Both Assange and Snowden are apparently alive and well, despite Mossad-like agencies wishing otherwise, largely thanks to Tor; and Hamas, whose adversary was in fact the Mossad, apparently still exists. Hizbullah has hopefully taught us all a good lesson about supply-chain attacks.
Debian is probably the only example of a successful public public-key infrastructure, but SSH keys are a perfectly serviceable form of public-key infrastructure in everyday life. At least for developers.
Mickens's skepticism about security labels is, however, justified; the problems he identifies are why object-capability models seem more successful in practice.
I do agree that better passwords are a good idea, and, prior to the widespread deployment of malicious microphones, were adequate authentication for many purposes—if you can avoid being phished. My own secure password generator is http://canonical.org/~kragen/sw/netbook-misc-devel/bitwords...., and some of its modes are memorable correct-horse-battery-staple-type passwords. It's arguably slightly blasphemous, so you may be offended if you are an observant Hindu.
Neither Assange nor Snowden are a threat anymore. They are contained and have next to no ability anymore. So it would be a waste of resources to pursue them. The lackeys (police etc) are all that’s needed here to harass them and make their lives miserable. What’s Mossad going to do? Kill them with explosives? That takes all the fun out of torturing them and making their lives miserable by proxy.
The only thing I see is that both are contained and quarantined. The threat of both has been neutralized to the degree where I think the espionage agencies of all these countries are playing along together to keep the engine of their craft going uninterrupted without fuss.
In other words, you have to be gullible to think an embassy cares about protecting Assange. It’s a phone call from the secret service director saying “Keep him there for now, it’s where we want him.”
> prior to the widespread deployment of malicious microphones, were adequate authentication for many purposes
Can you elaborate on this? I don't understand the context for malicious microphones and how that affects secure passwords.
Oh, well, it turns out that keyboard sounds leak enough entropy to make it easy to attack even very strong passwords.
Microphones on devices such as Ring doorbell cameras are explicitly exfiltrating audio data out of your control whenever they're activated. Features like Alexa and Siri require, in some sense, 24/7 microphone activation, although normally that data isn't transmitted off-device except on explicit (vocal) user request. But that control is imposed by non-user-auditable device firmware that can be remotely updated at any time.
Finally, for a variety of reasons, it's becoming increasingly common to have a microphone active and transmitting data intentionally, often to public contexts like livestreaming video.
With the proliferation of such potentially vulnerable microphones in our daily lives, we should not rely too heavily on the secrecy of short strings that can easily leak through the audio channel.
Using a password manager is an easy and useful protection against audio leaks of passwords.
But this is an example of the kind of thing the OP is talking about. You're probably not at a very realistic risk of having your password hacked via audio exfiltrated from the Ring camera at your front door. Unless it's Mossad et al who want your password.
Like "you're probably not at a very realistic risk of having your phone wiretapped", this is overindexing on past experience—remember that until Room 641A commenced operations in 02003 (https://en.wikipedia.org/wiki/Room_641A), you weren't, and after it did, your phone was virtually guaranteed to be wiretapped. Similarly, you aren't at a very realistic risk of having your password hacked via audio, until someone is doing this to 80% of the people in the world. As far as we know, this hasn't happened yet, but it certainly will.
Why did you choose random’s SystemRandom rather than secrets?
What?
Oh, you mean PEP 506. I wrote this program in 02012, and PEP 506 wasn't written until 02015, didn't ship in a released Python until 3.6 in 02016, and even then was only available in Python 3, which I didn't use because it basically didn't work at the time.
PEP 506 is just 22 lines of code wrapping SystemRandom. There's no advantage over just using SystemRandom directly.
what is 02012 and why write it so strange?
Obviously it's octal and the person is a time traveler from the 11th century.
It's the long now foundation thing. The long now foundation encourages writing years with five digits to encourage readers to think about long term planning, to plan for a future of humanity that is measured in more than thousands of years.
https://en.wikipedia.org/wiki/Long_Now_Foundation
They want to feel like they matter in over 10k years from now, where a 4-digit year would start to wrap.
In fact that will be not even 8k years from now.
I’ll be very embarrassed when I’m still writing 9999 on my checks.
The idea that either of them are at risk of being whacked is utter tinfoil-hattery. The worst Snowden has to fear is being convicted and jailed, and it says a lot about him that he fled to Russia of all places instead of manning up and facing trial.
Snowden didn’t choose Russia as a destination. He left Hong Kong for Latin America and got stranded in Moscow when the U.S. revoked his passport mid-transit. He spent weeks in the airport transit zone while seeking asylum from multiple countries; Russia gave him temporary asylum after that.
“Manning up and facing trial” sounds fair in theory, but under the Espionage Act there’s no public-interest defense. He’d be barred from explaining motive or the public value of the disclosures, much of the case would be classified, and past national-security whistleblowers have faced severe penalties. That’s why he sought asylum.
It was the US that forced Snowden into Russia.
> ...Assange and Snowden...
I'd argue that for every Assange and Snowden, there are 100 (1k? 100k?) people using Tor for illegal, immoral, and otherwise terrible things. If you're OK with that, then sure, fine point.
> SSH keys
Heartbleed and Terrapin were both pretty brutal attacks on common PKI infra. It's definitely serviceable and very good, but vulnerabilities can go for forever without being noticed, and when they are found they're devastating.
Mickens was arguing that security was illusory, not, as you are, that it was subversive and immoral. My comments were directed at his point. I am not interested in your idea that it would be better for nobody to have any privacy.
> ...who non-ironically believes that Tor is used for things
besides drug deals and kidnapping plots.
That was the quote I was referring to. Also, of course I didn't say that no one should have any privacy; I simply implied a high moral cost for this particular form of privacy.
Continuously updated HTTP response dumps from all the major Tor hidden services: https://rnsaffn.com/zg4/
It is accurate to say that Tor's hidden service ecosystem is focused on drugs, ransomware, cryptocurrency, and sex crime.
However, there are other important things happening there. You can think of the crime as cover traffic to hide those important things. So it's all good.
Definitely some heinous-sounding stuff.
The third result was "FREE $FOO PORN" where $FOO was something that nearly the entire human race recognizes as deeply Not Okay and is illegal everywhere.
I wonder what % of the heinous-sounding sites are actually providing the things they say they are.
I'm sure that some (most?) of them actually offer heinous stuff. But surely some of them are honeypots run by law enforcement and some are just straight up scams. However, I have no sense of whether that percentage is 1% or 99%.
If you truly have a secure tool you won’t be able to control what your users do with it.
Never agreed with this logic. For a lot of people (anyone that does political activism of some sort for example) the threat model can be a lot more nuanced. It might not be Mossad or the CIA gunning for you, specifically, but it might police searching you and your friend's laptops or phones. It might be burglars targetting the office of the small organization you have and the small servers you have running there.
Yeah it's extremely immature, even within police agencies there's a huge variation on their ability to perform digital forensics. Furthermore, just because the feds don't like you for whatever reason doesn't mean they're going to deploy their top-of-the-line exploits against you, or detain and torture you, or whatever magic voodoo bullshit the author thinks the Mossad can do.
You did not write what you actually disagree with....
the maximalist false dillema of "all or nothing": either it's a super-poweful super-human agency and you can't do anything, else any half-measure is fine
The dichotomy between what average people(including political activists) can actually handle and stuff proposed by security researchers is real.
The idea that average people can't handle incremental improvements like a password manager, MFA, full disk encryption, etc is unhealthy infantilization of people who are entirely capable of understanding the concepts, the benefits, the risks they address, and appreciating the benefits of them.
Most people just don't care enough until after they're hacked, at which point they care just enough to wish they'd done something more previously, which is just shy of enough to start doing something differently going forward.
It's not that normies are too stupid figure this out, it's that they make risk accept decisions on risks they don't thoroughly understand or care enough about to want to understand. My personal observation is that the concept of even thinking about potential future technology risks at all (let alone considering changing behavior to mitigate those risks) seems to represent an almost an almost pathological level of proactive preparation to normies, the same way that preppers building bunkers with years of food and water storage look to the rest of us.
I do understand the concepts and exactly because of that I doubt I myself would be able of airtight opsec against any determined adversary, not even state-level one. I think it's humility, you think I infantilize myself lol.
I do use password manager and disk encryption, just for case of theft. Still feels like one stupid sleepy misclick away from losing stuff and no amount of MFAs or whatever is going to save me, they actually feel like added complexity which leads to mistakes.
The third mode is enabled by scale of data and compute. If enough data from enough sources is processed by enough compute, Mossad does not need to have a prior interest in you in order for you to fit a profile that they are interested in.
Anyone else see all the drones flying over a peaceful No Kings assembly?
I'm pretty sure his point was that security labels are a dead end.
(Have you ever attended an academic security conference like Usenix Security?)
Yep. While there might be some use cases for his ultra-simplistic "Mossad/not-Mossad duality" - say, convincing Bob Jones that "b0bj0nes" is not a great password - it's 99% fairy tale.
And even if the CIA/Mossad/NSA/whoever is "interested" in you - this is the era of mass surveillance. The chances that you're worth a Stuxnet level of effort is 0.000000001%. Vs. 99.999% chance that they'll happily hoover up your data, if you make it pretty easy for their automated systems to do that.
Also worth noting that Mossad/CIA/etc. are not monoliths. Maybe you got a top agent assigned to you, but maybe your file is on the desk of the Mossad's version of Hitchcock and Scully from Brooklyn 99.
> Yep. While there might be some use cases for his ultra-simplistic "Mossad/not-Mossad duality" - say, convincing Bob Jones that "b0bj0nes" is not a great password - it's 99% fairy tale.
Honestly, the oversimplification here reads to me more like something Bob Jones could use to justify not caring about "b0bj0nes" not being a great password.
I was thinking, "Bob, stop making excuses about how it's hopeless, and you'd need a 'U0hBNTEyICgvdmFyL2xvZy9tZXNzYWdlcykgPSBjNGU2NGM1MmI5MDhiYWU3MDU5NzdlMzUzZDlk'-level password to be safe. That 'b0bj0nes' is so easy that a bored kid might get it in a few dozen guesses, and you need to change it to something better."
That password should include symbols too! Without symbols, each character is one of 62 values (sticking to ASCII letters and digits). Including symbols makes it much harder to guess passwords of a given length. Even better would be Unicode letters, digits, and symbols, even if you stick to the Basic Multilingual Plane.
Best would be non-text, binary strings. Since I already use a password manager, I don't really need to type passwords by hand. But I do understand most people prefer text passwords that could be entered by hand if necessary.
Except that's exactly what the Mossad will be expecting us to use, for our uber-secure password! By eschewing symbols and binary, we are actually meta-out-smarting their ultimate giga-quantum nuclear crypto cracker.
Or: This is Bob "Dim Bulb" Jones we're talking to. KISS, and maybe we can convince him to upgrade his password to "iwantacoldbeernow".
“iwantacoldbeernow”
Sorry, your password does not meet complexity requirements because it does not contain at least one of each of the following: uppercase letters, lowercase letters, numeric digits, nonalphanumeric symbols.
“I want 1 cold beer now.”
Sorry, your password may not contain spaces.
“Iwant1coldbeernow.”
Sorry, your password is too long.
“Iwant1beernow.”
Sorry, your password is too long.
“1Beer?”
Sorry, your password is too short.
“Password1!”
Thank you. Your password has been changed.
I've always enjoyed Mikens' writing. He has a great sense of humor.
I like his using Mossad as the extreme. I guess "Mossad'd" is now a verb.
Remember, you don't have to be unhackable, just sufficiently unimportant to not be worth burning any novel capability on
I think people don't understand what this means either. the nation-state "agencies" that can and will get into your network/devices can do so because they would employ tactics like kidnapping and blackmailing a local telco field technician. or if it's your own government, they can show up with some police and tell them to do whatever and most will comply without even receiving a proper court order.
so unless you're worth all that trouble, you're really just trying to avoid being "low hanging fruit" compromised by some batch script probing known (and usually very old) vulnerabilities
plenty of big telcos push back to gub'mnt orders. they usually get a warrant.
or they just pay the $2100 per API call to download it from the telco or social media company.
it's not improper if you agreed to give a company the ability to sell your data to anyone -- the government is anyone, and they have the money.
Given that choice I'd rather choose to be unhackable.
So the advice would be for an activist to choose extremely boring forms of activism? ;)
If you're at that level where some powerful entity really takes an interest in you, you just have to operate as if you're always compromised, I think.
I like the "gray man" concept, but can't predict when you end up on the radar or why. As a young graduate student, I once wrote an article that rebuffed the government's "Total Information Awareness" trial balloon and suddenly found myself embroiled in much unexpected controversy, including some big name journalists e-mailing me and asking questions. You just never know when you stumble into something that you're not supposed to know about and what might happen.
I think the more important maxim to follow is this: if you didn't manufacture your own sillicon, you are infinitely more hackable than if you did.
Alas, no matter how hard we try to trust our compilers, we must also adopt methods to trust our foundries.
Oh, we don't have our own foundries?
Yeah, thats the real problem. Who owns the foundries?
Nah, if I manufactured my own silicon, I'd be infinitely more hackable than I am right now - just like if I wrote my own crypto code. 99.9999% of people are going to be more secure if they just rely on publicly accessible cryptography (and silicon). Otherwise you're just going to be making stupid mistakes that real cryptographers and security folks found and wrote defenses against three decades ago.
If you could make your own silicon, you could create a guild or a federation to audit it, and then your trust circle would be smaller and therefore safer.
>Otherwise you're just going to be making stupid mistakes that real cryptographers and security folks found and wrote defenses against three decades ago.
Yeah, thats the point, learn those same techniques, get it in the guild, and watch each others backs.
Rather than just 'trusting' some faceless war profiteers from the midst of an out of control military-industrial complex.
When has anybody ever been hacked via a foundry?
While having your own foundry is undoubtedly a good thing from the perspective of supply chain resiliency, if hacking is what you're worried about there are probably easier ways to mitigate (e.g. a bit more rigor in QC).
Roughly everybody you've ever met, 100% of the time.
There's a reason the NSA can get Intel CPUs without IME and you can't. Given the incentives and competence of the people involved, it's probably an intentional vulnerability that you can't escape because you don't fab your own chips. There's strong circumstantial evidence that Huawei got banned from selling their products in the US for doing the same thing. And the Crypto AG backdoor (in hardware but probably not in silicon) was probably central to a lot of 20th-century international relations, though that wasn't publicly known until much later.
And this is before we get into penny-ante malicious hardware like laser printer toner cartridges, carrier-locked cellphones, and HDMI copy protection.
No amount of QC is going to remove malicious hardware; at best, it can tell you it's there.
Not exactly what you're asking, but multiple CVEs have been found in Intel's Management Engine (ME) which have been used in spyware.
It might not be an intentional backdoor, but it very much seems designed with out-of-band access in mind, with the AMT remote management features and the fact that the network controller has DMA (this enables packet interception).
"When" is what we will likely never know, given the subterranean depth of trust and visibility there. Probably never...
Do you know what "your" CPU is doing? Do you really?
I always figured the spy crap was programmed right in to the chips themselves and the BIOS.
That's right, just keep your head down, smile and nod, do your job and nothing will ever go wrong. /s
A more charitable view would be to act like a zebra in a herd of zebra rather than a zebra in a herd of horses.
Charitable, but also privileged. Many people only have the option of looking like a cow in a cattle yard.
I don't think that's the interpretation, but make your computer systems disconnected from what you do.
If relevant adversaries don't know which computer to burn the exploit on, then they won't burn it on the right one.
You /s but this is actually valid advice for someone who just wants to get by in life and is content.
Do the bombs dropping in war zones avoid apolitical people? If not, when is the appropriate time to get sufficiently political to avoid having a bomb dropped on one's head?
"Keeping your head down" means not doing anything that would cause a government (especially your own) to want to disappear you.
If you vocally oppose your tyrannical government, you won't avoid a bomb on your head. In the best case you'll get a bullet through your head. Worst case, you spend a lifetime in a prison.
Very few individuals can influence whether or not bombs drop. The best way to avoid having bombs dropped on your head is moving to a place where fewer bombs are dropped.
But many people together, although none of them individually influencial enough, certainly can influence where bombs get dropped.
When you start successfully reaching many people you can be sure that security agencies will start watching you.
In areas where bombs are dropped there is generally a large majority in favor of stopping that, but they have little influence.
>someone who just wants to get by in life and is content
"It’s the reductionist approach to life: if you keep it small, you’ll keep it under control. If you don’t make any noise, the bogeyman won’t find you. But it’s all an illusion, because they die too, those people who roll up their spirits into tiny little balls so as to be safe. Safe?! From what? Life is always on the edge of death; narrow streets lead to the same place as wide avenues, and a little candle burns itself out just like a flaming torch does."
That's stupid. It's not all an illusion. The scale definitely matters. If you are buying stocks you can make a profit as a little guy that if the big guys tried to do it they would quickly become the "market maker" and the strategy would not scale up. It's the same with criminal activity or insurgency--small mosquitoes are ignored while the major threats get swatted hard.
True enough. I'm content as long as I don't hear the news anywhere. Recently had my dad over and he can't go 5 minutes without the news on in the background. Really hard to be content then.
Downvoted, but so much evil is caused by people due to their distorted yet sincerely believed moral virtues. Not due to an absence of morality but because of it. Whatever you have in your mind as the image of quintessential evil is probably caused by those people's sincerely held moral system, a moral system they believed in as strongly as you do yours. So people who just live their lives and do not grasp on external change are fine by me.
are you saying that you've downvoted me, or just pointing out that I've been downvoted? If the former, why?
Mine as well.
I have a fond memory of being at a party where someone had the idea to do dramatic readings of various Mickens Usenix papers. Even just doing partial readings, it was slow going, lots of pauses to recover from overwhelming laughter. When the reading of The Slow Winter got to "THE MAGMA PEOPLE ARE WAITING FOR OUR MISTAKES", we had to stop because someone had laughed so hard they threw up. Not in an awful way, but enough to give us a pause in the action, and to decide we couldn't go on.
Good times.
Sounds like you found nerd heaven. I couldn't imagine a situation like yours in my world! :)
Bit of an aside, but I'm wondering in what city this was in.
I'm going to be job hunting soon and I was planning to prioritize the Bay Area because that's the only place I've encountered a decent density of people like this, but maybe I'm setting my sights too short.
Houston, Texas.
There are nerds everywhere.
> [...] it’s pretty clear that compilers are a thing of the past, and the next generation of processors will run English-level pseudocode directly.
hilarious AND scary levels of prescient writing...
Where does this deification of Mossad come from anyways? They've done a lot more than western intel agencies post cold war but that's absolutely come with failures just like every other intel agency in existence.
The 4096 bits just stops it being so easy to surveil you that it is hyper-automated. So there is some use. The $5 wrench needs a million dollar operation to get that guy to your house.
Depends how strong the protections of your civil society is, but it doesn't cost $1m to send a goon with a crowbar or shotgun. Sure that doesn't scale, but if you are a target you're screwed
The $1m is the stuff they did to the point where they knew where to send the goon.
If you are a target you are screwed. But clever crypto isn't useless.
Probably used to average over $1m. Nowadays, those operations (polonium, novachuk, expending expensive KGB resources) send a signal. Otherwise, swatting your home while they drain your wallets; or threatening to swat; quite inexpensive.
Oh come on, that's way over budget! Every time I managed such an operation, we'd just rent a van and... uh, I mean, um, I heard it costs less.
<NO CARRIER>
Its a million dollars to the defense contractor who lobbies for more wrench attacks.
this is why you need a fake password that provides access to fake content that looks like the real content
It's hilarious, but the hilarity gets in the way of recognizing how much insight there is also there. It makes serious points. This part about the Mossad is especially astonishing given the pager attack:
> If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO
ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone
It's like a Mossad agent read this paper and thought hey that's actually not a bad idea.
But the core rant is about dubious assumptions in academic cryptography papers. I was also reading a lot of academic crypto papers in 2014, and the assumptions got old real fast. Mickens mocks these ideas:
• "There are heroes and villains with fantastic (yet oddly constrained) powers". Totally standard way to get a paper published. Especially annoying were the mathematical proofs that sound rigorous to outsiders but quietly assume that the adversary just can't/won't solve a certain kind of equation, because it would be inconvenient to prove the scheme secure if they did. Or the "exploits" that only worked if nobody had upgraded their software stack for five years. Or the systems that assume a perfect implementation with no way to recover if anything goes wrong.
• "you could enlist a well-known technology company to [run a PKI], but this would offend the refined aesthetics of the vaguely Marxist but comfortably bourgeoisie hacker community who wants everything to be decentralized", lol. This got really tiresome when I worked on Bitcoin. Lots of semi-technical people who had never run any large system constantly attacking every plausible design of implementable complexity because it wasn't decentralized enough for their tastes, sometimes not even proposing anything better.
• "These [social networks] are not the best people in the history of people, yet somehow, I am supposed to stitch these clowns into a rich cryptographic tapestry that supports key revocation and verifiable audit trails" - another variant of believing decentralized cryptography and PKI is easy.
He also talks about security labels like in SELinux but I never read those papers. I think Mickens used humor to try and get people talking about some of the bad patterns in academic cryptography, but if you want a more serious paper that makes some similar points there's one here:
https://eprint.iacr.org/2019/1336.pdf
> Lots of semi-technical people who had never run any large system constantly attacking every plausible design of implementable complexity because it wasn't decentralized enough for their tastes, sometimes not even proposing anything better.
And for added fun, that same radical decentralization crowd, finally settling on the extremely centralized Lightning crutch, which is not only centralized but also computationally over complicated and buggy.
> going to use a drone to replace your cellphone with a piece of uranium
That's assuming they can figure out who you are in the first place. My pipe dream for the internet (that I thought we were getting way back in the 90's) is total anonymity. You can say whatever you like about the mossad, or the NSA or the KGB or whatever you like, and they'll never be able to figure out whose cellphone to replace with a piece of uranium.
We have the technology to make it happen (thanks to the paranoid security researchers!) just not the collective will to allow it.
If you think the bots and bad actors are bad now...
The biggest social challenge to this is astro-turfing, from my own point of view. Even total anonymity with proof of work doesn't solve the problem. Like the idea we want is that people can speak truth to power. But total anonymity makes it quite difficult to figure out if its power speaking lies to create a false perception of the truth.
I mean go read 4chan, a place where there is something like total anonymity. Those people are constantly imagining that half the comments on the site are generated by intelligence agencies and, who knows, maybe they are right? I really do wonder if there is any way to reap the rewards of total anonymity without the poison of bad actors.
I'm somewhat moderate on the issue from a practical point of view. I think citizens have a right to some sort of reasonable privacy and I don't think laws which try to regulate the technical mechanisms by which we can have it make sense, no matter how evil the use of the technology is. But I don't think that, in the end, it is beyond the remit of authority to snoop with, for example, a court order, and the means to do so. I expect authority to abuse power, but I don't think that technological solutions can prevent that. Only a vigilant citizenry can do it.
It is kinda funny, but cost and benefit analysis is not foreign even to Mossad. Mossad would prefer quite a few people's data stolen, but they are not going to carry out a black abroad for most of them.
> you could enlist a well-known technology company to [run a PKI],
If you have a single company, then that's easy enough for a group like Mossad to infiltrate. Probably easier than a distributed system.
The best known PKI (webtrust) is many companies, not a single company. So it's distributed but that makes it easier to hack not harder because you have many possible targets instead of just one.
I see this on reddit a lot in self hosting context.
The range of things people do on security is wild. Everything from publicly expose everything and pray the apps login function some random threw together is solid to elaborate intrusion detection systems.
The point about the lay person not needing massive parallelism was very true, until it was not :D
Not sure what audience he is talking to. Experts deal with a lot more issues that sit between choosing a good password + not falling for phishing and "giving up because mossad". The terminology that he sprinkles about suggests the audience is experts.
The article actually addresses this -- that all these extra issues are not manageable for mere mortals anyway and/or perfectly spherical cows are involved.
It does not. It just invents a bunch of straw men, and then mocks them.
Literally what you are doing with the article right now.
Mickens essays are always a good read
Security is a problem caused by ownership of some usefulness. Sometimes solution can be around addressing these two causes.
Do you have a concrete example?
Do not have concentrated usefulness and do not have concentrated ownership.
When we need him the most (a world overrun in llms and AI slop) it seems like he's vanished...
I think the central premise is a "wrong". The "point" of science isn't really to do useful things. Framing things from that angle is in subtle ways dangerous bc that shouldnt be part of the incentive structure.
you dont understand the mating behaviors of naked mole rats bc of some sense of "usefulness". Its just an investigation of nature and how things work. The usefulness comes out unexpectedly. Like you find out naked mole are actually maybe biologically immortal
You should just find interesting phenomena and invetigate. Capitalism figures out the usefulness side of things
Yeah, Science shouldn't be concerned with usefulness, just like Art. It's the application of those fields which should concern itself with usefulness i.e. applied science, engineering, design etc. I'm not saying that scientific research shouldn't be carried out by companies with specific goals in mind, just that it shouldn't be the expected default.
The Mossad part is a very silly element of the text. Many organizations have to defend against US intelligence, Israeli intelligence etc., and I'm sure, that they, with the exception of some very terrible countries with a lot of incompetence or full of disloyal people likely to become infiltrators, are quite successful.
Actual security is possible even against the most powerful and determined adversaries, and it's possible even for you.
Well, data security. Right up until the wetware is included.
I think, a lot of people imagine these people as very capable, and they think of things like those pagers etc., but when I think of them I think of the Lillehammer affair and a bunch of other similarly silly business, so I'm much less impressed with them, feeling that they're basically silly people.
There's so many cock-ups etc. that you can read about Wikipedia that I don't understand why people hold these people highly and imagine them to be so able. They simply aren't.
Another example of power resides where men believe it resides.
Americans are just very scared of Mossad. Tons of money goes into Holywood to make them appear invincible to the world. Fun fact, they aren't.
Intelligence agencies have great capabilities no doubt they get billions of $$$ and have utter immunity to do whatever they want in the name of national security. Why is only Mossad scary? I'd be more scared of the CIA and KGB than of Mossad.
US has never been in existential threat like Israel has been, if it were I wouldn't want to stand in their way.
> Americans are just very scared of Mossad. Tons of money goes into Holywood to make them appear invincible to the world.
I don't believe I've ever seen Mossad depicted in a Hollywood movie? I guess there was Munich. Are there specific movies/TV shows that you're thinking of?
Americans, by and large, don't even think about Mossad. Certainly not the way they're aware of the CIA and KGB - which no one should be scared of at the moment since it hasn't existed since 1991, though obviously there are modern successors.
> Are there specific movies/TV shows that you're thinking of?
Not GP, but NCIS is the big one offhand. Of course that show has simply gotten more and more ridiculous on general over the years
Ah, very Germanic tactics against some Mediterranean foe. Us, Southern Mediterranean/half Atlantic guys, we have it easier. We would just put fake data, hints and traces untl they get mad and paranoid between themselves, we are experts on that since forever.
Also, the Southern part of the country (which I am pretty much not related culturally at least on folklore and tons of customs) managed to bribe even the Russian mafias. They were that crazy, it's like a force of nature. OFC don't try backstabbing back these kind of people, some 'folklorical' people are pretty much clan/family based (even more than the Southern Italians) and they will kick your ass back in the most unexpected, random and non-spectacular way ever, pretty much the opposite of the Mexican cartels where they love to do showoff and displays. No, the Southern Iberians are something else, mixed along Atlantics and Mediterranean people since millenia and they know all the tricks, either from the Brits/Germanics to Levantine Semitic foes...
You won't expect it. You are like some Mossad random Levi, roaming around, and you just met some nice middle aged woman on a stereotyped familiar bar where the alleged ties to some clan must be nearly zero, and the day after some crazy Islamic terrorist wacko with ties to drug cartels will try to stab you some Sunday in the morning and he might try to succeed with the dumbest and cheapest way ever.
No, is not an exaggeration. We might not be Italy, but don't try to mess up with some kind of people. My country is not Mafia-bound, but criminal cartels, mafias and OFC some terror groups from the Magreb (and these bound to the Middle East ones) have deals with each other because of, you know, weapons and money. And Marbella it's pretty much a hub.
This explains a lot about Argentina.
Half of Iberians can't stand the rascal (picaresca) tradition from the other half. Specially the heavy industrialized North.
We are not as divided as Italy, as Spain has powerhouses in the South as Airbus and the like, but, yes, there's a 'climatological gap' between the different 'Spains' across the mountains.
Not Ethnics, but kinda like what would happen in Italy if the North wasn't as developed (the North of Spain isn't bad but you can't compare it against the Franco-German-Austrian-Italian industrial hub) and the South had their Mafias shut down in the 19th century and if they were more developed than they are compared to the Southern Spain.
The South here isn't a shithole as Napoli and the like but some Andalusian coastal places can be far more dangerous than the Basque Country/Navarre in the 80's (terror attacks) for a policeman.
OTOH, Belgium it's far closer to be a Narcostate than some microrregions in Spain such as Algeciras in Cádiz (Andalusia) were you can read about the Militarized Police fighting drug boats almost as a daily chore.
On Argentina, except for a die hard Ghetto like the '3000 viviendas' and Cañada Real, every Argentinian would love to stay in Spain even at the worst neighbourhood at their town. Iberia it's far more secure than Latin America by a huge margin.
The most dangerous issue on any bad town would be either a pickpocket/non-violent rob of watching some low tier drug dealers doing their stuff and maybe some very late night rape issue over months if not years. Far less than anything you would get in Buenos Aires.
Unless, as I said, you really want to mess up your like with some sketchy people, the ones you would spot from meters away, especially in remote/nearly hidden taverns/pubs where drug dealing it's widely known.
For example, if some pub it's accesed by walking down some stairs into a basement, (where you can't see anything from the outside without going down); even if it looks good, clean, modern, maintained... run away.
> On Argentina, except for a die hard Ghetto like the '3000 viviendas' and Cañada Real, every Argentinian would love to stay in Spain even at the worst neighbourhood at their town. Iberia it's far more secure than Latin America by a huge margin.
https://en.wikipedia.org/wiki/List_of_countries_by_intention... lists Argentina at 4.31 murders per 100k population per year, a bit lower than the US's 5.76, while Spain is way down at 0.69, so I think that's sort of true. 6× is sort of "a huge margin". I'm pretty sure there are neighborhoods in Argentina that are lower than 0.69, though, and neighborhoods in Spain that are over 4.31.
On the other hand, 4.31 is already low enough that I don't know anybody who's gotten murdered, although when I volunteered in the die-hard ghettos I met people whose children had been murdered before I met them. In https://en.wikipedia.org/wiki/List_of_countries_by_mortality... we can see that Argentina's crude death rate is 728 deaths per 100k population per year, so 99.4% of deaths are from non-murder causes. If you somehow acquired immunity to all causes of deaths other than murder, and you lived in 02025 Argentina until someone murdered you (through some kind of time-travel Groundhog Day thing, I guess) your life expectancy would be 23000 years. Real-life people who get heart disease and cancer don't really need to worry about getting murdered in Argentina unless they start dating a machista.
Consequently, murder is not a major reason that people leave Argentina. (Contrast Honduras at 31.4 murders; Belize with 27.8; South Africa with 45.5; Memphis, Tennessee, with 48.0; or St. Louis, Missouri, with 87.8.)
No, the reason every Argentinian would love to stay in Spain is that Spain has an economy.
I think fighting Israel is kind of a glimpse into what trying to fight a malevolent AGI will be like.
Expect to lose in highly surprising ways.
I don't know, driving a big truck into AWS' us-east-1 power supply section sounds more than enough to take down internet for a while.
ITT: we've never spent time around ashburn va data centers.
most have big heavy barriers and multiple bollards and fences. some of the reston va data centers have big glorious planters out front and weird angles to walk up to the mantrap -- to prevent trucks from driving through. the generators usually have some sort of fence or bollards, and most are on multiple power sources from the local and airport grids.
source: used to manage nova data centers and did plenty of attack surface mapping. the truck-through-front-door approach is consistently considered.
Of course, but that's the point. Actual AGI wouldn't need to limit itself pointlessly in ways that would make it obvious to every internet rando how to hit it. Just as you cannot kill an intelligence agency with a single strike, it could distribute itself over many secret locations.
I would hope that data centre has multiple power supplies from multiple locations - as well as UPS and on site generators, certainly mine do.
However given AWS is so complex (which is required because they want to be a gatekeeping platform) leading the uptime to struggle to match a decent home setup, I'm not sure. I'm sure there's no 6 figure bonus for checking the generators are working, but a rounded corner on a button on an admin page?
this guy's stuff reads like word salad and people lap it up. I've never understood why.
He wrote quirky internet humor before it was mainstream, in fact he's a victim of his own success - when this article came out this would've been considered funny and witty writing, but has become tired and derivative enough today to provoke a negative reaction.
Despite word salad it is entertaining and the core message is valid
Because it's a funny rant.
Very true, unfortunately there's no password strong enough to stop Malaysian Airlines ground crew from loading a pallet full of Mossad-rigged walkie talkies on my flight from Kuala Lumpur to Beijing via conveniently-placed-NATO-AWACS-infested airspace.
2FA isn't going to protect me from cruising altitude walkie talkie detonation and having the debris scattered over an impossibly wide area.
I guess the best thing to do is not take an airline of a country that has recently showed public support for Gaza specifically during a humanitarian visit in the months prior to my flight.
Thankfully none of this is true and everything the mainstream media and governments tell us are true - imagine if things weren't as they seemed?.. Craziness... Back to my password manager!
Then how it's possible Mossad didn't know about what had happened on 7 October 2023?
The same way the US didn't know about 9/11. Intelligence failures.
(Portions of the US intelligence apparatus knew, but that knowledge didn't transition into action)
Israel's intelligence services (not Mossad) did collect valid signals, such as sim cards in Gaza being swapped out for Israel sim cards, but it was ignored as another false positive. What the public don't see are all the false positives (like many drills for an attack that don't materialize) that drown out valid signals when the attack is actually going to happen. There's also hesitancy to act on signals because drills are used to expose intelligence.
It's one of the many asymmetries that changes when you are the defender versus the attacker. As the defender, you have to be right 100% of the time. As the attacker, you have the luxury of being right only 30% of the time. The law of large numbers is on the side of the attacker. This applies to missile offense/defense and to usage of intelligence.
This information asymmetry is also one of the key drivers of the security dilemma, which in turn causes arms races and conflict. The defender knows they can't be perfect all the time, so they have an incentive to preemptively attack if the probability of future problems based on their assessment of current information is high enough.
In the case of Gaza there was also an assessment that Hamas were deterred, which were the tinted glasses through which signals were assessed. Israel also assumed a certain shape of an attack, and the minimal mobilisation of Hamas did not fit that expected template. So the intelligence failure was also a failure in security doctrine and institutional culture. The following principles need to be reinforced: (i) don't assume the best, (ii) don't expect rationality and assume a rival is deterred even if they should be, (iii) intention causes action, believe a rival when they say they want to do X instead of projecting your own worldview onto them, (iv) don't become fixated on a particular scenario, keep the distribution (scenario analyses) broad
> As the attacker, you have the luxury of being right only 30% of the time.
Interesting number you suggested. That's a pretty normal success rate for a carnivore attacking prey.
Avoiding a car accident has a low cost, you just have to take it slowly and be 1 min late to your meeting or whatever, but deciding wether you should attack first based on a small suspicion, that a hell of a problem, because if you're wrong, you're seen as the bad guy. And maybe even if you're right and can't prove it.
> because if you're wrong, you're seen as the bad guy. And maybe even if you're right and can't prove it.
An example of this is France cutting off all support after Israel's initiation of the Six Day War, which followed signals such as Egypt massing troops on the border. The problem for Israel was the lack of strategic depth combined with the geographical low ground, which creates these hair trigger scenarios with no room for error, reducing the threshold to act preemptively. The more abstract problem was the absence of a hegemon in the late 20th century that had security control over West Asia, which is a necessary and sufficient condition for resolving the security dilemma.
Actually Gaza and the West Bank are handled by the "Shabak" agency which is the equivalent of the FBI while the "Mossad" agency is only for foreign operations and is equivalent to the CIA
And asking how did they miss something is like asking how come AWS has downtime. But I'm sure you could come to this conclusion on your own if you didn't really want the answer to be something else.
And the article is a huge rant about why security people are stupid for worrying about the most clearly implausible shit ever.
a. I am too lazy to search but they probably did, the problem was what was done with the information. Same with 8200 the all mighty signal intelligence corps
b. The Mossad is the equivalent of the CIA, they are not meant to act inside Israel
> b. The Mossad is the equivalent of the CIA, they are not meant to act inside Israel
For that purpose is Gaza inside or not inside Israel?
Shin Bet (Israeli internal security service) have an Arab desk that covers the West Bank & Gaza.
Israel would probably dispute it, but for most of the world Gaza in relation to Israel is "abroad" and not "domestic".
Domestic intel = Shin Bet, not Mossad
This is exactly the type of comment that will get you mossad'd.
ok I'll keep you updated, but I don't own any real estate they could "de-Hamasify"
Lack of omniscience, infinite computing power, and yottabyte storage facilities?
Dunno, Microsoft was quite generous with their cloud plan.
Maybe they did but it was permitted to happen to provide the pretext to expand those Greater Israel borders.
They didn't know about Hannibal Directive Celebration Day? Who told you that?
They didn't know about the pretense they wanted to spend the following 2+ years making unlimited fallacious justifications for committing a live-streamed holocaust of children? Who told you that?
If your adversary is a state intelligence agency, you're probably a high ranking politician and a boomer who is clueless about computers, and has demonstrably terrible opsec, either through government incompetence of your own agencies, or not following the terribly cumbersome opsec procedures, either because of inconvenience, the policies being terrible or sheer incompetence.
The amount of examples we've seen of this is staggering.
That sounds like an elected legislator, not like the kind of person with close access to compartmentalized info. And its the form of a leak of policy or some covert program; details which could also be bought; so it’s called “retail” compared with systematic.
I think saying that people like Hillary Clinton, Trump, Biden or Bolton didn't have access to highly sensitive information is not a reasonable stance (and those are just the ones we know about).
It’s good that no one is arguing that. But your argument isn’t strong. You’re saying that numbers matter. Those kinds of people go in and out of SCIFs. If they belch a secret at lunch, maybe it has lobbying implications, but it wasn’t compartmentalized. It can even be disinfo.
The real ROI is to land a Jonathan Pollard. Not even a million Hegseths can leak enough info to collect into one Pollard.
This all seemed very clever until I read the bio and learned that the author works for Microsoft -- the last company that has any business being flip about security. Bro needs to STFU and get on with the security drudgery, because his customer's opposition very definitely is the Mossad.
Despite his somewhat annoying style, that article has many good points about the aloofness of security researchers. However, I will disagree on two points which the article contains:
1. Tor is (rightly) used by anyone who has a good reason for remaining anonymous. (See [REALNAMES] for who this can be.) Anyone trying to smear Tor as only used by drug dealers and other unsavory types are themselves suspect of having an agenda of discouraging Tor use for anyone lest they be suspected. This can only lead to an installation of Tor being viewed as a suspicious thing in itself; who would want that?
2. His threat model of Mossad or not-Mossad leaves out one important actor, which we can call the NSA. They, and others like them, unlike Mossad, are not after you personally in that they don't want to do anything to you. Not immediately. Not now. They simply want to get to know you better. They are gathering information. All the information. What you do, what you buy, how you vote, what you think. And they want to do this to everybody, all the time. This might or not bite you in the future. He seems to imply that since nothing immediately bad is happening by using slightly bad security, then it’s OK and we shouldn’t worry about it, since Mossad is not after us. I think that we should have a slightly longer view of what allowing NSA (et al.) to know everything about everybody would mean, and who NSA could some day give this information to, and what those people could do with the information. You have to think a few steps ahead to realize the danger.
[REALNAMES] Who is harmed by a "Real Names" policy? <https://geekfeminism.fandom.com/wiki/Who_is_harmed_by_a_%22R...>
(Repost of <https://news.ycombinator.com/item?id=23572778>)
honestly I find any idiosyncratic style refreshing in AI slop world