Recent Comments


Note: new comments may take a few minutes to appear on this page.

September 23, 2017 2:56 PM

Clive Robinson on ISO Rejects NSA Encryption Algorithms:

@ Bob,

I think your statement might be overstated given what modulus add and sub is, but I would have to look at it

It's simple binary math,

0+0=0, 0x0=0
0+1=1, 0x1=1
1+0=1, 1x0=1
1+1=0, 1x1=0

ADD and SUB are the same function (+), the only difference is that you invert one input and in 2's complement you add a 1 into the carry bit which turns double inverts the LSBit output which is back into the XOR again.

It's something most assembler level programmers are aware of, C and above high level language programmers...

Read More →

September 23, 2017 2:44 PM

Wael on Bluetooth Vulnerabilities:

@Spine Milligna,

Gave me a hearty chuckle to see Clive join the typo police!

+1

But to be honest with you, it wasn't a typo! I freakin clicked 'P' on purpose thinking that's the right word. I don't know what I was thinking...

Oh speaking of dishes eaten cold

The dish came warm to me. Plans cancelled :)

September 23, 2017 2:42 PM

Bob on ISO Rejects NSA Encryption Algorithms:

@Clive
Are you mostly talking Simon? Yeah, my bad, no mod there. I dunno. I don't do chip.

They said they could put it on an 8-bit AVR chip. It would be good for comm crypto. Imagine being able to distribute a table of keys representing channels, say up to 100 channels. In the field, switch to whatever whenever. Redo the channel keys all of the time, back at base. Maybe they want this for NATO and need ISO for whatever legal reason. Language standardization for specification. I don't pay attention enough. Don't care except for Speck.

September 23, 2017 1:47 PM

Spine Milligna on Bluetooth Vulnerabilities:

Well maybe you should try "The Buccaneer" approach as a "hearty Swab" not an international plane swapper.

Gave me a hearty chuckle to see Clive join the typo police!

September 23, 2017 1:34 PM

Bob on ISO Rejects NSA Encryption Algorithms:

@Clive
"The ADD function used in Speck, the least significant bit of the ADD function is directly equivalent to the XOR function of the two LSBits."

This is messed up. Have they released code for Speck? I have several papers, been studying it, but no code. The whitepaper never explained how data horizontally propagates beyond two word channels. I think your statement might be overstated given what modulus add and sub is, but I would have to look at it. A link to this finding would be helpful if you or someone documented this.

I think most primitive operations are...

Read More →

September 23, 2017 11:27 AM

vas pup on ISO Rejects NSA Encryption Algorithms:

@Edward Morbius:
"Trust is an extension of what is known into what is not directly supported. It is not the same as blind faith, that is, belief in the opposition of evidence, but trust is faith in the absence of direct evidence. The presence of trust lets you skip a lot of work, much of it quite costly in terms of real resources."
Very good point!
Regarding trusting US or any other government. Any government have multiple goals, but ALL of them has in that list self preservation as one of the primary goal (elected officials more concern about reelection, not real needs...

Read More →

September 23, 2017 10:53 AM

Nick P on Friday Squid Blogging: Using Squid Ink to Detect Gum Disease:

@ All

Thermal, Side Channel via Air Conditioner

I gave Clive credit elsewhere as always for predicting most of this stuff with his matter/energy, root-cause analysis. Also the need to energy gap. I added that the shielded rooms couldn't even have toilets due to the water and pipes propagating signals. They can't have wireless devices such as cellphones due to the radio waves causing secrets to leak. Now, the poor bastards occupying secure rooms have to go without...

Read More →

September 23, 2017 9:01 AM

Clive Robinson on Friday Squid Blogging: Using Squid Ink to Detect Gum Disease:

@ GregW,

... couldn't the person move their head around the room(+nearby areas?) to map out the boundaries of the signal...

Yes and no.

If the signal persists after they move then yes. But... if the signal is under the control of an observer --as would be the case with a covert weapon-- then no, because the observer would either redirect it or turn it off.

September 23, 2017 8:53 AM

Clive Robinson on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

@ tyr,

I'm not sure what you mean by Germany being close to Russia.

Trade and the resulting economics.

To Germany, Russia is a significant market for their manufactured goods (especially industrial/manufacturing plant/services).

To Russia, Germany is a significant market for their raw resources exports and thus major source of foreign currency.

As for Poland both Germany and Russia see it as a problem for various religious and political reasons, which I'll let others look up as that is a conversation I'm defiantly not going to get...

Read More →

September 23, 2017 8:04 AM

Clive Robinson on ISO Rejects NSA Encryption Algorithms:

@ Bob,

The point of ARX is a new vector on minimalist design.

Yes and it's got problems... The ADD function used in Speck, the least significant bit of the ADD function is directly equivalent to the XOR function of the two LSBits. Which means in Speck the least significant bits on both halves are just XORed all the way through the rounds, with just shifted versions of the halves. You can if you redraw this show it up as the equivalent of a cascade of LFSR generators which have aditional nonlinear outputs. Such N/LSFR generators have been the speciality of...

Read More →

September 23, 2017 7:57 AM

GregW on Friday Squid Blogging: Using Squid Ink to Detect Gum Disease:

Re: Cuba sonic(?) phenomena

Random thought...

If the physically felt behavior was for some so spatially defined that the phenomena stopped when they got off their bed, couldn't the person move their head around the room(+nearby areas?) to map out the boundaries of the signal in such a way that the origin of the emitter was revealed?

September 23, 2017 7:35 AM

Ergo Sum on Friday Squid Blogging: Using Squid Ink to Detect Gum Disease:

@Anders..

Latest Finfisher

Quote from the referenced link:

We discovered these latest FinFisher variants in seven countries; unfortunately, we cannot name them so as not to put anyone in danger.
So, how do we know if one of the countries is not the US? For that matter, how do we know that the FinFisher just had not been "discovered" in the US? And if the ISPs in the US already support FinFisher for LEOs, how do we know that a foreign state actor do not use this "feature" for their surveillance needs?...

Read More →

September 23, 2017 5:31 AM

r on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

@all,

https://it.slashdot.org/story/17/09/22/2131211/adobe-security-team-accidentally-posts-private-pgp-key-on-blog

Incase you missed out.

@MarkH,

Okayokay, anyways my point was more of lets blame less the group where the initiators are concerned and spend more energy on the individuals who caused it. Have you seen my local democrats? Neither side is without fault. I do, appreciate your sympathy n concern brother thanks.

Ps,...

Read More →

September 23, 2017 5:05 AM

Daniel Azuelos on ISO Rejects NSA Encryption Algorithms:

John Campbell • September 22, 2017 1:28 PM

The algorithms derived from the mathematics don't have to be back-doored if there's something subtle in the mathematics that provides an implicit "weak" path.
[...]


Just imagine the model of public key cryptography transposed to published cryptographic algorithms.
A public source cryptographic algorithm
    Apublic()
could have been conceived as the public part of a more complex cryptosystem. The private pending part of this cryptosystem
...

Read More →

September 23, 2017 2:04 AM

tyr on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:


@Clive

As I read the Catalan situation someone has
noticed that EU bureaucrats hate democracy
(populations meddling in the governance).
That led to making a public issue of it
and the typical knee jerk you'd expect from
a bunch with fascisti roots.

I'm not sure what you mean by Germany being
close to Russia. There's a substantial no mans
land called Poland they have fought over many
times between them.

Northerners are more eager because they freeze
if they stop moving. Southerners on the other
hand...

Read More →

September 23, 2017 1:40 AM

politics are strange or people are strange (Doors) on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

Regarding the upcoming German election:

"Election-watchers expected a flood of fake news and inflammatory social media aiding Alternative for Germany, known by its German initials, AfD, to come from Russia. But one of the major publishers of online content friendly to the far-right party is an American website financed in large part and lead by Jewish philanthropist Nina Rosenwald."

Sound like Mercers, Cambridge Analytica, etc., and Brexit?...

Read More →

September 23, 2017 12:18 AM

Spooky on Friday Squid Blogging: Using Squid Ink to Detect Gum Disease:

Another exploitable breach reported for Intel ME (RCE by Mark Ermolov and others):

Intel ME 11.x (Skylake) Arbitrary Code Execution

As more time passes, it is not hard to see why ME was universally panned here for years; if this exploit turns out to be easily repackaged for malware, millions of others are going reach the same understanding albeit through a far more traumatic and costly process. The price of ignorance...

Read More →

September 22, 2017 11:58 PM

Nick P on ISO Rejects NSA Encryption Algorithms:

@ Who?

" "Evidence of correctness to meet a particular set of government requirements" does not really mean anything,"

Surviving two to five years of NSA pentesting and 10+ years of field use without a single, reported hack certainly means *something*. Meanwhile, OpenBSD has piles of bugs they fix with a recent round of vulnerabilities that are related to C language. They also conveniently just call most reported problems bugs instead of vulnerabilities since nobody evaluates whether the mitigations could be broken. I gotta a draft on that...

Read More →

September 22, 2017 10:29 PM

0xBB on Boston Red Sox Caught Using Technology to Steal Signs:

The rules about what sorts of sign stealing are allowed and what sorts are not are arbitrary and unenforceable. My guess is that the only reason there aren't more complaints is because everyone does it.

And it really doesn't help their game, either, because everyone knows everyone else does it. It's just that when people bring that weird high-tech stuff into a professional baseball game, it's far more likely that someone is betting money on the outcome of the game, and hedging their bets on the field, so the teams with the aforementioned technology are not even...

Read More →

September 22, 2017 8:19 PM

Clive Robinson on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

@ MarkH, r,

Are you seriously suggesting that there is not a systematic difference between the way the two parties allocate public funds for low-income Americans?

I think that the pair of you are talking about a large problem from different angles / view points. Neither of you is wrong in what you see and both views explain what you see of the problem.

It's like the tale of the three blind men describing an elephant. One touches the tail and declares the elephant to be like a rope, another touches a leg and says the elephant is like a trunk of a...

Read More →

September 22, 2017 8:03 PM

Bob on ISO Rejects NSA Encryption Algorithms:

Any day of the week, I would say burn down the State Dept. and solve half of this country's problems. I would also say fail by default until you like what you see.

However, cryptanalysis knowledge is required here. I actually appreciate the Speck documentation and proofing. I find ARX algorithms novel and 'next-step'. I would even go as far as saying if there is any math proofing that is readable, it would be the Speck/Simon team document. ARX is at least approachable for anyone to study.

@Clive
Yes we do. We need a combinational logic worth of algorithm options....

Read More →

September 22, 2017 7:18 PM

Esteban on Boston Red Sox Caught Using Technology to Steal Signs:

Sign stealing is against the rules, UNLESS you're a runner on second base and can see the catcher's hand signals. Then you can steal signs. All other sign stealing is not allowed.

Read the MLB rules before you post.

September 22, 2017 6:35 PM

MarkH on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

@Clive, who wrote:

"Analysis from voting patterns indicates the stronger exit sentiment where immigration and 'foreigners' was lowest. Remain votes were higher where immigration was high."

Polling indicates exactly the same pattern in the US.

Likewise, about four decades ago when violent crime incidence was miserably high in the US, there was a strong negative correlation: fear of crime was greatest where crime was least.

Democracy's design flaw, is the appalling tendency of most to substitute emotion for knowledge and reason.

September 22, 2017 6:24 PM

Clive Robinson on Bluetooth Vulnerabilities:

@ Wael,

In the days of Buccaneers the ships were wood and sail, the major activity of the unskilled or those needed only to man the guns and sails was a form of makework such as "swabing the decks" with the likes of holy stones and buckets of salt water.

A "hearty swab" was one settled into the existence and possesed of a cheerful disposition.

Oh speaking of dishes eaten cold remember "not to count your chickens..." otherwise you may aquire to large a coop.

September 22, 2017 6:12 PM

Clive Robinson on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

@ MarkH,

However, to assert that the country of Blovenia is populated by the industrious Monoliths and the lazy, parasitic Neoliths is to go far beyond the frontier of ethnic bigotry.

It's not my view point but one frequently expressed by those in the north.

The real issue if you want the history of the view point is, as a general rule of thumb in the northern hemisphere agriculture is to the south of a country or group of countries due to the increased light and warmth. This pushes industrial usage of land north wards. However the amount of...

Read More →

September 22, 2017 5:24 PM

MarkH on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

@r:

You're right. I'm from far-away Calhoun County Michigan, more than 100 miles as the crow flies.

Are you seriously suggesting that there is not a systematic difference between the way the two parties allocate public funds for low-income Americans?

Really????

Seriously?!?!?!?!?!?
______________________________________________

Well, the Constitution guarantees your right to believe whatever you want.

September 22, 2017 5:13 PM

r on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

@MarkH,

Never attribute to malice what one can merely accomplish with incompetence.

You're not from around here, 40% of "Genesee county" (roughly) can't read beyond a 4th grade level and you want tho blame a political party when the great simplification amply falls on 'government' itself regardless of party? Sell me another line about who is failing when NOBODY steps up.

September 22, 2017 4:56 PM

Changes to the 100 latest comments on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

On one hand we could all be more concise; on the other hand ...

Two things:

If you load 100 latest comments in your browser and then are away from the internet while reading them then you can't read "More -->" until you are back on the internet, of course.

Second, for those counting ISP bytes, "More -->" might be costly, depending, of course, on the length of the respective thread.

September 22, 2017 4:37 PM

Fred P on Boston Red Sox Caught Using Technology to Steal Signs:

Erm... so the problem is that the communications between the pitcher and catcher isn't encrypted sufficiently, allowing onlookers to intercept their communications.

Why don't they just either encrypt/decrypt their signs, or at least have an encoding that changes over time, reducing the use of eavesdropping?

Alternatively, give the pitcher and catcher some means of secure communication as part of their standard outfit.

September 22, 2017 4:16 PM

Wael on ISO Rejects NSA Encryption Algorithms:

@Clive Robinson,

Do you know what's happening with TrustedBSD?

Never installed it. I only followed it once in a while as I was aware things eventually were merged with FreeBSD. Who knows, may be they reached their goal and achieved trust?

So don't be to hard on the OpenBSD folks, they are doing a lot beter than many, even though it may not be optimal for your situation.

I don't understand those who complain about whatever operating system. It would be more productive to specify what an acceptable operating system looks...

Read More →

September 22, 2017 4:11 PM

Wael on Bluetooth Vulnerabilities:

@Clive Robinson,

But I guess you must have been realy tired as you missed both ;-)

Oh, no! I got the first one. The second one... I still don't get.

I trust that where ever you have landed you've had the chance to "re-coop"

I landed where I started - one day trip. No plans hatched yet. Plans are a dish best eaten cold ;)

September 22, 2017 3:51 PM

Clive Robinson on Bluetooth Vulnerabilities:

@ Wael,

I meant "swab" not "swap"

I know hence the left-right joke, and it your tired brain missed that then the Buccaneer joke about a "hearty swab".

But I guess you must have been realy tired as you missed both ;-)

I trust that where ever you have landed you've had the chance to "re-coop" by the time you read this, and have hatched "a cunning plan".

September 22, 2017 3:43 PM

Clive Robinson on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

@ JG4,

Your posting, has revealed a failing to the changes in the 100 Latest Comments page.

It cuts a page down to about the first couple of paragraphs. Which means if you reply to two or more people with diferent sections for each in the same post the second and subsequent persons names do not get displayed and thus cannot be seen or searched for. Thus may get missed, by people like me who do not read individual thteads, unless they are the current days thread.

A case of "unintended consequences".

September 22, 2017 3:43 PM

albert on Boston Red Sox Caught Using Technology to Steal Signs:

That's the difference between a game and a business. Sports and music are the only professions I know that your work is 'play'; you play music and you play ball.

I really liked baseball as a kid, but now it's ridiculous. Any sport that relies on decency, respect and honesty is going to fail in all those areas. Abuse of technology makes cheating 'better', faster, and cheaper. Remember steroids? Might as well throw away the record books; they're meaningless now.

You guys are missing the point. Sign stealing is not illegal. Why not eliminate cameras that show the...

Read More →

September 22, 2017 3:26 PM

MarkH on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

@Clive:

Delving into tensions within a state is one thing. I pretty roundly disagree with your perspective, but don't object to your taking up the topic here.

However, to assert that the country of Blovenia is populated by the industrious Monoliths and the lazy, parasitic Neoliths is to go far beyond the frontier of ethnic bigotry.

Even if there are data justifying such characterizations ON AVERAGE, they are nonetheless hazardous. This kind of framing implicitly imputes to individuals some quality (or lack of quality) due to their involuntary membership in a...

Read More →

September 22, 2017 3:01 PM

MarkH on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

@r:

I don't get the flintstone reference ... unless you mean old-fashioned (traditional). Anyway, I too love my country and countrymen.

I referenced a political party, which I almost never do on this blog, for a damn good reason.

In our crazy two-party system, one of the two has, since 1980, consistently adhered to a policy of comforting the comfortable, and afflicting the afflicted. Though they don't always say it so plainly, a majority of them believe that poor people are poor because they are defective in morals and character. Accordingly, their suffering is...

Read More →

September 22, 2017 2:51 PM

Ninja on Boston Red Sox Caught Using Technology to Steal Signs:

The players could use electronic devices to talk among themselves as well. Just allow electronic devices as long as it's not direct eavesdropping the opponent with them and issue heavy penalties if the team is caught doing it.

September 22, 2017 2:37 PM

Clive Robinson on ISO Rejects NSA Encryption Algorithms:

@ Wael,

Do you know what's happening with TrustedBSD?

They had Open BSM in alpha back in Dec16 and then they appeared to just vanish of the face of the planet. I did wonder if the DARPA / NSA / Intel funding dried up or something else happened.

September 22, 2017 2:08 PM

Clive Robinson on ISO Rejects NSA Encryption Algorithms:

@ Who?, Nick P, Scott, Wael,

but it would be nice if OpenBSD listens to the community.

There are a couple of problems with listening to "the many voices" in a community, especially a large one.

Firstly is the "You can please some of the people some of the time" but "you can never please all of the people all of the time". So at some point you are going to be upsetting people.

Secondly is the "Stool leg problem", a free standing stool/seat is not stable with one leg, only stable in one direction with two legs, but about as stable as it's...

Read More →

September 22, 2017 1:28 PM

John Campbell on ISO Rejects NSA Encryption Algorithms:

The algorithms derived from the mathematics don't have to be back-doored if there's something subtle in the mathematics that provides an implicit "weak" path.

There are already examples of NSA manipulating the "curves" used for key processing.

The NSA is there to protect the Nation, not its Citizens. We've reached the point we cannot trust the Nation to protect the interests of its Citizens.

September 22, 2017 12:22 PM

Who? on ISO Rejects NSA Encryption Algorithms:

@ Nick P, Scott

OpenBSD lacks some useful features like kernel MAC and filesystem ACLs, sometimes as a consequence of lack of manpower, other because they just ignore the community (not only theirs, but other security-conscious communities also). It turns OpenBSD into an operating system that sometimes misses valuable security features or provides half-baked solutions.

However, the fact is that even with these weaknesses OpenBSD remains as the most secure general purpose operating system available right now. "Evidence of correctness to meet a particular set of government...

Read More →

September 22, 2017 11:04 AM

Daniel on Apple's FaceID:

Apple has been the leading major corporation in promoting user privacy and security in recent years, and I concur with Bruce’s assessment that they probably aren’t building a database of user facial patterns (or fingerprints). However, this technology is still ripe for abuse insofar as even if Apple has good intentions, it can be coerced into using it for oppressive or Orwellian purposes by nation-state actors all over the world: China, Russia, the US, the EU or elsewhere.

So long as the source code is closed, we can’t know what Apple is doing (or is being forced to do). I...

Read More →

September 22, 2017 10:53 AM

Nick P on ISO Rejects NSA Encryption Algorithms:

@ Scott

The reason OpenBSD can't make the list is right in the opening paragraphs:

"an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements. The most common set of criteria for trusted operating system design is the Common Criteria combined with the Security Functional Requirements (SFRs) for Labeled Security Protection Profile (LSPP) and mandatory access control (MAC)."

OpenBSD folks are opposed to mandatory access controls. Probably a lot of other things in the...

Read More →

September 22, 2017 9:57 AM

Catherine on Boston Red Sox Caught Using Technology to Steal Signs:

@Chelloveck: I wasn't going to be crude in my above post, but playing in the nude could be circumvented by remote-controlled vibrators. However, I feel that anyone dedicated enough to go to those lengths deserves to get away with it.

(At this point, signal jamming is probably the only feasible option for enforcing the rule - but it would likely affect the stands as well, and spectators would not like that. )

September 22, 2017 9:34 AM

Catherine on Boston Red Sox Caught Using Technology to Steal Signs:

Predefined signals could be sent using the vibration function on a wearable device. That would be virtually undetectable to outside observers. However, it would be much harder to train players to learn the signals by heart and interpret them in real time.

September 22, 2017 8:56 AM

Clive Robinson on Boston Red Sox Caught Using Technology to Steal Signs:

@ Bruce,

Caught Using Technology to Steal Signs

It's very emotive language whicdkh is used in thue article.

Would it be as interesting if it was,

    Found Using Technology to Read Hand signals

Caught and Stealing imply some kind of crime was committed, rather than ignoring an arbitary and largely usless rule, mainly ment to placate spectators.

If anything it improves the skill of the game players as it removes "hidden knowledge".

I guess the easiest thing to do is just ban the hand signals or equivalent.

September 22, 2017 8:47 AM

Clive Robinson on Boston Red Sox Caught Using Technology to Steal Signs:

@ JP,

It would be much simpler to solve the issue by authorizing the use of electronic devices. Then it would be up to each team to create strategies to foil their adversaries.

Ever watch Futurerama?

Some of the story lines involve the Robot baseball league and human sporting, events where performance enhancing drugs are compulsory. The reasons, to make the games more interesting for spectators and advertisers...

As a French king once scratched on a window, "The more things change, the more they stay the same".

September 22, 2017 8:15 AM

225 on Boston Red Sox Caught Using Technology to Steal Signs:

This is such a nicer way to cheat compared to baseball players being juiced to the gills. At least here they can throw fake signals, encode their gestures differently. It should be a cat and mouse evolution which is part of the game.

September 22, 2017 8:07 AM

JG4 on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:


Bruce has given clear indications, e.g., by posting "Murder is a recent evolutionary strategy", that origins of the need for computer security are within the bounds of acceptable discourse. it's a short step from murder to why we need trust, whether it is in hardware, firmware, software, systems, people, courts, legislation, etc. if it can be shown that trust is misplaced, the entire structure is in danger of collapse. a point well made by John Boyd and the reason that I am moving to Switzerland. the gateway drug for John Boyd literature is the movie The Pentagon Wars. today...

Read More →

September 22, 2017 7:58 AM

Scott on ISO Rejects NSA Encryption Algorithms:

@Nice P, thanks, re. SELinux! Maybe I should read up on this topic, I'm by no means expert on it.

Meanwhile, I've found this link to my interest: https://en.m.wikipedia.org/wiki/Trusted_operating_system which gives Trusted OS credentials to popular desktop operating systems, giving each one various points on a scale (the trust level), including Windows, OS X, and some Linux distributions, even without the SELinux extension. A notable omission from Examples of operating systems that might be certifiable is...

Read More →

September 22, 2017 7:48 AM

Clive Robinson on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

There is a BBC "business" news item on network security and IoT devices,

http://www.bbc.co.uk/news/business-41252203

Whilst many readers here may know some or all of it, it's a short reasonably well written piece you could put under the nose of less ICT savey managers etc for them to get a feel for the problem in a non "sales blurb" manner.

However one thing all should note is that in essence it's about behavioral signiture analysis. That is "known" network devices have "known capabilities" a subset of which...

Read More →

September 22, 2017 7:32 AM

JP on Boston Red Sox Caught Using Technology to Steal Signs:

It would be much simpler to solve the issue by authorizing the use of electronic devices. Then it would be up to each team to create strategies to foil their adversaries.

The one problem I'd have with this solution is if it's done in a way that is cost-prohibitive for smaller teams to have devices that bigger teams can easily spend money on or they have to resign themselves to use very inferior products thus being at a handicap against wealthier opponents.

September 22, 2017 7:30 AM

Clive Robinson on ISO Rejects NSA Encryption Algorithms:

@ ShavedMyWhiskers,

Doing independent homework on this stuff is hard.

Maybe, maybe not, it depends on what you want to get out of it (See history of FEAL if you want to see what might happen).

The round structure is very simple and is also amenable to "small scale modeling" to "get a feel"

For instance the "AND" function of two rotated copies of one input reduces down to an AND function of an integer and a rotated copy. Which means it would be quick and easy even using Python to write an eight or sixteen bit counter, and perform a rotation...

Read More →

September 22, 2017 7:04 AM

Wael on Bluetooth Vulnerabilities:

@Clive Robinson,

Was that "left for right" or with another person...

I meant "swab" not "swap". Both hands. Told ya: the brain stopped working.

September 22, 2017 7:01 AM

Sidelobe on Apple's FaceID:

It occurs to me that Face ID will be excellent for those who prop up their phone on the dashboard of their car while they drive. They won’t need to set the phone to never lock, and the device will stay unlocked while they are alert and driving. But the phone will still lock automatically when they’re no longer in front of it. This is a similar advantage to those who keep their phone on their desk, as evidenced by the issue at the podium. And, if a proper link can be made between the phone and other desktop equipment, the abilities of auto lock / unlock go way up.

September 22, 2017 7:01 AM

Wael on A Really Good Article on How Easy it Is to Crack Passwords:

@Clive Robinson,

But there is also the fun side of recursion involved,

Turtles all the way down, as you always say. Or the "lesser-flea" problem...

"Is it password managers all the way down" or do you commit the ultimate "Post-it note" sin ;-)

I write them down on a file on some devices. They are "hand-obfuscated", so they're meaningless to others. I can't commit 20+ passwords to memory, some of which change periodically because of policy enforcements.

September 22, 2017 6:58 AM

AFAIK on Apple's FaceID:

Balance.... There are soooooo many other fundamental components of mobile that need rethinking; face rec is 'adequate' for most mobile uses. I&A is the easy part.

Excellent blog, Bruce. It's a tiny island in an ocean of ignorance and confusion. Thank you.

September 22, 2017 6:28 AM

ShavedMyWhiskers on ISO Rejects NSA Encryption Algorithms:

Now the challenge is to discover the issue with
Speck and Simon.

Sadly in the convoluted logic of this world this rejection might be a manipulation because these methods are too good.

Doing independent homework on this stuff is hard.

One bit of homework should be “Programming Pearls”
If nothing else it shows that an insight turns hard into easy.

Unroll your education... algebra and calculus are full of insights
and some ar fun to mispronounce so much fun that you might be in the “hospital”.

September 22, 2017 5:38 AM

Clive Robinson on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

@ Ratio,

It is about security both short term and in the longer term in Europe, which can be regarded as a state of some 600million individuals with a networth considerably greater than nations that consider themselves "Super Powers".

I have not treated it as "political" in that I've indicated actions not individuals of political parties or the parties themselves or their espoused policies. I've also generalised expressed opinions of journalists and other commentators.

As has been pointed out the ISO OSI seven layer model is realy a subset of the more general...

Read More →

September 22, 2017 5:37 AM

r on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

@MarkH,

I am a 'flintstone', I love both my country and my countrymen (and women). Despite the truth behind your statement I still don't think your direct attribution of 'republican' to be fair. While i may from time to time utter the phrase 'repugnican' may we keep that staple limited to 'corrupt' or 'self serving'? We have many many many 'good' and well intended republicans both in my state and local vicinity thank you.

September 22, 2017 4:43 AM

Clive Robinson on ISO Rejects NSA Encryption Algorithms:

@ Edward Morbius,

This is equally terrifying and fascinating.

The NSA got only a fraction of what they diserved with the reputational hit.

As has been pointed out many times in business "New customers are hard to find, but that is easy compared to getting a scorned customer back once they have left". It was the primary thinking behind "The customer is right" that led in turn to "The Customer is King".

The problem the voting citizens have with the IC is that they do not use the IC's services even third hand so can not "Send a Message" by...

Read More →

September 22, 2017 4:01 AM

Clive Robinson on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

Election interference in Europe

As many may know in a few days Germany goes to the polls and journalists are expecting there to be quite right wing parties gaining seats.

Further due to Germany being close to Russian there are also questions being raised about potential interferance.

But hiding away behind this is what the Spanish Government is upto, which is redolant of what you would expect in a democracy turning into a Police State, and has raised the issue of it being

    unacceptable for there to be political prisoners in a European...

Read More →

September 22, 2017 3:57 AM

Edward Morbius on ISO Rejects NSA Encryption Algorithms:

Looking through the tagset, and discussion, on this article, I'm surprised to see that Bruce doesn't seem to have either "trust" or "reputation" among these ... though both do turn up in tag searchs. I'd suggest adding those to this article.

The question of identity, authentication, signifiers, and what we mean when we talk about "identity" has been on my mind a lot.

As to the value of trust, David Gerard (author of The Attack of the 50-Foot Blockchain) nailed this in a recent Financial Times interview. Paraphrasing from...

Read More →

September 22, 2017 3:03 AM

Clive Robinson on A Really Good Article on How Easy it Is to Crack Passwords:

@ Wael,

forgot how many times...

I'm reminded about the old saying of "To err is human" with the rider of "But it takes a Computer to really f4€# up".

There would be something quite ironic about a computer based password manager forgetting the passwords.

But there is also the fun side of recursion involved, you use a password manager to avoid remembering increasingly complex and unrememberable passwords. But because of security the password manager should be password protected, which should be as secure as possible, thus will be equally...

Read More →

September 22, 2017 2:44 AM

Clive Robinson on Bluetooth Vulnerabilities:

@ Wael,

Wasn't too bad... only a swap of the hands

Was that "left for right" or with another person...

I've never regarded major surgery as "Wasn't too bad" ;-)

The brain isn't working at the moment.

Well maybe you should try "The Buccaneer" approach as a "hearty Swab" not an international plane swapper.

September 22, 2017 2:02 AM

Wael on Bluetooth Vulnerabilities:

@Clive Robinson,

Your thoughts so far?

The brain isn't working at the moment.

September 22, 2017 1:52 AM

Clive Robinson on A Really Good Article on How Easy it Is to Crack Passwords:

@ Thrawn,

As the number of words gets higher, the number of combinations grows exponentially.

Whilst the number of combinations does go up another problem starts occuring... The failings of the human mind brings it down again...

If I give you six words at random the chances of you remembering them let alone their order is quite small.

To do it most memory techniques recommend you "build a story" around the words, or a sentance.

The average human mind will still have problems, thus people without knowing the effect on security --or...

Read More →

September 22, 2017 1:49 AM

Wael on Bluetooth Vulnerabilities:

@Clive Robinson,

as I have an early free massage appointment session at the airport.

So I have a Globlal Travel card; the international version of TSA Pre Check. And wouldn't you know! I got "randomly" selected for "additional checks". Wasn't too bad... only a swap of the hands for residuals and traces of interesting materials... No massage today.

@Rachel,

if [...] sings a song

I tried this one, but got stuck on the first line...

On the day I was sworn, the curses all lathered ‘bound

Pick a...

Read More →

September 22, 2017 1:32 AM

Wael on Apple's FaceID:

@Bruce Schneier,

I am not planning on enabling it just yet.

Then your only option is to use a passcode. I believe FaceID is more robust than TouchID.

September 22, 2017 12:26 AM

Edward Morbius on Friday Squid Blogging: Another Giant Squid Caught off the Coast of Kerry:

I'm looking for measures of quantified privacy, part of which requires a robust definition of privacy. There are some useful web and research results, but nothing particularly clear. Most of the references are overly specific to my interests -- they concern statistical methods or quantified metrics specific to a particular data store, not a more general, social/cultural...

Read More →

September 21, 2017 11:41 PM

Jared Hall on Securing a Raspberry Pi:

TJ: Hah! "No guide can fix laziness.."

There should be a book about that. "Laziness for Dummies"!

September 21, 2017 10:50 PM

jdgalt on ISO Rejects NSA Encryption Algorithms:

NSA will just submit future proposals through front groups, or individuals not yet publicly known to be connected with NSA. Simon and Speck should consider background-checking future submitters.

Open-source crypto projects should consider background-checking their coders, too.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.