Recent Comments

Note: new comments may take a few minutes to appear on this page.

October 25, 2016 5:24 PM

Rodney Dangerfield on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

@chris s, warp

The link escapes me, but it goes further than that. It's actually counter productive for a person to lay claim to the name itself as that specifically is reason enough to search points property. Happened a couple of years ago and made it to popular sites (/.). Could be sensationalism I'm sure but w/e.

Couple that with the "reverse engineering is punishable by death" and my state's soon to be passed (and past) "life sentence for hacking a vehicle" I'm sure I'll be retroactively prosecuted for reverse engineering the rx7 ecu. w/e

October 25, 2016 4:58 PM

chris s on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

@warp, I think the reference is to Section 58 of the Terrorism Act of 2000:

"A person commits an offence if—

(a) he collects or makes a record of information of a kind likely to be useful to a person committing or preparing an act of terrorism, or

(b) he possesses a document or record containing information of that kind."

This was the section under which the individual is currently charged. Section 57 goes even further:

"(1)A person commits an offence if he possesses an article in circumstances which give rise to a reasonable suspicion that his possession is for a purpose connected with the commission, preparation or instigation of an act of terrorism.

(2)It is a defence for a person charged with an offence under this section to prove that his possession of the article was not for a purpose connected with the commission, preparation or instigation of an act of terrorism."

You will notice that the 2nd clause effectively reverses the burden of proof.

[FWIW, the USB cufflink is not just available online, but also in middle-brow high street retailers such as Marks and Spencer].

October 25, 2016 4:38 PM

Sancho_P on Friday Squid Blogging: Which Squid Can I Eat?:

@Markus Ottela

You are welcome, do whatever you want with that stuff, tell me in case you need more / something else.
In small quantities you will have to order that optocoupler from Mouser, Digikey, TME or so; even Amazon has it listed (SMD only, shocking price).
Make your electronic store (if there is any) order it for you, that’s easy in respect to tax and customs, plus there is another “isolator” between source and “target”.

”As for the trust on hardware, COTS has its risks, and functionality of optocoupler isn't verifiable anyway. I would imagine though that if the local electronics store that carries these components is infiltrated and adversary hands out IC with malicious logic, user is targeted to the extent one or another close access operation will get them in the end.” (my emph.)

I’m not sure if I understood your concerns. First, they’d have either to infect ALL devices (very costly for a mass product plus with very high risk of unintended side effects and detection, do not underestimate competitors’ curiosity) or to have an agent at your local store.
The latter is only feasible if you are a very valuable target.
However, there is still hope:
Also a simple optocoupler can be tested (230 VAC hint @Figureitout) and you will connect only one transmission line to the FT232.
On the other hand, any USB / TTL converter is a soft target, so better use the RasPi’s UART lines directly.

Forget about the phototransistor if you want to transmit more than Morse code using your flashlight. No way for reliable + homemade kBps.

Re your discussion with @Figureitout:
[adafruit adapter] ”I wonder if shared ground loop …”
This is a USB to USB isolator, not USB-TTL, a completely different device.
It’s intended to be completely transparent to all USB negotiations, commands and data. Of course you’d be free to connect GND of input and output, no problem.

Re: Reed-Solomon erasure code: Good!
I love it (however, it’s probably over my head).

”Unrecoverable transmission errors display warning to user:”

Exactly what I was talking about, this is crap, totally unacceptable in critical mission or security.

I’ll try another simple analogy, this time from the as-famous-as-stupid car domain:
Driving home you have to hit the brake in an emergency, but nada, zilch,
a simple but true message comes up: “Brake failure!”.
Waking up after 3 months in coma you are told “Brake fluid was gone”.

Shouldn’t we have a warning before failure? In case someone has touched …?

But be aware: Real, true security isn’t digital, isn’t true or false.
This is also why my example (the simple brake fluid level switch) is crap.
That’s not security, that’s a farce.

pass …
Good you didn’t invest time here yet ;-)

October 25, 2016 4:27 PM

Clive Robinson on DDoS Attacks against Dyn:

@ albert,

Clever debunkers usually use the ad hominem approach as a last resort.

I guess some "trainees" think they are better than the trainer... Pilots have a saying about "old and bold", in that you may see bold pilots, and you may see old pilots, but you seldom see old and bold pilots...

Some trainees have to learn not to jump over the gun, lest as they stand there with the gun barrel now at their backs, somebody pulls the lanyard...

October 25, 2016 4:11 PM

Clive Robinson on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

@ albert,

I think it's time to rename the Dept of Defense to the more appropriate Dept. of War.

Do you actually mean "change it back" not rename it?

We used to be more honest with ourselves a century or so ago... I guess when you lie to yourself lying to others is second nature, hence the mess we are in.

October 25, 2016 3:58 PM

Clive Robinson on President Obama Talks About AI Risk, Cybersecurity, and More:

@ vas pup,

The tell in what you've quoted is,

    ... not financial gain, but rather to boost their reputation among other hackers in order to compensate for what might be a lack of self-esteem in the rest of their lives.

Whilst there may be a few "400lb chair benders" amongst them, many will be those who are intelligent and picked on by those who shall we say have more brawn than brains and hunt in packs for the fun of inflicting pain of one form or another on "specky four eyes brain box".

The hacking is an outlet for those bullied to get "self esteem" amongst those they regard as their peers, mentors or betters. Thus the way to prevent this unhealthy problem is not "selection for segregation" of those with intelligence at an early age, but "selection and correction" of those who bully (which most education establishments are actually quite bad at despite having policies etc in place).

The thing is, if you allow an intelligent child to be bullied, a number that do not gain an outlet or justice will turn their thoughts and actions to revenge. And revenge driven by intelligence is sometimes not focused on the bully but those who failed to stop the bully, and that can be very nasty indeed, with many other lives being adversely affected.

October 25, 2016 3:41 PM

ab praeceptis on Friday Squid Blogging: Which Squid Can I Eat?:

Markus Ottela

You are right (prime size) but: It's just a (reasonable) recommendation to use 2 roughly equal primes for modulus generation. It makes sense, no question but unless your opponent is a) extremely potent and b) already has cracked the ECC part, this is of rather little concern with my mechanism.

Again, my bandaid idea is an *addition*. The question of how (in)secure a (effectively, it is to be assumed) 512 bit RSA modulus is, is not that trivial because even 512 bit RSA moduli aren't factored in seconds (it is a reasonable assumption that today a mid-size academic cooperation would need some weeks to do that; nsa might do it in days, maybe even hours if your stuff is important enough for them to throw all their resources at it). But again, that's an additional or, worst case (ECC broken) an emergency security layer (512 bit is much less than 1K or 2K bit but *so much better than nothing*).

Moreover, the "use roughly same size primes" does not suggest that an RSA modulus of, say, a 256 bit and a 768 bit prime is as trivial to factor as a 512 bit modulus; it merely suggests that it's simpler than a 512/512 modulus, which brings us into the grey area of not yet feasible or extremely expensive.

So, I still think that my bandaid mechanism might be useful, at least as an option.

But, of course, I'm not a vendor. You don't like my mechanism, no problem. I merely like to think of ways for a poor man (compared to nsa or even a university) to defend himself well.

October 25, 2016 3:06 PM

albert on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

The "hearts and minds" approach by the West (actually, the US. EU countries are merely lapdogs) was and is a lost cause. Propaganda is seldom effective when presented by the invading force. Whom do you believe, the video on your computer or smartphone, or the ISIL guy with a gun to your head?

Everyone but Fallon seems to think that Mosul has no "cyber" infrastructure to attack, so little will be learned. Infrastructure attacks are simply a slower way to kill civilians. Any talk about test cases is BS.

Thinking about Russia in Afghanistan, they ran home with their tails between their legs, assisted in no small way by US support. How long have -we- been there? How many Muslim countries in the ME have achieved anything since Western military involvement?

This, I believe, is the endgame: Total, continuous instability in the ME, applied to all countries who don't play ball with us. Oil producers who don't will move to the top of the shit-list. Iran is next. Syrian oil might be of some benefit, but wearing down Russia is probably the goal there. Don't be fooled by the military; the State Dept. may be full of psychopaths but they're there to take the heat. The corporatocracy pulls the strings.

I think it's time to rename the Dept of Defense to the more appropriate Dept. of War.

. .. . .. --- ....

October 25, 2016 2:49 PM

Markus Ottela on Friday Squid Blogging: Which Squid Can I Eat?:

@ab praeceptis

"When choosing the private key for Curve25519 ECDH, why not choose one that is prime"

Curve25519 ECDHE is nice as it takes any 256-bit value as a valid private key. I'd rather not reduce the keyspace into just all the 256 bit primes (I wonder what the ratio is). The sad truth is the equivalent amount of security for classical DHE has large enough keys to drive the user typing them insane. And while the QC qubit requirements are higher, they're not outrageous. IANAC but if djb is fine with Curve25519, I think it's good enough until QC comes. If QC is part of the user's threat model, PSK is the way to go.

RE: PHC finalists
Good point. It would be interesting to see if there were performance over security tradeoffs made there like in the case of Rijndael vs Serpent during AES.

After the 256-bit local key is stored into the smart card the rest is free for the contacts. The RxM side smart card needs to store two 256-bit keys for sending and receiving. The TxM side basically needs only 256-bit keys for sending, but I think it's worth it to store a hash that can verify identities of parties during initial key exchange, e.g. SHA256("fingerprint" + public key with smaller value + public key with larger value). The string "fingerprint" is just for domain separation. You said keys are not exportable. Is this by design, or is it possible to control the exportability so that only the hash of public keys is exportable and not the symmetric keys?

In addition to keys each contact needs the hash ratchet counters (64 bits) plus a UID, for this purpose 12 bits.

(300 * 1000 * 8 - 256) / (512 + 64 + 64 + 12) = 3680 contacts, which is slightly less than the 12 bit UID space (4096).

The XMPP account is somewhat public knowledge so storing mappings of UID and XMPP accounts on TxM/RxM isn't a huge problem. As long as conversations are not logged on the smart card I don't think there's a problem with the limited space.

Smart cards may be slow but unlike TxM/RxM currently, they don't have to re-encrypt the entire key database after every message. Just encrypt+sign/auth+decrypt 255-byte string, run the key once through SHA256 and update the hash ratchet counter. That's all. Any idea what the performance numbers are on your ChaCha20(-Poly1305?) implementation or AES?
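As an added illustration (not code from the comment's author or from any project discussed here), the following Python sketch puts the three pieces of the comment above into working form: the domain-separated key-exchange fingerprint over the canonically ordered public keys, a per-contact SHA256 hash ratchet with its 64-bit counter, and the contact-capacity arithmetic. The class and function names and the sample keys are my own constructions.

```python
import hashlib

DOMAIN = b"fingerprint"   # domain-separation prefix named in the comment
KEY_LEN = 32              # 256-bit keys
COUNTER_BITS = 64         # hash ratchet counter width from the comment
UID_BITS = 12             # per-contact UID width from the comment


def key_exchange_fingerprint(pk_a: bytes, pk_b: bytes) -> bytes:
    """SHA256("fingerprint" + smaller public key + larger public key).

    Sorting the keys gives a canonical order, so either party computes the
    same value regardless of which key is 'theirs'.  For equal-length byte
    strings, lexicographic order equals unsigned big-endian numeric order.
    """
    if len(pk_a) != KEY_LEN or len(pk_b) != KEY_LEN:
        raise ValueError("public keys must be 256-bit")
    lo, hi = sorted((pk_a, pk_b))
    return hashlib.sha256(DOMAIN + lo + hi).digest()


class HashRatchet:
    """Per-contact one-way key: each message uses the current key, then the
    key is run once through SHA256 and the 64-bit counter is incremented.
    Old keys are discarded, so a later compromise cannot decrypt earlier
    messages (forward secrecy per message)."""

    def __init__(self, key: bytes, counter: int = 0):
        if len(key) != KEY_LEN:
            raise ValueError("ratchet key must be 256-bit")
        self.key = key
        self.counter = counter

    def step(self) -> bytes:
        """Return the message key for the current counter and advance."""
        if self.counter >= 2 ** COUNTER_BITS:
            raise OverflowError("hash ratchet counter exhausted")
        message_key = self.key
        self.key = hashlib.sha256(self.key).digest()
        self.counter += 1
        return message_key

    def catch_up(self, target_counter: int) -> None:
        """Receiver side: advance to the sender's counter before decrypting.
        Going backwards is impossible because earlier keys no longer exist."""
        if target_counter < self.counter:
            raise ValueError("cannot rewind a hash ratchet")
        while self.counter < target_counter:
            self.step()


def contact_capacity(card_bytes: int = 300 * 1000,
                     local_key_bits: int = 256,
                     per_contact_bits: int = 512 + 64 + 64 + 12) -> int:
    """Number of contacts that fit after the local key is stored
    (two 256-bit keys, two 64-bit counters and a 12-bit UID per contact)."""
    return (card_bytes * 8 - local_key_bits) // per_contact_bits


# Constructed sample keys (not real keys, just distinct 32-byte values).
PK_A = bytes(range(32))
PK_B = bytes(reversed(range(32)))
SHARED_KEY = hashlib.sha256(b"constructed shared secret").digest()

if __name__ == "__main__":
    print("fingerprint:", key_exchange_fingerprint(PK_A, PK_B).hex())
    sender, receiver = HashRatchet(SHARED_KEY), HashRatchet(SHARED_KEY)
    keys = [sender.step() for _ in range(3)]
    receiver.catch_up(2)
    print("receiver matches message 2:", receiver.step() == keys[2])
    print("contacts:", contact_capacity(), "of UID space", 2 ** UID_BITS)
```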

October 25, 2016 2:27 PM

ab praeceptis on Security of Password Managers:

In case you are looking for a magic silver bullet - that doesn't exist.

As Clive correctly stated much depends on your use case. In order to recommend a good pw manager, we should at least know your operating system (windows? linux? ...).

Generally speaking and assuming you don't have highly sensitive state secrets on your notebook, a password manager is a good approach to your "too many sites, too many passwords" problem.

Fingerprint readers are a two edged thing. On one side they are, oh so comfy. On the other side one shouldn't put too much trust in them.

All in all I'd suggest to use a good password manager along with one single high quality password (for the manager). This would reduce your problem very much (to only 1 password rather than many).
You may or may not add fingerprint reading to that, if the password manager can handle it, depending on your trust in that.

Finally, and again given that the password manager supports that, you might want to additionally (to the password) use some external "I have" factor such as a smartcard reader or a usb device.
For company or high sensitivity use that might be attractive, for purely average private use it might be overkill.

Finally, some practical "mindset" advice: There is no perfect security. All we can strive for is better security, e.g. by making it harder for attackers. You have already done something good by using different passwords for different sites/services. That's more than what most do. Finally, it's not only important *what* one does but also *how* it's done. Again, you are on a good way by asking for advice.

If you tell us more about your use case and your operating system we will quite probably be able to offer you some practical recommendations.

October 25, 2016 2:09 PM

albert on DDoS Attacks against Dyn:

@Lt Dan,

Note @Dan H response to me:

1. Name-calling and personal attack.

2. Attributing a different meaning to a statement I made.

3. Asking a question totally irrelevant to that statement.

4. Assuming hyperbole as fact.

Clever debunkers usually use the ad hominem approach as a last resort.

Not so in this case.

. .. . .. --- ....

October 25, 2016 1:52 PM

CallMeLateForSupper on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

"...I can confirm that we are using offensive cyber for the first time in this campaign."

Maybe the "cyber" is the same ol' same ol', but crafted to be morally and/or religiously *offensive* to the targets. For example, mass Tweets to ISIS that "Abu Bakr al-Baghdadi admits he is gay" or injecting a turbaned May into ISIS-friendly web pages.
"A lot of people are saying this. I don't know."[C] 2016

October 25, 2016 12:11 PM

Warp on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

@Clive Robinson

It can be used against you in a court of law to say you're an old-school hacker? Do you have a source on this? I occasionally talk with D.C. types that are trying to appeal to the hacker communities, so this would be a useful talking point to bring up in those kinds of conversations.

October 25, 2016 11:32 AM

vas pup on President Obama Talks About AI Risk, Cybersecurity, and More:

A study suggests there are parallels between the way youngsters turn into hackers and how youths become addicted to drugs and alcohol:

"[The hormone] dopamine can be released quickly as vulnerable youth achieve frequent and rapid successes online, and if these successes are linked to anti-social acts, such as hacking, they will be reinforced to pursue further ends to obtain their gains," it states.
The study suggests a large part of the problem is that many youngsters see the internet as a place that is not watched over by guardians.
The report adds that often their goal is not financial gain, but rather to boost their reputation among other hackers in order to compensate for what might be a lack of self-esteem in the rest of their lives.
The authors also suggest educators develop new tests to identify which children have the highest potential for technological skills when they are as young as four, so they can be "nurtured and rewarded" for using their talents in ways that benefit society.
"So, rather than trying to change what people are interested in, we should be steering them to pro-social activities rather than criminal ones, and looking to what's in their surroundings that influences the path they go down."

October 25, 2016 11:23 AM

Crunchr on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

"Old-School Hacker". ROTFLMAO! Can't wait to be the first poor schmuck arrested for writing a "weaponized bookmarklet". (The "probable cause" will be because I didn't need some bloathog "library" like jQuery just to slap the DOM around).

Sure, I can try explaining to a jury raised on Win-DOHs and CNN that I merely used tPVD() for a function name because it represents the Phantom Variable's Dog -- which, after running, disappears up its own ass in a puff of smoke. Or r2PS() for Rowdy Roddy Piper's Sunglasses (trust me, the judge'll be dropping the hammer on my ass before I even get to explain that one).

On the bright side, maybe I'll be immortalized as The Lightbox Killer.

October 25, 2016 11:22 AM

Jim Lippard on DDoS Attacks against Dyn:

Tens of millions of IP addresses does not mean tens of millions of devices. Level 3's reporting on Mirai estimated it at about half a million devices a few weeks ago, and it may be as high as a million bots now, but it's not ten million.

Flashpoint has stated in public media that this attack was perpetrated by neither nation-state attackers nor hacktivists. I suspect Krebs has already identified the names of individuals involved in or associated with this attack, in his past reporting on Mirai, NameCentral, vDOS, Datawagon, BackConnect, etc. Ben Chia, you should take a look at those posts, and Dyn researcher Doug Madory's talk in Dallas at NANOG 68, which occurred prior to the attack.

October 25, 2016 10:48 AM

Clive Robinson on Friday Squid Blogging: Which Squid Can I Eat?:

Another root to an Android's heart

It's not been a good past few days for Android with the variation on RowHammer and now Dirty Cow.

As I've already indicated above I have mixed feelings on such exploits, but when all is said and done I come out on the right of "freedom to tinker" because that is what moves society out of the maws of the unproductive "rent seeking" wastrels.

October 25, 2016 10:47 AM

Dan H on DDoS Attacks against Dyn:

@albert, another closed minded dolt unable to see the world for what it is, but knows the US is evil. And how can you sit there and say that another nation has a government they want? You believe Cambodians want Pol Pot and the Khmer Rouge?

Oppression in China and Russia today is ancient history?

Your drivel bores me and your limited capacity for thought amuses me.

October 25, 2016 10:15 AM

albert on DDoS Attacks against Dyn:

You see a textbook example of propaganda techniques in @Dan H comment:

1. He prattles on about Russia and China having brutal governments, which is totally irrelevant. Sovereign nations may have any kind of government. It's not for anyone to judge what happens within their borders.

2. He bores us with a lot of ancient history, which is largely irrelevant today.

3. He ignores the brutality visited upon other sovereign nations by the US, and also within its own borders.

I could go on, but it's obvious that these people are totally brainwashed by the MSM, and that's not unusual within most of the countries in the world.

Everyone will have to choose sides when the revolution comes.

. .. . .. --- ....

October 25, 2016 10:09 AM

GEORGE BALMER on Hardware Bit-Flipping Attack:

Good info.

On this very subject, can anybody provide info to a question posed by one of our developers, 'What is the susceptibility of radiation hardened silicon to a row hammer attack?'

Thanks for any guidance.

October 25, 2016 9:34 AM

Clive Robinson on Security of Password Managers:

@ Karen,

Would someone please respond with one of those choices please?

The problem is there are many solutions that have both strong points and weak points. And those points vary wildly with which threat you are designing against. Worse is that some services only allow eight character passwords or other limitations, which weaken the available password candidates.

For instance writing random passwords/phrases on a piece of paper has the advantage of allowing truly random, thus very difficult to guess or dictionary attack, passwords/phrases of any desired length. But they are easily revealed to any other person who has access to the piece of paper long enough to make a copy of some form (could be a second or two if they have a "photographic memory" and shoulder surf, or have access to a high resolution security camera etc). Further, the more secure the password/phrase the more likely you are to be seen using the piece of paper...

Password managers come in two basic flavours: those accessible by online attackers and those not. As with the piece of paper your concern is with others accessing it. Thus having a password manager on a computer or other device that can be somehow accessed from online is not a smart move no matter how good the actual software is, because the attacker could just "shim" the "HCI" (keyboard and display drivers).

Thus you might want to take extra precautions on the assumption your password/phrase repository, be it paper, software or token, gets accessed by others. So you could use a prefix or postfix you keep in your head, or another method by which only partial information is kept in your repository.

Beyond the above there is not much more people can say without knowing the specifics of your "use case", which for obvious reasons you should not make public.

October 25, 2016 9:06 AM

Clive Robinson on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

@ Jim Hacker,

It was mentioned, it was included with the court paperwork in broadcasts on the arrest of Cardiff man Samata Ullah, who was most newsworthy in the tech press for the "USB Cufflinks" from August this year. Apparently as part of his website and correspondence he claimed to be an old school hacker type system administrator, and this was considered noteworthy in court documents as part of evidence of being a terrorist.

The thing is in the UK we now have "thought crime" --brought in by Theresa May-- where you can be charged for doing something perfectly legal and done by many people if those prosecuting a case can say "must be for terrorism" loudly enough, wave their arms enough etc etc...

Take for instance he stands accused of deliberately concealing a USB memory device in cufflinks. The prosecution forgot to mention in the paperwork that in fact he had purchased them off of a well known Internet Retailer, as you can if you wish to...

Further he is accused of installing an OS on the legally purchased USB device that could be used for terrorist purposes, just as many people who read this blog do. Likewise he is accused of encrypting part of his website, just as our host has. Further of also publishing "training" information on how to access the site, as our host has done.

At no point in their public statements have the prosecution said what the OS is nor what the supposed encryption is nor the training information... Thus it has been assumed by many to be TAILS, https and Tor guides.

Thus I'm waiting for the Met Police to also claim in court documents he had access to a kitchen sink. Into which he poured grease from a cooking pot and therefore he must be planning in his head a WMD terrorist attack on Cardiff...

October 25, 2016 8:08 AM

SYNERGYUSALLC on Ransomware as a Service:

Out of necessity to cover our own needs and protect our clients we created an application called RansomSaver. It is an Outlook add-in and basically what it does is move new incoming infected email to a folder under the deleted items called RansomSaver. We provide this software for free and with no strings attached.

To download or see further information regarding RansomSaver please visit

October 25, 2016 7:48 AM

Dan H on DDoS Attacks against Dyn:

@LtDan You're insanely naive.

China tolerates no political opposition and deals brutally with dissent. People are still persecuted. It is an atheist government that does not allow members to practice a faith.

Recently Russia has signed legislation that revokes evangelizing outside of the Church. Movements that have opposed the Putin government have been crushed. The Duma passed a law allowing police to open fire on crowds. The number of political prisoners has increased.

34-49 million were killed by Stalin.

Mao Zedong killed 45 million in 4 years.

The US isn't perfect, but there isn't any systemic government practice to eliminate opposition or persecute people for their beliefs.

People can take issue with the US military, but without her might the world would be a much more dangerous place. During the ouster of Libyan leader Qadaffi (mistake), the other NATO countries involved could not function without US assistance of command and control. Europe was at a stalemate in their war until the US entered in 1917. Europe again was in the throes of war until the US entered in 1941; without which Russia would have dominated most of Europe because Germany could not have defeated Russia and England on her own could not have defeated Germany, nor could Britain have stopped a Russian westward push. Korea was a United Nations operation with a multitude of nations involved, but essentially a US led campaign. Vietnam was a cold war proxy fight, and the US could have crushed North Vietnam but the goal was not to topple the Hanoi government, but to keep South Vietnam free, which was accomplished until the US left. South Vietnam didn't have the command and control to fight the North on their own.

Take your childish rhetoric elsewhere and grow up and face reality.

October 25, 2016 7:37 AM

Karen on Security of Password Managers:

Non-computer-security person here. I have no desire to read a research paper full of computer jargon I won't understand so I'd like to ask directly.

I have about 20 different passwords that I feel are of good quality running through my head. Only problem is I frequently forget which password I used for what site, or which version of said password I used. Thus, I have to reset the stupid thing, putting one more password in my head. I'd really like to use this little fingerprint reader on my laptop for all my passwords or for that matter a retinal scanning device but, alas, that will not do.

I was really hoping for a yes password managers are a good idea, or only if you use a good one (examples), or no don't use them-a piece of paper is safer. Would someone please respond with one of those choices please?

October 25, 2016 7:19 AM

Ted on How Different Stakeholders Frame Security:

From Josephine’s paper 'What we talk about when we talk about cybersecurity: security in internet governance debates'

“...focus on more specific threats and issues within that space as a means of preventing themselves from succumbing to a façade of agreement without grappling with the sources of disagreement that linger just below the surface...”

Although the following example does not highlight a specific clash between stakeholder groups involved in internet governance -- governments, private industry, and civil society -- it does provide a case of developers establishing a rigorous testing environment to evaluate models of applied designs.

Earlier this year, the Industrial Internet Consortium (IIC) developed a security evaluation environment -- the "Security Claims Evaluation Testbed." It is now one of many IIC testbeds that have been created for hands-on system security testing.
The “Security Claims Evaluation Testbed” allows for the testing of a configurable cybersecurity platform that includes endpoints, gateways, and other network components. Data sources can include industrial, automotive, medical, manufacturing, smart grid/energy, and other market segment endpoints.
The testbed allows developers to evaluate the security of their applications, products, and services to ensure they align with the IIC Security Framework prior to product launch. What is learned can be integrated into forthcoming versions of the framework.

Are testing modules available for the legal and social analysis of internet policies and events? With an analysis scope that extends beyond the technical micro-system?

There is an interesting online class 'Creative Problem Solving and Decision Making' that breaks down complex problem-solving by defining and analyzing the following five elements: actor analysis, goal analysis, causal analysis, alternative analysis, and scenario analysis. I wonder if a program could be designed to collect and test various scenarios before new policies are drafted.

October 25, 2016 6:35 AM

The Rt Hon Jim Hacker on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

"It's actually got to the point where to say you are "an old school hacker" can and will be used against you in a court of law...."

link (especially whether this is just the good old prosecutor's dishonesty, or more) ?

October 25, 2016 3:55 AM

fajensen on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

Sure, "offensive" twittering stern warnings for months ahead and letting ISIS run off into Syria will be "Another Milestone in The War on Terrorism".

Notice how these goons always and for ever confuse Effort and Input with Results? Because that's their game, burning through vast resources and never, ever, fixing the problem that giveth the Funding. Rather, their actions (and inactions) will compound and expand the problem; this provides Growth in the Funding.

The UK is back to training "Freedom Fighters" (to fight Freedom in Syria, of course). Because no serious politician today can just leave a big, fat, fiasco alone; No, it absolutely must be compounded and doubled-down on.

Is it still a wonder why a vote for the un-serious politician is considered the less effective evil, the moral choice!?

October 25, 2016 3:50 AM

Wesley Parish on Friday Squid Blogging: Which Squid Can I Eat?:

@Europe vs American Models

"People with conscience and morals used to run America. Now its tax dodging, profit minded Wall St backed corporations using big-data to crush competition."

That's rather an oversimplification, and plays right into the hands of the US. It's interesting to examine what the others think of that:

The simple truth is that the US government never intruded on the rights of anyone who could fight back either in the courts or the battlefield unless they had overwhelming advantage; likewise US big business - you should read Norbert Wiener. In one of his books, in the preface or epilog (I've forgotten which one: I thought it was God & Golem, but I've misplaced my copy) the person giving the biography tells about his former opposition to workers' rights and the change in mind occasioned by discovering just how petty, low and stupid the bosses actually were as compared with the dignity of the workers he met and came to like. A bit of US union history might work wonders: everybody's taught that the unions established themselves through violence: what nobody ever acknowledges is that the bosses hit first and bloodiest. They only conceded when they were outfought.

Norbert Wiener?
ht tps://

October 25, 2016 3:50 AM

TJ on DDoS Attacks against Dyn:

@Sancho_P: You mean like printer cartridges that are 30% the cost of a new printer retail, CPU and GPU that have 5-15 year usefulness (GPUs typically less recently), the nightmare that is NAND and NOR wear leveling that nobody brings up when the subject of SSD and thumb-drives comes up, and such?

DDOS? Improve DNS infrastructure and fix reflection and someone will still use malware propagation to gain enough to overwhelm.. Especially given how everything has fine-grained metering in the name of capitalism and profit is king in the modern world. Never mind ISP fiber links, DHCP, and downstream congestion..

October 25, 2016 3:31 AM

Thoth on Friday Squid Blogging: Which Squid Can I Eat?:

@Markus Ottela
In my original Root of Trust design above, I did mention that keys are not exportable. Once the user enters the correct secrets into my smart card scheme, it turns into an encryptor assuming you don't have a ton of things to encrypt since I assume the encrypted database would not be more than 300 KB ?

The smart card can also be doubled as a message encryptor like Project Vault which can be adapted to. The drawback is that smart cards are rather slow encryptors so they are mostly suited for signature checking and unwrapping the KEK.

October 25, 2016 1:59 AM

ab praeceptis on Friday Squid Blogging: Which Squid Can I Eat?:

Markus Ottela

"Curve25519 is the weakest link..." - Of course, as is PK Crypto generally. For one the quality of numbers used, in particular of primes, often isn't exactly ideal. Plus, of course, the sword of pq (I took the liberty of handing Damokles a post-crypto sword *g) is hanging over our PK crypto.

I've played with a "bandaid" idea for a while. "bandaid" because it doesn't avoid the pq problem but makes it relatively cheap to use a "PK ratchet" (pardon my english).

The logic is this: When choosing the private key for Curve25519 ECDH, why not choose one that is prime and can serve as input for stage 2 (RSA)? If the price isn't too high, we can at least protect ourselves against either one of them broken. The effectively used SK for sym crypto could then be, say hashed(SK 1) xor hashed(SK 2) (or whatever mangling recipe you like).

"Twofish, AES and SHA3-256-CTR" - luxury for later, not at all urgent. As you correctly stated, PK is the hot zone. The sym. algos are damn well analyzed and tested and deservedly well established.

"bcrypt, scrypt and argon2" - Argon2 was the winner in the contest and for good reason. *If* you want to have alternatives, have a look at the other finalists. Interesting and worth a good look anyway.

"I'll take a look at the mypy when I find some time." - Do yourself (and your project) a favour and find that time *soon*. MyPy is a very simple and comfortable way with next to 0 learning curve to have your python code (pseudo but checked) statically typed. Doing crypto with dyn. typing is just inviting trouble it seems to me.
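The combining step of the "PK ratchet" idea above, as an added example that is not part of the comment or of any project discussed here: two independently obtained shared secrets (one standing in for Curve25519 ECDH output, one for an RSA key transport; both are constructed sample bytes, since the exchanges themselves are assumed to have run already) are fed through HKDF (RFC 5869, HMAC-SHA256) rather than XORed, with the public transcript bound in through the info field. The `transcript` argument and the labels are assumptions of this example.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # HKDF-Extract (RFC 5869) with HMAC-SHA256
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # HKDF-Expand (RFC 5869) with HMAC-SHA256
    out = b""
    block = b""
    counter = 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def combine_shared_secrets(ecdh_secret: bytes, rsa_secret: bytes, transcript: bytes) -> bytes:
    """Derive one 32-byte symmetric key from two independent shared secrets.

    The secrets are concatenated with explicit length prefixes so the boundary
    is unambiguous, then run through HKDF.  The output stays unpredictable as
    long as at least one of the two inputs is; the transcript (the public
    values the parties exchanged) is bound in through the info field so the
    same secrets in a different session give a different key.
    """
    if len(ecdh_secret) != 32:
        raise ValueError("expected a 32-byte Curve25519 shared secret")
    ikm = (len(ecdh_secret).to_bytes(2, "big") + ecdh_secret
           + len(rsa_secret).to_bytes(2, "big") + rsa_secret)
    prk = hkdf_extract(b"hybrid-ecdh-rsa-v1", ikm)  # label is an assumption
    return hkdf_expand(prk, b"session-key|" + transcript, 32)


# Constructed sample inputs standing in for the outputs of a Curve25519
# exchange and an RSA key transport (both assumed to have been run already).
ECDH_SECRET = hashlib.sha256(b"constructed x25519 output").digest()
RSA_SECRET = hashlib.sha256(b"constructed rsa-kem output").digest()
TRANSCRIPT = b"constructed: pkA|pkB|nonceA|nonceB"


def demo() -> bytes:
    return combine_shared_secrets(ECDH_SECRET, RSA_SECRET, TRANSCRIPT)
```

Length-prefixing the two inputs matters: without it, a shorter ECDH secret followed by a longer RSA one could encode the same byte string as a different split, and a KDF over ambiguous input is a classic source of subtle weakness even when the primitives themselves hold.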

October 25, 2016 1:40 AM

Eliot Lear on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

Bruce, we have an active battle going on and I hope that nobody would be surprised that both sides are going to use whatever tools they have at their disposal to win. In fact one wonders if either side has ever seen Star Trek II. A more interesting case is where there is no such active battle or any sort of declared conflict. One example is Stuxnet, where one could argue it actually saved IRANIAN lives by averting a bombing.

October 25, 2016 1:20 AM

ab praeceptis on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

Clive Robinson

@ Hate,

Hate the word "cyber" so very much. It's cringe incarnate.

Yup you are not the only one even Bruce made comment on it at one point.

Let's CYBERhate that word!!!

October 25, 2016 1:11 AM

ATS on DDoS Attacks against Dyn:


nope, reprogramming isn't an issue. Most of the bot code out there for IoT doesn't even bother updating the firmware. These devices are generally always-on devices. So all you need for an infection is a live exploit, never have to touch the flash firmware. And by their nature, routers tend to be live systems running out of and using RAM. They also tend to run COTS OSes like stripped Linux due to cost issues.

Routers tend to run programs like firewalls et al. In fact, the primary problem with most home gateways/routers is that they aren't ever updated, either because the manufacturer doesn't do updates or the customers just never install them. Making it so that they cannot be updated won't solve the problem at all, these things are running real OSes because they basically need to and no software is ever going to ship bug/exploit free.

In almost all cases, the issue for IoT devices is that they are treated as throwaway devices never receiving any post-sale support. In a sane world, the following would be true:

1) IoT devices require a password change to function.
2) IoT devices default to an automated update scheme using secure cryptographic hashes.
3) IoT device makers support security updates for a minimum of 5 years.

Those are the bare minimum requirements for IoT devices to remain viable going forward. Any solution that starts with IoT devices being non-updatable is just a non-starter. You wouldn't buy a corporate or personal firewall that couldn't be updated because you KNOW there will be bugs and exploits. You wouldn't use a computer that cannot be updated because you KNOW there will be bugs and exploits. Hell, for mainstream CPUs where roughly 1/2 the development budget is spent on validation and verification and it is taken very seriously, bugs still exist and bugs are still found years after they are shipped.

Also, people blaming UPnP are barking up the wrong tree. UPnP is a reality. It is not going away. The problem isn't UPnP. It is default passwords and unsupported software/hardware. Those two things make up 100% of the attack vectors. Sure without UPnP, the devices wouldn't exist in the first place, so something not called UPnP but doing the same thing would exist instead.
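Point 2 of the list above, an update path that the device can check with cryptographic hashes, as an added example that is not from the comment or from any vendor: the update carries a small manifest (version, SHA-256 of the image, authentication tag) and the device checks it in a fixed order: authenticity first, then anti-rollback, then the image hash. The manifest is authenticated here with HMAC under a per-device key, an assumption made so the example runs with the standard library alone; a production design would verify a public-key signature so the device holds nothing that could forge manifests. The field names and the key are constructed.

```python
import hashlib
import hmac
import json

# Assumed: a per-device key provisioned at manufacture (constructed here).
DEVICE_KEY = b"constructed-per-device-update-key"


def _manifest_tag(key: bytes, version: int, image_sha256: str) -> str:
    # MAC over a canonical encoding of exactly the fields the device acts on
    canonical = json.dumps({"version": version, "sha256": image_sha256},
                           sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_manifest(key: bytes, version: int, image: bytes) -> bytes:
    """Vendor side: describe an image and authenticate the description."""
    digest = hashlib.sha256(image).hexdigest()
    return json.dumps({"version": version, "sha256": digest,
                       "tag": _manifest_tag(key, version, digest)}).encode()


def verify_update(key: bytes, manifest: bytes, image: bytes, installed_version: int):
    """Device side: returns (accepted, reason)."""
    try:
        m = json.loads(manifest)
        version, digest, tag = int(m["version"]), str(m["sha256"]), str(m["tag"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed manifest"
    # 1. Authenticity first: nothing below is trusted until the tag checks out.
    if not hmac.compare_digest(_manifest_tag(key, version, digest), tag):
        return False, "bad mac"
    # 2. Anti-rollback: an authentic but older image must not be reinstalled,
    #    or an attacker could push a known-vulnerable release back onto the box.
    if version <= installed_version:
        return False, "rollback"
    # 3. Integrity of the image that was actually downloaded.
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), digest):
        return False, "hash mismatch"
    return True, "ok"


# Constructed sample images
IMAGE_V7 = b"constructed firmware image v7"
IMAGE_V8 = b"constructed firmware image v8"
```

The hash check alone does not give you a secure update path: an unauthenticated manifest lets anyone who can tamper with the download also tamper with the expected hash, and without the version comparison a correctly signed old image is a perfectly valid downgrade attack.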

October 25, 2016 12:55 AM

Bill Gates on Did Kaspersky Fake Malware?:

That's not "faking" malware!

Thanks Krebs for another click bait moron-a-thon.

If someone was cheating off your paper in High School and you intentionally wrote down wrong answers and the cheater got an F, would you then give the person whose test was being copied without permission detention???


This article is absurd, and the comments are absurd. Kaspersky has issues, but it does more than a lot of these companies who basically have done nothing with their product engines for 10 years in some cases.

October 25, 2016 12:36 AM

Clive Robinson on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

@ Hate,

Hate the word "cyber" so very much. It's cringe incarnate.

Yup you are not the only one even Bruce made comment on it at one point.

However we've lost the war on this, just as we did on the misuse of "Hacker" by the "know nothing" --except how to manipulate-- journos and politicos...

It's actually got to the point where to say you are "an old school hacker" can and will be used against you in a court of law....

Such is the power of the "know nothings" to pervert society.

October 25, 2016 12:18 AM

Clive Robinson on President Obama Talks About AI Risk, Cybersecurity, and More:

@ r,

Linus is popular with a certain crowd because of his sometimes colourful outbursts. Some call it "character" others "entertainment". Either way it raises a smile when I read the more publicized ones.

It also needs to be said that he is more often right than wrong, which makes him immensely irritating to some, who thus tend to over react when he does make a mistake in their eyes.

But when all is said and done, he does a job for which few have either the talent or the stamina, and thus his short pithy statements can be seen as a time saving measure.

October 25, 2016 12:00 AM

Clive Robinson on Friday Squid Blogging: Which Squid Can I Eat?:

@ Joshua Pritikin,

Squid is loaded with cholesterol. Eat it at your peril

It's a complex, ill-understood subject at best... Not all lipids are the same; if you ask, most doctors will tell you the "HDL good, LDL bad" advice. The problem is the evidence behind the mantra is not as clear cut as many portray it. There is also good LDL as well as bad, but the cost of the tests to differentiate is almost eye-wateringly high.

Further have you ever asked how much dietary LDL cholesterol makes it across the gut barrier to directly become LDL blood cholesterol?

The answer is nowhere near as much as many have tried to make you believe in the past (or currently). It turns out on investigation that the liver is responsible for most of the LDL in your body.

The liver manufactures and secretes LDL into the bloodstream, and does not require any dietary cholesterol to do so. What is not clear is what all the LDLs it produces are for...

Part of this is that there are receptors on your liver cells that can "monitor" and try to adjust the various LDL levels. If however, you have fewer liver cells (which some people do due to genetics), or if they do not function effectively, the various LDL levels may rise. But there may be other reasons for the rise in certain LDL production.

For reasons of "doctrine" and "funding sources" [1] few experiments were carried out in the past into what effect sugar has in the body's reaction to its effects (the Keys "Sugar good, Fat bad" mantra). This is now changing and more balanced research is being carried out, and steadily it is being found that whilst some LDL causes plaques in the arteries, it appears to be as a defence mechanism to other effects, some of which are caused by sugar...

We by no means have all the answers, but unlike the last forty to fifty years we are now starting to do the research... So time will hopefully produce more answers. But one thing that is hard not to notice is that the epidemic of heart attacks, strokes, TIAs, stones etc that has hit the western world appears to be historically a delayed consequence of our "sweet tooth" and "salty tongue" and excess calorific intake from simple carbohydrates.

One thing that is becoming recognised is that "sugar" triggers a response in the brain that, unlike proteins, does not sate our hunger / appetite. It's been argued that this is a survival mechanism. The reason is that simple carbohydrates like sugars are only plentiful in late summer and early autumn in non-equatorial regions. This is at a time when many animals lay down fat stores to see them through the winter months when all forms of plant foods are scarce, thus some even hibernate. It therefore appears logical to assume similar mechanisms are part of human survival.

[1] See history of "pure white and deadly" and other articles about Keys deliberate misreading of his own study and the funding sources from the "corn syrup" industry and the effects they had on what research was done.

October 24, 2016 10:35 PM

Markus Ottela on Friday Squid Blogging: Which Squid Can I Eat?:

@ab praeceptis

"While I consider NaCl an excellent choice it might be desirable to provide a fallback and to not put all eggs into one basket."

Curve25519 is the weakest link, not XSalsa20. I've given this some thought since I deprecated OTP and CEV versions. With the current version, 2-3 algorithms could be used in cascade for PSKs. It wouldn't be too hard to implement either, most of the work was done when writing CEV version: The options are Twofish, AES and SHA3-256-CTR.

The issue is local key's key decryption key would have to be 100 or 150 chars instead of current 50 to ensure no weak links in security (if rest of the keys are delivered over just XSalsa20, there's no added security if adversary compromises the networked computer and breaks the encryption).

"Sampling (i.a.) random through SSH over ethernet seems to be an inconsistency actually weakening your design. It might be worthwhile to use NaCl there, too."

NSA likes to talk about red/black concept. According to this jargon, TxM that outputs ciphertexts is what's called a blacker. In theory it would be possible to have an entire isolated network of systems that use the TxM as a gateway; The HWRNG is an element in such network: it sits behind data diode so it can not be exploited:

The TCB base is of course wider but the installer is just for convenience. It would take the user 10 minutes to type the sampler program on Raspbian without it ever having been connected to the Internet. Otherwise, the Ethernet connected HWRNG sampler RPi stands pretty close to the threat model of TxM.

"PBKDF2-*? From what I understand that is mainly used in contexts that require it (e.g. smartcards). Wouldn't there be more attractive KDFs/Hash ratchets (e.g. Argon2 (PHC winner))?"

This is definitely something that needs improving. Most of the attacks are done with parallel CPUs. I'm going to have to look into the differences between pbkdf2, bcrypt, scrypt and argon2, find a library and test vectors and run some performance tests but yes, it will be done.

I'll take a look at the mypy when I find some time.


@Clive Robinson

"some of [us] would like to be able to put in the same level of effort in our own non-employment coding projects"

It's come with a cost on everything else in my life but I feel it's worth it.

"hopefully a "well done" will sound better."

You made my day! (:



TFC works as long as there's no pre-compromise of TxM (malware outputs keys to network). If this attack doesn't happen, data diodes provide security until the adversary does their next optimal move: Exploit serial stack and inject malware to RxM that has access to RAM and a key logger. This way it can access master password, PIN and ultimately master key, that can decrypt persistent data. The sensitive keys or plaintext data stored by malware is then exfiltrated by attacker that compromises the end point physically.

If the smart card returns the static master decryption key (hash of signed password) to RxM, the malware can grab it from the memory and store it in plaintext. Even if the smart card would yield a new symmetric encryption key every time, malware could still store all keys or all displayed plaintext messages separately.

TFC's current persistent data encryption works against medium strength adversaries that haven't compromised RxM but are accessing TFC files when user left screen unlocked. In this context Yubikey's static password provides similar protection against brute force to that of a smart card with one significant drawback: If user leaves Yubikey on table, the entropy takes a few seconds to copy to personal device. Smart cards on the other hand require the PIN before they yield the key. So user can make a lot of effort to ensure future mistakes won't have dire consequences. This is worth looking into, but then again, it's the high strength adversaries and physical compromise by HSAs we're worried about.

If smart cards would be used, best application would be ephemeral conversations, where the forward secret symmetric keys are generated based on public keys, stored and used inside the smart card. Similar to what the Google Project vault's messenger does. That way the malware on RxM would have yet another layer up against it. Malware could still log plaintext messages displayed from the point of compromise onwards, but impersonation would be an infeasibly hard problem. A pre-requisite for this would be to have a capacitive numpad integrated into the smart card surface. That way infected RxM would have no access to PIN.

I have no expertise with smart card programming and use so I can't say how much effort this all would add to end users, but if it's doable, then any usable guide would be worth trouble integrating into TFC.



"Have you seen [data diode designs and discussion from last week]?"

Apologies, getting the release out took most of my time. The data diode design and article is fantastic. All the necessary information is there. Rx side is powered by the RxM so that's a huge plus. I have a USB-TTL converter lying around somewhere but local stores do not carry the optocoupler model, so testing is going to have to wait. The material looks great: I'd love to add the article to TFC wiki (you'd get the credits naturally), if you don't mind that is.

As for the trust in hardware, COTS has its risks, and the functionality of the optocoupler isn't verifiable anyway. I would imagine though that if the local electronics store that carries these components is infiltrated and the adversary hands out an IC with malicious logic, the user is targeted to the extent that one or another close access operation will get them in the end.

The only way to mitigate this is to make the original design work with a phototransistor that replaces the PNA1801LS. A list of compatible LED-phototransistor pairs is really needed.

The paper by Jones et. al. gives following specs to phototransistor:

handles 20mA forward current at 15 volts
collector current of at least 3mA at 500 Lux
peak sensitivity near 800nm
4μs response time

the LED would have to have

maximum current rating of 20mA
2.2V nominal forward voltage drop
Non-diffusing package

I'm not sure if the Panasonic LN28RCPP and LN28CPP LEDs are still in stock somewhere.

The great thing about these simple components is it's much harder to hide logic inside them so ordering from online store would be almost risk-free.

"Imagine to wait 3 minutes only to see “Failed, checksum error” on the receiving side."

The latest version of TFC features Reed-Solomon erasure codes (used e.g. in CDs) so that should fix most of the transmission errors:

"I don’t know if @Markus Ottela ran into speed issues because of the converters, the coupler or whatever (USB, OS, TFC SW). It seems he didn’t see the proposal or doesn’t find the time to acknowledge."

The issues were with optocoupler. The simple wire-based data diodes (left-most) have handled RS232's 115200 bd/s fine.

"I guess any automated feedback would be a no go for a data diode as it would constitute an information channel back to the source"

I agree. I'd rather make all the retransmissions in the world than risk covert return channel.



"There *could* maybe be some kind of crazy attack there over powerlines thru a powersupply but not worth it IMO to fully prevent that."

I pondered about this for some time. My threat model is mainly batteries dying on me when I'm demoing the system so it's fine for me. Some users might consider the side channel risk too big. A DC connector leaves room for options from power supplies to large battery packs.

RE: I wonder if shared ground loop was the reason I got so terrible readings with my scope when trying to analyze the bare output of USB-TTL adapter. Will have to investigate

"Have you experienced any errors yet?"

This question was directed to Sancho_P but I'll just say that outside what bad Python code has caused, not really. The CNY75A works very reliably at 9600 bd/s and during testing where I sent packets together with their checksums, not even 19200 bd/s had any issues (hence the speedup in latest version). The reason I did not use faster speed since beginning was my scope displayed slight latency in rising edges.. Turns out it wasn't a problem.

"You'd prefer silent fail?"

Unrecoverable transmission errors display warning to user:



IIRC it was Frederic Jacobs who talked about pip using no authentication over downloaded packets.
The SHA256 hashes might do the trick so I'll have to re-investigate.

The docstring is incorrect, 768 is valid length for entropy queries (It really confuses when docstrings are out of date. This will be fixed).

I'll have to dive deeper into the input validation check but huge thanks for pointing this out!

Duplicate code is a big issue. At some point the code is going to have to be rewritten from start into smaller packages. "Simple is better than complex" but having slightly different implementations of each function for different programs might be just bad design.

Global variables are a problem too, I've tried to keep the number at absolute minimum.

Again, thank you so much for taking the time to review the code! I've much to learn but it'll get there.
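The two points made in the post above, that Reed-Solomon erasure coding can absorb transmission errors over the diode and that no automated feedback channel is acceptable, as one added example that is not TFC's code and not the library TFC uses: the sender splits a message into k data blocks, adds n-k parity blocks computed over GF(256), and frames each block with its index and a CRC-32. The receiver discards any frame whose CRC fails (an error of unknown position becomes an erasure of known position) and reconstructs from any k surviving frames by Lagrange interpolation, never needing to tell the sender what was lost. The frame layout, the 2-byte length prefix and the sample message are constructed for this example.

```python
import zlib

# GF(2^8) arithmetic with the primitive polynomial x^8+x^4+x^3+x^2+1 (0x11d)
_EXP = [0] * 512
_LOG = [0] * 256
_x = 1
for _i in range(255):
    _EXP[_i] = _x
    _LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= 0x11D
for _i in range(255, 512):          # doubled so mul never needs a modulo
    _EXP[_i] = _EXP[_i - 255]


def gf_mul(a: int, b: int) -> int:
    if a == 0 or b == 0:
        return 0
    return _EXP[_LOG[a] + _LOG[b]]


def gf_div(a: int, b: int) -> int:
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(256)")
    if a == 0:
        return 0
    return _EXP[(_LOG[a] - _LOG[b]) % 255]


def interpolate_at(points, x: int) -> int:
    """Lagrange interpolation over GF(256): the value at x of the unique
    polynomial of degree < len(points) passing through the given (xi, yi)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, x ^ xj)     # subtraction is XOR in GF(2^8)
                den = gf_mul(den, xi ^ xj)
        total ^= gf_mul(yi, gf_div(num, den))
    return total


def _frame(idx: int, block: bytes) -> bytes:
    # constructed frame layout: index byte | block | CRC-32 over index+block
    body = bytes([idx]) + block
    return body + zlib.crc32(body).to_bytes(4, "big")


def rs_encode(data: bytes, k: int, n: int):
    """Split data into k data blocks and add n-k parity blocks, each framed
    with its index and a CRC-32 so the receiver can tell good from bad."""
    assert 0 < k < n <= 256 and len(data) < 65536
    payload = len(data).to_bytes(2, "big") + data   # length prefix, then pad
    size = -(-len(payload) // k)                     # ceiling division
    payload += b"\x00" * (k * size - len(payload))
    blocks = [payload[i * size:(i + 1) * size] for i in range(k)]
    # Per byte column, data block i holds p(i) for a polynomial p of degree
    # < k; parity block x (k <= x < n) holds p(x) on the same polynomial.
    for x in range(k, n):
        blocks.append(bytes(
            interpolate_at([(i, blocks[i][c]) for i in range(k)], x)
            for c in range(size)))
    return [_frame(i, b) for i, b in enumerate(blocks)]


def rs_decode(frames, k: int, n: int) -> bytes:
    """Reassemble from any k frames whose CRC passes; raise if fewer survive."""
    good = {}
    for f in frames:
        if len(f) < 5 or zlib.crc32(f[:-4]) != int.from_bytes(f[-4:], "big"):
            continue                                 # corrupted: treat as erasure
        if f[0] < n:
            good[f[0]] = f[1:-4]
    if len(good) < k:
        raise ValueError("only %d of the %d blocks needed are usable" % (len(good), k))
    survivors = sorted(good.items())[:k]
    size = len(survivors[0][1])
    blocks = []
    for i in range(k):
        if i in good:
            blocks.append(good[i])
        else:                                        # rebuild a lost data block
            blocks.append(bytes(
                interpolate_at([(x, b[c]) for x, b in survivors], i)
                for c in range(size)))
    payload = b"".join(blocks)
    length = int.from_bytes(payload[:2], "big")
    return payload[2:2 + length]


def corrupt(frame: bytes, pos: int) -> bytes:
    """Constructed line noise: flip every bit of one byte of a frame."""
    return frame[:pos] + bytes([frame[pos] ^ 0xFF]) + frame[pos + 1:]
```

Because each frame carries its own index, the receiver needs no knowledge of what the sender did beyond k and n, and the sender needs nothing back: sending the whole set again later is the only "retransmission" available, which matches the no-return-channel constraint. Turning detected errors into erasures is also what keeps this decoder small: an erasure costs one parity block, whereas correcting an error at an unknown position with full Reed-Solomon decoding costs two.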

October 24, 2016 10:21 PM

Billy on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

There's not much cyber in Mosul to attack. ISIS has shut down all the cellular networks in Mosul. They even make residents turn in their satellite dishes so they can't watch TV.

I also read that if people want to leave Mosul, ISIS makes them leave a family member behind as a hostage and if you don't return to the city in 10 days they will kill that person.

I don't see how the US lead coalition plans on evacuating 1 million civilians out of Mosul when those people have no access to the internet or TV. Not to mention that ISIS won't let them leave the city even if they wanted to.

The attack on Mosul is looking like Aleppo version 2.0 . Only this time it's USA doing the bombing instead of Russia. So I doubt we'll see western media splash pictures of children being pulled out of the rubble in Mosul like we saw in Aleppo.

October 24, 2016 9:37 PM

TJ on Bypassing Intel's ASLR:

NX, ASLR, Heap Cookies, RET/stack cookies, MPX, SGX were all defeated without side channels within weeks and months. Write-back hashing is the only undefeated protection and it's only in a couple embedded systems like the xbox 360 and requires handler modification else it blocks everything from stack execution to page table glitching.

They all sell like anti-virus subscriptions though, even though they are obviously limited.

October 24, 2016 6:32 PM

gordo on Security Economics of the Internet of Things:

City banks plan to hoard bitcoins to help them pay cyber ransoms
Experts say blue chip companies have decided it’s cheaper to deal with extortionists than risk damaging attacks
The Guardian | Jamie Doward | Saturday 22 October 2016 22.30 BST Last modified on Monday 24 October 2016 17.56 BST

“The police will concede that they don’t have the resources available to deal with this because of the significant growth in the number of attacks,” Moores said. “From a purely pragmatic perspective, financial institutions are now exploring the need to maintain stocks of bitcoin in the unfortunate event that they themselves become the target of a high-intensity attack, when law enforcement perhaps might not be able to assist them at the speed with which they need to put themselves back in business.”


“Big companies are now starting to worry that an attack is no longer an information security issue, it’s a board and shareholder and customer confidence issue,” Moores said. “What we are seeing is the weaponisation of these [hacking] tools. It becomes a much broader issue than businesses ever anticipated.”

October 24, 2016 5:38 PM

Sancho_P on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

Offensive cyber for the first time, that will change everything !!! Hope !!!

Islamic “State”, militarized rebels - a couple of barbaric illiterates, supported by an endless stream of western logistics, weaponry and ammunition.
How many years are we already keeping that fire burning?

Because we, the western allies, have to burn the incredible debt we’ve accumulated in exchange for the black gold.
Look at Libya. Gaddafi dead, debt dead. Hillary for President.

Offensive cyber will stop the “war”, for sure.

October 24, 2016 5:19 PM

Upper-class Twit of the Year on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

Looked at the headline, thought, What kind of shithead mouths the mortifying bafflegab 'cyber' as a noun?

Ah. Who but Fallon, crooked as the day is long, knows nothing about defense except where to pick the bags of money up. A perfect puppet for NATO. Telling, that Britain's elite keyboard commandos are going over the top from the safety of their cubicles. The Brits are one step above Togo in the motley coalitions nowadays, and any attempt to pretend otherwise threatens to dislodge Scotland. Why do these feckless pedo snools still have the veto? They can't play with their Trident rubberduckies without Washington's permission, and they can't even torture helpless captives right.

October 24, 2016 5:08 PM

Sancho_P on Security Economics of the Internet of Things:

@Pressed Rat

@Bruce is right when he said “But the only way for you to update the firmware in your home router is to throw it away and buy a new one”

Nope, unfortunately not.
Be careful whenever you hear “buy”, whoever tells you …

… Oh yea, just throw away your old thingamajig and buy a new one, like this
luxury super cheesy D-Link DWR-932 B LTE router:

and have fun!

October 24, 2016 4:15 PM

Sancho_P on How Different Stakeholders Frame Security:

@Bruce: I miss your “good article”, was it done deliberately? (I’d vote for very …)

The paper distinguishes between two groups: Pro and contra.
This is obvious but not helpful, on the contrary, as it polarizes us human beings
into the most unnatural digital form, only useful to stupid machines, 0 and 1.
Republican or Democrat, paranoia or blind, America or Russia, …
Nonsense, the world is round and colorful, not flat / black and white.

I propose to see three basic groups: The good, the neutral, and the bad.
All other groups consist of these basic types:
Americans, rich, yellow, conservatives, elderly, … whatever.

Our society works because we, the society, try to take out the worst of the bad.
Result is: The good outnumber the bad.

Whenever society creates a broader group having impunity the society will fail.

—> Try to identify the group(s) with impunity in this topic’s struggle.

October 24, 2016 4:03 PM

r on Intelligence Oversight and How It Can Fail:

@Humble Pheasant,

It's considerably easier than letting the legal beagles out of their cage, think Missouri think Texas... It's only a matter of time, if we couldn't identify JFK's assassin what makes you think that when that tree falls in the forest of oblivion we'll actually hear the break?


October 24, 2016 3:16 PM

Ross Snider on UK Admitting "Offensive Cyber" Against ISIS/Daesh:

An interesting acknowledgement, however late it is coming.

Much of the cyberwarfare work against the Islamic State Group and the Government of Syria has been propaganda/messaging campaigns, launched to control narrative and widespread understanding of legitimacy. It would be interesting to see inner workings of information campaigns from Qatar, Saudi Arabia, Turkey and other countries that have sought to magnify extremist Sunni Salafists including the Islamic State Group.

There's other aspects to shutting down particular arenas of conversation: digital and telecommunications infrastructure used by the Islamic State Group to organize can be disrupted in what to disrupt the decision cycle - in an attempt to paralyze the operations of the adversary.

As the group has taken Mosul it's also likely that some critical and civilian infrastructure in the city are running connected to the grid, and disruption of this infrastructure can deny the defensive operations options and make defending the city (without water, power, etc) less attractive - a kind of attrition warfare.

These are the kinds of 'operational details' that would be incredibly interesting to hear more about both because it informs what kinds of capabilities are available and effective when performing an invasion and to understand what ratios between operation types lead to effective outcomes when facing insurgent groups claiming to be freedom fighters against local oppression and foreign intervention. As a group that has had massive success exploiting the vacuum in the proxy war, Mosul may be one of the first and best case studies in hybrid warfare against this kind of militarized rebellion force.

October 24, 2016 2:45 PM

My Info on How Different Stakeholders Frame Security:

Internet "stakeholders" have a portfolio of "stakes" in AAPL, GOOGL, MSFT, FB, YHOO, TWTR, ORCL, CRM, SAP, RHT, etc. Who else do you think they're talking about?

Getcha stawwwk!!! Good dividen'-payin' stawwwk!!!

October 24, 2016 2:20 PM

AlanS on DDoS Attacks against Dyn:

The lesson from this is that the "Security Lessons from a Power Saw" are dependent on figuring out the sociology/economics/politics of getting companies to take product security seriously. The IoT is the poster-child for: "we can't be bothered with even minimal security even when we know this will create a Tsunami of Shit at some later point". Recently I was at a dinner and ended up sitting next to someone who works for a well-known company that sells "home automation" products. When I mentioned DDoS and the apparent lack of motivation for IoT companies to invest in security, he agreed and said it was all about "time to market".

October 24, 2016 2:04 PM

Jesse Thompson on How Different Stakeholders Frame Security:

I do not understand why security is so frequently framed as "where should power be centralized".

Feel insecure? Apparently that just means that you lack enough power to feel better about yourself, so you'd better fight other actors in order to wrestle their power from them.

But the reason this entire pattern is so disgusting is because Adam Smith answered this question once and for all in "The Wealth of Nations", one of the published materials coincident with the emancipation of the United States.

Put simply: power should concentrate into the hands of those whom it most directly affects. You as an agent will never profit as much by conquering your neighbor and robbing them of agency as you will instead respecting your neighbor and their agency and commencing trade with them.

This works both at the scale of government, and at the scale of individual, and in the conflicts between the two.

October 24, 2016 1:43 PM

CallMeLateForSupper on Friday Squid Blogging: Which Squid Can I Eat?:

From the Face-Palm file:
FUD and security theatre in Kemper County, Mississippi, have resulted in the enactment of an ordinance outlawing the wearing of a clown costume by anyone of any age, until 1 November 2016. Violators are subject to a $150 fine.

Clown: not OK
Assault Rifle: OK
WTF, over!

October 24, 2016 1:31 PM

Clive Robinson on How Different Stakeholders Frame Security:

I read,

    ... and in a sense, both would be right, except that each promotes a differently secure internet and society

The thing is they are not "Government Employees" like "Corporate Employees", they are "Civil Servants" which means they are "Servants of the Civilians". Thus they are not the masters but the servants, designated to work for the civilian population, not themselves be it directly or by having their loyalties subverted by a self selected few. It is after all what "We the people..." is all about.

The people have in the past decided that "we the people" should be secure in their homes, possessions and papers, except on articulable complaint to lawful authority. Likewise that no agents of the government such as troops be quartered in the people's homes.

Quite a number of gov agents believe that such considerations do not apply to them. Thus their definition of security is total subjugation of the population.

The two are clearly at odds with each other, and the only reason the gov agents can get away with it is by control of the "Guard Labour".

Thus there is also a considerable inequality of power between the gov agents and the people.

As long as the gov agents have control of the guard labour there can be no chance of the people having the privacy and thus security they have believed they are entitled to.

October 24, 2016 1:03 PM

pattigurl on DDoS Attacks against Dyn:

Marcel, you are correct. I've mitigated DDoS attacks from compromised hosts before but the rapid increase in IoT devices with open ports where users don't change default login credentials is really troubling. And that's just IPV4! :-/

October 24, 2016 12:54 PM

Ted on Friday Squid Blogging: Which Squid Can I Eat?:

IoT updates, patching, and taxes.

According to this WSJ article written by Deloitte Insights, IoT blurs the line between products and services. And there are different tax treatments for goods (eg: tangible products) vs services (eg: monthly subscriptions). Additionally, businesses will be taxed as a regulated utility if what they sell is deemed to be telecommunications.

Companies that generate increased revenue streams from service and communications-type offerings will face determinations made by regulatory and taxing authorities when they are audited.

There are significant administrative and technology-related costs associated with calculating and processing telecom-related taxes, fees, and surcharges. What constitutes telecommunications in one state may pass as a more basic service in another.

Often sorting out these issues requires litigation to finalize the appropriate tax treatment of certain offerings. According to the author, companies may benefit from designing business models around the IoT with the tax consequences in mind.

October 24, 2016 11:57 AM

albert on How Different Stakeholders Frame Security:

@Sok Puppette,

A dyed-in-the-wool academic, to be sure. Ironic that the gov't has the same security issues that J. Q. Public has.

Does the LE/IC have really great security in their systems?

Is the Internet broken beyond repair?

Enquiring minds want to know.

. .. . .. --- ....

October 24, 2016 11:49 AM

Pressed Rat on Security Economics of the Internet of Things:

> "If anything, more and more routers are now able to self-update"

> The DSL/router/wifi device I got from CenturyLink is able to download updates.

> In the six years I've been using it, how many updates were available?

> Zero.

Exactly this. Many, many cheap consumer routers never get firmware updates from the manufacturer. It isn't a matter of the device not supporting updates, but simply the lack of updates. Furthermore, even if updates are available they often use old unpatched libraries with known vulnerabilities that haven't been fixed because the library vendor has moved on.

Bruce is right when he said this:

But the only way for you to update the firmware in your home router is to throw it away and buy a new one.

There are good consumer routers out there that run supported OSS software. But they are in the minority because they cost more.

Ultimately I think the ISPs are going to deal with this by disconnecting badly behaving ports. They already do it for email.

October 24, 2016 11:40 AM

Daniel on How Different Stakeholders Frame Security:

and in a sense, both would be right, except that each promotes a differently secure internet and society, protecting different classes of people and behaviour from different threats.

Correct. Yet all this fancy phrasing does is convey what used to be known as "values" or even more broadly "culture". The question then becomes how does one go about resolving value conflict via cultural warfare. Once upon a time the answer to that question in America would have been "democracy" but to a large extent that answer is no longer possible. It is no longer possible when concentrations of power have been invested in certain institutions that feel they have the right to bypass democratic mechanisms in order to promote their own vision of the future (I am thinking of the CIA spying on the Senate). It is no longer possible to rely on democracy when the fourth estate feels the necessity to whip a propaganda machine into motion in order to blame outside parties for interfering in the democratic process (liberal panic over Russian intervention in the current election) rather than educate the populace on hard security problems. It is no longer possible to rely on democracy when one political party keeps undermining faith in democratic legitimacy by calling the system "rigged". In short, everyone agrees that democracy in the USA is broken somehow, but everyone is pointing fingers at some other party in order to maximize short-term benefits to themselves.

Of course, what plays out within a particular culture also plays out between cultures. It is difficult for the USA to take a credible international stance, however, when it doesn't have its own house in order.

October 24, 2016 11:39 AM

mark on Privacy Makes Workers More Productive:


You write, "...It never was, just about every piece of really independent research in this area has concluded that the average human is only mentally productive for about 4-6 hours a day..."

What I've heard was that the original Ford wound up going with the union pushing an 8 hour day, because his own research showed that workers on the line were less productive beyond that point (as opposed to, say, the 16 hour day that was still common at the time).

But All Computer People Know that They're So Important that they need to answer the boss when he calls with a bright idea he came up with at 01:30, and that working 10, 12, and 15 hour days just proves how critical they are to the company.... (personal time? family? those aren't important....)

I would have *LOVED* to join a union decades ago, so, for example, I could have gone to a union hall and gotten hired, rather than spending most of the Bush Recession of the first half of the oughts "between positions".


October 24, 2016 11:32 AM

Marcel on DDoS Attacks against Dyn:

@Some Guy:
It's even simpler than that. Normally every modem/router nowadays does NAT and as a side-effect blocks all incoming traffic already. Security-wise this is a good thing. But if you buy a Wifi-enabled security cam or PVR which you like to control with your smartphone from anywhere, you will have to configure your router to enable access to your device. This is complicated for non-tech-savvy people. They will call their ISPs to tell them their internet is not working.

This is why they invented UPnP. This allowed devices you connect in your house to ask your router to open a port, so they can be accessed from outside. This is in widespread use and requires no user interaction. So the customer is happy because everything works out of the box. The ISP is happy too, because he does not get all those support calls.

But with this, the foundation of the largest botnet ever is laid.

Simple solution: disable UPnP by default (or just remove it). Have people put in some extra effort if they want to open a port. Sooner or later that port will get abused.
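As an added illustration of the mechanism Marcel describes, and not code from the comment or from any router vendor: the following Python parses a constructed UPnP IGD AddPortMapping request (the SOAP action a LAN device sends to have the router forward a port, defined by the WANIPConnection service) and applies the deny-by-default policy he recommends, refusing everything while UPnP is off and, once an operator turns it on, still refusing permanent mappings and mappings to administrative ports. The sample requests and the LAN range are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Namespace of the UPnP IGD WANIPConnection service; its AddPortMapping action is
# what a LAN device invokes to have the router forward an external port to it.
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Internal services a device should never be able to expose on its own; telnet and
# HTTP admin interfaces with default credentials are what the Dyn botnet harvested.
MANAGEMENT_PORTS = {22, 23, 80, 443, 2323, 8080}

def soap_request(**args):
    """Build a constructed AddPortMapping envelope (sample data, not captured traffic)."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:AddPortMapping xmlns:u="{IGD_NS}">'
            f"{body}</u:AddPortMapping></s:Body></s:Envelope>")

def parse_add_port_mapping(soap_body):
    """Extract the AddPortMapping arguments, which are unqualified child elements."""
    # On live traffic use a hardened parser such as defusedxml rather than plain ElementTree.
    action = ET.fromstring(soap_body).find(f".//{{{IGD_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    args = {child.tag: (child.text or "").strip() for child in action}
    return {
        "remote_host": args.get("NewRemoteHost", ""),  # empty = any remote host
        "external_port": int(args["NewExternalPort"]),
        "protocol": args["NewProtocol"].upper(),
        "internal_port": int(args["NewInternalPort"]),
        "internal_client": args["NewInternalClient"],
        "lease_seconds": int(args.get("NewLeaseDuration", "0")),  # 0 = permanent
    }

def evaluate_mapping(mapping, lan, upnp_enabled=False):
    """Deny-by-default policy returning (allowed, reason): everything is refused while
    UPnP is off; when on, only finite-lease mappings to a LAN host on a non-admin port pass."""
    if not upnp_enabled:
        return False, "UPnP port mapping is disabled; open the port manually"
    try:
        client = ipaddress.ip_address(mapping["internal_client"])
    except ValueError:
        return False, "internal client is not a valid IP address"
    if client not in lan:
        return False, f"internal client {client} is outside the LAN {lan}"
    if mapping["internal_port"] in MANAGEMENT_PORTS:
        return False, f"refusing to expose management port {mapping['internal_port']}"
    if mapping["lease_seconds"] == 0:
        return False, "permanent mappings are refused; request a finite lease"
    return True, (f"{mapping['protocol']} {mapping['external_port']} -> {client}:"
                  f"{mapping['internal_port']} for {mapping['lease_seconds']}s")

def audit_requests(bodies, lan="192.168.1.0/24", upnp_enabled=True):
    """Parse and evaluate a batch of SOAP bodies; one (allowed, reason) per request."""
    net = ipaddress.ip_network(lan)
    return [evaluate_mapping(parse_add_port_mapping(b), net, upnp_enabled) for b in bodies]

# Constructed samples: a camera wanting its web admin UI exposed permanently,
# and a game console asking for a one-hour UDP mapping.
SAMPLE_REQUESTS = [
    soap_request(NewRemoteHost="", NewExternalPort=8080, NewProtocol="TCP", NewInternalPort=80,
                 NewInternalClient="192.168.1.50", NewEnabled=1, NewLeaseDuration=0),
    soap_request(NewRemoteHost="", NewExternalPort=3074, NewProtocol="UDP", NewInternalPort=3074,
                 NewInternalClient="192.168.1.20", NewEnabled=1, NewLeaseDuration=3600),
]
```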

October 24, 2016 11:22 AM

JG4 on Friday Squid Blogging: Which Squid Can I Eat?:

the mention of the F-35 disaster reminded me of this excellent discussion, which is spot on the topic of nation-state security

the substance of Boyd's work is that simple systems often outperform complex systems, besides offering the insiders less opportunity to feather their nests

@Thoth - your point is well taken. the system has been perverted - or, adapted, if you prefer, to serve the needs of the few, while claiming to serve the needs of the many. I've done a bad job of pointing out that many systems are adaptive and respond to feedback. Very little of it is accidental, as wikileaks are showing.

October 24, 2016 11:09 AM

MikePoland on Virtual Kidnapping:

@Tatütata It's also a fairly common scam in Poland, in fact I've recently read about a gang of Polish scammers who moved their operations to Germany after realizing there was much more money to be made there. It has appeared even in Japan, called there "It's me".

October 24, 2016 10:55 AM

albert on DDoS Attacks against Dyn:


Point taken.


Isn't remote programmability really the issue?
In the pre-Internet (Mesozoic) era one had to move a jumper in order to reprogram the BIOS (and that was being done locally:).

Does it make sense to allow remote programmability now? It's bad enough to access someone's computer (or router) to simply read data, but why allow them to inject malware as well? A router doesn't have to run application programs like a computer.

. .. . .. --- ....

October 24, 2016 10:24 AM

Krammenvherf on DDoS Attacks against Dyn:


No need to go that far.

Watch the news section on any website predominantly visited by the general population. Any security-related entry. Comments like that are what fill the head of your average joe when it comes to security. No difference if it's indeed conspiratorial or not.

October 24, 2016 9:45 AM

Horrorshow, Droogie on How Different Stakeholders Frame Security:

Pretty good article. Wolff does an excusable amount of 2-4-6-8, Simplify, Exaggerate! in contrasting human and national security perspectives. Human security approaches like the IGF Charter include protection from crime as an integral principle. The real difference between the two perspectives is the emphasis on protection of humans versus repression of proliferating 'threats.'

The next step is some deontology to assign duties or responsibilities to all these technical stakeholders. If Internet governance organizations have any interest in interacting with global meatspace, instead of manipulating it, those duties and responsibilities will be grounded in human rights. The US government approach is to start from the minutia and work backward to some idiotic dominance agenda while giving obvious facile lip service to undefined rights.

October 24, 2016 9:42 AM

Whitebeard on How Different Stakeholders Frame Security:

I began to seriously doubt the need to pay for privacy services the first time I ran a domain scan and learned it was "registered" to:

Yoki (sic) Bear
123 Main Street
Antarctica 99999

"Officials". "Governance". "Security".

October 24, 2016 9:20 AM

Will on DDoS Attacks against Dyn:

@Impossibly Stupid

Considering nation states are a not-implausible threat actor, "cutting them off" is neither a realistic nor a responsible solution.

I'd like to explore ways of limiting the potential bandwidth utilization of IoT devices on a physical level. Sadly I'm not educated enough to know what is or is not practical in this regard. I'd like to think it doable for wired connections, but I don't know enough about wireless to know what could be practical in this regard.

October 24, 2016 9:13 AM

Skeptical on Friday Squid Blogging: Which Squid Can I Eat?:

@Clive: Surprised your eardrums were intact. Though I'd be more concerned if I were on the receiving end from the 30mm gun on the other side. I believe it's going to be retired in the near future as more F-35s become operational.

@Nick: Probably some overlap between development of certain simulations, visualizations, and game development, but I am a little skeptical as to whether it's enough for a company to split resources between the two. The market moves fast, and the economics often weighs speed to shipment more greatly than final quality. Although I suppose if certain components were abstracted in just the right way...

Re recent IoT-driven DDoS, autonomous/semi-autonomous vehicle hacking, and the like... the price of failures of security, and the likely liability that will attach to companies involved, will be clearer and more dramatic than much of what we've seen thus far. Over the long run, I think the prospects are good that the incentives will line up appropriately. The recent attacks have been on the lowest of the lowest hanging fruit - and seem to rely as much on certain servers being beyond the easy reach of Western law enforcement as anything else.

And, I think this particular vector will lose current rather quickly. The attack last week essentially put every company on notice that selling internet accessible devices with non-random, non-unique login credentials poses a serious danger to both customers and others in society.

Indeed, so easily were these devices harnessed for use of harm that frankly I think companies harmed by the events of last Friday have a plausible cause of action against the merchants of the goods utilized in the attack, though the bar for attaching liability to a person for the criminal actions of a third-party is rather high. However, given recent FTC enforcement actions, and the number of people who predicted such an event, I'd venture the suit to likely be viable.

Moreover, though I haven't looked closely, I suspect there is room on federal and certain state levels for regulatory and law enforcement agencies to look hard at the question of liability or penalty for companies whose products were utilized.

And those companies whose products were not on Mirai's list (but was it the full list?) but have vulnerabilities of the same class had better be very, very proactive.

October 24, 2016 9:02 AM

uh, Mike on How Different Stakeholders Frame Security:

Government actors are in a perpetual conflict of interest between protecting the government and protecting the governed.

Protecting the government involves feeding it power over the governed.

It's a familiar conflict in American history. It just looks different for awhile when novel environments, like the Internet, arise.

October 24, 2016 7:50 AM

chuckb on How Different Stakeholders Frame Security:

The semantic approach to consensus seems to rest (and fail) on the notion that all "stakeholders" somehow have equal standing and stake in all issues of (whatever their definition of) "security", and that "governance" has some operational meaning in the Internet, as though it were some singular system as opposed to an agreement on an architecture. The anthropological observations however, ring true.

October 24, 2016 7:41 AM

Thoth on Friday Squid Blogging: Which Squid Can I Eat?:


It's the usual Military-Industrial-Government complex which focuses on profiting over the trampled rights of their own citizens and of the notion of humanity and in favour of a highly controlled world order where citizens are simply economic generators to feed the elites.

It's all about profit for elites where the rich get richer and the poor get poorer.

October 24, 2016 7:38 AM

r on Friday Squid Blogging: Which Squid Can I Eat?:

@Clive, CC: tyr

In response to your 'walk of paths',

A certain level, or a certain quality of outliers is a good thing. Everyone on this site is an outlier when you shine the light on the center of society, we might seem to be a random sample economically etc but more than likely there's a different center point we could all be hidentified from outside of here... genetic, psychological, etc.

Outliers are envelope pushers, destructive or not. Yes there are malicious ones with malignant habits but there's others that are Hark Tamils - ones that should be allowed to play and to push - sometimes maybe under supervision [and super-vision] but nonetheless allowed to participate for the greater good.

October 24, 2016 6:24 AM

ATS on DDoS Attacks against Dyn:


The problem is that many of those IoT devices being used? They are consumer switches/routers/gateways. Can't exactly disable ports on those. And most of them are easy to hack because either people don't change their passwords or they have multiple exploits and are never patched.

October 24, 2016 4:39 AM

randomfakeaccount#23 on DDoS Attacks against Dyn:

" The tin-foil hat comments are hilarious. "

" the conspiracy comments are hilarious"

Whenever I see responses like this, it becomes obvious state/corporate-sponsored actors are here to deflect the narrative away from dangerous territory. It's hijacking 101. I hope the 10 cents you get per post is worth it.

October 24, 2016 3:29 AM

Curious on DDoS Attacks against Dyn:


Maybe the following legal move could paradoxically help solve DDoSing issues in the future:

By making DDoSing not illegal.

(Presumably forcing the industry to come up with some solution for preventing DDoSing from ever happening again.)

Heh, just a thought though.

October 24, 2016 2:47 AM

Wael on Friday Squid Blogging: Which Squid Can I Eat?:

@Clive Robinson,

The head sockets aren't in very good shape these days... sight and sound, I guess! May I use your timeshare? :)

However another part of me knows that there are sufficient people of "evil intent" ...

Keeps us busy. I think there is a solution to this rooting problem. Having flags or single bits to control access is a fundamental weakness...

October 24, 2016 2:47 AM

Clive Robinson on Friday Squid Blogging: Which Squid Can I Eat?:

@ All,

You might not have heard of "Black Mirror"; it started in the UK as the brain child of Charlie Brooker, who started his work life as a computer games reviewer.

Any way what started as Cult Noir viewing on the UK Channel 4 has moved to Netflix where it will find a larger audience.

Put simply it's a near future Techno dystopia look at what could well happen with the technology of today (an earlier episode eerily parallels the Trump Presidential run).

Give it a watch you might not get nightmares, but you should enjoy it.

October 24, 2016 2:27 AM

Clive Robinson on Friday Squid Blogging: Which Squid Can I Eat?:

@ tyr, and the usual suspects,

Speaking of universal ownership, especially by the likes of corporates with Android...

It appears it's also got under others' skin, and they have come up with a version of RowHammer to "root" Android devices.

I'm not sure how to feel about this... From my egalitarian streak, anything that allows you as an individual to take ownership of the hardware you have purchased is a good thing and allows you to exert the traditional sense of ownership over tangible objects and "The Freedom to Tinker".

However another part of me knows that there are sufficient people of "evil intent" who will use such a development to act as pariahs to society in general.

October 24, 2016 2:15 AM

erltoichi on Security Economics of the Internet of Things:

I respectfully disagree with Mr. Schneier here.
Firstly, the original Internet design architecture, or rather the design of Internet protocols (IP protocol suite) had a first level design goal, namely the interconnection of existing, separately managed (non-IP) networks - the design of a unified network was explicitly not a goal.
It also had second level design goals among which were (see for details):
1.) Internet communication must continue despite loss of networks or gateways.
4.) Internet architecture must permit distributed management of its resources.
6.) Resources used in the internet architecture must be accountable.
We can already see from this that 1.) was of primary concern back then and it is clear that an architecture of the Internet as it exists today as one big unified network, with critical parts of the infrastructure concentrated in a few single places was not only not a design goal, but was explicitly a situation to be avoided.
Security was not a high priority because in the original design it was assumed that security would be managed by these separate networks and that only trusted hosts/networks would be connected (it was a DARPA/military project after all).
Nowadays, we live with basically one unified network, where the majority of platforms are not diversified at all but provided by a handful of companies (i.e. Microsoft, Cisco, etc).
The problems of these platforms and software (i.e. protocols like TCP/IP, UDP/IP, or services like DNS, HTTP) are well known and while the quality of implementation is in general much better than it used to be, new releases introduce new vulnerabilities and in general do not address the underlying design issues.
Secondly, while the Internet has scaled very well to this point, the problems that are due to the underlying design are starting to show. As Mr. Schneier pointed out here, security now on network level is all but impossible, simply because the Internet is a huge mess, where fixing one part is likely to break the whole network, and it is true that no one cares about security of endpoints anyway. This will not improve with all these new IoT devices - in fact, I believe that this will kill the Internet. Nowadays, the only way to secure your network is to disconnect yourself (i.e. your devices) as much as possible and implement security and connectivity only at the edges of your network.
Most individuals don't have the skills or resources to do that, and because of cost most organisations are not willing or able to do it.
As a consequence, you can today prepare yourself for the complete crash already.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.