Recent Comments


February 20, 2019 11:03 PM

Jason Campbell on What is a Hacker?:

I currently have my ex’s cellphone linked to my computer, all thanks to Arthur Vitali, a professional Russian hacker. If you ever need a hacker to rely on, contact Arthur EMAIL-quickarturhack ATgmail,com OR KIK- Arturquickhack
This man has helped my best friend hack 3 company accounts and websites. I promised to paste his contact everywhere I could. He offers many other services, you can contact him for details

February 20, 2019 3:42 PM

Jesse Thompson on Details on Recent DNS Hijacking:

@Humdee

So if your advice is for Gmail to change its defaults, it sounds like you are saying they should turn email auto-update *off* by default, is that correct?

If not, then I personally have a challenging time imagining somebody knowing enough to understand the security difference between autoupdates being on or off being confused by the concept of installing a third party email client which offers that security advantage.

EG: if you need the switch to be so close to hand, are you liable to understand what the switch is even for?

How many people who...

February 20, 2019 3:08 PM

Untitled on Cataloging IoT Vulnerabilities:

You need to be careful about pasting "IoT scare!" onto everything.

Neither the construction crane hack nor the electric scooter hack was anything to do with the "Internet of Things". The machines aren't connected to the Internet. The crane hackers hijacked the specialised local radio communication between crane and controller – no IoT there. The scooter hackers sent unauthenticated commands over Bluetooth – no IoT there either.

February 20, 2019 1:52 PM

Juhani on Estonia's Volunteer Cyber Militia:

From what I understand they also learn how to organize and communicate.

Budget 150k, this is a voluntary organization. That 150k is rent etc. Estonian official median salary is in 12k/year range, but foreign companies who expect to hire at 2-3x the median salary have found they could not find anybody qualified to hire. This is not London salary, but even blue-collar builders can take a ferry to Finland and many do. Just look at google streetview on Tallinn cars, in residential areas.

Trust, example H.Simm, head of department of national secrets was a Russian...

February 20, 2019 11:59 AM

Arclight on Details on Recent DNS Hijacking:

It doesn't help that ISPs seem to love messing with, redirecting and otherwise diddling DNS requests whenever they want to communicate with their customers or to inject tracking cookies/ads. DNSSEC that actually works end-to-end would go a long way here. Also, it seems like we're approaching the point where e-mail verification is just as bad as SMS when real money is on the line.

February 20, 2019 11:10 AM

CB on Blockchain and Trust:

Many people here advocate cryptocurrencies as a means to help people under government duress. But cryptocurrencies need a reliable and secure access to the Internet.

If you're under government duress you don't have that secure access.

@Faustus
A block-chain doesn't allow you to cancel a transaction by writing a negative transaction of the same amount. Each transaction comes with a fee. Writing two transactions to the blockchain means you pay two fees. So the overall result is not identical to a cancellation of the initial transaction. The miners keep the fee for the...

February 20, 2019 10:45 AM

Humdee on Details on Recent DNS Hijacking:

@me "security should be more than luck."

Well of course security should be about MORE than just luck but luck enters into the equation; it is intrinsic to the notion of risk. So all I take your comment to assert is that you and I have different risk profiles and that is banal.

"but as far as i know if you enable imap on the web interface you can use thunderbird"

Security should be more than using obscure settings and little used programs. This attack worked precisely because most people use the default client and under Android the default gmail client is gmail and...

February 20, 2019 9:40 AM

me on Details on Recent DNS Hijacking:

> I hope this incident prompts Google to rethink its horrible practice of not allowing access to gmail unless autoupdates are turned on.

??? i don't have gmail (i use posteo, which has DNSSEC) but as far as i know if you enable imap on the web interface you can use thunderbird and configure it for manual or automatic updates, i have a "disposable" gmail account configured that way, so that i have to click "check new emails" in thunderbird. while for the posteo account i have configured it to sync on thunderbird open and every 15 min.

i don't find that your opsec is very...

February 20, 2019 9:02 AM

Humdee on Details on Recent DNS Hijacking:

Two brief remarks on the opsec of this situation. First, I feel vindicated with my practice of turning on email auto-update only when I want an update and not letting it sit in the background. Yes this is a PITA but it decreases attack surface. I hope this incident prompts Google to rethink its horrible practice of not allowing access to gmail unless autoupdates are turned on.

Second, regarding the fact no one noticed the one hour window. @bruce wrote years ago about how technology was so buggy it was often impossible to tell what was bug and what was attack. This case is a beautiful...

February 20, 2019 8:36 AM

Me on Cataloging IoT Vulnerabilities:

This is why I was initially horrified when I heard about our company's services that allow connecting industrial plants to the web, to allow alerts and check-ins etc.

I was not initially placated when they mentioned "data diodes" they put in place to ensure that the connection was entirely one way (data out of the plant, not instructions in). However, when they mentioned that the data diodes were physical (basically a one way fiber optic system, without all the actual fiber), I started to realize that someone here actually took security seriously. I had assumed software diodes,...

February 20, 2019 6:15 AM

Denton Scratch on I Am Not Associated with Swift Recovery Ltd.:

Looks like Swift Recovery Ltd. of Edmonton in North London may have gone bankrupt in 2017:
https://www.thegazette.co.uk/notice/2801927

There appears to be/have been at least two other vehicle-recovery firms by that name operating in the UK, one in Manchester and one in Southampton (in Hampshire). I think the Manchester one went phut in 2004. The Hampshire one may still be operating.

You generally can't safely trade as 'X Limited', if there is already another company operating under the same name in the same line...

February 20, 2019 5:10 AM

Jon PAUL on Reconstructing SIGSALY:

Hi there!

Off topic: Bruce, many thanks for decimating the off topic comments.

High Voltage: I have worked on HV as a power electronics consultant, to 55kV. Lethal to make mistakes. Nikola Tesla kept one hand in his pocket and used rubber mats, etc.


To Jure Juric: many thanks for pointing out my mistake of IT security in the link!

http://crypto-museum.org/QUANT/ has been scrubbed and ALL files you have accessed were non-public and (c). Please be so kind to delete any info downloaded, apologize for my...

February 20, 2019 4:05 AM

Wesley Parish on Friday Squid Blogging: Sharp-Eared Enope Squid:

@usual suspects

completely off the Wall, which while being Security Theatre, is not only bad security, it's also bad theatre - no one would pay five cents to see such a ghastly performance in any theatre house, and no respectable theatre house would survive putting on such a show full of whiny self-pitying characters such as Trump and Spence ... even Punch and Judy has a villainous villain!!!

As I say, getting back to the topic of security news:

Germany tells America to verpissen off over Huawei 5G cyber-Sicherheitsbedenken...

February 19, 2019 11:47 PM

David Walsh on Friday Squid Blogging: Sharp-Eared Enope Squid:

A brief news article about attribution by 'cyber defence' in Australia and how they tell it's a state actor. This is in the wake of supposed attacks on parliament house in Australia and both major parties, which was immediately suspected as being China (of course).
They acknowledge that Australia does not have the skills to contend in a 'cyber war' scenario.

https://www.abc.net.au/news/2019-02-20/cyber-activists-or-state-actor-attack-how-experts-tell/10825466

February 19, 2019 8:18 PM

Tõnis on Estonia's Volunteer Cyber Militia:

Interesting. A grass roots style group of enthusiasts who want to help. Yet the NSA with all its resources concerns itself with spying on Americans but can't be bothered to shut down and obliterate cybercriminals who are shaking down hospitals and other critical institutions with ransomware.

February 19, 2019 6:36 PM

Sed Contra on Cataloging IoT Vulnerabilities:

Re: freezers a solid application of IoT

Obligatory

In regard to freezers especially, it had better be.

February 19, 2019 5:45 PM

Faustus on Friday Squid Blogging: Sharp-Eared Enope Squid:

@ Alyer Babtu

What one misses not being in school anymore! Your link leads to a fascinating book. It has a totally different perspective on proofs from my usual one, it is full of useful proof steps, and it is a limpid survey of so many areas of mathematics. Thanks for passing it along.

Of course, what I want my system to do is to intuit solutions from scratch. This book contrasts nicely with that mindset.

February 19, 2019 4:56 PM

bttb on Estonia's Volunteer Cyber Militia:

@VinnyG

Potential typo

Perhaps "not" works in the following sentence: "Perhaps there is an effective strategy that Estonia does [not] want to reveal for fear of granting an advantage to an adversary, but we should all by now be familiar with the weaknesses of "security by obscurity."

February 19, 2019 3:37 PM

bttb on Estonia's Volunteer Cyber Militia:

OTTOMH: a) Some people, perhaps because 1) of youthful indiscretions or 2) other reasons, may have no interest in security clearances.

b) In countries like the five eyes, BRICS, Israel, Saudi Arabia, smaller countries, etc., who's going to watch the watchers (or allow others to watch the watchers)?

c) In countries like the five eyes, BRICS, Israel, Saudi Arabia, smaller countries, etc., I imagine the spooks, and others, could sometimes use professional input or professionally acquired evidence; or might kill to prevent that.

d) Because of the 1) mole problem, 2)...

February 19, 2019 1:57 PM

vass pupp on Estonia's Volunteer Cyber Militia:

Moles could be created out of already loyal members of the militia by applying the standard set of MICE tools. Loyalty is not a static but rather a dynamic quality, which requires loyalty management/monitoring within any security-related unit.

February 19, 2019 1:14 PM

herman on Reconstructing SIGSALY:

The complexity of the Sigsaly encryptor is amazing.

I like to build simple radio circuits with 1 to 5 thermionic valves. Long ago, I worked with a Radar system that amongst other things, implemented a full adder using valves.

Calibrating and setting up complex circuits like that is not fun at all - it is hard work.

Anyhoo, my workshop has a rubber floor mat and I always solder bleed resistors across the PSU capacitors to discharge them quickly after power off. Getting zapped with high voltage is something you never forget.

February 19, 2019 12:17 PM

Impossibly Stupid on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Faustus

In other words, you are asking my system to do something that is impossible by definition.

Not impossible. I'm simply asking what level of "adversary" your system would represent when it comes to the problem of figuring out what is and isn't random noise. I would hope you understand how important that kind of analysis is when it comes to applying intelligence of any kind.

I might reframe the challenge as "Given a sequence of numbers, find the rule that determines how it is generated". That is a problem that my system can...

February 19, 2019 10:11 AM

Impossibly Stupid on Estonia's Volunteer Cyber Militia:

Sans details, I'm not sure I see the point of this. Low level attacks are happening all the time, and addressing them would go a long way towards stopping bigger, more directed attacks in the future. But if you have people who are still falling for spam and thumb drive attacks, no active "militia" or expert advice is going to do a lick of good.

There really aren't any "Security Lessons for the Rest of Us" here. Nothing about firewalls or networks that are the source of attacks. Nothing about policies that make people unemployable in positions of authority if they don't follow...

February 19, 2019 10:03 AM

allgreenrecycling on How to Secure Your Computer, Disks, and Portable Drives:

Once I stepped on a rake when selling a computer: I thought I had deleted all the data from the hard drive, but it was not so :( Then a couple of weeks later I saw my personal photos on the network... Now, before selling, I always give hard drives to companies that are engaged in the destruction of all data, and only then sell! Don't repeat my mistakes!

February 19, 2019 8:51 AM

Petre Peter on Estonia's Volunteer Cyber Militia:

Maybe this is what we need in the US, especially if the volunteers must have some sort of security clearance to deal with potential moles.

February 19, 2019 8:29 AM

VinnyG on Cataloging IoT Vulnerabilities:

@Joseph Julicher re: freezer power management - What safeguards are in place in that arrangement to remove any incentive to maximize profit by diverting power away from the freezers to the point that food quality, and possibly safety, is compromised? Without some kind of independent monitoring, that consequence is inevitable. Worse, the power "broker" may be in a position to avoid liability for any damages that occur as a result of that kind of conduct. I would be quite reluctant to purchase frozen food from a market that participates in such an arrangement without strong assurances on those matters.

February 19, 2019 8:17 AM

VinnyG on Estonia's Volunteer Cyber Militia:

One crucial detail absent from the article is the method used to prevent "moles" from infiltrating the volunteer defense group. Perhaps there is an effective strategy that Estonia does want to reveal for fear of granting an advantage to an adversary, but we should all by now be familiar with the weaknesses of "security by obscurity." Certainly, independent black hats and Putin-affiliated hackers will make efforts to infiltrate, and the latter would likely lay low, learn, and bide their time until some kind of massive surprise offensive is unleashed.

February 19, 2019 3:11 AM

1&1~=Umm on Military Carrier Pigeons in the Era of Electronic Warfare:

@Iron Tofu:

"this RFC was issued on April Fools Day (1 April)?"

Most back then were eagerly awaiting its release, because every year an April Fools Day RFC was issued, just for the fun of it; like an "Easter Egg" it was a gift of a smile.

The point about a good April Fools Day joke is it should be not only possible to do, but just on the in field side of credible.

As it turns out though, technology and time makes fools of us all, and now it is not just possible and practical it actually has advantages as has been pointed out above.

February 19, 2019 2:10 AM

Weather on USB Cable with Embedded Wi-Fi Controller:

@Celos
The chip can say it's a keyboard, so send instrument.
It can say after it's Ethernet, and send payload, based on firewalls down, and port 145,355 open, ie sh. What I like is they can fit a 2.4 GHz in a USB cable.

February 19, 2019 12:13 AM

Celos on USB Cable with Embedded Wi-Fi Controller:

@Clive Robinson:

As unfortunately is the norm when it comes to more intricate matters of technology, your advice is worse than useless. Of course any sane secure revision of this attack device is going to not be detectable with simple instruments. For example, isolating the data-lines from the chip when there is no power is trivial. Doing some high-resistance line snooping before connecting to them is a bit more difficult but also not hard to do at all. Getting such a device to withstand, say, 1000V across the power lines is harder, but still doable.

February 18, 2019 8:34 PM

Alyer Babtu on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Faustus

I don’t use any automated assists, just work things out on paper, like doing an argument in mathematics, then code from that. Also, the principles apply to any situation, batch, interactive, databases, etc. The programming problem itself determines the structure i.e. point of view on the data and the design uses that. It is not necessarily the “obvious” structure the data might seem to carry.

Not wanting to risk fatiguing the blog unduly, I’ll finish with this.

February 18, 2019 8:29 PM

Bruce Schneier on Cataloging IoT Vulnerabilities:

@Brooke

"I think internet connected freezers is actually a solid application for IoT."

I think they're all solid IoT applications. I just want them to also be secure.

February 18, 2019 6:58 PM

ted on Cataloging IoT Vulnerabilities:

"The industry is now being urged to build more robust systems."

Urged. URGED! This is heavy construction equipment not an IOT camera. Government regulators ought to say "You've got 90 days. Fix it or shut it down".

February 18, 2019 6:03 PM

Faustus on Friday Squid Blogging: Sharp-Eared Enope Squid:

@ Alyer Babtu

That is wild! I thought UML and such won out the design sweepstakes. Do you use the Jackson code generator? If not, do you do all the detail in JSP and then code it afterward, or do you stop design at a less detailed level?

A lot of the 90s were structured methodologies for me, in large projects. In the end I didn't find them that helpful, though I was a true believer for a while.

How does Jackson play with agile? Does it work well with sql? My understanding is that it makes program design parallel the data structure. Also that it is for batch...

February 18, 2019 5:47 PM

Alyer Babtu on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Faustus

I doubt if you

I use Jackson’s design analysis+synthesis approach as outlined in his Principles book whenever I program, which until recently was most of the time. I find it invaluable in bringing to light what the problem context really is asking to be coded. It leads generally to a habit of inquiring into the real nature of the problem. Once that is obtained the coding is always straightforward.

All the best with your project!

February 18, 2019 5:14 PM

jure juric on Reconstructing SIGSALY:

Great work, very interesting. Thank you very much for sharing.
I found out that by accessing http://crypto-museum.org/QUANT/ some interesting files including pictures and sound recordings can be reached. I hope it was intentional. If not, I apologize to the author for the inconvenience.

February 18, 2019 5:01 PM

tazer2000 on Cataloging IoT Vulnerabilities:

@Denton In a future where information is the ultimate tool, it stands to reason that maximization of captured data correlates to levels of power/control. The more data you have, the better your simulations/models become. The explosion of AI wasn't just because of better hardware, but also about more data being available for the training of the neural nets. Sooo, with 5G coming online and likely something like a magnitude increase in the data to mine, I'd say things are gonna get interesting pretty quick. lol...buckle up.

February 18, 2019 4:59 PM

Flavio Castro on Blockchain and Trust:

Nice article. Reasonable skepticism is always good

Cryptocurrencies are undoubtedly a way to escape from government-backed currencies. Understand that people born and raised in developed countries don't know how good they have it by never having to care about government abuse of power. Some people need to live through hyperinflation scenarios.

That said, I urge you to travel to Venezuela and tell them cryptocurrencies are useless.

February 18, 2019 3:53 PM

Denton Scratch on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Faustus:

OK, that'll have to do for me. I'm not OK with you countering my reasoned positions with insults; I have not insulted you, as far as I am aware. I'm not here for a scrap, and until about a week ago I thought you were a person who shared my views.

Anyway, I am detaching myself from this discussion with you, as of now. Let's see your website, and the details of your invention (you are claiming it's patentable, which implies it really is an invention). Maybe you'll be interested in re-opening a channel after you've published.

February 18, 2019 3:06 PM

vas pup on China's AI Strategy and its Security Implications:

@all:
Some related quotes of Chinese wisdom:

"It is more shameful to distrust our friends than to be deceived by them". Confucius

[that was before wiring friends by authority]

"He who does not trust enough, Will not be trusted." Lao Tzu

[yeah - trust is two-way street]

"There is no instance of a nation benefitting from prolonged warfare." Sun Tzu

[Wow! Is this applied to exceptional nations as well? Soviet Union in Afghanistan, US in Vietnam, you name it.]


February 18, 2019 12:54 PM

Zusah on Cyberinsurance and Acts of War:

Anyone surprised that an insurance company is trying to avoid paying out what they should by trying whatever has enough odds that it just *might* work?

Rest assured that Zurich's legal team balanced the odds before they placed that war pin.

This boils down to plausible deniability: Zurich claims NotPetya was a nation-state cyberattack tool, and it will be interesting to read the court of law's ruling for this case.

By definition, an act of war, as war itself is nation state business.

If the insurance claim was made by a nation state, a judge might imho rule in...

February 18, 2019 12:27 PM

roberts robot double on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Faustus

Seeing as how your data structure is an AST, perhaps you can pattern match the output trees with a set of known structures that you build up over time. Maybe something like, "this looks like a loop that counts over an array" or somesuch. I imagine it would require a different flavor of knowledgebase than the one that builds your inputs and would, therefore, require experienced programmers just as your input set needs curating by yourself. Being a logically distinct processing step would also allow it to evolve by itself with updates being able to be applied retroactively...

February 18, 2019 12:01 PM

Faustus on Friday Squid Blogging: Sharp-Eared Enope Squid:

@ Impossibly

I do not believe in blacklisting people solely for having opinions that disturb me, but I also am busy and I am finished with word games.

As far as your challenges go: Take distinguishing random from pseudorandom and consider the definition of pseudorandom:

"In theoretical computer science, a distribution is pseudorandom against a class of adversaries if no adversary from the class can distinguish it from the uniform distribution with significant advantage."...

February 18, 2019 11:38 AM

Joseph Julicher on Cataloging IoT Vulnerabilities:

There is at least one IoT freezer business case that is happening in Europe.
Essentially it is energy frequency trading. By managing a large number of freezers, you can start and stop large blocks of electricity at a moment's notice. This allows you to buy energy cheap and sell it dearly at a moment's notice. You keep the freezers energized off the profits. When the energy you are using to freeze food can be more profitable selling it, you turn the freezer off and sell the energy. The freezer will keep the food cold for a while. If you offer to manage all the freezers in a...

February 18, 2019 11:16 AM

roberts on Friday Squid Blogging: Sharp-Eared Enope Squid:

@ roberts

Thanks for your best wishes!

Comprehensibility is a mixed bag. I am thrilled when my system finds novel algorithms, but they can sometimes look like the results of a "shortest apl program" contest if not the same contest in Brainf*ck!

I have various output formats. Code that is incomprehensible in one can be clearer in others.

A longer term plan is to score a few hundred sample output programs for clarity and then feed them back into my system to evolve a metric that captures what humans...

February 18, 2019 10:56 AM

David Rudling on Cataloging IoT Vulnerabilities:

@Brooke
All the noise in the world from consumers won't do the trick.
The amount of compensation awarded by the courts to the dependents of the deceased are the only thing that will be listened to by otherwise deaf corporate ears.

February 18, 2019 10:37 AM

Brooke on Cataloging IoT Vulnerabilities:

I think internet connected freezers is actually a solid application for IoT. Think about a grocery store that has a couple massive freezers/fridges in the back and then all of the display stuff. It would be amazing to send an alarm for temperature over something all of the stores have already, network connections home to the store mothership. Wouldn't it be nice if the freezer could tell you what was broken before you even dispatched a tech so they had the right parts, or you could turn on another chiller to compensate for the downed/failing portion?

I think the applications are...

February 18, 2019 10:11 AM

roberts robot double on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Faustus

Cool, I'm glad I could add to your compendium. It sounds like you really are developing something grounded in reality with your system targeting specific language design environments (and their specific runtime environs as a result).

My primary question is simply whether or not your generated code will be comprehensible by humans? Of course, technically, *all* source code is comprehensible if the reader is given enough time, but my question is whether generating understandable code is a part of your design criteria.

Regardless, I wish you all success.

February 18, 2019 9:56 AM

Rob on Cataloging IoT Vulnerabilities:

Sheesh, the freezer will give you a map of the floor it's on without the password.

Next time I plot out a heist...

February 18, 2019 9:06 AM

Faustus on Friday Squid Blogging: Sharp-Eared Enope Squid:

@ roberts

I am at heart a mathematician. I am interested in the algorithms more than the implementation. I will add the suggested string problem to my queue of demo problems. That is the kind of program my system writes.

As far as the details of a particular language go: My system does all of its work in abstract syntax trees. A particular language comes into play only in the output generation phase.

Problems of heap allocation and the like could be modeled as separate problems. Or I could work with the really low level ops that C provides, and solve the...

February 18, 2019 8:45 AM

Faustus on Friday Squid Blogging: Sharp-Eared Enope Squid:

@ Rach El

To be clear, when I said "I believe that bias stems from insufficient data, not pernicious algorithms", I was talking about AI. In humans, there are genetic and social learning components to bias.

February 18, 2019 8:28 AM

Faustus on Friday Squid Blogging: Sharp-Eared Enope Squid:

@ Rach El

Cognitive bias is an interesting question. I'd say my system models cognitive bias rather than avoids it. Our brains are wired to try to simplify information. My system works similarly. In cognitive biases the information is over simplified or generalizations are made with insufficient information.

If I fail to provide rich enough data my system often simplifies the processing in a way that won't work when the data set is enlarged. For example, when I trained a system with lists that were 10 to 25 integers long, one of the resulting programs didn't work with...

February 18, 2019 8:14 AM

Buzlaighe on Blockchain and Trust:

Dear Schneier,

I would really appreciate if you could provide more details for the following points:

1) you defined the "public blockchains" as those providing i) "a distributed (as in multiple copies) but centralized (as in there's only one) ledger", ii) "the consensus algorithm, which is a way to ensure all the copies of the ledger are the same" and iii) "the currency as a necessary element of a blockchain to align the incentives of everyone involved". Then you defined "private chains as those that use the blockchain data structure but don't have the above three...

February 18, 2019 8:07 AM

Denton Scratch on Cataloging IoT Vulnerabilities:

Re. Supermarket Freezers: Cool hijack. (sorry).

It's not clear to me why supermarkets, hospitals and pharmacies think they need internet-connected thermostats. And hospitals and pharmacies in particular should have managers with a bit more clue about these matters; clueful managers in supermarkets are unfortunately few and far between.

February 18, 2019 7:16 AM

bttb on Friday Squid Blogging: Sharp-Eared Enope Squid:

From https://www.emptywheel.net/2019/02/17/malwaretechs-judge-seems-more-sympathetic-on-the-intent-of-prosecution-than-the-law/ :

"MalwareTech’s Judge Seems More Sympathetic to Hutchins about the Intent of Prosecution than the Law


JP Stadtmueller, the judge who will preside over MalwareTech (Marcus Hutchins’) case, last week denied his pretrial motions to get his post-arrest interview and all the charges of his indictment thrown...

February 18, 2019 7:02 AM

269841 on USB Cable with Embedded Wi-Fi Controller:

google up Bash Bunny. It can emulate things like 2 gigabit Ethernet, serial, flash storage and keyboards. You can emulate any USB device you want, only limitations are space and your imagination.

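The "it can say it's a keyboard, then say it's Ethernet" behaviour described in this thread (the Bash Bunny, the Wi-Fi cable) is visible in the interface descriptors a device presents when it enumerates: a keyboard is USB class 0x03 (HID), a network or serial link is CDC (0x02/0x0A), a drive is Mass Storage (0x08). The following is an added example, not code from the page or from any commenter, that parses `lsusb -v`-style output and flags any device offering a HID interface together with an interface that can move data or commands. The sample text, including its vendor/product IDs and device names, is constructed for the example, and the policy itself is an assumption for illustration.

```python
import re
from dataclasses import dataclass, field

# USB-IF interface class codes (bInterfaceClass).
HID, CDC_CONTROL, CDC_DATA, MASS_STORAGE, WIRELESS = 0x03, 0x02, 0x0A, 0x08, 0xE0
CLASS_NAMES = {HID: "HID", CDC_CONTROL: "CDC", CDC_DATA: "CDC-Data",
               MASS_STORAGE: "Mass Storage", WIRELESS: "Wireless"}

# Interfaces that let a device move data or run a payload once it also has a keyboard.
# This pairing is the policy this example enforces (an assumption, not a standard).
PAYLOAD_CLASSES = {CDC_CONTROL, CDC_DATA, MASS_STORAGE, WIRELESS}


@dataclass
class UsbDevice:
    bus: int
    dev: int
    vid: str
    pid: str
    name: str
    classes: set = field(default_factory=set)


DEVICE_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$")
IFACE_RE = re.compile(r"^\s*bInterfaceClass\s+(\d+)")


def parse_lsusb(text):
    """Parse `lsusb -v` style output into devices with the set of interface classes each presents."""
    devices = []
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            bus, dev, vid, pid, name = m.groups()
            devices.append(UsbDevice(int(bus), int(dev), vid, pid, name.strip()))
            continue
        m = IFACE_RE.match(line)
        if m and devices:
            devices[-1].classes.add(int(m.group(1)))
    return devices


def suspicious(devices):
    """Return (device, reason) for every device that is a keyboard plus something that moves data."""
    findings = []
    for d in devices:
        extra = d.classes & PAYLOAD_CLASSES
        if HID in d.classes and extra:
            names = ", ".join(CLASS_NAMES[c] for c in sorted(extra))
            findings.append((d, f"HID combined with {names}"))
    return findings


# Constructed sample in lsusb -v layout; not captured from a real machine.
SAMPLE = """\
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Device Descriptor:
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
Bus 001 Device 003: ID 0781:5567 SanDisk Corp. Cruzer Blade
Device Descriptor:
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage
Bus 001 Device 004: ID dead:beef Unbranded charging cable
Device Descriptor:
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
    Interface Descriptor:
      bInterfaceClass         2 Communications
    Interface Descriptor:
      bInterfaceClass        10 CDC Data
"""


def scan(text=SAMPLE):
    """Run the parser and policy over lsusb output; returns (identifier, reason) pairs."""
    return [(f"{d.vid}:{d.pid} {d.name}", reason)
            for d, reason in suspicious(parse_lsusb(text))]


if __name__ == "__main__":
    for ident, reason in scan():
        print(f"SUSPECT {ident}: {reason}")
```

On a live Linux host the same class codes are exposed per interface under `/sys/bus/usb/devices/`, and a device-policy daemon such as USBGuard can enforce interface-based rules at plug-in time rather than after the fact. The caveat is the one Weather raises above: a malicious chip can enumerate as a plain keyboard first and re-enumerate with a network interface later, so a single scan at insertion is not sufficient; any re-enumeration of an already-present device should be treated as a new device.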
February 18, 2019 5:13 AM

roberts robot double on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Faustus et al

Here is an example I will present as a generalized problem:

Write a function that takes three inputs: a list of strings, a string to search for and a string that replaces each substring occurrence thereof. After replacing all substring occurrences in the list of strings, return both the number of lines where one or more replacements occurred and the total number of replacements overall.

Now, as a longtime programmer, my analysis of this problem starts with "What is the context this function will execute within?"

As a master C programmer, am I...


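The generalized problem posed above is small enough to implement directly. The following is an added example, not code from the page or from any commenter's system, that solves it in Python and pins down the edge cases the wording leaves open: an empty search string is rejected rather than matching between every character, occurrences are counted non-overlapping from left to right (the behaviour of `str.count` and `str.replace`), and replaced text is not rescanned, so a replacement that still contains the search string cannot loop. The sample input is constructed for the example.

```python
def replace_all(lines, needle, replacement):
    """Replace every occurrence of `needle` in each line.

    Returns (new_lines, lines_changed, total_replacements).
    """
    if needle == "":
        # str.count("") counts the gaps between characters, which is not what
        # "substring occurrence" means; refuse rather than silently mangle input.
        raise ValueError("search string must not be empty")
    new_lines = []
    lines_changed = 0
    total = 0
    for line in lines:
        n = line.count(needle)  # non-overlapping matches, left to right
        if n:
            lines_changed += 1
            total += n
            # Single pass: the replacement text is never rescanned, so
            # replacing "aa" with "a" in "aaa" yields "aa" and stops.
            line = line.replace(needle, replacement)
        new_lines.append(line)
    return new_lines, lines_changed, total


def demo():
    # Constructed input chosen to exercise overlap and no-rescan behaviour.
    lines = ["aaa", "abab", "no match here", "", "aa-aa"]
    return replace_all(lines, "aa", "a")


if __name__ == "__main__":
    new, changed, total = demo()
    print(changed, total, new)
```

The three cases above ("aaa", the empty string, and the empty needle) are the kind of deliberately chosen test inputs a designer writes to probe a weak point; a synthesizer fed only ordinary lines would have no reason to settle the overlap or empty-needle questions one way or the other.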
February 18, 2019 5:03 AM

Denton Scratch on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Faustus

"But nobody has to explain the reasoning behind the test cases. The system figures that out."

That's not how it works. Test cases are constructed by a developer/designer who knows where the weak points in a system-design are. They aren't just a bunch of random examples, that some AI is supposed to use as the basis for divining a system definition. Test cases are specifically designed to prove that a design doesn't fail when confronted by a particular, challenging case. The test-cases and the design work as a complementary pair. If the design is derived...

February 18, 2019 4:09 AM

Wesley Parish on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Rach El

Thanks. I'd need to do a lot of research on Steve Jobs, though - I know next to nothing about him.

@herman, I presume your remarks were aimed in my general direction: you need to upgrade your information. The Great Wall of China did wonders in keeping out the Mongol Empire, didn't it? Hadrian's Wall in the north of what is now England, and had forts every five miles or so: it worked while it was manned by Roman troops. When they were all called back during one of the periods of civil war over which general became emperor during the collapse of the Roman Empire,...

February 18, 2019 2:28 AM

Maki on Using Gmail "Dot Addresses" to Commit Fraud:

I think this behaviour is the right choice by Google.
The risk of fraud in the alternative scenario is far greater. Better to allow people to differentiate addresses for these shared email services using additional letters or numbers than the use of periods.
This is the behaviour I would prefer as the account holder, as I would receive all mail to these addresses that can easily be mistaken for mine, and I can act on the information if I choose to.

February 17, 2019 6:35 PM

Thoth on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Unmasked Underflow, Clive Robinson

You can find the usual discussions between @Clive Robinson and me regarding In/Secure Enclaves via searching for our usual posts. Trying to keep the post shorter otherwise there will be people who will complain about long posts.

This is not a new "ARM feature" as it is dated 2017 and I have been looking around and recent STM32 chipsets that are "open and friendly" and well-liked by "open HW/SW" projects (if you really believe in "open") come with these additional In/Secure Enclave extensions. The access is mostly abstract and who knows...

February 17, 2019 5:42 PM

Rach El on Friday Squid Blogging: Sharp-Eared Enope Squid:

thank you everyone

Wesley Parish

admire your lucid absurdity. What about creating a story of present day world where Steve Jobs, and therefore his distortion-aberrations upon the physical reality sphere, never existed. (Apparently he had a 'reality torture field')

February 17, 2019 4:54 PM

Impossibly Stupid on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Faustus

My system writes programs with the proviso that they can be tested against some expression of the user's intention. Test cases work well. Otherwise, how would the system know what was being asked of it?

By expressing the only thing of value that would be a breakthrough: intelligence. Otherwise, all you'll be offering up is the same sort of "automatic programming" nonsense that went nowhere after the first AI bubble burst.

(It is not telepathic technology. Maybe Release 2!) But nobody has to explain the reasoning behind the test...

February 17, 2019 4:47 PM

Alyer Babtu on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Faustus

... have problems solved in a certain way ... the average commercial setting ...

Jackson rather is giving something like a scientific account (i.e. explanation through causes) of what is involved in any programming effort, which account applies in any setting whatsoever. The relationship to programming is analogous to the mathematics underlying numerical algorithms.

@Rach El

... the inventor of Skynet is set up as the worst villain the world has ever seen ...

It hit me more that the film was saying that...

February 17, 2019 4:45 PM

JG4 on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Rach El

I hadn't seen the scientist character in that light, but your point is well taken. To his credit, as soon as the implications of his work were made clear, he gave the last full measure of devotion in an attempt to contain/limit the problem.

I like seeing people of all races solving problems. It couldn't have been lost on the audiences for T2 that the majority of technicians, scientists and engineers building technology for the peasant extermination programs (human extinction programs?) are Caucasian, as am I. It would have been about thirty-three years...

February 17, 2019 4:19 PM

Rach El on Friday Squid Blogging: Sharp-Eared Enope Squid:

Faustus

Thank you for articulating your vision
You request challenge, and hinky thinking.
Although, so far (and, no doubt, necessarily) your overview has been far too broad for me to ascertain your scope in practical terms.

Here is a question. Can your tool deal with cognitive bias aka prejudice as it manifests socially and demographically?

Which in the overarching realm of security is a critical flaw whichever level or strata it manifests in. Macro, micro, Turtles all the way..
Macbeth didn't expect his enemies to be hiding AS a forest,...

February 17, 2019 2:52 PM

patron on Friday Squid Blogging: Sharp-Eared Enope Squid:

What would you do for a loved one setting up their first cell phone account? Person is not computer savvy.

Threat model- unknown.

Ease of use, bill payments (automatic renewal), etc. important

Use a new email?

Use the loved ones landline phone # on the application?

The person will be using their cell phone mainly near their residence.

Get an alias named credit card, from an existing credit card, à la Julia Angwin, and use that name and email address.

'Angwin did ask her credit card company to issue her a new card on her existing...

February 17, 2019 1:38 PM

Faustus on Friday Squid Blogging: Sharp-Eared Enope Squid:

@ Sherman

"Thanks for your posts, I'll be paying attention to yours and others insights into 'AI' in hopes of gaining enlightenment in that area."

Thanks for the encouragement!

February 17, 2019 1:32 PM

Clive Robinson on Hacking the GCHQ Backdoor:

@ Bong-Smoking Primitive Monkey-Brained Spook,

Time for your 319 suggestion...

February 17, 2019 1:14 PM

Faustus on Friday Squid Blogging: Sharp-Eared Enope Squid:

@ Alyer Babtu

Perhaps that is what he meant. I have made clear what I mean.

If somebody can nominate a precisely defined problem that you think doesn't fit in my model I'll see what I can do with it.

Jackson's approach is attempting to have problems solved in a certain way. Which makes perfect sense in the average commercial setting where consistency reduces work and increases accuracy. (In the case of Jackson, as long as you are doing batch processing on a mainframe 20 years ago.)

But have you read the papers? Holy moly, what a way to make the simple...

February 17, 2019 12:23 PM

Bruce Schneier on Reconstructing SIGSALY:

@Clive Robinson:

I just deleted a chunk of one of your comments, above. Please keep off-topic politics off this blog.

February 17, 2019 12:20 PM

herman on Friday Squid Blogging: Sharp-Eared Enope Squid:

Walls keep out simple people. It works as a high pass filter and keeps out lots of people who would be a drain on society. Smart people don't need to climb over a wall, they can follow the regular immigration process. In between these two groups are the crooks - they are at least slowed down a bit.

February 17, 2019 12:04 PM

Chris2 on Prices for Zero-Day Exploits Are Rising:

Sorry, I should have noticed the post before mine (made 15 Feb) was made by someone else called Chris. He didn't make the one on 17 Feb.

Chris 2

February 17, 2019 11:56 AM

Chris on Prices for Zero-Day Exploits Are Rising:

The T&C for proprietary hardware and software *should* say that bugs must be reported to the vendor before telling anyone else about them. That gives some chance of brokers like Zerodium being sued for damage done by bugs they sold instead of reporting them. It won't solve the problem but might help a little.

Chris

February 17, 2019 11:29 AM

Alyer Babtu on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Faustus

Re correctness

A clear, defined intention is not enough. The program design has to match the problem being addressed. Perhaps that is what @Denton Scratch meant in some of his comments.

Never tiring of plugging that most esteemed treatment of what programming really is, Michael Jackson’s “Principles of Program Design”, I offer this quote

“Getting a Program to Work Versus Getting it Right

The beginning of wisdom for a programmer is to recognize the difference between getting his program to work and getting it right. A program which does not...

February 17, 2019 10:54 AM

Faustus on Friday Squid Blogging: Sharp-Eared Enope Squid:

@Denton

Come on, Denton. Don't be grumpy.

You really refuse to consider things that don't match your preconceptions, don't you?

I, and others, use "golang" to avoid the ambiguity of the word "go". A search on the word "go" is pretty hopeless.

It is a pretty trivial statement that you cannot write correct programs without a clear intention. I didn't think it required comment. Of course I agree. No, I obviously don't expect a compiler to fix that.

Since you have taught programming I understand that you have been exposed to a lot of this...

February 17, 2019 10:39 AM

Unmasked Underflow on Friday Squid Blogging: Sharp-Eared Enope Squid:

ARM introduced a new extension called Secure EL2

https://community.arm.com/processors/b/blog/posts/introducing-2017s-extensions-to-the-arm-architecture

I can't decide if this is a good or bad thing. It is effectively support for 3rd party secure-hypervisor so that a compromised hypervisor can't snoop on a secure OS.

However, is this not also a tool for a state actor to snoop on a common user without detection? Common user and even private market...

February 17, 2019 10:26 AM

Clive Robinson on Friday Squid Blogging: Sharp-Eared Enope Squid:

@ bttb,

    Dan Coats Still Refusing to Provide the Evidence that Russia Didn’t Affect the [ 2018 ] Election

Common sense says that there is a spectrum of activities that might or might not have been aimed at the rather dull 2018 US mid-term elections. Thus three answers are possible,

1, No evidence.
2, Indeterminate evidence.
3, Definite evidence.

But 1&2 are in most cases likely to be very broad and arguably evidence will be missed. Or misinterpreted, which affects all three. So I suspect no definitive report will get issued on...

February 17, 2019 8:29 AM

bttb on Friday Squid Blogging: Sharp-Eared Enope Squid:

From https://www.emptywheel.net/2019/02/15/dan-coats-still-refusing-to-provide-the-evidence-that-russia-didnt-affect-the-election/ :

"Dan Coats [ Director of National Intelligence (DNI) ] Still Refusing to Provide the Evidence that Russia Didn’t Affect the [ 2018 ] Election

Last month, I [ emptywheel ] noted a troubling exchange between Martin Heinrich, Dan Coats, and Richard Burr in the Global Threats Hearing....

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.