Archive for the ‘Privacy’ Category

See Through Walls With WiFi!

Thursday, June 22nd, 2017

Drones that can see through walls using only Wi-Fi

From the post:

A Wi-Fi transmitter and two drones. That’s all scientists need to create a 3D map of the interior of your house. Researchers at the University of California, Santa Barbara have successfully demonstrated how two drones working in tandem can ‘see through’ solid walls to create 3D model of the interiors of a building using only, and we kid you not, only Wi-Fi signals.

As astounding as it sounds, researchers Yasamin Mostofi and Chitra R. Karanam have devised this almost superhero-level X-ray vision technology. “This approach utilizes only Wi-Fi RSSI measurements, does not require any prior measurements in the area of interest and does not need objects to move to be imaged,” explains Mostofi, who teaches electrical and computer engineering at the University.

For the paper and other details, see: 3D Through-Wall Imaging With Unmanned Aerial Vehicles and WiFi.

Before some contractor creates the Stingray equivalent for law enforcement, researchers and electronics buffs need to create new and improved versions for the public.

Government and industry offices are more complex than this demo but the technology will continue to improve.

I don’t have the technical ability to carry out the experiment but wondering if measurement of a strong signal from any source as it approaches a building and then its exit on the far side would serve the same purpose?

Reasoning that government/industry buildings may become shielded to some signals but in an age of smart phones, not all.

Enjoy!

Tor 7.0! (Won’t Protect You From @theintercept)

Wednesday, June 7th, 2017

Tor Browser 7.0 Is Out!

The Tor browser is great but recognize its limitations.

A primary one is Tor can’t protect you from poor judgment @theintercept. No software can do that.

Change your other habits as appropriate.

Skype/Microsoft – Invasion of Privacy

Thursday, June 1st, 2017

I first noticed this latest invasion of privacy by Skype/Microsoft yesterday.

A friend tried to share an image via Skype and when I went to look at it, I saw a screen similar to this one:

I say “similar to this one” because yesterday I closed the window and got the image via email.

Today, I had a voice message on Skype, which I cannot access without supplying my birthday!

The

“We need just a little more info to set up your account.”

is a factual lie. My account is already set up. Has been (past tense) for years.

This information is required” is that color in the original, no editing.

Anyone else experiencing a similar invasion of privacy courtesy of Skype/Microsoft?

More Dicking With The NSA

Sunday, May 21st, 2017

Privacy-focused Debian 9 ‘Stretch’ Linux-based operating system Tails 3.0 reaches RC status by Brian Fagioli.

From the post:

If you want to keep the government and other people out of your business when surfing the web, Tails is an excellent choice. The Linux-based operating system exists solely for privacy purposes. It is designed to run from read-only media such as a DVD, so that there are limited possibilities of leaving a trail. Of course, even though it isn’t ideal, you can run it from a USB flash drive too, as optical drives have largely fallen out of favor with consumers.

Today, Tails achieves an important milestone. Version 3.0 reaches RC status — meaning the first release candidate (RC1). In other words, it may soon be ready for a stable release — if testing confirms as much. If you want to test it and provide feedback, you can download the ISO now.

Fagioli covers some of the details but the real story is this:

The sooner testers (that can include you) confirm the stability, etc., of Tails Version 3.0 (RC1), the sooner it can be released for general use.

In part, the release schedule for Tails Version 3.0 (RC1) depends on you.

Your response?

Check Fagoli’s post for links to the release and docs.

Effective versus Democratic Action

Saturday, May 13th, 2017

OpenMedia is hosting an online petition: Save our Security — Strong Encryption Keeps Us Safe to:

Leaked docs reveal the UK Home Office’s secret plan to gain real-time access to our text messages and online communications AND force companies like WhatsApp to break the security on its own software.1 This reckless plan will make all of us more vulnerable to attacks like the recent ransomware assault against the NHS.2

If enough people speak out right now and flood the consultation before May 19, then Home Secretary Amber Rudd will realise she’s gone too far.

Tell Home Secretary Amber Rudd: Encryption keeps us safe. Do not weaken everyone’s security by creating backdoors that hackers and malicious actors can exploit.
… (emphasis in original, footnotes omitted)

+1! on securing your privacy, but -1! on democratic action.

Assume the consultation is “flooded” and Home Secretary Amber Rudd says:

Hearing the outcry of our citizens, we repent of our plan for near real time monitoring of your conversations….

I’m sorry, why would you trust Home Secretary Amber Rudd or any other member of government, when they make such a statement?

They hide the plans for monitoring your communications in near real time, as OpenMedia makes abundantly clear.

What convinces you Home Secretary Rudd and her familiars won’t hide government monitoring of your communications?

A record of trustworthy behavior in the past?

You can flood the consultation if you like but effective actions include:

  • Anyone with access to government information should leak that information whenever possible.
  • Anyone employed by government should use weak passwords, follow links in suspected phishing emails and otherwise practice bad cybersecurity.
  • If you don’t work for a government or have access to government information, copy, repost, forward, and otherwise spread any leaked government information you encounter.
  • If you have technical skills, devote some portion of your work week to obtaining information a government prefers to keep secret.

The only trustworthy government is a transparent government.

Alert! Alert! Good Use For Cat Videos!

Friday, April 28th, 2017

A Trick That Hides Censored Websites Inside Cat Videos by Kaveh Waddell.

From the post:

A pair of researchers behind a system for avoiding internet censorship wants to deliver banned websites inside of cat videos. Their system uses media from popular, innocuous websites the way a high schooler might use the dust jacket of a textbook to hide the fact that he’s reading a comic book in class. To the overseeing authority—in the classroom, the teacher; on the internet, a government censor—the content being consumed appears acceptable, even when it’s illicit.

The researchers, who work at the University of Waterloo’s cryptography lab, named Slitheen after a race of aliens from Doctor Who who wear the skins of their human victims to blend in. The system uses a technique called decoy routing, which allows users to view blocked sites—like a social-networking site or a news site—while generating a browsing trail that looks exactly as if they were just browsing for shoes or watching silly videos on YouTube.

Slitheen’s defining feature is that the complex traffic it generates is indistinguishable from a normal request. That is, two computers sitting next to one another, downloading data from Amazon.com’s homepage—one that does so normally and another with the contents of this Atlantic story instead of Amazon’s images and videos—would create identical traffic patterns. The more complex Slitheen request would take slightly longer to come back, but its defining characteristics, from packet size to timing, would be the same.

How about that! With a clean local browser history as well.

After reading Waddell’s post, read Slitheen: Perfectly imitated decoy routing through traffic replacement, then grab the code at: https://crysp.uwaterloo.ca/software/slitheen/.

Talk up and recommend Slitheen to your friends, startups, ISPs, etc.

Imagine an Internet free of government surveillance. Doesn’t that sound enticing?

Scotland Yard Outsources Violation of Your Privacy

Monday, April 24th, 2017

Whistleblower uncovers London police hacking of journalists and protestors by Trevor Johnson.

From the post:

The existence of a secretive unit within London’s Metropolitan Police that uses hacking to illegally access the emails of hundreds of political campaigners and journalists has been revealed. At least two of the journalists work for the Guardian.

Green Party representative in the British House of Lords, Jenny Jones, exposed the unit’s existence in an opinion piece in the Guardian. The facts she revealed are based on a letter written to her by a whistleblower.

The letter reveals that through the hacking, Scotland Yard has illegally accessed the email accounts of activists for many years, and this was possible due to help from “counterparts in India.” The letter alleged that the Metropolitan Police had asked police in India to obtain passwords on their behalf—a job that the Indian police subcontracted out to groups of hackers in India.

The Indian hackers sent back the passwords obtained, which were then used illegally by the unit within the Met to gather information from the emails of those targeted.

Trevor covers a number of other points, additional questions that should be asked, the lack of media coverage over this latest outrage, etc., all of which merit your attention.

From my perspective, these abuses by the London Metropolitan Police (Scotland Yard), are examples of the terrorism bogeyman furthering government designs against quarrelsome but otherwise ordinary citizens.

Quarrelsome but otherwise ordinary citizens are far safer and easier to spy upon than seeking out actual wrongdoers. And spying justifies part of Scotland Yard’s budget, since everyone “knows” a lack of actionable intelligence means terrorists are hiding successfully, not the more obvious lack of terrorists to be found.

As described in Trevor’s post, Scotland Yard, like all other creatures of government, thrives in shadows. Shadows where its decisions are beyond discussion and reproach.

In choosing between supporting government spawned creatures that live in the shadows and working to dispel the shadows that foster them, remember they are not, were not and never will be “…on you side.”

They have a side, but it most assuredly is not yours.

The Upside To Overturning Internet Privacy Rules

Monday, April 3rd, 2017

Trump signs measure overturning internet privacy rules by David McCabe.

From the post:

President Trump has signed a Congressional resolution overturning Federal Communications Commission rules that would have required internet providers to get their customers’ permission before sharing personal data like browsing history with advertisers. The rules had yet to go into effect.

Is this a bad thing?

Sure, but there is an upside.

You have already seen media reports urging everyone to start using VPNs and the like to protect their privacy from ISP predators.

What happens if VPNs come into everyday use by the average user? Aside from greater profits for VPN vendors.

Hmmm, several orders of magnitude more VPN connections than are being tracked by the usual alphabet soup agencies.

Encourage every user you know to use a VPN connection. Hell, offer them as swag at conferences.

Teacher and library conferences. Church camps. Oh, yeah, technical conferences too.

Hackers in the mist? 😉

Eroding the Presumption of Innocence in USA

Saturday, April 1st, 2017

You may be laboring under the false impression that people charged with crimes in the USA are presumed innocence until proven guilty beyond a reasonable doubt in a court of law.

I regret to inform you that presumption is being eroded away.

Kevin Poulsen has a compelling read in FBI Arrests Hacker Who Hacked No One about the case of Taylor Huddleston was arraigned on March 31, 2017 in the Federal District Court for the Eastern District of Virginia, docket number: 1:2017 cr 34.

Kevin’s crime? He wrote a piece of software that has legitimate uses, such as sysadmins trouble shooting a user’s computer remotely. That tool was pirated by others and put to criminal use. Now the government wants to take his freedom and his home.

Compare Kevin’s post to the indictment, which I have uploaded for your reading pleasure. There is a serious disconnect between Poulsen’s post and the indictment, as the government makes much out of a lot of hand waving and very few specifics.

Taylor did obtain a Release on Personal Recognizance or Unsecured Bond, which makes you think the judge isn’t overly impressed with the government’s case.

I would have jumped at such a release as well but I find it disturbing, from a presumption of innocence perspective, that the judge also required:

My transcription:

No access to internet through any computer or other data capable device including smart phones

Remember that Taylor Huddleston is presumed innocence so how is that consistent with prohibiting him from a lawful activity, such as access to the internet?

Simple response: It’s not.

As I said, I would have jumped at the chance for a release on personal recognizance too. Judges are eroding the presumption of innocence with the promise of temporary freedom.

Wishing Huddleson the best of luck and that this erosion of the presumption of innocence won’t go unnoticed/unchallenged.

Peeping Toms Jump > 16,000 In UK

Monday, March 27th, 2017

The ranks of peeping toms swells by at least 16,000 in the UK:

More than 16,000 staff in the public sector empowered to examine your web browsing by Graeme Burton.

From the post:

More than 16,000 staff in the public sector and its agencies have been empower by Section 4 of the Investigatory Powers Act to snoop on people’s internet connection records.

And that’s before the estimated 4,000 staff at security agency MI5, the 5,500 at GCHQ and 2,500 at MI6 are taken into account.

That’s according to the responses from a series of almost 100 Freedom of Information (FOI) requests made in a bid to find out exactly who has the power to snoop on ordinary people’s web browsing histories under the Act.

GCHQ, the Home Office, MI6, the National Crime Agency, the Ministry of Justice, all three armed forces and Police Service of Scotland all failed to respond to the FOI requests – so the total could be much higher.

My delusion that the UK has a mostly rational government was shattered by passage of the Investigatory Powers Act. Following web browsing activity, hell, even tracking everyone and their conversations, 24 x 7, isn’t going to stop random acts of violence.

What part of random acts of violence being exactly that, random, seems to be unclear? Are there no UK academics to take up the task of proving prediction of random events is possible?

Unless and until the UK Parliament comes to its senses, the best option for avoiding UK peeping toms is to move to another country.

If re-location isn’t possible, use a VPN and a Tor browser for all web activity.

Smile! You May Be On A Candid Camera!

Thursday, March 9th, 2017

Hundreds of Thousands of Vulnerable IP Cameras Easy Target for Botnet, Researcher Says by Chris Brook.

From the post:

A researcher claims that hundreds of thousands of shoddily made IP cameras suffer from vulnerabilities that could make them an easy target for attackers looking to spy, brute force them, or steal their credentials.

Researcher Pierre Kim disclosed the vulnerabilities Wednesday and gave a comprehensive breakdown of the affected models in an advisory on his GitHub page.

A gifted security researcher who has discovered a number of backdoors in routers, estimates there are at least 18,000 vulnerable cameras in the United States alone. That figure may be as high as 200,000 worldwide.

For all of the pissing and moaning in Chris’ post, I don’t see the problem.

Governments, corporations, web hosts either have us under surveillance or their equipment is down for repairs.

Equipment that isn’t under their direct control, such as “shoddily made IP cameras,” provide an opportunity for citizens to return the surveillance favor.

To perform surveillance those who accept surveillance of the “masses” but find surveillance of their activities oddly objectionable.

Think of it this way:

The US government has to keep track of approximately 324 million people, give or take. With all the sources of information on every person, that’s truly a big data problem.

Turn that problem around and consider that Congress has only 535 members.

That’s more of a laptop sized data problem, albeit that they are clever about covering their tracks. Or think they are at any rate.

No, the less security that exists in general the more danger there is for highly visible individuals.

Think about who is more vulnerable before you complain about a lack of security.

The security the government is trying to protect isn’t for you. I promise. (The hoarding of cyber exploits by the CIA is only one such example.)

That CIA exploit list in full: … [highlights]

Wednesday, March 8th, 2017

That CIA exploit list in full: The good, the bad, and the very ugly by Iain Thomson.

From the post:

We’re still going through the 8,761 CIA documents published on Tuesday by WikiLeaks for political mischief, although here are some of the highlights.

First, though, a few general points: one, there’s very little here that should shock you. The CIA is a spying organization, after all, and, yes, it spies on people.

Two, unlike the NSA, the CIA isn’t mad keen on blanket surveillance: it targets particular people, and the hacking tools revealed by WikiLeaks are designed to monitor specific persons of interest. For example, you may have seen headlines about the CIA hacking Samsung TVs. As we previously mentioned, that involves breaking into someone’s house and physically reprogramming the telly with a USB stick. If the CIA wants to bug you, it will bug you one way or another, smart telly or no smart telly. You’ll probably be tricked into opening a dodgy attachment or download.

That’s actually a silver lining to all this: end-to-end encrypted apps, such as Signal and WhatsApp, are so strong, the CIA has to compromise your handset, TV or computer to read your messages and snoop on your webcam and microphones, if you’re unlucky enough to be a target. Hacking devices this way is fraught with risk and cost, so only highly valuable targets will be attacked. The vast, vast majority of us are not walking around with CIA malware lurking in our pockets, laptop bags, and living rooms.

Thirdly, if you’ve been following US politics and WikiLeaks’ mischievous role in the rise of Donald Trump, you may have clocked that Tuesday’s dump was engineered to help the President pin the hacking of his political opponents’ email server on the CIA. The leaked documents suggest the agency can disguise its operations as the work of a foreign government. Thus, it wasn’t the Russians who broke into the Democrats’ computers and, by leaking the emails, helped swing Donald the election – it was the CIA all along, Trump can now claim. That’ll shut the intelligence community up. The President’s pet news outlet Breitbart is already running that line.

Iain does a good job of picking out some of the more interesting bits from the CIA (alleged) file dump. No, you will have to read Iain’s post for those.

I mention Iain’s post primarily as a way to entice you into reading the all the files in hopes of discovering more juicy tidbits.

Read the files. Your security depends on the indifference of the CIA and similar agencies. Is that your model for privacy?

EFF Urges Trusting Cheaters

Sunday, February 19th, 2017

Congress Must Protect Americans’ Location Privacy by Kate Tummarello.

From the post:

Your smartphone, navigation system, fitness device, and more know where you are most of the time. Law enforcement should need a warrant to access the information these technologies track.

Lawmakers have a chance to create warrant requirements for the sensitive location information collected by your devices.

It’s already against the law to intercept and transcribe all phone calls but the weight of the evidence shows the US government is doing exactly that.

The periodic EFF calls for legislation by known cheaters leave me puzzled.

Laws, to government agencies, mark “don’t get caught zones” and little more.

Protecting sensitive location information, to be effective, must be demanded by consumers of manufacturers.

No backdoors, no warrants, no snooping, it’s just that simple.

Amazon Chime – AES 256-bit Encryption Secure – Using Whose Key?

Wednesday, February 15th, 2017

Amazon Chime, Amazon’s competitor to Skype, WebEx and Google Hangouts.

I’m waiting on answers about why the Chime Dialin Rates page omits all of Africa, as well as Burma, Cambodia, Laos and Thailand.

While I wait for that answer, have you read the security claim for Chime?

Security:


Amazon Chime is an AWS service, which means you benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. In addition, Amazon Chime features security capabilities built directly into the service. Messages, voice, video, and content are encrypted using AES 256-bit encryption. The visual roster makes it easy to see who has joined the meeting, and meetings can be locked so that only authenticated users can join.

We have all heard stories of the super strength of AES 256-bit encryption:


As shown above, even with a supercomputer, it would take 1 billion billion years to crack the 128-bit AES key using brute force attack. This is more than the age of the universe (13.75 billion years). If one were to assume that a computing system existed that could recover a DES key in a second, it would still take that same machine approximately 149 trillion years to crack a 128-bit AES key.
… (How secure is AES against brute force attacks? by Mohit Arora.)

Longer than the universe is old! That’s secure.

Or is it?

Remember the age of universe example is a brute force attack.

What if an FBI agent shows up with a National Security Letter (NSL)?

Or a conventional search warrant demanding the decrypted content of a Chime conversation?

Unlocking AES encryption with the key is quite fast.

Yes?

PS: This isn’t a weakness limited to Chime. Any encryption where the key is not under your control is be definition insecure.

Twitter Activist Security

Tuesday, January 31st, 2017

Twitter Activist Security by the grugq.

From the post:

Many people are starting to get politically active in ways they fear might have negative repercussions for their job, career or life. It is important to realise that these fears are real, but that public overt resistance is critical for political legitimacy. This guide hopes to help reduce the personal risks to individuals while empowering their ability to act safely.

I am not an activist, and I almost certainly don’t live in your country. These guidelines are generic with the hope that they will be useful for a larger number of people.

The basic principles of operational security are actually very simple, they’re what we call the three Cs:

  • Cover
  • Concealment
  • Compartmentation

There is more to serious counterintelligence, of course, but keep these three concepts in mind. The two most important concerns will be compartmentation and concealment. In practice this means that you need to separate your resistance Twitter account from your personal life completely.

I won’t quote the details because any omission could be the one that trips you up.

It’s not a short read but if you want to be safe, read Twitter Activist Security at least once a month and see how you stack up against the advice.

The precautions are good ones but I would be asking what “political activism” requires a Twitter account?

Unless you are using the account to stream coded messages, the purpose of such an account is unclear to me.

Not to mention that every account associated with another identity is an opportunity to make a mistake and break cover.

Defeating New York Surveillance (with knitting)

Monday, January 30th, 2017

In Proposal to Reduce Privacy in New York City I pointed out pending plans to add surveillance cameras at seven tunnels and bridges in and out of the city.

I was describing the need to defeat the cameras for personal identity and my wife, a librarian and knitter, said what I was looking for a balaclava. She also said knitting sites, such as Ravelry are full of patterns, etc.

Imagine the chagrin of surveillance camera operators when they encounter:

balaclava-reg-460

Just add sun glasses and you’re set! Total identity concealment!

Don’t get too creative, as a balaclava like this one:

balaclava3-460

is distinctive enough to be recognized a second time and/or found in your apartment or car.

Lastly, there are some people who don’t “get” the idea of a balaclava being for concealment, such as Andrew Salomone, who has preserved his identity with:

balaclava-id-460

Andrew does beautiful work but I’m not inviting him to any op-sec meetings. 😉

Support your local librarians and/or knitters!

Proposal to Reduce Privacy in New York City

Sunday, January 29th, 2017

Memo: New York Called For Face Recognition Cameras At Bridges, Tunnels by Kevin Collier.

From the post:

The state of New York has privately asked surveillance companies to pitch a vast camera system that would scan and identify people who drive in and out of New York City, according to a December memo obtained by Vocativ.

The call for private companies to submit plans is part of Governor Andrew Cuomo’s major infrastructure package, which he introduced in October. Though much of the related proposals would be indisputably welcome to most New Yorkers — renovating airports and improving public transportation — a little-noticed detail included installing cameras to “test emerging facial recognition software and equipment.”

The proposed system would be massive, the memo reads:

The Authority is interested in implementing a Facial Detection System, in a free-flow highway environment, where vehicle movement is unimpeded at highway speeds as well as bumper-to-bumper traffic, and license plate images are taken and matched to occupants of the vehicles (via license plate number) with Facial Detection and Recognition methods from a gantry-based or road-side monitoring location.

All seven of the MTA’s bridges and both its tunnels are named in the proposal.

NYCbridgesTunnels-460

Proposals only at this point but take this as fair warning.

Follow both Kevin Collier and Vocativ as plans by the State of New York to eliminate privacy for its citizens develop.

Counter-measures

One counter measure to license plate readers is marketed under the name PhotoMaskCover.

PhotoMaskCover-460

Caution: I have never used the PhotoMaskCover product and have no relationship with its manufacturer. It claims to work. Evaluate as you would any other product from an unknown vendor.

For the facial recognition cameras, I was reminded that a hoodie and sunglasses are an easy and non-suspicious way to avoid such cameras.

For known MTA facial recognition cameras, wear a deep cowl that casts a complete shadow on your facial features. (Assuming you can drive safely with the loss of peripheral vision.)

As the number of deep cowls increase in MTA images, authorities will obsess more and more over the “unidentifieds,” spending their resources less and less effectively.

Defeating surveillance increases everyone’s freedom.

Online tracking: A 1-million-site measurement and analysis [Leaving False Trails]

Tuesday, January 17th, 2017

Online tracking: A 1-million-site measurement and analysis by Steven Englehardt and Arvind Narayanan.

From the webpage:

Tracking Results

During our January 2016 measurement of the top 1 million sites, our tool made over 90 million requests, assembling the largest dataset (to our knowledge) used for studying web tracking. With this scale we can answer many web tracking questions: Who are the largest trackers? Which sites embed the largest number of trackers? Which tracking technologies are used, and who is using them? and many more.

Findings

The total number of third parties present on at least two first parties is over 81,000, but the prevalence quickly drops off. Only 123 of these 81,000 are present on more than 1% of sites. This suggests that the number of third parties that a regular user will encounter on a daily basis is relatively small. The effect is accentuated when we consider that different third parties may be owned by the same entity. All of the top 5 third parties, as well as 12 of the top 20, are Google-owned domains. In fact, Google, Facebook, and Twitter are the only third-party entities present on more than 10% of sites.
… (emphasis in original)

Impressive research based upon an impressive tool, OpenWPM.

The Github page for OpenWPM reads in part:

OpenWPM is a web privacy measurement framework which makes it easy to collect data for privacy studies on a scale of thousands to millions of site. OpenWPM is built on top of Firefox, with automation provided by Selenium. It includes several hooks for data collection, including a proxy, a Firefox extension, and access to Flash cookies. Check out the instrumentation section below for more details.

Just a point of view but I’m more interested in specific privacy tracking data for some given set of servers than general privacy statistics.

Specific privacy tracking data that enables planning the use of remote browsers to leave false trails.

Kudos to the project, however you choose to use the software.

Raw SIGINT Locations Expanded

Tuesday, January 17th, 2017

President Obama has issued new rules for sharing information under Executive Order 12333, with the ungainly title: (U) Procedures for the Availability or Dissemination of Raw Signals Intelligence Information by the National Security Agency Under Section 2.3 of Executive Order 12333 (Raw SIGINT Availability Procedures).

Kate Tummarello, in Obama Expands Surveillance Powers On His Way Out by Kate Tummarello, sees a threat to “innocent persons:”

With mere days left before President-elect Donald Trump takes the White House, President Barack Obama’s administration just finalized rules to make it easier for the nation’s intelligence agencies to share unfiltered information about innocent people.

New rules issued by the Obama administration under Executive Order 12333 will let the NSA—which collects information under that authority with little oversight, transparency, or concern for privacy—share the raw streams of communications it intercepts directly with agencies including the FBI, the DEA, and the Department of Homeland Security, according to a report today by the New York Times.

That’s a huge and troubling shift in the way those intelligence agencies receive information collected by the NSA. Domestic agencies like the FBI are subject to more privacy protections, including warrant requirements. Previously, the NSA shared data with these agencies only after it had screened the data, filtering out unnecessary personal information, including about innocent people whose communications were swept up the NSA’s massive surveillance operations.

As the New York Times put it, with the new rules, the government claims to be “reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people.”

All of which is true, but the new rules have other impacts as well.

Who is an “IC element?”

The new rules make numerous references to an “IC element,” but comes up short in defining them:

L. (U) IC element is as defined in section 3.5(h) of E.O. 12333.
(emphasis in original)

Great.

Searching for E.O. 12333 isn’t enough. You need Executive Order 12333 United States Intelligence Activities (As amended by Executive Orders 13284 (2003), 13355 (2004) and 13470 (2008)). The National Archives version of Executive Order 12333 is not amended and hence is misleading.

From the amended E.0. 12333:

3.5 (h) Intelligence Community and elements of the Intelligence Community 
        refers to:
(1) The Office of the Director of National Intelligence;
(2) The Central Intelligence Agency;
(3) The National Security Agency;
(4) The Defense Intelligence Agency;
(5) The National Geospatial-Intelligence Agency;
(6) The National Reconnaissance Office; 
(7) The other offices within the Department of Defense for the collection of 
    specialized national foreign intelligence through reconnaissance programs;
(8) The intelligence and counterintelligence elements of the Army, the Navy,
    the Air Force, and the Marine Corps;
(9) The intelligence elements of the Federal Bureau of Investigation;
(10) The Office of National Security Intelligence of the Drug Enforcement
     Administration;
(11) The Office of Intelligence and Counterintelligence of the Department
      of Energy;
(12) The Bureau of Intelligence and Research of the Department of State;
(13) The Office of Intelligence and Analysis of the Department of the Treasury;
(14) The Office of Intelligence and Analysis of the Department of Homeland 
     Security;
(15) The intelligence and counterintelligence elements of the Coast Guard; and
(16) Such other elements of any department or agency as may be designated by 
     the President, or designated jointly by the Director and the head of the 
     department or agency concerned, as an element of the Intelligence Community. 

The Office of the Director of National Intelligence has an incomplete list of IC elements:

Air Force Intelligence Defense Intelligence Agency Department of the Treasury National Geospatial-Intelligence Agency
Army Intelligence Department of Energy Drug Enforcement Administration National Reconnaissance Office
Central Intelligence Agency Department of Homeland Security Federal Bureau of Investigation National Security Agency
Coast Guard Intelligence Department of State Marine Corps Intelligence Navy Intelligence

I say “incomplete” because from E.O. 12333, it is missing (with original numbers for reference):

...
(7) The other offices within the Department of Defense for the collection of 
    specialized national foreign intelligence through reconnaissance programs;
(8) The intelligence and counterintelligence elements of ..., and the 
    Marine Corps;
...
(16) Such other elements of any department or agency as may be designated by 
     the President, or designated jointly by the Director and the head of the 
     department or agency concerned, as an element of the Intelligence Community.

Under #7 and #16, there are other IC elements that are unnamed and unlisted by the Office of the DOI. I suspect the Marines were omitted for stylistic reasons.

Where to Find Raw SIGINT?

Identified IC elements are important because the potential presence of “Raw SIGINT,” beyond the NSA, has increased their value as targets.

P. (U) Raw SIGINT is any SIGINT and associated data that has not been evaluated for foreign intelligence purposes and/or minimized.
… (emphasis in original, from the new rules.)

Tummarello is justly concerned about “innocent people” but there are less than innocent people, any number of appointed/elected official or barons of industry who may be captured on the flypaper of raw SIGINT.

Happy hunting!

PS:

Warning: It’s very bad OPSEC to keep a trophy chart on your wall. 😉

IC_Circle-460

You will, despite this warning, but I had to try.

The original image is here at Wikipedia.

The People vs the Snoopers’ Charter [No Input = No Surveillance, Of Gaff Hooks]

Friday, January 13th, 2017

The People vs the Snoopers’ Charter

From the webpage:


Ever googled something personal?

Who you text, email or call. Your social media activity. Which websites you visit.

Who you bank with. Where your kids go to school. Your sexual preferences, health worries, religious and political beliefs.

Since November, the Snoopers’ Charter – the Investigatory Powers Act – has let the Government access all this intimate information, building up an incredibly detailed picture of you, your family and friends, your hobbies and habits – your entire life.

And it won’t just be accessed by the Home Secretary. Dozens of agencies – the Department for Work and Pensions, HMRC and 46 others – can now see sensitive details of your personal life.

Over 200,000 people signed a petition to stop the Snoopers’ Charter, the Government didn’t listen so we’re taking them to court and we need your help.

There’s no opt-out and you don’t need to be suspected of anything. It will just happen all the time, to every one of us.

The Investigatory Powers Act lets Government keep records of and monitor your private emails, texts and phone calls – that’s where you are, who you speak to, what you say – and all without any suspicion of wrongdoing.

It forces internet companies like Sky, BT and TalkTalk to log every website you visit or app you have used, creating a vast database of deeply sensitive and revealing information. At a time when companies and governments are under increasingly frequent attack from hackers, this will create a goldmine for criminals and foreign spies.

Your support will help us clear the first hurdle, being granted permission by the Court to proceed with our case against the Government.

It’s time we all took a stand. We’ve told the Government we’ll see them in court and we need your help to make that happen. Please donate whatever you can to fund this vital case.
… (emphasis in original)

In case you are missing the background, see: Investigatory Powers Act 2016, which is now law in the UK.

The text as originally enacted.

The true extent of surveillance in the United States is unknown so it isn’t clear if the UK was playing “catch up” with this draconian measure or trying to beat the United States in a race to the least civil society.

Either way, it is an unfortunate milestone in the legal history of a country that gave us the common law.

surveillance-camera-460

From a data science perspective, I would point out that no input = no surveillance.

Your eyes maybe better than mine but in the surveillance camera image, I count at least three vulnerabilities that would render the camera useless.

Ordinary wire cutters:

cutters-460

won’t be useful but a gaff hook could be quite effective in creating a no input state.

The same principle applies whether you choose a professionally made gaff hook or some DIY version of the same instrument.

A gaff hook won’t stop surveillance of ISPs, etc., but disabling a surveillance camera could be seen as poking the government in the eye.

That’s an image I can enjoy. You?

PS: I’m not intimate with UK criminal law. Is possession of a gaff hook legal in the UK?

EFF then (2008) and now (2016)

Tuesday, December 20th, 2016

The EFF has published a full page ad in Wired, addressing the tech industry, saying:

Your threat model has just changed.

EFF’s full-page Wired ad: Dear tech, delete your logs before it’s too late.

Rather remarkable change in just eight years.

Although I can’t show you the EFF’s “amusing” video described in Wired as follows:

THE ELECTRONIC FRONTIER Foundation is feeling a little jolly these days.

As part of its latest donor campaign, it’s created a brief, albeit humorous animated video espousing why it needs your cash.

Among other things, the video highlights the group’s fight for electronic rights, including its lawsuit challenging President Bush’s warrantless eavesdropping on Americans.

The lawsuit prompted Congress to immunize telecoms that freely gave your private data to the Bush administration — without warrants. (The EFF is now challenging that immunity legislation, which was supported by President-elect Barack Obama.)

What’s more, the EFF video, released Wednesday, reviews the group’s quest for fair use of copyrighted works, working electronic voting machines, and how it foiled wrongly issued patents.

It’s not on the EFF site, not available from the Wayback Machine, but it sounds very different from the once in a lifetime fund raising opportunity presented by President-elect Trump.

President Obama could have ended all of the surveillance apparatus that was in place when he took office. Dismantled it entirely. So that Trump would be starting over from scratch.

But no, the EFF has spent the last eight years working within the system in firm but polite disagreement.

The result of which is President-elect Trump has at his disposal a surveillance system second to none.

The question isn’t whether we should have more transparency for the Foreign Intelligence Surveillance Court but to strike at its very reason for existence. The charade of international terrorism.

Have you ever heard the EFF argue that toddlers kill more Americans every year than terrorists? Or any of the other statistics that demonstrate the absurdity of US investment in stopping a non-problem?

If you are serious about stopping surveillance then we need to strike at its rationale for existence.

Tolerance of surveillance, the EFF position, is a guarantee that surveillance will continue.

PS: Cory Doctorow attempts to make the case that President-elect Trump will do worse than President Obama. It’s possible but considering what Obama has done, it’s too close to call at this point. (You do realize we already have databases of Muslims, yes? So playing the “Trump says he will build a database of Muslims” card, yes, he said that, is deceptive. It already exists.)

I agree we are in danger from the incoming administration but it’s a factual issue whether it will be any worse than the present one.

The distance between said and actual policy can be quite large. Recalling that Obama promised to close our illegal detention of prisoners at Guantanamo Bay. Yet, eight years later a number of them remain there still.

VA State Police Paid $585K+ For Cell Site Simulator – Your Price?

Sunday, December 4th, 2016

Virginia State Police releases cellphone surveillance logs Since May 2015, the VSP have used their DRTbox unit 12 times – 5 of which appeared ineffective by Curtis Waltman.

From the post:

As part of a nationwide FOIA census for cell site simulator surveillance devices, the Virginia State Police responded with new documents detailing their acquisition and use of the DRT 1183C. Made by Digital Receiver Technology of Maryland, the DRT 1183C is a device that is commonly referred to as a DRTbox. It is very similar to other cell site simulators like the Harris Corporation’s Stingray, except that DRTboxes can also intercept voice communication as well as GPS location and other metadata.

Astonishingly unredacted, these documents detail their 2014 purchase, which upgraded their obsolete DRTbox model to the smaller and more powerful 1183C. This cost the VSP $585,265, and came complete with a whole bunch of accessories, including a Chevrolet Suburban outfitted specifically to run the device.

Two questions:

  1. What features are offered by your home-brew cell site simulator?
  2. Estimated price (parts + labor)?

When law enforcement, judges, legislators, etc., join ordinary citizens in the smartphone gold fish bowl, effective privacy will be a goal of vendors.

Spies in the Skies [Fostered by Obama, Inherited by Trump]

Tuesday, November 29th, 2016

Spies in the Skies by Peter Aldhous and Charles Seife.

Post in April of 2016, it reads in part:

Each weekday, dozens of U.S. government aircraft take to the skies and slowly circle over American cities. Piloted by agents of the FBI and the Department of Homeland Security (DHS), the planes are fitted with high-resolution video cameras, often working with “augmented reality” software that can superimpose onto the video images everything from street and business names to the owners of individual homes. At least a few planes have carried devices that can track the cell phones of people below. Most of the aircraft are small, flying a mile or so above ground, and many use exhaust mufflers to mute their engines — making them hard to detect by the people they’re spying on.

The government’s airborne surveillance has received little public scrutiny — until now. BuzzFeed News has assembled an unprecedented picture of the operation’s scale and sweep by analyzing aircraft location data collected by the flight-tracking website Flightradar24 from mid-August to the end of December last year, identifying about 200 federal aircraft. Day after day, dozens of these planes circled above cities across the nation.

The FBI and the DHS would not discuss the reasons for individual flights but told BuzzFeed News that their planes are not conducting mass surveillance.

The DHS said that its aircraft were involved with securing the nation’s borders, as well as targeting drug smuggling and human trafficking, and may also be used to support investigations by the FBI and other law enforcement agencies. The FBI said that its planes are only used to target suspects in specific investigations of serious crimes, pointing to a statement issued in June 2015, after reporters and lawmakers started asking questions about FBI surveillance flights.

“It should come as no surprise that the FBI uses planes to follow terrorists, spies, and serious criminals,” said FBI Deputy Director Mark Giuliano, in that statement. “We have an obligation to follow those people who want to hurt our country and its citizens, and we will continue to do so.”

I’m not surprised the FBI follows terrorists, spies, and serious criminals.

What’s problematic is that the FBI follows all of us and then, after the fact, picks out alleged terrorists, spies and serious criminals.

The FBI could just as easily select people on their way to a tryst with a government official’s wife, or to attend an AA meeting, or to attend an unpopular church.

Once collected, the resulting information is subject to any number of uses and abuses.

Aldhous and Seife report the flights drop 70% on the weekend so if you are up to mischief, plan around your weekends.

When writing about the inevitable surveillance excesses under President Trump, give credit to President Obama and his supporters, who built the surveillance state Trump inherited.

Surveillance Self-Defense [Guide to creating “false” persona?]

Tuesday, November 15th, 2016

Surveillance Self-Defense – Tips, Tools and How-Tos for Safer Online Communications

From the webpage:

Modern technology has given those in power new abilities to eavesdrop and collect data on innocent people. Surveillance Self-Defense is EFF’s guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices.

Select an article from our index to learn about a tool or issue, or check out one of our playlists to take a guided tour through a new set of skills.

Definitely a starting point that merits sharing.

One important topic that is missing: How to create a “false” persona?

A “false” persona that cannot be connected back to a user is far more valuable than two-factor authentication, strong passwords, etc.

Pointers to such resources?

Leaking and Whistleblowing in the Trump Era

Monday, November 14th, 2016

In the Trump Era, Leaking and Whistleblowing Are More Urgent, and More Noble, Than Ever by Glenn Greenwald.

From the post:

For the past 15 years, the U.S. Government under both parties has invented whole new methods for hiding what they do behind an increasingly impenetrable wall of secrecy. From radical new legal doctrines designed to shield their behavior from judicial review to prosecuting sources at record rates, more and more government action has been deliberately hidden from the public.

One of the very few remaining avenues for learning what the U.S. Government is doing – beyond the propaganda that they want Americans to ingest and thus deliberately disseminate through media outlets – is leaking and whistleblowing. Among the leading U.S. heroes in the War on Terror have been the men and women inside various agencies of the U.S. Government who discovered serious wrongdoing being carried out in secret, and then risked their own personal welfare to ensure that the public learned of what never should have been hidden from it in the first place.

Many of the important consequential revelations from the last two administrations were possible only because of courageous sources who came forward in this way. It’s how we learned about the abuses of Abu Ghraib, the existence of torture-fueled CIA “black sites,” the Bush warrantless eavesdropping program, the wanton slaughter carried out in Iraq and Afghanistan, the recklessness and deceit at the heart of the U.S. drone program, the NSA’s secret construction of the largest system of suspicionless, mass surveillance ever created, and so many other scandals, frauds, and war crimes that otherwise would have remained hidden. All of that reporting was possible only because people of conscience decided to disregard the U.S. Government’s corrupt decree that this information should remain secret, on the ground that concealing it was designed to protect not national security but rather the reputations and interests of political officials.

For that reason, when the Intercept was created, enabling safe and productive whistleblowing was central to our mission. We hired some of the world’s most skilled technologists, experts in information security and encryption, to provide maximum security for our journalists and our sources. We adopted the most advanced programs for enabling sources to communicate and provide information to us anonymously and without detection, such as Secure Drop. And we made an institutional commitment to expend whatever resources are necessary to defend the right of a free press to report freely without threats of recrimination, and to do everything possible to protect and defend our sources who enable that vital journalism.

Over the past two years, we have published several articles by our security experts on how sources (and others) can communicate and provide information to us in the safest and most secure manner possible, to minimize the chances of being detected. We’ve published interviews with other experts, such as Edward Snowden, on the most powerful tools and methods available for securing one’s online communications. As our technologist Micah Lee explained, no method is perfect, so “caution is still advised to those who want to communicate with us without exposing their real-world identities,” but tools and practices do exist to maximize anonymity, and we are committed to using those and informing the public about how to use them in the safest and most effective manner possible.

Considering the damage done to the Constitution by George W. Bush and Barack Obama, leaking/whistleblowing in the Trump era is not “more urgent, and more noble….”

That is to say leaking/whistleblowing is always urgent and noble.

Think about the examples Greenwald cites. All are from the Bush and Obama administrations with nary a hint of Trump.

Exposing murder, torture, war crimes, lying to allies, Congress and the American public. And that’s just the short list. The margin of this page isn’t large enough to enumerate all the specific crimes committed by both administrations.

By all means, let’s encourage leaking and whistleblowing in the Trump era, but don’t leak timidly.

Government officials, staffers, contractors and their agents (double or otherwise), have freely chosen to participate in activities hidden from the public. Hidden because they are ashamed of what they have done (think CIA torturers) and/or fear just prosecution for their crimes (waging wars of aggression).

Leak boldly, insist on naming all names and all actions being described.

Secrecy hasn’t prevented excesses in secret, perhaps severe and repeated consequences from bold leaks will.

Leak early, often and in full.

PS: We should not rely exclusively on insiders to leak information.

Hackers have an important role to play in creating government transparency, with or without the government’s consent.

Orwell: The surveillance game that puts you in Big Brother’s shoes [Echoes of Enders Game?]

Sunday, November 13th, 2016

Orwell: The surveillance game that puts you in Big Brother’s shoes by Claire Reilly.

From the post:

“Big Brother has arrived — and it’s you.”

As CNET’s resident privacy nark, I didn’t need much convincing to play a game all about social engineering and online surveillance.

But when I stepped into my role as a new recruit for the fictional Orwell internet surveillance program, I didn’t expect to find the rush of power so beguiling, or unsettling.

Developed by German outfit Osmotic Studios, Orwell sees you working as a new recruit in a surveillance agency of the same name, following a series of terrorist attacks in Bonton, the fictional capital of The Nation. As an agent, you are responsible for scraping social media feeds, blogs, news sites and the private communications of the Nation’s citizens to find those with connections to the bombings.

You start with your first suspect before working through a web of friends and associates. You’re after data chunks — highlighted pieces of information and text found in news stories, websites and blogs that can be dragged and uploaded into the Orwell system and permanently stored as evidence.

The whole game has a kind of polygon graphic aesthetic, making the news clippings, websites and social media feeds you’re trawling feel close to the real thing. But as with everything in Orwell, it’s viewed through a glass, darkly.

If you are a game player, this sounds wickedly seductive.

If your not, what if someone weaponized Orwell so that what appear to be “in the game” hacks are hacks in the “real world?”

A cybersecurity “Enders Game” where the identity of targets and consequences of attacks are concealed from hackers?

Are the identity of targets or consequences of attacks your concern? Or is credit for breaching defenses and looting data enough?

Before reaching that level of simulation, imagine changing from the lone/small group hacker model to a more distributed model.

Where anonymous hackers offer specialized skills, data or software in collaboration on proposed hacks.

Ideas on the requirements for such a collaborative system?

Assuming nation states get together on cybersecurity, it could be a mechanism to match or even out perform such efforts.

Another Day, Another Law To Ignore – Burner Drones Anyone?

Thursday, October 27th, 2016

Sweden bans cameras on drones, deeming it illegal surveillance by Lisa Vaas.

From the post:

Sweden last week banned the use of camera drones without a special permit, infuriating hobby flyers and an industry group but likely pleasing privacy campaigners.

Drone pilots will now have to show that there’s a legitimate benefit that outweighs the public’s right to privacy – and there are no exemptions for journalists, nor any guarantee that a license will be granted.

The cost of a license depends on variables such as the takeoff weight of the drone and whether it’s going to be flown further than the pilot can see, and none of the licenses are cheap. Costs range from an annual license fee of €1,200 right up to a maximum hourly fee of €36,000.

UAS Sweden (Unmanned Aerial System – SWEDEN) has objected to the ruling on the potential for loss of jobs.

The interests of the industry will be better met with development and advocacy of burner drones. Similar to a burner cellphone, it isn’t intended for recovery/re-use.

Burner drones are critical to reporting on government attacks like the one imminent on #NoDAPL camps (North Dakota).

Burner drones keep journalists beyond the reach of batons, tear gas and water canon, all good things.

Just searching quickly, Airblock has the right idea but its capabilities are too limited to make an effective burner drone for journalists.

Something on that order, with a camera, longer range/duration, modular is good, especially if you can add on parts that “bite.”

Privacy advocates miss the fact there is no privacy in the face of modern government surveillance. Banning drones only reduces the ability of people to counter-spy upon their less than truthful governments.

In case you are interested, the administrative court ruling in question:

The organization of camera on a drone but not for the camera in a car

Summary:

The Supreme Administrative Court has in two judgments found that a camera mounted on a drone requires a permit under camera surveillance law while a camera mounted behind the windscreen of a car or on a bicycle handlebar does not need permission.

Please ping me with notices of burner drone projects. Thanks!

Unmasking Tor users with DNS

Thursday, October 6th, 2016

Unmasking Tor users with DNS by Mark Stockley.

From the post:

Researchers at the KTH Royal Institute of Technology, Stockholm, and Princeton University in the USA have unveiled a new way to attack Tor and deanonymise its users.

The attack, dubbed DefecTor by the researchers’ in their recently published paper The Effect of DNS on Tor’s Anonymity, uses the DNS lookups that accompany our browsing, emailing and chatting to create a new spin on Tor’s most well established weakness; correlation attacks.

If you want the lay-person’s explanation of the DNS issue with Tor, see Mark’s post. If you want the technical details, read The Effect of DNS on Tor’s Anonymity.

The immediate take away for the average user is this:

Donate, volunteer, support the Tor project.

Your privacy or lack thereof is up to you.

Oversight Concedes Too Much

Wednesday, September 28th, 2016

It’s deeply ironic that the Electronic Frontier Foundation writes in: Police Around the Country Regularly Abuse Law Enforcement Databases:


The AP investigation builds off more than a year’s worth of research by EFF into the California Law Enforcement Telecommunications System (CLETS). EFF previously found that the oversight body charged with combatting misuse had been systematically giving law enforcement agencies a pass by either failing to make sure agencies filed required misuse data or to hold hearings to get to the bottom of persistent problems with misuse. As EFF reported, confirmed misuse cases have more than doubled in California between 2010 and 2015.

Contrast that post with:

NSA’s Failure to Report Shadow Broker Vulnerabilities Underscores Need for Oversight and What to Do About Lawless Government Hacking and the Weakening of Digital Security, both of which are predicated on what? Oversight.

Sorry, it is one of those “facts” everyone talks about in the presidential debates that both the Senate select Committee on Intelligence and the House Permanent Select Committee on Intelligence have been, are and in all likelihood will be, failures in terms of oversight of intelligence agencies. One particularly forceful summary of those failures can be found in: A Moon Base, Cyborg Army, and Congress’s Failed Oversight of the NSA by Eli Sugarman.

Eli writes:

Does the U.S. government have a moon base? How about a cyborg army? These questions were not posed by Stephen Colbert but rather by Rep. Justin Amash (R-MI) to highlight the futility of Congress’s intelligence oversight efforts. Amash decried how Congress is unable to reign in troubling NSA surveillance programs because it is not adequately informed about them or permitted to share the minimal information it does know. Congress is instead forced to tease out nuggets of information by playing twenty questions with uncooperative intelligence officials in classified briefings.

Oversight? When the overseen decide if, when, where and how much they will disclose to the overseers?

The EFF and others need to stop conceding the legitimacy of government surveillance and abandon its quixotic quest for implementation of a strategy, oversight, which is known to fail.

For anyone pointing at the latest “terrorism” attack in New York City, consider these stats from the Center for Disease Control (CDC, 2013):

Number of deaths for leading causes of death:

  • Heart disease: 614,348
  • Cancer: 591,699
  • Chronic lower respiratory diseases: 147,101
  • Accidents (unintentional injuries): 136,053
  • Stroke (cerebrovascular diseases): 133,103
  • Alzheimer’s disease: 93,541
  • Diabetes: 76,488
  • Influenza and Pneumonia: 55,227
  • Nephritis, nephrotic syndrome and nephrosis: 48,146
  • Intentional self-harm (suicide): 42,773

Do you see terrorism on that list?

Just so you know, toddlers with guns kill more people in the United States than terrorists.

Without terrorism, one of the knee-jerk justifications for government surveillance vanishes.

The EFF should be challenging the factual basis of government justifications for surveillance one by one.

Conceding that any justification for surveillance exists without contesting its factual basis is equivalent to conceding the existence of an unsupervised surveillance state.

Once surveillance is shown to have no factual justification, then the dismantling of the surveillance state can begin.

Tor 0.2.8.8 is released, with important fixes

Friday, September 23rd, 2016

Tor 0.2.8.8 is released, with important fixes

Source available today, packages over the next week.

Privacy is an active, not passive stance.

Steps to take:

  1. Upgrade your Tor software.
  2. Help someone upgrade their Tor software.
  3. Introduce one new person to Tor.

If you take those steps with every upgrade, Tor will spread more quickly.

I have this vision of James Clapper (Director of National Intelligence), waking up in a cold sweat as darkness spreads across a visualization of the Internet in real time.

Just a vision but an entertaining one.