NAFTA Revisited

Trump’s long-awaited wishlist for NAFTA has appeared.
See Summary of Objectives for the NAFTA Renegotiation

For NAFTA being “the worst trade deal ever”, there certainly aren’t a lot of specific problems being considered.

A few that interest me:

  • “Establish rules to prevent governments from mandating the disclosure of computer source code.” — That looks like a serious security violation and possibly forbidding Free/Libre Open Source code.
  • “Ensure standards of protection and enforcement that keep pace with technological developments, and in particular ensure that rightholders have the legal and technological means to control the use of their works through the Internet and other global communication media, and to prevent the unauthorized use of their works.” — DRM anyone? This looks either to be very vague and ineffectual or the thin edge of the wedge of a very intrusive Internet. “Ensure” could cover no end of evil surveillance, censorship and invasion of privacy. 1984 called and wants Freedom abolished, I think.
  • “Require that SOEs not cause harm to another Party through provision of subsidies.” — I could see lawyers getting rich over this one. Any business could claim some government corporation was subsidized and given unfair advantage after doing all the initial capital investment, creating the market and educating consumers like Manitoba Hydro did for hydro and wind and promoting EVs.
  • “Seek to eliminate non-tariff barriers to U.S. agricultural exports including discriminatory barriers, restrictive administration of tariff rate quotas, other unjustified measures that unfairly limit access to markets for U.S. goods, such as cross subsidization, price discrimination, and price undercutting.” — This will be fun. Canadian farmers are split on the Canadian Wheat Board and united on milk and egg supply management. This is one where I think Trump might have my support. These days farmers can deal on the Internet so CWB could be replaced by a shipping company and I would like the price of milk products to be based somewhat on the cost of production instead of the speculative price of quotas traded like stock options… It’s silly but one cow’s worth of quota can cost several times as much as a cow and the price of milk is raised to cover this artificial “cost of doing business”. Both made sense at one time but with farming being a business now instead of a family subsistence, no longer.

I’m sure there are more hard nuts to crack in there but these are the ones that popped out on a quick read. They are not much like Trump’s campaign rhetoric so they might actually get somewhere. It’s pretty clear USA is not interested in abolishing NAFTA, just tweaking. Still, the Canadians and Mexicans will have to be careful not to give away the farm.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.


24 Responses to NAFTA Revisited

  1. oiaohm says:

    Deaf Spy
    Then, both you and the bush village idiot miss a tiny detail. All Windows executables are signed. Which means, one can’t simply forge one easily.
    Missed a major fact that your statement here is a lie.
    https://wine-staging.com/news/2017-05-30-release-2.9.html
    The reason why Wine has had to start developing more real-looking .dll files is that there are more and more Windows programs containing their own PE loader. Yes, their own PE loader that is signed but then does not check whether what it is loading is signed or not. So the idea that all Windows executables are signed is false. The stub the application loads with has to be signed; nothing more has to be.

    You describe a generally correct technique, but it is not so simple anymore, when you have to consider factors like page execution permissions, stack frames (x64 are especially interesting), memory alignment rules…
    All that was covered in the old Linux virus writing example. It’s not that hard. So by 2001 there were tutorials on how to do that for Windows 32-bit. 64-bit executable on-disc patching is no different to 32-bit executable patching.

    https://github.com/secretsquirrel/the-backdoor-factory
    These days you don’t need much skill at all to do the modifications. Yes, that will take the Windows signature off and re-sign as well.

    Finally, how harder would that be to be achieved with Debian? Because, you say, the USNavy would look at the source codeZ and find the hack? You must be a moron to believe so, Robert.
    You have the Debian reproducible builds process. So source to binary can be matched.
    https://reproducible-builds.org/

    Reality: you are behind the times. Any executable binary modification in Debian will be detected in a reproducible-builds test. If you want to breach Debian in a hard-to-detect way you will have to compromise the source.

    Yes, you can run audit tools on the source that are normally more effective than on binaries, and you can absolutely match the source the program was built from to the final binary.

    Reality: with the man-in-the-middle binary patching that is going on, and given that it is so simple to perform with the existing tools, you cannot presume that a binary you get is not tainted without extra paths of validation.

    Reality: if you can write old-school TSR DOS-style code, modernized, and you can get your hands on one of the modern open source insert-code-into-binary-exe tools, it’s a dead simple process to patch any Windows PE 32-bit or 64-bit executable.

    Deaf Spy, you are talking about 200 lines of wrapper code that is fairly straightforward to find on the Internet to alter a jmp in a Win 64-bit executable and insert your own binary code in. Signing stripping and replacing is not hard either.

    As I said, this can be taught in 1 hour. It’s not that hard to modify executables. Now, knowing enough to write the asm code correctly, that takes a little more time.

    Funny part is the code is only minorly more complex than doing a DOS TSR, even with all the so-called new stuff.
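The reproducible-builds check described in the comment above, as an added example that is not part of the original thread or Debian's own tooling: it parses the `Checksums-Sha256` field of `.buildinfo`-style records from independent rebuilders and compares it with the SHA-256 of the binary actually received. The package name, rebuilder names, byte strings and the quorum of two are constructed assumptions, and verifying the signatures on the `.buildinfo` files is assumed to happen separately.

```python
import hashlib

ARTIFACT = "hello_1.0-1_amd64.deb"  # hypothetical package file name

# Constructed stand-ins for package bytes: one as the rebuilders produced it,
# one with a single byte altered somewhere between the archive and the user.
REBUILT_DEB = b"constructed-package-contents-v1.0\n" * 8
TAMPERED_DEB = REBUILT_DEB[:40] + b"X" + REBUILT_DEB[41:]


def make_buildinfo(data, filename=ARTIFACT):
    """Build a constructed .buildinfo-style record for `data` (sample input only)."""
    digest = hashlib.sha256(data).hexdigest()
    return (
        "Format: 1.0\n"
        "Source: hello\n"
        "Architecture: amd64\n"
        "Version: 1.0-1\n"
        "Checksums-Sha256:\n"
        f" {digest} {len(data)} {filename}\n"
        "Build-Architecture: amd64\n"
    )


def parse_checksums(buildinfo_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in buildinfo_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if line.startswith((" ", "\t")):  # continuation line of the field
                parts = line.split()
                if len(parts) == 3:
                    digest, size, name = parts
                    entries[name] = (digest.lower(), int(size))
                continue
            in_field = False  # a non-indented line starts the next field
    return entries


def verify_artifact(filename, data, buildinfos, quorum=2):
    """Compare the received bytes with what each rebuilder recorded.

    Trusted only if at least `quorum` rebuilders recorded the same digest and
    size as the received file and no rebuilder recorded something different.
    """
    actual = hashlib.sha256(data).hexdigest()
    matches, mismatches = [], []
    for builder, text in buildinfos.items():
        entry = parse_checksums(text).get(filename)
        if entry is None:
            continue  # this rebuilder did not build the file; no evidence either way
        if entry == (actual, len(data)):
            matches.append(builder)
        else:
            mismatches.append(builder)
    return {
        "sha256": actual,
        "matches": sorted(matches),
        "mismatches": sorted(mismatches),
        "trusted": len(matches) >= quorum and not mismatches,
    }


# Two independent rebuilders (hypothetical names) that built from the same source.
BUILDINFOS = {
    "rebuilder-a": make_buildinfo(REBUILT_DEB),
    "rebuilder-b": make_buildinfo(REBUILT_DEB),
}

if __name__ == "__main__":
    for label, blob in (("clean", REBUILT_DEB), ("tampered", TAMPERED_DEB)):
        result = verify_artifact(ARTIFACT, blob, BUILDINFOS)
        print(label, result["trusted"], result["mismatches"])
```

The tampered sample has the same length as the clean one, so only the digest comparison catches it; a size check alone would pass.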

  2. Deaf Spy says:

    Typically, one would find linear code, remove one instruction, replacing it with a JMP to an empty region, replacing that instruction there, inserting a “patch”, followed by a JMP back to the original stream of code. That’s actually trivial and often shown in “the movies”. If Hollywood actors can understand it…

    In “the movies” they show going through black holes, but I seriously doubt actors understand it.

    You describe a generally correct technique, but it is not so simple anymore, when you have to consider factors like page execution permissions, stack frames (x64 are especially interesting), memory alignment rules…

    Is it doable. Yes. Easy? No. I am sure, Robert, you can’t do it. If you want to prove us wrong, get a random EXE or DLL from Windows (even XP), say, something from the Shell, and hack it with a JMP to a call to MsgBox (you can call it with nulls as parameters) and JMP back, and send us the executable for us to review.

    Then, both you and the bush village idiot miss a tiny detail. All Windows executables are signed. Which means, one can’t simply forge one easily.

    So, tell us again, Robert, how is this exactly so easy?

    Finally, how harder would that be to be achieved with Debian? Because, you say, the USNavy would look at the source codeZ and find the hack? You must be a moron to believe so, Robert.

  3. oiaohm says:

    DrLoser, really, you are a moron. The AIX compiler suite will relink applications out of the box without any tricks required at all.
    How unspeakably cretinous, Fifi, you moron.
    So Dr Loser, you’re a moron. To be correct, the formal term for the hard-to-detect method is Relinked with Link Time Optimization. That is not that complex to pull off.
    I’m not actually saying that you didn’t try to do that, Robert. You are clearly the sort of incompetent moron who would give it a try. But … it didn’t work, did it?
    Read the tutorial I put up. It contains demo code doing a jmp replacement. Yes, it might be for ELF but PE is COFF-related, a close enough format to recode the method.

    The bin/hex replacement method was from the 9x time frame when tools were limited.

    DrLoser, basically I gave a cite containing the methods I am talking about, yet you still are calling me a moron. It’s because you are clueless on this topic.

    There is a book, PC Architecture & Assembly Language by Barry Kauler from 1993, that covers patching NE binaries. There are quite a few books of that time frame that cover doing what Robert described as well.

    What Robert described we would not do now; in the 90s and 80s it was not that strange. The relink with link time optimization to make the addition look more a part of the binary is just an advancement; the old method of altering the long jump still works and is still found in about 70 percent of new executable-embedded malware.

  4. DrLoser says:

    Jmp insert is the simplest. Relink is more complex as it can in-line the added code make it harder to detect that there has been a code path modification.

    How unspeakably cretinous, Fifi, you moron.

  5. DrLoser says:

    Back in the day we wrote code from switches, bin/hex dumps, assembler and a wide variety of higher level languages.

    As Grece correctly points out, Robert, you are not part of this “we.” For evidence, we need only try to imagine “you” writing code “from bin/hex dumps….”

    I’m not actually saying that you didn’t try to do that, Robert. You are clearly the sort of incompetent moron who would give it a try. But … it didn’t work, did it?

    Writing code in hex dumps, pah!

    And this “wide variety of higher level languages?”

    These days, Bobbie, you are barely proficient in Bash. Let alone Cobol, Fortran, and Basic … which were the only “higher level languages” available back then. I know this, because I was there. And you, Bobbie, you spavined useless cheapskate piece of garbage, you were not.

  6. oiaohm says:

    What’s this we Robert? Don’t you mean to say they wrote code? Considering that, who are they anyways?
    Grece, it was a necessary evil if you look at Robert’s work history. Of course you come out presuming incorrectly.

    Jmp insert is the simplest. Relink is more complex as it can in-line the added code, making it harder to detect that there has been a code path modification. The reality is a relink can be taught in 1 hour; the resulting binary will look normal, as if the patched-in code was in the original source, in most cases, even though you never had the original source. Signed applications only require a valid signing key to make new signatures. Please note we are talking government-to-government attacking here. Stealing signing keys is not off the table.

    http://kernelex.sourceforge.net/ Patching closed source binaries was a lot more common in the transition from 9x to NT line operating systems, on both sides of the conversion as well. It’s something we have not had to do a lot of since the year 2002. So people are forgetting how simple it is, or they were never working in an administrator role at that time in schools that had a lot of applications to work around. Yes, in-memory and on-disc patching of closed source applications that you do not have the source to has had many different uses over the years that are not malware, so it is possible to find non-malware tutorials to do it.

    Grece, reality: you never had a point; you lack the historic knowledge. With Robert’s stated history you would expect him to have performed a few patches to closed source binaries. Remember early Windows did not have SXS, and working in schools it was nothing to have two educational applications installing the exact same name dll with totally different contents, so then needing to binary-modify 1 of the executables so you could rename the dll. This kind of makes the Linux chroot for compatibility look friendly.

    SXS = Side-by-Side Assemblies, by the way; it’s quite young technology.
    https://msdn.microsoft.com/en-us/library/windows/desktop/ff951640(v=vs.85).aspx
    It only appears in Windows XP 2002. Working before that you had DLL hell, so knowing malware binary patching methods was at times a required skill to allow application compatibility on the old Windows platform.

    Really the biggest mistake ever by Deaf Spy; then Dr Loser and Grece prove their lack of knowledge thinking Deaf Spy has a point or Robert has said something strange. The time Robert administrated Windows 9x required the skill.

    By the way, bin/hex dumps were a common method of putting the jmp in during the Windows 9x time frame. The compatibility workaround was normally jmp to a block of code and jmp back, not the more hidden relink where the added code is embedded as if it was there in the link. So Robert was describing Windows compatibility work from before Windows XP. Those patch-in methods work on modern systems with minor alterations for address randomization.

    Due to not understanding how simple binary patching is, a lot of people think being a malware writer is a lot more skilled than what it really is. Of course those who worked in the 9x time frame, who had to do it as part of their legal job so required mixes of applications worked, do not see the majority of malware authors as having any major skill.

  7. Grece says:

    Back in the day we wrote code from switches, bin/hex dumps, assembler and a wide variety of higher level languages.

    What’s this we Robert? Don’t you mean to say they wrote code? Considering that, who are they anyways?

  8. Deaf Spy wrote, “it is unspeakably more difficult to “embed some evil code” without the source code than to actually discover such an attack without the source code?”

    No, it isn’t. Back in the day we wrote code from switches, bin/hex dumps, assembler and a wide variety of higher level languages. If there was a need, a way could be found. When working with crude tools of the day, paper tape, for instance, it was definitely easier for small snippets to be modified by setting switches and looking at lights. Typically, one would find linear code, remove one instruction, replacing it with a JMP to an empty region, replacing that instruction there, inserting a “patch”, followed by a JMP back to the original stream of code. That’s actually trivial and often shown in “the movies”. If Hollywood actors can understand it anyone can. Getting this to survive address randomization and checksums can be done.

  9. oiaohm says:

    DrLoser, really, again an attempt to support an idiot who did not have a point. When will you learn to do some research before jumping in boots and all.

  10. oiaohm says:

    Has it ever occurred to you, Robert, that it is unspeakably more difficult to “embed some evil code” without the source code than to actually discover such an attack without the source code?
    http://www.linuxsecurity.com/resource_files/documentation/virus-writing-HOWTO/_html/index.html
    Deaf Spy, this is an old ELF virus writing tutorial. Yes, for adding code to a binary that you don’t have the source code to. It turns out to be surprisingly simple. Linking is Linking.

    Really, how many clueless idiot statements are you going to make, Deaf Spy, before you learn better? When you build an application, historically you have built object files then used a linker to join them into an application. All that inserting code into an existing binary is, really, is making the linking process work on a built executable.

    Problem here is discovering an attack in a closed source binary can be quite hard. Yes, signing and signatures can help if you are getting those from dependable sources.

    It surprises most people that it is 1 hour of training to be able to embed extra code into any platform executable format. So altering binaries is not hard. Sometimes annoying due to limitations of tools. Like gcc/binutils out of the box does not support relinking executables.

    https://github.com/espadrine/opera/blob/master/chromium/src/third_party/syzygy/binaries/exe/README.TXT
    Please note relinking has not only been used by malware; it has been used by some parties doing performance modifications under Windows. Welcome to the fun: is that binary with a wrong checksum under Windows wrong because malware has modified it, or is it wrong because the maker relinks the executable based on the CPU it is running on? This does explain why after all these years you still get unsigned programs on Windows from some closed source game vendors.

  11. DrLoser says:

    Malware writers do it all the time.

    That is not an answer to the question “do you realise that A is orders of magnitude more difficult than B,” Robert.

    As it happens, there are answers to that question. Several, in fact. But apparently you either do not know them or are not confident of your ability to back them up.

    Never mind. Read Deaf Spy’s comment once more (twenty times if it helps your failing cognitive powers), and try again.

  12. DrLoser says:

    This US Navy obsession, btw. Doesn’t really sound like the sort of thing that Mr Pogson likes to bang on about, does it?

    Thinking about it, I remembered that both Pogson and Schestowitz made a big deal out of the USS Yorktown, an event that happened back in 1996. Seems like a reasonable guess as to the root cause of Robert’s unease, what with him being stuck, technologically, in the world of 1996…

    Or perhaps there’s some other important reason for the pick. Perhaps Robert will disclose this reason to us. He is, after all, famously keen to back up his assertions with cites, however dubious the quality or relevance.

  13. Deaf Spy wrote, “Has it ever occurred to you, Robert, that it is unspeakably more difficult to “embed some evil code” without the source code than to actually discover such an attack without the source code?”

    Malware writers do it all the time. It’s not that hard given that Russia, China, and N. Korea have lots of smart people working on such tasks. Examine the binary. Put in links to new code. Adjust the checksum(s) or checksummer to give the “right” answer. These guys have super-computers to help with that.

  14. Deaf Spy says:

    …embeds some evil code in TOOS, and sells it to Navy without source code…

    Has it ever occurred to you, Robert, that it is unspeakably more difficult to “embed some evil code” without the source code than to actually discover such an attack without the source code?

    Now, for the pure exercise, I’d leave it to you to explain how that can be. 🙂

  15. oiaohm says:

    https://wiki.linuxfoundation.org/images/2/2e/NDA_contributors.pdf

    It isn’t a security violation (serious or otherwise) and it doesn’t forbid FLOSS. In regard to the latter point, you may remember, Robert, that GPL3 (and other such licenses) are perfectly capable of operating either within or without “government mandates.”
    DrLoser, you are forgetting NDA. We have not seen what NDA vs GPL3 looks like fully yet.

    NDA-covered FLOSS can be not very much different to a Microsoft product in what you can do with it as a government. Some of the existing rules some countries have forbid supplying FLOSS covered by NDA. So this again depends on how it is worded.

    No, it’s not. Suppose Navy orders some GNU/Linux. M$ can jump up and down screaming Navy is violating NAFTA. It protect M$ and friends.
    This by Robert has some base in fact.

    DrLoser, really, you need to look at Australia. The labeling and control of tobacco.
    https://en.wikipedia.org/wiki/Plain_tobacco_packaging#Tobacco_industry_response
    Yes, restriction in packaging, and Tobacco attempted to sue under restriction of trade. Of course I can see Tobacco attempting to claim that Australia’s tax on Tobacco is not right.
    https://www.cdc.gov/tobacco/data_statistics/fact_sheets/economics/econ_facts/index.htm

    Seek to eliminate non-tariff barriers to U.S. agricultural exports including discriminatory barriers, restrictive administration of tariff rate quotas, other unjustified measures that unfairly limit access to markets for U.S. goods, such as cross subsidization, price discrimination, and price undercutting.
    People forget Tobacco is a USA agricultural export, so the wording of this is a concern because it could be used against countries’ attempts to control usage of Tobacco and other USA agricultural products that cause major issues. Other items this could attack are countries with GM import bans and items like it. So there are a few points of worry.

  16. Grece wrote, “Robert, are you writing a movie? Nothing of what you stated would be an plausible.” but earlier DrLoser had written, “Utter inability to deal with simple grammar. (“It protect?”)” for a mere typo. People who live in glass houses should not throw stones. Perhaps you should criticize each other instead of the good people out here.

  17. Grece says:

    OK, so unscrupulous PC-maker, in league with some foreign power, embeds some evil code in TOOS, and sells it to Navy without source code. This code wakes up at random time on random date and transmits…….

    Robert, are you writing a movie? Nothing of what you stated would be an plausible. I think you should start-up as a script writer for the next series in Mission Impossible movies.

    Who is this unscrupulous PC-maker?

    Which foreign power?

    Where would they embed it? Internally/externally?? Hardware/software??

    Why would they be selling it to the Navy, when most governments work on a fixed-cost contractual basis?

    Also, on top of all that, whose damn Navy are you even theoretically discussing?

  18. DrLoser wrote, “It isn’t a security violation (serious or otherwise) and it doesn’t forbid FLOSS.”

    OK, so unscrupulous PC-maker, in league with some foreign power, embeds some evil code in TOOS, and sells it to Navy without source code. This code wakes up at random time on random date and transmits the last 17 characters input on the keyboard to some website where another bit of malware has been installed to relay the information to Big Brother. Now vital information is leaking from Navy, perhaps nuke codes, passwords, e-mails,… How is Navy not compromised? How is Navy able to detect and avoid the compromise without seeing the source code? You bet this is a security vulnerability.

  19. Grece says:

    It’s pretty clear USA is not interested in abolishing NAFTA, just tweaking.

    That was never the plan Robert. The plan was always to renegotiate, and if that were to fail, then the U.S. would submit a notice under Article 2205 of the NAFTA agreement that America intends to withdraw from the deal.

    https://www.youtube.com/watch?v=XEfwK6iyQqY

  20. DrLoser says:

    No, it’s not. Suppose Navy orders some GNU/Linux. M$ can jump up and down screaming Navy is violating NAFTA. It protect M$ and friends.

    Is Fifi subbing for you now, Bobbie? There seems to be a convergence here.

    * Total irrelevance to the point at issue
    * Utter inability to deal with simple grammar. (“It protect?”)
    * Ludicrous straw-man (pointed out by Grece. I don’t need to rehash his excellent arguments).

    The only thing you are lacking is a couple of spectacularly stupid and irrelevant “cites” that you have been storing in your hamster cage for a decade or so. No doubt Fifi can help you out with said rubbish cites.

  21. DrLoser says:

    “Establish rules to prevent governments from mandating the disclosure of computer source code.” — That looks like a serious security violation and possibly forbidding Free/Libre Open Source code.

    It isn’t a security violation (serious or otherwise) and it doesn’t forbid FLOSS. In regard to the latter point, you may remember, Robert, that GPL3 (and other such licenses) are perfectly capable of operating either within or without “government mandates.”

    You might have some sort of point below that particular piece of drool, but frankly it was so utterly cretinous that I really couldn’t be bothered to read the rest.

  22. Grece says:

    No, it’s not. Suppose Navy orders some GNU/Linux. M$ can jump up and down screaming Navy is violating NAFTA. It protect M$ and friends.

    Robert, you are rambling again, like your sidekick Peter again. As a former project manager, could you enlighten me as to how this action/reaction would transpire in the most simplistic terms?

    Whose Navy? Where/When??

    How would said Navy “order” Linux when it’s “Free/Libre Open Source code”?

    Why would Microsoft be jumping up/down and screaming? When they already sell software in the U.S., Canada and retain the DOD and the U.S. Navy as customers.

  23. Grece wrote, “It’s about protecting American interests.”

    No, it’s not. Suppose Navy orders some GNU/Linux. M$ can jump up and down screaming Navy is violating NAFTA. It protects M$ and friends.

  24. Grece says:

    “Establish rules to prevent governments from mandating the disclosure of computer source code.” — That looks like a serious security violation and possibly forbidding Free/Libre Open Source code.

    Actually Robert, it’s not. It’s about protecting American software. It’s about protecting American interests.
