Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-06 Thread Parks, Raymond
I did a quick search through my data and there haven't been any major Skype 
vulns in a while.  There's a local privilege escalation from this last spring 
and URL snooping, but neither should result in massive Skype usage.  The Dark 
Comet Remote Access Tool (RAT) uses the Skype port and protocol to "phone 
home", so you might have a pest problem.  Even worse, a vulnerability was 
published last fall for getting into the Dark Comet RAT via its use of Skype 
- so if you have Dark Comet, someone could be breaking it to get into your 
computer.

I'd do an off-line, boot from CD/DVD, virus scan with your anti-virus of choice.

The Jet Pack provides a wireless access point - could someone be piggybacking 
on that?  What's your WiFi security?

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
NIPR: rcpa...@sandia.gov
SIPR: rcpar...@sandia.doe.sgov.gov (send 
NIPR reminder)
JWICS: dopa...@doe.ic.gov (send NIPR reminder)



On Sep 6, 2013, at 5:03 PM, Nick Thompson wrote:

Hi, everybody,

I have a Verizon jet pack for my internet here in Massachusetts and every once 
in a while huge charges have appeared on my usage, apparent downloads of a 
gigabyte scale of magnitude.  I complained to Verizon and they did an analysis 
of my record and tell me that these are VOIP usages.  Their suspicion is that 
some teenager in my house is using the box to make phone calls over skype.   
But there is no teenager in my house and no other house within an eighth of a 
mile.  Is it possible that some Trojan is using Skype to communicate?  Why?  
What would be the benefit to the hacker?  Using my computer for what?  In any 
case, I have murdered skype.  Is there any other abuse of the voip protocol 
that could be going on in my computer?  Can I disable voip altogether on my 
machine?   My service costs ten dollars a gig, so this is not a small matter 
for me.  Anybody have any thoughts?

Nick

Nicholas S. Thompson
Emeritus Professor of Psychology and Biology
Clark University
http://home.earthlink.net/~nickthompson/naturaldesigns/



FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com



Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-06 Thread Nick Thompson
Thanks, Raymond,

There is nobody else within an eighth of a mile and the wifi barely reaches
across the house.

The stuff on my computer is standard office stuff.  The only unusual program
I have is the music program Finale.

Does uninstalling Skype really get rid of it?  It had become a really pushy
program and it fought off uninstallation for a bit.

When I get back to Santa Fe, I think I am going to wipe the hard disk and
start again.  Try to limp along until then.

Nick

Nicholas S. Thompson
Emeritus Professor of Psychology and Biology
Clark University
http://home.earthlink.net/~nickthompson/naturaldesigns/

 


Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-06 Thread Brent Auble
Actually, it's probably not a vulnerability, it's a feature...  (and did it 
before Microsoft bought them so we can't even blame M$).

Skype was originally set up to do peer to peer communication without going 
through any sort of centralized Skype-owned servers.  I believe it still does 
that some of the time, but much of it now goes through Microsoft's servers 
(potentially to comply with wiretapping laws and increase security generally).  
Basically, Skype distributes processing among various computers that have Skype 
up and running, which ends up sucking up bandwidth.  Here's a not-very-helpful 
explanation from the Skype web page: 
https://support.skype.com/en/faq/FA10983/what-are-p2p-communications

Because of that, I only open up Skype when I'm calling someone or expecting a 
call.

Brent




Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-06 Thread Steve Smith

Nick -

Sounds like you got the distinction of becoming a 'supernode' in the 
Skype P2P network somewhere down the line...


   
http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf

Like Brent suggested, only running Skype when you want/intend to use it 
would reduce this side-effect.   But then, the whole point of the 
architecture was to allow the overhead costs to be low enough to keep it 
a "free service".   The question is whether you want to contribute to 
the "commons" or just take from them?   In the case of your Mobile 
HotSpot, it makes sense to not use *that* bandwidth to support other 
Skype call routing... but in general, it is a natural part of a 
"community service".


How many of us knew that Skype worked this way?

- Steve




Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-11 Thread Marcus G. Daniels

Where do the folks selling zero day exploits seem to invest effort when 
it comes to Linux?   Do they work against versions that are in wide 
distribution (2.6.32), or try to get in early and sell bugs early in the 
hopes the lifetime of the work will be relatively longer (3.12)?  Is 
bleeding edge kernel and system software any better or worse security-wise 
than a service contract for RHEL, etc. (and immediate updates)?   
If there are bad statistics, that would suggest to me some benefit from 
security from obscurity?


It still blows me away that governments trust vendors that use 
international development teams, but do not disclose source code. Why 
not more of a push toward systems that can _really_ be audited?   It 
seems to me like using medicine that has no systematic study or peer 
review.


If this is accurate, it looks to me like the databases on exploits tend 
to be against old software?


http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/year-2013/opgpriv-1/Linux-Linux-Kernel.html

Marcus


Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-12 Thread mar...@snoutfarm.com
Glen wrote:

"It has always struck me that diversity and co-evolution constitute a
superset of obscurity."

I posit that co-evolution moves faster in today's open source world,
because:

1) More independent thinkers.  Drones tend not to care, and not caring
leads to not thinking.  Passive aggressive compliance, brain rot.

2) Improved access to information -- the source code, and a community
around it.  This allows motivated individuals to educate themselves rapidly
about things, and to be empowered to use this information.   

3) A culture that has low tolerance for secrets.

4) Similar incentive structures for Linux in the server space as would
exist for the Windows Server line. 

On the other hand, the Windows world surely has more people working on
finding vulnerabilities.  But many of those people are working without
direct knowledge of how their target works. They have to infer it.  Perhaps
that has benefits, but it has costs too.

Marcus








Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-12 Thread glen e. p. ropella

Marcus G. Daniels wrote at 09/11/2013 07:55 PM:

If there are bad statistics, that would suggest to me some benefit from 
security from obscurity?


That reminds me.  Did anyone see Stephanie's presentation?  It has always 
struck me that diversity and co-evolution constitute a superset of obscurity.

--
glen e. p. ropella, 971-255-2847, http://tempusdictum.com
Whoever fights monsters should see to it that in the process he does not become a 
monster.   And when you look long into an abyss, the abyss also looks into you.   -- 
Nietzsche, "Beyond Good and Evil"





Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-12 Thread glen e. p. ropella

mar...@snoutfarm.com wrote at 09/12/2013 09:30 AM:

I posit that co-evolution moves faster in today's open source world,
because:


At first, I agreed vehemently.  Then I started thinking (always a mistake).  It depends 
on what you mean by "faster".  It's possible that the species diversity might 
increase.  But, perhaps _like_ a fluid going through a diverging nozzle, as the 
cross-section grows, the velocity shrinks.  Perhaps while the progress of any one lineage 
slows, more lineages arise?  Of course, I'm assuming there's some conserved property.  
It's also possible there is no conserved property, or that the whole co-evolutionary 
machine takes better advantage of the various nooks and crannies of the world.


1) More independent thinkers.  Drones tend not to care, and not caring
leads to not thinking.  Passive aggressive compliance, brain rot.


I think it's important to consider that the drones are caring and thinking ... 
they're simply thinking about other stuff ... like who they'll vote for on some 
reality TV show, or whether to go to the mall or buy from amazon.com.  The real 
trick is that of marketing.  How to corral a bunch of drones into caring and 
thinking about what you want them to?  How to manufacture care/thought?


2) Improved access to information -- the source code, and a community
around it.  This allows motivated individuals to educate themselves rapidly
about things, and to be empowered to use this information.


It also allows us to lavish kudos on the fame-tolerant we find there.  E.g. 
Musk, Diamandis, Branson, Dawkins, Tyson, Lady Ada, etc.  The more we can turn 
these unfortunate suckers into role models, the easier it will be to corral the 
drones.  Without the improved access to information, we're stuck with the 
dually diagnosed (deeper-digging _and_ charismatic).  Improved access to 
information allows us to worry less about charisma and focus on people who do 
things, regardless of what they look like or their stage/tv presence.


3) A culture that has low tolerance for secrets.


I think you might be slightly off on this one.  It's not a low tolerance for 
secrets so much as a need for _qualified_ secrets.  We don't care if you won't 
answer a question, as long as we're happy with _why_ you won't answer it.  The 
focus is on authenticity rather than openness.


4) Similar incentive structures for Linux in the server space as would
exist for the Windows Server line.

On the other hand, the Windows world surely has more people working on
finding vulnerabilities.  But many of those people are working without
direct knowledge of how their target works. They have to infer it.  Perhaps
that has benefits, but it has costs too.


As with my prattling about your (3), I'd suggest the issue is less with the reverse 
engineering (which is fun) and more with the monolithic nature of Windows.  Tools in that 
world are too tightly coupled... it makes for a fragile tool chain... very efficient when 
used in the right context, but seemingly broken when abused.  And, as with Merle's 
"outsider everything", _abuse_ is the new _use_.

--
glen e. p. ropella, 971-255-2847, http://tempusdictum.com
Cynics regarded everybody as equally corrupt... Idealists regarded everybody as 
equally corrupt, except themselves. -- Robert Anton Wilson





Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-12 Thread mar...@snoutfarm.com
> 2) Improved access to information -- the source code, and a community
> around it.  This allows motivated individuals to educate themselves
> rapidly about things, and to be empowered to use this information.

"It also allows us to lavish kudos on the fame-tolerant we find there. 
E.g. Musk, Diamandis, Branson, Dawkins, Tyson, Lady Ada, etc.  The more we
can turn these unfortunate suckers into role models, the easier it will be
to corral the drones."

I think it is better to not deprive the drone prone of important
existential angst.  Make them sit around these people for a few days until
they lose their religion.  That won't happen if they just watch them on
TED, or in carefully produced speeches in the East Room of the White House,
or even in university lecture rooms.

> 3) A culture that has low tolerance for secrets.

"I think you might be slightly off on this one.  It's not a low tolerance
for secrets so much as a need for _qualified_ secrets.  We don't care if
you won't answer a question, as long as we're happy with _why_ you won't
answer it.  The focus is on authenticity rather than openness."

If an interface promises to do Y when it sees X, and that is tested and
declared `compliant', it doesn't tell me for sure what happens when it sees
Z, when Z is never mentioned (e.g. in the documentation).   Maybe it will
indeed again deliver Y when X is seen again, but meanwhile also deliver X
to the Mossad?  I want to see the logic that leads to Y, and see exactly
how it happens.  Otherwise all I have is a sketchy contract and it is up to
me to try to break it with Z and whatever other misuse one can think of, or
break down the obfuscated artifact (executable) into smaller bits and try
to rationalize that.  As you point out, that's different than trying to
POSIX open(2) a file and being given EPERM.   That's a refusal, but it can
be checked for consistency with other sorts of queries (e.g. stat(2)).  

Marcus








Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-12 Thread glen e. p. ropella

mar...@snoutfarm.com wrote at 09/12/2013 02:32 PM:

I think it is better to not deprive the drone prone of important
existential angst.  Make them sit around these people for a few days until
they lose their religion.  That won't happen if they just watch them on
TED, or in carefully produced speeches in the East Room of the White House,
or even in university lecture rooms.


Yeah, I know.  But that doesn't scale.  Somehow we need to replace silly role 
models like Justin Bieber with real ones like Spot Draves (draves.org) ... or 
_you_. 8^)  There's no way to get all the drones into a religion-losing 
interaction, especially when/if the role models really do continue working.


3) A culture that has low tolerance for secrets.


If an interface promises to do Y when it sees X, and that is tested and
declared `compliant', it doesn't tell me for sure what happens when it sees
Z, when Z is never mentioned (e.g. in the documentation).   Maybe it will
indeed again deliver Y when X is seen again, but meanwhile also deliver X
to the Mossad?  I want to see the logic that leads to Y, and see exactly
how it happens.  Otherwise all I have is a sketchy contract and it is up to
me to try to break it with Z and whatever other misuse one can think of, or
break down the obfuscated artifact (executable) into smaller bits and try
to rationalize that.


But where do you stop, in your ideal?  Do you stop at the source code?  Or do you also 
need a transparent compiler?  Linker?  Run-time? System? Component, vhdl, ceramics, 
doping, drawing methods?  Do you have to _be_ Yog-Sothoth in order to finally sit back 
and say to yourself "OK, there are no secrets, here"?

Of course, the answer is that it depends on who "you" are.  Some of us are 
satisfied quickly, very near the interface.  Others need to dig in and pick every nit 
they can (and eventually go mad ;-).  But, in the end, all of us tolerate secrets.  It's 
just a matter of the quality/character of those secrets.


As you point out, that's different than trying to
POSIX open(2) a file and being given EPERM.   That's a refusal, but it can
be checked for consistency with other sorts of queries (e.g. stat(2)).


Ha!  Nice.

--
glen e. p. ropella, 971-255-2847, http://tempusdictum.com
Of all tyrannies, a tyranny sincerely exercised for the good of its victims may 
be the most oppressive. -- C. S. Lewis





Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-12 Thread Marcus G. Daniels

On 9/12/13 6:23 PM, glen e. p. ropella wrote:
But where do you stop, in your ideal?  Do you stop at the source 
code?  Or do you also need a transparent compiler?  Linker? Run-time? 
System? Component, vhdl, ceramics, doping, drawing methods?
One way to avoid going down and down is to build a paranoid compiler.   
Imagine using a loop of adds to do a multiply (or for base 2, left 
shifts), and in another case just using a multiply instruction.  If the 
hardware is broken or malicious, cross checks on the functionally 
equivalent calculations can be identified.


An area where these issues come up is for resilience of high performance 
computing systems.  Very large systems are prone to soft-errors from 
cosmic rays, voltage regulation, and faults from heat.  If a calculation 
can be performed two times or more on different processors, then by 
voting it is feasible to identify when  memory feeding a calculation or 
when a calculation itself is in error.


Doing this at a higher level is possible, but the more complex the 
instructions are, the harder it may be to formulate isomorphic cases.   
How do you convert a "Drive to work" operation into a "Fly to New York 
City" operation?


I do think it is necessary for safety-critical or performance-sensitive 
applications to have a compiler that allows for public review of its 
mechanisms.  Ideally compilers would also be better about explaining 
bad outcomes.   An example that comes to mind is 
-ftree-vectorizer-verbose in GCC, which shows the hazards that prevent 
converting a sequence of scalar operations into vector operations.


Going to another level, the runtime and system software is open source 
with Linux, even some firmware.
Going down again there are examples of full microprocessor Verilog 
designs like the UltraSparc T1 & T2 available as source code.

http://www.oracle.com/technetwork/systems/opensparc/opensparc-t2-page-1446157.html

Reconfigurable and synthesizable hardware (FPGAs, Tensilica/Intel Quark) 
already offer control at the hardware level.
And with nano-fabrication tools and desktop electron microscopy systems, 
one can imagine someday building/checking computing devices atom by 
atom.   Eventually everything will be software.


One person is unlikely to have the breadth to understand the preferred 
form (source) of all of these, but diverse overlapping communities 
working in public could secure them, and no reverse engineering would be 
needed.   Companies like Red Hat have working business models around 
this kind of development.


Marcus
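
The paranoid-compiler idea in Marcus's message (the multiply instruction cross-checked against a loop of adds and a base-2 shift-and-add) combined with the 2-of-3 voting he describes for HPC resilience, as an added example in C that is not part of the original thread. The path names, the vote_result struct and the fault in faulty_mul_instruction are constructed for illustration; the fault is a stand-in for broken or malicious hardware, not a real defect.

```c
#include <stdint.h>
#include <stdio.h>

/* A multiply "path": any routine that claims to compute a * b. */
typedef uint64_t (*mul_fn)(uint32_t a, uint32_t b);

/* Path 0: whatever multiply instruction the compiler emits. */
static uint64_t mul_instruction(uint32_t a, uint32_t b) {
    return (uint64_t)a * (uint64_t)b;
}

/* Path 1: a loop of adds, iterating over the smaller operand so the
 * cost is bounded by min(a, b) additions. */
static uint64_t mul_add_loop(uint32_t a, uint32_t b) {
    uint32_t count  = (a < b) ? a : b;
    uint64_t addend = (a < b) ? b : a;
    uint64_t acc = 0;
    for (uint32_t i = 0; i < count; i++) {
        acc += addend;
    }
    return acc;
}

/* Path 2: base-2 shift-and-add.  The 64-bit accumulator cannot overflow
 * for 32-bit operands. */
static uint64_t mul_shift_add(uint32_t a, uint32_t b) {
    uint64_t acc = 0;
    uint64_t shifted = a;
    for (uint32_t bits = b; bits != 0; bits >>= 1) {
        if (bits & 1u) {
            acc += shifted;
        }
        shifted <<= 1;
    }
    return acc;
}

/* CONSTRUCTED fault model, not a real hardware defect: identical to the
 * multiply instruction except on one operand pair, where it silently
 * flips the low bit of the product. */
static uint64_t faulty_mul_instruction(uint32_t a, uint32_t b) {
    uint64_t r = (uint64_t)a * (uint64_t)b;
    if (a == 12345u && b == 678u) {
        r ^= 1u;
    }
    return r;
}

typedef struct {
    uint64_t value;       /* majority product; trust only if agreeing >= 2 */
    int      agreeing;    /* 3 = unanimous, 2 = one dissenter, 0 = no majority */
    int      faulty_path; /* index of the dissenting path, or -1 */
} vote_result;

/* 2-of-3 majority vote over three functionally equivalent paths. */
static vote_result voted_multiply(const mul_fn paths[3], uint32_t a, uint32_t b) {
    uint64_t r[3];
    vote_result v = { 0, 0, -1 };
    for (int i = 0; i < 3; i++) {
        r[i] = paths[i](a, b);
    }
    if (r[0] == r[1] && r[1] == r[2]) {
        v.value = r[0]; v.agreeing = 3;
    } else if (r[0] == r[1]) {
        v.value = r[0]; v.agreeing = 2; v.faulty_path = 2;
    } else if (r[0] == r[2]) {
        v.value = r[0]; v.agreeing = 2; v.faulty_path = 1;
    } else if (r[1] == r[2]) {
        v.value = r[1]; v.agreeing = 2; v.faulty_path = 0;
    }
    /* otherwise all three differ: agreeing stays 0 and value is untrusted */
    return v;
}

/* Cross-checked multiply using the genuine instruction in path 0. */
vote_result multiply_checked(uint32_t a, uint32_t b) {
    const mul_fn paths[3] = { mul_instruction, mul_add_loop, mul_shift_add };
    return voted_multiply(paths, a, b);
}

/* Same vote, but with the constructed faulty instruction in path 0. */
vote_result multiply_with_faulty_instruction(uint32_t a, uint32_t b) {
    const mul_fn paths[3] = { faulty_mul_instruction, mul_add_loop, mul_shift_add };
    return voted_multiply(paths, a, b);
}

int main(void) {
    vote_result good = multiply_checked(12345u, 678u);
    vote_result bad  = multiply_with_faulty_instruction(12345u, 678u);
    printf("genuine: %llu (agreeing %d)\n",
           (unsigned long long)good.value, good.agreeing);
    printf("faulty : %llu (agreeing %d, dissenting path %d)\n",
           (unsigned long long)bad.value, bad.agreeing, bad.faulty_path);
    return 0;
}
```

The vote only localises a fault when the paths fail independently; a defect shared by all three (a bad adder, say) passes unanimously, which is why the paths are chosen to use different instructions.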




Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-13 Thread Marcus G. Daniels

On 9/12/13 6:23 PM, glen e. p. ropella wrote:

Or do you also need [..] doping [..]
Saw this on /. this morning. 
http://people.umass.edu/gbecker/BeckerChes13.pdf

Yikes..

Marcus




Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-13 Thread glen

Marcus G. Daniels wrote at 09/12/2013 09:24 PM:

One way to avoid going down and down is to build a paranoid compiler. Imagine 
using a loop of adds to do a multiply (or for base 2, left shifts), and in 
another case just using a multiply instruction.


It all boils back down to state-less computing ... we need a new motto: "security 
through anarchy" ... doesn't rhyme as well as security through obscurity, though.


Doing this at a higher level is possible, but the more complex the instructions are, the harder it 
may be to formulate isomorphic cases. How do you convert a "Drive to work" operation into 
to "Fly to New York City" operation?
[...]
One person is unlikely to have the breadth to understand the preferred form 
(source) of all of these, but diverse overlapping communities working in public 
could secure them, and no reverse engineering would be needed.


If we know this is/will-be the case, then why press for absolute transparency 
at all?  Why not be anarcho-capitalist and allow for the opacity of some, 
strategically allowed, opacity?

Regardless, the genetic construction of "Drive to work" vs. "Fly to NYC" need not be that 
different, though they probably _will_ be very different in any particular case.  It reminds me of a 
conversation I just had with a bunch of automatic programming skeptics.  My role in the argument was to 
assert the typical ALife case that it is difficult to _abduce_ from the one example of life that we have to a 
general understanding of life. (I learned a new word at the same conference - though not in this particular 
argument - "gnotobiotic" http://www.merriam-webster.com/dictionary/gnotobiotic.)  And a noble 
objective would be to try to regenerate life forms based on new genetic structures, ideally computational 
structures.  They didn't give me a chance to allow for synthetic biology because their reactions were so  
vehement.  One guy said it's flat out impossible.  Another guy expressed that it was a complete waste of 
time.  The only female in the discussion kept asking loaded questions 
implying that I was either feeble-minded or insane. 8^)  The conversation devolved into 
objective functions and I found myself torn between adopting my "wacko/moron" 
role vs. lecturing them on implicit objective functions and co-evolution.  Guess which 
one I chose. ;-)

Anyway, my point here is that working at the interface level carries more benefit than 
cost for the same reasons that test-driven development has taken over (at least in hype) 
the s/w development world.  I tend to view it as a "constraint based approach" 
to the world.  Forcing absolute transparency (even if only in the ideal) seems like a low 
RoI commitment.

Lastly, it's also important to realize that your egalitarian concept of the 
diverse overlapping communities _might_ turn out to be naive or overly simple.  
If we think in terms of gaming, there should arise some seriously competent 
gamers who pool resources into a very small (and controllable) cabal that has a 
better understanding of the entire stack than anyone else.  And, not only will 
the transparency _not_ assist the rest of us schlubs in keeping that cabal 
honest, it will _prevent_ that because the cabal can hide behind the illusion 
of transparency.

They can always say things like "It's all on the up and up!  The source code's out there.  Check it 
yourself."  ... all the while _knowing_ that without their billions of dollars in assets we normal 
people cannot "check it ourselves".  Hence, perhaps similar to "green washing", the good 
gamers will use our own ideology against us.

--
⇒⇐ glen e. p. ropella
And even though I'm sitting waiting for Mars; I don't believe there's any 
future in cause
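The "paranoid compiler" idea quoted above (emit several non-isomorphic instruction sequences for the same operation and compare them) can be sketched as an N-version self-check. The following C block is an added illustration, not code from the thread or from any project mentioned in it: three implementations of 64-bit multiply that differ in instruction mix (the native multiply, a shift-and-add loop, and a schoolbook product over 32-bit halves) are run on the same operands and must agree before the result is trusted. The `mul_faulty_simulated` function is a constructed stand-in for a miscompiled or otherwise untrustworthy multiply that misbehaves on one input pair, so that the detection path can be exercised; nothing about it models any real defect.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t (*mul_fn)(uint64_t, uint64_t);

/* Version A: whatever multiply instruction the compiler normally emits. */
uint64_t mul_native(uint64_t a, uint64_t b) { return a * b; }

/* Version B: shift-and-add, uses no multiply instruction at all.
 * Note: an optimizer is free to recognize this loop and rewrite it; check the
 * generated assembly if instruction-level diversity is the goal. */
uint64_t mul_shift_add(uint64_t a, uint64_t b) {
    uint64_t acc = 0;
    while (b) {
        if (b & 1) acc += a;
        a <<= 1;            /* wraps modulo 2^64, matching native semantics */
        b >>= 1;
    }
    return acc;
}

/* Version C: schoolbook product over 32-bit halves.  Only the low 32 bits of
 * the cross term survive the shift, so its overflow is harmless. */
uint64_t mul_halves(uint64_t a, uint64_t b) {
    uint64_t al = a & 0xFFFFFFFFu, ah = a >> 32;
    uint64_t bl = b & 0xFFFFFFFFu, bh = b >> 32;
    uint64_t lo = al * bl;
    uint64_t cross = ah * bl + al * bh;
    return lo + (cross << 32);
}

/* Constructed fault for demonstration only: correct everywhere except on one
 * trigger pair, where it flips the low bit. */
uint64_t mul_faulty_simulated(uint64_t a, uint64_t b) {
    uint64_t r = a * b;
    return (a == 0x1234 && b == 0x5678) ? (r ^ 1) : r;
}

typedef struct {
    uint64_t value;            /* result of the first implementation */
    bool agreed;               /* true iff all implementations returned value */
    size_t first_disagreeing;  /* index of the first dissenting impl, or n */
} checked_mul;

/* Run every implementation on the same operands and demand unanimity. */
checked_mul nversion_mul(const mul_fn *impls, size_t n, uint64_t a, uint64_t b) {
    checked_mul out = { 0, true, n };
    if (n == 0) { out.agreed = false; return out; }
    out.value = impls[0](a, b);
    for (size_t i = 1; i < n; i++) {
        if (impls[i](a, b) != out.value) {
            out.agreed = false;
            out.first_disagreeing = i;
            break;
        }
    }
    return out;
}

/* Default trusted set: three textually and structurally different versions. */
static const mul_fn trusted_set[] = { mul_native, mul_shift_add, mul_halves };

checked_mul paranoid_mul(uint64_t a, uint64_t b) {
    return nversion_mul(trusted_set, sizeof trusted_set / sizeof trusted_set[0], a, b);
}

int main(void) {
    checked_mul ok = paranoid_mul(0xDEADBEEFCAFEBABEULL, 0x123456789ULL);
    printf("trusted set: value=%016llx agreed=%d\n",
           (unsigned long long)ok.value, ok.agreed);

    const mul_fn suspect[] = { mul_native, mul_shift_add, mul_faulty_simulated };
    checked_mul bad = nversion_mul(suspect, 3, 0x1234, 0x5678);
    printf("suspect set: agreed=%d first_disagreeing=%zu\n",
           bad.agreed, bad.first_disagreeing);
    return 0;
}
```

The caveat the thread's "down and down" discussion points at still applies: all three versions execute on the same adder and the same compiler back end, so a fault shared by every path (or a doping-level change that affects every instruction uniformly) is not detected by this check; it only raises the bar by forcing a defect to be consistent across unrelated instruction sequences.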
 




Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-13 Thread Marcus G. Daniels

On 9/13/13 2:57 PM, glen wrote:
If we know this is/will-be the case, then why press for absolute 
transparency at all?  Why not be anarcho-capitalist and allow for the 
opacity of some, strategically allowed, opacity?
The anarcho-capitalist will try to extract every bit of value from any 
vocabulary they own or influence.  It's fine for them to try to do that, 
but it is also fine to make them obsolete.   For example, GPU vendors 
own their hardware designs and their driver stacks.  If their driver 
stacks are open sourced, or reverse-engineered that gives a little more 
insight into how their hardware works.  If people know how their 
hardware works, then some competitor can come along and create similar 
hardware at a lower price point.  Provided an open source effort can 
come along and make a sort of similar VHDL design that puts them out of 
business, it's all good.   Most anarcho-capitalists aren't that, of 
course, they are capitalists, and expect public investment to be there 
to protect their IP for them, through copyrights, patents, and so on.  
The GPU vendors want an interface like OpenCL so that they can keep 
people away from the actual design.  That's annoying, and misrepresents 
the concept of `open' for their own selfish purposes.
Anyway, my point here is that working at the interface level carries 
more benefit than cost for the same reasons that test-driven 
development has taken over (at least in hype) the s/w development 
world.  I tend to view it as a "constraint based approach" to the 
world.  Forcing absolute transparency (even if only in the ideal) 
seems like a low RoI commitment.
Some users can't afford to trust, and will have a very sensitive cost 
function.   Other users have a more risk/reward structure.


Lastly, it's also important to realize that your egalitarian concept 
of the diverse overlapping communities _might_ turn out to be naive 
or overly simple.  If we think in terms of gaming, there should arise 
some seriously competent gamers who pool resources into a very small 
(and controllable) cabal that has a better understanding of the entire 
stack than anyone else.  And, not only will the transparency _not_ 
assist the rest of us schlubs in keeping that cabal honest, it will 
_prevent_ that because the cabal can hide behind the illusion of 
transparency.
But it is ok if there are schlubs, provided one chooses to be one.   
Membership in the cabal comes from cognitive investment, not capital.
They can always say things like "It's all on the up and up!  The 
source code's out there.  Check it yourself."  ... all the while 
_knowing_ that without their billions of dollars in assets we normal 
people cannot "check it ourselves".  Hence, perhaps similar to "green 
washing", the good gamers will use our own ideology against us.


I've worked on a variety of types of code, and I don't find I need to 
appeal to individuals controlling teams of people and domain experts to 
understand the parts I'm interested in.  There's a scale free property 
to good codes that makes it possible to understand them.   Understand 
the goals, inputs, the outputs, and start building out an 
understanding.   If there is no source code it is much more difficult 
(but not impossible).


Marcus




Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-13 Thread glen

Marcus G. Daniels wrote at 09/13/2013 02:59 PM:

If people know how their hardware works, then some competitor can come along 
and create similar hardware at a lower price point.  Provided an open source 
effort can come along and make a sort of similar VHDL design that puts them out 
of business, it's all good.


Right.  So, it would work fairly well without a requirement for absolute 
transparency.


Most anarcho-capitalists aren't that, of course, they are capitalists, and 
expect public investment to be there to protect their IP for them, through 
copyrights, patents, and so on. The GPU vendors want an interface like OpenCL 
so that they can keep people away from the actual design.  That's annoying, and 
misrepresents the
concept of `open' for their own selfish purposes.


Well, to be fair, copyrights and patents have to be defended by their owners 
using the public infrastructure as a lever.  If you're too poor to defend your 
own property, that public infrastructure is worthless to you.  Some of the 
larger organizations often argue that _they_ are the primary source of the 
public infrastructure in the first place.  So, it's not quite as cut and dried.

But you're right, these capitalists are not anarcho-capitalists by any stretch. 
 They want state-corp integration ... preferably asymmetric integration.


Membership in the cabal comes from cognitive investment, not capital.


I disagree.  Membership in the set of cabal _tools_ ... the technically competent person, 
comes from cognitive investment.  Ownership/control of those tools comes from capital, 
usually in the form of "golden handcuffs".  What percentage of geeks do you 
know that wouldn't opt for a 6 figure salary in exchange for their indentured servitude?  
... at least for a little while?

Membership in the actual cabal requires you to be able to own/control the 
tools, which means you need money to pay them some sort of competitive salary 
(or perhaps lavish them with avant technology).  In some rare cases, you can 
exert control through charisma or machiavellian manipulation.  But that's the 
exception, not the rule.


I've worked on a variety of types of code, and I don't find I need to appeal to 
individuals controlling teams of people and domain experts to understand the 
parts I'm interested in.  There's a scale free property to good codes that 
makes it possible to understand them.   Understand the goals, inputs, the 
outputs, and start building out an understanding.   If there is no source 
code it is much more difficult (but not impossible).


Again, for the most part, I agree.  But you have to remember two things: 1) 
you're not the average and 2) the _types_ matter.  For example, it's one thing 
to be curious about, say, operating systems.  But it's another thing, entirely, 
to be curious about cryptographic systems.

--
⇒⇐ glen e. p. ropella
Among the metal ones a messenger will soon arrive.
 




Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-13 Thread Marcus G. Daniels

On 9/13/13 6:40 PM, glen wrote:

Membership in the cabal comes from cognitive investment, not capital.


I disagree.  Membership in the set of cabal _tools_ ... the 
technically competent person, comes from cognitive investment. 
Ownership/control of those tools comes from capital, usually in the 
form of "golden handcuffs".  What percentage of geeks do you know that 
wouldn't opt for a 6 figure salary in exchange for their indentured 
servitude?  ... at least for a little while?
What kind of group would contain an instance of such a cabal?  An open 
source development team at Intel or Google?   A big university software 
team?   I can't think of a lot of examples of open source development 
done for its own sake.  I agree about this distinction between a cabal's 
purposes vs. the human tools that achieve it. Usually the technological 
tools are closed too (with open as the exception), serve the human 
resource tools, which then serve the cabal (e.g. the company's deciders).


I'm talking about a different sort of cabal, like the folks that develop 
and direct a large package like LLVM, Postgres, GHC, or R. These 
projects involve developers that span universities and corporations.  
The software serves as a research vehicle, and/or the basis for another 
specialized product.  The people that work on these packages may even 
work for competing companies that provide the golden handcuffs (and jump 
between the companies to the extent they aren't legally restricted from 
doing so).


Marcus




Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-13 Thread Marcus G. Daniels

On 9/13/13 6:40 PM, glen wrote:
So, it would work fairly well without a requirement for absolute 
transparency.
If the goal is to develop versatile technical language, and someone 
effectively owns a bunch of the useful words (interfaces , ...) that is 
an impediment to giving everyone a fair shake at doing technical work.  
Those that can afford to license the useful interfaces at least aren't 
at a deficit compared to those that cannot.  The worst part is that 
certain interfaces become less mutable than others. If the licensed 
interfaces aren't the perfect ones, then the sellers and customers of 
those words will try to keep them around even if they lack deep merit. 
   If, on the other hand, the useful parts of the interfaces can be 
recast in another way, and understood in isolated bits then better 
interfaces can be built around them.  The frozen language (interfaces, 
..), I think, tends to limit the imagination of the users.   The split 
between users and implementers or vendors and customers, is 
artificial.   The ethic of absolute transparency says that if you want 
something, you don't need to bitch to someone to get it, you can just go 
make it.  This was the original appeal of computers to me: Imagination 
-> Reality


Marcus




Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-16 Thread glen

Marcus G. Daniels wrote at 09/13/2013 08:14 PM:

What kind of group would contain an instance of such a cabal?


Perhaps a decent example might be ALEC  or, perhaps, 
funders of the Cato Institute or Heritage Foundation.  The point is that they may 
well lobby/advocate for absolute transparency _and_ integration of tools, perhaps 
actively working against unifying standards (because unification is antithetic to 
individualism).  These people would argue for absolute transparency and would have 
the resources to maintain large corporate machinery/bureaucracy to keep track of and 
manipulate the ecology of tools.

Any asymmetrically weaker entity would, in principle, be able to dig into any 
aspect of the system.  But such an entity would be incapable of grokking the 
whole system, at least as well as the army of lawyers, accountants, auditors, 
programmers, etc. who worked on behalf of the cabal.  And even if an entity 
like the EFF or ACLU _could_ compete on understanding the system, they could 
not compete in the public outreach (advertising during the super bowl, lobbying 
for net neutrality, etc.).

--
⇒⇐ glen e. p. ropella
Shadow of the New Praetorian
 




Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-16 Thread glen

mar...@snoutfarm.com wrote at 09/16/2013 02:53 PM:

Such a Beast will be slow moving. All those people need to be motivated to
clarify and then solve some problem posed to them.


I'm not so sure.  I admit that the current trend toward flat corporate 
hierarchies works toward the requirement to motivate all those people.  But the 
old style, autocratic, specialize everything, command and control structure 
doesn't need such motivation. Incentive satisfices. There only need be an elite 
core (cybernetically augmented with their data warehouses) of people who 
understand how every specialized piece fits into the whole.  And that elite 
core can be relatively small.

I don't have a concrete example of it.  But I hear enough people chanting about 
how they want to be paid more to do their mindless jobs, that I can imagine 
there are enough people willing to be paid to do whatever they're told ... of 
course, those tools don't mix well with the tools who do invest their energies 
into learning technology.  But, again, it strikes me that an organization like 
Cato could lure those (often libertarian minded) tools in, hypnotize them with 
naive rhetoric, then reinforce their training with high salaries.


That doesn't mean there aren't asymmetric opportunities.

Grokking a big system isn't just a question of insisting on interfaces owned
and implemented by 3rd parties.  Interfaces are the easy part, IMO.


I agree on both counts.  I'm just talking it out to see where I might fit in.

--
⇒⇐ glen e. p. ropella
I can tell just by the climate, and I can tell just by the style
 




Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-16 Thread mar...@snoutfarm.com
Glen wrote: 

"But the old style, autocratic, specialize everything, command and control
structure doesn't need such motivation."

Well, I mean some mental models have to develop at the various levels of
the organization.  I used the term `motivation' to mean the process of
understanding enough of a sub-problem to propose a solution.  If the
problem is hard, then it may have to be sent out to all of the leaves of the
organization and come back to even determine feasibility.  On the other
hand, if there is a small super-knowledgeable and super-capable cadre of
workers, there is less of this percolation to wait on.

Marcus








Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-16 Thread glen e. p. ropella

mar...@snoutfarm.com wrote at 09/16/2013 03:45 PM:

Well, I mean some mental models have to develop at the various levels of
the organization.  I used the term `motivation' to mean the process of
understanding enough of a sub-problem to propose a solution.  If the
problem is hard, then it may have to be sent out to all of the leaves of the
organization and come back to even determine feasibility.  On the other
hand, if there is a small super-knowledgeable and super-capable cadre of
workers, there is less of this percolation to wait on.


Ah!  OK.  I admit there's a type of latency in the cabal/incentive structure that 
wouldn't exist in the more dynamic "extracurricular" ecology you propose.  But 
I think it's more than compensated for by other latencies in the latter.

--
glen e. p. ropella, 971-255-2847, http://tempusdictum.com
We must respect the other fellow's religion, but only in the sense and to the 
extent that we respect his theory that his wife is beautiful and his children 
smart. -- H.L. Mencken





Re: [FRIAM] [EXTERNAL] Urgent: skype vulnerability?

2013-09-16 Thread mar...@snoutfarm.com
"Any asymmetrically weaker entity would, in principle, be able to dig into
any aspect of the system.  But such an entity would be incapable of
grokking the whole system, at least as well as the army of lawyers,
accountants, auditors, programmers, etc. who worked on behalf of the cabal.
"

Such a Beast will be slow moving. All those people need to be motivated to 
clarify and then solve some problem posed to them.   But, it's surely true
that the very best experts in something have been employed doing that thing
for decades, and that small organizations can't afford to support that. 
The SEA `researchers' are surely eclipsed by the NSA researchers across
many dimensions. That doesn't mean there aren't asymmetric opportunities.  
 
Grokking a big system isn't just a question of insisting on interfaces owned
and implemented by 3rd parties.  Interfaces are the easy part, IMO. 

Marcus





