Recent Comments

January 22, 2017 9:57 AM

Anura on New White House Privacy Report:

@The establishment lost

On the other hand, the free market takes care of failing institutions by putting them out of business.

If your only measure of success is (gross profits - worker pay), where the lower the worker pay the higher the success then sure... It's like selective breeding - the economy evolves and if that's what you think the important measure to society is, and you use that as your selection criteria, then that's what your economy will evolve around: maximizing (gross profits - worker pay). If your measure of success is whether good outcomes are generated, it's pretty clear that capitalism is a failure.

We've spent the last century struggling to prop it up with regulations and redistribution, because it does not result in good outcomes - it results in a plutocratic society in which workers are wage slaves, left powerless and forced to accept whatever job they are offered for whatever will allow them to pay for food at the company store, while personal possessions become entirely owned by the corporations themselves. This is because wealth is the measure of control over the economy, and past a certain point the only use for wealth is gaining more wealth.

January 22, 2017 9:04 AM

Dirk Praet on Friday Squid Blogging: Know Your Cephalopods:

@ My Info

Those posts are too long and buzzword-heavy.

No they aren't. They are quite adequately addressing real issues in the complex realm that is high-assurance security, and which unfortunately cannot be reduced to Twitter-like "Where there is a will there is a way" slogans.

January 22, 2017 8:46 AM

The establishment lost on New White House Privacy Report:

@GreenSquirrel

You say,

"The one time he did align with the USG was around Russian info-ops, so this may have clouded people's thinking"

And then I say, study the No true Scotsman fallacy:

https://en.wikipedia.org/wiki/No_true_Scotsman

@r

I won't address every point of your rant, I will only say that if you believe I supported the Bush administration when it did nothing to prevent the pushing of subprime mortgages and then I supported the bailing out of banks, you'd be wrong. That's precisely my point: government is so evil that you always get the worst result possible. The only thing government offers to its faithful followers is Faustian bargains.

You want to help people prosper? Make sure the economy creates good paying jobs.

You want to get people educated -which I assume nobody here questions is a desirable goal-, give students -and their parents- choice. Instead, what government gives is teacher's unions powers that protect pedophiles http://nypost.com/2014/06/14/tenured-teachers-they-cheat-they-loaf-they-cant-be-fired/ .

I could go on, but you get the idea. Government is the only institution in society that cannot fail by design (when it fails, we call it revolution, such as the French Revolution, the American Revolution or the Bolshevik Revolution). In addition, it is the only institution the society gives police powers and prisons.

On the other hand, the free market takes care of failing institutions by putting them out of business.

To me it is obvious that giving such an institution -government- too much power is inevitably ruinous. In their wisdom, the founding fathers made sure that government was divided and that each branch had an adversarial relationship with the others.

January 22, 2017 8:40 AM

Wael on New White House Privacy Report:

@Dirk Praet,

Please try to write down your comments in one comprehensive post instead of hitting the Enter key every ten minutes. It really makes for easier reading.


Problem is: @r gets an epiphany every 10 minutes which results in a cacophony of posts. I speak from first-hand experience when I'm up late :)

January 22, 2017 8:34 AM

Dirk Praet on New White House Privacy Report:

@ r

I can't fathom for a second why the banks were bailed out at all

Because it was the lesser of two evils. The consequences of not doing so would have been even more catastrophic in causing a domino effect that would have crashed the entire financial system, plunging the world into a deep recession and reducing many regions all over the planet to the status of Greece and worse. The outrageous thing however was how it was done, and by whom. With the exception of some "rogue traders" like Jerome Kerviel, no politician or banker was ever held accountable or indicted, let alone went to prison (Iceland being one of a few notable exceptions).

Instead, those tasked with the bail-out were the exact same people who for years had been fostering the deregulation, short-term thinking, climate of risk taking and corporate irresponsibility that had caused the financial crisis in the first place. While at the same time the entirely legitimate Occupy Wall Street protest was labelled a form of domestic terrorism.

One of the few legislative initiatives that in the US came out of the crisis was the 2010 Dodd-Frank Act, and which the new Trump administration has already announced they will fully dismantle. So anyone even remotely thinking Trump is not firmly on the side of Wall Street and corporate America is totally deluding himself.

PS Please try to write down your comments in one comprehensive post instead of hitting the Enter key every ten minutes. It really makes for easier reading.

January 22, 2017 7:55 AM

ab praeceptis on WhatsApp Security Vulnerability:

Dirk Praet

That's what I intended to indicate for myself, too. But I wanted to be fair and give him the opportunity to come up with something reasonable.

January 22, 2017 7:13 AM

r on Friday Squid Blogging: Know Your Cephalopods:

http://www.csoonline.com/article/3159073/computers/is-antivirus-getting-worse.html

Average detection rates for known malware went down a couple of percentage points slightly from 2015 to 2016, he said, while detection rates for zero-days dropped in a big way - from an average of 80 percent down to 70 percent or lower.

"If the industry as a whole is dropping 10 to 15 points in proactive protection, that's really bad," he said. "Anti-virus isn't exactly dead, but it sure smells funny."

January 22, 2017 7:02 AM

MarkH on Attributing the DNC Hacks to Russia:

@Dirk:

Actually, I'm not upset about any individual's acceptance or non-acceptance of the conclusions of US intelligence. As I wrote above, your opinions and mine are based on information available to all the world's readers, and are of no inherent value.

Politically, the judgment of great masses of people -- and more importantly, how strongly they feel about it -- is something that in the fullness of time governments need to consider.

Individual opinions? So much cheeto dust.
_____________________________________________

Some of the positions I have seen advocated here along the path of argument and analysis, however, go rather beyond the realm of opinion. These include inferences from data, generalizations about what is valid or how things work, and prescriptions of how various parts of the world are supposed to operate.

Unlike, "do I trust these guys?" the answer to which is to some extent a matter of faith (as in, not far removed from religion), the other propositions may be objectively valid or invalid, practicable or infeasible.

They have included the Truly Preposterous.

I respect the right of anyone to believe what they choose -- in my country, this right is essentially enshrined in our written constitution. At the same time, when someone spouts codswallop, my natural reflex is to poke holes in it and let the gas escape :)

January 22, 2017 6:38 AM

r on New White House Privacy Report:

@the other white establishment,

The good thing about the GM style bailouts, excluding the banks, was that it, I believe, largely saved pensions, whereas bankruptcy would've liquidated the entire thing for the union. Which would've been even more unfortunate than what occurred in this aspect.

Ford(?) hardly even needed the help, I think they were the first to declare a complete recovery.

But you want to cut more of our fat out of our body, for what?

So you can sell us some nice glycerine soap?

No thank you, I'm not buying.

January 22, 2017 6:27 AM

r on New White House Privacy Report:

@the other white establishment

We used to own a form truck, we could build you any size house without the bank having a say at all.

It was called savings, who's been eating away at that?

Who?

I can still build you a house from the ground up, maybe we'd have to sub out the basement at this point but who cares. It's the choice between you paying $100k and paying $500k (mostly interest) and people are idiots and part of the "convenience culture".

The banks make those investments in big builders like a gamble in Vegas (because it's lucrative), then they have to pay on their bets with the heads of the commoner so they devise a way to get their empty homes filled.

But alas, you're not here to debate: you're here to push.

January 22, 2017 6:27 AM

Dirk Praet on WhatsApp Security Vulnerability:

@ ab praeceptis

Please, elaborate.

@Rolf Weber at the time argued that not only was it desirable but also perfectly possible to introduce undetectable NOBUS backdoors. The usual suspects strongly disagreed on both accounts.

January 22, 2017 6:19 AM

r on New White House Privacy Report:

And now, here your types are making more populist popular promises of success while you plot and you scheme to suck their success right out of their hard working hands.

You're a spin doctor.

Of course people who receive robocalls for free loans and cheap mortgages are going to bite out of desperation considering the state of eclairs we find ourselves in.

Is it sad? YES
Should we encourage either behaviour? HELL NO

But who is at fault when intent is considered?

January 22, 2017 6:16 AM

r on New White House Privacy Report:

If by your account, the crash occurred in 2008 - and prior to that the Republicans had a reasonable amount of control over the country - you would advocate doing that again? If the crash occurred in 2008 due to the fermentation of mortgages, do you think that it just happened overnight?

Mortgages are 10,20,30 and 40 years long. People like Bernie Madoff are eternal, you want evil? There's your example ftard.

People who couldn't afford their mortgages lol, no - people who couldn't afford to make deals with the devil - a predatory unregulated indecent lender.

January 22, 2017 6:09 AM

r on New White House Privacy Report:

The fact that the banks were bailed out should leak the concept I pushed the other day about world capitalists v the people 2.0.

Someone upstairs must've been apprehensive about the repercussions of not letting Wall Street survive its vampiric hunger for the blood of the underling.

January 22, 2017 6:05 AM

r on New White House Privacy Report:

@the other white establishment,

And you think forcing tax credits down American companies' throats for keeping Americans employed is not the same thing in your loose definition of "let the chips fall"?

If these companies can't afford American workers why are we keeping them propped up in the face of globalization?

You're off your rocker, I think you hit some titanic style black ice in your oh so holy see.

I can't fathom for a second why the banks were bailed out at all, I would've let them fail - they have lawyers - I would've given that money to the people instead. If the Casino bank rolls you for $1m USD when you've only got $1000 bucks that's THEIR FAULT - you don't bail the educated (they knew what they were doing, look at Wells Fargo) thieves out from a self-made problem. It's improper to let or encourage such behavior.

But you, you push a thinly veiled attempt to appeal to the anarchists and the working man who's tired of paying out to a government that only pays attention to corporate interests.

The Tea Baggery of the Tea Party has revealed itself as nothing more than populism, but the key is that since a veil exists the meta of this reality is that the existence of such a veil qualifies them as evil and maligned in itself.

Your reasons, their reasons - should be in plain view and not masked.

Welcome to the leak that is your mouth and heart.

January 22, 2017 5:59 AM

Dirk Praet on Attributing the DNC Hacks to Russia:

@ MarkH

Those (like Bruce, it would seem) who place more trust based on the specifics of the situation, sources, and context, are inclined to accept the conclusion.

Mark, I don't understand why you are so upset by the fact that some of us here refuse to go along with the conclusion by the USG and IC that the Kremlin ordered the DNC hack, and which even the NSA is only "moderately confident" (read: are not entirely sure) about. By your own admission, the publicly available evidence currently does not support that conclusion beyond reasonable doubt, and to us that is the minimal requirement for public accusation and retaliation on the international stage. There is no denying either that both parties are known to have been wrong or lying about equally sensitive matters in the past. I again refer to the WMD narrative in the UN and DNI Clapper's "least untruthful" statements to the Senate in the surveillance debate.

Neither @Clive nor I frantically deny the possibility that indeed the Russians were behind it. But with what is currently on the table, we consider the likelihood fifty-fifty at best. Unless you think of us as Russian agents or clueless idiots, why is it so difficult for you to just accept this dissent as a minority report instead of getting all worked up and personal about it?

January 22, 2017 5:56 AM

r on New White House Privacy Report:

@the other white establishment,

Your response, although substantial, lacks substance outside of the quoted bloc.

Are you rambling or advertising?

WHAT makes you think that the government is too big or too small?

AND where do you advise making changes rather than vague references to culling the pigs on the hill?

Outrage and anger can be harnessed for good, it seems to me that you're still lacking a true direction.

January 22, 2017 5:50 AM

r on New White House Privacy Report:

@GreenSquirrel,

There's been a couple of times where the 'necessity' or 'usefulness' of intelligence has been conveyed, that's about as 'extreme' as I've seen @Bruce post. I have no qualms with the concept of intelligence either, I think @Bruce tries to understand and steer our/their perceived necessity and understanding of such practices.

I'm much the same way, (hopefully I'm not putting my foot in my mouth and have this right) I think dialog is required and that over-reach is the problem and that security and intelligence can be done in a forthright manner by the IC/USG.

But, in creeps "absolute power". I definitely don't agree with the policy pusher above who thinks that what would be very nearly a free-for-all would be any better than what we have now with respect to the 'default' [m]alignment of humanity.

If he believes the whole world is evil, then he's just a couple steps from grabbing a gun.

And people call me crazy/paranoid. ;-)

January 22, 2017 5:38 AM

r on Friday Squid Blogging: Know Your Cephalopods:

@Jen Gold,

Well now, if I don't need to be eating the paper my snark isn't written on.

Why does he even need to travel to the US?

Good for him, hopefully the Swedish stuff is a farce and he can enjoy actually stretching his legs in the NWO.

January 22, 2017 5:34 AM

Clive Robinson on Attributing the DNC Hacks to Russia:

@ MarkH,

Did I say that those were the only two critiques? If so, where?

Well you did say,

It seemed to me at the time that I was in a distinct position from all of the regular commenters whose thoughts I was reading.

And,

I particularly recall two currents of criticism, which I attempt to summarize:

That is you tried to give the impression that no other posters on that page had made worthwhile comment, and that those not worthwhile comments were of two basic types...

Would it be that you thought you could just wave your arms, and now, having been called on your supposed recollection, you are backtracking?

I suspect that might be the case with you going on to say,

They were two which I believed (and still believe) don't make sense in light of how critical systems are designed for airliners.

How about you mention some others that are there that do not fall into the "two" you "still believe"?

January 22, 2017 4:55 AM

Wael on Friday Squid Blogging: Know Your Cephalopods:

@JenGold Stockholm,

President Obama commuted Chelsea Manning's prison sentence yesterday, reducing her time required to serve behind bars from 35 years to just over seven years.

Must have appointed the same attorney:

Attorney: Good news, cheer up!
Death row inmate: I'm all ears!
Attorney: I reduced the sentence for you
Death row inmate: Best news I heard today, you're the best.
Attorney: We aim to please!
Death row inmate: Tell me more, I'm ready to celebrate :)
Attorney: Reduced your sentence from 50,000 volts to 35,000 volts
Death row inmate: Get out of here.

Let's have a moment of silence,

Sing Sing along...

Amazing farce how sweet the ultrasound
That saved a wretch like me.
I once was crossed now I'm conned
Was blind but now I see.
'Twas TAO catalogue that taught my heart to fear
And grace my fears relieved.
How suspicious did that graze sneer
The hour I first believed.
When we've been there over seven years
Bright shining as the dun
We've no less days to sing sing BND praise
Then when we first begun.
Amazing farce, how sweet the ultrasound
That saved a wretch like me.
I once was crossed, but now I'm bound.
Was blind, but now I see

January 22, 2017 4:17 AM

Ratio on Attributing the DNC Hacks to Russia:

@MarkH,

As it happens, life has shown me that smart people often overestimate the reach of their insight, leading (from time to time) to spectacular errors to which the erring person is often blind.

Close enough.

January 22, 2017 3:55 AM

Wael on Attributing the DNC Hacks to Russia:

@MarkH,

And the depth of that arrogance is exposed, when you patiently explain to them where they are mistaken, and they respond with angry insistence that you either don't understand their brilliance

Oh, well. Can't stop that. All you can do is explain. If they still argue, then it becomes a moot discussion, time to move on... hard to argue with 'Stupid'.

January 22, 2017 3:12 AM

GreenSquirrel on New White House Privacy Report:

@The establishment lost

And while he hasn't condoned explicitly the NSA dragnet program, you can read in his posts a veiled justification for their existence making excuses for the Obama administration using them.

Wow. I think we've been reading a different blog to each other so I don't know how I managed to comment here.

I don't recall any posts where Bruce provides any (veiled or otherwise) justification for NSA's surveillance or makes excuses for government data hoovering. In fact it is nearly always the exact opposite.

The one time he did align with the USG was around Russian info-ops, so this may have clouded people's thinking.

However, I am open to the fact I may have misread his posts about the problems with security theatre, the need for people to secure their data and his efforts to out the excessive NSA surveillance ops as being wrong. Please remind me where I can find all the veiled justification.

January 22, 2017 12:17 AM

Jen Gold Stockholm on Friday Squid Blogging: Know Your Cephalopods:

@ FigureItOut

"Jen Gold Stockholm
thanks for patience everybody
--We love to think we're helping people who need the protection (I do too), that's what motivates me. Most of us have been on the other side, some of us still reside there mostly (not me, but I will make occasional trips back to keep my skills up and "spy on the enemy" :p). All it takes is a decent amount of planning, OPSEC, and hiding behind others to attack undetected and you won't ever get caught. Unsolved mystery.

But it doesn't take much thought to realize, strong defense is the way forward for humanity. Attacking is for the mentally unstable/insecure usually. Imagine, say NASA or SpaceX having a rocket crash due to a deliberate hack from a human, that would be really sad. An example of one mentally unstable human ruining research and "a way out" for humanity. "


Love your work all round, FIO
It's nice of you to respond personally and write something interesting!
Although I can't see how it relates to my quoted text. I found my original reference and I was saying 'thanks all for your patience' meaning, being off topic for writing specifically to Clive about a therapy. But I then immediately agreed the whole forum is very patient with extraordinary rendition being performed for pages and pages upon otherwise unsuspecting threads, so I was sure my one post was tolerable.

PS what if NASA, SpaceX (or DivX, or triple X or whatever they're called) and other such billionaire CEO 'tech problem solver' heroes (let's dig tunnels to solve congestion! Hooray!) spent their money trying to solve homelessness and poverty instead? Would that be a sufficient 'way out' for humanity?

January 21, 2017 11:51 PM

MarkH on Attributing the DNC Hacks to Russia:

Editing Correction, last words should read:

"or accusations that you are part of a conspiracy (not making this up) to suppress invention."

January 21, 2017 11:20 PM

the establishment lost on New White House Privacy Report:

@Anura and others,

Again you are giving false choices. The answer to the problem of what constitutes "too much government" is found in Federalist Paper 10,

http://avalon.law.yale.edu/18th_century/fed10.asp

"AMONG the numerous advantages promised by a well constructed Union, none deserves to be more accurately developed than its tendency to break and control the violence of faction. The friend of popular governments never finds himself so much alarmed for their character and fate, as when he contemplates their propensity to this dangerous vice. He will not fail, therefore, to set a due value on any plan which, without violating the principles to which he is attached, provides a proper cure for it. The instability, injustice, and confusion introduced into the public councils, have, in truth, been the mortal diseases under which popular governments have everywhere perished; as they continue to be the favorite and fruitful topics from which the adversaries to liberty derive their most specious declamations."

"By a faction, I understand a number of citizens, whether amounting to a majority or a minority of the whole, who are united and actuated by some common impulse of passion, or of interest, adversed to the rights of other citizens, or to the permanent and aggregate interests of the community."

That is the problem with "too much government": it ends up being the government of a faction imposing its own ideas and vision of society on society as a whole. Take the example of a recession. Government might impose a solution that doesn't work for everyone. The way Obama handled the Great Recession is a case in point. We learned recently that eight individuals, mostly Americans, have as much wealth as the bottom half of the world population. These individuals got wealthier as a result of the Obama policies (because of the stock market bubble fueled by low interest rates). The rest of society, not so much. The unemployment rate of 4.7% is a fantasy not only because it doesn't count the people who gave up looking for work, but because it doesn't include people who have part time jobs that don't pay enough to get these people above the poverty level. The number of people on food stamps remains at high historical levels, despite the alleged low unemployment. On the other hand, the new debt Obama issued to fund this travesty is on all Americans.

Further, the 2008 crash itself was caused by government backing mortgages of people who couldn't afford their homes (the so called "subprime mortgages").

Given the historical record of excessive government ruining societies and, on the other hand, the economic growth and prosperity that results when government gets out of the way and focuses itself on guaranteeing our most basic rights (security, freedom of speech, private property), etc, it begs the question how it is that there are some people who still naively believe in government as a force for good.

We will never know how our society would be today had the Obama administration pursued a different agenda; however, few people question that the reason Bernie Sanders gave Hillary Clinton a run for her money in the Democratic primary and the reason we have president Trump is that the Obama economy worked for very few at the expense of many.

January 21, 2017 11:20 PM

MarkH on Attributing the DNC Hacks to Russia:

@Wael:

There seems to have been a miscommunication. What I wrote wasn't clear enough, for which I apologize.

When I wrote that Bruce has taught us about the invention of worthless ciphers by crypto-n00bs, I didn't mean to suggest that Bruce was practicing intellectual arrogance.

He is 100% correct: I used to waste time on a couple of cryptography forums, and it happened quite often that someone who spent a few hours reading about cryptography reinvented the same broken wheel.

The arrogance I meant was not in reference to Mr Schneier, but rather those who make Very Passionate Assertions of Rightness without having taken the time and trouble to study the domain.

It's the n00bs, who offer examples of intellectual arrogance.

And the depth of that arrogance is exposed, when you patiently explain to them where they are mistaken, and they respond with angry insistence that you either don't understand their brilliance, or accusations are part of a conspiracy (not making this up) to suppress invention.

January 21, 2017 11:02 PM

MarkH on Attributing the DNC Hacks to Russia:

@Dirk:

Surely, we are free to air our beliefs, ideas and opinions. It's not my wish to limit such freedoms. I believe that freedom is under heavy threat, however. I also believe that our self-delusions make us more vulnerable to such threats.

For my own part, I prefer to write things which I hope will be somehow instructive or illuminating for a reader or two.

The unclassified report from the US intelligence agencies, nearly free of new information, was a kind of litmus paper.

Those with the general attitude, "those US officials are a bunch of lying liars and I don't trust a damned thing they say" naturally doubt or dispute the conclusion.

Those (like Bruce, it would seem) who place more trust based on the specifics of the situation, sources, and context, are inclined to accept the conclusion.

I don't "chime in" on this question, because my trust or lack thereof is of no inherent interest. Imagine a forum for little children: "my favorite color is blue!" "No, my favorite color is yellow!" Maybe fun, but of limited instructional value.

Where it gets more interesting, is when I imagine the counterfactual that the report had 950 MB of appended network logs, communication intercepts, and detailed technical analyses. Were this the case, people like you and me probably would be unable to independently verify most of it, or perhaps any of it.

So I imagine that it would devolve to the same situation: "Billy is my friend," or "Billy is a liar and he looks at me funny, make him stop!"
____________________________________________

As it happens, life has shown me that smart people often overestimate the reach of their insight, leading (from time to time) to spectacular errors to which the erring person is often blind. To me, it's a topic of interest and importance, which perhaps those who read Bruce's blog might also find interesting.

@Clive:

Did I say that those were the only two critiques? If so, where?

They were two which I believed (and still believe) don't make sense in light of how critical systems are designed for airliners.

January 21, 2017 9:40 PM

Thoth on Friday Squid Blogging: Know Your Cephalopods:

@Clive Robinson

What is the likelihood that biometric authentication and the What You Are factor is going to still be good in a MFA scheme, since now almost every Government or Bank (and other organisations) are collecting so much biometric data, to a point where I am starting to doubt if it's secure to use anymore.

The What You Know, What You Have and Where You Are would make a good 3FA by replacing the What You Are/biometrics.

January 21, 2017 9:29 PM

My Info on Cloudflare's Experience with a National Security Letter:

By what authority, exactly, is a so-called "National Security Letter" issued? Let's cite some U.S. Code, and some reasoning why someone of some vague purported government authority thinks this is in accordance with the U.S. Constitution.

Did the letter come in the United States mail? How, then, is it any different from any other scam or mail fraud or some sweepstakes or chain letter or the like? Or was it "served" by the local sheriff's office?

NSLs do not require prior approval from a judge.…

If you need a Wikipedia article, Barratry (common law). Or take it up with your local postmaster or postal inspector.

Return to sender.

We're getting deep into the red-light district of national security, where TSA officials feel up our private parts before we are allowed to fly with made-up attendants in tightly fitting skirts, minimum shoe heel height, long acrylic nails, and bangle bracelets as they motion flight emergency instructions with their hands. Until we learn to stand up for our rights, we just keep falling deeper into this hole we are digging ourselves.

Excuse me, my motion discomfort bag is full. Could you please put it in the recycle bin and get me a new one?

January 21, 2017 8:17 PM

ab praeceptis on WhatsApp Security Vulnerability:

Rolf Weber

Back then and today I argued that governments should introduce something like the Feinstein/Burr proposal, that they should demand from service providers that they are able to "break" their *own* encryption, and that the companies can do this without putting any regular customers at risk.

Please, elaborate.

January 21, 2017 8:15 PM

ab praeceptis on Attributing the DNC Hacks to Russia:

MarkH

Thank you for that excellent demonstration of, oh, well ... I'll stay polite.

Decisions like the one to interconnect flight control and entertainment systems were certainly not made by an expert engineer. You can confidently bet your house on it that that decision was made by management; possibly some of the involved managers had indeed at some point in their life got some kind of engineering degree - but that doesn't logically allow a statement like yours.

As for the security mindset one should see how committees tick, how large corporations tick, and when the basic decisions were made. Let me help you, they were made in about the years when many otherwise highly regarded IT engineers made decisions like those that still plague, for instance, Unix.

It's simple, the context was very different from today. "Security mindset" isn't something absolute, it's depending on and evolving with the context. Then, rather crude simple security (as in ITsec), was all that was reasonably needed. Then, digital systems were deemed just an evolution of electronics, "more bang for the buck and in less space, too".

Once that path was opened it got nailed down by corporate processes and by committees. How would they prepare for a situation where the majority of passengers had considerably more powerful systems in their pocket then large corporations had in their headquarters at that time? A situation where those pocket devices would exchange volumes of information by far bigger than, say, all cross atlantic communications combined at that time?

Once that did become visible on the horizon, you bet your ass that plenty system engineers started to become concerned and to make noise - obviously in vain. They lost at the first day of the battle against the high and thick and sturdy walls of corporate committee processes.

When it finally became clearly and unavoidably visible, the whole segment had grown to a size and solidified (and been encrusted) to a degree where banks/shareholders, politics and whatnot were involved. I bet that at some meeting table someone high up said something like "To change the design and production and processes so as to have those on board systems really seriously secure will be so prohibitively expensive that whole aircraft related industries will close down. So, you either insist on it and have an industry that is secure but dead, or we go the time-proven way of incremental steps", the latter meaning corporation-politician-finance industry-committees sloooooow ping pong - which is obviously the route that was taken.

And that route wasn't that bad. They went step by step, system element by system element. If engineers (real ones, not managers) were involved, then it was only in terms of "how?", i.e. the implementation of decisions.

Why wasn't the route the worst? Simple. Due to a factor you comfortably ignored: One can't just stop the world (or a large infrastructure or industry). There are systems - like e.g. major aircraft and the whole related businesses - one must change while they are at least to a large degree running.

Same with the ssl/tls crap. To rip that out of the OSs and distros, etc. would be a no-brainer. BUT that's not possible because that would mean that administrations of countries, large organizations etc. would screech to a halt. The security part has been done; we have the building block. To implement that in a reasonable way without creating havoc is the problem that is hard to solve.

January 21, 2017 7:36 PM

r on Friday Squid Blogging: Know Your Cephalopods:

If you're pulled over for texting and driving they will save it for later under the excuse of 'pending further investigation' or other more general rules of evidence. Until which time such things as deleted or encrypted data can be resurrected or fabricated (because they never existed in the first place) I don't think one can expect the expedient return of said devices.

Travel light and use inexpensive devices that carry agnostic volumes encrypted off-device.

January 21, 2017 7:23 PM

r on Friday Squid Blogging: Know Your Cephalopods:

@Clipper,

If you're arrested and charged, your phone is kept indefinitely currently for mining purposes.

We already know that computers and HDDs are treated that way so phones are hardly a surprise but I'm putting it out there as an irrefutable fact at this point so that people are aware of the situation at hand.

So it's not just border patrol and customs, it should be expected.

January 21, 2017 7:20 PM

Thoth on Friday Squid Blogging: Know Your Cephalopods:

@Clipper

Not surprising to know that the US Crude and Bold Pirates are thieves who legally steal travelers' belongings to make up for the lesser paycheck.

Also, my usual travel advice is to travel light and expect your stuff to be stolen or yourself to be kidnapped and roughed up. With that in mind, bring as little electronics as possible (especially disposable burner phones).

If you are going to Western countries, bring Chinese made phones and if you are going to Chinese Allied Territories (vassal kingdoms or mainland of People's Communist Imperial China), you should bring phones made by the West (which doesn't really exist in substantial amounts). Use Full Disk Encryption with file level encryption and just for the additional kick, rename all the files and make some fake files.

Do not rely on biometrics but strong passphrases made up of 32 characters (or a MD5 asciified hexstring if you can remember). Travel light and expect personal harm and danger even in "civilized countries" during this time of global strife and disorder.

January 21, 2017 6:58 PM

Clive Robinson on Attributing the DNC Hacks to Russia:

@ MarkH,

Everyone else, as far as I could deduce, was at absolute zero in this domain of knowledge.

Some people have a depth of knowledge, some a breadth of knowledge, few have multidomain knowledge. However the one thing everyone can do is make vague disparaging or critical claims without substantiating them.

Your comment of,

I particularly recall two currents of criticism, which I attempt to summarize:

Can, by inspection of the thread concerned, be seen to be at best meaningless as there were rather more than two sets of concerns raised and in some cases they were detailed as to why they were a concern based on experience in similar safety systems.

At least one comment was based on knowledge of a very very public incident viewed in real time by the greatest percentage of the world's population than any other incident so far. And that was the Apollo XI moon landing (due to rendezvous radar data which repeatedly scheduled a process because of a misconfiguration of the radar switches.)

Further those who design safety system rules --that other designers obey and implement in their systems-- have often spent quite a bit of time finding out why things go wrong and supposed accidents happen. Where a clear technical fault is established it can usually be attributed to domain to domain design oversight. That is, a problem type is known in one domain but is not known about or considered relevant in another domain at design time, where unfortunately it is actually also applicable.

Further designers of safety systems have tended to follow the actuarial approach. Which whilst usually fine in random probability or predictable probability events caused by physical processes, are generally not fine when a malicious actor or other directing mind is involved.

Your comments suggest you are not cognizant of these points which is odd when you say,

I have studied aviation safety for decades, and in consequence have a little-bitty teensy-weensy understanding of how safety-critical systems are analyzed and certified for use in civilian airliners.

Ahhh well, I guess your last word is applicable,

Those who made Authoritative Pronouncements about a realm of engineering completely unknown to them, gave shining examples of Intellectual Arrogance.

January 21, 2017 6:51 PM

r on Friday Squid Blogging: Know Your Cephalopods:

@Java Lava,

RE: Lavabit v. ProtonMail,

Assurance wise, we know within a reasonably quantifiable limit how Lavabit responds to such pressure - where ProtonMail is concerned one cannot consider a lack of visual evidence of their success thus far in the face of what Lavabit went through as even the remotest of respectability.

A lack of evidence of coercion is not evidence at all.

January 21, 2017 6:46 PM

r on Friday Squid Blogging: Know Your Cephalopods:

@Thoth, All

I thank you for your hard work and dedication to your beliefs, no matter what they are.

Life, inter-living - is a WIP.

Thank you.

Even you, criminally minded and privacy invaders: I read and write assembly; I thank you for sharing your exigent code, intentional or not.

I'll C your bet and raise you with some random hex.

January 21, 2017 6:43 PM

JG4 on Friday Squid Blogging: Know Your Cephalopods:
you could do worse than have a visionary for science advisor

David Gelernter, fiercely anti-intellectual computer scientist, is being eyed for Trump’s science adviser
https://www.washingtonpost.com/news/speaking-of-science/wp/2017/01/18/david-gelernter-fiercely-anti-intellectual-computer-scientist-is-being-eyed-for-trumps-science-adviser/

some fascinating history in here

Seer of the mirror world
http://www.economist.com/node/21540383
...
In his book “Mirror Worlds”, published in 1991, he accurately described websites, blogging, virtual reality, streaming video, tablet computers, e-books, search engines and internet telephony. More importantly, he anticipated the consequences all this would have on the nature of social interaction, describing distributed online communities that work just as Facebook and Twitter do today.
...[that probably should be Dr. Kaczynski, not to split hairs]
The publicity around Dr Gelernter's work may explain why Ted Kaczynski, an anti-technology terrorist known as the Unabomber, decided to target him with a letter bomb in 1993. Mr Kaczynski hoped to foment a worldwide revolution against the “industrial-technological system” and sent a series of letter bombs, causing three deaths and many injuries before being arrested in 1996. The letter bomb sent to Dr Gelernter put him in hospital for weeks, required him to undergo extensive surgery and left him with permanent injuries to his right eye and right hand, which he covers with a glove. “Whenever I get to feeling a bit morose and missing my old right hand, I wind up thinking instead how privileged I am to be an academic in computer science,” he wrote to his friends by e-mail after leaving hospital. “In the final analysis one decent typing hand and an intact head is all you really need.”

January 21, 2017 6:37 PM

r on New White House Privacy Report:

@the other white establishment,

We have the right to live in a relatively disease free society: the CDC helps us with that.

We have the right to invest our money in insured institutions: the FDIC is evidence of that.

Society and Government are NP hard, is the reality and gravity of this situation for you?

Being an idealist is one thing, suffering from a casual naivete is another.

That sort of blind eye to your fellow man is generally labeled as being callous.

Are you callous?

The NIST is evidence of our right to generally live a secure and private digital life, does it make sense to you then that that's why we've railed against the disclosures?

Who's going to protect us from Ma Bell now?

There are aspects that are 'corrupt', but not necessarily or necessarily evil.

Who's going to protect my free speech when I ridicule Comcast for price fixing or predatory surcharges?

You?

January 21, 2017 6:30 PM

r on New White House Privacy Report:

@the other white establishment

We have the right to have access to foods free from poison: the FDA is evidence of that.

We have the right to have access to media free from severe forms of 'smut': the FCC is evidence of that.

We have the right to live a life free from criminal mayhem: the FBI is evidence of that.

I can go on all night with this line of thinking can you?

What is it that you want to repeal?

'As much as possible without losing a basic minimum functionality.'

You're a spigot of unthought, you're a thot.

January 21, 2017 6:25 PM

r on New White House Privacy Report:

@the establishment lost, CC: moz, Anura

This:

(by moz, earlier) This is glib and unthinking. The alternative to government is not the freedom the anarchists called for, it is the warlords of middle ages Europe and of today's Somalia. Your narrow minded analysis blinds you to the complexity of different aspects of government both good, evil, selfless and more and more often commercial.

You said:

My idea is to have enough government to avoid anarchy, but not too much government that it becomes totalitarian.

I'll ask you now the same thing I've asked others:

"Where do you draw the line?"

http://www.azlyrics.com/lyrics/deadkennedys/wheredoyadrawtheline.html

How totalitarian is totalitarian?

How unregulated is free?

How unregulated is decent and fair?

Like you said, you and I are likely quite a bit alike - BUT -

Is government evil by default for including people?

Are people evil by default?

These are vantage points that are not completely shared by the rest of society, none of the positions we take up are. When you figure out how to deal with legislating away others' rights let me know.

January 21, 2017 5:57 PM

Thoth on Friday Squid Blogging: Know Your Cephalopods:

@My Info

You can tell @Moderator to set a 500 character limit on all posts if you don't like long posts. Maybe @Moderator and @Bruce Schneier would be happy to save database space.

Buzzword heavy? I am simply stating the mechanisms that Lavabit can utilize when they set up their HSM and gave them a bunch of proper use ideas instead of their poor idea of shredding or destroying their administrator codes and cards.

HSMs are difficult to use and administer for those who have never used one before and they will make a ton of very bad decisions. I simply ease those up by putting some of my experience of deploying HSMs for organisations up here for free which I could have kept quiet or charged for a hefty amount due to the amount of work needed to be proficient at using an HSM.

You talk about building some secure process and high assurance security? Do you have any suggestions or projects or will you be simply copying the works and words that me, @Nick P, @Wael, @Clive Robinson, @ab, @RoberT, @Figureitout, @Markus Ottela and many of us have painstakingly formatted, put together and some of us even have working projects of higher assurance systems. Maybe you can bring something onto the table for some high assurance designs and projects instead of only baseless criticism?

If you do not know much about what an HSM is and simply jump in and call it buzzword and not the internals, please go and ask @Nick P for his link farm on design papers on HSMs or go to Cryptech.is for their Open Source HSM (lower cost than commercial HSMs but still can put a hole in the pocket) and go and use one before criticizing.

I could have kept my mouth shut on all these details on HSMs and how to properly use them from my experience at helping organisations deploy this stuff and let any first timers trip up and most of the time the consequences are pretty nasty. Also this knowledge is usually kept behind closed doors in the industry and most wouldn't come out to talk about it in the open whereas I made the exception to not collect a hefty fee and gave it freely here and did what most of us don't do which is to open the once closed doors on these machines.

Link: https://cryptech.is/

January 21, 2017 5:45 PM

Wael on Attributing the DNC Hacks to Russia:

@Dirk Praet,

Tell them it's an antenna that radiates some brain waves. If only they can receive it to be more intelligent ;)

January 21, 2017 5:22 PM

Dirk Praet on Attributing the DNC Hacks to Russia:

@ Wael

And you couldn't possibly have read @Thoth's mind! He wears the Alkaline heavy duty hat.

The guys at the hockey club never quite understood what that aluminium foil was doing in my helmet.

January 21, 2017 5:10 PM

Dirk Praet on Attributing the DNC Hacks to Russia:

@ MarkH

Re. The Intellectual Arrogance of Geeks, Parts I & II

Mark, excuse me for not being the sharpest knife in the drawer, but what exactly are you getting at and are the Russians somehow responsible for it?

The way I understand this forum is that we are all free to think about and comment on topics our host touches and for which a degree in the subject matter is not a prerequisite. If someone is demonstrably talking out of his/her *ss, then it is perfectly OK to point that out, and preferably in a somewhat civil and substantiated way. That's how a discussion goes forward and how, with a bit of luck, we all gain a better understanding of the topic, the baseline however remaining that everybody is free to voice whatever dissenting opinion unless it is being done in a consistently rude or condescending way.

"When men yield up the privilege of thinking, the last shadow of liberty quits the horizon." - Thomas Paine

January 21, 2017 4:47 PM

Sancho_P on Friday Squid Blogging: Know Your Cephalopods:

@albert

Wait a moment!

While efficiency is valuable, it is the wrong end of the sausage.
Increasing efficiency inevitably leads to more consumption.
This is a sad but longstanding truth [1].
We super technicians accelerate our train to death and no one stops our eagerness, because it can be made into money.

[1]
The principle: https://en.wikipedia.org/wiki/Jevons,_William_Stanley
Some actual facts by Robert Bryce (take care, long excerpt):
http://www.alternet.org/story/84982/if_we_all_started_driving_priuses%2C_we%27d_consume_more_energy_than_ever_before

January 21, 2017 4:43 PM

Ted on New White House Privacy Report:

@My Info

Re: Privacy, Free and Open Source CRM Software Packages, Commercial CRM Offerings, and DBAs

SugarCRM’s general privacy policy states that the data submitted via a purchased or downloaded solution is governed by the applicable SugarCRM agreement, and as required by law. They provide an email to contact their General Counsel with questions, and perhaps that -- along with reviewing the applicable privacy policy -- would be the wisest course of action for securing documented assurances on data usage (especially for the purpose of managing customer data). Microsoft provides an overview of their privacy policy for Microsoft Dynamics' customer data and content via their Trust Center where they also review their security, compliance, and transparency policies.

The FTC has a substantial collection of weekend worthy reading on their legal resources for consumer privacy page, where you can filter and search through relevant cases, reports, staff opinions, and events. Some reports I'd like to read are their Data Broker Industry report, Consumer Privacy Best Practices report, Big Data report, among others.

Because I am now curious, guides on database security best practices. Thoroughly enjoyed reading your links. Thanks for sharing :)
January 21, 2017 4:20 PM

My Info on Friday Squid Blogging: Know Your Cephalopods:

@ Jonathan Wilson & Thoth's long posts

Before we begin, all HSMs are simply tamper resistant hardened machines with more security engineered into them than your normal PC or server. They will still run into glitches, bugs and be subjected to system failure like any other PC or server. There IS NO DAMN SECRET SAUCE except the usual tamper meshes, tamper switches, some custom ASICs or FPGAs with other tamper sensors and sometimes comes with side-channel prevention mechanisms usually in the form of whitebox crypto implemented on the ASICs or FPGAs.

That's like some homeless guy with $1,000,000 cash, bearer bonds, and stock certificates in his pocket trying to sleep in a sheltered corner somewhere rather than on a park bench out in the open. In other words, I'm not buying it. Those posts are too long and buzzword-heavy.

When we have that much cash, let's build ourselves a proper home for our crypto, and keep our secrets secret. Where there's a will, there's a way. I say provably high-assurance security properties for hardware and software, and when I say "provably," I mean free and open source with formal proofs verifiable by an automated proof-checking system. Right now we are struggling to clean the pigeon droppings off our computers, and we don't even have bird netting for security.

January 21, 2017 4:03 PM

Wael on Attributing the DNC Hacks to Russia:

@MarkH,

We're even, now ;)

Focus more on the subject and less on the person. Remember: I've got a sockpuppet with your name on it. And he's more patient than I am. He'll get you ten years from now :-)

January 21, 2017 3:55 PM

Wael on Attributing the DNC Hacks to Russia:

@MarkH,

One more thing:

You complain about this, call it mental arrogance:

Bruce has reminded us many times, that engineers who are perfectly ignorant of cryptography invent worthless ciphers

Then you make a similar assertion:

Those who made Authoritative Pronouncements about a realm of engineering completely unknown to them, gave shining examples of Intellectual Arrogance.

So a statement by your host is unacceptable to you, but when the same statement comes from you, it's ok? Quick! Trade Mark another term for what you just committed!

January 21, 2017 3:32 PM

Wael on Attributing the DNC Hacks to Russia:

@MarkH,

Bruce has reminded us many times, that engineers who are perfectly ignorant of cryptography invent worthless ciphers

Generally speaking, yes and it's backed up by empirical data, too.

Bruce posted about this story, and the comments discussion was memorable.

Yes, this story! and this one

It seemed to me at the time that I was in a distinct position from all of the regular commenters whose thoughts I was reading.

So not only have you read more history books than most of us here have, but you can also read our thoughts. Across vast distances, too. I got news for you: You couldn't possibly have read my mind because I'm wearing state of the art tinfoil gear. And you couldn't possibly have read @Thoth's mind! He wears the Alkaline heavy duty hat.

Everyone else, as far as I could deduce, was at absolute zero in this domain of knowledge.

goddamn! That's a lot worse than 0C! Negative 273C... Isn't that a tad harsh?

This did not in any way discourage them from asserting the two theses summarized above, with utmost authority and certitude.

Happens once in a while. Engage them and educate them.

The Intellectual Arrogance of Geeks, Part II

You should have given a link rather than a paraphrased summary so we can engage in a more meaningful and less bitter discussion. Otherwise you run the risk of being accused of 'Intellectual Cowardice'© Part I.

January 21, 2017 2:33 PM

albert on Friday Squid Blogging: Know Your Cephalopods:

@JG4, VinnyG, et al,

Future energy production needs to be renewable, emission-free, and safe.

More efficient storage systems make wind and solar more practical, and they meet all three criteria. Harnessing ocean tides is being done.

I'm against nuclear. It's not safe, it's very expensive, and it creates huge amounts of hazardous waste. I'd like to see the physicists develop a way to render it innocuous. This would be a great boon to everyone, even if we stopped using nuclear power today.

There are mitigation techniques that we can use right now to reduce our energy consumption. (Given that we can't go off fossil fuels cold-turkey)

0. Increase efficiency of devices already in use. LED lighting will save a fortune in energy costs. VFDs for fan and pump systems often have 1 year paybacks in commercial systems.
1. The US military burns a tremendous amount of diesel and jet fuel. Most is unnecessary waste.
2. Increasing the amount and quality of public transportation.
3. Railroads are a very efficient means of bulk transportation.
4. So are our waterways.
5. Reduce air and truck transport of non-time critical goods. (why do we need everything yesterday?)

Reduce the entrenched 'build there, use here' system of economic development.

I gotta go..
. .. . .. --- ....


January 21, 2017 2:01 PM

MarkH on Attributing the DNC Hacks to Russia:

The Intellectual Arrogance of Geeks, Part II

Not very long ago, we learned that the FBI had interrogated a man who implied (falsely) that he could control a passenger jet by plugging into an ethernet jack on an under-seat passenger entertainment assembly.

Bruce posted about this story, and the comments discussion was memorable.

I particularly recall two currents of criticism, which I attempt to summarize:

1. "If in truth the passenger entertainment systems have a connection to the network of critical avionics flying the aircraft, then the planes' designers are guilty of inexcusable negligence."

2. "I don't care how good those aviation engineers think they are, they lack the Security Mindset™ needed to protect against an active adversary, which we self-proclaimed Security Mavens possess in abundance. Therefore, they can't connect these two networks without endangering the plane."

It seemed to me at the time that I was in a distinct position from all of the regular commenters whose thoughts I was reading. I have studied aviation safety for decades, and in consequence have a little-bitty teensy-weensy understanding of how safety-critical systems are analyzed and certified for use in civilian airliners.

Everyone else, as far as I could deduce, was at absolute zero in this domain of knowledge.

This did not in any way discourage them from asserting the two theses summarized above, with utmost authority and certitude.
____________________________________________

Without getting into the details, I thought it very probable, based on my thumbnail-sized knowledge of the aircraft design and certification process, that both theses were dead wrong.

Interestingly, two or three comments appeared on that discussion by people claiming job-based knowledge of relevant types of airliner systems, who very modestly and politely explained that no, the design of the system absolutely precludes the supposed vulnerability.
____________________________________________

At the time, I was wondering "how do such smart guys get it so completely wrong?" It's the same kind of curiosity that has led me to read extensively on why planes crash.

I came up with two guesses.

First, was the error of extrapolation, which goes something like this: "I've been developing computerized systems since the vacuum tube days, and I know the limits of How These Things Are Done. Within those limits, what those bozos did at Airbus and/or Boeing is damned unsafe."

Given the reality that almost all software is done at quality levels bordering on criminal negligence, resulting in systems which are collections of serious accidents waiting to happen, I can understand people imagining that airliner flight control systems are just as bad. This extrapolation is understandable, but also wrong.

The second error (which interacts strongly with the first) is what I will call meta-ignorance: being ignorant of the dimensions of my ignorance.

Those of us who don't work on civil airliners (and perhaps a few other critical types of systems which are done at comparable levels) may be completely unaware that there is a world of ultra-robust system design, which seeks to account for every credible failure mode. In order to keep the domain of credible failure modes small enough to enumerate, appeal is often made to radical simplicity.

Unexpected as it may seem, an ultra-robust system design can frustrate active attack without getting into the measure-countermeasure "arms race" we are so familiar with in the world of security.

Those who made Authoritative Pronouncements about a realm of engineering completely unknown to them, gave shining examples of Intellectual Arrogance.

January 21, 2017 1:56 PM

A Nonny Bunny on Friday Squid Blogging: Know Your Cephalopods:

This graphic shows the important difference between arms and tentacles.
I don't think it did. It states there's a difference, and shows what number of each some cephalopods have of either. But I still don't know what makes an arm different from a tentacle. But never mind, I'll just google it.

January 21, 2017 12:25 PM

buckaroo on New White House Privacy Report:

BHO spoke "You now have more control over the privacy of your financial information"

This was typical BHO horse manure. What he should have done is criminalize data breaches. At a minimum, fines should have inflicted pain by making them a double-digit percentage of revenues. We should also prosecute corporate officers for allowing such things, but instead we saw Target CEO Gregg Steinhafel walk away with a $61 million golden parachute. Boy, we sure taught him a lesson!

Most of you have not yet been caught by a breach involving your medical data. Let me tell you what will happen: nothing. I was a member of a HIPAA complaint against a medical insurance company. HIPAA is advertised as a serious law with serious consequences for breaches. We received one year's credit monitoring, with the corporation, not to mention corporate officers, suffering no pain. If we had been victims of identity theft, we would have been on our own (I froze my credit to prevent that).

And if the Children's Online Privacy Protection Act was so effective, why didn't BHO take the belt to Google each time it was caught data-mining student emails? Instead his administration operated a revolving door for Google employees, with over 250 of them employed by him.

Not that Trump will be any better.

January 21, 2017 11:36 AM

Java Lava on Friday Squid Blogging: Know Your Cephalopods:

Re: lavabit 2.0

Technical considerations aside the biggest factor that will force me to take a look at their service is their track record. The way they behaved the first time earned a great deal of credibility and trust from me. My one worry about services like ProtonMail and others is what they will do under serious pressure...something that they haven't been tested on yet. Lavabit went through a real world legal stress test and won an A+ from me.

January 21, 2017 11:28 AM

Markus Ottela on Friday Squid Blogging: 1874 Giant Squid Attack:

@Dirk Praet

Unless @Markus Ottela objects, I concur. And both should do whatever is necessary to make sure those names are sufficiently protected against future patent trolls.

I don't mind associating similar tools with TFC. But I think an opportunity to play with words is being missed here when FTP uses two letters of TFC, and even TFTP exists.

January 21, 2017 11:18 AM

Spooky on New White House Privacy Report:

The layers of hypocrisy in this report are simply jarring. It is much too late for this sort of discussion and besides, Snowden beat him to it several years ago. Privacy is already dead. Barack's own people lead large-scale international efforts to kill it, and by most accounts succeeded. For the vast majority of folks who are not technically inclined--roughly, 99.75 percent of the global population--they have no defense against this corrupt collection and collation of their data by corporate and government interests. They will be caught in these nets and they will become potential targets. And lest you feel too smug about that, rest assured that all of you non-cloistered programmers fall within multiple activity graphs of this unprotected population. Anything the spooks want to know probably falls within one or two levels of inference. You will share their fate. But at least you'll have lots of company and for primates that is usually a source of comfort. :-)
Cheers,
Spooky

January 21, 2017 10:44 AM

Anura on New White House Privacy Report:

@the establishment lost

So you take away the one thing in this country that gives individuals power, take away the things that allowed average Americans to be more equal and prosperous, and then give corporations complete control of the government that remains: law enforcement, and military. Yeah, that sure sounds like freedom to me. The corporations can declare war on any country they want, imprison anyone they want, and pretty much enslave the entire population.

Government is not evil - in a world with high inequality, if there's a recession the government is the only entity with the power that the people can use to get themselves out. If you remember anything from the recession, the narrative from the anti-government types is that we need to rely on "job creators" to do stuff for us, because individuals can't do anything for themselves - those are the people you give all the power to in a libertarian government.

In the last few decades, we've done a sliver of what you are asking for - we kept minimum down, made taxes flatter, cut regulations, cut government spending, and the result has been that the economy has weakened and the people are struggling and powerless. The rich capitalize on that, telling people it's all the government's fault when they aren't telling people that the rich are inherently better than them and that's why higher inequality is always better.

You want freedom, you have to stop allowing corporations to control every aspect of our life. Your proposal does exactly the opposite.

January 21, 2017 10:23 AM

kevin on New White House Privacy Report:

@ Alan S

Great cites & links: they were full of rich secondary links.

Thanks for posting.

January 21, 2017 10:11 AM

Rolf Weber on WhatsApp Security Vulnerability:

@Dirk Praet

The post from Nicholas Weaver you linked is great. And I'm very confident not only he but a lot of other smart people did write about man-in-the-middle attacks before I did. I never claimed I found something new. I mean, man-in-the-middle attacks are as old as public key encryption, and that WhatsApp is "vulnerable" (I wouldn't call it a vulnerability because providers like WhatsApp with billions of users have no other chance than to do what WhatsApp does -- WhatsApp is as secure as it can reasonably be) was as obvious as obvious can be.

What's a bit strange is that I posted my article here (and I think this is why Bruce got notice of it), we both discussed it, but back then you objected to my points, not that Weaver wrote something similar before. But anyway.

My point never was that I found a "vulnerability", let alone a new one. Back then and today I argued that governments should introduce something like the Feinstein/Burr proposal, that they should demand from service providers that they are able to "break" their *own* encryption, and that the companies can do this without putting any regular customers at risk.

January 21, 2017 9:33 AM

buckaroo on New White House Privacy Report:

@moz "The alternative to government is not the freedom the anarchists called for, it is the warlords of middle ages Europe and of today's Somalia."

Thanks for noting this. Anarchists and libertarians have an ignorant view of the world, believing that no-government ends up as some kind of panacea. Limited regulations gave us the Gilded Age, great for oligarchs, but really bad for workers and the environment. Somalia is a lawless society for the most part, yet anarchists and libertarians are not moving to their promised land.

Historically speaking, it is curious that the last time anarchists and communists arose en masse was in the 1960s when the Democratic Party ate its own, especially in Chicago in 1968. The time before that was the turn of the century when the Gilded Age was ending.

January 21, 2017 9:24 AM

Nick P on Attributing the DNC Hacks to Russia:

@ MarkH

I disagree with your conclusion. Instead, the people that got in the management positions were there for superior skills or perceived skill in managing people, knowing business, alignment with executives' expectations, etc. They typically have different goals than the IT people. They might not understand IT at all, with most CIOs coming from an operations background. Yet, they tell the IT people how IT needs to happen, what investments are worthwhile, what maintenance shouldn't be done, that security doesn't matter, and so on. The IT people rightly call bullshit on such a situation.

In a well-managed environment, the people running IT understand both the business and IT side of the equation. At least one IT person will be there for evaluating proposals for feasibility. The IT proposals themselves will be about providing business benefit. Some budget exists for security, maintenance, etc. The IT projects will probably succeed more than fail here.

January 21, 2017 9:23 AM

the establishment lost on New White House Privacy Report:

@moz

I am not an anarchist and I do not defend anarchy. You are proposing a false choice here. I am not saying to do away with government altogether, but rather to acknowledge that government is a necessary evil, but evil nonetheless, and act accordingly.

My idea is to have enough government to avoid anarchy, but not so much government that it becomes totalitarian. I think that what we know Obama's NSA ended up doing bordered on totalitarianism when it came to our digital lives. We need to resist that not because Obama was in power but because it was an unwarranted invasion of privacy. So I do not take seriously anything any official associated with the Obama administration says with respect to protecting the privacy of our digital lives. None.

@r

You are preaching to the choir here. Government is made of people, that's why it is inherently evil. Our rights do not come from government but from our Creator, as the US declaration of independence correctly says.

January 21, 2017 9:04 AM

buckaroo on Friday Squid Blogging: Know Your Cephalopods:

@VinnyG

Yes, the U.S. is producing a great deal of oil from fracking, though I'm not convinced it won't cause long-term water woes. But that was not the point of my comment regarding the Strait of Malacca. Many of our allies, especially South Korea and Japan, depend upon oil coming through the Strait. China wants to force them and some other countries in the region into accepting its dominance. China intends to make the South China Sea lakefront property, with all of the geopolitical implications. It's all about oil. The map at the below link illustrates my point.
http://www.eia.gov/todayinenergy/detail.php?id=10671

January 21, 2017 9:00 AM

My Info on New White House Privacy Report:

@Ted

Re: "Consumer Privacy Bill of Rights"

Several free and open source Customer Relationship Management software packages are available, including SugarCRM and OpenCRX.

You will need to employ a database administrator or someone competent in this respect if you do not wish to avail yourself of one of their (or others') commercial CRM offerings, such as Salesforce, Microsoft Dynamics, or even SAP. I do not mean to cast aspersions on any particular vendor, but definitely beware vendor lock-in and vendor theft and misappropriation of your customers' data!

These software suites are where small to medium businesses tend to store their potentially consumer-privacy-violating data. Larger businesses have the personnel and unique requirements to justify developing the necessary software in-house, and they are perfectly competent to avail themselves of standard vanilla commercial and/or open source databases for this purpose.

January 21, 2017 8:48 AM

Wael on Friday Squid Blogging: Know Your Cephalopods:

@Dirk Praet,

The key is transformed from 'data' to a set of code and data; it is also masked and scattered across the binary so that it can't be found in a contiguous memory location. The key, or parts of it, is effectively moved from the data segment to the code segment. This means it is resistant to static analysis (dump the binary and search for the key), and resistant to dynamic analysis (use a debugger and observe memory during execution).

To extract a key or reverse engineer a WBC instance, the adversary needs to possess the required math skills.

Operations that use the key never reconstruct the key; the key is used in its 'WBC key' state.

This was the CliffsNotes version.

January 21, 2017 8:38 AM

JG4 on Friday Squid Blogging: Know Your Cephalopods:
@VinnyG

As solar and wind become cheaper than fossil fuels, OPEC grows weaker. The rub is that there still is not an effective way to power transportation with wind and solar. Electric cars will help, but I don't see lithium-ion displacing diesel in trucks, trains and ships. OPEC's back could be broken with CNG in those applications, and the CNG can be made from coal and renewable hydrogen. It is a crime against humanity to burn coal for electricity. I have much less of a problem with using nuclear or renewable hydrogen to convert coal to CNG. I think that I am on the record suggesting that humans appear not to have the technological sophistication to use nuclear power safely. I'm told that Chernobyl translates into English as wormwood. That made the hair on the back of my neck stand up.

January 21, 2017 8:23 AM

mike on New White House Privacy Report:

Bruce,
I noticed something strange about this file.
As pointed out above the link became dead after the inauguration.
I looked at your site before you added the edit and the new link.
Then I got the file as html from Google cache.

As I read your edit today and saw you offer the file, I googled it again with this search string: 'privacy in our digital lives whitehouse pdf'; your site has disappeared from Google's list.

Could it be Google wishes their copy to be the only one on offer?
Or could it be that parties unknown are removing it?

January 21, 2017 7:29 AM

Dirk Praet on New White House Privacy Report:

@ Slime Mold with Mustard

"How did some guy in London catch that but the primary voters didn't?"

Trump told them what they wanted to hear, and in a way they could understand. Then they saw what they wanted to see.

@ AlanS

"The more pertinent writing by Brandeis on privacy is his blistering assault on government invasion of citizen privacy in 1928's Olmstead dissent."

Where did you find that little gem?

"This isn't a changed rhetoric. It's the same old lip service to privacy rights while doing the opposite."

Given Obama's pretty miserable record on the matter, it is very hard indeed not to read this as anything but painfully hollow words.

January 21, 2017 6:51 AM

VinnyG on Friday Squid Blogging: Know Your Cephalopods:

@buckaroo re Strait of Malacca:
I suspect the US is near the point where domestic shale oil capacity could replace OPEC oil for a longer period than the weakest OPEC states could go without US oil revenue (given the will to increase production and pipeline delivery, and pay somewhat higher prices, of course.)

January 21, 2017 6:35 AM

MarkH on Attributing the DNC Hacks to Russia:

The Intellectual Arrogance of Geeks, Part I

Bruce has reminded us many times that engineers who are perfectly ignorant of cryptography invent worthless ciphers, thinking "I'm a clever engineer, and this isn't so hard." That is intellectual arrogance. But we sophistos who often comment on this blog, of course, know better!
____________________________________________

I assume that many of the "lurkers" here make our livings in technical work and/or academia. Everyone who falls into this category has probably experienced this at least once: a supervisor/administrator/client, with a grotesquely over-simplified concept of our work, casts doubt upon and/or lectures us about it. Someone of abysmal ignorance, lecturing a professional. If you've been through this, you'll know how irritating and sometimes infuriating it can be.

We have invested years of intensive study and practice to develop our various levels of expertise. But a person who knows no more about our work than you could learn from a newspaper, says we are wrong or offers foolish advice. Often they are thinking, "I'm a clever person, I can understand this well enough." That is intellectual arrogance!
____________________________________________

At least half of the engineers I've known (and they have been many, over the years) delighted in making withering critiques of the management of whatever organization they (or we) worked for. Of course, this is easy and fun, because the shortcomings of management are easy for all to see. They think, "I'm a clever person, managing an organization can't be that hard."

But most of them have never even coached a kids' sports team, let alone attempted to lead an institutional effort to accomplish technical or educational results. In my judgment, they have been utterly ignorant of the enormous challenges and pressures on the other side of the desk.

Sometimes I asked them, "if you are so much smarter about how to run an organization, why aren't you running one now?"

They are guilty of intellectual arrogance in the first degree.

January 21, 2017 6:34 AM

VinnyG on New White House Privacy Report:

@Panopticon & AlanS
NTM that Obama surrogate AG Loretta Lynch removed all restrictions on NSA sharing information with the plethora of 3-letter fed police/spy agencies on her way out the door:
http://www.foxnews.com/opinion/2017/01/19/andrew-napolitano-attorney-general-loretta-lynch-and-parting-shot-at-personal-freedom.html
Sadly, I have zero expectation that Trump will roll back any of the instrumentality of oppressive authority put in place by Obama - he will almost certainly build on those elements to create an even worse police state than already exists.

January 21, 2017 6:26 AM

moz on New White House Privacy Report:

@The establishment lost

Bruce posted on his blog that he's disappointed Hillary lost. You are hardly pushing news on us.

"us who understand that government is evil"

This is glib and unthinking. The alternative to government is not the freedom the anarchists called for, it is the warlords of middle ages Europe and of today's Somalia. Your narrow-minded analysis blinds you to the complexity of different aspects of government, both good, evil, selfless and more and more often commercial.

"the above report, coming from the most privacy violating administration in US history, cannot be taken as anything other than a practical joke"

Except that, as my earlier post shows, you've missed the point and this probably isn't a joke. It's probably a memetic weapon in the war against privacy. The US Government is doing this because US commercial interests want support so they can override privacy and get access to EU data.

Perhaps Bruce knows or has reason to believe differently? It would be interesting to hear. If you have evidence that Bruce, who as the author of Applied Cryptography and the original Password Safe took noticeable legal risks for your privacy, has gone over to the other side and is somehow pushing this report for bad reasons, that would be interesting. As it is you are all talk and no evidence.

January 21, 2017 6:16 AM

r on New White House Privacy Report:

@Wael,

Sometimes you have to break things down in ways the person you're speaking to would understand. ;-)

January 21, 2017 6:14 AM

Thoth on Friday Squid Blogging: Know Your Cephalopods:

@all

re: Lavabit 2.0 Part 3

Also, to prevent an SO or Admin user quorum from being subjected to a "black bag job", asking famous security celebrities like @Bruce Schneier, DJB or Matthew Green to be part of the custodian quorum would make kidnapping or coercing these academic celebrities a very risky job to do just for their quorum, besides using geographical and jurisdictional splitting of the key quorums.

January 21, 2017 5:41 AM

r on New White House Privacy Report:

@65535,

My recent comments about strategic lying aside, Rolf Weber's premonition betrays the pitchforks we've taken up against the NSA ever so slightly. It might explain why the repeal process was never started once Obama came into office, and it may betray some other practices in ways that alleviate certain concerns. Considering Trump's stance against the MSM, it could very well be that many of our objections are due to spin and only a partial view of the subject in question, brother.

We still have a long way to go.

January 21, 2017 5:36 AM

r on New White House Privacy Report:

The kid was 50 feet from me and another old schooler, hopefully he learns from his experience and I'm deeply gratified that no one was hurt.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.