or security plus maybe robust hardware methods to give you an idea what approaches you might take. Once again, Wael had some good advice that the best method for a hobbyist is probably whatever one is simplest to implement. We can always stop the other threats later while using software protections in the meantime. So, maybe most expensive (in SW) or memory-safe defenses first.

You need to maximize your mind to be effective, too. Important considerations are ability to work with people, communication/persuasion, logic, statistics, creativity, intuition, philosophy and ethics. For people, I recommend Goleman's Emotional Intelligence to understand how it works & why it's important. Put it to use with Carnegie's How to Win Friends and Influence People + Van Fleet's Lifetime Conversation Guide. Cover lots of ground. Plenty of books or free articles on clear communication or persuasive writing a Google away. Learn to spot logical fallacies more than anything else although formal logic can help with formal verification later on. I had Capaldi's Art of Deception for that. Find a great guide on statistics & research methodology given they're the basis for most stuff you'll believe. Then read "How to lie with statistics" cuz most will be bullshit. Creativity training is really about verbally or visually looking at information in different ways to see connections you might have missed. Michalko's Cracking Creativity had many techniques & is probably cheap by now. Intuition is your brain's muscle memory which can be trained as taught in works like Intuition at Work. Philosophy just opens your mind up and teaches you to ask the right questions. Empiricism & skepticism are also foundational in science with wisdom to learn exploring those. Ethics and continuous introspection will help you decide who you want to be and how you will make the hard choices hopefully before you run into that.

So, there's some resources. Hit me with questions if you have any.

July 25, 2016 3:42 PM

Moderator on Data and Goliath Is Finished:

@ianf Thanks for calling out this particular spammer. Some extra defenses are now in place.

July 25, 2016 3:17 PM

ianf on The Economist on Hacking the Financial System:

@ wiredog is “worried about legacy Cobol code running the banks that no one can maintain because the original authors are dead. Of old age.”

I wouldn't worry about that, as the banks, if anything, have gone through several hardware generations, and no COBOL code, even were it recompiled for the newest platform, would be speedy enough for their needs. I used to maintain a couple of similar FORTRAN routines, precursors to FEM-analysis of similar age, which were not time-critical, but I never heard of anyone trying to extend the life of COBOL programs. Banks (the sole example I ever knew from inside) are certainly pretty conservative, but I don't think they run their data services themselves any more… that's all been outsourced to financial DP offshoots of giants such as Deloitte, KPMG, Cap Gemini etc.

July 25, 2016 3:07 PM

Gerard van Vooren on Friday Squid Blogging: Sperm Whale Eats Squid:

@ Wael,

"PS: I suggest you pick a different handle. Something more positive such as "Smarter than ianf" ;)"

Do "we" need someone smarter, as in more assertive and punctual, than ianf? The goal can be set much higher than that. Why not smarter than Wael? Or maybe even better, why not smarter than "myself", for the poster I mean. (I think I'd better quit now ;-) )

July 25, 2016 2:53 PM

Deimos on Decoded, by Mai Jia:

The author's name is Mai Jia, not Mai Jai.

July 25, 2016 2:52 PM

Brooke on The Economist on Hacking the Financial System:

"Cash is king" is fine for normal issues or smaller issues but if something like described happens don't be shocked when your dollars, or other currencies, are totally worthless or not trusted/accepted as a payment for anything. Major US banks go down, US dollar goes down, local places might accept payment for a little while but it'll snowball quickly. Stores and hospitals and other things you rely on may be unable to purchase from anywhere in or out of country. Collapse of economic systems in a hurry.

July 25, 2016 2:25 PM

wanna_some_input on Friday Squid Blogging: Sperm Whale Eats Squid:

@Andy

Thanks for your fast response and links.
https://www.schneier.com/blog/archives/2016/07/friday_squid_bl_536.html#c6729182

I have never used a Chromebook but I appreciate the fact that you and Bruce (in his Ruin Podcast he recommends, I think, Chromebooks for dissidents).
https://www.schneier.com/blog/archives/2016/07/im_on_an_adam_r.html

I haven't worked with a Raspberry Pi yet.

Regarding below, please substitute, for "Chromebook", "Chromebook, iOS, Microsoft OS, and/or other OS".

Regarding your input (edited):
"A simpler DIY setup
Chromebook -> Tails machine sharing Wifi, running Tor, and directing all traffic through Tor -> Modem -> Internet"

I haven't tried that, and I assume it is consistent with sharing Tails' wifi. I also assume you are implying an ethernet cable between the "Tails PC -> Modem" above.

Because of a MiFi modem (without an ethernet port) the setup of interest is:

Chromebook -> machine running macOS, linux, or BSD sharing wifi (with an ethernet cable connection to the Tails machine) -> Tails machine directing all traffic through Tor (with a wifi connection to the Cellular Modem) -> Cellular Modem -> Internet

On this blog I have learned that Opsec is hard and from an Opsec standpoint this potential design might suck. Regardless, I have grown to like Apple hardware, Little Snitch, running VMs in Virtualbox, and Apple corporate policies.

One design goal is to sort-of trust the security update provider and their signing process (or whatever), but not much else for security updates. Of course, numerous hardware and software substitutions could be made in an attempt to harden things.

Misc.

Many elderly can "readily" navigate Tails, at least compared to some other OSs. In addition, I like the ease of downloading, and trying to verify, an updated DVD about once a month.

July 25, 2016 2:20 PM

ianf on Data and Goliath Is Finished:

@ MODERATOR :: an octet of same old SPAM.

Would it be too much for you to write a simple cumulative URL-extractor from manually reported spams, then pipe successive posted URLs through that file, and automagically redirect these posts to a SPAM garbage file? It seems this SPAM robot has primed itself on this blog, and will be reposting this stuff forever. Roll over the file once a fortnight or so?

[links deleted by moderator]
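One way to build the filter ianf describes, as an added Python example that is neither part of the original post nor the blog's own moderation tooling: hostnames are harvested from manually reported spam into a cumulative list with a fortnightly rollover, and a new post is flagged when it links to a listed host. The spam reports, posts and domains below are constructed samples.

```python
import re
from datetime import date, timedelta
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)  # trailing punctuation trimmed later

def extract_hosts(text):
    """Hostnames (lowercase, leading 'www.' dropped) linked from text."""
    hosts = set()
    for match in URL_RE.finditer(text):
        host = urlparse(match.group(0).rstrip(".,;:!?)")).hostname
        if host:
            hosts.add(host[4:] if host.startswith("www.") else host)
    return hosts

class SpamUrlFilter:
    """Cumulative blocklist of hosts seen in reported spam; entries expire after ttl_days."""
    def __init__(self, ttl_days=14):
        self.ttl = timedelta(days=ttl_days)
        self.last_reported = {}  # host -> date of the most recent spam report

    def add_report(self, spam_text, today):
        for host in extract_hosts(spam_text):
            self.last_reported[host] = today

    def rollover(self, today):
        """Drop hosts not reported within the TTL (ianf's fortnightly rollover)."""
        cutoff = today - self.ttl
        self.last_reported = {h: d for h, d in self.last_reported.items() if d >= cutoff}

    def matching_hosts(self, post_text, today):
        """Hosts linked from a new post that are on the non-expired blocklist."""
        self.rollover(today)
        return sorted(h for h in extract_hosts(post_text) if h in self.last_reported)

# Constructed sample data, not real comments or domains.
REPORTED_SPAM = [
    "contact him via http://spamshop.example/hack-any-phone now!",
    "he is the best, see https://www.SpamShop.example/offer and http://cheap-pills.example/",
]
NEW_POSTS = [
    "you would not believe it, visit http://spamshop.example/offer?ref=3 today.",
    "Interesting read, see https://en.wikipedia.org/wiki/Tsar_Bomba",
]
TODAY = date(2016, 7, 25)

def run_demo():
    """Ingest the reports, then screen the new posts now and again 15 days later."""
    flt = SpamUrlFilter()
    for report in REPORTED_SPAM:
        flt.add_report(report, TODAY)
    later = TODAY + timedelta(days=15)
    return {"blocklist": sorted(flt.last_reported),
            "flagged_now": [flt.matching_hosts(p, TODAY) for p in NEW_POSTS],
            "flagged_later": [flt.matching_hosts(p, later) for p in NEW_POSTS]}
```

The first new post is flagged because it links to a reported host (case and `www.` prefix normalised away); after 15 days without fresh reports the list has rolled over and nothing is flagged.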

July 25, 2016 2:09 PM

albert on Cyberweapons vs. Nuclear Weapons:

"...Can we screw up the Internet of Things badly enough so that cyberweapons become comparable to nuclear weapons in the future?..."

NO! Nothing compares to the devastation of a nuclear holocaust. Its effects can (in human terms) last forever. Hiroshima and Nagasaki were firecrackers compared to the weapons we have today ( See https://en.wikipedia.org/wiki/Tsar_Bomba ) and that was 1960s technology. I'm sure -we- can do better!

See:
http://www.counterpunch.org/2016/07/22/the-big-boom-nukes-and-nato/

Two points:

US foreign policy is being set by psychopaths in the CFR and USDOS. There's no other way to say it. Let's hope there are DOD folks who can resist them.

There seems to be a blind faith in computer technology as the solution for everything. Nuclear war decisions should not depend on computers. Humans, imperfect though they may be, have saved our sorry asses in the past. Here's hoping they can in the future.

. .. . .. --- ....

July 25, 2016 1:46 PM

Markus Ottela on Friday Squid Blogging: Sperm Whale Eats Squid:

@Andy

"An idea I just had for a secure system: proxying a Chromebook over Tor. Chromebooks already have great security, so adding Tor for anonymity would be awesome."

Chromebooks are like GMail, secure from hackers but not private from Google/government.

Furthermore, the Chromebook is everything a government watchman could want—even without Google Apps data and Gmail, it could give those with network monitoring capabilities a way to pinpoint the location of a credential-holder via 4G wireless (thanks, Verizon).

>Set up a hardened Wifi access point that routes everything over Tor and keeps no logs of devices that connect to it. (ie. Anonabox or similar or DIY.) Connect the Chromebook to this network.

Stay away from Anonabox. Run Tails on any generic laptop and you're much more secure than with Chromebook and Anonabox.

Also Qubes requires a ton of RAM. It's definitely not for the average netbook.

July 25, 2016 12:44 PM

Bagehot's screaming skull on The Economist on Hacking the Financial System:

This is so when Deutsche Bank's €18 billion net derivatives exposure and 11.5% capital ratio blow up and counterparties use netting and closeout rules to loot the enterprise, its insurers, and the fisc, again, clueless aspirational Economist readers will let them get away with it, again, because this time everybody's screaming RUSSIAN HACKERS!!!1!

July 25, 2016 11:44 AM

Lev on The Economist on Hacking the Financial System:

Debt of Honor by Tom Clancy had an attack like this, however on the exchanges more than the banking sector. So does this make it a "Movie Threat"?

July 25, 2016 11:31 AM

Wael on Friday Squid Blogging: Sperm Whale Eats Squid:

@Dumber than Nick P and Clive Robinson,

Challenging claims is important although I found that this is rarely done.

It's rather common. Start challenging, regardless!

PS: I suggest you pick a different handle. Something more positive such as "Smarter than ianf" ;)

July 25, 2016 10:56 AM

sle on The Economist on Hacking the Financial System:

@Jayson
"The apathy about security in finance is palpable. And with good reason."

While I agree that the risk is probably lower than exposed in the article, my perception is that European clearing houses were taking security seriously.

They are big facilities inducing a systemic risk that they are trying to reduce. And they have some motives to do so, at least in order to reduce their assurance costs.

For example: the insurer may release his responsibility if "the company is an obstacle to justice or police investigations"; in IT that was translated into a very good technical traceability… which was a good feed for the SIEM, which was monitored by the reactive SOC.
Once, they caught me inadvertently using an improper chain of accounts to log in on prod. I was very surprised and afterward I didn't want to try anything weird that may put me back on their radar. While I was working above my corruption level (an average day was 100 billion USD), they reduced the insider risk, at least with me.

Add some segregation of duties and defense in depth, then even an administrator cannot attack alone (or without monitored traces). And you can't attack as a group either, as everybody prefers a recurrent yearly bonus to hypothetical gains from any hazardous attack. On the IT side, the insider risk starts to be residual.

This and other measures were packed in a continuous improvement process. That gave me a perception of security willingness, probably driven by assurance costs…

July 25, 2016 10:50 AM

Andy on Friday Squid Blogging: Sperm Whale Eats Squid:

@wanna_some_input

"a) Is Anonabox available in big box stores?"

I don't think Anonabox is in stores. No info on their site about it. Not sure.

"how might one prevent interdiction of such a product?"

It depends, but if a person's threat level is high enough that their packages are at risk of being interdicted, then this system probably isn't for them. That person has bigger problems and should use Tails. Tails on a USB or DVD bought in a store with cash is nondescript and unlikely to arouse as much attention as purpose-built products like Anonabox.

"b) DIY- Might something like this work: wifi Network sharing (laptop B) -- ethernet cable -- (laptop A) running tails (tails wifi) -- cellular modem"

Do you mean this:
Chromebook -> laptop B with Wifi sharing -> laptop A with Tails -> cellular modem -> Internet

That probably would work, but it seems complex. And if you're going to be using Tails anyway, then why bother with all this to set up an anonymous Chromebook? Just use Tails as it was intended and forget the Chromebook.

A simpler DIY setup:
Chromebook -> machine sharing Wifi, running Tor, and directing all traffic through Tor -> Modem -> Internet

There are tutorials on DIY Tor Wifi access points, most involving Raspberry Pi: 1, 2, 3.

"d) Would major providers of software updates be likely to allow security updates to a device via tor routing?"

I don't know, good question. I guess you mean updating the Chromebook over Tor. There's potential for malicious exit nodes to tamper with the updates. If Google allows it, I'd trust them to verify updates properly. But other providers might not do it right; I wouldn't feel comfortable updating Android over Tor.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.