Recent Comments


April 22, 2018 9:31 AM

Security Sam on Securing Elections:

In a state of representative democracy
The best you're going to get is mediocrity
For even though you elect a candidate
The winner fails to follow the mandate.

April 22, 2018 7:44 AM

Mark C on Friday Squid Blogging: Squid Prices Rise as Catch Decreases:

An interesting element in the story of "the largest foreign bribery case in history" is the apparent use of what appears to be a custom built encrypted software system by the large Brazilian corporation Odebrecht.

The system - named as "Mywebday" - was operated by a department known as the Division of Structured Operations. In effect this was a whole formal separate department set up to manage corruption, with a departmental budget said to be around $600 million. If the reports so far are borne out by the full story then this starts to sound like something from the movies: ie for...

April 22, 2018 7:18 AM

dont call me shirley on Oblivious DNS:

Typo: tag "DNA" should probably be "DNS"...

April 22, 2018 3:16 AM

For ratio... on Lifting a Fingerprint from a Photo:

Quote,

That’s nonsense. P(success) = (1 - (1 / 1000))^4.

However it was not success we were talking about but change in odds of failure from one in one thousand for a single step to that of four steps.

So we were actually looking for the probability it would be at fault / fail not success. But anyway we can work fail out from success easily enough,

So to work it out your way for "success",

1, 1 / 1000 = .0010
2, 1 - 0.0010 = 0.9990
3, 0.9990^4 = 0.9960

Then convert to "fail",

4, 1 - 0.9960 = 0.0040

...

April 22, 2018 12:55 AM

Clive Robinson on Friday Squid Blogging: Eating Firefly Squid:

@ Thoth,

This is a bad idea since almost all Hardware Wallets do not have a secure and reliable time source and thus immediately negates the guarantees of authenticity of any signed document.

Time like True randomness is something all computers have very distinct problems with, and probably always will do.

Mad as it might sound things have got to the point where we have to make allowance for relativity in mobile devices that we carry in our pockets...

Computers have no implicit way of understanding time, they are glorified state machines...

April 21, 2018 11:17 PM

Meher on Lifting a Fingerprint from a Photo:

Clive Robinson writes:

> I can not recall of any case which I've had even fairly distant contact with where such expert opinion has been called into question by the defence. Why I don't know because there have been quite a few cases recorded where when challenged and the actual full original images have been produced in front of a jury, the jury have not been impressed with the supposed expert opinion.

Dear Clive, thank you for this.
In my job I occasionally had to work alongside the police. One Detective, or possibly a Search and Rescue copper,...

April 21, 2018 11:15 PM

Ratio on Securing Elections:

@Sancho_P,

So what you say is: [...]

No, that is not what @Heck is saying. (On a crucial point it’s the exact opposite!)

April 21, 2018 8:34 PM

Alyer Babtu on Securing Elections:

@Ross Snider

Some “pre-commentary” on your remarks, showing the problems are at least 100 years old:

On the rich in politics, G. K. Chesterton, Orthodoxy, 1908 - “You will hear everlastingly, in all discussions about newspapers, companies, aristocracies, or party politics, this argument that the rich man cannot be bribed. The fact is, of course, that the rich man is bribed; he has been bribed already. That is why he is a rich man.”

On the main problem of the party system, that it is really a single party, H. Belloc and C. Chesterton, The Party System, 1911 - “ ......

April 21, 2018 6:07 PM

65535 on Friday Squid Blogging: Squid Prices Rise as Catch Decreases:

@ RockLobster

“IMO that should raise more questions about Twitter than it does about Kaspersky.”

That could be true. I am sure Twitter is not immune to NSLs and has probably received them.

‘In a letter to Twitter CEO Jack Dorsey on Friday, CEO Eugene Kaspersky expressed he was dumbfounded by the decision: “One thing I can say for sure is this: we haven’t violated any written—or unwritten—rules, and our business model is quite simply the same template business model that’s used throughout the whole cybersecurity industry: We provide users with products and...

April 21, 2018 6:05 PM

echo on Friday Squid Blogging: Squid Prices Rise as Catch Decreases:

I have no idea how data from price comparison websites could have been used by Cambridge Analytica unless the data provided additional insight into people's demographics and who might be more persuadable?

It's interesting that Brittany Kaiser's allegations are denied. In other contexts I have both been told and have witnessed events which have subsequently been denied. If these leads were pursued they would lead to claims of contempt of court and gross professional negligence (and possibly fraud). I am extremely skeptical of the personalities behind and affiliated with Cambridge...

April 21, 2018 4:59 PM

JG4 on FBI Increases Its Anti-Encryption Rhetoric:


@Clive - I've been busy or I would have been more vocal. Trust that you are mending from the latest medical difficulties. I like your construction, but I want to point out one useful addition. "Think of the children" is a canard that is intended to shut down logic and replace it with emotion. There are numerous cognitive tricks in that repertoire, as echo cites. Had an excellent week of networking, almost like the good old days. Part of the intellectual progress was recognizing that the severance of the peasants from the soil is one root cause of our gut biome problems....

April 21, 2018 4:44 PM

VW under the hood on Securing Elections:

Don't worry, the stealth engineers from the VW emissions scandal are taking invisible election tampering as their next challenge.

Uses AI to distinguish actual election scenarios from auditing scenarios and act accordingly.

April 21, 2018 4:36 PM

Ross Snider on Securing Elections:

The biggest issues in election / democracy security are:

1. Republican/Democratic Party capture of the government. These parties have engineered the election commission so that it is not really possible to run as any other political party - or as independent.

2. Private / industrial capture of political parties. The board members to the only available political parties are from a very narrow demographic and their control of political parties represents a huge security compromise for democracy.

3. Gerrymandering, superdelegates, hom-estating and other hacking...

April 21, 2018 4:25 PM

DS on Securing Elections:

Bruce, you might be happy to know that all of your suggestions are already the method by which elections are run here in Wyoming. I am an election judge/official who serves in a voting place where two precincts vote together. Here's our methodology:

1. Mark-sense ballots. The candidate/issue is marked on the ballot, the voters mark the ballot and return it to the mark-sense machine, where it is counted and deposited in a secured (locked) container until after the polls close.

2. Ballots are controlled in locked boxes before they come to the polling place. One of our/my...

April 21, 2018 1:47 PM

Denton Scratch on Securing Elections:

So the way I read the article (and I think all the comments I've seen), it feels that the discussion seems to be about the technical problem of constructing a trustworthy voting system.

Well: I think that's all well and good, IFF you have an informed voting populace. If you don't, then voting doesn't mean much, and the design of the voting system is a distraction.

April 21, 2018 1:05 PM

Sancho_P on Securing Elections:

@Heck

Small correction: It is a mess. [- not only in “this” country]

So what you say is:
We can not trust the thugs, be it left, right, red, black, green, yellow, …
They’d sell and exploit the personal voting results for their own benefit against us,
the society:
Because we always vote for lobbied thugs.

And this is exactly why election security isn’t really important:
Uncontrolled capitalism has won the elections years ago.
Perfect voting machines / systems, even anonymity, won’t change that.

April 21, 2018 12:26 PM

Alyer Babtu on Securing Elections:

The wily ballot tamperer will of course see that the preferred outcome is obtained with the minimal biasing needed, so that the result is plausible. Can the audit methods detect this, are they sensitive enough? And the tamperers would also avoid certain districts and focus on others, perhaps playing a long game.

April 21, 2018 12:04 PM

Boofery on Friday Squid Blogging: Squid Prices Rise as Catch Decreases:

Since Cloudflare has been in the news with its 1.1.1.1 DNS server I took a look at encrypted DNS. What I discovered was that most people who are using Cloudflare's new service are not encrypting. According to this tweet only 0.04% of users encrypt.

https://twitter.com/grittygrease/status/983058814592266241

The annoying part is trying to verify that one's connection is in fact encrypted. One has to go into Wireshark and inspect packets....

April 21, 2018 11:26 AM

albert on Friday Squid Blogging: Squid Prices Rise as Catch Decreases:

"...By definition, scientists who perform classified research cannot take full advantage of the standard practice of peer review and publication to assure the quality of their work and to disseminate their findings. Instead, military and intelligence agencies tend to provide limited disclosure of classified research to a select, security-cleared audience.

In 2013, the US intelligence community created a new classified journal on cybersecurity called the Journal of Sensitive Cyber Research and Engineering (JSCoRE)...."...

April 21, 2018 11:19 AM

echo on Friday Squid Blogging: Squid Prices Rise as Catch Decreases:

@vas pup

There is more on EU privacy concerns with the UK from the shady billionaire Barclay brother owned Telegraph. (Paywalled in a shoot yourself in the foot way to stop the rest of us being brainwashed by accident.)

Given how wriggly the UK is with regard to European law (and this is just the microscopic areas I am aware of) I'm not surprised the EU doesn't trust the UK!...

April 21, 2018 10:28 AM

CallMeLateForSupper on Friday Squid Blogging: Squid Prices Rise as Catch Decreases:

@Bruce
Maybe they are fishing only in traditional/convenient locations? ISTR a report w/i the past several months of a squid species being found north of Britain, whereas it had been fished further south heretofore.

We are seeing some species migrate toward the poles. Imagine mosquito swarms in the Arctic. (I am only half-joking.)

April 21, 2018 9:54 AM

echo on Friday Squid Blogging: Squid Prices Rise as Catch Decreases:

Oooh. Before I forget! I thought this was funny. The boss class didn't though.

https://www.independent.co.uk/news/world/americas/us-air-national-guard-woman-oath-dinosaur-puppet-video-robin-brown-tennessee-a8313226.html
Three US Air National Guard members have been disciplined, and one of them fired, for an incident involving a children’s dinosaur puppet.

Master Sergeant Robin Brown, a senior non-commissioned...

April 21, 2018 9:46 AM

echo on Friday Squid Blogging: Squid Prices Rise as Catch Decreases:

There's nothing new in the two articles I'm linking to which isn't already covered by books such as Robert Cialdini's 'Persuasion' and principles contained within the European Convention.

One big annoyance I have really begun increasingly noticing over this past week is there is hardly a pop science or technology article which doesn't lead in some way to somebody trying to sell something or a new business venture they are trying to attract capital to. I have also begun noticing the path a lot of news makes from its original source through to major social media outlets and...

April 21, 2018 8:31 AM

65535 on Lifting a Fingerprint from a Photo:

@ Roger
“fortunately, this wasn't the only evidence on which Elliott Morris was sentenced to eight and half years:” ... had almost £20,000 hidden in bitcoin accounts – the majority of which, Elliott admitted, was gained from his illegal drug sales.”’

On the fingerprint side I agree with some of your points. Long ago the points of match in the States was as low as 7 ~ not very accurate.

On other points I will have to differ:

The 8 years in jail thing.

According to SWP Elliot Morris was convicted and did 8.5 years in jail. SWP said in their cached...

April 21, 2018 7:45 AM

PeaceHead on New Book Coming in September: "Click Here to Kill Everybody":

I like the "CH2KE" title a lot. Also, "internet+" doesn't seem like a non-fitting term.
I look forward to reading the book. Thanks for all your hard work getting these ideas out and down on paper. By the way, I very much liked "Liars & Outliers" from a humanist point of view.

Keep on keepin' on.

April 21, 2018 7:41 AM

echo on Lifting a Fingerprint from a Photo:

@Bauke Jan Douma

In the UK the large discrepancy between white collar and other crime prosecutions was a big media issue at one point for a very brief time before the pressure of news events caused this to be buried and forgotten.

Another issue is disparity in access to state services. Even where access is equal between rich and poor areas studies have been done in the UK which prove an annual drift of 5% (to the best of my memory) away from poor areas towards rich areas within areas under local government control. Of course, this adds up over time and compounds...

April 21, 2018 7:31 AM

echo on Lifting a Fingerprint from a Photo:

@Roger

There is European court case law where the UK government was done over the issue of "tests" and scientific validity which caused things to be reframed as a "heuristic". Nothing actually changed. No "experts" suddenly became more expert. No documentation suddenly appeared out of nowhere. No extra auditable information was produced. History and context, and previous abuses of power mysteriously evaporated which neatly headed off public inquiries and court action for compensation. I cannot help wondering if the issues are connected.

Around this time there were a lot of...

April 21, 2018 6:30 AM

Ratio on Lifting a Fingerprint from a Photo:

I did a double take scrolling past this bit:

So if the probability of error at each step is 1/1000 and you walk through the steps, there is only one of the sixteen modes that is a pass. It has four independent steps in that mode each with the same 1/1000 probability, therefore a one in 1/250 chance of not having failed at some point (ie 1/1000 + 1/1000 + 1/1000 + 1/1000).

That’s nonsense. P(success) = (1 - (1 / 1000))^4.

April 21, 2018 12:54 AM

Roger on Lifting a Fingerprint from a Photo:

There is nothing enormously surprising in this: obviously, if a photograph is of good enough quality then it can be used to form an image of a fingerprint; and once you have that image, the way it was captured has little bearing on the ability to identify it.

However, this part is worrying:

Despite being provided with only a very small section of the fingerprint which was visible in the photograph, the team were able to successfully identify the individual.

Fingerprint matching is not done by sliding digital transparencies over one another, a la...

April 20, 2018 11:15 PM

tyr on Friday Squid Blogging: Eating Firefly Squid:


@ Clive

Pompeo is in NK to mend fences now that they can hit Washington with a nuke.

Some fools have insisted that the Rus and Syrians are going to clean up a chemical attack. Usually people who failed basic chemistry before choosing their current careers. If it was chlorine, that displaces oxygen from ordinary stuff in the area, forming new compounds. Gas diffuses everywhere as it works, so to clean something like that up requires removing everything in the area, which is called major construction...

April 20, 2018 10:28 PM

Seredic Labingi on Friday Squid Blogging: Squid Prices Rise as Catch Decreases:

Tails Linux version: 3.6.2
(and confirmed in some previous versions)
Bridge use in clients exposes more in logs than should:

- Warning Message:

"[warn] Your log may contain sensitive information - you're logging more than "notice". Don't log unless it serves an important reason. Overwrite the log afterwards."

- Source: /var/log/tor/log
- Problem: When using obfs4 bridges, log level is set to a high (probably 'debug') level.
- Solution: properly configure log to the 'notice' level when using obfs4 bridges
- Reproducible?: Yes

April 20, 2018 10:11 PM

Bennett on Securing Elections:

This might be getting a little off topic, into "movie plot threat" territory...

How sure are we that optical media are "write-once"? Historically it was difficult to seek to specific angular positions, but then we got DiscT@2 and LightScribe which try to do exactly this (not likely accurate enough to overwrite bits, but why didn't anyone attack the position-based copy-protection schemes this way?).

There's a lot of redundancy on a disc (CIRC, EFM, and an upper Reed-Solomon layer—it's less than 30% "real" data). Though we can't "un-burn" a bit, we could perhaps burn more to...

April 20, 2018 9:46 PM

V on Securing Elections:

The article doesn't mention mail-in ballots, the one form of voting that is more or less guaranteed to be fraudulent. The person in a household with the largest fists can vote for everyone living there, mail can be intercepted and replaced, bad guys can watch you vote/seal your ballot in the envelope/drop it in a public mailbox, etc, etc.

If you want fair elections try the following:

1) You must be at least this tall to vote -OR- show proof you are at least x years old.
2) You must dip your thumb in the purple dye to vote.
3) Anyone physically present at a...

April 20, 2018 9:00 PM

Alyer Babtu on Securing Elections:

Is there a place here for an application of zero knowledge proofs?

April 20, 2018 7:51 PM

Heck on Securing Elections:

I mean, it's like saying, "why do we need computer security? don't you trust people? you got bigger problems if you can't trust people!"

Yeah, we do have bigger problems: namely, you can NOT trust people. It's as simple as that. Therefore we have to set up systems that work "well enough" even in a world where lots of people will do bad things if they can get away with it scot-free (and sometimes even if they can't get away with it).

That's why computers are so bad, the fundamentals of everything was designed in an era where we forgot about this, and designed...

April 20, 2018 7:15 PM

Clive Robinson on Oblivious DNS:

@ Albert,

Any recommendations for an unbound local resolver for Linux?

It's already there, as historically the way you want to do things was the way it was originally built to work.

Have a look at your local hosts file[1]: all *nix, and (as MS nicked BSD networking) all networkable MS OSes, and for the same reasons Mac OSes, have them.

You also as part of DNS have a local cache on the host machine which in essence is a speed up mechanism as well as to reduce DNS requests.

Simply when you make a network request the OS goes through the...

April 20, 2018 6:56 PM

Heck on Securing Elections:

@Sancho_P
"Why do we need anonymity with democratic voting?"

Because, without anonymity one group of thugs will form that harass people who "vote wrong"... and another group of thugs will form that promise money to people who "vote right"... (because, without anonymity, those groups of thugs can see/verify who everyone voted for) No amount of regulation or even prison sentences can prevent this fully, only removing the ability for it to happen can: i.e. foolproof anonymity! And we know this from history. It's actually happened. Yes, in this country. It was a mess.

April 20, 2018 6:40 PM

PeaceHead (again) on Friday Squid Blogging: Squid Prices Rise as Catch Decreases:

THANK GOODNESS for living life and those who tend to agree with such PEACEFUL sentiments.

As for squids and SQUIDs (super quantum interference devices),...
"..let live and live;live and let live..."
Sure sounds good to me.

I wish I knew how to say, "I cannot be made to eat squid!" in Japanese.
However, for now I can print "Heiwa" with an honest grin (in Kanji, albeit, Chinese).

Sometimes Peace Really Does Prevail Realms of Existence.
Even Peace Hath Her Victories.

:)

April 20, 2018 6:09 PM

Sancho_P on Securing Elections:

Hmm.
I think the main problem with voting is the candidates.
If there is the choice between inept characters still each one remains a bad choice.
I assume all candidates want the very best for the populace and are not stupid.
-> @ the system to get candidates there is the problem!

So my proposal:
Find better candidates and require a 2/3 majority to win.

Btw:
Why do we need anonymity with democratic voting?
Because we can not trust our powers?
That would be a very serious issue.

April 20, 2018 5:32 PM

justina.colmena on Securing Elections:

Those foreign-influenced self-aggrandizing fraternizing ballot-counting thieves in law have banned guns and legalized marijuana.

We gave up our freedoms and our rights for drugs. We ain't gettin' any of that back, ever.

Too bad. Once a free country.

April 20, 2018 4:55 PM

Clive Robinson on FBI Increases Its Anti-Encryption Rhetoric:

@ PeaceHead (again),

Need we really complain about the "good guys" traversing boundaries to do "good stuff"?

Yes we must for several very good reasons.

Firstly you ignore the issue that one person's good is often another person's bad.

Which you then conflate with your use of "firemen" in the same way as "think of the children" or "fluffy kitten videos"; you are in effect making an inverse strawman argument. Lipstick on a pitbull dog is not going to make it any less dangerous (in fact the opposite).

The FBI want you to think of...

April 20, 2018 4:45 PM

Mario Lacroix on Friday Squid Blogging: Squid Prices Rise as Catch Decreases:

APT activities are usually associated with strategic industry attacks. Why are attacks on industry, which cause disruption, fines, and even reduction of commercial activities, not pointed to as part of cyber war too? Disrupting the enemy's finances and commercial operations is as bad as fake news when attacking democracy, right? Any protection against those from the government point of view? RIA? Thoughts on the theme?

April 20, 2018 4:41 PM

echo on Lifting a Fingerprint from a Photo:

@65535

From what I can tell following GCHQ comments after the Cyril Smith scandal GCHQ will not release information to a prosecuting authority unless it is within its remit of "national security". I do not know what the current official (or unofficial) policy of GCHQ is, nor how this may or may not relate to the US-UK agreement with respect to non-"national security" prosecutions.

April 20, 2018 4:37 PM

echo on Lifting a Fingerprint from a Photo:

After I commented the Guardian reported a few hours later that Allied Healthcare had gone bust. This story was a complete coincidence. As this issue is too far off topic I won't comment more.

April 20, 2018 3:35 PM

Hmm on Securing Elections:

Of course the other major consideration is who do we trust to design and vet such an endeavor?

There seems to be no single entity, we'd need a purpose-built coalition. This is the latent problem.

Trust.

April 20, 2018 3:33 PM

Clive Robinson on Lifting a Fingerprint from a Photo:

@ Neil,

e.g. lab tech has a 10e3 chance of putting the wrong label on a test-tube, another one double checks - does that make the result 10e6, 10e5, 10e4 probable?

The problem for many trying to get their heads around it is deciding "what is a dependent and what is an independent trial" (balls in the jar etc) but also how you take more than one probability and get the results to come up right without getting Monty's Goat.

Engineers tend to look at things in ways that make it clearer. They talk of "failure modes" and "their probabilities"....

April 20, 2018 3:18 PM

Hmm on Securing Elections:

@Xavier

That's an interesting thought which kind of ties in with Bruce's main thrust.

If we had an 'election week' in which to cast a physical vote, all of which was a massively audited and observed process with data visible/confirmed in the public milieu, that would seem to solve several problems. Poor people who have to work / traveling people / infirm / caregivers / military, etc, all would have more flexibility - and the eligible voters would each have a lot less of an excuse for not exercising their duly inherited rights. The 5-12 hour lines we've seen in some...

April 20, 2018 3:01 PM

65535 on Lifting a Fingerprint from a Photo:

@ Clive Robinson

“Most likely that is the UK version of plea bargaining going on in the background.”- Clive R.

Yes, this plea bargaining game comes in very handy in the states for the reason that no actual evidence is presented. The police make an allegation of wrongdoing and hope that the person will cave in to the charge. This avoids the actual facts in front of a jury which may get the case tossed out of court.

“one thing to remember, a phone is an "electronic ball and chain" around your ankle if you don't take the "proper" precautions.”- Clive R....

April 20, 2018 1:33 PM

albert on Oblivious DNS:

@wetsuit,

Noted, but I still like the idea of caching frequently visited web sites. Any recommendations for an unbound local resolver for Linux?

Farming was a dream of mine...a long time ago.

. .. . .. --- ....

April 20, 2018 12:35 PM

Who? on Securing Elections:

As I said lots of times in the last year the right way to alter elections (if there is a use for the word "right" in this context) is attacking the people not the technology itself. Attacking the voting machines is risky, as soon as the attack is discovered the President changes. Attacking people is safer, as the entire process has been designed to reflect people wishes and it is exactly that, people wishes, what is attacked.

April 20, 2018 12:18 PM

Chris on Securing Elections:

If you accurately choose the winner, then the loser would already be convinced... I would argue that if the loser isn't convinced, then the burden is on the loser to show evidence.

More broadly, the arguments presented here ignore potentially larger issues - does each person eligible to vote vote only once? Is every voter actually eligible? I believe those issues are just as important.

I bring this up because "convincing the loser" is not simply a voting machine issue, or vote tampering issue.

April 20, 2018 12:00 PM

Ratio on Friday Squid Blogging: Eating Firefly Squid:

Re: Salisbury, Douma, conspiracy theories, and disinformation

Russia spread fake news via Twitter bots after Salisbury poisoning – analysis:

Russia used trolls and bots to unleash disinformation on to social media in the wake of the Salisbury poisoning, according to fresh Whitehall analysis. Government sources said experts had uncovered an increase of up to 4,000% in the spread of propaganda from Russia-based accounts since the attack – many of...

April 20, 2018 11:53 AM

Xavier on Securing Elections:

Maybe another issue is the massive number of simultaneous votes in the US.

If I compare to my country (France), for any election day, we vote only on ONE subject each time, and (rarely) 2 (in that case, there are 2 ballot boxes with a color coded scheme for the voting envelopes).

This way, voting machines are not that useful, paper count is relatively easy (and if you have time you can volunteer to help).

There are some voting machines pushed by that industry lobbying, but it's not widely developed.

The US electoral system on the other hand...

April 20, 2018 11:45 AM

Not sure on Securing Elections:

What about vulnerabilities of scanning ballots? Threats from attacks on the OCR software and hardware - eg two independent OCR checks can both be compromised.

Are there robust tests to validate the trustworthiness of OCR validation systems against threats from attacks on the OCR and data processing engines?

April 20, 2018 10:50 AM

echo on Friday Squid Blogging: Eating Firefly Squid:

I'm feeling a bit dim today so you will have to excuse my lack of effort with making a contribution. These last few comments are inspiring reading.

April 20, 2018 10:19 AM

wetsuit on Oblivious DNS:

@albert:

"Why not store the IP addresses on our computers?"

LOL - that's a really big hosts file! There are many more sites than domains, so (according to Netcraft), 200M domains x 100 = 20GB, which is not bad. Would have to be updated smartly, and that'd be the trick.

The general idea is good, and is why I've cached a long run of internet usage into an unbound local resolver. Of course if the first pull was bad, it's still bad.

--- ..--- -... .- ..-. .- .-. -- . .-.

April 20, 2018 9:56 AM

Brian Hankins on Securing Elections:

"A record of every addition, deletion, and change needs to be stored on a separate system, on write-only media like a DVD."

Just a nit -- probably want to store on write ONCE media. Historically, write-only media has proven troublesome as an audit trail. :)

April 20, 2018 9:50 AM

echo on Lifting a Fingerprint from a Photo:

My sense is a lot of the issues are because of "protecting the fortress". Careers and the organisation chart become a higher priority than the citizen.

As far as "rights" in the UK are concerned I was told verbally (i.e. avoiding leaving a potentially career destroying paper trail) by a senior doctor that if "rights" were mentioned that every door will slam.

When the issue of the constitutional dividing line between the state and a citizen came up I was personally bulldozed by a lawyer who, in theory, has professional standards to uphold and was supposed to be...

April 20, 2018 9:28 AM

Matthias on Obscure E-Mail Vulnerability:

I am disappointed that no one seems to take issue with the ability to change an account email without invalidating payment information. For me that is the primary issue with Netflix. Any action that can potentially transfer control of an account to someone else should invalidate payment information.

April 20, 2018 8:51 AM

albert on Lifting a Fingerprint from a Photo:

@Jon fD,
"...One does wonder if plea bargains can be retracted on the grounds that they were extracted under duress. J...."
Not if your attorney allows you to. Plea bargains are a sick joke; a way to boost conviction rates on weak cases.
..
@Anyone,
Clive is spot on re: fingerprints. Worse, fingerprints are now 'checked' by -computers-, not human experts. And -probabilities- are the final arbiter in deciding a match, just as with DNA. The final straw is the amount of time and money spent on prosecuting people for selling marijuana. And don't even get me...


April 20, 2018 8:09 AM

Mike Acker on Securing Elections:

First and Foremost: use a mark-sense paper ballot

Second: AUDIT

after the election select (e.g.) 1% of precincts at random. AUDIT the tally, manually.

if the machine count does not check then the software maker PAYS for a total manual recount.

Product liability is the key to cleaning up the HOT MESS that is commercial electronics today.

April 20, 2018 8:02 AM

FRex on Securing Elections:

The problem is that people so often are willing to argue with security experts or invent issues on this: "it's progress", "it strengthens democracy", "it's convenient", "just use blockchain" (this is increasingly the answer to every problem ever in some circles), "it works perfectly in Estonia", "it takes too long to count paper votes", "who cares how we vote, it's all rigged anyway" (the last one usually spoken by someone from the West who happens to hate the results of the last election in their country).

April 20, 2018 7:22 AM

echo on Lifting a Fingerprint from a Photo:

@Clive

Medical and bureaucratic systems suffer from the same issues you describe (and Bruce describes in his new topic on voting systems). The same patterns are there, as is in some cases outright medical fraud and passing the blame to low level box tickers, or in bureaucratic systems passing the blame to low level officials instead of decision makers where the originating discriminatory lack of governance actually began.

I am aware of one medical "expert" who has been cited as an authority who based his "expertise" on what was at the time a known iffy study. This was used...

April 20, 2018 7:18 AM

Wesley Parish on Friday Squid Blogging: Eating Firefly Squid:

@all re: space war

I put some thought into the issue during the Gypper's Reign. I had concluded that what with the instability of the most advanced US radar systems of the time - you remember the USS Vincennes shooting down an Iranian Air airliner under the impression that a jet airliner climbing to get well above the hostility in the Persian Gulf was actually a jet fighter diving to attack? - the likelihood was that once the US had established their Budgetary Defense Initiative misleadingly advertised as the Strategic Defense Initiative and commonly labeled "Star Wars", the...

April 20, 2018 4:08 AM

Jon (fD) on Lifting a Fingerprint from a Photo:

One does wonder if plea bargains can be retracted on the grounds that they were extracted under duress. J.

April 20, 2018 3:50 AM

Winter on Lifting a Fingerprint from a Photo:

@Clive
"But one thing to remember, a phone is an "electronic ball and chain" around your ankle if you don't take the "proper" precautions."

Just yesterday, the Dutch courts have sentenced a criminal based on decrypted PGP phone messages. No English reports. Here is the Dutch report:
https://www.nrc.nl/nieuws/2018/04/19/veroordeling-noffel-van-groot-belang-voor-justitie-en-politie-a1600105

These criminals were convinced the phones were...

April 20, 2018 3:36 AM

Winter on Lifting a Fingerprint from a Photo:

Why do fingerprints work in forensics?
Because criminals tend to be stupid and good OPSEC is hard.

But all this lamenting on "bad forensics" here seems to gloss over the fact that "good forensics" does not cure bad laws (everything in recreational drugs) and does even less in a broken judicial system (USA, and UK?).

The USA criminal system is broken. No amount of science and good forensics can mend that.

April 20, 2018 3:25 AM

Clive Robinson on Lifting a Fingerprint from a Photo:

@ 65535,

I am not getting a true accounting of the facts from either the BBC or SWP. I smell a bad odor in this pot and “ecstasy” case so to speak.

You noticed the difference in sentencing from just 30 months to 102 months for "possessing with intent to supply"?

Most likely that is the UK version of plea bargaining going on in the background.

In the UK you can get a reduction in sentencing for admitting your involvement but no way that much. But often more for "helping the police with their enquiries". The chances are that 30-month sentence was...

April 20, 2018 2:48 AM

Tordr on Lifting a Fingerprint from a Photo:

For me the most interesting thing is that we now have one more proof of concept for reverse engineering a fingerprint from a photo.
For an attacker we now have the following scenario:
* Find rich/famous person with fingerprint lock.
* Take close up picture of his/her hand as he/she waves at an event.
* Reverse engineer fingerprint.
* Unlock door and install spyware in house/on computer. (Stealing is the easiest, but I think there are more lucrative options now).

April 20, 2018 12:53 AM

65535 on Lifting a Fingerprint from a Photo:

From the police perspective I have a few questions

“The 28-year-old was among nine people who were sentenced today for more than 20 years at Cardiff Crown Court for their involvement in a conspiracy to supply cannabis. Two others, who were found not guilty of being involved in the conspiracy, were sentenced for separate drugs offences.” - South Wales Police [SWP]

Two others were found not guilty… sentenced for a separate drug offense… That is very handy, almost too handy. A little parallel construction going on with this case.

“to forensically link Elliot Morris,...

April 19, 2018 11:34 PM

Security Sam on Lifting a Fingerprint from a Photo:

In the times of Horance and Jasper
Sherlock would know where to look
And would use just pencil and paper
To unveil a print in a blank notebook.

April 19, 2018 8:41 PM

Thoth on Friday Squid Blogging: Eating Firefly Squid:

@Clive Robinson, all

More snake oil abound.

Woleet, a company that claims to provide trusted document signatures, is looking to use cryptocurrency Hardware Wallets to execute digital signatures.

This is a bad idea since almost all Hardware Wallets do not have a secure and reliable time source and thus immediately negates the guarantees of authenticity of any signed document.

Most of the trusted digital signatures are done using a HSM or a Secure Time Server (essentially a HSM without all the PKI and goodies feature lists) that have been certified by FIPS and...

April 19, 2018 8:39 PM

PeaceHead (again) on Lifting a Fingerprint from a Photo:

One quick addition...

If you redefine "photography" in terms of the electromagnetic spectrum, you can get away with all kinds of technical "wizardry". I'd love to see a time-lapse MRI scan of a sculpture or painting to know what the artist was thinking or doing while creating the piece.

!!survive!!

April 19, 2018 8:36 PM

PeaceHead (again) on Lifting a Fingerprint from a Photo:

Thanks for such an interesting and somewhat cheerful bit of forensic depth.
I remember back when fingerprinting was losing its luster because of digital database corruption and/or manipulation concerns. But this recent bit is much less dismal, and nice.

I like the idea reaffirmed that REALITY has a thankfully fussy way of reasserting itself, regardless of the subjective windows (or FFT windows) of various tunnelvisions of resolution.

Law enforcement techniques still have a future. And thus, so does law enforcement.

All Lives Matter
Blue Lives...

April 19, 2018 8:11 PM

Thoth on Oblivious DNS:

@Clive Robinson

RE: Blockchain

It is just a fancy way of saying Merkle Tree and no more. In its most basic form as we know it is what it is and marketing people call it Ledger, Next Gen Trust, Blockchain ...etc... and rightfully, a bunch of scams, spams, junk and nonsense are built on top of that.

I will touch on my latest snake oil hunting expedition in which I just found another probable snake oil trying to mingle in solid security technology just for sales and marketing.

There is a form of Merkle Tree called the Permissioned Ledger which essentially means...

April 19, 2018 7:55 PM

Thoth on Oblivious DNS:

@all

Not exactly part of the topic but is still relevant to the topic, Google has decided to explicitly prevent any sort of "Domain Fronting" techniques that are traditionally relied upon by journalists, dissidents and privacy oriented people as well as bad actors.

Because of the way our network works, we have to use weird methods like "Domain Fronting" to attempt to clean away our transmission traces and it's a cat and mouse game of taking out any proxy services that are responsible for masking traces by using national level bans and via political and economic sanctions...

April 19, 2018 7:50 PM

PeaceHead (again) on DARPA Funding in AI-Assisted Cybersecurity:

One of my personal "nightmares" is a scenario where some kind of AI or AI hybrid system is busy "doing its thing" and it gets "stuck on repeat". Take for example some kind of NDT scanner where a reflected signal is not supposed to cause harm but is radiated at a person or their environment or tools.

In the case of a person-controlled system alone, an "overuse" victim saying, "Hey, would you please turn that signal off, that hurts!" or "It burns, please stop!" or "Hey, those vibrations are making me feel sick, you can turn that off now... please!".

In such a case,...

April 19, 2018 7:24 PM

PeaceHead (again) on FBI Increases Its Anti-Encryption Rhetoric:

Just to keep the firemen metaphor alive...

Firemen can typically get into just about any type of conventional housing/retail/commercial/residential building/house/establishment. That's what they do for a living to save lives. You could call it "backdooring" or whatnot, but whether or not they use a battering ram or a skeleton key, or locksmithing tools or else, is not exactly relevant...

The main idea is that THEY CAN USUALLY GET IN QUICKLY as needed to save lives.
So my rhetorical question remains...

WHERE IS THE _TRUE_ COMPLAINT?

Need we...

April 19, 2018 6:10 PM

kos on Lifting a Fingerprint from a Photo:

We found a high rez (2+ meg) photo of a cannabis bud with some chap's thumb held up next to it for size comparison.
We sent the photo to fingerprints, and they came back with a name. A friend of the guy whose place we had seized the computer from.
Enough for a conviction on its own? No.
Enough for a search warrant? Absolutely.
Did the search warrant find said plump buds? Yep.
I don't know about junk science, but I will take the result. As to whether cannabis should result in law enforcement in the first place? Show me the taxes.

April 19, 2018 5:37 PM

Sancho_P on Oblivious DNS:

@albert

I’m afraid it would be of no real benefit.
To store (most of) the IP addresses (or to run a DNS on your local network) might be relatively easy, but it will not change the following request to connect to the desired service. So your ISP knows exactly at which times and how often you access 66.33.204.254 (schneier.com).

And it will not solve the “first come first serve” issue - If someone replies “in lieu” of 66.33.204.254 and is faster, then you will see their page.
The other, authentic replies will be _silently_ ignored by your computer.

April 19, 2018 5:13 PM

Clive Robinson on Oblivious DNS:

@ Albert,

It appears to me that applying band-aids to an insecure system won't make it secure (and may make it worse), so the system needs to be scrapped.

One of the first design errors of the current DNS with regards to privacy is that it is a "Pull not Push" system. The reason for that choice is that "Pull" is more efficient and timely than Push.

However the implication of Pull is that it has to be not just fast but "low latency" as well, which makes "traffic analysis" way easier... Push however whilst it can work and give low latency information has...

April 19, 2018 5:02 PM

neill on Lifting a Fingerprint from a Photo:

@Clive Robinson

" ... Over the years I've worked out many ways to fool the majority of forensic tests ... "

good work! proves that really nothing is 100%, DNA, facial, fingers, ...

but has anyone ever looked into the math of probabilities?

e.g. lab tech has a 10e3 chance of putting the wrong label on a test-tube, another one double checks - does that make the result 10e6, 10e5, 10e4 probable?

the claim that e.g. DNA proof is 10e9 'unique' always made me laugh - if you look at the whole chain the evidence goes thru, and add up the failings of all...

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.