Profile

Gary Marriott
Works at Gary Marriott Consulting
Attended Northgate Highschool
Lives in Toronto
70 followers|207,085 views

Stream

Gary Marriott

Discussion  - 
 
This from Bruce Schneier, where I am forced to question his mention of the OPM hack.
"Bruce,
Are you absolutely sure the OPM (BTW, it is Personnel, not personal) data breach was not also an integrity and availability hack?

Since the OPM's records were the key arbiter of personnel security validity, how do we know that the persons who had unauthorised access were not also able to alter those same records, damaging their integrity?

And of course if you are forced to assume that then you have to re-assert the truth of every record they have, which is a real Denial Of Security Vetting attack."
2

Gary Marriott

Discussion  - 
 
From this: https://www.schneier.com/blog/archives/2016/01/uk_government_p.html?nc=8#comment-6715755

Although you judge harshly, it is a fact that the supposed bastions of democracy, the US & UK, differ widely in their democratic construction. Specifically, the UK has not had a bill of rights or a constitution to guard citizens' rights until the recent adoption of the European bill of human rights.

Because of this, it was possible for the UK government to institute legally binding bills going back almost a century that require communications providers to include the capability of third party interception in equipment. Thus the reason why this mainstream VOIP solution has key escrow.

It is only the inexorable onward march of Moore's law and the weakening of warrant laws that has made the use of this technology for more than specifically targeted interception (bulk collection) possible.

Which is where the communications operators can and sometimes do take a small stand in sticking to the letter of the law in protecting their customers' privacy from injudicial exposure.

Therefore, while there is still a need for targeted interception then perhaps with the current and future technology there is a need for open oversight external to the authorities. What that looks like, I don't know.
4

Gary Marriott

Shared publicly  - 
 
 
See: http://yro.slashdot.org/story/15/11/18/2136224/carnegie-mellon-denies-fbi-paid-for-tor-breaking-research

OK, let's accept for now that CMU did not receive payment for their data and that they only gave up their data upon subpoena; it really was just icing on the real issue: that of the unethical disclosure of people's private data resulting in an indirect FBI evidential fishing exercise, which is allowed in discovery unless the evidential collection is prompted (hence the $1), which would render it 'fruit of the poisoned tree' and is why there is perhaps so much emphasis being placed upon payment.

Remember this, any entity involved in security research or even just a business can be subpoenaed for their data and required by law to not disclose the fact of the request. Further, resisting such requests can lead to extended legal difficulties; just ask Ladar Levison ( https://en.wikipedia.org/wiki/Lavabit ).

So what CMU did wrong here (if current evidence is correct) was to collect and keep significant personal information as a result of their 'Research', which is incompatible with what security research is about. If there had been an Ethical Review Board of the ongoing CMU research this should have been noticed and changes made.

Thus, what could CMU have done?

* They could have set up an internal Review Board to review the ethical, legal and other issues of such research {they admit they did not}
* They could have designed the data collection part of their exploit to anonymize data such that connection inferences can be made without disclosing actual IP addresses (simply make a salted hash of each IP address) {they did not}.
* They could have limited collection to just what was needed to prove the exploit and then shut it down {they did not}, instead they ran it for over 3 months.
* Upon proving the method they could have immediately followed responsible disclosure and briefed TOR group {they did not}
* If the research was launched initially by an FBI request or similar, they should have taken legal advice and realised that they could not do this ethically or follow the above and thus NOT agreed to do it {Clearly if so, they failed}

So in closing take note: in the current legal and criminal climate DON'T collect and store unnecessary information unless you can prove that you can protect it from disclosure in untargeted extralegal ways, lest you and your establishment end up being in hot water (see Sony, Ashley Madison, CMU, NSA etc etc).
3 comments on original post
1
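Added example (editor's code, not part of the post above and not CMU's own tooling) of the pseudonymization the second bullet calls for: each IP address is replaced by a keyed hash, so repeated connections from the same address can still be linked and counted without the address itself ever being stored. A secret key (HMAC) is used rather than a plain salted hash, because the IPv4 space is small enough that a salt stored beside the data would not stop re-identification; the key lives outside the dataset and is destroyed when the study ends. The flow records, the key and the truncation length are constructed assumptions, with addresses taken from the RFC 5737 documentation ranges.

```python
import hashlib
import hmac
import ipaddress
import os
from collections import Counter

# Constructed sample of the kind of records a traffic study produces:
# (source IP, destination IP, timestamp). Documentation-range addresses only.
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", "2014-02-01T10:00:00Z"),
    ("198.51.100.7", "203.0.113.11", "2014-02-01T10:00:05Z"),
    ("192.0.2.44", "203.0.113.10", "2014-02-01T10:00:09Z"),
]

# Pseudonym length in hex characters (48 bits): an assumption that keeps the
# output short while making accidental collisions negligible for a study-sized set.
PSEUDONYM_HEX_LEN = 12


def pseudonymize_ip(ip: str, key: bytes, length: int = PSEUDONYM_HEX_LEN) -> str:
    """Keyed hash of the canonical (packed) address.

    Same address + same key -> same pseudonym, so linkage across records
    survives; without the key the mapping cannot be recomputed or enumerated.
    Works for IPv4 and IPv6 because ipaddress normalises both.
    """
    canonical = ipaddress.ip_address(ip).packed
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:length]


def anonymize_flows(flows, key: bytes):
    """Rewrite every flow so that only pseudonyms and timestamps remain."""
    return [(pseudonymize_ip(src, key), pseudonymize_ip(dst, key), ts)
            for src, dst, ts in flows]


def connections_per_source(anon_flows) -> Counter:
    """Connection inference on the anonymized data: count flows per pseudonymous source."""
    return Counter(src for src, _dst, _ts in anon_flows)


if __name__ == "__main__":
    # The key is generated for the collection run and never written next to the data.
    study_key = os.urandom(32)
    anon = anonymize_flows(SAMPLE_FLOWS, study_key)
    for record in anon:
        print(record)
    print(connections_per_source(anon))
    del study_key  # destroying the key at the end of the study breaks the mapping for good
```

The test below pins the two properties that matter: records from one address collapse to one pseudonym, and a different key yields a different pseudonym, so a dataset leaked without its key carries no addresses.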

Gary Marriott

commented on a post on Blogger.
Shared publicly  - 
 
This is a good write up but its outcome depends very much on the assumptions made. Yes, Scrypt can be weaker than Bcrypt (if you use specific chosen parameters). Also, where parallelizable is stated in step two, that is a function of using the P parameter above 1 (which I do not recommend).

Finally, a much better way to use scrypt for password hashing is to use it AS the pluggable function in a modified PBKDF2 such that the outer (non-parallelizable) loop is run for a specific time for the given hardware e.g. 1 second. Then the iteration count is passed forward on the front of the output hash. AND with the inner scrypt set with P=1 and the other parameters set to be well above the maximum size of available local memory for ASIC, FPGA, GPU or CPU L1/L2 caches.
1
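Added example (editor's code, not the commenter's implementation and not any library's API) of the construction the comment above describes: scrypt with P=1 as the pseudo-random function inside a PBKDF2-style chained outer loop, the iteration count calibrated by wall-clock time on the hashing host and stored on the front of the result so that verification can replay it. The scrypt N and r values, the `$`-separated storage format and the sample password are constructed assumptions; a deployment would raise N and r until the memory footprint sits above the caches the comment has in mind.

```python
import hashlib
import hmac
import os
import time
from base64 import b64decode, b64encode

# Constructed scrypt parameters (assumptions, not values from the comment).
# P=1 keeps each scrypt call strictly sequential; N * r * 128 bytes = 16 MiB here.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32


def prf(password: bytes, data: bytes) -> bytes:
    """scrypt standing in for the PRF of PBKDF2 (HMAC in the standard construction)."""
    return hashlib.scrypt(password, salt=data, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=DKLEN)


def pbkdf2_scrypt(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2 block 1 with scrypt as PRF.

    U1 = PRF(P, S || INT(1)), U_i = PRF(P, U_{i-1}), T = U1 ^ U2 ^ ... ^ Uc.
    Each U_i depends on U_{i-1}, so the outer loop cannot be parallelized.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    u = prf(password, salt + (1).to_bytes(4, "big"))
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = prf(password, u)
        for i, byte in enumerate(u):
            t[i] ^= byte
    return bytes(t)


def calibrate(password: bytes, salt: bytes, target_seconds: float) -> int:
    """Count how many chained scrypt calls this host completes in target_seconds."""
    count = 0
    u = salt + (1).to_bytes(4, "big")
    start = time.monotonic()
    while True:
        u = prf(password, u)
        count += 1
        if time.monotonic() - start >= target_seconds:
            return count


def hash_password(password: bytes, iterations: int, salt: bytes = None) -> str:
    """Store as '<iterations>$<salt>$<digest>': the count rides on the front, as proposed."""
    salt = os.urandom(16) if salt is None else salt
    digest = pbkdf2_scrypt(password, salt, iterations)
    return "%d$%s$%s" % (iterations, b64encode(salt).decode(), b64encode(digest).decode())


def stored_iterations(stored: str) -> int:
    """Read the iteration count back off the front of a stored hash."""
    return int(stored.split("$", 1)[0])


def verify_password(password: bytes, stored: str) -> bool:
    """Recompute with the stored count and salt; constant-time compare of the digests."""
    iterations, salt_b64, digest_b64 = stored.split("$")
    candidate = pbkdf2_scrypt(password, b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, b64decode(digest_b64))


if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed sample password
    # Tune the outer loop to roughly one second on this machine, then store the count with the hash.
    count = calibrate(pw, os.urandom(16), 1.0)
    record = hash_password(pw, count)
    print(record)
    print(verify_password(pw, record), verify_password(b"wrong", record))
```

Because the count is stored per hash, the server can raise the target time for new passwords as hardware improves while still verifying old records; each scrypt call already costs the full memory footprint, so the outer loop only adds sequential time, never parallelism.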

Gary Marriott

Discussion  - 
 
 
I have to say, even if the US and UK both make sweeping requirements that all commercial encryption products have LEO back doors. AND that all their allies follow suit. It will still be a futile effort for the following reasons:-

a) Open source software cannot be controlled in this way by any one or group of entities (ideas cannot be un-invented).

b) An encrypted communication (excluding headers) is by definition indistinguishable from random noise. Thus a double encrypted communication looks just the same as a single encrypted one. So a mandated encryption scheme can be used to wrap an open source secure one.

c) Evil doers have to be assumed to be just as smart as the people chasing them, so will utilise a) and b) to look legitimate.

d) Everyone else, not doing a) & b) is vulnerable to the same Evil doers gaining access to the LEO secured keys.

In the end, this idea is not only foolhardy but possibly exactly what the bad guys want.
2 comments on original post
4
11 comments
 
And the narrative has been, so far... "show me a case where the current capabilities made the difference" - when asked that, so far they have always backed down and retreated into generalities, claims of currently open cases and so forth.

But yeah. This has nothing to do with the given excuses, but providing sufficient fear to congress that their wishlist can be voted through - we already know they aren't above lying openly to congress (and aren't punished for giving "least untruthful" answers) so there is no actual downside to making claims that can't be backed up (or at least to date there has been no reason for them to worry about that).

Gary Marriott

commented on a video on YouTube.
Shared publicly  - 
 
Clearly though the banning of this 'Toy' was due to people who share the presenter's stated belief that small magnetic spheres are a suitable children's toy. These 'Toys' were designed as adult executive toys, to be sold to adults. If we follow that logic then perhaps guns, bombs and for that matter all sharp or heavy objects should be banned to prevent idiots from putting them in the hands of children.

Gary Marriott

commented on a video on YouTube.
Shared publicly  - 
 
Let me add a few more from my home County, with hints:-
Garboldisham
Gippeswyk (now called Ipswich)
Dallinghoo
Gislingham - (Jiz-ling-am)
Ousden
Stowlangtoft
Thelnetham - CLUE: The first TH is a thorn and the second is T-H so "Thel-net-am"
And finally
Uggeshall

Gary Marriott

Discussion  - 
 
Interesting:
https://www.youtube.com/watch?v=wnTGO6OFgCo

The head of the NSA/CSC supports strong encryption and says “So spending time arguing about ‘hey, encryption is bad and we ought to do away with it’ … that’s a waste of time to me.”

But although this may appear as a reversal of his prior opinion, he is still pushing for technology companies to change their business models to not offer end-2-end encryption.
2
2 comments
 
We are not fooled. 

Gary Marriott

Discussion  - 
 
1
1
3 comments
 
"How are you enjoying using the DARPA funded internet" I love/hate it. I'm so addicted to it and get infinite pleasure and knowledge from it, but the surveillance state knows more about me than anyone. Liberty is doomed.

Gary Marriott

Discussion  - 
 
A nice summary of why the FBI etc wants back-doors and why it will not help them, from Bruce Schneier:
https://www.schneier.com/blog/archives/2015/07/back_doors_wont.html

To summarise his summary, to stop a determined adversary from 'going dark' it is not enough to just put back-doors in security products under your control; you need to do this to ALL SECURITY PRODUCTS EVERYWHERE! or prevent their use by EVERYONE!

At which point any nation doing this would become less free than North Korea.

Seems the proposal is akin to shelling peanuts with a thermonuclear device.
10
4

Gary Marriott

Shared publicly  - 
 
1
1
2 comments
 
I believe what I'm advocating can be summed up like this: You know that there is legislation that criminalizes tampering with DRM on things like music and movies? Well... I'm only saying that that kind of thinking should be applied to my own personal (private) data. Simple.

The complicated part is how to actually implement this so that it can have a practical benefit. But it appears to be well within reach. 

Gary Marriott

Shared publicly  - 
 
It's almost magic, in the sense that SQRL's technology is sufficiently advanced to appear so. And yet it is anonymous, secure and simple.
 
Hey everyone! Something cool to share:
Yesterday (Tuesday) during our weekly Security Now! podcast, I used a working beta iOS SQRL client on an iPhone (supporting the nearly finished SQRL secure identity authentication system), to log onto Leo's computer 452 miles away!
Here's the 4-minute segment showing how it went. Check it out! More coming soon, Thanks!!
19 comments on original post
1
People
Have him in circles
70 people
Education
  • Northgate Highschool
  • Sidegate Lane Primary
  • Suffolk College
  • Open University
Basic Information
Gender
Male
Work
Occupation
Wandering Genius / Web developer
Employment
  • Gary Marriott Consulting
    CK&BW, 2010 - present
  • Cyberwalker Media Inc
    Wandering Genius / Web developer, 2010 - 2010
  • British Telecommunications Plc
    1996 - 2009
  • Electronic Techniques Anglia Ltd
    1993 - 1996
Places
Currently
Toronto
Previously
Ipswich - London - Toronto
Gary Marriott's +1's are the things they like, agree with, or want to recommend.
Gizmag
plus.google.com

New and emerging technology news

Adobe AIR
market.android.com

Enjoy your favorite web applications with Adobe AIR. Enjoy your favorite web applications with Adobe AIR. Adobe AIR enables you to have you

IMDb Movies & TV
market.android.com

Search the world's largest collection: · Over 1.5 million movie and TV titles · Over 3.2 million celebrities, actors, actresses, directors a

Baby Sign Language Dict. Demo
market.android.com

PLEASE READ: **This is an EXAMPLE of what the BIG 300+ Word app will be like. There are only a few signs in this app as a free demo for you!

Location Scout
market.android.com

Location Scout - Discover filming locations for thousands of movies. Ever wondered which movies were filmed at or near your current location

Campaign for "santorum" neologism - Wikipedia, the free encyclopedia
en.wikipedia.org

We have laws in states, like the one at the Supreme Court right now, that has sodomy laws and they were there for a purpose. Because, again,

Santorum
spreadingsantorum.com

Santorum 1. The frothy mix of lube and fecal matter that is sometimes the byproduct of anal sex. 2. Senator Rick Santorum

Best hackerspace in Toronto.
Public - a month ago
reviewed a month ago
One of the best child friendly dentists in Toronto, very nice staff and just the right level of distraction to keep your little one from apprehension over any dental procedures.
Public - 8 months ago
reviewed 8 months ago
A short distance beyond the Toronto eastern boundary is this small but perfect Indian restaurant, only a little north of Frenchman's Bay. I have always found the staff kind, helpful, friendly and attentive. The food is excellent and uncompromisingly true to its origins. Finally, please don't judge a book by its cover: the outside is plain but once inside it is a welcoming family friendly environment.
Public - 8 months ago
reviewed 8 months ago
10 reviews
I should probably be keeping this to myself, but if you are coming in to Toronto by car and are going to have to take TTC in downtown already, you will appreciate this piece of advice. Leave the 401 at Kennedy, go South and then take Ellesmere East. After the bridge turn right and drive back under the bridge to park at Ellesmere Station. This car park may be small but because this is the least used station on the network it is rarely full. At the time of posting the charge was: Daily rate is $3 between 5:00 am and 2:00 am. Afternoon/Evening rate is $2 between 3:00 pm and 2:00 am. That and the cost to your nerves of driving into Toronto is worth the admission, and the ride into town via the LRT and Metro.
Public - 8 months ago
reviewed 8 months ago
Certainly one of the better sushi restaurants in Toronto, plus not as expensive as those of equal quality nearer town. Only one drawback, if you are expecting Teppanyaki, that part of the restaurant is no longer used as there was insufficient demand.
Public - 8 months ago
reviewed 8 months ago
A real pleasure, eating with my 4 year old son. Food is plentiful and of really good quality. Little touches like comp' side dishes make all the difference. It's now 8 months later and this place only gets better.
Public - a year ago
reviewed a year ago