How I Think The NSA Hacked The World

This started from the confluence of two things. One was the news that the NSA had pretty much stuck their snout into any data trough they could find and was sucking up everything. Phone “contact trace” information on everyone. “Who talks to whom” (and how often, and when, and from where, and…) Phone location data (they admitted to “testing” tracking folks GPS location data). Any and all email. Even statements that they had managed to break into VPN Virtual Private Network encrypted tunnels and PPTP Point To Point Protocol links.

That kind of set me on my haunches to think for a bit.

I know a bit about encryption. As the VPN methods were described to me, they ought not be easy to break. “Triple DES” encryption. DES Data Encryption Standard uses a 56 bit key. When proposed, it could not be broken, but over time more compute power made it crackable. Triple DES used DES three times and made it much harder to crack. Eventually all such fall before Moore’s Law. But… It takes (took?) about a 1/4 $Million bit of hardware to crack DES. More than most folks can spare, but chump change for a TLA Three Letter Agency like the NSA.

But generally I’d figured VPN and PPTP were “secure enough”. They needed lots of hardware to crack one “round” of DES, and there were three rounds.

Then there was a bit of news that the Windows Phone was crackable and could be used to gain credentials to a corporate network. In looking down the chain of information, I found out that most all Microsoft encryption relied on one method, and it was deeply flawed. It is called PEAP-MS-CHAPv2 and it is, IMHO, “broken by design”.

For some time I’d groused that Microsoft software seemed designed to leave “crap” all over the place that was useful to law enforcement, TLA’s, and anyone breaking into your box. That it just wasn’t secure. No, worse than that, that it seemed DESIGNED to be a tattletale and information leaker. But other than a vague “I’d never do it that way” and a frequent “that is either damn stupid or they are being pushed to do it badly” feeling, there wasn’t hard data to point at. I think that has changed.

Some Crypto

Here’s the security advisory that sent me down this path:

M.S. phone exploit

Microsoft Security Advisory (2876146)
Wireless PEAP-MS-CHAPv2 Authentication Could Allow Information Disclosure

Published: Sunday, August 04, 2013

Version: 1.0
General Information
Executive Summary

Microsoft is aware of a public report that describes a known weakness in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), used by Windows Phones for WPA2 wireless authentication. In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device. Microsoft is not currently aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

To exploit this issue, an attacker controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim’s encrypted domain credentials. An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim’s domain credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource.

Recommendation. Apply the suggested action to require a certificate verifying a wireless access point before starting an authentication process. Please see the Suggested Actions section of this advisory for more information.

Turns out that Microsoft phones try to do that “Authentication” against a WiFi Hotspot, and in the process an attacker can get your “credentials” for logging onto your whole network. (so a corporate network can be exposed via any person with a Microsoft Phone visiting a Starbucks where someone else has set up a bogus WiFi hotspot) That “intercept the victim’s encrypted domain credentials” part.

So lets break down that name a little:

Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2

Version 2 means there was an earlier one that got changed / dumped.
In the beginning, there was CHAP. Challenge Handshake Authentication just means the server “challenges” you to present some credentials, and you do, and that authorizes your connection. This was changed by Microsoft to become a MS variation. Over time, CHAP was a bit ‘light’, so the spec was modified to allow extensions to the encryption method. That “extensible” authentication part. So with PEAP, we ought to get some more hard core and hard to crack extensions. And Microsoft proceeded to use PEAP-MS-CHAPv2 in pretty much everything they do.

What did we really get?

This site lays out the problems, and how they enable the “crack”:

First, note that this is from July 2012 so we are pushing 1.5 years and no fix. You don’t leave a known exposure open for a year and a half without some reason. Like maybe an “Agency” wants it.

Next some text from the posting:

The first obvious question is why we looked at MS-CHAPv2, given a lingering sense that the internet should already know better than to rely on it. Unfortunately, however, even as an aging protocol with some prevalent criticism, it’s still used quite pervasively. It shows up most notably in PPTP VPNs, and is also used quite heavily in WPA2 Enterprise environments — often in cases where its mutual authentication properties are being relied upon. For the talk, we put together a list of the hundreds of VPN providers which depend on PPTP.

It’s used all over the place.

So how about the protocol itself?

The Protocol

Let’s take a look at the protocol itself, in order to see what we’re dealing with:

At first glance, one is initially struck by the unnecessary complexity of the protocol. It almost feels like the digital equivalent of hand-waving — as if throwing in one more hash, random nonce, or unusual digest construction will somehow dazzle any would-be adversaries into submission. The literal strings “Pad to make it do more than one iteration” and “Magic server to client signing constant” are particularly amusing.

If we look carefully, however, there is really only one unknown in the entire protocol — the MD4 hash of the user’s passphrase, which is used to construct three separate DES keys. Every other element of the protocol is either sent in the clear, or can be easily derived from something sent in the clear:

That kind of “lots of complexity doing nothing” indicates either profound lack of understanding by the folks who wrote it; or that “this behaviour is by design”… It’s just do darned “sloppy” that I find it hard to believe that someone who knows crypto could actually write it like that by accident. But are there any particulars to support that notion?

We have an unknown password, an unknown MD4 hash of that password, a known plaintext, and a known ciphertext. Looking back at the larger scope, we can see that the MD4 hash of the user’s password serves as a password-equivalent — meaning that the MD4 hash of the user’s password is enough to authenticate as them, as well as to decrypt any of their traffic. So our objective is to recover the MD4 hash of the user’s password.
In a situation with an unbounded password length across a large character set, it would make more sense to brute force the output of the MD4 hash directly. But that’s still 128bits, making the total keyspace for a brute force approach on that value 2^128 — which will likely be forever computationally infeasible.

So at a ‘top level’ with a shallow look, it looks like 128 bits of ‘key’ and an impossible brute force attack. So the “top look” is like something you don’t want to tackle. But look a bit more…

Divide And Conquer

The hash we’re after, however, is used as the key material for three DES operations. DES keys are 7 bytes long, so each DES operation uses a 7 byte chunk of the MD4 hash output. This gives us an opportunity for a classic divide and conquer attack. Instead of brute forcing the MD4 hash output directly (a complexity of 2^128), we can incrementally brute force 7 bytes of it at a time.

Since there are three DES operations, and each DES operation is completely independent of the others, that gives us an additive complexity of 256 + 256 + 256, a total keyspace of 2^57.59

This is certainly better than 2^138 or 2^128, but still quite a large number. There’s something wrong with our calculations though. We need three DES keys, each 7 bytes long, for a total of 21 bytes:

Those keys are drawn from the output of MD4(password), though, which is only 16 bytes:

We’re missing five bytes of key material for the third DES key. Microsoft’s solution was to simply pad those last five bytes out as zero, effectively making the third DES key two bytes long:

It is at this point that the hackles start to rise. “pad those last 5 bytes out as zero”? Really? That is throwing away those bytes. It’s obviously and incredibly stupid as complexity is what provides the protection and each bit is far more valuable than the last as it’s an exponent.

Since the third DES key is only two bytes long, a keyspace of 2^16, we can immediately see the effectiveness of divide-and-conquer approach by brute forcing the third key in a matter of seconds, giving us the last two bytes of the MD4 hash. We’re left trying to find the remaining 14 bytes of the MD4 hash, but can divide-and-conquer those in two 7 byte chunks, for a total complexity of 2^57.

The next interesting thing about the remaining unknowns is that both of the remaining DES operations are over the same plaintext, only with different keys.

Oh Dear. This is looking worse and worse. Skipping down a bit.

The expensive part of these loops are the DES operations. But since it’s the same plaintext for both loops, we can consolidate them into a single iteration through the keyspace, with one encrypt for each key, and two compares:
This brings us down to a total complexity of 256!

This means that, effectively, the security of MS-CHAPv2 can be reduced to the strength of a single DES encryption.

When a single DES is known to be breakable.

This has all the look and feel of a backdoor. Mindless confusing ‘wrapper’ complexity that looks good, but inside the lock is very weak with a method that reduces to being subject to a known attack.

Cracking DES

It’s been done, but it isn’t easy. Typically about $250,000 of hardware is needed. Well inside an ‘agency’ budget, but beyond the typical individual. Just the kind of threshold the NSA would like in a backdoor just for them…

At this point, a question of feasibility remains. In 1998, the EFF used ASICs to build Deep Crack, which cost $250,000 and took an average of 4.5 days to crack a key.

David Hulton’s company, Pico Computing, specializes in building FPGA hardware for cryptography applications. They were able to build an FPGA box that implemented DES as a real pipeline, with one DES operation for each clock cycle. With 40 cores at 450mhz, that’s 18 billion keys/second. With 48 FPGAs, the Pico Computing DES cracking box gives us a worst case of ~23 hours for cracking a DES key, and an average case of about half a day.

Thanks to Moore’s Law that cost will be cut in half about every 18 months. In not too many years, anyone can do it.

But Wait! There’s more! These good folks have made the hardware available to anyone.

It wouldn’t be a ton of fun if only David or I could crack MS-CHAPv2 handshakes, however. So we’ve integrated the DES cracking box with CloudCracker, in order to make David and his team’s genius/skills/resources available to everyone.

We’ve published a tool called chapcrack, which will parse a network capture for any MS-CHAPv2 handshakes. For each handshake, it outputs the username, known plaintext, two known ciphertexts, and will crack the third DES key. It will also output a CloudCracker “token,” which is an encoded format of the three parameters we need for our divide and conquer attack.

When this token is submitted to CloudCracker, the job is transmitted to Pico Computing’s DES cracking box, and you receive your results in under a day.

Yes, they’ve made it available for free to anyone.

IMHO, the NSA most likely “leaned” on Microsoft to put this bit of buggery in place. It is just complicated enough to pass casual inspection, while being just broken enough that Agency Guys can get in with $1/4 Million toys, and the ‘riff raff’ was kept out. Not something any experienced crypto programmer would choose to do (if they had a brain) but just the things an Agency would do to get selective access.

It is used all over Microsoft, so grants access all over Microsoft. From the phone to the desktop to VPNs and PPTP links.

The article goes on to list some alternative ideas:

1) All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.

2) Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.

In many cases, larger enterprises have opted to use IPSEC-PSK over PPTP. While PPTP is now clearly broken, IPSEC-PSK is arguably worse than PPTP ever was for a dictionary-based attack vector. PPTP at least requires an attacker to obtain an active network capture in order to employ an offline dictionary attack, while IPSEC-PSK VPNs in aggressive mode will actually hand out hashes to any connecting attacker.

In terms of currently available solutions, deploying something securely requires some type of certificate validation. This leaves either an OpenVPN configuration, or IPSEC in certificate rather than PSK mode.

OpenVPN is not subject to these ills, so IMHO it is the solution of choice for VPNs.

In related news, the leaks keep adding up. The NSA looks to be fulfilling the worst paranoids dream. From tracking cell phone GPS to find where everyone likes to go, and path to get there; to gathering all email and dredging it; to generally spying on everyone, everything, and both breaking into private encrypted communications and computers and leaning on major businesses to provide all their data.

This means that using products from Microsoft, Google, Twitter, whatever is pretty much guaranteed to get you bagged, tagged, and had.

It does look like, for now, Truecrypt and GPG are both snoop proof.

In general, you want to use open source software with no place for government control to be inserted into your processes without your knowledge.

From this posting (of a PDF): you can get a more in depth look at the encryption method. They do have some interesting observations, like:

It is not clear to us why the MS-CHAPv2 designers chose such a complicated and insecure algorithm for generating 24-byte responses, when a simpler and more secure alternative was available.

The most obvious reason was that it was requested to be done that way by someone with authority.

In Conclusion

What can I say. I’m torn between a certain degree of smugness and a large dose of resentment. Put “Snowden NSA” into any search engine and step back. After years of folks “poo-pooing” my concerns over privacy, security, and the leaky nature of Microsoft (not to mention the potential evil of phones with GPS in them and the potential for abuse in ‘social networking’); I’m finally vindicated.

Like that old Unix Sysadmin’s joke: “I’m not paranoid, they are out to get me! I’m the SysAdmin.” I’ve spent a long time defending companies against outside attacks and hacking. So yes, they were out to get me. Every single day (and I had the log files to prove it….)

So OK, a minute or two of being smug.

But I’m also aghast at how completely and easily folks have accepted that their cell phone is a personal tag and tracker for the Government, that their email is for public consumption, and that their medical records are Big Brother’s Property. (The “right to an abortion” rested on an implied right to privacy in the constitution. How can that stand when the medical record of that abortion must be sent to The Government….)

I’ve worked out how to make a “DIY” cell phone without GPS and that can run over cell circuits or WiFi. I need to put some more work into it, but in a few days ought to have it small enough to be portable. I’ve posted some clues on how to secure your machine from intrusion (TruCrypt and Dongle Pi for example). I resent that I have to spend that much time to secure my constitutional right to privacy and my constitutional right to be secure in “my papers and effects”.

As hardware prices plunge, DIY decryption engines will be ever cheaper. Putting back door weaknesses in code just begs for folks to exploit them. It is, at it’s core, both immoral and profoundly stupid.

Yet our government is doing it to us.

OK, if you are not using Linux now, start getting comfortable with it. It is not “owned” by anyone, so is harder to force it to do something. The source code is widely used. Folks ought to notice “odd things” inserted into the code (should it happen) and remove them. In short, a global “barn raising” team of millions is looking at the code all the time. And a TLA “leaning” on someone has the hard job of figuring out who, and how to prevent everyone else from seeing the work product.

OpenVPN is stronger than MS-VPN and is likely safe even in the heat. Linux isn’t as prone to being a “chatty Cathy) as MS. So tend to that direction. encrypt files with any messages in them and send those encrypted files though email agents such as yahoo or Google. Encrypt everything you can. Even if you don’t need to.

Even the NSA can’t spend the money needed to decrypt all versions encrypted things. So having more encrypted files to hide among is a valuable thing.

That’s it for now, but over time I’ll be posting more bits of pointers on being secure in a police state with paid snoops and corrupted corporate trust. That seems to be where we are headed. Even little things like just turning the cell phone off when driving. It’s illegal to talk on it anyway, so just shut it down. Remember, you are not paranoid when it has been demonstrated that the government is spying on everyone. And pressuring companies to provide data / access and install back doors. The only thing you can trust is open source software.

And with that, it’s time for bed (as the sun comes up ;-) Time for “sweet dreams”.

Subscribe to feed

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Political Current Events, Tech Bits and tagged , , , , , . Bookmark the permalink.

44 Responses to How I Think The NSA Hacked The World

  1. omanuel says:

    Thank you, E.M. Smith, for sharing this information with the public. The Bill of Rights has no protection except the vigilance of public-minded citizens.

    With kind regards,
    Oliver K. Manuel

  2. philjourdan says:

    Thanks for the leg work. Right now most people do not feel threatened because “they did not do anything wrong”. But a local talking head pointed out 7 felonies that most people have probably committed and never known they did. in other words, it is not what you do, it is if they want you. And with all communication being an open book, they can get you.

  3. DirkH says:

    philjourdan says:
    5 October 2013 at 6:54 pm
    “But a local talking head pointed out 7 felonies that most people have probably committed and never known they did. in other words, it is not what you do, it is if they want you. ”

    If they want you, and all they do is use those felony charges, they must really like you.
    Because there are always other possibilities – just making stuff up, and of course Breitbarting / Hastingsing.

  4. E.M.Smith says:


    Thanks. It was a bit of a surprise to me that the MicroSoft version of CHAP was clearly weakened just enough to be crackable-with-money. Had not been suspicious enough to suspect that, so had not looked. Now we know…


    One of my favorites is the “possession of bomb making materials” law. In the ’80s I publishes a letter showing that my local hardware store (listed by name address and ingredients) was in violation of that law. A few weeks later some of the ingredients had left the shelves. (They came back a decade or so later). Pipe parts. Match heads or DIY black powder. Matches and string (to make the fuse). Drills.

    Today I’d point out that anyone with a gas stove and matches has “bomb making materials”. Just light a candle on one side of the room and open the gas valve on the other side. Leave rapidly. The resultant gas explosion usually takes down the building… Don’t have gas? Well, dust works too… So a blower (like a vacuum cleaner outlet) and flammable dust (like flour) and ignition source. A bit harder to get the dust right, but doable. If you can clean your home and bake a cake, you are a felon. Get over it…

    (For the record, I have an All Electric Kitchen, so not a felon at the moment! 1/2 ;-)

    Gun laws in many places now include air guns as “fire arms” even though no fire is involved. This includes blow guns. In theory, anyone with a straw and dry peas is “in possession of a firearm” and in many jurisdictions if you have no permit or license that is a felony…

    (For the record, I only have lentils and no straw, so not a felon in possession of a firearm at the moment. Hopefully 1/2 ;-)

    Many places have “possession of deadly weapon” or “use of deadly weapon” laws. Note that a lady was just murdered by police at the capitol for the crime of mental illness. They justify the shooting on the basis that she was in possession and use of a ‘deadly weapon’ as she was driving a car and thus a threat to the public. I both possess and drive a car, so I guess that means I can be shot on sight by police 8-{

    The list goes on and on…

    We desperately need a thorough pruning of our criminal laws along with one for our governments…

    “Giving the police they tools they need to do the job” has crossed the line into “giving the police the right and ability to arrest or kill anyone at any time and get off scott free.” That is a police state, like it or not. (Remember that I was a Law Enforcement Eagle Scout and have been in security and enforcement at various times in my careers. My sympathies lie with the police. But too far is just that. Too far.)


    Look what was done with Assange of WIki Leaks. He is wanted for “rape” in Sweden. His crime consists of having voluntary sex with a couple of blonds. With a condom. One of which “broke”. He asked if it was OK to continue and was told yes by said lady. Then busted. For, under Swedish law, “unsafe sex” can be prosecuted as rape. Was it all a set up? IMHO, yes.

    Take a good looking “partner” and have a rigged condom in the package. Pretty much guaranteed to work. Agencies must love that angle. Talk about F-ing someone over… So if a great looking Swede says “Sure it’s OK. Yes I want to.”, that is “rape”…

    Some places are trying to extend “rape” to include failure to get “permission” for every step of closer contact. Forget to ask “can I move from kissing to caressing now?” and you too can be a rapist. Just insanity.

    There’s a whole lot more, but I’m already upset enough ;-)

    Don’t know what “Hastingsing” is…

  5. Steve C says:

    Dear God. I know bugger all about encryption, but when I see something like “…Microsoft’s solution was to simply pad those last five bytes out as zero …” my blood runs cold. Seems to prove everything everyone’s ever suspected about the Redmond enterprise.

    And yes, whatever you may be doing that’s “interesting” – or even not – is potential terrorism nowadays. Years ago, I pulled down a copy of “The Terrorist’s Handbook” off the net, just out of interest, having been interested in chemistry at school. There was stuff in there that terrified me – using chlorates around metals, all sorts, not to mention the warning at the front that even if you were trying this with military explosives training you could still expect to lose about 33% of your personnel. Honestly, if I thought any of my neighbours was using that thing as any sort of instruction manual, I’d report him myself, out of a desire to keep living. If there’s a copy of that file on any of my hard drives now … O_O

    And re. Assange btw, let us never forget that his case has been tried and dismissed already in a Swedish court. It ain’t over even when it’s over.

  6. Power Grab says:

    I’ve always wondered if the original lawsuit brought against MS by DOJ was intended to pressure them into leaving back doors in their products.

    I’ve also wondered if it’s not a valid concern that TBTP could manufacture evidence (e.g., log entries, GPS entries, whatever) if they really wanted to take someone down, but there was no naturally-occurring evidence to do the job. If the corporations are that much in their back pocket, why would they not sit still for it?

    Sometime in the late 70’s/early 80’s I read an article in MIT Technology Review that said that videotape couldn’t be used as evidence in court because it could be edited so no one could tell it wasn’t a true record. I guess that’s been reversed.

    Even while I am amazed at computer animation these days, I’m also fearful that bogus evidence can be created using those tools.

  7. Steve C says:

    @Power Grab: I share your fear. Surf from an encrypting live CD, download onto a memory stick (an easily hidden memory stick) and don’t have a hard drive in the machine. You know it makes sense.

    @EM – There was a saddening piece from Henry Porter in the Guardian/Observer last month, entitled Perhaps I’m out of step and Britons just don’t think privacy is important. Sadly I entirely agree with him. The whole Snowden thing just isn’t an issue any more in this “free country” (/sarc to the last two words). It’s had its five minutes. We, or at least most of us, have a lot to learn.

  8. Speed says:

    E.M. Smith wrote, ” … their medical records are Big Brother’s Property.”

    My health care provider (a “University Hospital” attached to a medical school and university with a strong engineering program — graduate and undergraduate) can’t get my medical records in order so I’m not concerned that the NSA has them. Or perhaps I should ask that the hospital request them from the NSA.

    If it came to a no-holds-barred showdown at the Server Corral between the NSA and the best security people at Google, Microsoft, Apple et al, I wonder who would win. And how would we know?

  9. Bennett In Vermont says:

    I’d love to hear your take on the NSA’s approach to TOR cracking and if you think TOR is already compromised for non-targeted users?

    Thanks again, EM!

  10. E.M.Smith says:

    @Steve C:

    My high school chemistry teacher would now be arrested for the things he did in class to get us interested in chemistry. Showed us how to make Nitrogen TriIodide (contact explosive) for one thing… It’s more a toy than anything damaging (at least in the small quantities he made) but now that would be a hanging offense.

    @Power Grab:

    It’s now much easier to fabricate “evidence” and much more difficult to prove it is a fabrication. You can ‘water mark’ and digitally sign some documents, but that typically isn’t done with things like normal digital photos or log files. Most of it now depends on chain of custody. But if the custodian is corrupt…


    In your hypothetical, the first problem is that the “showdown” would never happen. The “deal” would be done at the executive level and the Techs would be told “This is Bob” (or perhaps “This is Officer Bob”) give him an administrator account and go to lunch.

    Now, say it was “mano a mano” between the two tech teams. The corporate team would find themselves “otherwise occupied”. Could be a surprise warrant (perhaps later found to be ‘in error’) or a call that their car was on fire or…

    Long before any conflict could happen, the deflection would be done.

    Now, if you want to take it even further, most likely the teams would simply be working together to the same end. “Oh, you want into the Foo Database, here, let me get Joe, he knows that one cold. Say, you need anyone at your place?…” To put a finer point on it: I’ve had FBI background checks and worked in computer security in places that had people with guns on the doors. It’s a more or less revolving door between agencies and industry. Hey, everybody needs a career path.

    Now, IF, somehow, you make it through all those barriers and end up with a Team vs Team contest: It would, IMHO, depend entirely on the teams. The one I had at Apple would be very hard to beat. The ones at most corporate shops would be “toast” in minutes. The NSA folks are very very good at what they do, so a test of wills over encryption would likely break their way. They are not as adept at the more strange and broad aspects of all types of computers; so could likely be faked out by a corporate team with specific and more esoteric information on an odd ‘edge case’ tech.

    How would you know? Simple. The companies would deny that anything happened. ;-)

    In reality I think it’s about 100% minus an unmeasurable fraction that all major information providers have logins provided to NSA (and perhaps other agencies too). We know from public disclosures that at a minimum the major search engines and OS providers have “issues” and that the telcos have equipment on site to route a copy of “stuff” to “agencies”. I’d be harder pressed to figure out who is NOT compromised. Little companies from other countries (though they likey have THEIR TLAs inside the house…)

    That’s why I say to use open source software, strong non-commercial encrypting software, and generic hardware (NOT from China…). I also change hardware and OS often. The MS Windoz laptop is used for things that don’t have any public records issue (like making postings where it’s published anyway) so doesn’t really matter if someone sucks the stuff out of it. I also have a few dozen other machines that I sporadically swap between; and on them, I also frequently load a new OS from scratch. (That is, they are “development” machines ;-)

    Then again, if someone wants my browsing history of reading WUWT, and doing research for posted articles, well, they will be bored out of their minds ;-) So I’m not all that worried. Mostly just do the protective stuff to “keep my hand in” the security biz. And to a lesser extent as a matter of principle.

    @Bennett in Vermont:

    Per TOR:

    That second link says it all. They can, with persistence, find out who some folks are. They can’t figure out everyone on TOR. The attacks used require a LOT of traffic, and someone who is a casual user will not give enough data to back track to them. Furthermore, it only really works against things like servers left up for months / years. Silk Road for example. Stay up long enough, and someone will connect that leaves a bit of tracking info. Get enough of those, you can start knowing where to put wire taps on the routers…

    In particular, Java Script was a known exposure / weakness. Folks were advised to turn it off. “Oddly”, the vendors of Java were remarkably slow about fixing some of the security exposures… I’m sure it was just a workload issue /sarc;… So some folks left Java Script on and got penetrated. Then when those folks visited a major site, that could be used to get some data (like what was sent and recieved, and latency and nearest link and). Get enough of that data you can paint a picture. Then you know things like “It is somewhere in San Francisco” and can lean on the telco for more information about traffic patterns. Do some “injections” (use your client to drive a bunch of known traffic) and see where it goes. Eventually you have one building or one wire where everything you send out, shows up. Long time. Lots of work.

    Now compare that to a guy who launches TOR for a browser on a live CD or dedicated box that gets wiped weekly. Does it from, say, a public internet hot spot. Does a bit of browsing or gets / sends some email. Then gets off, scrubs, and goes on about life. First off, too small a target to justify the hunt. Second, not enough persistence or consistency for an likely find. Finally, if you do track it; there’s no evidence kept on machines. So any “bust” can only say “has an encrypted disk that we think has TOR on it.” And even then, having TOR is not a crime. So that’s largely just not an issue.

    But if you run a $Billion drug exchange and have it up 24 x 7 for a few years; yes, you will eventually get found. Personally, I consider that a stellar level of secrecy. In short: IMHO TOR is just fine for ordinary folks casual use. For career criminals, any computer use is a bad idea.If really worried, go to Garlic Routing. as found in I2P (Do note that even this has some risks. “Perfect Dark” users have been arrested in Japan after some sting work. Then again, Perfect Dark is closed source so who knows what bugs and exposures were in it.

    In all cases, do not use Java. (Big corporation with lots of government sales owns it… and it is closed source.) Use open source alternatives or forgo that function. For months Java had holes in it you could drive an army of hackers through. I suspect that they were put in or left in ‘upon request’; but have no evidence for that – just the very long time they have persisted is ‘odd’.

    The most simple answer is that doing anything without understanding, and understanding the limitations; then doing it for a couple of years, while being a ‘person of interest’: eventually you will get caught. Know what you are doing. Be sporadic. Don’t be a ‘person of interest’ to law enforcement. Odds are you will be perpetually safe.

    Over time, the race will wander back and forth between the two sides. It’s always that way. So you need to be aware of how things change over time and when the tide is against you, close down or recandle.

    Final note: The biggest “issue” I saw in that was just the provisioning of buggered versions of TOR from the Agencies. Make sure you know how to do digital finger print (hash code / SHA and etc) verification and know where your version came from. Having the source code is best.

    Given that Silk Road was taken down, I expect that a whole lot of smart folks are working on a “Generation Two” that is even better… I’ve had some ideas, but I’m sure what “they” are cooking up will be even better.

    My idea was just to make a distributed compute platform that is also spread around on a dark net. Now you may be able to trace traffic back to some node; but which node will wander with the wandering processes. And in all cases the “user” isn’t on the places where code is running. You have to find the virtual distributed machine, that is spread over a dozen real places, then trace back to the controlling / display node, then figure out if it is just a relay / proxy, then… I haven’t put much effort into it, partly because if you add a viral insertion behaviour, it becomes Skynet… and I don’t want to accidentally make that ;-) But very similar things are already done in data centers today, so it’s not a big leap. (VMs dispatched to variety hardware on demand, results coming back from the ‘cloud’ to some remote place…) Pirate Bay is reputed to have a virtual machine distributed dispatch structure, so if a main server is ever found / disabled, a new one dispatches automatically. I’m just looking to add that to the “client” side with the “window” remoted too.

  11. crosspatch says:

    ““Who talks to whom” (and how often, and when, and from where, and…) ”

    This is called Traffic Analysis. You don’t have to break codes to use traffic analysis but governments are generally careful to generate bogus traffic so traffic levels to all nodes stay pretty much constant. I used to use an encryption system called CIPE which did this. When there was no “real” data flowing across the pipe, it injected random garbage so that traffic levels stayed the same all the time. Someone watching the traffic flow would have no idea when you were really sending traffic and when you were not because there would be no change in traffic patterns.

  12. EM, you said nitrogen triiodide, I thought it was ammonium triiodide. We used to make it to put on the lab door knob and it would explode when warmed by the hand of the person opening the door (give a fright but would not hurt anyone). I made some at home once and as it was a bit wet I put the glass vial on a heater to dry. It exploded shattering the glass vial into dust. I had some difficulty explaining the explosion but as there was no evidence left only a bad smell I got away with it.

  13. omanuel says:

    FEAR of nuclear annihilation in 1945 convinced frightened world leaders and guilt-ridden scientists to undertake a project that was doomed to failure from the start:

    Hide from the public information that is recorded in the rest masses of every known atom but three (H-1, H-2 & He-3): Energy (E) from repulsion between neutrons is stored as mass (m) in all 3,000 known atoms.

    Spying on and/or locking up citizens will not keep the truth from leaking out: Neutron repulsion in the core of the Sun is the creator and sustainer of every world, life and atom in the solar system.

    Click to access Synopsis.pdf

    Click to access Creator_Destroyer_Sustainer_of_Life.pdf

    Efforts to hide that information have enslaved mankind and blocked our continued progression as a species.

  14. Joe Caldwell says:

    Important question — can 1) Java, 2) javascript, 3) Flash, 4) another server-side initiated method, be used to covertly query a client’s computer hardware for unique identifiers, such as a MAC address, or a mother-board serial number (thinking Apple, here), and cause that information to be returned to the inquiring server, which is then recorded into a server-side database along with the client’s session details and data?

    I am presuming that this is not only possible, but likely — so then the question becomes HOW to prevent such unique identifiers from being passed? How would one know that such queries are being initiated against their computer hardware? How can MAC addresses and/or a mother-board serial numbers be reliably and transparently spoofed, perhaps with a notification to the end-user along with a client-side generated log file noting the requesting IP addresses and device types?

  15. Steve C says:

    Cementafriend – I’ve come across both names for it, I’ve always assumed that no-one could be quite sure because it always went bang when you tried to investigate it!

    May I also add a memory not entirely dissimilar to yours? I guarantee its true, and am delighted to report that the teacher in question was still with us last time I checked.

    Not so long before I left school, we had the great good fortune to have a chemistry practical on April 1st. Too good to miss. I sneaked into the lab before the lesson, quickly mashed a batch of ammonium/nitrogen triiodide, and spread it liberally around the lab in small amounts before returning to join the rest of the class and look as innocent as I could.

    It all went pretty much as expected. Throughout the lesson, as fellow pupils picked things up and put them down, there were small pops and bangs from all over the room. Everyone knew what was going on, so we just got on with our qualitative analysis and chuckled to ourselves.

    At the end of the lesson, the chemistry teacher called two of the class up to his desk – me, and a fellow whose “explosive tendencies” later led him into civil engineering. “Okay,” the master said, “Which one of you was it? It must have been one of you two.” I cheerfully admitted that I had been the guilty party, not seriously expecting much retribution for a bit of fun. However, that teacher was a good deal sharper than either of us had expected …

    “Right,” he said, “Well, you can both go back to your benches and clear up now ready for lunch. By the way, you’ve both been trying to analyse self-raising flour this lesson, so you can throw it away. April Fool!”

  16. Pingback: Becoming more secure in the police state | T W A W K I

  17. philjourdan says:

    @DirkH – True – they can make stuff up. If you are a lowly person, there is no need for a show trial, so you just disappear like all the residents of Stalin’s Gulags. But if you are a known person, they will want to make sure people know about you, and that means evidence, and a show trial. So it is probably easier to use an existing law. That way, no holes in it.

  18. adolfogiurfa says:

    They are in need of a “injection” of a 1 megawatt Tesla Scalar Wave which no Faraday Cage can stop:

  19. Bennett In Vermont says:

    You inspired me. So first I downloaded gpg4usb and TruCrypt, and then I bought a 16 gb USB drive ($13 including tax! Bog loves Moore’s Law) and (using TruCrypt) created a 500 mb sub drive (volume) on the USB drive named “move along” and copied TOR and gpg4usb onto it, along with a text file containing my various user names and passwords.

    Selecting a memorable 20 character password for the volume is an interesting challenge. But once done, as Forest says, “…one less thing.”

    E.M., Do you share your pgp public key

  20. punmaster says:

    Revelation 13:16
    And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:

    But I’m also aghast at how completely and easily folks have accepted that their cell phone is a personal tag and tracker for the Government, that their email is for public consumption, and that their medical records are Big Brother’s Property.

    I have been telling people for some time now that they won’t be forced to choose to accept the
    mark or be killed. They willingly accepted that mark when they got their cell phone.

  21. omanuel says:

    Regretfully, punmaster, there is some validity in your concerns.

    Regretfully, punmaster, your concerns are valid. Thanks to the glob climate scandal, people are becoming more aware of government manipulation.

    From personal experience, I know without doubt that after 1945,

    1. Theoretical models of reality over-ruled observations of reality, e.g., Fred Hoyle’s SSM (standard solar model) of hydrogen-filled stars over-ruled all observational evidence of mass fractionation in the Sun:

    2. New scientific discoveries were engineered at the best universities to discredit unacceptable observations:

    a.) The 1964 observation of mass fractionated neon isotopes from the Sun in the Fayetteville meteorite

    were obscured by the neon alphabet game:

    “The Neon alphabet game,” Proc. 11th Lunar Planet Sci. Conf. 15, 879-899 (1980)

    Click to access Neon_alphabet_game.pdf

    b.) The 1972 observation of “strange xenon” in primitive meteorites

    was obscured by super-heavy element fission hypothesis:

    “Strange xenon, extinct superheavy elements and the solar neutrino puzzle,” Science 195, 208-209 (1977).

    Click to access StrangeXenon.pdf

    Etc., etc., ad infinitum

    With kind regards,
    Oliver K. Manuel
    Former NASA Principal
    Investigator for Apollo

  22. Zeke says:

    Punmaster, you have only partially quoted the verse.

    Revelation 13:16 “He causes all, both small and great, rich and poor, free and slave, to receive a mark on their right hand or on their foreheads, 17 and that no one may buy or sell except one who has the mark or[f] the name of the beast, or the number of his name.

    18 Here is wisdom. Let him who has understanding calculate the number of the beast, for it is the number of a man: His number is 666.”

    Possibly refers to an RFID, radio frequency identification. Obamacare permits the use of implantable devices, and there are also ink versions of RFIDs which can be permanently placed on the skin. Some states have already passed laws that outlaw placing any mark or implantation on its citizens. The means, motive, and opportunity is now available in our country for a mark to be placed in the right hand or on the forehead, and for this to be enforced through economic coercion (IRS and Obamacare in the US). However, this does not mean it is inevitable at this time; it could still be delayed because people have free will. This is the text.

  23. Zeke says:

    More on Obamacare, which includes provisions for Radiofrequency ID implantable devices:

    Potential for Abuse ‘Enormous’ With Massive Obamacare Database

    Those worried about how much data the National Security Agency has collected on them won’t like what’s coming in 2014.

    The Patient Protection and Affordable Care Act, popularly known as Obamacare, is building a giant database of everyone’s personal information as part of its effort to run the system. The Department of Health and Human Services assures everyone that the Federal Data Services Hub will be secure, but after the IRS and NSA scandals, not everyone is convinced.

    Editor’s Note: Should ObamaCare Be Repealed? Vote in Urgent National Poll

    “The potential for abuse is enormous,” notes Deputy Editor James S. Robbins. He says that the massive database will include “income and financial data, family size, citizenship and immigration status, incarceration status, social security numbers, and private health information.”

    It will compile files on everyone in the United States and will get its information from the IRS, the Department of Homeland Security, the Department of Defense, the Veterans Administration, the Office of Personnel Management, the Social Security Administration, state Medicaid databases, and the Peace Corps.

    While the Daily Mail reports that many fear the hub will be a hacker’s dream, Robbins says hacking isn’t the only threat. Community and consumer-focused nonprofit groups called “Navigators” will have access to the information for the purpose of receiving grants from health exchanges so they can “provide fair and impartial public education” and “refer consumers as appropriate for further assistance,” according to the Government Accountability Office.

    [Non-profits probably refers to NGOs ~Zeke]
    Read Latest Breaking News from

  24. Zeke says:

    Joe Biden on video lecturing Chief Justice Roberts on the fact that he will rule on the constitutionality of an RFID chip for all Americans when he rules on Obamacare:

  25. Zeke says:

    Punmaster, I hope that the verse makes it clear in context that you will not be able to buy or sell without the chip.

    This is important because the text has prophecied that these events would take place and that a world leader/world empire is going to use this mark to control all commerce.

    Those who wish to subject our lives and economies to a World Empire (“United Nations” and European Union) need to consider that they are individually taking sides in history, and that the implications are very serious for each individual soul.

    The other means of understanding whether these things are coming about is to look at the spiritual condition of people. Romans describes the darkness and deception and total hatred of morality that will come. They will be “unmerciful, unloving, untrustworthy, boastful, proud, haters of good, inventers of evil things” and “being filled with all unrighteousness, sexual immorality, wickedness, covetousness, maliciousness; full of envy, murder, strife, deceit, evil-mindedness; they are whisperers, backbiters, haters of God, violent, proud, boasters, inventors of evil things, disobedient to parents, undiscerning.” (Rom) Also Hindu texts and Zoroastrian texts say that in the last times, people will become very immoral, hateful and hating one another, without natural affection or any virtue. (I can provide the quotes if needed) The vitriolic language and seething hatred in people is going to get overwhelming, and a world leader will seem to promise world peace to them. Deceptions will be deliberately used by him to inspire awe, worship, and loyalty. The way out is to put your faith in God and He will provide what you need to get through these times.

  26. Zeke says:

    It is an interesting coincidence that Obamacare with its extensive data hub went into effect on Oct 1, and that the government shutdown occurred at the same time.

    Perhaps those who are better versed in computer updates can tell me if a shutdown and reboot is required for such a massive update of Obamacare which “will achieve what has, until now, only appeared in pulp thrillers: a central database linking critical state and federal data on every U.S. citizen for real-time access.”

    You will all have more expertise on that subject than I.

  27. omanuel says:

    The good news is just this.

    Honest science has confirmed historical superstitions: Every atom, living cell, and world in the Solar System is connected to the Sun’s powerful pulsar core by the invisible force fields that emanate from it.

    The bad news for Obama and other wannabe tyrants: You are totally powerless !

  28. adolfogiurfa says:

    @omanuel. Bravo!….and THEY, those stupid bad kids, are totally unable to reset our Most Holy Sun Absolute, at the center of our galaxy! :-), they won´t survive the experiment!

  29. adolfogiurfa says:

    My advice: As the japanese gentlemen when facing defeat: They do HARA-KEE-REE (Hara: the center of man, Kee= force, Ree=to cut)

  30. Power Grab says:

    Re the corrupted moral condition of people in the last days – I find myself wondering (sorry! I wonder about lots of things these days!) whether the growth in bad feelings/behavior is actually something that is orchestrated by TPTB.

    I’m thinking of the changes in popular culture that I’ve observed in my life. For instance, there was a day when John Wayne was the epitome of manhood. An ideal man was one who would fight for what he believed, and for what was right (moral). Then when things flipped over during the late 60’s and early 70’s, Alan Alda was held up as the type of man that was ideal. Anti-war sentiment was cultivated. Then when Star Wars came into the picture, it became OK again to fight your enemies, only you had to use light sabers or disintegrating rays. You didn’t see guns unless it was a crime flick. I never enjoyed crime flicks, so I’m not sure who the ideals are supposed to be. I’m guessing they use less black-and-white morality and more shades-of-grey in portraying characters.

    Or consider music. Was it in the 40’s when there was a concerted effort to manipulate the mood of people by promoting certain styles of music? Big band music in the 40’s. Early rock & roll starting in the 50’s. Hard rock in the late 60’s to now. Soft rock and touchy-feely folk music in the 70’s. Also, psychedelic music in the 70’s. When did rap become popular? I’d like to know if violence against women grew when they started pushing non-romantic music.

    I keep wondering where young men might ever find an example of treating women as anything but either a sexual object or a target for violence these days. If a young man grows up without a proper father (and mother), where will he ever see anything good lived out in front of his face? Even superheroes look like people with questionable motives to me.

    Oh, and don’t you think that TPTB will collect not only financial and health data (as well as the rest of what was mentioned), but they will also compile a list of the types of entertainment you consume? Without that, they would be missing a lot in your profile of each individual, would they not?

    I happened to peruse a list of data that is routinely requested for college admission recently. It surprised me to see them asking for the student’s favorite class, music, food, book, movie, and vacation. Of course, a lot of people post that sort of thing frequently on their Facebook page. I’m sure they don’t realize how that fills in their profile for TPTB. Now that I think about it, security questions sometimes focus on attributes like that when you are setting up new accounts on the web. I guess that makes it part of the profile, too.

  31. omanuel says:


    The RiSING SUN is the Japanese flag.

  32. omanuel says:

    Should add an image of the RISING SUN at the top of my autobiography?

    Click to access Synopsis.pdf

  33. omanuel says:

    Were those invisible force fields from the Sun’s pulsar core illustrated in the flag from 1870?

  34. E.M.Smith says:


    Tor does something sort of like that. Packets wander around for “a while” before exiting. Partly to confuse connectivity and partly to give bogus traffic.


    Both are used. Don’t know which one is “approved” right now. The hydrogens get stripped off the ammonia and Iodine goes on, so I think Nitrogen Tri-Iodide is the correct structure; but ammonium tri-iodide gives a better idea how to make it ;-)

    @Joe Caldwell:

    Well, “it depends”. Some machines don’t have a serial number. There was an ill fated Intel CPU with serial numbers that got shot down by public resistance (but would not be surprised to see that return). The MAC address goes out on your network traffic so that the routing can get your traffic back to you (but some things can be done to strip such identification, such as NAT Network Address Translation routers).

    Yes, various codes can collect various things about you. Android (in phones and increasingly tablets) likes to try to use GPS information. Google tries to pick up your location based on what local WiFi hot spots your OS is sniffing at the moment. The list goes on.

    My method may not be perfect, but it is better than nothing. I try to use either a Virtual Machine on my laptop or a Raspberry Pi (see “dongle pi” posting on this site) as a “sockpuppet” for anything questionable or just desiring some privacy. That blocks CPU number (as there isn’t one) and such. Also lets me do a ‘reset’ and erase any malware that crawled in. I try to always run through a NATing router (such as most home internet connections and most WiFi spots). I also have a dozen or so computers and regularly wander between what machines I’m using at any one time. (I’m “on the road” right now and have 4 with me. An old Mac “snowbook”, the HP laptop, and 2 Raspberry Pi. Not counting the dozen or so Virtual Machines in VirtualBox.) Also I’ve been known to use “Live CD” linux releases to have a disposable system on any old hardware laying around.

    I would never consider having ONE home computer and just using it naked for everything.

    For some hardware, the MAC address can be software changed. For the R.Pi a WiFi dongle costs about $10 to $20 and has the MAC address. So were I doing something nefarious I’d use a sock puppet machine on a WiFi at a public spot like a coffee shop, then when done just “burn the dongle” and put a new WiFi dongle on it, flash the SD card with the generic image and be done.

    Unfortunately, while I know how to do all this, I have no need for it. Sigh. The perils of a boring life style ;-)


    Since major data centers of TLAs (Three Letter Agencies) are hardened against direct lightning strikes, I doubt that your pulse would do much…

    @Bennet In Vermont:

    I’m embarrassed to say it… It’s one of those “I ought to do this some day” things… But…

    I don’t have a PGP public key. I’ve not seen a need for one, really, until now.

    So as soon as I get one made, yes, I’ll put it in the About tab or something.

    Have I mentioned lately that I have a relatively dull and ordinary life? Got over “porn” in the ’60s or so (back when Playboy and topless as ‘porn’ and it only was available at the bus stop store). Don’t particularly do anything political (other than vote and gripe about lousy government). Don’t have a lot of secrets nor grand projects. Most of what I do is published here anyway. Try to avoid email for anything / everything (largely due to said security holes). Don’t do twitter or facebook or any “social media”.

    But the collection of everything by government has moved things past a threshold. So yes, I’m going to have a “public key”… Real Soon Now ;-) I’d put some time into looking for opportunistic encrypting email and had figured I’d do a PGP / GPG key set then… But maybe I need to move that up.

    As for “Memorable passwords”: I like to use phrases with substitutions. One quick substitution is to sprinkle in bits of other languages (so a simple ‘one language’ dictionary attack fails). So “I like apple butter on bread” becomes “Je like apple butter on pan”. “Je” being “I” in French and “pan” being bread. BTW, it doesn’t matter if you do a lousy job with the language and “broken” is in some ways better. So Pom or POMM or pomm for “apple” are all just fine. As long as you remember what it is. Then I start doing special character substitutions. Pomm and become P0mm and “like” can be “l1ke”. Now, you can do added things like, say, instead of “I”, use your car license plate. “KE3J834 l1ke P0MM butter on pan.” (Note the added period at the end). It doesn’t take too many of those “hashes” and it’s very unlikely that the result can be found by dictionary attack or patterned attacks.

    Oh for the love of Mike can become “0h f0r the love of M!ke.” as another example. Or you can just type the second word backwards “0h r0f the love of M!ke.” just to make it fun. “Bang the drum” can be “! eht murd” where ! is pronounced “bang”. Or even “!;eht;murd)” which is still “bang the drum” but with an escalation of size of word separators from , to ; to ) instead of the expected. You get the idea…


    The move to payment via cell phone is right on that path. Look for “touch points” replacing anonymous cash.


    At one time “Medical Privacy” was as big as “Lawyer Privilege”. I remember “Doctor / patient confidentiality” being in the same sentence with “Lawyer /client privilege” and “Priest / confessor privilege”. Now the only one surviving is the lawyers special carve out…

    That medial database is a greater risk to all of us than ANY other data collection so far.

    BTW, I’ve never been so glad of having allergies to various materials. The spouse is allergic to metals, too. Not going to be easy finding an implantable that is guaranteed to have zero allergenic properties… I’m never going to accept one. (Simply cite the risk, and refuse. I’ll have reached my natural end of life before that law suit finishes…)

    No “shutdown and reboot” is needed to link databases. Only to keep Microsoft running past a weekend ;-)

    BTW, since ANYTHING can be money or currency, it isn’t possible to “control all commerce”. At various times all sorts of things are ‘money’, and “the most exchangeable commodity” is the natural money. That can be cigarettes, beer, wine, 1 lb bags of rice, diamonds, SD cards, you name it. Something small, of known value, and widely used. Even salt and pepper can be currency. I could easily see an underground economy based on the Joint as the small unit, the Ounce (coke) as the larger unit, and the “baggie” in between. (Testing purity easily done at any time ;-) So forcing folks into “digital currency” is going to “have issues”.

    @Power Grab:

    Destruction of the Christian ethic in America was a stated objective of the Marxists / Communists. I think that has not changed. Our open (and good!) public education at the local level and our Judeo-Christian ethos were two things they set out to destroy as they worked against the Globalist Socialist Communist message. (All that is just stating historical fact, not opinion. Read your Marx, Lenin, etc.)

    I’m not strongly Christian, yet encouraged my kids to be so; precisely to increase their resistance to such “messaging”.


    Quite a sun fetish you have going there! ;-)

    Not sure what it has to do with the NSA and encryption, though…

  35. omanuel says:

    E.M. Smith,

    Thanks for your patience.

    Perhaps the most obvious encryption (changes in the Japanese flag in 1945) is the most difficult encryption to decipher.

  36. E.M.Smith says:


    Hmmm… Interesting point. Symbols have long been used for covert communications. The Masonic order is full of special meaning symbols. They ARE a kind of “code book” in that the meaning of a symbol is not always clear without an agreement between parties and sometimes has several meanings depending on “depth” of initiation. Kind of a steganographic layering..

    Perhaps making a symbol based “code book” has some utility. seems to say it was around long before W.W.II

    The national flag of Japan is a white rectangular flag with a large red disk (representing the sun) in the center. This flag is officially called Nisshōki (日章旗?, “sun-mark flag”) in Japanese, but is more commonly known as Hinomaru (日の丸?, “circle of the sun”).

    The Nisshōki flag is designated as the national flag in the Law Regarding the National Flag and National Anthem, which was promulgated and became effective on August 13, 1999. Although no earlier legislation had specified a national flag, the sun-disc flag had already become the de facto national flag of Japan. Two proclamations issued in 1870 by the Daijō-kan, the governmental body of the early Meiji Era, each had a provision for a design of the national flag. A sun-disc flag was adopted as the national flag for merchant ships under Proclamation No. 57 of Meiji 3 (issued on February 27, 1870), and as the national flag used by the Navy under Proclamation No. 651 of Meiji 3 (issued on October 27, 1870). Use of the Hinomaru was severely restricted during the early years of the American occupation after World War II; these restrictions were later relaxed.

    So looks to me like the “top meaning” of land where the sun first rises (eastern most land before the vast empty north Pacific ocean) is pretty much reasonable.

    Do find it a bit curious, though, that the swastika is a ‘good luck sign’ in Japan (and much of Asia) and was co-opted by the Nazi for their own sun symbol. Probably more symbolic mileage there…

  37. Another Ian says:


    For your spare time – and I don’t think O/T here

  38. frost says:

    Another data point:

    I went to the post office a couple of weeks ago to inquire about a package that had been sent to me with tracking number assigned. It was not insured but had left the local regional center a couple of week before that and I wanted to see if there was anything further I could do to locate it. I talked to the shift manager who told me that the PO ‘tracks every thing these days, even if you don’t pay for it. We take a picture of every package at every handling step.’

    My next thought was about OCR and that they can now build a database tracking every communication that takes place thru the mail.

  39. omanuel says:

    E.M. Smith,

    Thank you for your patience. P.K. Kuroda launched me on a journey to the core of the Sun in 1960, but he never told me where I was headed or what I would find.

    From his writings, those of Fred Hoyle, George Orwell, Robert Jungk, David (?) a reporter for the Atlantic Constitution and my own career, I suspect these historical events guided mankind from the horrors of 1945 to those engulfing the globe today.

    1. Aston warned in the 1920s that release of energy from cores of heavy atoms might ignite fusion of light elements in the atmosphere.

    2. Four atomic bombs exploded over a one month period in the late summer of 1945:
    _a.) July 16 in New Mexico
    _b.) Aug 06 Hiroshima
    _c.) Aug 09 Nagasaki Japan
    _d.) Aug 12 Konan, Korea

    3. Earth’s atmosphere did not ignite. Russian troops captured Japan’s A-bomb facility at Konan, and shot down an American plane trying to obtain information. The American crew were held captive and perhaps used as pawns in negotiations.

    4. Without telling the public about the fourth atomic bomb, and with limited information about its nature, the United Nations was formed on Oct 24, 1945 to protect the world from nuclear annihilation by ignition of its atmosphere.

    5. Two facts were hidden after 1945: Neutron repulsion causes
    a.) A-bombs to explode
    b.) Stars to make hydrogen

    6. Fusion H-bombs with fission cores were developed in the early 1950s.

    7. The USSR launched Sputnik in 1957, preparing to take control.

    8. Joseph Kennedy spent a fortune to get his son elected in 1960 to keep Richard Nixon out of office and to end USSR’s domination of space.

    9. John Kennedy established the Apollo Mission to end USSR’s dominance. The Cold War almost erupted.

    10. Kennedy was killed in office in 1963 after the Bay of Pigs invasion and the Cuban Missile Crisis.

    11. Richard Nixon got in office in 1972, ended the Apollo program, and returned this country to its 24 Oct 1945 destiny under the UN.

    12. Tearing down the Berlin Wall and the collapse of the Evil Empire may have been a Hollywood production featuring one of its greatest actors, Ronald Reagan?

    13. The current AGW scare began in earnest and Russia resumed its dominance of space.

    With kind regards,
    Oliver K. Manuel
    Former NASA Principal
    Investigator for Apollo

  40. M Simon says:

    I’m having a look at “smart grid” encryption. In fact why is there a need for a “smart” grid? The official reason is to integrate intermittent unreliable sources of power.

  41. Zeke says:

    Another Ian says “For your spare time – and I don’t think O/T here

    This is my favorite quote from the article, The Anglosphere miracle

    by Daniel Hannan:

    The real question is not whether liberal democracy was always destined to succeed, but how it managed to get off the ground at all.

    We are still experiencing the after-effects of an astonishing event. The inhabitants of a damp island at the western tip of the Eurasian landmass stumbled upon the idea that the government ought to be subject to the law, not the other way around. The rule of law created security of property and contract which, in turn, led to industrialization and modern capitalism. For the first time in the history of the species, a system grew up which, on the whole, rewarded production better than predation.

  42. R. de Haan says:

    With the biggest floodgate still to come in slow motion:

    Former Congressional staffer Susan Lindauer covered Iraq and Libya at UN as a U.S. Intelligence Asset and back door channel on anti-terrorism from 1993-2003.

    Summer of 2001, her team warned about a major terrorist attack involving airplane hijackings and a strike on the World Trade Center.

    Listen to what Susan Lindauer had to say, just skip the introduction:


    Incredible that they even stole the idea to attack the USA with passenger planes:

  43. Pingback: Classical Values » Stop The Smart Grid

Comments are closed.