The Context of Aikido’s Philosophy



Here I’ll try to explain the more esoteric ideas associated with Aikido, and clear up some of the misunderstanding over the nature of ‘Ki’. Of course, I’m nowhere near the most authoritative source on this, but I’ve been practising several years at a dojo that’s taken Ki as the foundation for developing skill in the more traditional techniques, and it’s taken me that long to grasp what’s actually being taught.

The Way of Peace
Why is Aikido referred to as ‘the way of peace’, and how does the training promote a philosophy that’s almost never taught in a dojo? It’s commonly held that this philosophy originated with Morihei Ueshiba, and that his mission was to somehow use Aikido as the vehicle for promoting world peace.

The Daito-ryu techniques are what Ueshiba excelled at and started out teaching in the 1920s, and at some point Aikido became officially independent of Aiki-jutsu. An academic study of Admiral Takeshita’s journal claims Aikido began as a Daito-ryu study group, which Ueshiba soon rebranded. Of course, Ueshiba researched other martial arts, and many initial students had brought with them a mastery of Judo. This evolved into what officially was called Aikido in 1942.

By all accounts, Ueshiba was indeed a deeply religious man in his later years, and the Omoto religion seemed to be his biggest influence. Onisaburo Deguchi also strongly encouraged the development of Aikido.
Ueshiba did a fair bit of evangelising to anyone who would listen. Other than Koichi Tohei’s Book of Ki Sayings, I couldn’t find much to indicate that Ueshiba’s students cared about or understood the religious aspect. As far as I can tell, that reached the West primarily through John Stevens.

Thanks to the research posted on the Aikido Sangenkai blog, we learn that the ‘way of peace’ was actually carried over from the Daito-ryu as a core principle. The following quote is attributed to Takeda Sokaku:

‘The purpose of this art (Daito ryu) is not to be killed, not to be struck, not to be kicked, and we will not strike, will not kick, and will not kill. It is completely for self-defense. We can handle opponents expediently, utilizing their own power, through their own aggression. So even women and children can use it.’

Just like Aikido, which is extremely useful to someone who is small and lightweight (as I can attest). The wording in a scroll written by Yukyoshi Sagawa, a contemporary of Morihei Ueshiba and another student of Takeda, should also be familiar to Aikido practitioners:

‘As the Ki of Aiki is natural it unifies and reconciles without the slightest ill feeling or resistance. The harmonious reconciliation that is Aiki must be the basis for the formation of human society.’

It could also be called ‘The Way of Peace’ because Aiki is a great leveller. A smaller person with confidence in the methods, a natural awareness and the right body language is no longer an attractive target for the predators in society. If enough people learned how to use it, we’d expect there’d be less violence.

Ki and Aiki
Sagawa’s statement doesn’t make a lot of sense to anyone who doesn’t know what Aiki is. Here’s my (revised) understanding of it: Anyone who’s driven a car knows that an engine can’t move a car from a static position – we start the engine first, then bring the clutch to just the right point to build momentum. That connection is an example of Ki. Likewise, a lightweight couldn’t normally make a technique work against a heavyweight in a fight, but it becomes possible if the technique is applied at a precise moment when the heavyweight’s centre of gravity isn’t synched with the rest of his body – this is also a manifestation of Ki. Essentially ‘Ki’ is the connection or ‘linkage’ between two bodies for redistributing mass and power. It can also refer to the connection between different parts of the same body, hence the term ‘mind-body co-ordination’.

What Takeda Sokaku, Ueshiba and later Koichi Tohei taught was a way of applying that principle in a fight. Attacks are not countered by strength or physical effort, but instead through understanding body mechanics and body language. It takes a while to become proficient at using Aiki, but it provides a much better chance of survival in a real fight than the techniques themselves.
Because Aiki (let’s call it ‘Ki’) wasn’t well understood by everyone, the idea began circulating that it was some mysterious ‘force’ or ‘energy’, and Aikido sometimes became associated with the ‘no-touch knockout’ bullshit. It’s possible to imagine how that then became conflated with Ueshiba’s religious teachings.

A Quick Look at Windows 10 Enterprise



Yesterday I spent a couple of hours playing with a preview release of Windows 10 Enterprise. This might be a different release to what the mainstream press has covered, but the interface should be the same. To do Windows 10 full justice, I’d have to spend longer playing with it and cover the OS internals at some point.

The Start Menu and Metro Interface
From the average user’s perspective, Windows 10 is essentially Windows 8 with the Metro interface contained within the Start menu – Microsoft promotes this particular feature as a selling point of Windows 10. Almost all the defects I encountered were related to this one thing. It’s a little rough around the edges, taking several restarts to get the Start menu working properly. Well, it is a demo at this point.


The rest of the operating system appears quite stable, and the system requirements are modest. On a VM with around 2GB memory and a dual-core CPU (roughly the spec of my ten-year-old laptop) the interface was very responsive and immediately intuitive. The same UI should work perfectly across devices as the corner icon switches the Start menu into a full Metro interface.


A superficial gripe I had was the default appearance. It looks more glossy after ditching the (literally depressing) themes and changing the colours a bit.


Other than a web search and Cortana being integrated into the Start menu, Windows 10 has roughly the same online features as Windows 8. This is surprising, given it’s apparently the final version of the OS, and I expected this preview to showcase the OS as the interface to Microsoft’s ‘ecosystem’ (i.e. all the online services and recent APIs).

Everything else was near identical to Windows 8. The old command prompt, PowerShell, Task Manager (with minor changes), other default applications and features were present.

Microsoft Edge
Windows 10 includes the replacement for Internet Explorer – Microsoft Edge, formerly called ‘Project Spartan’. Its design is clean and minimalist, compared to Explorer.
Its innovative feature is ‘Web Notes’, which can be used to overlay any web page with notes, highlighting and drawings.


Finally, the concept of multiple virtual desktops has arrived in Windows 10. This feature has been native to CDE, Gnome and KDE since the late 90s. In Windows 10, we can have more workspaces (at least 200), and the applications can be dragged between them.


Hacked Team




The Twitter page was restored around six hours later, but Hacking Team were well and truly owned by then, and roughly 370GB of the company’s data was being circulated and copied by millions. At the time of posting this, over 53 million requests were made to the FTP mirrors hosting the exfiltrated material. DDoS attacks, threats and PR aren’t going to fix this for them.


As we can see, it seems everything was dumped – admin files, client lists, email archives, RCS source code, exploits… everything. Even though Hacking Team are most likely finished, I think the information has long-term value for fighting commercial malware vendors, knowing which organisations were using the malware, and understanding the ‘ecosystem’ Hacking Team were operating in.

For several years Hacking Team had a reputation for providing remote access malware (that’s basically what it is) to bad men, and empowering regimes with dodgy human rights records. In-depth investigations were countered with PR, but we knew the malware had somehow found its way onto the computers of journalists and human rights groups. It’s quite possible, though not proven, that Hacking Team was complicit in the torture, imprisonment and deaths of innocent people. I tried to give Hacking Team the benefit of the doubt while skimming through the material, played Devil’s advocate in places, but the evidence is damning whichever way we look at it. There’s no getting around the fact Hacking Team provided backward regimes ‘offensive security’ capabilities they wouldn’t otherwise have. What the fuck were they thinking?

Hacking Team is one more addition to the growing list of Internet surveillance firms that got owned, and clearly the exposure of injustice is now a common motive for hackers and insiders. Any organisation involved in something objectionable should therefore expect to be exposed sooner or later. Not even the NSA and GCHQ were immune to this. Not all disclosures will be mediated by celebrity gatekeepers like Glenn Greenwald either.

So who were the clients? There are a couple of spreadsheets listing them for the ‘offensive security’ services. The Ethiopian and Sudanese governments were prominent among the clients, and the most commented on. I went digging through the material for connections to Saudi Arabia, as that country is known to have an atrocious human rights record, and it transpired Hacking Team were indeed trading with Saudi Arabia’s defence and intelligence organisations:


According to its own marketing material, Hacking Team’s remote access malware was designed to be deployable against large numbers of people, and invoices can be found for Technology Control Group ISP and the General Intelligence Presidency in Saudi Arabia.


It also appears, from references in the archive, that Hacking Team were pushing the malware at various marketing events for surveillance technologies. One of these is ISS World, which I covered here before. Unlike your typical security conference, these are off limits to the public.

The RCS Malware
The source code for the ‘Remote Control System’ was posted on GitHub, but removed the next day. I’ll comment on the screenshot below, as it’s caused a bit of controversy on Twitter and Hacker News:


It led some to believe Hacking Team were planting dodgy material on targets’ computers, but it looks more like they were testing their ‘evidence management system’ on dummy files. It probably doesn’t need pointing out that the installation and subsequent discovery of malware that could be used to plant evidence would seriously undermine the prosecution in a properly conducted trial.
The repo was taken off GitHub before I could take a proper look at the source, but thankfully we have all the documentation, plus the source code for the ancillary components (exploits, droppers, etc.).

GeoTrust Certificates
One of the more interesting aspects of this is in the shared dev directory. It looks as if they were using GeoTrust certificates to sign kernel-level code, perhaps as Windows ‘drivers’. I wonder how they came across these, but it looks as if GeoTrust provided Hacking Team with the signing certificates.


Gamma International
For anyone who wants more material on the FinFisher products, there’s a stash of files in /rcs-dev/share/Documentation.

United Nations and the Sudan Issue
Following the Citizen Lab report, the United Nations started taking an interest in Hacking Team’s business, in particular their dealings with Sudan. Correspondence relating to this can be found in the /SUDAN directory. Some United Nations group made the argument that Hacking Team’s malware violated the restrictions on the sale of arms to the country, especially given the human rights concerns. According to our own government’s Foreign Office, arbitrary arrests, some torture and police corruption are routine in that region.
The United Nations group didn’t receive a direct reply from Hacking Team, but we know Hacking Team were at least aware of the concerns because the fax was in their file system.


We now know the malware was supplied to a Sudanese entity known as the ‘National Intelligence Security Service’ at the end of December 2014, and a 2012 invoice for the ‘Remote Control System’ can be found.


This aspect is very important. Although the malware in this case might be defined as ‘arms’, because there’s little ambiguity about its intended usage, this could have set a precedent for regulating legitimate security testing tools.

The Intercept on Disk Encryption



Micah Lee’s arguments on The Intercept for BitLocker were very well made, and I agree with most of them; the important point is to choose wisely when it comes to disk encryption. Whether people should use BitLocker depends on why they need volume/disk encryption. If you’re one of those people ‘with nothing to hide’, and are primarily concerned about the loss or common theft of a laptop, BitLocker provides a very effective security measure. But Lee’s article was posted on The Intercept, so I’m assuming it’s about encryption in the context of protecting information from The Powers That Be, in which case it should have at least mentioned how BitLocker and the ‘lawful access’ issue are intertwined.

BitLocker (‘Device Encryption’ in the standard Windows 8 edition) has some weird key management going on. With the standard Windows installation the user must be signed into a Microsoft online account or a domain to activate BitLocker, so I’m assuming there’s no option but to upload the recovery key.

WTF?! No way!


Maybe it was designed that way to make encryption ‘user friendly’ for the average consumer, but I don’t understand why a symmetric decryption key must be stored anywhere while the local machine’s switched off, and having more than one key would make it even more vulnerable. Key recovery attacks are such a common way of defeating encryption, so they strike me as odd design choices. Many of us also use encryption, in-house servers and local storage because we don’t trust ‘the cloud’ for a variety of reasons – there are service providers who aren’t above lying about their security practices or abusing positions of trust, so passwords/keys are the very last thing I’d want to upload.

Microsoft does reportedly comply only with ‘lawful’ requests, so BitLocker potentially comes with a key escrow system. Problem is the word ‘lawful’ has such a broad meaning in the United States – anyone could be labelled an ‘extremist’, and FISA (without public oversight) appears to be ‘rubber stamping’ requests. Maybe it doesn’t happen often to actual non-extremists and law-abiding citizens. Maybe it does. The point is strong encryption should provide a safeguard, at the very least against warrantless access.
I just find it odd that Microsoft’s offline device encryption isn’t supported for the average user. I also find it interesting that BitLocker wasn’t mentioned during that fuss over device encryption between Google, Apple and the FBI last year.

The Alternatives
Anyone using Windows would have to trust Microsoft to some extent where encryption is concerned, and obviously the system running the encryption software. If you’re not using BitLocker, the chances are the alternative uses Microsoft code libraries and DLLs that could theoretically have a backdoor of sorts, or be replaced with something that contains malicious code. I doubt Windows is backdoored by default, or the NSA wouldn’t have bothered with their ‘tailored access’ exploits, or the FOXACID/QUANTUM thingy. You could, I suppose, go down the road of not trusting Microsoft entirely, in which case you might want to consider a setup like the hardened UNIX security model I blogged about last year, and use that in conjunction with disk encryption. I think that’s about as secure as you can realistically get.

Micah Lee discussed solutions that encrypt an entire primary disk, but we don’t need to be limited to that. Why not instead encrypt a partition or attached storage device, when the only real advantage being lost is protection against local tampering of the OS? One possibility is to boot into an operating system that’s fairly clean and secure, and mount an encrypted drive from there. Most tablets and laptops have an SD or microSD slot to accommodate a secondary drive that might be fully encrypted with something like DiskCryptor. The encrypted storage could also be something like an iStorage or IronKey device.

The best-known alternative is TrueCrypt, which has been audited, doesn’t have any obvious backdoors and it’s proven resilient until now. I’m still wary of using TrueCrypt for the same reason Lee gave: the project has been discontinued, and software ages fast when nobody’s maintaining it and dependency issues start surfacing. That might rule out TrueCrypt as a long-term solution, but again a secondary storage device gives us the option of using legacy filesystems. However, we can use a fork of TrueCrypt, such as VeraCrypt. Logically this is a much safer option than BitLocker, since no encryption key is uploaded or stored unless you’re creating an optional(!) key file. VeraCrypt and DiskCryptor aren’t 100% proven, but they seem the best alternatives available.

