Schneier on Security
A blog covering security and security technology.
Note: new comments may take a few minutes to appear on this page.
http://weibo.gy/1bd Top bygging th http://baid.us/qY4c eheaven, den bestemte guder er oppriktig stilling med både sider, selv om the sinnene pleier ikke å vil ennå som er Route Zu http://txd.cn/ZWQwM Hongjun sine vilje heldigvis de er ikke i stand til etterlate Videre kostnadsfrie pin jade Mana tunge ikke-vurderes, og er spesielt ufølsom gjennom hans / hennes
I wonder why the most of discussion is about web site passwords. Security in those cases is less relevant since:
1. The provider has all your private data anyway in plaintext, and it can leak, sell and give it to advertisers or intelligence agencies
2. No matter how secure your password is, someone can hack the system and get/release all the information (such as credit card numbers)
3. Number of login attemps is usually limited, therefore brute force approach isn't practical in most cases
Much more important and interesting use case is the choosing password for personal private information, such as PGP key, password safe, or Truecrypt container. In this case the attacker can easily launch offline brute force attacks. 50-60 bits of entropy is trivial to break even for hobbysts (64-bit RC5 was broken by Distributed.net in 2002). 100 bits is the bare minimum for decent security and >=128 bits is recommended. Better be safe than sorry.
XKCD example is bad one because it doesn't really use random words and therefore gives a false sense of security. For example a "horse" is a common animal. How many common animals we have? cat, dog, mouse, rat, chicken, pig, horse, cow, fox, bear, wolf, etc. definitely not 11-15 bits of entropy. Same applies to other common words such as "correct" and "battery". This is also the reason why most of password strength calculators can't be trusted, they don't take into account the popularity of words, prefixes and suffixes
If you really want to follow XKCD scheme you should select some words randomly and then use them (NO exceptions, NO cherry picking), but then memorizing the passphrase will be much more difficult. For example: "reflectivecrisplyblackishwhollyprayershora" or "volitionmisspentunsettlingdenimexaggeratorveld". These are taken from list of 40k words, therefore they have only 6*15 = 90 bits of entropy.
I don’t see why this is news. It is already working using biotechnology for detection in many high security locations, it’s called a guard dog.
Yes, you are right. With unit testing these bugs would have been found. They mixed up the return values and that's easy to check.
But for unit testing it is important that the functions are atomic and stateless. That's also lacking.
The guys from both OpenSSL and GnuTLS didn't knew what they were doing. Otherwise they wouldn't have used all the gimmicks (massive amount of assembly, m4 and crappy makefiles) and sticked only with C, manpages and a strict policy like the OpenSSH guys did.
@ Nick P,
With regards the --postulated-- founder of bit coin...
Did you see the comment about knowing he was an old timer from the fact his code used RPN...
I guess that's me "outed" as well if you lot hand not already noticed ;-)
“The European intelligence agencies knew what we were up to, so there was no surprise," said James Lewis
Whilst most likely true as a statment it lies well.
You need to remember that the Intel Community sees it's self as "keepers of the faith" compleatly unlike those unreliable untrustworthy easily bought "grubing in the mire" politicians.
Thus the IC jealously guards "methods and sources" from politicians unless it uses "sanitised glimpses" to get the politicians to loosen the purse strings and thus give the IC new empire. The usuall trick for this is to talk about "capability gaps" and how to "mitigate the threat", most of which is nonsense and uses "speculative FUD" much as politicians do with "think of the children".
So yes the European IC serices definatly knew, but probably not the run of the mill politicians.
As I've said several times before, the best way to lie is by telling the truth but from a different perspective. And that line from James Lewis is a classic example.
@ Jack O'Lantern,
And for e-books the definition would be that they have not been "collected" until they have been"processed into intelligible form"
Actualy this is one of the "pay-per-view" business models that has been discussed in the publishing industry. It's partly based on the idea that one of the biggest costs to publishers is "delivery costs" and was founded on the same poor understanding of things that gave us the Content Scrambling System of DVDs .
Thus the premise was to send a single optical disk (or other storage media) with the entire current catalog of the publisher stored on it. And each time you read a book or page from a book you'd pay a fee...
Like the minds behind CSS the assumption was that the keys could be kept secret if put in an e-reader...
These minds have not given up on this "Holy Grail" as it's seen as by far the best candidate for making even more profit, so like many others they are waiting for the technology (ie TPM-4-DRM) to give them what they want and in the mean time they are lubricating a legislator near you to ensure they get the legislation to own not just you but those that create "the content".
So what's next? secret sensors installed in every washing machine sending smell data to the government cataloging everyone's smell? This may sound crazy, but is it any worse than what's already been happening? I mean, seriously, tracking the location every second of every day of every person via cell phone triangulation? really?
This is Greatest Blog for Mobile Technology which is give more satisfaction after Read blog you can get information From our Website a large collection of popular and branded Bluetooth Mini Speaker for phone
These are all old economic and marketing algorithms mentioned, nothing to do with surveillance..
Survelliance algo is all to do with pattern recognition and building in bitmap, text, and audio data which you need access to camera grids or telco infrastructure to implement. This is mostly lashing out at companies for reminding us we live to consume and are careless about it..
It's a double stack USB socket with solder point PCB mounting and integrated backdoor controller.. Sounds to me like you didn't read or look at the pictures...
I have yet to see this corroborated by any additional sources, but if proven true... Wow, that could really beef up my point here! ;.-P..
'Just Because it is legal doesn't mean we should do it' (US intelligence figures say Europe is acting 'mock surprised' at leaks on NSA)
European intelligence agencies were all aware of the type of covert surveillance undertaken by the US National Security Agency (NSA), a former state department official and current director of the Center for Strategic and International Studies (CSIS) has said. “The European intelligence agencies knew what we were up to, so there was no surprise," said James Lewis, who led a discussion with senior US intelligence figures at the RSA conference, the large international security industry gathering here last week.
This "James Lewis" fellow certainly seems like the sort of character with the necessary kind of qualifications to speak about such a matter... http://csis.org/expert/james-andrew-lewis
Apparently France knew too. Wonder what Merkel, Morales, et. all think about that... ;-)
Ok, that's it. I'm buying stock from all the publicly traded companies that produce garlic.
I have 3 different WiFi routers on-hand here and every one of them have admin/root access disabled over WiFi by default. That's real-world.
You must be using a better class of WiFi router...
I've dealt with a bunch here, supplied by the local Telcos, and none of them had the ability to disable admin over WiFi.
In the EU common serious crime forensic protocols say to place an odor absorbing material and then seal off the scene for several hours before doing anything else. Using dogs, the sample can later be compared with a suspect's scent.
"This is made to be used in foundries by manufacturers"
Where does it say that? Sounds to me like it's something that gets physically installed on a target's machine when access is available. Most of these posts seem to be in that realm.
NIST was the group that revised their WTC7 collapse report several times over at least seven years since 9/11. They are the government agency that claims small fires brought down an entire 47-story building into its own footprint despite never being hit by a plane, dozens of witnesses on video saying the building was going to come down, video evidence showing that small sub-building on the roof collapsing before the rest of the building, and BBC announcing on live TV the building's demise more than 30 minutes before it collapsed.
Until NIST comes clean on this, they will forever be yet another corrupt and ultimately unnecessary government organization. We have now have several instances of well-publicized evil against the citizens of the US. Their 2014 taxpayer-funded $850M budget is not justified. We would be better served by eliminating this entity altogether and have the private sector pick up anything that's really necessary. IEEE is a good example of setting standards without government.
I like to think
(it has to be!)
of a cybernetic ecology
where we are free of our labors
and joined back to nature,
returned to our mammal
brothers and sisters,
and all watched over
by machines of loving grace.
Hopefully Kit in the laboratory works the same as kit in the field - otherwise electrical safety testing is a bit of a waste of time.
So if any experiment ever performed had an error then every experiment ever performed is invalid?
They modelled the spread of a virus mathemtically - this is generally a better approach than infecting a bunch of machines then sending out questonaires to ask people if they are infected
The problem is that it allows their assumptions to dictate the results.
I have 3 different WiFi routers on-hand here and every one of them have admin/root access disabled over WiFi by default. That's real-world.
Both that bug/feature from Microsoft & this little gem at the bottom of the techdirt article:
"Eventually, it should die out as Windows XP machines finally go extinct, but for now, enjoy (but don't bother connecting) the 'Free Public WiFi' found in so many airports..." (Emphasis Buck's)
(Posted: October 11th, 2010 @ 9:49AM)
Must've missed that one a few years ago... Thanks for the reminder! ;-) Never ceases to amaze me - the potential for widespread consequences from simple computational errors; even without the addition of malicious intent!
The Roooski NSA seems to use their data so much more effectively:
http://rt.com/news/... (a phone call between the EU Foreign Aff. Chief and Estonian Foreign Minister)
and Victoria Nueland's call on youtube.
@Brandioch - they demonstrated the attack on kit in the laboratory. Hopefully Kit in the laboratory works the same as kit in the field - otherwise electrical safety testing is a bit of a waste of time.
They modelled the spread of a virus mathemtically - this is generally a better approach than infecting a bunch of machines then sending out questonaires to ask people if they are infected
This is made to be used in foundries by manufacturers which means it's not just in government target networks..
The US accuses China and Korea for putting stuff in consumer and business hardware all the time..
It takes extensive hooking and table patching in Windows to hide a WIFI NIC from taskbar and all the COM interfaces native UIs and policies query. Even if you relayed it through another class of device with a generic driver, like USB audio, you still have some expensive coding to do and a occupied external port..
I'm pretty sure it is NIC class and I don't see any rootkit mentioned.
@Crocodile Chuck: Thank you for your posting. I did not have right now official prove or link to check, but increased cortisol level could be detected by predator (lion, tiger) out of the breath of potential human target. Anecdotally, predator jump on the human target only after smelling cortisol (in nature setting).
The East German Stasi pioneered this. They maintained a scent library, with mason jars containing scraps of clothing from each of their enemies of the state. This allowed them to get their bloodhounds up to speed quickly, if they ever had to track you down.
@ Knott Whittingly
Seems someone gets it...indexes are processing of collected data. I argue that it makes us all guilty, searching a line-up where everyone is in the line-up puts a "number" around all our necks.
Also like the reference to Feynman, this was my suggestion months ago. Am reading the Luke Harding book, it is quite an indictment of the IC. When will this monster become quilled?
A) Your dog could have told you this years ago. B) Now you have to guard your dirty laundry.
"Worrying about a computer reading your email is like worrying about your dog seeing you naked."
Interesting. Makes me wonder:
Would you worry if it were your neighbour's dog?
Your neighbour's Aibo?
For security application it is prospective to identify increased level of stress hormone in a body odor when person going through clearance check point.
May be two-step procedure could be applied:
on the first step - not stressful questioning to catch base line of stress hormone, on the second step - test/sensitive questioning to catch changes in the level of stress hormone.
Karzai describes the Taliban. He describes them to be top experts in advanced drone swatting. these bastards sell their phones to families:
Of course, there other issues as well, secondary to civilian casualties. The private security firms, the parallel government structures, the contracts given to people, to individuals, causing corruption. And, of course, in a deeper way, reflecting a deeper lack of agreement between us, the way the so-called war on terror was fought. The sanctuaries were left alone outside Afghanistan and Pakistan, but the civilian villages were attacked. So when I say civilian casualties and when I say the incorrect strategy, the attack on the Afghan villages, that is exactly the crux of the difficulties.’’
This here is an interesting view on that drone strikes:
Well i think it is safe to say, as long as it is like this, all these TAO implants must be published in the open.
Hamid Karzai was in the midst of negotiating a security agreement with the United States when he met a 4-year-old girl who had lost half her face in an American airstrike.Five months later, the Afghan president’s eyes welled with tears as he described visiting the disfigured little girl at a hospital. He took long pauses between words. Sitting behind his desk Saturday night, the man who has projected a defiant image toward the West suddenly looked frail.
That day, I wished she were dead, so she could be buried with her parents and brothers and sisters” — 14 of whom had been killed in the attack — he said.
In an unusually emotional interview, the departing Afghan president sought to explain why he has been such a harsh critic of the 12-year-old U.S. war effort here. He said he’s deeply troubled by all the casualties he has seen, including those in U.S. military operations. He feels betrayed by what he calls an insufficient U.S. focus on targeting Taliban sanctuaries in Pakistan. And he insists that public criticism was the only way to guarantee an American response to his concerns.
And "data acquired by electronic means is 'collected' only when it has been processed into intelligible form."
So, think of that friend of yours who has thousands of books in his house. According to the NSA, he's not actually "collecting" books. He's doing something else with them, and the only books he can claim to have "collected" are the ones he's actually read.
And for e-books the definition would be that they have not been "collected" until they have been "processed into intelligible form".
So what if the "data acquired by electronic means" is already in "intelligible form"? Many images, sms messages, etc do not need any particular processing in order to be understood by humans.
Or is it that their definition on "intelligible form" is that it is in that format when its content can somehow be "understood" by their supercomputers...
Re: "...information shall be considered as 'collected' only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties." ETC.
Well OF COURSE!
It's an agency definition having no force of law in regards to the Constitution.
Robbing the bank can be redefined as an "innovative, self determined withdrawal" ....but it's still bank robbery in the eyes of the law...and people.
Bitcoin founder identified!
Interesting story. Here's a non-paywalled link. :)
This guy would be a great additions to clean slate redesigns of computers for security. Bitcoin says plenty about his crypto/thinking skills. He also worked on what I'm guessing was classified COMSEC devices. He also built his own computers, whatever that means. Strong in several areas including physics and comp sci. Long experience with privacy and anonymity tech. Also an utter asshole who likes proving that others are idiots compared to him.
Seems to be a perfect fit for improving or beating one of the clean slate designs. Matter of fact, securing the storage and transfer of Bitcoins is the next problem for the currency. A truly secure computer would solve many of their problems and ours. People in Bitcoin development or an established security type [that he might trust] should push him on this. Secure, usable endpoints would do more for his libertarian goals than the currency he made.
Note: I'd bet a few Bitcoins that he already solved some tough aspects of private or secure computing in his previous work. He couldn't share that. Yet, he *could* employ techniques that have since been independently discovered and publicly published. At the least use his mind to shoot down bad options quickly as I did in some projects. Preventing the amateurs from wasting time is as valuable as design/code contributions.
I saw this on Slashdot the other day. A few things from that article...
The virus has been designed and practically demonstrated in a laboratory setting.
Okay. A laboratory proof-of-concept then.
This information was then used to inform an infection model to test the application of the virus in two urban environments: Belfast, Northern Ireland and London, England, with data extracted from Wigle.net.
Real world? Or not? A bit ambiguous there.
APs are considered to be connectable if their separation lies within a certain radius, varied between 10 and 50 m in the model. The model initiates the virus by infecting an AP at random to act as a seed and then calculates how many days would be required to either infect or blacklist all APs in the area.
So it is a simulation
of a "virus" attack that has never been seen outside of a laboratory.
And it seems that the method of attack used (admin access over WiFi) is not that common since it is disabled by default on most WiFi routers.
So I wouldn't be too worried about this. I'd be more concerned about the regular WiFi attacks using backdoors or worms exploiting vulnerabilities in default services.
Dogs I trust tell me that underwear I've worn for a day smells just like me. I would assume that the weakness of this biometric is similar to that of fingerprint sensors and biometrics in general. It's very hard to make sure that the biometric presented to the sensor is live.
@6535: "I wonder how quickly the NSA guys will be buying this virus kit."
No, no, you've got it backwards. The NSA is selling the kit overseas. How else can the US government justify all of the so-called cyberwarfare expenditures?
This is not an argument about the semantics of the word "collect".
There are always small disagreements about the meaning of words, but the definition Clapper uses is not within the umbra, penumbra or antumber of English usage. Clapper was not engaged in semantic hairsplitting, he was lying. His tortured semantics do not deserve a careful refutation; they deserve a horse laugh, or a horse whipping.
I fear I didn't express myself very clearly. What I had in mind is not the backspace as another character of the password, but the pattern of the password-entry.
Say your final password is 123. but you enter it like 124 - oh no sh*t delete the 4 and write a 3.
Or measure the time between the entry of characters: '1' er, wait, oh yes , '2', then 4, oh no ... which makes quite a unique pattern for each user and will be more difficult to observe by someone looking over your shoulder.
But I agree, applications don't allow or recognize such things for now. They see only the final '123' that you 'enter'.
"So... who watches the dogs?"
Millions on YouTube
A key difference between NSA's handling of our data and Google's ad placement or a dog watching you have sex is that the the NSA apparently does look at all of the data.
Consider a scenario in which all your data is visually scanned for a set of keywords by a human being, and examined more carefully when any of those keywords is found, especially carefully when specified combinations are found, and so on, and the document is actually read in the normal way if certain criteria are met. That's examining all the data, with a human in the loop.
Now you automate the initial scanning, so that it's a computer that does the first set of tests, and only sends it to a human if it meets specified criteria.
These situations are substantially the same. There is a human in the loop in both cases, and that's what matters most.
Consider that if you have keyword searches (or just phone call link searches) implemented with any reasonable efficiency---and they must have done so to handle large volumes of data---then the data have already been analyzed for certain relationships, to build database indexes. That is itself a kind of data analysis enabling further data analysis, like having hordes of non-English-speaking workers scan documents for English keywords visually.
And it reveals things. Those database indexes amount to dossiers on all of us. They don't look like dossiers to the naive, but the ability to do things like free text searches, automatic analyses of social networks, and various analyses involving time and location means that they're far more effective than the kind of dossiers the Stasi used to compile.
In the Stasi days, there were only a few basic indexes by which an individual's dossier could be found and (re-)examined by a human.
Think about having social network and other relationships preprocessed into database indexes, and the ability to construct others on demand with flexible queries.
That amounts to a vastly larger database with a staggering number of virtual indexes available to snoops, which the Stasi could only dream of.
The potential for abuse is limited only by the analysts' imaginations. Anyone with a clue can reverse-target anybody they want, i.e., frame queries in such a way as to seemingly innocently yield "incidentally" data about an unstated real target, and likewise "accidentally" reveal almost any information they can express logically.
That would be possible even if the standard were probable cause to believe serious crimes have been committed. A standard of "reasonable articulable suspicion" makes it vastly easier, and impossible to detect unless you do something flagrantly stupid.
We need an independent prosecutor and a blue-ribbon commission with a Feynman-like figure to cut through the bullshit about this, sitting down at an analysts terminal and showing just how easy it is to answer some very interesting questions about anybody of interest, even with a suspicious supervisor looking over your shoulder at all times.
Somebody needs to dunk the o-ring in a glass of ice water and break it with their fingers for the cameras.
Apologies, there is a glaring typo in my last comment. It should have said
hermeneutical "circle", not "circe".
Feel free to update and delete this last comment. :|
I guess I should now better specify that this youtube linkin my previous post goes on to explain 'hermeneutics' in its own way, and isn't directly related to what I wrote. That video offer a nice introduction for becoming comfortable with the general idea of "the hermeneutical circe" which I had mentioned.
With apologies to anyone with their brain "wired" towards engineereing work, perhaps relying mostly on a given knowledge base, perhaps not at all used to simmer in doubt and eternal uncertainty. :)
I am sorry that this text goes on for so long, but as I see it, there is no way around it.
I can only do so much not knowing the inns and outs of bureucracy, however here are some thoughts of mine. (Well, not really thoughts per se, but so to speak. The reflections here were not apparent from the start)
I would say there might be even more damning issues at stake than authorities patently not being forthright (by lying, as in expressing falsehood) to a public.
I don't think a good "solution" to learning about policy is as simple as soliciting authorities for using "ordinary English" in explaining things as sceptical suggested, but at least that is something which might have explanations seem more clear. But would such explanations then be precise and relevant in the larger scope of things?
I see a danger in having solicited authorities to be pragmatic to explain themselves and what they do with ordinary English, as such explanations would perhaps only be relevant outside bureaucracy and not within it. Ergo, there might be no change at all that affect "policy" in general.
My point here would be that the authorities probably can't be forthright to itself (pretty sure a single policeman or politician isn't required to understand it all) and that anyone tasked with working with the concept of there being 'an oversight' for example, can't even be expected to be simply pragmatic about things (focusing on given problems), because there would be no way of knowing just *where* to start being pragmatic other than in the simplest way, like interpreting existing terminology within the framework of policy, either by being forced to do this or by not knowing any better. The general idea here would be about how difficult it might be to work with policies, when "a policy" perhaps can't be explained outside its own definitions, expecially if there were to be minute definitions that only seem to have been tailored to justify having some given policy in the first place.
Given how a particular meaning to various things are attributed to any given policy by definitions, I think it is important to realize that the general notion of "policy" is likely not something logical, as in being rational or sound in itself, but is probably theory for sake of theory. (Afaik, a soldier in the military is never concidered as committing murder in a war killing other soldiers, unfortunately.) As if someone exclaimed "We do what we do because that is how we do it", or "we do what we can because we must" (as if simply implying that one is compelled). Notions of what would otherwise be best, just or make best sense probably wouldn't apply there in the context of a bereaucracy.
"A theory" is here thought of, not as an idea, nor a set of ideas, as much as something being an existing "legal" framework, given in writing and thus constituting *policy* at the highest level (legislature). Presumably, everything "bureaucratic" would be deemed as "policy" by authorities; and there would be be a bunch of policies; and I suspect that the authorities would be free to dictate tailormade truthful statements as they see would fit any given situation, but then as more on the side and not in the heat of it all I think. Simply discussing your own thoughts can never be a lie, and so one cannot help but being honest this way. I would say that to try discern whether or not someone or something is being forthright to you, is unfortunately dependent on the context and relative to the exchange of meaning, because of it being limited to your own expectations. Thus, being a passive party, is never a good thing, because you would forever be on the recieving end this way, as some piece of entertainment.
A theory doesn't have meaning to it, but rather makes up this kind of conundrum for which theory *is* what was meant in the first place. A peculiar problem then would be by having people in power providing excuses later on, because if one had to assume that someone misused the public's trust, with everything having passed in time prior, an event or act can't simply be justified later on as if there was some apriori knowledge to look for, as if a mere explanation would show why something came to be or how.
Another angle in attempting to describe a problem, for which the bureaucracy was thought to fold in on itself to provide a way and the means to sustain itself (providing excuses), would be to consider knowledge in general as it relates to any problems of understanding governmental policy, as understanding something within the proverbial 'hermeneutic circle'. A hermeneutic circle could be understood as a framework of references, where there is a "known" relation between the knowledge about the whole as it relates to every part of the whole. Also, cue the rarely used word 'synecdoche'. I suppose one can understand it as being similar to a synonym in the simplest sense. What is interesting then I think, is how a spokesman or simply a member of the authorities might perhaps end up relating to a variety of problems of a "philosophical" nature, but where conflicting notions of reality isn't resolved in a satisfactory manner by 'some standard'. And it is with this notion of 'some standard' which ought to be interesting, if something ever is to be considered particularily problematic, as in, 'interesting' for whatever reason. (Like trying to understand notions of 'privacy' and 'security', whatever those would come to mean to any individual.) What is interesting of course, is ending up having a general consensus about some things that one would argue to be simple to understand. Being pragmatic about such notions for which one attempts to relate to reality in general, is probably the wrong way to go about it, if a discussion or just 'a problem' about a subject matter is understood as being imposed on a public not knowing any better. (I will have to point out that the notion of "not knowing any better" is here something of an absurdity given that there is no specific context that I am discussing nor am even implying here.) As for the notion of there possibly being any instance of the proverbial synecdoche at any point, I suspect *such* would be important to try learn about, or at least be something to be aware of; because if someone makes use of a particular word to impress someone as a part of an argument, or with the entire argument itself, the seriousness of a subject matter should be fairly clear, or at least, a kind of seriousness that is not to be overshadowed by triviality (status quo) nor supposedly "pressing matters". I would like to think that candidates for such mincing of words could be: power, law, legal, authority, lawful and any kind of thinkable words or phrases derived from the previous ones.
http://www.youtube.com/watch?v=iWnA7nZO4EY (Ways In and Out of the Hermeneutic Circle, Paul Fry, YaleCourses)
It is fairly old but I would guess it has gotten smaller and better. Also, I would guess the black hats are in a race with the NSA to see who make the best air-gap hack.
“If I store hundreds of pounds of cocaine in my house, but don't actually use it, can I be charged for having it?”
@ Bob S.
“…if you don't think they are gawking the porno shots I've got a bridge in Brooklyn to sell you real cheap.”
Yes, you can bet they are looking at the porn if they can measure it - they looked at it. They hit the bottom so to speak.
@ db cooper
“Seems the CIA may have ruffled the feathers of the US Senate Intelligence Committee by spying on them”
Yes, and it probably goes a lot farther than just Senators.
@ Alan S.
“By Clapper's own logic Snowden didn't "collect" any information about the NSA until he read it or shared it with someone else who read it.”
How true, there are an estimated 1.7 million documents missing and Snowden and the press have only released a small fraction of that. Thus, Snowden is on par with Clapper – the documents haven’t been “collected” until we see them.
“…it's extremely likely that also sexually explicit images of minors have been collected...uh...I mean, whatever they call what they do. Is there some silly newspeak definition of "possession" too or might the GCHQ now be guilty of possessing child porn?”
Yes, you could look at it that way.
One thing I would like to seen the NSA collect less of is billions of tax payer dollars!
In these tight budget times it would be a good idea to cut the NSA’s budget by 40%. Put the money to better use! And, no more porn collecting!
Lost a family member to kidney disease. Remember Target targeting pregnant daughters with baby coupons? What becomes the responsibility of the operator of a device that identifies people who are seriously ill and may not know it?
I don't want to test this device.
Didn't Alien 4 use a similar ID, and show spoofing of the same?
@ uh, Mike
If you suggest to put the wifi-ap into a faraday cage, then have fun with trying to connect :)
Or was there another intention I am not aware of?
You don't see all USB-Devices in the windows task bar (e.g. HID). I played a little bit around with a programable teensy-stick and if it's configured as keyboard the user won't see it and windows gives it's own driver for it.
I don't know what possible ways for code execution exist only with windows keyboard drivers, but I'm sure there are always ways to abuse it ;-(
The two big questions are a) how to get from 85 to 99.9 or whatever you need for real use and b) how to keep the algorithms secret so they can't be spoofed. Good luck with those.
Funny. Thought I was reading the script for a Monty Python skit.
TRANSLATION: Malicious FW ROM that likely uses browser or protocol exploits or patches downloaded binaries on the fly(which given how HTTP and FTP work I doubt is the case).
I'm assuming this isn't just a logger firmware since it's in the news. Else boring and ignore my translation..
Just look in windows task bar... detected.. or put a policy on USB ports and block it all together..
I'd find a windows USB zero-day and load a rootkit to hide the NIC and create a covert channel to send my data over. But then you still have a stick sticking out of a occupied USB port..
This isn't good for audited or technical user environments..
@ kashmarek just what is the odor signature of a "bad" guy
If I were a gambler, I would think the U.S. government will at some point spend millions of tax-payer dollars on exactly such research. And if the results go beyond the prototype stage we will "enjoy" it at airports, train stations and various security check points across the nation. I'll just have to remember to avoid spicy Thai food a day or two prior to going through said check points. ;^)
Have you noticed where dogs sniff other dogs to capture information. And, dog olfactory recptors are thousands of times more powerful than human capabilities.
Using specific drug sensor(s) to detect drug plantations (and probably drug processing) is significantly easier since a suitable sample can probably be acquired with miles and miles of flyover.
However, the odor combination for a specific human being, especially after a shower and application of deodorant, seems unlikely from any position that the human nose can't detect it. It particular, that odor would likely change if the subject (perp?) were working out (or just working), if the temperature was hot (or cold), or the subject had ingested a sufficient quantity of flavor emitting substances (food, beer, etc.), such as to change the signature. And, age will also do pretty much the same thing (you know, old people smell). Further, just what is the odor signature of a "bad" guy? Probably pretty much the same as everybody else. Or, is that signature a "secret" (like the no fly list) so that it can't be challenged?
Along with the plethora of other such "identification" fantasies out there, I sense FUD.
In other news from my dog:
"Walks are great we should go for more walks, lets go for one right now. Yeah Walk Walk Walk!"
"Smelling a dogs butt can tell you a lot about them... like what their but smells like."
Is it most likely, that there are backdoors (as discovered in AVM, Linksys, Cisco,...) in all public wifi-routers and such a virus could be used in cyberware (drones over the enemy territory to implant trojans/viruses in networks or just to take the infrastructure offline)?
If not today, then tomorrow there will be drones that use electronic noses (http://en.wikipedia.org/wiki/Electronic_nose) to identify a specific person as target. I know of such technology that is already in use to find illegal drug plantation.
@ Jonathan Wilson
Thank you, I didn't knew that. This might be one reason why the NSA has had problems to identify what he has stolen, too.
The number of NSA exploits is overwhelming. It seems that nothing related to computers is secure or out of their reach.
Isn't it exactly the kind of element that can be stolen from someone to impersonate him ?
If it is used in 'airports, border checkpoints, …', we may have to worry about it.
@TIM, the reason they are so old is that 2008 or so is when Snowden was able to steal the documents he did, i.e. he has never been in a position to steal documents newer than 2008 (or if he was, he chose not to steal such documents)
Sorry, if this question has already been answered somewhere on this blog before, but, why are so many documents so old (I mean from around the year 2008)?
Is it to protect the national security of USA?
I don't want to imagine what they are able to do today, when they were in 2008 so far :(
Two good reasons to think that matters are not quite as dire as the "word games" section of your post describes:
(1) The 4th Amendment, and FISA, are not subject to the specialized definitions of DOD regulations. So the executive branch can't simply define its way out of the confines of the 4th Amendment and FISA.
(2) Executive branch regulations recognize that fact. For example, USSID 18 uses terms as defined by DOD regulations for particular sections (such uses are denoted by all-caps, e.g. "COLLECTION" rather than "collection"). But for other sections, such as those referencing the 4th Amendment, or the requirements of FISA, the DOD definitions are explicitly not used.
Finally, I'd just note that unless there is an understanding that one will be using terms as defined in a particular source, one's words will be given their ordinary meaning. This is why the NSA's GC's description of what occurred with Clapper is couched in terms of how Clapper understood Wyden's question, and not in terms of how Clapper's words are defined by DOD regs.
So, to the extent anyone thinks he's being tricky by using a term as defined in DoD regulations without informing his audience of the peculiar and particular manner of his usage, he's not. If there's intent to deceive, such an individual is simply lying.
Reporters should clarify, when speaking with government spokespersons or officials, that the terms being used are being given their ordinary English meanings in statements being given by those spokespersons or officials.
I also think that the White House, and NSA, should set forth a standing policy that when words have both ordinary meanings, and meanings as defined by regulations, and when those meanings differ substantially, public statements will use ordinary meanings unless explicitly stated otherwise.
One more quick note: if you look at USSID 18, you'll see that even within the sections where DOD definitions apply, USSID 18 sometimes uses the ordinary word "collection" (not all caps) and sometimes uses the defined term "COLLECTION" (all caps). So the defined term is not necessarily the default usage of government officials and spokespersons.
STRAITBIZARRE seems to be NSA's swiss army knife. Would be interesting to learn more about this tool, afaik we know next to nothing about it.
$ 1,015 K (50 units) : it's a joke, right ?
Read again what is stated on those 3 claims. All are true statements. See: http://www.true-cryptophone.net/
You know and say yourself that it encrypts the counter. Did anybody argue that you can not use counter mode ? The above link clearly states "The voice protection may work well for your needs."
Let's say you have a confidential file. You must encrypt it. What would you prefer ? Take (as example) AES in counter mode to create a bunch of pseudo random byte sequence and then XOR your file on it ? Or would you encrypt the file itself directly as it's supposed to be? Which one do you prefer? Encrypting a counter (1,2,3...n) or your file itself ? I prefer correct encryption of my data.
In your case you have encrypted and protected only a number sequence. Nothing more.
In my case i have encrypted and protected the data.
Now you take your resulting pseudo random byte sequence from step 1 and patch it from OUTSIDE with your confidential data. That's lame. A cheap solution. A poor grade.
Me however, am done already in step 1. If i want to lower myself to your level by also having a step 2, then i could take my encrypted result and patch another (a 2nd plain file) and patch it with XOR onto it. You can not do likewise, as you would end up losing all your data.
They tell misleading argument that the voice is encrypted after the XOR operation. There is a term for that and it's called scrambling. Voice data is scrambled at the end. That is not encryption of the voice data. You lie if you put scrambling and encryption on same level. They're different. Hardcore way is like a Decibit Cryptophone does it, encrypting the data itself, without need for cheap solutions.
Besides, you must be complete out of your mind to defend a phone that costs 4000 USD per piece. Needs 2 of them to function. You might be related to that phone and making profits from it or did you write the datasheet yourself ? Yes they can fool simple knowledged people to literally buy it's utter nonsense sales arguments.
Besides to have a "crypto"-phone based on an insecure consumer phone hardware, only having replaced the software... is not secure. You need a secure smartcard chip, like credit cards have or those used with set top boxes etc to generate & store keys and do cryptographic operations.
So, what else do you have to bash on me ?
You mention terrorism, but it's worth noting that we already know that GCHQ are involved in reputation assassination (and share data with the NSA). This alone should make the idea of having the your data (or that of politicians or CEOs, or anyone) stored extremely worrying.
Past experience has shown that given this type of data, government agencies misuse it (e.g. the FBI spying on peaceful rallies); whether such things happen because of design or just the type of mission-creep that's typical of security (it's easier to argue for more rather than less) is irrelevant.
The semantic argument over what exactly the word "collect" means or should mean serves as a distraction which gives people something to argue about without achieving much of anything. We need to reframe the question, perhaps into something clearly defined around the issue of storage and access.
How about cutting the old USB connector off and wiring a new one from a different device to it? Shouldn't be too difficult. Anything in USB protocol operation that would prevent this?
You might be able to detect this by X-raying the USB connector that houses it.
So, now that it's only 128 or 256 bit security they can crack it. Those darned strength reductions! ;)
The more likely explanation is that four modes is pretty confusing and an unnecessary amount of work to support on the many platforms that will use the standard. They've narrowed it down to two modes: basic with good strength and extra-strong. Avoiding 384 and 512-bit might also benefit with resource constrained devices, allowing them to use the standard. I've never known anyone to use the 224 or 384 for normal operations. The 512 bit is considered overkill by most who know that the attacks will be on endpoints and logic rather than primitives.
So, nothing about that quote makes me worry. The article you linked also has a response from the Keccak team saying essentially the article claimed BS and the modifications didn't change the main primitives of Keccak. They said they were a subset of the original Keccak that narrowed the options to a few secure ones. If anything, I'm seeing practical changes rather than subversive ones.
"Edwards Snowden" should be "Edward"
"how were treated at airport security" should be "we're"
There was a third typo between the above two but I can't find it now.
@ Clive Robinson
"In the process of standardizing the SHA-3 competition winning algorithm Keccak, the National Institute of Standards and Technology (NIST) may have lowered the bar for attacks, which might be useful for or even initiated by NSA.
'NIST is proposing a huge reduction in the internal strength of Keccak below what went into final SHA-3 comp,' writes cryptographer Marsh Ray on Twitter. In August, John Kelsey, working at NIST, described (slides 44-48) the changes to the algorithm, including reduction of the bit length from 224, 256, 384 and 512-bit modes down to 128 and 256-bit modes."
One of the best uses of sed I've seen in a long time.
@M, from what we now know, GHCQ almost certainly possesses child porn. That explains how an all-out, absolute, no-holds-barred law against something can go awry in bizarre ways.
Someone, somewhere asked what "desirable nudity" is. That would be adults.
> Or to kill the Prince of Wales?
Or the Princess?
a) That bug is inexcusable. The code is crap. Not the programmer's fault though.
b) Because something as monumentally important as SSL security should be the subject of quality controls so tight that changes to source like that would be accompanied by religious ceremonies
c) Deliberate? Quite probably. Only after the management around that area was relaxed and 'destabilised'
@Mark in CA
I think ive seen some diffs in a discussion that show the person who introduced that bug was and is still a gnutls leading developer. Perhaps this was accidential.
But the sad truth is that this may not matter. It could be that nsa knows these vulnerabilities and uses them in their FLYING PIG program where they impersonate google in ssl connections, anyway.
It may be that the FLYING PIG program was created after the nsa learnt from some of their hackers that many browsers have flaws in their checks of ssl certificates. It can well be that they do not even have to insert anything because the software that we use is hoplessly flawed anyway.
With upper case, lower case, numbers, and basic special characters you have 85 printable characters (including space, but not tab) on a standard US keyboard, which is approximately 6.409 bits per character of entropy for a random password, so with 20 random characters you have the equivalent of a 128-bit key.
If you included backsapce, it would only add .017 bits of entropy per character, which isn't much; for a 20 character random password, it adds about a third of a bit of entropy. Plus, it would be very annoying if you accidentally type the wrong key.
The thing is, a lot of applications don't even allow all special characters, or 20 characters, making lack of a backspace the least of your problem.
All "collected" data, whether read by any human or not, eventually goes away. Consider that the government probably loses MORE data than they ever use, simply because it dies on the recording media, the media goes out of date, they don't have the time or money to move the data forward to new media, and when they actually need the old data, it has become too expensive to access, as the current computers are no longer able to access the old formats or devices. The IRS is a classic example (data probably still being held on tape cartridges with few or no working devices to read them). Why, someone just announced they can't communicate with an older satellite because they disposed of the ground station technology that performed the job years earlier.
So, how long will the NSA "collected" data from today and earlier, live before it can no longer be used for any meaningful purpose? Come on, let's hear your estimate in years.
The government works best when it loses stuff (including laptops, but probably really good at losing almost everything they touch).
@ z • March 5, 2014 9:06 AM
" If I store hundreds of pounds of cocaine ... If I steal 500 machine guns ... If I'm engaged in corporate espionage ... will I be prosecuted?"
Of course you will. This only works for the TLAs because they apparently have the right to redefine words as they see fit and (and this is the important bit) have the courts then recognise their idiosyncratic definitions.
All of us redefine words everyday. But only some of us can impart the force of law onto those new definitions.
"Google even modifies our web search results based on our previous behavior."
Google and Amazon suggestions are ok-ish, but the thing that annoys me about this is that it assumes that I will be the same - and buy and want the same things - tomorrow as yesterday, and that I'll be the same in 10 years as I was now. It seems like there's no scope for change, or re-imagination.
I hate that vision of the future.
So by the NSA's logic, if you have thousands of child-porn images on your computer, you're not a perv...it's only when you open one of those images that you cross the line......uh-huh.
Hm...I guess it's extremely likely that also sexually explicit images of minors have been collected...uh...I mean, whatever they call what they do. Is there some silly newspeak definition of "possession" too or might the GCHQ now be guilty of possessing child porn?
I'm surprised its not more passive (AngryNeigbor style) as those are harder to detect but this thing will emit.
How things are getting better:
How does a commodity (so unattributable), 40 MHz ARM chip the size of a dimple on a golf ball suit ya?
Another weakness of the password system I've long thought about is that the password is being 'submitted' as a field.
Just imagine, if every keystroke were part of the password, I could create a password like
The same is valid for smartphone passwords, either they're '1234' on iPhones or some kind of spirals which is far too easy to oversee. 1-2-3-4-[backspace]-5-#-[backspace]-[backspace]-6 should be much better
"When I use a word," [Clapper] said in rather a scornful tone, "it means just what I choose it to mean -- neither more nor less."
"The question is," said Alice, "whether you can make words mean so many different things."
"The question is," said [Clapper], "which is to be master -- that's all."
-- Lewis Carroll, Through the Looking-Glass (1871)
$ cat ThroughTheLookingGlass.txt | sed -e 's/Humpty Dumpty/[Clapper]/g'
I think your calculation of entropy is not correct.
correct horse battery staple has a higher entropy than 44 because an attacker does not know if your using uppercase, lowercase, numbers or whatever.
So, combining xckds and Bruces algorithms with Jim's multiple language idea will produce nice passphraces:
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..