



Archive for August 2018

Free Software for Tallying Votes in Los Angeles County


In the November 2018 election, Los Angeles County will implement at least two of the three most important voting-system reforms, namely paper ballots and free software. (I don't know whether they will manage to implement the third reform, which is auditing of randomly sampled precinct results.)

“L.A. County Gets State Approval of New Vote-Counting System Using Open Source Software”
John Myers, Los Angeles Times, August 22, 2018

It is the first election system of its kind, using publicly available source code that has been certified for use in California.

#free-software #voting-systems

Our War in Yemen


“America Is Committing War Crimes and Doesn't Even Know Why”
Micah Zenko, Foreign Policy, August 15, 2018

The military commander responsible for overseeing the provision of support for a new air war in the Middle East did not know what the goals of the intervention were, or how he could evaluate whether it was successful. The United States had become a willing co-combatant in a war without any direction or clear end state.

Two inevitable results have followed. First, there have been a litany of war crimes of the sort perpetrated last weekend, in which Saudi planes, using American munitions, bombed a school bus killing dozens of Yemeni schoolchildren. Second, the U.S. government has responded to those crimes with silences that might seem chastened, but in truth must be classified as defiant, given the bureaucratic maneuvering undertaken to obscure the United States' unthinking complicity both to outsiders and to itself.

In some ways, I suppose that it's better for such war crimes to be completely unmotivated and unintelligible acts of random psychosis than to have American politicians pretend to be protecting the homeland from terrorists.

#war #Yemen #foreign-policy

CIA Field Agent Cyberdefense Failed


“Botched CIA Communications System Helped Blow Cover of Chinese Agents”
Zach Dorfman, Foreign Policy, August 15, 2018

It was considered one of the CIA's worst failures in decades: Over a two-year period starting in late 2010, Chinese authorities systematically dismantled the agency's network of agents across the country, executing dozens of suspected U.S. spies. …

Now, nearly eight years later, it appears that the agency botched the communication system it used to interact with its sources, according to five current and former intelligence officials. …

When CIA officers begin working with a new source, they often use an interim covert communications system — in case the person turns out to be a double agent.

The communications system used in China during this period was internet-based and accessible from laptop or desktop computers, two of the officials said.

This interim, or “throwaway,” system, an encrypted digital program, allows for remote communication between an intelligence officer and a source, but it is also separated from the main communication system used with vetted sources, reducing the risk if an asset goes bad.

Although they used some of the same coding, the interim system and the main covert communication platform used in China at this time were supposed to be clearly separated. In theory, if the interim system were discovered or turned over to Chinese intelligence, people using the main system would still be protected — and there would be no way to trace the communication back to the CIA. But the CIA's interim system contained a technical error: It connected back architecturally to the CIA's main covert communications platform. When the compromise was suspected, the FBI and NSA both ran “penetration tests” to determine the security of the interim system. They found that cyber experts with access to the interim system could also access the broader covert communications system the agency was using to interact with its vetted sources, according to the former officials. …

U.S. intelligence officers were also able to identify digital links between the covert communications system and the U.S. government itself, according to one former official — links the Chinese agencies almost certainly found as well. These digital links would have made it relatively easy for China to deduce that the covert communications system was being used by the CIA. In fact, some of these links pointed back to parts of the CIA's own website, according to the former official.

As a rule of thumb, it is now about three orders of magnitude more difficult to defend against computer and network intrusions than to carry out the intrusions themselves.

#Central-Intelligence-Agency #China #communications-security #espionage

The NSA Can Crack the Cryptosystems That Most VPNs Use


Increasing numbers of Internet Service Providers monitor or record all of their customers' interactions and distort them, when possible, by dropping ads onto Web pages and e-mail messages and redirecting some IP addresses. Customers who are concerned about privacy and/or unimpeded communication have begun using virtual private networks — agents that receive service requests from customers and forward them to the designated services, concealing their origin. The VPN receives the results and returns them to the customer. All communications between the customer and the VPN are encrypted so that the customer's ISP's recordings of the transactions aren't intelligible and the ISP has no way to modify their content.

This of course means that the customer has to trust the VPN more than the local ISP, since the VPN could play the same kinds of tricks if it chose to do so. A number of VPN service providers have been found to be corrupt in exactly this way.

The mediation is also pointless if the encryption that the VPN uses when interacting with customers can be broken by eavesdroppers. It turns out that many otherwise competent and honest VPNs are using weak cryptosystems with known vulnerabilities, and that many others are using cryptosystems that well-funded state agencies such as the National Security Agency have been able to break since at least 2006, even though stronger alternatives are available.

“NSA Cracked Open Encrypted Networks of Russian Airlines, Al Jazeera, and Other ‘High Potential’ Targets”
Micah Lee, The Intercept, August 15, 2018

The National Security Agency successfully broke the encryption on a number of “high potential” virtual private networks, including those of media organization Al Jazeera, the Iraqi military and internet service organizations, and a number of airline reservation systems, according to a March 2006 NSA document. …

There are many different VPN protocols in use, some of them known to be less secure than others, and each can be configured in ways to make them more or less secure. One, Point-to-Point Tunneling Protocol, “is old and insecure and there are bunch of known security vulnerabilities since forever,” Nadia Heninger, cryptography researcher at the University of Pennsylvania, told me in an email. “I would not at all be shocked if these were being exploited in the wild.”

The NSA also appears to have, at least in some situations, broken the security of another VPN protocol, Internet Protocol Security, or IPSec, according to the Snowden documents published by The Intercept and Der Spiegel in 2014.

“For both TLS and IPsec, there are both secure and insecure ways of configuring these protocols, so they can't really be labeled as blanket ‘secure’ or ‘insecure,’” Heninger explained. “Both protocols offer a zillion configurable options, which is a source of a lot of the published protocol-level vulnerabilities, and there are cipher suites and parameter choices for both protocols that are definitely known to be cryptographically vulnerable.” Still, she was “pretty confident” that there are ways to configure TLS and IPsec that “should resist all known attacks.” …

In 2015, Heninger and a team of 13 other cryptographers published a paper, titled “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice,” that revealed major weaknesses in the security of several of the internet's most popular protocols. Their paper described a new attack called Logjam and concluded that it was within the resources of a nation-state to use this attack to compromise 66 percent of all IPSec VPNs. “A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break,” the authors speculated.

#virtual-public-networks #encryption #National-Security-Agency

Facebook Purges Leftist Media Company


“teleSUR English Removed from Facebook for Second Time”
teleSUR English, August 14, 2018

“‘Deeply Disturbing’: For Second Time This Year, Facebook Suspends Left-Leaning teleSUR English without Explanation”
Jessica Corbett, Common Dreams, August 14, 2018

Just another ratchet click, advancing a policy that has already been established for some time:

“Facebook Says It Is Deleting Accounts at the Direction of the U.S. and Israeli Governments”
Glenn Greenwald, The Intercept, December 30, 2017

It's not surprising that Facebook finds straightforward reports of events that happen in the world to be “hateful, threatening or obscene.” I often feel that way myself. The difference is that it's not my policy to keep other people from finding out things that I already know.

#Facebook #social-media #news-suppression

Twitter Purges Antiwar Writer


Twitter has purged an author and critic of the American wars in the Middle East for sassing the Establishment too roughly. They also suspended two antiwar libertarians after they complained about the purge.

“I Was Banned for Life from Twitter”
Peter van Buren, The American Conservative, August 9, 2018

I suppose it's just as well. As a corporation, Twitter simply can't sustain an open, global forum for political ideas. It's not cost-effective.

#Twitter #social-media #war

TSA Oppression Continues


The Senate Committee on Commerce, Science, and Transportation called in some of the honchos in the Transportation Security Administration to ask a few pointed questions about the “Quiet Skies” program, under which the TSA dispatches teams of air marshals to surveil people who fidget too much in airports or get glassy-eyed waiting for their flights to be called. The witnesses boasted that they had monitored five thousand suspicious-looking passengers and confirmed that not one of them posed a threat to anyone's safety.

Given this perfect track record, the TSA plans to continue the program and to re-educate the air marshals who have complained about its pointlessness. It's not really pointless if it contributes to the oppressive atmosphere of modern American airports and helps to assure passengers that every move they make is monitored by armed law-enforcement officers. That sense of living in a police state is America's strongest defense against terrorism.

“TSA Says ‘Quiet Skies’ Surveillance Snared Zero Threats”
Jana Winter, The Boston Globe, August 3, 2018

Federal air marshals have closely monitored about 5,000 US citizens on domestic flights in recent months under the controversial “Quiet Skies” program, but none were deemed so suspicious that they required further scrutiny …

The TSA defended the program, said it would continue, and announced plans to better educate and communicate with members of the Federal Air Marshal Service …

“TSA Admits ‘Quiet Skies’ Surveillance Program Is Useless, Promises to Continue Engaging in Useless Surveillance”
Tim Cushing, Techdirt, August 10, 2018


Cart-horse confusion expected to continue for the foreseeable future

#Transportation-Security-Administration #surveillance #law-enforcement

Cortana Runs Apps Even When the Screen Is Locked


“Cortana Flaw Allowed Takeover of Locked Windows 10 Device”
Lindsey O'Donnell, Threatpost, August 9, 2018

Thanks to Cortana's “universal access methods” … researchers were able to launch local commands through a locked Windows 10 screen and perform additional risky commands.

The root cause behind “Open Sesame” (CVE-2018-8140) is the fact that the lock screen on Windows 10 devices restricts the keyboard — but allows Cortana invocation through the voice. So once Cortana is invoked, the lock screen no longer restricts it.

Once they exploited the flaw, attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, …

“In the past, the OS made sure the UI is not accessible when the computer is locked, and therefore developers did not need to think about it. Now it's the developers' responsibility,” said [Tal Be'ery of the Israel Institute of Technology].

Sure it is. This is another case of Microsoft designing the operating system so that it conforms to Microsoft's interests rather than to the preferences and needs of users and application developers.

#Cortana #Microsoft #security

This work is licensed under a Creative Commons Attribution-ShareAlike License.

John David Stone

created June 1, 2014 · last revised December 10, 2018