Recent Comments


Note: new comments may take a few minutes to appear on this page.

September 26, 2016 12:10 PM

Jacob on Friday Squid Blogging: Space Kraken:

@ Clive

Wosign CA and its StartCom branch got the ax today from Mozilla and Google. Will not trust any new cert for 1 year, and then must undergo a very rigorous audit to be readmitted.

September 26, 2016 11:55 AM

Clive Robinson on Friday Squid Blogging: Space Kraken:

@ Bruce,

You might find this pre-Babbage computer "automaton" that writes a single line of Latin verse of interest,

http://www.atlasobscura.com/articles/the-strange-victorian-computer-that-generated-latin-verse

It is not, however, a computer; it's a kind of cousin to the mechanical odometer display in a car.

The idea behind it is the same as the "Instant minuet kit" designed in the late 1700s, in which you threw dice to select a string of musical phrases that when played gave you a minuet.

This poem system works well in Latin due to the way the language works.

That aside, as a curiosity of the ingenuity of the time (no standard parts until Whitworth many years later) it is a quite interesting item.

September 26, 2016 11:19 AM

Clive Robinson on Two Good Essays on the NSA's "Upstream" Data Collection under Section 702:

@ Rolf Weber,

"You claimed the ECJ used the Snowden files as evidence. So you carry the burden of proof."

I do not have any "burden of proof" as you should well know if you knew anything of relevance. So do not inappropriately use some expression you have heard being used in respect of the law, but have no knowledge of what it means or why.

Further, I did not "claim" anything, I told you why they would have had to use them. Plain and simple. You can, if you know how, look it up for yourself.

Which leaves the question of are you a moron, a troll or both?

September 26, 2016 10:21 AM

ENHANCE! on Friday Squid Blogging: Space Kraken:

@Clive

Thank you for that spot-on analysis of our "justice" system. I would point out that the CSI Effect goes far beyond the general public's lack of actual forensics knowledge. The vast majority of people in America have been rendered so braindead by "entertainment" that they can't even comprehend the most elemental concepts of physics. They think tires squeal on dirt and shotguns blow people backwards through the air and explosions make noise in space and that female CIA employees wear low-cut black catsuits (just to name a few). In short, most Americans (including the cops) now live in a fantasyland where a "logistical syllableism by reduced ducttape absurdem" is all it takes to send your ass to the Big House.

Thank God there's still enough oxygen left in outer space to support those huge fireballs. Too bad it's not getting to the "brains" on Earth.

September 26, 2016 10:20 AM

CallMeLateForSupper on Friday Squid Blogging: Space Kraken:

@Drone
"Hmmm, Krebs' site seems always up for me since I posted the link here."

I found KrebsOnSecurity[dot]com reachable here sometime yesterday afternoon.

September 26, 2016 10:20 AM

Natalie Clarke on Forensic Analysis of Smart Card Fraud:

Hello, my name is Natalie and I just feel like letting everyone know about this. There is this new way of making money with a programmed ATM card called the Blank ATM card. I got one through the help of a hacking team called CHEVRON BLANK ATM HACKERS two days after I paid. This Blank ATM card is programmed to mess with any ATM and its camera, thereby allowing you to withdraw up to $80000 monthly from any ATM. Since I got the card I've been able to withdraw enough to get myself a new car and invest in a huge profit-making business. Although it is illegal, there's no risk of being caught and you can use this opportunity to make your life better. For those of us in need of financial stability, you can get more information about this Blank ATM card by contacting them now through their email: chevronblankatmhackers@outlook.com . The most amazing thing is I got this Blank ATM card at a very low rate and I hope you also do too.

September 26, 2016 9:59 AM

Ninho on Friday Squid Blogging: Space Kraken:

@Gringo :
"I don't know about onionmail, but Sigaint.org appears to have an easier setup."

Sure, but unlike Onionmail, Sigaint is webmail only; it does not support regular internet mail clients and protocols (POP3/SMTP), at least for free account users.

Onionmail, au contraire, is true internet mail. It does not live in the browser, no webmail access being available, not even as an option. Personally I see this as an advantage; opinions may vary.

For anyone there who'd want to try onionmail under Windows, here is a list of easily available software which I have been satisfied with (Win XP 32):
- the Tor client of course (tor.exe)
- Thunderbird: we want a mail client which can do POP3 as well as SMTP WITH STARTTLS! MS mail clients WON'T fit the bill. Another possible hit is Claws Mail (which I haven't tried)
- last but not least, "Sockscap", from NEC, later Permeo, now abandon?ware, yet easily found on reputable download sites. Need this, or alternatives such as Freecaps or 'Hummingbird Socks'..., to "socksify" the mail client. (Although Thunderbird by itself could be configured to 'talk SOCKS', this won't work with onionmail because, as far as I could determine, there is no way to instruct Thunderbird to do DNS resolves through the SOCKS proxy).

I won't offend Bruce's high profile audience by going down the nitty-gritty details, left as an exercise for the interested... Please test your settings by dropping a test mail to : ninho AT ninho@wc2eyfmw7wrwomf4.onion

Heed that without superimposed encryption (like GPG), the operator of the onion node hosting the mail server, or their evil maid, COULD in principle snoop the cleartext: please leave no personally identifying or sensitive details in your test message!
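As an added example (not code from the comment above, nor from onionmail, Thunderbird or Sockscap), here is what "doing DNS resolves through the SOCKS proxy" looks like on the wire: a SOCKS5 (RFC 1928) handshake in Python that sends the destination as a domain name (address type 0x03) so the proxy, not the local resolver, looks it up. For a .onion name that is the only option that works and does not leak the lookup. The proxy address 127.0.0.1:9050 (Tor's default SOCKS port), the hidden-service name taken from the comment, and the FakeProxy reply bytes used to exercise the code offline are all assumptions or constructed data.

```python
"""SOCKS5 client handshake (RFC 1928) that sends the destination as a domain
name, so the proxy resolves it.  For a .onion name this is the only option:
resolving it through the local resolver leaks the lookup and fails anyway.
Added example; not code from the original comment or from onionmail."""
import ipaddress
import socket
import struct

VER = 0x05
CMD_CONNECT = 0x01
NO_AUTH = 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0x01: "general SOCKS server failure", 0x02: "connection not allowed by ruleset",
              0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
              0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported"}

class DnsLeak(Exception):
    """The hostname would be resolved locally instead of by the proxy."""

class SocksError(Exception):
    pass

def greeting() -> bytes:
    # VER, NMETHODS, METHODS: offer only "no authentication" (what Tor accepts by default)
    return bytes([VER, 1, NO_AUTH])

def encode_address(host: str, remote_dns: bool = True) -> bytes:
    """ATYP plus address.  IP literals go as IPv4/IPv6; any other name is sent
    verbatim as a domain name (ATYP 0x03) for the proxy to resolve.  With
    remote_dns=False a client would call the system resolver first; we refuse."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    if not remote_dns:
        raise DnsLeak(f"{host} would be resolved by the local resolver, not the proxy")
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:  # the length is carried in a single byte
        raise ValueError("domain name too long for SOCKS5")
    return bytes([ATYP_DOMAIN, len(name)]) + name

def connect_request(host: str, port: int, remote_dns: bool = True) -> bytes:
    # VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT (network byte order)
    return bytes([VER, CMD_CONNECT, 0x00]) + encode_address(host, remote_dns) + struct.pack("!H", port)

def _recv_exact(conn, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise SocksError("proxy closed the connection")
        buf += chunk
    return buf

def parse_reply(conn):
    """Read VER REP RSV ATYP BND.ADDR BND.PORT; return (bound address, bound port)."""
    ver, rep, _rsv, atyp = _recv_exact(conn, 4)
    if ver != VER:
        raise SocksError(f"unexpected SOCKS version {ver}")
    if rep != 0x00:
        raise SocksError(REPLY_TEXT.get(rep, f"unknown reply code {rep}"))
    if atyp == ATYP_IPV4:
        addr = str(ipaddress.IPv4Address(_recv_exact(conn, 4)))
    elif atyp == ATYP_IPV6:
        addr = str(ipaddress.IPv6Address(_recv_exact(conn, 16)))
    elif atyp == ATYP_DOMAIN:
        (length,) = _recv_exact(conn, 1)
        addr = _recv_exact(conn, length).decode("idna")
    else:
        raise SocksError(f"unknown address type {atyp}")
    (port,) = struct.unpack("!H", _recv_exact(conn, 2))
    return addr, port

def socks5_connect(conn, host: str, port: int, remote_dns: bool = True):
    """Run the handshake on an open socket-like object (needs sendall/recv)."""
    conn.sendall(greeting())
    ver, method = _recv_exact(conn, 2)
    if ver != VER or method != NO_AUTH:
        raise SocksError("proxy did not accept the no-authentication method")
    conn.sendall(connect_request(host, port, remote_dns))
    return parse_reply(conn)

def connect_via_tor(host: str, port: int, proxy=("127.0.0.1", 9050)) -> socket.socket:
    """Assumes Tor's default SOCKS port; returns a socket tunnelled to host:port."""
    sock = socket.create_connection(proxy)
    socks5_connect(sock, host, port)
    return sock

class FakeProxy:
    """Offline stand-in for a SOCKS server: records what was sent, plays back a reply."""
    def __init__(self, reply: bytes):
        self.sent, self.buf = b"", reply
    def sendall(self, data: bytes):
        self.sent += data
    def recv(self, n: int) -> bytes:
        chunk, self.buf = self.buf[:n], self.buf[n:]
        return chunk

# Constructed reply: method choice (no auth), then "succeeded" bound to 0.0.0.0:0.
OK_REPLY = b"\x05\x00" + b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    # Live use (needs a running Tor): fetch the POP3 banner of the hidden service.
    s = connect_via_tor("wc2eyfmw7wrwomf4.onion", 110)
    print(s.recv(256))
```

The point to check in any "socksified" client is the ATYP byte of its CONNECT request: 0x03 followed by the name means the proxy resolves; 0x01 or 0x04 means the client already resolved the name itself, and for a hidden service that lookup went to the system resolver.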

September 26, 2016 9:44 AM

Ano on The Failure of Two-Factor Authentication:

Sorry, but that's a bit too easy: the author is just complaining about something without naming better alternatives / proposals.

September 26, 2016 9:28 AM

Curious on Friday Squid Blogging: Space Kraken:

Something apparently went wrong with the most recent update to OpenSSL:

https://www.openssl.org/news/secadv/20160926.txt

"This security update addresses issues that were caused by patches
included in our previous security update, released on 22nd September
2016. Given the Critical severity of one of these flaws we have
chosen to release this advisory immediately to prevent upgrades to the
affected version, rather than delaying in order to provide our usual
public pre-notification."

September 26, 2016 8:16 AM

Clive Robinson on Two Good Essays on the NSA's "Upstream" Data Collection under Section 702:

@ Rolf Weber,

Why don't you go and acquaint yourself with what went on and why?

I, like many others here, am tired of your ways of going about trying to show you are some kind of super genius who can make definitive statements on that which you have not performed research on or understood the processes behind.

Personally I'm very sick and tired of it, thus until you actually show you have done the requisite work to actually make a statement with some grounds to it, I propose to leave you to that echo chamber lump of fat between your ears and ignore your sniping and carping.

September 26, 2016 6:47 AM

Clive Robinson on Two Good Essays on the NSA's "Upstream" Data Collection under Section 702:

@ Rolf Weber

"It is simply not true that the European Court of Justice referred to Snowden or any of his documents or "revelations""

They would have had no choice but to refer to the documents in making their decision, as they were part of what was referred to them from the court in Ireland.

As a matter of course, specific evidence is not referenced in most court rulings, and often summings up.

So there is nothing to be read into its absence.

So stop trying to "make hay out of sand" it's becoming very embarrassing for even the most pro readers of your comments.

September 26, 2016 6:31 AM

Rolf Weber on Two Good Essays on the NSA's "Upstream" Data Collection under Section 702:

@Clive Robinson

It is simply not true that the European Court of Justice referred to Snowden or any of his documents or "revelations" in its ruling. SafeHarbor was just invalidated for other reasons (shortcomings of the EU Commission).

And in the meantime, SafeHarbor was replaced by PrivacyShield. That's all that happened. A lot of people were busy, lawyers earned some money, but the reality didn't change a bit. The Schrems case is dead.

September 26, 2016 5:59 AM

Clive Robinson on Two Good Essays on the NSA's "Upstream" Data Collection under Section 702:

@ Jim N,

"I seriously doubt you can download a bunch of files from the internet and "swore them in" as testimony without an AOK from the source of these documents"

They were sworn in as evidence, not as testimony. You need to understand the difference.

Whilst compelling testimony from a witness requires certain legal niceties, published evidence requires no such niceties; it's in the public domain.

Such evidence can be contested but it was not --possibly because it would have failed-- thus "it's taken as read"...

Now it has the status of having been recognised as evidence, not just in the court in Ireland but also the premier court of justice in the EU, recognised by some 27 states, which means arguably it trumps the US Supreme Court, which is limited to recognition in only one sovereign state's jurisdiction.

Interestingly though, due to Europe being the birthplace of most types of judicial process, it is likely to be considered valid in most jurisdictions in the world unless there is superseding legislation to disbar it (which in many places there will not be).

You might not like the idea, but there are plenty of Americans, Russians and more recently Chinese using foreign justice systems to get judgments that are then transferable either into another court in another jurisdiction or likewise for enforcement.

September 26, 2016 5:54 AM

65535 on Friday Squid Blogging: Space Kraken:

@ Grauhut

“@all: Now that KrebsonSecurity is back...”

Yes, Krebs on Security is up and has a post mentioning Bruce S. and his prior warning about probing the internet for points of weakness. Bruce thought it probably was a nation state actor. Krebs doesn't think so.

I wonder who is correct. The booter service for hire was run by two men in Israel: an Israeli citizen named Yarden Bidani, who was just about to join the IDF, and a guy named Itay Huri. It appears that both men were arrested and quickly released.

‘Alleged vDOS Owners Have Been Arrested And Released’

“Once their names were out in the open, it did not take overly long to find and arrest them. Albeit they were questioned by officials, they have been released on Friday on bond. Authorities also put both men under house arrest…” –The Merkle

http://themerkle.com/alleged-vdos-owners-have-been-arrested-and-released/

Krebs indicates that they harnessed a huge botnet of home routers and Internet of Things devices such as video cameras and other devices with hardcoded passwords or easy to guess passwords.

When Bruce was exiting BT there were some boards that suggested that all UK citizens, including those under BT internet service, had backdoored routers with Internet-facing shells which GCHQ could/can manipulate.

It was guessed the same is true for modems and routers in the USA, and many other countries who spy on their citizens.

If this huge DNS reflection and amplification attack on Krebs on Security were nation state or backed by nation state proxies, I would guess Israel would have the know-how and lists of all backdoored internet-facing devices and IoT devices with hardcoded passwords. Surely, these devices are now known and probably will be blacklisted.

I wonder what the true findings of this DDoS attack will uncover. Place your bets on:

1] Two proprietors of a booter service in Israel

2] Two booters in conjunction with a Nation State

3] Your average disgruntled team of hackers

4] Unknown


September 26, 2016 5:54 AM

Rolf Weber on Two Good Essays on the NSA's "Upstream" Data Collection under Section 702:

@Jim N

"Right up there. (hint: 'backbone')"

I still don't know what exactly you mean. I said that Upstream is wiretapping of internet backbone links which have one end on American soil and the other abroad. With this tapping, it is possible to collect the content of emails; before Snowden, when STARTTLS was very rarely used, this means it was possible to collect almost all emails transmitted through the tapped links in cleartext. Nowadays this has changed, because today only a fraction of emails is still transmitted in cleartext.

"I'm not well-versed in these names. Care to elaborate?"

Upstream is the explained tapping of internet backbone links, while under PRISM American internet companies (like Google or Facebook) are compelled to hand over user data and content of specific accounts.

If you are interested, I wrote a technical explanation about the differences between PRISM and Upstream, about the possibilities and limitations of each:

https://plus.google.com/+RolfWeber/posts/bkvXuB9DfXJ
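Added example, not part of the comment above: the cleartext-versus-STARTTLS distinction it draws depends on what the sending client does when the receiving server does not advertise STARTTLS. Ordinary opportunistic clients silently fall back to cleartext, and that fallback (whether because the peer never offered it or because something in the path stripped the advertisement) is what a tap on the link reads. The Python below parses the raw EHLO reply and refuses to send unless STARTTLS is offered and negotiated with certificate verification. The server names and the two EHLO transcripts are constructed for offline use; the live send function uses only the standard-library smtplib and ssl calls.

```python
"""Enforced STARTTLS for SMTP.  A client that tries STARTTLS only "if offered"
drops to cleartext whenever the peer does not advertise it or something on the
path strips the advertisement, and cleartext on a tapped link is readable.
Added example; not code from the original comment.  Hostnames and the EHLO
transcripts below are constructed."""
import smtplib
import ssl

class CleartextRefused(Exception):
    """Raised instead of sending a message over an unencrypted SMTP session."""

def parse_ehlo(response: str) -> dict:
    """Map a raw multi-line EHLO reply to {KEYWORD: parameters}.
    Intermediate lines look like '250-KEYWORD params', the last one '250 KEYWORD'."""
    lines = [l for l in response.replace("\r\n", "\n").split("\n") if l]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO rejected: " + (lines[0] if lines else "<empty reply>"))
    caps = {}
    for line in lines[1:]:  # lines[0] is the server greeting, not an extension
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("malformed EHLO line: " + line)
        keyword, _, params = line[4:].partition(" ")
        caps[keyword.upper()] = params
    return caps

def transport_policy(caps: dict, require_tls: bool = True) -> str:
    """'starttls' when offered; otherwise refuse, unless the caller opted in to cleartext."""
    if "STARTTLS" in caps:
        return "starttls"
    if require_tls:
        raise CleartextRefused("peer does not offer STARTTLS; refusing to send in the clear")
    return "cleartext"

def send_requiring_tls(host: str, port: int, sender: str, recipient: str, message: bytes) -> None:
    """Deliver one message, aborting rather than downgrading to cleartext.
    ssl.create_default_context() verifies the server certificate and hostname,
    so an active attacker cannot stand in for the peer after the upgrade."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise CleartextRefused(f"{host}:{port} did not advertise STARTTLS")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read after the TLS handshake
        smtp.sendmail(sender, recipient, message)

# Constructed transcripts: one honest server, one where STARTTLS is absent
# (never offered, or removed in transit; the client cannot tell which).
EHLO_WITH_TLS = "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_NO_TLS = "250-mx.example.test Hello\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for name, transcript in (("honest", EHLO_WITH_TLS), ("stripped", EHLO_NO_TLS)):
        try:
            print(name, "->", transport_policy(parse_ehlo(transcript)))
        except CleartextRefused as exc:
            print(name, "->", exc)
```

Note the asymmetry: a sender can enforce this only for links it originates, and the receiving server's own onward hops are out of its control, which is why a tap on an intermediate backbone link still sees whatever fraction of mail is relayed without STARTTLS.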

September 26, 2016 4:57 AM

Clive Robinson on Friday Squid Blogging: Space Kraken:

@ Ted,

"However, would you say that abandoning the process now would be imprudent, at least for medical devices?"

The last thing I want is for people to abandon security in not just medical products but all long-lifetime products with a high replacement cost.

The problem is "talk down", where those with security at heart are portrayed as extravagant market killers by "fast buck" management protecting eye-watering profit margins and any future legal liability.

The actual price between what would be regarded as secure algorithms currently and "teen sister diary crypto" is actually less than fifty cents in the BOM. A point that does not get made often enough to refute the "you will kill the market" argument of profiteers, who mostly cause an avalanche of market-killing activity in the frenetic race for the bottom they create if they do not have a monopoly or cosy cartel.

If you look back on this blog I've argued several times for NIST to stop pandering to such behaviour and produce "framework standards" where there are laid-down requirements for in-place upgradability with sufficient protections to stop easy cracking/hacking. Such that when the current "secure" implementation is found to be wanting --as they always are-- the problem can be corrected without ripping people's chests open every "patch Tuesday" and before some script kiddy sends the breakdancing off to resus with some poor med tech astride them trying to keep their blood flowing.

The only way this can be done is not with "lightweight" recommendations that the manufacturers want but legally enforceable standards where such management can be locked up on attempted manslaughter or equivalent charges with fines and damages that will put their family etc on the streets and take away any pensions or other assets they might have tried to hide.

Contrary to such legislation and regulation killing a market, history shows it actually opens it up to innovation and competition, giving real value to those involved on all sides of the market.

September 26, 2016 3:26 AM

Drone on Friday Squid Blogging: Space Kraken:

@CallMeLateForSupper,

Hmmm, Krebs' site seems always up for me since I posted the link here. Try this:

www.downforeveryoneorjustme.com

September 26, 2016 12:31 AM

Bobby on Friday Squid Blogging: Space Kraken:

Krebs' comment section is offline with a 503 message; looks like another round in the game has started.

September 25, 2016 11:55 PM

ab praeceptis on Friday Squid Blogging: Space Kraken:

Clive Robinson

There I disagree with much of what you say. For a start, c isn't the decisive barrier in that issue. Speed is in the multiple inches per ns (around 12"/ns), which is far out on chip level.

I also feel that you're mixing up diverse things here (from FPGA to the cloud).

Of course, my perspective is limited, but from what I see the usual use cases for FPGA are almost banal things like hiding away IP in a "custom chip". Another typical scenario is the poor man's ASIC. Another one is to save on pieces on board, and often it is a mixture of those. Speed (as in HW acceleration) actually seems to be a rather rare case.

There are just quite many product classes out there of which even a bigger manufacturer doesn't produce enough to justify an ASIC. Rule of thumb: If you need millions, go ASIC; if you need just some tens of thousands, however, you are next to bound to go FPGA.

Funny anecdote: I know of companies who *dislike* FPGAs; they go so far as to exclude third parties offering them FPGA based products. Reason: They take that to mean that that third party isn't big enough and/or that the given part is somehow makeshift.

Speed? I know of rather rare cases where companies chose FPGAs as a way to speed up things. I think that the "FPGA means speed" story is largely a fairy tale stemming from "real custom HW (read ASICs) we can't afford, so let's take the fastest we can afford" scenarios. A typical case is miners of gnu hacking devices.
As soon as a use case reaches tangible quantities you'll find chip makers pick up. Just look at Intel and AES.

Oh and btw, price is a major factor, too. I know cases where, for instance, an Infineon XMC4300 was used when, some time later, a desire for PK encryption came up. The idea to go FPGA was floated but short lived. It turned out to be less complicated and *much* cheaper to use a simple fast ARM core as second processor, which at the same time allowed taking some other load off the main MCU.
In other cases I saw the same game but in the other direction. They switched to a cheap dual-core ARM and put all the MCU-typical connectivity stuff into a cheap ARM-based MCU.

Another btw: Don't underestimate the many cases where MCUs are abused for things others put into FPGAs. No new tool-chains needed, no new know-how needed and dirt cheap.

From what I see, Nick P is pretty close to what I experience out there.

September 25, 2016 10:47 PM

Clive Robinson on Friday Squid Blogging: Space Kraken:

@ a b praeceptis, Grauhut,

"I widely agree regarding major parts. I assume, however, that implementation will happen differently."

That is to be expected when trying to predict the future even in the near term. In part it's due to different view points, in part to having different experience thus knowledge of issues. Which is why it's important to have the conversations.

In part my view is based on what happened with logic chips back last century and in part on the laws of physics. FPGAs, like logic chips, offer a large amount of flexibility, but at a price: the speed of light "will brook no arbitrage", thus is a devil that can not be cheated. This puts a finite limit on how fast information can be requested from a distance, even with the impossibility of infinite bandwidth. Which means that the speed information can be processed is ultimately defined by the distance it has to travel, not the bandwidth of the path it takes, even though that can have a very significant effect.

From my point of view Intel's approach has been mainly about "bandwidth" not "distance". The reason for this is unfortunately the sequential nature of most software.

For those old enough to have actually built CPUs from MSI logic chips, a big problem was "delay time", or the length of time it took a signal to get from A to B, not just due to gate delays but track and circuit delays. The solution back then, as it still is, is to "divide and conquer", which we call "pipelining", where we trade higher throughput for longer delays by chopping the signal path into short lengths and inserting registers. However a better solution was to minimise the circuit area, which is what VLSI chips gave. Unfortunately though designers had become fixated on pipelining, which means a considerably greater number of gates thus area...

A clue to why this was perhaps not the best way to go was "vector processor super computers". In essence there were a couple of ways of looking at vector processors: the original idea was a very wide register or array that held more than one value, thus multiple calculations were performed simultaneously by the single CPU. Another was to have the array of values feed an array of much simplified ALUs / CPUs. Due to the limitations of the technology of the time they went down the single CPU route. The point that most people did not get taught was those vector arrays had minimal distance to the CPU... If you do the calculations you will realise that a minimal-area RISC CPU with very large amounts of very local memory solves a number of issues, not least of which is the "heat death" issue.

Intel however first tried to solve the bus bandwidth issue by using a complex instruction set, that also reduced the need for what was at the time very expensive memory. The problem with a CISC CPU is large area and lots of active gates, thus heat and distance... All their subsequent optimisation options were hamstrung by the CISC design. The CPU just got bigger and hotter. Thus very late in the game they tried going back to what was vector processing with SIMD, but it had to be effectively bolted on to the large hot legacy CPU...

To be vaguely poetic about it, Intel had a "large hot ugly go nowhere CPU" whilst ARM had a "lean cool elegant go faster CPU" onto which vector processing could be done either way, of which the second is the more flexible option. To get into the same state Intel will have to throw out most of its core, but its instruction set prevents that.

However, even though ARM could get many times the number of CPU cores in the same area as Intel in a much better vector arrangement, it will not show the performance gains until programmers change...

Thus the dirty truth is that it is the bulk of programmers that have gone too far down an evolutionary cul-de-sac...

The addition of an FPGA allows a lot of sequential code to get squeezed down into parallel hardware for a hundred or so times speed improvement, even though FPGAs are way way slower than the macros for CPU cores and other custom blocks we see in SoCs. Thus in the near future FPGAs will be one way to go to get around the programmer issue. The thing is, with a properly designed parallel algorithm, tiny RISC CPUs with large amounts of low-heat memory with hardware configured in both vector forms on a chip will give the same if not better performance as an FPGA...

Thus we need also look at the "market"; it is changing and changing fast. Wintel is losing out fast to Android pads for end users. Wintel is holding on by its fingernails on the business desktop and gaming machines. The world is "going cloud" whether we like it or not (and I hate it from a security perspective). The cloud means tens or hundreds of thousands of identical servers in a building all identically configured.

Orders of ten thousand or more make custom chips more than cost effective. Thus as with logic chips of old I expect FPGAs to be a near-term solution for servers and a much longer-term solution for high-end pads and the like for vertical markets. However I fully expect custom chips to quickly replace FPGAs in server farms as and when they identify what software replacement hardware macros get them the best bang for their buck.

The question then falls to single chip like the current SoCs or multiple chip in single package. The difference will be in the hundred thousand up will be single chip, a couple of thousand up multiple chip in package.

Further I realistically expect both to be used on the same motherboard, with FPGA and custom chip in with a standard vector processor chip for the likes of IO.

Hopefully by that time some programmers will be "parallel thinking" at the lower intensive levels with sequential programmers working in "plumbing" apps in a similar way to *nix shell scripting to make applications.

As I've said before the future of computing is parallel from on chip upwards; the real question is where are the sequential "artisan" programmers going to go as the parallel "engineers" work their way up the computing stack, sweeping all before them?

September 25, 2016 9:51 PM

Andre Devereaux on Organizational Doxing and Disinformation:

Fake letters are nothing new. A few readers of this blog are likely old enough to remember the Canuck Letter. It wasn't even a good fake, rife with spelling mistakes and bad grammar, yet it caused its target, Senator Edmund Muskie, a tonne of grief.

September 25, 2016 9:32 PM

TJ on Tesla Model S Hack:

People in these comments should just go show them how to write hundreds of thousands of lines of code without memory corruption...

These firmwares have ZERO memory protections... You basically just have to learn OBD-II and make an interface.

September 25, 2016 9:30 PM

r on Friday Squid Blogging: Space Kraken:

@Jim N,

It's statements like the following that you paint yourself into a corner with:

https://www.schneier.com/blog/archives/2016/09/amtrak_security_1.html#c6734821

Stop and frisk is supposed to be a weapons search, not a violation of the 1st or 4th amendments.

You seem to me to be pretty AOK with that, I'm not. So you're suspect to me as I'm sure if you're on the other side of the rail yard I'm likely not AOK with you.

Ten Four?

You can accomplish much of "their" necessities without DPI through the use of meta not data.

I think this is sort of what's being said by the FBI about "going dark": if we cut off their plain-text capabilities they think they have no recourse but to become entirely obtuse and opaque to the civilian courts. I'm not really interested in seeing jurisprudence disappear from evidence rooms. At some point it will boil down into accusations by the state and executions there-of. Not my cup of Tee.

https://www.schneier.com/blog/archives/2016/09/friday_squid_bl_545.html#c6734944

WW3 huh? We're not really playing with fire when they don't have nukes or subs. It's considerably much safer to just incorporate our point and clique instability instant abilities. These really aren't super powers, they're maligned and repurposed civilian capabilities capably applied and coupled with inculpability that're honing in (and zeroing out) your angry son with E's.

They're not simply smudging out names and places with white-out, there's blackouts (think the outrage over little miss guided manning). Can you really blame the world for being angry with us at times over things like this? It doesn't really matter if it's true or not because time after time it paints a picture that's bloody as hell.

We have to clean our act up, because you can't clean up an image smeared on the wall of history in blood.

There's as of yet been no real consequences outside of some stern looks from the other side of the river[s]. Fortunately for us, most of the people with ICBM capabilities operate on the same level as a deterrent. Again, THANK GLOD that most of the natives only have bows & arrows.

This is where asymmetric warfare comes into play: I point missiles at you - you point missiles at me - I make threats - you make threats - I shake down one of your friends - you sell my son drugs - somebody flinches - and somebody whose name isn't written down in your book of life dies. There ARE moveable parts behind the zines that play (Advanced) D&D (&D) (3rd Edition+) while the rest of us stare in horror as they infanticize about mayhem and suits.

I'm not thrilled, I'm concerned.


@KFC,

Did you see this? It's SFW.


@Clive, Curious

http://www.slate.com/articles/news_and_politics/jurisprudence/2015/04/fbi_s_flawed_forensics_expert_testimony_hair_analysis_bite_marks_fingerprints.html

http://www.bbc.com/news/science-environment-36940475

http://www.cbsnews.com/news/massachusetts-lab-tech-arrested-for-alleged-improper-handling-of-drug-tests/

https://www.bloomberg.com/news/articles/2015-02-02/will-lie-detectors-ever-get-their-day-in-court-again-

Do you feel safe now? Then again, it could be just some liberal media spin spun up to the point of furthering this turbo prop down the runaway.

Hail to the Taxi!

Are you going to stand in front of a train to stop it?

September 25, 2016 9:01 PM

Clive Robinson on Friday Squid Blogging: Space Kraken:

@ Curious,

"Off topic I guess:"

From my point of view "not at all", I find it highly relevant to the process of political manipulation through the law courts.

If the FBI and DoJ can use "junk science" that is known to be "junk science" then they have a short term upfront advantage on the "You're guilty because we say you are" game. Which makes trials "witch hunts" in a "cargo cult" legal system where justice is no where to be seen.

It's been a standard FBI technique for quite some time. We have seen various FBI led techniques such as the ratios of metals in bullet fragments to provide "hocus pocus" proof that causes the "CSI Response"[1] in juries and more than a few judges[2].

The hard thing to do is not to get caught up in the spectacle, drama or fear of being in judgment. Because doing so affects your mentality and you can easily think emotionally not rationally. At which point you are no longer independent but a "play thing" of one side or another.

The reason much of this technobabble does not get questioned is that courts are mainly not about justice but process[2]. Actual evidence rarely counts with a jury[1,3], just the quantity of testimony against the defendant or prosecution. Thus a wealthy defendant can buy a great deal of mud to throw at an often unprepared prosecution and sway the jury.

Part of the reason courts are more about process than justice is the repeat offender or obvious offender issue. The innocent and first-time offenders do not know the game, whereas repeat offenders do. Thus the courts more often than not see guilty people standing as defendants for crimes and thus it's a game of which legal eagle is better on the day and how the defendant "blags it" to the jury. Innocent people come across badly because they do not see it as a game, and they get judged on their lack of acting ability not on their guilt or not.

Making it worse for the innocent, more often than not in run-of-the-mill crimes the LEOs are fairly certain who has committed a crime due to what gets called collectively "MO". Likewise in more serious crimes, like those against targeted individuals not property --or those defending it or who have the misfortune to be in the way/bystanding-- the number of suspects is quite limited and often a motive is fairly easily reasoned out. In both cases the police are usually just looking for a "weight of evidence" to obtain a conviction, not to determine either guilt or innocence. Which means that the LEOs tend to have a blinkered view: they look for a likely suspect and once found they drop further looking for suspects and go all out and ignore contrary evidence.

Thus the prosecution on balance don't get called out on "technobabble" and thus it gets through time and time again, developing a faux reputation. Then it hits an edge case of an actual innocent person getting steamrollered and they go to jail. It's often only by chance that the case gets re-investigated more thoroughly, and that is where the trouble starts. People build reputations on technobabble and thus obtain a false position in life; for many reasons it becomes difficult for them to admit a mistake, innocent or not. Those behind them do not like to see what are now also their mistakes aired in public, nor do they want to face a civil suit for damages. Thus they fight every which way they can to defend the technobabble and maintain the status quo.

The reason this affects security is that technobabble is often the underlying reasoning for "best practice". This is due to lacking both reliable metrics and reliable testing methods. Technobabble then gets turned into "best practice tools" that get "marketed aggressively".

The result of this is that the best practice tools unsurprisingly have a very poor return on investment. This has the knock-on effect that all security tools "get tarred with the same brush". Thus those with control of finances see all security investment like buying the Emperor's Clothes. With the result that a downward spiral happens. There is not the finance available to do the research required to develop metrics and tests, thus technobabble is what "wins the race to the bottom"... Just as it always does in a "free market" where the buyer can not be aware.

[1] The "CSI Response" in juries and others standing in lay judgment is caused by the "CSI Effect". Put simply, the various "TV CSI Programs" use special effects etc to make forensic science look over-glamorous and, importantly, overly capable. The most obvious of these is the "infinite image resolution" nonsense. Put simply, they keep zooming in on CCTV footage getting better and better images. This is scientifically impossible, but because it's an easy story line and looks good on the screen it gets put in. Unfortunately the bulk of viewers just accept it without question --it is entertainment after all-- so their expectations of forensics are falsified and cold hard reality gets excluded from their expectations. Thus when they sit in a jury their expectations on the forensic examination of evidence get a bit of a culture shock, which leaves them prey to any "technobabble" the prosecution can get past the judge[2].

[2] Judges are often worse than lay juries when it comes to "evidence". Judges look for "the little lies" of procedural mistakes, not "the big lies" of technobabble. This is because to judges a case is about the rules and paperwork more than it is about the actual determination of truth. Thus they are prey to the "Emperor's new clothes" sales pitch[3]. Further, in general judges do not like "expert witnesses", especially when they get pushed hard on what is in reality their "hearsay" by the various members of the legal profession trying to "point score".

[3] The Emperor's new clothes effect is one that is long known in the gambling and investment games. More accurately called "Talking the talk" or "Telling/selling the tale". With the stock investment age old advise or warning of "If it sounds to good to be true, then it's probably not true" thus "walk on by".

September 25, 2016 8:15 PM

CarpetCat on Friday Squid Blogging: Space Kraken:

@In the year 2000...

I wouldn't worry too much about Intel, et al. Soon, most electronics will be very flexible with organic base parts. Imagine a TV that you could roll up, then throw onto the wall. With power passively provided by heat absorption. Or cutting one in half, and having it 'grow' two back. Eventually, they can be shrunk down to almost wallet size, growing back to desired size in a few minutes.

I know, it sounds, err, reads too good to be true. But you can trust me, I'm from the future. Why wouldn't you believe me, you believe everything else you're told...

ps. Save, bookmark this post. When it all comes true you can come back and wonder with awe.

September 25, 2016 8:09 PM

Jim N on Friday Squid Blogging: Space Kraken:

@ Moderator

"@My Info: Re your interpretation of @r's opaque witticism as a "scarcely concealed death threat," I have reviewed this thread and disagree. Please refrain from further harangues that have nothing to do with security."

Almost missed that, only because it's backgrounded in yellow. Nice of the mod to hop in and clarify. I'll just go back to reading slashdot since I'm being accused of being a troll here. Not a big deal.

September 25, 2016 7:56 PM

Jim N on Friday Squid Blogging: Space Kraken:

@ r,

Depends on the content. :)

Does Krebs have a Russian accent? Care to post a video link to a speech of his? I'll listen to it.

September 25, 2016 7:27 PM

Jim N on Friday Squid Blogging: Space Kraken:

@ TomTrottier,

"Maybe Krebs could switch to using Youtube?"

Don't see why not, unless he speaks with too much of a Russian accent to be taken seriously?

I've not paid much attention to his site in the past, not sure why, but it looks to be a good read, and unlike some sites he does his own reporting in an original way.

September 25, 2016 7:26 PM

Nick P on Friday Squid Blogging: Space Kraken:

@ Clive Robinson

I disagree with your FPGA analysis a bit. A few points.

"Firstly, they are between 50 and 500 times slower than custom silicon and it's far from easy to get the best from them even for RTL experts of which there are darn few in circulation."

Most designs I see at custom silicon are just over 1GHz with the max I've seen being around 4GHz unless it's a ludicrously tiny circuit. The top FPGA, Achronix, is 1.5GHz with the cheaper ones being 100-200MHz. So, it's more like 5-10 times slower for an average FPGA. Compared to software, though, those FPGAs often provide anywhere from a fractional to 50x speedup on the job vs a custom-level CPU.

"Verilog and VHDL are not very user friendly and Verilog has very real problems when used by those whose background is software not hardware."

The FPGAs will primarily be used to accelerate specific algorithms. There are HLS tools that can do that already. There is a learning curve on the HDL stuff. It's not as bad as it seems, though, where a lot of people figure it out and on cheap FPGAs. It will just take some time for the supply side to appear. There's already a supply side in people that get trained for ASICs, do boring grunt work, and want a more interesting job. FPGAs will be easy for them. This is sort of already happening.

"That is FPGA silicon and CPU silicon do not make for cosy bed fellows on the same chip, thus separate chips will give much higher yields. But... you have to have an interconnect of some sort and this is problematical as you have to put "translation hardware" in at both ends."

I'm not sure how true or false this is in practice. We have too little data. There does need to be a translation layer but it might be a simple protocol. Likewise, what's passed back and forth doesn't necessarily have to be the raw data: might just be control messages where the raw data comes through the NoC from the DDR block. That's pretty likely. Also, remember almost everything about ASIC design was some grand challenge taking PhD's to pull off. And they usually come up with a tool for whatever it is. Even if this is difficult, they'll figure something out given some vendors already synthesize whole NoCs for their customers.

"Further others have the same gimmick and the takeup is not exactly stellar. Due to lack of "easy FPGA tools" etc. "

I think it's smart rather than a gimmick given the FPGA market is already in the *billions*. Plus, the products adding a CPU onto FPGA fabric were selling well when I looked into them. Adding an FPGA on-chip without the delays of a PCI coprocessor and with a *real* CPU will provide enormous benefit to HPC and cloud users. A number of them are already doing the semi-custom stuff with Intel and AMD that costs far more. An FPGA means, if higher unit price is OK, then they can get quick deployment from even cheaper developers at cheaper NRE. Quite a few of the customers will have relatively low numbers of units but need FPGA or ASIC throughput. Tooling is still a problem but I expect fabless companies to be main suppliers like with ASICs.

"This is where the likes of the ARM cores have an advantage: they already have large tapeout libraries and are very much standard for SoC chips, thus Servers on Chip is a tiny incremental step as Apple is showing almost every year with its A10 chip."

This is true. The combination of better EDA tooling and shuttle runs means it's actually cheaper than ever to get an ASIC done. The cost of the higher nodes is *very significant*, though. Apple is barely an example because they have *billions*. Think more like how most vendors use whatever Qualcomm, etc. dictate because they simply can't afford to do the development. It's spread across them. Samsung and Apple made enough on their phones to do their own. Some of the VC funded companies that sell to high-priced markets, Cavium being one I often cite, have also come up with some stuff. Adapteva iterated a few of theirs with extremely clever management of it all to only cost a few million. All that is still way more than the cost of developing the same solution on Xilinx or Altera with 500 nodes' worth of FPGAs.

And don't forget a big selling point: FPGAs run multiple designs for multiple or adaptable workloads.

"That is much of the software will become hardware macros that run as parallel tasks. An ARM style CPU with lots of on chip memory or a hardcoded macro can run entire threads autonomously and ultra efficiently. "

That's already happening with groups like Cavium. It will continue. It's the Amiga model revived. :)

"But to get to this level of parallelism will require a slaughter of current code cutters unless they can either retrain out of sequential thinking, or the programming languages become 6th or more generation where the sequential thinking will be at a sufficiently high level that the parallel threads/macros/cores are abstracted out of the programmers' view. "

Or we just use tools like ParaSail, RapidMind, etc. that essentially do it for them with them following some cookbook-style rules. It will suck for people that can't use such tools.

September 25, 2016 7:13 PM

Jim N on Friday Squid Blogging: Space Kraken:

@ Taking the Hint,

"It’s nice to finally see Mr Snowden discuss abuses from American corporations – not just governments."

The hush-hush on these forums around Google is somewhat interesting. Have Google got folks watching/monitoring this? Oh ya, it's just an extra crawlbot parameter, a self-professed defender of free speech perhaps only when it suits its purpose?

@ Daniel,

"I can't figure out which is worse, that Krebs site got knocked off-line or that Google is his new protector. Google censors a great many things, I shudder to think of it as the guardian of free speech."

Reading up on Krebs' past articles now. It's interesting.

September 25, 2016 6:53 PM

CarpetCat on Friday Squid Blogging: Space Kraken:

Those of you with Win7 machines might want to check for DiagTrack again. MS snuck it in somehow again. Just a coincidence, but after deleting it AGAIN, my router spontaneously rebooted about 3 hours later. Ahem, cough cough.

Reading the newspaper, I saw that Hillary and Co would run out to the nearest store to replace her phones. Always the same place, nearest to the state building. Why attack State Dep security when you can break into the nearest cell phone store?

There was other, more depressing stuff, like rule of law meaningless, etc. But no one seems to care anymore...(perhaps when thouest bellies are not so full, and the nights are oh so cold...) I think I just elipsed myself...

September 25, 2016 6:51 PM

Jim N on Two Good Essays on the NSA's "Upstream" Data Collection under Section 702:

@ Rolf Weber,

"Where did I write email and wiretaps in one sentence?"

Right up there. (hint: 'backbone')

"And you seem to confuse PRISM with Upstream."

I'm not well-versed in these names. Care to elaborate?

@ Clive Robinson,

"Austrian student Max Schrems back in 2014. Max took the entire published parts of the Ed Snowden revelations and squeezed them in fourteen large lever arch folders and swore them in as testimony."

While I'm not well-versed in legal matters, I seriously doubt you can download a bunch of files from the internet and "swear them in" as testimony without an AOK from the source of these documents, and I highly doubt the three letter agencies would put a stamp on such docs brought forth by the Austrian in Ireland. The whole thing is too theatrical. Thus, on U.S. soil at least, a conspiracy theory is what it remains.

September 25, 2016 5:13 PM

Gringo on Friday Squid Blogging: Space Kraken:

@Czerno

Too bad about Protonmail. I had hoped they could have done better. It has the aroma of hushmail and the failures surrounding that steaming heap.

I don't know about onionmail, but Sigaint.org appears to have an easier setup and they have been around a lot longer. According to IRC they are the "gold standard" of darkweb email.

September 25, 2016 4:02 PM

ab praeceptis on Friday Squid Blogging: Space Kraken:

Clive Robinson

(re. your "FPGA" post).

I widely agree regarding major parts. I assume, however, that implementation will happen differently.

You are right in that the tools for FPGAs are way too complicated for most - plus there is a whole lot of FPGA intricacies that are hard to be put into a tool at all.

My take is that (as you said) there will be more and more HW "libraries" for typical routines and purposes. The two ideas that mainly drive that will be a) to have complex blocks (like, for instance, EtherCat) readily available and b) to put (usually time) critical small blocks into HW (typical example: crypto).

FPGAs are but one approach to that, and a clumsy, slow, and burdensome one.

My assumption is that the pivot point will change. I think the fabs will inevitably walk towards a situation in which even single wafers can be reasonably produced and sold; that is basically but a question of them creating their "libraries".

Another, albeit less relevant and more short term, evolution I assume is "inside bonding", i.e. offering multiple chips inside one package. This might be attractive for an analogue to what today is many fabless chip houses. Those might, for instance, buy some periphery silicon (without packaging), design some glue HW to connect that periphery functionality to say an ARM core and package the whole thing into 1 package.

Customers will love it as it takes away much of the ugly work that is hard for them and because it's cool and felt as (assumedly) safe (mostly in terms of IP protection) to have your own chip with your own logo on it.
For the backend it's seductive as it's largely know-how based (read fabless) and generates attractive products with rather little effort.

One example that strikes me is crypto. On the one hand one very typically has rather primitive little devices for which a cheap 16-bit MCU is damn good enough. On the other hand there are more and more clients who want good crypto even on the interconnection with those simple devices. It would, of course, be attractive if they could buy a mildly more expensive and pin compatible version of their MCU that had some crypto HW acceleration built in.

September 25, 2016 3:16 PM

Daniel on Friday Squid Blogging: Space Kraken:

I can't figure out which is worse, that Krebs site got knocked off-line or that Google is his new protector. Google censors a great many things, I shudder to think of it as the guardian of free speech.

September 25, 2016 2:51 PM

Developer Backdoor? on iPhone 7 Jailbreak:

I wonder about the 'threat' model of activist employees putting intentional backdoors into locked down walled garden style products. The other one that comes to mind is that one where Android (IIRC) had something where every keyboard character got fed in the background into a root shell.

One can imagine activist developers not in line with the corporate agenda throwing in a few of these to help out the hackers who then leverage the initial exploit to 'hold onto root' long enough to figure out a better exploit that wasn't of the gift variety.

It's a theory...

September 25, 2016 2:02 PM

Moderator on Friday Squid Blogging: Space Kraken:

@My Info: Re your interpretation of @r's opaque witticism as a "scarcely concealed death threat," I have reviewed this thread and disagree. Please refrain from further harangues that have nothing to do with security.

September 25, 2016 1:45 PM

Laam Venerinde on Friday Squid Blogging: Space Kraken:

@Czerno

Once again, the old privacy-v-security spin got going. News full of it here. "In order to combat terrorism, we ourselves have to become terrorists-errrr-aw, forget it". The whole "Swiss-ensured anonymity/privacy" had reeked rotten to me anyway (see: that Swiss analogue of ECHELON). Too many parties interested in the opposite. And after they killed bank secrecy... Nah. I suspect the only thing that has changed is legal status - that is, nothing.

Good news for PR men, I guess. Playing the fear and "terrorism" card still works. For the rest of us - did you really expect something else?

September 25, 2016 1:01 PM

My Info on Friday Squid Blogging: Space Kraken:

@r

-- "... both of you have been put out ... entomb your ineptitude ..."

That is incredibly ugly language -- a scarcely concealed death threat with the assumption of its having already been carried out. Rest assured I take it seriously since the failed attempt on my life shortly after my last post.

A large caliber gunshot directed at me when I posted something on a transgender topic to the internet from a mobile device. Not in fact unusual. Happened to me in Chicago a few months ago, too.

Certainly confirms my claims of a holocaust against the transgender.

The internet privacy and security angle is what makes it relevant to this forum.

[N.B. No known relation to @Jim N other than discussion in this thread.]

September 25, 2016 12:46 PM

Ted on Friday Squid Blogging: Space Kraken:

@Clive Robinson

Even if the algorithm is good, it will inevitably be broken long before the "End of Life" of many products it will be put in such as Smart meters and implanted medical electronics.

You are right, both historically and logically. However, would you say that abandoning the process now would be imprudent, at least for medical devices?

According to Dr. Sarbari Gupta, CISSP, CISA, implantable medical devices (IMDs) are subject to many constraints including device size, cost, power, computational capability, and storage. Does this make lightweight cryptography necessary for those purposes and standards? Granted, being free from the need for advanced medical care would be an alternative.

http://csrc.nist.gov/news_events/cps-workshop/slides/presentation-1_gupta.pdf

Also from the “Postmarket Management of Cybersecurity in Medical Devices, Draft Guidance for Industry and Food and Drug Administration Staff”

Line 770: "Risk Analysis and Threat Modeling"

"FDA recommends that manufacturers conduct cybersecurity risk analyses that include threat modeling for each of their devices and to update those analyses over time. Risk analyses and threat modeling should aim to triage vulnerabilities for timely remediation. Threat modeling is a procedure for optimizing Network/Application/Internet Security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. Threat modeling provides traditional risk management and failure mode analysis paradigms, and a framework to assess threats from active adversaries/malicious use. For each vulnerability, a summary report should be produced that concisely summarizes the risk analysis and threat modeling information. Due to the cyclical nature of the analyses, the information should be traceable to related documentation."
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf

September 25, 2016 12:06 PM

AC2 on Amtrak Security Awareness:

Am with Clive as well.

For the forthcoming kids' vacation decided against a US trip - many other places are far more welcoming.

Will only come for business trips.

September 25, 2016 11:43 AM

r on Friday Squid Blogging: Space Kraken:

@Jim N, My Info

Time to reformulate your plan of attack, both of you have been put out (Dan Rathered) and are likely putting out (read not being put-in).

I almost didn't bite as I have been warned about you (too) and now you've received mine.

Tag, you're IT - willing merchants of disinformation.

Tomes to me to entomb your ineptitude for all of time to beholden caufielded.

September 25, 2016 11:07 AM

CallMeLateForSupper on Friday Squid Blogging: Space Kraken:

While reading this yesterday,
https://theintercept.com/2016/09/24/a-walking-tour-of-new-yorks-massive-surveillance-network/
and with the attack on Krebs' site fresh in my mind, the thought occurred to me: how many city/county/state/fed-owned cameras contribute bandwidth to bots? Think of the profound irony: herding many thousands of individual pieces of Five Eyes' (and others') surveillance infrastructure into a massive stampede.

"Bloody brilliant!" - Tom Jericho, in the movie "Enigma"

September 25, 2016 10:47 AM

My Info on Friday Squid Blogging: Space Kraken:

@Jim N
"Google Allo," Snapshot, WhatsApp, etc. are of little interest to privacy advocates until they entrench themselves to the point one becomes a hermit or a witch (or a terrorist) for refusing to use them. Then it's more like robbing than stealing privacy.

@r
"shut the border - ... Lock your doors. Load your guns."

Those are good ideas.

The Democrats, yes they do have especially a transgender holocaust going on. Identify them, offer them 'help,' (in reality nothing but psych meds and 'conversion therapy' to try to make them 'comfortable' with their originally assigned gender,) and meanwhile work behind the scenes to ship them on cattle cars to concentration camps (or mental hospitals -- a favorite trick of Vladimir Putin for his political enemies.)

Psychiatry is getting very, very grisly these days.

The Democratic political aim with gender transition/reassignment therapy is to waste as much of the patient's time and money as possible and then ultimately refuse, and if possible force the patient into prostitution.

Transgender looking for a 'real' job? Sorry, we just got a call from the boiler room. We were told not to hire you. You're too old. Besides, you can't use the restroom.

That is the Democratic political machine in action, in case you were so deluded as to think Democrats were 'tolerant' or 'open-minded.'

September 25, 2016 10:28 AM

Czerno on Friday Squid Blogging: Space Kraken:

In news: In a poll today, Swiss voters have approved by a massive majority (66%) a new law authorizing the surveillance of communications and internet by the secret services ...

Bad news for Protonmail and similar who used to boast of their made-in-Switzerland anonymity.

Maybe time for us all to examine "onionmail" ( en.onionmail.info ) as advertised by @Ninho on last week's squiddy ...

September 25, 2016 10:27 AM

Pyton Harkerz on Periscope ATM Skimmers:

ATM HACK: Do you know you can HACK any ATM Machine?!!!

We have a specially programmed ATM card that can be used to hack ATM machines; the ATM cards can be used to withdraw at the ATM or swipe at stores and POS. We sell these cards to all our customers and interested buyers worldwide. The card has a daily withdrawal limit of $5000 at the ATM and up to a $50,000 spending limit in stores. And also if you are in need of any other cyber hack services, we are here for you anytime, any day.

The prices are negotiable and include the shipping fees and charges, order now!

Here is our price list for the ATM CARDS:
BALANCE - PRICE
$10,000 - $650
$20,000 - $1200
$35,000 - $1900
$50,000 - $2700
$100,000 - $5200

Contact us via:
Email Address: pytonwizards@cyberservices.com

Mobile number:
+1 518-480-2281 (Text & Viber Only)

Python Hackers.

September 25, 2016 10:23 AM

CallMeLateForSupper on Friday Squid Blogging: Space Kraken:

@Drone
"There's lots more; read it."

Love to... but the site was still unreachable here less than two minutes ago.

September 25, 2016 7:37 AM

Drone on Friday Squid Blogging: Space Kraken:

I see Brian Krebs has a new DDoS related post up:

"The Democratization of Censorship"

https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/

Excerpting:

"The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor... It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before."

There's lots more; read it.

September 25, 2016 7:02 AM

Grauhut on Friday Squid Blogging: Space Kraken:

@Jim N: "@Kim Fat Cow "Krebs site is online :-)" He better get a better pipe"

One of the biggest pipes possible now as it seems :)

root@home:~$ ping krebsonsecurity.com
PING krebsonsecurity.com (130.211.45.45) 56(84) bytes of data.
64 bytes from 45.45.211.130.bc.googleusercontent.com (130.211.45.45): icmp_seq=1 ttl=56 time=16.6 ms
64 bytes from 45.45.211.130.bc.googleusercontent.com (130.211.45.45): icmp_seq=2 ttl=56 time=15.9 ms
...

September 25, 2016 6:34 AM

Grauhut on Friday Squid Blogging: Space Kraken:

@all: Now that KrebsonSecurity is back...

"Someone Is Learning How to Take Down the Internet"
(Bruce)

“Someone has a botnet with capabilities we haven’t seen before,” McKeay said. “We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks — they were everywhere.”


Now someone learned to take down Akamai. But who?


Possibly the ZeroAccess guys? They could have the capabilities and an open bill with Krebs.

http://arstechnica.com/security/2013/12/microsoft-disrupts-botnet-that-generated-2-7m-per-month-for-operators/

September 25, 2016 5:24 AM

Duck Duck Gustav on Friday Squid Blogging: Space Kraken:

@Curious,

RE: Crapcom

https://it.slashdot.org/story/16/09/25/004250/street-fighter-v-update-installed-hidden-rootkits-on-pcs

Friday Capcom tweeted "We are in the process of rolling back the security measures added to the PC version of Street Fighter V." This prompted one user to reply, "literal rootkits are the opposite of security measures."

Not when you're Sony, Capcom, the NSA, the IDF, the CIA or anyone else who acts with impunity.

I'm very secure in stating that mild observation.

You really don't have to spin these props up any more than they already are, it's sad. (where's that propeller beanie when I need it...)

It's becoming apparent that an appearance is impatiently more important than being perceived as impotent.

Am I being impolite here? Have I surpassed some quotient?

Please, let me Noe if I am.

September 25, 2016 4:43 AM

Duck Duck Gustav on Friday Squid Blogging: Space Kraken:

@Joe K,

The same old program seems to be running, once again. Is the American mainstream press a weapon of mass destruction?

The various hentities of the msm are apparently just clam o-ring, aren't they?

They only open up that well fed maw wide to let that sand slip out onto our <g>ears.

They're not the weapon of mass destruction but a cog in the we'll of the masses distraction.

I argue, that when one hand watches the other: the ugly facade staring back at them with such eager bliss as to count every last second is their own. Reflecting on a ticking bomb.

Likely, they're only a small piece of the larger Western Minded Dilemma you allude to, one hand counts the minutiae and the other hand I'm sure counts the our's.

Do we really knead seconds?

September 25, 2016 3:55 AM

Clinton den Heyer on Someone Is Learning How to Take Down the Internet:

If it's a DDoS attack on the 13 DNS root servers of IPv4 then it's not the first time it's happened. In terms of testing limitations of current resilience there have been a couple of notable times in the not so distant past where botnets have been assembled and active that have been capable of shutting down the Internet as we know it easily. Conficker springs to mind. Moving into IPv6, whatever the reason for the above article, the fact that we still only have an evolved (and evolving) architecture and no central governance for the Internet should be warning enough of its instability.

September 25, 2016 3:47 AM

Duck Duck Gustav on Two Good Essays on the NSA's "Upstream" Data Collection under Section 702:

Do you recall the name of Schrödinger's cat, perchance?

The box itself belonged to Pandora.

You should've never opened it, you have lost all trust and integrity in doing so.

Go ahead, blame it on some lowly windows administrator. Some runt of the mill criminal.

We could infer from his inabilities that your inabilities run deeper, my recommendation is that you paint him as a Messiah, as some Uber Hacker to make yourself not some fool.

If he could accomplish so much and yet so little, imagine what the FSB could do with their non-MAC spoofing mayhems.

Don't try to evade that logic, it does you no good.

We the public can blame you and yours for not securing the box, and for misappropriating public funds in its operative functions.

No amount of damage control will recover your pitch and your yaw from this one, so quit wasting our time and our public money and get back to work. It's business as usual behind closed doors and minds.

September 25, 2016 3:35 AM

Joe K on Friday Squid Blogging: Space Kraken:

@JG4

I read the piece about Clapper on the blog you linked to, the one that asked the question "What makes a liar lie?"

And then I read the Wall Street Journal articlette it referred to:

Related questions that sprang to mind are "What makes a reporter fail to report?" and "When is a stenographer's notepad like Write-Only-Memory"?

The reporter promises us that "Mr. Clapper's comments were his most explicit to date connecting Russia to the hacking operation," but when we examine the direct quotes therein, we find nothing explicit about them.

Did Clapper say anything remotely like what that reporter claims? One will search his article in vain for quotes substantiating that Clapper said anything of the kind.

The article does quote Clapper. Apparently, Clapper opened his mouth and said some things, and the reporter wrote some of them down. But only in the reporter's imagination, and perhaps a suggestible reader's, do those particular quotes amount to saying that Russians hacked the DNC.

If Damian Paletta, the reporter in question, has other more juicy quotes in his notepad, which actually demonstrate Clapper doing this alleged about-face on his "Calm the fuck down, people" stance, why did he choose not to share them with the public, by putting them in the article? Is the WSJ running low on electronic ink?

A more accurate headline would swap out "U.S. Intelligence Chief" and replace it with "Wall Street Journal Reporter".

Related: Would you like to know how I knew, way back when, that the Bush administration's claims about Iraqi WMD were utter bullshit? Because when you searched for potentially substantiating evidence in the news, you came up with the same three bits of pocket lint.

If they had had good evidence, they would not have been showing off the same three bits of pocket trash, over and over.

The same old program seems to be running, once again. Is the American mainstream press a weapon of mass destruction?

September 25, 2016 3:33 AM

Duck Duck Gustav on Two Good Essays on the NSA's "Upstream" Data Collection under Section 702:

Mr. Weberr,

I've been monitoring things here, and I would like to point out that in sharing documents with the international media those documents have been thus shared with Russia via proxy.

You may be right, concentrating on the "upstream" issue seems to be what's at play both at the start of this topic and within the confines of it.

However, we can make up whatever names you want for whatever operation you want today: tomorrow it can all be reclassified removed and repurposed. Concentrating on today's treat, and treatise in the long term no matter what the disclosure will be found to be ineffective as long as the ball is in play.

Unfortunately for both of us, Schrödinger's cat is out of the box.

You cannot reuse said box for its coffin and we can't execute something we can't see with the public light.

September 25, 2016 2:46 AM

Rolf Weber on Two Good Essays on the NSA's "Upstream" Data Collection under Section 702:

@ab

There is, of course, no hard proof, but many, many indications. This is why I mostly express it like "Snowden most certainly shared documents with Russia". Of course you are free to believe in his fairy tale narrative, as well as I am free to call you naive.


@Jim N

Where did I write email and wiretaps in one sentence?
And you seem to confuse PRISM with Upstream.


@Clive Robinson

You were asked for a link. What you say is nonsense in big parts. E.g. it was no criminal case, and while the documents were filed, neither the Irish courts nor the European Court of Justice really dealt with them.

September 25, 2016 1:59 AM

Alan on Hacking Bridge-Hand Generation Software:

@Steinar, after reading the email thread linked in the original post, I imagine that the hand generation program is something like this:

seed = 0  # the dealer's 48-bit seed (placeholder; the real value is what an attacker wants to recover)
state = seed
def lcg_random(n):  # Insecure PRNG: linear congruential generator (assumed java.util.Random-style constants)
    global state
    state = (state * 0x5DEECE66D + 0xB) & ((1 << 48) - 1)
    return (state >> 17) % n
deck = [r + s for s in "SHDC" for r in "AKQJT98765432"]  # AS, KS, QS, ..., 2S, AH, KH, ..., 2H, AD, ..., 2D, AC, ..., 2C
# Do a Fisher-Yates shuffle.
for i in range(52):
    j = lcg_random(52 - i)
    deck[i], deck[i + j] = deck[i + j], deck[i]
by_suit_then_rank = lambda c: ("SHDC".index(c[1]), "AKQJT98765432".index(c[0]))
north_hand = sorted(deck[0:13], key=by_suit_then_rank)
east_hand = sorted(deck[13:26], key=by_suit_then_rank)
south_hand = sorted(deck[26:39], key=by_suit_then_rank)
west_hand = sorted(deck[39:52], key=by_suit_then_rank)

By sorting the cards (by suit, then by rank within each suit), it's tricky to recover the order that the cards were dealt. Because of this, although each hand has a touch over 95 bits of information, it's tricky to go from that back to the 48 bits that the PRNG was seeded with. I haven't thought this all the way through, but I suspect that's why just looking at 48 bits of output isn't enough to find the seed.
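
Added example (my code, not Alan's sketch and not the bridge program's own source) showing why sorting the hands does not, by itself, protect the seed: an attacker who knows the dealer's algorithm never needs the deal order, because they re-run the dealer for each candidate seed and compare the sorted hands their simulation produces with the sorted hands on the table. Everything about the generator is assumed: a 48-bit linear congruential generator with java.util.Random-style constants, the "top 31 bits mod n" reduction, and the rank/suit encoding. To keep the run short the recovery search is demonstrated over a 12-bit seed space; a 48-bit space costs 2^36 times as many candidate deals but no more work per candidate.

```python
import math

# Card encoding used by this toy dealer: rank letter followed by suit letter.
SUITS = "SHDC"
RANKS = "AKQJT98765432"
DECK = [r + s for s in SUITS for r in RANKS]  # 52 cards, AS .. 2C

# Assumed generator: 48-bit LCG with the java.util.Random constants.
# This is a stand-in for illustration, not the real dealer's generator.
LCG_MULT = 0x5DEECE66D
LCG_INC = 0xB
LCG_MASK = (1 << 48) - 1


class LCG:
    def __init__(self, seed):
        self.state = seed & LCG_MASK

    def next_below(self, n):
        # One LCG step, then reduce the top 31 bits of the 48-bit state.
        self.state = (self.state * LCG_MULT + LCG_INC) & LCG_MASK
        return (self.state >> 17) % n


def card_key(card):
    # Sort by suit, then by rank within the suit, as described above.
    return (SUITS.index(card[1]), RANKS.index(card[0]))


def deal(seed):
    """Fisher-Yates shuffle driven by the LCG, returning four sorted hands."""
    rng = LCG(seed)
    deck = list(DECK)
    for i in range(51):  # the last card has no choice left
        j = rng.next_below(52 - i)
        deck[i], deck[i + j] = deck[i + j], deck[i]
    return tuple(
        tuple(sorted(deck[k:k + 13], key=card_key)) for k in range(0, 52, 13)
    )


def deal_entropy_bits():
    """Information in one full deal: log2(52! / (13!)^4), about 95.4 bits."""
    return math.log2(math.factorial(52) / math.factorial(13) ** 4)


def recover_seed(hands, seed_bits):
    """Re-run the dealer for every seed in a seed_bits-wide space and return
    the seed whose sorted hands match the observed ones. The attacker compares
    sorted output with sorted output, so the lost deal order costs nothing;
    the only cost is 2**seed_bits simulated deals."""
    for seed in range(1 << seed_bits):
        if deal(seed) == hands:
            return seed
    return None


if __name__ == "__main__":
    observed = deal(0xABC)          # what the players see at the table
    print("deal entropy: %.1f bits" % deal_entropy_bits())
    print("recovered seed:", hex(recover_seed(observed, 12)))
```

The point of the search is that a 48-bit seed leaves the dealer with far fewer distinct deals than the 95-bit deal space can hold, and that once the seed is known every later deal from the same generator state is known too; the sort only hides the shuffle order from a human reading the hand records, not from a program that reproduces the shuffle.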

September 25, 2016 12:55 AM

Clive Robinson on Two Good Essays on the NSA's "Upstream" Data Collection under Section 702:

@ Jim N,

Which documents would that be? Would you kindly provide a link to it?

It was in a criminal case against nine US companies including Apple, the US Government and the Irish Data Commissioner held in front of Judge Prof. Gerard Hogan brought by Austrian student Max Schrems back in 2014. Max took the entire published parts of the Ed Snowden revelations and squeezed them into fourteen large lever arch folders and swore them in as testimony. Thus at that point the Ed Snowden revelations ceased to be hearsay and became sworn evidence in a court of law dealing with criminal charges. It did not take the judge very long to hand down guilty verdicts for "indiscriminate mass surveillance".

Whilst not widely reported outside of Ireland it caused a considerable howl from the USG and US companies who are dragging it up to and through the European Court of Justice (the ECJ not the ECHR).

The Taoiseach (ie prime minister) on realising the damage to his "get rich quick tax fiddle scheme" quickly booted the judge up to the appeals court to get him out of the way. Max got what he wanted: the US indicted in court for the mass surveillance and an order against the Irish regulator to "perform" her statutory duties.

However the regulator lurking in her grubby little abode above a "little shop of horrors" in Portarlington conveniently close to the largest bog in Ireland has decided, presumably on orders from above her pay grade, to play dirty rather than comply with the court order. She has hit Max with no less than eleven spurious cases in the obscure but nevertheless very expensive commercial court.

However the attempts of the Irish Taoiseach and regulator to keep it all bolted down and quiet to keep the commercial gravy train of US corporate tax avoiders going has just hit a massive rock with the EU Commission that has found against Apple and its tax avoidance. We now have the interesting case of the Commission saying Apple has to hand the government in Ireland 13 billion Euros... Which the grubby little Taoiseach is desperately trying to find fault with the EU Commission over so that the 13 billion can be rejected...

Which has unfortunately started shining a light back on Max's little win that is heading for the ECJ as slowly as the defendants can force it. What they originally thought would be an "easy win" suddenly became an endless nightmare. Because shock horror the ECJ last year made a very damaging (for the US and its companies) decision. Rather than stop PII transfers it halted all "legal transfers" by making such transfers illegal... Ouch...

Apart from making the US Government a willing partner in illegal activity and giving the Snowden revelations the force of legal evidence, there is another little problem for the US IRS/Treasury, which is that mammoth ball of cash that has avoided US taxation. Whilst the US is unlikely to get at it the EU look likely to take a huge slice out of it. Which will almost certainly cause serious political headaches for those schmoozing corporates of US politicos, unless they can buy off the US MSM... Expect to see a lot more tax-deductible advertising on a TV near you any time soon as the very least of it.

September 24, 2016 11:39 PM

Clive Robinson on Friday Squid Blogging: Space Kraken:

@ Ted,

It appears there was a public workshop earlier this year reflecting that same thought.

With the sound of horse hooves fading in the distance, they are finally realising the dual meaning of bolted, and that the one on the stable door should have come first.

It is too little too late, due to US Medical Insurance companies the legacy problem is now well dug in on heart related medical electronic implants.

Digging us out of that messy pit is going to be difficult without having to "crack chests" again. And it's not as though "red flags" have not been raised for quite some time. The most public of which was one of the George "Dubyer" Bush coterie having the remote interface in his pacemaker disabled on "National Security" advice. Apparently there were fears that hackers would jerk him around like a breakdancing ragdoll, and it would not look good for the Secret Service if it got on the CNN news.

Back at the turn of the century CENELEC / CEPT had a bit of a rude awakening as design houses started producing Software Defined Radio kit and the futurologists in the likes of Advanced Micro Devices started talking about "universal transceivers" with single devices going from DC to Microwave and beyond with all communication modes compatibility. In effect making a mockery out of half a century of licencing regulation.

Since then things have got very very interesting. For a few hundred dollars you can buy the likes of the HackRF One from Great Scott Gadgets that will do from the AM band up to 6GHz in half duplex and has a usable Zero IF bandwidth of over a MHz. It's sold as "experimental test equipment" but it can do most analog and digital modes if you have sufficient "back end grunt" via GNU Radio etc, and with a few tweaks and add-ons could become a Cell Site Simulator with Stingray like capabilities.

Thus the previous licencing and regulation and the legislation behind it had relied on "security by obscurity" and that has all been blown out of the water by this "Disruptive Technology" of SDR.

Whatever the FDA or other interested entities in Smart Meters and other infrastructure think it had better include very strong crypto that can be upgraded several times in its expected service life of a quarter of a century. Because anything less will be completely and utterly hacked and the attacks made usable by "script kiddies" who will amongst other things make grandpa dance...

The bottom line is to think otherwise flies in the face of modern history of technology...

September 24, 2016 11:25 PM

Duck Duck Gustav on Friday Squid Blogging: Space Kraken:

Pull up a chair (and a signal line), we interrupt your irregularly scheduled canary thread to bring our notional anathema: Kumbaya.

Everyone, please - in unison: THE Symphony of Distraction.

https://science.slashdot.org/story/16/09/24/185231/cisco-blamed-a-router-bug-on-cosmic-radiation

Cisco blamed a router bug on cosmic radiation, I suppose this is better than the typical "Act of God" cruft we see from the insurance companies.

Is this what is going to happen when the proper explanations are all classified and in violation of an NDA?

Hardware is hardwired to accept these risks, we all were just labeled clueless products above - do you accept these risks? did you accept these risks?

Will you accept these risks?

September 24, 2016 11:06 PM

Duck Duck Gustav on Friday Squid Blogging: Space Kraken:

@Hinting A-Round Daft Serection

their clueless products

They are clueless products, are they not?

September 24, 2016 10:54 PM

Taking the Hint on Friday Squid Blogging: Space Kraken:

Google Allo should be deleted and never used, says Edward Snowden

http://www.independent.co.uk/life-style/gadgets-and-tech/news/google-allo-should-be-deleted-and-never-used-says-edward-snowden-a7320861.html
It’s nice to finally see Mr Snowden discuss abuses from American corporations – not just governments.
In this example there is an intimate relationship between Google and The White House. Executive job offers flow both ways. Both Google and Facebook manipulate their clueless products to elect a restful Ms. Clinton. But the Europeans are well aware that USA policy is really authored by ex-Google employees. In fact it’s hard to name a single country that doesn’t resist except for suck-up England.

September 24, 2016 10:43 PM

Duck Duck Gustav on Friday Squid Blogging: Space Kraken:

It was the last traditional Windows Patch Tuesday as Microsoft is moving to a new patching release model. In the future, patches will be bundled together and users will no longer be able to pick and choose which updates to install.
Last month a Slashdot reader asked for suggestions on how to handle the new 'cumulative' updates -- although the most common response was "I run Linux."

https://tech.slashdot.org/story/16/09/24/228203/tuesday-was-microsofts-last-non-cumulative-patch

Panic in the streets, exploits in the wild, contempt in our hearts, linux in our minds.

September 24, 2016 10:23 PM

Duck Duck Gustav on Friday Squid Blogging: Space Kraken:

My greatest Appalatian logs to derial from your per pro und pre insistance that those that reflect upon those that reflect yours are prone to para no identity christ with (and without) ease.

The burning effigy in your pants begats but hurt beligerancy believe it or not, wry comments are butt responses to despondents desperately seeking to communicate from the deepest of sour chasm.

Doves my flatulence scare you?

Doo I make myself clear?

Thease and this is thus not a question of would-wind instruments, or percussion sections but a question of a much larger cadense droning on behind minds more closed than my own. Were you lost at the interjection? the introspection? Where is the sign...

You ask I, self and Yousef sir with both certainty and contempt - I ask: is there any certainty in the accusations of PreK Kollaborators?

I, Vince in PE Klass to vind out.

My reflection? (As opposed to your's)

I am uncertain about whether I was [de]sponding to sour chasm from **His Infamous** or not I suppose.

What <is> your <slanted> eye doing here?

September 24, 2016 10:05 PM

Differences that count on Friday Squid Blogging: Space Kraken:

regular Blockchain vs ‘Editable’ Blockchain

Accenture Patents a Blockchain-Editing Tool vs Accenture Debuts Prototype of ‘Editable’ Blockchain for Enterprise and Permissioned Systems Tool

September 24, 2016 10:00 PM

neill on Friday Squid Blogging: Space Kraken:

@ Clive et al.

we could throw hundreds of cores on one die, and use 'hypertransport' do the cache and memory accesses & sync ...

there's an interesting paper from intel about motherboard design (didn't save the link) and the main constraint here is PIN COUNT

we're at 2000+ already, and no one has the capability to manufacture a 3000, 4000, 5000 count socket (yet), with a motherboard that could route all tracelines w/o signal failures, or manufacturing problems (and cost increase)

that's what you would need to feed a few hundred cores on a single die, power & data & control etc

so intel does what they can do to increase IPC, cache, cores, AVX, FMA etc whatever they come up with to use existing socket tech and squeeze more FLOPS out of it

I'm not a big fan but I'll give intel a lot of credit for their achievements (and keeping x86 code compatibility)

IMHO itanium is an amazing product, so was everything altivec, but the large scale production cost ultimately decides where this all will go

September 24, 2016 9:44 PM

Jim N on Friday Squid Blogging: Space Kraken:

@ r,

"I think you missed the point about the drum synthesizer and paranoia."

Well, then quit being so paranoid about "Russians". I don't care if you "gone to elementary with [Russians]" or studied music in moscow. The tired, old red scare is getting old and tiresome.

September 24, 2016 8:42 PM

r on Friday Squid Blogging: Space Kraken:

@Jim N,

Here, let's simplify this.

Blame my fixation on Russia on having apparently gone to elementary with them.

Did you miss PE class?

There were Russians there too, and the substitute librarian... well...

He was a huge fan of Orwell.

I think you missed the point about the drum synthesizer and paranoia.

September 24, 2016 8:39 PM

Jim N on Friday Squid Blogging: Space Kraken:

@ r,

"WTF Is that? A Drum Synthesizer??"

You seem to have some sort of fixation on anything "Russian"-related. Has it not been reported of American involvement in other countries' general elections? Truth is every country does it to every other. If every country had gone to war over this, we'd have WW3 a dozen times over already.

Vote...

September 24, 2016 8:31 PM

tyr on Friday Squid Blogging: Space Kraken:


@Clive

M$ didn't do the world any favours by hijacking the
entire Microcomputer industry into the awful path
of IBM + M$ crap. There was a thriving bunch of
innovation going on in many places which was taken
out as the survivors had to make PC compatible
boards just to stay afloat.

I don't expect current programming types to make the
leap to parallel unless someone re-invents the
wheel on multiprocessor architecture. That also has
to have a massive hardware redesign to make the
single processor programmer model viable. Stranger
things have happened but I haven't seen much rational
comp development take place in a macro sense. It
has been kludge what sorta works and hope to fix it
later. Of course most of society uses that model to
charge forward into an unknown future.

My favourite developer story was the corp that built
an intel based PC with 1 meg of Ram then had to ask
Intel why they could only use 640K of the memory.
They had already done the circuit board fab by the
time they had to ask that.

I can't wait to see the bloat level achievable with
an OOP parallel language implementation running on
wintel hardware.

September 24, 2016 8:27 PM

Ronnie on Friday Squid Blogging: Space Kraken:

Physical security - Bowley lock - a new lock design that is more pick-resistant and more bump-resistant. Company is positioning themselves as a less expensive high-security lock. All things being equal, thieves would opt for the easier target although doesn't preclude kicking in doors or smashing windows.
https://www.bowleylockcompany.com/

Animation of how the lock mechanism works
https://www.youtube.com/watch?v=jgekjfwphGc

Discussion of (an early version of) the lock
https://www.youtube.com/watch?v=1MnZM8Pkvmw

Probably the biggest barrier to adoption is that the user has to modify their lock/unlock behavior slightly.

September 24, 2016 8:24 PM

Jim N on iPhone 7 Jailbreak:

it's looking more and more likely that they made some sort of deal with the man. :L

September 24, 2016 8:23 PM

Louise on Someone Is Learning How to Take Down the Internet:

Glad someone summarizes what I observed for a couple years!

One newsworthy DDOS of 2014:

DDoS Attack Hits 400 Gbit/s, Breaks Record
http://www.darkreading.com/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787

took place just days in advance of Fadi Chehadé's visit to Beijing:

ICANN CEO to Meet with Chinese Internet Industry Leaders in Beijing
13-Feb-2014
http://www.agip-news.com/news.aspx?id=33010&lang=en

Fadi Chehade, President and CEO of ICANN Visited CNNIC With His Senior Team
http://english.cnic.cas.cn/ns/es/201302/t20130222_99138.html

Later, in 2014, attended the 2014 World Internet Conference in Wuzhen, east China's Zhejiang province:

ICANN President: More than 75 percent of the top-level domains have implemented DNSSEC
http://en.gmw.cn/node_61960.htm

and, last year, was adamant:

China key to global Internet governance: CEO of ICANN
http://www.chinadaily.com.cn/world/2015wic/2015-12/14/content_22710065.htm

It is too much of a coincidence to believe the record-breaking DDoS attack days in advance of Fadi Chehadé's visit to Beijing ISN'T a show of military might that would normally manifest as a military parade for visiting dignitaries.

Chehadé apparently received the welcome of a high-level dignitary, with that infamous display of DDoS might. The announcement, therefore, that Chehadé would, upon retirement from ICANN - co-chair the High-Level Advisory Committee (HAC) of the Wuzhen Initiative didn't surprise me, though it shocked many:

The Firewall Awakens: ICANN's exiting CEO takes internet governance to the dark side
http://www.theregister.co.uk/2015/12/18/ex_icann_ceo_will_work_with_china/

September 24, 2016 8:07 PM

r on Friday Squid Blogging: Space Kraken:

@My Info,

WTF Is that? A Drum Synthesizer??

You're kidding right, if the Russians are THAT far into everything then maybe you should shut the border - close your mind - close your eyes. Lock your doors. Load your guns.

What could you have that they want after enjoying their time here not **having** to change their MAC ?

Demonkrat! Demokrat! Demokrat!

Is that what you see?

September 24, 2016 8:01 PM

Jim N on Friday Squid Blogging: Space Kraken:

@ My Info,

"I'm sorry, this Google GOOG no / stock-split GOOGL Alphabet, Inc. company is the one to watch. NSA - pffft."

I'm surprised the privacy loving folks here haven't written anything on Google Allo this week.

September 24, 2016 7:59 PM

Jim N on Friday Squid Blogging: Space Kraken:

@ Kim Fat Cow

"Krebs site is online :-)"

He better get a better pipe, not only that he's been a target of DDoS, but now that the "free publicity" it generated will drive tons more viewers to his blog. :^)

September 24, 2016 7:55 PM

Jim N on Two Good Essays on the NSA's "Upstream" Data Collection under Section 702:

@ Rolf Weber,

"So the topic is Upstream and 702. That's what I commented so far. No more, no less. Don't blame me when you actually derailed the discussion."

Funnier is that, in your "example", you wrote Email and wiretaps in one sentence, while it was widely reported email contents are obtained in bulk directly from hosts.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.