Recent Comments



November 19, 2017 12:15 AM

Clive Robinson on Long Article on NSA and the Shadow Brokers:

@ Anders,

This means that there was a lot more information than the journalists got.

That is supposition on your behalf. The only person who knows what Ed Snowden liberated from the NSA archive systems is in all probability Ed, and that only in a general sense. Likewise what was actually distributed is known only to Ed and those he gave them to, either for use or safe keeping.

Those he gave to Glenn Greenwald we indirectly know --from others Glenn showed them to initially-- exceed those that have so far been published. Realistically we also know that of...


November 19, 2017 12:07 AM

ID on I Seem to Have a LinkedIn Account:

So Bruce Schneier does work with Joel Harding - a notorious social media low-life troll and teen porn peddler and his equally abominable cohort? Otherwise he would not have removed the references to sources re online activities of the latter some of which are either criminal or administrative offenses - impersonating federal government officers, fishing personal data, hacking social media accounts etc....


November 18, 2017 9:37 PM

hmm on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

What about remote exploit of default IME configurations in the wild?
They originally didn't even require any password. RTN key without pw got IME root. (!!)

Imagine all kinds of mickey mouse obscurity magic packet crap is enabled by default?
Someone is fuzzing the hell out of it as we speak. What happens when they get it?
Intel CPU-ring level wormware that nobody can secure themselves from?

Nobody would have any way of noticing in OS land. Careful net snorting maybe at the firewall/NAP/router level, and then you'd have individual malware-specific...


November 18, 2017 8:20 PM

65535 on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

This is the hack that started the above discussion. It is a fairly big hole in the ME part of Intel's chips.

Proof of concept attack via JTAG - USB hack:

"Attack allows execution of unsigned code via USB"

The Intel Management Engine goes unnoticed by most users, but the subsystem plays a very important role in Intel-based systems. Since 2008, nearly every CPU released by the company comes with the IME which some call a computer within your computer... Positive Technologies, can execute unsigned code on nearly any computer running the IME through USB. The attack works...


November 18, 2017 8:05 PM

65535 on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

Here is a discussion between Anders, Clive, and 65535 about the use of Win2K Pro or Win2K Server as an alternative to Intel's new chips, including Skylake and newer Intel processors, which seem to have a relatively big back door via a successful proof-of-concept USB-JTAG hack associated with scamming Intel's ME/AMT out-of-band system. This hack can take over the Intel ME system and the entire MS OS. It should be fixed.

Anders and Clive R. use Win2K systems to avoid many hacks. We were discussing the possibility of using Win2K as a usable solution to the problem of many of the new hacks....


November 18, 2017 7:54 PM

65535 on Friday Squid Blogging: Squid Season May Start Earlier Next Year:

@ Clive R.

When is USB1 or USB2 or USB3 over a serial connector such as the straight DB9 [DE9] null modem or straight, better considering the building complexities of USB? I have many other questions.

I am going to link this post forward to the new Squid thread so more eyeballs can look at it.

See you on the new Squid.

November 18, 2017 6:07 PM

Anders on Long Article on NSA and the Shadow Brokers:

@Clive Robinson

Do you remember on what conditions Snowden was granted the asylum in Russia?

“If he wants to stay here, there is one condition: He must cease his work aimed at inflicting damage to our American partners, as strange as it may sound from my lips.”

This means that there was a lot more information than the journalists got. Since the NSA didn't know what exactly Snowden took with him, stopping publishing the materials helped the Russkies - now the NSA doesn't know what the Russian agencies got to know by getting access to the whole Snowden trove.

November 18, 2017 5:59 PM

Clive Robinson on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

@ Albert,

They were drawn and quoted.

The old joke said "Hand drawn and quoted" to match "Hung, drawn and quartered".

A process I have described before, along with gelding and gouging, and one or two other entertainments from the time...

However the one that sticks most in my mind is "boiling alive" not because of the process but the reason given for the punishment originally. A cook allegedly poisoned a noble man and his family and the King decreed that "as he had killed by cooking he in turn should be killed by cooking" on the "eye for an eye" principle.

November 18, 2017 5:54 PM

neill on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

@Iggy

i was just playing with john glenn's remark made during his historic flight when he said "ZERO G's and i feel fine"

just deleting your photos will not get them off FB servers ... but feeding them more will dilute their datasets, possibly to the point where they are no longer valuable

e.g. 3 pix with your face tagged = it's you
300 pix with faces = ???

November 18, 2017 5:48 PM

Clive Robinson on Long Article on NSA and the Shadow Brokers:

@ Anders,

    ... it will be possible to identify those very brave people in countries where if you spy for Britain you get killed.

Yeah well, senior US politicos think nothing of naming assets, agents and officers.

So "The Special Relationship" the Brits continuously get told about is only special in that the Brits are not supposed to complain when a point scoring idiot in one of the US houses flaps their gums and a source gets burned or a trial gets blown out of the water.

Ed Snowden did not reveal any names or anything else, he handed the trove...


November 18, 2017 5:36 PM

Anon on Who Are the Shadow Brokers?:

Their English doesn't sound like it's coming from a foreign speaker. It sounds like an adult doing baby-talk. Whoever is behind it is trying to obfuscate their speaking patterns.

November 18, 2017 5:27 PM

Clive Robinson on New White House Announcement on the Vulnerability Equities Process:

@ Douglas Coulter,

We all know that simply revealing something doesn't create a patch, and further doesn't get that patch installed.

Let's assume that they do reveal; you'll note that the "commercial equities" is number three on the list. Which almost certainly means that any reveal they do make will not be public but to the commercial entity which has made the code etc. error.

This means there will be no incentivisation for the company to do anything unlike the "responsible disclosure" process. Further they might only release an interim work around...


November 18, 2017 4:30 PM

Tor, Tails, & Tor Browser w/o Tor on Motherboard Digital Security Guide:

@Anura

"For those of you that use Firefox, be aware that with the latest update many extensions, including NoScript, will no longer work and will be silently disabled."
https://www.schneier.com/blog/archives/2017/11/friday_squid_bl_600.html#c6764184

I found this, but haven't tried it, w/ or w/o a VPN.

"11. Use the Tor browser with a VPN (instead of the Tor network)

Tor (which stands for The Onion Router) is a free software and open network that has...


November 18, 2017 2:41 PM

albert on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

@Wael,
You may ask a friend.
..
@Winston,
"AI is now officially a religion." I like the sound of that. You meant 'Ai'? I'm so disappointed.

We won't really need Ai in the future, except in the IoT. When you have a nation (a world?) of fleshybots, 'thinking' becomes unnecessary, and even dangerous. Robert Sapolsky didn't say so, but he implies that someday, specific undesirable behavior may be controllable with drugs. The next step is genetic modification (GMH) to ensure 'consistent' and 'reliable' behavior.

IT IS ONLY THEN, THAT WE WILL ACHIEVE...


November 18, 2017 2:13 PM

albert on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:


"In Medieval Times, how were punners punished?" (see what I did there)

"They were drawn and quoted."

-------

"What is a mouse when it spins?"

Answer in the next Squid Blog.....


-------
This is one one can actually look up. Since y'all were 0 for 2, I made it a little easier. I gave you a Nelson instead.

. .. . .. --- ....

November 18, 2017 1:24 PM

John on Long Article on NSA and the Shadow Brokers:

@Anders
"It's clear as a day that everything Snowden had or did know at that time ended up on the hands of Russian three letter agencies."

Improbable.

You are assuming that a majority of operations are visible to Snowden and he knows the internal workings of the many tools that he obtained user manuals for, both of which are highly unlikely events given his tenure and educational background.

A couple of screenshots and instructions do not adequately explain how a tool actually performs, much like most sysadmins have no idea how to code a kernel. At the lower...


November 18, 2017 1:00 PM

David Viel on IoT Cybersecurity: What's Plan B?:

We're doing our part. ControlMQ, our secure middleware, allows product and integrators to build IoT systems that are secure against network attack. See more at:
www.cognoscentisystems.com

November 18, 2017 12:08 PM

Winston Smith on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

"Oh, rumour has it a model T ford car can not be hacked by an ten year old with a harmonica from fifty feet away."

I genuinely laughed at that comment. Thank you, Clive Robinson.

On another positive note, this forum exists... Which is truly a positive development in the overall state of security/privacy. Sincerely.

November 18, 2017 12:06 PM

Anonymous on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

"Oh, rumour has it a model T ford car can not be hacked by an ten year old with a harmonica from fifty feet away."

I genuinely laughed at that comment. Thank you, Clive Robinson.

On another positive note, this forum exists... Which is truly a positive development in the overall state of security/privacy. Sincerely.

November 18, 2017 12:00 PM

Winston Smith on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

@tyr

My link didn't include the details of the content of that US military leak. Good find, thank you. Anyone who thought that their social media posts were only viewed by friends should understand that "friends" is essentially equated with "public", or worse, the Eye of Sauron (in my idealistic 'privacy advocate' mind, at least).

The article also mentioned that one of the explicit purposes for the US military's interest in social media is to leverage it as a propaganda tool, or rather, an anti-2nd-world-radicalization platform. If effective, this sort of operation would...


November 18, 2017 11:46 AM

Petre Peter on Commenting Policy for This Blog:

what: is gratitude
why: because of schneier.com; because of Thanksgiving.
how: thank you for your hospitality

what: is “town square”
why: because i would like to be in a house from a town square; because, for me, town squares are not easy to find.
how: by opening the maps application and searching for squares inside a town; note that the squares are not squares-even when they are meant to be used as a memorial.

what: is $25 testbed
why: because i am not here to argue why the house always wins; because i am not here to see the triumph...


November 18, 2017 11:37 AM

Douglas Coulter on New White House Announcement on the Vulnerability Equities Process:

It seemed to me on a quick skim (but also looking at events) that a big deal is what is proactive.

If they keep a vuln, they then use it proactively to hack supposed "adversaries".
E.g. effort is expended to exploit it.

If not, they "reveal" the vuln - and effort stops right there. No effort is made to protect the citizens and so on. That's a really big difference. As usual, the lie is right out in front; people just miss it. This is how the pols and bureaucrats hide things in plain sight. That whole half of the mandate is effectively ignored.

We all know...


November 18, 2017 11:35 AM

Clive Robinson on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

@ tired,

Now if everyone could comment with a lots of optimistic vibes

Err, not everything is backdoored Yet.

Oh, rumour has it a model T ford car can not be hacked by an ten year old with a harmonica from fifty feet away.

Not much else really, sorry ;-)

November 18, 2017 11:25 AM

Clive Robinson on New White House Announcement on the Vulnerability Equities Process:

@ Wael, Mike Barno,

I'll remind you three years from now (if I'm still alive and kicking.)

How are you going to kick anyone with those new improved "parole anklets" for everyone who is not a 1% of the 1%, with those shaped charges to blow your foot off should you violate the rules, including moving too quickly[1]?

[1] Running away will be a new crime after all those donut buckets in blue don't want to raise a sweat having to pull out a gun to take aim to shoot you...

November 18, 2017 11:12 AM

Clive Robinson on Motherboard Digital Security Guide:

@ hmm,

I assume your ex wife doesn't still have access to your machines clive?

I don't have an "Ex Wife"[1], but a lot of people I used to know do; they married young and regretted early. From what I remember most of them did not see it coming (both men and women). In fact they thought their relationships had been through a rocky patch and were now improving, right up until they found themselves out in the cold with a handful of legal papers and mind-numbing debt.

Which brings us back to,

The topic was having people in your...


November 18, 2017 10:19 AM

Iggy on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

@neill, lol.

Precisely out of fear over how unfriending might create an international incident, I unfriended no one, I simply removed all pix, convos and left the news feeds on. I have 2 whole FB friends who are actual friends who happen to be on FB. I, too, don't believe in friending people I haven't met. Silly me.

RIP Sen and Astronaut John Glenn? Indeed.

November 18, 2017 10:15 AM

Clive Robinson on Friday Squid Blogging: Squid Season May Start Earlier Next Year:

@ 65535,

Here is where you get into a gray zone. How does the average small business or person set up your semi-pro data diode? Do you have any specific hardware [serial ports and DB9 pin cables] and software you use?

For the right sort of person it's fairly trivial to do. But like hen's teeth, that sort of person is rarely found on the ground. You kind of have to look at Hard Science and Electronics graduates, not people with a general CS background.

In essence you look for a microcontroller development system for an MCU with at least two serial...


November 18, 2017 9:37 AM

Clueless in Seattle on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

+1 for getting outside more

@tired
not exactly "optimistic vibes", but from the, to me, humorous far side:

... “This eighteen-year-old punk kid shows up,” Dariani told me, describing a typical meeting with potential sponsors, “and he’s talking about how things are ‘retarded’ and making fart jokes and not listening to your team with a hundred years of experience. And you’re sitting there going, ‘This is the guy who makes the decision about whether my company succeeds or fails?’ ” Dariani smiled. “First you’re angry. But then you’re terrified.”...


November 18, 2017 9:08 AM

Ratio on Long Article on NSA and the Shadow Brokers:

@Anders,

“A week after publication of his leaks began, Ars Technica confirmed that Snowden had been an active participant at the site's online forum from 2001 through May 2012, discussing a variety of topics under the pseudonym "TheTrueHOOHA".”

Quoting from the May 2014 article The errors of Edward Snowden and Glenn Greenwald that had been in my “to read” pile for weeks:

Snowden’s early writings on the online...


November 18, 2017 8:33 AM

Clive Robinson on Friday Squid Blogging: Squid Season May Start Earlier Next Year:

@ Nick P, Wael,

So, the KVM switch and separation kernel idea...

Kind of burns a little the first time somebody takes an idea and runs with it without acknowledging it. Eventually it gets to the point where it is just irksome[1].

But I still think a KVM / sep kernel idea is a little bit of overkill for most applications. So I still favour a stripped-down graphics system running on a stripped-down (C2 *nix) running isolated serial lines with either terminals or modified VNC viewers for the display, for less exacting purposes.

It's something...


November 18, 2017 6:02 AM

hmm on Motherboard Digital Security Guide:

"The statistics on divorce and spousal abuse should make you wary of making comments like those."

Divorce is common but you can see it coming and if you don't, you've got other security issues.

The topic was having people in your house, accessing your machines. I assume your ex-wife doesn't still have access to your machines, Clive? If so then all bets are off, yes.

You should be able to trust people you share physical proximity with. If that's not true, evaluate that situation.

If you've allowed untrustworthy people into your life, why is that?

November 18, 2017 4:26 AM

Donaald Duck Go on Me on the Equifax Breach:

Look, having computer security — my uncle was a great professor and scientist and engineer, Dr. John Trump at MIT; good genes, very good genes, OK, very smart, the Wharton School of Finance, very good, very smart — you know, if you’re a conservative Republican, if I were a liberal, if, like, OK, if I ran as a liberal Democrat, they would say I’m one of the smartest people anywhere in the world — it’s true! — but when you’re a conservative Republican they try — oh, do they do a number — that’s why I always start off: Went to Wharton, was a good student, went there, went there, did this,...


November 18, 2017 4:18 AM

Rump it Up on Me on the Equifax Breach:

Congress is not good, doing a lot of things some of which are good things and some of which are bad things

November 18, 2017 4:05 AM

OrwellianUtopia on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

Mastercard applies for a patent on blockchain-type technology. It is a purely devious move in the name of making more money. I am guessing the idiots handling patent approval would blindly approve the patent application.

http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=PG01&s1=20170323294&OS=20170323294&RS=20170323294

November 18, 2017 3:56 AM

hmm on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

"I can't wait to see the explanation for spying on American citizens."

If they're doing an investigation into a known crime it's not spying, it's an investigation. Trump was similarly confused and will be similarly enlightened soon.

They didn't find out about Leonard because of some widespread illegal dragnet operation.

The people they ensnared in a subsequent investigation are not "american citizens" either,
if they've enlisted they are the property (cattle) of the US government under the UCMJ.

Explanation enough?

November 18, 2017 3:02 AM

neill on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

@Iggy

after accumulating 7 "friends" i just got too busy to keep up, and un-friended my wife ... then my sister ... then everyone ... BAD mistake!!!

(learned from it, should have done it the other way around, wife last (next time, or next wife))

anyways, now "i have ZERO friends, and i feel fine"

RIP john glenn

IF they love data, give them lots of it! tag people in pictures! upload pix! feed the snake!

November 18, 2017 12:25 AM

It's Tricky Tricky Tricky on New White House Announcement on the Vulnerability Equities Process:

I wonder what the modus operandi is should a vulnerability in Kaspersky software be found, as if I recall the code is to be laid open to the US.

The US claim that Kaspersky - and no doubt other vendors - have ill will, but play the hypocrisy card themselves. This is the epitome of exceptionalism. The same people then wonder why countries such as Russia want to move towards sovereignty of their data infrastructure.

All in all of course, everyone's playing the same game, it's just that the US appear to be the most vocal about it - "not fair!" like a whiny child....


November 17, 2017 11:34 PM

uh oh on Friday Squid Blogging: Squid Season May Start Earlier Next Year:

@whomever

You did not state how the firewall would be setup or used, which is kind of critical.

Ok, although:

options of using "End of Life" Operating Systems directly on the internet, behind a home NAT'd router or in a DMZ serving over various ports and filters?

Perchance DMZ means a different thing to other people, but I'm frequently worried that some of those clients are actually real.

November 17, 2017 10:00 PM

tyr on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

@Winston Smith, et al

https://www.upguard.com/breaches/cloud-leak-centcom

Here's a bit more on the DOD leak.

With the Fat Leonard scandal taking down 440 navy including 60 admirals, apparently the military leaks like a sieve these days.

I can't wait to see the explanation for spying on American citizens.

The best RT underliner on the news today has NATO apologizing for putting Erdogan's name on their enemies listing. I hadn't heard that Turkey was...


November 17, 2017 9:44 PM

John Givens on Me on the Equifax Breach:

>> 7. We need effective regulation of data brokers.
Isn't it time for consumers to be notified upon any financial transaction being made in their name? Permanently, promptly, and at no cost? Three key measures are needed:
1. Consumers may designate a preferred email address and a subject line identifier with any credit bureau, without cost. It must be retained by every credit bureau and displayed in its credit report.

2. Consumers may verify or change their choice, at any time, without cost. However, if it gets changed, the credit bureau must report this deed to...


November 17, 2017 8:55 PM

Wael on New White House Announcement on the Vulnerability Equities Process:

@Clive Robinson,

Closed source is at best the inner wall, whilst Open Source tends to be the outer wall.

I like the analogy!

@Mike Barno,

Oh, just wait until you see it three years from now...

I'll remind you three years from now (if I'm still alive and kicking.)

November 17, 2017 8:00 PM

Fatima on Details about Juniper's Firewall Backdoor:

I don't know if this is the right blog where to post this question.
We recently deployed a pair of Juniper MX960 routers to perform multiple network functions, among them the L3 stateful firewall function. On both sides of the trusted and untrusted interfaces we are receiving MP-BGP VPNv4 routes. I do understand the IP flow discontinuity (flows are permitted or blocked) but I don't understand why it's not possible to advertise the MP-BGP routes from the trusted to the untrusted side and vice versa.

Thanks for your help in advance.

November 17, 2017 7:51 PM

Winston Smith on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

"Log off and spend the weekend outdoor without any connectivity."

Indeed. Headed there now. Cheers!

Another reason to disconnect, the coming panopticon. Consider just how many people will fall completely for the following once the promise of "freedom from work, freedom from the daily grind," is on the horizon:

https://www.dezeen.com/2017/10/11/anthony-levandowski-engineer-religion-artificial-intelligence-ai-god-way-of-the-future/

November 17, 2017 7:24 PM

Alarming New Public TV Broadcast Standard (ATSC3) on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

“We’ll know where you are, who you are, and what you’re doing -- just like you do now, just like everybody does now, the internet does, or Google, or a Facebook,” Sinclair Executive Chairman David Smith told investors at the Wells Fargo Technology, Media & Telecom Conference Nov. 8. “We will have perfect data all the time.”
https://www.bloomberg.com/news/articles/2017-11-14/ads-may-soon-stalk-you-on-tv-like-they-do-on-your-facebook-feed

Sinclair...


November 17, 2017 7:14 PM

65535 on Friday Squid Blogging: Squid Season May Start Earlier Next Year:

@ Anders

Thank you. That is a straightforward answer.

Good going.

@ Clive R.

I know that said firewall was not defined. I would put the firewall as at least a NAT device with no UPnP turned on. The uses for the internet in business mostly are indeed email and some txt messages, or even using a low-use phone line for computer/fax.

Most of my customers do check their bank accounts weekly or daily but usually don't bank electronically. That is, every batch of payments and Accounts Receivable is done via a trusted person. This person usually brings back a...


November 17, 2017 6:43 PM

Clive Robinson on Friday Squid Blogging: Squid Season May Start Earlier Next Year:

@ 65535,

With all of the above said, the question remains could you use Win2k Pro or Win2K in any small business or home behind a fire wall?

You did not state how the firewall would be setup or used, which is kind of critical.

As I've frequently said, my machines are not connected to any external networks and I use instrumented data diodes of my own design that only allow a strict subset of file types (ie they are all human readable like TXT, RTF, CSV). The development machines are in the main only connected via serial lines, in some cases because they...


November 17, 2017 6:11 PM

Mike Barno on New White House Announcement on the Vulnerability Equities Process:

@Who?, Wael,

The world, as we would like it to be, is probably broken beyond any repair.

Oh, just wait until you see it three years from now...
Every USAn executive-branch policy has been changed by political appointees to Rush to break it quicker.

November 17, 2017 6:03 PM

Sancho_P on Long Article on NSA and the Shadow Brokers:

@Tõnis

I think I understand what you meant but please be aware that this sentence, besides being wrong, also can be read as combining blasphemy and American exceptionalism:
”1. The rights enumerated in America's Constitution are God-given rights that belong to all of mankind.”

To me Ed Snowden’s revelations were bad for the US-IC, but not the point.
The point was how the US (USG, MSM, public) reacted.
Their insane backlash against the “traitor” was the real revelation.

In fact, the Kremlin don’t trust Ed, as he might be a spy. Even...


November 17, 2017 6:03 PM

AllIsLost on Friday Squid Blogging: Peru and Chile Address Squid Overfishing:

Does anyone have info or links about any arrangements Facebook has with intelligence agencies to provide live help to its moderators (censors). Somewhere I read that agents are assigned to partner with Facebook content monitors to help them resolve edge cases of prohibited speech & imagery, but the citation eludes me. Any info you have will be appreciated. TIA.

November 17, 2017 5:22 PM

Clive Robinson on FBI Increases Its Anti-Encryption Rhetoric:

@ Peaceheah

Just to reiterate, when the fire dept. saves lives, they are typically NOT sued for invasion of privacy nor even property damages, etc.

Really bad analogy to use.

It is more like the police department insisting on every door and window not having any locks whatsoever "just in case" they want to come in and go through the underwear drawer taking copies of any photos or other documents they want, oh and not caring one jot if the local street hoodlums come in to do a little raping and pillaging...

November 17, 2017 5:07 PM

Clive Robinson on New White House Announcement on the Vulnerability Equities Process:

@ Who?, Wael,

VEP makes non-US products safer, as these are only exposed to the usual threats

Whilst there is a degree of truth in that, the more important take away is that you are actually talking about "Closed Source" software.

The reason there is a degree of truth in the argument is that whilst the NSA and other Intel agencies in the US are some of the largest money pits in the world, they are however resource constrained. That is, there is only so much they can do, which also is affected by the "The smallest apples fall further from the...


November 17, 2017 4:35 PM

Clive Robinson on New White House Announcement on the Vulnerability Equities Process:

The priorities are clear, when we read,

At a high level we consider four major groups of equities:

1. defensive equities;
2. intelligence / law enforcement / operational equities;
3. commercial equities;
4. international partnership equities.

Additionally, ordinary people want to know the systems they use are resilient, safe, and sound.

Does anyone see any "let's protect the economy" in that list?

We know full well that "defensive" really means "offensive". Likewise we also know that "intelligence" really means...


November 17, 2017 3:52 PM

Jonathan Wilson on New White House Announcement on the Vulnerability Equities Process:

Personally, I am not convinced the NSA, FBI, CIA or any other agency should be allowed to hoard general vulnerabilities in general purpose software at all for any reason. Nor should they be allowed to do anything that intentionally makes said general purpose software less secure (e.g. forcing companies to insert backdoors).

I don't like the scumbags who distribute child pornography but that doesn't mean the FBI should be allowed to use a secret undisclosed flaw in the TOR browser (or possibly even in the base Firefox codebase) and make everyone vulnerable. If there is no other way...


November 17, 2017 3:48 PM

Clive Robinson on Motherboard Digital Security Guide:

@ hmm,

... if you are living in a house with someone you do not fully 100% trust

There is nobody born who is 100% trustworthy; we all cheat and lie, even to ourselves. We might call them white lies or the glue that enables society to work, but they are still lies even when you do not say anything. Then there is gossip etc...

>... and sharing your data and devices with them, whose fault is that?

The statistics on divorce and spousal abuse should make you wary of making comments like those.

You could --and many have-- write books...


November 17, 2017 2:28 PM

Who? on New White House Announcement on the Vulnerability Equities Process:

@ Wael

It was shocking to me when, a few years ago, I learned the NSA was doing industrial and technological espionage against allies. I did know there was a huge surveillance network targeting citizens, we all knew about programs like ECHELON and TRANSIENT. It was not exactly what I would call a secret then. Targeted surveillance against political leaders and influential people... sure! But industrial espionage against allies... it was somewhat unexpected to me.

November 17, 2017 12:28 PM

Who? on New White House Announcement on the Vulnerability Equities Process:

@ Wael

Touché!

I missed the point about NSA counterparts. The world, as we would like it to be, is probably broken beyond any repair. I have, however, not limited NSA's work to US products (I wrote "industrial espionage done by the IC" too) but I understand US corporations are more reachable to IC than foreign ones because they are either more vulnerable to legal threats (NSLs) or share interests with the IC and, in general, the US Government.

November 17, 2017 11:45 AM

Jay on Me on the Equifax Breach:

I can't find a video of this anywhere. Can somebody link one?

November 17, 2017 11:45 AM

Anders on Friday Squid Blogging: Squid Season May Start Earlier Next Year:

@65536

"With all of the above said, the question remains could you use Win2k Pro or Win2K in any small business or home behind a fire wall? Using Win2K of any version seems to possibly be less risk than say a new Windows phone on the network or even Windows 10 Pro on the network. Is the risk/reward favorable to using Win2k behind a NAT firewall? Yes? No?"

YES

W2K Pro is, even without patches, more secure than modern Win 10 since it's no longer a target for modern attacks - there's not even PowerShell, which modern attacks use for lateral movement.

The only...

November 17, 2017 11:29 AM

curious 77 on Long Article on NSA and the Shadow Brokers:

@Tovaritch

"Pure totalitarian genius."

Thanks for the link. I haven't read the article yet, but I suspect there wouldn't be much switching cost if China decided to change course. I would hate to see Trump have that much power.

November 17, 2017 11:11 AM

@Anders on Long Article on NSA and the Shadow Brokers:

@Anders

Some of what you have said in this thread is logically reasonable, but unverified, obviously.

I worry about the propaganda power of the USG being turned against its citizens. Perhaps try to maintain skeptical thinking at all times.

November 17, 2017 10:46 AM

Wael on New White House Announcement on the Vulnerability Equities Process:

@who?

VEP makes non-US products safer

Unless there are NSA counterparts with the same MO in most countries. Counterparts that do the same exact things with non-US products and US products alike. Many exploits come from outside the US, too. Some of these exploits are sold to TLAs, foreign and domestic.

Also I wouldn't limit NSA's work to US products, although they'd have more leverage with local products.

November 17, 2017 10:42 AM

Tovaritch on Long Article on NSA and the Shadow Brokers:

@Anders

I see--you were expecting him to shoot himself in the balls. :-)

But yes, I remember that, too. Assuming he actually meant it, I also remember thinking how admirable it was that despite his modest background, he had been able to abandon such a simplistic and jingoistic viewpoint, and apparently completely autodidactically.

November 17, 2017 10:34 AM

Who? on New White House Announcement on the Vulnerability Equities Process:

This one is the way I see the [currently broken] Vulnerability Equities Process:

  1. The US Government has easier access to the source code of products manufactured by U.S.-based corporations (by means of agreements, NSLs or other deals) than to the source code of non-U.S. ones.
  2. The US Government looks for vulnerabilities in these products.
  3. Instead of fixing them, they (usually) collect these vulnerabilities for future use.
  4. Sometimes these bugs are released in the wild (by means of leaked documentation or exploits) or rediscovered by a third ...

November 17, 2017 10:29 AM

curious 77 on Long Article on NSA and the Shadow Brokers:

@hmm

"If China as a NATION hadn't just banned WINNIE THE POOH because people tried to say Xi looks a little lazy eyed towards the honey jar, then I'd believe your assertion that people are allowed to criticize in China, for a half second."

Searching for: WINNIE THE POOH Xi censorship yielded multiple hits.

A guest on Charlie Rose recently said something like "Xi is the most capable and powerful leader" in the world today.

I wonder if Trump is jealous of Xi's power, ability, etc., or how often Trump thinks about things like starting a war to try to increase...

November 17, 2017 9:25 AM

Dorothy on Motherboard Digital Security Guide:

These articles on personal computer security are fascinating, and I do implement some of their suggestions. My question is about social media bars. One used to be able to block them while using AdBlock Plus and/or uBlock Origin, but on many sites a person can't block them any more. Are these new social media bars with Facebook, Twitter, etc. buttons tracking me while I am reading the web page on which they are floating, even though I don't click on them? I don't belong to any of these social media companies.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.