What am I missing here? I thought Assange isn't a US citizen. He also wasn't on US soil when he received, nor when he published the material. How is the US juridical system involved, then?
Download the PDF. Go to page 15 and read the implementation of the unique_service_name function. There are 7!! rash amateur code exploits in about 30 - 50 lines of code, brackets and return calls included. That means every strcpy and even every strncpy is creating an exploitable situation. That kind of rash amateurism in implementation has nothing to do with the protocol. A mind boggling stupid idiot must have written that code. The amount of stink you see in each and every line of the implementation is what makes any serious programmer speechless. A minimal amount of code review would have blocked the contribution entirely.
We should put the blame of this one on the programmer. Not on the protocol. That doesn't mean UPnP doesn't stink together with the implementation. Especially since often the guys writing reference and often-used libraries for a protocol, are also the ones who defined the protocol. So if the implementation is like that code, which it likely is, then I'm pretty sure the protocol isn't going to conform to RFC 1925.
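Added example, not part of the original comment and not the library's code: the strcpy/strncpy problem the comment describes, reduced to a constructed parser that splits a UPnP-style `uuid:...::urn:...` string into fixed-size fields, shown beside a bounds-checked form. The struct, buffer sizes and function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes and field names for this example, not the library's. */
#define UDN_MAX  64
#define TYPE_MAX 64

struct usn_parts {
    char udn[UDN_MAX];
    char service_type[TYPE_MAX];
};

/* Unsafe pattern, shown for comparison and never called here: the copy
 * length is taken from the input, not from the destination, so a long
 * field writes past udn[]; strncpy() also leaves udn[] unterminated. */
int parse_usn_unsafe(const char *usn, struct usn_parts *out)
{
    const char *sep = strstr(usn, "::");
    if (sep == NULL)
        return -1;
    strncpy(out->udn, usn, (size_t)(sep - usn)); /* bound comes from input */
    strcpy(out->service_type, sep + 2);          /* no bound at all */
    return 0;
}

/* Copy exactly len bytes if they fit with a terminator; reject otherwise. */
static int copy_field(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Hardened form: every copy is checked against the destination size. */
int parse_usn_safe(const char *usn, struct usn_parts *out)
{
    const char *sep;

    if (usn == NULL || out == NULL || (sep = strstr(usn, "::")) == NULL)
        return -1;
    if (copy_field(out->udn, sizeof out->udn, usn, (size_t)(sep - usn)) != 0)
        return -1;
    return copy_field(out->service_type, sizeof out->service_type,
                      sep + 2, strlen(sep + 2));
}

static struct usn_parts demo_out;

/* Constructed input: a well-formed name that fits both fields. */
int demo_valid(void)
{
    return parse_usn_safe(
        "uuid:device-1234::urn:schemas-upnp-org:service:Example:1", &demo_out);
}

/* Constructed input: a 200-byte first field, larger than udn[]. */
int demo_oversized(void)
{
    char usn[256];
    struct usn_parts out;

    memset(usn, 'A', 200);
    memcpy(usn + 200, "::urn:x", 8); /* 7 characters plus the terminator */
    return parse_usn_safe(usn, &out);
}

int main(void)
{
    printf("valid: %d\n", demo_valid());
    printf("udn=%s type=%s\n", demo_out.udn, demo_out.service_type);
    printf("oversized: %d\n", demo_oversized());
    return 0;
}
```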
This shows that we are still a young sector. We only have two mainstream operating systems.
For example the car industry has multiple major mainstream car brands, models and domains (sports cars, SUV, sedan, etc).
I expect even more kinds of operating systems, operating system brands and operating system principles to become mainstream.
We're still a young sector.
In the leaks you can find for almost all tools and implants that the developers of the tools provide methods to remove and also auto-remove the implant.
For example, Hive: page 4 of this https://wikileaks.org/ciav7p1/... :
is the self delete delay (in seconds). Amount of time since last successful beacon or trigger allowed to pass before self-deletion occurs. If unused, the default value is 60 days in seconds.
There is also an entire section devoted to self-delete, on page 14: 4.1 (S) Self-Delete
They are using git, have troubles with idiots who put binaries in git, know about Git-Flow (my favorite branching technique), are doing retrospectives (so Scrum sprints), are trying to do something that looks like semver.org for release numbering (although most of it is quite wrongly numbered). All in all, quite a typical software development company. Okayish in software development processes and practices. Could be better here and there.
You asked for it, Lenovo and/or Intel. This turns an incoming buffer into a function pointer and executes arbitrary incoming code:
v3 = *(VOID **)(CommunicationBuffer + 0x20);
v4 = CommunicationBuffer;
*(v3 + 0x8)(*(VOID **)v3, &dword_AD002290, CommunicationBuffer + 0x18);
That's moronic. You asked for it. Now suck it up. Apologize to the world for creating an obvious backdoor.
I'm quite sure it won't be the only one coming from Intel's headquarters. And yes, security-researchers will keep digging them up and exposing them. Forever.
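Added example, not part of the original comment and not vendor code: the defensive counterpart to the pattern quoted above, where a privileged handler receives a caller-controlled communication buffer. The message layout, command numbers and handler names are hypothetical, and this is a user-space sketch: a real SMI handler must also verify that the buffer lies outside SMRAM, which is not modelled here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message layout: the caller names a command by number and
 * never supplies an address that the handler will call. */
struct comm_msg {
    uint32_t command;
    uint32_t arg;
};

typedef int (*handler_fn)(uint32_t arg, uint32_t *result);

static int cmd_get_version(uint32_t arg, uint32_t *result)
{
    (void)arg;
    *result = 0x0100;
    return 0;
}

static int cmd_add_one(uint32_t arg, uint32_t *result)
{
    *result = arg + 1;
    return 0;
}

/* The only code the handler can reach, fixed at build time. */
static const handler_fn handlers[] = { cmd_get_version, cmd_add_one };

int dispatch(const void *buf, size_t buf_len, uint32_t *result)
{
    struct comm_msg msg;

    if (buf == NULL || result == NULL || buf_len < sizeof msg)
        return -1;                  /* too short to hold a message */
    memcpy(&msg, buf, sizeof msg);  /* snapshot once, validate the copy */
    if (msg.command >= sizeof handlers / sizeof handlers[0])
        return -2;                  /* unknown command: nothing is called */
    return handlers[msg.command](msg.arg, result);
}

/* Constructed inputs exercising the accepted and rejected paths. */
uint32_t demo_add_one(void)
{
    struct comm_msg msg = { 1, 41 };
    uint32_t result = 0;

    dispatch(&msg, sizeof msg, &result);
    return result;
}

int demo_unknown_command(void)
{
    struct comm_msg msg = { 7, 0 };
    uint32_t result = 0;

    return dispatch(&msg, sizeof msg, &result);
}

int demo_short_buffer(void)
{
    uint8_t raw[4] = { 0 };
    uint32_t result = 0;

    return dispatch(raw, sizeof raw, &result);
}

int main(void)
{
    printf("add_one(41) = %u\n", (unsigned)demo_add_one());
    printf("unknown command -> %d\n", demo_unknown_command());
    printf("short buffer -> %d\n", demo_short_buffer());
    return 0;
}
```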
Not really true. We even have a saying in Dutch: "over de schreef gaan" which comes from the "schreef" which was a wooden block the size a city or town allowed a knife to be. When you entered the city-walls you were asked to put your knives on the schreef. If your knife was larger than the schreef, then it went over the schreef. Nowadays it's a way of saying that you went too far with something.
But this "schreef" thing actually existed in the 16th century. If you go to a good museum they probably still have the wooden block of the European city you are visiting a museum of.
This means that weapon control has been regulated for hundreds of years in European cities and towns.
Well, our universe expands. Perhaps particles are being added somewhere at its edges, and to make room for the new guys we get universe-wide expansion in return. Which would or could mean that we are inside a black hole (or, that our universe is a black hole) and particles, stars and planets are swirling around it and getting sucked in from time to time.
But I don't know. I am not an astrophysicist.
I didn't minimize their accomplishments.
Fantastic. Well done.
Google employed 47,756 people in 2013, I heard that NSA employs around 40,000 people. So Google has about the same amount of 'analyst for every n Americans' as the NSA has. Both the NSA and Google operate both outside of the USA and inside of the USA. My conclusion is that I should be equally worried about the NSA as I am about Google. Besides, NSA doesn't have to play fair and (can) reuse(s) the results of Google by stealing the data.
Either way. Whatever direction it went. I consider the NSA and the GCHQ to be the same organization anyway. And it doesn't matter. What matters is that within the NATO alliance we have members that distrust the other members so much that they feel the need to spy on them. That to me means that NATO is no coordinated effort whatsoever and that NATO is utterly broken and members of it distrust each other massively. That is the world we have in 2014. Thank you UK and US. Not.
> Show me where the NSA created a secret police force in another country (repeatedly), and trained them,
You mean like how the NSA created and trained GCHQ, and tasked them with attacking targets all over Western Europe? You want an example? They attacked Belgium by breaking into Belgium's telephone operator Belgacom. It was all over the news a few months ago. And yes, breaking into national infrastructure (Belgacom is owned for > 50% by the Belgian government) at the scale the GCHQ did can easily be considered a military attack.
> orchestrated a large-scale industrial chemical disaster solely to distract from domestic problems,
Agent Orange in Vietnam.
> numerous assassinations,
Drone attacks in Iraq, Afghanistan, Pakistan.
> and routinely engaged in psychological warfare of social undesirables so extreme that its victims often committed suicide or went insane
Yep, routinely being done by US agencies.
Spy on them. Oh wait, they did this on all citizens on the planet ..
Translucent USB cables and connectors.
> Or you believe that power abides by human rights (more or less, and only when it's not convenient to forget them) because of the goodness of its heart.
This is actually more or less what Spinoza taught Western Europe in 1670.
Example English translation:
"If men’s minds were as easily controlled as their tongues, every king would sit safely on his throne, and government by compulsion would cease; for every subject would shape his life according to the intentions of his rulers, and would esteem a thing true or false, good or evil, just or unjust, in obedience to their dictates. However, no man’s mind can possibly lie wholly at the disposition of another, for no one can willingly transfer his natural right of free reason and judgment, or be compelled so to do. For this reason government which attempts to control minds is accounted tyrannical, and it is considered an abuse of sovereignty and a usurpation of the rights of subjects, to seek to prescribe what shall be accepted as true, or rejected as false, or what opinions should actuate men in their worship of God. All these questions fall within a man’s natural right, which he cannot abdicate even with his own consent."
If China's leaders want to control their country's population, they better start reading Spinoza very very very well. Power does abide by human rights. See how many regimes that don't abide by human rights have ended with their population revolting compared to how many regimes that do abide by human rights having their population fully under control since WWII and some even longer. QED.
It's by the way something the US also better starts learning. Because the way things are going now ...
I agree with this. I'm also really pissed that secret services refuse to create more transparency and do a lot of things that are not lawful (like dragnet surveillance, indiscriminate mass surveillance of ordinary law abiding citizens, economic espionage, etc).
That, however, doesn't mean that we'll have any progress by calling workers at the NSA traitors who should be killed or even heavily sanctioned. Processes should however be fixed.
I do think transparency and legality of their profession has to come back (by following the processes and requirements, and having a public debate on all this).
It's not a deal society can make to allow a surveillance police state (even if it's here already; it still doesn't make it OK for it to stay). The US can and should make legislation deals with the EU on this if the fear is that internationally laws and processes aren't worth a lot. It can make such deals even with China or Russia, and with other BRIC countries too. There is no need to have invasive non-targeted worldwide surveillance of ordinary citizens for America to be much more safe than before 9/11. Whoever in the US military and/or government who's telling you that is lying.
Right now, however, the US is showing absurd distrust in the rest of the world and actions done by your NSA are being seen in the population worldwide as military action against them. They are ordinary citizens with no intent to harm anybody in the US. But by invading their privacy so insanely massively you Americans ARE going to create a lot of nutcases for decades to come.
Stop it.
For the time being we can start by blocking all outbound UDP data on routers. Unfortunately these hw hacks call the NSA over open wifi too. So we'd have to jam wifi in buildings too ..
“The astronauts told me that when they met Nixon later he asked them, ‘The artist—he’s a Democrat?’ They said, ‘No, he’s Belgian,’ and he said, ‘OK.’
Buy Lego Technics and Mindstorms, allow your kid to take apart old electronic devices when he or she is older. Teach him or her welding so that when your kid grows older he or she can put bigger things together. By the time your kid is that old, 3D printers will be affordable. Let's make things (better).
I even wonder how opting us all in automatically is even legal in my country. I don't care about the US but I'm pretty sure that here in Belgium there are laws against this. Sorry for the Dutch article, but here is an example of it: https://nl.wikipedia.org/wiki/Portretrecht
The text recommends that Congress should end such storage [bulk telephony metadata] and transition to a system in which such metadata is held privately for the government to query when necessary for national security purposes. How will that privately held system be described? How many years do the private providers and private third parties need to keep records around and more importantly which records? Can under the recommendations of the panel an e-mail provider like Lavabit exist that keeps records in encrypted form and has a business model of destroying all records and traces on request of their customer? Under which circumstances must they surrender the customer data over to the government? Can they inform their customer about such an event?
None of these safeguards pro privacy would make legitimate surveillance of suspected wrongdoers where consequences of their actions can harm a lot of innocent civilians or government personnel any harder or impossible (I think the word terrorist is inflated to the point of being meaningless, so I refuse to use it for this purpose).
Before 9/11 we didn't have extreme amounts of such dangerous wrongdoing activity more than after 9/11, yet secret services were extremely much more careful with the privacy of innocent citizens before 9/11 than after. Is the claim that before 9/11 citizens didn't communicate (because electronic communication was less than today), and therefore the 'changing world' implies more communication so more surveillance needed and less privacy allowed? Because if that's the claim of the head of secret services to why he changed the United States into a surveillance state, my counter argument would be that it's idiotic and that being an idiot he shouldn't have such an important role in society. Then again, he offered his resignation last summer. I guess that's the least he should have done.
I'm pretty sure a lot of people consider this, me included. And this is why a lot of people are self-censoring themselves. That still some of us decide that it's worth the risk to protest here and on the street shows how important the debate is. It's btw all over the news that even the media is self-censoring themselves already. All this is a huge sign that democracy and freedom of speech are a thing of the past. I hope people who work at the NSA are proud of themselves (because a lot of them are autistic, I'll make it clear that that was cynicism).
Among the reasons why a biological virus or bacteria is or can be successful, is that it can remain undetected for long so that it has a lot of opportunity to infect other hosts with itself. Viruses or bacteria that kill the patient quickly are rarely successful. A computer virus designed to quickly destroy the US economy would similarly have to act fast (execute, destroy BIOS, reboot, etc), but this aspect of it also goes against the virus' ability to spread and infect many other systems with itself. I conclude that this is a PR stunt by the NSA. A rather silly one.
By the way. For having done exactly this we in Belgium expect the British government to pay for expenses made to clean up their secret services' illegal bricking of Belgacom's servers. The estimated cost so far is 15 million Euros. UK, please do pay up.