Veracrypt are dogmatic. They avoid relying on TPM for user convenience because they want to prtect against "evil maid attacks" and believe TPM provides a false sense of security. I actually think I know what I want and why (without being mansplained by Veracrypt if you will forgive the feminist escalating but God oh mighty dealing with individuals beliefsystems is frustrating at the best of times). Microsoft actually handle this quitewell atthe user interface level although in the opposite way when it comes to turning TPM off because it is on by default in Windows.
This is why I fully reserve the right to be sceptical and wait for all the evidence.
You and me both.
Though I hate "circumstantial evidence" as I realy do not consider it anything other than an untested supposition on potential coincidence.
I'm not that keen on "forensic evidence" either, it argues backwards from effect to just one of many probable causes, as history shows "forensic practitioners" get it wrong oh so many times, especially if they work for the FBI.
That is I do not believe in applying the laws of...
Full disk encryption with a strong password where the keys are fully erased after shutdown. It won't stop an evil-maid attack, but if the disk is ever stolen and never returned, data shouldn't be readable.
I have picked up that a lot of media seem to follow a hierarchy and cherry pick off each other from a single originating source.
I read this past week that fish oil is also good for boosting breast size. The commentary was fairly predictable.
This past week I have been wearing a sports bra which makes me stick out a bit. I have also been wearing this with a light top makes things much more visible. While out shopping there has been a definate uptick of men deciding they had forgotten something for their shopping basket and looping back to take another look. I...
I have a fair idea of the kind of expertise and effort required. Discrimination cases may be similar too. I know enough about this field I could advise him although have my limits which require other professional expertise to support. Most of the broad brush issues are already known but the number of experts who are able to deal with the sometimes very involved nuances and working out are similarly restricted. This is very infuriating.
If I said there were probably less than a dozen people in the world who could follow the complete discussion this would be fair. I...
You're posting opinion as fact again. The internet isn't really the place to pusha complex case because it involves a lot of careful work and fact checking and cross referencing and thingsproceeding in some kind of order. I hate to sound like Clive but without the formal processes of a court and certified professionals managing the data and a clear checkable record of the discussion in one place it is not possible to make sense of it.
I very clearly kept my comments focused on the one passport issue.It wasn't an invitation to drag everything and the kitchen sink in...
Thereis a fairly well established set of laws and arguments which cover both the exact categoristion of security issue and the technical issues. I personally would only seriously discuss this if this was on the table before discussion. Neverhavigb discussed anythign with you before I would also want to discover exactly what your agenda is and what you want.
With regard to Alex Jones (a multi-millionaire) and his ilk in UK law: There is a positive obligation to improve human rights and equality. When abuse and discrimination has been proven in law the burden of...
> This is a "cold boot" attack, and one we thought solved.
When did we think that? What was supposed to have solved it?
cold-boot means the attacker has physical control over the hardware. Those attacks are difficult to defeat (just ask anyone who's build a games console in the last decade or two). Other than going old-skool-mission-impossible and mixing thermite into the RAMs silicon how do you prevent a cold-boot attack?
“I am a Firefox fan, but they are beginning to have issues, too. Go to "about:config" then enter the search term "http" and you may be surprised to see at least a hundred ways Firefox phones home in order to help you, all the time. hmmmm, been here before. I deleted all I could find which quieted it down quite a bit, and it still mostly works. Anyway,”
That is a real issue and a troublesome issue with FF. Do you have a step-by-step method of eliminating those url calls back to FireFox? How about SSL everywhere? I recommend FF because it still hase the search...
" it is not unusual for the two to have close passport numbers – it merely means they applied together. "
Which is obviously suspicious of itself.
And when these two unrelated "fellows" got them, the first place they needed to visit was SALISBURY.
"Boshirov said the two had gone to visit Salisbury Cathedral, “famous not just in Europe, but in the whole world. It’s famous for its 123-metre spire, it’s famous for its clock, the first one [of its kind] ever created in the world, which is still working.”
Apologies to Bruce in advance, because this isn't directly related to security unless your idea of what is "security" is as broad as mine.
Why has EFF not said word one about Internet platforms (and services like Kickstarter and Paypal) that block or eject people for political dissent?
Even if EFF considers that action to be the organization's own freedom of speech/association, EFF could be a lot of help just as a meeting place for those who would work around these bans by creating competitors to the sites that perform them, and by promoting legislation so that...
I lack knowledge to assess the extent of age discrimination in mathematics.
However, when you wrote "laziness," perhaps you weren't aware that the work would need to be done by a mathematician already expert in some of the special topics (i.e., from a worldwide population of perhaps only a few), and consume full professional attention for possibly a year, or even several years.
It's understandable before committing to such a project, to want to have some confidence that it will be fruitful.
My guess is that for de Branges, his "flying solo" may be a...
Check out a paper entitled "Lest We Remember: Cold Boot Attacks on Encryption Keys" - [citp.princeton.edu] (full 16 page PDF linked from that URL)
It's several years old now, but they demonstrate just how long it takes data to decay in several different DRAM modules, mostly DDR2. Data recovery on cooled modules was possible even after several minutes. I read in another research paper that DDR3 decay was much faster -- a good thing -- on the order of a few seconds, but I cannot...
@aserraric: "carry out the hardware modification (undetected), then wait for the victim to sign on, and then execute the actual attack."
@Mike D: "yank power out of the box, forcing an abnormal power-off, downstream of any UPS, connect your doohickey, and power it back up, letting the doohickey jump in and clear the flag before boot continues."
Careful hardware modification does not necessarily require power to be off to happen... just steal (or confiscate) a still-running computer, open it up while it's still running, clamp your modification onto the chip (carefully)...
We all know what happened to Gordon Welchman on the instigation of the UK government. As for US leaks the US also released information on the Welrod pistol the UK government was refusing to release. I know people say Hollywood is nonsense (and the UK state wordplaying over "suppressor" versus "silencer" is annoying) but the Welrod is a known known. I am left wondering why so many silenced guns available on the open market in the US make such a racket and why nobody has manufactured a modern day equivalent of the Welrod and why Hollywood movies rarely if ever feature the...
de Branges perhaps has more "street cred" than the new claimant, having achieved a really important proof while in his 50s, and having focused much of his career on topics closely related to RH. However, his claims of proof have yet to convince his colleagues, and the analysis of a very long "proof" based on highly specialized work done by de Branges over the years is a very costly undertaking.
I noticed this when I read about this news a couple of days ago. While I appreciate thinsg take effort I do wonder if ageism plays a role in their...
Designing secure voting requires an understanding that the threat comes from within and from within at every level. All(*) the people involved in designing, building, testing, installing, administering, managing the vote process are themselves voters and members of civil society. Some of them are immediately affected by the consequences of elections.
Every single one of them is motivated to some degree or other to subvert the voting process. That is why the best mechanisms are the simplest and the plainest. This lesson is available from the analysis of any voting system: if it...
Tom Wolfe, towards the end of his essay “The Intelligent Coed’s Guide to America”, reprinted in his collection “Mauve Gloves and Madmen, Clutter and Vine” covers the press reaction.
It squared with my personal experience at the time. Wolfe mentions an important television interview with Solzhenitsyn fairly soon after his exile, where he gave a thorough summary of the camps. By chance I had seen it. The interviewer as I recall was popping with indignation and trying to deny, refute or explain away nearly everything said.
Though any number of things could be stored in memory when a computer is idle, Segerdahl notes that an attacker can be sure the device's decryption keys will be among them if she is staring down a computer's login screen, which is waiting to check any inputs against the correct ones.
I don't see why the decryption keys need to be stored in memory for this purpose. You don't need to compare user-submitted decryption keys to a known correct value in order to validate them -- just do the decryption, and if you get garbage, the keys were wrong. If you don't, the keys were correct.
If I understood the gist of your earlier comment, it's about intentional weakening of supposedly "random" generation. I think it's widely understood that this can be done in ways that make a break computationally feasible.
My argument is about typical crypto implementations, which I presume to be intended as strong but which are likely to suffer from typical weaknesses in well-meant (but not catastrophically flawed) PRNGs, which can result in dramatic reductions in the search space ... while still leaving it vastly beyond computational feasibility....
I didn't download your linked documents but did a search and read another paper. I'm really fuzzy about the space-time thing. I did read or watch something the other week which mentioned a few things. It seems the universe was one big super atom thingy whatsit singularity doo dah then early in the big bang only space existed not time with spactime emerging slightly later. This paper helps explain Newton and also why spacetime and gravity emerged.
I only understand about 1% of this. I grasp most of the critical concepts but lack the internal mathematical language to...
The Wall Street Journal (September 21, page A5) has an ad for a Swiss rotor machine called the NEMA, designed to improve on the Enigma; it "contains an incredible 10-wheel rotor designed to correct the vulnerabilities of its predecessor." The price is not mentioned, but it's obviously high enough to pay for a quarter-page WSJ ad. The source is an antiques dealer in New Orleans.
Most of the recent smorguessborat of quantomb physics are actually totally taboo and were never meant to have been released into any type of public or private domain. These types of reckless scientific forays would have otherwise remained forgotten and/or CLASSIFIED and/or all infos destroyed. Yet something went horribly wrong. Humans were never meant to be tampering with any of this type of thing. We are at extreme risk until all such esoteric materials are fully redacted back into complete occlusion and then destroyed before our existence is.
You're assuming Windows performs a real shutdown when the user clicks on "Shutdown". In general, it does not. You have either have to hold down the shift key, change the *default* "fast shutdown" to off or try something like "shutdown /s /f /t 0" in the command area. Otherwise you get the "fast shutdown" that dumps the RAM and lets this attack work.
Unless you are assuming a non-Microsoft OS (which should be step one if you care about your data), this is going to work.
Azidoazide azide contains a lot of energy! It's a shame it cannot be harnessed for batteries. Cars and mobile phones area long way down any use case scenario due to sensitive handling requirements. All you have to do is look at it wrong and it goes bang.
Flags are fast and cheap much like flags (or "deindexing") used by Facebook et al to "delete" information at the request of the user. As we know and as you highlight "delete" doesn't mean delete. If the information still exists it can be used and abused without concious knowledge or approval of the owner.
There are some problems with Bellingcat’s analysis. The first is that they also quote Russian website fontanka.ru as a source, but fontanka.ru actually say the precise opposite of what Bellingcat claim – that the passport number series is indeed a civilian one and civilians do have passports in that series.
@Phaete: Some systems have a JTAG or similar debug/reflash connector. Some don't.
@aserraric: Or, since you have physical access, you just yank power out of the box, forcing an abnormal power-off, downstream of any UPS, connect your doohickey, and power it back up, letting the doohickey jump in and clear the flag before boot continues.
The correct mitigation for this attack is to always wipe down the memory after power-on but before boot, say via hardware reset logic, or some un-overridable ROM boot code, on the same chip as the memory in question. They shouldn't be trusting a flag.
Jason Miller, the US president's former communications adviser, stepped down from his role as a political contributor for the CNN cable channel after the allegations surfaced. He has been accused of getting a woman he met at an Orlando strip club pregnant and then slipping an abortion pill into her...
People keep forgetting the wetware was hacked ten steps before. As he path follows a lot of steps where control and coercion accumulate slowly until a vulberability occers should not come as a surprise. The door then slams shut.
What looks like a lot of "if" "but" "maybe" effeort for an individual is least effort for an organsation. Individuals don't properly perceieve their own OODA loop even if they are aware of the concept.
Tor is vulnerable to trafic analysis as people have been saying for a while now. In fact a number of attacks have used "flow correlation attacks" already, what DeepCorr brings to the party is substantially improved deanonymisation through the use of "deep learning" AI.
When you think about it many privacy / security attacks would br considerably improved with deep learning, however untill recently...
Your introduction is misleading. You need access to a locked, but running computer to execute a "cold boot" attack. You cannot perform such an attack on a computer that is properly shut down, since the key is no longer in RAM in this case.
So, you would have to carry out the hardware modification (undetected), then wait for the victim to sign on, and then execute the actual attack.
@Clive - Can't recall if I posted this last year, but a key player in the lithium-ion space published what is believed to be an important innovation last year. I sent him a note congratulating him on the work and asking for his tips on health and longevity. He said, "Pick good genes." Apparently close behind good genes is a good sense of humor.
So the researchers designed a relatively simple microcontroller and program that can connect to the chip the firmware is on and manipulate the flag.
Connect as in "connect that USB plug to the PC" or Connect as in "connect those wires to that small chip"
Couldn't find that info, it makes it a factor 100 times more difficult or not. But yeah, if solder, then it's the same principle they already did with the iPhone. Hardware hacking becomes more powerful as the old generation of grey beards passes on and info becomes obscure
But suppose that pseudo-random generation is not utterly broken, but merely weak enough that you can exclude 99.99...% of primes of the relevant magnitude, and you know which primes are likely or certain to be skipped.
Easy peasy, I've already built one for fun, it's not that difficult to do... Oh and the NSA is assumed to have used it in the Dual Eliptic Curve Digital RNG that NIST later pulled.
You can read of a better way in a quite recent article I used a modified version of one given in the Cryptovirology book I mention...
Google has become way too intrusive. They must have the explicit approval, encouragement and the blessing of .gov to get away with what they do. (and some others)
I am a Firefox fan, but they are beginning to have issues, too. Go to "about:config" then enter the search term "http" and you may be surprised to see at least a hundred ways Firefox phones home in order to help you, all the time. hmmmm, been here before. I deleted all I could find which quieted it down quite a bit, and it still mostly works. Anyway,
And this is all due to the fact that the press (1) did not, in your view, adequately inform the public about the Soviet prison camp system and moreover (2) refused to report on Solzhenitsyn’s description of life in the Gulag. Have I got that right?
The first part is opinion (“what is adequate?”) but second part is the statement of an objective fact, supposedly. Do you happen to have any evidence that shows the press refusing to report on this topic, as a matter of policy (a “policy of darkness” in your words) to boot?
"They are “effectively” limit periodic — a new kind of order — because the synchronicities in their spacings only hold statistically across the whole system."
"Synchronicity" is a term coined by the noted physicist/mathematician Carl Jung, in a book of the same name. Oh, wait - he was a psychiatrist, not a mathematician, not a physicist. Much of his stuff was bonkers religious speculation. "Synchronicity" is a woo term, and doesn't belong in any kind of scientific discourse.
Bruce I like the picture, sub word and byte, if you v=I(for loop)*sub word byte It produce collision between over values, add other basic maths,instead of a swap byte, you can use maths to workout the value,I had three add,mul,div,sub that just three had enough collision to match The mix columns with the xor I'm thinking of mixing 7f80 it needs some filter like abov,
From Matthew Green's twitter feed: "I switched to Firefox and I’m finding it every bit as Chrome. Also doesn’t surreptititiously associate your browsing with a Google account!" and from [blog.cryptographyengineering.com] :
"Why I’m done with Chrome This blog is mainly reserved for cryptography, and I try to avoid filling it with random “someone is wrong on the Internet” posts. After all, that’s what Twitter is for! But from time to time something...
Matiyasevich showed that the primes can be generated as the positive output values of a certain polynomial in several variables with integer coefficients. (It turns out there are many such representations.) Are the methods behind this kind of work applicable to the factorization problem ?
But seriously folks, there is no space, time, or space-time, just as Newton’s “time flowing everywhere equably etc.” was unreal. What is real is things in motion, and their natural properties. Locality, unitarity, Feynman diagrams are all just convenient approximating assumptions in a mathematical model, with a limited usefulness that has now reached its limits. In all cases, the partial model was confused with the reality, entirely unnecessarily. This kind of thing seems...
"I don't care how friendly it is I aint geting in there!"
They are naturaly solitary animals because even octopi know that octopus tastes good...
Mind you the Japanese have strange longings for tenticals if some of their line drawings are to be believed...
Though my favourit octopus story comes from the London Aquarium. They had an octopus in a tank with a solid lid on. Anyway various other "exhibits started to disappear and theft was suspected but by who... So infra-red CCTV was set up "on the Q T" and the...
A leak of Russian government data about the suspects in the Salisbury poisoning may provide a rare insight into how Russia’s military intelligence agency provides cover identities for its agents abroad.
Investigative journalists have unearthed what appears to be a series of passports with similar numbers belonging to suspected Russian intelligence officers, including the Salisbury...
Octopuses Get Strangely Cuddly On The Mood Drug Ecstasy
"It turns out that octopuses and people have almost identical genes for a protein that binds the signaling molecule serotonin to brain cells. This protein is also the target of MDMA, so Dolen wondered how the drug would affect this usually unfriendly animal."
"I’m still annoyed that Chrome has gone to mandatory Google login — exactly the same way Android did (and has received enormous criticism for) — and people at Google are acting like they’re surprised people are upset.
I mean it is, after all, Google’s browser and they can do whatever they want (modulo GDPR concerns). I just wish folks would acknowledge the difference.
But your comment is too cryptic even for normal times. If you disagree with something say so? If you don't understand something then say so?. But just to try to keep it short for the sake of other readers.
I guess I’m having trouble understanding how it is that 4 × 1 = 6 as per footnote .
… and again the most basic arithmetic turns out to be juuuuuust out of reach.
I was tired but can't sleep as I'm unwell again, and wanted to keep things as brief as I could.
But your comment is too cryptic even for normal times. If you disagree with something say so? If you don't understand something then say so?. But just to try to keep it short for the sake of other readers.
To try and shorten the potential for a long back and forth, I'll expand on what I said.
Most here understand four "fair dice" are dice each...
C# has received some recent attention in the security community, and the Microsoft.Workflow.Compiler.exe security issue recently identified by Matt Graber at SpecterOps prompted us to take a closer look at the potential for using this technique in real-world attacks. Firstly, we...
@ Andy -- You've basically just described the exact operation of the Stuxnet worm. And we now know for certain that state level actors are actively trying to penetrate our election systems with exactly the methods you'd expect as step 1 (phishing people on vulnerable systems peripherally connected to voting systems).
This is only my loose opinion but I believein some ways the UK is no better than the US. The only difference is the focus on the statistical average and constraints on the extremes. I surmise this is because UK dogma is more towards conserving resources than the US. The UK also plays the sweep it under the carpet routine better than the US which is more heart on sleeve.
Speaking of sweeping under the carpet more GCHQ shinanigans....
[…] the press thoroughly failed to adequately cover the decades of the Soviet work-death camps, and then doubled down on the darkness by solidly refusing to cover Aleksandr Solzhenitsyn’s account of the realities of the Gulag, when he came in exile to the west.
So one can lay he deaths of 70+ million people at the doors of this press and its policy of darkness.
I see, 70+ million people die as the result of inadequate coverage of current events.
I'm having PTSD flashbacks at the moment so not up to commenting much.
It's interesting how this police officer is up for a misconduct hearing. I have been punched and sexually harassed and slammed into a wall by police officers and seen complaints go walkies. One complaint which was prusued by the Polcie Commissioner went to the IPCC who conducted an investigation behind my back and it was no surprise the (very) senior police officer got off because the investigation did not have access to critical evidence and legal argument I could supply.