m Quec.lim's republished posts.http://quec.li/~m /matt [wronka.org]http://quec.es/org.wronka/matt/2015/01/28/Wed, 28 Jan 2015 00:00:31 +0000;matt [wronka.org]Tue, 27 Jan 2015 19:00:00 -0500While psi works fine in <a href="http://quec.es/t/jessie/">Jessie</a>; now <a href="http://quec.es/t/chromium/">Chromium</a> is unusable at 30-bit.http://quec.li/EntryComments?feed=http%3A%2F%2Fquec.es%2Forg.wronka%2Fmatt%2Fsynd%2F&entry=Wed%2C+28+Jan+2015+00%3A00%3A31+%2B0000%3Bmatt+%5Bwronka.org%5DOpen Door (New England Morning)http://focoro.com/ViewPhoto/abe/p3mjsz/vso8ks0sg8/wronka-open_door_new_england_morning_http://focoro.com/ViewPhoto/abe/p3mjsz/vso8ks0sg8/wronka-open_door_new_england_morning_Tue, 27 Jan 2015 11:46:00 -0500<p><a href="http://focoro.com/profile/wronka">Matthew Wronka</a> published <a href="http://focoro.com/ViewPhoto/abe/p3mjsz/vso8ks0sg8/wronka-open_door_new_england_morning_">Open Door (New England Morning)</a>:<br /><a href="http://focoro.com/ViewPhoto/abe/p3mjsz/vso8ks0sg8/wronka-open_door_new_england_morning_"><img alt="Open Door (New England Morning)" title="Open Door (New England Morning)" src="http://media.focoro.com/converted/sml/abe/p3mjsz/vso8ks0sg8/wronka-open_door_new_england_morning_.jpeg" /></a></p>http://quec.li/EntryComments?feed=http%3A%2F%2Ffocoro.com%2Fprofile%2Fwronka%2Fatom&entry=http%3A%2F%2Ffocoro.com%2FViewPhoto%2Fabe%2Fp3mjsz%2Fvso8ks0sg8%2Fwronka-open_door_new_england_morning_matt [wronka.org]http://quec.es/org.wronka/matt/2015/01/27/Tue, 27 Jan 2015 13:37:03 +0000;matt [wronka.org]Tue, 27 Jan 2015 08:37:00 -0500removing snow<br /> <br /> <a href="http://hume.matt.wronka.org/~matt/snow/snow.gif">http://hume.matt.wronka.org/~matt/snow/snow.gif</a>http://quec.li/EntryComments?feed=http%3A%2F%2Fquec.es%2Forg.wronka%2Fmatt%2Fsynd%2F&entry=Tue%2C+27+Jan+2015+13%3A37%3A03+%2B0000%3Bmatt+%5Bwronka.org%5Dmatt [wronka.org] Hopkinton Notices Google Grouphttp://quec.es/org.wronka/matt/2015/01/27/Tue, 27 Jan 2015 02:25:16 +0000;matt 
[wronka.org]Mon, 26 Jan 2015 21:25:00 -0500&quot;<a href="http://quec.es/t/juno/">Juno</a> 2015 <a href="http://quec.es/t/winter/">Winter</a> <a href="http://quec.es/t/storm/">Storm</a> <a href="http://quec.es/t/codered/">CodeRed</a> <a href="http://quec.es/t/message/">Message</a>&quot;<br /> <br /> What does that mean?http://quec.li/EntryComments?feed=http%3A%2F%2Fquec.es%2Forg.wronka%2Fmatt%2Fsynd%2F&entry=Tue%2C+27+Jan+2015+02%3A25%3A16+%2B0000%3Bmatt+%5Bwronka.org%5Dmatt [wronka.org] Debian Jessiehttp://quec.es/org.wronka/matt/2015/01/27/Tue, 27 Jan 2015 02:19:21 +0000;matt [wronka.org]Mon, 26 Jan 2015 21:19:00 -0500I recently switched my home boot image from an ever-out-of-date <a href="http://quec.es/t/ubuntu/">Ubuntu</a> installation to <a href="http://quec.es/t/debian/">Debian</a> <a href="http://quec.es/t/jessie/">Jessie</a>, which was at one point &quot;almost stable&quot; or &quot;almost frozen&quot; or something like that. Then <a href="http://quec.es/t/systemd/">SystemD</a> broke loose and it's still clearly testing.<br /> <br /> Things that don't work:<br /> <br /> NFS doesn't mount on boot. I give-up. I can't get it to mount anything from the init scripts. The <a href="http://quec.es/t/internet/">Internet</a> suggests this is because of something left in /var/run/network, but since /var/run is tmpfs this is clearly out (also, I checked, the directory isn't there).<br /> <br /> Running sudo clears afs tokens. I've seen one other reported issue, but no solution. cf. <a href="http://comments.gmane.org/gmane.linux.debian.user/489795">http://comments.gmane.org/gmane.linux.debian.user/489795</a><br /> <br /> I can no longer get a gnome-session or gnome-settings-daemon running on top of spectrwm. I also can't figure out how to change the window manager for gnome, so it seems like I'm stuck with all of gnome, or none of it now. Why do I care? colord/colormgr is really the only reason why. 
The rest of the gnome environment is an exercise in frustration.<br /> <br /> <br /> The most surprising thing that works? Qt now doesn't look like vomit when running in a 30-bit X display.http://quec.li/EntryComments?feed=http%3A%2F%2Fquec.es%2Forg.wronka%2Fmatt%2Fsynd%2F&entry=Tue%2C+27+Jan+2015+02%3A19%3A21+%2B0000%3Bmatt+%5Bwronka.org%5DPrint Modulehttp://www.darktable.org/2015/01/print-module/http://www.darktable.org/?p=3507Mon, 26 Jan 2015 16:01:00 -0500<p>After being in the camera our pictures deserve some love and to be shared. Every photographer will tell you the joy of having a picture in your hands. At last the pixels have taken form on a piece of paper to give birth to a photograph which can be put on the wall!</p> <p>Printing is not easy, though: there are many technical aspects to take into account. To streamline this process, a print module has been added to darktable.</p> <h1>The print module</h1> <p>Nothing fancy there, just the page displayed as it will be printed on the paper. The display will show the page itself, the borders and the image properly aligned:</p> <p><a href="http://www.darktable.org/wp-content/uploads/2015/01/dt-print-modulev2.jpg"><img class="alignnone wp-image-3522 size-large" src="http://www.darktable.org/wp-content/uploads/2015/01/dt-print-modulev2-494x354.jpg" alt="dt-print-modulev2" width="494" height="354" /></a></p> <ul> <li>the white area is the paper with the proper aspect ratio</li> <li>the little black markers in each corner represent the non-printable area. 
These markers are not displayed for printers supporting border-less mode.</li> <li>the gray area is the print area, that is, the paper minus the borders</li> <li>finally, the picture is placed on the print area with the chosen alignment; in the screenshot above the alignment is set to top.</li> </ul> <h1>The print settings</h1> <p>Let's look at the print settings offered by this module:</p> <p><a href="http://www.darktable.org/wp-content/uploads/2015/01/dt-print-settingsv2.jpg"><img class="alignnone size-full wp-image-3523" src="http://www.darktable.org/wp-content/uploads/2015/01/dt-print-settingsv2.jpg" alt="dt-print-settingsv2" width="295" height="476" /></a></p> <p>Using the controls offered we can:</p> <ul> <li>select the printer</li> <li>set the printer profile and intent, which are the most important settings</li> <li>select the paper</li> <li>set the orientation of the page, either landscape or portrait</li> <li>select the unit for the border values</li> <li>set the borders for each side separately, or identically using the lock button</li> <li>use one of the nine possible alignments of the picture on the page: left, right, bottom-right, centered...</li> <li>specify the way to export the picture: export profile and intent</li> <li>add a style during the export; this comes in handy to add a signature or a watermark, for example. It is also the way to adjust the exposure; indeed, when printing a B&amp;W picture it is often necessary to add some light.</li> </ul> <p>The printer profile and intent are important to get correct color rendition on the print. This is the only way to ensure that the color displayed on the screen will be the one found on the paper as expected.</p> <p>But be warned, a printer profile is valid for a specific <em>paper</em>, <em>printer</em> <strong>and</strong> <em>driver</em>. So profiles offered by vendors on the Internet cannot be used here. Indeed, even if such a profile matches the printer and paper, it was created for the Windows or MacOS drivers. 
Using them won't give you a correct print rendition. One solution is to create the profile yourself for your graphic work-flow. This is outside the scope of this article but you can <a href="http://pobry.blogspot.fr/2013/06/creating-icc-profile-on-gnulinux.html">read about the process in another article I wrote</a> some time ago. There are also companies that offer profiling, if you prefer.</p> <p>The last widget is the print button; click on it and the picture will be sent to the corresponding printer.</p> <h1>How to set up for using the print module?</h1> <p>This is an important point to note. The print module is based on CUPS. So you need to install CUPS on your machine for it to work properly.</p> <p>Once it is installed, point your Web browser to <a href="http://localhost:631">http://localhost:631</a> and add your printer there. Depending on the printer there are few or many parameters to configure on this interface. The important ones are:</p> <ul> <li>Uncorrected: If the printer offers different color settings, select the one that does nothing. That is, ask the driver not to try to be smart at all.</li> <li>Borderless: If you intend to print borderless you need to activate this option on the CUPS interface.</li> </ul> <p>Note that once you have configured the printer on CUPS you should never ever change the settings there if you are using a print profile. Indeed, the print profile depends on the CUPS rendering settings. 
You have been warned!</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.darktable.org%2Ffeed%2F&entry=http%3A%2F%2Fwww.darktable.org%2F%3Fp%3D3507OpenIDhttp://www.unprompted.com/projects/blog/openid_riphttp://www.unprompted.com/projects/blog/openid_ripSat, 24 Jan 2015 19:52:00 -0500<p> Mini-rant/follow-up: It has almost been two years since <a href="http://www.unprompted.com/projects/blog/openid">I wrote about my issues interfacing with OpenID</a>, and since I have recently been getting <a href="https://developers.google.com/accounts/docs/OpenID">deprecation warnings from Google</a>, I finally put in the <a href="http://www.unprompted.com/projects/changeset/2929/projects" title="Password authentication, because Google is killing OpenID.">work</a> to optionally support password authentication. That will teach me to try to do the right thing. </p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.unprompted.com%2Fprojects%2Fblog%3Fformat%3Drss&entry=http%3A%2F%2Fwww.unprompted.com%2Fprojects%2Fblog%2Fopenid_ripWhen Thinking Machines Break the Lawhttps://www.schneier.com/blog/archives/2015/01/when_thinking_m.htmltag:www.schneier.com,2015:/blog//2.6727Fri, 23 Jan 2015 05:55:00 -0500http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2015%3A%2Fblog%2F%2F2.6727Defending Against Liar Buyer Fraudhttps://www.schneier.com/blog/archives/2015/01/defending_again_3.htmltag:www.schneier.com,2015:/blog//2.6726Wed, 21 Jan 2015 07:31:00 -0500<p>It's a common fraud on sites like eBay: buyers falsely claim that they never received a purchased item in the mail. Here's a <a href="https://isis.poly.edu/~hossein/publications/liar_buyers_Jakobsson_Siadati_Dhiman_USEC2015.pdf">paper</a> on defending against this fraud through basic psychological security measures. 
It's preliminary research, but probably worth experimental research.</p> <blockquote><p>We have tested a collection of possible user-interface enhancements aimed at reducing liar buyer fraud. We have found that showing users in the process of filing a dispute that (1) their computer is recognized, and (2) that their location is known dramatically reduces the willingness to file false claims. We believe the reason for the reduction is that the would-be liars can visualize their lack of anonymity at a time when they are deciding whether to perform a fraudulent action. Interestingly, we also showed that users were not affected by knowing that their computer was recognized, but without their location being pin-pointed, or the other way around. We also determined that a reasonably accurate map was necessary -- but that an inaccurate map does not seem to increase the willingness to lie.</p></blockquote>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2015%3A%2Fblog%2F%2F2.6726Linux Router Upgrade: Celeron to Pentium 4http://www.prolixium.com/blog?id=1011http://www.prolixium.com/blog?id=1011Tue, 20 Jan 2015 09:54:00 -0500<p>After setting up an LXC on my aging "core" router at home, <a href="http://www.prolixium.com/computers#starfire">starfire</a>, I started thinking it might be time for an upgrade. starfire has been a Celeron-based Dell Dimension 2350 with 4x Intel Gigabit Ethernet and 1x Broadcom Fast Ethernet NICs. 
Rather than replacing the whole box, I figured it would be cost-effective to get a boost in performance by spending $23 on eBay and upgrading it to a Pentium 4 2.5 GHz CPU (<a href="http://ark.intel.com/Products/Spec/SL6PN">SL6PN</a>).</p> <p>After the upgrade, transit latency dropped quite a bit:</p> <p><img style="border-style: solid; border-color: #000000; border-width: 1px; padding: 4px; vertical-align: middle;" src="http://www.prolixium.com/images/blog/celery-to-p4.png" title="Celeron 2.0 GHz to Pentium 4 2.5 GHz" alt="Celeron 2.0 GHz to Pentium 4 2.5 GHz" /></p> <p>Good enough. <a href="https://wiki.debian.org/Apt">Apt</a> seems slightly faster, too, although I suspect that's because of the larger L2 cache vs. clock speed.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.prolixium.com%2Ffeed%3Fwhat%3Dmynews&entry=http%3A%2F%2Fwww.prolixium.com%2Fblog%3Fid%3D1011Accountability as a Security Systemhttps://www.schneier.com/blog/archives/2015/01/accountability_.htmltag:www.schneier.com,2015:/blog//2.6725Tue, 20 Jan 2015 07:24:00 -0500<p>At a CATO surveillance event last month, Ben Wittes <a href="http://www.lawfareblog.com/2014/12/did-edward-snowden-call-for-abolishing-the-intelligence-community/">talked about</a> inherent presidential powers of surveillance with this hypothetical: "What should Congress have to say about the rules when Barack Obama wants to know what Vladimir Putin is talking about?" His answer was basically that Congress should have no say: "I think most people, going back to my Vladimir Putin question, would say that is actually an area of inherent presidential authority." Edward Snowden, a surprise remote participant at the event, said the opposite, although using the courts in general rather than specifically Congress as his example. "...there is no court in the world -- well, at least, no court outside Russia -- who would not go, 'This man is an agent of the foreign government. I mean, he's the <i>head</i> of the government.' 
Of course, they will say, 'this guy has access to some kind of foreign intelligence value. We'll sign the warrant for him.'"</p> <p>There's a principle here worth discussing at length. I'm not talking about the legal principle, as in what kind of court should oversee US intelligence collection. I'm not even talking about the constitutional principle, as in what are the US president's inherent powers. I am talking about the philosophical principle: what sorts of secret unaccountable actions do we want individuals to be able to take on behalf of their country?</p> <p>Put that way, I think the answer is obvious: as little as possible.</p> <p>I am not a lawyer or a political scientist. I am a security technologist. And to me, the separation of powers and the checks and balances written into the US constitution are a security system. The more Barack Obama can do by himself in secret, the more power he has -- and the more dangerous that is to all of us. By limiting the actions individuals and groups can take on their own, and forcing differing institutions to approve the actions of each other, the system reduces the ability for those in power to abuse their power. It holds them accountable.</p> <p>We have enshrined the principle of different groups overseeing each other in many of our social and political systems. The courts issue warrants, limiting police power. Independent audit companies verify corporate balance sheets, limiting corporate power. And the executive, the legislative, and the judicial branches of government get to have their say in our laws. Sometimes accountability takes the form of prior approval, and sometimes it takes the form of ex post facto review. It's all inefficient, of course, but it's an inefficiency we accept because it makes us all safer.</p> <p>While this is a fine guiding principle, it quickly falls apart in the practicalities of running a modern government. 
It's just not possible to run a country where <i>every</i> action is subject to review and approval. The complexity of society, and the speed with which some decisions have to be made, can require unilateral actions. So we make allowances. Congress passes broad laws, and agencies turn them into detailed rules and procedures. The president is the commander in chief of the entire US military when it comes time to fight wars. Policemen have a lot of discretion on their own on the beat. And we only get to vote elected officials in and out of office every two, four, or six years.</p> <p>The thing is, we can do better today. I've often said that the modern constitutional democracy is the best form of government mid-18th-century technology could produce. Because both communications and travel were difficult and expensive, it made sense for geographically proximate groups of people to choose one representative to go all the way over there and act for them over a long block of time.</p> <p>Neither of these two limitations is true today. Travel is both cheap and easy, and communications are so cheap and easy as to be virtually free. Video conferencing and telepresence allow people to communicate without traveling. Surely if we were to design a democratic government today, we would come up with better institutions than the ones we are stuck with because of history.</p> <p>And we can come up with more granular systems of checks and balances. So, yes, I think we would have a better government if a court had to approve all surveillance actions by the president, including those against Vladimir Putin. And today it might be possible to have a court do just that. Wittes argues that making some of these changes is impossible, given the current US constitution. He may be right, but that doesn't mean they're not good ideas.</p> <p>Of course, the devil is always in the details. Efficiency is still a powerful counterargument. 
The FBI has procedures for temporarily bypassing prior approval processes if speed is essential. And granularity can still be a problem. Every bullet fired by the US military can't be subject to judicial approval or even a military court, even though every bullet fired by a US policeman is -- at least in theory -- subject to judicial review. And while every domestic surveillance decision made by the police and the NSA is (also in theory) subject to judicial approval, it's hard to know whether this can work for international NSA surveillance decisions until we try.</p> <p>We are all better off now that many of the NSA's surveillance programs have been made public and are being debated in Congress and in the media -- although I had hoped for more congressional action -- and many of the FISA Court's formerly secret decisions on surveillance are being made public. But we still have a long way to go, and it shouldn't take someone like Snowden to force at least some openness to happen.</p> <p>This essay <a href="http://www.lawfareblog.com/2015/01/accountability-as-a-security-system/">previously appeared</a> on Lawfare.com, where Ben Wittes <a href="http://www.lawfareblog.com/2015/01/a-response-to-bruce-schneier-and-a-cautious-defense-of-energy-in-the-executive/">responded</a>.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2015%3A%2Fblog%2F%2F2.6725New NSA Documents on Offensive Cyberoperationshttps://www.schneier.com/blog/archives/2015/01/new_nsa_documen.htmltag:www.schneier.com,2015:/blog//2.6723Sun, 18 Jan 2015 08:34:00 -0500<p>Appelbaum, Poitras and others have another NSA article with an <a href="http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html">enormous Snowden document dump</a> on <i>Der Spiegel</i>, giving details on a variety of offensive NSA cyberoperations to infiltrate and exploit networks around the world. 
There's <i>a lot</i> here.</p> <p>Paired with the December 28th <a href="http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html"><i>Spiegel</i> article</a> on the NSA cryptanalytic capabilities, we've seen a huge amount of Snowden documents in the past few weeks. I need more time to go through it all.</p> <p>Hacker News <a href="http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html">thread</a>.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2015%3A%2Fblog%2F%2F2.6723Shaping Wi-Fi's future: the wireless-mobile convergencehttps://freedom-to-tinker.com/blog/vicentin/shaping-wi-fis-future-the-wireless-mobile-convergence/https://freedom-to-tinker.com/?p=10719Sat, 17 Jan 2015 12:26:00 -0500According to recent news, Comcast is being sued because it is taking advantage of users&#8217; resources to build up its own nationwide Wi-Fi network. Since mid-2013 the company has been updating consumers&#8217; routers by installing new firmware that makes the router partially devoted to the &#8220;home-user&#8221; network and partially devoted to the &#8220;mobile-user&#8221; network (a [&#8230;]http://quec.li/EntryComments?feed=https%3A%2F%2Ffreedom-to-tinker.com%2Frss.xml%3Ffeed%3Drss2&entry=https%3A%2F%2Ffreedom-to-tinker.com%2F%3Fp%3D10719Don't let your kids grow up and go to graduate school?http://blogs.law.harvard.edu/philg/2015/01/14/dont-let-your-kids-grow-up-and-go-to-graduate-school/http://blogs.law.harvard.edu/philg/?p=6735Wed, 14 Jan 2015 15:32:00 -0500<p>A couple of articles on impoverished academics:</p> <ul> <li><a href="http://www.rawstory.com/rs/2015/01/this-college-instructor-has-a-masters-degree-and-shes-still-living-in-poverty/">&#8220;This college instructor has a Master's degree - 
and she's still living in poverty&#8221;</a></li> <li><a href="http://www.huffingtonpost.com/julia-meszaros/the-rise-of-the-hyper-edu_b_6460180.html">&#8220;The Rise of the Hyper Educated Poor&#8221;</a></li> </ul> <p>Adding some weight to what a (PhD professor) Sinophile friend says is an old Chinese saying: &#8220;Poor as a professor; dumb as a PhD.&#8221;</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2Ffeed%2F&entry=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2F%3Fp%3D6735Keystroke Logger Disguised as a USB Chargerhttps://www.schneier.com/blog/archives/2015/01/keystroke_logge.htmltag:www.schneier.com,2015:/blog//2.6718Wed, 14 Jan 2015 08:39:00 -0500<p><a href="http://www.theregister.co.uk/2015/01/13/this_10_phone_charger_will_wirelessly_keylog_your_boss/">It's</a> <a href="http://boingboing.net/2015/01/12/keysweeper-creepy-keystroke-l.html">called</a> <a href="http://samy.pl/keysweeper/">KeySweeper</a>.</p> <p><a href="http://threatpost.com/how-a-10-usb-charger-can-record-your-keystrokes-over-the-air/110367">More</a> <a href="http://it.slashdot.org/story/15/01/13/183226/wireless-keylogger-masquerades-as-usb-phone-charger">articles</a>. 
Source <a href="https://github.com/samyk/keysweeper">code</a>.<br /> </p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2015%3A%2Fblog%2F%2F2.6718David Cameron's Plan to Ban Encryption in the UKhttps://www.schneier.com/blog/archives/2015/01/david_camerons_.htmltag:www.schneier.com,2015:/blog//2.6715Tue, 13 Jan 2015 15:07:00 -0500<p>In the wake of the Paris terrorist shootings, David Cameron has said that he <a href="http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-and-snapchat-could-be-banned-under-new-surveillance-plans-9973035.html">wants</a> <a href="http://www.telegraph.co.uk/technology/internet-security/11340621/Spies-should-be-able-to-monitor-all-online-messaging-says-David-Cameron.html">to</a> <a href="http://www.bbc.com/news/uk-politics-30778424">ban</a> encryption in the UK. Here's the quote: "If I am prime minister I will make sure that it is a comprehensive piece of legislation that does not allow terrorists safe space to communicate with each other."</p> <p>This is similar to FBI director James Comey's <a href="https://www.schneier.com/blog/archives/2014/10/more_crypto_war.html">remarks</a> from last year. And it's equally <a href="https://www.schneier.com/blog/archives/2014/10/iphone_encrypti_1.html">stupid</a>. </p> <p>Cory Doctorow has a <a href="http://boingboing.net/2015/01/13/what-david-cameron-just-propos.html">good essay</a> on Cameron's proposal:</p> <blockquote><p>For David Cameron's proposal to work, he will need to stop Britons from installing software that comes from software creators who are out of his jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. 
They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you've downloaded hasn't been tampered with.</p> <p>Cameron is not alone here. The regime he proposes is already in place in countries like Syria, Russia, and Iran (for the record, none of these countries have had much luck with it). There are two means by which authoritarian governments have attempted to restrict the use of secure technology: by network filtering and by technology mandates.</p></blockquote>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2015%3A%2Fblog%2F%2F2.6715Similar Projects to SandboxOShttp://www.unprompted.com/projects/blog/sandboxos_comparisonhttp://www.unprompted.com/projects/blog/sandboxos_comparisonSun, 11 Jan 2015 17:06:00 -0500<p> When I started working on SandboxOS, I was somewhat in disbelief that nobody was doing this already. Since then, I have discovered a handful of projects with similar goals, but as far as I can tell, it is still unique enough to continue pursuing. </p> <h1>JavaScript Contenders</h1> <p> There are a handful of JavaScript-related projects with similarities. </p> <h2>node.js + io.js</h2> <p> <a href="http://www.unprompted.com/projects/attachment/blog/sandboxos_comparison/nodejs.png"><img width="128" style="float:right" src="http://www.unprompted.com/projects/raw-attachment/blog/sandboxos_comparison/nodejs.png" /></a><a href="http://nodejs.org/">Node.js</a>, and by extension <a href="https://iojs.org/">io.js</a>, are essentially another runtime environment similar to those of <a href="https://www.perl.org/">Perl</a>, <a href="https://www.python.org/">Python</a>, and <a href="https://www.ruby-lang.org/">Ruby</a>. 
</p> <p> node.js popularized using JavaScript outside of the web browser, especially web server-side, allowing web applications to be built completely in JavaScript. But ultimately node.js and io.js compete in an already overpopulated niche. </p> <p> SandboxOS is different, because it introduces a security model and an application model. </p> <h2>node-os</h2> <p> node-os is an operating system built from node.js running on a Linux kernel. </p> <p> This seems to be the result of taking the package manager from node.js, npm, to its extreme and using it for managing all system files. </p> <p> There is not really much comparison with SandboxOS. It is just another interesting project in the same area. </p> <h2>Runtime.JS</h2> <p> Runtime.JS is an operating system kernel built using V8 and JavaScript. </p> <p> It is an attempt at eliminating one layer of the stack commonly present in node.js applications. </p> <p> SandboxOS, for better or worse, adds another layer. </p> <h1>Linux Container-based Contenders</h1> <p> I am not especially familiar with recent developments in Linux containerization. I've gathered that it is a step beyond virtualization, allowing some amount of isolation without sacrificing performance. </p> <p> SandboxOS is different from all of them in that it attempts to make it easy to host web applications on all sorts of devices - anything where web browsers are found. While I have yet to measure the performance implications, the goal is to move toward having many more servers with many fewer (often just one?) users. </p> <h2>Docker / Rocket</h2> <p> <a href="http://www.unprompted.com/projects/attachment/blog/sandboxos_comparison/docker.png"><img width="128" style="float:right" src="http://www.unprompted.com/projects/raw-attachment/blog/sandboxos_comparison/docker.png" /></a><a href="https://www.docker.com/">Docker</a> is the current dominating presence in this area. It appears to be tailored primarily toward sysadmins. 
</p> <p> Rocket is an alternative being built for <a href="https://coreos.com/blog/rocket/">CoreOS</a>. </p> <h2>Sandstorm</h2> <p> <a href="http://www.unprompted.com/projects/attachment/blog/sandboxos_comparison/sandstorm.png"><img width="128" style="float:right" src="http://www.unprompted.com/projects/raw-attachment/blog/sandboxos_comparison/sandstorm.png" /></a>Sandstorm is the first project that actually concerned me that I might be stepping on somebody's toes. Their goals are very much aligned with mine, but they're taking a completely different approach, using Linux containerization. Interestingly, <a href="https://blog.sandstorm.io/news/2014-08-19-why-not-run-docker-apps.html">Sandstorm does a good job explaining</a> why containers are great, but they don't solve enough of the problem. </p> <p> They aim to make it trivial to run servers and make a better future for open source webapps, and I wish them luck. </p> <h1>Editing Apps</h1> <p> It may just be because programmers like <a href="http://en.wikipedia.org/wiki/G%C3%B6del,_Escher,_Bach">strange loops</a>, but being able to edit applications from an application which is itself editable is a fundamental assumption in SandboxOS. </p> <p> SandboxOS targets the most devices by far. </p> <h2>OLPC Develop Activity</h2> <p> I think I first heard such a goal proposed for the One Laptop per Child project. Their <a href="http://wiki.laptop.org/go/Develop">Develop activity</a> seemed to be down-prioritized pretty quickly, but it was a neat concept and it is a neat project. </p> <h2>Wiki OS</h2> <p> I'm not clear on the origins of <a href="https://www.wiki-os.org/">Wiki OS</a>, but it seems to be an attempt at reproducing a traditional desktop environment on the web on devices where Silverlight can be run, and it allows modifying applications with an interface that I would compare to Visual Basic. 
</p> <h2>Android AIDE</h2> <p> I encountered <a href="https://play.google.com/store/apps/details?id=com.aide.ui">AIDE</a> while in the middle of marveling at how seemingly unnecessarily difficult mobile development is made by the available toolchains. That project puts all of the tools necessary to build Android applications on-device. </p> <h1>Decentralization</h1> <p> One final theme I am watching for activity on is decentralization. </p> <p> <a href="http://techcrunch.com/2015/01/10/decentralize-all-the-things/">This recent article</a> hints at future tech to decentralize web applications "like BitTorrent does" without any information on how that can work. </p> <p> <a href="https://unhosted.org/">Unhosted web applications</a> are another trend of building web applications without a server component altogether. </p> <h1>Conclusion</h1> <p> There is a lot of activity in this area. So far, SandboxOS seems to be going in the right direction and not stepping on anybody's toes, so I'm going to charge forward with it! </p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.unprompted.com%2Fprojects%2Fblog%3Fformat%3Drss&entry=http%3A%2F%2Fwww.unprompted.com%2Fprojects%2Fblog%2Fsandboxos_comparisonNew Hopkinton Outdoor Rink open for the Seasonhttps://groups.google.com/a/hopkintonma.gov/d/topic/hopnotices/Y0LuJ6u7jYghttps://groups.google.com/a/hopkintonma.gov/d/topic/hopnotices/Y0LuJ6u7jYgFri, 09 Jan 2015 14:27:00 -0500The new Hopkinton Outdoor Rink, located on the basketball courts in between the high school and middle school, was officially opened Thursday with a ribbon cutting on the ice. 
The rink is a result of a collaborative effort from many town departments (Fire Department, Water Department, DPW, the Schoohttp://quec.li/EntryComments?feed=https%3A%2F%2Fgroups.google.com%2Fa%2Fhopkintonma.gov%2Fgroup%2Fhopnotices%2Ffeed%2Fatom_v1_0_topics.xml&entry=https%3A%2F%2Fgroups.google.com%2Fa%2Fhopkintonma.gov%2Fd%2Ftopic%2Fhopnotices%2FY0LuJ6u7jYgConsumers Deserve Protection Against the Scourge of DRM?Will the UN Help?https://www.eff.org/deeplinks/2015/01/tell-un-consumers-deserve-protection-against-scourge-drm83800 at https://www.eff.orgThu, 08 Jan 2015 16:48:00 -0500http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.eff.org%2Frss%2Fupdates.xml&entry=83800+at+https%3A%2F%2Fwww.eff.orgKnow when to fold 'em: computer aces Texas hold 'em pokerhttp://feeds.reuters.com/~r/reuters/technologysectorNews/~3/cGxsDZvZ9xc/story01.htmhttp://www.reuters.com/article/2015/01/08/science-poker-idUSL1N0UL0RW20150108?feedType=RSS&amp;feedName=technologySectorThu, 08 Jan 2015 14:00:00 -0500NEW YORK, Jan 8 (Reuters) - Almost always raise your opponent's first bet, which can provoke an immediate fold. In later rounds, if your opponent raises, re-raise if you're holding at least a pair of threes. 
Err on the side of playing a hand, not folding.http://quec.li/EntryComments?feed=http%3A%2F%2Ffeeds.reuters.com%2Freuters%2FtechnologysectorNews&entry=http%3A%2F%2Fwww.reuters.com%2Farticle%2F2015%2F01%2F08%2Fscience-poker-idUSL1N0UL0RW20150108%3FfeedType%3DRSS%26amp%3BfeedName%3DtechnologySectorLoitering as a Security Systemhttps://www.schneier.com/blog/archives/2015/01/loitering_as_a_.htmltag:www.schneier.com,2015:/blog//2.6488Mon, 05 Jan 2015 08:10:00 -0500<p>In Kyoto, taxi drivers are encouraged to <a href="http://en.rocketnews24.com/2015/01/02/kyoto-taxi-drivers-reduce-convenience-store-robberies-50-percent-by-doing-absolutely-nothing/">loiter</a> around convenience stores late at night. Their presence reduces crime.</p> <blockquote><p>In Kyoto about half of the convenience stores had signed on for the Midnight Defender Strategy. These 500 or so shops hung posters with slogans such as "vigilance strengthening" written on them in their windows. 
These signs are indicators to taxi drivers that they are allowed to park there as long as they like during breaks. The stores lose a few parking spaces in the process but gain some extra eyes which may be enough to deter a would-be bandit from making their move. <p>Since the program started in September 2013 the number of armed robberies among participating stores dropped to four compared to 18 in the previous year. On the other hand, the shops which were not in the Midnight Defender Strategy saw an increase in robberies, up from seven to nine incidents compared to the year before. Overall the total number of robberies was nearly halved in the prefecture.</p></blockquote> <p>Hacker News <a href="https://news.ycombinator.com/item?id=8836428">thread</a>.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2015%3A%2Fblog%2F%2F2.6488TLS WTFhttp://www.unprompted.com/projects/blog/sandboxos_tlshttp://www.unprompted.com/projects/blog/sandboxos_tlsFri, 02 Jan 2015 21:09:00 -0500<p> This is my recollection of my misadventures in trying to support TLS for <a href="http://www.unprompted.com/projects/blog/sandboxos_overview">SandboxOS</a>. </p> <h2>The Goal</h2> <p> I have a JavaScript runtime environment. I want it to be able to do these things: </p> <ul><li>Run a web server that supports HTTPS to secure or even just obfuscate my traffic. </li><li>Connect to web servers over HTTPS to post to <a href="http://www.twitter.com/">Twitter</a> and whatnot. </li><li>Connect to XMPP and IRC servers requiring secure connections to run chat clients and bots. </li></ul><p> I want it to be able to do those things on Linux, OS X, and Windows, and I don't have a very high tolerance for complicated build steps or large dependencies. </p> <h2>Background</h2> <p> "I want to use SSL," I thought to myself. 
<a href="https://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html">Apparently</a> what I wanted is called TLS these days. I scratched my head and moved on, because this was the least of my problems. </p> <p> Going in, I knew that OpenSSL had recent <a href="http://heartbleed.com/">vulnerabilities</a>, leading it to be forked into LibreSSL. I knew that GnuTLS was a thing. Outside of that, I did not have much knowledge about what was available. </p> <p> I did some research and found that I should look into Mozilla's NSS as something that could potentially work on all the platforms I cared about. I also learned that if I wanted to support the most common libraries on each platform, I would need to look into SSPI on Windows. I also saw that node.js uses OpenSSL on all platforms. </p> <p> I'm using libuv for doing all of my socket I/O, and I'm pretty happy with it. But it poses a challenge here, because these libraries tend to prefer being used as a wrapper on top of native BSD-style sockets and I didn't want TLS interfering with libuv's event loops at all. I chose to try to pass data around myself in order to avoid that scenario. It looks like NSS creates unnecessary intermediate sockets to abstract away that interface. </p> <h2>Getting Started: Build the Libraries</h2> <p> I believe it went like this: </p> <ol><li>Look at Mozilla NSS (Network Security Services). <ul><li>GPL-compatible license. Good. </li><li>Supports the platforms I care about. Good. </li><li>Get it and try to build it. They have a non-trivial custom build harness. Not a great sign, but OK. </li><li>Try to build it for win32/x64. Discover <a href="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Building">this note</a>: <blockquote> <p> Note: Building for a 64-bit environment/ABI is only supported on Unix/POSIX platforms. </p> </blockquote> </li><li>Looked at the API a bit. It looks like it really wants to be bound to system sockets. 
That will incur unnecessary overhead the way I want to use it. Lame. </li><li>That was enough strikes for me. I wasn't about to maintain my own builds of this for three platforms, and I certainly wasn't about to let this constrain me to Win32/x86, if that note was correct. </li></ul></li><li>Look at LibreSSL. <ul><li>GPL-compatible license. Good. </li><li>It looks like the latest release is expected to be usable. Great. </li><li>It only builds on Windows through <a href="http://stackoverflow.com/questions/26235941/is-there-a-way-to-run-libressl-on-windows">MinGW</a>. Ugg. </li><li>By this time I had some OpenSSL code. I tried it on OS X and found that the OpenSSL system library on OS X was supported but has been deprecated for some time. Crap. </li></ul></li></ol><h2>I Wrote a TLS Wrapper</h2> <p> I resolved to support OpenSSL on Linux, the <a href="https://developer.apple.com/library/mac/documentation/Security/Reference/secureTransportRef/index.html">Secure Transport API</a> on OS X, and SSPI on Windows, and all in code that could be easily extracted to use for other projects. 
</p> <p> Currently the entirety of the public API looks like this, though I haven't yet tackled SSPI: </p> <div><pre>class Tls {
public:
    static Tls* create(const char* key, const char* certificate);
    virtual ~Tls() {}

    virtual void startAccept() = 0;
    virtual void startConnect() = 0;
    virtual void shutdown() = 0;

    enum HandshakeResult {
        kDone,
        kMore,
        kFailed,
    };
    virtual HandshakeResult handshake() = 0;

    enum ReadResult {
        kReadZero = -1,
        kReadFailed = -2,
    };
    virtual int readPlain(char* buffer, size_t bytes) = 0;
    virtual int writePlain(const char* buffer, size_t bytes) = 0;
    virtual int readEncrypted(char* buffer, size_t bytes) = 0;
    virtual int writeEncrypted(const char* buffer, size_t bytes) = 0;
    virtual void setHostname(const char* hostname) = 0;
};
</pre></div><h2>Implementation Rants</h2> <p> I don't know where to begin. </p> <ol><li>There are not enough good examples. If you are an engineer at Apple who worked on the Security framework, where did you put your ~100 line C file test case that fetches <a href="https://www.apple.com/">https://www.apple.com/</a> and fails if you try to reach the same server by a different name? <ul><li><a href="http://www.rtfm.com/openssl-examples/">This</a> was the best I could find for OpenSSL. It's alright but 12 years old. </li><li><a href="http://www.coastrd.com/c-schannel-smtp">This</a> is why I haven't attempted SSPI yet. I think SSPI will be manageable, but that example is insane. </li></ul></li><li>Do not pretend TLS connections are BSD-style sockets. TLS is a terribly <a href="http://www.joelonsoftware.com/articles/LeakyAbstractions.html">leaky abstraction</a>. Socket calls that ought not to block might need to block so that TLS handshaking can finish. New errors can occur at every turn. A TLS session can close without the network connection going away. Stop pretending it's not a separate layer. </li><li><strong>Verify hostnames.</strong> TLS without hostname verification <a href="http://tersesystems.com/2014/03/23/fixing-hostname-verification/">isn't secure</a>. OpenSSL did not make verifying hostnames easy. The headers I have on debian jessie required me to extract the names from the certificate and do my own pattern matching to account for wildcard certificates. I had several implementations where it appeared the default verification would check names, but only testing showed that it wasn't happening. Apple made it a fair bit easier, but it still didn't happen by default. 
</li><li>So far I have not yet found how to load my certificate and private key from PEM files on OS X without calling this private function <a href="http://www.opensource.apple.com/source/Security/Security-55179.13/sec/Security/SecIdentity.c">from the Security framework</a>: <div><pre>extern "C" SecIdentityRef SecIdentityCreate(CFAllocatorRef allocator, SecCertificateRef certificate, SecKeyRef privateKey); </pre></div>All other attempts I've made at getting a SecIdentityRef from my key and certificate have failed. I could keep them in the login keychain, but I want to support PEM on all platforms for consistency. </li></ol><h2>Results</h2> <p> So SandboxOS does what I need for TLS for now. It took me five times longer to write than I had hoped, and doesn't support TLS on Windows yet. </p> <p> It can connect to secure servers. It verifies hostnames when you do that. I can run a secure web server with it. It might be fun to support client certificates, but that is about as far as I want this to go, and that can happen later. </p> <p> I'm hoping somebody searching for some of these words will stumble upon this and either show me how stupid I've been or benefit from <a href="http://www.unprompted.com/projects/browser/projects/sandboxos/trunk/src/Tls.cpp">browser:projects/sandboxos/trunk/src/Tls.cpp</a>. </p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.unprompted.com%2Fprojects%2Fblog%3Fformat%3Drss&entry=http%3A%2F%2Fwww.unprompted.com%2Fprojects%2Fblog%2Fsandboxos_tlsWorryinghttp://xkcd.com/1468/http://xkcd.com/1468/Fri, 02 Jan 2015 00:00:00 -0500<img src="http://imgs.xkcd.com/comics/worrying.png" title="If the breaking news is about an event at a hospital or a lab, move it all the way over to the right." alt="If the breaking news is about an event at a hospital or a lab, move it all the way over to the right." 
/>http://quec.li/EntryComments?feed=http%3A%2F%2Fxkcd.com%2Frss.xml&entry=http%3A%2F%2Fxkcd.com%2F1468%2FMore Data on Attributing the Sony Attackhttps://www.schneier.com/blog/archives/2014/12/more_data_on_at.htmltag:www.schneier.com,2014:/blog//2.6483Wed, 31 Dec 2014 08:52:00 -0500<p>An <a href="http://www.4thmedia.org/2014/12/breaking-we-can-conclusively-confirm-north-korea-was-not-behind-sony-hack/">analysis</a> of the timestamps on some of the leaked documents shows that they were downloaded at USB 2.0 speeds -- which implies an insider.</p> <blockquote><p>Our Gotnews.com investigation into the data that has been released by the "hackers" shows that someone at Sony was copying 182GB at minimum the night of the 21st -- the very same day that Sony Pictures' head of corporate communications, Charles Sipkins, publicly resigned from a $600,000 job. This could be a coincidence but it seems unlikely. Sipkins's former client was NewsCorp and Sipkins was officially fired by Pascal's husband over a snub by the Hollywood Reporter. <p>Two days later a malware bomb occurred.</p> <p>We are left with several conclusions about the malware incident:</p> <ol><li>The "hackers" did this leak physically at a Sony LAN workstation. Remember Sony's internal security is hard on the outside squishy in the center and so it wouldn't be difficult for an insider to harm Sony by downloading the material in much the same way Bradley Manning or Edward Snowden did at their respective posts. <p><li>If the "hackers" already had copies, then it's possible they made a local copy the night of the 21st to prepare for publishing them as a link in the malware screens on the 24th.</ol></p> <p>Sony CEO Michael Lynton's released emails go up to November 21, 2014. 
Lynton got the "God'sApstls" email demand for money on the 21st at 12:44pm.</p></blockquote> <p><a href="http://blog.norsecorp.com/2014/12/29/ex-employee-five-others-fingered-in-sony-hack/">Other evidence</a> implies insiders as well:</p> <blockquote><p>Working on the premise that it would take an insider with detailed knowledge of the Sony systems in order to gain access and navigate the breadth of the network to selectively exfiltrate the most sensitive of data, researchers from Norse Corporation are focusing on this group based in part on leaked human resources documents that included data on a series of layoffs at Sony that took place in the Spring of 2014. <p>The researchers tracked the activities of the ex-employee on underground forums where individuals in the U.S., Europe and Asia may have communicated prior to the attack.</p> <p>The investigators believe the disgruntled former employee or employees may have joined forces with pro-piracy hacktivists, who have long resented the Sony's anti-piracy stance, to infiltrate the company's networks.</p></blockquote> <p>I have been skeptical of the insider theory. It requires us to postulate the existence of a single person who has both insider knowledge and the requisite hacking skill. And since I don't believe that insider knowledge was required, it seemed unlikely that the hackers had it. But these results point in that direction.</p> <p>Pointing in a completely different direction, a linguistic analysis of the grammatical errors in the hacker communications <a href="https://taia.global/2014/12/taia-global-linguists-establish-nationality-of-sony-hackers-as-russian-not-korean/">implies</a> that they are Russian speakers:</p> <blockquote><p>Taia Global, Inc. has examined the written evidence left by the attackers in an attempt to scientifically determine nationality through Native Language Identification (NLI). We tested for Korean, Mandarin Chinese, Russian, and German using an analysis of L1 interference. 
Our preliminary results show that Sony's attackers were most likely Russian, possibly but not likely Korean and definitely not Mandarin Chinese or German.</p></blockquote> <p>The FBI still <a href="http://www.politico.com/story/2014/12/fbi-briefed-on-alternate-sony-hack-theory-113866.html">blames</a> North Korea:</p> <blockquote><p>The FBI said Monday it was standing behind its assessment, adding that evidence doesn't support any other explanations. <p>"The FBI has concluded the government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment. Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector," a spokeswoman said in a statement. "There is no credible information to indicate that any other individual is responsible for this cyber incident."</p></blockquote> <p>Although it is now <a href="http://in.reuters.com/article/2014/12/30/northkorea-cyberattack-idINL1N0UD1IB20141230">thinking</a> that the North Koreans hired outside hackers:</p> <blockquote><p>U.S. investigators believe that North Korea likely hired hackers from outside the country to help with last month's massive cyberattack against Sony Pictures, an official close to the investigation said on Monday. <p>As North Korea lacks the capability to conduct some elements of the sophisticated campaign by itself, the official said, U.S. investigators are looking at the possibility that Pyongyang "contracted out" some of the cyber work.</p></blockquote> <p>This is nonsense. 
North Korea has had extensive <a href="http://www.voanews.com/content/north-koreas-world-class-cyber-attacks-coming-from-china/1795349.html">offensive</a> <a href="http://www.aljazeera.com/indepth/features/2011/06/201162081543573839.html">cyber</a> <a href="http://www.news.com.au/technology/north-korea-training-an-army-of-computer-hackers-to-launch-cyber-attacks/story-e6frfro0-1226605278059">capabilities</a> for years. And it has <a href="http://www.securityweek.com/china-likely-factor-north-korea-cyber-prowess-experts">extensive support</a> from China.</p> <p>Even so, lots of security experts don't believe that it's North Korea. Marc Rogers <a href="http://marcrogers.org/2014/12/21/why-i-still-dont-think-its-likely-that-north-korea-hacked-sony/">picks the FBI's evidence apart</a> pretty well. </p> <blockquote><p>So in conclusion, there is NOTHING here that directly implicates the North Koreans. In fact, what we have is one single set of evidence that has been stretched out into 3 separate sections, each section being cited as evidence that the other section is clear proof of North Korean involvement. As soon as you discredit one of these pieces of evidence, the whole house of cards will come tumbling down.</p></blockquote> <p>But, as I <a href="https://www.schneier.com/blog/archives/2014/12/did_north_korea.html">wrote</a> earlier this month:</p> <blockquote><p>Tellingly, the FBI's <a href="http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation">press release</a> says that the bureau's conclusion is only based "in part" on these clues. This leaves open the possibility that the government has classified evidence that North Korea is behind the attack. The NSA has been trying to eavesdrop on North Korea's government communications since the Korean War, and it's reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. 
It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un's sign-off on the plan. <p>On the other hand, maybe not. I could have written the same thing about Iraq's weapons of mass destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that.</p></blockquote> <p>I also <a href="https://www.schneier.com/blog/archives/2014/12/did_north_korea.html">wrote</a> that bluffing about this is a smart strategy for the US government: </p> <blockquote><p>...from a diplomatic perspective, it's a smart strategy for the US to be overconfident in assigning blame for the cyberattacks. Beyond the politics of this particular attack, the long-term US interest is to discourage other nations from engaging in similar behavior. If the North Korean government continues denying its involvement, no matter what the truth is, and the real attackers have gone underground, then the US decision to claim omnipotent powers of attribution serves as a warning to others that they will get caught if they try something like this.</p></blockquote> <p>Of course, this strategy completely backfires if the attackers can be definitely shown to be <i>not</i> from North Korea. 
Stay tuned for more.</p> <p>EDITED TO ADD (12/31): Lots of people in the comments are doubting the USB claim.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2014%3A%2Fblog%2F%2F2.6483Ex-Korean Air executive detained in 'nut rage' casehttp://reuters.us.feedsportal.com/c/35217/f/654235/s/41e1af1f/sc/8/l/0L0Sreuters0N0Carticle0C20A140C120C30A0Ckal0Eprobe0EidUSL3N0AUE1AA20A141230A0DfeedType0FRSS0GfeedName0FindustrialsSector/story01.htmhttp://www.reuters.com/article/2014/12/30/kal-probe-idUSL3N0UE1AA20141230?feedType=RSS&amp;feedName=industrialsSectorTue, 30 Dec 2014 10:18:00 -0500SEOUL, Dec 31 (Reuters) - A South Korean court on Tuesday ordered that a former Korean Air Lines executive be detained for delaying a flight following an outburst over the way she was served nuts, in a case that prompted both outrage and ridicule.http://quec.li/EntryComments?feed=http%3A%2F%2Ffeeds.reuters.com%2Freuters%2FindustrialsNews&entry=http%3A%2F%2Fwww.reuters.com%2Farticle%2F2014%2F12%2F30%2Fkal-probe-idUSL3N0UE1AA20141230%3FfeedType%3DRSS%26amp%3BfeedName%3DindustrialsSector