mersenneforum.org

mersenneforum.org (https://www.mersenneforum.org/index.php)
-   Tales From the Crypt(o) (https://www.mersenneforum.org/forumdisplay.php?f=130)
-   -   'All Your Data ❝Я❞ Belong To Us' Thread (https://www.mersenneforum.org/showthread.php?t=20713)

ewmayer 2015-11-30 03:05

'All Your Data ❝Я❞ Belong To Us' Thread
 
I think a thread documenting the numerous egregious failures by governments, big business and online sites to use even the most basic crypto/security tools to properly protect their customer/user data would be useful. As breaches dating back at least to the WW2 Enigma cracking program show, most of the time "it's not the crypto, it's the misuse or un-use thereof which is the problem."

========================

[url=www.troyhunt.com/2015/11/when-children-are-breached-inside.html]Troy Hunt: When children are breached -- inside the massive VTech hack[/url]

lavalamp 2016-01-21 16:32

Well this certainly seems like a government failure.

[URL="http://www.tomshardware.com/news/uk-mikey-sakke-voip-encryption-backdoor,31035.html"]UK’s 'Government-Grade Encryption' For VoIP Calls Backdoored By Default[/URL]

retina 2016-01-21 16:59

[QUOTE=lavalamp;423393]Well this certainly seems like a government failure.

[URL="http://www.tomshardware.com/news/uk-mikey-sakke-voip-encryption-backdoor,31035.html"]UK’s 'Government-Grade Encryption' For VoIP Calls Backdoored By Default[/URL][/QUOTE]More likely a government success. That was no accident. It was deliberate. And they successfully deployed it.

[size=1]Unless by "failure" you mean they failed to keep it a secret. In which case then I agree, a failure, but to be expected that eventually people would discover it. Makes one wonder what will be the next trick they are using that is yet to be discovered.[/size]

lavalamp 2016-01-21 17:09

I think it's perfectly possible to fail even if you get exactly what you want.

ewmayer 2016-09-02 22:50

[url=arstechnica.com/security/2016/08/new-attack-steals-private-crypto-keys-by-corrupting-data-in-computer-memory/]New cloud attack takes full control of virtual machines with little effort[/url] | Ars Technica
[quote]The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It's a technique that's so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment.[/quote]
Haven't delved deeply into the mathematical details here, but e.g. with respect to an RSA-style key the attack scheme appears to rely on the high odds that flipping a random bit in the (known) product of 2 similar-sized primes will produce a new composite which is much easier to factor. But far more than RSA-style schemes are vulnerable:
p.s.: I was composing the above as I was reading the Ars piece - see a pair of promoted comments at the end confirming my quick take - this is a quote from the research paper described in the article:
[i]
Public-key cryptography relies on the assumption that it is computationally infeasible to derive the private key from the public key. For RSA, computing the private exponent d from the public exponent e is believed to require the factorization of the modulus n. If n is the product of two large primes of approximately the same size, factorizing n is not feasible. Common sizes for n today are 1024 to 2048 bits. In this paper we implement a fault attack on the modulus n of the victim: we corrupt a single bit of n, resulting in n'. We show that with high probability n' will be easy to factorize. We can then compute from e the corresponding value of d', the private key, that allows us to forge signatures or to decrypt. We provide a detailed analysis of the expected computational complexity of factorizing n...[/i]

Nick 2016-09-03 07:17

The VU paper is available here:
[URL]http://www.ieee-security.org/TC/SP2016/papers/0824a987.pdf[/URL]

It's a good fault injection attack. Yet again, optimization destroys security.

GP2 2016-09-03 07:20

[QUOTE=ewmayer;441425][url=arstechnica.com/security/2016/08/new-attack-steals-private-crypto-keys-by-corrupting-data-in-computer-memory/]New cloud attack takes full control of virtual machines with little effort[/url] | Ars Technica[/QUOTE]

The article notes that ECC memory is one factor that helps mitigate the attack, though not completely. Usually cloud hardware uses ECC memory; [URL="https://aws.amazon.com/ec2/faqs/"]Amazon's FAQ[/URL] mentions that they have it, and undoubtedly Google and Microsoft Azure do too.

jasonp 2016-09-03 20:30

[url="https://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf"]Paper reference for the Rowhammer attack[/url]

Edit: actually there is no exploit described in the paper, it characterizes what the errors induced in the DRAM look like. Really scary stuff.

ewmayer 2016-09-20 08:09

[url=www.vanityfair.com/news/2016/09/welcome-to-the-dark-net]Welcome to the Dark Net, a Wilderness Where Invisible World Wars Are Fought[/url] | Vanity Fair

ewmayer 2016-10-24 22:03

[url=http://www.reuters.com/article/us-usa-cyber-idUSKCN12L1ME]Cyber attacks disrupt PayPal, Twitter, other sites[/url] | Reuters

Widely reported last week, but much of (at least the early) reporting missed a crucial aspect: This was the latest Internet-of-Things-mega-botnet attack. Nice description of just how bad the problem is - and this is by design on the part of the manufacturers! - from Brian Krebs, who was victimized by a similar but smaller-scale such attack last month:

[url=https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/#more-36754]Hacked Cameras, DVRs Powered Today's Massive Internet Outage[/url] | Krebs on Security
[quote]At first, it was unclear who or what was behind the attack on Dyn. But over the past few hours, at least one computer security firm has come out saying the attack involved Mirai, the same malware strain that was used in the record 620 Gbps attack on my site last month. At the end of September 2016, the hacker responsible for creating the Mirai malware released the source code for it, effectively letting anyone build their own attack army using Mirai.

Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.

According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use them in their own products.

“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.

“At least one Mirai [control server] issued an attack command to hit Dyn,” Nixon said. “Some people are theorizing that there were multiple botnets involved here. What we can say is that we’ve seen a Mirai botnet participating in the attack.”

As I noted earlier this month in Europe to Push New Security Rules Amid IoT Mess, many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.

That’s because while many of these devices allow users to change the default usernames and passwords on a Web-based administration panel that ships with the products, those machines can still be reached via more obscure, less user-friendly communications services called “Telnet” and “SSH.”

Telnet and SSH are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” to reach a username and password prompt at the target host).

“The issue with these particular devices is that a user cannot feasibly change this password,” Flashpoint’s Zach Wikholm told KrebsOnSecurity. [b]“The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”[/b][/quote]
[emphasis mine.] Hardcoded firmware rootkits protected only by a shared factory-default password ... what could go wrong? And the fact that the visible UI allows owners to "secure their device via custom password" provides a suitably false sense of security. Nice.

But hey, time to indulge in that wildly popular fad among U.S. officialdom (including, alas, experts with a big soapbox like Bruce Schneier): let's blame the Russians! How about something along the lines of 'Officials refused to comment on several eyewitness reports claiming to have seen a shadowy figure resembling The Putin lurking around Dyn headquarters in the days prior to the attacks'.

ewmayer 2017-01-01 02:24

Here in the US, the MSM-driven "Russians are coming!" hysteria continues apace - first the Rooskies allegedly hacked the US elections leading lame-duck Obama to "impose sanctions", now they allegedly hacked the NE US power grid.
Mike Shedlock has a good collection of propaganda-narrative-debunking links in [url=https://mishtalk.com/2016/12/31/more-bullsht-fake-news-from-washington-post/]More Bullsh*t Fake News from Washington Post[/url].

Most interesting to me about this manufactured hysteria is to compare it to the non-response to a genuinely damaging hack of an actual US government agency (note the Democratic National Committee is a private political party, not an organ of the government) which was credibly traced to a nation-state actor. To maximize the irony, here is a link to the WaPo story on it (but note the particulars were confirmed by multiple news outlets as well as skeptical-of-officialdom blogs, i.e. I didn't just take WaPo's word for it then, either):

[url=https://www.washingtonpost.com/world/national-security/chinese-hack-of-government-network-compromises-security-clearance-files/2015/06/12/9f91f146-1135-11e5-9726-49d6fa26a8c6_story.html]Chinese hack of federal personnel files included security-clearance database | 12 Jun 2015[/url]

Remember all the saber-rattling, tough sanctions and other punitive actions against China which that led to? Neither do I.

Unlike Mish, I don't believe the folks [url=http://deadline.com/2016/11/shocked-by-trump-new-york-times-finds-time-for-soul-searching-1201852490/]setting the narrative[/url] at WaPo, NYT etc. are stupid at all - they appear to have a very clear set of objectives with their ongoing agitprop-disguised-as-news campaign, including but not limited to:

o Maintain their own longstanding quasi-monopoly on 'news' (much of which is government propaganda) by smearing independent information sources as Commie-sympathizing peddlers of "fake news";
o Keep the populace in fear about "dark outside forces";
o Make excuses for the Dems blowing the election (and deflect from their blatant rigging of their own primary to install the designated NatSec/establishment/Wall-Street stooge as the party's nominee);
o Delegitimize the incoming administration and pressure it to knuckle under to the Deep State.

[b]Edit:[/b] Here is an Ars piece on the weakness of the 'evidence' provided so far:

[url=arstechnica.com/security/2016/12/did-russia-tamper-with-the-2016-election-bitter-debate-likely-to-rage-on/]White House fails to make case that Russian hackers tampered with election[/url] | Ars Technica

ewmayer 2017-05-15 03:25

[I link to Mish here not because he's any kind of crypto expert but because both of his posts contain nice annotated sets of links]

[url=https://mishtalk.com/2017/05/13/wannacry-cyber-attack-hits-99-countries-fedex-nissan-hospitals-universities-with-nsa-developed-malware-five-questions/]WannaCry Cyber Attack Hits 99 Countries, FedEx, Nissan, Hospitals, Universities with NSA Developed Malware: Five Questions.[/url] | MishTalk

[url=https://mishtalk.com/2017/05/14/microsoft-blasts-nsa-cia-for-stockpiling-vulnerabilities-criminal-negligence-by-nsa/]Microsoft Blasts NSA, CIA for "Stockpiling Vulnerabilities" Criminal Negligence by NSA?[/url] | MishTalk

[url=https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html]How to Accidentally Stop a Global Cyber Attacks[/url] | MalwareTech -- On why the U.S., ironically enough given NSA's role in developing the weaponized malware in question, was mostly spared.

[url=www.washingtonsblog.com/2017/05/ransomware-hack.html]Top NSA Whistleblower: Ransomware Hack Due to "Swindle of the Taxpayers" by Intelligence Agencies[/url] | Washington's Blog -- some choice harsh verbiage from ex-NSA-analyst "legend" William Binney.

paulunderwood 2017-05-15 12:29

I wonder how much money has been "given" to M$ to date by the UK's NHS. Surely the powers that be must have known that XP is obsolete, as will be later versions of Windoze OS one day. Of course, because of the bloat, hardware needs to be updated. So much for "total cost of ownership"!

ewmayer 2017-09-29 00:04

[url=https://www.techdirt.com/articles/20160414/09250634185/report-exposes-flaws-link-shorteners-that-reveal-sensitive-info-about-users-track-their-offline-movements.shtml]Report Exposes Flaws In Link Shorteners That Reveal Sensitive Info About Users And Track Their Offline Movements[/url] | Techdirt

ewmayer 2017-10-13 22:37

[url=https://theintercept.com/2015/09/16/getting-hacked-doesnt-bad/]With Virtual Machines, Getting Hacked Doesn’t Have to Be That Bad[/url] | The Intercept

paulunderwood 2017-10-16 10:25

[url]https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns[/url]

lavalamp 2017-10-16 12:03

[QUOTE=paulunderwood;469932][url]https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns[/url][/QUOTE]Is WPA2 entirely software based or does it have hardware requirements also? I wonder how hard this would be to patch up.

From the article it seems as though they're saying the protocol was cracked, rather than the encryption, but I'm not entirely sure.

retina 2017-10-16 12:24

[QUOTE=lavalamp;469935]Is WPA2 entirely software based or does it have hardware requirements also? I wonder how hard this would be to patch up.[/QUOTE]It is software (or firmware I guess). It can be patched. But in reality it won't be patched. Most devices won't get a patch from the manufacturer. And if they did, "no one" knows how to install it anyway, or even that it needs installing, or even that there is something to install. Welcome to the world of insecure devices.[QUOTE=lavalamp;469935]From the article it seems as though they're saying the protocol was cracked, rather than the encryption, but I'm not entirely sure.[/QUOTE]The [strike]key[/strike] 8-digit WPS negotiation was broken many years ago. Some newer devices have workarounds for that problem. But the encryption is secure in that no one has yet broken AES (that we know of anyway).

Edit: It wasn't the key, but the "secret" device number.

ewmayer 2017-10-24 20:58

An interesting angle on the WPA2 vulnerability:

[url=https://www.privateinternetaccess.com/blog/2017/10/the-recent-catastrophic-wi-fi-vulnerability-was-in-plain-sight-for-13-years-behind-a-corporate-paywall/]The recent catastrophic Wi-Fi vulnerability was in plain sight for 13 years behind a corporate paywall[/url] | privateinternetaccess.com
[quote]When this week’s KRACK wi-fi vulnerability hit, I saw a series of tweets from Emin Gür Sirer, who’s mostly tweeting on bitcoin topics but seemed to know something many didn’t about this particular Wi-Fi vulnerability: it had been in plain sight, but behind paywalls with corporate level fees, for thirteen years. That’s how long it took open source to catch up with the destructiveness of a paywall.

Apparently, WPA2 was based on IEEE standards, which are locked up behind subscription fees that are so steep that open source activists and coders are just locked out from looking at them. This, in turn, meant that this vulnerability was in plain sight for anybody who could afford to look at it…. [W]hile ordinary activists and coders were locked out of reviewing these documents, the NSA and the like had no shortage of budget to pay for subscriptions to these specifications. Thus, the IEEE’s paywall was lopsiding the security field toward mass surveillance, away from security.[/quote]

ewmayer 2017-11-12 02:14

[url=https://www.nakedcapitalism.com/2017/11/why-you-should-never-buy-an-amazon-echo-or-even-get-near-one.html]Why You Should NEVER Buy an Amazon Echo or Even Get Near One[/url] | naked capitalism

Dr Sardonicus 2017-11-12 15:25

[QUOTE=ewmayer;471589][url=https://www.nakedcapitalism.com/2017/11/why-you-should-never-buy-an-amazon-echo-or-even-get-near-one.html]Why You Should NEVER Buy an Amazon Echo or Even Get Near One[/url] | naked capitalism[/QUOTE]Fascinating. The idea of cross-referencing to identify voices -- in particular, voice commands -- occurred to me while watching the [i]Star Trek: The Next Generation[/i] episode [b]Brothers[/b] (8 Oct, 1990). Commander Data was able, merely by imitating Captain Picard's voice, to commandeer the [i]Enterprise[/i] and lock everyone else out from voice command of the computer. The thought immediately occurred to me: [i]Wait[/i] a minute! Doesn't the computer [i]know[/i] Captain Picard is somewhere [i]else[/i]?

Now, I don't expect these voice-activated "assistants" to be as sophisticated as the [i]Enterprise[/i]'s computer, so perhaps a high-quality recording of the owner's voice could be used to cause mischief...

There's another kind of voice activated "assistant" heavily advertised of late -- remote controls, in particular Comcast TV and internet services. I don't know enough details about what you can tell the remote to do, or how good its recognition capabilities are, but the potential for running up pay-per-view or other extra charges is amusing to contemplate.

ewmayer 2017-11-17 01:40

[url=https://theweek.com/articles/736984/nsa-needs-stop-hacking]The NSA Needs to Stop Hacking[/url] | The Week

ewmayer 2017-11-22 01:08

o [url=https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/]Google collects Android users’ locations even when location services are disabled[/url] | Quartz
[quote]Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?

Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed.

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

Quartz observed the data collection occur and contacted Google, which confirmed the practice.

The cell tower addresses have been included in information sent to the system Google uses to manage push notifications and messages on Android phones for the past 11 months, according to a Google spokesperson. [b]They were never used or stored, the spokesperson said[/b].[/quote]
Re. bolded snip: Right, because the same company that's been blatantly lying about user opt-out of its location services can be trusted regarding their claims about storage and use of such collected data. We pinkie-swear! But hey, this stuff is covered on page 31, subsection V.a{4], paragraph 3 of their privacy policy, so it was made eminently clear, notwithstanding the deliberately misleadingly named "location services" opt-out. But it gets even better - check out Google's lawyerly parsing of its own "we do not use your location data" language:
[quote]While Google says [b]it[/b] doesn’t use the location data it collects using this service, [b]it does allow advertisers to target consumers using location data[/b], an approach that has obvious commercial value. The company can tell using precise location tracking, for example, whether an individual with an Android phone or running Google apps has set foot in a specific store, and use that to target the advertising a user subsequently sees.[/quote]
IOW, "We respect your privacy, even if the legions of advertisers we sell your data to do not."

o [url=freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/]No boundaries: Exfiltration of personal data by session-replay scripts[/url] | Freedom to Tinker
[quote]You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However the extent of data collected by these services far exceeds user expectations [1]; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can’t reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user’s real identity.[/quote]

ewmayer 2017-11-30 22:09

[url=www.mintpressnews.com/william-binney-and-the-struggles-of-a-good-american/234907/]William Binney: the Struggles of 'a Good American'[/url] | Mint Press News
[quote]In other words, if [NSA director] Hayden had listened to Binney and SARC, there would have been no Edward Snowden and 9/11 might not have occurred. But as the film painfully points out, while Binney, Roark and Drake were being prosecuted, Hayden went on to get two major promotions. The first was Deputy Director of National Intelligence and later Director of the CIA. (Hayden remains a respected go-to intelligence expert sought out by the mainstream U.S. media.)
...
I would be remiss if I did not note that [documentary filmmaker Friedrich] Moser is from Austria and his film was sponsored by the Austrian Film Institute. I doubt that such a film could be made in the United States today. Recently, the mainstream U.S. media has labeled him a “conspiracy theorist” because he has disputed the conventional wisdom that Russia “hacked” Democratic emails to help elect President Trump; Binney’s experiments revealed that the download speed of one of the key hacks was impossible via an Internet hack and instead matched what was possible from a direct download onto a thumb drive, i.e., a leak from an insider.

But that is the fate of people who sacrifice their careers for just causes. They eventually lose their reputations.

Moser is to be congratulated for making his aptly titled film, which would be enormously informative to about 99 percent of the public. I would recommend it to anyone. You can see it on Amazon for $4, the story of a good American.[/quote]

ewmayer 2017-12-20 23:27

o [url=https://thebaffler.com/salvos/the-crypto-keepers-levine]The Crypto-Keepers: How the politics-by-app hustle conquered all[/url] | Yasha Levine, The Baffler
[quote]For the last three years I had been investigating the grassroots crypto tech accessories at the heart of today’s powerful privacy movement: internet anonymizers, encrypted chat apps, untraceable drop boxes for whistleblowers, and super-secure operating systems that even the NSA supposedly couldn’t crack. These tools were promoted by Pulitzer Prize-winning journalists, hackers, whistleblowers, and the biggest and most credible names in the privacy trade—from Edward Snowden to the Electronic Frontier Foundation and the American Civil Liberties Union. Apps like Tor and Signal promised to protect users from America’s all-seeing surveillance apparatus. And the cryptographers and programmers who built these people’s crypto weapons? Well, many of them claimed to live on the edge: subversive crypto-anarchists fighting The Man, pursued and assailed by shadowy U.S. government forces. Citing harassment, some of them had fled the United States altogether, forced to live in self-imposed exile in Berlin.

At least that’s how they saw themselves. My reporting revealed a different reality. As I found out by digging through financial records and FOIA requests, many of these self-styled online radicals were actually military contractors, drawing salaries with benefits from the very same U.S. national security state they claimed to be fighting. Their spunky crypto-tech also turned out, on closer inspection, to be a jury-rigged and porous Potemkin Village version of secure digital communications. What’s more, the relevant software here was itself financed by the U.S. government: millions of dollars a year flowing to crypto radicals from the Pentagon, the State Department, and organizations spun off from the CIA.

My investigation of this community had brought me a lot of abuse: smears and death threats lobbed by military contractors against me and my colleagues; false slanderous stories planted in the press about me being a sexist bully and a CIA agent paid to undermine trust in encryption. So I learned long ago to approach my sources with skepticism and wariness—especially someone as infamous as [Russian internet mogul-in-exile Pavel] Durov, who had recently gotten into the crypto business with Telegram, which now enjoys the distinction of being ISIS’s favorite chat app.
...
In America, the initial movement to take the anti-surveillance fight to Silicon Valley fizzled and turned into something else that was at once bizarre and pathetic: privacy activists working with Google and Facebook to fight the NSA with privacy technology. This made precisely as much sense as siding with Blackwater (or Xe or Academi or whatever the Pentagon contractor calls itself now) against the U.S. Army. Yet this trend of politics-by-app went into overdrive after Donald Trump was elected president. You saw it everywhere: civil libertarians, privacy advocates, and demoralized liberals arose to proclaim that encryption—even the stuff rolled out by Silicon Valley surveillance giants—was the only thing that could protect us from a totalitarian Trump administration.

“Trump Is President. Now Encrypt Your Email,” urged New York magazine’s technology editor Max Read in an opinion piece published in the New York Times in March. “In the weeks after Donald J. Trump won the election, a schism threatened to break my group of friends in two. Not a political argument brought about by the president-elect, or a philosophical fight over the future of the country, but a question of which app we should be using to chat....” Buzzfeed concurred: “Here’s How To Protect Your Privacy In Trump’s America: Easy tips to shield yourself from expanded government surveillance,” wrote the outlet, offering its millennial readers a listicle guide to “going dark” on the net.

What were these apps? Who made them? Did they really work? That’s where the story got even stranger.
[b]
Secrets and Lies
[/b]
Durov’s involuntary encounters with the FBI drive home one unpleasant fact of life in the big data economy: today’s app-obsessed privacy movement relies almost entirely on crypto tools that were hatched and funded by America’s foreign policy apparatus—a body of agencies and organizations that came out of an old-school Cold War propaganda project run by the CIA.
...
Eventually, the CIA’s multi-tentacled propaganda operation shed its covert status, and was transformed by Congress into the Broadcasting Board of Governors, a sister federal agency to the State Department. With a nearly billion-dollar budget, today the BBG operates America’s sprawling foreign propaganda nexus. The American public is only dimly aware of the BBG’s existence, but this media empire leaves almost no corner of the world untouched by satellite, television and radio transmissions. And just as was the case nearly seventy years ago under the CIA, the mission of the BBG is to systematically perpetrate the very same thing that America’s esteemed political establishment is currently accusing Russia of doing: sponsoring news—some of it objective, some wildly distorted—as part of a broader campaign to project geopolitical power.
...
Over the next several years, the BBG, backed by the State Department, expanded the Internet Freedom initiative into a $50 million a year program funding hundreds of projects targeting countries across the world—China, Cuba, Vietnam, and Russia. And here things, yet again, took a turn for the surreal: the Internet Freedom apparatus was designed to project power abroad—yet it also emerged as the primary mover and shaker in America’s domestic privacy movement. It funded activists and privacy researchers, worked with the EFF and ACLU and even companies like Google. Wherever you looked, privacy tools funded by this agency dominated the scene. That included the most ardently promoted privacy products now on offer: Tor, the anonymous internet browsing platform that powers what’s known as the “dark web,” and Signal, the chat app championed by Edward Snowden. Both of them took in millions in government cash to stay afloat.[/quote]

ewmayer 2017-12-20 23:28

[Continued from above post]
[quote][b]
From a Whisper to a Scream
[/b]
When Pavel Durov first had VKontakte taken away from him by the Kremlin and fled Russia, he was hailed in the West as a hero—a modern-day Sakharov who fought for freedom and paid the price with his business. America’s crypto and privacy community embraced him, too. But it did not take long for the relationship to sour—and the chief culprit was Signal, a crypto mobile phone app built by a small opaque company called Open Whisper Systems, aka Quiet Riddle Ventures LLC.

Invented by a self-styled radical cryptographer who goes by the name of Moxie Marlinspike (although his real name may or may not be Matthew Rosenfeld or Mike Benham), Signal was brought to life with funding from the BBG-supported Open Technology Fund (which has pumped in almost $3 million since 2013), and appears to rely on continued government funding for survival. Despite the service’s close ties to an organization spun off from the CIA, the leading lights of America’s privacy and crypto community back the app. “I use Signal every day. #notesforFBI,” Snowden tweeted out to legions of followers who went out and downloaded the app en masse. Marlinspike leveraged Snowden’s praise to the max, featuring the leaker’s endorsement prominently on his company’s website: “Use anything by Open Whisper Systems.”

Largely thanks to Snowden’s endorsement and support, Signal has become the go-to encrypted chat app among American journalists, political organizers, and activists—from anarchists to Marxists to Black Lives Matter. These days, it’s also the secure planning app of first resort for opposition rallies targeting Trump. The app’s even made major inroads into Silicon Valley, with Marlinspike working with management at Facebook and Google to get them to adopt the chat app’s encryption architecture into their mobile chat programs, including WhatsApp. Not surprisingly, Facebook’s adoption of Signal into its WhatsApp program won plaudits from the BBG; managers at the propaganda shop boasted that government-funded privacy tools were now going to be used by a billion people.

Despite Open Whisper’s continued ties to the U.S. government, leading lights of America’s privacy and crypto community have taken to warning off people from using anything else. That includes Telegram, which deploys a custom-built cryptographic technique designed by Pavel Durov’s brother, Nikolai, a mathematician. Even Snowden has taken it upon himself to shoo people away from Telegram, advising political activists, journalists, dissidents, whistleblowers—in short, everyone—to use Signal or even Facebook’s WhatsApp instead. “By default, it is less safe than @WhatsApp, which makes [it] dangerous for non-experts,” he tweeted in response to a question from a Telegram-curious supporter.

But for an app designed to hide people from the prying eyes of the U.S. government, Signal’s architecture has given some security and crypto experts pause. Its encryption algorithm is supposed to be flawless, but the app’s backend runs as a cloud service on Amazon, which is itself a major CIA contractor. The program also requires that users connect the app to a real mobile phone number and give access to their entire address book—strange behavior for an app that is supposed to hide people’s identities. Signal also depends on Google and Apple to deliver and install the app on people’s phone, and both of those companies are surveillance partners of the NSA. “Google usually has root access to the phone, there’s the issue of integrity. Google is still cooperating with the NSA and other intelligence agencies,” wrote Sander Venema, a developer who trains journalists on security. “I’m pretty sure that Google could serve a specially modified update or version of Signal to specific targets for surveillance, and they would be none the wiser that they installed malware on their phones.” And given Signal’s narrow marketing to political activists and journalists, the app works like a flag: it might encrypt messages, but it also tags users as people with something to hide—a big fat sign that says: “WATCH ME, PLEASE.”

And anyway, Signal or no Signal, if your enemy was the United States government, it didn’t really matter what crypto app you used. A recent dump of CIA hacking-tool documents published by WikiLeaks revealed that the agency’s Mobile Devices Branch has developed all sorts of goodies to grab phone data, even when it’s quarantined by the firewalls of apps like Signal and WhatsApp or even Telegram. “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide, and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied,” wrote WikiLeaks.
...
Durov was dumbfounded. As we sat talking, he told me he could not understand how people could trust a supposedly anti-government weapon that was being funded by the very same U.S. government it was supposed to protect its users from.

I told him that I shared his bewilderment. Throughout all my reporting on this set of crypto radicals funded by a CIA spinoff, I asked a simple question that no one could properly answer: If apps like Signal really posed a threat to the NSA’s surveillance power, why would the U.S. government continue to fund them? I couldn’t help but think of how this alignment of government and corporate power would have been received among the tech and media establishment in the United States had something similar taken place in the former Soviet Union: imagine if the KGB funded a special crypto fax line and told Aleksandr Solzhenitsyn and dissident samizdat writers to use it, promising that it was totally shielded from KGB operatives. Then imagine that Solzhenitsyn would not only believe the KGB, but would tell all his dissident buddies to use it: “It’s totally safe.” The KGB’s efforts would be mercilessly ridiculed in the capitalist West, while Solzhenitsyn would be branded a collaborator at worst, or a stooge at best. Ridiculous as this fusion of tech and state interests under the rubric of dissidence is on the face of things, in America this plan can somehow fly.

As I laid out this analogy, Durov nodded in agreement. “I don’t think it’s a coincidence that we both understand how naïve this kind of thinking is, and that we were both born in the Soviet Union.”[/quote]

Nick 2017-12-21 08:45

[QUOTE]
Apps like Tor ... promised to protect users from America’s all-seeing surveillance apparatus.
[/QUOTE]
It sounds as if the author has not really studied the history of Tor or talked to the people behind it.

ewmayer 2018-01-11 02:02

Article on post-quantum cryptography, aimed at the layperson, but interesting nonetheless:

[url=nautil.us/blog/-how-classical-cryptography-will-survive-quantum-computers]Why Quantum Computers Won’t Break Classical Cryptography[/url] | Nautil.us

ewmayer 2018-01-29 00:08

[url=https://thebaffler.com/the-future-sucked/your-faceprint-tomorrow-silverman]Your Faceprint Tomorrow[/url] | Jacob Silverman, [i]The Baffler[/i]

xilman 2018-01-29 07:27

[URL="https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases"]All your bases are belong to U.S.[/URL]

ewmayer 2018-02-18 23:17

[url=https://thebaffler.com/latest/oakland-surveillance-levine]Surveillance Valley[/url] | Yasha Levine, [i]The Baffler[/i]

ewmayer 2018-03-02 07:05

o [url=https://www.nature.com/articles/d41586-018-01835-3]The quantum internet has arrived (and it hasn’t)[/url] | Nature

Discussion re. how the various national Intel services will possibly go about weakening, outright banning, or bypassing (e.g. via hardware implants) the promise of quantum comms security is welcome.

o [url=https://arstechnica.com/information-technology/2018/02/in-the-wild-ddoses-use-new-way-to-achieve-unthinkable-sizes/]In-the-wild DDoSes use new way to achieve unthinkable sizes[/url] | Ars Technica: [i]Attackers abuse “memcached” to amplify volumes by an unprecedented factor of 51k.[/i]
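
As an added illustration of the memcached reflection technique in the Ars article (this is example code written for this thread, not anything from the article or the memcached project): a UDP "get" of a few bytes, sent with the victim's address spoofed as the source, makes an Internet-exposed memcached instance fire a response of up to hundreds of kilobytes at the victim. The detection logic below runs over a handful of constructed flow records (not real traffic; addresses are documentation ranges) and pairs each request to port 11211 with the response that came back, flagging any reflector/victim pair whose response-to-request byte ratio exceeds a threshold. Record layout, function names and the threshold are my own assumptions.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample flow records, not captured traffic.
# Fields: timestamp proto src_ip src_port dst_ip dst_port packets bytes
# 203.0.113.7 is the (spoofed) victim; 198.51.100.x are exposed memcached hosts.
SAMPLE_FLOWS = """\
# ts         proto src             sport dst             dport pkts bytes
1519974000   UDP   203.0.113.7     41234 198.51.100.10   11211 1    15
1519974000   UDP   198.51.100.10   11211 203.0.113.7     41234 520  750000
1519974001   UDP   203.0.113.7     41234 198.51.100.11   11211 1    15
1519974001   UDP   198.51.100.11   11211 203.0.113.7     41234 480  690000
1519974002   UDP   192.0.2.5       53    203.0.113.9     5353  1    120
1519974002   TCP   192.0.2.20      11211 192.0.2.21      50000 10   800
1519974003   UDP   198.51.100.12   11211 203.0.113.7     41234 1    40
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, sip, sport, dip, dport, pkts, nbytes = line.split()
        flows.append({
            "ts": int(ts), "proto": proto,
            "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport),
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows


def find_reflectors(text, min_factor=100, port=MEMCACHED_PORT):
    """Return {(reflector_ip, victim_ip): stats} for UDP memcached pairs
    whose response bytes exceed request bytes by at least min_factor."""
    stats = defaultdict(lambda: {"request_bytes": 0, "response_bytes": 0})
    for f in parse_flows(text):
        if f["proto"] != "UDP":
            continue  # the amplification abuse is UDP-only; TCP 11211 is ignored
        if f["dport"] == port:
            # request: (spoofed) victim -> reflector
            stats[(f["dst"], f["src"])]["request_bytes"] += f["bytes"]
        elif f["sport"] == port:
            # response: reflector -> victim
            stats[(f["src"], f["dst"])]["response_bytes"] += f["bytes"]

    flagged = {}
    for (reflector, victim), s in stats.items():
        if s["request_bytes"] == 0:
            # A response with no visible request gives no ratio; the spoofed
            # request may have entered via another path, so log it separately
            # in a real deployment rather than silently dropping it.
            continue
        factor = s["response_bytes"] / s["request_bytes"]
        if factor >= min_factor:
            flagged[(reflector, victim)] = {**s, "factor": factor}
    return flagged


if __name__ == "__main__":
    for (reflector, victim), s in find_reflectors(SAMPLE_FLOWS).items():
        print(f"{reflector} -> {victim}: x{s['factor']:.0f} "
              f"({s['request_bytes']} B in, {s['response_bytes']} B out)")
```

In the constructed sample, the two 15-byte requests draw 750,000- and 690,000-byte responses, i.e. factors of 50,000 and 46,000, in the range the article reports. The fix on the reflector side is to stop listening on UDP at all (memcached's `-U 0` option) or to firewall port 11211 from the Internet; the fix on the network side is source-address validation so the spoofed request never leaves its origin network.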

Dubslow 2018-03-16 01:19

[url]https://www.us-cert.gov/ncas/alerts/TA18-074A[/url]

chalsall 2018-03-16 01:33

[QUOTE=Dubslow;482457][url]https://www.us-cert.gov/ncas/alerts/TA18-074A[/url][/QUOTE]

For those who don't know about it, [URL="http://www.dpstele.com/scada/introduction-fundamentals-implementation.php"]SCADA[/URL] controls your world's infrastructure.

For those who do know about it, be very afraid if any part of that network is connected to the Internet.

Even "air gaps" can be a problem....

ewmayer 2018-03-22 00:47

[QUOTE=Dubslow;482457][url]https://www.us-cert.gov/ncas/alerts/TA18-074A[/url][/QUOTE]

I have three questions which I'd like to see the Intel agencies address:

[1] How reliable is the Russian-government attribution? IOW, was spoofing ruled out, and if so, how?

[2] Are the Deplorable Rooskies uniquely bad in this regard, or are other state-level actors doing similar probing?

[3] Are we to believe our own Intel complex is not engaged in similar activities?

Dubslow 2018-03-22 02:00

[QUOTE=ewmayer;483023]I have three questions which I'd like to see the Intel agencies address:

[1] How reliable is the Russian-government attribution? IOW, was spoofing ruled out, and if so, how?

[2] Are the Deplorable Rooskies uniquely bad in this regard, or are other state-level actors doing similar probing?

[3] Are we to believe our own Intel complex is not engaged in similar activities?[/QUOTE]

Although I can't speak to 1 and 2, I should think that 3 is a very obvious "no". In fact I would think we're supposed to think that "we" are doing it even better than this report states.

Dr Sardonicus 2018-03-24 15:13

[QUOTE=ewmayer;483023]I have three questions which I'd like to see the Intel agencies address:

[1] How reliable is the Russian-government attribution? IOW, was spoofing ruled out, and if so, how?[/quote]

Dunno.

[quote][2] Are the Deplorable Rooskies uniquely bad in this regard, or are other state-level actors doing similar probing?[/quote]

Dunno, but my guess is, "No, yes -- and non-state-level actors, too."

[quote][3] Are we to believe our own Intel complex is not engaged in similar activities?[/QUOTE]

No. Have been, for a long time. My vague recollections from the distant past conjured the parameters "malware russia gas line explosion" for a Google search. Among the hits was this 2004 [url=https://www.nytimes.com/2004/02/02/opinion/the-farewell-dossier.html]William Safire column[/url].

In my estimation, the real problem on the US end is, the folks running power plants -- like the folks running a lot of companies in the private sector -- aren't taking this sort of thing seriously.

xilman 2018-03-24 18:17

[QUOTE=Dr Sardonicus;483271]In my estimation, the real problem on the US end is, the folks running power plants -- like the folks running a lot of companies in the private sector -- aren't taking this sort of thing seriously.[/QUOTE]Another real problem, and I wish I could remember the guy's name, is that a PhD student had his thesis classified because its first version contained the locations of about a dozen locations where about a dozen back-hoes could take out over 90% of the internet in the US. His university kicked up a fuss and a censored version was submitted to allow him to gain his doctorate.

Nothing I've learned since suggests that the situation is any more resilient to spetznaz activity. Perhaps no news really is good news in this respect.

Nick 2018-03-24 22:00

Our credit card company is introducing two factor authentication for Internet purchases: in addition to the existing checks, they want to send a mobile text message (SMS) which you then type in as well to complete the online transaction.
At the same time, we have the impression that our telco is busy replacing its expensive old telephony switches with VOIP technology (they have just announced an end date for two-channel ISDN, for example).

So apparently we shall be relying more and more on the independence of the phone network while the distinction between it and the Internet becomes less and less...:confused2:

Dr Sardonicus 2018-03-26 14:49

[QUOTE=xilman;483286]Another real problem, and I wish I could remember the guy's name, is that a PhD student had his thesis classified because its first version contained the locations of about a dozen locations where about a dozen back-hoes could take out over 90% of the internet in the US. His university kicked up a fuss and a censored version was submitted to allow him to gain his doctorate.

Nothing I've learned since suggests that the situation is any more resilient to spetznaz activity. Perhaps no news really is good news in this respect.[/QUOTE]
As I like to say, "Today's fiber-optic network is no match for an idiot with a backhoe." But that's unfair to backhoe operators, because it seems to be more often the case, the problem is a bad job of locating underground utilities.

Speaking of digging, a few minutes' worth of Googling turned up a

[url=https://www.washingtonpost.com/archive/politics/2003/07/08/dissertation-could-be-security-threat/32266f9d-0ae4-4185-84d5-967ce77f4fa8/]2003 WAPO story[/url]

that may refresh your memory about that dissertation.

Uncwilly 2018-03-26 17:52

[QUOTE=Dr Sardonicus;483425]As I like to say, "Today's fiber-optic network is no match for an idiot with a backhoe." But that's unfair to backhoe operators, because it seems to be more often the case, the problem is a bad job of locating underground utilities.[/QUOTE]
Speaking from personal experience, sometimes it is not the location service's fault either. I consulted on a breach of a high pressure gas line in the 15 cm diameter range. The backhoe hit it after the meter, which is past the utility's responsibility. Meter by like :spinner: The utility reps had no idea about the line. The local fire brigade was called to the location. Lots of fun....

chalsall 2018-03-26 18:43

[QUOTE=Uncwilly;483442]I consulted on a breach of a high pressure gas line in the 15 cm diameter range. The backhoe hit it after the meter, which is past the utilities responsibility. Meter by like :spinner:[/QUOTE]

Yeah. Known in the industries as the "demarcation point".

[QUOTE=Uncwilly;483442]The utility reps had no idea about the line. The local fire brigade was called to the location. Lots of fun....[/QUOTE]

I bet!

Hopefully no one was stupid enough to try to light a ciggy during the incident! :wink:

Dr Sardonicus 2018-03-27 19:21

[QUOTE=Uncwilly;483442]Speaking from personal experience, sometimes it is not the location services fault either. I consulted on a breach of a high pressure gas line in the 15 cm diameter range. The backhoe hit it after the meter, which is past the utilities responsibility. Meter by like :spinner: The utility reps had no idea about the line. The local fire brigade was called to the location. Lots of fun....[/QUOTE]
That's interesting -- having what amounts to an HP gas main [i]on the user's side of a meter[/i]. I'm guessing the customer was a major industrial operation -- which would be good, in the sense that it would probably be well away from residential areas. But -- with a meter right there, surely utility reps would at least have been able to identify who the customer was.

Uncwilly 2018-03-27 20:20

[QUOTE=chalsall;483447]Hopefully no one was stupid enough to try to light a ciggy during the incident! :wink:[/QUOTE]The backhoe operator shut off the machine as soon as they realised what happened.[QUOTE=Dr Sardonicus;483562]But -- with a meter right there, surely utility reps would at least have been able to identify who the customer was.[/QUOTE]
The incident happened about 1.5km (pipe distance) from the meter. Yes it was an industrial site. They had not used the line (much, to heat the office, etc.) in several years. The on-site personnel did not know about the line.

chalsall 2018-03-27 23:22

[QUOTE=Uncwilly;483573]The on-site personnel did not know about the line.[/QUOTE]

F' me! Someone could get a scar from that!

LaurV 2018-03-28 06:59

[QUOTE=Uncwilly;483573]They had not used the line (much, to heat the office, etc.) in several years.[/QUOTE]
This is due to global warning.

Dr Sardonicus 2018-03-28 14:12

[QUOTE=Uncwilly;483573]The backhoe operator shut off the machine as soon as they realised what happened.
The incident happened about 1.5km (pipe distance) from the meter. Yes it was an industrial site. They had not used the line (much, to heat the office, etc.) in several years. The on-site personnel did not know about the line.[/QUOTE]If they weren't using the line much, I guess the meter didn't start whizzing around until the oopsadaisy with the backhoe. I'm glad the operator knew what to do, and nobody got hurt.

Reminds me of one time years ago when my neighbors were on vacation, and their sprinkling system breached somewhere. I didn't realize it at first, because we'd been getting a lot of rain, so that swampy area out back wasn't remarkable. But when it was still swampy after a week of dry weather, I tossed in some mosquito dunks, and investigated. I traced the source: water was pouring out of the ground in the neighbor's yard. They'd given a key to another neighbor, so I went to him. He shut off the sprinkler system, and the water stopped immediately.

When the neighbors returned, I told the guy about the problem. He didn't believe me. No, he said, that was water percolating from further uphill.

A couple of days later, I saw his wife working in their garden. She told me they'd gotten a call from Utilities, because they'd noticed an extraordinary amount of water usage at their house. The water bill was around $350.00.

I can only guess, but I imagine her husband believed me then...

chalsall 2018-03-29 18:24

[QUOTE=Dr Sardonicus;483647]If they weren't using the line much, I guess the meter didn't start whizzing around until the oopsadaisy with the backhoe. I'm glad the operator knew what to do, and nobody got hurt.[/QUOTE]

A friend of mine's first job was in the mining industry.

Just out of university, he was paid good coin to sit opposite a digger digging a hole, observing. They knew old gas lines ran all over the place, but didn't know where they were.

"I don't know what I'm watching for" he said. "Don't worry; you'll figure it out" answered the operator, and then started digging.

My friend said that as he watched the soil fall after each shallow scoop he could actually see where something linear and strong was. Sometimes it was a plant root; sometimes it was an old pipe.

Dr Sardonicus 2018-03-30 14:33

[QUOTE=chalsall;483779]A friend of mine's first job was in the mining industry.

Just out of university, he was paid good coin to sit opposite a digger digging a hole, observing. They knew old gas lines ran all over the place, but didn't know where they were.

"I don't know what I'm watching for" he said. "Don't worry; you'll figure it out" answered the operator, and then started digging.

My friend said that as he watched the soil fall after each shallow scoop he could actually see where something linear and strong was. Sometimes it was a plant root; sometimes it was an old pipe.[/QUOTE]
Some years ago, the local utility company hired an excavating firm to put a couple of "taps" for service lines in a sewer main which was buried under the street near my house. The main had been "located" and the street marked with a splotch of paint. But when the excavators dug there -- no sewer main! So, they began to trench toward where they reckoned the main was. Along the way, they unexpectedly encountered a pipe -- an abandoned gas line or something, buried a lot less deep than what they were digging for. The locator hadn't known about it, so hadn't marked it. They dug around it, leaving it without a scratch, bridging the trench. That backhoe operator was [i]good[/i] -- he probably could have flipped a dime with that thing. They eventually did find the sewer main and tapped into it, but because of the bad locate, the job took an extra day.

[i]Any[/i]how, the operator told me they sometimes had to dig up buried pipes or whatever, in places where any records of exactly where they might have been buried were long gone. In a situation like that, they could tell from the way the layers of soil looked in shallow test digs, whether it had been dug up before -- even a hundred years ago. Once they found where it had been dug up before, they'd know to dig deeper.

This brought something to mind: I have often seen an unfortunate proclivity in people to dismiss skilled professionals -- be they plumbers, construction workers, or excavators -- as somehow unworthy of respect because of the kind of work they do. But there is a maxim, "The devil is in the details." And it is perhaps well to keep in mind that, in any skilled work, even digging a large hole in the ground, there are [i]always[/i] details.

Uncwilly 2018-03-30 20:08

[QUOTE=Dr Sardonicus;483817]They eventually did find the sewer main and tapped into it, but because of the bad locate, the job took an extra day.
...
This brought something to mind: I have often seen an unfortunate proclivity in people to dismiss skilled professionals -- be they plumbers, construction workers, or excavators -- as somehow unworthy of respect because of the kind of work they do. But there is a maxim, "The devil is in the details." And it is perhaps well to keep in mind that, in any skilled work, even digging a large hole in the ground, there are [i]always[/i] details.[/QUOTE]
There is a major public works project in my area that is taking months longer than planned because of "unknown" utilities. They have been found and have had to be rerouted for the project.

One of my favourite quotes that applies here:
[QUOTE]"We must learn to honor excellence in every socially accepted human activity, however humble the activity, and to scorn shoddiness, however exalted the activity.

An excellent plumber is infinitely more admirable than an incompetent philosopher.

The society that scorns excellence in plumbing because plumbing is a humble activity and tolerates shoddiness in philosophy because it is an exalted activity will have neither good plumbing nor good philosophy. Neither its pipes nor its theories will hold water."[/QUOTE]--John Gardner (United States Secretary of Health, Education, and Welfare 65-68), "Excellence"

Dr Sardonicus 2018-03-31 13:36

[QUOTE=Uncwilly;483835]There is a major public works project in my area that is taking months longer than planned because of "unknown" utilities. They have been found and have had to be rerouted for the project.[/QUOTE]
This reminds me of a curious aspect of the Sears Tower (now the Willis Tower) in Chicago, involving [i]known[/i] utilities. In [u][b]CLOUT[/b][/u] -- [i]Mayor Daley and His City[/i], [b]Len O'Connor[/b] wrote the following about the sale of a block of a city street to make room for the structure:
[quote]The price of $130 per square foot was about $40 over the sale price of much less valuable streets and alleys, but in selling the block of Quincy Street to Sears at the price of $2,767,000, the city agreed to absorb the $1,122,000 cost of relocating the water and sewer lines beneath the street -- and this cut the cost per square foot from $130 to $77, which was indeed a bargain basement price.[/quote]

ewmayer 2018-03-31 22:02

[url=https://www.reuters.com/article/us-usa-immigration-visa/u-s-visa-applicants-to-be-asked-for-social-media-history-state-department-idUSKBN1H611P]U.S. visa applicants to be asked for social media history: State Department[/url] | Reuters

This is of course madness, but madness of a predictable, ever-encroaching you-knew-this-was-gonna-happen kind. China is busily tying the right to participate in society to an Orwellian all-your-data-aggregated "social credit score", they are simply a few years ahead of us and more naked in their drive to enforce conformity and crush all forms of dissent.

DHS has also been less than coy in their push to condition the citizenry to begin expecting to [url=https://www.theatlantic.com/technology/archive/2017/02/give-us-your-passwords/516315/]have to cough up their social media passwords at the border[/url].

Dr Sardonicus 2018-04-01 13:41

[QUOTE=ewmayer;483892][url=https://www.reuters.com/article/us-usa-immigration-visa/u-s-visa-applicants-to-be-asked-for-social-media-history-state-department-idUSKBN1H611P]U.S. visa applicants to be asked for social media history: State Department[/url] | Reuters

This is of course madness, but madness of a predictable, ever-encroaching you-knew-this-was-gonna-happen kind. China is busily tying the right to participate in society to an Orwellian all-your-data-aggregated "social credit score", they are simply a few years ahead of us and more naked in their drive to enforce conformity and crush all forms of dissent.

DHS has also been less than coy in their push to condition the [b][i]citizenry[/i][/b] to begin expecting to [url=https://www.theatlantic.com/technology/archive/2017/02/give-us-your-passwords/516315/]have to cough up their social media passwords at the border[/url].[/QUOTE]
One might reasonably object to the use of the word "citizenry" (my emphasis) in the above. After all, the cited articles do say (again my emphasis)

[quote]The proposal, if approved by the Office of Management and Budget (OMB), would require most [b][i]immigrant and non-immigrant visa applicants[/b][/i] to list all social media identities they have used in the past five years.[/quote]
and
[quote]“What sites do you visit? And give us your passwords.”

That’s what U.S. Homeland Security Secretary John Kelly wants [b]foreign visitors[/b] to hear before they’re allowed to enter the United States.[/quote]

However, that objection might just as reasonably be answered, by reading the second article all the way to the end:

[quote]An American citizen entering the U.K. might be asked to turn over his passwords, for example, which will promptly be shared with the U.S. government. “Think of it as backdoor built into your constitutional rights,” Zdziarski wrote.[/quote]

Hmm. What if you don't [i]have[/i] any social media accounts? Would posting to forums (like this one) count?

ewmayer 2018-04-07 06:12

[url=https://www.schneier.com/blog/archives/2018/04/subverting_back.html]Subverting Backdoored Encryption[/url] | Schneier on Security -- Discusses a proposed subliminal communication scheme, or 'ASCII steganography', if you will. From the paper Schneier is discussing:
[quote][b]Abstract:[/b] In this work, we examine the feasibility of secure and undetectable point-to-point communication in a world where governments can read all the encrypted communications of their citizens. We consider a world where the only permitted method of communication is via a government-mandated encryption scheme, instantiated with government-mandated keys. Parties cannot simply encrypt ciphertexts of some other encryption scheme, because citizens caught trying to communicate outside the government's knowledge (e.g., by encrypting strings which do not appear to be natural language plaintexts) will be arrested. The one guarantee we suppose is that the government mandates an encryption scheme which is semantically secure against outsiders: a perhaps reasonable supposition when a government might consider it advantageous to secure its people's communication against foreign entities. But then, what good is semantic security against an adversary that holds all the keys and has the power to decrypt?

We show that even in the pessimistic scenario described, citizens can communicate securely and undetectably. In our terminology, this translates to a positive statement: all semantically secure encryption schemes support subliminal communication. Informally, this means that there is a two-party protocol between Alice and Bob where the parties exchange ciphertexts of what appears to be a normal conversation even to someone who knows the secret keys and thus can read the corresponding plaintexts. And yet, at the end of the protocol, Alice will have transmitted her secret message to Bob. Our security definition requires that the adversary not be able to tell whether Alice and Bob are just having a normal conversation using the mandated encryption scheme, or they are using the mandated encryption scheme for subliminal communication.[/quote]
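
A worked illustration of the kind of protocol the abstract describes, added here for this thread (it is my own example, not the paper's construction or any code from the authors): the mandated scheme is a toy randomized cipher (HMAC-SHA256 as a PRF in counter mode, fresh 16-byte randomness per message) whose key the government holds. Alice and Bob additionally share a secret the government does not have. For each innocuous cover message, Alice simply re-encrypts it with fresh randomness until a keyed hash of the resulting ciphertext carries the next few bits of her hidden message (rejection sampling, about 2^bits attempts per message); Bob recomputes the hash. The government decrypts every ciphertext and sees only the cover conversation, and each accepted ciphertext is still an honest random encryption of that cover text, so nothing in the plaintexts or ciphertexts marks the exchange as special. The cipher, the 4-bits-per-message rate and all names are assumptions of this example; the abstract's point is that this works against any semantically secure scheme because such a scheme must be randomized.

```python
import hashlib
import hmac
import os

BITS_PER_MSG = 4          # hidden bits carried per cover message (2^4 expected tries)
NONCE_LEN = 16


def prf(key: bytes, r: bytes, n: int) -> bytes:
    """Expand PRF_key(r) to n bytes: HMAC-SHA256 in counter mode (toy, for illustration)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, r + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def mandated_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Government-mandated randomized scheme: Enc_k(m) = r || (PRF_k(r) XOR m)."""
    r = os.urandom(NONCE_LEN)
    pad = prf(key, r, len(plaintext))
    return r + bytes(a ^ b for a, b in zip(pad, plaintext))


def mandated_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """What the government (key holder) does to every ciphertext it collects."""
    r, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    pad = prf(key, r, len(body))
    return bytes(a ^ b for a, b in zip(pad, body))


def tag_bits(sub_key: bytes, ciphertext: bytes) -> int:
    """Low BITS_PER_MSG bits of HMAC_s(ciphertext); s is the Alice/Bob secret."""
    t = hmac.new(sub_key, ciphertext, hashlib.sha256).digest()
    return t[0] & ((1 << BITS_PER_MSG) - 1)


def to_chunks(data: bytes):
    bits = "".join(f"{b:08b}" for b in data)
    return [int(bits[i:i + BITS_PER_MSG], 2) for i in range(0, len(bits), BITS_PER_MSG)]


def from_chunks(chunks) -> bytes:
    bits = "".join(f"{c:0{BITS_PER_MSG}b}" for c in chunks)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def alice_send(mandated_key: bytes, sub_key: bytes, cover_msgs, hidden: bytes):
    """Encrypt each cover message with the mandated scheme, re-randomizing until
    the keyed tag of the ciphertext equals the next hidden chunk. Returns the
    ciphertexts (what the government sees) and the number of attempts used."""
    chunks = to_chunks(hidden)
    if len(cover_msgs) < len(chunks):
        raise ValueError("need one cover message per hidden chunk")
    out, tries = [], 0
    for cover, want in zip(cover_msgs, chunks):
        while True:
            tries += 1
            ct = mandated_encrypt(mandated_key, cover)
            if tag_bits(sub_key, ct) == want:
                out.append(ct)
                break
    return out, tries


def bob_receive(sub_key: bytes, ciphertexts, hidden_len: int) -> bytes:
    """Bob never needs the mandated key for the hidden message, only the shared secret."""
    return from_chunks([tag_bits(sub_key, ct) for ct in ciphertexts])[:hidden_len]


if __name__ == "__main__":
    mandated_key = b"held-by-the-government"          # assumed key material
    sub_key = b"alice-and-bob-only"                   # assumed shared secret
    covers = [b"how are you today?", b"fine, busy week", b"dinner friday?", b"sure, 7pm"]
    cts, tries = alice_send(mandated_key, sub_key, covers, b"ok")
    print("government reads:", [mandated_decrypt(mandated_key, c) for c in cts])
    print("bob extracts:", bob_receive(sub_key, cts, 2), "after", tries, "encryptions")
```

The cost is bandwidth, not security: at 4 hidden bits per cover message, two bytes of hidden text need four innocuous messages and, on average, 64 encryptions. The channel stands or falls on the shared secret; if the government also held that, or could see Alice's retry behaviour on the endpoint, the tags would single out the pair immediately, which is the metadata concern raised later in this thread.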

Dr Sardonicus 2018-04-07 16:36

[QUOTE=ewmayer;484649][url=https://www.schneier.com/blog/archives/2018/04/subverting_back.html]Subverting Backdoored Encryption[/url] | Schneier on Security -- Discusses a proposed scheme of subliminal communication schemes, or 'ascii steganography', if you will. From the paper Schneier is discussing:[quote]We show that even in the pessimistic scenario described, citizens can communicate securely and undetectably. In our terminology, this translates to a positive statement: all semantically secure encryption schemes support subliminal communication. Informally, this means that there is a two-party protocol between Alice and Bob where the parties exchange ciphertexts of what appears to be a normal conversation even to someone who knows the secret keys and thus can read the corresponding plaintexts. And yet, at the end of the protocol, Alice will have transmitted her secret message to Bob.[/quote][/QUOTE]
So, for example, an E-mail with such innocuous content as
[quote]"I met today with the guy who gave you your [b]biggest black caviar jar[/b] several years ago. We spent about 5 hours talking about his story, and I have several important messages from him to you. He asked me to go and brief you on our conversation. I said I have to run it by you first, but in principle I am prepared to do it, provided that he buys me a ticket. It has to do about the future of his country, and is quite interesting."[/quote]

would be completely secure against any suspicion that it had anything to do with payoffs...

retina 2018-04-08 01:32

[QUOTE=Dr Sardonicus;484700]So, for example, an E-mail with such innocuous content as <snip> would be completely secure against any suspicion that it had anything to do with payoffs...[/QUOTE]Yes, but the difference is one can transmit arbitrary content; images, videos, text, links, whatever.

But I do wonder about why the meta-data was not mentioned. It isn't just the content that has important information, but also the people you communicate with. IMO one needs to solve the meta-data issue also.

retina 2018-04-08 13:51

All your images are belong to us, forever
 
[url]https://spectrum.ieee.org/tech-talk/semiconductors/optoelectronics/selfpowered-image-sensor-could-watch-you-forever[/url] [quote]With such an energy harvesting imager integrated with and powering a tiny processor and wireless transceiver you could “put a small camera, almost invisible, anywhere,” ...

...

If the project continues, they’ll work to integrate everything needed for a self-powered wireless camera.[/quote]

ewmayer 2018-04-10 00:03

[url=www.dailymail.co.uk/sciencetech/article-5577055/Chromes-built-anti-virus-tool-scanning-private-files-computer.html]Privacy outrage after Google users discover Chrome's built-in anti-virus tool is scanning private files on their computers without telling them[/url] | Daily Mail

My question to such outraged Google users would be: given Google's dismal track record with regard to user privacy (e.g. Gmail scanning the content of every e-mail and doing who-knows-what with it) and Facebook-style "our users *are* the product" business model, why would they be in the least bit surprised by this discovery about Chrome?

If you haven't yet ditched Google and Facebook in their entirety, you are part of the problem. Starve the beast!

Dr Sardonicus 2018-04-10 12:57

[QUOTE=ewmayer;484904][url=www.dailymail.co.uk/sciencetech/article-5577055/Chromes-built-anti-virus-tool-scanning-private-files-computer.html]Privacy outrage after Google users discover Chrome's built-in anti-virus tool is scanning private files on their computers without telling them[/url] | Daily Mail

My question to such outraged Google users would be why, given Google's dismal track record with regard to user privacy (e.g. Gmail scanning the content of every e-mail and doing who-knows-what with it) and Facebook-style "our users *are* the product" business model, why would they be in the least bit surprised by this discovery about Chrome?

If you haven't yet ditched Google and Facebook in their entirety, you are part of the problem. Starve the beast![/QUOTE]It's not the files being scanned that should concern them. After all, what files is an anti-virus tool [i]not[/i] supposed to scan? The part that would burn my toast is (my emphasis),

[quote]Chrome Cleanup Tool, a browser component added in 2014 to scan and remove malicious or resource heavy software, is behind the outcry.

It was originally an optional add on for Chrome, letting users get rid of malware and bloatware they may have unintentionally installed.

[b]In October 2017, the Mountain View firm re-branded it and made it a compulsory part of the Chrome installation - without users' knowledge.[/b][/quote]

ewmayer 2018-04-21 00:52

End-of-week link dump time:

o [url=http://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4]Hackers Stole a Casino's Database Through a Thermometer In the Lobby Fish Tank[/url] | Business Insider

o [url=https://www.bleepingcomputer.com/news/government/fda-wants-medical-devices-to-have-mandatory-built-in-update-mechanisms/]FDA Wants Medical Devices to Have Mandatory Built-In Update Mechanisms[/url] | Bleeping Computer. If it can be remotely updated, it can be hacked - imagine the extortion possibilities! (To say nothing of the pay-up-or-die rent extraction business model this would enable.) Having one's IoT toy bricked or computer encrypted by hackers is merely infuriating. Having one's insulin pump or pacemaker suffer such a fate, jeebus.

o [url=https://www.theguardian.com/technology/2018/apr/17/facebook-admits-tracking-users-and-non-users-off-site]Facebook admits tracking users and non-users off-site[/url] | Guardian: [i]Statement comes as company faces US lawsuit over facial recognition feature launched in 2011 and planned to expand to EU[/i]
[quote]In a blog post, Facebook’s product management director, David Baser, wrote that the company tracked users and non-users across websites and apps for three main reasons: providing services directly, securing the company’s own site, and “improving our products and services”.

“When you visit a site or app that uses our services, we receive information even if you’re logged out or don’t have a Facebook account. This is because other apps and sites don’t know who is using Facebook,” Baser wrote.

“Whether it’s information from apps and websites, or information you share with other people on Facebook, we want to put you in control – and be transparent about what information Facebook has and how it is used.”[/quote]
The level of cognitive dissonance in that "we can explain" quote by Mr. Baser is breathtaking, no?

Related:

o [url=https://freedom-to-tinker.com/2018/04/18/no-boundaries-for-facebook-data-third-party-trackers-abuse-facebook-login/]No boundaries for Facebook data: third-party trackers abuse Facebook Login[/url] | Freedom to Tinker
[quote]Today we report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from websites through “login with Facebook” and other such social login APIs… Facebook Login and other social login systems simplify the account creation process for users by decreasing the number of passwords to remember…. We’ve uncovered an additional risk: when a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site.[/quote]
o [url=https://www.theguardian.com/commentisfree/2018/apr/11/mark-zuckerbergs-facebook-hearing-sham]Mark Zuckerberg's Facebook hearing was an utter sham[/url] | Zephyr Teachout

o [url=https://techcrunch.com/2018/04/17/facebook-gdpr-changes/]A flaw-by-flaw guide to Facebook’s new GDPR privacy changes[/url] | TechCrunch
[quote]With a design that encourages rapidly hitting the “Agree” button, a lack of granular controls, a laughably cheatable parental consent request for teens and an aesthetic overhaul of Download Your Information that doesn’t make it any easier to switch social networks, Facebook shows it’s still hungry for your data.[/quote]
o [url=https://techcrunch.com/2018/04/20/just-say-no/]Facebook starts its facial recognition push to Europeans[/url] | TechCrunch
[quote]But under impending changes to its [Terms and Conditions (T&Cs)] — ostensibly to comply with the EU’s incoming GDPR data protection standard — the company has crafted a manipulative consent flow that tries to sell people on giving it their data; including filling in its own facial recognition blanks by convincing Europeans to agree to it grabbing and using their biometric data after all. Users who choose not to switch on facial recognition still have to click through a ‘continue’ screen before they get to the off switch. On this screen Facebook attempts to convince them to turn it on — using manipulative examples of how the tech can "protect” them.[/quote]

o [url=https://tech.thaivisa.com/gmail-introduce-new-privacy-features-including-confidential-mode-self-destructing-emails/28302/]Gmail to introduce new privacy features, including ‘confidential mode’ and self destructing emails[/url] | Thai Tech

One reader comments:
[quote][i]
The feature also includes a confidential mode which will prevent the recipient of the email from forwarding, downloading, printing or copying and pasting text from the email.
[/i]
Um, it doesn’t prevent you from taking a screen shot and posting it on Twitter, I assume.

“Staff Writer”’s opinions aside, Google’s strange improvements do highlight the need for major improvements to the email protocol here in the post-ARPANET era. A lot of commercial firms (medical and financial, e.g.) rightly discourage the use of email for sensitive material, instead setting up awkward and lame proprietary systems as part of their own web sites. It’s a cumbersome arrangement, and the need to visit and separately log in to every individual site to see if you have “mail” misses most of the point of email: having a convenient single inbox where you can get and file messages from, and reply to, all senders you’re corresponding with, using a familiar and sophisticated mail client.

I can think of several issues:

(1) Privacy of the actual message while in transit. This is the obvious one, and has been addressed in non-standardized and hard to use ways by things like PGP.

(2) Privacy of routing info and metadata while in transit. Building a graph of people’s associates is a big goal of surveillance programs, and if 3rd parties can see who you’re corresponding with by watching mail traffic, they can easily do it. Tor tries to use a complex arrangement to obscure the relationship between senders and receivers for web services to address this vulnerability.

(3) Privacy while at rest on a mail server. Email is generally store-and-forward, so there are going to be one or more places where your mail is sitting on a 3rd party server where it’s fair game for the operator, their employees, and law enforcement. The identity of the sender and receiver, and the message content, need to be protected during this time.

(4) Privacy while at rest in your own mail client(s) and device disks. Similar to 3, but a different vulnerability in that all your material is conveniently collected in one place for snoops, customs agents, and law enforcement. This vulnerability may be covered by other schemes to protect the entire device, e.g., whole disk encryption.

(5) Authentication. The system needs to be able to recognize you and bring the appropriate decryption or whatever to bear, while ensuring that this doesn’t happen for others. Not a unique problem, but it’s not being solved very well right now despite a lot of effort and thinking by people in the field.

(6) Key management. I assume a lot of this would be managed by asymmetric crypto systems, so senders would use your public key to do various things, and you would use your private key to “undo” them. Managing these keys has always been difficult in, e.g., PGP, and has made that system largely unusable unless you are really knowledgeable and dedicated.

It would be great to gather the same mental firepower that developed the original email standards back in the nice-guy era and have them do V2.0 for the present day, developing new standards that everyone would adopt and support so we could use email with confidence and privacy.[/quote]

henryzz 2018-04-23 16:07

Relevant story to this thread. [url]http://finestories.com/s/10906/the-reset-manifesto[/url]

ewmayer 2018-05-01 01:47

o [url=www.scmp.com/news/china/society/article/2143899/forget-facebook-leak-china-mining-data-directly-workers-brains]‘Forget the Facebook leak’: China is mining data directly from workers’ brains on an industrial scale[/url] | South China Morning Post. [i]Government-backed surveillance projects are deploying brain-reading technology to detect changes in emotional states in employees on the production line, the military and at the helm of high-speed trains[/i]

And you can be sure that government efforts to 'weaponize' this kind of technology by turning it into a tool of lie detection and forced re-education are proceeding apace. The wearable caps are reminiscent of the ones in John Christopher's 1967 [url=https://en.wikipedia.org/wiki/The_Tripods]Tripods Trilogy[/url] (note that the fourth novel, the prequel [i]When The Tripods Came[/i], was written 20 years later), one of my early-teen-self's favorite SciFi opuses.

o [url=https://boingboing.net/2018/04/26/user-supplied-listening-device.html]Security researchers can turn Alexa into a transcribing, always-on listening device[/url] | Boing Boing: “Checkmarx researchers including Erez Yalon have created a ‘rogue Alexa skill’ that bypasses Amazon’s security checks: it lurks silently and unkillably in the background of your Alexa, listening to all speech in range of it and transcribing it, then exfiltrating the text and audio of your speech to the attacker.”

o [url=nymag.com/selectall/2018/04/richard-stallman-rms-on-privacy-data-and-free-software.html]Richard Stallman, RMS, on Privacy, Data, and Free Software[/url] | NY Magazine. "No company is so important that its existence justifies setting up a police state. And a police state is what we’re heading toward."

o [url=https://www.bloomberg.com/features/2018-palantir-peter-thiel/]Palantir Knows Everything About You[/url] | Bloomberg
Peter Thiel’s data-mining company is using War on Terror tools to track American citizens. The scary thing? Palantir is desperate for new customers.
[quote]High above the Hudson River in downtown Jersey City, a former U.S. Secret Service agent named Peter Cavicchia III ran special ops for JPMorgan Chase & Co. His insider threat group—most large financial institutions have one—used computer algorithms to monitor the bank’s employees, ostensibly to protect against perfidious traders and other miscreants.

Aided by as many as 120 “forward-deployed engineers” from the data mining company Palantir Technologies Inc., which JPMorgan engaged in 2009, Cavicchia’s group vacuumed up emails and browser histories, GPS locations from company-issued smartphones, printer and download activity, and transcripts of digitally recorded phone conversations. Palantir’s software aggregated, searched, sorted, and analyzed these records, surfacing keywords and patterns of behavior that Cavicchia’s team had flagged for potential abuse of corporate assets. Palantir’s algorithm, for example, alerted the insider threat team when an employee started badging into work later than usual, a sign of potential disgruntlement. That would trigger further scrutiny and possibly physical surveillance after hours by bank security personnel.

Over time, however, Cavicchia himself went rogue. Former JPMorgan colleagues describe the environment as Wall Street meets Apocalypse Now, with Cavicchia as Colonel Kurtz, ensconced upriver in his office suite eight floors above the rest of the bank’s security team. People in the department were shocked that no one from the bank or Palantir set any real limits. They darkly joked that Cavicchia was listening to their calls, reading their emails, watching them come and go. Some planted fake information in their communications to see if Cavicchia would mention it at meetings, which he did.

It all ended when the bank’s senior executives learned that they, too, were being watched, and what began as a promising marriage of masters of big data and global finance descended into a spying scandal. The misadventure, which has never been reported, also marked an ominous turn for Palantir, one of the most richly valued startups in Silicon Valley. An intelligence platform designed for the global War on Terror was weaponized against ordinary Americans at home.[/quote]
Peter Thiel - who better to midwife an utterly odious technology than an utterly odious individual?
[quote]As Thiel’s wealth has grown, he’s gotten more strident. In a 2009 essay for the Cato Institute, he railed against taxes, ­government, women, poor people, and society’s acquiescence to the inevitability of death. (Thiel doesn’t accept death as inexorable.) He wrote that he’d reached some radical conclusions: “Most importantly, I no longer believe that freedom and democracy are compatible.” The 1920s was the last time one could feel “genuinely optimistic” about American democracy, he said; since then, “the vast increase in welfare beneficiaries and the extension of the franchise to women—two constituencies that are notoriously tough for libertarians—have rendered the notion of ‘capitalist democracy’ into an oxymoron.”[/quote]
Getting back to the early uses of Palantir's tech:
[quote]Founded in 2004 by Peter Thiel and some fellow PayPal alumni, Palantir cut its teeth working for the Pentagon and the CIA in Afghanistan and Iraq. The company’s engineers and products don’t do any spying themselves; they’re more like a spy’s brain, collecting and analyzing information that’s fed in from the hands, eyes, nose, and ears. The software combs through disparate data sources—financial documents, airline reservations, cellphone records, social media postings—and searches for connections that human analysts might miss. It then presents the linkages in colorful, easy-to-interpret graphics that look like spider webs. U.S. spies and special forces loved it immediately; they deployed Palantir to synthesize and sort the blizzard of battlefield intelligence. It helped planners avoid roadside bombs, track insurgents for assassination, even hunt down Osama bin Laden. [b]The military success led to federal contracts on the civilian side[/b].[/quote]
Uh ... so far as I know the above efforts had bupkis to do with how bin Laden was eventually found hiding - some would say in plain sight, based on what the Pakistani security services knew or should have known - in Pakistan. And given that "we are still winning" the war of terror in Afghanistan over 15 years later with no end in sight, that's some definition of "military success". Were one of a cynical mind, one might almost conclude that the aim of all these never-ending military engagements is not about "winning" in any conventional sense of the term, but rather about enriching a vast array of private military contractors such as Palantir, and about field-testing weapons and technologies, many of which eventually also get deployed back on the home front, such as military gear for ever-more militarized domestic law enforcement agencies, and predictive-analytics spyware such as described in the article.

But this part was the most richly ironic for me:
[quote]In one adventure missing from the glowing accounts of Palantir’s early rise, I2 accused Palantir of misappropriating its intellectual property through a Florida shell company registered to the family of a Palantir executive. A company claiming to be a private eye firm had been licensing I2 software and development tools and spiriting them to Palantir for more than four years. I2 said the cutout was registered to the family of Shyam Sankar, Palantir’s director of business development.

I2 sued Palantir in federal court, alleging fraud, conspiracy, and copyright infringement. In its legal response, Palantir argued it had the right to appropriate I2’s code for the greater good. “What’s at stake here is the ability of critical national security, defense and intelligence agencies to access their own data and use it interoperably in whichever platform they choose in order to most effectively protect the citizenry,” Palantir said in its motion to dismiss I2’s suit.

The motion was denied. Palantir agreed to pay I2 about $10 million to settle the suit. I2 was sold to IBM in 2011.[/quote]
In other words, Palantir is yet another "success story" founded on IP theft - precisely the kind of corporate crime its tech was later used by JPMorgan to help prevent.

And this nicely-crafted paragraph near the end of the article describes the trend not just at Palantir, but throughout the Big Data and predictive analytics world, where AI is all the rage and its inevitability appears to be turning into a self-fulfilling prophecy:
[quote]Palantir is twice the age most startups are when they cash out in a sale or initial public offering. The company needs to figure out how to be rewarded on Wall Street without creeping out Main Street. It might not be possible. For all of Palantir’s professed concern for individuals’ privacy, the single most important safeguard against abuse is the one it’s trying desperately to reduce through automation: human judgment.[/quote]

kriesel 2018-05-14 00:17

[QUOTE=Dr Sardonicus;483817]
[I]Any[/I]how, the operator told me they sometimes had to dig up buried pipes or whatever, in places where any records of exactly where they might have been buried were long gone. In a situation like that, they could tell from the way the layers of soil looked in shallow test digs, whether it had been dug up before -- even a hundred years ago. Once they found where it had been dug up before, they'd know to dig deeper.

This brought something to mind: I have often seen an unfortunate proclivity in people to dismiss skilled professionals -- be they plumbers, construction workers, or excavators -- as somehow unworthy of respect because of the kind of work they do. But there is a maxim, "The devil is in the details." And it is perhaps well to keep in mind that, in any skilled work, even digging a large hole in the ground, there are [I]always[/I] details.[/QUOTE]

I had occasion to replace some old piping on a farm shortly after purchasing it; it had deteriorated to the point the well ran continuously and could not reach adequate pressure. A veritable caravan showed up on the designated day; dump truck towing a trailer bearing a backhoe, and multiple plumbers' vans, etc. Looked and was expensive (think 4 months' house rent). Documentation of the private underground piping and power and phone wiring was poor to nonexistent. Buried power in the involved area included a stout 220v 3 phase high current line straight from the utility transformer, upstream of the meters and site cutoff switch. Site power for the day was provided by a portable generator. The crew consisted of a master plumber who also ran the backhoe and did electrical, a driver, an older plumber, and a young musclebound laborer. For the parts where marking or sensing devices revealed conductors or metal piping, the older plumber did the close digging by hand. Occasionally they'd break something and have to do an in-the-trench splice. The soil was fairly dry and a mix of loam and sand. Most of it was about 6 feet down. They did this project with no shoring. It became clear what the purpose of the young guy was at the first trench cave-in; briskly but safely dig out the older plumber before he developed any medical issues from being trapped immobilized in the trench.

What's the proper pay level for "yes, I'll put my health in the hands of a guy with a shovel digging me out 3 times a day"?

With minutes to go to wrap up the job on a Friday evening, putting the dirt back and smoothing it out, the master plumber bent the curb stop top by a couple feet with the backhoe. They spent Saturday morning replacing it.

ewmayer 2018-05-14 21:52

From down under, but surely not unique to Android users there:

[url=https://www.qt.com.au/news/accc-investigating-oracle-research-showing-google-/3413924/]What Google is doing with your data[/url] | Queensland Times
[quote]Australian Competition and Consumer Commission chairman Rod Sims said he was briefed recently by US experts who had intercepted, copied and decrypted messages sent back to Google from mobiles running on the company’s Android operating system.

The experts, from computer and software corporation Oracle, claim Google is draining roughly one gigabyte of mobile data monthly from Android phone users’ accounts as it snoops in the background, collecting information to help advertisers.

A gig of data currently costs about $3.60-$4.50 a month. Given more than 10 million Aussies have an Android phone, if Google had to pay for the data it is said to be siphoning it would face a bill of between $445 million and $580 million a year.[/quote]

Nick 2018-05-15 07:01

[QUOTE]...collecting information to help advertisers...[/QUOTE]Evidently the myth still persists that all the data giants will ever do with your information is use it to target advertising.

ewmayer 2018-05-15 22:41

[url=https://www.wired.com/story/efail-encrypted-email-flaw-pgp-smime/]EFail: Encrypted Email Has a Major, Divisive Flaw[/url] | WIRED

ewmayer 2018-06-08 00:14

[url=https://www.engadget.com/2018/06/05/dhs-facial-recognition-scan-travelers-at-border/]DHS will use facial recognition to scan travelers at the border[/url] | Reuters
[quote]The work is part of a larger biometric data project that currently includes ongoing facial recognition pilots in eight airports including the Hartsfield-Jackson Atlanta International Airport, Washington Dulles International Airport, JFK International Airport and Chicago O'Hare International Airport.

There are, of course, concerns over how this technology will be implemented. "This is a way for the federal government to track people -- monitoring who goes where and what they do there," ACLU attorney Mitra Ebadolahi told The Verge. "In a free society, we should all be able to safely live our lives without being watched and targeted by the federal government."[/quote]
LOL, any notion of "free society" is so last century ... I predict in under a decade being face - and perhaps retina - scanned will be mandatory for travelling abroad, and perhaps even flying domestically, and DHS will likely be installing (or cloning feeds from) an ever-increasing percentage of 'mundane' traffic and other surveillance feeds, all of which data will be getting fed into an ever-more-capable AI-driven panopticon. To use the same Orwellian phrase as the government data-vacuumers, Total Information Awareness has always been the goal. The fraction of basic human "participation in society" activities which leave no digital footprint, from biometric scanning, to undergoing a background/credit check to be able to rent even a humble apartment, to kids being digitized via "fun smartphone apps" and school-mandated spyware installs and "Google Docs" for their schoolwork, continues to decrease exponentially with time.

richs 2018-06-08 01:24

True story
 
Here's a true story regarding facial recognition systems.

My son-in-law and daughter travel to New York City on her business trip. Coincidentally my wife and I are in NYC on a business trip of my own. My daughter has a room reserved at the Four Seasons hotel in midtown Manhattan. On the way to the hotel from the airport, a police officer reroutes the taxi to the back entrance of the Four Seasons. Hmm, rather strange.... My wife meets the two of them in the lobby because she wants to check out the Four Seasons, having never stayed there. My daughter attempts to check in, but the hotel clerk is acting completely nervous and says the room is not yet ready. So my wife and daughter go to the restroom which is located in an alcove off the hotel lobby before heading out to stroll around Manhattan while waiting for the room. My son-in-law waits in the alcove.

My daughter and wife exit the restroom and there are two NFL linebacker-size New York City detectives holding my son-in-law against the alcove wall saying "We know you are Mr. ****, a drug dealer from Mexico." My son-in-law is half Irish and half Indonesian and looks Hispanic, but he isn't. My wife, who is a New Yorker and is under 5 feet in height, walks over to the detectives and says in her total New York accent "You have the wrong guy. This is my son-in-law and he's a good boy! Let him go!" Well, the detectives size her up and start laughing. Then they say "We guess the computer at JFK picked out the wrong guy" and they let him go. So my family walks out through the lobby and there are a lot of police and other agents watching them from the lobby mezzanine.

Out on East 57th Street walking down the sidewalk, my son-in-law gets tapped on the shoulder and a guy shows a badge and says "Department of Homeland Security. I wanted to see you with my own eyes since you could be a twin brother to Mr. **** from Mexico." My son-in-law says you've got the wrong guy and the agent walks away.

So they identified him with facial recognition at JFK, tracked the taxi, diverted the taxi, and assembled a whole team in the Four Seasons lobby before taxi arrival.

Four months later, boarding a plane with my wife, daughter, and son-in-law going to New Zealand, the same thing happens in the jetway going to the plane. The agents again thought he was Mr. **** from Mexico.

So I agree with Ernst, any notion of a free society is out the window these days.

Xyzzy 2018-06-08 02:02

Good thing he didn't get shot.

He could have been "reaching for a gun", right?

richs 2018-06-08 02:14

Government run rampant. This was Obama era, just for clarification.

Dr Sardonicus 2018-06-08 14:02

Having a driver's license picture taken? A number of states already have decreed, Thou shalt not smile. Thou shalt not wear glasses. (They mess up facial-recognition software). Ironically, despite the state's many border signs saying "Welcome to Colorful Colorado," [url=http://kdvr.com/2016/05/26/no-more-smiles-changes-come-to-colorado-drivers-licenses/]new Colorado DMV requirements[/url] also decree that driver's license photos taken in that state will be in grayscale. It seems that color is also inconvenient for facial recognition software. So, new driver's license photos in the Centennial State look like old-style mug shots.

I can see it now. You're a resident of Colorado, driving down the road. Traffic cop pulls you over.

Cop: License and registration, please. (looks at license)

Cop: Step out of the vehicle, please.

You: Er, what's the problem, Officer?

Cop: You're under arrest for grand theft auto.

You: But it's [i]my car![/i]

Cop: Not according to this picture it's not. The owner of this vehicle has no glasses, is not smiling, and has gray skin. OK, you're not smiling now, either. Hmm, your skin is looking a little gray now, too. Oh, wait, now it's sort of greenish-white. Nice try, pal. If you're the owner, you're obviously in disguise, which means you're up to something. Let's go.

Dr Sardonicus 2018-06-09 16:31

Sorry if this is off-topic (different "us"), but I couldn't resist:

[url=https://www.bbc.co.uk/news/world-us-canada-44421785]China hackers steal data from US Navy contractor - reports[/url]

jasonp 2018-06-23 21:19

[url="https://www.perpetuallineup.org/sites/default/files/2016-12/The%20Perpetual%20Line-Up%20-%20Center%20on%20Privacy%20and%20Technology%20at%20Georgetown%20Law%20-%20121616.pdf"]A pretty sobering report[/url] on facial recognition

Nick 2018-06-24 07:17

[QUOTE=jasonp;490379][URL="https://www.perpetuallineup.org/sites/default/files/2016-12/The%20Perpetual%20Line-Up%20-%20Center%20on%20Privacy%20and%20Technology%20at%20Georgetown%20Law%20-%20121616.pdf"]A pretty sobering report[/URL] on facial recognition[/QUOTE]
Thanks for the link.

There are various situations in which governments themselves issue people with new or fake identities (spies, protection programs, etc.)
If this technology threatens to make that impossible then, presumably, there are also government departments working on countermeasures.
It would be interesting to know what those are!

ewmayer 2018-06-24 21:08

[QUOTE=jasonp;490379][url="https://www.perpetuallineup.org/sites/default/files/2016-12/The%20Perpetual%20Line-Up%20-%20Center%20on%20Privacy%20and%20Technology%20at%20Georgetown%20Law%20-%20121616.pdf"]A pretty sobering report[/url] on facial recognition[/QUOTE]

Related article I meant to post a few days ago but forgot:

[url=https://safehaven.com/article/45656/Tech-Giants-Under-Fire-For-Facial-Recognition]Tech Giants Under Fire For Facial Recognition[/url] | SafeHaven.com

ewmayer 2018-06-27 21:09

The [url=https://en.wikipedia.org/wiki/Room_641A]Room 641A[/url] franchise is - unsurprisingly, but nice to see details - revealed to be nationwide:

[url=https://theintercept.com/2018/06/25/att-internet-nsa-spy-hubs/]The NSA’s Hidden Spy Hubs in Eight U.S. Cities[/url] | The Intercept
[quote]The secrets are hidden behind fortified walls in cities across the United States, inside towering, windowless skyscrapers and fortress-like concrete structures that were built to withstand earthquakes and even nuclear attack. Thousands of people pass by the buildings each day and rarely give them a second glance, because their function is not publicly known. They are an integral part of one of the world’s largest telecommunications networks – and they are also linked to a controversial National Security Agency surveillance program.

Atlanta, Chicago, Dallas, Los Angeles, New York City, San Francisco, Seattle, and Washington, D.C. In each of these cities, The Intercept has identified an AT&T facility containing networking equipment that transports large quantities of internet traffic across the United States and the world. A body of evidence – including classified NSA documents, public records, and interviews with several former AT&T employees – indicates that the buildings are central to an NSA spying initiative that has for years monitored billions of emails, phone calls, and online chats passing across U.S. territory.

The NSA considers AT&T to be one of its most trusted partners and has lauded the company’s “extreme willingness to help.” It is a collaboration that dates back decades. Little known, however, is that its scope is not restricted to AT&T’s customers. According to the NSA’s documents, it values AT&T not only because it “has access to information that transits the nation,” but also because it maintains unique relationships with other phone and internet providers. The NSA exploits these relationships for surveillance purposes, commandeering AT&T’s massive infrastructure and using it as a platform to covertly tap into communications processed by other companies.[/quote]

petrw1 2018-06-27 22:06

Nothing to do with facial recognition....just plain old names.
 
About 10 years ago my son's friend, who was 21 at the time and happens to be Italian, decided he wanted to be a Police Officer in Canada.

A background check uncovered that his Father, living in Canada, has the same name as a wanted Mafia guy in Italy.
--- END OF STORY ---
His request to pursue a career in the Police Force was denied.

No picture checks (AKA facial recognition), no background checks, nothing....just NO!!!

Xyzzy 2018-06-28 02:02

[url]https://tu-dresden.de/ing/informatik/sya/ps/die-professur/news/geheime-daten-auf-dem-druckpapier-diplominformatiker-der-tu-dresden-entwickeln-verfahren-gegen-druckerueberwachung[/url]

ewmayer 2018-07-10 01:40

Like many people I at one point thought the initialism EFF stood for "Electronic Freedom Foundation", not the correct "Electronic Frontier Foundation". [i]The Baffler[/i]'s Yasha Levine explains the vastness of the gulf between those two; however, Levine's defense of the SOPA and PIPA copyright bills mars an otherwise-excellent essay, IMO:

[url=https://thebaffler.com/salvos/all-effd-up-levine]All EFF'd Up[/url]
[quote]When previous internet privacy scandals hit—from the Apple dispute with the FBI to Edward Snowden’s NSA leaks and even to obscure data gathering provisions in anti-piracy laws—groups like the Electronic Frontier Foundation had been out on the cyber-barricades, piling up the e-tires and setting them ablaze with memes and gifs. They organized online protests, website blackouts, digital strikes, cyber pickets, and even physical rallies: you name it, they did it all. And that made sense. Because EFF’s leaders, together with their digital-rights comrades shoring up the bulwarks of civil society as we know it, were supposed to be go-to defenders of the people on the internet. They were professional activists, attorneys, and technologists who did the hard, thankless work of keeping the internet free and democratic.

And yet something broke down with the Facebook-Cambridge Analytica scandal. On paper, this controversy looked to be a dream organizing opportunity for EFF and its allies. Here was a Silicon Valley giant using its platform to spy on Americans and subvert the workings of our democracy. EFF should have been leading the charge. And yet in what was arguably the greatest public dispute concerning the planet’s largest social networking platform, EFF was AWOL—nowhere to be found. As I continued scanning the privacy group’s website in the weeks after Mark Zuckerberg’s appearance on Capitol Hill, all the advice it offered to irate and concerned Netizens seeking to preserve their privacy on Facebook were pro forma notifications telling them to opt out of platform API sharing and download EFF’s Privacy Badger ad blocker extension for Chrome—a browser made by Google, a Silicon Valley surveillance giant.

The silence of digital advocacy groups was deafening, and even insiders began to question their motives. April Glaser, a Slate tech reporter who had previously worked at EFF, penned a heartfelt appeal for EFF and other tech watchdogs to do something—anything—to protect the American people from Silicon Valley surveillance. “Privacy advocates know how to build coalitions and campaigns. They know how to make demands, and they know how to hatch an action agenda fast,” she wrote. “But it didn’t happen over the March weekend that the Cambridge Analytica news broke.” She wondered why the normally spunky and combative advocacy groups—groups that she admired and worked for—were sitting on the sidelines. “If the people whose job it is to care about digital privacy can’t be bothered to push for laws to regulate how Facebook treats the data we give it,” she wrote, “why should Congress?”
[b]Buying Silence[/b]
One likely explanation, Glaser reasoned, was that most of these groups depended on funding from the very same corporations that they should be criticizing. Over the past years, EFF has taken millions in funds from Google and Facebook via straight donations and controversial court payouts that many see as under-the-radar contributions. Hell, Google co-founder Sergey Brin’s foundation gave EFF at least $1.2 million.

But the reason for EFF’s silence on the Facebook surveillance and influence scandal goes deeper—into the business model of the internet itself, which from the outset has framed user privacy as being threatened by ever-imminent government censorship, as opposed to the protection of users and their data from wanton commercial intrusion and exploitation. Put simply, the lords of the internet care very little about user privacy—what they want to preserve, at the end of the day, is their own commercial license against the specter of government regulation of any kind.
...
the truth is that EFF is a corporate front. It is America’s oldest and most influential internet business lobby—an organization that has played a pivotal role in shaping the commercial internet as we know it and, increasingly, hate it. That shitty internet we all inhabit today? That system dominated by giant monopolies, powered by for-profit surveillance and influence, and lacking any democratic oversight? EFF is directly responsible for bringing it into being.[/quote]

ewmayer 2018-09-08 21:07

[url=https://www.theregister.co.uk/2018/08/21/mcafee_flaws_smartplugs/]Security MadLibs: Your IoT electrical outlet can now pwn your smart TV[/url] • The Register

[url=https://money.cnn.com/2018/08/21/technology/google-data-collection/index.html]Google's data collection is hard to escape, study claims[/url] | CNN - one more reason to own a dumbphone.

Dr Sardonicus 2018-09-28 23:04

Oops!
 
Whether this is actually on-topic is too much for my pea brain. It looks like a case of "convenience means security-stupid."

[url=https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/?comments=1][b]50 million Facebook accounts breached by access-token-harvesting attack[/b] [size=2]Bugs in two features enabled mass harvest of single sign-on tokens.[/size][/url][quote]Facebook reset logins for millions of customers last night as it dealt with a data breach that may have exposed nearly 50 million accounts. The breach was caused by an exploit of three bugs in Facebook's code that were introduced with the addition of a new video uploader in July of 2017. Facebook patched the vulnerabilities on Thursday, and it revoked access tokens for a total of 90 million users.

In a call with press today, Facebook CEO Mark Zuckerberg said that the attack targeted the "view as" feature, "code that allowed people to see what other people were seeing when they viewed their profile," Zuckerberg said. The attackers were able to use this feature, combined with the video uploader feature, to harvest access tokens.[/quote]

Chuck 2018-09-29 00:42

Facebook hack? No problem. I have no Facebook account.

Stargate38 2018-09-29 16:52

Me neither. The only stuff I make public is on one of the following: Mersenneforum, my website, Reddit (they don't allow people to post personal info, anyway), Factordb, Google+, or anywhere else I'm registered, but NEVER Facebook. There are just too many privacy issues, and it keeps getting hacked. I don't want hackers messing with anything of mine. That's also why I never post anything that would jeopardize my identity, as it might get in the wrong hands.

retina 2018-09-29 17:20

[QUOTE=Stargate38;497072]I don't want hackers messing with anything of mine. That's also why I never post anything that would jeopardize my identity, as it might get in the wrong hands.[/QUOTE]Do you use a proxy or VPN to post? If not your IP address(es) can possibly be used to identify you. For example, if this board has been compromised and someone has copied the IP addresses of all your posts you might never find out about it. Even if all those IP addresses individually are shared addresses with other people (say a library, or your workplace) the unique pattern of visits to each location most probably only leads to you. Yes, this is super-paranoid stuff, but something to consider if ever you think you are not identifying yourself.

Stargate38 2018-09-29 18:17

They won't find much. I checked my IP, and it says I live in Kansas, even though I don't. Probably because my IP is dynamic.

Uncwilly 2018-09-30 02:35

[QUOTE=Stargate38;497088]They won't find much. I checked my IP, and it says I live in Kansas, even though I don't. Probably because my IP is dynamic.[/QUOTE]
I see Ohio.

Stargate38 2018-09-30 19:40

If I look up my IPv4, it shows Kansas. You probably use my IPv6, though.

ewmayer 2018-10-05 20:27

[url=https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies]The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies[/url] - Bloomberg
[quote]In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video. Based in Portland, Ore., Elemental made software for compressing massive video files and formatting them for different devices. Its technology had helped stream the Olympic Games online, communicate with the International Space Station, and funnel drone footage to the Central Intelligence Agency. Elemental’s national security contracts weren’t the main reason for the proposed acquisition, but they fit nicely with Amazon’s government businesses, such as the highly secure cloud that Amazon Web Services (AWS) was building for the CIA.

To help with due diligence, AWS, which was overseeing the prospective acquisition, hired a third-party company to scrutinize Elemental’s security, according to one person familiar with the process. The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression. These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards, the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small. In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says.

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.[/quote]
This next bit which makes wild claims re. the allegedly ludicrous improbability of such OEM-implants is just silly:
[quote]One country in particular has an advantage executing this kind of attack: China, which by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs. [u]Still, to actually accomplish a seeding attack would mean developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location—a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle. “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” says Joe Grand, a hardware hacker and the founder of Grand Idea Studio Inc. “Hardware is just so far off the radar, it’s almost treated like black magic.”[/u][/quote]
Let's deconstruct some of that silliness: "...would mean developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location" - in other words, precisely the kinds of things those offshore manufacturing contractors are paid to do, yes? And WTF does that bit "made it through the global logistics chain to the desired location" even mean? You mean "were shipped by the manufacturer to the outfit which contracted the business?" That is somehow spooky and improbable? And then to top off the inanity, we have the Blowhard-in-chief at the pompously named Grand Idea Studio Inc. nattering on about what "black magic" hardware manufacturing is - well yes, it would seem that way to you folks who have been busily offshoring those capabilities for decades, wouldn't it?

But kudos to the piece's author for this lovely little bit of deadpan humor:
[quote]Back in 2006, three engineers in Oregon had a clever idea. Demand for mobile video was about to explode, and they predicted that broadcasters would be desperate to transform programs designed to fit TV screens into the various formats needed for viewing on smartphones, laptops, and other devices. To meet the anticipated demand, the engineers started Elemental Technologies, assembling what one former adviser to the company calls a genius team to write code that would adapt the superfast graphics chips being produced for high-end video-gaming machines. The resulting software dramatically reduced the time it took to process large video files. Elemental then loaded the software onto custom-built servers emblazoned with its leprechaun-green logos.

Elemental servers sold for as much as $100,000 each, at profit margins of as high as 70 percent, according to a former adviser to the company. [b]Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not.[/b][/quote]

Related:

[url=https://www.reuters.com/article/us-usa-military-china/u-s-military-comes-to-grips-with-over-reliance-on-chinese-imports-idUSKCN1MC275]U.S. military comes to grips with over-reliance on Chinese imports[/url] | Reuters

The following quote in the above, apparently uttered without the smallest sense of irony, is just ... precious:
[i]“People used to think you could outsource the manufacturing base without any repercussions (on national security). But now we know that’s not the case,” said one U.S. official familiar with the report, speaking on condition of anonymity.[/i]

A classic exemplar of Upton Sinclair's famous quote, "It's hard to get a man to understand something when his salary depends on him not understanding it."

retina 2018-10-05 20:34

When I read about that my first thought was that someone is shorting the stock and wants to make China manufacturing look bad. And look what happened: the stocks in many Chinese tech companies have fallen.

I call bullshit on the story. Someone is making a mockery of the news machine to make a profit.

ewmayer 2018-10-05 20:43

[QUOTE=retina;497435]When I read about that my first thought was that someone is shorting the stock and wants to make China manufacturing look bad. And look what happened: the stocks in many Chinese tech companies have fallen.

I call bullshit on the story. Someone is making a mockery of the news machine to make a profit.[/QUOTE]

You'll need more to make your BS-calling credible than "look, share prices of the Chinese company in question have fallen" - that's what share prices are supposed to do when bad news hits the wires. And while e.g. Apple may not be admitting to having been victimized by what is claimed, did they or did they not sever their relationship with Supermicro in 2016 as described? That's easy enough to check. I found the level of detail and related-linking in the article high enough for it to seem quite plausible - and it is undeniable that China has a large-scale and sophisticated multi-front intelligence program - as does the US, but the kind of supply-chain vulnerability described here asymmetrically affects the importer nation.

In other words, I call BS on your BS call.

Dr Sardonicus 2018-10-05 22:39

[QUOTE=ewmayer;497438]And while e.g. Apple may not be admitting to having been victimized by what is claimed, did they or did they not sever their relationship with Supermicro in 2016 as described? That's easy enough to check.[/QUOTE]

"May not be admitting?" They told Bloomberg it wasn't true before the story was published.

[url=https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/]October 4, 2018 statement from Apple[/url]
[quote]The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.
Apple provided Bloomberg Businessweek with the following statement before their story was published:
<snip>
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement. <snip>[/quote]

Apple did indeed sever relations with Supermicro in 2016, as described [url=https://arstechnica.com/information-technology/2017/02/apple-axed-supermicro-servers-from-datacenters-because-of-bad-firmware-update/]here[/url].

I'm no computer expert, but malware-ridden firmware, downloaded from the supplier's support site, sounds like a good reason to say Adios.

Apple and Facebook have also confirmed reports of malware attacks.

It seems odd that the Bloomberg story refers to a "top-secret probe," but doesn't mention the agency or agencies conducting it. The obvious one would be the FBI.

The idea of a subcontractor planting an extra component in hardware is "plausible." Having it [i]go undetected[/i] would depend on [i]very[/i] lax quality-control checking of the item upon receipt -- in this case, simply verifying that the thing was built according to design. Such laxity would be the real scandal if the story were to pan out. But alas, the idea doesn't seem totally farfetched these days.

ewmayer 2018-10-15 20:26

Article questions the Bloomberg Supermicro hardware-implant story based on the alleged non-necessity of a hardware-level hack in order to achieve the same end:

[url=https://arstechnica.com/information-technology/2018/10/supermicro-boards-were-so-bug-ridden-why-would-hackers-ever-need-implants/]If Supermicro boards were so bug-ridden, why would hackers ever need implants?[/url] | Ars Technica
[quote]Steve Lord, a researcher specializing in hardware hacking and co-founder of UK conference 44CON, was one of several researchers who unearthed a variety of serious vulnerabilities and weaknesses in Supermicro motherboard firmware (PDF) in 2013 and 2014. This time frame closely aligns with the 2014 to 2015 hardware attacks Bloomberg reported. Chief among the Supermicro weaknesses, the firmware update process didn’t use digital signing to ensure only authorized versions were installed. The failure to offer such a basic safeguard would have made it easy for attackers to install malicious firmware on Supermicro motherboards that would have done the same things Bloomberg says the hardware implants did….. [F]or the past five years, it was trivial for people with physical access to the boards to flash them with custom firmware that has the same capabilities as the hardware implants reported by Bloomberg…. According to documents leaked by former NSA subcontractor Edward Snowden, the use of custom firmware was the method employees with the agency’s Tailored Access Operations unit used to backdoor Cisco networking gear before it shipped to targets of interest… Besides requiring considerably less engineering muscle than hardware implants, backdoored firmware would arguably be easier to seed into the supply chain.[/quote]
Let's see if we can come up with a plausible rationale for a would-be-surveiller with the needed supply-chain access (i.e. China) to prefer a hardware implant to simply fiddling the firmware. I've seen the (alleged) hardware-implant hack described as "a shot across the bow of the NSA" by the Chinese, and per Snowden, the NSA, lacking China's manufacturing-supply-chain access, relies bigly on firmware backdooring, coupled with selected-target-of-interest shipment-interdiction for purposes of hardware implantation. Speculating freely, say you're the Chinese spooks - you know it's not unlikely that at some point the NSA is gonna firmware-flash the same export gear you are interested in backdooring. With firmware, he who flashes last wins, so doing a custom backdooring-flash at the factory in Guangzhou is of little use if the NSA overwrites your backdoored firmware with their own after the shipment arrives stateside. A hardware implant would presumably be immune to such nullification-via-overwriting.

But we really do need to see some actual hardware-implanted gear made available for public inspection - if not from e.g. Apple, which denies the existence of such a thing, then from one of the other end users allegedly targeted by implant-laden hardware - in order for the Bloomberg claims to move from merely possible/plausible to genuinely believable.
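The Ars quote above turns on one missing safeguard: the update path accepted any firmware image, signed or not, which is also what makes "he who flashes last wins" possible. The following is an added example (not Supermicro's, Ars's, or the poster's code) of the device-side check that closes that gap: a constructed image format (magic, version, payload, Ed25519 signature), a vendor-style signing step, and a verify gate that rejects unsigned, re-signed or tampered images and refuses to install anything not newer than the running version.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not a real vendor format):
//   magic[4] | version uint32 (big-endian) | payload... | signature[64]
// The signature covers every byte before it.
var magic = []byte("FWIM")

const sigLen = ed25519.SignatureSize

// Image is the parsed view of an update that passed verification.
type Image struct {
	Version uint32
	Payload []byte
}

// Build assembles a signed image the way a vendor's release tooling would.
func Build(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := new(bytes.Buffer)
	buf.Write(magic)
	binary.Write(buf, binary.BigEndian, version)
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

var (
	ErrFormat   = errors.New("malformed image")
	ErrSig      = errors.New("signature invalid or missing")
	ErrRollback = errors.New("version not newer than installed firmware")
)

// Verify is the device-side gate. It accepts only images signed by the vendor
// public key provisioned on the device, and only if the image version is
// strictly newer than what is installed, so a later flash of an older or
// unsigned image cannot overwrite the verified one.
func Verify(pub ed25519.PublicKey, installed uint32, img []byte) (*Image, error) {
	if len(img) < len(magic)+4+sigLen || !bytes.Equal(img[:4], magic) {
		return nil, ErrFormat
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, ErrSig
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version <= installed {
		return nil, ErrRollback
	}
	return &Image{Version: version, Payload: body[8:]}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	_, other, _ := ed25519.GenerateKey(rand.Reader)  // some other key, not trusted
	good := Build(priv, 2, []byte("constructed firmware v2"))
	foreign := Build(other, 3, []byte("constructed image signed by the wrong key"))
	tampered := append([]byte{}, good...)
	tampered[12] ^= 1 // flip one payload bit after signing
	cases := []struct {
		name string
		img  []byte
	}{{"vendor-signed v2", good}, {"wrong-key v3", foreign}, {"tampered v2", tampered}}
	for _, c := range cases {
		_, err := Verify(pub, 1, c.img) // device currently runs version 1
		fmt.Printf("%-18s -> %v\n", c.name, err)
	}
}
```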

ewmayer 2018-10-26 19:55

[url=https://gizmodo.com/do-not-track-the-privacy-tool-used-by-millions-of-peop-1828868324]‘Do Not Track’ Privacy Tool Doesn’t Do Anything[/url] | Gizmodo
[quote]Why do we have this meaningless option in browsers? The main reason why Do Not Track, or DNT, as insiders call it, became a useless tool is that the government refused to step in and give it any kind of legal authority. If a telemarketer violates the Do Not Call list, they can be fined up to $16,000 per violation. There is no penalty for ignoring Do Not Track.[/quote]
So in the pantheon of brilliant "free market"-based ideas, this is right up there with the notion of letting the financial industry "self-regulate".

Dr Sardonicus 2018-10-28 00:51

[QUOTE=ewmayer;498838][url=https://gizmodo.com/do-not-track-the-privacy-tool-used-by-millions-of-peop-1828868324]‘Do Not Track’ Privacy Tool Doesn’t Do Anything[/url] | Gizmodo

So in the pantheon of brilliant "free market"-based ideas, [b]this is right up there with the notion of letting the financial industry "self-regulate"[/b].[/QUOTE]Speaking of which: [url=https://www.apnews.com/bbf3d73e47c542eb80b3d930305cf855]Watchdog looks to rescind crucial part of payday loan rules[/url][quote]The cornerstone of the rules enacted last year would have required that lenders determine, before approving a loan, whether a borrower can afford to repay it in full with interest within 30 days. The rules would have also capped the number of loans a person could take out in a certain period of time.

But since President Trump appointed Acting Director Mick Mulvaney, the bureau has taken a decidedly more pro-industry direction than under his predecessor. Mulvaney has proposed reviewing or revisiting substantially all of the regulations put into place during Cordray’s tenure.[/quote]

chris2be8 2018-10-28 16:54

[QUOTE=ewmayer;498838][URL="https://gizmodo.com/do-not-track-the-privacy-tool-used-by-millions-of-peop-1828868324"]‘Do Not Track’ Privacy Tool Doesn’t Do Anything[/URL] | Gizmodo

[/QUOTE]

The GDPR might give it some teeth in the EU.

But that only moves the trackers to a country outside the EU. So it's not much use unless *every* country in the world gives it teeth.

Chris

ewmayer 2018-10-28 19:54

[QUOTE=chris2be8;498974]The GDPR might give it some teeth in the EU.[/QUOTE]

The US needs something with teeth like the GDPR ... at the same time I'm puzzled how the EU passed a disastrous related piece of legislation in form of the [url=https://www.nakedcapitalism.com/2018/10/civilized-societies-dont-call-censorship-copyright.html]European Copyright Directive[/url]. Surely one can respect individuals' privacy without crushing free expression.

retina 2018-10-29 08:16

[QUOTE=ewmayer;497431]This next bit which makes wild claims re. the allegedly ludicrous improbability of such OEM-implants is just silly:[/QUOTE]Not so silly IMO, and the opinion of most others.

[url]https://www.servethehome.com/investigating-implausble-bloomberg-supermicro-stories/[/url] [quote]I do not know the editorial team at Bloomberg, but here is a New York Times assessment of this team’s track record in the space:[quote] 🚨 Something is wrong. Blanket denials from companies, NCSC and DHS are v. unusual. The only precedent for this is a 2014 Bloomberg article, by the same author, which claimed NSA exploited Heartbleed, and was vigorously knocked down with zero follow up by Bloomberg or correction. [url]https://t.co/lRMiJlXD5G[/url]

— Nicole Perlroth (@nicoleperlroth) October 7, 2018[/quote]This seems to be far from an isolated viewpoint on the reporters (e.g. the Robert M. Lee thread.)[/quote]I still think this is all BS, and is just a stock shorting scam.



Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.