Recent Comments


Note: new comments may take a few minutes to appear on this page.

February 9, 2016 3:50 PM

jones on The 2016 National Threat Assessment:

> The consequences of innovation and increased reliance on information technology in the next few years

It's funny, the rate of technological growth is a policy matter...


> Devices, designed and fielded with minimal security requirements and testing, and an ever

Time for software product liability laws!

You'd think the Aurora zero day hack -- a hole in Internet Explorer -- would have been impetus enough:

The attack has been aimed at dozens of other organizations, of which Adobe Systems,[4] Juniper Networks[5] and Rackspace[6] have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley[7] and Dow Chemical[8] were also among the targets.

https://en.wikipedia.org/wiki/Operation_Aurora#Attack_analysis

If a car has a sticky gas pedal, we see product recalls... but if the software for the F16 is compromised... NOTHING!

Liability would slow the rate of growth, but then again, there are negative

> consequences of innovation and increased reliance on information technology


February 9, 2016 3:49 PM

Daniel on Large-Scale FBI Hacking:

https://www.washingtonpost.com/news/morning-mix/wp/2016/02/08/who-planted-drugs-in-the-pta-moms-car-upscale-parents-and-for-the-strangest-of-reasons

A sobering tale of what all the FBI apologists on this thread want to promote.

“They are both highly educated attorneys,” Peters’s attorney, Rob Marcereau, told ABC. “Went to top schools. They should know better. They believe they’re above the law — that they can do anything to anyone.”

The woman was lucky. Imagine if these people had been part of the security state. Then everyone would have been told to look the other way.

But let us be clear here. No child is born believing they are above the law. They learn that behavior. And they learn it because they get away with it time and time again.

February 9, 2016 3:46 PM

End of innocence on Large-Scale FBI Hacking:

@Johannes Sebastian
"I would not complain if such tactics were used on sites that promote violent revolution against the US or other countries, especially with groups like ISIS with a past history of standing by their preaching of violence. Nor could I complain much about similar severe cases, like this and related sex trade. Who really can?"

I guess we would not have US of A, if your tactics had been used by the British, oh, back in 1776. Just project the same tactics to 2025, or any other years in the future...

@Mission Creep
"4. When it all goes bad, and it will, the untouchables will regularly start planting material on the computers of people they don't like - framing them with impunity. It is a piece of cake for these guys to manufacture IP/MAC addresses and accounts that marry up with targets they intend to take down."

That's probably the ultimate goal for law enforcement; they will file charges and you'll have to prove that you're innocent. If you cannot, you're guilty as charged. You know, like they do in communist countries...

Never mind that the IP/MAC address does not identify a person. The FBI will know you did it, they have planted the evidence there...

February 9, 2016 3:42 PM

palm daniel on Hiring Hackers:

Have you guys checked this guy Amir Hagay @ theblackhatcreator000@gmail.com. Dude's totally the word hack. Does yahoo, facebook, gmail, hotmail, aol, twitter, instagram, snapchat hacks. Does bank jobs and credit card tops as well. He's doing paypal acct payments as well. Cashout every week. He's currently upgrading a nephew's school grade. lol. Top class hack tool he is.. Top secretive and discreet jobs... daniel referred you.

February 9, 2016 3:30 PM

Johannes Sebastian on Large-Scale FBI Hacking:

The actual quote is:

First they came for the Socialists, and I did not speak out— Because I was not a Socialist.


Then they came for the Trade Unionists, and I did not speak out— Because I was not a Trade Unionist.


Then they came for the Jews, and I did not speak out—Because I was not a Jew.


Then they came for me—and there was no one left to speak for me.

I think the posters equating pedophilia pornography with consensual adult - adult pornography; or, "socialist" and "jew" with "pedophile" and "sex trader" are actually probably serious, and genuinely cannot differentiate the differences.

Likewise with the poster that cannot differentiate between pedophile porn and normal, legal adult porn.

Both are painfully pretentious in their self-righteousness, yet clearly self-deluded about this. And both exhibit in their statements, behaviors which are endemic with people engaged in some really reprehensible behavior themselves.

Don't know any other sort of person who entertains really extreme self-righteousness like that.

100% negative indicator, zero false positive chance.

They embrace these attitudes because they don't just have skeletons in their closet. They have rotting corpses they badly need to hide the scent of. By embracing extreme self-righteous stances, this helps them do this, and is the only reason for anyone to embrace such absurd stances.

February 9, 2016 2:51 PM

Jesse Thompson on Large-Scale FBI Hacking:

@Terrence
> It's a lie. Pornography is a scourge, period.

You can't even *define* pornography though, can you?

If my wife and I snap nudes to trade with one another via MMS, is that pornography? If Miley Cyrus twerks her flat ass on cable TV is that pornography? Calvin Klein underwear advertisements on Billboards? Classic artwork: (NSFW) http://www.huffingtonpost.com/2014/01/16/famous-erotic-art_n_4598450.html ? The UK Sun's Page 3 girl? Tijuana Bibles? South Park / Family Guy / American Dad / Rick and Morty? (.. and have you seen their pilot?) Photographs from a clothing-optional beach? FHM, Maxim, today's Playboy, Yesterday's Playboy, Penthouse, Hustler?

Child pornography has a clear dividing line: children cannot legally consent to the activities being filmed, nor to the publicity of the filmed material. Therefore every viewer is not only a peeping tom, but peeping on one of the most horrific acts of violation of trust around: one that the subject, given time and experience, is inevitably going to suffer psychological harm from having publicized.

If I take a nude picture of myself, as an adult I have sufficient agency to consent to share this image with my wife, or with whatever audience I choose, and I can even sign a model release form to that end. I also have sufficient agency to calculate the risks of informational leakage, in case the images fall into unwanted hands.

So that's the line that we draw: consent to perform the actions in the image to begin with, and consent to publicize the event in the image. What line can you possibly draw to tell "any kind of pornography" from "any kind of rap music video"? :P

February 9, 2016 2:20 PM

ToCasey on Large-Scale FBI Hacking:

@casey: "For example, if any of the IPs belonged to FBI agents family members, the same process must be applied"

of course it is false, especially for rich families: otherwise, the plaintiffs may sue up to the federal courts and jeopardize the legality of the whole FBI methods.

February 9, 2016 2:07 PM

CJD on Large-Scale FBI Hacking:

Niemöller’s Modified Statement

In the US, first they skirted the law and came first for the pedophiles, but I didn't speak up because I wasn't a pedophile.

Then they skirted the law and came first for the sex slave traders, but I didn't speak up because I wasn't a sex slave trader.

Then they skirted the law and came first for the prostitutes, but I didn't speak up because I wasn't a prostitute.

Then they skirted the law and came first for the drug traffickers, but I didn't speak up because I wasn't a trafficker.

Then they skirted the law and came first for the major drug users, but I didn't speak up because I wasn't a major drug user.

Then they skirted the law and came first for the recreational drug users, but I didn't speak up because I wasn't a recreational drug user.

Then they skirted the law and came first for the activists, but I didn't speak up because I wasn't an activist.

Then they came for me, and by that time no one was left to speak up...

February 9, 2016 1:56 PM

Johannes Sebastian on Large-Scale FBI Hacking:

@Daniel

> Second, I object to the general principle that the people responsible for upholding the law can break the law in the process. I call this the "Freeh doctrine" because former FBI director Freeh was most adamant about its morality. It's bullshit.

I covered your other points in my new, initial two posts above. (I do not expect much, if any debate or criticism on my posts.)

On this, I absolutely hate corrupt cops and officials. There is nothing more reprehensible.

Knowing evil is much worse than ignorant evil. The person who doesn't know they did wrong is worthy of less punishment than the person who knows what wrong it is they are doing and said, "I will do good", but did that wrong. As is anyone entrusted with governmental power and authority.

So, we talk about serial killers as if they are more as zoo animals, but we really represent true evil with figures such as Hitler and the SS.

If Freeh winked at cop evil, claiming that no FBI could ever do any wrong, then he clearly was kissing ass to the troops and not a real leader at all. A democratic, of sorts, brown noser. One of the uglier sort of creations we sometimes find in democracies.

But, really, this is not the case in this case. It is surrounded by slippery slopes, but if a sex trade house was busted in real life, I do not think you would bat your eye. Problem is just this is virtual. Same ethics.


This is notwithstanding we have all witnessed, lately, some truly despicable arguments by some very corrupt officials using the worst of crimes to bypass and shortcut thinking, reasoning, and all morality to make arguments for boundless, dragnet, domestic surveillance.

Their arguments go, "Serial killers are the reason we need stingrays off the books", where they typically will go into great detail of horrific crimes. As if there is a line there between the horrific crime... and the crime they wish to perpetuate themselves. The simple minded and those incapable of reasoning certainly are waylaid by such argumentation. But, for everyone else, their tactics are transparently vile. As is revealed about their true character when they make it.

But, this, too, does not appear to be the case here.


February 9, 2016 1:43 PM

Johannes Sebastian on Large-Scale FBI Hacking:

Secondary issue:

Reading quickly through the comments reminded me of the issue which bothered me when I initially read of this case -- the fact that the FBI had to run a child porn site and so serve up child porn material for the matter of time they did.

I do not believe this was an issue of entrapment. We have seen that a lot recently in some very bad cases. Granted, I do believe that matters on the site and specifically on the likelihood someone visited the site intentionally to trade and engage in child porn.

But, this is a very ugly fact of child porn investigations, and there seems little way around that.

Nobody would shrug a shoulder if US intelligence compromised a valid foreign target site and used zero day watering hole attacks on it.

But, criminal authorities have a higher standard to uphold.

Primarily there is a good reason for this: while, yes, sometimes espionage does engage in manipulation works, usually it is pretty passive. Whereas with criminal investigations, that work is not passive, and it is routine to - shock - put people in jail for very long periods of time. Improper investigative methods can certainly put innocent people in jail.

There is little way to avoid this sort of investigation, however. I would not complain if such tactics were used on sites that promote violent revolution against the US or other countries, especially with groups like ISIS with a past history of standing by their preaching of violence. Nor could I complain much about similar severe cases, like this and related sex trade. Who really can?

This sort of method is actually far cleaner work than actually posing as a terrorist or pedophile, as well. The site would have been there anyway. They are effectively just observing - as ugly as it is - what is already going on.


February 9, 2016 1:33 PM

Johannes Sebastian on Large-Scale FBI Hacking:

I think it is fair for the FBI to operate a watering hole, zero day attack from a site so egregiously bad as a pedophile site, even if that means they just use one warrant to do so.

It can skirt the boundaries, as dragnet surveillance is a severe problem, and legislation in all related areas is extremely poor, but this seems pretty cut and dry. Largely because the likelihood of innocent people visiting such a site, which probably is on the darknet, is so extremely low.

Applying the same methodology to more mixed environments is a very different matter.

I do believe, for me, my major concern about such activities is their potential for abuse. Specifically in regards to abuse in having out of control authorities use surveillance technology to undermine the government, including undermining basic principles of the government. (Such as using dragnet surveillance against civil rights heroes or other "targets" that are absolutely not unlawful people or groups. Using dragnet and targeted surveillance to control domestic politicians and other VIPs and VI groups. Etc.)

Busting up a sex trade house in real life, nobody would have a problem with, and this is the equivalent.

Hiding stingray technology, having zero accountability for it, or using dragnet/watering hole zero day attacks on mass civilian, domestic populations on facebook? Not good.

February 9, 2016 1:20 PM

Terrence on Large-Scale FBI Hacking:

@Graham Anderson

I recall a National Geographic magazine article in which the descendants of cannibals were interviewed. They recalled how the Japanese occupied the N part of their island during WWII and they had witnessed the Japanese eating human flesh. When they were reminded their own ancestors had been cannibals they replied "yeah, but our ancestors cooked the flesh before they ate it. The Japanese ate it raw."

Death row inmates frequently compare themselves to one another - murdering someone is justifiable, but raping a child is not. Gang members murder a passerby in cold blood as a rite of passage, but lying to someone in the gang is unforgivable.

Most men think child pornography is bad, and say so because they know everyone will agree with them automatically. But "regular" pornography? Oh, that is OK because doesn't everyone watch pornography?

It's a lie. Pornography is a scourge, period. But don't think I don't know how many are addicted to it. That's why they'll scream like hell when someone tells them it's wrong. "Who are you to tell me I shouldn't look at pornography?" And then they'll want you to think they're a good person because they condemn child pornography. It's a lie.

The gov't? They can give you a dozen reasons why gambling is bad, but then they operate their own schemes to soak the poor under the guise of helping education. It's a bigger scam than Madoff.

February 9, 2016 12:59 PM

googleFacilitatesAbuseThroughTheirProcesses on Exploiting Google Maps for Fraud:

@Daniel
it is long past time that we nationalized Google.

It's already de-facto nationalized by the Alphabet Agencies

February 9, 2016 12:53 PM

e=mc2 on Exploiting Google Maps for Fraud:

@Bruce Schneier:
This is exactly the sort of market failure that government regulation needs to fix.

Can't this be fixed through "market action"?

E.g. that people stop using Google for this (and other) purposes?

Google has a long history of discontinued "projects" that they ended up shelving when it became apparent that they were not very popular (or that Google's implementation of the "service" was not all that great, or other reasons).

Like Google+, a good example of a zombie service. It's alive, but yet not really.

So they will discontinue this service as well if enough people abandon it.

Also, I could be wrong, but a problem with more government regulation is that it (by its nature) leads to explicit specifications that somehow (typically) need to be enforced by the government. This in turn leads to more taxation that is required to pay for the enforcement.

February 9, 2016 12:50 PM

Peter A. on Large-Scale FBI Hacking:

@B: "Entrapment is a practice whereby a law enforcement agent induces a person to commit a criminal offense that the person would have otherwise been unlikely to commit."

This may be the legal definition somewhere; but in my opinion it is not exhaustive, nor is it the only action that should be prohibited (and severely punished). "Fishing expedition" is another action that can be considered entrapment.

Let's do it the other way: try to define what is allowed, because that's the normal way of defining what government or its agents can do. "Sting" or "police provocation" or however it may be called in my opinion shall be only allowed:
1. Against an identified person or organization,
2. that is already strongly suspected of committing crimes repeatedly,
3. in case of serious crimes,
4. when other methods of obtaining strong evidence fail,
5. in the same area of criminal activity that's already suspected or for which there's insufficient and/or weak evidence.

So, for example, in case of suspected illegal trade in something really dangerous or heinous, it is OK in my opinion to set up a new false transaction with the suspected party in order to catch the already suspected perpetrators red-handed. It is not OK to set up a general false transaction offer to catch just any and all who show up - this is fishing, that is generating new crime just to have results in detecting crime. It is not OK to set up suspected dealer(s) to attempt committing a murder just to catch THEM for any reason - this is framing and entrapment in the "ends justify means" spirit.

That said, from what can be read from the article, the FBI definitely violated my rules 1. and 2. They haven't disabled new signups! They haven't even arranged to take action only against those that have actually downloaded or uploaded some CP; simply logging in was sufficient! This is clearly fishing. It is tantamount to, having seized a huge batch of whatever chemical substance is currently en vogue, cutting it into single doses and sending undercover officers to deal it in the streets, only to arrest anybody who just stopped by and talked to them!

The case also shows the weakness of judicial oversight in the USA and really immoral practices of the law enforcement. The FBI actively seeks the weakest links in the court system, approaching carefully selected, somewhat gullible, not technically savvy, low-order judges, just to have their papers rubber-stamped.

February 9, 2016 12:42 PM

BoppingAround on Friday Squid Blogging: Squid Knitting Pattern:

Clive,
> On ad-ware executive has publicly called the use of ad-blockers an
> anti-constitutional crime because in his view you are preventing his "free
> speech rights"

Whoa. That's some heavy BS. Their right to 'free speech' does not mean I have
to listen to them.

February 9, 2016 12:29 PM

Anura on Large-Scale FBI Hacking:

@Voglin

I agree, if government employees driving emergency vehicles that have flashing lights and sirens are allowed to run red lights, civilians driving emergency vehicles that have flashing lights and sirens should be allowed to run red lights.

February 9, 2016 11:49 AM

Nick P on Friday Squid Blogging: Squid Knitting Pattern:

@ Clive Robinson

re nukes

Pretty strange I had never heard of that one given the testimony from late 90's. Mind-boggling that only the film industry was allowed to know. This also reiterates that they'd kill many Americans for their military and political agenda. This is a point Americans refuse to swallow in discussions of conspiracies and so forth. Yet, federal and local governments have consistently shown a willingness to murder their own citizens... usually slowly... to achieve the goals of a few. This is yet another piece of evidence of that and more detail of our nuclear program.

re Wired

Well, it's a legit response given people know ads pay for the site. People want the sites to deliver their part without them doing theirs. Now, trying to dodge the ads for whatever reasons is fine. People just can't expect that would happen without industry responses. Turning off cookies led to Evercookies. Adblock increasing led to Fuckadblock. And the game continues.

I like the idea Google is testing where you subscribe to their ad network, which covers lots of ads, then it serves you your own ad whenever it sees you. So, you kind of pay into the existing system directly to avoid 3rd party stuff but without a new model like Patreon. Not sure if they've rolled it out further. Original reference was here.

@ Thoth

A browser written better would be nice. Haskell would be overdoing it as we're not sure how to secure Haskell yet. ;) Good architecture with a safer, imperative language plus the usual assurance techniques would be fine. As far as architecture, I think IBOS comes closest to what you're wanting, where the result is sort of an OS and a browser at the same time. Here's a list for those interested in secure browsers:

The DarpaBrowser

Note: Combex does capability-based security, came up with PowerBox's IIRC, and builds on E language a lot. Smart folks.

Designing and implementing the OP and OP2 web browsers

Note: Chrome was based on OP but weakened for performance.

The multi-principal OS construction of the Gazelle web browser

Note: Microsoft Research shows they got more brains than the rest of the company as usual. ;)

Tahoma - A safety-oriented platform for web applications

Note: Virtual machine approach that applies to entire web applications.

Trust and protection in the Illinois Browser Operating System (IBOS)

Note: From the same university as OP, IBOS aims to further reduce the TCB by eliminating most underlying code and mapping web abstractions directly to hardware. While I originally worried about that, the recent research on hardware/software combos might make such systems easier to secure given they're close to protection mechanisms.

So, y'all have fun with those. :)

@ Gerard

"I don't know but I do know that I won't be seeing a browser written in Haskell, Rust or whatever anytime soon (my choice of safe language would be Ada and/or Go btw)."

The "soon" part might still be true but there's effort underway: the Servo project. It's a Mozilla effort to write a browser engine in Rust. Results from that are feeding back into Rust itself. Then, there's links above you may find interesting where some focus on reducing or eliminating TCB while using and mediating unsafe components.

February 9, 2016 11:47 AM

Voglin on Large-Scale FBI Hacking:

@SAM

... it's generally lawful for ordinary citizens to use force in defense against direct violence against persons/property -- so too for police, under the same legal rules as citizens face.

If ambulances/cops/firemen can run red lights under 'emergency conditions' -- then ordinary citizens should have the same legal waiver for 'emergency conditions'. All should face the same legal/judicial risk of any false use of the 'emergency conditions' waiver.
It is fundamentally wrong to have different traffic laws for different persons.

If the FBI agents permitted the illegal porn site to continue operation when the FBI had direct control of it -- then they were accomplices.. that is a direct violation of the law and dereliction of duty.

February 9, 2016 11:40 AM

{ continue; } on Large-Scale FBI Hacking:

Agent 1: "..just doing my job. All I did was put a round in the chamber."

Agent 2: "..just doing my job. All I did was position the barrel."

Agent 3: "..just doing my job. All I did was pull the little bitty trigger thing."


I am reflecting on Attkisson's description of how well the gov't controls employees by merely hinting that their retirement benefits are at stake. I think that is how the Communists controlled the Church in Soviet Russia - they put the priests on a stipend. And that is how politicians win elections, if they can succeed in frightening the retired into believing their opponent intends to cut their Social Security benefits.

February 9, 2016 11:19 AM

{ continue; } on Large-Scale FBI Hacking:

@65535
Read about operation "Fast and Furious" gunrunning by agencies including the FBI that deliberately placed weapons into the hands of Mexican cartels, ostensibly to penetrate the organizations. Agents screamed don't do this. They did it anyway. It was only a matter of time before one of our own was gunned down by one of the weapons. Many cynics now believe the intention was ultimately to create a link between gun sales in the US with violence in Mexico. They believe there is a lot of other evidence to support their assertion the WH would do anything to control guns in the US. In other words, the road to Hell is paved with good intentions.

February 9, 2016 11:17 AM

Daniel on Large-Scale FBI Hacking:

First, I think that what happened here legally is an old-fashioned "general warrant" which is illegal. Nick Weaver tries to solve this problem by saying he would staple the database of users onto the back of the warrant, but that doesn't actually solve the problem because the 4A requires a particularity analysis not only in regards to what (the IP address) but also in regards to who. I realize that this is an area where people can and do disagree, but I object to it for the same reason I object to red light cameras. It is abusing the innocent in order to capture the guilty.

Second, I object to the general principle that the people responsible for upholding the law can break the law in the process. I call this the "Freeh doctrine" because former FBI director Freeh was most adamant about its morality. It's bullshit. For one, it creates a real "who shall guard the guardians" problem that we have consistently seen out of DC, with those guardians abusing their power whether that be spying on Congress (the CIA) or FBI people looking up data on their spouses to get ammunition for a divorce. Second, it creates an entitlement mentality that is scary. Police shoot people and then take the 5A in case they get charged with murder. So it becomes next to impossible to hold them accountable for their actions.

The FBI engaged in the knowing distribution of child pornography. The distribution of child pornography is illegal. So the FBI broke the law. When the legal authorities can break the law and not be held accountable their authority does not rest on morality but brute force. Might makes right--it's not illegal when they do it.

February 9, 2016 11:12 AM

Mission Creep on Large-Scale FBI Hacking:

What have we learned?

1. "One warrant to rule them all". Expect that under DOJ lead that this behaviour is/will become the norm. The days of specific warrants are over - fitting the new Police state model.

2. Feds will happily host kiddy porn material - facilitating a disgusting crime no less - to get their bad guys. The ends justify the means kind of stuff you have come to expect from cowboy cops in Hollywood movies.

3. The Internet is one big honeypot and all is fair game under the new model. The surveillance state demands no limits on their behaviour, thus, laws will be adjusted to fit the new paradigm they seek.

4. When it all goes bad, and it will, the untouchables will regularly start planting material on the computers of people they don't like - framing them with impunity. It is a piece of cake for these guys to manufacture IP/MAC addresses and accounts that marry up with targets they intend to take down.

5. Judges will sign off on anything and remain clueless to the implications due to their lack of technological know how. Like secret courts, Judges will continue to rubber stamp anything and refuse to comment after the fact. This probably stems from dirt files they have been handed in the recent times to remind them of their patriotic duties, much like the scum-bag politicians who just can't wait to sign off on any new Stasi laws with gusto. This is not a coincidence.

6. If the feds will host kiddy porn for weeks and infect 1000s of computers at a time, then parallel construction is also highly likely to be par for the course, especially since proving it is nigh on impossible.

The Internet and government institutions are all broken beyond repair. Nobody is answerable to the people anymore - perhaps they never were. The disordered thinking of the intelligence apparatus reminds me of that guy out of Enemy of the State:

Thomas Reynolds: We never dealt with domestic. With us, it was always war. We won the war. Now we're fighting the peace. It's a lot more volatile. Now we've got ten million crackpots out there with sniper scopes, sarin gas and C-4. Ten-year-olds go on the Net, downloading encryption we can barely break, not to mention instructions on how to make a low-yield nuclear device. Privacy's been dead for years because we can't risk it. The only privacy that's left is the inside of your head. Maybe that's enough. You think we're the enemy of democracy, you and I? I think we're democracy's last hope.

February 9, 2016 10:59 AM

Daniel on Exploiting Google Maps for Fraud:

I agree that regulation is not the right answer but that is because I believe it is long past time that we nationalized Google.

February 9, 2016 10:59 AM

Anonymous Cow on Large-Scale FBI Hacking:

...only provides sufficient information to identify the computer and user...

Computer yes. User not always assured; a computer set up with one account could have more than one user. And if the IP or MAC address belongs to a gateway or router and not a PC or other device then identifying the user gets trickier. Did the FBI hacks include activating any attached camera to snapshot the user? Or any attached microphone to record and voiceprint the user?

February 9, 2016 10:53 AM

sam on Large-Scale FBI Hacking:

@Voglin

> If something is illegal for an ordinary citizen to do -- then it MUST also be illegal for a government person to do. Otherwise, you have established a privileged class of citizens above the law (unequal) -- and lost the fundamental rule of law in a society.

Yes, we need to rein in abuse of power in law enforcement. But no, your general statement is a farce. You'd have ambulances unable to get to emergencies because ordinary citizens aren't allowed to run red traffic lights. You'd have police unable to use force *of any kind* because for a regular person that'd be assault.


The problem isn't that the FED left the site running - it'd then be a pretty standard move to get warrants for the 1,300 connecting IPs - TOR and VPNs and proxies aside - the issue is that they deployed NIT.

February 9, 2016 10:46 AM

B on Large-Scale FBI Hacking:

What Nicholas Weaver said. Also, with respect to the question about "60000" users - as I understand it it was not simply logging into the site that caused your computer to be infected. You had to first log in to the web site (with a name so creepy I won't type it) and then click on the picture of an underage kid to access the CP downloads. In fact one issue raised by a defendant was that the picture you clicked on went from "actual CP" to just "super creepy picture of a child about to be abused." The judge was unmoved.
Also, entrapment: you keep using that word, I do not think it means what you think it means. "Entrapment is a practice whereby a law enforcement agent induces a person to commit a criminal offense that the person would have otherwise been unlikely to commit." By allowing the server to run the FBI certainly was complicit in the distribution of CP, but they hardly entrapped anyone. The users already had accounts, logged in, and clicked download. All the FBI did was keep the lights on and keep track of the people who downloaded CP.

February 9, 2016 10:38 AM

Voglin on Large-Scale FBI Hacking:

Equality-Under-the-Law is the issue here -- everyone in the U.S. should be equal before the law, including all government employees... especially law enforcement personnel.

If operating a child porn website is illegal, then it is also illegal for persons carrying an FBI badge. "Sting" operations with police performing illegal activities should be totally banned & prosecuted wherever they are found.

If something is illegal for an ordinary citizen to do -- then it MUST also be illegal for a government person to do. Otherwise, you have established a privileged class of citizens above the law (unequal) -- and lost the fundamental rule of law in a society.

Of course that's exactly the current American situation -- government law enforcement persons are explicitly & de facto exempt from many laws that are vigorously enforced against everyone else.
Tyranny is the political term for it.

February 9, 2016 10:38 AM

Nicholas Weaver on Large-Scale FBI Hacking:

To defend the FBI here for a minute.

I, as a technology savvy person who probably understands what is going on as well or better than the FBI agent writing the warrant application, if I were the judge, I would sign this warrant with the possible addition of "staple the user database to the back", since every single user meets a probable cause criterion, plus there is also a corresponding wiretap order on the site, and this is how you get the necessary information for a proper wiretap: the identity of the other communicating party.

Additionally, the NIT used is remarkably non-intrusive. Although it does have to exploit the target's browser, it doesn't just do an arbitrary search but instead only provides sufficient information to identify the computer and user. Thus although the search does touch a lot of computers, it doesn't search a lot of data on each computer.

Finally, it's not like the FBI can use this trick arbitrarily: Although this was before Tor got really aggressive on auto-updates, now it pretty much takes a zero-day to pull off, and every time you use an 0-day you risk it no longer being valuable. So the FBI is not going to use this technique very often, but only in very limited contexts (such as child porn on Tor) where the risk/reward is sufficiently high.

February 9, 2016 10:25 AM

Mailman on Data and Goliath Published in Paperback:

"It's to maximize revenue. At every step, there are people who would rather pay more money and not wait"

Makes sense. Like with movies that first come in theaters, publishers start by selling the most inconvenient medium first, at a premium, and hold the more practical options for later.
With that thinking though, you'd think they'd also wait a few months before releasing the EBook version, instead of it coming out at the same time as the hard cover.

February 9, 2016 10:12 AM

Malleus Veritas on Large-Scale FBI Hacking:

There is a line between a sting and entrapment, and this is awfully close to the line, if not over it.

We have laws against entrapment for a reason. We prohibit general search warrants for a reason. And that reason is the potential for abuse. Our founding fathers knew all too well the dangers of unrestrained executive powers. We forget their lessons at our own peril.

The police are a necessary watchdog for our society. But we must never forget that dog is a vicious animal that can turn on its master in a second, and it needs to be leashed and muzzled so that it doesn't wind up doing more harm than good.

February 9, 2016 10:08 AM

Cyberpocalypse Horse on Large-Scale FBI Hacking:

On its face this appears to be a general warrant. Seems the FBI got antsy and decided to skip a few steps. They should have collected the logins and locations, as they did, then proceeded to get warrants (1,300 of them) for the offenders, not rely on the single warrant for all 1,300 offenders, after they obtained the needed PII.

February 9, 2016 10:03 AM

Mark on Large-Scale FBI Hacking:

So if the government runs such sites it's legal? That doesn't sit well with me. I know that they want to catch people, but they're helping people download (and hence distribute) horrific material.

Yet more of Americans attempting to re-write the English language. What are these bullshit "network investigative techniques"? The term isn't even close to what it means.

And a single warrant?

February 9, 2016 8:25 AM

65535 on Large-Scale FBI Hacking:

Child pornography is certainly a vile crime.

But, I really don’t like the idea that the FBI hosted said child pornography videos and vile images on their own servers for some time – increasing the number of Child Porn views or hits [and arrests]. I also don’t like the idea of a judge signing a warrant for mass groups of unknown individuals, which allowed a hacking of said individuals’ computers.

What will be next? Will the FBI take over a 'Silk Road' style drug site and continue to sell drugs from the FBI’s headquarters? Will the FBI again use a bulk warrant to hack individuals’ computers to boost their drug arrest stats? That would be bad policy.

I believe Clive mentioned a similar type of Child Porn sting in the UK that really did not work out well [Clive can give us the details on that one].

February 9, 2016 8:24 AM

Gerard van Vooren on Friday Squid Blogging: Squid Knitting Pattern:

@ Thoth,

A browser built from the ground up with security mechanisms like internal software firewalls and correctness checking created using Haskell for its core (probably compiled to a verifiable C language or executable) would be a good step forward.

If I remember correctly in 1999 Microsoft had 1000 people working on IE6. They beat Netscape simply by manpower. The problem with browsers is that a browser is an OS on its own. There are so many protocols and file formats (and they keep on coming) that it's just impossible to make something that comes even close to Firefox, Chrome or IE, no matter what language it is written in.

Okay you say, then just use a subset of the web or even create a new one. Well, who is using that web in that case? It's a chicken and an egg problem. What can be done to solve this problem? I don't know but I do know that I won't be seeing a browser written in Haskell, Rust or whatever anytime soon (my choice of safe language would be Ada and/or Go btw). And even the safest browser doesn't solve bugs in protocol specs.

February 9, 2016 8:24 AM

casey on Large-Scale FBI Hacking:

What happened to the remaining 60000 users-- did the FBI serve the materials in good faith to the paying members? There must also be a way to ensure that all 1300 collected IPs got the same justice. For example, if any of the IPs belonged to FBI agents family members, the same process must be applied. I am less bothered by the fact that 1300 events were addressed with one document than I am about the secrecy in the next steps taken.

February 9, 2016 8:14 AM

Camilo on Large-Scale FBI Hacking:

@ M@: While you might think it "seems legit", the "seems legit" does not constitute a formal or specific criterion, let alone a legal rationale. Nor should it.
The vagueness of what "seems legit" is precisely what Bruce is pointing to as what requires transparency and oversight, and the fact that any of us gets creeped out by pedophiles and the mere spelling of the name of a website like this, shouldn't stop us from thinking and reviewing any action taken out of mere disgust or contempt.

February 9, 2016 7:56 AM

M@ on Large-Scale FBI Hacking:

While the near-warrantless hacking of 1300 presumably-American computers seems pretty unwarranted (punny, I know), keeping a trap site running and trolling for [ab]users seems legit.

February 9, 2016 7:54 AM

ianf on Friday Squid Blogging: Squid Knitting Pattern:

@ Thoth rhapsodizes over […] “a browser built from the ground up with security mechanisms like internal software firewalls and correctness checking created using Haskell for its core (compiled to a verifiable C language or executable)… security measures to control attempts to do direct resource access attacks… security plugins to easily spoof HTTP headers, scan incoming network traffic, script blocking and script spoofing to bypass aggressive anti-script block measures to force users to lower their browser's defenses would be highly desirable. Control of cookies … and cookie sanitization.”

There is such a browser, it's called Pipe Dream, and it works wonders. Unfortunately, it doesn't fit in its developer parent's company intent to continue being a part of the business community, which sees end-user customers (here of any browser) as just one of many revenue streams on which businesses depend to maximize their profits. Because, let's face it, all these security extras that make Pipe Dream such a fast, end-user-friendly (indeed, user-protective) browser, are highly unfriendly to derivative third-party abuse. So the Pipe Dream browser remains a pipe dream, while the competent independent hardware and software-capable hackers keep dreaming up ever newer, clever, theoretically safer ways to do business—if only there was a tool to do it with.

February 9, 2016 7:24 AM

Thoth on Friday Squid Blogging: Squid Knitting Pattern:

@BillW
Qubes is a good "Secure OS" to use but the problem is the use of the Xen hypervisor, and Xen has not been very clean in terms of security nor built with security from the core, but after all that is one of the more practical "Secure OS" options in terms of availability for now. A better hypervisor technology built with security in mind from the Genode project would be a very good option for them to look into.

February 9, 2016 7:16 AM

BillW on Friday Squid Blogging: Squid Knitting Pattern:

I've started switching my browsing machines to Qubes. Browsing from a disposable VM with user agent randomization and optional VPN and/or Tor seems like it should be pretty good.

Cheers

BillW

February 9, 2016 6:52 AM

Thoth on Friday Squid Blogging: Squid Knitting Pattern:

@Clive Robinson, Nick P
Wired was on my reading list (as a respected site I visit) but I simply click the (X) button and it's gone :).

Why not do the reverse instead. We don't need someone to throw their problems and weight around. There are better technology news sites out there besides them.

I discussed with @Nick P a while ago (probably last year)... or maybe my memory has lapsed (I wonder)... a higher assurance web browser (albeit the locked down state it presents).

Switching OSes to command line terminals running off an Arduino or RPi running a microkernel wouldn't be here for a while and not many people would tolerate running news readers on black and green terminal consoles off a security microkernel OS with some command line news reader.

Trying to get chips to do it right is even harder as there are too many things and too many resources in the chip business so that's another area that's hard to get in and get right.

What is probably left on the table for now for the rest of us is using the utility around us and some higher assurance techniques like application and code firewalls, microkernels and readily available consumer ARM chips (hopefully with security stuff like ARM TrustZone or SecurCore). Of course if you guys have the 1970s or 1980s old chipsets that are still working, all the better but the fact is not many of us have them.

A browser built from the ground up with security mechanisms like internal software firewalls and correctness checking created using Haskell for its core (probably compiled to a verifiable C language or executable) would be a good step forward. Adding security measures (i.e. no direct memory or filesystem access) would make it easier to control attempts to do direct resource access attacks that most browsers are not designed to protect against. Additional security plugins to easily spoof HTTP headers, scan incoming network traffic, script blocking and script spoofing to bypass aggressive anti-script block measures to force users to lower their browser's defenses would be highly desirable. Control of cookies by binding cookies to their issuing website and not allowing other websites to request any other cookies other than theirs (unless allowed by owners) and cookie sanitization and other forms of sanitization would also be highly desirable.

The better method is to personally segregate different access methods according to a military style of security (Restricted, Confidential, Secret, Top Secret) in a personalized way and to have a computer for each level of security but this would be very difficult to manage and very difficult to implement for ordinary users so I guess for now, the better method is cleaner code with security baked right into the core.

February 9, 2016 6:33 AM

hoodathunkit on Data and Goliath Published in Paperback:

Off thread :

Analyzing individual caucus voters in Iowa, their behavior and their friends, by tracking their cell phones. The CEO says it's all OK because it's "anonymous" tracking.

http://www.usatoday.com/story/news/politics/onpolitics/2016/02/08/company-tracked-iowa-caucusgoers-phones/80005966/#

"Dstillery [formerly Media6Degees], which has not worked with political clients, mainly sells targeted advertising to large companies, including Microsoft, Citibank, Comcast and Verizon."

February 9, 2016 6:15 AM

Stephen on Exploiting Google Maps for Fraud:

Aside from the deceit of charging more than their quote, businesses where the service is mobile often try to appear local.

Our local newspaper would have classified advertisements for the local locksmith, plumber, electrician, etc. All had the same area code on their phone number. When you looked through the listing you would avoid the unfamiliar area code because you knew they were from across town.

Having a free call phone number solved that. You could appear local, advertise locally, but get customers from anywhere in a larger area without scaring them away by having a distant area code.

The twist here is that the advertisers are gaming the system. Pay for your AdWords by Google instead of gaming the "crowd sourced" map listing. Blacklist the cheaters until they bid their way back in.

February 9, 2016 5:57 AM

dj on The Internet of Things Will Be the World's Biggest Robot:

Anyone see: The Machine Stops - https://vimeo.com/6299587

- What will be the useful life of these Internet of Things?
Whereas a toaster previously lasted a decade or two, an IOT-toaster will last, if you are lucky, 5 years?

- How much will it cost to repair, or will it be "cheaper" to get new?

- Do we have an IOT-recycle plan, or will these end up in the landfill?

- How will they ensure the device is secure (hacker-proof)? Will we now have monthly bills to maintain our IOT-toasters?

- Will the IOT-devices spy and record data in our homes? Will they have a backdoor entrance for admin? Can we access them to maintain them? Will tech support be in India?

- Will driver-less cars work in snowy winters? If there is an accident, who is responsible? If hacked, are we responsible? How will this impact our insurances? Rather than driver-less cars, why not just invest in mass transportation?

- Will we own the IOT-devices?

"...John Deere and General Motors want to eviscerate the notion of ownership.

In a particularly spectacular display of corporate delusion, John Deere—the world’s largest agricultural machinery maker —told the Copyright Office that farmers don’t own their tractors. Because computer code snakes through the DNA of modern tractors, farmers receive “an implied license for the life of the vehicle to operate the vehicle.”

It’s John Deere’s tractor, folks. You’re just driving it."
http://www.wired.com/2015/04/dmca-ownership-john-deere/

- Our utilities use 1-way AMR that sends once a day. They are investigating 2-way so they can send signals to the house too.

http://stopsmartmeters.org/

- Will we never have quiet in our homes with IOT-devices? Are there health concerns with RF radiation? If your house has the "collector meter" in the "Smart Meter Mesh Network", thus receiving more radiation exposure, will it be required to be documented in the property records so potential buyers can opt whether they want the exposure risk?

- There was an article written up in Nuts & Volts magazine about a guy who hooked up his chicken coop (using coopboss) so the lights & doors could be operated via smartphone. Ahhh... getting back to nature ;-)

Glad someone is thinking about this.... Department of Technology Policy!

February 9, 2016 4:42 AM

Academic on Data and Goliath Published in Paperback:

I prefer paperbacks because they're more comfortable to hold/read whereas hardbacks are better for longevity. Most people only read this type of book once (it's not a reference book) so a paperback is, in my opinion, more suitable.

I've put off purchasing books before because there has been no paperback in publication.

Nowadays I prefer to read books electronically on my iPad mini because it's:

- far lighter than a conventional book
- stores multiple books/volumes
- pages don't become detached
- easier/more convenient to carry around
- has an integrated dictionary (by just tapping a word)
- more secure (for when reading sensitive work documents)
- good in low-light conditions
- adjustable font size / background colour (e.g. 'paper' effect)
- multi-purpose (have music playing in background etc.)
- easy to annotate PDFs

I wonder how much longer the traditional publishing industry has left considering the advancements in tablets and e-readers.

February 9, 2016 3:36 AM

doctor slock on Friday Squid Blogging: Squid Knitting Pattern:

Hotmail and Outlook are down for users across the world ATM. Some users said they got a message it was attacked and to reset passwords, some just to reset passwords, and some can't connect at all.

Another marvellous transition care of Microsoft.

February 9, 2016 1:45 AM

r on Exploiting Google Maps for Fraud:

@moz,

You make me wonder if some of these entities aren't operating outside of their DBA. In my state you either need a state LLC I believe (certain cases may require a PLLC) or a DBA per county of operation.

At least that's how I understand the DBA rules, the LLCs I'm not too sure about.


@Joe K,

I would never search for a trained equipment wielding locksmith on the same site that people purchase prostitutes and stolen merchandise from: I don't care how long I've lived here. If a real business can't afford real advertising or a real listing I'm certainly not going to pay someone on Craigslist who simply claims that they can. There's absolutely no review system there and thus one would likely be far better off with "Angie's List" for things like this.

To be fair, I buy, sell and advertise on CL from time to time myself... But the best advertising I've seen is word of mouth and in all fairness I have seen some insane custom concrete and solo'd stamp work... even what I assume is shotcrete/gunite done on the LOW... So maybe with the right presentation CL wouldn't be an immediate NO but they would require one hell of a web presence, references, business card, portfolio, etc. Not just some lame white van with vinyl stickers or magnets on the side.

February 9, 2016 1:38 AM

Tim Bradshaw on Data and Goliath Published in Paperback:

Well, if you buy a book a week, the saving is $500/year, which is not nothing, especially if you're a student or something (in particular it's about 28 $18 paperbacks). Other people have mentioned that paperbacks are more pleasant to read for many people: they are also easier to carry with you and, significantly, they use less shelf space. I suspect that shelf space might cost more than books do in some cases.

February 9, 2016 1:26 AM

Clive Robinson on Friday Squid Blogging: Squid Knitting Pattern:

Is Wired losing the plot?

Wired is apparently tired of maybe 20% of readers visiting their site having "ad-blockers" on, thus they are going to throw the toys out of the pram and you either pay them $52/year or whitelist their site,

http://www.wired.com/how-wired-is-going-to-handle-ad-blocking/

The problem is they "don't get it" as to why many of the 20% have ad-blockers. It's not "the better browse speed experience" nor is it "the less interfering visuals" that make people use ad-blockers.

No... The term "ad-blocker" is a term promoted by the advertisers to somehow depict their victims as being the "anti-social" ones. One ad-ware executive has publicly called the use of ad-blockers an anti-constitutional crime because in his view you are preventing his "free speech rights"... Rather than the truth that he, like most criminals, wants to break into your private domain, steal your energy, bandwidth, CPU cycles and any PII he can get his thieving fingers on to enrich himself at your expense.

Ad-blockers are not "anti free speech" they are "anti intrusion" technologies to defend a user from digital theft and worse. They are very much the equivalent of Anti Virus and other Anti Malware technology.

But it gets worse, the definition these people use for "ad-blocking" is very broad... Don't have JavaScript enabled for good and proper security reasons? That's classed as ad-blocking. Similarly other very high security risk software such as Java, Flash and even Adobe Reader.

What these people are saying is that you should be as insecure as possible so that they can steal from you to their hearts content.

Wired are not alone in wishing to support "criminal enterprises" at your expense; other more popular online systems have tried less intrusive methods of paywalling and are now turning them off because readers left in droves.

The one that made me laugh was hearing about the UK's Telegraph owned by the "Evil Duo" Barclay twins, they not only want you to pay a subscription to use their p155 p00r site, they have just stopped those who have subscribed from viewing unless they allow the "Evil Duo" to steal the subscribers' resources as well.

What these "you can't use ad-blockers" people don't realise is that they are kicking off a war of attrition for which there will be only one eventual loser "them".

What will happen is that those who write the security software that stops the illegal advertising intrusion will simply find a way to make it appear to the website detectors that the ads are not being dumped. This will escalate just like the old ECM / ECCM / ECCCM technical war and at each stage the reputation of these websites will go down, the users will decrease, and at some point either the site owners will wake up to the fact they are slowly committing suicide or they will succumb to their self inflicted wounds. It is at the end of the day their choice to live or die by what they do.

Scumvertising is a "dead man walking" business model, they chose at various times to use increasingly criminal acts to make money. Because the authorities chose not to respond effectively, as in the "Old Wild West" people have started to protect themselves against these "Robber Barons" and drive them out of town. The Barons may not be happy but they only have themselves to blame...

There are other revenue raising methods that work, that don't hurt your reputation by aligning yourself with the criminals. Perhaps the Wired management should think about how to go about implementing them rather than continue the "gallows walk" as "partners in crime" to the Scumvertisers...

February 9, 2016 12:09 AM

Clive Robinson on Friday Squid Blogging: Squid Knitting Pattern:

As some readers will remember I occasionally warn about "resource wars" and the unexpected effects they can have. The two I normally mention are "energy" and "rare earth metals". And I've repeatedly mentioned that people should keep an eye on what China and Russia are doing in these resource wars and how they use them politically.

As you might also be aware some have been shall we say "sceptical" of resource wars and how they affect politics.

Well somebody has finally written a readable book on the subject of rare earth metals and their economic and political effects that you might find an enjoyable read. However rather than just give the details, I'll give a link to a review of the book,

https://literaryreview.co.uk/unobtainium

February 8, 2016 11:49 PM

Clive Robinson on Friday Squid Blogging: Squid Knitting Pattern:

@ Nick P,

Based on things you've said before I think you might want to add this one to your link farm,

http://www.imaging-resource.com/news/2013/02/26/not-so-secret-atomic-bomb-tests-why-the-photographic-film-industry-knew

I know it sounds mind boggling that a Gov would do that sort of thing, even back then, but recent comments about the Flint water supply make the point that it's still going on big time if your local area does not have big corporate muscle etc. to keep the elected honest.

February 8, 2016 10:05 PM

Clive Robinson on Data and Goliath Published in Paperback:

@ Bruce,

It's to maximize revenue. At every step, there are people who would rather pay more money and not wait.

The first point is correct, if you only count "publisher revenue" as few authors benefit from hardback pricing.

The second point of "who would rather pay more..." has a dark side to it as I've mentioned before.

There are some people who can "not wait" such as Law and Research organisations, who are in effect compelled to purchase the latest books at any price a publisher cares to ask for. I used to be lucky in that I got pre-publish copies "for approval" so that they would get included in citation databases etc. I was involved with.

However one or two "academic publishers" who shall remain nameless have caught on to a nice little scam. It's "short run publishing" of very expensive hardback books for University etc. libraries. They scour published paper sources for "fresh meat" researchers and cold-call them about writing a book. What the book is does not really matter as long as it can be produced quickly and sold as "shelf space filler" to research libraries at 300-500USD/book type pricing. The books are never produced in quantity because they are only designed to get money out of library and research budgets.

The scam works for a couple of reasons, modern publishing methods can produce books in very very short runs economically (runs of 10-50 are very profitable) with, in some cases, single copy reproduction being quite viable as can be seen by some "self publish" Internet sites. Secondly "fresh meat" academic writers will write a book for in effect "free" just to have a book on their CV. When you consider the cost of making such a book is maybe 10USD each but a few hundred can be sold at 300USD profit each, that's over 60,000USD income for the publisher for very little work, and one "sales rep" can do twenty such books a year, that's a nice little income of over 1 million USD/year per rep...

If the rep gets lucky there are "student editions" that can be milked as well where the same book gets sold in a slightly different cover in course volume of 50 or 100 book lots to a University book shop for 2000-5000USD profit per course lot...

It's a nice game for the publishers currently. But not for the academic authors or the research budgets or student pockets. Which is why one or two academics are "going it alone" with their books, it will be interesting to see how it goes.

February 8, 2016 9:58 PM

k15 on Exploiting Google Maps for Fraud:

So Google could charge a few bucks for a "Paid Business" variant, that has a photo of shopfront with the business name on it, and the business license #? And mark these differently, on the map?

February 8, 2016 7:33 PM

James on Exploiting Google Maps for Fraud:

Regulation might help but one problem is that regulators sometimes err so giving them the power to fine or close down businesses might prevent people from doing business with providers of their own choosing. Another problem is that people might be stuck with some regulator with standards that don't meet their needs.

A workaround for the first problem would be for the regulatory agency in charge to have no enforcement authority but let the agency give out certificates saying "After careful consideration, even if we could shut down XYZ locksmith corp, we wouldn't." People who trust regulators would gain the full benefit of regulation because they could refuse to do business with anyone not in possession of that certificate.

An added benefit of not requiring enforcement powers is that it also takes care of the second problem. Since it's perfectly legal for anyone to give certificates, anyone could start up a competing certifying organization at any time if the government-run regulator didn't do a good job. People who find government regulators more credible than private sector regulators could still rely on the government-run regulator but no one would be forced to if they preferred not to.

February 8, 2016 7:21 PM

Magnus on Exploiting Google Maps for Fraud:

"who've been a thorn in the Internet's side for over a decade"

That is really rich coming from Google.. a thorn in the side of Google's business model of exploiting mass amounts of free labour is more accurate.

February 8, 2016 7:15 PM

Bruce Schneier on Data and Goliath Published in Paperback:

"the movies are also distributed in multiple steps. Theaters, VOD, DVDs, then finally on air."

It's to maximize revenue. At every step, there are people who would rather pay more money and not wait.

February 8, 2016 6:51 PM

ianf on Friday Squid Blogging: Squid Knitting Pattern:

ADMINISTRIVIA posted FOR THE RECORD—others IGNORE (3k text)

Long story short: yesterday at 08:50 AM, one hitherto unknown Horte Pueblo posts a two-liner about some unheard of raccoon intestinal worm being a bioterrorism threat.

I read the referenced Wikitext, quote from it, declare it "hardly a tool for bioterrorism," and compare to the threat represented by the uncontrollably self-spreading zika-virus.

Soon I am being admonished by the worrywart to pause to think before posting, then lectured on the worm (no more bioterrorism though); decried that I probably am "an AI annoyance bot" (why, thank YOU!), and invited to “lick around various raccoon latrines and experiment with the results,” presumably because nothing beats HP's empirical knowledge of that. The excremental ad hominem arguments signal directly that he's a head case rager with no case. Case closed.

Only signal not to all… because Bob Paddock then pounces on this ready opportunity to argue with part of my Wikipedia quote, that it doesn't apply to his experience with “treatment of Plague and Anthrax with Fluoroquinolone Antibiotics Levaquin, Cipro etc,” some of which, treatments or antibiotics, may or may not have contributed to the premature death of his wife, there links aplenty. In whose name and memory he now raids various blog fora to spread his own omnidirectional rage at the pharma industry. Or something to that effect, don't ask me, because I have my own pet causes to promote, only not in this forum.


Another poster, Godel, then points out that stipulated "human ingestion of worm-contaminated soil of feces" does not "sound like a promising infection method for a bio [never mind terrorist] weapon."

For that s/he earns a "Shill" badge, as said HP is unable to face any form of criticism. This is followed by direct—am pretty sure wholly unrequited—ass-kissing [feces et al?] of Clive and Nick P, whose "otherwise thoughtful commentary, worthy of being compiled into a sellable book" so contrasts with Godel's and mine presumably thought-devoid ones. I kid you not.

Then HP throws the entire range of bio threat buzzwords known to him at us: cultivation; formaldehyde; weaponized prions by the bushel; even a politically-correct madwoman hatching a plot, no doubt no less devious than the CIA-released whooping cough in Tampa Bay in the 1950s. The original charge of a bioterrorism weapon (in the form of appetizing lickable raccoon latrines) no longer rates a mention, not even in the concluding disclaimer of "responsibility for his suspicions." NOTED.

Meanwhile Bob Paddock rants on, while the unpronounceable "r" entity decodes him more or less correctly to be a link farmer. Farm on, only elsewhere.

BTW, if anyone comes across remaindered book bins with those Clive's and Nick P.'s ETERNAL COMPILED BLOGPOSTS, give us a holler.

February 8, 2016 5:53 PM

Clive Robinson on Data and Goliath Published in Paperback:

I buy hardbacks out of habit.

Back when I first had sufficient disposable income to buy books there was a very marked difference in quality of hardbacks over paperbacks. It was not just in the quality of binding, but in the paper stock and print quality. So that is where my preference for hardbacks came from: the higher quality of the product.

Some several decades on I look in my dead tree cave at books from back then. Whilst the hardbacks are still usable as books, the paperbacks are most definitely not. The paper in the paperbacks has decayed, and gone brown and very brittle almost like Autumn leaves; the glue in the binding has become at best gritty dust and pages just fall out. The paperbacks cannot be repaired or easily preserved, whilst some of my early hardbacks have been repaired and rebound --by me-- and whilst not in daily use still get regularly used as reference material.

If you want either type of book to survive, the first lesson is "clean hands" or cotton gloves, and don't ever lick your fingers... it's just plain nasty when you think about it. Second lesson is never ever lay an open book flat, irrespective of whether it is hardback or paperback, nor carry it open. Don't under any circumstances write in them, underline sentences or paragraphs, use postit notes or sellotape to add marks, or worst of all fold pages. As for those who write in books with ink pens or fold corners over to mark their place, they should never be allowed near a book ever again.

When you take a book with you "be nice": put it in a clean cotton cloth bag to protect it from other items in your "carry bag" such as shopping or hard items like keys, phones, netbook/pad computers and other dirt and detritus of everyday life. Further, don't allow books to get too warm or cold, too damp or dry, and most definitely keep them out of sunlight. And try not to let them get contaminated by tobacco smoke, spicy food vapour or crumbs/grease or spilled tea/coffee etc etc. Either store them flat in small piles or standing upright on their ends supported in a book case. Never ever allow them to lean over at an angle even for a very short time as this will damage not just the covers but the spine as well. If they have floppy disks or optical media these are best removed and kept separately, because both they and books emit vapours that are harmful to each other. Likewise do not cover books in "stickyback plastic"; like sellotape it's dreadful stuff and does real harm to a book's longevity. Likewise don't use those PVC clear plastic loose covers... And never ever put paper in as a mark that has been through a laser or inkjet printer or photocopier, as time and pressure transfers the "ink" to the pages in the book.

If you do these simple things, then there is a good chance your books will outlive both you and your children, and possibly pay for your great grandchildren to be educated to a standard you would find acceptable.

As for hardback "dust covers", look after them carefully; judging by current old book prices they can be worth three quarters of the selling price on rare books if they are in good order...

February 8, 2016 5:41 PM

moz on Exploiting Google Maps for Fraud:

The regulation that's needed is criminal law and the government intervention needed is to enforce it. I don't see why that should be exciting or controversial. This is large scale fraud.

The problem is that since it's diffuse fraud the individual people who should be reporting it don't care enough and the people that they could be reporting it to don't realize the scale if they ever do hear of it.

Basically this is the criminal version of the problem that class action lawsuits were designed to handle. There is something wrong with the idea that if I steal $10,000 I'm a big criminal, but if I steal $5 separately 100,000 times then nobody cares, but it's completely true.

February 8, 2016 5:19 PM

Tracking Your Own Internet Surveillance Instantly on Friday Squid Blogging: Squid Knitting Pattern:

A Great Traceroute Tool Maps the Cities Where your Data Travels
Canada is having second thoughts about The Five Eyes membership in Violating Canadian Citizens Privacy Rights
https://www.ixmaps.ca/tour.php

My data goes through TeliaNet/Telia Sonera Europe and
VERSATEL Versat... in Germany

Does not look good!

February 8, 2016 5:13 PM

tyr on Friday Squid Blogging: Squid Knitting Pattern:


@CallMeLateForSupper

Found this in the Krebs post comments:


"Mr. Freeze
February 8, 2016 at 5:40 pm

Probably not a big deal in a home setting. In a corporate environment energy savings can be significant if you can do climate control over the internet. It also can save maintenance staff a trip out to the workplace on the weekend if someone is there or an event is going on and room temperatures need to be adjusted."

I can't think of anything more wonderful for a corporate
entity than having their building thermostats open a
huge hole into the corporate networks. Maintenance will
love the idea right up to the point their job disappears
because of the data hemorrhage.

Just exactly how are the Security personnel supposed to be
able to secure things when every randomly selected change
of things beyond their control introduces new vulnerabilities
and undermines any basis of maintaining safety?

It might be interesting to see how many of these are in the
Fort Meade complex or have been installed in GCHQ as new
wonderful money savers.

February 8, 2016 3:59 PM

Sara P. on Data and Goliath Published in Paperback:

I had to buy the hardcover so you could sign it at Defcon this last year! :) I considered it well worth it. I have most of your other books in hardback. I tend to prefer either hardback or electronic. Hardbacks just hold up better.

February 8, 2016 3:31 PM

John Macdonald on Data and Goliath Published in Paperback:

I almost never buy hard-cover books. Often I look at the hard cover and decide to wait for the softcover. Sometimes it is many years later before I happen to think of it again. There are book series where I have lost track of which ones I am waiting for and just give up on. I wonder if the publishers really gain enough from the people who buy it in hardcover just because the softcover is not available yet to make up for the sales they lose completely, even at the lower price. Unfortunately, they probably do - treating customers obnoxiously usually has a profit motive behind it, and that motive is not always unjustified.

February 8, 2016 3:22 PM

Jan Willem on Data and Goliath Published in Paperback:

Although I prefer to read a physical book, and I agree with Mark that a softcover is more comfortable to read, I am glad that I bought the Kindle version. Now I was able to take this book, together with some other ones, in my hotel room and during my holidays.

February 8, 2016 3:07 PM

Mike Totman on Data and Goliath Published in Paperback:

I find softcover books more comfortable or convenient to read, that's why I prefer them, it's not the cost. Perhaps that's why they sell better?

February 8, 2016 2:51 PM

Mailman on Data and Goliath Published in Paperback:

This is something I have never quite understood with the publishing industry. Books often come out in hardcover first, and only later in paperback format.
I don't really see the point of having two editions with different cover rigidities, but if publishing houses insist on offering that choice, why not release them at the same time?

February 8, 2016 2:44 PM

Anonymous Coward on Exploiting Google Maps for Fraud:

As a related aside, the reviews on Google Maps have required careful use for some years now. Massive numbers of fake reviews exist. Their style is distinctive and they tend to cluster on whomever has paid for them; if you see a business with say 100+ reviews and 5 stars, and all the reviews are one paragraph long, reasonable English and capitalize each letter of the company name - that's a business to avoid like the plague.

You need to find the business which has five or ten reviews, tops, about four stars, where some of the reviews are clearly written by semi-illiterates ;-)

"YEAH ITSS GOOD I went there top marks Steve"

Actually, getting back to the original problem, I think a significant factor now in all of this is the ongoing absence of a viable, widely accepted and zero-effort to use micropayment system.

February 8, 2016 2:39 PM

Anonymous Coward on Exploiting Google Maps for Fraud:

> This is exactly the sort of market failure that government regulation
> needs to fix.

I am of the view in general that State regulation is always or almost always worse than no action.

We have in the mind a fantasy of the "right" regulation being enacted, whatever that is, and that it will have and only have the desired effect.

This is *never* so, in either respect.

I agree fully Google basically can't care, because they bear no economic loss. The basic problem then is that users are using a free service. If the service was paid for, the provider would care, and the service would be so much higher quality. If people *wish* to use a free service, and continue to wish this since the cost of paying for such a service is greater than the fraud they bear, then it is their free choice to do so - and this seems to be the outcome. What's really needed are better customers :-)

February 8, 2016 1:51 PM

Johannes Sebastian on NSA Reorganizing:

I have pondered this a bit here and there since it came out. I was going to point out how maybe it is 'much ado about nothing', but read the WP article before posting and saw this:

“When it comes to cyber in particular, the line between collection capabilities and our own vulnerabilities — between the acquisition of signals intelligence and the assurance of our own information — is virtually nonexistent,” said Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee. “What is a vulnerability to be patched at home is often a potential collection opportunity abroad and vice versa.”

This is a horrible idea, and a terrible understanding of the nature of security vulnerabilities. I hope this is his own, uninformed, unadvised opinion.

If you find a security vulnerability in an application, that does not mean it is an opportunity for hacking. It means that - very likely - someone else has already found that security vulnerability. Very "possibly" is a better term than "likely".

Further, when you use such attacks, there is a strong possibility the attack could be detected and then the attack could be used by the target.

It is akin to discovering your local airport has an open door with easy access to the airfield. Or that your local water treatment plant has a physical vulnerability in it. Maybe, on Friday nights, you discover an area local teenagers have been using to go and smoke pot there. Where terrorists could find the same spot and throw who knows what into the water.

Or, if you are inspecting your house before a vacation and discover you forgot to close a front window.

Literally, such parallels have to be made, because for whatever reason the abstract concepts otherwise do not make it into the brains of those who do not work around these matters on a regular basis.

So, if NSA hacks Russia with vulnerability X in Android and Apple OS, and Russia detects that, then Russia might swing around and hit the very same systems across the US.

Or, if NSA hacks a well organized terrorist group like ISIS, they might turn around and hit up the whole world with it.

Or, if this scenario was not ISIS or Russia, but the mix of them, North Korea.

And who makes Android, but Google, an American company. Who makes iOS, but Apple, an American company. The mandate is to protect, not leverage weaknesses of companies to engage in espionage.

In software security the ever pushing challenge is vectors like "time to fix".

TTF. It even has an abbreviation and is used in *any* software shop which is competent.

The faster the company knows about the vulnerabilities, the quicker the company can get it fixed. And you do not want to be against that. If anything, as an auditor, you want to force them to get off their hineys and get to work and fix it.


Why is the NSA auditing code, for that matter? Because it is mandated for code which runs on DoD systems, that is why. It is not a mere friendly gesture. It is a military focused defensive gesture.

A good example of sabotage there might be when the US and Brits got a line in the telco traffic of East Germany, but a mole in British intelligence told the East Germans about the *vulnerability* and the East Germans used that to tamp the damage and send time and resource wasting disinformation attacks against them. The entire operation ended up being self-destructive.

Another good example is when a Japanese cult integrated themselves into positions of contracting for their government and put backdoors and other destructive code into military code. You may recall that cult. They were the ones who released sarin gas in a packed Japanese subway some years before.


What can DoD software vulnerabilities end up doing? Taking over drones, is one bad scenario. Disengaging GPS defenses on any manner of air traffic, is another. Opening backdoors into core military networks, is yet another. But the list here could go on and on.


So, bad idea from this level.


On the good idea level, sure, they could use all of that vulnerability data to tune and enhance systems designed to find vulnerabilities for purely offensive nature.

That would be incredibly valuable. More good, strong sample sets, for any such system, as people might be able to imagine, the better.

And, fact is, for vulnerabilities which are critical but also very difficult to find and exploit, that is the sweet spot they want. Very likely, they will have to keep those very difficult to find and exploit vulnerabilities away from being fixed so quickly.

Logically, if you have intelligence relying on vulnerabilities for signals intelligence, that would have to be done. And it is very difficult to argue that - placed right, done right - there is not a legitimate need for that.


February 8, 2016 12:36 PM

Joe K on Exploiting Google Maps for Fraud:

Am a little surprised to see an article about an online tool for finding local services make no comparisons (pro or con) with craigslist.

Lead gens have their deepest roots in locksmithing, but the model has migrated to an array of services, including garage door repair, carpet cleaning, moving and home security. Basically, they surface in any business where consumers need someone in the vicinity to swing by and clean, fix, relocate or install something.

I have no idea how widely used craigslist is, globally. But my impression is that it is, in the US, a pretty much bog-standard tool for finding precisely that sort of service.

Craigslist itself is not without problems, scams, etc. But a comparison would have been informative.

February 8, 2016 12:22 PM

CallMeLateForSupper on Exploiting Google Maps for Fraud:

@Robert Walter

The typical link gen supplies you with a (more or less) local person who might or might not know what she is doing, who might or might not be bonded, and who you cannot check out ahead of time. And while the typical link gen. often advertises a not-necessarily-excessive price, the responder is free to charge whatever she thinks she can extract from the hapless caller.

The hapless caller should share the blame; it's not all on the link gen. miscreants and their associates. That said, mankind would be better off if the hammer of Thor were to fall on every unscrupulous business.

"[...] do they claim google maps have wrong address data ..."

That could come into play, perhaps, but I haven't seen it raised in this context.

Google does mismatch locations/street addresses very often. Yesterday I searched "locksmiths in" and specified a random town in a random state. Looking at the marked site in Street View, I saw a closed super market and empty parking lot. I know it was a super market (or was in the past) because the large sign in the lot said so. The photo included in the link showed another view of the empty parking lot and lifeless market, but it was so tiny that one could not read the sign. Had I found a scam location? No (darn it!). The actual, brick-and-mortar store, a little cube reminiscent of 1-hour photo shops of decades past, was further down the block.

Link gens do compete with local businesses. There is no question.

February 8, 2016 12:11 PM

Rare Presentation from NSA Tailored Access Operations Leader on Friday Squid Blogging: Squid Knitting Pattern:

“NSA tiger teams follow a six-stage process when attempting to crack a target…”

Doughnut Coffee & Facebook
“At the end of the day it all boils down to knowing your network, he said, and it’s vital that IT administrators pick up their game and get PARANOID about attacks.”

Snowden Reality
Ironically the crazies are the critics of tin foil hats… LOL!

Stingrays in War Zones or Stopping Addictions
Might I suggest military commanders and intelligence agencies ban personal cell phones from all premises? New Motto: Radio Silence Saves Lives!

http://www.theregister.co.uk/2016/01/28/nsas_top_hacking_boss_explains_how_to_protect_your_network_from_his_minions/

February 8, 2016 11:34 AM

paul on Exploiting Google Maps for Fraud:

@Robert.Walter:

The fake location means that they appear on your map when you look for a business near you to help you with your lockout (or other problem, now that the technique is spreading to other fields). Then, when they ultimately arrive, they can use common social engineering techniques to get you to pay more than the advertised fee. Sure, you could tell them to take a hike, but then you'd still be locked out, in the company of an annoyed criminal, and with no guarantee that anyone else you called using information from Google maps would be legitimate.

February 8, 2016 11:30 AM

Clive Robinson on Exploiting Google Maps for Fraud:

@ Bruce,

This is exactly the sort of market failure that government regulation needs to fix.

Whilst it is without doubt one form of market failure (that economics itself fails with, hence the "Internet market problem"), is regulation the right answer?

To decide this you have to look at: what the perceived problem is; why it is perceived as a problem in the specific case; but also whether it will still be perceived as a problem in the more general case; further, whether it is always a problem that can be easily identified and clearly and specifically codified.

A failure or ambiguity on any one point, history has taught us, is going to give rise to bad legislation that will be poorly or selectively applied and thus will cause more harm than good.

Then the what and how of remedies available under the regulation enabling legislation. After all, whilst a 10,000USD fine will kill small honest organisations, dishonest organisations will never attend court or pay fines; they will just morph into a different name/business/area and carry on without hindrance. Whilst large organisations will just see it as another tax on operation and work a deal or way around it...

Thus you have to be clear of thought and action at every step of regulation otherwise it will fail to do much more than become a pile of paper or weapon of favouritism in the hands of authorities. Neither of which will achieve what those calling for regulation intended.

February 8, 2016 9:45 AM

Robert.Walter on Exploiting Google Maps for Fraud:

How does the fake location of a "local" business that will come to my house work against me?

Is it that over time real local businesses will be squeezed out, thus leading to an extra charge for mileage, or do they claim google maps have wrong address data and thus already claim a surprise mirage surcharge?

February 8, 2016 9:34 AM

Winter on Exploiting Google Maps for Fraud:

@Andrew
"You had me until the last sentence. This is the kind of thing that should view government regulation only as a desperate last resort."

I mistyped. I wanted to say "no use to me". I have never sued anyone in my life. And we did cancel the booking.

February 8, 2016 9:27 AM

CallMeLateForSupper on Exploiting Google Maps for Fraud:

I caught this very story at BoingBoing yesterday morning.
https://boingboing.net/2016/02/06/superb-investigative-report-on.html

In that article Doctorow references an article he posted in March 2014:
https://boingboing.net/2014/03/31/google-maps-spam-problem-pre.html

I want to say, up front, that I do not use Maps at all, preferring Earth. Nor do I search Earth for businesses, because I discovered early on that the feature was not ready for primetime; too many inappropriate "hits". Example from yesterday: search for "locksmiths" in my area coughs up an "NNP"(Neonatal Nurse Practitioner); a collision repair; a small grocery; two dentists. 'Nuf said.

Two of the "locksmith" hits had the same name, Minute Key Inc., were one block apart in buildings that I recognize as Walmart and Lowe's (a home improvement). Some investigation explained this: Minute Key is a self-serve, key duplication machine. Definitely *not* a locksmith.

Another "hit" also piqued my interest because of its location: my local U.S. Post Office. Does a USPO rent space to a locksmith? Not this one. The business's listed address is the p.o.'s street address plus a "Suite" number. Translation: p.o. box. The search "hit" includes a web site link and a photo of the business's site. The photo of the site is so small that one cannot see the foot-tall letters "United States Post Office" engraved in the facade. The copious text on the web site aims to inspire confidence but fails, for three reasons that I won't exercise here.

Yes, as long as persons continue to click on search results, Google makes $$ and has little incentive to clean up its ad business.

February 8, 2016 9:05 AM

India Tech Successfully Fights American Bias on Friday Squid Blogging: Squid Knitting Pattern:

Another One Bites the Dust

"Critics of India’s Facebook ‘Free’ Basics, which had been suspended while the regulator's consultation was continuing, include many of India's leading technology entrepreneurs, with activists describing it as a 'poor Internet for poor people'.
The TRAI's ruling was a clear victory for net neutrality advocates, who seek to prevent companies from restricting access to the Internet, with the regulator saying it had been 'guided by the principles of net neutrality'.
It added that it sought 'to ensure that consumers get unhindered and non-discriminatory access to the Internet'."
https://news.yahoo.com/india-regulator-deals-blow-facebook-internet-row-114811286.html

Facebook, Google, and the other Internet titans have ever more sophisticated and intrusive methods of mining your data, and that’s just the tip of the iceberg:
http://www.thedailybeast.com/articles/2016/02/08/scary-new-ways-the-internet-profiles-you.html

February 8, 2016 8:51 AM

Jon on Exploiting Google Maps for Fraud:

Untrue claims work just fine for Scientology (and pretty much every religion), and given that one major fraudulent firm (who had most of the accused flee the country) was based in Clearwater, Florida, one is inclined to wonder about their branching out for profit.

A criminal conviction is great - If you can find (and grab) the criminal.

In short, Paul, that's fine, unless there's an organization dedicated to obfuscating everything and concealing the accused.

If the Mafia springs to mind, that may not be a coincidence.

J.

February 8, 2016 8:48 AM

paul on Exploiting Google Maps for Fraud:

For some resources, open access simply isn't workable. The cost of creating map spam is probably already sinking to the cost of sending spam email. And the size and composition of the user community isn't sufficient for crowdsourcing verification. (And you don't want the change/deletion step to be too easy, or that will just mean everybody defacing their competitors/enemies/etc.)

In the Old Days, the Bell System (mostly) solved this problem by charging real money, having a secondary hook into advertisers, and having people who could verify the information in question directly.

February 8, 2016 8:34 AM

Paul on Exploiting Google Maps for Fraud:

Isn't there already a law against making untrue claims in order to profit? Could the businesses or people in question be prosecuted for Fraud for their false claims about their location - particularly in the context of the other dodgy practices in the article?

A civil claim for fraud would not get much for each offence, but surely a criminal conviction could lead to more severe penalties?

February 8, 2016 8:30 AM

r on Exploiting Google Maps for Fraud:

The experience I have with Google correcting data: in this case, about a local catering and butcher shop, Google took the position of it being the shop owner's responsibility to fix the incorrect map data... Now that may be a separate case due to it being a separate service, but the shop owner himself had expressed frustration to me about trying to get them to correct the data prior to me trying to assist them in that manner.

Either way, I was not impressed with Google's handling of the situation.

February 8, 2016 8:26 AM

Terry Green on Exploiting Google Maps for Fraud:

I agree with previous posters, regulation sounds like a broken record. And what if they don't care? Someone near me had CCTV of someone breaking into their house and stealing their stuff but the SJ police wouldn't do anything.

Have you noticed how retailers hijack any search term entered into Google? You could search almost anything like spent nuclear fuel rods and WalMart will pop up. But they don't sell any. That's a form of lying too.

February 8, 2016 7:55 AM

Andrew on Exploiting Google Maps for Fraud:

You had me until the last sentence. This is the kind of thing that should view government regulation only as a desperate last resort. Concerned over where a hotel is? Check it on another search engine. Wondering if a business is legit? Read some reviews.

As in any business, there are a few bad apples, but don't let them be an excuse for the government to step in and ruin it for the other 99%.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.