m Quec.lim's republished posts.http://quec.li/~m /New book: Thing Explainerhttp://blog.xkcd.com/2015/05/13/new-book-thing-explainer/6f4d4c70f1cae174f9deebcbaa4f3a536a155c96Wed, 13 May 2015 00:00:00 -0400New book: <em><a href="http://blog.xkcd.com/?p=805">Thing Explainer</a>!</em><br /><br /><br /> <a href="http://blog.xkcd.com/?p=805"><img src="https://xkcd.com/thing-explainer/ThingExplainerCover.png" /></a>http://quec.li/EntryComments?feed=http%3A%2F%2Fxkcd.com%2Frss.xml&entry=6f4d4c70f1cae174f9deebcbaa4f3a536a155c96The Wright Brothers: Stuff that I didn?t knowhttp://blogs.law.harvard.edu/philg/2015/05/11/the-wright-brothers-stuff-that-i-didnt-know/http://blogs.law.harvard.edu/philg/?p=7516Mon, 11 May 2015 12:27:00 -0400http://quec.li/EntryComments?feed=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2Ffeed%2F&entry=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2F%3Fp%3D7516More on the NSA's Capabilitieshttps://www.schneier.com/blog/archives/2015/05/more_on_the_nsa_1.htmltag:www.schneier.com,2015:/blog//2.7017Mon, 11 May 2015 07:26:00 -0400<p>Ross Anderson <a href="https://www.lightbluetouchpaper.org/2015/05/02/meeting-snowden-in-princeton/">summarizes</a> a meeting in Princeton where Edward Snowden was "present." </p> <blockquote><p>Third, the leaks give us a clear view of an intelligence analyst's workflow. She will mainly look in Xkeyscore which is the Google of 5eyes comint; it's a federated system hoovering up masses of stuff not just from 5eyes own assets but from other countries where the NSA cooperates or pays for access. Data are "ingested" into a vast rolling buffer; an analyst can run a federated search, using a selector (such as an IP address) or fingerprint (something that can be matched against the traffic). There are other such systems: "Dancing oasis" is the middle eastern version. Some xkeyscore assets are actually compromised third-party systems; there are multiple cases of rooted SMS servers that are queried in place and the results exfiltrated. Others involve vast infrastructure, like Tempora. If data in Xkeyscore are marked as of interest, they're moved to Pinwale to be memorialised for 5+ years. This is one function of the MDRs (massive data repositories, now more tactfully renamed mission data repositories) like Utah. At present storage is behind ingestion. Xkeyscore buffer times just depend on volumes and what storage they managed to install, plus what they manage to filter out. <p>As for crypto capabilities, a lot of stuff is decrypted automatically on ingest (e.g. using a "stolen cert," presumably a private key obtained through hacking). Else the analyst sends the ciphertext to CES and they either decrypt it or say they can't. There's no evidence of a "wow" cryptanalysis; it was key theft, or an implant, or a predicted RNG or supply-chain interference. Cryptanalysis has been seen of RC4, but not of elliptic curve crypto, and there's no sign of exploits against other commonly used algorithms. Of course, the vendors of some products have been coopted, notably skype. Homegrown crypto is routinely problematic, but properly implemented crypto keeps the agency out; gpg ciphertexts with RSA 1024 were returned as fails. </p> <p>[...]</p> <p>What else might we learn from the disclosures when designing and implementing crypto? Well, read the disclosures and use your brain. Why did GCHQ bother stealing all the SIM card keys for Iceland from Gemalto, unless they have access to the local GSM radio links? Just look at the roof panels on US or UK embassies, that look like concrete but are actually transparent to RF. So when designing a protocol ask yourself whether a local listener is a serious consideration. </p> <p>[...]</p> <p>On the policy front, one of the eye-openers was the scale of intelligence sharing -- it's not just 5 eyes, but 15 or 35 or even 65 once you count all the countries sharing stuff with the NSA. So how does governance work? Quite simply, the NSA doesn't care about policy. Their OGC has 100 lawyers whose job is to "enable the mission"; to figure out loopholes or new interpretations of the law that let stuff get done. How do you restrain this? Could you use courts in other countries, that have stronger human-rights law? The precedents are not encouraging. New Zealand's GCSB was sharing intel with Bangladesh agencies while the NZ government was investigating them for human-rights abuses. Ramstein in Germany is involved in all the drone killings, as fibre is needed to keep latency down low enough for remote vehicle pilots. The problem is that the intelligence agencies figure out ways to shield the authorities from culpability, and this should not happen.</p> <p>[...]</p> <p>The spooks' lawyers play games saying for example that they dumped content, but if you know IP address and file size you often have it; and IP address is a good enough pseudonym for most intel / LE use. They deny that they outsource to do legal arbitrage (e.g. NSA spies on Brits and GCHQ returns the favour by spying on Americans). Are they telling the truth? In theory there will be an MOU between NSA and the partner agency stipulating respect for each others' laws, but there can be caveats, such as a classified version which says "this is not a binding legal document." The sad fact is that law and legislators are losing the capability to hold people in the intelligence world to account, and also losing the appetite for it. </p></blockquote> <p>Worth reading in full.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2015%3A%2Fblog%2F%2F2.7017Online Dating Scamshttps://www.schneier.com/blog/archives/2015/05/online_dating_s.htmltag:www.schneier.com,2015:/blog//2.7011Thu, 07 May 2015 13:30:00 -0400<p>Interesting <a href="https://www.benthamsgaze.org/2015/05/06/understanding-online-dating-scams/">research</a>:</p> <blockquote><p>We identified three types of scams happening on Jiayuan. The first one involves advertising of escort services or illicit goods, and is very similar to traditional spam. The other two are far more interesting and specific to the online dating landscape. One type of scammers are what we call <i>swindlers</i>. For this scheme, the scammer starts a long-distance relationship with an emotionally vulnerable victim, and eventually asks her for money, for example to purchase the flight ticket to visit her. Needless to say, after the money has been transferred the scammer disappears. Another interesting type of scams that we identified are what we call <i>dates for profit</i>. In this scheme, attractive young ladies are hired by the owners of fancy restaurants. The scam then consists in having the ladies contact people on the dating site, taking them on a date at the restaurant, having the victim pay for the meal, and never arranging a second date. This scam is particularly interesting, because there are good chances that the victim will never realize that he's been scammed -- in fact, he probably had a good time.</p></blockquote>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2015%3A%2Fblog%2F%2F2.7011Why no robots at Starbucks?http://blogs.law.harvard.edu/philg/2015/05/02/why-no-robots-at-starbucks/http://blogs.law.harvard.edu/philg/?p=7426Sat, 02 May 2015 12:21:00 -0400http://quec.li/EntryComments?feed=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2Ffeed%2F&entry=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2F%3Fp%3D7426Measuring the Expertise of Burglarshttps://www.schneier.com/blog/archives/2015/04/measuring_the_e.htmltag:www.schneier.com,2015:/blog//2.6994Thu, 30 Apr 2015 15:22:00 -0400<p>New research paper: "<a href="http://www.tandfonline.com/doi/abs/10.1080/1068316X.2014.989849">New methods for examining expertise in burglars in natural and simulated environments: preliminary findings</a>":</p> <blockquote><p>Expertise literature in mainstream cognitive psychology is rarely applied to criminal behaviour. Yet, if closely scrutinised, examples of the characteristics of expertise can be identified in many studies examining the cognitive processes of offenders, especially regarding residential burglary. We evaluated two new methodologies that might improve our understanding of cognitive processing in offenders through empirically observing offending behaviour and decision-making in a free-responding environment. We tested hypotheses regarding expertise in burglars in a small, exploratory study observing the behaviour of 'expert' offenders (ex-burglars) and novices (students) in a real and in a simulated environment. Both samples undertook a mock burglary in a real house and in a simulated house on a computer. Both environments elicited notably different behaviours between the experts and the novices with experts demonstrating superior skill. This was seen in: more time spent in high value areas; fewer and more valuable items stolen; and more systematic routes taken around the environments. The findings are encouraging and provide support for the development of these observational methods to examine offender cognitive processing and behaviour.</p></blockquote> <p>The lead researcher <a href="http://www.theatlantic.com/business/archive/2015/04/the-mind-of-a-burglar/391676/">calls this</a> "dysfunctional expertise," but I disagree. It's expertise.</p> <blockquote><p><a href="http://www.port.ac.uk/department-of-psychology/staff/claire-nee.html">Claire Nee</a>, a researcher at the University of Portsmouth in the U.K., has been studying burglary and other crime for over 20 years. Nee says that the low clearance rate means that burglars often remain active, and some will even gain expertise in the crime. As with any job, practice results in skills. "By interviewing burglars over a number of years we've discovered that their thought processes become like experts in any field, that is they learn to automatically pick up cues in the environment that signify a successful burglary without even being aware of it. We call it 'dysfunctional expertise,'" explains Nee.</p></blockquote> <p>See also <a href="http://eprints.port.ac.uk/16632/">this paper</a>.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2015%3A%2Fblog%2F%2F2.6994Remote Proctoring and Surveillancehttps://www.schneier.com/blog/archives/2015/04/remote_proctori.htmltag:www.schneier.com,2015:/blog//2.6985Wed, 29 Apr 2015 07:12:00 -0400<p>Interesting <a href="http://www.nytimes.com/2015/04/06/technology/online-test-takers-feel-anti-cheating-softwares-uneasy-glare.html">article</a>. There are a lot of surveillance and privacy issues at play here.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2015%3A%2Fblog%2F%2F2.6985Shaking Someone Down for His Passwordhttps://www.schneier.com/blog/archives/2015/04/shaking_someone.htmltag:www.schneier.com,2015:/blog//2.6988Tue, 28 Apr 2015 13:50:00 -0400<p>A drug dealer <a href="http://arstechnica.com/tech-policy/2015/04/drug-dealer-cops-leaned-me-over-18th-floor-balcony-to-get-my-password/">claims</a> that the police leaned him over an 18th floor balcony and threatened to kill him if he didn't give up his password. One of the policemen involved corroborates this story.</p> <p>This is what's known as "rubber-hose cryptanalysis," well-described in <a href="https://xkcd.com/538/">this xkcd cartoon</a>.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2015%3A%2Fblog%2F%2F2.6988Scientist Hawking tells upset fans Malik may be in parallel One Directionhttp://feeds.reuters.com/~r/reuters/cyclicalconsumergoodsNews/~3/d7USoR86vrM/people-hawking-onedirection-idUSL8N0XO1TN20150427http://www.reuters.com/article/2015/04/27/people-hawking-onedirection-idUSL8N0XO1TN20150427?feedType=RSS&amp;feedName=cyclicalConsumerGoodsSectorMon, 27 Apr 2015 06:34:00 -0400<strong>m</strong>: <em>"My advice to any heartbroken young girl is to pay attention to the study of theoretical physics because, one day, there may well be proof of multiple universes.<br /> "It would not be beyond the realms of possibility that somewhere outside of our own universe lies another, different universe and, in that universe, Zayn is still in One Direction."<br /> </em>April 27 (Reuters) - What is the cosmological effect of singer Zayn Malik leaving the best-selling boy band One Direction and consequently disappointing millions of teenage girls around the world?<div> <a href="http://feeds.reuters.com/~ff/reuters/cyclicalconsumergoodsNews?a=d7USoR86vrM:L-YHiBUAhnw:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/reuters/cyclicalconsumergoodsNews?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.reuters.com/~ff/reuters/cyclicalconsumergoodsNews?a=d7USoR86vrM:L-YHiBUAhnw:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/reuters/cyclicalconsumergoodsNews?i=d7USoR86vrM:L-YHiBUAhnw:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.reuters.com/~ff/reuters/cyclicalconsumergoodsNews?a=d7USoR86vrM:L-YHiBUAhnw:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/reuters/cyclicalconsumergoodsNews?i=d7USoR86vrM:L-YHiBUAhnw:F7zBnMyn0Lo" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/reuters/cyclicalconsumergoodsNews/~4/d7USoR86vrM" height="1" width="1" alt="" />http://quec.li/EntryComments?feed=http%3A%2F%2Ffeeds.reuters.com%2Freuters%2FcyclicalconsumergoodsNews&entry=http%3A%2F%2Fwww.reuters.com%2Farticle%2F2015%2F04%2F27%2Fpeople-hawking-onedirection-idUSL8N0XO1TN20150427%3FfeedType%3DRSS%26amp%3BfeedName%3DcyclicalConsumerGoodsSectorDSA-3232 curl - security updatehttps://www.debian.org/security/2015/dsa-3232https://www.debian.org/security/2015/dsa-3232Tue, 21 Apr 2015 20:00:00 -0400<p>Several vulnerabilities were discovered in cURL, an URL transfer library:</p>http://quec.li/EntryComments?feed=https%3A%2F%2Fwww.debian.org%2Fsecurity%2Fdsa-long&entry=https%3A%2F%2Fwww.debian.org%2Fsecurity%2F2015%2Fdsa-3232Why are the stories about U.S. corporate tax avoidance about corporate greed rather than non-corporate greed?http://blogs.law.harvard.edu/philg/2015/04/19/why-are-the-stories-about-u-s-corporate-tax-avoidance-about-corporate-greed-rather-than-non-corporate-greed/http://blogs.law.harvard.edu/philg/?p=7351Sun, 19 Apr 2015 12:11:00 -0400http://quec.li/EntryComments?feed=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2Ffeed%2F&entry=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2F%3Fp%3D7351Universities are doing what they say: Discriminating against white and Asian menhttp://blogs.law.harvard.edu/philg/2015/04/17/universities-are-doing-what-they-say-discriminating-against-white-and-asian-men/http://blogs.law.harvard.edu/philg/?p=7362Fri, 17 Apr 2015 12:20:00 -0400http://quec.li/EntryComments?feed=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2Ffeed%2F&entry=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2F%3Fp%3D7362First color photos of Pluto, Charon snapped by New Horizons probehttp://go.theregister.com/feed/www.theregister.co.uk/2015/04/15/new_horizons_first_color_pluto_and_charon/tag:theregister.co.uk,2005:story/2015/04/15/new_horizons_first_color_pluto_and_charon/Wed, 15 Apr 2015 15:26:00 -0400<strong>m</strong>: <em>"They were snapped by the probe's 6cm telescope, called Ralph?"<br /> </em><h4>NASA craft flies three billion miles ? and someone forgot to focus</h4> <p><strong>Pic</strong> NASA's New Horizons spacecraft has sent back the first true color images of Pluto and its largest moon Charon. The probe is, right now, speeding towards the dwarf planet at four kilometres a second (8,950 MPH).?</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.theregister.co.uk%2Fheadlines.rss&entry=tag%3Atheregister.co.uk%2C2005%3Astory%2F2015%2F04%2F15%2Fnew_horizons_first_color_pluto_and_charon%2FAlternatives to the FBI's Manufacturing of Terroristshttps://www.schneier.com/blog/archives/2015/04/alternatives_to.htmltag:www.schneier.com,2015:/blog//2.6956Fri, 10 Apr 2015 11:33:00 -0400http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2015%3A%2Fblog%2F%2F2.6956