October 18th, 2017
posted by [syndicated profile] savagelove_feed at 09:18am on 18/10/2017

Posted by Dan Savage

Parental Controls by Dan Savage

My only child is 16 years old. He was curious about sex from a very young age and very open with me, so his interest in sexual matters gave me ample opportunity to talk with him about safety and consent. He went through a cross-dressing phase when he was small—mostly wanting to wear nail polish and try on mascara—and I felt like I navigated those waters pretty well, but his father made attempts to squelch those impulses. (He and I are divorced. He has since remarried and is less involved.) That's the background. I've always accepted that he is who he is and done my best to help guide and educate him. Then last year, I caught him trying to shoplift a pair of panties. I'm not the sort of mom who freaks out, but I made him put them back and talked to him about his actions. When I asked him why he stole them, he refused to tell me. I asked: "Did you want them to masturbate with? Did you want to wear them?" He said he wanted to try them on. I told him that if he wanted to explore, he needed to do that with a legal purchase and in the privacy of his own room. Today, I found a girl's bra in the laundry. He says he doesn't know whose it is or how it got there, but this isn't my first rodeo. What on earth do I do? If I send him to a therapist and this is about being trans or cross-dressing tendencies, I'm afraid that will shame him. However, this is now something of a criminal/ethical concern, and I want to nip that in the bud. He is in every way a wonderful human: kind, smart, funny, athletic, no drugs. Is this just the same kid who has always been curious about sex? Or are these warning signs of some sort of sexual deviance? Please help.

Mom In Sleepy South Carolina Lovingly Educates Offspring

Take a deep breath, MISSCLEO, or take two—take however many you need until you're back in touch with your inner mom, the one who doesn't freak out.

Your son may be a cross-dresser or he may be trans or he may find bras and panties titillating because women wear them and he wants to sleep with women (not be one). (Lots of gay boys are titillated by jockstraps—but a closeted gay boy can collect 'em all without freaking out his mom.) We can't know whether your son is a cross-dresser, trans, or merely titillated, MISSCLEO, but he's clearly exploring and wants to do so privately. So while he could go to his mom and ask for a pair of panties and let her know exactly how he intends to use them, he doesn't want to ask his mom for a pair of panties or share his uses for them with his mom. He knows you've always accepted him for who he is (but a reminder never hurts), so if this is about his gender identity, well, you'll have to trust that he'll share that with you when he's ready. But if this is about a kink, he may never share that info with you, because why on earth would he? Kinks are for sharing with lovers, not mothers.

Give your son some space, including the space to make his own mistakes. As teenage misbehavior goes, swiping a single pair of panties isn't exactly a crime spree. If you suspect he snuck into the girls' locker room and made off with a bra (there has to be an easier way for a guy to get his hands on a bra!), you'll want to address that with him—not the "Why do you want a bra?" part, but the risk of getting caught, suspended, expelled, or worse. There are too many prosecutors out there looking for excuses to slap the "sex offender" label on teenagers—especially in the Bible Belt.

My hunch is you don't have a sex offender on your hands or a kid drifting into organized crime. You have a slightly pervy teenage boy who's curious about sex and who may, like millions of other men, have a thing for women's undergarments. You should emphasize the Not Okay–ness of shoplifting panties from stores or stealing bras from classmates (or the siblings of friends or Laundromats or thrift stores) and the possible consequences should he get caught—theft charges, suspension/expulsion, losing friends, coming into the sights of a sex-negative prosecutor. (Seriously: A man like Harvey Weinstein gets away with assaulting women for decades, but prosecutors across the country are throwing the book at teenagers who got caught sharing pics they took of themselves with their BFs/GFs/NBFs.) But otherwise, MISSCLEO, I'm going to advise you to back the fuck off. Your son knows you love him, he knows he can talk to you about anything, and he'll confide in you if and when he's ready—if, again, this is something he needs to discuss with you at all.


My father passed away suddenly. I had a very idyllic childhood and was close to my father and my mother (who is also deceased). Upon sorting through my father's stuff after his death, I stumbled upon his erotica collection. If it were just a stack of Playboys, I would have thought nothing of it—that's just men being men. However, his collection contained material that was quite disturbing to me, including photos depicting violent sexual acts and fictional erotica books and magazines with themes of incest. Additionally, there were letters from people with whom he was obviously having extramarital affairs, including during the time that I was a child and believed that we were a "normal" family. Since discovering this, it has been hard for me to come to terms with it and think of my father in the way that I used to. I can barely stand to look at a photograph of him. I consider myself to be a sex-positive person, and I realize that even parents are entitled to be kinky, but I simply can't get over this. Any suggestions for how to deal with what I'm feeling and how to try to get past it?

Parent's Arousal Really Ended Nice Thoughts

Sex-positive, huh? Could've fooled me.

Your dad was a kinky motherfucker—you know that now—and if you've been reading Savage Love for a while, you'll know that lots of people are kinky and, distressingly, lots of people out there "enjoy" incest porn. "Of the top hundred searches by men on Pornhub," Seth Stephens-Davidowitz writes in his book Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are, "sixteen are looking for incest-themed videos." And it's not just men: "Nine of the top hundred searches on Pornhub by women are for incest-themed videos." That's cold comfort, I realize, and it doesn't make it any less squicky, but your dad's tastes weren't as freakish as you thought and/or hoped.

As for his affairs, your happy childhood, and your suddenly conflicted feelings...

Your mother isn't with us, PARENT, so you can't ask her what her arrangement was with your father. But it's unlikely you would have had such an idyllic childhood if your parents' marriage was contentious and your mom was miserable about your dad's cheating and his kinks. It seems likely that your mom didn't have a problem with your dad's sexual interests or she tolerated them or—and I hope you're sitting down—she was an active and happy participant. (Kinky women weren't invented in a lab in San Francisco in 2008.) If your mom didn't have a problem with your dad's kinks (which she had to have known about) or his affairs (which she might not have known about), I don't see why they should be a problem for you.


On the Lovecast, Dan chats with the creator of a naughty, naughty game: savagelovecast.com.

mail@savagelove.net

@fakedansavage

ITMFA.org


posted by [syndicated profile] bruce_schneier_feed at 02:58pm on 18/10/2017

Posted by Bruce Schneier

In August, four US Senators introduced a bill designed to improve Internet of Things (IoT) security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn't regulate the IoT market. It doesn't single out any industries for particular attention, or force any companies to do anything. It doesn't even modify the liability laws for embedded software. Companies can continue to sell IoT devices with whatever lousy security they want.

What the bill does do is leverage the government's buying power to nudge the market: any IoT product that the government buys must meet minimum security standards. It requires vendors to ensure that devices can not only be patched, but are patched in an authenticated and timely manner; don't have unchangeable default passwords; and are free from known vulnerabilities. It's about as low a security bar as you can set, and that it will considerably improve security speaks volumes about the current state of IoT security. (Full disclosure: I helped draft some of the bill's security requirements.)

The bill would also modify the Computer Fraud and Abuse and the Digital Millennium Copyright Acts to allow security researchers to study the security of IoT devices purchased by the government. It's a far narrower exemption than our industry needs. But it's a good first step, which is probably the best thing you can say about this legislation.

However, it's unlikely this first step will even be taken. I am writing this column in August, and have no doubt that the bill will have gone nowhere by the time you read it in October or later. If hearings are held, they won't matter. The bill won't have been voted on by any committee, and it won't be on any legislative calendar. The odds of this bill becoming law are zero. And that's not just because of current politics -- I'd be equally pessimistic under the Obama administration.

But the situation is critical. The Internet is dangerous -- and the IoT gives it not just eyes and ears, but also hands and feet. Security vulnerabilities, exploits, and attacks that once affected only bits and bytes now affect flesh and blood.

Markets, as we've repeatedly learned over the past century, are terrible mechanisms for improving the safety of products and services. It was true for automobile, food, restaurant, airplane, fire, and financial-instrument safety. The reasons are complicated, but basically, sellers don't compete on safety features because buyers can't efficiently differentiate products based on safety considerations. The race-to-the-bottom mechanism that markets use to minimize prices also minimizes quality. Without government intervention, the IoT remains dangerously insecure.

The US government has no appetite for intervention, so we won't see serious safety and security regulations, a new federal agency, or better liability laws. We might have a better chance in the EU. Depending on how the General Data Protection Regulation on data privacy pans out, the EU might pass a similar security law in 5 years. No other country has a large enough market share to make a difference.

Sometimes we can opt out of the IoT, but that option is becoming increasingly rare. Last year, I tried and failed to purchase a new car without an Internet connection. In a few years, it's going to be nearly impossible to not be multiply connected to the IoT. And our biggest IoT security risks will stem not from devices we have a market relationship with, but from everyone else's cars, cameras, routers, drones, and so on.

We can try to shop our ideals and demand more security, but companies don't compete on IoT safety -- and we security experts aren't a large enough market force to make a difference.

We need a Plan B, although I'm not sure what that is. E-mail me if you have any ideas.

This essay previously appeared in the September/October issue of IEEE Security & Privacy.

posted by [syndicated profile] xkcd_feed at 04:00am on 18/10/2017
October 17th, 2017
solarbird: (widow)

Widowmaker brought herself in from the cold, one day, exchanging a list of Talon agents for sanctuary, and at first couldn't or wouldn't say why. Her first breakthrough in explaining herself came in a talk with Lena Oxton, who then helped her break through Angela Ziegler's insistence that Widowmaker was not really a person, and that Amélie Lacroix could yet be recovered. But despite that truth, sometimes, some of Amélie's last memories - mostly but not always tightly compartmentalised away - trouble the spider, and this is one of those times.

This is the sixth in a series of stories set in the It is Not Easy to Explain, She Said continuity, a timeline largely compliant with known canon as of July 2017 (pre-Doomfist/Masquerade), which is when I wrote and posted the first story. It is not part of the on overcoming the fear of spiders AU.

This story follows "It's not easy to explain, said Lena Oxton" in chronological sequence. [AO3 link]


"Do you remember what it was like?"

Lena held Widowmaker's hand, gently, as they sat together, otherwise alone, mid-afternoon, in the smaller canteen at Gibraltar. She drank tea, cream, two sugars. Her counterpart drank obscenely hot coffee, unsweetened, strong, and dark.

For the most part, Amélie's memories stayed safely in their place, out of Widowmaker's way, but there were a few, occasionally, at the border between her birth and the previous woman's death, that picked at her, at times. Dr. Ziegler suggested that was because of the emotions around them - emotions could, perhaps, last long enough, even if the thoughts themselves didn't, to become Widowmaker's emotions as well.

"A little," said the former Talon assassin, after some delay. "Not very much, thankfully. I do not think she was making new memories very well, by then. But there are some."

Lena shuddered a little. "I can't even imagine it."

Widowmaker shook her head. "For her, it was not even the fear of it happening. It was..." She pondered a moment. "It is not easy to explain."

"I can't imagine it would be."

"She would feel, and think, one way, one thing, and then, she would find herself thinking another way, a different thing, a thing like I would think, sometimes, but she would be thinking it, and not me. And sometimes it would be something neither of us would think, but something they very much wanted her to think. And she would believe what she thought, and what she felt, but she would know, she would remember, moments before, thinking very differently about the same thing."

"And she'd fight it," assumed Tracer, "and that would hurt."

"No - but yes? Both would feel like it was her. There was nothing for her to fight. But the difference in the two... that, she found horrifying."

Lena let out a long breathy hoo sound, and took another sip of her tea, before continuing. "So they were making her think... their thoughts, then."

"My thoughts, at least, at times." She leaned her elbows against the table. "Or, to be more correct, the kind of thoughts they wanted me to think. About... how lovely, how beautiful, how perfect it would be when they put her back, and she killed Gérard. And she would believe it, because she could already feel it." The assassin smiled. "As I do, when I kill."

Tracer shuddered. She knew, she knew that the assassin enjoyed her kills - that for a long time, it had been all she lived for. But making Amélie feel that, and Amélie knowing they made her feel that... "Was it you, then? When they did it?" she asked, hoping for an unlikely yes.

The blue assassin laughed, a sound that still made Lena's heart ring every time it happened, no matter the context. "No. I could hardly have imitated Amélie so well for so long. I'd've been discovered, almost immediately. No - it was still her." She took a sip of her coffee. It had cooled a bit, but remained hot enough for her tastes. "That's why it took her two weeks to strike."

"So in the end..." the teleporter said, voice distant in her own ears, "Amélie killed Gérard. And enjoyed it."

Widowmaker nodded. "In a way. They were never able to achieve everything they wanted with her, but they were able to recondition her enough to kill - at least, for a time. And so, she assassinated Gérard, but being torn between the grief and the guilt and the ecstasy..." She shook her head. "That all but shattered her. When she returned, as programmed, they took her apart completely. And built me."

"But you feel some of her... emotions, from then? Her conflict?"

"I do," she said, a tinge of sadness in her voice. She put down her cup. "It was the only death about which I felt conflicted, until Mondatta, and the fight with you."

Lena put a third sugar in her tea. She needed something sweet right then. "D'ya ever wonder," she said, as she refilled her cup from the teapot, "if they'd done a better job sealing her off, if you might not've started to, y'know, think on your own?"

"Internal conflict as the source of self-awareness? Dr. Ziegler has suggested that idea as well." She shrugged. "I do not know. But let's say it's true - in which case, Talon did me yet another favour. They..." she picked her cup back up, sipped at the coffee, and put it back down, "left me open, on accident, to you." And she smiled again, just a little, at the side of her mouth.

The Overwatch teleporter let out her breath, and her eyes softened just a bit, as she looked into those metallic eyes. "Aw, luv. That's..."

"May I kiss you?"

Lena blinked, putting down her tea. "...you... care about..." She shook her head, just a little. "...things like that?"

"I don't know." The spider shrugged again, this time with something artificial in the nonchalance. "But I am finding I... may. At least, with you. Shall we find out?"

Lena wasn't sure what she expected. Would she be cold? Would she feel wrong, would she feel like some dead - and then no, she did not, she was not, she was none of those things, she was cool, yes, but not cold, cool like the first breezes of autumn, like the first hints of snow off the mountains, not chilling, but invigorating, and Lena returned the kiss, almost involuntarily, herself warm, no, hot, like summer sun, like the last day at a Spanish beach before the turning of the weather, and Widowmaker was just as surprised, finding herself melting just a little bit more, and she gasped, pulling away, panting, looking down at her coffee, thinking, How can she be so warm?, before looking back up at the one who had reached past her eyes of molten gold, and finding she had no words then at all.

"Blimey, luv..." managed Lena, after a moment. "You're... only the second woman ever to make me feel like that with a kiss."

"For me, you," breathed Widowmaker, eyes wide, "...are the first."

"I hope it don't make you feel like killin' someone," Lena half-laughed, half-serious, half-joking, a lot nervous and a little afraid, and if that made more than a whole, so be it. "Chiefly, me."

"Never." Widowmaker reached across the table, grabbing Lena's hands with both of her own. "Do you understand? Never. I could not."

She pulled Lena forward, close, quickly, knocking the teacup across the table, shattering it on the floor, and the smaller woman gasped, startled, but did not flee.

"I do not know why, and I do not know how, but..." The spider kissed the teleporter, again, the meeting short but intense, "...I have found someone I could never kill."

Hooooooo, thought a part of the teleporter, unexpected emotions swirling around her mind, throwing her into responding before she even knew she was doing it. This is not gonna be easy to explain, to... to anybody.

Mood: calm


Today's News:

Thanks. I mean it. Without you, we don't get to do this project.



Hovertext:
Later it turns out he was talking to Satan. But, it's okay because he has gold.

New comic!
Today's News:

Dear sweet lord it's pub day. God help us.

Posted by Bruce Schneier

A security flaw in Infineon smart cards and TPMs allows an attacker to recover private keys from the public keys. Basically, the key generation algorithm sometimes creates public keys that are vulnerable to Coppersmith's attack:

While all keys generated with the library are much weaker than they should be, it's not currently practical to factorize all of them. For example, 3072-bit and 4096-bit keys aren't practically factorable. But oddly enough, the theoretically stronger, longer 4096-bit key is much weaker than the 3072-bit key and may fall within the reach of a practical (although costly) factorization if the researchers' method improves.

To spare time and cost, attackers can first test a public key to see if it's vulnerable to the attack. The test is inexpensive, requires less than 1 millisecond, and its creators believe it produces practically zero false positives and zero false negatives. The fingerprinting allows attackers to expend effort only on keys that are practically factorizable.

This is the flaw in the Estonian national ID card we learned about last month.

The paper isn't online yet. I'll post it when it is.

Ouch. This is a bad vulnerability, and it's in systems -- like the Estonian national ID card -- that are critical.
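The inexpensive key test mentioned in the quoted passage, written from the key owner's side as an added example (not code from this post or from the researchers). It assumes the key structure described in the later-published ROCA paper, where each prime has the form k*M + (65537^a mod M) for a product M of small primes; the sample moduli, the seed and all function names are constructed for illustration.

```python
import math
import random

# First 39 primes (2..167). Assumption from the published ROCA analysis: affected
# primes are k*M + (65537^a mod M), where M is a product of small primes like these.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def generated_subgroup(r):
    """Return {65537^k mod r}: the only residues mod r a structured modulus can have."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % r
    return seen


FINGERPRINT = {r: generated_subgroup(r) for r in SMALL_PRIMES}


def has_roca_fingerprint(modulus):
    """True if the RSA modulus lies in the 65537-generated subgroup for every small prime."""
    return all(modulus % r in allowed for r, allowed in FINGERPRINT.items())


def false_positive_estimate():
    """Heuristic chance that an unrelated modulus passes, treating residues as uniform."""
    rate = 1.0
    for r, allowed in FINGERPRINT.items():
        if r > 2:
            rate *= len(allowed) / (r - 1)
    return rate


def is_probable_prime(n):
    """Trial division by the small primes, then Miller-Rabin with twelve fixed bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES[:12]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def constructed_structured_prime(rng):
    """Build a sample prime with the assumed structure (test data, not a real card key)."""
    m = math.prod(SMALL_PRIMES)
    while True:
        k = rng.getrandbits(37) | (1 << 36)
        candidate = k * m + pow(GENERATOR, rng.getrandbits(62), m)
        if is_probable_prime(candidate):
            return candidate


def constructed_structured_modulus(seed=2017):
    """Constructed sample modulus: the product of two structured primes."""
    rng = random.Random(seed)
    return constructed_structured_prime(rng) * constructed_structured_prime(rng)


# Constructed control modulus: product of the Mersenne primes 2^127-1 and 2^89-1.
# Its residue mod 11 is 8, outside the subgroup {1, 10}, so the test rejects it.
CONTROL_MODULUS = (2**127 - 1) * (2**89 - 1)

if __name__ == "__main__":
    print("structured sample flagged:", has_roca_fingerprint(constructed_structured_modulus()))
    print("control modulus flagged:  ", has_roca_fingerprint(CONTROL_MODULUS))
    print("estimated false-positive rate: %.2e" % false_positive_estimate())
```

Running `has_roca_fingerprint` over the moduli in a certificate or key inventory shows which keys need to be regenerated outside the affected library.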

October 16th, 2017
solarbird: (widow)

unf

posted by [personal profile] solarbird at 05:14pm on 16/10/2017
last time i posted, i was in a bit of a slump - possibly more perceived than real, according to the numbers - but i've been digging back out a bit the last couple of days. i definitely needed to do more annabots, because of what it does for my tracking, which deathmatch does not do. the two training modes complement each other well.

anyway, i'm home sick today with a head cold, and so had two daytime sessions and i just gotta say

do not step to me as widowmaker on defence in hanamura

just

don't

okay, so, i'm up to a 12 kill streak and my scope percentage is pretty good and my critical hit count is decent, and there's like 35 seconds left and we seem to be in good shape on defending the second point. torbjorn's got his turret up, all that, i'm coming back from spawn where i've re-healthed 'cause we don't have a healer, but while i was healing up, somebody blew up my mine on the upper platform on our left.

so i'm running out the right corridor and it's mccree and his ult is up and nobody on our team takes him down. he pulls a quadruple kill, then takes out a fifth, but gets taken down doing it.

i proceed to hold the point solo as widowmaker against reaper, lucio, and the piggy, the latter with no doubt the most brutally effective widow:76 play i have ever pulled off.

15 kill streak. and my whole team has seen it 'cause I'm the only one alive.

they all come charging out as i'm finishing off roadhog and i just wave - "hello there!" - and present them with a cleared objective, and we win.

smooth as silk.

unf.
Mood: unf
posted by [syndicated profile] krugman_oped_feed at 07:01pm on 16/10/2017
solarbird: (tracer)

[AO3 link]


"I'm pretty sure I know what we're gonna see on this video," Venom said, back in her Tracer garb, but still more than a bit blue at the edges and entirely gold in the eyes. "'Cause I'm pretty sure I know what I saw." She gave Angela Ziegler a pointed look. "But... I might be wrong."

Most of the current members of Overwatch Lunar Embassy sat around a table in the ambassador's workshop - even Fareeha, though her thoughts clearly chased rabbits elsewhere. Lena glanced over with more than a little sympathy - she hardly even remembered her mother, and couldn't even imagine what it would be like to have one return from the grave.

"If everyone's ready, I'm going to start with Ana Amari's recording," Winston said, to general assent. "I haven't looked at it yet - Athena's just finished deep-scanning the media for anything... inappropriate... to our systems."

-----

Jack Morrison looked at the drive containing the video. He didn't really want to play it again - it scared him. He had some ideas about why, but he didn't like them. Being a super-soldier was one thing. Being... whatever this implied... was another entirely.

He sat quietly in his temporary quarters on the small Los Muertos compound just south of the New Mexico border. He could hear Delgado outside, running her fighters through the training regimes he'd taught her, with that new man, Arturo, acting as her second. Jack smiled to himself, hearing the noise. If we're not careful, I'm going to end up with a pretty good strike team here. Already got one that's not half bad, he thought.

The former - and, arguably, again - Strike Commander looked at the drive a third time, thought, the hell with it, and linked it to his padd. A notice came up, saying the file system was damaged, and he let it repair itself, which took only a couple of minutes, and produced a slightly larger video file.

-----

Winston hit play. The large wall display showed a view through a sniper rifle - a conventional firearm, not Talon make - and Venom chuckled a little to herself. Still using the old-style scopes, grams? Good to know. Through it, from above and from two alleys situated in a town that looked hot and had signs in Spanish, a group of Los Muertos fighters spilled out, led on the far side by one all too familiar white-haired super-soldier, on the near side by a woman clearly his lieutenant mirroring his actions, and through upper windows by a set of three sharpshooters. Military tactics against cheap street thugs means a battle that would end quickly, until blam, blam, blam, and all three sharpshooters were down, and there was chaos.

Morrison dodged into view, and the sniper fired, again, quickly - Venom could see Jack all but centred in her sight - and again, that blur, and then, Morrison is fine, and dodging away, and one of the fighters with him is dead on the ground.

"What th'..." said Reyes, as Mercy blinked, and looked confused. Mei looked at the screen, and back to the doctor, similarly confused. "What just...?"

-----

Morrison saw himself spill out of the passenger side of the lead vehicle, face bloodied, just as he remembered. He stopped the video, and zoomed in as far as the footage would allow - the resolution wasn't bad, but the lens wasn't great, and the image could've been sharper. Then, the blurriness got much worse, before returning to sharper focus, and his tactical visor was intact.

What the hell, he thought.

He stopped the replay, and backed up the video, and ran it again, in slow motion, frame at a time, zoomed in as before, tracking his own movement manually.

-----

"Winston, stop the replay?"

The scientist nodded, and motion stopped.

"...re-run that last shot at Morrison, slowly."

The sniper's scope tracked the soldier, a second fighter next to him, close by, but not unduly close. The shot rang out, just behind the former strike commander's motion, but still clearly a headshot. Then the blur.

-----

His visor had definitely been wrecked. Whoever took the shot had hit it perfectly, shearing right across his eyes, ripping most of it off his face without touching his skin. Hell of a shot, he thought, complimenting whoever - or, knowing Talon, whatever - had taken it. Then the blur.

He stopped the video, and studied the frame carefully. The compression wasn't too bad, but the resolution could've been better. He zoomed out, and saw the side of the truck in as sharp a focus as it had been a few frames before - just the upper part of his face became an indistinct mass.

-----

"Stop," said Venom. The video froze in place, blur still covering most of the field. She walked up to the screen. "See these?" She pointed at the sniper scope ticks around the frame, still in perfect focus. "And this?" She pointed at a perfectly-focused truck lamppost base, in the upper left corner. "This isn't recorder artefact."

Winston nodded. "I agree. Whatever this is, it's a real effect."

"Sorry luv, but the news gets worse. I saw exactly this happen," Venom said, "through my sight. I didn't talk about it yet, 'cause I figured maybe I blinked" - though she knew damn well that was impossible - "or maybe someone ran between me and Jack right as I took the third shot. But I know I had him dead in my sights, and when I fired, somebody else was dead on the ground."

"You took a kill shot?" asked Reyes.

"Third time, in that mess? Bloody right I did."

Mei looked unhappy and Gabriel frowned, but found he couldn't really argue. "...fair enough."

Venom nodded. "Step through, frame at a time?"

-----

Several more frames of blur, and then, one where it seemed to thin, and then form a line along the horizontal centre of the visor, and there the visor was, again, intact, and Morrison saw himself reaching up and activating it, without a second thought, just as he remembered, during the battle.

He flipped through the last set of frames. Nothing more than what he'd already seen - a broken visor, a blur, and an intact visor, in that order. It didn't make any sense. Nothing in the Soldier Enhancement Programme could do anything like that.

Unless.

Unless it wasn't the SEP.

-----

Several more frames of blur, and then, one frame where the blur, the fog, seemed to coalesce on the right side, and then the soldier's head was to the right, apparently unharmed, and the fighter whose head had been all but out of frame was dead, on the ground, a large section cut out, almost scooped, mostly missing, and Mei made a small choking sound as the view through the scope swept from the dead fighter's body, back to Morrison's intact and dodging head, and back to the woman, and back to Morrison, before the shooter took another shot just too late, into a wall, as Morrison dove down an alley and behind a skip.

Winston blanched, and spread the key frames across the display. Gabriel looked more than a little ill, himself. "I have seen some fucked up things in my life, but that..."

Venom looked over to Dr. Ziegler, her anger controlled, but not entirely concealed. Angela said nothing, staring intently at the images. "Doc? You gonna say somethin'?"

-----

Morrison thought back to the failed defence of Overwatch Geneva, when everything came apart, falling into Angela Ziegler's lab, badly hurt, bones broken, stumbling around in the dark, the only light the emergency exit signs and his biotic field, as he grasped around, looking for the aid kits he knew had to be down here somewhere.

He remembered finding one, no, two, and applying them both, and passing out as another blast hit the base.

And then he remembered nothing until he awoke, having somehow made his way outside, having scavenged a UN uniform from one of the Talon soldiers, and feeling more than a little out of joint, like he didn't fit back together quite right, like everything was just a little off, or a little more than a little off, and he remembered putting it out of his mind and concentrating on getting away, getting as far away as possible, before Talon's UN puppets could get ahold of him, and make him pay for his defiance.

What were you working on down there, Angela? he thought to himself.

-----

"I... this cannot be happening," the doctor said.

"Pretty sure we just saw it," replied Venom.

"What are you talking about?" asked Winston.

"Angela?" the assassin prompted.

The medic shook her head. "I know what you are thinking," she said to Venom. "But you do not understand. My experimental nanosurgeons were not capable of doing what we just saw. Not even the most advanced ones."

Mei jumped in, supporting the doctor. "It's true! I knew that generation, this was not in their operating parameters."

-----

Jack pulled out his knife, pulled up his sleeve, and cut a long gash in his arm - nothing too deep, just enough to test his enhanced healing. The skin knit itself back together, normally, like it had ever since the treatments all those years ago back in California.

He cleaned his knife, put it away, and pulled out a pistol to replace it. He stared at the medium-caliber firearm, not sure he was ready to do what he needed to do, then chided himself for not being enough of a soldier. Enough of a man. It worked.

"Delgado!" he shouted.

"Yeah, Spooky?" she replied from outside.

"Pistol's acting up. Gonna fire a couple of test rounds in here, clear it. Don't freak out."

"Sure you don't want to go to the range for that?"

"It's fine, I've got a fire box."

"Oh, okay. Thanks for the warning."

"No problem."

-----

Venom pressed the point. "You're sayin' that's not some kind of experimental nanosurgeon swarm? 'Cause it looks to me like Ana made that headshot, and then somethin' stole some parts from whoever was nearby to fix it."

Dr. Ziegler rubbed her temples. "I agree that is what it looks like. But it cannot be what I made. If nothing else - I am careful! None of my experimental versions will, or even can, remain active for so long. The last time he could've had access was when the UN moved against the Geneva watchpoint, and nothing from that generation could survive."

"The evidence," said Winston, "indicates otherwise."

"It can't be!" She slammed her palms atop the table. "None of the experimental models from that era could!"

Venom narrowed her eyes at the doctor. "None of 'em? You sure about that, doc?"

Dr. Zhou leaned over to Dr. Ziegler. "I don't think you should rule it out, I could help you go over the old records, over everything that was in there when the fighting happened..."

Angela looked over to Mei-Ling gratefully. "I really don't think it's necess..." and she blinked at a thought, and looked back to Venom. Is... that what you think? Venom's face caught the doctor's surprise, as she realised that the researcher hadn't actually put it together herself yet, and the Talon assassin just nodded, and the doctor bit her lip. "...I... it has been some years, and that was a tremendously hectic - even chaotic - time. It... we should investigate. I would very much appreciate your help in that, Mei."

"Sure, Dr. Ziegler," confirmed the eco-biologist.

"Thank you," Venom replied, nodding. About time.

"God damn," said Reyes, "Could it be more than just him? Could others be... infected?"

"Absolutely not," said Angela. "My nanosurgeons would've impressed themselves with the initial contact DNA, it would be impossible for them to spread successfully. All" - she stressed, pointedly - "of my technologies rely on that. All of them."

-----

Morrison pulled up a trouser leg, pulled off his left boot and sock, and aimed the pistol at the outer edge of his foot. It'd hurt, but it wouldn't kill anybody - particularly not him. But he hesitated.

Do it, you coward, he thought to himself. God damn it, just do it.

And he fired.

The pain was brilliant and sharp, more than he expected, but muted itself quickly. He felt suddenly almost like he was in a dream, half asleep yet fully awake, as he watched his foot splatter, then turn into a greyish and pink mist, and reform, in front of his eyes.

-----

"Meanwhile," said the Talon assassin in Tracer orange and Overwatch white, "I don't think there's any safe way to bring him in alive now. I think our friends should get the next shot."

"No!" interjected Mei, with unexpected force. "That's not what we agreed!"

Tracer, or Venom, looked over to the Chinese scientist. "We agreed Overwatch gets first shot, then..."

"No!" she insisted, even more forcefully. "I will not go along with that!" She looked straight into the assassin's gold eyes. "You are not the only one he abandoned to her death. He abandoned my entire team and I want him tried for that. I want it exposed! I want my friends to be..." she choked a little, and suddenly she was crying, "I want my friends to be remembered! I want justice for them! In court, with it all exposed for the whole world to see him for the monster he is!"

Lena blinked, and blinked again, shocked by the intensity of the normally cheerful woman's outburst, and leaned forward, "Oh wow, Mei, I'm sorry, I know what..."

"No, you don't know!" The small woman shouted. "You know what it's like to disappear for years and wake up in the future but you do not know what it is like to wake up and find all of your friends dead because he couldn't be bothered to send a rescue ship! He knew we were in cryogenic suspension and still alive. At least with you, he thought you were probably dead, but with us, he knew we were alive, and just decided to let us die!"

She continued in a small, quiet voice, "And most of us did. Slowly. In the cold. As the power ran out."

Nobody knew what to say. Gabriel and Winston knew it wasn't that simple, but knew better than to open their mouths. Angela just leaned over to the smaller woman and offered her hand, and Fareeha just sat quietly next to her wife, comforting her in turn. And then Venom found her voice, at last. "I'm... I'm sorry, Mei. You're right."

Lena "Tracer" Oxton took a long, slow, deep breath, and let it out. "I withdraw my motion. Our friends will remain on stand down. Overwatch will try again."

-----

God damn you, Ziegler, the stroke commander thought, staring at his perfectly intact left foot, which moments ago he'd shot through for a second time. He shook with unreasoning fury. What the hell did you do to me?

Mood: thoughtful
posted by [syndicated profile] xkcd_feed at 04:00am on 16/10/2017

Posted by Bruce Schneier

Mathy Vanhoef has just published a devastating attack against WPA2, the 14-year-old encryption protocol used by pretty much all wi-fi systems. It's an interesting attack, where the attacker forces the protocol to reuse a key. The authors call this attack KRACK, for Key Reinstallation Attacks.

This is yet another of a series of marketed attacks; with a cool name, a website, and a logo. The Q&A on the website answers a lot of questions about the attack and its implications. And lots of good information in this ArsTechnica article.

There is an academic paper, too:

"Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2," by Mathy Vanhoef and Frank Piessens.

Abstract: We introduce the key reinstallation attack. This attack abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key's associated parameters such as transmit nonces and receive replay counters. Several types of cryptographic Wi-Fi handshakes are affected by the attack. All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks, and is even proven secure. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value. Our key reinstallation attack also breaks the PeerKey, group key, and Fast BSS Transition (FT) handshake. The impact depends on the handshake being attacked, and the data-confidentiality protocol in use. Simplified, against AES-CCMP an adversary can replay and decrypt (but not forge) packets. This makes it possible to hijack TCP streams and inject malicious data into them. Against WPA-TKIP and GCMP the impact is catastrophic: packets can be replayed, decrypted, and forged. Because GCMP uses the same authentication key in both communication directions, it is especially affected.

Finally, we confirmed our findings in practice, and found that every Wi-Fi device is vulnerable to some variant of our attacks. Notably, our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.

I'm just reading about this now, and will post more information as I learn it.

EDITED TO ADD: More news.

EDITED TO ADD: This meets my definition of brilliant. The attack is blindingly obvious once it's pointed out, but for over a decade no one noticed it.

EDITED TO ADD: Matthew Green has a blog post on what went wrong. The vulnerability is in the interaction between two protocols. At a meta level, he blames the opaque IEEE standards process:

One of the problems with IEEE is that the standards are highly complex and get made via a closed-door process of private meetings. More importantly, even after the fact, they're hard for ordinary security researchers to access. Go ahead and google for the IETF TLS or IPSec specifications -- you'll find detailed protocol documentation at the top of your Google results. Now go try to Google for the 802.11i standards. I wish you luck.

The IEEE has been making a few small steps to ease this problem, but they're hyper-timid incrementalist bullshit. There's an IEEE program called GET that allows researchers to access certain standards (including 802.11) for free, but only after they've been public for six months -- coincidentally, about the same time it takes for vendors to bake them irrevocably into their hardware and software.

This whole process is dumb and -- in this specific case -- probably just cost industry tens of millions of dollars. It should stop.

Nicholas Weaver explains why most people shouldn't worry about this:

So unless your Wi-Fi password looks something like a cat's hairball (e.g. ":SNEIufeli7rc" -- which is not guessable with a few million tries by a computer), a local attacker had the capability to determine the password, decrypt all the traffic, and join the network before KRACK.

KRACK is, however, relevant for enterprise Wi-Fi networks: networks where you needed to accept a cryptographic certificate to join initially and have to provide both a username and password. KRACK represents a new vulnerability for these networks. Depending on some esoteric details, the attacker can decrypt encrypted traffic and, in some cases, inject traffic onto the network.

But in none of these cases can the attacker join the network completely. And the most significant of these attacks affects Linux devices and Android phones, they don't affect Macs, iPhones, or Windows systems. Even when feasible, these attacks require physical proximity: An attacker on the other side of the planet can't exploit KRACK, only an attacker in the parking lot can.
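The key-reinstallation mechanism from the abstract, as an added example that is not code from the post or the paper: a simplified client model in which a retransmitted handshake message 3 reinstalls the in-use key and resets the packet number, next to a hardened client that ignores reinstallation of the same key. The `Client` class, the sample key and payloads are constructed for illustration, and the SHA-256 keystream is a toy stand-in for CCMP's counter-mode keystream.

```python
import hashlib

P1 = b"constructed payload A"   # constructed sample plaintexts (equal length)
P2 = b"constructed payload B"

def keystream(key: bytes, pn: int, n: int) -> bytes:
    # Toy stand-in for a counter-mode keystream: a function of (key, packet number) only.
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical, simplified supplicant: only key install and frame encryption."""
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.key = None
        self.pn = 0            # transmit packet number (the nonce)
        self.used = set()      # (key, pn) pairs already sent, for reuse detection

    def on_message3(self, ptk: bytes) -> None:
        # Hardened behaviour: a retransmitted message 3 carrying the key that is
        # already installed must not reset the transmit packet number.
        if self.hardened and ptk == self.key:
            return
        self.key, self.pn = ptk, 0

    def send(self, plaintext: bytes):
        self.pn += 1
        reused = (self.key, self.pn) in self.used
        self.used.add((self.key, self.pn))
        ct = xor(plaintext, keystream(self.key, self.pn, len(plaintext)))
        return self.pn, ct, reused

def run(hardened: bool):
    client = Client(hardened)
    ptk = b"constructed-session-key"
    client.on_message3(ptk)          # normal handshake: key installed
    frame1 = client.send(P1)
    client.on_message3(ptk)          # message 3 arrives again (message 4 never reached the AP)
    frame2 = client.send(P2)
    return frame1, frame2

if __name__ == "__main__":
    for hardened in (False, True):
        (pn1, c1, _), (pn2, c2, reused) = run(hardened)
        print(f"hardened={hardened} pn={pn1},{pn2} nonce_reused={reused} "
              f"c1^c2^P1==P2: {xor(xor(c1, c2), P1) == P2}")
```

With the packet number reset, both frames are encrypted under the same keystream, so anyone who knows one plaintext recovers the other from the two ciphertexts; the hardened client keeps counting and the relation no longer holds.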




Hovertext:
If he were more sensible, he'd realize people who disagree with him are actually just possessed by the devil.

Today's News:

Welp, that's the end of book preorders for Soonish. We've laid it all on the line for this one. I sincerely hope you enjoy it.

October 15th, 2017
posted by [syndicated profile] krugman_feed at 04:32pm on 15/10/2017



Hovertext:
I hope no one ever measures how many micromurders each of my actions commits.

Today's News:

Tomorrow night I fly off for Seattle, and the beginning of the Soonish tour! See you soon(ish), geeks!

October 14th, 2017



Hovertext:
Things get really steamy when he blows powder into her eyes then executes a flying piledriver.

Today's News:

Wish us luck, geeks. Book tour info here.

October 13th, 2017
posted by [personal profile] solarbird at 03:22pm on 13/10/2017
I've had a few pretty ugh days of play lately - my averages aren't dropping off (in fact, my crit shot number is up a little) but it's felt like I've been sucking, and I've been losing a lot, even outside of free-for-all deathmatch, where frankly I expect to lose, because that is not a good forum for Widowmaker.

I just have to keep reminding myself: for me, it's not a game, it's an intentionally-unfair live-fire exercise.

But lunchtime Overwatch today was better. I was even competitive in FFA deathmatch a bit, but the real fun was an unremittingly funny - to me - game in China where I just kept sending the same piggy swimming in the Garden over and over and over again with boops. Seriously, it was like four times, and he ragequit mid-round because he simply would not learn.

(He didn't even wait 'till end of the round like half his team did before dropping. After that fourth boop he was just RAAAAAAAAAAAAAAAAAAGE I'M OUT. It was one of those "I can hear you shrieking from here." XD )

And then at the end of the round, two more of his team quit too. But there was backfill, which kind of meant we were facing a new team, which was definitely better but we still beat them handily.

I do rather wish that team had stuck together for a bit. People knew their business. It was nice.
Mood: busy

Posted by Bruce Schneier

It's International Cephalopod Awareness Days this week, and Tuesday was Squid Day.

I can't believe I missed it.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.
