GOVEROTRAGEOUS: The Untold Story of Japan’s Secret Spy Agency

“Very few people know what the DFS is doing and can enter the building,” according to an active-duty official with knowledge of the directorate’s operations, who spoke on condition of anonymity because they were not authorized to talk to the media. The official agreed to share details about the directorate after The Intercept and NHK last year revealed that the spy agency had obtained a mass surveillance system called XKEYSCORE, which is used to sift through copies of people’s emails, online chats, internet browsing histories, and information about social media activity. The official said that they believed the directorate’s use of XKEYSCORE was “not permissible” under the Japanese Constitution, which protects people’s right to privacy.

Source: The Untold Story of Japan’s Secret Spy Agency

# – # – # – # – #

Here’s an example of why no Gooferment’s Deep State can be trusted or contained by mere “constitution”.  Lysander Spooner had it right.

“Inasmuch as the Constitution was never signed, nor agreed to, by anybody, as a contract, and therefore never bound anybody, and is now binding upon nobody; and is, moreover, such an one as no people can ever hereafter be expected to consent to, except as they may be forced to do so at the point of the bayonet, it is perhaps of no importance what its true legal meaning, as a contract, is. Nevertheless, the writer thinks it proper to say that, in his opinion, the Constitution is no such instrument as it has generally been assumed to be; but that by false interpretations, and naked usurpations, the government has been made in practice a very widely, and almost wholly, different thing from what the Constitution itself purports to authorize. He has heretofore written much, and could write much more, to prove that such is the truth. But whether the Constitution really be one thing, or another, this much is certain – that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist.” Lysander Spooner (1808-1887), No Treason (1870)

# – # – # – # – #

SECURITY: Tricks for passwords

6 simple tricks for protecting your passwords
By Maria Korolov
Network World | Dec 22, 2014 3:00 AM PT

*** begin quote ***

We all know that the current username-and-password system is broken. With Russian hackers reportedly sitting on over a billion passwords, and new breaches hitting the news on a regular basis, it’s fair to assume that if hackers don’t have your password already, they’re about to.

“Most websites and companies require passwords that are at least eight characters long, contain lower and upper case characters, a number, and one or more special characters,” says Vincent Berk, CEO of network security firm FlowTraq.

These kinds of password policies have actually reduced security overall, argues Jacob West, CTO at HP Enterprise Security Products. “We need to bring some sanity back to our password policies,” he says. “A human will never be able to meet these requirements.”

*** and ***

1. Letter substitution cipher: a=b

2. Letter substitution cipher: a=s

3. Never write down encrypted passwords; banana, not nsmsms

4. Use earworms to your advantage: Wheels on the bus go round and round

5. The mnemonic code: a=alpha

6. Add site name to end of password: banana-twitter

*** and ***

One popular alternative is to use a password management tool that keeps all your passwords in an encrypted file, usually in combination with apps on your desktop, laptop and mobile devices.

*** end quote ***

I have used all of these at one time or another.

I think LASTPASS with a complex master password written nowhere is “good enough” for my non-financial passwords. The few financial ones I have memorized.

AND … …

For those sites that use “security questions”, users should treat those just like passwords. Do NOT use real answers.

Happy New Year!

# – # – # – # – #   

SECURITY: STUPID secondary identification

How Hackers Reportedly Side-Stepped Google’s Two-Factor Authentication
Kelsey Campbell-Dollaghan

*** begin quote ***

Writing on Ello, Blakeman describes how hackers gained access to his Instagram account through his Gmail. Even though he had two-factor turned on, the hackers were able to reset his Instagram password through Gmail and take control of his account (which has since been restored). So how did they do it? Blakeman says that Wired’s Mat Honan, himself a veteran of an epic hack, helped him by suggesting he check with his cellphone provider.

It turns out his number had been forwarded to a different number—which is how the hackers gained access:

“The attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.”

*** end quote ***

I suspect it’s those STUPID secondary identification authenticators!

Once again, if your mother’s maiden name isn’t “R2D2GMAIL” at Google and “R2D2AMAZON” at Amazon, then you are asking to be hacked.

Sorry, but, I use LASTPASS and just keep the secondaries in the notes. 

AND, I never reuse a password anywhere!


# – # – # – # – #   


How To Use Dropbox and TrueCrypt To Securely Transfer Files Privately
by Bill Rounds

*** begin quote ***


Using Dropbox and TrueCrypt should appear fairly self-evident by now. For example, you can travel with a laptop that contains no information across borders and when you arrive at your destination just install Dropbox and sync with your files from the cloud. Because Dropbox has control of the encryption key you can use TrueCrypt for an added layer of protection. That way if the Dropbox servers were compromised for whatever reason your files would still be encrypted.

Another wonderful aspect of setting up your information architecture to use TrueCrypt and Dropbox is that you no longer need to worry about backing up the files. This can save lots of time and headache.

*** end quote ***

So much for the child pornographers being caught at the border crossing.

I’m advising that all international travelers NOT carry ANY computing platform through “security”. (Not that it makes us any more secure; it’s just theater to amuse the rubes.)

That means phone, iPads, netbooks … … nothing.

You can’t know what they will “find” when they do their “data proctology” exam. Or, what they will place on your hardware when it’s outside of your control.

Come to think of it that’s good advice even inside the US.


# # # # #

TECHNOLOGY: Questions about hardware / software engineering

Techie’s revenge lands her in jail
By Liam Tung on Dec 10, 2010 9:25 AM

*** begin quote ***

Four days after being fired from the Suncoast Community Health Centers for insubordination, Patricia Marie Fowler exacted her revenge by hacking the centre’s systems, deleting files, changing passwords, removing access to infrastructure systems, and tampering with pay and accrued leave rates of staff.

*** end quote ***

This story begs a number of questions about hardware / software engineering.

(1) Firewalls, hardware, and software are NOT designed to avoid the “King” effect. One example. The SWIFT funds transfer network in the 80’s had the concept of split authentication. The contract with SWIFT and the institution REQUIRED two separate “supervisors of an administrator” and “technology administrators”. There had to be collusion between FOUR people to subvert the security system. Bosses were NOT permitted to access the system but did receive the couriered envelope with their half of the institution’s code. They gave it to their administrator. Once the two halves were used, a new pair was generated and sent to the bosses. Either “administrator” could lock the “kingdom”. (I forget how long the “keys” were, but I remember typing it in was a giant pain.) Surprisingly, even honchos, who were openly hostile to “security”, meekly went along with this kabuki.

(2) It seems like there was very little separation of duties. The IT administrator apparently had access to the firewalls, other platforms, and data tables in applications. Seems like the place was an accident set up to happen. Where were the internal and external auditors? At the very least, with suitable automation, rebuilding components of the infrastructure should be near trivial. You wonder where their disaster recovery plan was; probably locked up in the head of the rogue administrator.

(3) “Passwords” in and around a serious “security” situation. Guess they never heard of two factor authentication?

Nice to know we don’t need no stinkin’ security!

Seasonal Greetings,
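
The split-authentication arrangement from point (1), as an added example that is not part of the original post and is not SWIFT's actual mechanism: both halves are needed to authorize, a used pair is retired, and either holder alone can lock. The XOR split, the 16-byte code length and every name here are assumptions made for illustration.

```python
import hmac
import secrets


def split_code(code: bytes) -> tuple[bytes, bytes]:
    """Split a code into two halves; either half alone is pure random noise."""
    half_a = secrets.token_bytes(len(code))
    half_b = bytes(x ^ y for x, y in zip(code, half_a))
    return half_a, half_b


def combine(half_a: bytes, half_b: bytes) -> bytes:
    """Recombine two halves; mismatched lengths cannot be a valid pair."""
    if len(half_a) != len(half_b):
        return b""
    return bytes(x ^ y for x, y in zip(half_a, half_b))


class DualControlVault:
    """Hypothetical model: privileged actions need both administrators' halves."""

    def __init__(self, code_len: int = 16):  # length is an assumption
        self._code_len = code_len
        self._code = b""       # empty means no live pair is outstanding
        self._locked = False

    def issue_pair(self) -> tuple[bytes, bytes]:
        """Generate a fresh code and return the two halves to be couriered."""
        self._code = secrets.token_bytes(self._code_len)
        return split_code(self._code)

    def lock(self) -> None:
        """Either administrator, acting alone, may lock the system."""
        self._locked = True

    def authorize(self, half_a: bytes, half_b: bytes) -> bool:
        """Succeed only when unlocked and both correct halves are presented."""
        if self._locked or not self._code:
            return False
        ok = hmac.compare_digest(combine(half_a, half_b), self._code)
        if ok:
            self._code = b""   # a used pair is retired; a new one must be issued
        return ok
```
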

# # # # #

ISP: Verizon / Yahoo email is insecure

(No SSL, port: 110)
(No SSL, port: 25 or 587, use authentication)
Your Verizon Yahoo! Mail ID (your email address without the “”)
Email Address: Your Verizon Yahoo! Mail address (e.g.,
Your Verizon Yahoo! Mail password

# # # # #

SECURITY: LASTPASS (Recommended with a big caveat)

LastPass is a password manager that makes web browsing easier and more secure

# – # – #

Recommended, with a caveat.

I would never ever trust anyone with passwords to “financial” or “key email accounts”.

So, then by definition, passwords for “financial” services and their dedicated email accounts are NEVER shared with anyone, any service, or put on any machine. Written down in a secret spot. Not carried in a wallet or anything you’d expect.

(Handwritten and rolled up in a pen.)

Since there are very very few of these, they are easy to remember.

Yeah, under my tin foil hat, I’m paranoid!

And, you must use unique passwords for everything. It’s a pain, but necessary!

# # # # #