"What no one seemed to notice," said a colleague of mine, a philologist, "was the ever widening gap, after the 2000 Presidential election, between the government and the people. Just think how very wide this gap was to begin with, here in the United States. And it became always wider. You know, it doesn’t make people close to their government to be told that this is a people’s government, a true democracy, or to be enrolled in civilian defense, or even to vote. All this has little, really nothing, to do with knowing one is governing.
"What happened here was the gradual habituation of the people, little by little, to being governed by surprise; to receiving decisions deliberated in secret; to believing that the situation was so complicated that the government had to act on information which the people could not understand, or so dangerous that, even if the people could not understand it, it could not be released because of national security. And their sense of identification with the President, their trust in him, made it easier to widen this gap and reassured those who would otherwise have worried about it.
"This separation of government from people, this widening of the gap, took place so gradually and so insensibly, each step disguised (perhaps not even intentionally) as a temporary emergency measure or associated with true patriotic allegiance or with real social purposes. And all the crises and reforms (real reforms, too) so occupied the people that they did not see the slow motion underneath, of the whole process of government growing remoter and remoter.
"The dictatorship, and the whole process of its coming into being, was above all diverting. It provided an excuse not to think for people who did not want to think anyway. I do not speak of your ‘little men,’ your baker and so on; I speak of my colleagues and myself, learned men, mind you. Most of us did not want to think about fundamental things and never had. There was no need to. Super-power status gave us some dreadful, fundamental things to think about -- we were decent people -- and kept us so busy with continuous changes and ‘crises’ and so fascinated, yes, fascinated, by the machinations of the ‘national enemies,’ without and within, that we had no time to think about these dreadful things that were growing, little by little, all around us. Unconsciously, I suppose, we were grateful. Who wants to think?
"To live in this process is absolutely not to be able to notice it -- please try to believe me -- unless one has a much greater degree of political awareness, acuity, than most of us had ever had occasion to develop. Each step was so small, so inconsequential, so well explained or, on occasion, ‘regretted,’ that, unless one were detached from the whole process from the beginning, unless one understood what the whole thing was in principle, what all these ‘little measures’ that no ‘patriotic American’ could resent must some day lead to, one no more saw it developing from day to day than a farmer in his field sees the corn growing. One day it is over his head."
http://www.press.uchicago.edu/Misc/Chicago/511928.html
...censors actually permit 'vitriolic criticism' of China's leaders and governmental policies but the censors crack down heavily on any move to get people physically mobilized to act on such criticism.
So. Am I to conclude from this observation that China has enacted the same essential policy as the United States of America?
The "Big Brother" societies have discovered that a "Free Press" can be managed to function as bread and circuses once did. This is the dictum: "You are free to say whatever you like, provided that you act within the proscribed boundary."
Now is the time to sing "Barrett Brown's Body".
Thanks. It definitely goes on my reference shelf. Leisure reading, when time again permits. ;-)
Well,
NSA is USGov, and USGov is property of highest bidder.
That's not ever going to be in YOUR interest.
Secret security courts are themselves, illegal.
Fact on the ground? Yes. But? You cannot vote simple laws to violate Constitutional violation. That requires the Amendment process. Yes. This extends to Congress delegating their powers of coinage and exercise of war. Not legally possible without Amendment.
It is a misunderstanding.
You are freer in getting them fixed. You usually - not always - find them in derived objects, deployed as intended.
Example of vector, not to be taken as literal example of one real threat.
It is not easy to discover vulnerabilities through code examination.
The easy to discover problems are picked up by source management tools, LINTs and things.
Functional vulnerability in derived object code is less work-intensive, and generally returns richer results versus man-hours of investment.
Pen geniuses still "fuzz" binaries, rather than trawl millions of lines of code.
Think about how Android vulnerabilities are discovered, by Blackhat Briefing presenters. They don't usually delve into the monolithic available sources. Many vulns only make themselves evident, when combined with microcode on devices or in combination with radio stacks, etc.
Code is used to confirm findings. Sometimes. ;-)
I like it.
And, I like your virtualization strategy for post-facto security. Wrap the devil in the Matrix. As long as you are sure that you own the Matrix. :-)
Yes. The reality of his concrete example is not a necessary condition for illustrating this vulnerability.
Bingo.
How many Intel or nVidia employees... How many Broadcom or Qualcomm employees need to be placed by NSA, into their otherwise ordinary engineering jobs?
How many Mossad associated employees? Whoops. I guess that's anti-Semitic. I'd have to ask how many PLA planted engineers, as there's no recognized anti-Sinoism. ;-)
Moral
The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.
http://cm.bell-labs.com/who/ken/trust.html
You can not add security, later.
In Unix systems, there’s a program named “login”. login is the code that takes your username and password, verifies that the password you gave is the correct one for the username you gave, and if so, logs you in to the system.
For debugging purposes, Thompson put a back-door into “login”. The way he did it was by modifying the C compiler. He took the code pattern for password verification, and embedded it into the C compiler, so that when it saw that pattern, it would actually generate code that accepted either the correct password for the username, or Thompson’s special debugging password. In pseudo-Python:
    def compile(code):
        if (looksLikeLoginCode(code)):
            generateLoginWithBackDoor()
        else:
            compileNormally(code)
With that in the C compiler, any time that anyone compiles login, the code generated by the compiler will include Ritchie’s back door.
Now comes the really clever part. Obviously, if anyone saw code like what’s in that example, they’d throw a fit. That’s insanely insecure, and any manager who saw that would immediately demand that it be removed. So, how can you keep the back door, but get rid of the danger of someone noticing it in the source code for the C compiler? You hack the C compiler itself:
    def compile(code):
        if (looksLikeLoginCode(code)):
            generateLoginWithBackDoor(code)
        elif (looksLikeCompilerCode(code)):
            generateCompilerWithBackDoorDetection(code)
        else:
            compileNormally(code)
What happens here is that you modify the C compiler code so that when it compiles itself, it inserts the back-door code. So now when the C compiler compiles login, it will insert the back door code; and when it compiles the C compiler, it will insert the code that inserts the code into both login and the C compiler.
Now, you compile the C compiler with itself – getting a C compiler that includes the back-door generation code explicitly. Then you delete the back-door code from the C compiler source. But it’s in the binary. So when you use that binary to produce a new version of the compiler from the source, it will insert the back-door code into the new version.
So you’ve now got a C compiler that inserts back-door code when it compiles itself – and that code appears nowhere in the source code of the compiler. It did exist in the code at one point – but then it got deleted. But because the C compiler is written in C, and always compiled with itself, that means that each successive new version of the C compiler will pass along the back-door – and it will continue to appear in both login and in the C compiler, without any trace in the source code of either.
http://scienceblogs.com/goodmath/2007/04/15/strange-loops-dennis-ritchie-a/
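The mechanism quoted above, together with one known check against it (diverse double-compiling, described by David A. Wheeler and not mentioned in the comment or the quoted article), as an added toy model that is not part of the original thread. Binaries are modelled as strings, and every name, marker and source string is constructed; the check assumes deterministic builds and a second compiler that does not carry the same patch.

```python
import hashlib
import re

# Constructed markers standing in for injected machine code (toy model only).
LOGIN_PATCH = "<accept-debug-password>"
SELF_PATCH = "<reinsert-both-patches>"

# Constructed, clean sources: neither patch appears anywhere in them.
COMPILER_SRC = "kind=compiler;emit=A;translate source to binary"
TRUSTED_SRC = "kind=compiler;emit=B;independent implementation"
LOGIN_SRC = "kind=login;check user and password"

# Binaries are modelled as strings: BIN<by=STYLE>[SOURCE] plus any injected patch.
CLEAN_BIN = f"BIN<by=A>[{COMPILER_SRC}]"
TROJANED_BIN = CLEAN_BIN + SELF_PATCH      # built once from source since deleted
TRUSTED_BIN = f"BIN<by=vendor>[{TRUSTED_SRC}]"


def run_compiler(compiler_bin: str, source: str) -> str:
    """Run a compiler binary on a source text and return the output binary."""
    # Code generation style comes from the source the compiler was built from,
    # not from whichever compiler happened to build it.
    style = re.search(r"emit=(\w+)", compiler_bin).group(1)
    out = f"BIN<by={style}>[{source}]"
    if SELF_PATCH in compiler_bin:          # behaviour present only in the binary
        if "kind=login" in source:
            out += LOGIN_PATCH
        elif "kind=compiler" in source:
            out += SELF_PATCH
    return out


def self_rebuild(compiler_bin: str, generations: int) -> list[str]:
    """Rebuild the compiler from clean source with itself, N times over."""
    history = []
    for _ in range(generations):
        compiler_bin = run_compiler(compiler_bin, COMPILER_SRC)
        history.append(compiler_bin)
    return history


def digest(binary: str) -> str:
    return hashlib.sha256(binary.encode()).hexdigest()


def ddc_check(suspect_bin: str, compiler_src: str, trusted_bin: str) -> bool:
    """True if suspect_bin matches compiler_src built twice from the trusted compiler."""
    stage1 = run_compiler(trusted_bin, compiler_src)   # same logic, foreign codegen
    stage2 = run_compiler(stage1, compiler_src)        # should equal a clean self-build
    return digest(stage2) == digest(suspect_bin)


if __name__ == "__main__":
    latest = self_rebuild(TROJANED_BIN, 3)[-1]
    print("patch survives rebuilds:", SELF_PATCH in latest)
    print("login patched:", LOGIN_PATCH in run_compiler(latest, LOGIN_SRC))
    print("DDC accepts clean binary:", ddc_check(CLEAN_BIN, COMPILER_SRC, TRUSTED_BIN))
    print("DDC accepts trojaned binary:", ddc_check(TROJANED_BIN, COMPILER_SRC, TRUSTED_BIN))
```

The stage-1 binary differs from a self-built one because another compiler generated it; only the stage-2 output is compared byte for byte with the binary under test.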
Where do I sign up for THIS new Trojan horse?
Have fun, when the SWAT team comes. :-)
NSA.
Amerika's blackmail clearinghouse.
They are already deliberately violating the law, with impunity. They compromise your security at every step. Adding un-encrypted metadata to your traffic will only:
1 - ID you for possible actions by later custodians of this information
2 - Acknowledge your silent submission to the fact of universal collection as a normative state
3 - Divert efforts from real crypto-countermeasures
People need not to give NSA their complicity and assent, but to resist, and applaud every time somebody manages to FUCK UP their mission.
If voting could change anything, it would be outlawed.
As it is, they just want the numbers to look good enough, to get away with what they want.
That's why they keep so many in jail - and out of the polls.
Somebody's knockin' at the door.
Somebody's ringin' the bell.
Do me a favour...
Don't believe they are infallible and omnipotent. Their arrogance and resource dominance are their weakness.
Also: remember they hired Snowden. They can be defeated in their illegal, unethical and immoral mission, if you yourself, are undefeated in your own moral and ethical standing.
When you can use computers, to generate noise, and cryptographically obscure the noise/signal distinction, as well as the signal pattern - then you make this "entire job" the focus of your attack.
The BEST thing to happen to Tor, could be the Botnet they are trying to shut down. What a lot of traffic to hide in - and what a piss gulp to sift for sigint.
We don't just want to conduct ourselves privately.
We want to actively disrupt the engine of oppression, by jamming a spanner in the works. Every "little man", with a private act of ambiguous disobedience is a small victory, which will ruin the plans of the arrogant and unprincipled "authority".
Don't just use Tor and I2P for meaningful data transfer. Send blocks of useless, misleading crap - that are expensive to examine. Frequently.
Name them things like "SCADA" and "VulnAssess". ;-)
Then? Include the text of "Alice's Restaurant" steganographically embedded in the payload.
Exactly. You detail and amplify the support for my thesis with rigorous logical reasoning and a thorough grasp of the fundamental risks and issues.
Other Guardian link by Schneier in reply to my post. It has elliptic curve-ball in it.