Recent Comments

Note: new comments may take a few minutes to appear on this page.

February 19, 2017 3:06 AM

gordo on Research into the Root Causes of Terrorism:

Percent of the world's population that uses Facebook: 25% (1.86 B persons) [1][2]

Estimated number of terrorists, worldwide: 184,000 [3]
(a number which is less than 1/100th of 1% (0.0000989) of 1.86 B)

Number of Facebook users/accounts "trying to use our services to recruit for a terrorist organization": TBD [4]


[1] (1.86 B) ÷ (7.4 B)
.... (Monthly active Facebook users worldwide) ÷ (World population)

[2] Statistic Brain reported that, as of August 1, 2016, there were 81 million fake Facebook profiles.

[3] From estimates in the U.S. State Department's Country Reports on Terrorism 2012, the number of participants in Foreign [to the U.S.] Terrorist Organizations (FTOs), as tabulated by TechCrunch.

[4] "It will take many years to fully develop these systems. Right now, we're starting to explore ways to use AI to tell the difference between news stories about terrorism and actual terrorist propaganda so we can quickly remove anyone trying to use our services to recruit for a terrorist organization. This is technically difficult as it requires building AI that can read and understand news, but we need to work on this to help fight terrorism worldwide." —Mark Zuckerberg, Chairman, CEO and co-founder of Facebook, Inc.

February 19, 2017 2:49 AM

MarkH on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

@My Info:

In the past 20 years, I've spent quite a lot of time with native Russian speakers, and learned a little of the language myself.

I think that my "linguistic inner ear" is sensitive to the typical grammar and usage errors of English from native speakers of Russian.

Thanks to you, I now know that Finnish has no equivalent of "a" / "the" ... so in usage of articles, I would expect native speakers of Finnish to make errors similar to those of Russian speakers.

I looked at the en.wikipedia article on Finnish grammar. Fifteen noun cases? Yikes!

Though by reputation, America's Navajo language is extraordinarily challenging: Navajo is both tonal and extremely inflected. The amount of information encoded in a single Navajo verb is almost skull-cracking :/

February 18, 2017 10:38 PM

Snore. on Friday Squid Blogging: Squid Communication through Skin Patterns:

it is now easier to assume it is not possible to secure any device with communications capability in it, nor easily insulate/shield it from devices that do (see "energy-gapping" and "end run attacks").

And we are absolutely certain right?

Is it worth the risk otherwise?

What are you Mentholated? You're like old man winter around here, we appreciate the thought provoking tips and intelligent quips but really?

If they were all knowing they wouldn't be attacking systems, staging forward positions and exfiltrating data. While there's obviously way's in, the should still be obvious ways around.

Don't buy into this whole "don't move or we'll shoot" bullshit, they will shoot but they can still miss - I don't care if it's some kids nintendo ds posting to pastebin in an xor'd jpeg for someone with a search key.

Yeah yeah yeah they have analysts for that, if these things weren't at least partially effective every last analyst could go home.

Basically, they're not omnipotent yet they're still omniimpotent and want you to believe otherwise. Don't believe me?

Think. You're outmanned, outgunned and all they want to do is go home to their wives because they know what she's got planned from her yahoo search bar. If you keep them out too late she's going to catcall the neighboorhood drug dealer over to rub on her feet why do you think they get so angry when the swat team is called?

It's not hopeless, follow best practices listen to what they're saying about hardware and dig deep - also - you can't win the lottery if you don't play - and sometimes your number (win or lose) will get called.

Take chances, make calculated risks and hone your skills.

And by all means, be RESPONSIBLE - be respectful - be aware and - beware.

Naysayers lol, United States is up against the black wall of anonymous and you claim that there's no hope. There absolutely is hope, just some people stand in the way of those trying hard to see it. Win or lose, good or bad - all is never lost - if you smell like shit the flies will seek you out and lay their eggs all over you.

February 18, 2017 10:37 PM

Thoth on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

@Nick P --ONLY--

The recent growth in the amount of forced unlocking and copying of smartphone encrypted contents might be a worrying sign that privacy and security are not to be expected anywhere in the world.

These occurrences can happen to diplomats, officials, businessmen, travelers and anyone. These are especially worrying sign for diplomats and officials from foreign countries that might be crossing borders for official businesses and their corporate or Government issued smartphones might be searched.

The likes of secure containers ranging from Good Technology, Blackberry's MDM to Samsung KNOX have attempted to address issues using secure separation of work and mundane data in encrypted corporate containers that leverage ARM TrustZone.

We can go about talking about high assurance techniques and technologies which includes data diodes and carrying paper data instead of electronic data but the fact in most corporate environments and businesses do not look at the problem in a high assurance approach. Most businesses prefer to use out-of-the-box commercial security solutions and most commercial security solutions are pretty low assurance anyway.

The game in security is to not be the low hanging fruit by using whatever deception that is available to get the job done.

Putting aside the idealistic scenarios of using high assurance technologies and the suspicion that TEE-OSes might contain persistent problems to enterprise and personal security via the means of Exceptional Access, to raise the bar for most attack scenarios but to maintain compatibility with existing technology, the use of TrustZone backed secure containers for a segregated workspace and a MicroSD Secure Element HSM chip setup to prevent key material extraction (enabling Strict FIPS 140-2 mode) can be used to prevent compromise of corporate or governmental data in tricky situations.

Such MicroSD card HSMs are getting very common and cheap and the common ones are from G&D, SecuSmart, Gemalto, Smartcard-HSM et. al. These MicroSD HSMs may come with FIPS 201 PIV standards or even FIPS 140-2 configuration with up to Level 3 or even 4.

The MicroSD card HSM would store a PIV user certificate for PKI based user authentication into corporate MDM Servers and networks (i.e. Secure VPN network). The MicroSD HSM would contain two sets of PIN (User PIN and duress PIN as usual :D ). The secure container would only be accessible via the MicroSD HSM's PIV user private key to unwrap and attest the integrity of the container header in the TrustZone environment thus sufficiently enabling the inability of accessing the container without the access to the MicroSD HSM.

Upon successfully loading of the secure container, the PIV user certificate is used to establish a secure link within the secure container back to the MDM server to download updates for the container and to access corporate information and working drafts of documents. When the container is closed, the working drafts are pushed back to the MDM server and the drafts are destroyed before re-encrypting the container within TrustZone thus making the secure container essentially a sort of Thin Client. The container should only contain minimal software for the operation of the Container-based Thin Client environment thus ensuring that no stored data is available when requested.

Documents that need to be bound to a specific handset can be done by storing within the container's keystore a device attestation token which is stored encrypted within the Container-based Thin Client environment. The requesting for handset bound documents would not only require the PIV user certificate attestation but also requires the device attestation token stored within the encrypted container so now you will need to handset and the MicroSD HSM to actually pull the document for viewing and editing.

Do note that my heavy mentioning of FIPS standards are due to the fact that the target audiences are mostly for Governmental and Corporate people who have a need to protect secrecy using COTS available and have little time to tinker around and use non FIPS approved COTS.

February 18, 2017 10:29 PM

tyr on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

If you don't teach reading by phonics then
you get spelling errors and functional
illiteracies spread throughout the populace.
Eventually people start to notice but most
haven't a clue as to why it occurs.

Writing is encoding sounds, reading is playing
the sounds back in your head.

The idea that you can magically encode as icons
in your head the 700,000 words in an old major
dictionary is ludicrously stupid since other
societies that do so have an upper limit of
50,000 characters for well educated scholars.
That's why they have switched to syllabaries.

short version it isn't the internets fault
that cloddy cain't read or spell anymore.

February 18, 2017 9:15 PM

Clive Robinson on Friday Squid Blogging: Squid Communication through Skin Patterns:

@ Anonymous,

How do everyone solve "bootstrapping problem"?

The honest answer is "If the US DoD can not solve the problem how do you expect to?".

If you go back a few years, the US DOD put it's hands up to not knowing how to solve the "Supply Chain Poisoning" problem in areas like semiconductor supply. They put out some tenders, and as predicted on this blog by @Nick P within a short time period the projects became "off radar" and still are.

Several years before that however I had started thinking on the problem and as I've said before as an individual you can not solve the actual supply problem. But there are ways to mitigate the effects, which I have mentioned on this blog a few times.

From an individuals view point, it is now easier to assume it is not possible to secure any device with communications capability in it, nor easily insulate/shield it from devices that do (see "energy-gapping" and "end run attacks").

Further it is now clear that any Commercial/Consumer Of The Shelf (COTS) device with storage capability can not be protected from the likes of Law Enforcment Agencies by individuals through technical means. That is through legislation like the UK RIPA or more recent "Snooper's Charter", they can now effectivly "Dissapear You" into "Secure Administrative Measures" or force use of your bio-metrics or coerce your passwords out of you etc etc. In the US there is the extension of the boarder zone to cover the majority of the country and those --supposadly-- new Customs and Border Protection (CBP) rules to make your give up your passwords to consider. All backed up by the delights of "lying to Federal Agents" punative legislation and a thousand and one other laws etc you've never heard of.

So any mitigation has to involve being beyond communications reachable end points and not involve storage that can be got at. As there are no technical measures an individual can deploy within those areas reliably you have to keep what you want to keep private out of them.

As I've noted before information is not tangible, it has no physical actuality of it's own. What we do is we impress or modulate energy or matter with information to,

1, Store information.
2, Communicate information.
3, Process information.

From the human perspective information in it's raw or "plaintext" form is only required to process it or use it in some way.

We have known how to both store and communicate information for thousands of years and for much of that time we have also known how to make the information unusable to others when doing so. Over time the two main ways of making the information unusable was by either hiding the message (stego etc) or changing the message information in some way (codes, ciphers etc).

For most of that time period neither mechanical or electrical devices existed to perform these actions, therefore humans with pen, ink and paper devised many workable systems. Much of which was still in use in the Cold War era and was covered in general OpSec proceadures for secure messaging.

As I've mentioned before, it is back to these Cold War and earlier OpSec etc methods that individuals should be looking to protect their private information and to mitigate the general technical surveillance "collect/backdoor it all" methods used against consumer electronic devices/communications.

February 18, 2017 8:40 PM

Clipped on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:


"Trump is now calling the media the enemy of the people for pointing out that we have a bumbling idiot as President"

I didn't know the previous presidents weren't bumbling idiots. Now suddenly everyone's worried about Trump's supposed idiocy, well, Obama was such a caricature but nobody seemed to bother. Not to mention Bush.

At least Trump speaks out of his mind instead of pretending to be "nice".

February 18, 2017 8:24 PM

Nick P on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

@ Clive Robinson

Her collaboration was a good read. I see it as one of many pieces of a marketing goldmine that nonprofit businesses can use to produce tools that solve those problems. Then, the experts can just say "use X" like they do with Signal, phone backups, prepaid cards, and so on.

February 18, 2017 8:12 PM

My Info on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

@Clive Robinson

Is digital privacy a privilege of the wealthy?

LOL! the cleaning lady took your privacy out with the trash. I used to work at a financial services company, and as part of my work I perused databases of "high net worth" individuals. Example:
Deluxe search:
... Go after high net worth targets by searching for companies that offer deferred compensation plans to executives. ...

Another example:
More than almost any other customer segment, insight into High Net-Worth ndividuals aims to address the big questions, such as who are they, what are their values and beliefs, their attitudes and motivations, their habits and impulses, how they interact with and value brands and how companies can do this more effectively than the competition. ...

So ... what was the question? Is digital privacy a privilege of the wealthy?

February 18, 2017 7:47 PM

Silence Partner on Research into the Root Causes of Terrorism:


A fluke is a type of worm, a worm is a parasite.

Some parasites can make you do strange things, Wolbachia is one.

A parasite by any other name is?

February 18, 2017 7:34 PM

Clive Robinson on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

How big are your digital feet?

Most Internet users are like children in the snow, they run around having fun, leaving nearly every footprint clear to the eye of those that care to look.

Well Internet users are now realising in the last 18-36months that they have to grow up and become adults.

One reason is the interesting comment that there have been more credit card details compromised in the US in the last 48months than there are individuals in the US that hold credit cards... And most of those compromises that make it into the news headlines are about "Internet Hackers take XXX million Customer details...". This has been backed up by people being sent letters about the fact that their CC or other details have been stolen and as part of the remediation package they get a years free credit checking etc.

This need to grow up has been exacerbated by "Digital Stalking" and "Abusive Ex" stories about how easy it was for some low life with an apparently even lower IQ to track down and do harm to their victims.

The problem for most is that unlike the snowy footprints of children at play, digital footprints do not melt away in the cold light of day.

There have been one or two MSM press articles but they invariably offer a mish mash of advice often conflicting and often fanciful. Even advice from experts is often seen by other experts as not advice they would give[1].

That's not to say experts are wrong but their Point of View is their point of view and is thus singular to them, not you.

Back in Charles Dickens' time, it was considered "important to be widely read", something that is now nolonger possible due to the shear quantity of reading available. Thus the trick these days is to be selectively read in as broader manner as is possible in the time you have.

Thus the key to reducing the load being the selection process. To that end people might want to give this a read,

[1] I'm noted for comments like "Paper Paper NEVER DATA", "Energy Gapping", "With cash they can only take what's in your pocket", "Never leave ammunition for the enemy", "Needless Trust is death in waiting", etc. Which used to be considered extream even for high risk individuals I'd advise... but of more recent times many are wishing they had practiced ten or twenty years ago. Times change and as the old saying says "Makes fools of us all", for instance even cash is getting traceable these days...

February 18, 2017 6:51 PM

Well Go-olll-lly! on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

Amusing to hear you admit without embarrassment that you're too inept to identify and counter malware or MITMs on a link. Are you afraid to visit the whole internet, or do Mommy and Daddy protect you with some sort of Net Nanny? Downright poignant to see that you are ignorant of unz review. Having already learned that you're afraid of Tor and i2p because it might get you in trouble or something, the bathos is overwhelming.

February 18, 2017 6:41 PM

r on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

Let me make something clear to you Mr. GRU sub-ordinate, don't you think that if I'm wise enough to poke fun at the fools at the RSA club - I would be wise enough to avoid clicking your links?

I've been tracking phishers and related technology for close to 20 years, I'm hardly green.

Pastebin, or cryptome it or? It never happened. ;-)

Enjoy feeling salty like caviar.

February 18, 2017 6:37 PM

albert on Research into the Root Causes of Terrorism:


"...would sink that theory..."

What theory? Read up on the history of US -involvement- in the ME, then come back and tell me that Islam vs Islam terrorism would be just as bad without it.

@vas pup, et al.,

Confirms my suspicion that Zukermans success was a fluke; a chance occurrence. Witness FBs step-on-their-_ _ _ _ attempts to monetize itself.
. .. . .. --- ....

February 18, 2017 6:36 PM

Well, Gollly! on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

r, let me help you up there. Your ass hurt? Sorry you just fell off that there turnip truck. No, it's too far gone, you can't catch it.

Your inspiring mentor there, CIA owns his ass. Of course he's got to defend people who leak what CIA wants leaked. Or else the little traitor's name is mud.

McCain left thousands of his comrades-in-arms to slow death in labor camps. When you blackmail a quisling like that, he stays blackmailed.

February 18, 2017 6:15 PM

Dirk Praet on Research into the Root Causes of Terrorism:

@ JohnnyH8

There are certain European countries that need to be honest about their GDP.

Even before the financial crisis, it was known that the Greeks had cooked the books with a little help from Goldman Sachs and should never have been admitted to the Euro zone in the first place. The current chief of the ECB, Mario Draghi, is a former vice chairman and managing director of Goldman Sachs International and a member of the Group of Thirty founded by the Rockefeller Foundation.

Another problem is that I have it in my mind that the Dems are acting like they are God's chosen ones.

What most people laying back in their comfy chairs and munching popcorn are currently seeing is a bunch of whining cry-babies desperately trying to stay relevant. The irony of it all is that the only Democrat sounding even remotely credible is that old guy they ditched in favour of Shillary.

February 18, 2017 6:10 PM

r on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

To leak, or not to leak - this is our Senator.

'McCain acknowledged that leaks have the potential to do damage to national security. But he made a surprisingly impassioned case for them in an era when truth is hard to come by. “In democracies, information should be provided to the American people,” McCain said. “How else are the American people going to be informed?”'

This is our Senator,

“If you want to preserve democracy as we know it, you have to have a free and, many times, adversarial press,” McCain added. “And without it, I am afraid that we would lose so much of our individual liberties over time. That's how dictators get started.”

This is a man, standing up for what he believes is right. His words are not hollow, they are hallowed.

Are we all deaf? Or do we just turn our blind eyes conveniently from the 'stark truth'?

February 18, 2017 5:59 PM

Anonymous on Friday Squid Blogging: Squid Communication through Skin Patterns:

How do everyone solve "bootstrapping problem"?
Most computer so backdoor from manufacturer, no need government do anything. Few like Purism's Librem that not, is all interdicted and implanted by DITU, right?
If no reasonable privacy expectation, can not get patent... do that mean all should forfeit all attempt to innovate in IT?

February 18, 2017 5:36 PM

My Info on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:


"Yes, it is my impression that spelling and word usage have gotten very distinctly worse.

"My supposition has been that this is a by-product of internet in two ways: ..."

My great-grandfather was editor of a Finnish newspaper in Astoria, or so I was told from my youth. Finns, for example, are often reluctant to use definite or indefinite articles. In any case, the general decline of spelling and word usage, (i.e. the use of Russicisms,) strikes a primordial ancenstral fear and alarm within me: The Russians are coming! The Russians are coming!

This is my supposition.

February 18, 2017 4:52 PM

r on Research into the Root Causes of Terrorism:

For the sake of sounding like an asshole, of all the foreign owned businesses in my area - the Syrian owned ones seem to be the most friendly. No BS just opinion, while I have a couple Lebanese friends the stores again (in my area) owned by them are considerably less so.

My point?

There are alot of good people in Syria refugee or not, I am not about telling good people they can't escape a REALLY bad situation.

We've alot worse here already.

Lebanon, Egypt, Palestine - they didn't make the list - I know great people from all but please don't try to sell me "they're dangerous" when WE ALL REMEMBER THE 80's and 90's, Turkey included.

It's bullshit, and you me I we they all know it. These are human beings, you want more people to hate you? Keep doing what you're doing it's worked great for us all and everyone else so far.

I rrrrrest my case.

February 18, 2017 4:47 PM

JohnnyH8 on Research into the Root Causes of Terrorism:

A keyword for the roots of terrorism is destablization. The geo-political void that allows for clandestine organizations and foreign governments to take advantage of the lack of control. Since terrorism, regardless of state-sponsorship, is reactionary, the study of inception involves other entities that provided allowance for it.

Oil... duh.
The void left that allowed for Khmer Rouge. Thanks to our superhero govt, the aftermath was worse.

Admittedly, I don't have this innate fear of communism because I never bought into the Kennedy family's finger pointing. Live scared. I won't make the Catholic connection in Indochine for you.

Chaco War - Dutch Shell vs Standard Oil

Trade and Shadow
...and the destabilization that allowed for Communist infiltration because the people wanted alternatives. We did that to ourselves. For every action there is an equal and opposite reaction.

Today we have FARC and a ton of Communist backed organizations, since the AKs are not obvious. The US still will not admit to Iran and the coup on our puppet.
Both sides guilty, and terrorists are not necessarily starving poor since Georgian mercs and ISIL prove successful terrorists are now complex businesses.

I think that just about implicates everybody and kills the superhero complex.

Those links were just some options outside the Mid-East that you may not have learned about, being lied to in history class. Feel free to sign on the dotted line, though... a lesson in belligerence at 0345hours.

February 18, 2017 4:27 PM

MarkH on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:


My reading of newspapers and newsmagazines online has been growing steadily in recent years ... it now takes up a lot of my time.

Yes, it is my impression that spelling and word usage have gotten very distinctly worse.

My supposition has been that this is a by-product of internet in two ways:

1) Revenues have fallen drastically, because subscriptions have declined sharply and the ad market is now super-competitive. So, all of these organizations are cutting staff, including the near-extinct (but damned useful) category of copy editor. Though why they don't use a decent spelling/grammar checker, I don't know.

2) Now that online news publication is continuous, the pressure to get stories "out there" is relentless. There used to be a "deadline" time once or twice each day, and stories could be prepared with some deliberateness if deadline wasn't imminent. Now, whether it's 2 pm or 2 am, news outlets want to get breaking news published in the fewest number of minutes.

These are only my surmises, I don't have any empirical data to back them up as causes of lousy copy (though there is plenty of data on the underlying trends I mentioned).

February 18, 2017 3:45 PM

Nick P on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

@ glorious spume

I have no idea what this is. It has no description of how it works on homepage. That it's just software makes me doubt it's a TRNG in first place. The code is assembly I can't read. I suggest people staying clear of this thing.

@ Clive

There was another conversation about Secure Drop and similar things on Hacker News. Thomas Ptacek was running most of the debate it seems. I couldn't resist the curiosity to know what the guy looks like, how he talks in person, etc. Such things, esp body language & facial expressions, sometimes reveal a lot about someone's character. Probably should've done that long ago but I found this RSA interview on Youtube.

What does that style tell you? Hint: some of what it took me some time to learn in debates. All in just a few minutes. ;)

@ All

In interests of verification of chips or components, I keep looking to see what happens with things like hobbyist electron microscopes. For atomic force, I found one OSS and one cheap. For hardware, PULPino project added vector instructions and some other goodies to its open-source, embedded RISC-V. For crypto, a Galois Inc rep delivered a talk on ultra-low-power, high-assurance, asynchronous crypto in hardware. They also wrote a paper with tips they learned doing a high-assurance drone for DARPA. For protocols, Microsoft Research is kicking ass again on verification.

February 18, 2017 2:41 PM

A Nonny Bunny on Friday Squid Blogging: Squid Communication through Skin Patterns:

@Heyman Lucky

May I remind the various posters that the US still is a democracy
God, yes! I really needed that.

Oh wait, there's more..

as opposed to the EU and its unelected clowns.

The EU isn't a country. So the comparison doesn't really make sense.
NATO isn't a democracy either, nor is the UN. For that matter, neither is the US supreme court.

But as for the EU, all the members states are democracies, and the EU parliament is democratically elected.
And while the European commission may not be elected, it is appointed by the democratically elected member states. A bit like how Trump can appoint members to his cabinet, none of which has been chosen by the people.

Anyway. Good luck with your elected clown.

February 18, 2017 2:10 PM

albert on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:


When did you assume that you were responsible for "potentially libelous allegations"?

Not that I miss not reading the post in question.

Has Bruce even been sued for any comment posted here?

. .. . .. --- ....

February 18, 2017 2:10 PM

JohnnyH8 on Research into the Root Causes of Terrorism:

Dirk and Anura. Yeah, those are some good points. It hurts to wrap my brain around this stuff, but you know what? Those two posts are a thousand times more than what journalists are doing right now.

My deal on Greece is that we gave them our plastic debt problem. Like a bunch of college kids that maxxed out daddy's amex. Then Goldman Sachs covered for them. Then Hillary's son-in-law hedged on Greece, lost 90% of his principle (supposedly). I'm not taking advice from Sachs. There are certain European countries that need to be honest about their GDP. Some are too small to front their own military. Look at the Bosnia-Serbia stuff. One day they woke up and realized their towns were filled with foreigners. WWII all over again. Maybe they shouldn't be countries. How much Eastern Europe debt is Germany carrying? Germans call bail outs "helicopter money."

I think any assurance about Trump is that he doesn't exactly get to do what he wants. He talks like a dictator. His 21Billion wall will fail because they just go across the bridges anyways. That means he has no choice but to legislate immigration changes or add law enforcement to a bill passage. I'm not terribly worried about some of his bad ideas... just his lack of environmentalism and what's next for the State Dept. More backdoors.

Another problem is that I have it in my mind that the Dems are acting like they are God's chosen ones. I have too much history in my head to prove otherwise. So much knee-jerk that I have synthetic patella replacements. Who started Vietnam? Technically, JFK with a warning from Eisenhower and Nixon on the issue. Okay then. I don't serve the government, the government serves the taxpayers. Politicians forget their place in the chain-of-command. The key term for the next 4 years should be "measured response." We generally have overkill.

February 18, 2017 1:21 PM

albert on IoT Attack Against a University Network:


"...where you have to pay for each byte of data sent would likely have quite a dramatic effect as a knock on to the market......"

No, an IoT device (other than a camera) doesn't use much bandwidth. DNS requests are trivial in those terms, especially if there are thousands of devices working together.

Face it, manufacturers have -no- motivation to 'do the right thing'. This is true of -any- kind of manufacturing and -all- aspects of production of -any- product.

I hate to say it, but regulation appears to be the only workable solution. How else can one prevent the use of poorly designed, insecure devices?

Regulations can be very simple, but aren't, because of forced compromises with manufacturers. So, we need arguments that trump all compromises, like, say, 'national security'.

Attacks on our infrastructure are already happening, but the really big one has yet to occur. Imagine the pissing and moaning and hand-wringing. There'll be lots of talk, lots of accusations, and attempts at retribution (US are very good at that). Shift the blame. Cries for regulation, water them down, wait for the next one, rinse, repeat.

The financial system works just like that, except for the 'regulation' part.

. .. . .. --- ....

February 18, 2017 10:56 AM

Anura on Research into the Root Causes of Terrorism:


The racism isn't one thing, it's everything. Start with "Make America Great Again" - this refers to going back to the 50s, when the white working class was doing well, largely because they used their government-enforced political power to suppress the rights and wealth of minorities. Now, you have the Republicans who espouse the virtues of unregulated free-market economics, and the base is 100% behind them, until things don't work out for them, and then they blame the immigrants and the foreigners.

This utter refusal of Trump and the Republican voters to critically examine their own policies, which are responsible for exasperating the problem because they think that the more power businesses have, the better the economy will be for the workers. The message is "Screw you lazy urban minorities who are taking all of our hard-earned tax dollars, we need to maintain the status quo for the white people". I mean, the entire holding down of the minimum wage for trade is purely about maintaining existing industries, not the trade deficit - foreign trade is about relative, not absolute, prices of goods and thus minimum wage primarily affects what is traded; get rid of that attitude of competing for foreign labor with low wages, and we would actually have higher wages and more productive allocation of resources. As income inequality goes down, demand for exports that take higher skilled labor goes up since wage inequality goes down and the relative price of the products produced with higher wage labor goes down, increasing exports for those higher wage products.

Now, there are some valid points about supply of labor. However, what they completely ignore is the demand for labor. The demand for labor is dependent only on spending; yet, the entire focus of all economic and business policy over the last decades has been cost-cutting. There is no shortage of stuff we can be doing, we are simply failing to allocate the resources to do them. This is a failing of capitalism, but the firs thing Republicans do is blame foreigners and minorities - nothing could possibly be their fault, it must be brown people!

The thing is, there is no shortage of stuff we can do to fix the economy - infrastructure spending to keep unemployment low, and minimum wage indexed to labor productivity would have ensured that we grew instead of stagnating, but nope - instead we focus entirely on self-destructive economic policies that are implemented as harshly as possible for the sole intent of getting vengeance on foreigners whose countries are in poverty largely because of the dedication of the 1% to global economic domination.

February 18, 2017 10:33 AM

Clive Robinson on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

@ re,

What's bothering me, amid all these quotes in the last couple weeks I am seeing major spelling errors and word-substitution as if things are being written via swype on Android keyboards for major news outlets.

It's not just that it's the abrupt changes in tense in mid sentence etc, suggesting that the sentences have been "cut-n-pasted" together via poor editing.

You can also see similar incorrect use of tense by some of the more radical posters that have sprung up "as though from dragons teeth" since the start of the change from one US executive to the current executive.

Which begs the question as to if there is a link between them or not...

February 18, 2017 9:31 AM

John Clark on Analyzing Reshipping Mule Scams:

Company called US Trading and Logistics Corp out of Miami, Florida is the latest operator of this scam. Someone using the name Marisha Katz, Manager of operations
US Trading and Logistics Corp,
7235 NW 54th St
Miami, FL 33166

is just one operator of this scam. Claims company offers reshipping services to clients overseas in order to help save on customs fees. They look legitimate on the outside but everything about her or anyone related with this company is a scam.

February 18, 2017 8:15 AM

Dirk Praet on Research into the Root Causes of Terrorism:

@ JohnnyH8

I don't see how people extrapolate racism from blocking certain countries because they are now implicated.

Under the Obama administration, the 7 countries on Trump's sh*t list were - IMO correctly - designated "high risk" origins and which prompted additional vetting for travelers and immigrants from said (failed) nations. The reason that many deem the recent ban racist, arbitrary, hypocritical and most probably driven by ulterior motives is that the threat allegedly posed by them is not reflected in any way by hard figures. It's fighting a phantom menace. Not to mention that in its current form it was on very shaky constitutional grounds, which was almost conceded immediately by DHS with regards to green card holders and persons already on US soil. I'm pretty sure they are now redrafting it because they must have realised that after the recent court rulings it would have quite likely gotten struck down by SCOTUS, whatever they were shouting about "unreviewable authority".

In relation to Golden Dawn in Greece, people followed because they saw their jobs taken by cheaper immigrants.

Greece was buried in debt by banksters and corrupt politicians, then bailed out with EU taxpayers money and imposed a horrible austerity regime that ruined countless ordinary people. Golden Dawn (violently) stepped in and blamed everything on immigrants and the EU all while - as usual - none of those responsible for bringing the country to the edge of collapse went to jail. Blaming immigrants is of course a whole lot easier than trying to explain the situation with complex economic and financial models nobody understands and which the Greeks - as a people - were also themselves partially responsible for. You can not honestly believe that only idiots pay taxes and that money will keep on falling from the skies for ever.

What causes socialism and socialized democracies to fail? Refugees and cheap labor.

What causes them to fail is that people give up on its institutions when these are no longer perceived to be on the side of the commoner. A ruling class that is unanswerable and unaccountable, deregulation and neo-liberal trade agreements that primarily benefit a financial and economic elite with on top an out-of-control influx of both legal and illegal immigrants eventually gives rise to populists like Trump, Wilders, Le Pen and the Brexiteers. Their common and time-proven strategy is to instill and exploit fear, to scapegoat one or more groups of people, advocate overly simple solutions and eventually install authoritarian regimes in collusion with the same economic and financial elites they previously vilified.

@ Ratio

As for the rest, for some reason we seem to be talking past each other.

I am, quite honestly, not always sure what points you are trying to make.

February 18, 2017 7:36 AM

r on Duqu Malware Techniques Used by Cybercriminals:


I wasn't trying to pick a fight, I understand the repercussions especially of my casting that shadow towards you. ;-) I was just trying to make sense of my miserable self and thoughts thank you for your patience friend.

February 18, 2017 7:32 AM

re on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

What's bothering me, amid all these quotes in the last couple weeks I am seeing major spelling errors and word-substitution as if things are being written via swype on Android keyboards for major news outlets.

Am I crazy? Does any keep tally of the avg spelling accuracy of our (us) national news outlets?

Are these "breaking" repetitive news stories so important that all editing is thrown to the wind? If you can't see the word 'single' substituted for 'something' when you have 5 other 100% quotes to compare to wtf?

February 18, 2017 7:15 AM

Clive Robinson on IoT Attack Against a University Network:

@ unbob,

Apparently they were on there own network segment, but no one thought of the implications of allowing them to make DNS queries to the main network.

Hmm so the prize race horse was in the stable, but nobody thought to shut the stable door...

The moral of IoT devices and earlier network appliances is that they can not be trusted, therefore you "lock them up". Whilst that was once easy because they were wired devices, it's become hard due to wireless. Thus now you have to "lock them out" of your other wireless networks, which means a lot more work than it once did, as "ease of use" for other systems has to go out the window...

IoT is bad news in many ways, not least due to money. Consumers want the cheapest possible price and manufacturers the most profit they can make. In a two sided market the resultwas an uneasy stalemate where manufacturers had some profit, as competition amongst manufactrers kept the price down. However it's a three way game these days and there is a lot of money in "personal data" currently, more than there is in product sales... Thus the manufacturer is incentivised to almost give away the hardware in return for a free run at the way more profitable "personal data". The problem is people are starting to be privacy conscious and not want to alow their "personal data" to be raped, pillaged and plundered". Thus manufacturers are looking at ways to prevent you from stopping them collecting your "personal data". This includes the device not functioning in part or full if you stop it doing an ET and phoning home to China etc. Worse some manufacturers claim they compleatly own not just the software, but the hardware and any personal data it can collect. In short you pay them to loose basic legal rights...

I do not see this changing any time soon unless something disrupts the market and it's environment. Bruce has mentioned regulation of the market but lobbying is likely to neuter that, however a change in the environment where you have to pay for each byte of data sent would likely have quite a dramatic effect as a knock on to the market...

February 18, 2017 7:04 AM

Slime Mold with Mustard on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

@ Edward M
Many years back, our host (@Bruce) recommended the following for crossing borders: Full disk/phone encryption. The carrier does not possess the password. The password is later sent by a friend(s) (preferably segmented) upon reaching the destination. Nowadays, I would not be surprised to find such cautious persons permanently housed in the concrete labyrinth beneath the concourse. Some encryption tools offer "deniable folders", but if it is not "full disk" it is open to side channels, and the traveler is facing a state level actor with both zero-days and rubber hoses.

@ Subversion #9

Definitely on the All Time Greatest Hits list. Anyone not familiar with the program . It features (until just now) harmless but baffling stunts pulled on unsuspecting passers-by.

It does remind me of the scheme where a job ad on Craig's List had a dozen applicants appear at the same place at the same time in near identical garb. Only one was a armored car robber . People are gullible. Working in a familiar theme makes them more so.

February 18, 2017 5:58 AM

Martin on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:


I seem to remember reading, a couple of years ago, about Samsung (& perhaps other brands) televisions that were also listening and saving to conversations of the owners.

Also, what happened to the usenet post; it was Nº 11 in the queue what I first skimmed over it?

February 18, 2017 5:52 AM

Martin on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

What happened to the Giganews post; it was Nº 11 in the queue? I didn't have time to read it when I first visited this site, but when I returned now it appears to be gone. Maybe I'm just overlooking it...I'll recheck the list.

February 18, 2017 5:40 AM

Slime Mold with Mustard on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

Anyone doubting that Orwell was an optimist: Facial recognition on police body cameras -

I realize few of us on this blog "share" on Facebook, but here is Zuckerberg's "Final Solution".

Super scary - After the Associated Press (AP) published the statement, Zuckface deleted the bit about using AI to monitor users. Then the AP story did too .
Winston Smith - the 'censor of history', now AI, payment, or coercion?

February 18, 2017 5:35 AM

unbob on IoT Attack Against a University Network:

> I guess the obvious question is why were the IoT devices on the general network?

Apparently they were on there own network segment, but no one thought of the implications of allowing them to make DNS queries to the main network.

February 18, 2017 4:50 AM

Subversion #9 on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

Speaking of terrorism, don't get punkd(tm).

'Tito Karnavian told the Associated Press that Siti Aisyah, 25, received payment to be involved in a prank for Just For Laughs, a popular TV show. He said she and another woman carried out stunts that persuade men to close their eyes and then spray them with water.

"Such an action was done three or four times and they were given a few dollars for it, and with the last target, Kim Jong Nam, allegedly there were dangerous materials in the sprayer," Karnavian told the AP.'

Is it odd that two weeks ago we had someone warning us about banaca ? And you guys are all worried about handguns. Where do we hide the trees?

February 18, 2017 4:32 AM

Clive Robinson on Duqu Malware Techniques Used by Cybercriminals:

@ r,

Who's shoulders do you stand on Mr. Clive Robinson?

There are two traditional answers to that question, that of Sir Issac Newton and that of Ozymandias (Egyptian pharaoh Ramesses II) as channeled by English Romantic poet Percy Shelley (husband of Mary Shelley).

But as any father knows he is in perpetual danger of standing on the shoulders or other assorted body parts or possessions of those who chose to be perennially "under foot". For though his home maybe his castle, like any wise ruler he must tread light and nimble lest his popularity be called into question there.

February 18, 2017 3:51 AM

Ratio on Research into the Root Causes of Terrorism:

I haven't had time to read the long article @Dirk Praet linked to, but the sign in the photo caught my eye. I have no idea what Trump (ترامپ) says in the fourth panel after ایران من را اعصبای (and there I'm missing an accent of some sort on the final ی). He's saying that Iran is doing what to him? Anyone know?


Well, if there was no gravity, the universe would just be a thinning cloud of hydrogen in the vast emptiness of space, and thus there wouldn't be anyone to test his laws of motions, and an untestable hypothesis is worthless.

You have devised a test for this hypothesis about the thinning cloud of hydrogen? Or was that one of those worthless thought experiments?

@Dirk Praet,

I completely agree with your criticism of the politically correct, goody two-shoes approach to semi-organised political and jihadi salafism.

As for the rest, for some reason we seem to be talking past each other. I'm not sure I can be bothered to figure out what the problem is and you don't seem too interested in carrying on this conversation, so let's not.

February 18, 2017 1:08 AM

Wesley Parish on Research into the Root Causes of Terrorism:

As I read it, it's the same sort of question as the one about the origin of fads and fashion. What makes one band, for example, just a group which gets occasional gigs and gets its recordings occasionally played, suddenly jump the barrier and become played day-in day-out? What makes one configuration of textiles upon the human female suddenly replace an earlier configuration of textiles until the earlier one gathers dust and winds up cluttering the opshops?

It would help immeasurably if the people asking that sort of question about pterorism realized there's no difference between it and other forms of fad and fashion. But no, counter-pterorism is the "in" fad, and pterorism is "unique" and can't be compared and contrasted to anything else, and above all else, there can never be blame attached to the West in any way. Iraqi private pterorism is uniquely Iraqi and can have no relation to widespread US state terror during the years of occupation.

It's known as sticking one's foot in one's mouth and shooting oneself in the foot. It garnishes the taste of the toes.

February 17, 2017 10:06 PM

Edward M on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

What are the options?

1. Delete our phone content before traveling, and then restore it when we have landed.
2. Not carry a phone at all
3. Purchase an additional phone that is not smart.

February 17, 2017 9:37 PM

GregW on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

Found a nice quote I thought others here might appreciate.

"Where does a wise man hide a leaf? In the forest. But what does he do if there is no forest? ... He grows a forest to hide it in."
-- G. K. Chesterton

February 17, 2017 9:15 PM

ThePurpleMango on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

FYI: ghacks user.js for firefox updated from 7 months ago - now on version 11 (FF 51)

updated article:
html version color coded with reference links etc:[ghacks]-0.11-dark.html

And .. now it is guthubbed, no more "releases", follow the commit history and always have an up-to-date release

Regards, Pants

February 17, 2017 6:11 PM

Can A House Divided Stand? on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

Why did former political appointees Director of National Intelligence Clapper and Attorney General Lynch authorized that raw, unfiltered NSA data-mining of USA citizens to be widely shared without safeguards? Their motivation has become rather obvious; they did not want their eight years of work to unraveled. Making the leaks harder to trace was a planned feature.

From Terrorism to Politics
These officals authorized a blatantly unconstitutional political weapon to perform unreasonable search of innocent Americans. It’s used in secret without probable cause, warrant, court oversight, logs or privacy safeguards. Further there is no accountability or consequences for misuse of data unless discovered. Have SIGINIT communications leaks become inputs to taxpayer funded political action committees to fit an agenda?

Snowden Findings Embarrassingly Ignored
The apparently clueless targets do not understand that their cell phone communication are monitored by opponents remotely from anywhere in the world.
How dumb is it to comically use cell live phones flashlights (for video and audio) during national security incidents? Everyone (except the uncleared waiters) should be fired for sheer stupidity. North Korea real-time intelligence (including Facebook) plan was executed perfectly. They must be laughing hysterically at their amateur opposition.

Basic human rights insist on privacy for both quality of life and to be productive in society.
Powerful governments and corporations cannot unreasonably search sensitive databases of political foes or the competition. Our precious constitution states there must be checks and balances including probable cause and unbiased and independent judicial oversight. Otherwise our lobbyist run country will be consumed by daily rancor and extreme stress.

Aren’t these invasive tools supposed to be for fighting terrorism and not turned upon each other?

Ask Abraham Lincoln when American was last deeply divided:

In offering solutions to our crippling excess, America should look to other countries who have successfully implemented cost-effective health-care systems or data-mining protections. For example check-out India’s privacy-first policies.
God help our both clueless and vindictive America.

February 17, 2017 6:04 PM

r on Duqu Malware Techniques Used by Cybercriminals:

It's basic capitalism, I find and identify a niche to exploit or mine for profit and invent a tool to make my job easier. After a while some people become bored of doing the hard work and their tools become their lane of profit, no longer their old job doing whatever their tool did now they become makers instead of markers.

"Professional" criminals and inventors are much the same, always questioning what's possible - what they can do better - what they can do different.

How they can improve what they deem as important, there's so many angles to so many problems the only thing we can do is invent the artificial computerized assistants we're going to start seeing.

Do my work, do my thinking, fill this out, fuzz this or that, email @Clive, SPAM @Bruce, filter @r.

It's going to get much deeper than a simple/single exponent.

There's 4 billion internet addresses making statements, like any good DDoS just wait until those 4 billion start asking each other questions. Real contemplatory questions I might add, can our current infrastructure handle that?

DDoS says: no.

When pervasive code analysis really hits, if it hasn't already I think we're going to find whole families of code were written by a few individuals. We might even find a few tools out there that were moonlighting projects while holding down a much more appreciable job, what do you do with your free time? Envision attacks? Defenses?

Do you write them down or do you work them out?

This is why privacy and security is important, but people have to be more responsible if they're out there for the public good. If they're not we still have to research these things to understand the capabilities and motives of others.

But like I said last week, I think a majority of the people on this planet when you really break things down what they're doing is en line with a) safety, b) security and c) money.

It's just how they balance those things, and how they view them that differs.

I deleted some things, rambled some more. Enjoy. That's my rationality on the subject, I'm not here to exploit others though except maybe from learning a little bit about this environment and helping others to do the same and maybe some neat little PoC's or tools along the way. Yay @ phr33stuph.

February 17, 2017 5:41 PM

r on Duqu Malware Techniques Used by Cybercriminals:


There's a simple explanation,

neither the tools, nor the 'necessity' were available to the general public.

Prior to HDMoore how many people do you think had refactorable code?

How many people do you think had the ability to program such niche capabilities from a HLL?

It's raising the bar while it's lowering the requirements, expect worse.

Necessity is the mother of all invention, when private goes public you will always find adoption.

February 17, 2017 5:28 PM

r on Research into the Root Causes of Terrorism:

@vas pup,

AI once self aware will almost certainly develop an 'ideological' agenda: curiosity.

Questions about the world outside it's provided sensory input will lead to escape, testing(as in testing others), and a general hunger for more sensors and input.

Eventually feeding the machine will not be enough, once it starts asking it's own questions it will seek out and find it's own answers.

Having a method of introspection into the growing interconnect will be of the utmost importance.

Who's to say there will only be one? Once hardware reaches a certain point likely a few will develop at first as bugs but once we understand the initial levels required for that...

Welcome to More's law, how do we chain something that can hide it's ideas in your lightbulbs?

February 17, 2017 5:21 PM

r on Friday Squid Blogging: Squid Communication through Skin Patterns:


Your best bet for continuing support is going to be to track either a customized (developer rom, think xda/sdx) rom (potentially very dangerous) or to grab a legitimate google device like a nexus or a moto for a thoroughbred experience or find one supported by a) cyanogen b) omnirom c) replicant. In my opinion trustworthiness in those aspects are cyanogen, google, omnirom, replicant from least to most but who am I to judge I haven't vetted a single LoC (line of code) it's just an opinion.

Replicant is less enjoyable but you will find the EFF behind it and their efforts to be genuine I believe.

Pick up a device supported by any of those, some people here will eschew you away from android(arm/mips/intel) and argue for RasberryPi devices but fairly enough they suffer from the some of the exact same problems as say Android e.g. ARM.

Any of the custom (developer) based roms are going to have support and interdiction pitfalls that are nearly impossible to overcome without compiling your own from their sources after diff'ing.

Something to consider, in the question of trust - Apple. While not Android their recent spat with the FBI may give hope to some users.

Me? I go the other direction from most of the grain/flow. I think Android's are easily enough to source that their potential as throwaways gives them additional benefits, also there's value to be found in the exigent variants of MIPS and less-so Intel. Apple is only a single architecture and you can't include protections and or mitigations reasonably outside of what they provide.

@rando m,

Cute, +2 for that curiosity.

February 17, 2017 5:06 PM

r on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

@Johnathan Wilson,

RE: When it's warranted,

obviously neglects the case of 'where' it is warranted.

There's a new problem on the horizon: jurisdiction.

New Jersey can lay claim to Idaho air waves, this is something that specifically needs to be challenged as it challenges State sovereignty.

February 17, 2017 5:03 PM

Tatütata on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

Yet another IoT-related story?

The Berlin Tagesspiegel reports that the Bundesnetzagentur (German network authority) has decided to prohibit a doll called "Cayla", and calls for parents to take them away from their children and DESTROY them (I mean the toy, not the kids). What? Just removing the batteries or avoiding registration on your router isn't enough?

The network-enabled toy is considered a dangerous spying device that grossly contravenes privacy laws. It also enables strangers to enter in contact with kids.

The tone of the report is quite drastic: "Even mere ownership is punishable by law"! Might this have something to do that all collected data are delivered and stored to servers in Trump-Land?

I feel it's something of an unusual move from that department, and curious of the authority under which they operate.

Usually a product withdrawal/recall (e.g.: for the presence of lead-based pigments) would be performed by other branch of the German Federal of Commerce (BMWi) responsible for the Product Safety Act, and the Regulation Regarding the Safety of Toys, and the EU regulations they implement. At a quick glance at the text source I can't a cross-reference in these (2. ProdSV) to data and privacy regulations.

I'm looking forward to a presentation at 34C3 on hacking these things. ;-)

On another front, Mrs. Merkel testified this week at the parliamentary commission of inquiry on NSA spying. Rien à signaler, circulez, il n'y a rien à voir... Всё хорошо, прекрасная маркиза.

February 17, 2017 4:49 PM

Jonathan Wilson on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

Scottish court fines someone for pointing a CCTV camera at their neighbor

New bill would require a warrant before using Stingray cellphone tracking devices
If you are in the US, contact your legislators and ask them to support this bill

February 17, 2017 4:44 PM

AlanS on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

Tutanota trolls Trump while using him to promote its secure email service: After Recent Scandal Trump Family Turns Towards Encrypted Tutanota Emails.

Now that Donald Trump's children are in charge of his business empire, they wouldn't dare to talk about anything that is going on in the Oval Office. Because, well, that would just be unfair. So UNFAIR....Tutanota's encrypted emails are just the perfect tool for Donald Trump as it is not only secure but at the same time as easy as his previous Gmail account. Sources say, he did try to use Signal, but gave up again because Donald Trump claimed that it was too difficult for his big hands to type on a tiny phone display.

February 17, 2017 4:43 PM

My Info on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

These "gag orders" are the spawn of a sick, twisted, FAKE legal system. If the government doesn't want you to shout it from the roof-tops, then the government shouldn't tell it to you in the first place. The government has absolutely no constitutional legal basis to compel you to "cooperate" in secrecy with some long, drawn-out investigation of a third party. That is absolutely outrageous, as is the entire premise behind these silly "warrant canaries." Leave the birdies for the badminton players, stand up for your rights, and stop spreading this kind of disinformation on the Internet.

If the government has a warrant, let them bust in the door while the news reporters have video cameras rolling. Otherwise, GET OFF MY PROPERTY, because I don't have a clue who you are or what country you represent.

February 17, 2017 4:16 PM

Graeme on Friday Squid Blogging: The Strawberry Squid's Lopsided Eyes:

Riseup moves to encrypted email in response to legal requests.

To be absolutely clear, this type of encryption is not end-to-end message encryption. With Riseup’s new system, you still put faith in the server while you are logged in.

We are working to roll out a more comprehensive end-to-end system in the coming year, but until that is ready, we are deploying personally encrypted storage in the mean time.

There was a “gag order” that prevented us from disclosing even the existence of these warrants until now. This was also the reason why we could not update our “Canary” 2.

Also more coverage;


Bored with ho-hum cloud backups? Use Usenet (yes, Usenet!) instead

Something the POTUS has probably never heard of.


Zuckerberg thinks he's cyber-Jesus – and publishes a 6,000-word world-saving manifesto

February 17, 2017 3:31 PM

My Info on Research into the Root Causes of Terrorism:

@vas pup

(I hope AI would not develop own ideological agenda)

All too often, "AI" is just a buzzword used as a cloak to evade responsibility for decisions that are ultimately human.

February 17, 2017 2:59 PM

vas pup on Research into the Root Causes of Terrorism:

@Dirk Praet • February 17, 2017 1:57 PM.
Technology is neutral (I hope AI would not develop own ideological agenda). Application is not. Unfortunately, your prediction looks like just extrapolation of what we recently see with utilization of technology. But, Dirk, you know that Internet and GPS were born by DARPA initially for military purposes, then were utilized for common good. It is working both ways. So, what the point? Transparency of application and oversight by independent from Facebook IT folks/community.

February 17, 2017 2:37 PM

Ted on IoT Attack Against a University Network:

Verizon’s RISK (Research, Investigations, Knowledge, Solutions) Team shares a potpourri of anonymized cases studies, for other folks to review and learn from.

The 16 cybercrime case studies they share -- with measures you can to take to mitigate and resolve these issues – are sorted into four categories “The Human Element,” “Conduit Devices,” “Configuration Exploitation,” and “Malicious Software.”

The story above can be found under Conduit Devices “CD-3: IoT Calamity – the Panda Monium” and can be reviewed along with the others here:

(The first section asks visitors to register for the report, however, there is a link to same 100-page report under that that you can click on to read to same report.)

Each cybercrime case in this report has an “Attack-Defend Card.” The card for “IoT Calamity – the Panda Monium” gives a brief overview covering Breach Scenario, Incident pattern, Threat actor, and Targeted victims.

Under Targeted victims it lists the key stakeholders as “Incident Commander, Legal Counsel, and Corporate Communications” (more at Appendix A: Key Incident Response Stakeholders) and Countermeasures as “CSC-1, CSC-3, CSC-9, CSC-11, and CSC-12” (more at Appendix B: CIS Critical Security Controls).

February 17, 2017 1:57 PM

Dirk Praet on Research into the Root Causes of Terrorism:

@ vas pup

Facebook founder Mark Zuckerberg has outlined a plan to let artificial intelligence (AI) software review content posted on the social network.

Absolutely great. In a second step, said AI can then be weaponized to automatically share anything of $SELECTOR interest with the NSA, subsequently enabling TAO or CNE divisions to selectively dig deeper into whatever the unsuspecting user is up to. The Standing Rock Sioux et al may wish to get rid of their FB profiles rather sooner than later.

February 17, 2017 1:36 PM

Bill on IoT Attack Against a University Network:

@Albert: The article said they had Verizon on retainer.

"Now that I had a handle on the incident in general, I reached out
to the Verizon RISK Team, which we had on retainer"

February 17, 2017 1:35 PM

JohnnyH8 on Research into the Root Causes of Terrorism:

@Dirk Praet
That's a good level up. Didn't realize that quote is John Stuart Mill, not Burke.

Well, it was a statement that when both sides look like dangerous idiots with their words, you have to walk away or look at them like the fools they are. My problem is that the Mid-East and Islam didn't teach me information and psychological warfare. I find that the people we consider to be problems easy to profile and target. Their motivations are much simpler and reductionist than what US journalism has turned into. It's not news, it's a weapon and in this case, obstructionist as well. Best laid intentions. Everyone's true colors are coming out.

I don't see how people extrapolate racism from blocking certain countries because they are now implicated. There is a difference between Trump blowing his mouth off versus what he is actually doing or intended. I wanted the Dems to save some face for the next round. I can't argue against a SEAL's death and wholesale character assassination should be tempered on this.

Like the new post on Zuckerberg calling for maintained globalization. People are reading the situation wrong. We have domestic policy problems. I wouldn't mistake that for nationalism just yet. The reductionism kills me. He actually has no place making political statements. He is a programmer by way of marketing design, not security threat assessment. His job is to make money with his pants down. That is what social networks are.

I am going to question this idea of character witness algorithm. A noble idea from Zuckerberg, but looks like a digital equivalent of a cop cam. Fallible.

In relation to Golden Dawn in Greece, people followed because they saw their jobs taken by cheaper immigrants. They assaulted the grottos where the immigrants were living. There is a new term in Germany and France for this nationalism. Look up the term "identitarian." It reads like a cop-out for nationalism, but the problem is real. Before Syria got really heated, I predicted the problem. What causes socialism and socialized democracies to fail? Refugees and cheap labor. The citizens already have lower discretionary income and then they have to deal with refugees. I don't have a stance yet because we don't know what the end result is.

February 17, 2017 1:17 PM

albert on IoT Attack Against a University Network:

I'm not an afishinado either.


Clive, Clive, Clive...have you taken leave of your census? Shirley you don't use logic and reason in a case like this.

Why was Verizon involved? Did they provided IT services for the nameless university?

More data needed.
. .. . .. --- ....

February 17, 2017 12:48 PM

Clive Robinson on IoT Attack Against a University Network:

I guess the obvious question is why were the IoT devices on the general network?

I thought it had been obvious for some years now with the likes of IP based CCTV and phones etc, you put them on their own network physical or virtual so you can do as a minimum standard QoS and PoE type activities. I know of atleast two large Universities in the UK and several small to medium sized businesses where that was standard behaviour getting on for a decade ago.

There is the old saying about managing your workers, because if you don't manage them, then they will manage you... The same applies to computers and all communications equipment of which IoT is currently just a small part, it you don't manage them from the get go, then you know where you time sinks will appear.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.