cypherpunks
---------- Forwarded message ----------
From: Bruce Schneier <schneier(a)schneier.com>
Date: Tue, Jan 14, 2014 at 11:52 PM
Subject: CRYPTO-GRAM, January 15, 2014
CRYPTO-GRAM
January 15, 2014
by Bruce Schneier
CTO, Co3 Systems, Inc.
schneier(a)schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-1401.html>. These same essays and
news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively and intelligent
comment section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
How the NSA Threatens National Security
NSA Exploit of the Day
Tor User Identified by FBI
News
Security Risks of Embedded Systems
Schneier News
Schneier News: I've Joined Co3 Systems
Twitter Users: Please Make Sure You're Following the Right Feed
** *** ***** ******* *********** *************
How the NSA Threatens National Security
Secret NSA eavesdropping is still in the news. Details about once
secret programs continue to leak. The Director of National
Intelligence has recently declassified additional information, and the
President's Review Group has just released its report and
recommendations.
With all this going on, it's easy to become inured to the breadth and
depth of the NSA's activities. But through the disclosures, we've
learned an enormous amount about the agency's capabilities, how it is
failing to protect us, and what we need to do to regain security in
the Information Age.
First and foremost, the surveillance state is robust. It is robust
politically, legally, and technically. I can name three different NSA
programs to collect Gmail user data. These programs are based on three
different technical eavesdropping capabilities. They rely on three
different legal authorities. They involve collaborations with three
different companies. And this is just Gmail. The same is true for cell
phone call records, Internet chats, cell-phone location data.
Second, the NSA continues to lie about its capabilities. It hides
behind tortured interpretations of words like "collect,"
"incidentally," "target," and "directed." It cloaks programs in
multiple code names to obscure their full extent and capabilities.
Officials testify that a particular surveillance activity is not done
under one particular program or authority, conveniently omitting that
it is done under some other program or authority.
Third, US government surveillance is not just about the NSA. The
Snowden documents have given us extraordinary details about the NSA's
activities, but we now know that the CIA, NRO, FBI, DEA, and local
police all engage in ubiquitous surveillance using the same sorts of
eavesdropping tools, and that they regularly share information with
each other.
The NSA's collect-everything mentality is largely a hold-over from the
Cold War, when a voyeuristic interest in the Soviet Union was the
norm. Still, it is unclear how effective targeted surveillance against
"enemy" countries really is. Even when we learn actual secrets, as we
did regarding Syria's use of chemical weapons earlier this year, we
often can't do anything with the information.
Ubiquitous surveillance should have died with the fall of Communism,
but it got a new -- and even more dangerous -- life with the
intelligence community's post-9/11 "never again" terrorism mission.
This quixotic goal of preventing something from happening forces us to
try to know everything that does happen. This pushes the NSA to
eavesdrop on online gaming worlds and on every cell phone in the
world. But it's a fool's errand; there are simply too many ways to
communicate.
We have no evidence that any of this surveillance makes us safer. NSA
Director General Keith Alexander responded to these stories in June by
claiming that he disrupted 54 terrorist plots. In October, he revised
that number downward to 13, and then to "one or two." At this point,
the only "plot" prevented was that of a San Diego man sending $8,500
to support a Somali militant group. We have been repeatedly told that
these surveillance programs would have been able to stop 9/11, yet the
NSA didn't detect the Boston bombings -- even though one of the two
terrorists was on the watch list and the other had a sloppy social
media trail. Bulk collection of data and metadata is an ineffective
counterterrorism tool.
Not only is ubiquitous surveillance ineffective, it is extraordinarily
costly. I don't mean just the budgets, which will continue to
skyrocket. Or the diplomatic costs, as country after country learns of
our surveillance programs against their citizens. I'm also talking
about the cost to our society. It breaks so much of what our society
has built. It breaks our political systems, as Congress is unable to
provide any meaningful oversight and citizens are kept in the dark
about what government does. It breaks our legal systems, as laws are
ignored or reinterpreted, and people are unable to challenge
government actions in court. It breaks our commercial systems, as US
computer products and services are no longer trusted worldwide. It
breaks our technical systems, as the very protocols of the Internet
become untrusted. And it breaks our social systems; the loss of
privacy, freedom, and liberty is much more damaging to our society
than the occasional act of random violence.
And finally, these systems are susceptible to abuse. This is not just
a hypothetical problem. Recent history illustrates many episodes where
this information was, or would have been, abused: Hoover and his FBI
spying, McCarthy, Martin Luther King Jr. and the civil rights
movement, anti-war Vietnam protesters, and -- more recently -- the
Occupy movement. Outside the US, there are even more extreme examples.
Building the surveillance state makes it too easy for people and
organizations to slip over the line into abuse.
It's not just domestic abuse we have to worry about; it's the rest of
the world, too. The more we choose to eavesdrop on the Internet and
other communications technologies, the less we are secure from
eavesdropping by others. Our choice isn't between a digital world
where the NSA can eavesdrop and one where the NSA is prevented from
eavesdropping; it's between a digital world that is vulnerable to all
attackers, and one that is secure for all users.
Fixing this problem is going to be hard. We are long past the point
where simple legal interventions can help. The bill in Congress to
limit NSA surveillance won't actually do much to limit NSA
surveillance. Maybe the NSA will figure out an interpretation of the
law that will allow it to do what it wants anyway. Maybe it'll do it
another way, using another justification. Maybe the FBI will do it and
give it a copy. And when asked, it'll lie about it.
NSA-level surveillance is like the Maginot Line was in the years
before World War II: ineffective and wasteful. We need to openly
disclose what surveillance we have been doing, and the known
insecurities that make it possible. We need to work toward security,
even if other countries like China continue to use the Internet as a
giant surveillance platform. We need to build a coalition of
free-world nations dedicated to a secure global Internet, and we need
to continually push back against bad actors -- both state and
non-state -- that work against that goal.
Securing the Internet requires both laws and technology. It requires
Internet technology that secures data wherever it is and however it
travels. It requires broad laws that put security ahead of both
domestic and international surveillance. It requires additional
technology to enforce those laws, and a worldwide enforcement regime
to deal with bad actors. It's not easy, and has all the problems that
other international issues have: nuclear, chemical, and biological
weapon non-proliferation; small arms trafficking; human trafficking;
money laundering; intellectual property. Global information security
and anti-surveillance needs to join those difficult global problems,
so we can start making progress.
The President's Review Group recommendations are largely positive, but
they don't go nearly far enough. We need to recognize that security is
more important than surveillance, and work towards that goal.
This essay previously appeared on TheAtlantic.com.
http://www.theatlantic.com/technology/archive/2014/01/how-the-nsa-threatens…
or http://tinyurl.com/ok4vydn
Newish Snowden revelations:
http://www.nytimes.com/2013/12/21/world/nsa-dragnet-included-allies-aid-gro…
or http://tinyurl.com/or8lz4e
http://www.theguardian.com/uk-news/2013/dec/20/gchq-targeted-aid-agencies-g…
or http://tinyurl.com/pcmqpgm
http://www.spiegel.de/international/world/snowden-documents-show-gchq-targe…
or http://tinyurl.com/oxcv5ko
Recent DNI declassifications:
http://www.theguardian.com/world/2013/dec/21/national-intelligence-bush-era…
or http://tinyurl.com/lxufd23
http://icontherecord.tumblr.com/post/70683717031/dni-announces-the-declassi…
or http://tinyurl.com/mqqu9jg
President's Review Group report:
http://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_repo…
or http://tinyurl.com/lj4azsg
http://www.nytimes.com/2013/12/20/opinion/protecting-citizens-and-their-pri…
or http://tinyurl.com/nfjnrub
The three different GMail collection programs:
http://www.washingtonpost.com/investigations/us-intelligence-mining-data-fr…
or http://tinyurl.com/mm3ttqt
http://www.washingtonpost.com/world/national-security/nsa-collects-millions…
or http://tinyurl.com/kn8ld96
http://www.washingtonpost.com/world/national-security/nsa-infiltrates-links…
or http://tinyurl.com/jwzxh77
Cell-phone location data collection:
http://www.washingtonpost.com/world/national-security/nsa-tracking-cellphon…
or http://tinyurl.com/nu4h5s9
http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/new-documents-…
or http://tinyurl.com/opjhjko
NSA lying:
http://www.theatlantic.com/politics/archive/2013/12/new-evidence-that-the-h…
or http://tinyurl.com/kjyd43o
NSA redefining words:
https://www.eff.org/deeplinks/2013/06/director-national-intelligences-word-…
or http://tinyurl.com/ma7dk5j
http://www.newyorker.com/online/blogs/closeread/2013/12/how-to-tell-when-th…
or http://tinyurl.com/ly4eewu
NSA hiding behind particular programs:
http://www.theatlantic.com/politics/archive/2013/12/how-americans-were-dece…
or http://tinyurl.com/q5mt8j7
All the Snowden documents released so far:
https://www.eff.org/nsa-spying/nsadocs
https://www.aclu.org/nsa-documents-released-public-june-2013
http://cryptome.org/2013/11/snowden-tally.htm
http://www.mindmeister.com/326632176/nsa-css
http://www.tedgioia.com/nsa_facts.html
Other law-enforcement organizations that engage in national surveillance:
http://online.wsj.com/news/article_email/SB10001424052702303559504579198370…
or http://tinyurl.com/q434yn7
http://arstechnica.com/tech-policy/2013/12/new-us-spy-satellite-features-wo…
or http://tinyurl.com/no7yzbx
http://www.foreignpolicy.com/articles/2013/11/21/the_obscure_fbi_team_that_…
or http://tinyurl.com/mozzoyp
http://www.nytimes.com/2013/09/02/us/drug-agents-use-vast-phone-trove-eclip…
or http://tinyurl.com/k2qd45z
http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data-spying-…
or http://tinyurl.com/mxdftt8
Sharing of intelligence information between organizations:
http://www.reuters.com/article/2013/08/05/us-dea-sod-idUSBRE97409R20130805
or http://tinyurl.com/kbsc4k9
http://www.reuters.com/article/2013/08/07/us-dea-irs-idUSBRE9761AZ20130807
or http://tinyurl.com/modr5rz
The limitations of intelligence:
https://www.schneier.com/blog/archives/2013/09/the_limitations.html
The NSA's Quixotic goal:
https://www.schneier.com/blog/archives/2013/11/dan_geer_explai.html
NSA spying on online gaming worlds:
http://www.nytimes.com/2013/12/10/world/spies-dragnet-reaches-a-playing-fie…
or http://tinyurl.com/mee2ubn
No evidence that NSA bulk surveillance makes us safer:
http://www.theguardian.com/commentisfree/2013/oct/08/nsa-bulk-metadata-surv…
or http://tinyurl.com/pt7v3eb
Alexander's 54 terrorist plots:
http://usnews.nbcnews.com/_news/2013/06/27/19175466-nsa-chief-says-surveill…
or http://tinyurl.com/m2tldhc
Alexander's 13 terrorist plots:
http://www.salon.com/2013/10/02/nsa_director_admits_to_misleading_public_on…
or http://tinyurl.com/m459sa6
Alexander's one remaining plot:
http://www.huffingtonpost.com/2013/10/23/nsa-attacks-thwarted_n_4148811.html
or http://tinyurl.com/mc3ccda
Arguments that NSA surveillance could have stopped 9/11:
http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/30/heres-why-nsa-…
or http://tinyurl.com/myk6s9u
Boston bombers:
http://www.reuters.com/article/2013/04/24/us-usa-explosions-boston-suspect-…
or http://tinyurl.com/kk7vrwb
http://storify.com/MacleansMag/the-social-media-trail-of-tsarnaev-brothers
or http://tinyurl.com/klvz899
NSA surveillance is ineffective:
http://www.cnn.com/2013/12/30/opinion/bergen-nsa-surveillance-september-11/…
or http://tinyurl.com/kjvk3sr
U.S. intelligence budgets:
http://articles.washingtonpost.com/2013-08-29/world/41709796_1_intelligence…
or http://tinyurl.com/ov35q5q
Lack of Congressional oversight:
https://www.youtube.com/watch?v=JPnfgUkcvOk
http://www.theguardian.com/commentisfree/2013/oct/25/nsa-no-congress-oversi…
or http://tinyurl.com/p8ctswu
NSA's lawbreaking:
https://www.aclu.org/national-security/nsa-collating-data-americans-faceboo…
or http://tinyurl.com/mqs3mwf
http://www.theguardian.com/commentisfree/2013/oct/16/nsa-fbi-endrun-weak-ov…
or http://tinyurl.com/kp3t92s
http://www.nationalreview.com/corner/356159/sensenbrenner-nsa-surveillance-…
or http://tinyurl.com/l5deldt
http://www.theatlantic.com/politics/archive/2013/07/mission-creep-when-ever…
or http://tinyurl.com/l2ddac9
Current Congressional bills:
https://www.aclu.org/blog/national-security/usa-freedom-act-real-spying-ref…
or http://tinyurl.com/mzjlyns
https://www.eff.org/deeplinks/2013/11/floor-not-ceiling-supporting-usa-free…
or http://tinyurl.com/mvqew8f
Transparency and oversight:
https://www.schneier.com/essay-447.html
https://www.schneier.com/essay-435.html
Security is more important than surveillance:
http://www.schneier.com/essay-452.html
** *** ***** ******* *********** *************
NSA Exploit of the Day
One of the top secret NSA documents published by Der Spiegel is a
50-page catalog of "implants" from the NSA's Tailored Access Group.
Because the individual implants are so varied and we saw so many at
once, most of them were never discussed in the security community.
(Also, the pages were images, which makes them harder to index and
search.) To rectify this, I am publishing an exploit a day on my
blog.
In the blog comments, feel free to discuss how the exploit works, how
we might detect it, how it has probably been improved since the
catalog entry in 2008, and so on.
"DEITYBOUNCE provides software application persistence on Dell
PowerEdge servers by exploiting the motherboard BIOS and utilizing
System Management Mode (SMM) to gain periodic execution while the
Operating System loads."
https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html
"IRONCHEF provides access persistence to target systems by exploiting
the motherboard BIOS and utilizing System Management Mode (SMM) to
communicate with a hardware implant that provides two-way RF
communication." It works on the HP Proliant 380DL G5 server.
https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of_1.html
"FEEDTROUGH is a persistence technique for two software implants,
DNT's BANANAGLEE and CES's ZESTYLEAK used against Juniper Netscreen
firewalls."
https://www.schneier.com/blog/archives/2014/01/feedtrough_nsa.html
"GOURMETTROUGH is a user configurable implant for certain Juniper
firewalls. It persists DNT's BANANAGLEE implant across reboots and OS
upgrades. For some platforms, it supports a minimal implant with
beaconing for OS's unsupported by BANANAGLEE."
https://www.schneier.com/blog/archives/2014/01/gourmettrough_n.html
"The HALLUXWATER Persistence Back Door implant is installed on a
target Huawei Eudemon firewall as a boot ROM upgrade. When the target
reboots, the PBD installer software will find the needed patch points
and install the back door in the inbound packet processing routine."
https://www.schneier.com/blog/archives/2014/01/halluxwater_nsa.html
"JETPLOW is a firmware persistence implant for Cisco PIX Series and
ASA (Adaptive Security Appliance) firewalls. It persists DNT's
BANANAGLEE software implant. JETPLOW also has a persistent back-door
capability."
https://www.schneier.com/blog/archives/2014/01/jetplow_nsa_exp.html
"SOUFFLETROUGH is a BIOS persistence implant for Juniper SSG 500 and
SSG 300 firewalls. It persists DNT's BANANAGLEE software implant.
SOUFFLETROUGH also has an advanced persistent back-door capability."
https://www.schneier.com/blog/archives/2014/01/souffletrough_n.html
"HEADWATER is a Persistent Backdoor (PDB) software implant for
selected Huawei routers. The implant will enable covert functions to
be remotely executed within the router via an Internet connection."
https://www.schneier.com/blog/archives/2014/01/headwater_nsa_e.html
"SCHOOLMONTANA provides persistence for DNT implants. The DNT implant
will survive an upgrade or replacement of the operating system --
including physically replacing the router's compact flash card."
https://www.schneier.com/blog/archives/2014/01/schoolmontana_n.html
A U.S. government employee e-mailed me, asking me not to post these on
my blog. The government has a weird policy that exposed secrets are
still secret, and government employees without clearances are
prohibited from reading the classified paragraphs. I've heard this
before. Basically, before exposure only people with a TOP SECRET
clearance could read these paragraphs. After exposure, only people
without any clearance at all can read these paragraphs. No, it
doesn't make any sense.
** *** ***** ******* *********** *************
Tor User Identified by FBI
Eldo Kim sent an e-mail bomb threat to Harvard so he could skip a
final exam. (It's just a coincidence that I was on the Harvard campus
that day.) Even though he used an anonymous account and Tor, the FBI
identified him. Reading the criminal complaint, it seems that the FBI
got itself a list of Harvard users that accessed the Tor network, and
went through them one by one to find the one who sent the threat.
This is one of the problems of using a rare security tool. The very
thing that gives you plausible deniability also makes you the most
likely suspect. The FBI didn't have to break Tor; they just used
conventional police mechanisms to get Kim to confess.
Tor didn't break; Kim did.
http://usnews.nbcnews.com/_news/2013/12/17/21943608-harvard-student-tried-t…
or http://tinyurl.com/oud3x95
http://www.thecrimson.com/article/2013/12/17/eldo-threats-experts-sentencin…
or http://tinyurl.com/lvok7nm
http://www.wbur.org/2013/12/18/pdf-criminal-complaint-harvard-bomb-threat
or http://tinyurl.com/oe8mrsp
** *** ***** ******* *********** *************
News
This story is about how at least two professional online poker players
had their hotel rooms broken into and their computers infected with
malware. I agree with the conclusion: "So, what's the moral of the
story? If you have a laptop that is used to move large amounts of
money, take good care of it. Lock the keyboard when you step away. Put
it in a safe when you're not around it, and encrypt the disk to
prevent off-line access. Don't surf the web with it (use another
laptop/device for that, they're relatively cheap). This advice is true
whether you're a poker pro using a laptop for gaming or a business
controller in a large company using the computer for wiring a large
amount of funds." Cheap laptops are very cheap, especially if you buy
old models off the remainder tables at big box stores. There's no
reason not to have special purpose machines.
http://www.f-secure.com/weblog/archives/00002647.html
An interesting research paper documents a "honeymoon effect" when it
comes to software and vulnerabilities: attackers are more likely to
find vulnerabilities in older and more familiar code. It's a few
years old, but I haven't seen it before now. The paper is by Sandy
Clark, Stefan Frei, Matt Blaze, and Jonathan Smith: "Familiarity
Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in
Zero-Day Vulnerabilities," Annual Computer Security Applications
Conference 2010.
http://www.acsac.org/2010/openconf/modules/request.php?module=oc_program&ac…
or http://tinyurl.com/kkypwxz
Acoustic cryptanalysis "can extract full 4096-bit RSA decryption keys
from laptop computers (of various models), within an hour, using the
sound generated by the computer during the decryption of some chosen
ciphertexts."
http://www.cs.tau.ac.il/~tromer/acoustic/
Two long blog posts on the NSA. The first is about RSA entering into
a secret agreement with the NSA to make the backdoored DUAL_EC_PRNG
the default random number generator in their BSAFE toolkit. The real
story here is how the NSA has corroded the trust on the Internet.
https://www.schneier.com/blog/archives/2013/12/nsa_spying_who.html
The second is about the NSA Tailored Access Operations (TAO) group and
their capabilities, based on new NSA top secret documents released by
Der Spiegel. Jacob Appelbaum did a great job reporting on this stuff.
https://www.schneier.com/blog/archives/2013/12/more_about_the.html
If you read nothing else from this issue of Crypto-Gram, read those two links.
Here is the list of NSA documents from the Der Spiegel article:
https://www.schneier.com/blog/archives/2014/01/nsa_documents_f.html
Fascinating report from Citizen Lab on the use of malware in the
current Syrian conflict.
https://www.eff.org/document/quantum-surveillance-familiar-actors-and-possi…
or http://tinyurl.com/nx3vtwu
https://www.eff.org/deeplinks/2013/12/social-engineering-and-malware-syria-…
or http://tinyurl.com/my7dd9j
http://www.wired.com/threatlevel/2013/12/syria-report/
Amusing Christmas comic.
http://www.onthefastrack.com/?webcomic1=december-22-2013
"Talking to Vula" is the story of a 1980s secret communications
channel between black South African leaders and others living in exile
in the UK. The system used encrypted text encoded into DTMF "touch
tones" and transmitted from pay phones.
http://www.anc.org.za/show.php?id=4693
Joseph Stiglitz has an excellent essay on the value of trust, and the
lack of it in today's society.
http://opinionator.blogs.nytimes.com/2013/12/21/in-no-one-we-trust/
It has amazed me that the NSA doesn't seem to do any cost/benefit
analyses on any of its surveillance programs. This seems particularly
important for bulk surveillance programs, as they have significant
costs aside from the obvious monetary costs. In this paper, John
Mueller and Mark G. Stewart have done the analysis on one of these
programs. Worth reading.
http://politicalscience.osu.edu/faculty/jmueller/NSAshane3.pdf
Matt Blaze on TAO's methods, pointing out that targeted surveillance
is better than bulk surveillance.
http://www.theguardian.com/commentisfree/2014/jan/06/nsa-tailored-access-op…
or http://tinyurl.com/m8s74no
This is important. As scarily impressive as TAO's implant catalog is,
it's targeted. We can argue about how it should be targeted -- who
counts as a "bad guy" and who doesn't -- but it's much better than the
NSA's collecting cell phone location data on everyone on the planet.
The more we can deny the NSA the ability to do broad wholesale
surveillance on everyone, and force them to do targeted surveillance
on individuals and organizations, the safer we all are.
The failure of privacy notices and consumer choice.
http://firstmonday.org/ojs/index.php/fm/article/view/4838/3802
Interesting story of a 1971 burglary of an FBI office.
http://www.nytimes.com/2014/01/07/us/burglars-who-took-on-fbi-abandon-shado…
or http://tinyurl.com/n62lf4d
http://www.nytimes.com/video/us/100000002635482/stealing-j-edgar-hoovers-se…
or http://tinyurl.com/kqwjuvm
It's also a book:
http://www.amazon.com/The-Burglary-Discovery-Hoovers-Secret/dp/0307962954/
or http://tinyurl.com/mjlt3xm
** *** ***** ******* *********** *************
Security Risks of Embedded Systems
We're at a crisis point now with regard to the security of embedded
systems, where computing is embedded into the hardware itself -- as
with the Internet of Things. These embedded computers are riddled with
vulnerabilities, and there's no good way to patch them.
It's not unlike what happened in the mid-1990s, when the insecurity of
personal computers was reaching crisis levels. Software and operating
systems were riddled with security vulnerabilities, and there was no
good way to patch them. Companies were trying to keep vulnerabilities
secret, and not releasing security updates quickly. And when updates
were released, it was hard -- if not impossible -- to get users to
install them. This has changed over the past twenty years, due to a
combination of full disclosure -- publishing vulnerabilities to force
companies to issue patches quicker -- and automatic updates:
automating the process of installing updates on users' computers. The
results aren't perfect, but they're much better than ever before.
But this time the problem is much worse, because the world is
different: All of these devices are connected to the Internet. The
computers in our routers and modems are much more powerful than the
PCs of the mid-1990s, and the Internet of Things will put computers
into all sorts of consumer devices. The industries producing these
devices are even less capable of fixing the problem than the PC and
software industries were.
If we don't solve this soon, we're in for a security disaster as
hackers figure out that it's easier to hack routers than computers. At
a recent Def Con, a researcher looked at thirty home routers and broke
into half of them -- including some of the most popular and common
brands.
To understand the problem, you need to understand the embedded systems market.
Typically, these systems are powered by specialized computer chips
made by companies such as Broadcom, Qualcomm, and Marvell. These chips
are cheap, and the profit margins slim. Aside from price, the way the
manufacturers differentiate themselves from each other is by features
and bandwidth. They typically put a version of the Linux operating
system onto the chips, as well as a bunch of other open-source and
proprietary components and drivers. They do as little engineering as
possible before shipping, and there's little incentive to update their
"board support package" until absolutely necessary.
The system manufacturers -- usually original device manufacturers
(ODMs) who often don't get their brand name on the finished product --
choose a chip based on price and features, and then build a router,
server, or whatever. They don't do a lot of engineering, either. The
brand-name company on the box may add a user interface and maybe some
new features, make sure everything works, and they're done, too.
The problem with this process is that no one entity has any incentive,
expertise, or even ability to patch the software once it's shipped.
The chip manufacturer is busy shipping the next version of the chip,
and the ODM is busy upgrading its product to work with this next chip.
Maintaining the older chips and products just isn't a priority.
And the software is old, even when the device is new. For example, one
survey of common home routers found that the software components were
four to five years older than the device. The minimum age of the Linux
operating system was four years. The minimum age of the Samba file
system software: six years. They may have had all the security patches
applied, but most likely not. No one has that job. Some of the
components are so old that they're no longer being patched. This
patching is especially important because security vulnerabilities are
found "more easily" as systems age.
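The survey the essay cites measured how far behind the shipped software components were. As an added example (not from the essay or from any real router), the check below takes a device's ship date and a constructed component inventory and reports which components were already years old at ship time and which have since fallen out of upstream support, which is the practical signal that nobody can patch them any more. The component names, versions and dates are illustrative values, not actual release history.

```python
"""Firmware component age check (added example, not from the essay).

Given a device's ship date and an inventory of the software components
baked into its firmware, compute how far behind each component was when
the device shipped and flag the ones whose upstream branch no longer
receives patches.  Every value below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Component:
    name: str
    version: str
    released: date              # release date of the version actually shipped
    eol: Optional[date] = None  # upstream end-of-life for that branch, if known


def age_years(component: Component, device_shipped: date) -> float:
    """Years between the component's release and the device's ship date."""
    return (device_shipped - component.released).days / 365.25


def stale_components(inventory: List[Component], device_shipped: date,
                     max_age_years: float = 2.0) -> List[str]:
    """Names of components older than max_age_years when the device shipped."""
    return [c.name for c in inventory
            if age_years(c, device_shipped) > max_age_years]


def unpatchable_components(inventory: List[Component], today: date) -> List[str]:
    """Names of components whose upstream branch has reached end-of-life."""
    return [c.name for c in inventory if c.eol is not None and c.eol < today]


def report(inventory: List[Component], device_shipped: date,
           today: date) -> Dict[str, dict]:
    """Per-component summary: age at ship time and whether it is still patchable."""
    return {
        c.name: {
            "version": c.version,
            "age_at_ship_years": round(age_years(c, device_shipped), 2),
            "patchable": c.eol is None or c.eol >= today,
        }
        for c in inventory
    }


# Constructed inventory for a hypothetical router shipped in mid-2013.
DEVICE_SHIPPED = date(2013, 6, 1)
INVENTORY = [
    Component("linux-kernel", "2.6.x", date(2009, 6, 9), date(2009, 9, 9)),
    Component("samba", "3.0.x", date(2009, 10, 1), date(2010, 8, 1)),
    Component("busybox", "1.21", date(2013, 1, 21), date(2015, 1, 1)),
    Component("bootloader", "2012.10", date(2012, 10, 15)),
]

if __name__ == "__main__":
    today = date(2014, 1, 15)
    for name, info in report(INVENTORY, DEVICE_SHIPPED, today).items():
        print(f"{name:14} {info['version']:8} age={info['age_at_ship_years']:5.2f}y "
              f"patchable={info['patchable']}")
    print("stale at ship:", stale_components(INVENTORY, DEVICE_SHIPPED))
    print("unpatchable now:", unpatchable_components(INVENTORY, today))
```

The two lists answer different questions: `stale_components` is the "old even when new" measurement, while `unpatchable_components` is the one that matters for an ISP or vendor deciding whether a security update is even possible without replacing the component wholesale.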
To make matters worse, it's often impossible to patch the software or
upgrade the components to the latest version. Often, the complete
source code isn't available. Yes, they'll have the source code to
Linux and any other open-source components. But many of the device
drivers and other components are just "binary blobs" -- no source code
at all. That's the most pernicious part of the problem: No one can
possibly patch code that's just binary.
Even when a patch is possible, it's rarely applied. Users usually have
to manually download and install relevant patches. But since users
never get alerted about security updates, and don't have the expertise
to manually administer these devices, it doesn't happen. Sometimes the
ISPs have the ability to remotely patch routers and modems, but this
is also rare.
The result is hundreds of millions of devices that have been sitting
on the Internet, unpatched and insecure, for the last five to ten
years.
Hackers are starting to notice. The DNS Changer malware attacks home
routers as well as computers. In Brazil, 4.5 million DSL routers were
compromised for purposes of financial fraud. Last month, Symantec
reported on a Linux worm that targets routers, cameras, and other
embedded devices.
This is only the beginning. All it will take is some easy-to-use
hacker tools for the script kiddies to get into the game.
And the Internet of Things will only make this problem worse, as the
Internet -- as well as our homes and bodies -- becomes flooded with
new embedded devices that will be equally poorly maintained and
unpatchable. But routers and modems pose a particular problem, because
they're: (1) between users and the Internet, so turning them off is
increasingly not an option; (2) more powerful and more general in
function than other embedded devices; (3) the one 24/7 computing
device in the house, and are a natural place for lots of new features.
We were here before with personal computers, and we fixed the problem.
But disclosing vulnerabilities in an effort to force vendors to fix
the problem won't work the same way with embedded systems. The last
time, the problem was computers, ones mostly not connected to the
Internet, and slow-spreading viruses. The scale is different today:
more devices, more vulnerability, viruses spreading faster on the
Internet, and less technical expertise on both the vendor and the user
sides. Plus vulnerabilities that are impossible to patch.
Combine full function with lack of updates, add in a pernicious market
dynamic that has inhibited updates and prevented anyone else from
updating, and we have an incipient disaster in front of us. It's just
a matter of when.
We simply have to fix this. We have to put pressure on embedded system
vendors to design their systems better. We need open-source driver
software -- no more binary blobs! -- so third-party vendors and ISPs
can provide security tools and software updates for as long as the
device is in use. We need automatic update mechanisms to ensure they
get installed.
The economic incentives point to large ISPs as the driver for change.
Whether they're to blame or not, the ISPs are the ones who get the
service calls for crashes. They often have to send users new hardware
because it's the only way to update a router or modem, and that can
easily cost a year's worth of profit from that customer. This problem
is only going to get worse, and more expensive. Paying the cost up
front for better embedded systems is much cheaper than paying the
costs of the resultant security disasters.
This essay originally appeared on Wired.com.
http://www.wired.com/opinion/2014/01/theres-no-good-way-to-patch-the-intern…
or http://tinyurl.com/ngoxykw
Security vulnerabilities in routers:
https://www.defcon.org/images/defcon-18/dc-18-presentations/Heffner/DEFCON-…
or http://tinyurl.com/mycykl7
http://www.youtube.com/watch?v=stnJiPBIM6o
Security vulnerabilities of older systems:
http://www.acsac.org/2010/openconf/modules/request.php?module=oc_program&am…
or http://tinyurl.com/l57yph8
Embedded malware:
http://news.cnet.com/8301-10784_3-9970972-7.html
http://nakedsecurity.sophos.com/2012/10/01/hacked-routers-brazil-vb2012/
or http://tinyurl.com/8js9jg2
http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
or http://tinyurl.com/ncwl6rr
http://arstechnica.com/security/2013/11/new-linux-worm-targets-routers-came…
or http://tinyurl.com/mcv73mj
Two essays that debunk the "NSA surveillance could have stopped 9/11" myth:
http://www.cnn.com/2013/12/30/opinion/bergen-nsa-surveillance-september-11/
http://www.newyorker.com/talk/comment/2014/01/13/140113taco_talk_wright
The changing cost of surveillance:
http://ashkansoltani.org/2014/01/09/the-cost-of-surveillance/
http://www.yalelawjournal.org/the-yale-law-journal-pocket-part/constitution…
** *** ***** ******* *********** *************
Schneier News
I left BT at the end of December.
https://www.schneier.com/blog/archives/2013/12/yes_im_leaving.html
Last month, Eben Moglen and I had a conversation about NSA
surveillance. Audio and video are online.
https://www.softwarefreedom.org/events/2013/a_conversation_with_bruce_schne…
or http://tinyurl.com/mganzed
https://www.youtube.com/watch?v=N8Sc6pUR1mA
** *** ***** ******* *********** *************
Schneier News: I've Joined Co3 Systems
For decades, I've said that good security is a combination of
protection, detection, and response. In 1999, when I formed
Counterpane Internet Security, I focused the company on what was then
the nascent area of detection. Since then, there have been many
products and services that focus on detection, and it's a huge part of
the information security industry. Now, it's time for response.
While there are many companies that offer services to aid in incident
response -- mitigation, forensics, recovery, compliance -- there are
no comprehensive products in this area.
Well, almost none. Co3 Systems provides a coordination system for
incident response. I think of it as a social networking site for
incident response, though the company doesn't use this term. The idea
is that the system generates your incident response plan on
installation, and when something happens, automatically executes it.
It collects information about the incident, assigns and tracks tasks,
and logs everything you do. It links you with information you might
need, companies you might want to talk to, and regulations you might
be required to comply with. And it logs everything, so you can
demonstrate that you followed your response plan and thus the law --
or see how and where you fell short.
Years ago, attacks were both less frequent and less serious, and
compliance requirements were more modest. But today, companies get
breached all the time, and regulatory requirements are complicated --
and getting more so all the time. Ad hoc incident response isn't
enough anymore. There are lots of things you need to do when you're
attacked, both to secure your network from the attackers and to secure
your company from litigation.
The problem with any emergency response plan is that you only need it
in an emergency. Emergencies are both complicated and stressful, and
it's easy for things to fall through the cracks. It's critical to
have something -- a system, a checklist, even a person -- that tracks
everything and makes sure that everything that has to get done is.
Co3 Systems is great in an emergency, but of course you really want to
have installed and configured it *before* the emergency.
It will also serve you better if you use it regularly. Co3 Systems is
designed to be valuable for all incident response, both the mundane
and the critical. The system can record and assess everything that
appears abnormal. The incident response plans it generates make it
easy, and the intelligence feeds make it useful. If Co3 Systems is
already in place, when something turns out to be a real incident, it's
easy to escalate it to the next level, and you'll be using tools
you're already familiar with.
Co3 Systems works either from a private cloud or on your network. I
think the cloud makes more sense; you don't want to coordinate
incident response from the network that is under attack. And it's
constantly getting better as more partner companies integrate their
information feeds and best practices. The company has launched some
of these partnerships already, and there are some major names soon to
be announced.
Today I am joining Co3 Systems as its Chief Technology Officer. I've
been on the company's advisory board for about a year, and was an
informal adviser to CEO John Bruce before that. John and I worked
together at Counterpane in the early 2000s, and we both think this is
a natural extension to what we tried to build there. I also know CMO
Ted Julian from his days at @Stake. Together, we're going to build
*the* incident response product.
I'm really excited about this -- and the fact that the company
headquarters are just three T stops inbound to Harvard and the Berkman
Center makes it even more perfect.
http://www.co3sys.com
https://www.co3sys.com/news/news-releases/bruce-schneier-joins-co3-systems-…
or http://tinyurl.com/nzhbsf4
http://www.darkreading.com/attacks-breaches/bruce-schneier-departs-bt-for-s…
or http://tinyurl.com/nyatozb
http://threatpost.com/bruce-schneier-joins-startup-co3-systems/103429
or http://tinyurl.com/puynhos
http://www.networkworld.com/news/2014/010614-schneier-co3-277365.html
or http://tinyurl.com/kd4f4j9
https://www.co3sys.com/blog-post/bruce-schneier-chief-technology-officer
or http://tinyurl.com/kszop9o
https://www.co3sys.com/blog-post/security-legend-bruce-schneier-joins-co3
or http://tinyurl.com/k2u3rnb
https://www.youtube.com/watch?v=c7XMWR1hD9M&sns=tw
http://threatpost.com/bruce-schneier-joins-startup-co3-systems/103429#
or http://tinyurl.com/khs2gdk
** *** ***** ******* *********** *************
Twitter Users: Please Make Sure You're Following the Right Feed
I have an official Twitter feed of my blog; it's @schneierblog.
There's also an unofficial feed at @Bruce_Schneier. I have nothing to
do with that one.
I wouldn't mind the unofficial feed -- if people are reading my blog,
who cares -- except that it isn't working right, and hasn't been for
some time. It publishes some posts weeks late and skips others
entirely. I'm only hoping that this one will show up there.
It's also kind of annoying that @Bruce_Schneier keeps following
people, who think it's me. It's not; I never log in to Twitter and I
don't follow anyone there.
So if you want to read my blog on Twitter, please make sure you're
following @schneierblog. And if you are the person who runs the
@Bruce_Schneier account -- if anyone is even running it anymore --
please e-mail me at the address on my Contact page. I'd rather see it
fixed than shut down, but better for it to be shut down than continue
in its broken state.
@schneierblog:
http://twitter.com/schneierblog/
@Bruce_Schneier:
https://twitter.com/Bruce_Schneier
My contact page:
https://www.schneier.com/contact.html
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address
on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues
are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its
entirety.
CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an
internationally renowned security technologist, called a "security
guru" by The Economist. He is the author of 12 books -- including
"Liars and Outliers: Enabling the Trust Society Needs to Survive" --
as well as hundreds of articles, essays, and academic papers. His
influential newsletter "Crypto-Gram" and his blog "Schneier on
Security" are read by over 250,000 people. He has testified before
Congress, is a frequent guest on television and radio, has served on
several government committees, and is regularly quoted in the press.
Schneier is a fellow at the Berkman Center for Internet and Society at
Harvard Law School, a program fellow at the New America Foundation's
Open Technology Institute, a board member of the Electronic Frontier
Foundation, an Advisory Board Member of the Electronic Privacy
Information Center, and the Chief Technology Officer at Co3 Systems,
Inc. See <http://www.schneier.com>.
16 Jan '14
tracking down the bastards
http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-co…
How it started...
http://sbirsource.com/sbir/awards/39357-computer-virus-electronic-counterme…
http://sbirsource.com/sbir/awards/39376-computervirus-electronic-execution-…
are the companies and folks who got your tax dollars to build equipment at the NSA's
bidding for TAO.. the whole SBIR was facilitated by DARPA is my understanding
sbirsource.com/sbir/awards/16634-computer-virus-electronic-counter-measure-… this was the second award in 1992..
One of The research firm and name supplying these designs?
Software & Electrical Engineering
248 Walnut Street
Willimantic, CT 06226
Mr. Victor Civie
the beginnings of the NSA Tailored Access Operation began here in part
at least the ones der speigel is complaining about.. may have changed nowadays.. but here is the original culprit..
for those doing betting death pools I suggest Mr. Victor Civie and those of his ilk as
one people would pay to nominate
from the description
Sophisticated Virus, Parasite and Resource Management systems are to be constructed to alter or report on the operation of a designated target. Specific systems include the Tape Worm, a low profile smart Parasite featuring comprehensive resource management operations, the Stealth Striker, an ultra low profile targeting virus, the Transport, an ultra low profile utility virus used to transport, load and execute large programs and various surveillance and maintenance systems. Virus/Parasite objectives include securing a stable base, fixing, relocating and reproducing in the target system, the ability to find and infect other systems, alter/record/monitor/recall computer operations, and alter/record/monitor/recall data and output. The effort will also produce a Code miniaturization strategy and apply the principles to the EMC programs. Compact Task Oriented Routines are designed to create code to perform assigned tasks.
another winner of the Phase 1 grant was
Sparta, Inc.
23041 Avenida De La Carlota,, Suite 325
Laguna Hills, CA 92653
Principal Investigator
DOUG PRICE
Re: [cryptography] [Cryptography] Boing Boing pushing an RSA Conference boycott
by coderman 16 Jan '14
On Wed, Jan 15, 2014 at 10:31 AM, John Young <jya(a)pipeline.com> wrote:
> With a $67B security market heading to $87B by 2016 why
> would any security firm settle for RSA piddling racketeering?
> ...
> Not saying the RSA bashers are diverting attention from their
> venality, that would be contrary to industry ethics to hide and
> be hidden, by that I mean journalism and advertising, publicity
> and campaign bribery, donations to computer education and
> conferences, dark web sales to rogues and spies, plagiarism
> and huffy indignation, sabotage and thievery, copyright and
> DMCA takedowns, well, why preach in this smokey chapel to
> the stogie-sucking porkies, don't they pay minimum taxes to
> betray the privacy of ordinary taxpayers who pay the most.
information security as a discipline or specialization should not
exist. that systems, code, protocols, *, are built without "security"
priorities, and without end-user privacy and availability paramount,
is the dereliction of basic duty.
we could try a different approach as complementary: security by self
evident existence.[0]
> FatSec Preacher bellows: Is there any industry more corrupt
> than the fatuous security industry?
>
> FatSec Believers yell back: Nope, and newcomers are flocking in.
>
> And so, the sated toads toddle out to fancy chariots stashing
> drunken investor bedmates, croaking,
>
> "And we bloated firms are getting much fatter on hackers.
> and we pay them shady bitcoins them to boost the flab."
"bloated [.. and] fatter [...] hackers [paid in] shady bitcoins [...]
to boost the flab [and excesses]"
- sounds exactly like DEF CON 21 point in fact!
:P
P.S. i have discovered a chain of black ops infowar payments to JYA as
proxy pressure against corporate players not sufficiently kowtowing
to powers as deemed fit.
the list of disclosures on cryptome.org a persistent store of targeted
retaliation as paid for by covert coin wallets
https://blockchain.info/address/1P11b3Xkgagzex3fYusVcJ3ZTVsNwwnrBZ
when did you begin accepting payments to keep cryptome.org plaintext
without HTTPS support john???
*grin*
best regards,
0. "security by self evident existence"
"""
Red-Team Networks Everywhere!!!
This effort attempts to remedy the pervasive and comprehensive
vulnerability of consumer, industry, and government hardware and
software systems. In order to achieve best effective posture with
maximum haste apply four principles globally:
1) Blanket Legal Invulnerability
Remove all criminal and civil liability for "hacking", computer
trespass, and all related activities performed over data networks;
establish proactive "shield" legislation to protect and encourage
unrestricted security research of any subject on any network. extend
to international agreements for blanket protection in all
jurisdictions.
2) Educational Support Everywhere
Establish lock picking, computing, and hacking curriculum in pre
school through grade school with subsidized access to technical
resources including mobile, tablet, laptop test equipment, grid/cloud
computing on-demand, software defined radios with full
receive/transmit, and gigabit internet service or faster.
3) Collaborative Competitions
Organize a program of blue and red teaming challenges for educational
and public participation at the district, regional, and national level
cultivating expertise and rewarding it with hacking toys, access, and
monies.
4) Privileged Positioning
Direct and unrestricted backbone access to various individuals or
groups who demonstrate competence in either the educational or
competitive realms, in order for them to mount additional attack
strategies against any reach-able target. this access must consist of
both passive taps of backbone traffic as well as injection taps for
raw packet transmission at core rates. this should be available on the
Internet backbone at internet exchanges, private fiber through public
right of way, and core networks of operators of licensed wireless
spectrum.
end result / strong attractor:
Open software and hardware widely in use in
post-privacy-protection-purge future will invert power structure to
defender with near unassailable advantage in "cyber domain". Any
attacker required to compete against the global, collaborative,
massive, iterative-crowd-hardened systems publicly in use.
as of jan 2014 https://peertech.org/rednet
-:=/ kollider_function /=:--
A. Reversing the Panopticon
http://cartome.org/reverse-panopticon.htm
"The reconnaissance capabilities of (San Gimignano's) massive masonry
observation towers, with their intelligence-gathering and defensive
overview of strategic landscape and crucial traffic, had been supplanted by
a more lightweight, mobile structure: a technology of administrative
compartmentalization, classification and policing, underpinned by
technologies of authoritarian inspection, data collection and databanking."
B. [video] MICROWAVE WEAPONRY'S USE ON PEOPLE /via cryptome
https://www.youtube.com/watch?v=aMMEQNnSZIo
-- observation towers --
a. towers of San Gimignano
http://www.contemporarynomad.com/wp-content/uploads/2012/11/san-gimignano.j…
b. cellular towers
https://www.google.com/search?q=cellular+towers&tbm=isch
The ocean's hidden waves show their power / stratification...
http://phys.org/news/2014-01-ocean-hidden-power.html
[q] Their effect on the surface of the ocean is negligible, producing a
rise of just inches that is virtually imperceptible on a turbulent sea. But
internal waves, which are hidden entirely within the ocean, can tower
hundreds of feet, with profound effects on the Earth's climate and on ocean
ecosystems. (...) These waves are potentially "the key mechanism for
transferring heat from the upper ocean to the depths," Peacock says, so the
focus of the research was to determine exactly how the largest of these
waves, as revealed through satellite imagery of the Luzon Strait region,
are generated.[/q]
))(()(( food science ()(())((
<sandwich> though my previous discovery of fried baloney & hummus with
slice of red onion^1 as being strangely equivalent to an eggsalad sandwich
(?!) was as far as it went; though just now realized in a lightly _toasted
7-grain bread, with mayo on one side, then thin sliced hard salami, thin
slice of colby-jack, and other piece of bread, that--
(bread/mayo/salami/cheese/bread)
the sandwich is so minimal and boring, works best with lettuce (arugula!)
and slice of red onion, though without such ingredients, left to ponder on
the delicious crispy thin plain kettle potato chips, and decided to
place them then squish them onto/into the sandwich as a new layer, somewhat
panini flattened to get the chips to become more level...
(bread/mayo/potato-chips/salami/cheese/bread)
and oh my goodness is it a delicious sandwich. so figured to do a search
and found others who have realized likewise, perhaps due to necessity...
Squishing potato chips in your sandwich...anyone else do this?
http://chowhound.chow.com/topics/763996
<?sandwich> testing123... sprintf('onward...
^1: (bread/mayo/fried-baloney/fresh-hummus/red-onion/bread)
Is Your Refrigerator Running? / ~resiliency. via digg
http://modernfarmer.com/2014/01/refrigerator-running/
[q] Refrigeration is the invisible backbone on which the world’s food
supply depends — and given our climate-changed forecast of more extreme
weather events, it may yet prove to be its Achilles’ heel.
Currently, 70 percent of America’s food supply is refrigerated at some
point in its journey from farm to table, and without refrigeration, meat,
chicken, seafood and dairy last just two hours before they’re unsafe to
eat. Perishable fruits and vegetables often have only a day or two at room
temperature before they turn to mush.[/q]
\\----- programming -----//
[book review] Period Piece
The theory and meaning of our own hieroglyphics.
http://www.weeklystandard.com/articles/period-piece_773244.html?nopager=1#
[q] Unlike the interrobang, whose conception, creation, rise, and fall were
all observable within a decade, the @ symbol has been around for centuries
and is now enjoying widespread resurgence thanks to the Internet. While its
exact origins are unknown, the earliest recorded use of the @ symbol is in
a letter sent from Seville to Rome, dated May 4, 1536. [/q]
octothorpe = #
pilcrow mark = ¶
interrobang = ‽
manicule = ☞
diple = ‹
guillemets = « »
ligatures e.g. = æ
dagger = †
amphora = @
>>> cartoon <<<
http://www.gapingvoid.com/when%20a-listers%20start%20losing%20the%20plot.jpg
http://images.sodahead.com/polls/0/0/1/8/5/8/9/2/5/58451459_now_what.jpeg
:::=====television=====:::
re: POV--> Nobody Needs a New TV Anymore /via digg
http://nymag.com/daily/intelligencer/2014/01/nobody-needs-a-new-tv-anymore.…
[q] Unless the TV industry can find a way to force obsolescence on its old
products — like making new models of devices like the Roku incompatible
with TVs made before 2011 — the appeal of new models will be limited to TV
addicts and people with too much disposable income.[/q]
comments: i think the viewpoint in the above article demonstrates a certain
narrowed conceptualization or myopia even, of technological systems as
being more than the end-use tools that are interfaced with, say on the
screen of a 'smart tv' or its hardware configurations and options. these
are indicators of functionality, though they map into larger, extended
systems - infrastructures, and various industries and buildings that have
been effectively rationalized under an earlier broadcast, then cable model,
now importing 'internet' content such as youtube videos and streaming
movies (redbox, amazon video, etc) as additional layers or services. [note-
still at CRT here, not sure how it functions exactly in these terms.]
what is happening is one way to analyze the situation. what could be
happening- the *potential* for network-based television, is a larger
question and consideration. such a large enigma that Steve Jobs of Apple,
Inc. claimed to have cracked the idea of television open, and realized or
discovered resolution for a future model of television, likely involving
the issue of its content ecosystem in addition to interface.
a missing parameter in referencing [tv] without distinguishing past and
future conceptual differences is that the cathode-ray-tubes of the past and
liquid crystal displays (LCD) of the present HDTVs are of different
parameters of functionality. it is not about connecting a CRT display to
the global network as if 'Internet TV', another channel to tune into via
airwaves. instead it is a television display (LCD) screen that has become a
computer, and thus is more like having a personal computer becoming a
television, though it can also tune into airwaves and network protocols as
its channel spectrum.
so while it is true perhaps that there is a limit to innovation in the
hardware interfaces due to a limit reached in the given model, within
certain constraints -- including content ownership via media conglomerates
based on DRM and copyright restrictions, redistribution rights, and
royalties -- which is basically the entire media industry, from radio to
television to movies to music (and publishing even), this viewpoint is
based on the idea that this situation is fixed in its given functioning and
cannot be surpassed or radically changed, within those parameters.
so part of the larger consideration would be to consider HDTV beyond the
local tool or artifact - the television set - and consider the ecosystem it
functions within and potentially could function within, interface with.
first off: the TV set is recontextualized in the realm of the global
computer network, and thus it is at least in part an issue of an 'internet
television' set as HDTV device, interface, functionality, hardware,
software, programming, content, display.
likely curved screens, touch interfaces, wireless, menus/UI, refresh speed,
resolution, these kinds of parameters have tangible effects on
functionality, ease of use, enjoyment, if the design is effective. though
-what- is accessible is a fundamental issue; and for many, this likely
involves a cultural wasteland of commercial content chock full of
advertisements, where the experience of seamless channel surfing has
become bureaucratized, as IP and broadcast frequencies are different
systems, and content exists in multiple formats in several locations (say
media server, internet services, movie streaming, over-the-air) and thus
begins to be unmanageable at the level of interface, requiring much effort
to access and view content that is not preprogrammed and formatted (a
guess, reading feedback of others)
in that there are multiple systems, formats, menus, issues of having to
type or input data, difficulty in doing so, etc. time, energy, frustration,
when pre-computer TV was simple. basic. and always worked except for
transmission glitches or interruptions. prior to being made obsolete by a
new 'digital standard', making old sets no longer functional in the 'new
system' which turns out to be CHAOS, a difficult to mediate or resolve
cultural question, unless it is not in question- which then only involves
extending the existing model, parameters further. and then it is only about
dollars, selling units of HDTV, per capita consumption of mass media
dressed-up as internet content, via extension of the same systems, one-way
media delivery. except- youtube, memes, perhaps TED Conferences, etc. then
also, videoteleconferencing.
the larger question of infrastructure involves parallel video content that
could be made accessible or available to these networked HDTVs. imagine
community television, anywhere in the world. or special access to a school
video archive of a children's play, requiring private login to view years
later. though also, ideas and debates recorded on video, theater and plays
as performance videos, music concerts and recitals, educational
programming, lectures, etc. this was the earlier model or potential that
was passed over, never allowed to develop by the existing rationalization,
within its controlling interest and technical parameters. instead such
'civic content' is locked out, or made into a proprietary channel or
service, oftentimes content requiring additional payment for access,
instead of offering it as a public service, say for sustaining and
improving cultural awareness, cultural literacy. instead, the bane of
pledge drives for 'public TV' interrupts such content with commercials,
advertisements that demand tithing in order to keep the awful
content-system moving in the same backwards direction, a charade of
educational programming, a heist of 'public airwaves' and spectrum, for
what thus amounts to a private ideological approach to mass media,
everywhere colonized the same.
just consider - and certainly fortunate you are if not familiar with this
television content - how destructive a show like "Friends" is to
programming behavior of populations who then mimic and extend adult
adolescence as 'shared consciousness' via brainwashed young people who
congregate and behave similarly, as if adulthood involves preschool for
shared groups. as if this dumbing-down is an education in ignorance,
condoning and developing it (said show is so cynical perhaps it is
covert-based military propaganda even, to promote such decline)
so instead of communicating about meaningful ideas via television or video,
having debates about ideas, the content is trivial and stupid. demeaning,
debasing, idiotic, and formulaic for the very antihuman principles ruling
over and oppressing populations in daily environments. what kind of
relation does Hollywood have with human citizens exactly? why is mass media
programming hostile to ideas of freedom, intelligence, beyond their narrow
self-interest? what kind of public trust is that which seeks to eliminate
other perspectives, public goals, ideals, principles, and instead actively
dismantles, destroys, prevents, censors such views? and everyone who
*purchases* their television content, pays or buys into these services.
VOTES for it via participating in the onesided delivery model of ungrounded
perspective, warped beliefs, antihuman agendas, normalized and standardized
as if 'shared culture' and not unshared cult exploiting humans via oneway,
entropic expropriation of human power, decision-making, relations,
intelligence, via- most likely- endless signed ~legal documents
now that is dark humor. so dark that the laugh track and non-funny
comediennes provide a diorama-like span of artifice in which to place the
malaise of being lost in such false POVs.
this one-way formatting of culture in hostile terms and dynamics... then
leading to adult preschoolers as the constituency, filling up the void in
mass media as its representatives and participants. the state as mass media
production, then waging war against terrorists, turning against its own
citizenry and constitution. the script turned into a government
prescription that then formats and 'owns' the development (and decline) of
culture via its representation. political engineering, social engineering,
behavioral engineering - marcom & advertising.
public issues and interests then are a pay-per-access approach. parallel to
this, timepiece, the SPOT watch by Microsoft, which could have indicated an
innovative approach to content, except for a monthly or yearly fee to
access radio-broadcast content for the 'smart watch', such that to get the
weather report required tithing. any blip of news, more dimes and quarters.
and thus content-limited, dies out. maximal payment via cellular data
services-- requiring payment of full cellphone plan prior to access data or
services are extra fees, such that actual *information* and data is rare,
unless people live to SMS and that is their lifework
the model of content distribution, ownership, approaches to 'profit'-
removed of a vital and fundamental civic dimension and component that is
absent from these devices and tools. essentially boxed-in by a limited
privatized approach that relies on _censoring outside views and content
from a given platform or industry or media, because that constraint becomes
the basis for moneymaking instead of- i don't know- doing something
worthwhile for humanity, in an innovative and ingenious way that still
makes money, and does not falsely constrain or limit or confine the device
or its future media development out of selfish private interest at the
expense of larger human goals and needs. again- i don't know... like
knowing when the bus is going to arrive at a bus stop via a watch or PDA or
phone- as a public service. and having such data available and accessible
for populations - and then developing more based on such public services
and infrastructures, including media libraries accessible via HDTVs,
schools or university resources and classes as part of public outreach,
etc. in a coherent approach and model based on shared goals, principles,
incentives, reflecting a value in truth and honoring content as more than
private moneymaking ventures that turn culture into a fool's paradise
the civic versus commercial footprint, not just for profit or even
non-profit, also no-profit, a model of the commons and public human sphere
that could be developed outside the given approaches, in parallel to it,
and then made accessible via these tools, as another channel or interface,
though likely a million times larger and full of all the best resources of
culture. and being a citizen provides access, instead of having to pay for
it through a third-party always
so the issue of this existing development of idiocy as the basis for social
relations (antisocial) if not promoting xenophobia via such group dynamics
that become standard, 'the measure' by which others are judged, in these
devolved terms and conditions. including in thinking, such that the
ignorant become the masses who then single out unique individuals as the
problem, the very opposite of democratic potentials, that ideas matter, not
just shared views and beliefs in a larger louder physically more strong
group who are superficial, shallow, and by most indications, incredibly
stupid and extremely proud of it- because this ignorance is the very basis
for social power, engineering consensus and compliance with such lowered
viewpoints as if ideal, enlightened by conformity, by fitting in,
submission, cultic bliss.
it is difficult to write beyond this condition because it is the culture,
it is the televised content, it has taken over 'online programming' and
forms the basis for substitute discourse via idiotic memes and 'dialogue'
about meaningless events as structure for shared relations and reality,
making trivial the everyday, into issues of consumption,
co-media/commodities that participation then validates as a process,
sustaining and building false perspectives, structures, frameworks that can
further be exploited, oppress, via these same means/memes
high-brow, high art, intellectualism and theory-speak and social affairs to
low brow to the realm of the debased and disgusting, all on the same
cultural level, ungrounded, headed in an antihuman direction with an
actively hostile agenda, and yet nonsensical or immune from 'reason' beyond
opinion, due to loss of logic beyond binary ideology & its quick
judgements. in this way mass media - networked or not - becoming channel
surfing, there is always yet another choice to tune into, ignore the
others, even while it persists, keeps on developing, though these 'other
choices' are still the same thing, annihilating all hope of any change in
principles and goals and ideals- because they are against human culture,
implicitly, by design
a question of platforms and tools and devices to access a parallel content
system would need to investigate how to establish a framework for what
exists as a latent yet unused resource, of video or recordings, and then
model a way to integrate this public content into a common model that could
scale from local to state to global interconnectivity, then to standardize
this and establish a common interface that is of highest use and function
and usability versus the oft encountered lowest functionality for such
resources, set at odds with basic searches or categorization, for lack of
coherent modeling of concepts and ideas, beyond unique strings
reading about CES recently, the recent yearly Consumer Electronics Show, a
quote from the Sony CEO reminded me of some of the unique potentials built
into existing tools for access that could co-exist in traditional models
and offer potentially an interface into this world beyond the private-only
model, where cultural media resources could someday be accessed.
reference: Sony CEO says cloud TV won't compete with cable
http://www.theverge.com/2014/1/7/5285310/sony-ceo-kaz-hirai-says-cloud-tv-w…
[q] Unlike Microsoft's push, Hirai focused on the installed user base of
the PS3, suggesting that when the service does come to customers it will be
modular and will allow TV viewing across several of the company's products.
"I know Intel was in this space as well, but from my perspective, when you
look at the installed base of the PS3 — 25 million in the US — when we're
talking to a lot of the broadcasters, it's a compelling number." [/q]
the Sony Playstation (PS3/PS4) has its own gaming network and streaming
services, though i am not familiar with how these function- it would seem
that streaming video games as well as movie content is part of its
ecosystem approach, perhaps also external services in some way. though what
has intrigued me for years is that the device includes a Blu-Ray disk
player as part of its videogame console, and can be used as a dvd player to
watch HD movies, which the Blu-Ray disk format exists for- to match higher
screen resolution of HDTVs, while earlier DVDs are more the
cathode-ray-tube resolutions and screen ratios (4:3 versus 16:9). so there
is an interesting overlap or crossover in content and media delivery,
interface, interaction with the videogame consoles (presumably Microsoft
X-Box One likewise), in that they not only can play videogames with an HDTV
device, though can also play movies on disk, matched to that high
definition resolution, and also access streaming content from the internet
within some framework or given parameters.
the potential then, in this particular videogame console as media access
platform, is that it could open a portal to the 'public commons' of another
world of content, say media archives of hundreds of thousands of films,
lectures, videos of events, educational resources, and that if it were
coherently organized and presented as public service, could likely be
integrated into such a content delivery infrastructure - though connected
with a different system of values than those that otherwise dominate what
is on offer, as an 'online commons' or 'public space' beyond a realm of
juvenilia or existing commercialism that is so highly saturated in the
given model that it is like toxic content, as if ideological residue
imparts itself from mere proximity to the detritus of the mainstream in its
devolved, ungrounded warped worldview
so what if the question of television extended into its infrastructure -
what services are on offer, in the private model, and what content exists
that could potentially be accessed, if it were coherently and effectively
organized and accessed via these same tools and devices
what if the problem involves information, modeling of a view that is not
trapped within a too small consideration of what this involves, and
requires a librarian-like cataloging of resources and an information
architecture that unifies and scales distributed resources into a common
model and intelligible framework, while not existing in the 'same place' or
location, or within a central repository except insofar as it can be
interfaced and accurately account for content
perhaps issues of streaming are too involved and that a large effort and
resources would be required to gain access to high definition content or
quality media resources, yet the content itself already exists in archives
around the world and locally, and would provide an immense value to those
newly able to connect with what is otherwise absent and out of bounds
within media and culture, if as memory, knowledge, communication, relation,
awareness, value
what if ideas were debated on the internet, like they were in past eras as
part of the process of reasoning, and really got into the issues of
information and intelligence in a shared model and multiple views. the
incapacitation by one-way media prevents this, and a lack of quality in
existing online resources, else media archives that remain unshared or
still undeveloped, such as video of a dance performance or one act play,
bound or limit what is possible now and also what could potentially occur,
by neutralizing the possibility by going along with the standard model and
approach that does not question or function outside its own parameters in
terms of content development in profit-based scenarios
what if knowledge was of value. shared awareness. education. insight. clear
communication of ideas. debates that shape improved understanding and
promotes civic involvement and engagement with the present day and its
issues and situations. beyond the one-way panel and the presentations, and
into other forms and dynamics of relation, sharing of ideas. this too could
populate the content offerings within media devices. it would be
interesting to know what the difficulties are, what attempts have been
made, by those most engaged in these dynamics and dimensions- and what
actually may be possible as human content within networked media devices
beyond the WWW model for websites and apps, and TV channels. in this way,
what about the media archive and networked library, access to the cultural
assemblage of resources, stratigraphic layering, interconnections across
frameworks
--- quotes from Henry Ford ---
http://www.secretsofthefed.com/wp-content/uploads/2013/01/Henry-Ford-Bankin…
http://firm-guide.com/wp-content/uploads/2012/10/Quote-of-the-day-Henry-For…
.:.:-.-: URLS -:-..::.
[experiment] String Crossing -- What do you see?
http://www.exo.net/~pauld/activities/perception/stringcrossing.htm
[video] George Lucas' First Film ('liberty and political freedom')
http://gizmodo.com/freiheit-george-lucas-very-first-very-worst-film-1497187…
about: Freiheit (film) 1966 - 3 minutes
http://en.wikipedia.org/wiki/Freiheit_%28film%29
// audio interview, tomorrow (1/15/2014) @ noon PST...
Quantum Leap: The moment we transform potential into reality
http://www.blogtalkradio.com/the-art-of-film-funding/2014/01/15/quantum-lea…
[q] Our guest, Fred Alan Wolf Ph.D., “teaches that quantum physics is the
most useful, immediate, and relevant kind of science you can learn to
profoundly affect your day-to-day life.[/q]
New cyber-attack model helps hackers time the next Stuxnet
http://phys.org/news/2014-01-cyber-attack-hackers-nextstuxnet.html
[q] As Robert Axelrod and Rumen Iliev at the University of Michigan write
in a paper just published in the Proceedings of the National Academy of
Sciences, "The question of timing is analogous to the question of when to
use a double agent to mislead the enemy, where it may be worth waiting for
an important event but waiting too long may mean the double agent has been
discovered."[/q]
Coral chemical warfare:
Suppressing a competitor enhances susceptibility to a predator
http://phys.org/news/2014-01-coral-chemical-warfare-suppressing-competitor.…
[q]The researchers don't know all the factors that may have made the
chemically noxious seaweed more palatable to the fish. However, those
seaweed portions that had been competing with coral had less effective
chemical defenses against fish. When the researchers took extracts from
treatment seaweed and control seaweed and applied them to a palatable
seaweed species not previously used in the experiment, fish preferred the
seaweed coated with extracts from the portions that had been competing with
corals, indicating that competition had compromised the seaweed's chemical
defenses against herbivores. [/q]
===== outer.limits =====
[video] 'Aliens Exist' Says Canada's Former Defense Minister¹
http://fusion.net/modern_life/story/aliens-exist-canadas-defense-minister-3…
¹/via drudge
:::::::::: muzak ::::::::::
//cf.bitsets,logic,circuits,nestedsets,dimensions,numberline,aesthetics
The Divine Music of Mathematics /via hh
http://www.firstthings.com/article/2012/03/the-divine-music-of-mathematics
[q] "The various attempts to impose mathematics on music (or music on
mathematics) produced, respectively, bad music and bad mathematics."
...
"Not until the nineteenth century did mathematicians arrive at a rigorous
definition of irrational numbers, as the limit of an infinite converging
sequence of rational numbers. [/q]
^ (this could be interdimensional,nested sets,thresholds,
as with nested platonic solids, vertices/edges meeting, &c.
note also: music seems to have no concept of ~perspective.
perhaps why musicology is incoherent if not nonsensical;
midi notevalues make fineprint legalese look like poetry)
(note: 'most simple number' (1), infinity can exist between
zero & one, in bounded condition,given approach/dynamics)
(rel. what is missing/big conceptual gap: laser monochord;
analog-digital, modeling+sampling(&classical/quantum),
simplest 'vibrating string' instrument to model emp.ideas;
harmonics,split,multiplex beams,tuning,ratios,plus signals)
(musical frameworks are flat. Timaeus not flat,nested and
hierarchy, implicit. problems related to time,metronome-
approach,numberline. makes no sense as space-time/order
whereby natural rhythm,movement as if artificial,unnatural;
ideological snap to fit. framework is conceptually backwards,
like rationalizing everything in a given consensus, false-view)
[note:the world (15c.onward) this article describes is madness]
[also: 1 symbolically equates w/infinity in n-value logic model]
(issue:basically,trying to work expanded,fragmented,diluted
cosmic bitset back to core truth (1), in multiple frameworks,
nested,disconnected permutations full of noise,tiny signals;
patterns,circuits,ecology,forms/concepts,archetypes,structures)
more...
problem with music: model of the world does not accurately map
to experience (of reality) thus problem of communication/langue,
viewpoints & sharing of false perspective, beliefs, rationalizations.
(future: music visualization displays, tracking, order, structure, cf.
videogames (rockband,etc), also n-dimensional, geometric space,
drumming in virtual reality, inside 12-sided polygon mile wide, &c)
--note also, this summarizing quote from the essay...
[q] In light of the extraordinary influence of Augustine’s idea, we might
think about the problem this way: Even if the ultimate foundations of
reality remain hidden from us, we nonetheless possess a creative faculty
that gives us insight into the infinite. We employ the same faculty at play
in music as we do in probing reality through mathematics. And this faculty
whose workings we observe in the laboratory of music offers an intimation
of our role as junior partners in creation.[/q]
(i think this is dead wrong. there is infinitesimal truth, not maximal
in music today, 'junior partners' only if neuro/audio/signal engineering
programming audiences via entrainment,hypnosis, brain-wave mods;
otherwise this kind of connection is an illusion and a cultural conceit)
<---| ¿¿¿ |--->
future Google as information bank, leasing data/info or access
-----------------------------------------------------------------
[video] The Game of Wiffleball
https://www.youtube.com/watch?v=5y_Wa21qjNs
', $nym, $curveball);
{educational fair-use of copyright, 2013}
13C/27-C1 112-B2B/57-A2A 613-A2A/54-B2A
15 Jan '14
If courageous, Rivest, Shamir and Adleman can be burnt in effigy.
Their initials once were rightly world famous, and to smear these
distinguished gentlemen by vulgar opportunistic protest instigated
by noobs with less than zero comprehension of cryptography
should be condemned not debated.
James Bidzos raped the three once, twice, thrice, then hid his
corporatorizing crime under skirts of EMC. Don't ravage his
victims.
Protest, sure, but demonstrate what to protest for effectiveness,
not idiotic sloganeering of a logo. Hell, long-time duplicitous
IBM deserves deeper anger than RSA. DES and much more.
Go big and really bold. Protest the Wassenaar Arrangement,
the greatest rigging of the dual-use technology market ever, and
the world's greatest gang of cheaters, bribers, underhanded
dealers of contraband, most of it lethal, far deadlier than crypto.
Greenwald blogs there are cryptographers and comsec experts
reviewing Snowden's material for future releases. Presumably
the highly ethical reviewers have a clear shot at avoiding release
of their own names and firms. They will cheat, that's certain.
using Curve p25519 cryptography for type 2(Mixmaster) and type 3(mixminion) remailer blocks
by gwen hastings 15 Jan '14
So it seems because we are using a decades old technology(email) that
another 2 decade old technology is still useful for anonymous dissent
where email based lists are concerned.
I am looking at resurrecting the
mixmaster, mixminion and nym.alias.net nymserver designs from the
various code wastebaskets and retrofitting them with some newer encryption
technology based on curve25519 and poly-1305 libsodium based algorithms
and routines.
Do these ideas sound interesting and viable to the coders on the list
and of course worthwhile? or are they best left to the trashbin of
history being mostly used by trolls and those damn pesky voices of dissent?
gh
--
Tentacle #99
ecc public key curve p25519(pcp 0.15)
1l0$WoM5C8z=yeZG7?$]f^Uu8.g>4rf#t^6mfW9(rr910
Governments are instituted among men,
deriving their just powers from the consent of the governed,
that whenever any form of government becomes destructive
of these ends, it is the right of the people to alter or
abolish it, and to institute new government, laying its
foundation on such principles, and organizing its powers
in such form, as to them shall seem most likely to effect
their safety and happiness.’
https://github.com/TLINDEN/pcp.git to get pcp(curve25519 cli)
https://github.com/stef/pbp.git (curve 25519 python based cli)
In response to the earlier chatter about BitCoin privacy..
http://sourceforge.net/mailarchive/message.php?msg_id=31813471
Apparently gaining some traction, implementation running on the testbed.
Haven't looked over the details, but it at least seems like a small
improvement. I don't know if it will actually defend against BitIodine type
clustering analysis.
R
Full text:
* Abstract
A Stealth Address is a new type of Bitcoin address and related
scriptPubKey/transaction generation scheme that allows payees to
publish a single, fixed, address to which payors can send funds efficiently,
privately, reliably and non-interactively. Payors do not learn what
other payments have been made to the stealth address, and third-parties
learn nothing at all. (both subject to an adjustable anonymity set)
* Acknowledgments
Credit goes to ByteCoin for the original idea.(1) Gregory Maxwell, Adam
Back, and others on #bitcoin-wizards contributed valuable input on the
implementation. Finally thanks goes to Amir Taaki for input on the
general idea of stealth addresses and use-cases.
* Background
Viewed generally a Bitcoin address is a mechanism by which a payee
instructs a payor to create a transaction such that the payee can spend
one or more of the transaction outputs. Of course, typically the address
is simply the hash of a pubkey, and the mechanism by which the funds are
made available to the payee is to simply create a scriptPubKey of the
following form:
DUP HASH160 <pubKeyHash> EQUALVERIFY CHECKSIG
The problem however is address reuse: it is convenient for payees to
give one or more payors a single address and use it multiple times for
various purposes. This results in all those payments becoming trivially
linkable to each other by an attacker - a threat not only to the privacy
of the user, but also to all users of Bitcoin.(2)
BIP32 hierarchical deterministic wallets are frequently proposed as a
solution. Now an address is a chain code and the mechanism by which a
scriptPubKey is generated is to derive a one-time-use pubkey from that
chain code and some index i. However, this quickly runs into two main
problems:
1) Lack of privacy: While someone not in possession of the address can't
link payments together, someone who is can.
2) State: If the index is not to be re-used wallets must either maintain
per-address state, or somehow query for already used indexes, or
somehow generate them in a sufficiently small range that the payee
can recover the indexes. All these solutions are problematic.
A good example of where the BIP32-derivation solution fails came up at
the Dark Wallet Hackathon where it was suggested by the author that for
the purpose of securing person-to-person payments OpenPGP public keys
and X.509 certificates be extended with a new user-id field containing a
Bitcoin address. Wallet software could then use either certificate
system to ensure funds were being sent to the intended recipients -
essentially a non-interactive way of solving what the BIP70 payment
protocol solves interactively. Of course, without stealth addresses the
scheme would likely have little or no privacy.
* Requirements
1) Generated scriptPubKey must be globally unique
2) Must be only spendable by payee
3) scriptPubKey and associated transaction must be indistinguishable to
third-parties from other transactions in some anonymity set.
4) Method must be fully deterministic and funds recoverable from a
wallet seed and blockchain data for both payee and payor.
5) Funds must be efficiently recoverable by payee with reasonable, and
configurable, computation and bandwidth costs.
6) Must be compatible with CoinJoin/Must not leak information to payee
about what txins were used to pay them.
7) Must be compatible with multisig-protected wallets.
8) Must not make assumptions about txin scriptSig form.
9) Must be possible to prove to third parties that payment was made in
accordance to instructions without revealing any other information.
** Payment Reliability
Schemes for making payments by transmitting nonces to the recipient
through some other medium, such as Bitmessage, were discussed at the
Dark Wallet Hackathon. However using any medium but the blockchain
itself for the communication means that the reliability of the payment
getting to the recipient is less than that of a standard transaction.
For instance Bitmessage nodes only keep messages for two weeks. We
decided that anything less than reliable atomic transactions was
unacceptable.
* Applying encryption to payments, simple explanation
Using Elliptic curve Diffie-Hellman (ECDH) we can generate a shared
secret that the payee can use to recover their funds. Let the payee have
keypair Q=dG. The payor generates nonce keypair P=eG and uses ECDH to
arrive at shared secret c=H(eQ)=H(dP). This secret could be used to
derive an ECC secret key, and from that a scriptPubKey, however that
would allow both payor and payee the ability to spend the funds. So
instead we use BIP32-style derivation to create Q'=(Q+c)G and associated
scriptPubKey.
As for the nonce keypair, that is included in the transaction in an
additional zero-valued output:
RETURN <P>
The payee recovers the funds by scanning the blockchain for candidate P's
in transactions, regenerating the scriptPubKey, and finally checking if
any txouts in the transactions match. Note the close similarity of this
technique to how the Bitmessage network functions - an initial
implementation of the idea will find the Bitmessage code a suitable
starting point.
* Trading off anonymity set size for decreased bandwidth/CPU
By taking advantage of prefix filters(3) we can choose a tradeoff
between anonymity set size and bandwidth/CPU usage if the payee
specifies that payments to them are to match some short prefix k. There
are a few possibilities for how the prefix is to be applied - the most
simple is if per-block indexes of scriptPubKeys are available:
RETURN <k> <P>
Alternatively if per-block indexes of H(scriptPubKeys) are only
available the wallet software can grind the scriptPubKey with nonce i
until it matches the specified prefix:
RETURN <i> <P>
Furthermore as symmetric ciphers are quite cheap we might as well hide
the purpose of the OP_RETURN txout and encrypt the pubkey P using H(Q)
as a symmetric key. This gives us a slightly larger anonymity set.
* Advantages of using a separate output
An alternative would be to either re-use a pubkey or signature nonce
value from a transaction input, saving about 45 bytes per txout. An
absolute minimum sized Bitcoin transaction is 166 bytes(4) so at best we
have a 27% savings in tx fees, and more typically around ~15%. (modulo
mass-payments from a single txin)
However using an explicit prunable OP_RETURN output to store the pubkey
rather than re-using one from a txin or txin signature has a number of
advantages:
1) The txins owned by the payor are not revealed to the payee. In fact,
they could be held by a third-party who simply makes a transaction
with the appropriate txouts on behalf of the payee.
2) Less information about the txouts is leaked. The statistical
distribution of txouts remains unchanged - not possible in re-use
schemes because they need to grind the payee scriptPubKey's for the
sake of the prefix filters.
3) If required the nonce secret can be revealed to prove that a payment
was made to a third-party, e.g. for dispute resolution.
* Bare CHECK(MULTI)SIG output alternative
An alternative with better efficiency could be to use bare
OP_CHECK(MULTI)SIG outputs to hold the nonce pubkey - generally a second
output is needed anyway for change. The most simple would be to use Jeff
Garzik's OP_DROP proposal(5) for the prefix:
<prefix> DROP n <pubkey>...<pubkey> m CHECKMULTISIG
or
<prefix> DROP <pubkey> CHECKSIG
The payor pubkey is in the *change* txout, and the payee's ECDH-derived
pubkey in the other txout. By setting the prefix to be the same on both
txouts and using the same basic scriptPubKey form the relationship of
change and payment is still hidden; CoinJoin-using implementations can
adopt even more sophisticated approaches.
If IsStandard() rules remain the same and using OP_DROP is impractical,
we can also grind the change pubkey to match the prefix in a
deterministic manner so the wallet can still be recovered from a seed.
More costly, but maybe still acceptable for reasonably short prefixes.
Either way the result is transactions that are actually smaller and
cheaper than standard transactions, although without the advantage of
pushing scriptPubKey size payment to the receiver. (a pity we didn't
spend the extra time to adopt OP_EVAL)
A disadvantage is that revealing the nonce secret to prove a payment was
made is more problematic - either the txout needs to be spent first, or
we need a CHECKMULTISIG.
* Address format
To be decided. To support multisig we probably want the ability to
specify n-of-m master pubkeys, using the nonce to generate derived ones.
For the single pubkey case the addresses will be a little longer than
standard Bitcoin addresses:
s9KND3vfXjs3YqfZp86Acce3bM7Mhuptwh6mjeDnThsDei9Z2ZZcU
vs.
1LZn91ynrA6BCmoUKwnV3Ygk4FQMfPxLbg
1) ByteCoin, Untraceable transactions which can contain a secure message
are inevitable, https://bitcointalk.org/index.php?topic=5965.0
2) Gregory Maxwell, Dark Wallet Certification discussions, also
http://snowdenandthefuture.info/PartIII.html
3) Peter Todd, [Bitcoin-development] Privacy and blockchain data,
http://www.mail-archive.com/bitcoin-development@...
4) Bitcoin Wiki, Maximum transaction rate,
https://en.bitcoin.it/w/index.php?title=Maximum_transaction_rate&oldid=36983
5) Jeff Garzik, Add small-data OP_DROP transactions as standard
transactions, https://github.com/bitcoin/bitcoin/pull/1809
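The ECDH derivation in the forwarded text above (payee keypair Q=dG, payor nonce P=eG, shared secret c=H(eQ)=H(dP), derived destination key and payee scan), worked through as an added example that is not part of the forwarded document or of any stealth-address implementation. It uses a toy secp256k1 implementation, reads the derived key as Q' = Q + cG (point addition, so the payee spends with d' = d + c mod n while the payor, knowing only e and c, cannot), and leaves out the DUP HASH160 ... CHECKSIG wrapping, so the scan matches on the compressed derived pubkey rather than the scriptPubKey.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard constants)
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % FP == 0:
            return None                      # a + (-a) = infinity
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP      # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP  # chord slope
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)


def scalar_mult(k, pt):
    """Double-and-add k*pt (toy code: not constant time, illustration only)."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = point_add(acc, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return acc


def compress(pt):
    """33-byte SEC compressed encoding: 02/03 parity prefix plus x."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def decompress(data):
    x = int.from_bytes(data[1:], "big")
    y = pow((x ** 3 + 7) % FP, (FP + 1) // 4, FP)   # sqrt, valid as p = 3 mod 4
    if (y & 1) != (data[0] & 1):
        y = FP - y
    return (x, y)


def shared_secret(scalar, point):
    """c = H(scalar * point): the payor computes H(eQ), the payee H(dP)."""
    digest = hashlib.sha256(compress(scalar_mult(scalar, point))).digest()
    return int.from_bytes(digest, "big") % N


def derive_payment_key(Q, c):
    """Q' = Q + c*G (assumed reading of the text's derived key)."""
    return point_add(Q, scalar_mult(c, G))


def payee_keypair():
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def payor_build_payment(Q):
    """Payor side: fresh nonce keypair P = e*G and the derived destination.

    Returns (nonce_pubkey, destination_pubkey) as compressed bytes; a real
    wallet would publish P in a zero-valued RETURN <P> output and pay to a
    DUP HASH160 <hash160(Q')> EQUALVERIFY CHECKSIG scriptPubKey.
    """
    e = secrets.randbelow(N - 1) + 1
    P = scalar_mult(e, G)
    c = shared_secret(e, Q)
    return compress(P), compress(derive_payment_key(Q, c))


def payee_scan(d, Q, candidates):
    """Payee side: for every (P, destination) pair seen on chain, recompute
    c = H(d*P) and Q'; on a match, return the one-time spending key
    d' = d + c mod n together with the destination it unlocks."""
    found = []
    for nonce_bytes, dest_bytes in candidates:
        c = shared_secret(d, decompress(nonce_bytes))
        if compress(derive_payment_key(Q, c)) == dest_bytes:
            found.append(((d + c) % N, dest_bytes))
    return found
```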
Hi all
Anyone know the current status.. any mixminion remailers still running??
seems like 4 servers only at present not near enough and ALL relay only..
adamas:relay (ok)
cypher:mbox relay frag (ok)
hermetix:mbox relay (ok)
khjk:relay (ok)
sigh
gh - rebuilding the technology of dissent one software package at a time
--
Tentacle #99
ecc public key curve p25519(pcp 0.15)
1l0$WoM5C8z=yeZG7?$]f^Uu8.g>4rf#t^6mfW9(rr910
Governments are instituted among men,
deriving their just powers from the consent of the governed,
that whenever any form of government becomes destructive
of these ends, it is the right of the people to alter or
abolish it, and to institute new government, laying its
foundation on such principles, and organizing its powers
in such form, as to them shall seem most likely to effect
their safety and happiness.’
https://github.com/TLINDEN/pcp.git to get pcp(curve25519 cli)
Net Neutrality Ruling, Internet Interprets Censorship as Damage, There are no Captains, Decentralize Everything, etc.
by Odinn Cyberguerrilla 14 Jan '14
Hello,
As you are probably aware, there has been a net neutrality ruling from US
courts and it essentially kills net neutrality.
Reference (this is just one of many news outlets announcing this)
http://gigaom.com/2014/01/14/breaking-court-strikes-down-fccs-net-neutralit…
This is surely no new concept to anyone on this list (the concept that we
can't rely upon laws, need to use technical solutions to bypass what
passes for government/corporation-state, etc.) but I have to say this net
neutrality calls into stark contrast what we are doing with what we could
be doing. And by we, I mean anyone using the internet.
Many people use AT&T, or Verizon. Many people use Google and Facebook. Or
Weibo. Or VK. Or... you get the picture. But rather than harp about any
one company (or licensing approach, or ruling, etc) I want to emphasize
decentralized systems beyond what many are accustomed to hearing about /
using.
When people hear "open source" or "p2p" they might think of Ubuntu, or
Android (regarding open source OSs) or Bittorrent, or Piratebay (in terms
of things that come to mind if an ordinary human is asked what do they
think of as an example of P2P or F2F tech). Given the news about Bitcoin
it's a sure bet at least some people if asked on the street might also say
'Bitcoin' (or alternately, "what's P2P?" or "Software!") So you'll get a
lot of responses and responses will vary substantially, but this is my
sense based on talking to people I know around my (rather small) town.
But how often do you hear people talking about what is needed to literally
Decentralize Everything?
Well, except for posts occasionally on lists like these, or meetings /
discussions with like-minded people, or hackerspaces, or development
discussions, the answer is Almost Never.
Anyway, this recent ruling announcement re. net neutrality (or its death)
here in the USA is just one more example of how we cannot rely upon laws,
at least in my view. But it also made me think some more about this and
realize that if we want decentralized protocols / solutions to spread at
all, we have to do a way better job at being good advocates for them and
talking about them incessantly to everyone in a way that is easy, simple,
and makes sense to people.
As this post already exhibits I can be very wordy and windbaggish.
Further evidence of that fact is presented amply in my recent post here:
https://odinn.cyberguerrilla.org/index.php/2014/01/02/opensourcebuildguide/
As I reflect on this I think about the following.
1) I need to make something shorter that easily introduces people to open
source stuff. Something that's even simpler than prism-break
(http://prism-break.org/) - an option which is so simple that anyone (at
least in primary school levels) can understand it and act on things
presented in it within less than a minute. Look. Software. Click (one
click, two max!) to get it. Done.
2) What are some ways to Decentralize Everything? To the DNS and beyond?
Stuff that comes to mind (remember, there is no one thing, there are no
captains, there is no one solution, these are just examples of possible
partial solutions being thrown out here):
2)a. https://github.com/bitcoin/bitcoin/
2)b. https://github.com/namecoin
2)c. https://nameid.org/
2)d. concepts like this
http://torrentfreak.com/how-the-pirate-bay-plans-to-beat-censorship-for-goo…
2)e. Convergence for namecoin
https://github.com/JeremyRand/Convergence/tree/namecoin
2)f. Convergence (a different one) https://github.com/moxie0/Convergence
2)g. Tack.io - for pinning (it's my understanding that moxie0 prefers
this direction, but I haven't been tracking it closely enough to say
what is going on with it right now) --> http://tack.io/
2)g.1. See also the Tack internet draft(!) at http://tack.io/draft.html
2)g.2. See also reference TACK implementations https://github.com/tack
So...
As I read through this, and similar stuff, I think to myself, something
about this needs to be broadcast in a way that it is so easy to do, so
simple to accept, that it meets the "everybody sees it (or it's in the
news) and they click and download it"
I know it's never really that simple. But I am throwing this out there
because even more censorship is coming. And there are no captains, and we
do need to decentralize everything. We must get A Lot more people on board
with decentralization, open source, and as close to p2p as possible, we
need to make it so easy to defeat censorship of anything that those who
propose allowing it to happen will just throw up their hands in
frustration. So the question (one of many!) is how to present this in a
way that makes sense to a lot of people.
A lot more than currently.
OK I am done for now.
your thoughts please
Hi All
while NOT encrypted.. this sounds apt for some encryption and use
in tradecraft(ie 2 spies in a coffeeshop/restaurant what have you.. etc...)
https://github.com/Katee/quietnet
gh
ps in python no less :)