The Market Ticker
Commentary on The Capital Markets- Category [Technology]
2014-12-18 06:15 by Karl Denninger
in Technology , 127 references

I have to laugh...

So desperate to stand out in a sea of phablets, BlackBerry went wide with the Passport -- too wide. The Passport sports a very heavy and awkward square design that's pretty much impossible to use with one hand. And while the keyboard is big and cushy, it's simply not worth the trade-off to carry a tank in your pocket. Add in buggy performance and a camera that takes its sweet time focusing and it’s easy to see why I called this device the New Coke of smartphones. The newer BlackBerry Classic, with its more traditional design, looks more satisfying for CrackBerry addicts.

So let me see if I get this right.

A device is a flop if it sells out repeatedly and the company that makes it cannot deliver for a couple of weeks at a time.  That is, unless it's Apple, in which case it's a good thing.  If it's BlackBerry it's a bad thing.

Oh, and as "not worth the trade-off", uh, I disagree, having had to wait for a restock to get one in my hands.  Hands-down it's the nicest smartphone I've ever had, for the first time living up to the promise of reducing the amount of time I spend on various tasks instead of simply tempting me to play Angry Birds Seasons.

As for the Classic, I suspect that's going to be a big hit too; announced yesterday right on schedule.  And speaking of schedule, that's one thing Chen is doing as their CEO since he took over -- he's putting up targets and then hitting them.

We'll see if that continues on Friday with earnings.

I suspect it will.

View this entry with comments (registration required to post)

For all the crap in the world today there occasionally is a reason to smile.

The Navy's 30-kilowatt solid-state laser aboard the USS Ponce is now being fired in operational scenarios by sailors in the Persian Gulf, marking the first-ever deployment of a sea-based directed energy weapon.

"We've tested it in the lab we've tested it operationally at sea. Now, we are not testing it anymore. This is operational," said Rear Adm. Matthew L. Klunder, chief of naval research at the Office of Naval Research. "They are using it every day."

This is a particularly-cool weapon for a couple of reasons, with one of the foremost ones being the cost per-use -- it's about a dollar.

Yes, I know, it expensive to make.  That's ok.  Missiles are expensive to make too and can only be used once; when fired that money is gone, burned up and forever expended.  The laser, on the other hand, will eventually wear out but in the meantime it's cheap on a per-use basis and the cost of producing them will probably come down a great deal as the number of them made goes up.

They also have the advantage of operating at the speed of light, so once targeted you're basically fooked -- there's no evasion possible once a firing decision is made on a locked target.

There may be a few effective (ablative or highly reflective?) countermeasures that potential targets can take against such a weapon but those likely make you very visible, and that's not so good for you either if you're intending an attack.

I like it a lot.

View this entry with comments (registration required to post)

This is why you want to build something that you cannot break "on command" by anyone.

In both cases, the seized phones—one of which is an iPhone 5S—are encrypted and cannot be cracked by federal authorities. Prosecutors have now invoked the All Writs Act, an 18th-century federal law that simply allows courts to issue a writ, or order, which compels a person or company to do something.

Some legal experts are concerned that these rarely made public examples of the lengths the government is willing to go in defeating encrypted phones raise new questions as to how far the government can compel a private company to aid a criminal investigation.

New examples?

Never seen a subpoena you can't disclose and must comply with, have you?

Well, I have.  And if you recall a few years ago right here, on The Ticker, there was a huge hue and cry from "users" who got all bent out of shape when I made very clear that were I to be served such a set of papers I would comply with the demands made, and further, I would expect said user that caused me to incur said cost to pay for the cost(s) of compliance and/or harm done to me.

In my opinion that's entirely reasonable.  After all but for your actions and inaction in putting a stop to this sort of **** in the first place I wouldn't have had that cost (including quite possibly a very material cost of legal defense) thrown upon me.

This policy was not new, by the way -- it was just better-explained at the time.  It was the same position I took when I ran MCSNet, for the same reason.

I didn't sign up to be your whipping boy upon which you can offload the costs of your actions upon, nor your inactions in allowing a government to exist that pulls this sort of thing.

But in this case the point is that Apple (and Google, maybe) are changing their software so they cannot get back in if you encrypt a device. That solves the problem because no court or law and compel you to do an impossible thing.

Incidentally, BlackBerry is in that category too, and you just got a bonus in this regard with them as Germany required the company to guarantee it would not build in back door means of decryption for any government, including theirs and the United States, as a condition of approving a recent German acquisition.

View this entry with comments (registration required to post)

An update to my post on the bust of Silk Road 2, because there apparently are some folks who read my article and recently emailed me trying to claim that there's some magical incantation that I didn't know about (and was attempting to pin the entire thing on an unencrypted laptop.)

Since it's a slow news day and I'm bored let me respond to the handful of emails I received over the last few weeks on this topic:  If you're too stupid to read for content you definitely shouldn't be doing drug deals (or anything else illegal) on the Internet.  You will get caught.

As for how Forbes had an interesting article on it at the time that I didn't cite for a simple reason -- I wrote about this attack vector back in May of 2013 based on my own work over the previous several years including an examination of the code itself.  This is what I said at the time (yes, the link is aged off and you can't read the whole article, so I won't bother linking it):

Tor.  Tor is a package comprising what is known as the "Onion Router" that encrypts traffic and routes it through multiple computers all over the globe, and is used for web surfing.  It sounds good, but there are risks associated with it.  

First, because of the multiple encryption steps (one for each "hop" the traffic takes) it materially slows down your browsing.  In addition in order to actually conceal who you are it is absolutely necessary that you not sign into a web site or otherwise transmit a set of credentials.  Next, you are trusting strangers, some of who may not be trustworthy.  In particular if there is a "strategic" compromise of nodes on the Tor network you could find yourself being monitored anyway while believing you're "safe." This is a fairly significant risk if you're worried about governments; if you're worried about common cybercriminals, not so much.  Because the network (by natural process) routes the most traffic through the highest bandwidth nodes and bandwidth costs money (and thus there aren't very many high-bandwidth nodes) the number of actual nodes that have to be compromised before the odds are your traffic is no longer secure is relatively low.

In short Tor might be useful but it is not a panacea.  If you're trying to hide from the owner of a web site who is not savvy to what you're up to it will probably work.  If you're trying to hide from a government and it's a backwoods tin-pot dictator, you might be successful.  If you're trying to hide from the NSA, good luck.

Read that second paragraph very, very carefully.

As if that wasn't enough a few months later we knew that this attack vector not only worked but was actively exploited; I wrote about that on 9-12-2013 as well when a kiddie porn ring apparently got nailed through exactly this sort of attack.

Obviously Mr. Silk Road 2 didn't read either of those articles or he didn't understand the implications of them.  If I can trace packet flow I can determine the exit point and unfortunately to prohibit unencrypted traffic from flowing to such a "hidden" point it must be coincident with the terminus.  Determining that a given machine is the terminus of such a "hidden" site is not difficult at all if I can compromise a sufficient number of nodes in the middle as part of a confederacy because simple traffic analysis (without having to decrypt the payload!) will allow me to determine in a relatively short period of time (for a busy site this might only take minutes) exactly which node probably holds the hidden service.

Let's say I have 500 "nodes" in this theoretical "encrypted" network.  Of them 20 or 30 have very high bandwidth connections compared to the others, and thus will bear the lions share of the traffic.  If I compromise half of those, say a mere 15 hosts, I can then, using a known set of computers I control, start connecting to the so-called "hidden" service and through nothing more than analysis of the traffic pattern I intentionally generate I can determine with a high degree of reliability where the terminus likely is.  If I then go further and start tampering with the packets in transit through those 15 machines once I develop a hypothesis I can prove my guess is correct without having to actually be able to decrypt the traffic itself!

Once I know where that terminus is ordinary government means (e.g. go kick in the door with a warrant in-hand) work perfectly well and you are


Now who has the money to put up a bunch of high-bandwidth "encrypted" servers and task a few bright folks to do this sort of thing when they get sufficiently motivated?  Gee, that'd be The Feds and their counterparts in other countries, right?

Uh huh.

Go read the last paragraph of that quoted passage again.  The FBI broke "Tor" because you don't need to break the encryption to be able to find the terminus of a communication and once you know where a communication path is ending up you don't need anything more-fancy than an old-fashioned warrant.

As I have repeatedly said for years despite people's claims to the contrary Tor does not secure your traffic against governments provided they're sufficiently interested in whatever you're up to -- and it never has.

View this entry with comments (registration required to post)

How idiotic can you be, America?

The latest technology used by Apple and Google to meet consumers’ demands on securing private data is hitting a nerve with the Department of Justice.

In a meeting last month with Apple executives, the No. 2 official at the Justice Department said the company’s new encryption technology that locks out law enforcement would lead to a tragedy, The Wall Street Journal reported. A child would die and the police would not be able to search the suspect’s phone, the official allegedly said.

Note two things:

  • The scaremongering using children, the typical way that the government shuts down anything reasoned debate.

  • Not even a pretense that the desired change would prevent the death -- it would only be the post-hoc search of the phone that would be curtailed!

In a word, so what?  If little Suzy is dead then we have a suspect and a body; the fact that there was a murder hasn't changed.  That the police have to actually do their work the old-fashioned way doesn't change anything either, nor does access to someone's phone (or lack thereof) change DNA and other physical evidence.

Apple's executives apparently took this the same way I did, which is good.  Credit where credit is due.

But pay attention folks, because there are some 330 million of us here and complying with the DOJ's demands will get a hell of lot more of us killed than just little Suzy!

Washington (CNN) -- China and "probably one or two other" countries have the capacity to shut down the nation's power grid and other critical infrastructure through a cyber attack, the head of the National Security Agency told a Congressional panel Thursday.

Admiral Michael Rogers, who also serves the dual role as head of U.S. Cyber Command, said the United States has detected malware from China and elsewhere on U.S. computers systems that affect the daily lives of every American.

These attacks are possible because of crap, hole-ridden so-called "security" and the use of off-the-shelf garbage that is riddled with back doors and just plain old-fashioned shoddy programming.

I used to write bespoke software -- ground-up, from the operating system level that ran on bare hardware, to run fairly-critical infrastructure.  It was not only air-gapped it ran out of PROMs that could not be field-programmed in the first place.

For convenience and cost reasons most modern command and control, along with many process-control systems, run not only on commodity hardware (which could be tampered with at manufacturing time) but also on commodity commercial software as well.  The latter is potentially disastrous because such machines and software are designed to be field-upgraded.

The capacity for anyone to override the user's security measures, including cryptographic integrity of the operating system and applications themselves, places that machine at the risk of compromise by malicious third parties who can be half a world away -- including nation-state third-parties.

Just a couple of days ago I detected and successfully interdicted a high-intensity attempt to break into my infrastructure here at The Ticker coming from Germany.  There are dozens of attempts daily that hail from China, Russia and parts of what were previous the USSR, but they tend to be low-intensity attacks that are in the noise level and, other than a nice report that I get every morning with a litany of failures, are unremarkable.  This one was different; it was high-intensity and sustained over the space of several hours, and was a clear probe attack aimed at penetrating SSL negotiation.

It is highly likely that the actual machines assaulting my infrastructure were not the "true source"; that is, those systems were under control of someone else -- and that "someone else" may well be in China or Russia somewhere.  They might even be part of or paid by the government.  In fact, I'd bet on it.

But there's not much here at stake if, by some chance, I screw up and someone gets in.  Oh sure, it's a hassle and maybe something gets stolen that's here, or a disk gets scrambled.  That would be annoying, but not fatal to anyone.

The same problem at a nuclear power plant or large substation could have critical or even catastrophic consequence.

As I wrote the other day for our government to demand this sort of "back door" access will get Americans -- and large numbers of them -- killed.  It might get a significant percentage of our population killed, and might result in the collapse of our economy and society -- all because of the ignorant arrogance of people in our government.

We must not permit this to happen.

View this entry with comments (registration required to post)

Main Navigation
Full-Text Search & Archives
Archive Access
Get Adobe Flash player
Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.


The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be reproduced or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media or for commercial use.

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.