Tuesday, February 24, 2015

[tt] (c-punks) [qubes-users] Persistent firmware backdoors possible across major hard drive brands (fwd)

----- Forwarded message from Eugen Leitl <eugen@leitl.org> -----

Date: Tue, 17 Feb 2015 16:11:14 +0100
From: Eugen Leitl <eugen@leitl.org>
To: cypherpunks@cpunks.org
Subject: [qubes-users] Persistent firmware backdoors possible across major hard
drive brands

----- Forwarded message from Axon <axon@openmailbox.org> -----

Date: Tue, 17 Feb 2015 14:44:30 +0000
From: Axon <axon@openmailbox.org>
To: "qubes-users@googlegroups.com" <qubes-users@googlegroups.com>
Subject: [qubes-users] Persistent firmware backdoors possible across major hard drive brands
Message-ID: <54E353CE.7040202@openmailbox.org>


On 2015-02-16, Kaspersky Lab announced[1]:
> GReAT has been able to recover two modules which allow
> reprogramming of the hard drive firmware of more than a dozen of
> the popular HDD brands. This is perhaps the most powerful tool in
> the Equation group's arsenal and the first known malware capable of
> infecting the hard drives.
> By reprogramming the hard drive firmware (i.e. rewriting the hard
> drive's operating system), the group achieves two purposes:
> 1. An extreme level of persistence that helps to survive disk
> formatting and OS reinstallation. If the malware gets into the
> firmware, it is available to "resurrect" itself forever. It may
> prevent the deletion of a certain disk sector or substitute it with
> a malicious one during system boot. "Another dangerous thing is
> that once the hard drive gets infected with this malicious payload,
> it is impossible to scan its firmware. To put it simply: for most
> hard drives there are functions to write into the hardware firmware
> area, but there are no functions to read it back. It means that we
> are practically blind, and cannot detect hard drives that have
> been infected by this malware" warns Costin Raiu, Director of the
> Global Research and Analysis Team at Kaspersky Lab.
> 2. The ability to create an invisible, persistent area hidden
> inside the hard drive. It is used to save exfiltrated information
> which can be later retrieved by the attackers. Also, in some cases
> it may help the group to crack the encryption: "Taking into account
> the fact that their GrayFish implant is active from the very boot
> of the system, they have the ability to capture the encryption
> password and save it into this hidden area," explains Costin Raiu.

Affected HDD brands include[2] (but are probably not limited to):
* Western Digital
* Maxtor
* Seagate
* Hitachi
* Micron
* Corsair
* Mushkin
* Samsung
* Toshiba

This is bad news for everyone, including Qubes users, since there's
nothing we can really do at the OS/software level to protect ourselves
from this kind of persistent HDD firmware infection (or compromised
firmware and hardware in general). Measures like AEM don't help if the
drives are already infected before we even purchase them. If we want
freedom and safety in the future, our best bet is probably to
(continue to) push for open-source firmware and hardware.



To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/54E353CE.7040202%40openmailbox.org.

----- End forwarded message -----

----- End forwarded message -----
tt mailing list

Monday, February 23, 2015

[tt] [Cryptography] Information. it's the real thing

It is always important to think about the /information/
carried by our messages. This includes the information
available to the intended recipient, as well as the info
available to the adversaries. This is relevant to what
John Young wrote on 02/16/2015 10:34 AM:
> "The very encryption used to secure transports is used to hide data
> exfiltration."
... and relevant to a lot of other recent discussions,
and to crypto and security in general.

Information. It's the real thing.

Regrettably, in dozens upon dozens of messages recently,
people have tossed around phrases like "indistinguishable
from random" (I-F-R).

Although I-F-R is "close" to the right idea, it is not
exactly the criterion we should be using. To my astonishment,
on 01/21/2015 09:17 PM, Jerry Leichter contradicted me on
this point:

>> the first thing you need to get anywhere in formalization is precise
>> definitions.

>> A common strong definition of semantic security says [....]

The nice thing about formal definitions is that there
are so many to choose from. Anyone is free to define
terms however they like, but the result is a choice,
not a law of nature. There is no guarantee that the
results will apply to the real world. Cryptology lives
within the intersection of fancy math *and* down-to-earth
engineering. You need both.

I choose to formalize many things in terms of information.
Often it is appropriate to exclude information that would
be computationally infeasible to obtain.

I do not choose the I-F-R criterion, because it is not
viable in the real world, and I can prove it. An example
suffices to make the point:

_Message Length_ is one of the many things that can be
used as a covert channel. It has been used this way
for a long time. It has been used by both teams, i.e.
when the sender wants it to be used that way (for
exfiltration) and when the sender doesn't (but the
opponent uses it anyway).

So .... does anybody really think that the message length
needs to be indistinguishable from random? If so, we are
in big trouble, because message length could be anything
from zero on up, and there does not exist any uniform
random distribution on such a range. The formal laws of
probability forbid it. This is an example of what formality
can do for you. Sometimes it tells you that your formalism
is broken.

In the real world, people sometimes do send traffic that
resists traffic analysis. One option is to send a lot
of messages, all with the same length. Consider for
example ATM cells. Many trillions of them are sent, all
with the same size. You will not have much luck traffic-
analyzing those lengths! Arguably the first one told
you something, namely the length, but it didn't tell you
anything you didn't already know, given that it was an
ATM cell to begin with. Even if you didn't know a_priori
that it was an ATM cell, after a while the leakage (on a
per-message basis) goes asymptotically to zero anyway.
As long as the traffic is indistinguishable from business-
as-usual, then nobody gains any information from it.

There is an extensive literature on this, including
contributions from guys like Shannon, Kullback, and
Leibler, who were not exactly clueless about crypto.
If you think your formal methods are better than theirs,
that's an extraordinary claim, and will require some
extraordinary proof. My suggestion: if you want to
formalize something, in all likelihood your time would
be well spent formulating it in terms of information
gain and things like that, rather than some notion of
"indistinguishable from random" ... which is no more
formal, and a lot less viable in the real world.


Speaking of cover traffic: If you look at the header
of this message, you will probably find a field called
"Quilt" which contains 64 symbols that could convey
6 bits apiece, for a total of 384 bits. All of my
outgoing mail has had such a header for a while now.
Maybe it's just random cover traffic ... or maybe it
is a cleverly-encoded message. By sending such fields,
I create a forest. That's a good place to hide a tree,
if I ever need to.

If you are wondering about the name: There is such a
thing as a crazy quilt, in contrast to a patterned
The cryptography mailing list
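
The message above argues that the useful measure is the information an observer gains, and that fixed-size cells drive the gain from message length toward zero. The following is an added example, not part of the forwarded message; the traffic sample, the message kinds and the three observer models are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

CELL = 48  # payload bytes per fixed-size cell (the ATM cell payload size)

# Constructed sample traffic: (message kind, plaintext length in bytes).
SAMPLE = [
    ("keepalive", 16), ("keepalive", 16), ("keepalive", 16), ("keepalive", 16),
    ("login", 40), ("login", 44), ("login", 120), ("login", 131),
    ("file", 900), ("file", 950), ("file", 1400), ("file", 2210),
]


def raw_length(n):
    """Observer sees the exact ciphertext length (no padding)."""
    return n


def cell_count(n):
    """Observer sees how many fixed-size cells one message occupied."""
    return max(1, math.ceil(n / CELL))


def constant_stream(n):
    """Cells flow at a constant rate with idle cells filling the gaps,
    so every observation looks the same: one more cell of CELL bytes."""
    return CELL


def information_gain_bits(samples, observe):
    """Expected Kullback-Leibler divergence of P(kind | observation) from
    the prior P(kind), in bits. This is the mutual information between
    the message kind and what the observer can see."""
    total = len(samples)
    prior = Counter(kind for kind, _ in samples)
    by_obs = defaultdict(Counter)
    for kind, length in samples:
        by_obs[observe(length)][kind] += 1

    gain = 0.0
    for kinds in by_obs.values():
        n_obs = sum(kinds.values())
        for kind, count in kinds.items():
            posterior = count / n_obs
            p_kind = prior[kind] / total
            gain += (n_obs / total) * posterior * math.log2(posterior / p_kind)
    return gain


def compare(samples=SAMPLE):
    """Leakage in bits per message under each observer model."""
    return {
        "raw length": information_gain_bits(samples, raw_length),
        "cell count": information_gain_bits(samples, cell_count),
        "constant cell stream": information_gain_bits(samples, constant_stream),
    }


if __name__ == "__main__":
    for model, bits in compare().items():
        print(f"{model:22s} {bits:.3f} bits/message")
```

Padding each message to a whole number of cells only lowers the leak where kinds share a cell count; the gain reaches zero only when the cell stream itself is indistinguishable from business as usual.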

[tt] [SALT] Practical geoengineering (David Keith talk)

----- Forwarded message from Stewart Brand <sb@longnow.org> -----

Date: Sun, 22 Feb 2015 14:35:04 -0800
From: Stewart Brand <sb@longnow.org>
To: SALT list <salt@list.longnow.org>
Subject: [SALT] Practical geoengineering (David Keith talk)
Message-Id: <713A2561-C6A7-489A-A719-6FA4B2002478@longnow.org>
X-Mailer: Apple Mail (2.2070.6)
Reply-To: services@longnow.org

"Temporary, moderate, and responsive" should be the guidelines of responsible geoengineering, in David Keith's view. For slowing global warming, and giving humanity time to bring greenhouse gas emissions down to zero (and eventually past zero with carbon capture), he favors the form of "solar radiation management" that reflects sunlight the way volcanoes occasionally do—with sulfate particles in the stratosphere.

The common worry about geoengineering is that because it is so cheap ($1 billion a year) and easy, civilization would become "addicted" and have to continue it forever, while giving up on the expensive and difficult process of reducing greenhouse gas emissions, thus making the long-term problem far worse. Keith's solution is to design the geoengineering program as temporary from start to finish. "Temporary" means shut it down by 2200. (Keith also likes the term "patient" for this approach.)

By "moderate" he means there is no attempt to completely offset the warming caused by us, but just cut the rate of climate change in half. That would give the highest benefit at lowest risk—minimal harmful effect on ozone and rainfall patterns, and the fewest unwelcome surprises, while providing enough time (and plenty of incentive) for societies to manage their carbon dioxide mitigation and orderly adaptation. Geoengineering's leverage is very high—one gram of particles in the stratosphere prevents the warming caused by a ton of carbon dioxide.

"Responsive" means careful, gradual, and closely monitored, with the expectation there will be many adjustments along the way, along with the ability to back off entirely if needed. Though climate-change models keep improving, we still do not completely understand how climate works, and that raises the very good question: "How do you engineer a system whose behavior you don't understand?" Keith's answer is "feedback. We engineer and control many chaotic systems, such as high-performance aircraft, through precise feedback." The same goes for governance of geoengineering. It is a complex system that will require sophisticated control by a global set of governing bodies, but we already do that for the far more complex system of global finance.

Keith's specific program would begin with balloon tests in the lower stratosphere (8 miles up) releasing just 100 grams of sulfuric acid—about the amount of particles in a few minutes of normal jet contrail. "If those studies confirm safety and effectiveness," Keith said, "then we could begin gradual deployment as early as 2020 with three business jets re-engineered for high altitude. By 2030 you could have about ten aircraft delivering a quarter million tons of sulfur per year at a cost of $700 million."

The amount of sulfur being released might be up to a million tons by 2070, but that would still be only one-eighth of what went into the stratosphere from the Mt. Pinatubo volcanic eruption in 1991, and one-fiftieth of what enters the lower atmosphere from our current burning of fossil fuels. By then we may have developed more sophisticated particles than sulfate. It could be diamond dust, or alumina, or even something like a nanoscale "photophoretic" particle designed by Keith that would levitate itself above the stratosphere.

This is no quick fix. It is not quick, and it doesn't try to be a complete fix. It has to be matched with total reduction of greenhouse gas emissions to zero and with effective capture of carbon, because the overload of carbon dioxide already in the atmosphere will stay there for a very long time unless removed. Keith asked, "Is it plausible that we will not figure out how to pull, say, five gigatons of carbon per year out of the air by 2075? I don't buy it."

Keith ended by proposing that the goal should not be just 350 parts per million (ppm) of carbon dioxide in the atmosphere. (It's rising past 400 ppm now.) We can shoot for the pre-industrial level of the 1770s. Take carbon dioxide down to 270 ppm.

—Stewart Brand sb@longnow.org


----- End forwarded message -----

Saturday, February 21, 2015

[tt] (c-punks) Re: Hackers can’t solve Surveillance (fwd)

----- Forwarded message from Lodewijk andré de la porte <l@odewijk.nl> -----

Date: Fri, 13 Feb 2015 19:43:02 +0000
From: Lodewijk andré de la porte <l@odewijk.nl>
To: stef <X@XXXXX.XX>, cypherpunks <cypherpunks@cpunks.org>
Subject: Re: Hackers can't solve Surveillance

The fun began with the implication that healthcare for everyone is a
must. Good healthcare means not dying in good health. Assuming mental
health (too tricky to deal with for this argument) that leaves people
that wish to die in a precarious position. And what do with so many

That might seem a strange argument, but it is not at all. Healthcare
is yet imperfect because it's damn hard and expensive. Less
surveillance is easier, not harder.

The problem is that the general public WANTS surveillance. They want
to give away their liberties for the safety it may bring them. Marx
had a huge audience. I do not believe the hackers do.

"Solving" surveillance for me means aligning it with justice, dignity,
freedom and most significantly, tyranny prevention. With the cost of
surveillance only going down we must consider the endgame. The endgame
is full and continuous surveillance. It is inevitable as long as more
surveillance has any advantage. I am not yet sure how to deal with
this properly, and think it a political question.

As for claiming your own privacy: we're far behind in the game for
reasons beyond me. Most likely some modern variant of imperialism,
where money is stolen from the weak and thrown at surveillance (see
also the American budget for the department of unconstitutionality).

To compare these issues with healthcare is meaningless. Although the
conclusion is correct. If there is not far more effort (=money)
expanded on feature-and-convenience parity for privacy-protecting
solutions; we're all royally fucked.

And no violent revolution will beat back the drone armies that are already
in flight. The time that a revolution was feasible was already ending
when the founding fathers decreed Americans must bear arms in
militias. Without similar class weaponry there is no chance,
regardless of combatant quantity. The assault rifle cannot match the
helicopter, the APC, the drone, and is not readily available
either. The people's organization (intelligence and command and
control infrastructure) will never again match that of the army. There
will be no more violent revolutions. That is over now.

So, if everyone would be so kind as to think of what to do about a
world steepled in dysfunctional markets ... Well that would probably
solve the privacy thing as well. We'd know to buy safe. And we'd spend
a lot more on healthcare, too, I'm sure. But perhaps before everyone
lived indefinitely, we should fix democracy, or adopt whatever *cracy
does work. Although, who's first to shoot me when I suggest no person
knows what's best even for himself, or should be left the freedom to
make the wrong choice? Besides, isn't government merely a product on a
less free market?

P.S.: I take back everything I stated in this rant. It's the only way
anyone could make a statement nowadays ;)

----- End forwarded message -----

Friday, February 20, 2015

[tt] (lem-l) Pirx's loony dip in Canada (fwd)

----- Forwarded message from Vadim Bulitko <bulitko@gmail.com> -----

Date: Mon, 9 Feb 2015 09:45:23 -0700
From: Vadim Bulitko <bulitko@gmail.com>
To: S-Lem <lem-l@lists.rpi.edu>
Subject: Pirx's loony dip in Canada

Hi everyone,

Remember Pirx setting a record in a sensory deprivation test when he
was floating in warm salt water for hours? That was the "loony dip" in
"The Conditioned Reflex".

Here is a real-life version, it seems:


Perhaps it is good that they limit the time to 90 minutes? :)


----- End forwarded message -----

[tt] [NSG-d] Non-human rights

----- Forwarded message from Dave Lindbergh <lindbergh@92f1.com> -----

Date: Thu, 19 Feb 2015 17:57:17 -0500
From: Dave Lindbergh <lindbergh@92f1.com>
To: Nanotechnology Study Group - open discussion <nsg-d@marshome.org>
Subject: [NSG-d] Non-human rights
Message-ID: <CAE6LUK_BW+TKNG=RyQzFzvP1AvkGLnrsw=cEUdPE1T=fRU0vPg@mail.gmail.com>
Reply-To: Nanotechnology Study Group - open discussion <nsg-d@marshome.org>

Here's a link to an article about the court case I mentioned on Tuesday:


The plaintiffs asked the appeals court to grant habeas corpus (the right to
dispute its imprisonment) to a chimpanzee. They lost.

The summary of the court's reasoning is this:

> Instead they rejected Wise's argument that legal rights arise from an
> abiding respect for individual liberty and self-determination. Rather, said
> the court, rights are contingent upon responsibility. If a chimp can't be
> expected to fulfill his social duties, neither can he have rights.

> "Unlike human beings, chimpanzees cannot bear any legal duties, submit to
> societal responsibilities or be held legally accountable for their
> actions," wrote the judges.

> "In our view, it is this incapability to bear any legal responsibilities
> and societal duties that renders it inappropriate to confer upon
> chimpanzees the legal rights—such as the fundamental right to liberty
> protected by the writ of habeas corpus—that have been afforded to human
> beings," they concluded.

I thought it was a well-reasoned decision, something that can be
applied to "uplifted" animals, AIs, aliens, etc., with a hope of getting a
reasonable result.

When a criminal violates the rights of other people, we put him in prison -
taking away his rights, because he failed to live up to his responsibility.

Children have less rights than adults (they can't drive, can't vote, can't
enter into contracts, etc.) - because they're unable to fulfill the same
responsibilities as adults.

It seems to me that rights are indeed contingent on responsibilities - they
are two sides of the same coin.

If there were a chimp (or other animal, or computer, or alien) who could
speak or write, and understand language, and who can undertake and fulfill
the responsibilities of an adult person (obey the law, respect the rights
of others, etc.), then they would have the same rights as people. As I
think they should.

(And, just because animals aren't people, and don't have "rights", doesn't
mean we can't be kind to them, or have laws that protect them.)



----- End forwarded message -----

Thursday, February 19, 2015

[tt] (cybcom) Re: What humans can learn from semi-intelligent slime (fwd)

----- Forwarded message from Bernard Cohen <b.cohen@CITY.AC.UK> -----

Date: Sun, 8 Feb 2015 21:50:44 +0000
From: Bernard Cohen <b.cohen@CITY.AC.UK>
Subject: Re: What humans can learn from semi-intelligent slime

Adleman did it with DNA.

On 8 February 2015 at 02:26, Nick Green <nick_green@blueyonder.co.uk> wrote:

> Slime mold solves Travelling Salesman Problem, well soap film bubbles
> can do that too ( and much quicker-slideshow here:
> http://www.powershow.com/view/dc2d2-NjJhZ/Approaching_PNP_Can_Soap_Bubbles_Solve_The_Steiner_Tree_Problem_In_Polynomial_Time_powerpoint_ppt_presentation).
> So why can't we build computers like that?
> There might be something in this cybernetics where forces meet bits
> stuff after all. :-)
> How intelligent is inorganic matter?
> Best
> N.
> On 06/02/2015 10:56, Oliver Bandel wrote:
>> Hi,
>> Biology, Rathm, Computation....
>> ...Slime...
>> What humans can learn from semi-intelligent slime
>> http://www.ted.com/talks/heather_barnett_what_humans_can_learn_from_semi_intelligent_slime_1
>> Ciao,
>> Oliver

Professor Emeritus
City University London
'Patterns lively of the things rehearsed' John Dee

----- End forwarded message -----