Recent Comments


Note: new comments may take a few minutes to appear on this page.

June 29, 2017 2:54 PM

Clive Robinson on The Women of Bletchley Park:

From the article,

    Today, the mansion in the heart of the southeast English countryside

Not really; if you look at a map of England, it's a good distance north-north-east of London, on the south side of "the Midlands".

One of the reasons it was picked is that the local railway station was a crossing point in central England where there were trains to both Oxford and Cambridge. That area in general, being fairly rural, was ideal for not just the code breaking but signals intercept and a whole load of other clandestine operations. In some respects it was also about "as far inland" as you could get, and the entire area was essentially flat with good ground conductivity in all directions, which made it desirable for signals work.

June 29, 2017 2:51 PM

Major on Websites Grabbing User-Form Data Before It's Submitted:

@Ross

I don't understand how any of this adds up to "Free Software has failed". I am running my free operating system, with my free programming languages and free apps like the kick ass mathematics system Sage that beats any paid software that I am familiar with hands down, and nothing is failing me. I even get a ton of free cloud processing. I have never been successfully hit by malware. I realize both paid and unpaid software and services might be collecting data on me so I take countermeasures like not putting confidential code on the cloud, encrypting data and monitoring what goes in and out of my network. Any failure seems like a consumer side problem to me...

I think suing people for my ignorance is an inefficient way of addressing... my ignorance. Anybody paying any attention sees web sites responding to their keystrokes, so obviously they are being processed. Anybody paying any attention knows that companies are extracting as much personal data as possible, so it is quite possible that any entry is being stored. Sure, shame companies for being sneaky. Publicize the issues. But a lawsuit? This is unlikely to benefit anyone but lawyers except in the most egregious cases. By the time a suit is resolved the harm is done and the industry has moved on to new tricks.

And what does this have to do with Free Software? Security and privacy issues occur with both free and proprietary software, but free software, being open source, makes the issues easier to find and to fix. And free software makers have less incentive to cheat and trick their users and less ability to hide what they are doing.

In a world with less and less need for employees and more and more people, we better find some way to satisfy needs for free. Telling programmers who are happy to contribute free code to shove it only serves those that want to squeeze the average Joe dry so they can selfishly thrive.

June 29, 2017 2:43 PM

pots or not on Friday Squid Blogging: Injured Giant Squid Video:

@r
@Clive Robinson

A few years ago, or so, Java-based malware on OS X (around the time of Snow Leopard or Mountain Lion) was spreading rapidly in Silicon Valley and elsewhere, IIRC. IIRC, Apple let a contract to Kaspersky regarding this Java malware. I thought it was interesting, at the time and currently, that Apple went with a foreign firm. Perhaps Apple wanted a less biased or constrained analysis than domestic firms could give.

Perhaps this is a relevant link:
https://threatpost.com/apple-fixes-flaws-updates-java-6-os-x-090612/76978/

June 29, 2017 2:19 PM

Slime Mold with Mustard on The Women of Bletchley Park:

If @Bruce had seen the painfully bad television program "Bletchley Circle" he would have avoided the topic altogether.

June 29, 2017 2:11 PM

Clive Robinson on Websites Grabbing User-Form Data Before It's Submitted:

@ Ross Snider,

    This is the ultimate indication that Free Software has failed.

NO, it's a sign that the whole software industry has failed to mature as other markets have done.

You may not be aware of the history of steam boilers in the United Kingdom in the Victorian era, but it's an object lesson in why the software industry has failed.

The important difference is that when Victorian boilers went wrong things became kinetic, and death and injuries were part of that. Whereas most software, when it goes wrong, only kills you a little bit, with the stress hormones hardening your arteries etc.

It was the needless death and destruction from boiler explosions that caused Parliament to act, and regulations were brought in about testing, certifying and maintaining boilers. Boiler making moved from being an artisanal craft skill of blacksmiths to what became engineering, through the application of the scientific method.

In the UK today it is obvious to anyone with eyes to see or ears to listen that the old Victorian turn-a-blind-eye-to-danger attitude has not gone. More than a year ago there were very serious warnings from senior fire officers about the fire safety of cladding being put up on tower blocks; they were totally ignored. Until a few days ago, when a tower block in London went up like a signal fire and many were killed. Only now is it being discovered that of the near 150 tower blocks that have been tested in the past few days, 100% of them fail basic fire safety tests with respect to the cladding. This is being politically portrayed as being unexpected, despite the repeated warnings of experts.

That is, despite many, many warnings, it is only now, after so many deaths, that the profiteers are scrabbling around and actually paying some notice to what they should have at least a decade ago. Worse, the current UK Prime Minister, as Home Office Minister, turned a blind eye to all the warnings and she's pretending it was not on her watch.

The lesson from this is that the only way the software industry will cease to be a bunch of mainly incompetent artisans and actually become real engineers is when a large number of people die in one large headline-grabbing incident. Until then profit and blind eyes will rule the day.

The thing about "Free Software" is that often, but not always, the source is available, directly or indirectly, which is really the Closed -v- Open argument, not the Free -v- Paid argument. The Free -v- Paid generally only comes to light by litigation, where people ask for compensation and discover they have no rights or standing etc.

The software industry needs to change; people need not only to accept responsibility but to be capable of acting responsibly. Few current software coders are capable of acting responsibly because they have neither the training nor the time to do so. Thus it is more of a management issue, and for that to change, senior managers need to start seeing the inside of prison cells for extended periods and have their assets taken away to give compensation. Only then will they behave responsibly and encourage those below them to act responsibly. The downside of course is that many will become unemployed in the process and the fast pace of change will come to a shuddering halt, prior to what will seem like a snail-like pace for years to come.

It's something that needs to happen urgently, but won't till there is a pile of around a hundred corpses with grieving family and friends demanding justice.

June 29, 2017 2:01 PM

Mike Gerwitz on Websites Grabbing User-Form Data Before It's Submitted:

This type of thing was discussed back in 2013 when Facebook was doing research on self-censorship by tracking whether users had typed messages but didn't submit them. But they didn't track the content of the messages:

https://arstechnica.com/business/2013/12/facebook-collects-conducts-research-on-status-updates-you-never-post/

As many other commenters here have expressed concern about: JavaScript programs are just that: programs. Your web browser is downloading and automatically executing untrusted, ephemeral JavaScript without your knowledge or consent. For those looking for more information: I've given two talks touching on this in the past two years at LibrePlanet: one details many of the ways that you can be tracked online (and otherwise have your privacy violated), and another touches on the issue as it relates to software freedom. Slides for the former contain numerous references so you can do your own research. The bibliography is available in BibTeX format. I hope some here will find it useful.

June 29, 2017 1:59 PM

albert on Websites Grabbing User-Form Data Before It's Submitted:

@Bruce,
"...Government needs to step in and regulate businesses down to reasonable practices. Which means government needs to prioritize security over their own surveillance needs...."

I agree, but unfortunately, as bad as it was under the former administration, now 'Government regulation' needs to be moved to my oxymoron list. 'Government' likes the data, but the Corporatocracy makes money with it; it's a win/win for them and a lose/lose for us.

@Others,
I thought that there were -valid security- reasons for avoiding Java, not just abuse by corporations.

"When new technology can be abused, it will be abused, and in the shortest possible time."

Many websites -require- JavaScript to run, like your bank's website. If you run Firefox, you can try 'View, Page Style, No Style'. Old versions of Opera had a single-key Java disable/enable, until they drank the Chromium-aid (why would Google ever want to let users do that?).

Class action suits against offending companies are a good idea, but it takes -laws- to do that. We don't have them yet.

When the corporations and their congressional representatives suffer enough from an insecure system, then things might change.

. .. . .. --- ....

June 29, 2017 1:43 PM

R00KIE on Websites Grabbing User-Form Data Before It's Submitted:

"Government needs to step in and regulate businesses down to reasonable practices. Which means government needs to prioritize security over their own surveillance needs."

This is true, governments should step in but the question is do they want to? Can anyone say with a straight face that their government is not eager to spy more on its citizens and control their lives more? A few vulnerable IoT devices and badly coded websites can be handy in collecting some more information on the populace.

There is also the matter that most of the people in power, and thus approving the new laws, are mostly computer-illiterate; we see examples every day, such as the encryption backdoor law ideas. Do I need to say more?

June 29, 2017 1:41 PM

Freezing_In_Brazil on The FAA Is Arguing for Security by Obscurity:

Being a witness to the EMBRAER efforts to be a key player in the market, I cannot rule out that this is a roadblock thrown in EMBRAER's way. Pure smear campaign in action.

June 29, 2017 1:31 PM

Tatütata on Girl Scouts to Offer Merit Badges in Cybersecurity:

They should be able to recycle and extend old and tested skills, such as first aid:

- Tie network cables into knots to stop data leakage;
- Start fires with Samsung smartphones (and put them out after);
- Make cookies out of AOL CDs;
- Carve USB sticks into whistles.

June 29, 2017 1:21 PM

Clive Robinson on Websites Grabbing User-Form Data Before It's Submitted:

@ CallMeLateForSupper,

    Sears is circling the bankruptcy drain right now.

Which is bad news re personal information.

This has happened before so we should be aware of it but often we are not.

If a company has an internal sales database that it has stuffed with what it considers "internal sales notes" never meant to see the outside world... if they become bankrupt, that database and everything in it becomes "an asset" for the receivers to sell at maximum value for the creditors. Thus your data, and some comments from a sales droid about you that are not complimentary because you got upset when they delivered late etc., become something to be sold endlessly...

It's just one of the reasons I don't do online shopping and prefer to go to a shop and pay cash.

The one time I did try was with Amazon, and they so badly screwed things up that I let people know just how bad they can be... And as they took money they have not returned, I consider them thieves as well.

June 29, 2017 1:00 PM

Ross Snider on Websites Grabbing User-Form Data Before It's Submitted:

This is the ultimate indication that Free Software has failed.

We're asking for regulatory bodies to please constrain what private companies do with secret code. The problems that immediately become apparent are that regulatory bodies do not understand code. They also do not function in a scalable way that can handle large amounts of code review (anyone on this blog should know how long that takes to do).

Calling for a regulatory body to do this is asking for the companies to regulate themselves.

Here's a better (more scalable) idea: open companies up to lawsuit if they break expectations, including of privacy but also of security. When a large body of case law has been established, make certain practices ("dark patterns") illegal and allow the companies and their developers to see fines, revocation of license, and jail time if they break the law (severity, etc accounted for by the justice system and due process).

Mandate that the behavior of systems be inspectable and modifiable by consumers. Allow them to file suit if they feel that they are being mistreated. This isn't some extreme view; it's the foundation of our political system.

June 29, 2017 12:47 PM

CallMeLateForSupper on Websites Grabbing User-Form Data Before It's Submitted:

@TimH

There is a bright side re: your sears[dot]com experience: Sears is circling the bankruptcy drain right now. The closing of tons of Sears stores - my local one among them - was in the news (last week?).

June 29, 2017 12:47 PM

ab praeceptis on Friday Squid Blogging: Injured Giant Squid Video:

Dirk Praet

I dislike all widely used init systems but systemd is clearly the worst of all. The reason I dislike them is that they are a hodgepodge and utterly misunderstood.

What are init systems (the name alone is misleading)? They are de facto the control layer of a system, which makes them highly desirable attack targets. Of course, that didn't seem to be a significant concern in the '70s and '80s. Today, however, init systems are open bleeding wounds.

Unfortunately the safety aspects have rarely been considered, and instead the old mechanisms have been extended in irresponsible and rather massive ways, usually driven by featuritis. Today we even have insane aberrations from the freedesktop people (like dbus) in it or tightly linked to it.
(Side note: an old and very well confirmed rule of mine is "Even an obscenely drunk and half unconscious system developer with seriously evil intentions will not be able to produce code of such abominably bad design and quality as that of GUI developers' everyday work. If he could, the GUI people would print that code and hand it around as an example of unnecessary excellence." In other words, "Don't listen to GUI people and keep a solid distance from their 'code'. As for 'UX' people, shoot them on sight.")

You might have noted it already; I'd better refrain from answering your question and keep a modicum of politeness. Let it suffice when I state that you won't find anything like unixish init systems in any reasonably safe OS.

June 29, 2017 12:41 PM

chris on Websites Grabbing User-Form Data Before It's Submitted:

Some time ago I noticed that the Google Password Estimator transmits every key press to show you a nice red or green bar. This estimator is a widget you can add to your site to improve "security". Maybe it does more good than harm. But I don't like it.

I hope you never entered a password and thought: 'Oh. I use that password already for $importantService. I'd better use BatteryHorseStapleCorrect! So they won't know...'.

June 29, 2017 12:19 PM

Iggy on Websites Grabbing User-Form Data Before It's Submitted:

I, too, am grateful to Bruce for keeping his site friendly, clean and elegant.

I've used NoScript and CCleaner for many years, and while I allow as few scripts as possible, it's not perfect, largely because of me: I sometimes guess which script is OK, and sometimes I say "oh, the heck with it" and allow some I'd rather not in order to get to the content. But now I've received confirmation of something I've suspected has been happening at Amazon for many years, yet another reason I don't do business there anymore and don't miss that pseudo-state at all, and it further validates my less-is-more and fake-ID attitude toward data sharing.

Just because I'm paranoid doesn't mean I'm not being followed.

June 29, 2017 11:22 AM

FXL on Websites Grabbing User-Form Data Before It's Submitted:

I implemented a system like this for a marketing company in 2004. It captured email addresses from shopping cart signup pages regardless of the user hitting the submit button, and followed up with a reminder email if the user had not made the purchase within an hour or so.

I'm surprised people are just noticing this now.

June 29, 2017 11:11 AM

Who? on Friday Squid Blogging: Injured Giant Squid Video:

@ Clive Robinson

    I forgot to mention that O'Reilly appear to be heading down a similar route to journal publishers.

That is sad. Last week I bought eight O'Reilly books at a local bookstore. I had these books on my list for years. I hope Safari will not replace printed books, ever.

June 29, 2017 10:26 AM

pots or not on Is Continuing to Patch Windows XP a Mistake?:

@Clive Robinson
@Rachel
@JonKnowsNothing

In some parts of the USA, it costs about 75 USD per month for an old-fashioned land line.

For a user who can marginally afford it, is it worth keeping that copper twisted-pair landline for things like 56 kb/s modems to the internet, phone service that doesn't require AC or battery backup, etc., since some phone companies tear out the old copper wire when they update to fiber and won't replace copper if you quit fiber? In fact some companies, I believe, have federal approval to stop supporting copper if, for example, they can provide fiber phone service (presumably VoIP) instead.

Regardless, at least one US resident plans to keep the status quo, at least until receiving feedback from SOS bloggers.

The phone company indicated that any complaints about copper, i.e. requested service calls, could force a fiber conversion. That begs the question: if a separate cable provider installs cable and cuts the twisted pair, could I solder the twisted pair back together? Should the cable company know where the twisted pair is outside?

OT: where people are lucky enough to have a choice between fiber and cable, from a security perspective, what are the pros and cons for a home or small business user? For example, a cable modem can be purchased, but fiber might require specialized hardware from the phone company before the customer's router. Legally, might POTS, fiber and coax cable have different protections under federal, state, or local law? In the past I think that eff.org indicated that cable might provide some advantages from a privacy or security perspective under the law.

Thanks in advance

June 29, 2017 10:07 AM

TimH on Websites Grabbing User-Form Data Before It's Submitted:

I was checking out on Sears.com a few days ago and was asked for email address before getting total with shipping. Shipping was prohibitive, so I stopped there, closed the browser. Less than a day later, spam from Sears. Ok, so easy to do the unsubscribe, but the auto-subscribe-to-spam feature was rude, and certainly puts me off buying from them.

On a similar note, I'm amazed how few sites still allow a purchase-as-guest option. Who wants to set up yet another fsking account just to buy something?

June 29, 2017 9:55 AM

Gord Wait on Separating the Paranoid from the Hacked:

"Hello, I am calling from the Google, our security audit has detected that your cyber has been hacked. For a small fee we can help.."

June 29, 2017 9:25 AM

Parabarbarian on Websites Grabbing User-Form Data Before It's Submitted:

Javascript: Extending user friendly surveillance to every corner of the Internet.

Unfortunately, the popular web development platforms rely heavily on JavaScript to make their pages look "pretty", some to the point that a page will not render without it. This trend will only accelerate as HTML5 becomes more pervasive.

Give a programming language the ability to violate your privacy and someone will pay a programmer to use that power.

For the time being, get NoScript and Privacy Badger. Not perfect, but they help.

June 29, 2017 8:52 AM

TS on CIA Exploits Against Wireless Routers:

-> Are you saying the US belongs in the 'evil' countries list?

It certainly hasn't belonged on Santa's "Nice" list anymore in a long while.

June 29, 2017 8:19 AM

Dr. I. Needtob Athe on Websites Grabbing User-Form Data Before It's Submitted:

"But it’s too late. Your email address and phone number have already been sent to a server at “murdoog.com,” which is owned by NaviStone, a company that advertises its ability to unmask anonymous website visitors and figure out their home addresses."

For what it's worth, I've added these lines to my hosts file:

0.0.0.0 murdoog.com
0.0.0.0 www.murdoog.com

Will that help?

June 29, 2017 8:16 AM

mk- on Websites Grabbing User-Form Data Before It's Submitted:

@Scott, well, is it a real-world scenario: users who type in their personal data but then change their mind and don't explicitly submit it? I mean, I wouldn't care about them when building up my database for sending unsolicited emails ;)

June 29, 2017 8:15 AM

Rachel on Websites Grabbing User-Form Data Before It's Submitted:

    Whilst it is annoying, I've stopped visiting most JavaScript-required sites, and somehow I've found I don't miss them.

I keep JavaScript off, but as you say, sometimes it is necessary to use a site and it's impossible without it. As mentioned before, another reason to cheer Bruce for maintaining a most functional, trim site.
The Ethereum article you probably didn't read, courtesy of 'Bloomberg', I suppose a US rag, had one of the more obnoxious examples of JavaScript I've experienced for a while. When moving the mouse to scroll down whilst reading, without warning the page would scroll left and right, obscuring the article one was absorbed in and opening large side panels of unnecessary graphic displays. I wondered if it was possible for Bruce to link us to text-only versions of such articles, but they surely only exist in the one place, anything else being a breach of copyright.

June 29, 2017 8:13 AM

AgentZico on Websites Grabbing User-Form Data Before It's Submitted:

Even though I have used and still use JavaScript, one of the first things I do before surfing on any smart mobile device is to... TURN OFF JAVASCRIPT in browsers. It's like preventing headaches before they come.
Also, it's almost always about one thing with those at the other end of data retrieval...MONEY.
If they don't use it themselves, they sell the data to those who'll use it.

June 29, 2017 8:07 AM

Rachel on Friday Squid Blogging: Injured Giant Squid Video:

@ Clive

    Let me put it another way, I would far sooner trust Kaspersky Labs AV etc. than I would Microsoft's.

thanks Clive, as usual, for your outstanding contributions.
I get your point on the impartiality of Kaspersky - also considered by many to be technically superior in its category of software - but wasn't there something in the Snowden files about Kaspersky being compromised by NSA? i vaguely recall their code was backdoored to not detect IC-bred malware. My memory also seems to indicate it was covert backdoored, not with the will or knowledge of Kaspersky. I could be wrong on the latter.

On a related note, hinted at in the above post, I appreciate your comments about your choice in avoiding AV altogether, described previously.

June 29, 2017 7:52 AM

mk- on Websites Grabbing User-Form Data Before It's Submitted:

There are valid UX reasons for sending data typed by the user before an explicit 'submit' action, e.g. autocomplete. Let's not get paranoid; a lot of data about the user's environment is sent when a user merely hits the enter key in the URL bar. That's how HTTP works.

IMHO we should rather educate people to change their "expectation of what will happen", rather than fight with JavaScript. Possibly we can advise using software that blocks suspicious pages from even being opened (Google's Chrome is doing something like that).

June 29, 2017 7:35 AM

JG4 on Friday Squid Blogging: Injured Giant Squid Video:


http://www.nakedcapitalism.com/2017/06/links-6292017.html
...
Big Brother IS Watching You Watch

Facebook’s Secret Censorship Rules Protect White Men from Hate Speech But Not Black Children ProPublica (Chuck L)

Berkeley Capitulates to Police Militarization and Spying Counterpunch. ChiGal: “And so it goes…”

NSA Appears To Be Seducing Sen. John Cornyn With Personal Tours And One-On-One Meetings Techdirt (Chuck L)

The Age of No Privacy: the Surveillance State Shifts into High Gear Counterpunch. ChiGal: “Maybe mostly known to NC readers but a good catalogue of all the ways we are tracked and makes the point that the surveillance state is a springboard for the police state – and law-abiding or not, everyone in a police state is a target by definition.”

June 29, 2017 7:35 AM

matteo on Websites Grabbing User-Form Data Before It's Submitted:

@Clive Robinson
Same here: if it asks for JavaScript I quit (or I cheat).
For example, eBay said with a big banner in the center "JavaScript needed for this site" and obscured the rest.
You could do nothing.
But I pressed F12, deleted the banner and the site was perfectly working (even search worked).
Now they've removed this antifeature.
But other websites are doing the same.

Anyway, everyone should have NoScript.

June 29, 2017 7:31 AM

matteo on Websites Grabbing User-Form Data Before It's Submitted:

I hate this kind of tracking, and it's pervasive.

@Nick
Or... navigate with NoScript.
Anyway, I sometimes sent fake (but "valid") credit card numbers when spammers emailed me to steal info. In this way they have to filter out invalid from valid, but it can't be automated.

June 29, 2017 7:29 AM

Bod Dylan's Beanie Cap on Websites Grabbing User-Form Data Before It's Submitted:

I know at least one website that is rumored to do this and justifies it on the basis that they use it to catch trolls and other people who violate their TOS using multiple identities. I don't know that this justification makes it ethically any better but I do think it is important to realize that this practice isn't always about the ability to monetize data.

June 29, 2017 7:27 AM

Clive Robinson on Websites Grabbing User-Form Data Before It's Submitted:

As I mentioned the other day about having JavaScript disabled, the final nail in the JavaScript coffin as far as I was concerned was Google's auto-complete.

Other people really should think about turning JavaScript off; when you do, quite often you get "dynamic advert free" browsing and less chance of contracting a nasty dose of malware.

However, the pariahs that the marketing industry are have got alarmed at how their business model gets nuked by turning off JavaScript. So they now arrange with site owners not to send the content you are interested in if you have JavaScript disabled. Whilst it is annoying, I've stopped visiting most JavaScript-required sites, and somehow I've found I don't miss them.

June 29, 2017 7:15 AM

Clive Robinson on Friday Squid Blogging: Injured Giant Squid Video:

@ r,

With regards to the FBI, Kaspersky Labs and Democratic Senator Jeanne Shaheen's anti-Kaspersky amendment to the Spending Bill, it's really a load more of the same old same old on the face of it.

However if you think back in December last year, according to the Russian newspaper Kommersant, Ruslan Stoyanov, the head of Kaspersky Lab's Computer Incidents Investigations Unit, was arrested on Treason charges, along with Sergei Mikhailov, a division head of the Russian intelligence service FSB.

And this year there has been a management shuffle, with FSB operatives allegedly moved in.

This has kind of set the stage for a 1950's style "OMG there's Reds under the lab" type moment. Thus now we get the "anti-American" response.

The fact is that I suspect that the real reason is a little closer to home. Kaspersky are not just independent business wise from the Russian Government, they are also independent of US Government IC entities as well, and appear to have shown no fear or favour when it comes to finding and neutralizing malware, much of it cyber-crime related, but IC entity related stuff as well.

Thus Kaspersky Labs are not liked by the US or Russia for their activities.

What does not help is the partisan behaviour of the FBI over the "Russia Inside" political mantra. The Russians are doing far less spying and political manipulation on the US than the US has done and is doing on Russia. It's probably a point Putin will bring up with Trump if and when they next formally meet.

The thing is, the US political establishment are following the Orwell playbook, and thus have decided the US needs an enemy to scare US citizens with. The enemy needs to be such that there can be witch hunts to get rid of home political opponents and the like.

Let me put it another way, I would far sooner trust Kaspersky Labs AV etc. than I would Microsoft's... Not that I'm going to start using either of them, for technical reasons.

Oh, I would also expect similar amendments in the future with European and Far Eastern products. This is basically economic warfare: US corps have lost, and expect to lose further, business to non-US competitors thanks to Ed Snowden and WikiLeaks. US products are looked on by many outside the US as having been produced by wet lepers and thus shunned, with other countries' products given more favour. One way to fight back is the old FUD game where things are not stated but implied, and politicos act on it on cue.

It will be interesting to see what the rest of the world does. After all, it was not long ago that the US blocked the use of two Chinese telco companies' products. Other Five-Eyes nations carried on using the two companies' products, and one company set up a special facility in the UK to work with the UK Gov on issues and concerns they might have. I can see Kaspersky setting up similar arrangements in the near future.

June 29, 2017 6:03 AM

Rachel on Is Continuing to Patch Windows XP a Mistake?:

@ Clive
@ JonKnowsNothing

We have a rotary phone or three on hand all the time. Living in the country, at the very end of the supply line that happens to be old, power goes out not infrequently, sometimes for several days. Or lightning strikes will blow up anything plugged in, so we've gone through countless electricity-reliant phones. As Clive noted, a rotary phone will still work without electricity. The line is often clearer also, less interference. I recommend everyone have a rotary phone in the house just in case.

June 29, 2017 4:41 AM

Clive Robinson on Is Continuing to Patch Windows XP a Mistake?:

@ JonKnowsNothing,

    While I might wish for the same thing but... have you tried to use a rotary phone recently?

Yes and it still works ;-)

There are some "entities" that have a requirement to use them. In part because of their reliability under certain extreme conditions[1], and in part because no other phone type has been certified for use (and may never be now)[2].

Part of the issue is "legacy systems": the cost of the copper wire is way less than the cost of installing it and in some cases certifying it. Thus there is a huge investment in existing systems, and replacing them with a like-for-like system using new protocols / standards is going to be way too expensive. Hence they hang around like the ghost at the banquet.

However, some newer installations are actually looking to replace traditional 2 / 4 / 6 wire baseband phone wiring systems with "leaky feeder" RF systems, as this gives much greater expansion capabilities both currently and in the future (thus keeping the installation investment longer). Thus low power VHF/UHF PMR, WiFi, GSM and other services all use the same cable with minimal problems. Thus existing intrinsically safe (Ex-i) radio systems can be used along with newer systems, without requiring "re-wiring" and certification.

[1] Military field telephones and any network where EMP from nukes or solar flares etc, or where the infrastructure may lose power. So you will find them also in critical infrastructure such as water and energy supply in "Engineering Order Wire" circuits.

[2] You will find both Ex-D and Ex-I phones in "safety critical" areas in Industrial Control Systems, Petro-chem, mines, gas/oil platforms and the like; usually these have "low voltage" ring circuits, some systems work below three volts. Part of the problem is that modern surface mount components can not meet the "physical" isolation distances of 0.5mm between tracks on a PCB. Whilst there are ways around this it's expensive to get through certification. One way around is Ex-E encapsulation, but as nearly all existing wiring is for a different method, you have a very limited market to sell new into...

June 29, 2017 4:06 AM

Wael on Separating the Paranoid from the Hacked:

What's good for goose is good for gander (blockchain). Forking the previous list...

  1. If you get hit with a stone in the chest and look behind you to see who threw it at ya... Yoooou might be paranoid
  2. If you have a set of salad bowls and they're labeled "shielding"... Yoooou might be paranoid
  3. If your tinfoil hat is made out of depleted uranium... Yoooou might be paranoid
  4. If you're in court, and the judge asks you to present an ID, and you give her an encrypted biological fingerprint encoded as a QR code on self-destructive paper, HMAC'ed with a one-time pad shared secret key that you don't share (nor remember) and another paper with an OAuth 2.0 token.. Yoooou might be paranoid
  5. If you show up to CISO job position interview wearing your favorite straitjacket... Yoooou might be paranoid
  6. If they hire you... they might be paranoid
  7. If you're alone in your secret underground bunker inside an air-gapped shielded room and you look behind you to see who's shoulder-surfing... Yoooou might be paranoid
  8. If your boss says you're his right hand man, and you check not only that he is not left-handed, but that he really isn't a she... Yoooou might be paranoid

Built on Jeff Foxworthy's you might be a redneck...

June 29, 2017 3:43 AM

Dirk Praet on Friday Squid Blogging: Injured Giant Squid Video:

@ ab praeceptis, @ Clive Robinson, @ Thoth, @ Wael

I'm not even mildly surprised. I'm taking systemd to be a "build funny disasters!" toolkit and it matches linus' makeshift OS quite well.

Systemd started out as a good idea, but somehow along the way turned into a bit of an abomination. Any informed opinions about OpenRC, as found in TrueOS and a number of Linux distributions like Gentoo ?

Now hackers can get really personal and physical if they gain access to IoT enabled sex toys.

I just for the life of me can't imagine why anyone with even half a brain would purchase IoT-enabled sex toys, unless for framing someone else.

June 29, 2017 3:30 AM

Dirk Praet on CIA Exploits Against Wireless Routers:

@ Pete

Basically, you are stuck building your own router with an OS that is constantly patched and being worked on. Probably running a minimal Linux or FreeBSD variant.

Indeed. It's not the first time we see an entire list of hopelessly compromised home routers. Even a really old dual NIC PC or laptop can easily be turned into a (FreeBSD based) pfSense router/firewall. Recommended for home users and SMBs. Power users may prefer a home-brew OpenBSD router, for which there are excellent guidelines available if you do a short search for them.

@ B

All nation states engage in this type of behavior so I am not sure what the point of the disclosure is - should we be shocked that the US is pretty good at this stuff?

The point is that we are living in an age of mass surveillance targeting world and dog, not just parties of "legitimate" interest. While there is nothing shocking about this disclosure, these leaks are a most welcome heads-up for defenders everywhere, especially to those for whom the NSA and the CIA are nothing but criminal foreign spying agencies.

June 29, 2017 3:19 AM

Wael on Friday Squid Blogging: Injured Giant Squid Video:

@Clive Robinson,

This begs all sorts of questions about the security of the interface to these toys...

Which is worse from a security/safety perspective: a digital virus or a biological one? Were these toys available in 2009 (not that you would intimately know)? Poor David Carradine didn't know what hit him! And they called it auto-erotic asphyxiation. Somehow I'm questioning the meaning of the "auto" part. Seems it refers to auto firmware update :)

PS: would a USB condom help to practice safe hex? Ooooh... uuuuh... zzzzzzap.

June 29, 2017 2:42 AM

Jan on The FAA Is Arguing for Security by Obscurity:

Related to this topic.... what do you guys think of datalink (CPDLC) via internet ?

I mean, sending ATC clearances via https connection to a 'mobile' device in the cockpit, as an add-on for voice comms...

This mobile device could be a tablet / smart-phone ... E-flight bag ... not connected to the Avionics of course...

Surely, the airframe needs to be equipped with broadband internet... but that will become mainstream on request of the PAX in the near future ...

Interesting to get some thoughts / comments...


June 29, 2017 1:37 AM

Thoth on Friday Squid Blogging: Injured Giant Squid Video:

@Clive Robinson

Now hackers can get really personal and physical if they gain access to IoT enabled sex toys. I really wonder when will there ever be a defined limit as to the circumstances they will stop integrating IoT. Toilet bowls, dish washers, fridge, rice cookers, light bulbs, doors are all IoT enabled and now even sex toys.

June 29, 2017 12:53 AM

Clive Robinson on Friday Squid Blogging: Injured Giant Squid Video:

@ Bruce, and the usual suspects,

This Guardian article on the scientific paper publishing business may be of interest,

https://www.theguardian.com/science/2017/jun/27/profitable-business-scientific-publishing-bad-for-science

What the article does not mention is another trick publishers are doing. They are finding bubbling up scientists and publishing their work in book form. The scientist is lucky to get even the basic payment per volume sold. The publishers however only print a few hundred at most, that are only ever sold to University libraries for eye watering prices. The last estimate I saw was that each of their sales and marketing droids was pulling in excess of 2 million USD each year.

To say "Scientific Publishing" is a racket is an understatement, and for all Elsevier's complaints about Sci-Hub their profits keep rising faster than inflation year on year.

June 28, 2017 10:46 PM

JonKnowsNothing on Is Continuing to Patch Windows XP a Mistake?:

@Richard

Given the situation, Microsoft should either continue to patch XP, or create a 'lite' Windows 10 variant that will run on XP level hardware - and provide existing XP users with a FREE upgrade path.

While I might wish for the same thing but... have you tried to use a rotary phone recently?

There are some things that are not upgradeable.

Not long ago, I asked my ISP (ATT ahem ahem ahem) if I could just have PHONE service with NO INTERNET service?

My thinking was I would just hang out with the ubiquitous data tracker/warhead delivery device with built-in easily manipulated evidence producers for pre-crimes and pre-thought-crime convictions that I carry with me. Who needs wires when you can be convicted much more easily with a wireless one.

SURPRISE! The answer is NO. I can no longer have just a PHONE. I can drop the PHONE and go INTERNET only but if I want a PHONE and MUST HAVE the INTERNET + PHONE combo package. There is no PHONE ONLY option anymore.

So.. why is there "Telephone" still in the name ATT? I dunno but they don't really offer it anymore. Just Fake Fone Service (voip).

There are some things that worked and worked well. Most of them are No Longer In Service.

So, if you want to use a rotary phone, you might have to move "elsewhere". If M$ and Others want to kill off old tech they are going to have to block it another way. You cannot block what isn't on the internet but if it is then companies do what they are doing: forcing upgrades that do not work, to force people to buy new stuff in desperation.

Perhaps PETYA-NOT is the answer.


June 28, 2017 10:22 PM

John Falck on Amazon Patents Measures to Prevent In-Store Comparison Shopping:

I think the prior comment by Mr. D'Oliveiro likely hits the point. The patent, like other forms of intellectual property, both gives you the exclusive right to do something, and prevents others from doing it in the same way unless you license that authority to them. By owning patents on methods to prevent in-store price checking, Amazon can file suit and prevent others from implementing that same approach, thereby allowing people to do in-store price checks (ideally comparing prices on Amazon, from Amazon's perspective). Rather than repressing price checking, Amazon most likely wants to protect it. Clever, if that is the strategy.


    Lawrence D’Oliveiro • June 23, 2017 6:39 PM
    Remember that patents aren’t about giving anybody the ability to do something, but about giving the patent-holder the ability to prevent them doing it.

June 28, 2017 6:55 PM

TJ on Article on the DAO Ethereum Hack:

Even in Bitcoin and Zcash stuff like this happens with service providers all the time; those are the two best designed and developed systems. There is no PCI with crypto currency service providers..

Once you go in to these fly by night pre-mined alt-coin projects it's just a free for all, though..

Bloomberg was nice and helped them market their alt-coin by describing it as a revolution even though these are started up every six-months mostly by questionable investors and bottom-dollar-developers..

People will forget this happened in a matter of weeks.. It's not the first big "heist" like this in the crypto currency community..

June 28, 2017 6:42 PM

CarpetCat on CIA Exploits Against Wireless Routers:

If only USA Americans have brick house, and:
Rest of world lives in wood house, then:
Why does CIA have brickblasting tools?

Once again, I repeat, repeat, Hacking all those Internet of Things Refrigerators in the middle eastern sand?

June 28, 2017 4:33 PM

Chris Zweber on Girl Scouts to Offer Merit Badges in Cybersecurity:

@Fat Bastard

19. The Surprise President: Hack the student body election results to make the class stoner student council president
20. The Instaqueen: Compromise the Instagram accounts of the starting quarterback and like all of your own photos

June 28, 2017 4:24 PM

undercoverSam on Someone Is Learning How to Take Down the Internet:

Having worked around hackers and phreakers, I have to say Bruce was on target with this blog post and as far as what's next for the internet, hackers will not stop and if you stop them for now it IS "for now". They "find ways" and tech is too vulnerable and it can't be fixed for good 100%. Sorry but there's more to come.

June 28, 2017 3:59 PM

DM on Article on the DAO Ethereum Hack:

A paragraph in the article that immediately jumped out at me was where he mentions using a lower case "t" instead of "T" in Line 666. That would have prevented the hack.

If your computer language is so picky about simple character case causing massive semantic shifts in the logic, then I'd argue for going back to the 1980's with all UPPER CASE (or case indifferent) languages. Lisp anyone? Sheesh!

June 28, 2017 3:18 PM

Milo M. on Separating the Paranoid from the Hacked:

The victim in the BBC story is publishing a book:

https://www.linkedin.com/in/gary-berman-8aa36475

http://www.stalkingonair.com/

"Finally, I had to shut down my computer and began searching for the local FBI office. After an intake interview, two agents came to my home and I shared some of the initial documentation. While they were literally watching over my shoulder, a giant cursor appeared on my computer screen and deleted several files. They didn’t believe their OWN eyes and cited 'insufficient evidence to open a case'."

June 28, 2017 2:31 PM

ab praeceptis on Friday Squid Blogging: Injured Giant Squid Video:

Clive Robinson, Thoth

I'm not even mildly surprised. I'm taking systemd to be a "build funny disasters!" toolkit and it matches linus' makeshift OS quite well.

But it goes further than that. Example: devuan. At first glance a smart approach. "fork debian and create a debian without systemd". The problem, though, is that there is a *reason* both for the systemd plague having been "designed" and for having been accepted into major linux distros.

That reason is a mix of "don't waste time designing anything. Just hack away!", plain stupidity, utterly mistaken democratic ideas, and large corps as well as intelligence agencies being *deeply* involved (plus, of course, the blown up ego and merciless cluelessness of a mediocre self-declared wunderkind).

Just another reason for me to amusedly giggle when reading smart advice like "Don't use windows, use linux instead. linux is secure!".
Not that I'm somehow a fan of windows - I'm most definitely not - but looking closer I see linux reliably get worse and more insecure while microsoft might actually one day come up with a relatively solid OS. They've spent truckloads of money for security research and they have solid experience in how not to do it.

June 28, 2017 2:11 PM

ab praeceptis on Article on the DAO Ethereum Hack:

Thoth

Side note: Some months ago I was approached by a group who had developed a blockchain currency, that was supported and already in limited use by a rather big Japanese bank. They wanted me to look at their stuff and to examine its safety and security and to make suggestions on how to repair any eventual weaknesses.

Result: After a relatively brief look I declined and told them that their whole design (and implementation) is so f*cked up that a detailed examination, let alone "minor repairs" didn't make any sense.

From what I've seen since then they're doing well and are on their way to become a regional standard.

Thanks, no more questions.

June 28, 2017 2:02 PM

jdgalt on Girl Scouts to Offer Merit Badges in Cybersecurity:

Even five-year-olds need to learn things such as not answering questions from phishing callers, even if they claim to be a relative, landlord, daddy's boss, police, etc., and not accepting and using disks/thumbdrives/other media from unknown sources.

June 28, 2017 1:58 PM

meh on CIA Exploits Against Wireless Routers:

A possible solution to the continual attack on IOT, SoHo devices and network capable appliances in general, may lie in removal of the attack surface. We all know the easiest method is cracking the admin software, like the webgui (http), telnet, ssh, ftp, snmp and so forth.

These things sit on these devices for years, rarely used, cept maybe during initial config. They are rarely part of the device's update cycle. Vendors send out patches to make the product better but overlook the admin tools and the software stacks it's made from. But web guis are a necessity these days, the average user just wants an easy way to config and forget.

And with offboarding (toggle/switch based air gap) the admin tools and other rarely used features, would provide 100% protection, regardless of consumer IT skill, vendor lifespan and default pwds. Products retain their ease of use when needed and secure when not, no longer easy pickings for quick botnet takeovers. Who cares if my IOT runs 2002's bug ridden firmware, the stuff rapid bots exploit is not even connected to the mainboard, cept during that 5/10/15 min period i need to cfg my device.

I just want to hit the toggle switch with a built-in 10 min timer, so I can configure my net-enabled printer/fridge, etc via the webgui, when done the switch breaks (fail to safe spring) the connection and now my IOT is secure. Well least from the low hanging fruit, I know there's tons more vectors to attack from. I offboarded my wifi router, all vendors admin tools are on external storage, which I put into a drawer 10ft away, with no issues. When I need to cfg it, I just reconnect the storage device and web in, cfg and yank the storage device, simple, fast and secure. Would be easy to relocate all my IOT vendor admin tools from the devices to my USB stick and have one item to configure them all. And for vendors to implement this would be trivial.

June 28, 2017 1:49 PM

Fat Bastard on Girl Scouts to Offer Merit Badges in Cybersecurity:

FYI: Here are the names of the badges the girls can earn

1. The Cookie Monster Badge: earned for successfully hacking into 20 strangers' computers running Firefox and turning cookies off surreptitiously.
2. The Thin Mint Badge: earned for enticing twenty people into a honeypot,
3. The Snitcherdoodle Badge: earned for infiltrating any Tor hidden service using a tool from Metasploit
4. The More S'more Badge: earned for infiltrating a Tor hidden service hosting child pornography and deleting all content. (Must have earned The Snitcherdoodle Badge first).
5. The DOS-si-dos Badge: Fending off any Denial Of Service attack of 2000 mb/s or greater
6. The Savanna Smile Badge: Getting your security-related tweet re-tweeted by @TheGrugq
7. The Burnt Brownie Badge: Using any SCADA exploit to compromise a public electrical system
8. The Junior Junior Badge: Finding your first 0-day in any kids toy
9. The Cadette Cabal Badge: Creating a new fake identity from multiple real identities and opening a bank account with it. (must be earned as a group).
10. The Senior Thesis Badge: Sending all e-mail encrypted with PGP for six months
11. The Cute Ambassador: Using steganography to successfully communicate with a Girl Scout in a foreign country.
12. The Plucked Daisy Badge: Meeting Julian Assange in person
13. The Green Machine Badge: Uncovering the real identity of Satoshi Nakamoto
14. The Boys Have Cooties Badge: Infecting 100 computers with ransomware
15. The CIA Badge: Communicating with a boyfriend via the drafts folder of Google email
16. The NSA Badge: Forgetting to delete the draft of the email (must have earned The CIA Badge first)
17. The Bald Eagle: Using Amazon's Alexa to successfully spy on your parents
18. The Apple: Jailbreaking an iPhone


June 28, 2017 1:30 PM

JG4 on Friday Squid Blogging: Injured Giant Squid Video:


@Bob Paddock

I've commented before on what I termed "projected intent." The drones are scary enough, but that is the tip of the proverbial iceberg. Any machine with motors/actuators/mobility/ability to influence the environment can be repurposed for mayhem. The regulatory framework is light-years behind the criminal possibilities.


June 28, 2017 1:24 PM

Rhys on The FAA Is Arguing for Security by Obscurity:

The issue is "proprietary".

Not 'a' product. Not 'a' category of product. A domain of "proprietary". As a 'rule'.

Criteria and weightings would be unknown and unassailable. Best practice and state of the art will be unknown or speculative.

There is a trade off between the public's interests and the owner/developer's interests. Copyrights, patents, and performance rights are intellectual property protections that are a balance of those interests- public & private.

Equivocating trade secrets (proprietary), obscurity, and secrecy are what is the proposition. Not any individual product. Might as well be talking about the joey-bagga-donuts OS. FAA is to make a rule. Not for any one product alone.

As I previously stated, it is not just the flying public and aircraft manufacturers that have a stake. It's the collateral damage on the ground that is also the public's interest. A much larger stake. By magnitudes.

Not one article here, or supplied to the FAA, addresses more than just cyber security issues. OPSec of the developer is nearly nonexistent in the development process. The sources of code (let alone code inspection) are not, nor were, a consideration. Nor were the libraries and tool set controls. Employee hiring & turnover rates only further erode obscurity. The assessment process, once, was to distill out the impurities that might have entered the development.

The FAA leadership is talking about instantly displacing an entire infrastructure evolved over 70+ years. Rebaseline won't make US competitive. No matter how bucolic the memories of the 1960's might be.

June 28, 2017 1:19 PM

Ross Snider on Girl Scouts to Offer Merit Badges in Cybersecurity:

I sincerely look forward to the day I can look at resumes for pentesting/sysadministration/operations and see Girl Scout experience. Somehow it already seems more credible than "random Cisco certification here".

June 28, 2017 1:01 PM

Cynthia Dame Logan on the lam on CIA Exploits Against Wireless Routers:

Very first comment and subsequent amplifying comments, with the same slogan for dopes to repeat: everybody does it. Why the hair-trigger sensitivity on this issue?

Because this is how CIA targets protected persons for murder, disappearance and torture.

https://ronaldthomaswest.com/2014/11/22/reorganizing-murder-inc/
https://ronaldthomaswest.com/2014/12/20/alfreda-bikowsky-the-definition-of-stupid/

The vise on CIA's nuts just got another quarter-turn with the Chagos case referred to the ICJ. Because Chagos is a key site in the US torture gulag, along with Navy ships at sea, based at Diego Garcia and staffed by CIA torturers in military billets. CIA torture never stopped. CIA pukes in soldier suits just got busted supervising torture of Yemenis.


https://www.apnews.com/4925f7f0fa654853bd6f2f57174179fe/US-interrogates-detainees-in-Yemen-prisons-rife-with-torture

These are not just torture camps, they're death camps, with extrajudicial killing on Condor scales. This is an ongoing CIA crime against humanity - legally, what Nazis do. The world has teed up the command structure for Nuremberg 2.


Who runs it all?

http://www.zeit.de/politik/ausland/2017-06/cia-donald-trump-torture-abu-zubaydah-said/komplettansicht

June 28, 2017 12:20 PM

Ross Snider on CIA Exploits Against Wireless Routers:

@ Dan H

The United States does not have a great human rights record. Not sure if you've looked recently.

But point taken. In great power conflict and geopolitics, these sorts of capabilities are not yet constrained by international law, and therefore are free game for intelligence competition.

This recommends an immediate solution: a series of treaties and international obligations requiring the United States and others to limit these kinds of capabilities, limit their use, fund secure systems technologies for consumers and infrastructure, create definitions and systems to constrain cyberweapons, their use and cyber intelligence operations.

We should develop clauses to prevent foreign intelligence capabilities from being used on domestic populations which could both help outlaw America's mass domestic surveillance programs and obligate other nations to limit their abilities to monitor their own populations.

This way the CIA doesn't get to use these technologies, but neither does the FSB, etc.

June 28, 2017 11:01 AM

Pete on CIA Exploits Against Wireless Routers:

If you care at all about home network security, don't run a home router. The vendors simply don't patch them quickly enough or often enough to be useful.

Quarterly patching just isn't sufficient.
In February, there was a nasty UDP issue found in the Linux kernels prior to 4.8.x, I think. So, if you have a router running anything prior to that, remote access is possible with just a slight amount of skill. The issue was introduced in 2.6.x kernels, so it has been around a long, long, time.

Basically, you are stuck building your own router with an OS that is constantly patched and being worked on. Probably running a minimal Linux or FreeBSD variant.

Patch your router, tonight. If the vendor doesn't have any patches, get an old PC or buy a $150 miniPC and install a minimal debian/ubuntu server, then follow some online instructions to turn it into a router. Your old wifi-router can be the wireless-AP for your network, just don't use it on the edge.

Please.

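One way to put the "build your own router" advice in this comment, and meh's point elsewhere on this page that the admin interfaces are the part worth keeping off the network, into practice: an added example, not code from any commenter or from pfSense/OpenBSD, showing a minimal nftables ruleset for a two-NIC Linux box. The interface names (eth0 as WAN, eth1 as LAN) and the management ports (22, 80, 443) are assumptions for the example.

```shell
#!/bin/sh
# Added example (assumed setup): a Debian-style box with two NICs, WAN on $1,
# LAN on $2. Management (ssh / web UI) is accepted only from the LAN side;
# nothing inbound on the WAN side is accepted except replies to our own
# traffic and rate-limited ping. Output is a complete nftables ruleset.

gen_router_ruleset() {
    wan="$1"; lan="$2"
    cat <<EOF
flush ruleset
table inet router {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # admin interfaces (ssh, web UI) reachable from the LAN only
        iifname "$lan" tcp dport { 22, 80, 443 } accept
        # DNS and DHCP for LAN clients
        iifname "$lan" udp dport { 53, 67 } accept
        iifname "$lan" tcp dport 53 accept
        # rate-limited ping from outside so path diagnostics keep working
        iifname "$wan" icmp type echo-request limit rate 5/second accept
        iifname "$wan" icmpv6 type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN may initiate connections to the WAN; the reverse is never forwarded
        iifname "$lan" oifname "$wan" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" masquerade
    }
}
EOF
}

# Self-check: fail (return 1) if any rule would accept a management port
# arriving on the WAN interface. Run it before loading a hand-edited ruleset.
check_no_wan_mgmt() {
    wan="$1"; lan="$2"
    if gen_router_ruleset "$wan" "$lan" \
        | grep -Eq "iifname \"$wan\".*dport.*(22|80|443)"; then
        return 1
    fi
    return 0
}

# Needs root: enable forwarding and load the ruleset atomically via nft.
apply_router_ruleset() {
    wan="$1"; lan="$2"
    check_no_wan_mgmt "$wan" "$lan" || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_router_ruleset "$wan" "$lan" | nft -f -
}
```

`gen_router_ruleset eth0 eth1` prints the rules for inspection; `apply_router_ruleset eth0 eth1` loads them. Because the old vendor router is then only an access point on the LAN side, its web GUI and telnet/ssh daemons are never reachable from the Internet, which is the attack surface meh's comment is concerned with.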
June 28, 2017 10:27 AM

Bob Paddock on Friday Squid Blogging: Injured Giant Squid Video:

@Clive Robinson to your drone link add:

"I Could Kill You with a Consumer Drone"

"As a former intelligence soldier who now sells drones for a living, I can tell you that this problem is bigger than almost anyone realizes.

Right now, I’m holding a drone that can fly thousands of feet in air in less than 30 seconds, getting it to an altitude where no one could see it. My drone could be up in the air, ready to strike a target before you even had time to blink.

A range extender I’ve added to the antenna allows me to control it up to seven miles away. Or I can click a button to activate a tracking device, ordering my drone to follow a vehicle or person, filming every movement in 4K high-definition video. If it ever loses its radio link to the controller, it can automatically return to its launch location. Except — this drone is not meant to come back. It is not meant to take nice photos of my vacation. It is meant to strike. A small mechanism allows it to carry and drop a 2.5-pound payload ... "

June 28, 2017 10:19 AM

JG4 on CIA Exploits Against Wireless Routers:


The objection is not that the CIA is doing this to people outside the US. That clearly is their jurisdiction. The objection is that the CIA, with the assistance of others, are trampling the 4th amendment inside the US and that their approach puts at risk a large cross-section of global infrastructure. I've probably said before that with appropriate safeguards, some of the surveillance is a good idea. Snowden proved that we are light-years from appropriate safeguards. If mass casualties result from their approach of blocking good security practices, that will be further proof.


June 28, 2017 9:48 AM

JG4 on Friday Squid Blogging: Injured Giant Squid Video:


@tyr

Good point, but artificial intelligence, or something quite similar to AI, perhaps in the flavor of natural language processing, will be able to distill out all of the features from any number of billions of stories. Story features include, but are not limited to, plots, plot twists, characters, character types, settings and themes which constitute a polydimensional topology. Once all of the features of that surface that already have appeared in published stories are fully described, any potential story can be mapped onto that surface to determine novelty and overlap to the existing stock of stories.

The news at NakedCapitalism didn't have a lot of security overlap today, but there were a few gems.


June 28, 2017 9:47 AM

B on CIA Exploits Against Wireless Routers:

If the CIA was not doing this we should fire everyone in the division and hire competent intelligence professionals. All nation states engage in this type of behavior so I am not sure what the point of the disclosure is - should we be shocked that the US is pretty good at this stuff? Shocked that it was disclosed? To me the only shocking thing would be if the CIA was not a leader in this field.

Or, is the point that it is immoral for foreign intelligence agencies to exploit vulnerabilities to carry out their mission (you know, spying)? Or that it is only immoral when the CIA does it but not when MSS or GRU or MI5 or BND or RGB do these exact same things?

Or is it that foreign intelligence is itself immoral, and we should shut down the CIA and encourage all other nations to shutter their foreign intelligence agencies so we can bask in new world order of safety?

June 28, 2017 9:32 AM

fajensen on Separating the Paranoid from the Hacked:

Very strange story!

"Normal people" must have very different computing experiences than I have.

Apparently, they see all robustness, reliability and predictability; I see flaky garbage that barely hangs together and one *better* check those numbers etcetera.

If my wife came to me and complained about strange happenings with her computer and computer-related things, the very last thing I would suspect is that her mind has cracked or she is going senile. I would *immediately* blame everything on her computer malfunctioning, Facebook screwing up, and so on.

June 28, 2017 8:32 AM

e1228 on Article on the DAO Ethereum Hack:

@Judge

If you have a contract (and the code is the contract, as far as Ether goes), and people are allowed to read it and understand it, and people do agree with it, well, everything is good.

Considering that this isn't some kind of consumer relationship (one big co. that has a monopoly or a significant share of the market), so no one is obliged to sign it to receive something just because there is no other way of getting the product...

And considering that it isn't exactly the average Joe that knows how to contract with Ether, so that it can't be argued that "a normal person would be fooled by such clause"...

I think your point is perfect. People want freedom to come and go, people want freedom to use whatever substance they like, to drink and eat whatever they wish... and then, when they sign a contract that says "One can say 'exit!' and then get all the money you've put in the bowl", they begin to complain that the contract was unfair, that's a felony, and so on.

Grow up, people.

June 28, 2017 8:22 AM

CU Anon on CIA Exploits Against Wireless Routers:

DAN H :

    Don't forget when you begin your replies about the "evil" US CIA and NSA that China, Russia, North Korea, Iran, and a host of other countries...

Are you saying the US belongs in the 'evil' countries list?

June 28, 2017 8:10 AM

Thoth on Friday Squid Blogging: Injured Giant Squid Video:

@Clive Robinson

re: Remote Code Exec in systemd on Ubuntu

That will make @ab praeceptis extremely thrilled and overwhelmingly happy to see this news. It yet again proves that Linux is not built for security at all and Linus, calling the GRSec guys out, doesn't know what he is talking about.

June 28, 2017 7:54 AM

Jenny on CIA Exploits Against Wireless Routers:

All these CIA leaks make me wonder if they are deliberate.

The Americans may be concerned about Trump and Russian meddling in their elections, and what better way to make people take security seriously, than leaking the vulnerabilities yourself.

June 28, 2017 6:57 AM

Another Kevin on CIA Exploits Against Wireless Routers:

'Tomato' is an unfortunate code name for one of the exploit packages, when it's also the name of a popular distribution of after-market firmware for the very same routers. At least I presume there's no connection, or else I hacked myself years ago while attempting to achieve better security for my home network!

June 28, 2017 6:55 AM

Clive Robinson on Friday Squid Blogging: Injured Giant Squid Video:

@ The Usual Suspects,

This may raise a wry smile.

It would appear that systemd has a remote execution on Ubuntu...

    An out-of-bounds write was discovered in systemd-resolved when handling specially crafted DNS responses. A remote attacker could potentially exploit this to cause a denial of service (daemon crash) or execute arbitrary code. (CVE-2017-9445)

https://www.ubuntu.com/usn/usn-3341-1/

I'm no fan of systemd and have a special place reserved for it in the netherhells.

June 28, 2017 6:51 AM

Dan H on CIA Exploits Against Wireless Routers:

Don't forget when you begin your replies about the "evil" US CIA and NSA that China, Russia, North Korea, Iran, and a host of other countries, without great human rights records are doing the same thing.

June 28, 2017 6:24 AM

Wesley Parish on The Dangers of Secret Law:

FWVLIW, feedback is a "vital interest" of the living being; this can be illustrated by the quality of life suffered by the victims of Hansen's Disease frequently termed "leprosy", where the feedback of the nervous system is truncated and eventually terminated. My mum told me tales of what happened when that nervous system feedback is truncated - a man whose toes fell off because they became diseased and he could not feel the pain; a child who rolled into a fire while sleeping next to it, and suffered third-degree burns.

What has feedback to do with secret laws?

The habit of referring to case histories is a feedback cycle. Case histories that produced a satisfactory outcome are constantly referred to; case histories which did not, are generally ignored.

Secret law cuts away that feedback cycle: it is secret in all aspects, so it does not pass through the constant referral that all other law is subject to, and thus the constant correction that all other law is subject to.

It can be influenced by other law, but it cannot visibly affect other law.

On the other hand, the habit of not referring to it, overflows to the habit of cross-referencing all available case histories. Learned helplessness, it is termed, and institutionalization is another term, and there are others as well.

In one of the textbooks I read extensively during my initiation into the mysteries of neuropsychology was an experiment I found distasteful: a couple of kittens were placed in a couple of baskets connected by a balance rod on a central fulcrum. One had holes for its feet, so it could move around; the other didn't. One kitten grew up to be a normal vigorous cat; the other was a permanent invalid.

That's what the US executive branch has intended for the US legislative branch.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.