Everything posted by gutui
Could it be...? But what do I know.....

Crisis Sub-phases of Kondratieff Cycles
Based on Professor Thompson's analysis, long K cycles have nearly a thousand years of supporting evidence. If we accept the fact that most winters in K cycles last 20 years (as outlined in the chart above), this would indicate that we are about halfway through the Kondratieff winter that commenced in the year 2000. Thus in all probability we will be moving from a "recession" to a "depression" phase in the cycle about the year 2013, and it should last until approximately 2017-2020.

Charles Nenner Research (source)
Stocks should peak in mid-2013 and fall until about 2020. Similarly, bonds should peak in the summer of 2013 and fall thereafter for 20 years. He bases his conclusions entirely on cycle research. He expects the Dow to fall to around 5,000 by 2018 – 2020.

Kress Cycles (Clif Droke) (source)
The major 120 year cycle plus all minor cycles trend down into late 2014. The stock market should decline hard into late 2014.

Elliott Wave (Robert Prechter) (source)
He believes that the stock market has peaked and has entered a generational bear-market. He anticipates a crash low in the market around 2016 – 2017.

Market Energy Waves (source)
He sees a 36 year cycle in stock markets that is peaking in mid-2013 and will cycle down for 2013 – 2016. "… the controlling energy wave is scheduled to flip back to negative on July 19 of this year." Equity markets should drop 25 – 50%.

Armstrong Economics (source)
His economic confidence model projects a peak in confidence in August 2013, a bottom in September 2014, and another peak in October 2015. The decline into January 2020 should be severe. He expects a world-wide crash and contraction in economies from 2015 – 2020.

Cycles per Charles Hugh Smith (source)
He discusses four long-term cycles that bottom in the 2010 – 2020 period. They are: Credit expansion/contraction cycle, Price inflation/wage cycle, Generational cycle, and Peak oil extraction cycle.
-
Dark Caracal: Global Espionage Malware from Lebanon
gutui replied to gutui's topic in Stiri securitate
mea culpa.
-
The EFF and Lookout are reporting on a new piece of spyware operating out of Lebanon. It primarily targets mobile devices compromised by fake secure messaging clients like Signal and WhatsApp.

From the Lookout announcement:
"Dark Caracal has operated a series of multi-platform campaigns starting from at least January 2012, according to our research. The campaigns span across 21+ countries and thousands of victims. Types of data stolen include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data. We believe this actor is operating their campaigns from a building belonging to the Lebanese General Security Directorate (GDGS) in Beirut."

It looks like a complex infrastructure that's been well-developed, and continually upgraded and maintained. It appears that a cyberweapons arms manufacturer is selling this tool to different countries.

From the full report:
"Dark Caracal is using the same infrastructure as was previously seen in the Operation Manul campaign, which targeted journalists, lawyers, and dissidents critical of the government of Kazakhstan."

There's a lot in the full report. It's worth reading.

via Bruce Schneier
-
Bitcoin is a 'Project of US Intelligence,' Kaspersky Lab Co-Founder Claims
gutui replied to asswipe's topic in Cryptocurrency
http://groups.csail.mit.edu/mac/classes/6.805/articles/money/nsamint/nsamint.htm
-
WASHINGTON — A newly drafted United States nuclear strategy that has been sent to President Trump for approval would permit the use of nuclear weapons to respond to a wide range of devastating but non-nuclear attacks on American infrastructure, including what current and former government officials described as the most crippling kind of cyberattacks. For decades, American presidents have threatened “first use” of nuclear weapons against enemies in only very narrow and limited circumstances, such as in response to the use of biological weapons against the United States. But the new document is the first to expand that to include attempts to destroy wide-reaching infrastructure, like a country’s power grid or communications, that would be most vulnerable to cyberweapons. The draft document, called the Nuclear Posture Review, was written at the Pentagon and is being reviewed by the White House. Its final release is expected in the coming weeks and represents a new look at the United States’ nuclear strategy. The draft was first published last week by HuffPost. It called the strategic picture facing the United States quite bleak, citing not only Russian and Chinese nuclear advances but advances made by North Korea and, potentially, Iran. “We must look reality in the eye and see the world as it is, not as we wish it to be,” the draft document said. The Trump administration’s new initiative, it continued, “realigns our nuclear policy with a realistic assessment of the threats we face today and the uncertainties regarding the future security environment.” The Pentagon declined to comment on the draft assessment because Mr. Trump has not yet approved it. The White House also declined to comment. 
But three current and former senior government officials said large cyberattacks against the United States and its interests would be included in the kinds of foreign aggression that could justify a nuclear response — though they stressed there would be other, more conventional options for retaliation. The officials spoke on the condition of anonymity because they are not authorized to discuss the proposed policy. Gary Samore, who was a top nuclear adviser to President Barack Obama, said much of the draft strategy “repeats the essential elements of Obama declaratory policy word for word” — including its declaration that the United States would “only consider the use of nuclear weapons in extreme circumstances to defend the vital interests of the United States or its allies and partners.” But the biggest difference lies in new wording about what constitutes “extreme circumstances.” In the Trump administration’s draft, those “circumstances could include significant non-nuclear strategic attacks.” It said that could include “attacks on the U.S., allied, or partner civilian population or infrastructure, and attacks on U.S. or allied nuclear forces, their command and control, or warning and attack assessment capabilities.” The draft does not explicitly say that a crippling cyberattack against the United States would be among the extreme circumstances. But experts called a cyberattack one of the most efficient ways to paralyze systems like the power grid, cellphone networks and the backbone of the internet without using nuclear weapons. “In 2001, we struggled with how to establish deterrence for terrorism because terrorists don’t have populations or territory to hold at risk. Cyber poses a similar quandary,” said Kori Schake, a senior National Security Council and State Department official during President George W. Bush’s administration, who is now the deputy director general of the International Institute for Strategic Studies in London. 
“So if cyber can cause physical malfunction of major infrastructure resulting in deaths,” Ms. Schake said, the Pentagon has now found a way “to establish a deterrent dynamic.” The draft review also cites “particular concern” about “expanding threats in space and cyberspace” to the command-and-control systems of the American nuclear arsenal that the review identifies as a “legacy of the Cold War.” It was the latest warning in a growing chorus that the nuclear response networks could themselves be disabled or fed false data in a cyberattack. So far, all of the United States’ leading adversaries — including Russia, China, North Korea and Iran — have stopped well short of the kind of cyberattacks that could prompt a larger, and more violent response. The Russians have placed malware called “Black Energy” in American utility systems, but never tried to cause a major blackout. They have sent cable-cutting submarines along the path of undersea fiber optic lines that connect the continents, but not cut them. North Korea has attacked companies like Sony, and used cyberweapons to cause chaos in the British health care system, but never directly taken on the United States. Still, the document recognizes that American, Russian and Chinese strategies have all been updated in recent years to reflect the reality that any conflict would begin with a lightning strike on space and communications systems. During the Obama administration, for example, a secret program, code-named “Nitro Zeus,” called for a blinding cyberattack on Iran in the event negotiations over its nuclear program failed and Washington found itself going to war with Tehran. There are other differences with the Obama administration policy. The draft strategy embraces the American production of a new generation of small, low-yield nuclear weapons — some of which were under development during the Obama administration. 
Some experts warn that such smaller weapons can blur the distinction between nuclear and non-nuclear weapons, and, as a result, be more tempting to use. And it states outright that Russia is testing its first autonomous nuclear torpedo, one that American officials believe would be guided largely by artificial intelligence to strike the United States even if communications with Moscow were terminated. It was Washington’s first public acknowledgment of such an undersea weapon, a prototype of which was first envisioned in the 1960s by Andrei Sakharov, the physicist who later ranked among the Soviet Union’s most famous dissidents. The torpedo’s development was detected by the Obama administration and has been widely discussed in defense circles, but never publicly referred to by the Pentagon as a significant future threat.

Mr. Trump has rarely publicly criticized President Vladimir V. Putin of Russia for Russia’s aggressions around the world. But the Pentagon document describes Moscow’s actions as so destabilizing that the United States may be forced to reverse Mr. Obama’s commitment to reduce the role and size of the American nuclear arsenal. Russia is adopting “military strategies and capabilities that rely on nuclear escalation for their success,” Defense Secretary Jim Mattis wrote in an introduction to the report. “These developments, coupled with Russia’s invasion of Crimea and nuclear threats against our allies, mark Moscow’s unabashed return to Great Power competition.”

In most cases, the Trump administration plan would simply move forward nuclear weapons that Mr. Obama had endorsed, such as a new generation of nuclear cruise missiles — low-flying weapons with stubby wings that, when dropped from a bomber, hug the ground to avoid enemy radars and air defenses. But the strategy envisions other new nuclear weapons. The draft policy calls for “the rapid development” of a cruise missile to be fired from submarines. Mr. Obama had retired that class. It also calls for the development of a low-yield warhead for ballistic missiles fired from submarines.

It is relatively easy for presidents to change the country’s declaratory policy on the use of nuclear arms and quite difficult for them to reshape its nuclear arsenal, which takes not only vast sums of money but many years and sometimes decades of planning and implementation. The price tag for a 30-year makeover of the United States’ nuclear arsenal was put last year at $1.2 trillion. Analysts said the expanded Trump administration plan would push the bill much higher, noting that firm estimates will have to wait until the proposed federal budget for the 2019 fiscal year is made public.

“Almost everything about this radical new policy will blur the line between nuclear and conventional,” said Andrew C. Weber, an assistant defense secretary during the Obama administration who directed an interagency panel that oversaw the country’s nuclear arsenal. If adopted, he added, the new policy “will make nuclear war a lot more likely.”

One of the document’s edgiest conclusions involves the existence of a deadly new class of Russian nuclear torpedo — a cigar-shaped underwater missile meant to be fired from a submarine. Torpedoes tipped with nuclear arms were common during the Cold War, with the Soviet Union pioneering the weapons and developing them most vigorously. One Soviet model had a range of miles and a large warhead. Mr. Sakharov, a famous Russian dissident in the 1970s and 1980s, envisioned a giant torpedo able to travel several hundred miles and incur heavy casualties with a warhead thousands of times more powerful than the Hiroshima bomb. Though his vision was rejected at the time, the new review discloses that Moscow has resurrected a weapon along the same lines.
The document calls it “a new intercontinental, nuclear-armed undersea autonomous torpedo.” In a diagram labeled “New Nuclear Delivery Vehicles over the Past Decade,” it identifies the torpedo by its code name, Status-6. News stories have reported the possible existence of such a weapon since at least 2015, but the document’s reference appears to be the first time the federal government has confirmed its existence. The long-range torpedo with a monster warhead is apparently meant to shower coastal regions with deadly radioactivity, leaving cities uninhabitable.
-
http://www.navy.mil/submit/display.asp?story_id=103130
https://www.reuters.com/article/us-usa-navy-collisions/ex-u-s-navy-officers-face-negligent-homicide-charges-over-ship-collisions-idUSKBN1F6017
In the middle of nowhere, two ships collide... in two separate incidents.... Did the GPS work? A stray thought takes me to the two false nuclear-attack alarms, Hawaii and, four days later, Japan... GPS satellites involved? Probably it's the effect of the neurodisruptor MSG consumed in the area...
-
From: Cfir Cohen via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 3 Jan 2018 09:40:40 -0800

Introduction
============
AMD PSP [1] is a dedicated security processor built onto the main CPU die. ARM TrustZone provides an isolated execution environment for sensitive and privileged tasks, such as main x86 core startup. See [2] for details. fTPM is a firmware TPM [3] implementation. It runs as a trustlet application inside the PSP. fTPM exposes a TPM 2.0 interface over MMIO to the host [4].

Research
========
The fTPM trustlet code was found in Coreboot's git repository [5] and in several BIOS update files. The TPM reference implementation code is published in trustedcomputinggroup.org (TCG) TPM specification. In fact, the code *is* the spec. Most TPM vendors implement their TPMs based on the TCG spec code. Vendors implement the storage layer (where non-volatile data and persistent objects are stored), connect the crypto library to a good source of entropy, and sometimes re-implement the low-level crypto functions. However, a lot of the TPM code is shared with the publicly accessible TPM specification: request/response marshaling, session management and command execution logic. This research focused on vendor specific code that diverged from the TCG spec.

Vulnerability
=============
Through manual static analysis, we've found a stack-based overflow in the function EkCheckCurrentCert. This function is called from TPM2_CreatePrimary with user controlled data - a DER encoded [6] endorsement key (EK) certificate stored in the NV storage. A TLV (type-length-value) structure is parsed and copied on to the parent stack frame. Unfortunately, there are missing bounds checks, and a specially crafted certificate can lead to a stack overflow:

    NESTED_CERT_DATA1 = '\x03\x82\x07\xf0' + 'A' * 0x7f0
    NESTED_CERT_DATA2 = '\x03\x82' + pack('>H', len(NESTED_CERT_DATA1)) + NESTED_CERT_DATA1
    CERT_DATA = '\x03\x82' + pack('>H', len(NESTED_CERT_DATA2)) + NESTED_CERT_DATA2

Proof Of Concept
================
Without access to real AMD hardware, we used an ARM emulator [7] to emulate a call to EkCheckCurrentCert with the CERT_DATA listed above. We verified that full control of the program counter is possible:

    EkCheckCurrentCert+c8 : B loc_10EE4
    EkCheckCurrentCert+60 : LDR R4, =0xB80
    EkCheckCurrentCert+62 : ADDS R4, #0x14
    EkCheckCurrentCert+64 : ADD SP, R4
    EkCheckCurrentCert+66 : POP {R4-R7,PC}
    41414140 : ???? | R0=ff,R1=f00242c,R2=f001c24,R3=824,R4=41414141,R5=41414141,R6=41414141,R7=41414141,PC=41414140,SP=f003000,LR=11125

As far as we know, general exploit mitigation technologies (stack cookies, NX stack, ASLR) are not implemented in the PSP environment.

Credits
=======
This vulnerability was discovered and reported to AMD by Cfir Cohen of the Google Cloud Security Team.

Timeline
========
09-28-17 - Vulnerability reported to AMD Security Team.
12-07-17 - Fix is ready. Vendor works on a rollout to affected partners.
01-03-18 - Public disclosure due to 90 day disclosure deadline.

[1] http://www.amd.com/en-us/innovations/software-technologies/security
[2] https://classic.regonline.com/custImages/360000/369552/TCC%20PPTs/TCC2013_VanDoorn.pdf
[3] https://en.wikipedia.org/wiki/Trusted_Platform_Module
[4] http://www.trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2-0-v43-150126.pdf
[5] https://github.com/coreboot/blobs/tree/master/southbridge/amd/avalon/PSP
[6] https://en.wikipedia.org/wiki/X.690#DER_encoding
[7] http://www.unicorn-engine.org/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
via: http://seclists.org/fulldisclosure/2018/Jan/12
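The following is an added example and not part of Cfir Cohen's advisory or of the fTPM code. It rebuilds the nested TLV chain from the PoC above in general form (any nesting depth and filler length, the defaults giving the advisory's CERT_DATA byte for byte) and, next to it, a DER TLV reader that applies the two checks the advisory says are missing: the declared length against the enclosing buffer, and the value size against the destination buffer. The 0x400-byte frame size, the function names and the "unchecked" copy model are assumptions made for illustration; the real stack layout of EkCheckCurrentCert is not on the page.

```python
from struct import pack

BIT_STRING_TAG = 0x03  # the tag byte the advisory's payload uses at every level


def der_tlv_long(tag, payload):
    """Encode tag || 0x82 || 2-byte big-endian length || payload, i.e. the
    '\\x03\\x82' + pack('>H', len(...)) construction from the PoC."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for the 0x82 length form")
    return bytes([tag, 0x82]) + pack(">H", len(payload)) + payload


def build_cert_data(inner_len=0x7F0, depth=3):
    """Wrap inner_len filler bytes in `depth` nested TLVs. The defaults
    reproduce the advisory's CERT_DATA; other values let the parser below be
    exercised on different shapes."""
    data = b"A" * inner_len
    for _ in range(depth):
        data = der_tlv_long(BIT_STRING_TAG, data)
    return data


def parse_tlv(buf, off=0):
    """Read one DER TLV at buf[off:], validating the declared length against
    the enclosing buffer. Returns (tag, value, next_off); raises ValueError
    on anything malformed instead of trusting the attacker's length field."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                       # short form: the byte is the length
        length = first
    else:                                  # long form: 0x8N, then N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or off + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if length > len(buf) - off:            # source-side bound: no over-read
        raise ValueError("TLV length exceeds enclosing buffer")
    return tag, buf[off:off + length], off + length


def innermost(cert, max_depth=16):
    """Descend through nested BIT STRING TLVs until the value is no longer one
    (or max_depth is hit). Returns (innermost_value, levels_unwrapped)."""
    value, depth = cert, 0
    while depth < max_depth:
        try:
            tag, inner, end = parse_tlv(value)
        except ValueError:
            break
        if tag != BIT_STRING_TAG or end != len(value):
            break
        value, depth = inner, depth + 1
    return value, depth


# Assumed size of the fixed stack buffer the value is copied into; the real
# frame layout of EkCheckCurrentCert is not given on the page.
FRAME_SIZE = 0x400


def copy_to_frame_unchecked(cert, frame_size=FRAME_SIZE):
    """Model of the vulnerable copy: the TLV length is trusted and the value
    is copied into a fixed-size stack buffer. Returns how many bytes would
    land past the end of that buffer (0 means it fits) instead of actually
    corrupting anything."""
    _tag, value, _end = parse_tlv(cert)
    return max(0, len(value) - frame_size)


def copy_to_frame_checked(cert, frame_size=FRAME_SIZE):
    """Hardened copy: compare the value size with the destination capacity
    before copying. Returns the copied bytes or raises ValueError."""
    _tag, value, _end = parse_tlv(cert)
    if len(value) > frame_size:
        raise ValueError("certificate element larger than destination buffer")
    return value


if __name__ == "__main__":
    cert = build_cert_data()
    print("CERT_DATA length:", len(cert), "nesting:", innermost(cert)[1])
    print("bytes past a %#x-byte frame:" % FRAME_SIZE, copy_to_frame_unchecked(cert))
    try:
        copy_to_frame_checked(cert)
    except ValueError as err:
        print("hardened parser rejects it:", err)
```

The source-side check in parse_tlv is what stops a crafted length from reading past the certificate; the destination-side check in copy_to_frame_checked is the one that would have stopped the 2040-byte outer value from being copied onto a smaller stack frame. Both are needed; the PoC's lengths are internally consistent, so only the second one rejects it.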
-
Spectre still unfixed, unlike what Intel says
Written by https://twitter.com/never_released, reviewed and corrected by Alex Ionescu

On January 4th, 3 separate vulnerabilities were released, the first two being named Spectre (Variant 1 and 2) and the third one being Meltdown (Variant 3). Intel CPUs are affected by all vulnerabilities, as are Apple A-series CPUs used on iOS devices, the ARM Cortex-A75 and the Qualcomm Snapdragon 845 CPUs. CPUs with speculative execution from other manufacturers (other ARM "big" cores, AMD CPUs, PowerPC, ...) are affected by Spectre but not Meltdown.

Meltdown (Variant 3)
Meltdown has been fixed on the Linux kernel through a patchset named KPTI, which affects performance differently depending on the workload. The effects are negligible for typical desktop usage, but some server workloads are heavily impacted. Windows was patched in November for Insider (beta) builds, and January 2018 for everyone else. The hit when having a CPU without the INVPCID feature (pre-Haswell CPUs) is bigger than on more modern CPUs for Meltdown: the TLB has to be flushed on each interrupt or context switch on older CPUs. KPTI is only available for 64-bit operating systems. Some 32-bit operating systems such as Mac OS X are immune because they use separate memory maps for kernel and userspace, as does Linux with a 4GB/4GB memory split.

Spectre (Variant 2)
Spectre (Variant 2) is still unfixed on Linux at this time. It's fixed on Windows on Intel systems with a microcode update delivered by the OEM. If no microcode update is done, retpoline is implemented on Windows as a mitigation. On Linux, it'll be fixed with a mitigation called retpoline (with 5-10% performance impact in server use, should be negligible for customers) on Intel CPUs. IBRS, a patchset with a performance impact, which also requires newer microcode to work, exists for security-concerned users who want absolutely zero risk. IBRS is currently available through microcode updates for Haswell and later. On AMD CPUs, retpoline isn't needed and usage of the LFENCE instruction is enough to protect against Variant 2 of Spectre. Windows uses both LFENCE and retpoline.

Spectre (Variant 1)
Spectre (Variant 1) is currently unfixed in general. Some attempts at mitigating for specific applications, such as reducing timer precision in JavaScript, are being developed and pushed for Mozilla Firefox and the next stable Chrome release.

Notes
On Windows Server, KvaShadow (KPTI) and IBRS are disabled by default because of the performance impact, and have to be explicitly enabled by the administrator if he's concerned enough about security. On Windows (client), the update is only downloaded if the antivirus vendor did set a registry key, for compatibility reasons.

macOS warning: The security flaw is not fixed in macOS 10.12 or 10.11, but only in High Sierra; Apple modified their support website to reflect this ( https://twitter.com/mikeymikey/status/949345240099377152 ).

"The microcode is delivered through a firmware update. Consult with the device manufacturer about the firmware version that has the appropriate update for your CPU." infers that the microcode necessary for mitigating Spectre (Variant 2) cannot be applied by Windows, but requires OEM action.

source: https://gist.github.com/woachk/2f86755260f2fee1baf71c90cd6533e9
-
What Eveline Cismaru looks like, the young woman who hacked...
gutui replied to Nytro's topic in Stiri securitate
It's a deal. Done, we shake on it, us; you go jerk off, great Führer of orthography.
-
What Eveline Cismaru looks like, the young woman who hacked...
gutui replied to Nytro's topic in Stiri securitate
Old man, you skipped school; the instructor must have told you that changing the topic, attacking the author of the assertion that is inconvenient for the thesis you are propagandizing for, without bringing any counter-arguments, just trying to ridicule your opponent, will only expose you to opprobrium and invective. I suspect that's not what you want. The fervor and frequency with which the official thesis is argued for only confirms, indirectly, that a sensitive area has been touched in the discussion.
-
What Eveline Cismaru looks like, the young woman who hacked...
gutui replied to Nytro's topic in Stiri securitate
Take a look here, so that the Hungarian obsession can be overcome. I know, Hungarian women are the best, since they are UD(e)_M(e)R(eu), but, I stress, the goal of such an operation is not an orgasm; the goal is quantified in allocated funds, the impact on public opinion, conditioning the bison into educated helplessness, where the all-powerful state, represented by the force institutions, protects the bison. Attaching an image of a broad the bison drools over or, as the case may be, is intimidated by, a broad who is the representation of an evil and of possible threats unquantifiable by the bison's common knowledge, propels the action of those from "the eye and the eardrum" into mystical zones. I'm not joking, I'm not raving. It's just an image-consolidation operation... don't forget the old woman, murdered as a result of the cyber-criminal actions of the hot broad, the blocking of the surveillance cameras in the Washington DC urban area. That was an excess of the scriptwriter, but it induces a diffuse guilt in the subconscious, in the perception of the one drooling over the hot one's pictures. It inoculates and conditions the feeling of insecurity with a primal instinct: sex. In the case of the women, the mechanism is similar; it associates and amplifies the feeling of insecurity with the frustration of not being the dominant female. Moreover, the staging costs of the operation, it seems, have already been recovered. It's the Gladio pattern, head to tail.
-
What Eveline Cismaru looks like, the young woman who hacked...
gutui replied to Nytro's topic in Stiri securitate
The "floozy" is collateral damage. She looks good as a profile, makes the story sellable to the media. The story smells of an action staged with the help of one or more "inciting agents". Ridiculing the agent-provocateur hypothesis by quickly reaching for the phrase "conspiracy theory"... only strengthens my suspicion; so far, the use of agents provocateurs in actions by "Five Eyes" members has proven to be common practice. Probably this story, corroborated with some knowledge of "Gladio"-type operations, could gain consistency... cyber terrorism, right? But what am I writing, I suppose you know what Gladio-type operations are, right? Still, you can see I'm raving in the morning; maybe the glass of single malt on the rocks after coffee is to blame, and the broad in the pictures was eating Python on toast at the beauty salon while getting a full wax, and the young man she was hooked up with showed deep knowledge of 3-4 programming languages, and his criminal activity was based on tools that would have required the work of a team of more than 6 people, with narrow niche specializations, for more than 4 months... excluded variant, since it's the fruit of his creative energy, badly directed, a genius who slid into crime over two pairs of excessively wet labia... that's it! I'm wrong; what I've lived through and my refusal to unconditionally accept a cover story are to blame... should I be kind and call it TFL-ist? What can you do? Nothing to be done!
-
What Eveline Cismaru looks like, the young woman who hacked...
gutui replied to Nytro's topic in Stiri securitate
Careful what you write, you're ruining the cover story of a joint-forces operation of the "blue-eyed boys' boys" from several countries and continents... it would be a pity for cynical remarks of this kind to destroy a meticulously prepared operation, an operation in which some undercover "blue-eyed boys' boys" found some suckers who fit the desired profile, the protagonists of the arrest, a delinquent profile extremely sellable to the media. Moreover, I assume the undercover "boys" provided them with tools, logistics and start-up money... that's what happens when "blue-eyed boys' boys" need to justify their existence, presence and persistence in indiscriminate surveillance and the budgeting of this activity. Now you understand why a bimbo chick was necessary... it's like the anthem sung by Amy Gordon... the key to success...
-
Kid, I apologize that I can't lower myself into your mud and that of the other profile you use, Stefan-cel-Mare. You probably need something to stimulate your dopamine secretion... your downvote leaves me cold, I have nothing to prove, to anyone.
-
https://player.vimeo.com/video/148946917
-
Computer vendors start disabling Intel Management Engine, Intel® Management Engine Critical Firmware Update (Intel-SA-00086) ...
-
Advanced Windows Exploitation
gutui replied to NO-MERCY's topic in Reverse engineering & exploit development
https://top-kickass.org/F20E09397C6EC52B295006E6EDA44FE246D0AC00 -
Let's not forget that our "dance" started from an image you posted, with teenagers miming fellatio at a freshman ball. You were trying to politicize that grotesque incident... PSD was to blame... obviously, in Cluj... then you were bothered by a few posts that you thought were damaging to DNA and/or SRI. You felt the need to swear at me in a private message... "Why the fuck are you giving me - on my posts? Are you suffering?" That's all you could do. That's all you did. Reactions cascaded in from 3 more users who, throughout their activity, together with you, have as their sole purpose upvoting each other and downvoting as a pack against those who bother you. Coincidentally, you all have the same obsessions. Now, I admit, my dose of madness when drunk, I own it and savor it every moment; the question is, what do you do with your villainy? Does it stimulate your dopamine secretion? If so, congratulations, welcome to the ranks of psychopaths! Stefan cel Mare can explain to you how dopamine works, since he's on inhibitors.
-
.... I deleted the post because when I wrote it I was excessively beered-up, well... friday afternoon fever
-
It's more serious than we realize in our cultural circle; it will be voluntary-compulsory for the little corporate slaves:
"According to a Facebook spokesperson, Facebook workers will have to review full, uncensored versions of nude images first, volunteered by the user, to determine if malicious posts by other users qualify as revenge porn."
Facebook Workers, Not an Algorithm, Will Look at Volunteered Nude Photos First to Stop Revenge Porn
because:
"PornHub is using machine learning algorithms to identify actors in different videos, so as to better index them. People are worried that it can really identify them, by linking their stage names to their real names. Facebook somehow managed to link a sex worker's clients under her fake name to her real profile. Sometimes people have legitimate reasons for having two identities. That is becoming harder and harder."
For the "volunteers" forced to fall in line with the politically correct trend in order to keep their corporate standing, a solution...
http://hackerfactor.com/blog/index.php?/archives/432-Looks-Like-It.html
-
This has set a precedent for future interactions with the US DOJ, and they will go through the Swiss court system as required by law. https://protonmail.com/blog/transparency-report/ etc. http://lmgtfy.com/?q=deanoymise+tor https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-evans-grothoff.pdf https://arstechnica.com/security/2015/07/new-attack-on-tor-can-deanonymize-hidden-services-with-surprising-accuracy/ http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf https://www.cs.princeton.edu/~annee/pdf/usenixsec15.pdf https://www.youtube.com/watch?v=-oTEoLB-ses&feature=youtu.be&t=1998 . http://www.robgjansen.com/publications/sniper-ndss2014.pdf https://www.infoworld.com/article/2609583/encryption/how-secure-was-lavabit-s--secure--email--not-very--says-researcher.html
-
https://energycommerce.house.gov/hearings/securing-consumers-credit-data-age-digital-commerce/ Last week, I testified before the House Energy and Commerce committee on the Equifax hack. You can watch the video here. And you can read my written testimony below. Testimony and Statement for the Record of Bruce Schneier Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School Fellow, Berkman Center for Internet and Society at Harvard Law School Hearing on "Securing Consumers' Credit Data in the Age of Digital Commerce" Before the Subcommittee on Digital Commerce and Consumer Protection Committee on Energy and Commerce United States House of Representatives 1 November 2017 2125 Rayburn House Office Building Washington, DC 20515 Mister Chairman and Members of the Committee, thank you for the opportunity to testify today concerning the security of credit data. My name is Bruce Schneier, and I am a security technologist. For over 30 years I have studied the technologies of security and privacy. I have authored 13 books on these subjects, including Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (Norton, 2015). My popular newsletter Crypto-Gram and my blog Schneier on Security are read by over 250,000 people. Additionally, I am a Fellow and Lecturer at the Harvard Kennedy School of Government -- where I teach Internet security policy -- and a Fellow at the Berkman Klein Center for Internet and Society at Harvard Law School. I am a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an advisory board member of Electronic Privacy Information Center and VerifiedVoting.org. I am also a special advisor to IBM Security and the Chief Technology Officer of IBM Resilient. I am here representing none of those organizations, and speak only for myself based on my own expertise and experience. I have eleven main points: 1. 
The Equifax breach was a serious security breach that puts millions of Americans at risk. Equifax reported that 145.5 million US customers, about 44% of the population, were impacted by the breach. (That's the original 143 million plus the additional 2.5 million disclosed a month later.) The attackers got access to full names, Social Security numbers, birth dates, addresses, and driver's license numbers. This is exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, cell phone companies and other businesses vulnerable to fraud. As a result, all 143 million US victims are at greater risk of identity theft, and will remain at risk for years to come. And those who suffer identify theft will have problems for months, if not years, as they work to clean up their name and credit rating. 2. Equifax was solely at fault. This was not a sophisticated attack. The security breach was a result of a vulnerability in the software for their websites: a program called Apache Struts. The particular vulnerability was fixed by Apache in a security patch that was made available on March 6, 2017. This was not a minor vulnerability; the computer press at the time called it "critical." Within days, it was being used by attackers to break into web servers. Equifax was notified by Apache, US CERT, and the Department of Homeland Security about the vulnerability, and was provided instructions to make the fix. Two months later, Equifax had still failed to patch its systems. It eventually got around to it on July 29. The attackers used the vulnerability to access the company's databases and steal consumer information on May 13, over two months after Equifax should have patched the vulnerability. The company's incident response after the breach was similarly damaging. It waited nearly six weeks before informing victims that their personal information had been stolen and they were at increased risk of identity theft. 
Equifax opened a website to help aid customers, but the poor security around that -- the site was at a domain separate from the Equifax domain -- invited fraudulent imitators and even more damage to victims. At one point, the official Equifax communications even directed people to that fraudulent site.

This is not the first time Equifax failed to take computer security seriously. It confessed to another data leak in January 2017. In May 2016, one of its websites was hacked, resulting in 430,000 people having their personal information stolen. Also in 2016, a security researcher found and reported a basic security vulnerability in its main website. And in 2014, the company reported yet another security breach of consumer information. There are more.

3. There are thousands of data brokers with similarly intimate information, similarly at risk.

Equifax is more than a credit reporting agency. It's a data broker. It collects information about all of us, analyzes it all, and then sells those insights. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about us -- almost all of them companies you've never heard of and have no business relationship with.

The breadth and depth of information that data brokers have is astonishing. Data brokers collect and store billions of data elements covering nearly every US consumer. Just one of the data brokers studied holds information on more than 1.4 billion consumer transactions and 700 billion data elements, and another adds more than 3 billion new data points to its database each month.

These brokers collect demographic information: names, addresses, telephone numbers, e-mail addresses, gender, age, marital status, presence and ages of children in household, education level, profession, income level, political affiliation, cars driven, and information about homes and other property. They collect lists of things we've purchased, when we've purchased them, and how we paid for them. They keep track of deaths, divorces, and diseases in our families. They collect everything about what we do on the Internet.

4. These data brokers deliberately hide their actions, and make it difficult for consumers to learn about or control their data.

If there were a dozen people who stood behind us and took notes of everything we purchased, read, searched for, or said, we would be alarmed at the privacy invasion. But because these companies operate in secret, inside our browsers and financial transactions, we don't see them and we don't know they're there.

Regarding Equifax, few consumers have any idea what the company knows about them, who they sell personal data to or why. If anyone knows about them at all, it's about their business as a credit bureau, not their business as a data broker. Their website lists 57 different offerings for business: products for industries like automotive, education, health care, insurance, and restaurants.

In general, options to "opt-out" don't work with data brokers. It's a confusing process, and doesn't result in your data being deleted. Data brokers will still collect data about consumers who opt out. It will still be in those companies' databases, and will still be vulnerable. It just won't be included individually when they sell data to their customers.

5. The existing regulatory structure is inadequate.

Right now, there is no way for consumers to protect themselves. Their data has been harvested and analyzed by these companies without their knowledge or consent. They cannot improve the security of their personal data, and have no control over how vulnerable it is. They only learn about data breaches when the companies announce them -- which can be months after the breaches occur -- and at that point the onus is on them to obtain credit monitoring services or credit freezes.
And even those only protect consumers from some of the harms, and only those suffered after Equifax admitted to the breach.

Right now, the press is reporting "dozens" of lawsuits against Equifax from shareholders, consumers, and banks. Massachusetts has sued Equifax for violating state consumer protection and privacy laws. Other states may follow suit.

If any of these plaintiffs win in the court, it will be a rare victory for victims of privacy breaches against the companies that have our personal information. Current law is too narrowly focused on people who have suffered financial losses directly traceable to a specific breach. Proving this is difficult. If you are the victim of identity theft in the next month, is it because of Equifax or does the blame belong to another of the thousands of companies who have your personal data? As long as one can't prove it one way or the other, data brokers remain blameless and liability free.

Additionally, much of this market in our personal data falls outside the protections of the Fair Credit Reporting Act. And in order for the Federal Trade Commission to levy a fine against Equifax, it needs to have a consent order and then a subsequent violation. Any fines will be limited to credit information, which is a small portion of the enormous amount of information these companies know about us. In reality, this is not an effective enforcement regime.

Although the FTC is investigating Equifax, it is unclear if it has a viable case.

6. The market cannot fix this because we are not the customers of data brokers.

The customers of these companies are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you'd be a profitable customer -- everyone who wants to sell you something, even governments.

Markets work because buyers choose from a choice of sellers, and sellers compete for buyers. None of us are Equifax's customers. None of us are the customers of any of these data brokers. We can't refuse to do business with the companies. We can't remove our data from their databases. With few limited exceptions, we can't even see what data these companies have about us or correct any mistakes.

We are the product that these companies sell to their customers: those who want to use our personal information to understand us, categorize us, make decisions about us, and persuade us.

Worse, the financial markets reward bad security. Given the choice between increasing their cybersecurity budget by 5%, or saving that money and taking the chance, a rational CEO chooses to save the money. Wall Street rewards those whose balance sheets look good, not those who are secure. And if senior management gets unlucky and a public breach happens, they end up okay. Equifax's CEO didn't get his $5.2 million severance pay, but he did keep his $18.4 million pension. Any company that spends more on security than absolutely necessary is immediately penalized by shareholders when its profits decrease.

Even the negative PR that Equifax is currently suffering will fade. Unless we expect data brokers to put public interest ahead of profits, the security of this industry will never improve without government regulation.

7. We need effective regulation of data brokers.

In 2014, the Federal Trade Commission recommended that Congress require data brokers be more transparent and give consumers more control over their personal information. That report contains good suggestions on how to regulate this industry.

First, Congress should help plaintiffs in data breach cases by authorizing and funding empirical research on the harm individuals receive from these breaches.
Specifically, Congress should move forward legislative proposals that establish a nationwide "credit freeze" -- which is better described as changing the default for disclosure from opt-out to opt-in -- and free lifetime credit monitoring services. By this I do not mean giving customers free credit-freeze options, a proposal by Senators Warren and Schatz (http://money.cnn.com/2017/09/15/pf/warren-schatz-equifax/index.html), but that the default should be a credit freeze.

The credit card industry routinely notifies consumers when there are suspicious charges. It is obvious that credit reporting agencies should have a similar obligation to notify consumers when there is suspicious activity concerning their credit report.

On the technology side, more could be done to limit the amount of personal data companies are allowed to collect. Increasingly, privacy safeguards impose "data minimization" requirements to ensure that only the data that is actually needed is collected. On the other hand, Congress should not create a new national identifier to replace the Social Security Numbers. That would make the system of identification even more brittle. Better is to reduce dependence on systems of identification and to create contextual identification where necessary.

Finally, Congress needs to give the Federal Trade Commission the authority to set minimum security standards for data brokers and to give consumers more control over their personal information. This is essential as long as consumers are these companies' products and not their customers.

8. Resist complaints from the industry that this is "too hard."

The credit bureaus and data brokers, and their lobbyists and trade-association representatives, will claim that many of these measures are too hard. They're not telling you the truth.

Take one example: credit freezes. This is an effective security measure that protects consumers, but the process of getting one and of temporarily unfreezing credit is made deliberately onerous by the credit bureaus. Why isn't there a smartphone app that alerts me when someone wants to access my credit rating, and lets me freeze and unfreeze my credit at the touch of the screen? Too hard? Today, you can have an app on your phone that does something similar if you try to log into a computer network, or if someone tries to use your credit card at a physical location different from where you are.

Moreover, any credit bureau or data broker operating in Europe is already obligated to follow the more rigorous EU privacy laws. The EU General Data Protection Regulation will come into force, requiring even more security and privacy controls for companies collecting and storing the personal data of EU citizens. Those companies have already demonstrated that they can comply with those more stringent regulations.

Credit bureaus, and data brokers in general, are deliberately not implementing these 21st-century security solutions, because they want their services to be as easy and useful as possible for their actual customers: those who are buying your information. Similarly, companies that use this personal information to open accounts are not implementing more stringent security because they want their services to be as easy-to-use and convenient as possible.

9. This has foreign trade implications.

The Canadian Broadcast Corporation reported that 100,000 Canadians had their data stolen in the Equifax breach. The British Broadcasting Corporation originally reported that 400,000 UK consumers were affected; Equifax has since revised that to 15.2 million. Many American Internet companies have significant numbers of European users and customers, and rely on negotiated safe harbor agreements to legally collect and store personal data of EU citizens.
The European Union is in the middle of a massive regulatory shift in its privacy laws, and those agreements are coming under renewed scrutiny. Breaches such as Equifax give these European regulators a powerful argument that US privacy regulations are inadequate to protect their citizens' data, and that they should require that data to remain in Europe. This could significantly harm American Internet companies.

10. This has national security implications.

Although it is still unknown who compromised the Equifax database, it could easily have been a foreign adversary that routinely attacks the servers of US companies and US federal agencies with the goal of exploiting security vulnerabilities and obtaining personal data.

When the Fair Credit Reporting Act was passed in 1970, the concern was that the credit bureaus might misuse our data. That is still a concern, but the world has changed since then. Credit bureaus and data brokers have far more intimate data about all of us. And it is valuable not only to companies wanting to advertise to us, but foreign governments as well. In 2015, the Chinese breached the database of the Office of Personnel Management and stole the detailed security clearance information of 21 million Americans. North Korea routinely engages in cybercrime as a way to fund its other activities.

In a world where foreign governments use cyber capabilities to attack US assets, requiring data brokers to limit collection of personal data, securely store the data they collect, and delete data about consumers when it is no longer needed is a matter of national security.

11. We need to do something about it.

Yes, this breach is a huge black eye and a temporary stock dip for Equifax -- this month. Soon, another company will have suffered a massive data breach and few will remember Equifax's problem. Does anyone remember last year when Yahoo admitted that it exposed personal information of a billion users in 2013 and another half billion in 2014? Unless Congress acts to protect consumer information in the digital age, these breaches will continue.

Thank you for the opportunity to testify today. I will be pleased to answer your questions.

Tags: breaches, national security policy, Schneier news
Posted on November 8, 2017 at 6:33 AM

Cybercriminals Infiltrating E-Mail Networks to Divert Large Customer Payments

There's a new criminal tactic involving hacking an e-mail account of a company that handles high-value transactions and diverting payments. Here it is in real estate:

The scam generally works like this: Hackers find an opening into a title company's or realty agent's email account, track upcoming home purchases scheduled for settlements -- the pricier the better -- then assume the identity of the title agency person handling the transaction. Days or sometimes weeks before the settlement, the scammer poses as the title or escrow agent whose email accounts they've hijacked and instructs the home buyer to wire the funds needed to close -- often hundreds of thousands of dollars, sometimes far more -- to the criminals' own bank accounts, not the title or escrow company's legitimate accounts. The criminals then withdraw the money and vanish.

Here it is in fine art:

The fraud is relatively simple. Criminals hack into an art dealer's email account and monitor incoming and outgoing correspondence. When the gallery sends a PDF invoice to a client via email following a sale, the conversation is hijacked. Posing as the gallery, hackers send a duplicate, fraudulent invoice from the same gallery email address, with an accompanying message instructing the client to disregard the first invoice and instead wire payment to the account listed in the fraudulent document. Once money has been transferred to the criminals' account, the hackers move the money to avoid detection and then disappear. The same technique is used to intercept payments made by galleries to their artists and others.
Because the hackers gain access to the gallery's email contacts, the scam can spread quickly, with fraudulent emails appearing to come from known sources.

I'm sure it's happening in other industries as well, probably even with business-to-business commerce.

via Me on the Equifax Breach
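The invoice-hijack pattern quoted above (a second invoice from the real mailbox, same invoice number, new bank account, "disregard the first invoice") is easiest to catch on the paying side by treating any change of payment instructions as an event that must be confirmed out of band before money moves. The following is an added example, not code from the original post; the vendor addresses, invoice numbers, account numbers and trigger phrases are all constructed.

```python
from dataclasses import dataclass

# Constructed registry: bank accounts each vendor confirmed through a channel
# that does not depend on e-mail (for example a phone number already on file).
VERIFIED_ACCOUNTS = {
    "gallery@example-art.test": {"GB00EXAMPLE00000001"},
    "escrow@example-title.test": {"US00EXAMPLE00000042"},
}

# Phrases that typically accompany a redirected invoice; constructed list.
REDIRECT_PHRASES = ("disregard the first", "updated bank", "new account", "new wire")


@dataclass
class Invoice:
    msg_id: str
    sender: str        # From: address; a hijacked mailbox sends from the real one
    invoice_no: str
    beneficiary: str   # account number taken from the invoice body or PDF
    body: str
    reply_to: str = ""  # empty means no separate Reply-To header


def payment_redirect_alerts(invoices):
    """Return (msg_id, reason) pairs for invoices that must not be paid
    until the beneficiary is confirmed out of band."""
    alerts = []
    first_seen = {}  # (sender, invoice_no) -> beneficiary on the first copy
    for inv in invoices:
        reasons = []
        known = VERIFIED_ACCOUNTS.get(inv.sender)
        if known is not None and inv.beneficiary not in known:
            reasons.append("beneficiary not on vendor's verified list")
        key = (inv.sender, inv.invoice_no)
        if key in first_seen and first_seen[key] != inv.beneficiary:
            reasons.append("same invoice number, different account")
        first_seen.setdefault(key, inv.beneficiary)
        if any(p in inv.body.lower() for p in REDIRECT_PHRASES):
            reasons.append("body asks to change payment instructions")
        if inv.reply_to and inv.reply_to.lower() != inv.sender.lower():
            reasons.append("Reply-To differs from From")
        if reasons:
            alerts.append((inv.msg_id, "; ".join(reasons)))
    return alerts


# Constructed sample: the real invoice, then the hijacked duplicate sent from
# the same mailbox (gallery case), then a closing notice whose Reply-To points
# at a lookalike domain (title-company case).
SAMPLE = [
    Invoice("m1", "gallery@example-art.test", "INV-2017-031", "GB00EXAMPLE00000001",
            "Invoice INV-2017-031 attached. Payment due in 30 days."),
    Invoice("m2", "gallery@example-art.test", "INV-2017-031", "LT00EXAMPLE00009999",
            "Please disregard the first invoice and wire payment to the "
            "account in the attached corrected invoice."),
    Invoice("m3", "escrow@example-title.test", "CLOSE-4471", "US00EXAMPLE00000042",
            "Closing funds for settlement on Friday; wire details attached.",
            reply_to="escrow@example-titIe.test"),  # capital I for l, constructed
]

if __name__ == "__main__":
    for msg_id, reason in payment_redirect_alerts(SAMPLE):
        print(f"HOLD {msg_id}: {reason}")
```

Anything the function flags is a hold, not proof of fraud; the resolving step is a call to a number already on file for the vendor, never one taken from the suspicious message.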