Recent Comments

April 26, 2015 8:24 PM

Michael on An Incredibly Insecure Voting Machine:

Entertainment on the same line.

http://www.amazon.com/Floodgate-Short-Story-Matt-Richtel-ebook/dp/B008H4JLYC/ref=asap_bc?ie=UTF8

Book Description
Publication Date: August 21, 2012

It's Watergate. On servers.

On the eve of the presidential election, a conspiracy threatens to alter the outcome of the vote—and the future of American politics. At the heart of the plot is a powerful computer program, aimed at rooting out hypocrisy among politicians to expose their truths . . . and ours. Left to unravel the conspiracy is a bitter, hotheaded former journalist, but he's just not sure he cares enough to get to the bottom of it.


And I have no relationship to author or Amazon.

April 26, 2015 8:15 PM

Petrov S. on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:


"Security Researchers" meaning 'those who find security vulnerabilities in applications' have a few reasons why governments are interested in them. But there are many different types of these security researchers. It is like most security fields where there is deep government engagement.

There are the very rare few who can perform consistently the impossible.

The "impossible" means it is so improbable that it is not even remotely plausible it could have been performed. Plausible by whom? That is the trick. Plausible by low and high strata of consensus of "experts".

As long as such researchers are diligent in being discreet, they do not have a problem being caught because nobody could believe that what they do is even possible.

This invisibility is always a reality in security, because 'the unknown can not be quantified' but people are inclined to always believe it can be quantified. Even if they logically know they can not accurately quantify the unknown. In security, quantifying the unknown is something that is routinely and rigorously performed. Which only enhances the self-delusion.

But the sort who can do what is highly coveted are acutely aware they are highly coveted if discovered.

The more basic problem being faced by the wider range of security researchers is simply that their governments want to restrict their capacity to freelance, at the very least.

They are themselves increasingly relying on security vulnerabilities for backdoor access to targets, so they increasingly see those who find them and who are not working for them to be a threat.

Their problem here is modern security for computers is very much more stringent and demanding than what these old timers understand. So, the factor of finding security vulnerabilities in products is a mainstream trade core to producing applications. They do not understand this. Every software vendor on the planet understands this, but they do not. Which tells you just how much they know. This sort of politician or higher up has such bad information on such a key aspect of their job, they can be chalked off as a fool.

Still, they can be a dangerous fool, so wariness is quite warranted.

Petrov S.

April 26, 2015 6:16 PM

Thomas_H on "Hinky" in Action:

@ Sofakinbd:

The problem is that people with autism might very well behave exactly like a "hinky" person would. They often are not at ease in crowds and unfamiliar places, and getting their personal space invaded may make them react in an inappropriate manner. A patdown might set off a meltdown (all the way from whimpering to full-blown anger outburst), depending on how sensitive to touch they are. Often they can't make eye-contact properly, leading to shifty looking around the face of the other person or just staring in another direction. Furthermore, due to their inability to properly read other people, they are prone to misunderstandings about the other person's intentions (and may as such be a prime victim of evidence planting by unscrupulous law enforcement looking for an easy terrorism suspect).

Now that kind of behaviour also exists with normal people, up to a degree (I personally don't believe in the extreme "neurotypicals vs. aspies"-thing that some people with autism seem to wish to use to put themselves apart from "normal" humans - and thus mostly convince themselves that they really can't get any better), but with autistics all that potentially suspicious behaviour comes together in a single person at the same time.

On the other hand, autism also has its advantages. A lack of outward expression can hide nervousness (they feel excessively nervous yet don't show it) and may also make it nearly impossible for other people to actually read the autistic person's face. Simply not bothering with attempting to read the other person's social signals (body language) is a good way of reducing nervousness in public (much of the nervousness is caused by an inability to properly understand those signals), and in turn may reduce the tendency to fidget.

April 26, 2015 5:50 PM

Pint! Pint of wallop. on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

Good points, Jonknowsnothing, but uniformly above Andrew's pay grade. Beyond his comprehension. He's a prole hired to spy on his class and keep his mouth shut about kiddy-raping toffs. His is not to reason why. Andrew was born and bred to take orders.

April 26, 2015 5:50 PM

Wael on Signed Copies of Data and Goliath:

@Anura,

I know you wrote about pencil and paper ciphers a few times... This takes it to an extreme ;) I'd rather have a slide-rule that verifies the signature for me, or perhaps use one of @Thoth's abacuses after he dusts it off... lol :)

April 26, 2015 4:47 PM

Benni on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

This little new achievement of Germany's BND might change many things here; for example, it could lead to the NSA losing their access on German networks:


http://www.spiegel.de/international/germany/german-intelligence-agency-bnd-under-fire-for-nsa-cooperation-a-1030593.html

But it was only after the revelations made by whistleblower Edward Snowden that the BND decided to investigate the issue. In October 2013, an investigation came to the conclusion that at least 2,000 of these selectors were aimed at Western European or even German interests.

In spring 2014, the NSA investigative committee in German parliament, the Bundestag, began its work. When reports emerged that EADS and Eurocopter had been surveillance targets, the Left Party and the Greens filed an official request to obtain evidence of the violations.

At the BND, the project group charged with supporting the parliamentary investigative committee once again looked at the NSA selectors. In the end, they discovered fully 40,000 suspicious search parameters, including espionage targets in Western European governments and numerous companies. It was this number that SPIEGEL ONLINE reported on Thursday. The BND project group was also able to confirm suspicions that the NSA had systematically violated German interests. They concluded that the Americans could have perpetrated economic espionage directly under the Germans' noses.

Only on March 12 of this year did the information end up in the Chancellery. Merkel administration officials immediately recognized its political explosiveness and decided to go on the offensive. On Wednesday, the Parliamentary Control Panel met, a body that is in charge of monitoring Germany's three intelligence agencies. The heads of the agencies normally deliver their reports in the surveillance-proof meeting room U1.214.

Panel members suspected something was different at this week's meeting when Chancellery head Peter Altmaier, a cabinet-level position in Germany, indicated that he would be attending. The heads of the parliamentary NSA investigative committee were also invited to attend. BND President Gerhard Schindler, however, was asked to stay away. The day after the meeting, the government announced bluntly that Schindler's office had displayed "technical and organizational deficits."

April 26, 2015 2:31 PM

rgaff on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@ Andrew Wallace

So are you British or American? Someone just accused you of being an American, I would think that would be an insult that would be hard not to respond to if you were British...

It's really a sign of the times we live in when it's that hard to tell the two apart...

April 26, 2015 2:24 PM

Anura on Signed Copies of Data and Goliath:

@Wael

For verifying, if he signs a text-only version, you could just manually copy the text into your computer and verify it that way.

"Hmm... Verification failed, let me check... Aha! He had a typo on page 173 that I didn't copy correctly. Now it passed signature verification!"

April 26, 2015 1:40 PM

phil on The Further Democratization of QUANTUM:

@matt: maybe not (easily) for a MOTS attack, but with packet injection using a MITM attack (like used with China's Great Cannon GitHub attack), it should be possible to block the original package from ever arriving, no? I read on the FoxIT website that duplicate sequence numbers are used to detect if content differs. They talk about TTL and other IP header anomalies as a detection method (but those don't sound very robust as a detection method to me). That CheckQuantumInsert of stream_quantuminsert-snort-2.9.7.2.patch looks to me like it only checks the sequence number duplication. Maybe I missed the code for checking TTL and other anomalies?

April 26, 2015 12:51 PM

JonKnowsNothing on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

The NYTimes (boggles) actually NAMED NAMES in an article that exposes THE CIA US DRONE KILL program is run by those same upstanding Americans that brought you THE TORTURE program and waterboarding as recreational fun.

The drone kill program of precisely targeted and timed assassinations is so accurate that the US has no idea whatsoever of who the bombs are hitting. The best of the best PREDATOR drones flying precision bombing paths with such accuracy that anything they hit counts. It's such a great feature that the CIA regularly show the SNUFF videos to the Congressional Oversight Committees. Each assassination mission is personally signed off by POTUS Obama with the clear indication that we are supposed to HIT SOMETHING.

note: The drone program uses the best of the best metadata as General Hayden said "We kill people based on metadata". It uses all the latest tracers, tracers, spy works, satellites, IMSI cell towers and everything the NSA can funnel over to the CIA. The CIA has their own internal systems so they can double check that the NSA doesn't lie to them about the metadata and other targeting parameters.

Michael D’Andrea was the CIA Officer in charge of convincing Senator DiFi and others that the targeted drone kill program was actually killing their assigned targets and that civilian casualties were in "single digits".


Mr. D’Andrea was a senior official in the Counterterrorism Center when the agency opened the Salt Pit, a notorious facility in Afghanistan where prisoners were tortured. His counterterrorism officers oversaw the interrogation and waterboarding of Abu Zubaydah, Abd al-Rahim al-Nashiri and Khalid Shaikh Mohammed.

Michael D’Andrea has been replaced by Chris Wood. Wood was ultimately in charge of Alec Station, which ran the interrogation program along with the other Torture Stars. Wood is under investigation for "accidental" targeting of hostages and other SURPRISE! violations.

Best Quote:


When Ms. Feinstein was asked in a meeting with reporters in 2013 why she was so sure she was getting the truth about the drone program while she accused the C.I.A. of lying to her about torture, she seemed surprised.

“That’s a good question, actually,” she said.

Deep Support in Washington for C.I.A.’s Drone Missions
By MARK MAZZETTI and MATT APUZZO, APRIL 25, 2015
http://www.nytimes.com/2015/04/26/us/politics/deep-support-in-washington-for-cias-drone-missions.html?partner=rss&emc=rss&smid=tw-nytimesworld&_r=2

http://en.wikipedia.org/wiki/Snuff_film

April 26, 2015 12:49 PM

singsang on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@Andrew
So I think about it this way.
Who has caused more harm in the last 50 years, governments or others? Others include murderers, pedophiles, terrorists and all the other bad guys. Cambodia? Russia? Cuba? China? Kazakhstan? Saudi Arabia? North Korea?

You may live in America and think that in the last 50 years your government has done more good than harm. But that's not the case for the rest of us, so even if you try to hold up your country's government as something to be followed. For us, that have lived or still do under a government that lied, just like yours, it's hard to tell the good guys that tell lies from the bad guys that tell lies.

I'm not going to argue who are good and who are bad, where the line is or any of it. As long as you can understand where I'm coming from, what fear I feel, then I'll be satisfied. A lot of different people will come to different conclusions when it's about social issues.

April 26, 2015 12:02 PM

JonKnowsNothing on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

re: @Andrew Wallace

I guess @Skeptical is on vacation. Hope he's having a good time in Yemen. Great scenery and lots of daily fireworks: the Disneyland of the M/E.

@Andrew Wallace


https://www.schneier.com/blog/archives/2015/04/friday_squid_bl_475.html#c6694453
If I had 45 minutes to investigate someone before something bad happened.
I would want all the data pre collected to be able to make a quick assessment to pass to Special Branch SO15.
That is the theory behind the mass data collection. It is not about you or I going about our daily routine

Andrew: your timetable is a bit off here. iirc the actual timeframe before "something bad happened" isn't 45 minutes. If it were we wouldn't be having much of a discussion about it. It's 1-2 minutes MAX. Preferably less than 30 seconds. How long do you think it takes to detonate a bomb? Ask the folks in Boston.

Since you are referring to Special Branch (UK) you all have very good notions from your Northern Ireland Troubles which date back to pre-Eliz-I and haven't gotten much better in the last several hundred years. All your centuries of policing hasn't made a dent there.

This issue is encompassed in "Predictive Policing". It's about predicting your future behavior based on your past action and trawling for something, anything that will ID you based on your historical data.

The concept here is simple: If Amazon can ID you by your book preferences, so can the Police States of the World. If Target can ID and insta-spam pregnancy tests and baby stuff based on a search phrase/word, the Police States of the World want to know you just that quickly. The micro-ad-agency-spam-auctions take place so fast that the page can update the ad between the time the page is requested and the time it's displayed on the screen. The Police States of the World want this ability too. And that's not 45 minutes by a long shot.

This ability is also called a General Warrant. This is outlawed in the USA and was one of the reasons behind the split from our historically joint King and Country. After which it became your King and Country but not ours, thank you very much. You still have this problem with The Anointed Ones, while we get to deal with the Dreidel Game.

I recommend you increase your knowledge base by reading a great book:

Data and Goliath. Author: Bruce Schneier.


@Andrew Wallace


https://www.schneier.com/blog/archives/2015/04/friday_squid_bl_475.html#c6694447
You can vote in a different Government if you are unhappy with the current government. That is what democracy is for.

Indeed we can vote but how are those votes gonna be counted?

I guess you could ask that really up front Tory Pol who managed to delete the Tory Policy Archive along with his shady web business dealings and has now been "accused" of hacking his own Wiki Pages? He would be an expert on how to fix the elections with the following publicly known methodology.

https://www.schneier.com/blog/archives/2015/04/an_incredibly_i.html

So how would someone use these vulnerabilities to change an election?

  1. Take your laptop to a polling place, and sit outside in the parking lot.
  2. Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
  3. Connect to the voting machine over WiFi.
  4. If asked for a password, the administrator password is "admin" (VITA provided that).
  5. Download the Microsoft Access database using Windows Explorer.
  6. Use a free tool to extract the hardwired key ("shoup"), which VITA also did for us.
  7. Use Microsoft Access to add, delete, or change any of the votes in the database.
  8. Upload the modified copy of the Microsoft Access database back to the voting machine.
  9. Wait for the election results to be published.


Works for votes, works for anything electronic.

If you don't like that we could offer you some "hair forensic specialists" from the FBI to train your guys better. Our guys did superb for 20 some years. We got a few more of those types hanging out in the FBI/CIA too just in case you need more backup.

References:

General Warrant

In general, customs writs of assistance served as general search warrants that did not expire, allowing customs officials to search anywhere for smuggled goods without having to obtain a specific warrant. These writs became controversial when they were issued by courts in British America in the 1760s, especially the Province of Massachusetts Bay. Controversy over these general writs of assistance inspired the Fourth Amendment to the United States Constitution, which forbids general search warrants in the United States.

http://en.wikipedia.org/wiki/Writ_of_assistance

Dreidel Game


Each player spins the dreidel once during their turn. Depending on which player side is facing up when it stops spinning, they give or take game pieces from the pot:
a) If נ (nun) is facing up, the player does nothing.
b) If ג (gimel) is facing up, the player gets everything in the pot.
c) If ה (hay) is facing up, the player gets half of the pieces in the pot. (If there are an odd number of pieces in the pot, the player takes the half the pot rounded up to the nearest whole number)
d) If ש (shin) or פ (pei) is facing up, the player adds a game piece to the pot (often accompanied with the chant "Shin, Shin, put one in"). In some game versions a Shin results in adding three game pieces to the pot (one for each stem of the Shin).
If the player is out of pieces, they are either "out" or may ask another player for a "loan".

http://en.wikipedia.org/wiki/Dreidel

April 26, 2015 11:38 AM

mice on "Hinky" in Action:

I take an opposite view, I think, from people on this blog about cops and police; their role in society does positive things, even though I could be classed like Thevoid.

The one thing I don't like about the topic is they only prove guilt, they don't prove innocence. They need a blackhat/whitehat system. Sure, for the initial start they can be focused based on guilt, based on everyone being guilty of something, but then early on they need to have the other team as part of the inquiry to get a better hit rate.

April 26, 2015 11:23 AM

Hey on The Further Democratization of QUANTUM:

@Eric

It sounds like what you described is some sort of social analysis tool. It scrutinizes people's viewing behaviors in order to predict fetch when they opt-in to your app. As you've said, this can apply to all sorts of social behaviors, search engine results being one. Neat trick.

But as the old saying goes, prediction is the mother of all farkups. B-)

April 26, 2015 11:21 AM

Supermonkey on The Eighth Movie-Plot Threat Contest:


Who Smells John Gault?

Act one:
A cop sees a man shoot and kill a woman, then stand over the body and laugh. He rushes over and demands the murderer identify himself. The killer pulls out his cellphone and says, "My ID is encrypted! Good luck, piggy!" and laughs like a muppet on meth. The cop shakes his head. He pleads with bystanders who filmed the murder on their cell phones, but they just show him their encrypted folders and walk away. The cop goes into a bar to drink away his sorrow. He formulates a plan.

Act two:
A utopic society in a beautiful green valley. The cop is now a John Gault-type who has created a society with no encryption and no secrets. Everyone walks around happily naked and we see one old man sniff the air and say, "Who farted?" and several people raise their hands contentedly. A young couple walks past the cop and says, “I hope your erection problems get better.” The cop smiles and nods.

Smash cut to act three:
Back in encrypted society, we see that everything has ground to a halt. People can't purchase things with credit cards since the companies have encrypted their databases and no one can access them. Phone calls and emails are all useless because people encrypted everything. One small child sits on the curb and cries because they wanted to become a doctor when they grew up, but all the information that they wanted to learn in school is encrypted. The scene fades out on Mad Max-types working on homemade armoured cars and sharpening chainsaw blades.

Epilogue:
After the credits, we see the cop, now an old man, stepping out from the walls of his free-information Shangri-la with his naked followers into the blasted landscape to bring hope back to the world. As they spread out across the land, the final scene is an old, naked lady who finds a ragged, savage survivor huddled in a pile of cellphones, desperately trying to remember her password and failing. The utopian savior bends down, and whispers to the barely-human survivor “Shaved assholes turn me on….”

April 26, 2015 11:05 AM

gordo on Verizon Tracking Mobile Internet Use:

@ 65535

Snort probably is not made for iphones and may be of little help with mobile carriers.

That appears to be so:

https://stackoverflow.com/questions/29668852/how-to-monitor-packets-using-snort-features

However, the below proof-of-concept might solve that:

DIY-Cellular-IDS [CIDS]:

For less than $300, LMG created a CIDS by modifying a Verizon Samsung femtocell and redirecting traffic to a Linux-based Snort server. To test the effectiveness of the CIDS, LMG infected a smartphone with the Android.Stels malware and developed custom-written Snort rules to detect it.

Source:

Do-It-Yourself Cellular Intrusion Detection System
LMG Security, July 24, 2013
http://lmgsecurity.com/whitepapers/DIY-Cellular-IDS_2013-08-01.pdf
[77 pages]

...and here's the DEFCON 21 demo/presentation on YouTube:

Do-It-Yourself Cellular IDS
Published on Feb 23, 2014
https://www.youtube.com/watch?v=RbmAr-I8A6E
[01:05:39]

April 26, 2015 9:11 AM

Charles Linton on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

Thanks, Andrew for the alarming security news. Please tell us more, especially about Britain's pervasive rings of child-molesting predators in high positions getting blackmailed by foreign intelligence organizations. The UK's impressive sources and methods and technical means must provide a lot of important information on that. Thanks again!

April 26, 2015 8:30 AM

anonymous on The Obsolescence of Submarines:

How does the Navy detect Russian submarines with nuclear weapons in the North Pole area???

I'm talking about under-ice patrolling. For a month or half a year or something.

There are many kinds of special technologies to connect with them, by special sonar with ocean cable.
There are couple of points in the ocean, where submarine would connect to the earth by this cable.

Say, completely autonomous, for year.

April 26, 2015 5:32 AM

Wesley Parish on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@Andrew Wallace

I think the major reason I could give for not trusting LEOs with an infinite amount of data is their consistent lack of ability to do anything with what they've previously made do with:
http://www.stuff.co.nz/national/crime/67904722/coroners-probe-why-did-dunedin-father-edward-livingstone-kill-his-children
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11208525
http://www.odt.co.nz/news/dunedin/340047/something-amiss-livingstone

I'm sure others can point you to the case of the Boston bombings, which happened in spite of the two brothers already being known to Russian internal security and this information being passed on to the US authorities.

Plus, one can always use that metaphor of the needle in a haystack; the bigger the haystack, the harder it is to find the needle. The basis for that metaphor is not a given number multiplied by itself: n squared; it's a given number multiplied by itself multiplied by itself: n cubed. Deciding which dog stole my sausage is easy when it's one of three; how much easier it is when it's one of nine; how infinitely easier it must be if it is one of twenty-seven.

April 26, 2015 1:41 AM

thevoid on "Hinky" in Action:

@Anony-mouse

This is "what works" in the sense that it catches some bad people, but how many good people does it also sweep up?

My son is on the Asperger's spectrum, and despite years of working with him on social interactions he is still incapable of looking someone in the eye, and always looks uncomfortable and is fidgety ("hinky"?) in conversations with other people. Will he always be under suspicion? Is he in for a life of additional questioning?

as an aspie myself, sorry to say, he probably will. this has been something that has weighed on my mind for a number of years now, and has even come up on this blog before (once was on a post about a 'nervousness detector').

especially as they use automated behavioral detection, i envision a future where i am always stopped, because some computer flagged me. "our algorithms say you are suspicious" (ie don't act 'normal').

people have too much faith in technology ("but the computer said so!"), and as everything goes to hell, and shit-for-brains run things, i fear being caught up in this myself, because i am really incapable of acting 'normal', even if i wanted to (i don't) and knew how.

i have a good deal of nervous control, but as i approach middle age i still get 'nervous' (but not necessarily anxious). sometimes i worry that people may even think i am on drugs eg coke, meth.

we do get better at some things over time, i couldn't look people in the eye until i was about 17-18. i am still not comfortable with it nearly two decades later, but (slow) improvement.

(and a minor point, it is the "Autism Spectrum" that Aspergers is classified as part of.)


@sofakindb

In conjunction with what @BrentC said, it is not one thing. It is a totality of circumstances much like detecting lying. You need a baseline on how people answer questions truthfully based on reflective type questions. Then you probe and ask harder questions. Aspergers may account for some things but it will not account for all things.

i like your analysis of these mechanisms, it is really quite good, but only applies to non-autistics (neuro-typicals or NTs). i will address individual points below.

we are very different, really a subspecies (probably not the right term, but a natural variation, like a black leopard). our brains are actually structured differently physically.

these tests really would work on NTs, and asking questions as you say does work quite well. in fact, i believe good questions and observation are probably all a good interrogator needs (no need to 'enhance' the interrogation).

they all however rest upon the assumption that, as you say:

When people lie there is so much to think about it creates increased cognitive load. There is more effort involved in lying than there is to tell the truth.

which is generally true, however...

if we (aspies) are just talking to someone we are probably already in cognitive overload (unless we are talking about one of our 'special interests' in which case we go on and on and on...)

in fact, in the post above, when Bruce relates the story of the potential LAX bomber, i was thinking at first "is this about Autism/Aspergers" until i read further. his behavior really does sound like typical autistic/aspie anxiety from an unstructured social situation.

we are taxed even trying to hold the most basic conversation. stress and anxiety are generally the normal condition for an autistic (in a social situation) so yes, it can indeed account for everything you mention.

nobody has a baseline for autistics and we are fairly rare (or at least uncommon). and that is a problem for us. no one seems to have any knowledge of autism, and there really are too few of us overall for a system of averages to care.

we have trouble with situations where there is nothing really at stake. being profiled is exponentially worse for us than for an NT. any non-structured conversation is stressful, and anything more could easily overload us, especially being singled out.

just saw a doc on pbs about autism/aspergers. one autistic fellow related that the ending of The Jungle Book (the movie) was the saddest thing he ever saw, since Mogli leaves with the humans (i guess into their 'warm embrace'). it was sad to him because he was thinking "you don't want to go with them, trust me" (he certainly would have liked the book though, pretty much the opposite ending, and opposite view of humanity).

many of us see the whole of humanity as basically predatory. we're very often prey, so it is logical. probably one of the main reasons why PTSD is so often a comorbid condition.

the vast majority of people have an instinctual trust of humanity, and don't see this problem (and even if you are the suspicious type, you still have that instinct). NTs take this for granted, you don't know how much of your civilization is predicated upon a certain amount of blind instinctual trust. so you probably cannot understand this at all (though perhaps certain oppressed minorities may).

to us, being singled out by authorities may be about the same as a pack of wolves descending on us. i'd probably be less frightened by the wolves. i understand them, what they want, what the consequences are. life and death, violence. simple.

likewise, i find the rules of the underworld easier to understand, and i am less fearful around it (to be clear, i was born into/live around such elements, i don't associate by choice). i find very real threats to my life to be less stressful than unstructured conversations, and that is not an exaggeration. i will relive the conversation in post-traumatic flashbacks, but not the life-threatening situations.

and i fear cops more than gangs. maybe the cop is a decent guy, maybe he is an asshole on a power trip. i can run from the gangs. cops not so much. i also have a fighting chance against gangs. once again i'd prefer the wolves (or gangs, this from experience). especially since such threats such as gangs/wolves are localized. with cops you have a whole system against you.

The truth also doesn't change, it is the truth and that is all there is.

we're into philosophical territory here. i believe in an ultimate truth, but as a skeptic don't believe it is really attainable. there is also truth *as we perceive it*. yes, we do know when we are speaking contrary to belief, even if subconsciously, and it does show.

The truth does not need the almighty's endorsement either, "I swear to god!" Lying on the other hand the stories do change.

my idea of what is essential and what another's (NT) idea is are very different. we notice and pay attention to very different things. different things are important to us. "a normal person would have mentioned X" or "a normal person would have done Y" is not applicable to us, since, well, we are not normal. by definition.

and i have been accused of changing my story when i added data that i had not considered or thought necessary to relate originally. really their interpretation of the story changed with more data. they thought the new data should have been obvious for me to relate the first time since it changed the meaning for them, but we lack 'social empathy', and such 'obvious' things are anything but for us.

the biggest Autistic/Aspergers support site is wrongplanet .net. think about that name. (i say: men are from mars, women are from venus, and aspies are from vulcan.)

some of us also have Auditory Processing Disorder, and may completely mishear something. "interrogator: when i asked you X you said yes." this has happened to me a number of times, thankfully in non-critical circumstances, but it has been an issue and caused problems.

There is an excess of words to attempt to sell the lies, "I'm gonna tell you how it went" or "Actually this is what happened, really?"

and aspies tend to be Verbose, and unusually honest (we lack filters). sometimes we just like explaining every aspect of something, in *painful* detail (pun very much intended.)

these are *DIAGNOSTIC CRITERIA*.

back to social difficulties/anxieties, we are often anxious because we don't know exactly how to react, and we tend to over react, and...

for instance, if someone just stares at us, some of us may keep going on because we are nervous, because we don't quite understand what is going on, and don't know what else to do. we're not anxious because we know we are guilty, but because of (normal) anxiety we will be seen as guilty.

The cortisol runs rampant through a person, they twitch, they itch, they try to hold themselves tight and not shake or leak damaging non-verbal communication. The skin turns red.

that sounds like the reaction of an aspie/autistic to almost ANY social situation, let alone one where authorities (wolves) corner you. many autistics even shake under normal conditions, let alone under stress.

we get nervous just being in public, moreso when having to deal directly with someone. and being interrogated?

the interrogator is unlikely to overcome his own instinct/conditioning, and probably believes, like most of the populace, that not looking into someone's eyes automatically implies guilt, and we are treated as such.

and we know that this happens. and the fact that we don't know what to do makes us even more anxious. it's a vicious spiral.

Have them draw the story they are telling, it is much easier with the truth. Have them tell you the story they just told you backwards, it is much harder to tell a lie backwards accurately.

this is the one thing that MAY work on an aspie.

unless they are ultra-stressed and in fight/flight/freeze mode. brains on too much adrenaline don't always work properly. that can chemically affect one's brain, indeed one's cognition (we can have 'meltdowns' where the logic centers of our brain may actually be affected).

Maintaining eye contact increases cognitive load, if they are already taxed by lying it adds to the problems they have internally.

and you didn't read what Anony-mouse said. it is taxing for us aspies to look anyone in the eye, ever, for ANY reason. forcing us to keep eye contact is almost torture.

though somewhat strangely, i can look someone in the eye if i sense hostility. the rules are simpler, so i understand them, and know to reciprocate eg stare them down.

just a few months ago i read a scientific article where they casually mentioned eye-avoidance as characteristic of lying. i am a compulsive truth teller, yet have had difficulties in the past (particularly in childhood) with this. normal people seem convinced you cannot be telling the truth, unless you 'look them in the eye'. i'm approaching middle age, and still am uncomfortable with eye contact.

personally, this issue of eye contact pisses me the hell off. that i am constantly judged to be a liar and lowlife, etc just because i have trouble looking people in the eye. and then they feel fully justified treating you that way. if you don't look people in the eyes, in general, that is their automatic judgement ("he's hiding something." "he's up to something.") i would actually be better off staring them down, i really would be judged less badly, as humans/primates prefer assholes to oddballs.

on a (eye-contact) related note, the Wodabi tribe in africa considers looking too long into someone's eyes a violation of privacy, and quite rude. they make short, sidelong glances at each other. i would get along well with them.

Think of it all like field sobriety tests. Some people cannot balance, no problem, some people cannot count, no problem, some people cannot do their ABC's, no problem, but everyone can do at least a few of the tests unless they are impaired.

and aspies are almost automatically overloaded if they are even in public. it is taxing to be in ANY social situation, let alone something like an airport, which would tax our sensory sensitivities as well. some are also uncoordinated, which perhaps could be read wrongly.

Unless you are dead, there is something, or a few somethings, you can test to determine impairment. The same goes here. You are looking for things that don't fit. Much like I believe you as a parent can tell when your own child is lying. It is not a checklist per se, but more of a collection of things to be aware of. It is easier to check for those from the outside observer, than it is to control them on the inside by the subject. This is why usually in interviews one officer talks and the other observes.

and if they have no idea that Aspergers exists, and how it functions?

we're always going to be 'off'. that's how (most) people react to us. their 'gut' tells them there's "something wrong with him/her." and these are exact quotes, and while sometimes the latter one has been said in jest, often it is not. often enough it is said with a sneer.

normal people speak a certain sign language that we are deaf (or rather blind) to, and because we don't speak it, we are almost invariably judged badly. (and, btw, this is the REAL language people speak in. words don't usually matter, this sign language does.)

so we aspies are always 'hinky' to NTs, since we don't speak your 'secret code', or are not on what seems to us your 'psychic network'. so we are outsiders, and many react with (unsurprising) hostility. this is basic primate psychology really, instinct. there is a hostility to anything that doesn't fit in one's ingroup. and we don't know how to fit in a social group at all, so we are pushed to the fringe, bullied, etc. a lot of this is established science (evolutionary psychology).

wanna know why so many of us have PTSD? how many are on anti-anxiety medications?

do you know what it is like for whole groups of people to turn on you, because you don't smile at the right time? or some other, equally stupid, meaningless gesture?

the fact that i am a veritable saint? doesn't seem to matter. because 'they know' better, because their 'gut' tells them so.

the irony, some people who bother to get to know us, usually love us (i speak from experience). largely because we don't have those primate/social instincts, of which for instance bullying is a part. we tend not to lie, we don't play petty social games, etc. we're often 'childlike' in the positive sense of that word (whereas the rest of humanity seems to me to be 'childish').

but because we can be marginalized, the system will pile on us even more, remorselessly, because nobody will really care, since "there is something wrong with you/him/her/them." and since we're rarer than any other minority, no one's going to do shit for us. look how American Indians still get shat on, and there's many more Indians than autistics. and despite some still extant latent racism, Indians are seen more positively than autistics.

but unlike other minorities, we don't even have our own kind to fall back on, we have no support structures.

even medical professionals who are supposed to work with autistics are amazingly ignorant of autism. how much less understanding are you going to get from some rent-a-cop? (or even a real one for that matter.)

i don't envisage anything getting better, and as things get worse overall, once again it will affect us autistics exponentially. do you really think authorities care enough to train their agents properly? not bloody likely.

and i've seen little evidence that institutions can improve on people, and less so now than ever, so i don't see society ever 'wising up' and becoming any more thoughtful and tolerant.


i understand the greater point that Bruce is trying to make, as he's said before, basic detective work is still the best method. but as much as i respect Bruce (and he's one of the few sensible people i've read over the years) i cringe when i hear this particular idea of his. i would think a mathematician wouldn't trust people's 'guts', which is what this all boils down to. be on the receiving end of this for a few decades and decide for yourself if their 'guts' have any fucking sense at all. maybe they are right sometimes, some people's might be better than others. but i KNOW i am a saint, by objective criteria. yet what do their 'guts' tell most of them? outsider! enemy! victim! prey! (or sometimes even: predator!)

as Anony-mouse said:

Will he always be under suspicion? Is he in for a life of additional questioning?

sadly, yes. and i would know.

"and many a one who fled into the wilderness, to suffer pangs of thirst amongst beasts of prey, did so in order to escape MAN." -Nietzsche


@Martin Walsh

If the shit designed systems work so well, then why can't they catch the psychopaths that don't appear nervous, EVER?

this is a great point, although the official psychological designation for what you are referring to is "sociopaths" (not psychopaths). indeed, they are incapable of fear or shame (or even pain, btw). they may plant bombs and such, though not the type to be _suicide_ bombers (they are about pure self interest).

some informal studies have found CEOs present at about 4x the rate of the average population.

on a personal note, this bothers me greatly, as sociopaths are generally well liked by the populace, because they can do all those social things. we aspies, who cannot, are generally despised, despite the fact that we have far superior character to socios, by the standard humans SAY they value (ie truth, justice, etc). humans value smiling, lying sociopaths more than blunt, truthful aspies.

April 26, 2015 12:24 AM

Clive Robinson on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@ Steve37,

The OS is not a reliable place to catch Stingray etc from.

The reason for this is it effectively gets the data via the SIM, which can be reprogrammed etc via the OTA interface, so could be programmed to lie to the OS.

Which is what I would expect to happen if a reliable app to detect IMSI catchers was developed, due to the level of investment the authorities have put into the technology....

On a side note you can get "engineering / development" SIMs that work in ordinary --ie non smart-- phones that display the same sort of information the prospective app does. Such SIMs are currently not that difficult to get hold of and I've five or six of them in my workshop.

For those that want to "roll their own" solution there are "GSM shield boards" for various micro-controller boards popular in the "maker community" such as the Beagle Bone and Raspberry Pi etc. These boards usually have chips on for which the data sheets are available that tell you more than sufficient information to do this.

Oh and the likes of Google already use the cell tower ID info to get an approximate location fix when GSM is either absent or off in a smart phone.

Thus Google has a list of legitimate cell tower IDs which would not include the portable IMSI catchers for obvious reasons.

Perhaps it's time for those volunteers cycling around taking GPS readings for making maps etc started collecting Cell Tower IDs and putting them up on the web as well...
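As an added example (not code from the comment above or from any project it mentions): a small Python checker that compares the cell identities a phone or GSM shield reports against a locally held list of known towers and reports every serving cell that is not on it, which is the comparison the comment describes. The observation log format, the known-tower list and the observations are all constructed here for illustration; in practice the list would come from the kind of crowdsourced collection the comment suggests.

```python
"""Flag observed cells that are not on a locally held list of known towers.

Added example: a list of legitimate cell tower identities would not
contain a portable IMSI catcher. This script parses a constructed
observation log (one cell per line, roughly as an engineering SIM or a
GSM shield might report it), compares each cell's MCC/MNC/LAC/CID
against a constructed known-tower list and reports the cells it has
never seen. Nothing here talks to a real modem.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

CellKey = Tuple[int, int, int, int]  # (mcc, mnc, lac, cid)


@dataclass(frozen=True)
class Observation:
    t: int          # seconds since the start of the walk/drive (constructed)
    cell: CellKey
    rssi_dbm: int


def parse_known(lines: Iterable[str]) -> Set[CellKey]:
    """Parse 'mcc,mnc,lac,cid' lines into a set of known tower keys."""
    known: Set[CellKey] = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mcc, mnc, lac, cid = (int(x) for x in line.split(","))
        known.add((mcc, mnc, lac, cid))
    return known


def parse_log(lines: Iterable[str]) -> List[Observation]:
    """Parse constructed 'key=value' observation lines; anything else is skipped."""
    out: List[Observation] = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        try:
            cell = (int(fields["mcc"]), int(fields["mnc"]),
                    int(fields["lac"]), int(fields["cid"]))
            out.append(Observation(int(fields["t"]), cell, int(fields["rssi"])))
        except (KeyError, ValueError):
            continue  # not an observation line (modem chatter, blank line)
    return out


def unknown_cells(obs: Iterable[Observation], known: Set[CellKey]) -> Dict[CellKey, dict]:
    """Return, per cell absent from the known list, how often it was seen,
    its strongest signal and when it first appeared."""
    report: Dict[CellKey, dict] = {}
    for o in obs:
        if o.cell in known:
            continue
        entry = report.setdefault(o.cell, {"count": 0, "max_rssi": -200, "first_t": o.t})
        entry["count"] += 1
        entry["max_rssi"] = max(entry["max_rssi"], o.rssi_dbm)
    return report


# Constructed data: three known towers, and a log in which an unlisted
# cell appears with a much stronger signal than its known neighbours.
KNOWN_TOWERS = """
# mcc,mnc,lac,cid
262,1,4711,10001
262,1,4711,10002
262,1,4712,10003
"""

OBSERVATION_LOG = """
t=0   mcc=262 mnc=1 lac=4711 cid=10001 rssi=-78
t=10  mcc=262 mnc=1 lac=4711 cid=10002 rssi=-85
t=20  mcc=262 mnc=1 lac=4711 cid=65534 rssi=-51
t=30  mcc=262 mnc=1 lac=4711 cid=65534 rssi=-49
t=40  mcc=262 mnc=1 lac=4712 cid=10003 rssi=-90
garbage line from the modem
"""


def run() -> Dict[CellKey, dict]:
    """Check the constructed log against the constructed list and print a summary."""
    known = parse_known(KNOWN_TOWERS.splitlines())
    report = unknown_cells(parse_log(OBSERVATION_LOG.splitlines()), known)
    for cell, info in sorted(report.items()):
        print(f"unknown cell mcc={cell[0]} mnc={cell[1]} lac={cell[2]} cid={cell[3]}: "
              f"seen {info['count']}x, strongest {info['max_rssi']} dBm, "
              f"first at t={info['first_t']}")
    return report


if __name__ == "__main__":
    run()
```

A cell missing from the list is only a lead, not proof: operators add and renumber cells, so a stale list produces false positives, and the comment's own caveat applies, since the SIM that supplies these identities could itself be told to lie.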

April 25, 2015 11:56 PM

Bob on The Eighth Movie-Plot Threat Contest:

All strong crypto has been banned from private use. This combined with pervasive surveillance and strong AI has brought about a near utopia. Opens with a shot of police work today - the criminal slips a wallet from an attractive woman's purse. The AI alerts local officers and tracks the criminal via public and private cameras. Upon apprehending the criminal, his smart phone is decrypted and a pickpocket ring revealed.

However, the upper echelons of government preserve their right to use strong crypto, and their secrets. Officer Smith responds to a shooting, and the victim removes a nano SD card from her mouth, explains the FBI needs the information to stop the Secretary of the Interior from assassinating the eight people between him and the Presidency, but is shot halfway through revealing the passphrase.

A tragedy, the movie follows Officer Smith and her AI avatar's futile attempt to work in a world they aren't used to, a world where secrets are kept through physical violence and strong crypto.

April 25, 2015 11:06 PM

Thoth on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@Andrew Wallace
What is your view on Escrow Encryption Standards ? Will we be heading to EES v2.0 with AES as the cipher for a new EES for everyone to use instead of EES v1.0 that uses Skipjack ?

It is quite amusing to notice how the balance of technology and openness of views can create so much anxiety, and especially something that worries Governments of so-called Democratic Societies, where the Internet and modern computing technologies have been seen by these Democratic Govts' as a threat to civil and national order.

In your view, what do you think the Govts' can do better, on the one hand to preserve privacy and quell anxieties instead of pushing more paranoia into the open Security Communities and making people so much more uneasy (as you can tell from the comments in this blog), and on the other hand to be capable of doing their jobs as "Civil Servants" of their respective Nations and societies?

April 25, 2015 10:38 PM

Hello World on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

Don't shoot the messenger. For he merely delivers messages. @AndrewWallace provides a valuable non-profit service via his twitter feeds, IMHO.

"Why do you think we are undergoing a worldwide transition toward electronic mass surveillance in the image of NSA Collect-it-ALL? (Laws and Rights be damned.)"-Bob S.

My favorite analogy is the arms race back in Cold War days. It is a general census of one-upmanship. We've built to destroy ourselves a hundred times over, and it will likely be the same that we will build to watch ourselves 100 times over until we eventually realize it.

"I remember when the vision of technology was to make us freer
better informed and a lot happier. "-tyr

Yes and there is still hope for that.

April 25, 2015 9:55 PM

65535 on Verizon Tracking Mobile Internet Use:

@ Steve Friedl

“If this is working for the cellular carriers, isn't it just a matter of time before the cable/DSL carriers start doing the same thing?”

Eventually, I would suspect these injected headers would be used with DSL/Cable. But, with a fixed location DSL/Cable connection the DSL/Cable companies already have your IP, location and all billing information.

The troubling aspect of any http injection is the chance of a key logger or other malware being loaded on your cell phone.

I am beginning to hear stories of the Quantum family of bugs and other modular malware being put on civilians' Android and iOS phones by private investigators. Packet injection [and/or page/link redirection] could be the infection vector.

This malware is probably used in high-profile divorce cases where one of the two sides' lawyers is trying to ascertain the next legal move by his adversary.

In short, the Vup@n and the Hacking Te@m style of modular malware are now being used by private investigators on civilian iphones for monetary gain.

@ Nick P

Tangentially, it looks like Fox-IT has made progress with a Snort add-on to detect Quantum injections.

I would like to hear from some experts as to the effectiveness of this software to detect packet injections and remediation. This Fox-IT software appears to work best with man-on-the-side “race condition” http injections.

From what I understand, it flags duplicate packets with payloads 10% +/- differences at the snort firewall.

Take a look at the link Nick P and let me know if this stuff works [to harden against http injections at the office].

http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/

I don’t know how well the above would work against header injection from mobile carriers [The AT&T and Verizons of this world really control what comes out of your connection - which they control… not to mention their abusive TOS agreements]. Snort probably is not made for iPhones and may be of little help with mobile carriers.

April 25, 2015 6:40 PM

Mechanical Purple Turk on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

Andrew messed the bed with his nocturnal emission of 5:08. (Andrew's quite the Zulu nightowl, have you noticed?) His 'statutory duty to protect the public' is legaloid baby talk. If Andrew knew what he was talking about, he would be able to reconcile whatever he's trying to say with the European Communities Act 1972 and the precedent of the IPT's first and second Judgment of 5 December 2014. Don't hold your breath waiting. He can't explain his nonsense.

Whether Andrew is a USG persona is a worthwhile question. Several of them have posed as anglophone foreigners. Andrew's twitter feed reads like half-baked pocket litter and his awkward unfamiliarity with state duties and the responsibility to protect makes him sound like a US grunt. That makes Andrew's simpleminded message worth a closer look as kindergarten propaganda.

April 25, 2015 5:23 PM

Moderator on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

Andrew is persistent and consistently civil. The fact that he disagrees with many other readers' positions is no reason to ban him. Whether he might qualify as a "shill" or not is beside the point. The devil's advocate is welcome as long as he doesn't get nasty.

Accusations of "shilling" are the equivalent of lay psychiatric diagnoses. It's all ad hom and doesn't work as argument.

Who is not behaving these days are the comment spammers who have been flooding this forum with nonsense posts. Many are coming from IPs associated with malicious activity. I'm doing what I can to minimize their occurrence. Please don't hesitate to call my attention to the latest incarnation.

April 25, 2015 4:53 PM

BoppingAround on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

> Let me put this to you... If a crazy researcher was heading to an airport and you only
> had an hour to investigate an individual, you would be thankful for the mass
> collection programme.

To put it simply, if my grandmother had a dick, she would be my grandfather.

Nick P,
> Strangely, though, they still have defenders despite being caught in numerous lies
> about almost every aspect of these programs.

Altemeyer's The Authoritarians has been mentioned on this blog several times.
If you have some spare time, read it.

You’re not likely to get anywhere arguing with authoritarians. If you won every round of a 15 round heavyweight debate with a Double High leader over history, logic, scientific evidence, the Constitution, you name it, in an auditorium filled with high RWAs, the audience probably would not change its beliefs one tiny bit. Authoritarian followers might even cling to their beliefs more tightly, the wronger they turned out to be. Trying to change highly dogmatic, evidence-immune, group-gripping people in such a setting is like pissing into the wind.

[...]

High RWAs were quite interested in finding out the test was valid IF they thought they had done well on the scale. But if they had been told they had low self-esteem, most right-wing authoritarians did not want to see evidence that the test was valid. Well, wouldn’t everyone do this? No. Most low RWA students wanted to see the evidence whether they had gotten good news, OR bad news about themselves.

[...]

Authoritarian followers aren’t going to question, they’re going to parrot. After all, in the ethnocentric mind “We are the Good Guys and our opponents are abominations”--which is precisely the thinking of the Islamic authoritarian followers who become suicide bombers in Iraq. And if we turn out not to be such good guys, as news of massacres and the torture and murder of Iraqi prisoners by American soldiers, by the CIA, and by the arms-length “companies” set up to torture prisoners becomes known, authoritarian followers simply don’t want to know. It was just a few, lower level “bad apples.” Didn’t the president say he was sickened by the revelations of torture, and all American wrong-doers would be punished?

[...]

And while most Americans came to realize what a mistake the war in Iraq has turned out to be, high RWAs lagged far behind. They listen to the news they want to hear. They surround themselves with people who think like they do. They believe the leaders who tell them what they want to be told.

Sadly it seems I cannot find the exact piece that describes their behaviour. DEL, DEL, DEL. Found it.

When bad news spills out about things that high RWAs support, they want to be told it isn’t true. So some governments have gotten used to issuing “non-denial denials” and flimsy counter-arguments, because that’s all it takes and it’s so effortless. If a well-researched paper by a prestigious scientific body concludes that human activity is seriously increasing the amount of carbon dioxide in the atmosphere, culprit governments will say “the evidence is incomplete” and they will find someone, somewhere, with some sort of credentials, who will dismiss a great number of studies with a wave of the hand and give them the sound-bite they want.

Do read this book if you can.

April 25, 2015 4:05 PM

steve37 on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

BKA chief: State Trojan operational in autumn


Suspects who encrypt their communications on their PC or smartphone can no longer rely on not being spied upon in the future. "We are developing a tool with which we - after judicial authorization - go onto the computer of the alleged offender before its encrypted communications


https://translate.google.at/translate?hl=en&sl=de&tl=en&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FBKA-Chef-Bundestrojaner-im-Herbst-einsatzbereit-2621280.html


BKA-Chef: Bundestrojaner im Herbst einsatzbereit

http://www.heise.de/newsticker/meldung/BKA-Chef-Bundestrojaner-im-Herbst-einsatzbereit-2621280.html

April 25, 2015 4:00 PM

gordo on The Further Democratization of QUANTUM:

@ keiner

Not everyone votes in any democracy, therefore, said states are not democracies?

If voting is compulsory, is that democratic?
.

Here's one sense of meaning maybe closer to the phenomenon being considered:

THE DEMOCRATIZATION OF SURVEILLANCE


The term democratization refers to the broadening accessibility of online surveillance through a plurality of tools and services that could previously only be afforded by governments and large companies. This trend reverberates both in the private and public spheres, and corresponds to a wide range of rationalities sustained by business-oriented ventures, non-governmental organizations (NGOs), and social units such as families and groups of friends. Low barriers of entry to the world of online surveillance are responsible for this democratization. Contrary to other mass media such as television or newspapers, the marginal costs for the distribution of information on the Internet are very low, because expensive proprietary infrastructure such as satellites, fibre-optic cables, printing presses, and delivery routes are not required (Benkler, 2006). All providers of Internet services share the same infrastructure and the same data transfer protocols, also known as TCP/IP (Lessig, 2006, pp. 143–146). Therefore, large investments in capital assets are not required to start disseminating information, as millions of bloggers have found out. (p. 265)

Source:

Hacking the panopticon: Distributed online surveillance and resistance
Benoît Dupont
Surveillance and Governance: Crime Control and Beyond. 2008, 257-278

http://www.benoitdupont.net/sites/www.benoitdupont.net/files/Dupont%20HackingPanopticon%202008.pdf

April 25, 2015 3:44 PM

phil on The Further Democratization of QUANTUM:

If quantum-insert is trying to inject packets by being faster than the original packet, won't the original also still arrive? Can't intrusion systems then be made that wait a bit for the other to arrive, compare contents, and sound an alarm when the two packets differ?

April 25, 2015 2:53 PM

albert on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@Andrew
"...Those categories seem reasonable. I don't understand the issue here...."
OK, if John Oliver said that, it would be funny, but....

If you quote someone, please use an @ tag with their handle, so we can find it easily.
....
@Productive Elimination
"...Concentration camps are obsolete...."
I was talking about "detention centers". FEMA. The power of the LE/IC to do whatever they can get away with. The MSM propaganda machine is doing a fine job keeping the public in line. The key point for LE is not to overreact (i.e. Stasi/Nazi actions). The fact that the LE continues to allow their members to shoot unarmed black men is somewhat contradictory, unless the motive is to cause an uprising in black communities, in which case it is highly successful. You can deduce the intended LE response to a large black community uprising. Also, we have 25% unemployment, we don't need any more labor:) In that sense, 'labor camps' are outmoded. Do you think Hitler and the Nazis really believed their own propaganda about the inferiority of the Jews and non-Aryans? Or was it a means of popularizing the idea that it was OK to seize their money, possessions, land, and labor, and ultimately kill them. Wasn't there already an undercurrent of anti-Jewish sentiment across Europe at the time? This is what the Nazi propaganda built on. There's a similar undercurrent of anti-Muslim sentiment, world-wide, today. Y'all can connect the dots.
.
...

April 25, 2015 2:35 PM

Nick P on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@ rgaff

I agree. No censorship. We'll just call his BS on new threads with clear evidence. A post or two should suffice. We've wasted enough time as it is.

@ tyr

Thanks for the link. Interesting viewpoint. I've seen this in my own jobs. The bigger companies can even develop a culture that reinforces and justifies all the nonsense they do. It reminds me of what I learned studying cults, Nazis, and fascists. That's actually not too much a surprise given fascism was government-directed corporatism. Should've taught a democracy what business model *not* to emulate if we wanted our economy and country to be better across the board.

Good news is I have two counterexamples in that industry: Costco and Publix. Costco treats employees well, pays them well, even avoided advertising to pay employees more, and encourages innovation from within. It's highly profitable and rates well for its customers. Publix is an employee-owned company that focuses on high profit, quality, and service level. It treats employees similarly to Costco. Unlike Costco, it doubled its workforce during the recession. Result: highest profit and satisfaction rates in entire industry while being 7th largest private company in U.S. at time of writing.

The above companies treat people like people and give them strong incentives to get more profit. Well, that's combined with good business strategy and operations as well. Being well-intentioned alone obviously won't cut it. Yet, even in markets with razor-thin margins, companies that respect and listen to their employees are getting more results. This has also been demonstrated by many companies in diverse industries. Toyota's shakeup of automotive production by focusing on people and principles probably deserves mention.

So, American industry is full of assholes creating more assholes. Yet, exemplary companies in American and foreign industry show us that's not only unnecessary: it makes them less money. I hope more companies follow the better examples set by companies above.

April 25, 2015 2:16 PM

steve37 on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

After Hacks,
A Dark Web Email Provider Says a Government Spied on Its Users

The humble little email service is called SIGAINT, a small but growing email provider for the privacy-minded folks that’s entirely hosted on the dark web and boasts 43,000 users. The service has an obvious paranoid, anti-surveillance ethos, which becomes clear when you visit their site’s contact page.


http://motherboard.vice.com/read/after-hacks-a-dark-web-email-provider-says-a-government-spied-on-its-users

April 25, 2015 1:51 PM

rgaff on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@ moderatorplease

I disagree. That is to say, I agree with you that Andrew is a shill, but I disagree on asking the moderator to shut him up because of it. This blog so far, as long as I've been here, has generally been a model of mostly friendly open discourse, and to stay that way we must not ban people just because we disagree with what they're saying. Argue with them, sure, censor them, no. Obviously there are lines, but those usually are around not letting it get too nasty, not around not letting certain opinions be voiced.

April 25, 2015 1:38 PM

moderatorplease on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

Please remove and block Andrew Wallace from this Blog. His comments are little more than shill, ignorant strawman arguments. He refrains from responding to the ongoing discourse and instead continues his seemingly internal dialogue. This cherry picking dissonance is unwanted and unneeded.

April 25, 2015 1:09 PM

65535 on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@ JohnT

“NY Times said 4/23 that the Senate has passed a bill expanding the "authorities" eavesdropping powers to fight human trafficking. The expansion is mentioned in the 5th paragraph. The news item is "Senate Approves Stalled Human Trafficking Bill, Clearing Way for Lynch Vote" pg A16, 4/23… Does anybody have more info on this expansion of government eavesdropping?”

I am suspicious that this bill may be tied to the dragnet section of the 215 Act which is set to expire on June 1 of this year. It seems very opportunistic – but who knows.

[Techdirt 215 set to expire]

“This is even though the author of the PATRIOT Act, Rep. Jim Sensenbrenner, has said that the Act is being misinterpreted to allow mass surveillance and while President Obama himself has called for the program to be changed (though he has failed to step up and stop it himself, even though he has the power to do so).

“As we've mentioned a few times, however, much of this comes to a head in the next month and a half -- because Section 215 of the PATRIOT Act officially sunsets as of June 1st -- so if Congress doesn't pass legislation renewing it, the program dies…Meanwhile, Trevor Timm has a good overview concerning what's at stake:

‘”The massive phone dragnet is not the only thing Section 215 is used for though. As independent journalist Marcy Wheeler has meticulously documented, Section 215 is likely being used for all sorts of surveillance that the public has no idea about. There are an estimated 180 orders from the secret Fisa court that involve Section 215, but we know only five of them are directed at telecom companies for the NSA phone program. To give you a sense of the scale: the one Fisa order published by the Guardian from the Snowden trove compelled Verizon to hand over every phone record that it had on all its millions of customers. Every single one… the government claims that its other uses of Section 215 are “critical” to national security, it’s extremely hard to take their word for it. After all, the government lied about collecting information on millions of Americans under Section 215 to begin with. Then they claimed the phone surveillance program was “critical” to national security after it was exposed. That wasn’t true either: they later had to admit it has never stopped a single terrorist attack…”’

https://www.techdirt.com/articles/20150408/12031230593/crunch-time-surveillance-patriot-act-renewal-vote-next-month-key-metric-fight-against-surveillance.shtml


@ Nick P

“@ Andrew Wallace: I'm amazed you think it's reasonable for government to spy on people discussing security or critiquing some aspects of their country. These are harmless actions protected by the First Amendment. The only time we've seen law enforcement or intelligence agencies use their power against people in those groups was to (a) suppress dissent or (b) try to prevent exposure of corruption… [The NSA and other TLA’s] still have defenders despite being caught in numerous lies about almost every aspect of these programs. *That* makes paranoid types here start going over the deep end wondering who's a shill and who's just slow. I'm more focused on concrete details. They show people should be *extremely skeptical* of anything NSA or FBI says about these programs, encryption, or terrorism. Based on the military's own intelligence standards, these organizations are intelligence sources of the lowest quality: I rate them at E6 through and through.”

I agree. Nick, that was well put. I will not repeat your entire post – but your whole post surely merits reading.

@ Danger Mouse
“Hello Andrew Wallace… In the spirit of transparency, constructive community outreach and collaboration with the security researchers, please give us the details on the Metropolitan Police use of stingrays in London. How, when, where, who?”

Andrew Wallace, since you appear to be making a tax-free income from security advice and pumping these Intelligence Agencies:

“I tweet about physical security and resilience. I provide not-for-profit protective security advice to cross-sector organisations in business environments.”-Andrew Wallace

Why don’t you expound upon the Metropolitan Police's use of stingrays in London? You are the expert and are not “paranoid” explaining things, so go at it, mate.

April 25, 2015 1:00 PM

A.H.E.I. on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

If I had 45 minutes to investigate someone before something bad happened, a mass policy of compulsory ball-and-chain and 15 ml. of intravenous barbiturates every morning (to conveniently impair judgement) injected to every man, woman and child would help tremendously.

April 25, 2015 12:51 PM

Productive Elimination on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@albert

> "This doesn't mean that all Listees are going to be locked up"

Concentration camps are obsolete.

There are more modern methods for statist control of undesirable individuals.

Psychological manipulation can be used to shut down precise behaviors while leaving a person in place, able to function for tax-paying purposes. These are zersetzung tactics as used by the Stasi, and now by the US.

The statist logic for deploying these methods goes like this: we need to eliminate certain unhealthy elements of society, but why waste the product of their labor? Let us instead eliminate undesirables efficiently for the good of society as a whole.

In history there are a couple of examples of such productive elimination. In the 1920's the Soviets rounded up independent Ukrainian farmers who refused to work on collectivised farms. They were sent to work on construction projects. Exact calculations were done to determine how much food input was needed to get so much labor output while the prisoners were being worked to death. These expendable people were called "white coal" by the Soviets.

Nazi concentration camps worked the same way, but not at first. It was regarded as a great innovation when some Nazi official pointed out that much labor was lost to society by the immediate elimination of Jews. After that the camps were organized to extract as much labor as possible in the process.

The lesson in all of this is that if you wait for concentration camps to appear before acting, you will miss the new form of productive elimination that is already being used.

History has moved on.

There will be no Panzers rolling down the El Camino when the DHS comes to Silicon Valley.

April 25, 2015 12:47 PM

rgaff on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@ Victoria Cross for Inverse Valor

Skeptical was actually far smarter and harder to pin down, whereas Andrew is much easier to get to trip over his own words... Of course neither will admit to it, they'll just ignore you if you have a point that disproves them, and that does make them similar in that way... But one is more like a high level guy that knows exactly what's going on and what he's doing, and the other is more like a low level guy that's just swallowed the company line without thinking too much.

April 25, 2015 12:44 PM

Curious on Federal Trade Commissioner Julie Brill on Obscurity:

I would think that really the only interesting aspect of 'obscurity' in regard to 'privacy', is 'guaranteed obscurity'. The same way 'security' is only interesting, in that it revolves around 'guaranteed' 'security'.

So, having merely a pragmatic approach wouldn't do, when there is a goal of making something non-obscured.

And so, if one were to think of government initiatives or efforts at collecting data, trying to call it "obscured" because it isn't looked at makes it obvious that 'privacy' this way doesn't make any sense at all, because an individual has no say in the matter of how data about his person is handled.

April 25, 2015 12:34 PM

Danger Mouse on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

Hello Andrew Wallace, welcome to the blog.

In the spirit of transparency, constructive community outreach and collaboration with the security researchers, please give us the details on the Metropolitan Police use of stingrays in London. How, when, where, who? (We know the why.)

April 25, 2015 12:27 PM

Nick P on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@ Andrew Wallace

I'm amazed you think it's reasonable for government to spy on people discussing security or critiquing some aspects of their country. These are harmless actions protected by the First Amendment. The only time we've seen law enforcement or intelligence agencies use their power against people in those groups was to (a) suppress dissent or (b) try to prevent exposure of corruption. Surveillance on such people is a cornerstone for a police state. It was present in many regimes we crushed in the past and exists in many today low on the Democracy Index.

So, people have a reason to be anxious about such a position seeing that it's a police-state technique often used to protect corruption and directly contradicting our rights as upheld by 100+ years of case law. That's not counting just how much a waste of resources it is. On top of that, let's remember they promised they were collecting only metadata and only for terrorism investigations. Snowden leaks massively contradicted almost every public statement.

It's not paranoia when their own leaked documents show them to be pathological liars participating in repeated acts of foreign espionage against allies or secret coercion of domestic firms. That's a pseudo-police state going on digital offensive against everyone with little proven benefit for the risks they're taking. The costs have been tens of billions in losses to our economy. Every company leaving Five Eyes' territory is playing it smart.

Strangely, though, they still have defenders despite being caught in numerous lies about almost every aspect of these programs. *That* makes paranoid types here start going over the deep end wondering who's a shill and who's just slow. I'm more focused on concrete details. They show people should be *extremely skeptical* of anything NSA or FBI says about these programs, encryption, or terrorism. Based on the military's own intelligence standards, these organizations are intelligence sources of the lowest quality: I rate them at E6 through and through.

April 25, 2015 11:54 AM

JohnT on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

I've been waiting for the Squid blog.

The NY Times said 4/23 that the Senate has passed a bill expanding the "authorities" eavesdropping powers to fight human trafficking. The expansion is mentioned in the 5th paragraph. The news item is "Senate Approves Stalled Human Trafficking Bill, Clearing Way for Lynch Vote" pg A16, 4/23. Here's the link if it works.

Does anybody have more info on this expansion of government eavesdropping?

April 25, 2015 11:51 AM

Nick P on Federal Trade Commissioner Julie Brill on Obscurity:

It's good that she's promoting privacy-enhancing legislation. However, it's likely to fail because the obscurity concept is too vague. What she describes is the kind of thing dirty lawmakers and lawyers are going to have a field day with. I'd rather have legislation more along the lines of the E.U.'s data protection scheme. Most of their principles are pretty straightforward to understand, even to lay judges. They're also easy to comply with outside the "secure the data" mandate.

April 25, 2015 11:40 AM

Victoria Cross for Inverse Valor on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

More characteristic indoctrination at 10:51. 'Activities of government,' in reductive abstract, not activities of THIS government. You naturally can't tell the difference - your class and status markers indicate you're destined for guard labor by your SES, so you've been spared the subtleties. But then, Who does learn critical habits of mind these days, aside from St. Paul's boys and their ilk?

April 25, 2015 11:19 AM

keiner on The Further Democratization of QUANTUM:

@gordo

democratize
: to make (something) available to all people :

Democracy is about participation.

Not about consuming (plastic bullshit or whatever). Using the term "democracy" to describe consumerism is a typical neolib perversion of the term, to distract from participation in politics and society and make people think they have "democracy" if they all can buy the same Apple trash and other stuff.

April 25, 2015 11:00 AM

albert on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@Everyone
.
ALL govt's are interested in ALL their Citizens. Certain categories are more _interesting_ to them. Here in the US, they are, but not limited to:
.
1. Anyone who talks about terrorism.
2. Anyone who discusses hacking, computer security, and the Intelligence Community.
3. Anyone who criticises the gov't.
4. Anyone who criticises the corporatocracy.
5. Anyone who engages in, or promotes, protest movements of any kind.
6. Anything else the LE/IC deems important.
.
You can get on The List by 'lurking' on certain sites. You don't even have to participate. Isn't that wonderful? So, avoid these things, and you'll be safe*.
.
This doesn't mean that all Listees are going to be locked up**. We haven't reached that point....yet. That's the road we're on, but it's a foggy one. Can't see too far ahead. 'There' can come upon us quite suddenly, then it'll be too late.
.
I gotta go watch the Bruce Jenner interview....
.
.............
* Sorry, I shouldn't joke about these serious issues.
** I do believe FEMA has working plans for large-scale 'detention centers'.

April 25, 2015 10:32 AM

Victoria Cross for Inverse Valor on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

Interesting, this Andrew character posing at 7:12 as some sort of benevolent authority, undercutting vapid reassurances with portentous warnings. Classic emotional manipulation from the cop slice of the bell curve: stay on our good side and you'll be fine. With an odd, puzzling confidence that people will accept this random internet nitwit as an authority. Reflexively pushing his institutionalized fear back at you, that's a cop tic too. Reminiscent of Skeptical, but no doubt that's an artifact of the uniform indoctrination in Anglophone bureaucracies, working on homogenized raw material: OCD and not too bright.

April 25, 2015 10:23 AM

Wael on Federal Trade Commissioner Julie Brill on Obscurity:

@Clive Robinson,

> That said there are many other examples of PII "data holes" that can be filled by other badly anonymized data.

PII data de-anonymization and extrapolation is becoming an easier task. So-called "metadata" collection serves as an input to data analytics engines, which makes the "data holes" wide enough to drive a truck through.

April 25, 2015 9:55 AM

Andrew Wallace on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

Bob S.

Your point about mass collection of data was answered:

Andrew Wallace • April 25, 2015 9:41 AM

There does seem to be a lot of stress, anxiety and a degree of paranoia on the Schneier blog about what a researcher can and cannot do and those who may be watching them to see that what they can and cannot do is being adhered to. E.g. the storage of communications data of all digital interactions in day to day life on databases seems to have high stress value on this blog. The only reason that data is stored is to save money should an investigation come up. It does not mean you are under suspicion, but true, if you are put under investigation your lifestyle can and should be looked into to rule you out of badness.

Andrew

April 25, 2015 9:41 AM

Bob S. on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@Andrew Wallace

Re: "The government do not have an interest in you. If the government were to lock up every security researcher there would be no space left in prison.
As long as you study the law and ethics and..."

The hell they don't have an interest in you, and me and everyone!

Why do you think we are undergoing a worldwide transition toward electronic mass surveillance in the image of NSA Collect-it-ALL? (Laws and Rights be damned.)

Mass surveillance begets mass control. Always has, and that's why the powers that be want it and won't let it go,...easily.

Roberts was a fool looking to get slapped...and he did. But, the government didn't need to drag him off to Siberia ....the word of his misdeed spread like fire throughout the whole world..."we are watching and we will mess with you!" Is there any researcher or anyone else in the world who did not get the message?????

As for locking up researchers or anyone else....if they see it's necessary they will do it. Governments have unlimited time, power and resources to take out anyone. No question about it.

It's strictly on a case by case basis now. Publicly crucifying select individuals has a great deterrent effect on the peasantry.

Frankly, I view your post as rather naive and Pollyanna.

The only known antidote for electronic mass surveillance at the moment is mass encryption. Let's hope some really smart guys are working on it.

April 25, 2015 9:41 AM

Andrew Wallace on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

Winter,

There does seem to be a lot of stress, anxiety and a degree of paranoia on the Schneier blog about what a researcher can and cannot do and those who may be watching them to see that what they can and cannot do is being adhered to. E.g. the storage of communications data of all digital interactions in day to day life on databases seems to have high stress value on this blog. The only reason that data is stored is to save money should an investigation come up. It does not mean you are under suspicion, but true, if you are put under investigation your lifestyle can and should be looked into to rule you out of badness.

Andrew

April 25, 2015 9:15 AM

Donald Ball on An Incredibly Insecure Voting Machine:

Way upstream, Clive suggested that long lines (that is to say, inadequate resources at polling places) won't affect outcomes as it's independent of the partisan preference of the voters. As it turns out, in the real world, or at least in these United States, voting resources are allocated by partisan election boards, and inadequate resources (and increased bottlenecks due to ever more onerous authentication theater) tend to disproportionately affect poor voters, who do have a strong partisan preference.

April 25, 2015 8:55 AM

Curious on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

Though not really computer security news, there has apparently been a robbery of a deposit vault in London recently. It is called the "Hatton Garden heist" in the news. A lot of select stuff is said to have been stolen, and the articles I read pointed out that they had taken off with valuable jewelry.

It would be quite a stretch for me to try to point out here that such a robbery might have been done by a state power, but as I read that the alarm was triggered but with no reaction from the police, I just couldn't help myself and thought that something like this might as well be some shady government work if the targeted deposit boxes were really valuable or really interesting. On second thought, now that I think about it, I guess putting stuff in a bank vault offers questionable levels of privacy.

The thieves bored through a 50cm concrete wall in order to create a minimal opening into the vault, and are said to have stayed inside the vault for hours.

April 25, 2015 8:43 AM

Clive Robinson on Federal Trade Commissioner Julie Brill on Obscurity:

@ Wael,

> This wouldn't apply in some countries, such as Sweden...

There you have an advantage on me, I'm not aware of what the Swedish equivalent of the UK's "Companies House" requires on a company's annual filings. However I suspect the "total" for directors' salaries is recorded somewhere as it's quite an important benchmark for investors and shareholders and most western governments track it in some way.

That said there are many other examples of PII "data holes" that can be filled by other badly anonymized data. One being post/zip/area codes and medical spending against age bands and certain treatments. And this is just with one specific data type database; when you bring in other available databases such as mobile phone location and credit card these can strip the anonymisation quickly and effectively... So much so that it appears to be the case that PII cannot be anonymised to a level to protect an individual and have the resulting data be of any use for research etc that might make collecting it of value.

We have had this debate come up in the UK on a number of occasions where the Government feels it has the right to sell PII it has forced out of people with legislation etc to third parties often outside of the UK jurisdiction and any constraints it might apply.

And it's not just the UK Gov, take "work perks" given in lieu of salary etc such as gym membership, or more pertinently in the UK Health Insurance. If you read the form carefully you find that if you sign the health care form you are giving not just the health insurer but any interested parties the right to snoop into any and all of your private information they choose at any time and pass it on to other agencies and organisations, including but by no means limited to not just your medical information but bank details, property records etc etc...

It will probably be of no surprise to anyone reading this blog that I don't have nor have ever had work or other health care insurance and have no intention of ever doing so with them asking to sign away the entirety of my privacy...
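
Clive's point above about "data holes" (post code plus age band plus treatment being enough to single people out, and a second database finishing the job) can be checked before a dataset is released. The following is an added example, not code from the comment or from any project it mentions: a small k-anonymity and linkage audit over constructed records (the post codes, age bands, spends and names are all made up), which also shows how generalising the post code closes the hole.

```python
"""k-anonymity and linkage audit for a 'anonymised' release.
Added example with constructed data; not from the comment or any real dataset."""
from collections import Counter

# Constructed medical-spending release: names removed, but post code,
# age band and treatment left in (the quasi-identifiers Clive describes).
MEDICAL = [
    {"postcode": "SW1A 1", "age_band": "40-49", "treatment": "cardiology", "spend": 4200},
    {"postcode": "SW1A 1", "age_band": "40-49", "treatment": "dental",     "spend": 300},
    {"postcode": "E1 6",   "age_band": "20-29", "treatment": "dental",     "spend": 150},
    {"postcode": "E1 6",   "age_band": "20-29", "treatment": "dental",     "spend": 180},
    {"postcode": "E1 6",   "age_band": "20-29", "treatment": "dental",     "spend": 95},
    {"postcode": "M1 1",   "age_band": "60-69", "treatment": "oncology",   "spend": 9800},
    {"postcode": "M1 2",   "age_band": "60-69", "treatment": "physio",     "spend": 650},
]

# Constructed auxiliary dataset (think loyalty card or electoral roll):
# it carries names alongside the same quasi-identifiers.
AUX = [
    {"name": "A. Example", "postcode": "SW1A 1", "age_band": "40-49"},
    {"name": "B. Example", "postcode": "SW1A 1", "age_band": "40-49"},
    {"name": "C. Example", "postcode": "M1 1",   "age_band": "60-69"},
    {"name": "D. Example", "postcode": "M1 2",   "age_band": "60-69"},
    {"name": "E. Example", "postcode": "E1 6",   "age_band": "20-29"},
]

QUASI_IDS = ("postcode", "age_band")


def qi_key(row, quasi_ids=QUASI_IDS):
    """The tuple of quasi-identifier values a row exposes."""
    return tuple(row[q] for q in quasi_ids)


def equivalence_classes(rows, quasi_ids=QUASI_IDS):
    """Count how many rows share each quasi-identifier combination."""
    return Counter(qi_key(r, quasi_ids) for r in rows)


def k_anonymity(rows, quasi_ids=QUASI_IDS):
    """Smallest equivalence class. k == 1 means at least one row is unique
    on the quasi-identifiers, i.e. a 'data hole' another dataset can fill."""
    classes = equivalence_classes(rows, quasi_ids)
    return min(classes.values()) if classes else 0


def reidentified(release, aux, quasi_ids=QUASI_IDS):
    """Rows of `release` that `aux` pins to exactly one person: the row is
    unique on the quasi-identifiers in the release AND exactly one auxiliary
    record shares those values. Returns (name, treatment, spend) triples."""
    release_classes = equivalence_classes(release, quasi_ids)
    aux_by_key = {}
    for a in aux:
        aux_by_key.setdefault(qi_key(a, quasi_ids), []).append(a["name"])
    hits = []
    for r in release:
        k = qi_key(r, quasi_ids)
        if release_classes[k] == 1 and len(aux_by_key.get(k, [])) == 1:
            hits.append((aux_by_key[k][0], r["treatment"], r["spend"]))
    return hits


def generalise_postcode(rows):
    """Coarsen the post code to its outward part ('SW1A 1' -> 'SW1A'),
    the usual first step to raise k before release."""
    return [{**r, "postcode": r["postcode"].split()[0]} for r in rows]


if __name__ == "__main__":
    print("k before:", k_anonymity(MEDICAL))
    print("re-identified before:", reidentified(MEDICAL, AUX))
    coarse = generalise_postcode(MEDICAL)
    print("k after:", k_anonymity(coarse))
    print("re-identified after:", reidentified(coarse, generalise_postcode(AUX)))
```

Run as written, the full post codes leave the two "M1" rows unique, and the auxiliary list names both people along with their treatment and spend; after coarsening the post code every class has at least two members and the same auxiliary list no longer pins anyone down. Note that the E1 6 class is not unique but every row in it is dental, so a linked person's treatment still leaks (homogeneity); k-anonymity alone does not catch that.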

April 25, 2015 8:39 AM

Robert in San Diego on An Incredibly Insecure Voting Machine:

Where I live, ballots are pen-based, fill-in-the-bubble type. We used to use punched machine-readable ballots, and for one election back in 2003 I think, it was a computer screen. There is a register of voters I sign in on, and the ballots are numbered, but the ballot number isn't linked to my name on the register.

April 25, 2015 8:31 AM

Winter on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@Andrew Wallace
"As long as you study the law and ethics and know what you can and cannot do while conducting your security research there shouldn't be a problem. You should also keep an eye on news within the community to know what law enforcement agencies are sensitive to."

This quote does remind me of the science of Trofim Lysenko
http://nl.wikipedia.org/wiki/Trofim_Lysenko

What we see here is someone from the USA advocating the research ethics under Stalin.

April 25, 2015 8:27 AM

Nicholas Weaver on The Further Democratization of QUANTUM:

Bro's rst tool actually allows payload injection. I build a full suite, including a web interface for searching, some of the NSA's for-Marina metadata extraction, full take, and packet injection using Bro as the sensor.

April 25, 2015 7:12 AM

Andrew Wallace on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

rgaff, Victoria Cross for Inverse Valour

You do seem to have paranoia or anxiety about something. Perhaps you have a worry that because you're a security researcher that the Government have an interest in you and that you may be judged to be a threat to national security.

This is completely untrue. The government do not have an interest in you. If the government were to lock up every security researcher there would be no space left in prison.

As long as you study the law and ethics and know what you can and cannot do while conducting your security research there shouldn't be a problem. You should also keep an eye on news within the community to know what law enforcement agencies are sensitive to.

E.g. don't tweet on a plane about dropping oxygen masks like Chris Roberts decided to do and you should be fine to carry out your lawful, law-abiding security research.

We look forward to the publication of your research in due course.

Happy hunting.

April 25, 2015 7:07 AM

Thoth on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@steve37, all
That Homeland Security Secretary and those US Govt people duped by the Warhawks (or maybe it's all a huge Warhawks' scheme) don't realize the stupidity of their requests and the impact.

Here's a list of some critical infra that requires security and their stupid request to stop encryption is exactly what will happen:

- Online Shopping and Transactions
- Banking and Finance Security
- SCADA and factory systems
- Transportation Security
- Public Utilities
- Online Gaming and Entertainment

That's only a short list of many other critical systems. Disarming cryptography means all the above and more wouldn't even have proper data security. Golden keys, front doors, backdoors and whatever it is to escrow or weaken data security especially in the field of proper practical cryptography and they have not understood that such a dangerous and insane move would threaten their critical infrastructure and thus worsen the US economy and security overall.

If the Chinese, North Koreans, Israelis, Russians, French, Germans, Iranians ... and other national security agencies would be given a gift, the gift is the direct downfall of US data security sector so these Nations and their agencies and many others would have a walk-over and have their noses to ensure their own benefits.

You can imagine these nation sponsored hackers having an easy way into critical infrastructures due to deliberate weaknesses in the data security mechanisms.

I wonder if thought was put into assessing the impact of sabotaging data security mechanisms in school and in the field.

Not to mention, a lot of COTS security systems use open source and closed source software that, if sabotaged, could pose a huge national threat in itself, and the US Govt uses COTS systems regularly, and if the backdoors, frontdoors and golden keys are in these COTS systems, their enemies could figure that out as well.

Not to forget, a ton of US Govt security systems use COTS cryptographic products like smartcards and TPM modules for Govt Systems, and these systems are dual purpose products that are applicable to critical public sectors and Govt sectors. The act of weakening these security systems would break the security twofold.

That means you could effectively forge protected features in identification system and that can be a huge headache.

I wonder if the madness of curtailing and controlling public access to proper COTS data security mechanisms could extend to preventing teaching and displaying of data security and cryptographic knowledge and restricting free speech. Hmmmm .....

April 25, 2015 5:01 AM

Clive Robinson on Hacker Detained by FBI after Tweeting about Airplane Software Vulnerabilities:

@ Zaphod,

There are many ways it could have happened.

But the thing with "tweets" is many use their real name or an easily recognisable version of their real name (i.e. Bob instead of Robert etc). People also have to supply in advance all the details such as real name and address etc when buying their ticket, which is then logged into a database that many have easy access to. Further "unhappy tweets" are likely to happen within a couple of hours of expected flight time. Thus linking a "known" tweet to the likely passenger is usually relatively trivial for airport operators / airlines.

The question then is how does a tweet become "known" to the airport operators / airline or other authorities with easy access to the passenger details...

Well this is the bit where the "parallel construction" starts from the authorities or is often covered by the IC name of "Methods and Sources" under "National Security" if the defence pushes hard in court.

The usual argument from the authorities is the old "anonymous tip off" of somebody who follows the suspect/defendant online phoning it in. Whilst a judge might accept this, as might a jury, people with any kind of knowledge about such things are generally skeptical due to response times.

Well from personal experience I know that under certain circumstances the response can be very fast. I happened to be at a south London hospital as an out patient when some idiot came into a public area and threw a large bag of some unknown substance, screamed something and ran away. The hospital went almost immediately into lockdown and within five to ten minutes the first of the emergency services had arrived to enforce the lockdown and cordon off the hospital site. Shortly thereafter the London Fire Brigade (LFB) major incident and bio-hazard teams arrived and within a couple of hours the "all clear" was given as the substance had been analysed by one of the teams and was apparently a large bag of cooking ingredient.

Whilst this was a rapid response time, it was abnormal in that the initial reporting would have followed a "known emergency" script in the hospital's "disaster plan" which would have had the correct telephone numbers etc to phone. Those who received the call would also have had an emergency response script for the hospital to follow.

When "joe public" phones in they would phone a general emergency number and this would take quite a while longer to process, including some kind of "hoax verification" procedure. Then some kind of "threat verification" and "threat response" procedures which would take further time. How much time we don't actually know, and it would also depend on what the National "threat level" status is. Prior to 9/11 and 7/7 the response would have been "verify before action"; after, it would have been "action before verify", which drastically shortens response times but is also inordinately expensive in physical and human resources and vastly increases the likelihood of collateral damage such as injury or death to members of the public. Which might account for why there is "major sense of humour failure" in the authorities who then come down very hard on people.

However the "actual response" suggests that the authorities are "verifying before action"... Which calls into question the response time and suggests it's not "joe public" calling in, which leads to the question of "If not then how?"...

This raises further questions such as where the message is being intercepted. If the sender is using a "smart device" then until quite recently the chances are the message went as "plain text". Thus it could have been intercepted on the Airport WiFi / Mobile Phone air interfaces or downhauls "on site"... We know from shopping mall systems that faux certificates etc can and have been used at such places so the technology to intercept is fairly readily available. Likewise we know that bulk twitter feeds are available with various types of filtering.

So we know that the communications path is effectively "open" to inspection at either end, and in all probability at any point in between as well to the likes of GCHQ. Again however "response time" and "response type" suggest it's more likely to be at the end points of the communications. And if I had to guess I'd go for the twitter end as my first choice because it's going to cover the service, not a myriad of individual locations, and would thus be less expensive overall, whilst also covering a greater variety of threat types as well as other intel activities.

Arguably twitter feed monitoring would have been put in place as soon as it was possible for "anti-terror" purposes along with the other "bulk surveillance" technologies we are now aware of. Thus what we are seeing with these Police activities is a way of justifying the cost of such a system to the "purse string holders" etc. If that is the case then we can expect to see the scope of such Police activities increase with time...

April 25, 2015 4:12 AM

MarkH on An Incredibly Insecure Voting Machine:

@notsecret:

Traceability of ballots to voters does NOT accord with my personal experience. If this is the practice somewhere, it is extremely improper.

Where I now live, when we had paper ballots they were not numbered or otherwise uniquely marked. All paper ballots were identical, with the exception of pencil marks made by voters in order to register their vote.

Similarly, with the currently used electronic voting machines (see my comment above), I have seen no provision for traceability. In principle votes could be lined up with the register by the ordering of votes on the paper record printed by the machines. However, there are several machines, and often several voters using them simultaneously, so such correlation could not be done reliably.

My county keeps a publicly accessible database of who voted in each election -- but NOT of how they voted.

In the USA, votes really are supposed to be secret.

If you have evidence of violations of vote secrecy in any jurisdiction, please tell us here, and/or furnish it to the press. That would be an important story, and deserves to be published.

April 25, 2015 4:03 AM

mice on The Further Democratization of QUANTUM:

Scatterbrain, back then there was Nemesis and later tcprelay, so not too many options for injection. The IDS part is a bit strange: TIME, one packet to exploit and one to check if successful; after two years, if the autopwn has not said successful, move on.

Just some ramblings, not in the game anymore.

April 25, 2015 2:18 AM

Wael on Federal Trade Commissioner Julie Brill on Obscurity:

@Clive Robinson,

I didn't know what to make out of this discussion. I wonder what Bruce liked about it.

> which renders her argument moot

It came across that way to me as well!

> The usual example given is the "total of salaries, for directors"

This wouldn't apply in some countries, such as Sweden, where salaries aren't perceived as "private" data. As far as I know, salaries are public domain, available to anyone. I could be wrong, but that's what I heard when I was there...

April 25, 2015 2:06 AM

Wael on Signed Copies of Data and Goliath:

@Nick P,

> Don't be giving Fate ideas

Yup, you're right... Wasn't my intention! I was actually serious (that's why I didn't put a smiley at the end of the question.) Had you written the "Final revision" of the PDF, we wouldn't be having this discussion. I am now relieved :)

As for a "cryptographic" signature: how would you verify it, and what significance would it have besides it being "amusing"?

April 25, 2015 1:11 AM

mice on The Further Democratization of QUANTUM:

Would like to say something about some blind TCP hijacking experiments on a local LAN.
I had three boxes: a target WinXP, a Linux OS (Slackware), and a Windows 2k7.

I managed to inject one packet into the stream by sending an ACK and guessing the seqnum: I incremented a randomish value picked from packets sent to the server and did a basic statistical analysis of it to predict the current number, based on guessing the GHz and the packet travel time within the program; the value got incremented up to one quarter of a 16-bit number. I did the same thing with the acknum. I was getting 8-10 hits by cheating and sniffing the sport number of the target; otherwise I continued to lose the race.

The second stage was to remove the weakness of sport, so I targeted the DNS authority server of the Win2k7 box by asking for a non-cached address. In real life, if I lost the race, I would just need to wait ten minutes and then try again. The authoritative servers were selected by picking four, as the LAN gave that much speed advantage to have four; it would be easier targeting a smaller address down the tree, as with the Win server, if it didn't have a record for an address but got asked for one and then was injected with the attacker's address, a spoofed email to local resources would ping twice and redirect to the attacker.

All in all, a better statistical analysis of seqnum generation would open the door up.

THE defensive measure: if you are going for speed and just using the tick count of the CPU, add three lines of assembly and hardcode an offset that gets added if the lowest significant bit is one, with a random value loaded into the code on Windows install. This would add 16 bits of extra work, but only a 20-200 millionth of a second delay.
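The comment above is about how far a blind guesser gets when the initial sequence number is just a clock, and what a per-install random offset buys. As an added example (not code from the commenter, and a different mitigation than the three-line tweak described), the block below simulates both sides of that argument: a constructed tick-counter ISN generator, and an RFC 6528 style generator that adds a keyed hash of the connection 4-tuple to the clock. The guesser only ever observes ISNs handed to its own connections and then predicts the ISN of a different 4-tuple; the hit rate is measured against a 65535-byte receive window. Addresses, ports, tick sizes and the per-trial secrets are all constructed for the illustration.

```python
"""
Blind ISN prediction against two generators: a bare tick counter and an
RFC 6528 style keyed hash (ISN = clock + F(4-tuple, secret)).  Added
example, not code from the comment; all addresses, ports, tick values
and secrets are constructed for illustration.
"""
import hashlib
import hmac
import os

MOD = 1 << 32        # TCP sequence space
WINDOW = 65535       # receive window a blind segment must land in


class TickCounterISN:
    """Constructed stand-in for 'ISN = CPU tick count', with no secret."""

    def __init__(self, start_ticks=0, ticks_per_call=250_000):
        self.ticks = start_ticks
        self.step = ticks_per_call

    def isn(self, local_ip, local_port, remote_ip, remote_port):
        self.ticks += self.step          # clock advances between connections
        return self.ticks % MOD


class KeyedHashISN:
    """RFC 6528 style: ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret).

    M is the clock; F is a keyed hash truncated to 32 bits.  ISNs observed
    for one 4-tuple reveal nothing about F for another 4-tuple."""

    def __init__(self, secret=None, start_ticks=0, ticks_per_call=250_000):
        self.secret = secret if secret is not None else os.urandom(16)
        self.ticks = start_ticks
        self.step = ticks_per_call

    def isn(self, local_ip, local_port, remote_ip, remote_port):
        self.ticks += self.step
        four_tuple = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
        digest = hmac.new(self.secret, four_tuple, hashlib.sha256).digest()
        f = int.from_bytes(digest[:4], "big")
        return (self.ticks + f) % MOD


def blind_guess_hits(make_gen, trials=200, probes=8, window=WINDOW):
    """Fraction of trials in which a blind guesser, seeing only ISNs issued
    to its own connections, predicts a *victim* 4-tuple's ISN closely enough
    that a segment carrying the guess would fall inside the victim's window."""
    hits = 0
    for trial in range(trials):
        gen = make_gen(trial)
        own = ("10.0.0.66", 40000 + trial, "10.0.0.1", 80)      # constructed
        victim = ("10.0.0.7", 51000 + trial, "10.0.0.1", 80)     # constructed
        seen = [gen.isn(*own) for _ in range(probes)]
        # Estimate the per-connection increment from the guesser's own samples.
        step = ((seen[-1] - seen[0]) % MOD) // (probes - 1)
        guess = (seen[-1] + step) % MOD
        real = gen.isn(*victim)
        # Acceptable iff guess lies in [real, real + window).
        if (guess - real) % MOD < window:
            hits += 1
    return hits / trials


def tick_counter_factory(trial):
    return TickCounterISN(start_ticks=trial * 1_000_003)


def keyed_hash_factory(trial):
    # Per-trial secret derived deterministically so the run is reproducible;
    # a real stack draws it from a CSPRNG at boot (os.urandom above).
    secret = hashlib.sha256(b"constructed-demo-secret-%d" % trial).digest()
    return KeyedHashISN(secret=secret, start_ticks=trial * 1_000_003)


if __name__ == "__main__":
    print("tick counter hit rate:", blind_guess_hits(tick_counter_factory))
    print("keyed hash   hit rate:", blind_guess_hits(keyed_hash_factory))
```

With the bare counter the guesser's estimate of the step is exact, so every trial lands in the window; with the keyed hash the guess is off by the difference of two unrelated 32-bit hash outputs, so the hit rate is at the chance level of roughly window / 2^32. The secret lives only in the kernel and is never sent on the wire, which is what separates this from an offset baked into the installed code.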

April 25, 2015 12:55 AM

Nick P on Signed Copies of Data and Goliath:

@ Wael

Lol. The final PDF or whatever format he sent to the publisher for this book. Don't be giving Fate ideas: it's terrifyingly creative as it is.

April 25, 2015 12:15 AM

Wael on Signed Copies of Data and Goliath:

@Nick P,

That's a great idea. Bruce cryptographically signing his final PDF

Do you mean his latest PDF, or do you know something we don't? I'm planning to get a copy too in the near future.

April 24, 2015 11:48 PM

Ducky on The Further Democratization of QUANTUM:

I'm surprised governments haven't mandated a front-door / back-door into HTTPS yet. That way the NSA and China can continue to carry out their QUANTUM attacks on encrypted traffic.

The justification for the HTTPS front-door / back-door will be hunting down terrorists and for the safety and security of the citizenry, of course.

April 24, 2015 11:20 PM

Nick P on Signed Copies of Data and Goliath:

@ 06421

That's a great idea. Bruce cryptographically signing his final PDF and that being printed next to his signature would be a nice gimmick for a famous cryptographer. I'd up it to him physically signing it with the digital signature of his book or his name but that's a lot of writing even with ECC. We'll keep it simple with your scheme.

April 24, 2015 11:16 PM

Nicholas Weaver on The Further Democratization of QUANTUM:

Apologies for the typo. When I sent an email describing how to build this to Bruce, I said swap syn/ack, I meant to say seq/ack, and then add packet length to ack (although the latter isn't necessary in many cases, TCP stacks can be remarkably tolerant, they will just think the data was sent by the other side before it received the message).

That is the problem with describing how to code in email: there is no compiler and no regression tests to catch typos.

Also, what's remarkable about the Great Cannon, and why it interested us, is that it is more than QUANTUM (the Chinese equivalent to QUANTUM is the Great Firewall).

QUANTUM can only add packets, but the cannon is a full Man-in-the-Middle, able to remove packets as well. This is a remarkably important addition, as it allows very nasty things like man-in-the-middle'ing email (and stripping STARTTLS).

Finally, NSA's QUANTUM is actually not that much more sophisticated than the schoolboy version. The big limit of the schoolboy version is it doesn't reassemble TCP flows, so if the trigger is split across multiple packets, the injector won't trigger. [1]. The NSA's version has the same limitation!


[1] Robust TCP stream reassembly is hard. IDSs do it, but it's in many ways the most important part of an IDS: reassembling the traffic as the client would.
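The point in the comment above, that a per-packet matcher (injector or IDS signature alike) misses a trigger split across TCP segments, and that the fix is stream reassembly, is shown below as an added example; it is not code from the commenter or from any IDS. It keeps a minimal one-direction reassembler that tolerates out-of-order arrival, duplicate retransmissions and overlapping bytes, and runs a constructed HTTP request through both a naive per-segment matcher and the reassembled stream. The trigger string, sequence numbers and payloads are constructed for the illustration.

```python
"""
Per-segment matching versus IDS-style stream reassembly.  Added example,
not from the comment or from any IDS; the trigger string and the segment
data are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int          # sequence number of the first payload byte
    payload: bytes


TRIGGER = b"GET /analytics.js"   # constructed pattern an IDS rule might look for


def per_packet_match(segments, trigger=TRIGGER):
    """Naive matcher: inspects each segment in isolation, so a pattern that
    straddles a segment boundary is never seen."""
    return any(trigger in s.payload for s in segments)


class StreamReassembler:
    """Minimal one-direction TCP reassembler.

    Buffers out-of-order segments until the gap before them is filled.
    Overlap policy: bytes already delivered are never overwritten, and among
    buffered segments the lower sequence number wins.  Real stacks differ in
    exactly this policy, which is why 'reassemble as the client would' is the
    hard part of an IDS (footnote [1] above)."""

    def __init__(self, isn):
        self.next_seq = isn          # next byte the receiver expects
        self.buffer = bytearray()    # contiguous in-order bytes so far
        self.pending = {}            # seq -> payload for not-yet-contiguous data

    def feed(self, seg):
        self.pending.setdefault(seg.seq, seg.payload)   # exact duplicate: keep first copy
        progressed = True
        while progressed:
            progressed = False
            for seq in sorted(self.pending):
                data = self.pending[seq]
                end = seq + len(data)
                if end <= self.next_seq:            # entirely old data: drop
                    del self.pending[seq]
                    progressed = True
                    break
                if seq <= self.next_seq:            # contiguous, possibly overlapping
                    self.buffer += data[self.next_seq - seq:]
                    self.next_seq = end
                    del self.pending[seq]
                    progressed = True
                    break

    def stream(self):
        return bytes(self.buffer)


def demo_split_trigger(isn=1000):
    """Constructed exchange: the trigger spans two segments, which arrive out
    of order, and the first segment is retransmitted as a duplicate."""
    s1 = Segment(isn, b"GET /analy")
    s2 = Segment(isn + len(s1.payload), b"tics.js HTTP/1.1\r\nHost: cdn.example\r\n\r\n")
    arrival = [s2, s1, s1]
    naive = per_packet_match(arrival)
    r = StreamReassembler(isn)
    for seg in arrival:
        r.feed(seg)
    return naive, TRIGGER in r.stream(), r.stream()


if __name__ == "__main__":
    naive, reassembled, stream = demo_split_trigger()
    print("per-packet match:", naive)
    print("reassembled match:", reassembled)
    print(stream.decode())
```

Two things the code makes visible: the naive matcher returns nothing even though the full request is on the wire, and the reassembler only emits bytes once the sequence space before them is filled, so the match fires at the same point the client would see the complete request line.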

April 24, 2015 10:58 PM

rgaff on Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid:

@ Victoria Cross for Inverse Valour

You have a point about lower ranks.

The top people that know what they're doing set the policies for those lower ranks though... The more I learn about how the world works the more it really comes down to money. As the old saying goes, it's the root of all evil, right?

April 24, 2015 10:21 PM

ryan on Signed Copies of Data and Goliath:

I purchased your book on Thursday at the RSA conference and was disappointed that you did not show up for your book signing that was scheduled for 12-12:30 at Moscone South.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.