Software Industry Greed is Driving the Assault on our Privacy & Security

The motivation to release software, without proper testing, in order to generate a quick buck is as much of a threat to our security and privacy as the activities of hackers and alphabet agencies. It is time that software companies started to pay the price for the sorry mess that their greed is helping to create.

Once upon a time these matters could be considered in isolation but with the “Internet of Things” connecting millions more devices every day we are headed for a world that will have 28 billion IoT devices by 2020.

Consumer concern will not halt the rollout. A staggeringly high number of consumers hold serious concerns about the possibility of their information getting stolen from everyday devices – their smart home, their tablet, their laptop. One would think therefore that this concern would pressure software manufacturers to be more rigorous in their pre-GA testing activities. Not so.

Why? Because so much of this IoT stuff is embedded and consumer awareness is mainly limited to the high profile exposures. Consumers are not hesitating to purchase connected devices because consumers do not know that the devices are connected.

Samsung’s SmartThings smart home platform is a leaky colander of loosely connected hack prone software. IoT security hardening is not just about the particular application but also about building security into the network connections that link applications and that link devices.

And then there is the “Data”. The amount of this stuff that is generated by IoT is intractably large. As few as 10,000 households can generate 215 million discrete data points every day. This creates more entry points for hackers and leaves sensitive information vulnerable.

The number and variety of privacy attack vectors becomes unmanageable very quickly. From the CIA hacking your Samsung TV, uBeacons doing their bit (uXDT & Audio Beacons – Introduce your Paranoia to your Imagination), hackers controlling your car, it’s a worryingly real threat to the personal security and privacy of every one of us.

If the CIA’s Directorate of Digital Innovation (DDI), who are tasked with delivering cyber-espionage tools and intelligence gathering capabilities, cannot even secure their own USB drives then what chance do the rest of us have.

Unfortunately the answer is that we have no chance.


The CIA Dark Triad – Windows, macOS & Linux

According to the WikiLeaks Vault 7 dump the CIA deploys malware that includes the capability to hack, remotely view and/or clone devices running the Windows, macOS, and Linux operating systems.

This seems to suggest that the agency has no problem bypassing encryption, proxies, VPN and that Tor anonymity is a myth.

This does not mean that each of the point solutions offering a product under each of the above headings have been compromised. Rather it means that the OS level hack capability of the CIA – as seen on iOS and Android – means that they can gain full control of the device and render any point solution counter measures moot.

Therefore they subvert the platform which by extension means that anything that is running on the platform is subverted.

Tablet, laptop, smart-phone, AV device – it seems they are all fair game and in that case so is everything that you do on them.

You have been warned.

You are being watched.


“Bypassing” Encryption is the same as “Breaking” Encryption

According to the Vault 7 WikiLeaks data the CIA made phone malware that can read your private chats without breaking encryption.

Anyone with half a clue always knew that the best way to subvert encryption was to bypass encryption as we at TMG Corporate Services have always done. From our blog post Am I Being Surveilled? on 29th March 2016:

Still – the point is made I think – visual intercepts are economically viable even for local LE – it’s just an ultra low light wifi enabled pin-hole snake camera in the right spot. One above the driver and passenger seat belt brackets in a private vehicle is a good location (easy access to and plenty of space behind the plastic covering the B pillar to store the bits).

Five uninterrupted minutes and both are installed. Just wait for the target to take a Sunday drive and game on. Most people rest the handset on their lap while typing stationary in traffic or better still upright and in front or on top of the wheel when driving – using one hand – which gives a nice unobstructed keystroke by keystroke view of their typing activities.

Most successful hacks are low tech

Today I have seen a bunch of publications and experts trying to assure people that this is nothing to worry about. The purity of encryption is in tact. It is an academic point.

If you are in the business of handling sensitive data then don’t use your cell phone to transmit it. It’s that simple.

* In the hours since the documents were made available by WikiLeaks, a misconception was developed, making people believe the CIA “cracked” the encryption used by popular secure messaging software including Signal and WhatsApp.

WikiLeaks asserted that: “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloakman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.”

This statement by WikiLeaks made most people think that the encryption used by end-to-end encrypted messaging clients such as Signal and WhatsApp has been broken. No, it hasn’t. Instead, the CIA has tools to gain access to entire phones, which would of course “bypass” encrypted messaging apps because it fails all other security systems virtually on the phone, granting total remote access to the agency.

The WikiLeaks documents do not show any attack particular against Signal or WhatsApp, but rather the agency hijacks the entire phone and listens in before the applications encrypt and transmit information.

It’s like you are sitting in a train next to the target and reading his 2-way text conversation on his phone or laptop while he’s still typing, this doesn’t mean that the security of the app the target is using has any issue.

In that case, it also doesn’t matter if the messages were encrypted in transit if you are already watching everything that happens on the device before any security measure comes into play.

But this also doesn’t mean that this makes the issue lighter, as noted by NSA whistleblower Edward Snowden, “This incorrectly implies CIA hacked these apps/encryption. But the docs show iOS/Android are what got hacked—a much bigger problem.”

* From The Hacker News


“All uR devICE r belong 2 US”, Vault 7, Weeping Angel, the CIA & Your Samsung TV

CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA’s DDI (Directorate for Digital Innovation). The DDI is one of the five major directorates of the CIA.

The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS.

The EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide.

The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell’s 1984, but “Weeping Angel”, developed by the CIA’s Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is it’s most emblematic realization.

After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on.

In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.


Extracted entirely from Vault 7: CIA Hacking Tools Revealed

Behind Their Lines: The Last Song

From Behind Their Lines: The Last Song


Anna Akhmatova

By 1917, the number of Russian soldiers who were injured, dead, missing, or held as prisoners of war was approaching five million men. The situation on the home front was equally bleak: over 400,000 Russian civilians were killed as a result of military action in the First World War, and another 730,000 civilians died due to famine and disease.

Three years of horrific death and slaughter had given rise to a national mood of hopeless despair. When the Russian Revolution began on March 8th, 1917, few doubted the central role that the Great War had played in the unrest that led to the eventual overthrow of Russia’s monarchist government.

Anna Akhmatova, one of the foremost Russian poets of the twentieth century, shaped the chaos into poetry. She had written about the start of the war in her poem “In Memoriam, July 19, 1914”: “We aged a hundred years, and it / all happened in an hour.” In the midst of the 1917 revolution, she composed the haunting poem “Now no-one will be listening to songs.”

now-nobody-will-be-listening-to-songsNow no-one will be listening to songs.
The days long prophesied have come to pass. / The world has no more miracles. / Don’t break My heart, song, but be still: you are the last.

Not long ago you took your morning flight / With all a swallow’s free accomplishment. / Now that you are a hungry beggar-woman, / Don’t go knocking at the stranger’s gate.

(Translated by D.M. Thomas)

Repeated throughout the poem are images of isolation and alienation: the solitary beggar, the stranger who has barred himself behind his gate, the last song, and the loneliness of “no-one.” Even the most desperately needy will find no hospitality or place to shelter, for this is a world bereft of miracles.

The poem recalls a past when music soared like a bird, yet in a new world born out of violence, the “bitter days foretold [have] come over the hill.”* The turbulence of revolution may have created its own discordant noise like nothing heard before – but it is not a song.

Akhmatova’s poem is itself a dirge, bidding a melancholy farewell to the traditional tunes of folklore that have joined communities and connected the past to the present. Addressing song itself, the poet pleads with it to be silent, for the last surviving melody sings of a past that can never be recovered – and that tune has the power to break the heart.


Russian cavalry on Eastern Front, WWI

* This from Stanley Kunitz’s translation of the poem’s second line.

The Regional Subjectivity of Crime & The Tests for Guilt

A definitive statement as to what constitutes Crime has successfully evaded scholars. But one thing that they all seem to agree on is that “A person is never punished merely for wrong thinking or evil thoughts”.

“Thought Crimes” Orwell style are not offences (Or are they?).

In an age of Mass Surveillance, Kinematic Fingerprinting & Emotion Detection, Mass Data Retention & the Investigatory Powers Act and Alphabet Agency Profiling based on Digital Activities, is that still the case?

Certainly there are many examples of arrest and detention for “thinking” a certain way. But that’s not for here at this time.

Rather than examining the definition of crime in a particular country I think it is more interesting to examine it in the global context. The majority of people tend to assume that Crime and Punishment can be generally assumed to be similar everywhere that they travel to.

As someone with a wanderlust tendency who has “walked the Earth” I can assure you that is not the case.

A Moving Goalpost

The definition of “Crime” in a society has always been influenced by the prevailing norms that exist at any particular time amongst a group of people living together as a community.

Personal feelings, religious beliefs, preferences, tastes, experiences, economic expediency or laws based based on the personal opinions of a “leader” have been the motivations that translated into local laws that criminalised some acts and did not consider other acts as “criminal”.

A Simple Analogy: The Attitude to Cannabis in the USA

In 2017 I guess the simplest analogy would be the different attitude to marijuana in the United States. The use, possession, sale, cultivation, and transportation of cannabis is illegal under federal law in the United States but individual States are permitted to conditionally decriminalise cannabis for recreational or medical use.

Cannabis is listed at a Federal level as a Schedule I substance under the Controlled Substances Act of 1970 and is classified as a Schedule I drug. The DEA defines this classification as a substance that has a high potential of being abused by its users and has no acceptable medical uses.

So there exists a contradictory attitude of Federal versus certain State laws regarding the exact same matter – in the former it is a “crime”, in the latter it is not – in some States.

The Definition of Crime

“There is no one word in the whole lexicon of legal and criminological terms which is so elusive of definition as the word crime” (McCabe 1983:49)

It reminds me of the first thing that we were thought during my time as an Economics student – namely, that the study of Economics was an “inexact social science”.

Inexact laws that contain in their antecedents vague ceteris paribus (“all other things being equal”) conditions and “facts” based on local beliefs or tendencies do not constitute definitions.

The different definitions of crime and the vastly different tariffs which certain criminal offences attract are therefore, for the most part best understood in the context of the culture, religious practices and societal “norms” of the region or country that are being examined (excluding the universally abhorred offences – but irritatingly that is not always the case either).


  • Judicial Corporal Punishment in Saudi Arabia for Possession of Alcohol (Flogging);
  • Mandatory death penalty for drug trafficking in Singapore;
  • Filipino President Rodrigo Duterte’s state sanctioned vigilante murders of suspected drug dealers;
  • The universal application of sharia (Islamic law) by certain countries;
  • The acceptance of sharia in some secular European countries as the basis for divorce, inheritance and other personal affairs of their Islamic population;

Looking around Google I came across the following definition of crime which was not accredited:

“Harmful act or omission against the public which the State wishes to prevent and which, upon conviction, is punishable by fine, imprisonment, and/or death. No conduct constitutes a crime unless it is declared criminal in the laws of the country. Some crimes (such as theft or criminal damage) may also be civil wrongs (torts) for which the victim(s) may claim damages in compensation.”

Types of Crime (In the Republic of Ireland) 

* A crime is defined in law in the Republic of Ireland as an act which may be punished by the State. The way in which a criminal offence is investigated and prosecuted depends on the type of crime involved. For these purposes criminal offences may be described in different ways such as:

  • Summary offences
  • Indictable offences
  • Minor offences
  • Serious offences
  • Arrestable offences

* Citizens Information. (19 July 2016). Classification of crimes in criminal cases. Journal, [online] Volume(Issue), P1. Available at: URL [Accessed 25th February. 2017].

The Test for “Guilt”

However, the mental state as well as the physical elements of a crime are key parts of establishing the guilt of a person committing an offence. In order for a person to be guilty of an offence there must be coincidence between two key concepts, that of “Mens Rea” and “Actus Reus”:

  • Mens Rea dictates that there must be a guilty mind, moral culpability and a blameworthy state of mind;
  • Actus Reus concerns itself with with the physical elements of the crime and excludes the mental element;

For guilt to be established then the two concepts must be coincidental “happening or existing at the same time”.

The latin phrase “Actus Non Facit Reum, Nisi Mens Sit Rea” translates as “An act does not itself constitute guilt unless the mind is guilty”.


Naidoo, Jadel. 2016/2017. Diploma in Criminology Class Notes. Dublin Business School 1 (1) 1-14;

Penrose, Graham, AirGap Anonymity Collective (16 January 2017). Mass Surveillance & The Oxford Comma Analogy. Blog [online] Available at: URL [Accessed 25th February. 2017].

Penrose, Graham, AirGap Anonymity Collective (3 January 2017). Orwell 4.0: The Stealth Advance of Kinematic Fingerprinting & Emotion Detection for Mass Manipulation. Blog [online] Available at: URL [Accessed 25th February. 2017].

Penrose, Graham, AirGap Anonymity Collective (21 November 2016). NSA, GCHQ, The Five Eyes Handing Ireland Cyber-Security Opportunity. Blog [online] Available at: URL [Accessed 25th February. 2017].

Penrose, Graham, AirGap Anonymity Collective (29 October 2016). Ireland is NOT a Privacy Advocate. Blog [online] Available at: URL [Accessed 25th February. 2017].

Hausman, Daniel M. 1984. Causal Priority. Noûs, 18 (2): 261-279.

Hausman, Daniel M. 1998. Causal asymmetries. Cambridge: Cambridge University Press.

Citizens Information. (19 July 2016). Classification of crimes in criminal cases. Journal, [online] Volume(Issue), P1. Available at: URL [Accessed 25th February. 2017].


A Bluff Was At Once, Genius & Ridiculous

Hours of boredom punctuated by moments of terror – not war, poker.

I have been meaning to write this for some time. I was an “early adopter” of online poker. That is if you can use that phrase, which is normally associated with positivity, in the same sentence as something that is quite so negative. But anyway, I was an “early adopter”.

I was never much of a gambler. Growing up in a country famed for its stud farms, thoroughbred horses, and trainers I could have given a rats for horse racing and never liked or frequented the bookies. A lifelong participant in sport with a passion for Liverpool F.C, the “Dubs” and “the boys in green” – still I never laid a bet on a match.

And then there were cards. I always played cards. As a kid we played pontoon, don and five card hold’em. I used to ratchet up my pocket money each week by playing cards against the richer kids. Starting with a smaller stake, nearly always ending up with more than I started with. Sometimes I cheated. Well, you do don’t you. From time to time. When you’re a kid.

We used to play “in-betweens” which is basically betting on whether the next card will be in between the previous two or the same and there were odds. When we visited my country cousins we played 25 or 110.

And on it went every Saturday for a few years until I turned 16 or so and forgot all about cards really until I was in my early 30s.

Then poker went online and I bought a few books and joined a few sites and opened multiple accounts and won a few quid at the start. More or less, playing only now and again until 2008 when everyone decided that they wanted to be a poker pro.

I had accounts with Full Tilt (before they took everyones money), Ultimate Bet (before the internal cheating scandal), PokerStars, 888, and on and on and on.

Real quick – you sat at a table. People called other people “donkeys”, “fish”, “muppets”, “arseholes” and debated deeply philosophical points like “how the fuck could you call me with that shite”.

Everybody’s bluff was at the same time genius and the height of stupidity. And these excerpts from the complex social interactions and ponderings on sophisticated human behaviours were at the 1c/2c tables.

I moved up and played and with dozens of different usernames on several different sites. I won a shitload of cash.

Never a tournament player – always the cash games.

I had always held the view that the frequency of “bad beats” and outrageously good hands for several players at the same table were a sign that the whole thing was rotten.

I was rebuked and people pointed to the trustworthiness of the RNG’s that ran the games and that these “once in a lifetime” hands offline, occurred with such frequency online because of the exponentially greater number of hands being played and the speed of play.

Total unadulterated horse shit.

Forget about groups of players colluding. Forget about the trolling. Forget about the piranhas knocking about picking off the new winners. Forget about the Super-Users or the Admin password holders. Forget about all that. Just concentrate on what a massive fiddle it all is.

And then it happened.

I loaded USD$200 one night after re-opening my PokerStars account. I remember the night very well. I had just put the last of my three sons to bed and it was about 11pm. By 1am I had over three grand. I sat down at a six handed no-limit Texas hold’em table.

I played on and by 4am I had over US$38,000. Mike Matusow was at the table to my immediate right.

I was a “cerebral” player. I thought. Able to pick out the nuances of peoples innermost thoughts by how quickly or slowly they hit the call or raise button. What a “dick”.

I never “ran it twice”. The thing about poker players until they get owned is that they are the greatest self-obsessed, narcissistic shites that you could hope to meet.

At any rate a new player joined the table after another had exited, after being cleaned. I hovered over his avatar. He / She / It was from China.

A couple of hands passed and then I was dealt pocket bullets on the button. The Chinese “entity” was “under the gun” and flat called. There was a fold and the cut-off folded too (Matusow) and I raised.

The small blind folded and the big blind called. The Chinese “entity” then re-raised. I was an “aggressive” player I thought but on this occasion with the usual faux complexity with which poker obsessives view even the most simplistic decision – I decided to be “sneaky” and flat called the Oriental re-raise. The big blind folded. I was much worse at poker than I thought.

The flop was A, 10, 8.

The Chinese entity bet about 12 grand or something silly. I decided it was time and possessing “the nuts” straight up I went All-In. The “Beijing Bandit” snap called.

I had a minor concern that the dude could be holding pocket 8’s / 10’s and would hit a one outer but I didn’t think so.

Both our hole cards were now visible and turned over waiting for the Turn and River community cards in this epic showdown.

The “entity” had Q 8. I mean come on. He had bottom pair with a Q kicker. He needed “runner runner” 8’s to beat me. Thats odds of 0.0925% or one time in approximately 1080. I was bullet-proof.

The turn was an 8. I had a boat A’s & 8’s versus his set of 8’s.

He had a one outer. I was golden for the nanosecond that it took for the RNG to decide that the next card in this poker “random” universe would be an 8. And so it was.

The river was a 8.

And in the text box – the word “boom” appeared next to the entities name. This is the point in Western’s where a guy stands up (me) and shoots the “boom” guy between the eyes, for taking the piss and not having the wit or the wisdom to realise that he/she/it is a complete wanker.

In the VR of online poker it is replaced with bits of broken laptop sticking out from the wall opposite.

In my case it was different.

I closed the laptop lid and went to bed. I muttered “fuck that” on the way.