Recent Comments


Note: new comments may take a few minutes to appear on this page.

July 1, 2016 3:34 PM

ЮЪ on Interview with an NSA Hacker:

@Gvv, numbers dude, Not sure what there is to argue about here. If Snowden did get help from CIA, would we be any less grateful for the heads-up that he gave us? Would we esteem him any less?

Let's say we did think CIA was involved. A psy-op seems pointless. Despite the theatrics of Snowden's perils-of-Pauline close shaves, their high profile makes more sense as a means to the end of turf war between CIA and NSA. NSA encroached on intelligence collections at a time when CIA was ceding the HUMINT role to focus on illegal conduct by knuckle-draggers - until that line of business hit the wall of international criminal law. What's more, the gentleman's agreement is off. Russian intelligence has begun to publicize its take to expose CIA criminality. CIA is in deep shit. CIA's best move here is to take over NSA's nice safe suburban commuter job.

So rather than a psy-op, this is more plausible as a war between crime families, Colombo v. Gambino with cheaper suits. That makes Snowden an informant with very good witness protection.

Booz Allen plays a central role as a contractor to NSA and an industrial contractor and source of NOC posts for CIA. For high-level staff of both agencies, Booz Allen is the conduit for revolving-door corruption. Snowden's Booz Allen boss is a 'fellow' under Pierre Omidyar's control just like Greenwald. None of the open-source documentation is inconsistent with Booz Allen taking sides in CIA/NSA conflict. To do more than fail to reject that hypothesis, you have to ask around.

Internecine conflict is our friend and Snowden surfs it. This is how criminal regimes collapse.

July 1, 2016 3:10 PM

Gerard van Vooren on Interview with an NSA Hacker:

@ 977779,

When Snowden starts talking more about everyone running their own email servers at home like Hillary Clinton being a serious way forward for cybersecurity, I'll start believing he isn't just a government sanctioned psy-op.

Yeah, that is too hard for ordinary people to establish. From his POV it is the right thing to do but I admit that setting up your own email server, and monitoring it, is simply too hard.

On the other hand, naming Snowden a government sanctioned psy-op... just doesn't make sense. If that was the case, why is he in Russia right now? Is that part of the operation? There is no way a conspiracy like that could live that long, not with so many researchers and journalists involved. Like the moon landings, Snowden is real.

July 1, 2016 3:10 PM

Michael on Anti-Paparazzi Scarf:

@albert @Ben Well, the right image is not that bad as it is if you play with the curves correctly — and note that this is starting from an image compressed with web-targeting settings, I guess the raws of this image would be even better.

And of course once the camera is in the HDR mode the picture should be perfectly fine even without special postprocessing.

July 1, 2016 2:54 PM

Gerard van Vooren on Interview with an NSA Hacker:

@ 977779,

Wow you are a jerk Gerard.

I don't deny that I like to confront people.

So now you claim that you are informed. Good. At first you had me on the wrong foot because you said that you aren't in the right circle.

July 1, 2016 2:41 PM

Richard on Anti-Paparazzi Scarf:

These ingenious scarfs are the RADAR equivalent of 'Chaff' passive countermeasures.

Unfortunately, as several folks have already pointed out, this simple passive countermeasure could be easily defeated during day time photography by simply NOT using flash (which might be the whole point with some celebs, who don't mind free publicity photos, but DON'T like being assaulted by migraine inducing barrages of high power flash photography every time they step through a door) - and, sadly, even with flash photography, the scarf could still be defeated using HDR techniques.

... but my original comparison with 'Chaff' leads to thoughts of OTHER similar simple countermeasures which might be employed, as well as other more aggressive ACTIVE E.C.M. type countermeasures.

For example, this scarf undoubtedly utilizes nano-particle sized retro-reflective glass beads, which could be employed even more effectively, in a Lady Gaga-style veil.

... and as far as discouraging flash photography goes, how about causing the pattern of the retro-reflection ink to spell out something like "(C) Paris Hilton" indicating that she has assertively claimed legal rights to the image. The rights of the paparazzi to take images have been upheld in past cases - but so far as I know, not in the face of this type of affirmative legal assertion of copyright. So, by creating an assertive claim of copyright which would only show up during flash photography, the message to the paparazzi would be crystal clear - hey, asshole, want to avoid a legal quagmire, and potential lawsuit nightmare??? - THEN DON'T USE THAT F'ing FLASH!!!

For celebs who find that these passive countermeasures don't go far enough - how about a hat with something like a thousand of those tiny SMD ultra bright flash LEDs that are used in cell phone flashes, generating MILLIONS of peak candle power - flashing right back at the paparazzi.

Being an active countermeasure, such a device could be made to respond not only to flash photography, but also to the specific signature of IR and/or Ultrasonic signals used to auto-focus digital cameras and DSLR lenses.

So point a camera at Tom Cruise when he's not in the mood to be photographed - and get blasted right back in the face with twenty million candle power of nausea inducing stroboscopic righteous retribution.

If a silly scarf would sell for 500 bucks, what would that be worth???

July 1, 2016 2:15 PM

977779 on Interview with an NSA Hacker:

and for the record, I've been following theintercept since before the ihuntsysadmins thing IIRC, and have been mirroring wikileaks since collateral murder. Wow you are a jerk Gerard. I'm also pretty sure I'm in the top percentile for wikipedia articles read in a lifetime. Ok, that's really another unknown, but top 10% seems very likely to me. When Snowden starts talking more about everyone running their own email servers at home like Hillary Clinton being a serious way forward for cybersecurity, I'll start believing he isn't just a government sanctioned psy-op.

July 1, 2016 2:06 PM

977779 on Interview with an NSA Hacker:

You just said what your problem is. You are naive. Get yourself well informed. Start with Wikipedia for instance, or Wikileaks or The Intercept. Then you can develop yourself a well informed opinion. All the information is there.

To misquote Rummy, the difference between naivete and ignorance is sort of like the difference between unknown unknowns and known unknowns. I look forward to subsequent SOS posts educating me as to the actual polling stats.

July 1, 2016 1:09 PM

Chris Gomez on Security Analysis of TSA PreCheck:

Crowds are a great target. Long lines to get through security are just where you move the attack to. Sure, getting hold of an aircraft and flying it into a key landmark makes for good TV news, but imagine the effectiveness of attacking more targets, more often. People would be afraid to go anywhere or do anything.

The DC sniper(s) had people walking through parking lots in zig zag patterns.

Why haven't terrorists begun attacking so frequently and randomly in the US? They could either be incompetent or not here in large numbers. There could be some effectiveness in law enforcement, but I suspect these would be released as big news stories.

A related NY Times article does point out overall questioning of security theater:

“Perhaps the most cost-effective measure is policing and intelligence — to stop them before they reach the target,” Mr. Stewart said.

July 1, 2016 12:48 PM

Daniel on Anti-Paparazzi Scarf:

@Mindrarker

You notice that Paris Hilton is featured on the website. I wonder how much Paris Hilton has invested in the company. Paris Hilton is a business woman. Paris Hilton.

SEO TAG:

PARIS HILTON, BUSINESSWOMAN, INVESTING

July 1, 2016 12:28 PM

Nick P on Friday Squid Blogging: Bioluminescence as Camouflage:

@ Thoth

According to this...

https://en.wikipedia.org/wiki/OS_market_share

...I think you may not be giving enough credit to how market share might factor in. Numbers are Linux/FreeBSD either 35.9%/0.95% or 96.6%/1.7%. I mean, almost nobody is using, hacking, or filing bug reports for FreeBSD vs Linux. Another factor, which is important, is the amount of features going into Linux vs FreeBSD. A subset of Linux that meets your needs might have a similar count if we ignore everything you're not using. What constitutes Linux is pretty huge. Another is that many vendors like Coverity are scanning it for bugs. In a similar vein, what I noticed in the past year or two is that academics developing bughunting tools usually scan Linux since it's the most popular. Example is Saturn. That one tool, in one run, found 82 leaks in the Linux kernel. What would FreeBSD's numbers look like if academics were focusing on it instead? Probably higher?

So, I don't put too much weight into it. What I do say is the FreeBSD team has a more conservative approach to developing their OS. They take less chances, take on less cruft, and put stability before features. So, I expect it to have fewer security issues for that reason. How many fewer are actually there is still an open question. I don't have an unbiased write-up on its code quality.

I did have one on leaked Windows 2000 code showing it was mostly excellent. That went offline with Wayback blocked by robots.txt. Assholes. More interesting, someone pushing Illumos and OpenSolaris pointed out its quality was really high. Sent me this post by a Linux kernel developer saying this:

"The summary of my impression was that I was... surprised. Now I don't claim to be any kind of expert on code per-se. I most certainly have ideas, but I just hack together my ideas however I can dream up that they work, and I have basically zero traditional teaching, so you should really take whatever I say about someone else's code with a grain of salt. Well, anyway, the code, as I saw it, was neat. Real neat. Extremely neat. In fact, I found it painful to read after a while. It was so neatly laid out that I found myself admiring it. It seems to have been built like an aircraft. It has everything that opens and shuts, has code for just about everything I've ever seen considered on a scheduler, and it's all neatly laid out in clean code and even comments. It also appears to have been coded with an awful lot of effort to ensure it's robust and measurable, with checking and tracing elements at every corner. I started to feel a little embarrassed by what we have as our own kernel. The more I looked at the code, the more it felt like it pretty much did everything the Linux kernel has been trying to do for ages. Not only that, but it's built like an aircraft, whereas ours looks like a garage job with duct tape by comparison."

I think that settles any suspicions about Linux's code quality at least. ;)

July 1, 2016 12:16 PM

Gerard van Vooren on Interview with an NSA Hacker:

@ 977779,

I suspect my own social circles leave me furthest from having the best knowledge of this kind of pulse of the public, but I really wonder about this.

You just said what your problem is. You are naive. Get yourself well informed. Start with Wikipedia for instance, or Wikileaks or The Intercept. Then you can develop yourself a well informed opinion. All the information is there.

July 1, 2016 12:11 PM

Tatütata on Anti-Paparazzi Scarf:

For all I know, the celebrity could just as well wear yellow security clothing with 3M reflective strips.

My way of dealing with the problem of a reflective subject is to point the flash to the ceiling to provide indirect lighting. And if there is smooth surface such as a glass window, you shoot off the perpendicular axis, and if necessary, de-skew digitally.

The general solution to this would be HDR photography, and setting the exposure/opening in advance, but with a non-cooperative subject the multiple exposures would be a problem.

Perhaps with better camera hardware, i.e. two sensors (high-range and low-range) with a splitting mirror?

July 1, 2016 11:22 AM

Ant under magnifying glass on Interview with an NSA Hacker:

@Adam

Reading that article made me feel sick as well.

@Bruce

"Organizations like the NSA play an important role in national security, and are necessary both offensively and defensively. We need to figure out how to make that work."

Most would agree that the NSA has a legitimate mission. The obvious problem is that they've taken that legitimate mission and gone completely off the rails in a taxpayer-coffer-draining/make-everybody-less-safe/collect-it-all-keep-it-all-share-it-all/extra-judicial rampage.

As far as the way NSA conducts itself, there's very little "we" need to figure out as it is "they" (et al) that are doing this "to" us. If they are truly concerned at all with protecting the sheeple (and not just their "customers"), they need to do their part to keep this planet from completely becoming an Orwellian utopia for political and economic espionage, blackmail, and coercion. But instead of doing their best to make our digital lives more secure, they create and collect exploits with no meaningful oversight or repercussions for their criminal actions. As it currently stands, "we" (i.e., anyone non-NSA) are their targets. Along with the terrorists and other baddies, they have made us all their de facto enemy.

I have zero sympathy for how unbelievably far they've strayed from what their mission should be or for their crocodile tears. It's "complicated"? - cry me a river.

@all

Thanks for all your push-back to Bruce's comment above. I have a *huge* amount of respect for the man, but this sentiment smacks of a dangerously apologistic naivety.

July 1, 2016 10:52 AM

albert on Anti-Paparazzi Scarf:

@Ben,

I tried it with gimp. The right hand image is severely underexposed. You can't get detail that's not there. The other commenters are right, these scarfs are trivial to deal with. Paparazzi seem to have unlimited budgets for equipment. Regular fans may suffer, but the pros won't.

It smacks of scam to me. And they aren't stylish fashion statements either.

I'm waiting for one of those edgy female comics to show up in a fire suit, replete with helmet.

. .. . .. --- ....

July 1, 2016 10:51 AM

dumbphone on Anti-Paparazzi Scarf:

Doubts about Android privacy statements: it seems they declare that they collect phone metadata ..

http://borncity.com/win/2016/07/01/surveillance-google-collects-meta-data-phone-calls-sms-from-android-phones/

https://news.ycombinator.com/item?id=12016011


"...Log information

When you use our services or view content provided by Google, we automatically collect and store certain information in server logs. This includes:

details of how you used our service, such as your search queries.
telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls. ..."

July 1, 2016 10:42 AM

BoD on Anti-Paparazzi Scarf:

They have pictures of celebrities wearing the scarf. On their website. They are wearing the scarf. ... Pictures!
... Hello???! :))

July 1, 2016 10:38 AM

Mike Barno on Anti-Paparazzi Scarf:

Even if the only effect this has is to get photographers to use low-light settings instead of flash, it will still be a big net benefit to those of us who get glare-stunned by flashes. There are a lot of inconsiderate egotists who seem to think that the fotog is the most important person at the event, and instead of setting their expensive modern cameras to an indoor mode, they insist on blinding the band whom we all came to see and hear, and blinding everyone else looking toward the flash or its reflection.

And as mentioned, the cost is absurd. For that money you could get a full-body Mylar mirror-suit with far more effect.

July 1, 2016 9:21 AM

12345 on Anti-Paparazzi Scarf:

Here is a link to an interview with Saif Siddiqui, Founder, Ishu

http://interlaced.co/project/interview-saif-siddiqui-founder-ishu/
(via https://www.facebook.com/whatstheishu/)

"...

What is your advice to anyone who wants to start in the industry?
Just go and do it. Stop wasting time talking about it. A lot of people are scared for the outcome so they just back up. But no one else is going to do this for you. There are billions of people on this planet but there isn’t anyone who is doing what you’re doing the way you want to do it. If there was, you’d already know about it. So even if it goes bad, the world doesn’t end after one decision. Just go with it.

Can you tell me more about it?
Well, if you have a child, it’s your number one priority in life. Being able to control who takes a picture of them is important. So I thought a children’s collection will be appropriate. That’s why we have jackets, basic wear and also fashionable streetwear clothes. No one else does that yet.

..."

July 1, 2016 9:09 AM

Thoth on Friday Squid Blogging: Bioluminescence as Camouflage:

@r
FreeBSD/RPi because there are no OpenBSD variants. Take a look at the chart on how many vulnerabilities the Linux kernel has vs. the FreeBSD kernel and you should know why I went for FreeBSD.

Granted, FreeBSD is not a common go-to OS for most people and thus does not represent a huge market share, which means fewer attackers bother to attack it. But looking at the trend of FreeBSD and Linux, there is a bar graph in both of the webpages and, interestingly, the overall gradient for FreeBSD's bar graph is descending (meaning fewer exploits and problems overall), whereas Linux has an interesting hump shape (sometimes fewer and sometimes more exploits).

If you are to sit down and look at the statistics to choose the most suitable OS for your missions, there are a lot of things to consider including exploits, usability and many more. I settled on FreeBSD from a bunch of OSes that RPi supports because this OS has an overall low amount of exploits/problems and is more trustworthy than its Linux and Windows counterparts for deployment on RPi devices.

Also, the availability of familiar GNU tools allows for easier adaptation to FreeBSD from Linux.

P.S. For one of the semester projects in an old Computer Science course I took when I was much, much younger, doing my CS diploma, it happened coincidentally that my team (me and another person) was assigned the topic of researching FreeBSD (should be version 6 or 7).

Links:
- https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33
- https://www.cvedetails.com/product/7/Freebsd-Freebsd.html?vendor_id=6

July 1, 2016 8:53 AM

John Ridley on Anti-Paparazzi Scarf:

If they're shooting raw, they can fix this in post almost effortlessly.

July 1, 2016 8:52 AM

Roastbeef on Anti-Paparazzi Scarf:

Actually I think a lot of cameras are already immune to this. My Canon DSLR has a mode where it sets its exposure using a face recognition algorithm to determine where to look and then does a couple of ultra quick flashes before taking the real photo.

July 1, 2016 8:48 AM

Mindraker on Anti-Paparazzi Scarf:

There's this strange notion that somehow celebrities want "privacy"... Celebrities feed off of public attention. No attention, no money. Why else do you think Justin Bieber does all his ridiculous nonsense? For the public attention.
They may "pretend" they want it, "woe is me, the paparazzi are hunting me again!" but the paparazzi are their lifeblood.

July 1, 2016 8:24 AM

Ben on Anti-Paparazzi Scarf:

Another possible defeat: I wonder how much you can improve the image on the right with Photoshop et al.

July 1, 2016 8:18 AM

Clive Robinson on Anti-Paparazzi Scarf:

A simple test of sense,

You can pre-order the scarves online, from $268 to $478,

So they cost more than three celebs' IQs added up... Thus a fool and their money etc etc...

July 1, 2016 8:07 AM

r on Friday Squid Blogging: Bioluminescence as Camouflage:

@Thoth,

You're using fbsd on a Pi?
What's the reasoning behind that, BSD licensed so it's closed source???
My apologies, but I don't see any other advantage in that use case; could you explain please?


@Anyone, Clive, Nick P

With the link Clive posted about Qualcomm trustzone, does that extend to say freescale's impl in something like the 'usb armory' ?

eg. is it relatively vendor agnostic or no?

July 1, 2016 8:04 AM

Jacob on Anti-Paparazzi Scarf:

Probably will be defeated in a few weeks or less.

Two things to try out:
1. Set the camera exposure compensation to -3EV or more so the scarf would be much brighter but the face normal.
2. Check the polarisation of the reflected light from the scarf. If polarised, a simple polarisation filter on the camera's lens will solve the problem (can also test a polarising filter on the flash head itself).

July 1, 2016 8:00 AM

Affectuate the spalaffelators on Interview with an NSA Hacker:

Good catch, Skeptic, "They minimized that where possible to keep in line with their mission parameters." Lots of people are susceptible to that kind of bureaucratic bafflegab. There is no such thing as mission parameters. Some West Point mediocrity pulls a phrase like that out his ass and his apple-polishing underlings parrot it. Bureaucrats, even DoD bureaucrats, start from authorities, not mission parameters. Every document cites the authority for putting pen to paper. There was no 'where possible.' NSA shitcanned the law. They acted ultra vires because they were confident that they could get away with it. At home, maybe they can, because US democracy is fake. In the civilized world outside the hermit kingdom the US government will pay for what they did for a long, long time.

July 1, 2016 7:58 AM

Joshua Bowman on Anti-Paparazzi Scarf:

That doesn't seem likely to work at all: The white point of most cameras is set low to wash out highlights, rather than at maximum, so all it would do is create a shining white scarf in a regular photo. An HDR camera would simply capture the scarf AND the subject in good lighting. Basically a useless invention, unless the camera just happens to key the range off the scarf instead of the entire scene, so it would be easily defeated by taking several photos and keeping the best, as usual.

July 1, 2016 7:54 AM

65535 on Interview with an NSA Hacker:

@ Adam Kaplan, albert, Who?, Daniel, Richard, Vesselin Bontchev, aName, and others.

I agree that the NSA “hacker” with so called “internetz skillz” projects an unethical, self-enriching, creepy picture of workers in the NSA’s staff. If this type of criminal element is indeed the core of the USA’s Intelligence community the USA is in deep trouble. The "end result justifies any means" usually ends in very undesirable results.

The actual 4,000+ word article has little hard data except some buzz words such as “bandwidth shaping” and “CNE” – which are never fully explained.

We know the NSA has been playing “send the packets around the world” game to bypass privacy laws.

Exactly how is this done? Is it bribes paid to peering partners to game the BGP routers? Is it NSA ownership of DNS servers with poisoned entries? Or is it some other method?

It would appear uneconomical for ISP’s or others involved in routing of data packets to provide less than optimal routes for sheer economic reasons.

Exactly, how does the “lamb” subvert plain economics in the highly competitive data delivery sector?

The article contains a lot of words but almost no hard data. This makes me suspicious of the “lamb’s skillz” and his true position in the NSA [if any]. He could be a sly yum yum with a good line of BS.

July 1, 2016 7:51 AM

Barbara Chustz on Security Analysis of TSA PreCheck:

I paid $100.00 and waited approx. a month for my Global Pass Card. I recently traveled by Southwest Airline from New Orleans. I was pre-checked on the flight there but was not on the flight from New Orleans.
I wrote a complaint to TSA explaining that I have had a Global Pass for a year and I wanted to know why I was not pre-checked. They sent me a form letter telling me that I should apply for TSA or Global Pre-check. They obviously did not read my complaint and didn't respond appropriately to my question. I am fed up with TSA and don't think they provide any security as they have not stopped a single terrorist attack anywhere! The personnel are rude and there are not consistent procedures from airport to airport, especially in regard to medical equipment.

July 1, 2016 7:49 AM

Nick P on Interview with an NSA Hacker:

@ Clive

Well, automatic normally refers to machine pistols. You still have to squeeze the trigger on most, hence semi-automatic. Single-action revolvers make you manually chamber the round *and* pull the trigger. Purely revolvers. Double-action revolvers chamber the round as you pull the trigger. With a different mechanism, semi-automatics chamber the next round after the trigger is pulled. Both styles often let you pull back the hammer first. I was going to say initial shot takes more pull due to chambering on revolver but initial on semi-automatic requires cocking it. One could actually say a double-action revolver is more automated than a typical, semi-automatic pistol.

That's interesting. :)

July 1, 2016 7:46 AM

Jon on Anti-Paparazzi Scarf:

So Paparazzi will need to go with flashless photography? seems easy enough...

Alternatively you could just use a remote flash, the more remote the better, it's been fairly standard tech in photo studios for decades now, my parents used portable remote flashes back in the early 90's for wedding photography.

Seems like this stylish scarf might be better sold as a safety mechanism for fashionistas who need to increase their visibility while walking at night.

July 1, 2016 7:07 AM

Rover on Comparing Messaging Apps:

Hello,

I am a Signal user and familiar with all the issues (not enough users using it, blah blah). It is also strange that messaging app users are blindly faithful. They even refuse to install other messaging apps, resulting in a Mexican stand-off.

I have noticed in this thread as well as Micah's article an absence of comment on Wire Swiss, which has all the features of Signal except that it is not:
1) tied to a SIM or mobile phone number
2) It is of minimalist design - e-mail and password - to create an account. No profile like Skype and name can be changed at will.
3) Can use mobile number optionally to facilitate searches but that does not have to be the same as that in the SIM card, if there is one.
4) It has encrypted video conferencing.
5) It only uses the Contact if allowed but does not demand.

I am also a user and fan of Wire as I like its idea of not relying on the mobile phone or SIM card. Give that a try on its browser version before installing any apps.

Rover

July 1, 2016 7:02 AM

mrpizzaman on Security Analysis of TSA PreCheck:

Still not flying to any TSA infested airport. And I make it a point to always react to invitations for coming to the US.

The TSA is (almost) useless from a security pov and a pest from a business pov. Millions of people are avoiding anything in the US as they, rightly so in my opinion, do not want to be sexually assaulted (because that is what it is; if you do not believe me, ask any legal professional what the charges would be if you did it - don't sexually harass people, not for any reason, not even if you are a government - bad idea).

By comparison, a country like Israel, does not engage in any of these practices.

As far as the ID and fingerprinting is concerned: anyone thinking that this is proof of anything should probably not work in security: the Japanese system some time ago (google it) has been beaten on several occasions with counterfeit passports and a piece of tape (like in 10 $ special tape) by foreign workers ... and for those who do not know, about 200-300m from the airport boats dock with no checks whatsoever ... security is a framework and global concept, not a theatre like in the US.

The US has put me and many others off from travelling there - good luck with your (declining) holiday market and increasing security problems.

July 1, 2016 5:26 AM

Clive Robinson on Interview with an NSA Hacker:

@ Nick P,

Not a gun expert outside common ones.

Even "experts" don't agree, some make a differentiation between "automatics" and "revolvers" when it comes to hand guns...

July 1, 2016 5:18 AM

Dirk Praet on Security Analysis of TSA PreCheck:

@ Clive, @ An American, @ Herman

The latest crop of bombers did not go through security. It is sufficient to threaten the throng before the checkpoint.

From what I've read it would seem that one of the perpetrators upon airport entry created a diversion by blowing himself up, allowing the two others to get inside. It doesn't take a tactical genius to go about an attack this way. I remember using similar tactics overtaking the opposite camp during my time at the boy scouts. The only way to mitigate against this is by having multiple perimeters and avoiding choke points.

To the credit of Turkish LE and customs, they did spot that the three men were unusually overdressed, which forced them to split up early on. If they had gone unchecked, the carnage would probably even have been bigger.

June 30, 2016 11:08 PM

aName on Interview with an NSA Hacker:

@Bruce

I deeply respect your opinion and I would love to see a reply to Mike's comment...

'"Organizations like the NSA play an important role in national security, and are necessary both offensively and defensively".

Really? I'm pretty sure on this very blog you've argued that they have never caught a single bad guy, except some taxi driver who gave $8000 USD to some guys in Somalia.

And it's this sort of bullshit, naive statement that allows governments around the world to continue to abuse the law in our names. As a non-American, I couldn't disagree with you more, Bruce.'

Me, I haven't read the previous post mentioned, but I have seen Snowden saying something very similar, that the NSA surveillance is completely useless.

June 30, 2016 10:45 PM

Skeptic on Interview with an NSA Hacker:

They minimized that where possible to keep in line with their mission parameters.

Another person who believes everything they read.

June 30, 2016 10:26 PM

Nick P on Interview with an NSA Hacker:

re 385

I'm guessing a Taurus revolver (esp .38ACP) with laser attachment. Not a gun expert outside common ones. So, that's just a guess.

June 30, 2016 9:53 PM

R3LLiM on Comparing Messaging Apps:

@Markus Ottela

Thank you for the information appreciate it! My brain is like a sponge to all of this type of stuff. I just wish I had the knowledge that so many people have on this website.

@Dirk Praet

I 100% agree! That right there is called dumbing down the public and desensitizing them to what really matters. A man gets eaten by a bear all over the news headlines while your government is doing the dirty work and passing BS laws taking our freedoms away one by one. Death by paper cuts.

June 30, 2016 9:52 PM

Ninja Hitman Assassin Agent X-99 on Interview with an NSA Hacker:

@Bourbon After Work

The .385s are in the glass case, right next to the double-action revolvers with safeties and the handguns that make clicking and ratcheting noises every time you point them at someone.

You'd know that if you were a REAL gun expert, and had one of those wheelguns with a "silencer" on it.

ROTFLMAO

June 30, 2016 9:36 PM

PerryD on Security Analysis of TSA PreCheck:

@Hay Seed et al; I travel with relative frequency, about 15 domestic US trips per year. When the PreCheck program was first introduced several years ago, I was enrolled by USAir without any action on my part...no interviews, documentation, or any other corroborating evidence from me.

Over those several years, the only time that I -haven't- had a PreCheck boarding pass was during the month in 2014 that I was running a public Tor bridge. I (or rather my home IP) was blocked...couldn't log into bank accounts, renew my driver's license, etc, and my PreCheck status 'mysteriously' was suspended. Ever since, I am 'totally randomly' (their words) selected for additional screening every single time I travel by air. I've been put up against a wall spread-eagle while a dog goes through my car when entering military bases 'totally randomly' (their words).

Once I moved the Tor bridge to a private, unpublished IP the restrictions on banking, DMV transactions and such were dropped, but I still get pulled aside for extra screening, even when in the PreCheck line.

June 30, 2016 8:48 PM

Thoth on Friday Squid Blogging: Bioluminescence as Camouflage:

@all
Hopefully people (and also nations hoping for UN protection) would realize how fragmented and utterly unreliable the processes of the UN are.

China and Russia intend to veto a UN resolution enshrining human rights online (freedom of speech and Internet censorship), as per their usual habits.

Strong and verifiable computational processes should be the key to personal cyber security instead of relying on rules and regulations. The world of the Internet and computers relies on proven physics and not rules and regulations as its core.

Link: http://www.theregister.co.uk/2016/06/30/russia_china_fight_un_effort_to_extend_human_rights_online/

June 30, 2016 7:26 PM

Bourbon After Work on Interview with an NSA Hacker:

I've read this whole thread up to this point, even every single reply. I rubbed my only two neurons together, thought I had a spark and began to type...

Clive R., Nick P., and Arclight have absolutely nailed the answer to the question of the human condition and motivation vs. the Empire. Arclight, I really do believe, distills the genuine reasons for cooperating with the NSA (in the role of employer) in the fewest words.

For what it's worth, Bruce is absolutely correct: this bloviating article is written from a considerably vain point of view. Tantalizing but little substance.

My own take: I really wish people valued security, privacy and their constitutional rights more. In the end, they get what they deserve. I wish it weren't so. Yes, I'm from the USA.

PS: there is no such weapon as a .385 automatic handgun in production.

June 30, 2016 6:54 PM

Clive Robinson on Security Analysis of TSA PreCheck:

@ An American, Herman,

The latest crop of bombers did not go through security. It is sufficient to threaten the throng before the checkpoint.

A long time ago in an age we have near forgot, @Bruce made a joke about "A55 bombers" and others made serious comments about the risk of security check choke points and land side attacks.

If I were a betting man at that time I would have put money on the land side attacks happening before someone stitched a bomb up their butt.

As history now shows I would have lost such a bet, somebody did indeed sew a bomb up their butt and tried to kill a Saudi Prince. The plot failed even though it was not just the brown stuff hitting the fan. And for a short while Bruce nervously joked about getting a visit etc, whilst the rest of us worried about TSA staff with size 14 black rubber elbow gloves and flashlights doing a PR number on us at the check point.

June 30, 2016 6:37 PM

Thoth on Friday Squid Blogging: Bioluminescence as Camouflage:

@Nick P
The main problem is that BIOS size is very small and squeezing in a secure device driver and all that would be a problem unless there is a way for the BIOS to sideload bigger software like the secure device driver stack later on as needed.

BIOS injection is also a headache besides the tiny size, which is why secure chips keep their ROM or boot codes in tamper resistant memory to prevent logical or physical tamper, whereas normal CPUs don't have such luxury.

I have been reading up on ZeroTier. Will be loading my RPi/FreeBSD with one of those soon for experiments.

June 30, 2016 6:20 PM

ianf on Friday Squid Blogging: Bioluminescence as Camouflage:


@ rrrrrrrrrr […] “women masquerading vocally as men for tech interviews did worse than had their voices been genuine (un-man-adulterated).”

All it says is that it takes more than timbre of voice to sound like a man, so probably the impression they gave off was subtly confusing as to who they were – the character of the person, not the gender.

June 30, 2016 5:30 PM

moo on Interview with an NSA Hacker:

@Mark:

--------
"Organizations like the NSA play an important role in national security, and are necessary both offensively and defensively".

Really? I'm pretty sure on this very blog you've argued that they have never caught a single bad guy, except some taxi driver who gave $8000 USD to some guys in Somalia.
--------

As I recall, Bruce has consistently made a distinction between intelligence gathering that targets specific persons of interest (which he considers legitimate and necessary, and I agree) and automated mass surveillance of everybody (which is a big overreach, and dangerous to freedom/liberty in the long term AND produces absolutely giant haystacks in which you can hardly find the needles).

Surgical spying on foreign diplomats, politicians, industry, terrorists is what the NSA *should* be doing. Scooping up the data exchanged by hundreds of millions of Americans with the flimsy justification that a few of them might be terrorists, not so much.

June 30, 2016 5:25 PM

r on Friday Squid Blogging: Bioluminescence as Camouflage:

@All,

You guys are going to kick my butt for this as it's not directly security related, there's a study (and thread) at slashdot currently about women masquerading vocally as men for tech interviews doing worse than they would have unadulterated.

It hit me, that if this study was done right it may come down to broadcast confidence and language usage characteristics: sort of like how coders show through compiler output comparison.

https://news.slashdot.org/story/16/06/30/2035225/women-interviewing-for-tech-jobs-actually-did-worse-when-their-voices-were-masked-as-mens

June 30, 2016 5:23 PM

977779 on Interview with an NSA Hacker:

@Winter

The abyss between the people and the intelligence community is very well illustrated by the Prometheus like status of Snowden: A hero to the people, and the vilest of criminals to the community.

I suspect my own social circles leave me furthest from having the best knowledge of this kind of pulse of the public, but I really wonder about this. Given how it has played out, I still can't discount my theory that Snowden is just a psy-op against the public to help create a 'new normal', that, while being pretty freakishly Orwellian, is at least close enough to the real truth so that society can minimally function and progress. I think people closer to Silicon Valley can see the contrasts better. As some other comment pointed out, most of the centralized services, in addition to the government intelligence offices, are populated by a mix of true believers, and those who are willing to behave (like true believers). And then you have a population that is wise to the level of integration of organized crime with the government. It's all pretty depressing really. But it's one hell of a ride, to live in interesting times.

June 30, 2016 4:53 PM

An American on Security Analysis of TSA PreCheck:

@ Herman

> The latest crop of bombers did not go through security. It is sufficient to threaten the throng before the checkpoint.

Obviously we need checkpoints before the checkpoints.


Shoot... I better shut up before some be-urry-crat sees this and thinks I'm serious...

June 30, 2016 4:47 PM

An American on Security Analysis of TSA PreCheck:

I've got an idea that would create immense benefit at the cost of a significantly small increase in risk: abolish the TSA.

Simple to implement, 100% reduction in costs, extremely high passenger satisfaction... we all know it's the right thing to do.

June 30, 2016 4:40 PM

Advodka(t) on Crowdsourcing a Database of Hotel Rooms:

@ianf

I'm sorry I wasn't specific enough, I'm not asking to be told nice stories or be spoonfed.

I meant more in regards to "cause my google never gives me more than what I asked for." What are the right questions or jargon I should ask google?

June 30, 2016 4:40 PM

Glomar on Issues Regarding Lone-Wolf Terrorism Prevention:

"The FBI, therefore, requests that you direct requesters seeking records or information pertaining to the investigation [Orlando shooting] to the FBI to request such information. We further ask that you immediately notify the FBI of any request your agency receives pursuant to Florida's Sunshine Law or any equivalent law, or other judicial, legislative or administrative process, for records or information pertaining to the FBI's active, on-going investigation so that the FBI can seek to prevent disclosure through appropriate channels, as necessary. Finally, to the extent your agency is obligated to respond to a request under Florida's Sunshine Law for records and information pertaining to the FBI's pending investigation, including information that your agency has provided to the FBI in furtherance of our investigation, we request you withhold the records pursuant to FLA. STAT. § 119.71(c)(1) and any other applicable exemption to help ensure that the FBI's investigation can proceed unimpeded."

June 30, 2016 3:05 PM

Nick P on Comparing Messaging Apps:

@ Clive Robinson

Interesting stuff on the signaling history. Far as other comment, I'm only resisting the smartcard stuff due to subversion and verifiability. There are very few vendors pushing it, with subversion risk that's hard to estimate. The quality of the general tooling & interface standards is also shit, which Thoth confirmed. That will lead to bad implementations. So, it has to be a clean-slate smartcard.

Good news is that the older nodes can probably handle it if we sacrifice on CPU, etc as that's exactly what smartcard vendors do. The bad news is it takes esoteric skills plus tech that's *definitely* patented & lawsuit-worthy. Independent evaluation and verification of their stuff from HDL to transistors with verifiable image to match decapping is a compromise I'd consider making. I like both Infineon and Gemalto. I'd lean toward Infineon as I expect the Netherlands to be a greater risk when the U.S. starts putting pressure on. In Germany, there's already strong activity both for and against surveillance tech plus lots of breakers (eg CCC) to keep assessments going.

@ Markus Ottela

" The faster ones that support up to 1M baud/s are more complex on the inside"

What do you mean by that?

"but I still find it hard to believe skies will be filled with them in my lifetime."

I was talking about the enemy stealing the keys part. People expect they'll get hacked. It's a useful fear to play on countering surveillance or drones. Also was a nice visualization of how they'd be used.

June 30, 2016 2:51 PM

Nick P on Friday Squid Blogging: Bioluminescence as Camouflage:

@ Thoth

re OpenVPN

Check out ZeroTier. Developer said the core code is actually around 18-20Kloc of C++ with rest depending on what features you use. It's about a virtual, secure switch for the globe that deals with all that crap. Might be worth betaing to see if it fits your use as many parts of it are small enough for stronger analysis and implementation.

re PVB

It's a nice flowchart but the problem is in your threat model. If it's a regular PC, then your root of trust is really starting at the BIOS level. As in, they can try to bug the system to collect the info (hashes) that get passed to the secure device. Once they know them, they can create and send in a new BIOS that just sends those to the secure device. The newer ones are starting to have enough memory to sneak in this kind of code & data, too. So, your scheme if depending on a BIOS they can monitor and inject on is equivalent to just BIOS itself giving the OK.

Worth thinking about. BIOS still needs to be immune to injection or nothing else in system can see the trusted boot phase. Host and peripheral chip firmware are the main risks at software level.

@ Grauhut

Get them to add Fabric to the list as a building block. The related work will show you how good the team is on concept and tech level. I don't know about implementation quality as it's academics making it. Yet, it's one of the older approaches that builds on things that worked to varying degrees. A robust, re-implementation or extension of that might help in many use cases.

Note: Also worth consideration are secure Spread and security-enhanced ZeroMQ. Boeing used byzantine-tolerant variant of secure spread in a higher-security, pub-sub scheme that was badass.

@ All

In case you missed previous comment, I recently found evidence that clean-slate, compatible designs at 0.35 micron node will still be usable day-to-day. They will be compatible with lightweight distros or alt OSes like Haiku as far as I can tell. Higher-end shit can still be isolated, diversified, and results mediated to benefit from performance per dollar and watt. Mostly untrusted workloads. Example might be running a full build of a secure toolchain... compilers/linkers to OS to middleware... through an OpenPOWER cluster to run all assurance activities on there. Only if it passes will core analysis run on 0.35u cluster with specific things always tested with rest sampled against OpenPOWER results. Odds of subversion will be low since detection risk is high & main TCB will be checked anyway. Plus, reliable as their shit is, they can't start blaming it on gamma rays and shit. ;)

Note: The linked CPU is probably a custom design which also uses things like out-of-order execution that are risky for real-time or crypto applications. A barely-optimized, standard cell might be quite a bit slower. Yet, my old Pentium 2 w/ 200Mhz and 64MB of RAM kept me programming, gaming, and hacking for quite a while. I'm just hoping an open, six-metal, standard-cell RISC will hit at least that performance.
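The PVB point above (a BIOS that can be monitored and re-flashed can simply replay the hashes an honest boot sent to the secure device) is easy to see in a small model. The Python below is an added illustration written for this page, not code from the commenter or from any project named in the thread. It assumes SHA-256 as the measurement function and uses constructed byte strings in place of real BIOS flash contents. Scheme A lets the running BIOS compute and hand over its own measurement; scheme B models the alternative raised in the same thread, where code in tamper-resistant ROM on the device reads the flash and measures it itself, so the host never gets to choose the value.

```python
"""
Model of a measured-boot replay: if the host BIOS both computes and reports
the boot measurement, an attacker who has already bugged the BIOS can record
the hash and have a replacement BIOS replay it, so the secure device learns
nothing. Added illustration; SHA-256 and the flash images are assumptions.
"""
import hashlib
from typing import Callable

# Constructed firmware images standing in for real BIOS flash contents.
GOOD_BIOS = b"VENDOR-BIOS-v1.0 | init memory | enumerate PCI | hand off to bootloader"
EVIL_BIOS = b"VENDOR-BIOS-v1.0 | init memory | exfil to C2   | hand off to bootloader"


def measure(image: bytes) -> str:
    """Boot measurement: SHA-256 over the firmware image (assumed hash)."""
    return hashlib.sha256(image).hexdigest()


class SecureDevice:
    """Peripheral that holds the golden measurement of the approved BIOS."""

    def __init__(self, approved_image: bytes) -> None:
        self.golden = measure(approved_image)

    def check_reported(self, reported: str) -> bool:
        """Scheme A: trust whatever hash the running BIOS hands over."""
        return reported == self.golden

    def check_measured(self, read_flash: Callable[[], bytes]) -> bool:
        """Scheme B: the device's own ROM code reads the flash and measures
        it; the host BIOS is never asked for the value."""
        return measure(read_flash()) == self.golden


def honest_bios(flash: bytes) -> str:
    """Unmodified BIOS: measures itself truthfully."""
    return measure(flash)


def make_replaying_bios(recorded: str) -> Callable[[bytes], str]:
    """Attacker's BIOS: replays a hash captured from an earlier honest boot,
    regardless of what is actually in flash."""

    def report(_flash: bytes) -> str:
        return recorded

    return report


def scheme_a_self_report(device: SecureDevice, flash: bytes,
                         bios_report: Callable[[bytes], str]) -> bool:
    """Host-reported measurement (the scheme criticised above)."""
    return device.check_reported(bios_report(flash))


def scheme_b_rom_measure(device: SecureDevice, flash: bytes) -> bool:
    """Device-side measurement; the lambda models a direct read of flash."""
    return device.check_measured(lambda: flash)


def run_scenarios() -> dict:
    """Returns accept/reject for each combination; True means boot accepted."""
    device = SecureDevice(GOOD_BIOS)
    # The attacker observed the hash an honest boot sent to the device.
    recorded = honest_bios(GOOD_BIOS)
    replaying = make_replaying_bios(recorded)
    return {
        "A_good_bios_honest_report": scheme_a_self_report(device, GOOD_BIOS, honest_bios),
        "A_evil_bios_honest_report": scheme_a_self_report(device, EVIL_BIOS, honest_bios),
        "A_evil_bios_replayed_hash": scheme_a_self_report(device, EVIL_BIOS, replaying),
        "B_good_bios": scheme_b_rom_measure(device, GOOD_BIOS),
        "B_evil_bios": scheme_b_rom_measure(device, EVIL_BIOS),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The third scenario is the one that matters: the modified BIOS is accepted under scheme A because the device only ever saw a number the host chose to send, which is exactly the "equivalent to the BIOS itself giving the OK" outcome. Scheme B only helps on the assumption, which the real hardware would have to satisfy, that the device can read the flash through a path the host firmware cannot interpose on.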

June 30, 2016 2:43 PM

r on Crowdsourcing a Database of Hotel Rooms:

@Freezing,

The rooms are not identical, they each have a different phone number and reception properties.

Having been to a hotel previously, those intelligence services may also be in control of a switchboard or the network additionally allowing them to quietly hone in on which specific room you are occupying. Couple that with something sincerely dangerous like fibre optics and you're pretty much guaranteed a proper death by hit squad.

June 30, 2016 2:36 PM

r on Facebook Using Physical Location to Suggest Friends:

@AA Member,

Unfortunately, brother (or sister), location as data can be mined from other sources readily. Yes, by installing the application you give the application permission to 'go to the source', but even using my laptop I've seen suggestions based on the network I've used, e.g. a certain McDonald's etc. There are only a few ways to protect yourself from that (Tor, VPN, proxies in general) and there are downsides to using such technology as it raises the question 'what are you trying to hide?'. Worse yet are the networks of sensors deployed at malls across America that have been engineered to identify and correlate your device's self-identifying features with its owner's purchases.

There's a very large dragnet out there waiting eagerly for us outside.

June 30, 2016 2:19 PM

Your 10th Grade English Teacher on Security Analysis of TSA PreCheck:

@MrC:
"It was pre-checked."

^o^ You win the internet, dude! ^o^

Seriously, though, I'm so glad my ever-growing taxes are being used to hire the very best and brigh*CHOKE*COUGH*CHOKE*(thud)

June 30, 2016 2:16 PM

Nick P on Interview with an NSA Hacker:

@ Richard

"like Bruce, I think these folks fulfill an important purpose - but leaving our citizens vulnerable in some lame-ass attempt to make your own job easier is just plain DUMB."

It's bad but not dumb. I've followed their work since I read Puzzle Palace and studied high-assurance security. They involuntarily participated in Walker's Security Initiative where they published criteria for and evaluated highly-secure systems. Some good ones came out of that. Market got killed by almost no demand, NSA competing for ego, Congress pushing COTS acquisition requirements, and export restrictions. Mainly feature demand and time to market as that's pretty much only thing Americans cared about. Stronger security remained a niche in defense and elsewhere (eg smartcards). NSA even, per what believable people said, was fairly careful about intercepting on Americans. They minimized that where possible to keep in line with their mission parameters.

Now we get to the real problem as I explained here. Post-9/11, enough Americans and its leaders demanded something like that never happen again. NSA would have to get the intel out of anywhere without cooperation of owner. Basically. Them hacking and subverting about everything directly follows from such a mission requirement. Hayden sort of admitted it one day himself. After each leak, Americans didn't do shit & even elected same scumbags. Responsibility lay on apathetic Congress and people. They need to give them a reasonable mission so they can reduce collection without thinking they'll be blamed for next 9/11. If mission stays, collection will only expand.

@ Vessekub Vibtchev

Maybe someone else has the link but we've discussed this before. The NSA hackers often had scripts to follow showing how to deal with situations, when to back off, and so on. They were script kiddies. Certain ones in TAO had real talent. Most of the capabilities are devised, as I guessed, in SAPs with more talented people. Majority using tooling have little talent, though. I was mocking them on that.

The consensus of discussion was that they're just soldiers. Remember that NSA is a military organization that's tasked with hitting targets to gain intel for other organizations. Most of the job is pretty redundant not even needing much brains. Plus, more brains = more risk of subversion and rebellion. So, like with most military stuff, the brains and veterans compress everything into training and tactics that regular soldiers can use to do their job. Their intelligence may vary but the baseline is necessarily small. The tools and scripts do most of the work. Just like in general population of hackers.


@ keiner

You do realize that none of your comment changes my reply. You previously expressed outrage the U.S. would collect intelligence on specific parties. I showed they're either corrupt in a way that might screw the U.S. or are also collecting intelligence the same way. Hence, the U.S. is either no worse or no more worth calling out than them in those situations. Or are better for playing the game more effectively. Yours was just some nice, anti-American sentiment I see when these issues come up. It would have been different if you called out all the corrupt parties and their games over your idealism as a few others did. That would have been fair, even if unrealistic.

June 30, 2016 1:53 PM

Richard on Interview with an NSA Hacker:

@Winter

"The abyss between the people and the intelligence community is very well illustrated by the Prometheus like status of Snowden ..."

The ancient Greeks held the sciences and the pursuit of truth in high esteem, so Prometheus is glorified as the bringer of the light and knowledge into our world - a hero who paid a horrible price for his gift.

The church in the middle ages found the pursuit of truth through science to be a threat, so in their theology, Prometheus, the bringer of light and knowledge, is replaced by Lucifer, also 'bringer of light', but one who tricked us into gaining knowledge we would be happier not knowing.

So some will see Snowden as a Promethean hero who brought dark facts to light, and paid a terrible price - while others see Snowden as the Devil himself and assert the 'ignorance is bliss' theory that the American People would have been happier and better off in continued divine ignorance.

Personally, I come down on the side of truth, and think Snowden should be pardoned for 'speaking truth to power' and allowed to return to the country he so clearly loves and was willing to risk everything for.

June 30, 2016 12:23 PM

Bumble Bee on Interview with an NSA Hacker:

@Arclight

Meanwhile life grinds on somehow or another. I just went for a morning stroll and somehow met up with a drug dealer on the corner of Hazelton St and Glenwood Ave. He was using his fine credentials with the BATFX to make a straw purchase of a pink .385 automatic handgun for his live-in girlfriend because she needed it to extort more child support from her ex. They tried not to let me leave, but by then they were so high they couldn't stop me. On my way back to my car, a "couple" of lipstick l------ hookers showed up out of the blue.

After I shook them off my tail I ate hardtack for lunch and I'm just waiting for my SSI check tomorrow.

June 30, 2016 11:57 AM

BREXTONE on Comparing Messaging Apps:

Michael

I just dont understand why the fuss about everyday conversations. if you don't have anything to hide, you don't have anything to be afraid or to hide/obfuscate.

That says quite a volume about you.

It is not about hiding. It is about minding your own damn business.

Also, I do mind collection "for 'national security' purposes". It is of no benefit to me personally. I suspect it is of no benefit to the aforementioned "nation" either. Do forgive me my insolence.

June 30, 2016 11:28 AM

Arclight on Interview with an NSA Hacker:

Having been around some of these folks, the ethics aren't that complicated. Most employees either implicitly trust their employer and assume that their upper management is doing right by the American people and not breaking any laws. As long as they follow the rules they are given, the responsibility rests with the "big picture" people who know more than they do and are in a position to do the right thing.

Others just show up to collect a paycheck, don't think about it too much, and know that they will not be fired as long as they adhere to the handbook.

Violations of the "rules as stated" are reportable and can result in consequences to agency employees, giving the impression that everything is on the up-and-up. Where it breaks down, is in the assumption that the leadership actually knows what's going on, cares about the U.S. Constitution and has a will to do something about it if things are not kosher.

Arclight

June 30, 2016 11:26 AM

AA Member on Facebook Using Physical Location to Suggest Friends:

Turn off location services for the Facebook app. People are giving Facebook information about themselves and are all up in arms when Facebook uses that information. Just don’t give them the information in the first place. At least on iOS, the user had to explicitly give Facebook permission to acquire their location.

I wonder if the original author is familiar with AA meetings. As an AA member, I am friends with my fellow AA members, and becoming friends is a great way for a newcomer to establish a sober network. It’s also somewhat of a myth that we do not use last names. While different areas are more sensitive to this, we often use last names in meetings. After all, we are not anonymous to each other, simply at the public level.

I know this doesn’t take away from the article any—I just had to rant because it’s so tiring when people who know nothing about AA use us in their “privacy” examples.

June 30, 2016 11:00 AM

Jane on Security Analysis of TSA PreCheck:

I hate to come off sounding as if I support the TSA in any way, but I guess I never learned to keep quiet.

We have not (yet) reached the "papers, please" restriction on travel here. You can still cross state and county lines. Although if you drive instead of walk, you could still be selected (theoretically self-selected) to provide your license and proof of insurance.

June 30, 2016 10:23 AM

keiner on Interview with an NSA Hacker:

@Nick P

The US government is as corrupt (at least) as the Brazilian. No question about that.

Make an educated guess who "inspired" the Brazilian state crisis. Or Middle America. Or.. or.. (you name it).

The US try to play world courthouse, but only whenever it is considered politically opportune, i.e. when left-wing governments or the Russians come into play. Who destabilized the whole Middle East? On purpose, btw.

https://www.youtube.com/watch?v=9fPzvG7qFRI

dated 1989! Watch Mr. Rumsfeld. 10 years BEFORE 911 totally determined to destabilize a whole region in the world he has no idea of how it works.

June 30, 2016 10:05 AM

Freezing_in_Brazil on Crowdsourcing a Database of Hotel Rooms:

@ianf

Less obnoxious, except to hotel owners perhaps.

I never said I like the solution, but if somebody has to pay, let it be the owner.

Yeah, let's make this into a law of global reach and proportions, then build up local, state, federal, intercontinental, and UN structures (...)

Or better yet: just leave to the innocent Ibis hotel guest in Paris the burden of proving why and how he was not the trafficker at the identical room at a London Ibis at the same time, since both of them look the same, as do both rooms.

As to homeowners, etc, those are not my words.

June 30, 2016 9:04 AM

ianf on Comparing Messaging Apps:


@ Dirk Praet, Clive

I'll tell you why there was a grizzly bear-eats-MTB-cyclist item in the morning news flow on the BBC: in newsrooms all over the globe at all times there are floating "human-interest" Mondo Cane-type short stories, or vignettes, to be used as slot fillers for scheduled items that for one reason or another have gone AWOL at their allotted time. Deployed also in order to lighten the often way somber mood of a news broadcast – they don't like us to switch channels. Usually these items are gleaned from other stations' feeds the same morning & bought for just this purpose. They're emitted maybe twice during the day, and then forgotten. Had the story instead been of a cyclist bites grizzly bear type, I'd guarantee you, that we'd see it in plenty more places.

Clive, if you remember the UK long-running TV series Drop the Dead Donkey, or either, or both the Canadian CBC, and the U.S. HBO TV episodic drama called The Newsroom, all of them had plenty of just such story fillers, which means alles ist klar and Bob's your uncle.

June 30, 2016 8:58 AM

SJ on Facebook Using Physical Location to Suggest Friends:

I had something slightly odd happen to me. It wasn't location-based, but it did involve FaceBook discovering that I had interacted with another person outside of the FaceBook ecosystem.

From memory, the sequence of events was close to:

(A) I had a profile on a dating website
(B) One potential date that I met had lots of online conversation, and we tried to plan a meet-up
(C) During the plan for the meetup, we shared phone numbers via the dating-website communication.
(D) I didn't have full name, so I entered "DatingSiteHandle DatingSite.Com" in my electronic phonebook, with the new number
(E) The meetup happened, but no second date ever happened.
(F) A month later, FB suggested that I be friends with someone who looked familiar...then I realized that the person had used the same ProfilePhoto on the dating site and on FaceBook.

My suspicion is that FB has permission to see the electronic phone book on my smart-phone.

June 30, 2016 8:47 AM

CallMeLateForSupper on Facebook Using Physical Location to Suggest Friends:

@ fellow critics of FB

"...Facebook... has seen a reduction of 21% in “original sharing”, users making posts about their own life. As people have become more aware of the downsides of sharing personal details publicly, it seems that they’ve stopped sharing altogether. [...] But at the same time, it relies more on network effects than most social networks.
[...]
"So it’s perhaps unsurprising to find that gradually, the highest tier of privacy settings have been removed by Facebook. You can still hide individual posts, but your Facebook account itself is now public, whether you like it or not.

"How do I know? Because my own Facebook presence has been fully exposed to the outside world with no warning or control."

https://www.theguardian.com/technology/2016/jun/29/facebook-privacy-secret-profile-exposed

The final section, "Update" is probably helpful to FB-ers. Personally, I found it amusing because it illustrates that the ancient art of hiding controls deep in layers of menus beneath an illogical root menu is still used. :-)


Just say "NO" to Facebook. (Mister Yuk sticker here, for emphasis)

June 30, 2016 7:10 AM

Hay Seed on Security Analysis of TSA PreCheck:

Regarding the very friendly TSA pre-check process, I found on the internet the wait time for the interview is weeks and months, followed by weeks and months waiting to see if the honest citizen has been deemed honest. In other words, replacing one line with a longer line.

I repeat only honest citizens would avail themselves of this kind of intrusion and abuse. Only.

Essentially, Pre-check would be familiar to any criminal being booked in a jail for a criminal offense: picture, prints, computer check, submissiveness rating...

All that's absent is committing a crime.

Honest people shouldn't be treated like criminals so they can keep their shoes on, computer in luggage and have a bottle of water.

I guess it's useless to harp on our former unalienable rights, no one cares anymore.

Freedom to travel was our right. Not anymore.

June 30, 2016 5:42 AM

Dirk Praet on Comparing Messaging Apps:

@ Clive

Silly news story of today on the BBC, apparently a man riding a mountain bike in some woods in the US was eaten by a Grizzly Bear... Why this is given prominence in the UK morning news I have no idea.

I guess it's far easier to focus on this kind of stories than explaining to the British public just to what mind-boggling extent they have been lied to and betrayed by the Murdoch empire and an utterly disconnected political caste obsessed with their own personal interests only.

June 30, 2016 4:55 AM

Thoth on Friday Squid Blogging: Bioluminescence as Camouflage:

@Grauhut
TLS/VPN is not a good way to hide identity since it is assumed state actors already have the ability to listen on the Internet backbone.

It is more for generic use (not trusting the WiFi provider in the hotel when overseas type of use case) and work use when accessing personal and work stuff when I am overseas meeting clients.

If I want to hide my tracks, I wouldn't be using TLS/VPN either, as this stuff leaks too much metadata.

June 30, 2016 4:35 AM

Matt on Interview with an NSA Hacker:

He talks about wandering around the NSA and asking people about the interesting stuff they work on. I thought these places were completely compartmentalized, certainly for people at the technician level....

June 30, 2016 4:26 AM

Clive Robinson on Comparing Messaging Apps:

@ Markus Ottela, Nick P, Thoth,

DIACs are not commonly available to home constructors and thus quite expensive. A cheaper and easier solution from readily available parts is a pair of Zener (avalanche) diodes in series anode to anode, which will do the same job. Roughly the conduction voltage will be Vz+0.7V.

However all such sharp knee threshold devices have a real down side when it comes to EMC/EmSec. If you have a filtered signal its rise and fall times are relatively slow, thus have low harmonic content and energy. Stick one of these devices in and you end up with the near equivalent of a comb generator, that can be well into the GHz region of the EM spectrum. Thus like large wild animals "they need care and attention in their feeding"[1]. The solution to this is to use series resistors and capacitors to the signal ground forming a "T filter" at appropriate points.

With regards,

The issue there is manual typing of public key (something I did with previous TFC signing key) is insanely annoying.

Yes, the "manual typing" was the major failing I identified with hand held authentication devices for financial transactions a decade or so ago. @Nick P and myself had quite a conversation about it in the past as he favoured a USB type solution. There is no way around this problem if the device is going to be "out of sight" as part of its normal operation (and locking it in a safe does not work either). The NSA solution is "Cryptofill" via what they call "Crypto Ignition Keys" which you have on your car key ring etc. @Thoth has quite reasonably realised that Smart Cards / Subscriber Identity Modules are the way to go on this. The only down side is making them more rugged. One way might be to use a USB dongle that uses serial protocols to access an onboard SC/SIM.

Speaking of USB...,

The USB-drive explanation was just a way to bridge the way airgapped TCB is used, to how the three-computer setup works.

You might want to update this with an outline of why "energy gapping" is required, using the issue of low end ultrasonics from laptop piezo speakers to a small electret microphone in another device. As well as how light that humans cannot see can be picked up as a reflection off of a wall etc with a photomultiplier (Markus Kuhn at Cambridge Labs has papers on this). So the photo diode serial signal splitter needs to be in a metal --not plastic-- box.

[1] Silly news story of today on the BBC, apparently a man riding a mountain bike in some woods in the US was eaten by a Grizzly Bear... Why this is given prominence in the UK morning news I have no idea.

June 30, 2016 3:55 AM

tyr on Interview with an NSA Hacker:
Morals and ethics ??

It turns out that it is impossible to legislate morality. Legislation merely shifts the affected populations one way or another without solving any of the problems. If you consider the technological safeguards, you get the same conclusion. The locks on your home doors are not there to deter "real" criminals, they are there to keep those who act on impulse at random in check. The phrase is locks keep honest people honest. That is true for every technical solution. Dedicated nation states are not going to be deterred if they want your information. Whether you should then remove your front door to let anyone at random rummage through your computer for any interesting bits is left as an exercise for the student.

We have to make it harder for "honest" entities to remain honest. Harder for them to harvest and store and use our private property. Note that this does not make the nation state surveillance activities harder. It makes them do a clearly focussed job, instead of random harvests of teen selfies and incriminating or embarrassing political materials. Smaller data haystack, better results because then you're finding the real problems before they appear on the front page as another tragedy.

If you indulge in blanket conflations of what should be separate workable areas of solution you're making the solvable insoluble because of the same lack of focus in your problem definition. The current stupidity of tossing previously worked out legal solutions because 'computer' has to be remedied by getting the damned legislators an education so that their proposed laws make sense. The runaway national security state needs to be curbed by budget cuts and demands for results that mean something. Stop trying to fix everything as a blanket solution to every problem. Fix the center of the bell curve and then the fringes which will still exist are no longer intractable.

Techs fix problems by understanding what they are first and clearing away those things that are not part of the problem. Then you can achieve some results instead of random pokings at the complicated mess hoping to get lucky.

The current status of the user is one of being required to wear no clothing because it might conceal something and to remove your front door because there might be a computer inside the house. So where's the ethics in that? Where's the morality ?

June 30, 2016 3:30 AM

Curious on Facebook Using Physical Location to Suggest Friends:

@65535
Having looked at emptywheel's blog, I suspect that the use of the phrase "device location" could be abused or cause misunderstandings if ever used in a boilerplate response to the media: in the sense of 'device location' meaning nothing other than presumed 'location of the device'.

It would not surprise me if maybe Apple thinks that making presumptions about the location of any device, is totally ok.

June 30, 2016 3:15 AM

Vesselin Bontchev on Interview with an NSA Hacker:

LOL. This loser is "one of NSA's top hackers"? Some of my students can do better, given the tech he had. No wonder a contractor sysadmin like Snowden managed to pwn them so thoroughly.

No, I still don't believe it. More likely, the journalist believed his bragging because he (the journo) didn't know any better. The NSA ought to have better talent than that...

June 30, 2016 2:09 AM

Winter on Interview with an NSA Hacker:

The abyss between the people and the intelligence community is very well illustrated by the Prometheus-like status of Snowden: A hero to the people, and the vilest of criminals to the community.

Having seen the work ethics of people like Lamb has indeed influenced "consumers".

Study: Encryption use increase largest in 11 years
Enterprise use of encryption saw the largest increase over the past year in over a decade, according to a report released today by the Ponemon Institute
http://www.csoonline.com/article/3088916/data-protection/study-encryption-use-increase-largest-in-11-years.html

June 30, 2016 2:08 AM

Markus Ottela on Comparing Messaging Apps:

@ R3LLiM

Signal is the best mobile app out there, but like Snowden said, smartphones can be 'owned' with single malicious SMS. Security is a layered process. It's hard to give definite answers but I think I made a decent summary about secure communication here.

June 30, 2016 2:02 AM

Markus Ottela on Comparing Messaging Apps:

@ Nick P:

I added HSA to terminology at the front page of the blog but I probably should make edits to articles (TCB too). Many things are outdated, e.g. WhatsApp protocol description. It turns out Signal's double ratchet protocol was not used during the time of writing. When the protocol changed, notifications about E2EE started popping up and fingerprints were enabled. There's a lot of updating to be done but TFC keeps me busy whenever I have spare time.

The USB-drive explanation was just a way to bridge the way airgapped TCB is used, to how the three-computer setup works. It also helps the users understand how they should set up the system were they only to use PGP (as Green suggested): public keys on TxM, private key on RxM; The issue there is manual typing of public key (something I did with previous TFC signing key) is insanely annoying.

There's still potential for one-way property to fail due to EMF crosstalk somehow.

Since TxM must be assumed to be clean (not vulnerability-free but malware-free), the relevant attack is key leak from RxM to NH. Let's assume RxM's serial interface or Rx.py can be exploited to run arbitrary code that reverses serial pin order and uses data diode's Rx-side wires as antennas. I'm not sure the EM field is strong enough to induce a current in the data diode's Tx-side (NH); AFAIK LEDs don't conduct current below forward voltage. If that's not enough assurance, putting a DIAC in front of Tx pin should help.

Also, Jones' data diode had a ground loop around the PCB to shield the devices. Something like that could be used as well.

I should really put more effort into data diode design but it's not the first priority at the moment.

"Also, since it's basically a form of optocoupler, the speed might be increased by using faster ones at some point."

Jones warned about not using ICs as it's easy to hide a tiny CPU inside it. High assurance probably needs LEDs and phototransistors. I had issues finding a fast enough phototransistor (someone at Reddit may have found one but I haven't gotten around to ordering them). The reliable speeds Jones got were around 1200 baud/s -- I'm not expecting more.

The optocoupler I'm using is Vishay's CNY75 that works reliably at 9600 baud/s. The faster ones that support up to 1M baud/s are more complex on the inside: I'd appreciate it if anyone could tell me how to connect the Rx side pins: Most serial ports support 115200 baud/s, some go up to 921600 baud/s -- file transmission could really use a speedup.

--while keeping power to each unit really low.

From the perspective of acting as an antenna that leaks signals from CPU, memory etc, limiting the current flow with resistors to absolute minimum would be a great idea. As for the signals that pass through the data diode, those are all public (they are all passed through NH, assumed to be in control of the adversary).

They find the scenario entirely believable due to incompetence and insecurity they've seen in all other tech.

Maybe I'm expecting linear adaptation of technology and drones get deployed exponentially, but I still find it hard to believe skies will be filled with them in my lifetime. We'll see.

June 30, 2016 1:45 AM

Clive Robinson on Interview with an NSA Hacker:

@ Richard,

... almost any purely technical solution (even a hardware jumper) will be totally ineffective absent a LAW banning anyone from intentionally introducing a backdoor into ANY software program OR hardware device so that they can gain unauthorized access at a later time

Which brings us back to morals and ethics and why some people lack them whilst others have them strongly.

It has been observed that children who don't get given sweets whilst growing up have little interest in them when older, the same appears to be true of coffee as well (the Chinese don't drink it and the US appear strung out on it). The question this raises is in effect similar to addiction, if you don't develop a habit when you are overly susceptible to the rewards of the habit, then you don't get hooked on the supposed rewards.

As others have noted the morals and ethics of banks, financial institutions and large companies are fairly bad. Even though there are laws, regulations, watchdogs and ultimately punishment. This does not stop their bad behaviour, some argue because the punishment is ineffective. In this respect the NSA is just as bad, but has the advantage of no punishment.

Thus the question then becomes one of "Is the punishment sufficient, and if not can it be made so?". The answer appears to be no to both parts of the question. That is they are hooked on the rewards of bad behaviour. And like many people today will have behaviours where they take a small reward today, even knowing it will cause them to die ten or twenty years earlier.

Thus arguably the only effective punishment once a behaviour has become an addiction is to distance the person from the temptation. The logical consequence of this is either the person or temptation is excised/terminated from society, and preferably both to stop others from getting hooked. Many would consider such a response draconian.

But at the end of the day, if we want to stop a behaviour that is endemic then it appears that, it is the only way to go. The problem is that we've found it does not work for various reasons.

Thus as long as there is a reward, no matter how small or fleeting, then there will always be people who will take the risk as long as there is a way they can, no matter how draconian the punishment may be down the road.

Which means that "prevention" not "punishment" is the way to go. One way to do prevention is by reporting deviant behaviours. That is, others report the deviant behaviours to a third party whose job it is to correct or terminate the deviant. Such reporting is what whistleblowing is all about...

I could go on but you can see where the argument is going...

June 29, 2016 11:21 PM

Thoth on Friday Squid Blogging: Bioluminescence as Camouflage:

@Grauhut
Yup, there is no real P2P on the IP stack but there is logical P2P (users have to do it on application stack manually) as in the OSI layers.

What I am referring to with P2P over TLS/VPN is to have some sort of DHT list of VPN access points, and every time a VPN access point (using the word server does not best describe this approach) changes IP address, it updates the DHT list of other VPN access points close to it and the DHT list propagates just like how Bittorrent nodes work. This will continuously allow rather persistent access even if one IP address is unavailable due to firewalls or whatever that's in between (unless it's a network choke point like ISPs playing the game of whack-a-mole of sorts).

June 29, 2016 9:38 PM

Mark J on Security Analysis of TSA PreCheck:

=TSA Pre-check requires the target to be fingerprinted, produce several kinds of ID, investigated, submit to an in person interrogation and pay a tribute.=

Not quite as melodramatic as all that. My 15 minute Pre-check experience was quite painless. I showed just my passport, not "several kinds of ID." I was not interrogated or even asked questions other than to verify I was the person I claimed to be. I did provide fingerprints, which is the 5th time in my life I've had to do so for one reason or another, including for my current job. And if I was investigated, it wasn't while I was there. Most likely their "investigation" showed that my wife and I have been in our current careers for over a decade and have lived in the same house for all that time and most likely have no reason whatsoever to cause mayhem on an airplane. The $85 fee is about what I'd spend on a good bottle of Scotch, so easily worth it to avoid the hassles of the usual security lines.

That said, I'm not a believer that all the BS security theater does squat to increase security at the airport. It just shifts the point of vulnerability. All the more reason to want to get through that vulnerable point more quickly.

June 29, 2016 9:01 PM

Hacker chumps on Interview with an NSA Hacker:

Hear! Hear! Mark and Richard.

It would be easy to legislate for proper physical security on most easy attack vectors for the spooks - but we have lame duck governments everywhere who are democratic in name only.

Further, that ex-hacker sounds like a major dick. No insight, running around doing his best 'HackerZ' impersonation, no implication of how many felonies the spooks have committed in shitting all over the personal liberties of the global population, thinks Snowden is a traitor (is it traitorous to expose wholesale criminality of government agencies?), and has no clue as to how the US is the world's #1 material supporter of terrorism world-wide (and has been for decades).

If these are the clowns being actively sought to run advanced script-kiddie functions in shadowy units, then no wonder they are fucked in their supposed function (catching bad guys). The intelligence in supposed intelligence agencies is MIA if this one-dimensional retard's view is prevalent - which I suspect it is.

It is not surprising they then fallback to the easy hits in 99% of their work i.e. stealing IP, economic espionage, surveillance of outspoken groups that don't conform to their authoritarian worldview etc.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.