Posts by jschuh@infosec.exchange
 (DIR) Post #ASaowQr7cPcADAKtU0 by jschuh@infosec.exchange
       2023-02-12T04:45:34Z
       
       3 likes, 2 repeats
       
       I was looking to add some flush mount LED fixtures, and since COB LED arrays are so cheap I was wondering why they don't just add in red LEDs that get mixed in at lower dimming levels. It just seemed like such an obvious way to duplicate how natural light sources work.
       
       Turns out it's patented until at least 2036*, meaning that they do exist and only Philips seems to be able to legally make them. So, they're much more expensive and don't come in the form-factor I need anyway.
       
       The patent system is so dumb.
       
       * https://patents.google.com/patent/WO2016160798A1
       
 (DIR) Post #ASe1FLMU3GVxb7fXua by jschuh@infosec.exchange
       2023-02-13T16:32:02Z
       
       0 likes, 0 repeats
       
       Not looking forward to what happens when SEO, content farms, etc. all start targeting search engines with hastily integrated LLMs like ChatGPT. I expect it's gonna get pretty ugly.
       
 (DIR) Post #ATWXX3IgJDcI5cTIMC by jschuh@infosec.exchange
       2023-03-12T01:19:52Z
       
       0 likes, 0 repeats
       
       @alex Fair point that they didn't do anything fraudulent or crazy, but they were among the group of banks that successfully lobbied to have the stress test limits raised from $100bn to $250bn a few years ago. None of us can know if compliance with those stress tests would have prevented this, but it sure is the kind of thing that would have required them to maintain more liquidity and just hedge more carefully in general.
       
       BTW, I still want to see the FDIC put forth a public plan early next week, where banking customers are made whole (or as close to whole as reasonably possible). I just think it's also fair to say that SVB knowingly flew a bit closer to the sun than was safe, and that's why their wings melted.
       
 (DIR) Post #ATXzAJqvaqaidkOlGa by jschuh@infosec.exchange
       2023-03-12T16:36:21Z
       
       0 likes, 0 repeats
       
       TBH I'm surprised that no one offers a B2B service to conveniently distribute funds across multiple FDIC insured accounts. Way back when I was a consultant I pentested/audited a few of these systems, so I know they exist and are used by big companies. Just seems like a pretty obvious business idea.
       
 (DIR) Post #ATXzAKuVf13Bv958UK by jschuh@infosec.exchange
       2023-03-12T17:13:50Z
       
       0 likes, 0 repeats
       
       @Viss As a standard package, or as more of a boutique thing? Because I'm not surprised that accounting firms will provide the service (I assume at a non-negligible price), but I'm just wondering why there aren't already businesses just doing this as a low-margin, high-volume, standalone service.
       
 (DIR) Post #ATXzALqICBGsoM7HYO by jschuh@infosec.exchange
       2023-03-12T17:45:54Z
       
       0 likes, 0 repeats
       
       @Viss I went searching around the last few days and couldn't find anything publicly advertised. Although, I wouldn't be surprised if all of a sudden a bunch of new startups pop up offering this sort of thing.
       
       The systems I looked at ~20 years ago appeared to use any FDIC insured bank that had an e-banking API. We're talking about thousands of banks of all sizes, spread out across the country. Seems like building something to tap that for SMBs would be a really good thing, and could also work out great for a ton of smaller regional banks.
       
 (DIR) Post #ATXzfEAKmsZHymDJWS by jschuh@infosec.exchange
       2023-03-12T18:09:42Z
       
       0 likes, 0 repeats
       
       @alex @Viss Yes! That's exactly what I was looking for. It had just been so long that I had no idea what the correct name was for it, and none of my searches were turning up anything useful.
       
 (DIR) Post #AUcW56UlavEv9K8EuO by jschuh@infosec.exchange
       2023-04-13T15:34:05Z
       
       0 likes, 0 repeats
       
       @mmasnick I think we all know this needs an aggressive police response to the threat of violent tech crime: employ strict curfews, stop and frisk, and probably a tech focused police task force.
       
       This has to be full on broken windows policing. If you see a group of tech execs congregating anywhere they could potentially commit a crime—street corners, bars, convention centers, conference rooms—then you need to call the cops to come and break that up. We need to take this seriously, lest our cities be taken over by a wave of tech on tech crime.
       
 (DIR) Post #AUeOb24HBCsvMsNIVE by jschuh@infosec.exchange
       2023-04-14T18:09:22Z
       
       0 likes, 0 repeats
       
       @lauren This is all pretty normal and predictable. When we'd get reservists we'd give them basic clerical work, because there's not much else to do with someone who shows up for a few weeks and then you never see again. But clerical stuff in a SCIF is still gonna require a JWICS terminal, and based on the blanket compartments I've seen in the news reports, all of the stuff he shared would have been readily available to anyone on JWICS.
       
 (DIR) Post #AUeUbsrTUhMUpTAzUe by jschuh@infosec.exchange
       2023-04-14T19:02:26Z
       
       0 likes, 0 repeats
       
       @Popehat @mmasnick @nilay_patel I feel like I get it. From my own experience the worst thing that can come out of this kind of interview is to get pinned down saying something that turns into a really bad headline. So, he just stuck to the canned line that the lawyers and PR cooked up.
       
       The thing is that it's really not very hard to avoid getting pinned down without completely faceplanting like he did. But that would require being at least somewhat versed in trust and safety concerns, and being able to point to some actual efforts Substack is making in that space. IMHO the complete failure at that is why this interview was so bad. Because it reinforces all the other evidence that Substack is simply ignoring trust and safety almost entirely as a concern.
       
 (DIR) Post #AUiBjF2QJrf78fvqoC by jschuh@infosec.exchange
       2023-04-16T13:58:35Z
       
       0 likes, 0 repeats
       
       @lcamtuf I give it two weeks max before I have to start ignoring headlines about the Linux Black Mercy.
       
 (DIR) Post #AVlgqs8JNQ2sCCKMQy by jschuh@infosec.exchange
       2023-05-18T04:29:01Z
       
       0 likes, 0 repeats
       
       @lauren These settings aren't Google advertising preferences. They're browser settings for a collection of open standard, privacy preserving APIs that are available to any site. And once they're stable they'll default to being on because they're vastly more privacy preserving than the existing things that they're replacing (i.e. 3p cookies and other Web APIs that are being removed).
       
       To briefly summarize each one:
       
       Ad topics - This replaces 3p cookie based interest tracking, which currently works by having every advertiser plant tracking cookies on every site they can as they try to reconstruct your entire browsing history to infer your interests. The Topics API instead runs a model over your local browsing history (entirely on-device) that maps to a set of ~350 likely topics. A site requesting your topic list may receive up to three topics that were highly ranked by the model (contingent on your settings, k-anonymity thresholds, etc.).
       
       Site-suggested ads - Replaces unrestricted 3p cookie based remarketing ads with FLEDGE and fencedframes, which dramatically limits the granularity of targeting and limits the ad's communication with its server unless the user interacts with it.
       
       Ad measurement - This replaces 3p cookie and URL decoration based attribution with the Attribution Reporting API, which provides privacy protections both by narrowly scoping the data that can be sent and by using blinding intermediaries. This one isn't even personalization; it's literally how advertisers measure the clicks that they get paid for.
       
       FWIW, Privacy Sandbox was the big project I led in my last few years at Google, and the whole point of it was to dramatically improve privacy on the Web without killing the things that actually fund most of the content on the Web. I never really cared about the ad haters. I just cared about making the Web safer.
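
       As an added illustration (not code from the post, from Chrome, or from the Privacy Sandbox project), the toy model below shows the Topics API selection logic the post summarizes: topics are derived on-device from the hostnames visited in each weekly epoch, and a calling script gets at most one topic per epoch for the last three epochs, and only a topic it was itself embedded alongside during that epoch. The "5 topics per epoch" and "3 epochs" figures, the hostname-to-topic table, and the sample history are assumptions and constructed data; the real browser randomizes the per-epoch pick, which is replaced here by the top-ranked topic to keep results deterministic.

```javascript
// Constructed stand-in for the on-device classifier: hostname -> topic.
// (The real taxonomy has ~350 topics; four are enough to show the mechanics.)
const HOST_TO_TOPIC = {
  'scores.example':  'Sports',
  'league.example':  'Sports',
  'daily.example':   'News',
  'recipes.example': 'Cooking',
  'bank.example':    null,      // unclassified site: contributes no topic
};

const TOP_N_PER_EPOCH = 5;  // assumed: top 5 topics retained per weekly epoch
const EPOCHS_RETURNED = 3;  // assumed: at most one topic per epoch, last 3 epochs

function classifyHost(host) {
  return HOST_TO_TOPIC[host] ?? null;
}

// Rank the topics seen in one epoch by visit count (ties broken by name).
function rankEpochTopics(visits) {
  const counts = new Map();
  for (const { host } of visits) {
    const topic = classifyHost(host);
    if (topic) counts.set(topic, (counts.get(topic) ?? 0) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .slice(0, TOP_N_PER_EPOCH)
    .map(([topic]) => topic);
}

// Was `caller` embedded on a page in this epoch whose host maps to `topic`?
function callerObservedTopic(visits, caller, topic) {
  return visits.some(v => v.callers.includes(caller) && classifyHost(v.host) === topic);
}

// Simulated document.browsingTopics() as seen by `caller`. `history` is
// oldest-first; each epoch is a list of {host, callers} page visits, where
// `callers` lists the third-party scripts present on that page.
function browsingTopicsFor(history, caller) {
  const out = [];
  for (const visits of history.slice(-EPOCHS_RETURNED)) {
    const ranked = rankEpochTopics(visits);
    if (ranked.length === 0) continue;
    const pick = ranked[0];  // simplification: real browser picks at random
    // Key privacy property: a caller only learns a topic it already witnessed,
    // so it cannot learn about sites it was never loaded on.
    if (callerObservedTopic(visits, caller, pick) && !out.includes(pick)) out.push(pick);
  }
  return out;
}

// Constructed sample history: four weekly epochs, oldest first.
const SAMPLE_HISTORY = [
  [ { host: 'recipes.example', callers: ['ads.example'] } ],           // week 1: too old
  [ { host: 'scores.example',  callers: ['ads.example'] },
    { host: 'league.example',  callers: [] },
    { host: 'daily.example',   callers: ['ads.example'] } ],           // week 2: Sports
  [ { host: 'daily.example',   callers: ['other-ads.example'] },
    { host: 'bank.example',    callers: ['ads.example'] } ],           // week 3: News
  [ { host: 'daily.example',   callers: ['ads.example'] },
    { host: 'scores.example',  callers: ['ads.example'] } ],           // week 4: tie -> News
];

console.log(browsingTopicsFor(SAMPLE_HISTORY, 'ads.example'));        // [ 'Sports', 'News' ]
console.log(browsingTopicsFor(SAMPLE_HISTORY, 'other-ads.example'));  // [ 'News' ]
```

       Note that ads.example gets nothing from week 3 (it was only present on an unclassified site) and nothing from week 1 (outside the window), even though it was present on a Cooking site then.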
       
 (DIR) Post #AVmfKcUi51t1d8oyDQ by jschuh@infosec.exchange
       2023-05-18T15:46:39Z
       
       0 likes, 0 repeats
       
       @lauren I know your background, but my perspective here is that I was literally the executive responsible for Privacy Sandbox until March 2021. I juggled all the constituencies, externally and internally all the way up to Sundar. And I'm telling you that 3p cookies etc. can't be removed until these APIs are on by default. And there's no privacy improvement by introducing the new APIs unless the old ones are removed.
       
       Just read the last two years of the UK CMA's reports on the Privacy Sandbox¹; because those reflect the broader consensus of regulators and Google's ad tech competitors. They're generally positive about the privacy properties, but their major concern is that Google has a unique 1p data position and could use 3p data blocking to kill off its competition in Web ads. So, there will be a torrent of lawsuits and regulatory injunctions if Chrome blocks 3p tracking before these APIs are on by default and performing comparably to the 3p cookies of today.
       
       Again, I'm not dismissing your decades of experience in security and privacy, but I would ask that you not do so for mine either—which includes over a decade working on these exact issues in Chrome and the Web platform. I'd also suggest that maybe the years I spent directly responsible for the Privacy Sandbox give me better insight into the concerns than what can be gleaned from expertise alone (regardless how extensive that expertise is).
       
       ¹ https://www.gov.uk/cma-cases/investigation-into-googles-privacy-sandbox-browser-changes
       
 (DIR) Post #AVmhi3xUKpKRNTaWf2 by jschuh@infosec.exchange
       2023-05-18T16:13:28Z
       
       0 likes, 0 repeats
       
       @lauren I know you don't see the concerns as technical—we both appreciate that reality. I'm just saying that from dealing with numerous regulators and coalitions of ad tech companies it was very clear that they would never allow Privacy Sandbox to ship 3p data blocking if the new APIs were not also on by default. So, beyond the technical arguments, that's pretty much a guarantee that they ship that way.
       
       And yeah, like you I could definitely see the toxicity around big tech swallowing up the Privacy Sandbox. But I'm hopeful it has enough momentum at this point that it still makes it through. Because my biggest fear is that the Web continues to lose mindshare and quality content, and we all get stuck entirely in the walled gardens of companies like Apple and Google (and I state that as someone who still likes Google).
       
 (DIR) Post #AVmipIv7CpFvlIUkTo by jschuh@infosec.exchange
       2023-05-18T16:26:00Z
       
       0 likes, 0 repeats
       
       @lauren Sadly I'm in agreement on pretty much all of this... but I'm hopeful it doesn't play out that way.
       
 (DIR) Post #AWkNaRvVQOsWTjaaYa by jschuh@infosec.exchange
       2023-06-16T01:29:04Z
       
       0 likes, 2 repeats
       
       The Difference Between How Trump, Biden, Pence, and Clinton Mishandled Classified Information
       
       I should first state where I’m coming from (because #IANAL). I served in the US intelligence community from 1996-2004, first as an enlisted Marine, and then as a federal employee at NSA and later CIA. I worked on watchfloors and did ops, but most of that career was spent managing and/or securing classified systems. I was trained at the Fort Washington¹ facility in qualifying SCIFs², had my classified courier card for years, and in my time saw a few classified mishandling cases up close.
       
       Next is a bit of background on how classified information handling works. In the 99.99% case, classified docs are only ever handled in SCIFs (which have fence-lines and armed guards). Printed documents are marked with their classification level, and when not in use everything is locked in a properly rated safe, managed with access logs. Classified computer systems are rated to the maximum level of classified allowed, and also secured when not in use. Systems at different classification levels are air-gapped to prevent leakage (technically it’s more complicated, but accurate for this discussion).
       
       The last bit of background is the legal framework for classified document handling. There actually is no law defining classified information or handling processes. Rather, there’s the 1917 Espionage Act³, plus 100 years of legal precedent and executive orders (most recently EO 13526⁴). The Espionage Act refers to a very broad category of “information respecting the national defense” and makes illegal the dissemination of this information through either “willful intent” or “gross negligence.”
       
       The key point is that the law applies to a broad category of information, and the EOs build a framework for identifying such information and how to securely handle it. This is also the main basis that the courts use to delineate violations of the law, which is why classified mishandling is prosecuted under the Espionage Act.
       
       With all of that out of the way, it’s time to look at each of these cases of classified mishandling. I’ll start with Clinton’s case first, because it’s the weirdest, in that it only barely involves classified data handling. That might seem confusing given all the press coverage in 2016, but the most accurate description of what Clinton did is that she forwarded emails from her official DoS (Department of State) email account to a personal account. The critical thing here is that because her DoS account was on a FOUO (For Official Use Only⁵) system, directly connected to the public Internet, those emails never should have contained any classified information. FOUO systems may contain sensitive information, but are explicitly not for handling classified information.
       
       Accepting that, sometimes classified information leaks to a FOUO system. This tends to happen one of two ways, the first of which is usually in preparing briefings/reports for a lower classification level. It’s common to pull some of that information from classified documents, declassify as needed, and then transfer that to a lower classification system. Sometimes mistakes are made in this process and (now invalid) classification markings are left in the downgraded document. That explains the classification markings found in a few of Clinton’s emails⁶.
       
       Classified information can also leak without being marked, if the substance of discussion simply includes information that would be considered classified. This is why it was reported that Clinton had 2,100 classified email threads⁷. Because all of her emails were sent to the classification authorities at all of the intelligence agencies, and they reviewed everything, flagging anything they would have viewed as classified. FWIW, I doubt that any senior national security official’s FOUO inbox would make it through this process without coming away similarly flagged (but that's its own very long discussion).
       
       With that context, here’s the first critical thing to understand about Clinton’s emails: The classified information leak was independent of her forwarding her official email to her personal email address. This is because any classified information she received was already leaked on the FOUO systems that the emails were coming from. So, the classified mishandling situation is the same regardless of whether Clinton’s email had remained on the FOUO DoS server or on a machine in Clinton’s basement. Neither are authorized for handling classified information.
       
       So, then what was wrong with Clinton forwarding her FOUO emails to a personal address? Mainly it comes down to the government’s obligations regarding records retention and the mandatory security baseline for the systems they manage. Those are both extremely good reasons for why Clinton shouldn’t have forwarded her emails, but they don’t really have anything to do with classified information handling.
       
       And to be fair to Clinton, since she was using a FOUO system, she had a reasonable expectation that she wasn’t receiving any emails containing classified information. So, unless she personally introduced the classified information into the discussions that got retroactively flagged, it’s entirely possible that she never even mishandled classified herself. Rather, she may have simply had additional copies of emails that had already leaked to FOUO systems. (FWIW, I don’t expect to ever find out the answer to this.)
       
       This gets to the legal repercussions of what Clinton did. Once again, IANAL, but I did see cases of similar infractions. And as long as the offending party cooperated, there was very little in the way of repercussions. About the worst case would be junior enlisted getting slapped with non-judicial punishment⁸ because their commander wanted to make an example of them. But outside of that, pretty much anyone else in the same situation would just be told to stop, or at worst get a minor slap on the wrist.
       
       Either way, I cannot imagine what grounds someone could even be prosecuted over if they're simply forwarding emails from a FOUO account, to their personal account, for the purposes of accessing their email from another device. Moreover, the scope and depth of the Clinton investigation would normally have been reserved for someone stealing actual marked classified information or otherwise bridging classification levels between systems. Clinton genuinely received more scrutiny and greater repercussions than pretty much anyone else in her situation would have. None of this is to say that what Clinton did was a good thing, but it genuinely was far less than it's usually made out to be.
       
       Now, on to Biden and Pence, which are nearly identical cases of classified mishandling. Remember several paragraphs back about the 99.99% case? Well, that’s not the White House, because that place is just weird. It has a mess of spaces cleared for handling classified, and uncleared people endlessly circulating about—some of whom literally live there! The whole thing is a security nightmare, and they should ban printed classified just as a precautionary measure.
       
       That’s why I’m not surprised that Biden and Pence wound up with marked classified papers mixed in with their other documents. TBH I’m surprised it doesn’t happen more often. But that sort of thing is also why the statute sets the bar at “willfully” or “negligent.” Both Biden and Pence did exactly the right thing in notifying the appropriate custodian of the mistake, turning over everything, and complying fully with investigations. It was all by the book, and no one would ever be charged for something like this.
       
       Finally, we get to Trump. His case is highly unusual, but not at all complicated. The indictment⁹ provides mounds of evidence that he “willfully” took large quantities of classified material with him when he left the White House. After NARA (National Archives and Records Administration) contacted him about returning the missing classified material, he chose to lie, evade, and then turn over only some of the stolen documents. Eventually the FBI had to raid Mar-a-Lago to recover 300+ additional classified documents, and it’s still unclear whether everything has been recovered.
       
       The whole point here is that the Trump case is genuinely unprecedented in just how crazy it is. The volume and scope of the theft puts it in league with espionage cases that land people in prison for decades. Even worse, the whole crime is documented with recordings, corroborating witnesses, and pretty much everything a prosecutor could dream of. While I'm at it I should also quickly knock out some of the more common attempts I’ve seen to dismiss the criminality of Trump’s situation, so here goes:
       
       Are the classified documents in fact Trump’s property? No. The Presidential Records Act is entirely clear on this¹⁰.
       
       Could Trump have declassified these documents already as president? No. EO 13526 sets out the classification process, and if he wanted to expand it to include psychic declassification he had to write a superseding EO laying out such a process.
       
       Does it matter that Trump doesn’t appear to be an agent of a foreign power? No. Just ask Petraeus¹¹ or Schulte¹²; you break the law when you willfully take the information and risk dissemination to those not cleared for access.
       
       Does it matter that Trump stored the information in a locked room? Accepting that a resort with random people ambling about is laughably unsafe, the fact is that there are clear regulations for storage and transport of classified material, and Trump was so far outside the bounds of those that the tiny measures he took are immaterial.
       
       TL;DR: Literally anyone else who did what Trump did would already be sitting in federal prison for at least a decade. Trump is getting an unheard of level of special treatment—entirely to his own benefit! There’s simply no comparison to what Clinton, Biden, or Pence did. The most appropriate comparisons for Trump’s case all involve people currently serving long federal prison sentences… or people who already died in prison.
       
       ¹ https://en.wikipedia.org/wiki/Interagency_Training_Center
       ² https://en.wikipedia.org/wiki/Sensitive_compartmented_information_facility
       ³ https://en.wikipedia.org/wiki/Espionage_Act_of_1917
       ⁴ https://en.wikipedia.org/wiki/Executive_Order_13526
       ⁵ https://en.wikipedia.org/wiki/For_Official_Use_Only
       ⁶ https://www.politico.com/blogs/under-the-radar/2016/07/hillary-clinton-classified-emails-error-225194
       ⁷ https://www.usnews.com/news/politics/articles/2016-02-29/state-dept-wins-dispute-over-clinton-email-on-north-korea
       ⁸ https://en.wikipedia.org/wiki/Non-judicial_punishment
       ⁹ https://www.justice.gov/storage/US_v_Trump-Nauta_23-80101.pdf
       ¹⁰ https://en.wikipedia.org/wiki/Presidential_Records_Act
       ¹¹ https://en.wikipedia.org/wiki/David_Petraeus#Criminal_charges_and_probation
       ¹² https://en.wikipedia.org/wiki/Joshua_Schulte