Recent Comments


June 25, 2018 12:46 PM

Bob on Secure Speculative Execution:

@Who?

What I'm getting at is that wishing is even less effective than patching.

June 25, 2018 12:45 PM

Bob on Secure Speculative Execution:

@Who?

I agree. Unfortunately, we're stuck working with a reality in which speed is a consideration.

June 25, 2018 12:34 PM

Who? on Secure Speculative Execution:

Remember, processors were considered secure until a few months ago. Caches did not leak until it was proved otherwise.

June 25, 2018 12:26 PM

Who? on Secure Speculative Execution:

The only secure design is one that fully avoids speculative execution. Right now there are clearly two user groups:

  1. Those that want high-performance architectures (gamers, staff working in the HPC field, ...); and,
  2. people that want secure computing platforms.

The first group either despises security (gamers) or runs huge computing clusters in which compartmentation is not critical (each computing node has a single user and does not run multiple jobs concurrently). The second group, the security conscious users, deserve a secure —even if slow...

June 25, 2018 9:58 AM

bttb on Are Free Societies at a Disadvantage in National Cybersecurity:

The Wiretap Rooms
The NSA's hidden spy hubs in 8 U.S. Cities, from The Intercept:
https://theintercept.com/2018/06/25/att-internet-nsa-spy-hubs/

"The secrets are hidden behind fortified walls in cities across the United States, inside towering windowless skyscrapers and fortress-like concrete structures that were built to withstand earthquakes and even nuclear attack. Thousands of people pass by the buildings each day and rarely give them a second glance, because their function is not publicly...

June 25, 2018 9:41 AM

TRX on Friday Squid Blogging: Capturing the Giant Squid on Video:

> "Florida's busiest airport is becoming the first one in the nation to require all passengers on arriving and departing international flights, including U.S. citizens, to submit to a face scan"

---

This was a topic on the comp.risks group back in the mid-1990s. Several airports were mentioned, and also that various Federal buildings had facial recognition systems.

So, they abandoned the old system? Forgot it was there? Or just ignoring it while making PR for the new one?

June 25, 2018 6:41 AM

Thoth on Friday Squid Blogging: Capturing the Giant Squid on Video:

@Clive Robinson

Re: Link

Thanks it will be very useful for me as well.

Regarding wildcards, I don't like regular expressions and I heavily limit or ban their use in the codes I personally cut for this particular reason.

I went to the point of re-coding stuff that I need (i.e. parsers) and prefer to look through the bytes than to use the normal and common style of parsing files and URLs which is mostly regexp here and regexp there ... not my style as it doesn't have the precision I want and opens a whole new world of bugs from the system's underlying regexp...

June 25, 2018 5:11 AM

Clive Robinson on Friday Squid Blogging: Capturing the Giant Squid on Video:

@ ALL, Thoth,

A little more on TLBleed, from the OpenBSD "friendly dictator" Theo being less than friendly towards Intel.

Hardly surprising really,

https://www.itwire.com/security/83347-openbsd-chief-de-raadt-says-no-easy-fix-for-new-intel-cpu-bug.html

He brings up an issue I mentioned years ago prior to the first news of Google's Chrome web browser. The OS can not fix certain kinds of security problem such as shared threads because the...

June 25, 2018 5:01 AM

65535 on Friday Squid Blogging: Capturing the Giant Squid on Video:

@ Sancho_P

“From the ruling:

But there is a world of difference between the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of location information casually collected by wireless carriers.
(Syllabus, page 3)

“Here is the sad part, hidden in these two words: „casually collected“
“One would immediately have to ask: Why do they collect it at all? And:
Is piling up customers' private data legal? Who collects, gov or private business? On whose behest? Unlimited? Is it still legal if the person is a...

June 25, 2018 4:46 AM

Name (required) on The Effects of Iran's Telegram Ban:

@Telegram

>Why Iran and China and Russia ban Telegram and don't ban Signal and WhatsApp?

Because of its broadcast channels probably.

June 25, 2018 4:00 AM

Sancho_P on Friday Squid Blogging: Capturing the Giant Squid on Video:

re historical data, Carpenter vs. US

From the ruling:
But there is a world of difference between the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of location information casually collected by wireless carriers.
(Syllabus, page 3)

Here is the sad part, hidden in these two words:
„casually collected“

One would immediately have to ask: Why do they collect it at all?

And:
Is piling up customers' private data legal?
Who collects, gov or private business? On whose...

June 25, 2018 4:00 AM

Clive Robinson on Friday Squid Blogging: Capturing the Giant Squid on Video:

@ Thoth,

On an entirely different subject, as you probably know busybox wraps a whole load of separate command line functions into a single program which has quite a few advantages but one or two disadvantages.

One disadvantage is that not all command line arguments are supported for individual commands and there is variation in the documentation as to what is and is not supported. Which means sometimes things are there which are not in the documentation. Thus an eagle eye on the source code can spot a few things. Some of which have no meaning to those who started...

June 25, 2018 3:43 AM

65535 on Friday Squid Blogging: Capturing the Giant Squid on Video:

@ gordo, MrC, Clive R. and others
“…Gorsuch's dissent is only a "dissent" insofar as Carpenter failed to raise what Gorsuch thinks was the winning argument. The difference is down to lack of foresight on the part of Carpenter's lawyers…”-MrC

True.

But, this case dates from 2011 until 2018 and is one of hundreds of cases winding their way through the legal gauntlet. Carpenter may not have had the absolute best lawyers money can buy or the financial resources to raise every legal point in the book such as the intricate parts of the Stored Communication Act and the...

June 24, 2018 10:45 PM

Oaf on Friday Squid Blogging: Capturing the Giant Squid on Video:

@Major @trsm
With GDPR cutting off the data-flow from Europe, the big-data miners have doubled their efforts to monetize those who are left unprotected.

With Google-built binary blobs, Chrome and Chromium are toxic regardless of privacy add-ons. Chrome's latest control scam is automatically downloading news articles (into tabs) that have their targeted ads. Yet many Linux distributions include Chrome - as the number of websites being supported by Google-Analytics increases.
I'm fed-up with news and product reviews which are increasingly restricted and biased, in that...

June 24, 2018 9:15 PM

Hmm on The Effects of Iran's Telegram Ban:

" because they participate in a much needed market force. "

Privacy isn't nearly the market force it ought to be. Maybe someday.

June 24, 2018 9:00 PM

Namagemo on Friday Squid Blogging: Capturing the Giant Squid on Video:

@65535

IMO, cell phone data (including location data) is declining in value ...

Now it's all about the photons. The cell phone data is (almost) trivial now, except as it is used to bolster photon based coordinates. Cell phones won't be needed very much longer even for that - a few more years at the most. The cell phone data is like the technology used by Sherlock Holmes, and the photons are more in line with today's TLAs.

Except that - all that photon stuff has been offloaded to the corporates. So, what do those TLA guys do anyway?

June 24, 2018 8:04 PM

Thoth on Friday Squid Blogging: Capturing the Giant Squid on Video:

@Clive Robinson

Re: TLBleed

I would prefer they use very high level language codes as well. A simplified markup or markdown language or something along the lines of batch scripts that you suggested might be useful and restrict the rest of the access.

I would prefer a stripped down version of markup/down languages to do the trick as HTML and Javascript are something familiar to most people. Instead of inheriting all the problems of Javascript and HTML, the form of the syntax can follow those but the essence would be different with more security focus.

I...

June 24, 2018 6:50 PM

Tõnis on Friday Squid Blogging: Capturing the Giant Squid on Video:

@Taz,

"Our Bill of Rights means exactly what it says. The idea that we must beg those judges almost monthly for rights already owned speaks volumes."

It's disappointing that on the various tech sites where discussions center around back doors the consensus seems to be that when government wants access to suspects' data anything is okay so long as there's a warrant. We are in the times when one must take matters of security into his own hands and not just expect that those acting in the name of governments will behave justly or honorably. Judges routinely rubber stamp all...

June 24, 2018 5:38 PM

Winston Smith on Friday Squid Blogging: Capturing the Giant Squid on Video:

@Taz

"Our Bill of Rights means exactly what it says. The idea that we must beg those judges almost monthly for rights already owned speaks volumes."

That pretty much sums it up for me too.

It's not that all individual rights come from government and only those first 10 listed in the constitution are given to the people as some politicians see it... nay, quite the contrary. These so-called "rights" are nothing more than restrictions on government's reach and authority, and all other individual rights were considered to have been granted by God at the time of its...

June 24, 2018 2:41 PM

Clive Robinson on Friday Squid Blogging: Capturing the Giant Squid on Video:

@ Thoth, All,

[Intel] do not care about security or they are deliberately creating holes (most likely a mixture of both) in their products.

There is a third option in that the hardware architecture is so convoluted that they "can not" do anything about it, other than rip it out and start again...

So on to "TLBleed" it is certainly a new attack method and one that in effect defines a new form of Cache based side channel.

But the interesting bit, the one that is also going to become "A Solstice day gift that keeps giving" is the use of AI....

June 24, 2018 2:27 PM

Taz on Friday Squid Blogging: Capturing the Giant Squid on Video:

Re: Winston Smith

I really want to believe government will obey the law. Seriously.


But it may be too late for myself (perhaps others). Have seen too much that I never believed possible. Always followed by a bullshit rationalization.....


Our Bill of Rights means exactly what it says. The idea that we must beg those judges almost monthly for rights already owned speaks volumes.

June 24, 2018 1:06 PM

MarkH on Friday Squid Blogging: Capturing the Giant Squid on Video:

Weaponized IoT

NY Times on Digital Tools of Domestic Abuse

"One woman had turned on her air-conditioner, but said it then switched off without her touching it. Another said the code numbers of the digital lock at her front door changed every day and she could not figure out why ... Internet-connected locks, speakers, thermostats, lights and cameras that have been marketed as the newest conveniences are now also being used as a means for...

June 24, 2018 11:00 AM

bttb on Friday Squid Blogging: Capturing the Giant Squid on Video:

From Snowden's Twitter feed:

Secret Origins of Evidence in US Criminal Cases
https://www.hrw.org/report/2018/01/09/dark-side/secret-origins-evidence-us-criminal-cases (with 296 footnotes)

"Judge: [I]f, you know, there was an illegal search … followed by a legal search, but that was only obtained because now that you had the illegal search, you knew something about [the case], that would be a concern to the Court.… And that is the fruit of the poisonous tree,...

June 24, 2018 10:35 AM

GregW on Friday Squid Blogging: Capturing the Giant Squid on Video:

@Alejandro
Chrome also tends to ignore your local /etc/hosts file on the Mac (which I've used to block certain sites) and use DNS. And newer versions no longer provide any way to turn this behavior off.

It remains utterly ambiguous in my eyes whether they have removed this user control for security purposes or self-serving anti-adblocking revenue ones. Or both. I personally am unhappy with the removal of control from me to them.

The effect has seemed somewhat intermittent in my experience.

June 24, 2018 9:02 AM

Alejandro on Friday Squid Blogging: Capturing the Giant Squid on Video:

@Major

Re:"...increasing annoyed by Google Chrome's incessant efforts to get me to log in..."

Chrome creeps me out. I tried to use it yesterday for a certain LAN purpose, thus blocking all connections to the WAN, but it persistently wanted to connect to two or three Google IP addresses regardless. Also, I've noticed Google Maps is not giving full results unless you sign in now.

I figure it's all part of the "If it's free, you are a target" syndrome.

Meanwhile, Google and all the other big players are getting HUMONGOUS multi-billion dollar contracts with...

June 24, 2018 8:26 AM

Thoth on Friday Squid Blogging: Capturing the Giant Squid on Video:

@all, Clive Robinson

Another reason to be fully skeptical about the security guarantees by Intel et al. and their products. They do not care about security or they are deliberately creating holes (most likely a mixture of both) in their products.

New variants of side-channel attack can cause keys to leak from CPUs and Intel seems to care less of doing anything to fix problems that people found.

Not surprisingly, Intel et al. products are gifts that simply keep giving infinitely.

Link:...

June 24, 2018 5:33 AM

65535 on Friday Squid Blogging: Capturing the Giant Squid on Video:

@ gordo

Re: historical cell phone location data v. Real-time cell phone location data and the criminal v. civil side of cases.

“Who knows! For example, Stingrays have apparently been around since at least the mid-1990s[1]. Their days (or rather years), however, may be numbered[2][3].”-gordo

I agree that we really don’t know. That is a big subject. Let’s carefully think about it.

This cell phone tracking and spying is a multifaceted problem that will take years to solve. We did not really know much about the extent of it for the last few years [say, since the...

June 24, 2018 5:07 AM

sark das on Security Orchestration and Incident Response:

AI's application in terms of military would enable the forces to carry out precision strikes with minimal loss of life; as AI matures further it would enable them to carry out maximum damage to the adversary with zero military losses, but a mountain of civilian casualties could be the possibility.

June 24, 2018 4:59 AM

Sancho_P on Friday Squid Blogging: Capturing the Giant Squid on Video:

re Carpenter vs. United States

Never heard of Gorsuch before, but in my opinion he got the basics right without the need of technical details:
The Third Party Doctrine, as argued e.g. by Orin Kerr, is simply wrong.
It seems by dissenting Gorsuch wanted to stress this fact.
Only a few will take notice:
It is too late to scrap the TPD. The 4th is dead.
With the 4th went our protection against exploiting our privacy by big business.
Why should LE have less access than business? Because they don't pay?

Probably it was the other way...

June 24, 2018 4:27 AM

Bob on The Effects of Iran's Telegram Ban:

@Telegram

As far as I know, Signal is banned in Iran, and I would not be surprised if it is banned in China and Russia now that they cannot count on domain fronting. As to why Russia bans Telegram, the founder of Telegram is Russian and a critic of the Russian government, which seems like a good reason.

@Hmm

I understand, but what I tried to say is that using the best method available, like the one Clive described, will not do a thing against fascist politics (except if you are an activist, maybe). Using the best method is good if you want to preserve your freedoms, liberty...

June 24, 2018 4:21 AM

gordo on Friday Squid Blogging: Capturing the Giant Squid on Video:

@65535

how “historic” records and “real-time” cell phone locations records will be defined and handled in both criminal and civil cases with this new SCOTUS decision.

Who knows! For example, Stingrays have apparently been around since at least the mid-1990s[1]. Their days (or rather years), however, may be numbered[2][3]. Given that, it's entirely possible that SCOTUS will never rule on the constitutionality of their usage by law enforcement.

Regarding mobile carriers, location data, aggregators, LEOs and federal agencies, with respect to the...

June 24, 2018 3:45 AM

Clive Robinson on Friday Squid Blogging: Capturing the Giant Squid on Video:

@ Bauke Jan Douma,

I'm not at all familiar with the life and times of John McAfee.

Boy have you missed out ;-)

But I also doubt that John McAfee is all that familiar with his "official" life, as he has been known to party very hard and be way way out of it one way or another when in Belize[1], where a neighbour died in odd circumstances and according to John the local "corrupt officials" decided it was him because they were told to...

It's not clear exactly which gangs and criminal enterprises he has rubbed up the wrong way at one time or...

June 24, 2018 12:16 AM

MrC on Friday Squid Blogging: Capturing the Giant Squid on Video:

@ Winston
@ (required)

Please take Anon's comment to heart. Gorsuch's dissent is only a "dissent" insofar as Carpenter failed to raise what Gorsuch thinks was the winning argument. The difference is down to lack of foresight on the part of Carpenter's lawyers (who should have been ready for "Let's throw out Katz; do you still win?" even under the assumption that Scalia would still be around).

Gorsuch sets out a rule that's more coherent, more likely to be applied consistently, and ultimately more protective of privacy than the majority decision.

This leaves...

June 23, 2018 10:18 PM

65535 on Friday Squid Blogging: Capturing the Giant Squid on Video:

@ Winston Smith

When stepping back and delving into Carpenter v. United States ruling it is a win for privacy advocates.

I am particularly encouraged that some of our top judges now see the effects of invasive digital devices and their omnipresent negative consequences.

Most lawyers and judges don't know the difference between a megabyte and a terabyte or the magnitude of the difference. They are still stuck in the megabyte era when that has long passed and we are in a terabyte to petabyte world. We are in a world where it is possible to map out the movement of most if not all...

June 23, 2018 9:40 PM

Hmm on The Effects of Iran's Telegram Ban:

@Bob

What Clive is saying is that he's obviously hiding something and is therefore supposed guilty
because he put pencil to paper rather than keeping it in his otherwise externally deniable mind.

I'm paraphrasing badly but he understands that I'm ribbing him to toughen him up for the real world.


June 23, 2018 8:58 PM

Tim Dellinger on Friday Squid Blogging: Capturing the Giant Squid on Video:

"Orlando International Airport to Scan Faces of US Citizens"

"Florida's busiest airport is becoming the first one in the nation to require all passengers on arriving and departing international flights, including U.S. citizens, to submit to a face scan"

https://www.usnews.com/news/best-states/florida/articles/2018-06-20/face-scans-for-international-travelers-at-florida-airport

Oh, boy. I wonder if they have a document...

June 23, 2018 4:54 PM

JG4 on Domain Name Stealing at Gunpoint:


I missed the two best pieces on the first pass:

https://www.nakedcapitalism.com/2018/06/links-6-22-18.html
...
The Billionaire Class is Not Fit to Rule – Paul Jay Real News Network. A fundraising pitch, but very good regardless. And if you are flush, TRNN is a worthy cause.
...
The man who was fired by a machine BBC
...

The story about being fired by a machine has elements of Robert DeNiro in the movie Brazil, Catch-22 and 1984 all mixed together.

We might...

June 23, 2018 3:53 PM

Margus on Kalyna Block Cipher:

I find it so amusing to see such hot discussions about whether one cipher is more secure than another, when EVERYONE knows, that ALL computers we use nowadays are compromised by Intel Management Engine or its equivalents. They have access to storage, memory, network - everything and that even when the computer is turned off. Especially convenient is AES, which is built into the chips - so you tell them to do the operation and please - here is the key.
The capabilities are there, we simply don't know whether they are being used or not.

So please, before going into...

June 23, 2018 3:28 PM

bttb on Friday Squid Blogging: Capturing the Giant Squid on Video:

Reality Leigh Winner, 26, was the first person prosecuted in President Donald Trump's war on leakers.
“Reality Winner to take a plea deal in NSA leak case”
https://www.ajc.com/news/national-govt--politics/reality-winner-take-plea-deal-nsa-leak-case/RZTSuqgFtagE9FEZ7VyN2I/
and
“VOTERS ACROSS THE country were shocked to learn last year, through the disclosure of a top-secret NSA document, details of an intricate plot by Russian military...

June 23, 2018 2:54 PM

bttb on Friday Squid Blogging: Capturing the Giant Squid on Video:

“Facebook Built A New Team To Spot Problems Before They Arise
Silicon Valley’s giants are looking for future crises before they happen.”

From https://www.buzzfeed.com/alexkantrowitz/facebook-hired-a-team-of-ex-intel-officers-researchers-and :

“In an attempt to spot vulnerabilities in its system before bad actors exploit them, Facebook has hired a team of ex-intelligence officers, researchers, and media buyers, and set them loose on its products....

June 23, 2018 2:15 PM

(required) on Friday Squid Blogging: Capturing the Giant Squid on Video:

@Winston

"Such a shame, though, that right vs wrong is obfuscated by conservative vs. liberal, left vs. right, the politics of identity and/or "political correctness", and other sensationalist, consuming arguments."

I can't agree with you more.

We're intentionally and forcefully distracted from the morality of these decisions.
Right / wrong are deliberately conflated by powerful gluttons for selfish purposes.
Whataboutism is a tactical version. Tribalism appeals to hungry troglodyte instincts.

It's a sobering realization that our societal...

June 23, 2018 1:35 PM

trsm.mckay on Friday Squid Blogging: Capturing the Giant Squid on Video:

Speaking of privacy, I have been meaning to post this for a while:

Omron Blood Pressure applications have no opt-out when it comes to uploading personal medical data to the web. They technically notify you of this collection, but it is hidden in the middle of a long privacy policy. They also collect GPS coordinates, a verified email address, and any other information that has been supplied. They require filling out fields like age, weight, etc. before the application will function (at least these can be faked), but also the app will not function unless GPS access is granted....

June 23, 2018 1:25 PM

PeaceHead on Friday Squid Blogging: Capturing the Giant Squid on Video:

Regarding these posts and discussions today:

In the year 2018, the FBI is not really the problem. This isn't cointelpro days.
They are typically part of the solutions. While I believe protecting dissidents is EXTREMELY important, protecting criminals and terrorists and corporate kleptocracy with cryptostego is really a bad idea and decreases security of the masses in terms of actual safety of livelihood and personal data.

Law enforcement matters and is important.
Sure there are plenty of bad cops, but surely NOT all.
There are many many fine...

June 23, 2018 11:59 AM

RG on Friday Squid Blogging: Capturing the Giant Squid on Video:

Purchasing Your Current Coordinates to Build Location Datasets

Analyst Rich Mogull of Arizona-based Securosis LLC said telecom providers track and sell location data as a matter of course, with a wide range of businesses including Google extensively attempting to compile location datasets on consumers.
"We are all tracked, all the time, primarily for marketing purposes, by such a large number of companies I'm not sure I would even know where to start the math," said Mogull.
Location data from Verizon, AT&T and other carriers makes it possible to identify the...

June 23, 2018 11:52 AM

bttb on Are Free Societies at a Disadvantage in National Cybersecurity:

Finally, two from emptywheel:

"Far more likely, Mueller is ensuring one of his A Teams — including Dickey, DOJ’s best cyber prosecutor — will be able to move on to more important tasks on the central matters before him."
https://www.emptywheel.net/2018/06/22/mueller-frees-up-the-troll-team/
and
"Amid the ongoing family separation crisis, I want to look back at something that raised a few eyebrows among the more generalized nausea at Trump’s behavior at the G-7."...

June 23, 2018 11:43 AM

Major on Friday Squid Blogging: Capturing the Giant Squid on Video:

I am getting increasingly annoyed by Google Chrome's incessant efforts to get me to log in to Google to manage my security, when of course not logging into Google is a key security decision. They especially do it on private windows. "Let us log all the information that you are explicitly avoiding sharing."

It's evil and fraudulent. I like some of what google does or did (the Go language for example) but the more they make these deceptive moves designed to ensnare the naive people who trust them the more I am ready to sign on to regulations that whack them and their data...

June 23, 2018 11:10 AM

Winston Smith on Friday Squid Blogging: Capturing the Giant Squid on Video:

@Clive, @65535, et al.,

"That will be put in place due in part to previous tricks such as making the border zone a hundred miles wide. Thus all records will still be taken but not "collected" and sorted such that non-US persons and those communicating with them will still be treated as though they are outside the USA so in effect "open season" on tourists and more importantly business travelers etc."

The Supreme Court's task was to define a ruling based on Constitutional law, and to a large extent its tenets are necessarily couched in idealism when considering its...

June 23, 2018 10:47 AM

Anon on Friday Squid Blogging: Capturing the Giant Squid on Video:

As far as dissents go, Gorsuch’s opinion was barely a dissent. He strongly implied he might have ruled in favor of Carpenter, if Carpenter had made a different legal argument in court, property based V.S. Katz based.

June 23, 2018 10:46 AM

bttb on Are Free Societies at a Disadvantage in National Cybersecurity:

@Usual
I enjoyed your post

Rat f?cking and elections is nothing new, of course. It is hard to predict, however, how rat f?cking will manifest itself in future elections. Big money (Mercers, Kochs, Putin, Fortune 10, and so on), intelligence (not stupid), or powerful technology (you name it), of course, can create formidable actors.

Turkey has elections tomorrow.
https://www.nytimes.com/2018/06/22/world/europe/turkey-elections-erdogan-opposition.html...

June 23, 2018 9:52 AM

bttb on Are Free Societies at a Disadvantage in National Cybersecurity:

Food for Thought ("'FFT'"), for example, from above
A) Goldsmith and Russel
B) Goldsmith

A) and B): no mention of either 'Cambridge Analytica' or 'Brexit', afaik, in either paper. Not noteworthy?

From A) an interesting reference. What would the consequences have been?:

"North Korea was reportedly one spelling error away from stealing $1 billion from the New York Federal Reserve in 2016.[25] ...
25 Sanger, Kirkpatrick, and Perlroth, “The World Once Laughed.”" presumably in reference to...

June 23, 2018 9:28 AM

albert on Friday Squid Blogging: Capturing the Giant Squid on Video:

"...Military planners should not anticipate that the United States will ever dominate cyberspace, the Joint Chiefs of Staff said in a new doctrinal publication. The kind of supremacy that might be achievable in other domains is not a realistic option in cyber operations...."

See: https://fas.org/blogs/secrecy/2018/06/jcs-cyberops/

No, I don't have time to peruse 104 pages of MIL-Speak either. Download it and save it for reference later.

The US-MIL usually speaks in more positive terms (and are...

June 23, 2018 6:18 AM

Bob on The Effects of Iran's Telegram Ban:

@Clive Robinson

Sincerely, all that information is valuable and interesting. The bad part is I don't see much relation between it and what I said, except for the first sentence, which clarifies our misunderstanding but does nothing more.

June 23, 2018 4:26 AM

Sancho_P on Friday Squid Blogging: Capturing the Giant Squid on Video:

@Winston Smith, re Carpenter vs United States

Good news, thank you!
This is the first time that law twisting non-techies got a corrective lesson regarding „voluntarily“ shared data (e.g. Orin Kerr, selling the TPD to his baffled students).
Also his shocking attempt to level human perception + memory and digitally stored data (http://www.scotusblog.com/2017/08/symposium-carpenter-eyewitness-rule/) is rebuked by this ruling.

Yes, 5 to 4 is sad, but I'm not sure if it's left vs. right or simply not understanding technology.
Should be a beginning, anyway.

June 23, 2018 3:19 AM

Clive Robinson on The Effects of Iran's Telegram Ban:

@ Bob,

I think I don't understand at all what you said... ...To me, it is an example of what I refer to with "the second".

It was your use of the word "tool", to most people tool is an object you use rather than something you do which would be a method.

Thus a pen is a tool and the method that uses it would be writing or drawing.

I assumed by tool you meant an object such as a physical device such as a token or an information device such as a piece of software.

To me the difference is important. A physical token or piece of software...

June 23, 2018 2:12 AM

Clive Robinson on Friday Squid Blogging: Capturing the Giant Squid on Video:

@ Winston Smith,

Finally, some good news regarding privacy in the USA.

For whom? I suspect there will be "exceptions for the non exceptional"...

That will be put in place due in part to previous tricks such as making the border zone a hundred miles wide. Thus all records will still be taken but not "collected" and sorted such that non-US persons and those communicating with them will still be treated as though they are outside the USA so in effect "open season" on tourists and more importantly business travelers etc.

@ 65535,...

June 23, 2018 1:55 AM

65535 on Friday Squid Blogging: Capturing the Giant Squid on Video:

@ gordo

I would like to agree with Jennifer Lynch's line, “...reset the parameters of the third-party doctrine for the digital age – or do away with it altogether…” should lean toward doing away with the third party doctrine altogether.

This so-called "third party doctrine" has been grotesquely stretched in the digital world to make it fit any situation the FBI to local police desire. It could be dangerous to civil rights lawyers' and reporters' physical well-being.

“…in order to access CSLI business records, held in what @Clive Robinson might call "surveillance time...


June 22, 2018 11:42 PM

gordo on Friday Squid Blogging: Capturing the Giant Squid on Video:

Last year, Jennifer Lynch, a senior staff attorney for the Electronic Frontier Foundation, wrote:

[T]he main challenge for the Supreme Court in Carpenter will be to figure out how to reset the parameters of the third-party doctrine for the digital age – or do away with it altogether....


June 22, 2018 11:12 PM

65535 on Friday Squid Blogging: Capturing the Giant Squid on Video:

@ Winston Smith

“Finally, some good news regarding privacy in the USA.”

I agree.

But, the news is not extremely good. I believe the SCOTUS decision is only about “historical” cell phone data location and not real time cell phone data tracking which leaves a large hole.

“…the majority at least left open the prospect that police might not need a warrant to get information about where someone was on the day that a crime was committed…Roberts emphasized that today’s ruling “is a narrow one” that applies only to historical cell-site location records. He took...


June 22, 2018 9:32 PM

Winston Smith on Friday Squid Blogging: Capturing the Giant Squid on Video:

@Required

http://www.scotusblog.com/case-files/cases/carpenter-v-united-states-2/

Kennedy, Thomas, Alito, and Gorsuch all dissented.

Politically, all are considered conservatives with the exception of Kennedy who generally follows the middle of the road.

Such a shame, though, that right vs wrong is obfuscated by conservative vs. liberal, left vs. right, the politics of identity and/or "political correctness", and other sensationalist, consuming arguments.

Mankind...


June 22, 2018 7:17 PM

Bob on The Effects of Iran's Telegram Ban:

@Clive Robinson

I think I don't understand at all what you said. To begin with, "as I have noted on this thread and several previously there are other scenarios". Is "use external "One Time" codes/phrases in what appears plaintext" an example of what you refer to? To me, it is an example of what I refer to with "the second".

June 22, 2018 6:47 PM

Winston Smith on Friday Squid Blogging: Capturing the Giant Squid on Video:

Finally, some good news regarding privacy in the USA.

"The Supreme Court handed down a landmark opinion today in Carpenter v. United States, ruling 5-4 that the Fourth Amendment protects cell phone location information."

https://www.eff.org/deeplinks/2018/06/victory-supreme-court-says-fourth-amendment-applies-cell-phone-tracking

There are still plenty of privacy/security problems to resolve in order to protect individual liberties, but this...


June 22, 2018 6:32 PM

Clive Robinson on The Effects of Iran's Telegram Ban:

@ bob,

The first scenario raises the standard, the second does not. I believe, in the long run, the second strategy is determined to fail at preserving your freedoms, liberty and life.

But as I have noted on this thread and several previously there are other scenarios so it is possible to preserve your freedoms, liberty and life, without using an application or physical technology of any privacy / security level at all, let alone one that raises some standard. And importantly do it without raising the suspicion of an observer hostile or otherwise. Which...


June 22, 2018 6:00 PM

Clive Robinson on Friday Squid Blogging: Cephalopod Week on Science Friday:

@ Bob Paddock,

Any insights here Clive?

As an engineer by training as I did not have the money to put myself through University at the usual age to become a scientist, I tend to make decisions based on what I can measure in a manner that is of experimental use.

As I tell trainee engineers and scientists, the most important thing they need to learn is "testing techniques": not only is it a fundamental part of the scientific method, but you do not learn anything new when things do not go wrong, or when you don't fix them when they do.

It's one of the...


June 22, 2018 5:10 PM

bob on The Effects of Iran's Telegram Ban:

@bruce

"It's interesting that the analysis doesn't really center around the security properties of Telegram, but more around its ubiquity as a messaging platform in the country."

If the point of the analysis is the negative consequences of state control, centering on the security properties of telegram would be beside the point, yes? Also, it would be read by many as "good riddance".

@Clive Robinson

"Yes I know good OpSec is a hassle but if you want to preserve your freedoms, liberty and life, you have to ask "Would you use anything less?"."

My...


June 22, 2018 2:47 PM

Petre Peter on The Effects of Iran's Telegram Ban:

Because in cities I trust systems more than people, corruption turns institutions into a form of reputation inheritance that ensures the passing of genes instead of knowledge. Just who has been behind the Telegram?

June 22, 2018 2:22 PM

Clive Robinson on The Effects of Iran's Telegram Ban:

@ Bruce,

It's interesting that the analysis doesn't really center around the security properties of Telegram, but more around its ubiquity as a messaging platform in the country.

The actual security of Telegram --which is weak anyway-- is mainly irrelevant to the users; it's the perception of security, real or otherwise, that more or less defines the usage.

For years Microsoft and others used ROT13 to hide information from view along with ":" colon extensions to create hidden files. Prior to that "Ctrl Z" to give false file endings in MS .txt files...


June 22, 2018 1:59 PM

Erasmus B Dragon on Domain Name Stealing at Gunpoint:

You can kill or rape someone in the US and be sentenced to less than 20 years.

What an f-d up world this is.

June 22, 2018 1:58 PM

Denton Scratch on The Effects of Iran's Telegram Ban:

Harrumph.

I think it's interesting to compare the way Russia's and Iran's attitude to Telegram is presented (argh censorship); with the way Western governments and IGOs have been leaning on TwatFaceTube to actively interfere more and more in user-contributed content (ho hum, too bad but clearly necessary).

Just sayin.

June 22, 2018 1:53 PM

Clive Robinson on Terrorists, Data Mining, and the Base Rate Fallacy:

@ Cochise,

It is to provide additional information,... retroactively,

That's why for years I've referred to Bluffdale etc. as a "Virtual Time Machine".

The real point though is to realise it has little or nothing to do with discovering "potential terrorists".

Its real purpose is to do with MICE on not just US but other nations' citizens. It's thus just a giant "blackmail" database to be used as and where, and more and more as the IC and LEO entities get the legislation they are chasing bit by bit.

We know this from the definitions they...


June 22, 2018 1:45 PM

albert on Algeria Shut Down the Internet to Prevent Students from Cheating on Exams:

Re: Students cheating on exams.

When I was a lad, students did try to cheat on exams, but we didn't have cell phones or calculators. You could use your slide rule :) And you had to show your work. Not many multiple choice questions, but lots of questions required lengthy, hand-written answers. Imagine the work teachers had to do to grade those tests.

'Showing your work' in math meant you needed to understand the -concepts- behind the various procedures you used to get the answer. Rote memorization of formulas can work, but I've always found conceptualizing is better. But...


June 22, 2018 1:19 PM

albert on Algeria Shut Down the Internet to Prevent Students from Cheating on Exams:

Algeria has government monitoring and control capabilities "baked in" to its Internet system.

"...ISPs responsible for the sites they host, and requires them to take “all necessary steps to ensure constant surveillance” of content to prevent access to “material contrary to public order and morality.”..."

(see https://en.wikipedia.org/wiki/Internet_in_Algeria)
Read the section in 'Surveillance and filtering'

So it's trivial for them to shut down the Internet.

OT, but interesting: Algeria...


June 22, 2018 12:40 PM

Clive Robinson on Thomas Dullien on Complexity and Security:

@ Noone,

So, replacing that by three different CPU architectures with three different SW architectures to build a voting system is a bit too far from reality.

Actually it's more dependent on the system requirements analysis than it is on anything else, like relative costs. That is, it should consider financial risk as a proportionate factor, which has had a very major shove since May 25th this year.

The fact that SOHO and home users have rarely done a full requirements analysis up to now is something that is likely to start changing over the next few...


June 22, 2018 11:47 AM

Cochise on Terrorists, Data Mining, and the Base Rate Fallacy:

The purpose of "signals intelligence" is not simply to discover potential terrorists proactively and out of the blue. It is to provide additional information, retroactively, about connections and contacts after other forms of intelligence (e.g. from human sources) have identified potential terrorists, or even after terrorist acts have been committed.
It's not as much about "monitoring", it's more about gathering and storage, for retrieval and examination at a possible later time, when it becomes relevant.

June 22, 2018 11:46 AM

Clive Robinson on Domain Name Stealing at Gunpoint:

@ Bruce, Even, me,

Speaking of illegal acts with regards to Domain Names, have you looked into what ICANN has been up to with regards to completely failing, despite well over two years' warning, to become compliant with the GDPR?

Apparently ICANN decided that a good prevarication approach, having been rejected several times by the EU, is taking legal action against a subsidiary of Tucows that is an Internet Register for ICANN and thus pays the supposed "non-profit" income.

The German court unsurprisingly took little or no time to reject ICANN's delaying tactic as it was an obvious...


June 22, 2018 11:41 AM

Major on Domain Name Stealing at Gunpoint:

The first thing I thought of was the faceless people who hold data of dubious accuracy about me, spreading it far and wide, and releasing key info that can be used in identity theft against me, collecting money all the while and having absolutely no accountability. They hold a gun to MY head. It's their business model.

June 22, 2018 10:51 AM

Petre Peter on Domain Name Stealing at Gunpoint:

Pointing a site under gun point seems like another form of dereferencing the pointer. What's the pointer? Forget about mice pointing the way and move to the right trackpad.

June 22, 2018 10:14 AM

me on Domain Name Stealing at Gunpoint:

@evan
>WHOIS simply provided some measure of accountability

Yes, but now that it is not visible to anyone it still does the same thing.
The only difference is that it is visible only to police on a specific, motivated request and not to just anyone.

>that accountability has become less relevant.

True... well, I think that Facebook runs the platform and "knows" who is behind any group: they have the IP, and police can ask Facebook for the IP, and the ISP for who physically owns that IP. But I don't know how police work, and anyway the fact that it is international slows everything down.

June 22, 2018 9:28 AM

Clive Robinson on Are Free Societies at a Disadvantage in National Cybersecurity:

@ Wesley Parish,

Shortly before the time of the fall of the Berlin Wall I happened to be in West Germany on business as part of work involving electronic locks for the hospitality industry. Chatting to a taxi driver getting me to the customer, I told him about the fears in the UK and US that the CCCP would "push back" against those nations allowing "free passage" to East Germans to the West. And the fear that if it happened there might be armed conflict by the West as a response, leading to larger conflict.

It turns out the taxi driver was an escapee from the east to west,...


June 22, 2018 9:23 AM

Evan on Domain Name Stealing at Gunpoint:

@me

I think the main appeal of WHOIS is simply that it provided some measure of accountability - it's somewhat harder to do a lot of nefarious things on the net if the information about who owns or operates a domain is open for all. But, of course these days there are ways around that. Furthermore, as the Internet has consolidated into fewer and fewer companies providing platforms for content instead of content directly, essentially creating another layer of abstraction, that accountability has become less relevant. You can know who Facebook is, but you don't know who's behind a...


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.