Schneier on Security
A blog covering security and security technology.
June 8, 2011
25% of U.S. Criminal Hackers are Police Informants
I have no idea if this is true:
In some cases, popular illegal forums used by cyber criminals as marketplaces for stolen identities and credit card numbers have been run by hacker turncoats acting as FBI moles. In others, undercover FBI agents posing as "carders" -- hackers specialising in ID theft -- have themselves taken over the management of crime forums, using the intelligence gathered to put dozens of people behind bars.
So ubiquitous has the FBI informant network become that Eric Corley, who publishes the hacker quarterly, 2600, has estimated that 25% of hackers in the US may have been recruited by the federal authorities to be their eyes and ears. "Owing to the harsh penalties involved and the relative inexperience with the law that many hackers have, they are rather susceptible to intimidation," Corley told the Guardian.
But if I were the FBI, I would want everyone to believe that it's true.
Posted on June 8, 2011 at 3:46 PM
Wouldn't the knowledge that informants are everywhere drive hackers to disclose less personal information?
Meh, that's news so old it predates the web. Crackers have never been good at keeping their mouths closed. It's only since cracking became big business that that's started to change.
Compared to antiwar protesters, that's actually a very low percentage.
It is much easier to take the effort to make everyone believe that 25% has been recruited than to recruit them in reality.
The targeted conspiracy would cease to communicate efficiently and the collateral damage and cost of operation would be minimal.
What else can one do when a bunch of 18-year old anonymous vigilantes run amok on the internets and threaten world stability?
Disinformation.... that's what it accomplishes. If they think that one of their crew has been compromised then you reduce the total brain power behind the crew and in essence their capabilities.
I'm not sure about anyone else but I work better in a team than as an individual, and if that team is disrupted, well then the productivity falls.
The title makes it sound like a sound statistic doesn't it? Completely anecdotal. You can find it referenced elsewhere as though they have actual data.
So now we see the FUD spreading not just to legitimate businesses, but to cyber criminals. I like it.
Hackers ratting out each other, changing sides under pressure or over money is not exactly a novel idea, but I have no idea where this figure comes from or on what verifiable information it is based.
Perhaps Corley just finished his copies of "Kingpin" by Kevin Poulsen and "Ghost in the Wires" by Kevin Mitnick and decided to add his two cents. Mitnick (on Twitter) for one believes it's way over 25%, but from where I am sitting it's more FUD than fact.
I'm curious what exactly they mean by "hackers".
so some kid wants to Stick It To The Man, installs LOIC, and participates in a DDoS or two. net admins trivially log the participants, cops visit those in the US. "tell us what you know about Anonymous!". and that's another "criminal hacker" turned "police informant".
I'm of the opinion that Anonymous is well and truly owned at this point, although it's a tossup as to whose government they are actually working for/with. They've definitely cooperated with the US. It's why Assange is still alive and allowed to live the jet-set vida loca that he does. It's also why the releases of the information allegedly provided by Bradley Manning were delayed (likely in order to sanitize/censor/alter it) and strategically timed. Anonymous also seems to select its targets in a manner that infers a pro-Israel agenda, although that is just an educated guess based on personal observation.
There's also been a concentrated effort to co-opt most of the hacker community in the NYC area since at least the early 1990s. I've worked directly alongside Legion of Doom and Masters of Deception hackers turned "legit", although some are more inclined to work with the feds than others. I agree with Mitnick in that the number of informants is a lot higher than 25%. They're certainly very thick on the ground in NYC.
Plea bargains are the path to federal slavery. This is no joke.
It's gotta be either disinformation or the guy is talkin' outta his ass. I mean, how would one come up with reliable numbers on this? Informants would stay anonymous if they wrote the guy, making tracking hard there. If they didn't write him, he might try to find out by looking at who was around when people got arrested, but that's still guesswork. Finally, if the FBI was the source, we couldn't trust it because of their tendency to inflate their success rate and the probability of a psyop to scare people away from those forums.
Hence, there's no way to reliably determine the percentage of informants without significant error rates or integrity issues. We can logically conclude the information is wrong, probably intentionally. From here, "who intended this wrong information to be put out?" If it was the 2600 author, then he's talkin' out his ass. If it wasn't, someone fed him this. Maybe the Feds.
The BS-detecting power of logic and critical thinking is great. Whenever something seems suspicious, just ask yourself: "What would Spock say?" Haha.
"25% of U.S. Criminal Hackers (That are charged) are Police Informants".
Probably the same statistics as any type of crime (plead / turn state's evidence and get a lighter sentence).
Arrr, the FF spell checker isn't working :)
@Nick P: most of the banks, brokerage houses and ISP/CLECs in the NYC area have co-opted former crackers working for them. Such people are not given the power they have, especially in the post-Bush era, unless they've been owned by the Feds. The only question is whether they got caught or whether they got bought. They also network with each other, and it is quite a pervasive network indeed.
@ Nick P:
Of course the % itself is inherently unprovable, but the concept is surely true. Look at the check-forging guy who went to work for the Feds (Frank Abagnale). And MS runs honeypots; surely the Feds do.
Also, we the public have been assaulted with so much FUD that it's about time that the crooks are subjected to the same tactic.
O/T: I finally read the Bell follow-up you linked, and commented in some detail at the original thread of six days ago,
"They also network with each other, and it is quite a pervasive network indeed."
That's all true, but that's in general. If informants were anywhere near 25%, we wouldn't see nearly as much success on carder forums by amateurs and pros alike. Remember that it was one good counter-intel guy who took down that huge carder market. It wasn't like twenty-something informants/carders. There's simply not enough evidence present in actual case studies of those caught to presume 1/4 (or near that) are working with law enforcement.
We can't look at exceptional situations (or individuals) to prove the rule. I'm standing by the claim that, if the Feds so infiltrated the carder markets, we'd see many more arrests and much less success on the part of carders than we do. Frank Abagnale was utterly awesome at his trade, though. I loved the movie too. My favorite scene, aside from him tricking Tom Hanks, is him paying a $1,000 a night hooker with a $1,300+ FAKE check and getting $300 cash to cover the "difference." He basically made $300 off her and got about a grand in free extras. Epic win.
@ tommy on high assurance & Bell's paper
Thanks for mentioning it: this blog needs an email notification system. Your analysis is sound and matches the claims of both Bell and me. Basically, the government mandated the creation of ultra secure OS's, network components, and database components. It got them. Then, it reversed the trend and said, "1. File some paperwork. 2. Meet the minimum. 3. Profit." The Underwear Gnomes must have been in the software business selling to the government... :)
Yes, the NSA screwed us up totally. They didn't even have to mandate secure software. Just increasing the bar on structure, security features, etc. would have made most offerings much better. What if gov.'t said it would stop buying x86-based solutions five years from now (and meant it)? All those x86 shortcomings would fade as we'd see PPC, ARM and MIPS solutions popping up left and right. We'd even see Microsoft port Windows to stuff like that.
No, the NSA/DOD has failed us by instead allowing low assurance components to be used for high assurance jobs. That's on top of killing the high assurance market. If the trend is to reverse, they must lead the way. If not, it will take a wealthy philanthropist to push all the "selfless acts of security" that might turn this trend around a bit. Not looking good either way.
What percentage of U.S. Police Informants are Criminal Hackers?
So, the implication is either:
1. No other countries are interested in infiltrating the criminal networks
2. The remaining 75% are personnel from other agencies.
I call FUD on the whole statistic. Perhaps 25% in the locations they know of...
With regards the 'Corley comment to the Guardian',
"Owing to the harsh penalties involved and the relative inexperience with the law that many hackers have, they are rather susceptible to intimidation," Corley told the Guardian.
The FEDS have a proven track record of getting longer-than-life sentences with the various racketeering laws, partly because the sentence per crime might be low (say 14 days) but when they can treat each individual card number as one crime you are looking at 38 years for just a thousand CC numbers; even with "bulk discounting" and parole they are still looking at sentences as long as they have already lived...
However they might not realise what being "owned by the man" for the rest of their lives is going to do to them. After all zoo animals tend to live longer healthier lives than their relatives on the plains of Africa etc.
Also I suspect that the "cushy deals", if they have not already stopped, will fairly soon stop for carders, because many are actually unskilled and only of use short term. Look at it this way: how many informants are going to be of use a year down the road?
The FEDS are only really going to be interested in taking the "technical enablers" long term, because they have rare and very marketable skills, and once off the market their tools rapidly age.
But even the "technical enablers" are going to find it tough in future times, as you don't need that many "cyber weapons developers" to stay ahead of the game.
Also I suspect that "carders" are on the way out: the money in it is dropping faster than a brick chucked off the Eiffel Tower (or Empire State Building if you prefer) and the risks are rising very quickly.
The smart criminals have moved on to other income streams, and the really smart botnet operators are starting to realise the potential of APT for "insider dealing" and good old fashioned espionage / blackmail for information that can be much more safely capitalised on.
@ Nick P,
"... this blog needs an email notification system."
Err no, I've suffered from a couple of those on other blogs; you'd be better off taking an RSS feed and filtering it.
What I do on this blog is take a quick "find" look at the "100 latest comments", provided the poster puts my name in it I find it and reply. If they don't put my name in it then I might find it on a quiet day otherwise not.
17.345346 percent of statistics are made up, including this one.
Even if the FBI believes that statistic, what it actually means is: over 25% of the hackers that the FBI knows about are moles.
Personally, I'm more worried about the hackers who're good enough that the FBI hasn't detected them.
@ Nick P:
Sorry for the misunderstanding: I was *agreeing* with you that the figure was unprovable (and probably high, I should have said that), but that surely *some* are, whether it's 1% or 5% or whatever. And if this FUD intimidates crooks, good.
Twice, my own credit card co. has called and notified me that my account has been canceled and replaced with a new # due to a major breach. (Once, after it had already been declined. Good thing I had cash with me, or I'd have been washing dishes. Memo to self back then: Never leave home without *two* different cards.) But no arrests, no publicity. Perhaps it was kept quiet in the hopes that anyone who bought the now-blacklisted numbers and tried to use them would be nabbed? IIRC, it was about 20k card #s once and 30k the second time. (I suffered no loss. Props to the card co.)
Agree that Abagnale was not a good analogy: He did prison time, then *openly* went to work for LE, banks, etc. Just saying that the plea-bargain, work-for-us concept, and the honeypot concept, are "credible" (pardon the pun). And the old saying, "Set a thief to catch a thief." (mid-1600s British, US-ized to "It takes a thief to catch a thief".)
And LOL at the hooker getting hooked - but since when do hookers take checks? (I wouldn't know.) He was lucky her pimp or whatever didn't find him and beat the **** out of him.
Maybe the real ones operate on other IRC channels and use a different internal language?
How do you know how many bad guys there are there out there?
25% of lemmings are FBI informants. As long as lemmings are what *we* identify as lemmings.
It's a bit like numerology. If you try hard enough, you can make anything fit your preconceptions however laughable they are to the rest of the world.
O/T @ Nick P. (thanks for HA reply) and Clive Robinson:
(Nick) "...this blog needs an email notification system."
Or it could change from a blog format to a PHPbb-type forum, with a new thread for each post, but that's much more unwieldy, more work to administer, and for notification, would require registration, password, etc., which puts a bit of a crimp on the one-time or infrequent (legit) commenter. (and I could be arrested for sharing my pw!)
(Clive) "Err no, I've suffered from a couple of those on other blogs; you'd be better off taking an RSS feed and filtering it. What I do on this blog is take a quick "find" look at the "100 latest comments", provided the poster puts my name in it I find it and reply."
When I'm here, I just check the last few days of threads in which I've commented, which isn't by any means all of them, do a browser "find" for my name, and keep hitting "next" until done. Takes about 5 seconds per thread to find any "@ tommy".
But that doesn't address the issue that there's a limit to how far to go back, and the reply to Nick P. was at a six-day-old thread; hence the O/T heads-up here. If anyone has a better idea on how to alert someone that you've replied to their comment of a few days ago, other than my O/T which was part of an on-topic reply anyway, well, surely there's enough brainpower here...
Most of this stuff becomes old news soon anyway, or it's been discussed to death, or it's updated (RSA, e. g.), but Clive and Nick pointed me to papers that deserved more than a cursory read, and I wanted to reply. Ideas, without flooding the e-mail inbox?
@Bahggy "Perhaps 25% in the locations they know of..."
What? You mean they don't have any informers in locations they don't know about! Why aren't they addressing this immediately? They should be prioritising the recruitment of new snitches in the locations.they.don't.know.about.
Welcome to the internet, where all the guys are pervs and all the 13-year-old girls are FBI agents...
"the realy smart botnet operators are starting to realise the potential of APT for "insider dealing" and good old fashioned espionage / blackmail for information that can be much more safely capatalised on."
Absolutely. Carding is just a fast road to jail if done in large enough amounts (as the Kingpin book proves), and not profitable enough if done small enough to stay under the radar (although it can be used to bootstrap your way up to better things.)
Still, the last risk analysis I read was identity theft in general was a 1 in 700 probability of getting caught. Those odds are a LOT better than moving physical drugs. Especially since the Feds won't investigate any case less than $50-100K in losses - it just isn't worth their time.
But generally, stealing highly valuable information and selling it to someone who is willing to pay large for it is the safest and most profitable endeavor for hackers. But it's also the hardest, since you have to 1) break into somewhat more secure facilities, 2) find a buyer, and 3) get the funds in a secure manner (always the big problem in any criminal endeavor.)
As for the percentage of hackers being informants, it is well known in prison that just about everyone these days is an informant to one degree or another. The constant lament is that there are no "stand up guys" any more.
Standard joke in prison is: 4 guys in a cell talking, one guy leaves. The others say, "Hey, you know he's a rat." Second guy leaves. The others say, "Hey, you know he's a rat." Third guy leaves. The remaining guy says, "Lousy rat. Now I better go tell the guards what's up."
Not being in the criminal subculture and being an anarchist to boot, I never ratted on anyone for anything. I had a cellie once who when asked about me told the guy, "He couldn't care less if you murdered a guy in front of him." Which was true - I didn't care about anyone's business.
The reality of Federal prosecution is that their conviction is so high because they use extortion as their basic tactic. Grab someone low on the totem pole, threaten them with twenty-five to life if they don't rat - then wait for them to rat. Which they will. Then use that to get the next guy up the chain.
The smart criminals rat out the others first to get a deal with no jail time. That way they avoid getting ratted out on and also avoid getting shanked in prison when someone finds out they ratted.
I knew a drug chemist who refused to rat out the others in the group. But the leader of the group was a repeat drug offender. He ratted out everyone, got off with a few months. The chemist ended up being threatened with 25 years, under the theory that he was the "prime enabler", being the technical guy. Which was a joke all around. He'd never done anything criminal before.
Reading Kingpin was a laugh. The level of stupidity of the average carder/hacker is just astounding. The number of stupid mistakes/decisions made is mind-boggling.
@Clive @Nick P " be better taking an RSS feed "
nah. This blog needs a wiki and a white board.
So if the feebies KNOW they've got 25% of hackers as snitches then they know exactly how many there are. Good for them! Glad to know they aren't wasting my tax dollars. Now if they could only fix their damn case management system. Or even get it to work.
I don't buy it.
BTW - for all the children in the house working as a snitch is not fun. THEY are righteous, good and clean. YOU are a distended piece of rectum who turned on your own slimy kind and they'll remind you of it every day. And it doesn't pay much. Work for the Feebies and all your so called skillz you take so much pride in will mean jack. Ask Abagnale. It took decades for him to move from tool to collaborator.
@Nick & Bob: I agree that it is a difficult statistic to prove, but that's because the number fluctuates depending on where one is. Logistics still matter. The percentage of informants is very likely a lot higher in NYC or New England (what's NEW, "pussycats"?) than it is in, say, Romania. The issue is global, but the FBI's version of it is local.
This is a PR number, designed for a specific effect. Possibly somebody wants a budget increased or a promotion facilitated.
This also means the number itself is at best hot air.
Good point. The old adage is "If you're a good hacker, everyone knows who you are. If you're a GREAT hacker, no one knows who you are!"
92.8% of the numbers are made up ("NOMA")
@ Nick P. / Clive / tommy / Bruce
As the blog is powered by Movable Type for now, it may be worth while looking into several patches that have been released, apparently following the PBS breach. See http://techcrunch.com/2011/06/09/... .
@ BF Skinner,
"nah. This blog needs a wiki and a white board."
They would make nice additions but...
There are administration and security concerns over and above that of resources.
A nice first step would be to allow people to upload a small-sized graphics file within a comment, rather than providing a link (which destroys their anonymity), possibly with the ability to do "overlays" etc. The problem is they would need to be "visually moderated", otherwise the moronic minority will find ways of putting up questionable material hidden within.
I do like the idea of a wiki, they can be set up such that they only need partial moderation.
Put simply, you generate a random public / private self-signed certificate to sign your posts/edits with and send it with your post or edit.
The moderator checks all unsigned posts / edits, but builds up a track record against a particular signature. As the moderator gains confidence in the poster using that signature they need to moderate their comments less and less. If a user abuses the trust or makes a questionable comment the moderator can knock their trust level back down again; thus occasional transgressions (which will happen) can be dealt with in a less offensive manner than other methods (like three strikes and out etc).
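The signed-post scheme Clive describes above, as an added example in Go that is not part of this blog or of any commenter's code. It stands in an Ed25519 keypair from Go's standard library for the "self-signed certificate", and the wire format (SignedPost), the thread-bound digest, the key fingerprint, the trust threshold and the names Poster, Moderator, Submit, Approve and Penalise are all this example's own assumptions. A post with no signature, a malformed key, a tampered body or a signature lifted from another thread fails verification and goes to the moderation queue like any anonymous comment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedPost is the hypothetical wire format: the comment, the thread it was
// posted to, the poster's self-generated public key and a signature over both.
type SignedPost struct {
	Thread    string
	Body      string
	PubKey    ed25519.PublicKey
	Signature []byte
}

// Poster holds a freshly generated Ed25519 keypair. Nothing links the key to
// a real identity; it only lets the same pseudonym be recognised next time.
type Poster struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPoster() (*Poster, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Poster{pub: pub, priv: priv}, nil
}

// postDigest binds thread and body under a domain-separation tag, so a
// signature cannot be replayed into another thread or reused as anything
// other than a blog comment.
func postDigest(thread, body string) []byte {
	h := sha256.New()
	h.Write([]byte("blog-comment-v1\x00"))
	h.Write([]byte(thread))
	h.Write([]byte{0})
	h.Write([]byte(body))
	return h.Sum(nil)
}

func (p *Poster) Sign(thread, body string) SignedPost {
	return SignedPost{
		Thread:    thread,
		Body:      body,
		PubKey:    p.pub,
		Signature: ed25519.Sign(p.priv, postDigest(thread, body)),
	}
}

// Fingerprint is the moderator's handle for a pseudonymous key.
func Fingerprint(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:8])
}

// Moderator keeps a per-key track record and an auto-publish threshold.
type Moderator struct {
	trust     map[string]int
	threshold int
}

func NewModerator(threshold int) *Moderator {
	return &Moderator{trust: map[string]int{}, threshold: threshold}
}

// Verify reports whether the post carries a valid signature from its own key.
// A missing or malformed key or signature makes the post anonymous.
func (m *Moderator) Verify(p SignedPost) bool {
	if len(p.PubKey) != ed25519.PublicKeySize || len(p.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(p.PubKey, postDigest(p.Thread, p.Body), p.Signature)
}

// Submit returns whether the post may skip the moderation queue, plus the
// fingerprint the moderator will later Approve or Penalise.
func (m *Moderator) Submit(p SignedPost) (autoPublish bool, fp string) {
	if !m.Verify(p) {
		return false, "" // unsigned or tampered: always queued
	}
	fp = Fingerprint(p.PubKey)
	return m.trust[fp] >= m.threshold, fp
}

// Approve is called after a human has reviewed a queued post and found it fine.
func (m *Moderator) Approve(fp string) { m.trust[fp]++ }

// Penalise knocks the trust level back down after a transgression.
func (m *Moderator) Penalise(fp string) { m.trust[fp] = 0 }

func main() {
	poster, err := NewPoster()
	if err != nil {
		panic(err)
	}
	mod := NewModerator(3)
	ok, fp := mod.Submit(poster.Sign("informants-2011", "first comment"))
	fmt.Printf("key %s auto-publish=%v\n", fp, ok)
	for i := 0; i < 3; i++ {
		mod.Approve(fp)
	}
	ok, _ = mod.Submit(poster.Sign("informants-2011", "fourth comment"))
	fmt.Printf("after three approvals auto-publish=%v\n", ok)
}
```

The threshold and the reset-to-zero penalty are policy knobs; the point of the design is that trust attaches to a key the poster generated themselves, so no registration or e-mail address is needed and a lost key simply means starting again as a newcomer.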
The main news is the government are blackmailing offenders into becoming informants.
It is a sad state of affairs when a government can only get information in this way.
It is the same mentality that the government have in torturing people to surrender information against their will.
Obama has now banned torture, perhaps blackmailing offenders into becoming informants should be banned too.
Immunity for information isn't justice, and justice should be seen to be done.
Also torture isn't justice either, and what you end up with is information that is forced, and not accurate or reliable.
Trying to get actionable intelligence with these methods is like trying to get blood out of stone, and is largely a waste of human resources, time and money.
Nick P: While I agree the number has to be made up, and is impossible to prove, you wrote (of carders) "There's simply not enough evidence present in actual case studies of those caught to presume 1/4 (or near that) are working with law enforcement".
I can't speak to the carder scene, but if you paid attention to the 2008 RNC and surrounding events, you know there were numerous informants and undercover officers in the various anarchist groups wreaking havoc back then - nowhere near a quarter, to be sure, but a goodly number. Yet as far as I recall only two or maybe three such were ever directly cited in the legal proceedings; the vast majority were apparently just there to provide situational awareness to law enforcement.
I suspect the carder scene is quite similar - full of informants whose primary task is not gathering evidence for prosecution, but providing situational awareness regarding the latest tools and tricks of the trade, potentially exploitable gossip, et cetera. Less "John Quincy Doe, DOB 1/2/94, claims in IRC logs (see attached) to have carried out the breach of SuperMegaBankCorp on Friday the 13th..." and more "Max_Kool is trying to impress chicks by saying he and Gunnar are getting six ounces of AK47 each to code a new iPod/iPad data-mining tool for Teddy Ruxpin, but there are rumours the real work is being done by Jean Nguyen."
@Andrew " the government are blackmailing offenders into becoming informants"
_OFFENDERS_. I really don't have a problem with it. There are two ways to penetrate any organization. Plant an asset, join up, or turn one already inside.
Are they going to come forward and say "I am a part of something extremely troubling and want to help the forces of good vanquish them."
It happens. Rarely, I think. Maybe with questionable motives "Hey officer. I think that guy over there is dealing drugs and stuff." (He's gone now move the sht)
And snitches can compromise the LE, 'let 'em deal drugs if we can catch the killers.'
But the thing is if you knew someone committed a serious crime. Would you report them to the police or wouldn't you? Some would say we have a duty to society to report bad people to the authorities.
Lamo is reported to have turned Manning in. Was he an LE asset or concerned citizen? Only he and his handler would know. I'll give him the benefit until more comes out.
i like the wiki idea because i keep getting frustrated when we start tracking a particular line of thought across dozens of posts where the circumstance is different but the issue is the same. It violates my sense of order.
THIS JUST IN:
"In latest attack, hackers steal Citibank card data" (55 mins ago)
"NEW YORK (AP) — About 200,000 Citibank credit card customers in North America have had their names, account numbers and email addresses stolen by hackers who broke into Citi's online account site.
Citigroup Inc. said it discovered that account information for about 1 percent of its credit card customers had been viewed by hackers. Citi has more than 21 million credit card customers in North America, according to its 2010 annual report. The New York-based bank, which discovered the problem during routine monitoring, didn't say exactly how many accounts were breached. Citi said it was contacting those customers.
The bank said hackers weren't able to gain access to social security numbers, birth dates, card expiration dates or card security codes. That kind of information often leads to identity theft, where cyber criminals empty out bank accounts and apply for multiple credit cards. That can debilitate the finances and credit of victims. Citi customers could still be vulnerable other problems. Details about their bank accounts and financial information linked to them could be acquired using the email information and account numbers hackers stole.
Federal regulators have taken notice and are asking banks to improve security. .... (etc.)"
Now that the cow is gone, lock the barn...
One possible solution, for local, not online, use: click my sig.
That link is gone and the Wayback Machine doesn't have it either. Got a live link?
@ Clive Robinson:
"A nice first step would be to allow people to upload a small sized graphics file within a comment, rather than providing a link (which destroys their anonymity),...."
I don't understand how that would notify you that I responded to your comment on a six-day old thread. What exactly is in this graphic?
"possably with the ability to do "overlays" etc. "
If I'm understanding you correctly, you're talking about the same technique used in clickjacking attacks: To overlay an "innocent" graphic ("Play Whack-a-Mole") that covers a link or button, "Install our spyware or botnetware". Fortunately, NoScript generates warnings of all such overlays by default, blocks them, and generates a report number that can be sent to the developer and/or posted at the support forum. I'd hate to see all of those alarms going off when 20 or 30 people upload their overlay graphics.
The Cringely post is right on. Matter of fact, tommy and I were just discussing another angle: the NSA and US government *were* promoting ultra-secure systems, then intentionally subverted all of it. They also classify high assurance operating systems and network components as munitions subject to export control. This (in part) caused the cancellation of two A1-class designs because most prospective customers were overseas and the companies couldn't get back their huge investment without those sales. Effectively, the government tries to destroy anything that undermines their control, from civil rights groups to bulletproof OS's.
If you're interested, Bell published an addendum that gives specifics about how gov.'t got the high assurance market started, then killed it, and continues to kill it. It also has recommendations for reversing the trend. It's a great paper.
Looking back: Addendum by Bell
In Addendum: "Microsoft was unable to find an entire video game hidden in Excel before release."
B.F. Skinner: "But the thing is if you knew someone committed a serious crime. Would you report them to the police or wouldn't you? Some would say we have a duty to society to report bad people to the authorities."
The question is: who are the bad people? Are drug users bad people? Are whistle-blowers?
"Lamo is reported to have turned Manning in. Was he an LE asset or concerned citizen?"
Or was he a publicity-seeking asshole, as Glenn Greenwald and others charge?
"Only he and his handler would know. I'll give him the benefit until more comes out."
I won't. He was incorrect to do it IMHO. Whatever Manning's motivations, he did the same thing Daniel Ellsberg did: expose government misbehavior.
Take the Sibel Edmonds case. She went to great lengths to reveal evidence of espionage in the FBI translation department as well as of treason at the highest levels of the US government. In return, she was fired and then gagged from ever speaking about what she knew. She is the very epitome of what you refer to as a "concerned citizen", far more so than Lamo. But the government of two administrations of both parties has gone to great lengths to cover up everything she discovered and infringed on her civil rights. Is she a bad person?
The issue of using informants goes deeper than whether they are effective in increasing conviction rates. It involves the issue of whether those conviction rates are of actual criminals or merely people trapped by the state in a no-win situation just because they know the wrong person and the state machine needs convictions to justify careers and budgets.
Back in the '90's, the US Bureau of Prisons changed the inmate classification system to generate more high security inmates, and then flood them into the existing penitentiaries (with the concomitant increase in risk of harm to those lower classified inmates). The purpose was to then approach Congress for a larger budget by claiming there weren't enough penitentiaries to handle the load.
This is how the US government actually works rather than the fiction most citizens labor under about how it works.
Speaking of whistle blowers, another of Obama's egregious attempts to prosecute whistle-blowers is falling apart:
Feds Ridiculous Prosecution Of Whistleblower Thomas Drake Falling Apart
On A New Schneier Forum
"Or it could change from a blog format to a PHPbb-type forum, with a new thread for each post, but that's much more unwieldy, more work to administer, and for notification, would require registration, password, etc., which puts a bit of a crimp on the one-time or infrequent (legit) commenter. (and I could be arrested for sharing my pw!)"
A thread-based model would be ideal. It doesn't have to work like that. We could offer registration for regulars who want authenticity to their posts without having to PGP-sign every post to Schneier blog. Anyone else would post under whatever name they want, with the system flagging them as a guest. Additionally, I could see the display being tree-like like Slashdot's.
The system could even do email notification without registration. Currently, a post is submitted with a required name and optional email. That can be reused in the next system. In my scheme, the system would only send an email notification if someone responded to your actual posts. Responses to the conversation and other responses wouldn't cause email notifications, although there could be an option for that. Each reply to someone's comment would have a box with these options: "don't notify me if someone replies" (default); "notify me if someone replies to my posts"; "notify me if someone replies to the thread." Each email notification would have a link for unsubscribing. What do you think?
@ tommy on other post
"Just saying that the plea-bargain, work-for-us concept, and the honeypot concept, are "credible" (pardon the pun)."
Thanks for clarification. I definitely agree. I'm sure there are plenty out there. I was just arguing with the numbers and bullshit stats in general. I guess we're on the same page, then.
"And LOL at the hooker getting hooked - but since when do hookers take checks? (I wouldn't know.)"
lol course you don't know. Yeah, that surprised me too. It might have been fictional. But, it's also conceivable because he was a convincing pilot. Pilots make plenty of money, their payroll checks rarely bounce, and it was the hotel or whatever that was cashing it, not a bank. Maybe it's just too hard to turn down a $1,000 "sure thing," as she probably thought it was. Of course, it probably didn't bounce... ;)
@ Nick P. @ Bill Swift:
Nick, using your new link to Bell's Addendum, going through Google, causes good old NoScript to throw a redirection warning and block. The link you gave me still works fine, as of a minute ago:
And yes, wholeheartedly recommend.
@ Nick re: notifications: I learned only a few weeks ago from Moderator that for various reasons, I'm second only to Clive in tripping auto-filters, and that by consistently including a not-for-publication e-mail address, which I now do, there is indeed a trust model that grows with successive good-faith posts. (Mine may not all be brilliant, but at least they're in good faith.:)
I like that your model doesn't even require registration. I have been at other places where there is no authentication of users posting, and the number of posts forging the name of a known commenter were very few. And usually very noticeable to the community, because we each have our own unique style. (I know a Clive post by the first sentence ... :). And promptly deleted.
But to make yours work where we receive only responses to *our own* comments - I don't want to be flooded with 50-100 comment notifications a day -- the sw has to look for an agreed-upon syntax, e. g., the usual "@ Nick P." or "@Nick P." (I've seen commenters use the space after @, and not.), and preferably not be case-sensitive. And be a *little* fuzzy, in case someone writes "@ Nick P" without the period for last initial. And this syntax should be clearly presented to new visitors, just as the request not to use "anonymous". These all seem easy enough to do. I like it!
@ tommy on Bruce's next blog ;)
"I have been at other places where there is no authentication of users posting, and the number of posts forging the name of a known commenter were very few. And usually very noticeable to the community, because we each have our own unique style. (I know a Clive post by the first sentence ... :). And promptly deleted."
Exactly. It's why a no registration scheme could work.
"...the sw has to look for an agreed-upon syntax..."
I think I didn't explain my concept well earlier. I was looking into using an online interface that visually shows the different conversations going on and lets you expand or collapse them. Check this Slashdot post's comments for an example of this style, although I don't like the UI:
See how it's hierarchical? It's basically a visual tree structure where each post contains an indented listing of replies to it. You can also reply to individual posters in a way where it's visually obvious you're replying to them. This structure also makes selective notifications easier.
Now, let's say Bruce largely wanted to keep his blog the same (sigh). Well, there are two other things that come to mind. One is adding a little reply link on the end of the "posted by" line. Clicking this would start the "post a comment" form going by automatically adding this at the beginning of the line: "@ tommy at June 9, 2011 10:43PM." The user would type their message and enter the other info (e.g. name). When they finally click submit, two things will happen.
First, the page would update in a way that lets you create a link that goes directly to the new post. This already occurs in Movable Type, as you can see in the URL bar something like "#comment-549201". As soon as the comment is posted, a notification is sent to the person the comment is replying to with a link directly to that comment.
Second, the use of these comment identifiers also allows one more trick I'm thinking about: the automatically generated "@ tommy...." line will become a link to the previous comment. The one the new post is replying to. So, if someone was dropping a 10 page essay (*cough* Clive *cough*) and needed a quick rehash of what they said, they could just click that link, go to their old comment, and then hit the browser's back button to go back to the recently posted reply. Is this making sense? (Can you tell I'm better at executing requirements than codifying them lol?)
The first feature can be implemented with little change to this product or its interface. The second might look cluttery and be found unacceptable by Bruce. I mean, it seems many people pick Movable Type in part for its clean style, which I'm trying to maintain. The first feature alone solves our main problem, though. So, any important conversation can continue to go on without us having to maintain records and do constant checks of old posts. In particular, Clive and I have some awesome design discussions going back a year or two that people might occasionally add to. Adding this functionality requires little modification to archives and can liven up old discussions when people find them Googling around.
@ Bruce Schneier or Moderator
Which version of Movable Type do you use? Open source edition or Pro? And what's the version number? I'm looking into prototyping an extension or plugin for an unobtrusive, low resource notification ability. I just need to know what I would be working with.
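A constructed sketch of the two mechanisms discussed above, the "@ Name" mention matching tommy describes (space or no space after @, case-insensitive, optional period after an initial) and the reply prefix plus per-reply notification routing Nick P. outlines. This is an added example, not code from the blog or from Movable Type; every name, e-mail address and preference value is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of the comment conventions used on this thread.
# Names, e-mail addresses and preferences below are hypothetical.


@dataclass
class Comment:
    cid: int                      # Movable Type style id, rendered as "#comment-<cid>"
    author: str
    text: str
    email: Optional[str] = None   # not-for-publication address, as on the blog today
    notify: str = "none"          # "none" (default) | "replies" | "thread"
    posted_at: str = ""


def _name_pattern(name: str) -> re.Pattern:
    """Regex for an '@ Name' mention of one known commenter.

    Accepts '@Name' and '@ Name', makes a trailing '.' on any name token
    optional (so 'Nick P' matches 'Nick P.'), ignores case, and stops at a
    word boundary so '@ Nick' alone does not match 'Nick P.'.
    """
    tokens = [re.escape(tok.rstrip(".")) + r"\.?" for tok in name.split()]
    return re.compile(r"@\s*" + r"\s+".join(tokens) + r"(?![A-Za-z0-9])", re.IGNORECASE)


def find_mentions(text: str, known_names: List[str]) -> List[str]:
    """Canonical names of known commenters addressed with '@', in order of appearance.

    Longer names are matched first and their span blanked out, so a known
    'Clive Robinson' is not also reported as a bare 'Clive'.
    """
    work = text
    hits = []
    for name in sorted(known_names, key=len, reverse=True):
        pat = _name_pattern(name)
        m = pat.search(work)
        if m:
            hits.append((m.start(), name))
            work = pat.sub(lambda mm: " " * len(mm.group(0)), work)
    return [name for _, name in sorted(hits)]


def reply_prefix(target: Comment) -> str:
    """Line a 'reply' link would pre-fill, carrying the anchor of the comment replied to."""
    return f"@ {target.author} at {target.posted_at} (#comment-{target.cid})"


def route_notifications(new: Comment, thread: List[Comment]) -> Dict[str, str]:
    """Decide who is e-mailed about a new comment; returns {author: email}.

    'replies' means only when the new comment addresses you with '@ Name',
    'thread' means every new comment. Authors with no e-mail, the default
    'none', and the commenter themselves are skipped. A commenter's most
    recent comment sets their preference (constructed rule).
    """
    by_author: Dict[str, Comment] = {}
    for c in thread:
        by_author[c.author] = c
    mentioned = set(find_mentions(new.text, list(by_author)))
    out: Dict[str, str] = {}
    for author, c in by_author.items():
        if author == new.author or not c.email:
            continue
        if c.notify == "thread" or (c.notify == "replies" and author in mentioned):
            out[author] = c.email
    return out


# Constructed thread: four earlier comments and one new reply by "tommy".
THREAD = [
    Comment(1, "Clive Robinson", "I actually prefer the linear time line.",
            "clive@example.invalid", "thread", "June 9, 2011 4:01 AM"),
    Comment(2, "Nick P.", "A thread-based model would be ideal.",
            "nickp@example.invalid", "replies", "June 9, 2011 10:43 PM"),
    Comment(3, "tommy", "@ Nick P. @ Bill Swift: I like that your model ...",
            "tommy@example.invalid", "thread", "June 10, 2011 12:30 AM"),
    Comment(4, "BF Skinner", "I like the wiki idea.",
            None, "replies", "June 10, 2011 1:00 AM"),
]
NEW_COMMENT = Comment(5, "tommy", "@nick p @ BF Skinner\nLove it! For all the reasons you said.",
                      "tommy@example.invalid", "thread", "June 10, 2011 1:12 AM")

if __name__ == "__main__":
    print(reply_prefix(THREAD[1]))
    print(route_notifications(NEW_COMMENT, THREAD))
```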
@ Clive at June 9, 2011 4:01 AM,
Hi, can you do me and the other readers a favour by putting the initial of your surname after 'Clive' (as long as it's not R ;) so that people don't confuse us as the same person.
@ Nick P:
Correct, I did not understand what you had in mind. Slashdot - meh. Gray font on gray bg. I had to do View > Page Style > No Style to turn it into blue on white just to read.
I'm familiar with boards in the hierarchical or tree structure. Even better, IMDb gives you your choice on the Message Boards:
View: thread | flat | inline | nest
Super! To each, his/her/its own! ... It only shows that way after you are logged in, but of course we don't need to have the login requirement. And we could still select to be notified of replies or not, with a checkbox.
"...let's say Bruce largely wanted to keep his blog the same ... One is adding a little reply link on the end of the "posted by" line."
Love it! For all the reasons and with all the functions you said. Traditional forums have "Reply" and "Reply with quote", in which the post you are replying to is already presented in your message-compose box, but I think that would require more full-on PHP-type stuff there, and isn't necessary. If you can do your simple link, that's a huge win.
But the second function would save us hunting for the quote among multiple comments by multiple posters, and multiple comments by the same poster.
Even if the second function is found to be too cluttery or whatever, the main feature would tremendously facilitate ongoing discussions, especially over time. If it truly can be implemented with little change, I say, go for it.
Question: I sometimes reply to several commenters in one post, rather than take up additional board space with four individual comments to four previous posters. (It also feels vaguely like flooding to do three or more all separately, although two isn't a problem.) Can your prototyping cleverness allow for this possibility? If not, perhaps it is indeed better to make individual replies to each previous poster.
Looking forward to the prototype, Schneier Blog Beta. And I know you won't let it suffer from feeping creaturitis, like http://news.yahoo.com, which now has a beta, http://beta.news.yahoo.com/. They've cluttered it up with "local" weather and stories of "local" interest, based on IP geolocation. Aside from the clutter, I'm glad they're wrong by a fair distance, on general principles, even though I read about the geolocation attack with 100m resolution.
"Can you tell I'm better at executing requirements than codifying them lol?"
Yes, but if you've ever watched the TV series "House, M. D.", I'd rather have a rude and abrasive, but genius, doctor who cured me than an incompetent, Marcus Welby-style doc whose bedside manner made me feel warm and fuzzy while I was slipping away ...
OTOH, House's patients usually have little choice, or deliberately seek him out. You have to sell your idea first (or explain it to those whose job it is to sell it). This post I'm replying to (now, where's that link button? ;) explained it very well. I would guess that you're like a lot of us -- brain runs faster than fingers can type, and sometimes, faster than mouth can move. In other words, get ahead of ourselves.
(Which is better than mouth moving faster than brain, which gets a lot of people in trouble.) And a self-deprecatory sense of humor is always nice. Cheers.
@ BF Skinner, Nick P
"I like the wiki idea because i keep getting frustrated when we start tracking a particular line of thought across dozens of posts where the circumstance is different but the issue is the same. It violates my sense of order."
Yup, that is one of the problems with technical blogs. Also there really are times, as Nick P notes, that you really grind out detail on an idea and as it does not generally have a thread of its own it's really O/T big style, and other commenters on topic posts can get lost in the middle (Sorry folks, we are doing just that on this thread 8(
"I don't understand how that would notify you that I responded to your comment on a six-day old thread."
Sorry, it wouldn't. I was talking about other additional features BF Skinner brought up (white board & wiki).
"What exactly is in this graphic 'possibly with the ability to do "overlays" etc.' If I'm understanding you correctly, you're talking about the same technique used in clickjacking attacks:"
Err, no, not intentionally.
If you think back to the way 8-bit games consoles used to use "sprite overlays" to reduce graphics bus bandwidth with updates to improve responsiveness, I was thinking in a similar way.
A bit of background: one of my bugbears is that HTML is not really "incremental" without one heck of a lot of work.
Take this blog page for instance. I may have downloaded it ten or twenty times in its entirety only to pick up maybe one extra network packet's worth of comments that are on the end.
It would be nice if my browser could send a "time last accessed" to the server and it only sent me the delta data since that time. It would cut bandwidth down a lot (which with mobile data networks is becoming an increasing concern).
The idea of graphic overlays was in the same vein, if I upload a complex flow chart or hardware block diagram onto the "white board" you might want to only add an arrow or simple comment to it, and you might or might not want to include some or all of the other previous posters annotations.
Using graphics only "transparent overlays" to the background graphic is perhaps the easiest and least bandwidth (and storage) way to do it.
However, as you indicated, it can, if done the wrong way, open up all sorts of problems.
@ The One And Only Clive Robinson:
Of course you're right to ask The Clive With No (Sur)name to distinguish himself, especially as "Clive" is a much-rarer given name for the US-born than for the UK/CW-born or parented.
However, you're on safe ground. The comment is perceptive and witty enough to be one of yours, but it's only two sentences, and the grammar and spelling are perfect. ;-D
(kidding! Your insights are far more important than such nits, and this isn't a forum on language skills, anyway. Have a pint on me, Mate. ;)
@ Clive Robinson, Sorry We Cross-Posted:
Thanks for the explanation. However, the brain cells in my gut are telling me that adding any sort of graphic upload capability is a huge increase in bandwidth, disk space, and potential malice. Many posters have linked to an image to illustrate their points, and that's easier, cheaper, and safer. I think flow charts of posts would be about as confusing as the present situation.
ChangeDetection.com will tell you when the page changes, but not eliminate unchanged data. I'll bet between you and Nick P., you could come up with that page add-on that lets you query for changes since the last access by that IP (since there isn't registration of user/pass).
@ tommy, Nick P,
I actually prefer the linear time line of top first, bottom last.
The problem with reply-to-comment can be seen on the likes of Brian Krebs's blog when viewed on a mobile. The indenting is very slight and when you have over 50 posts you effectively have to re-read the whole page to find the latest comments rather than just reading down from the last post you made.
This is especially true when a person is responding to two similar but different aspect posts (as I'm currently doing).
I like the look and feel of this blog considerably more than I do others, partly because it looks virtually the same irrespective of browser or platform, but also because it is logically intuitive.
I have major issues with many blogs that want you to enter / review / edit then post and have three or more buttons under the text entry box where you have to guess which order you have to press them to get it to post successfully. And worse, on some they effectively dump the comment you've made with some page about "you must..." that, as it refers back to the original post page, stops you using the back button.
Then perhaps the worst of the worst are those with "Word look-alike" editors that use a mixture of browser script and server-side functions "argh...." They just don't work properly except in a particular default browser with more holes than every ship on the ocean floor.
Oh, and one plea to all blog owners: dump the captchas unless they are fully "disabled user" compliant; most times you just can't see them well enough on a mobile phone screen or anything at or below 1024p/line res.
Bruce's current setup works even with the old 16-colour VGA screen on the old 486 motherboard & Knoppix live CD system I use for mooching around suspect sites looking for malware.
I guess British Intelligence won't be able to hack me out of the FBI carnivore/HAL 9000 and leave a nice Yorkshire Pudding recipe then? Wow. Bummer.
"Looking forward to the prototype, Schneier Blog Beta. And I know you won't let it suffer from feeping creaturitis"
Appreciate it. I might do it in a few months to a year. I'm kind of dedicated to a few major projects right now. Soon as I finish them, I'll do a design and maybe a prototype. It definitely won't be afflicted like those other sites you mentioned because I'm aiming for a somewhat secure design and minimalism is an important part of that.
@ Nick P.:
"... I'm aiming for a somewhat secure design and minimalism is an important part of that."
You mean, like when I said that my Windows folder was chopped by 95%, from 4 GB to 175 MB, and that a lot of MS patches are for files I no longer have? Yes, isn't it funny how bloat increases attack surface, and "one man's 'feature' is another man's exploit"?
"Use the minimum resources necessary to accomplish the desired tasks, and no more"... We are on the same page, my friend. Looking forward to it, whenever.
""one man's 'feature' is another man's exploit"? "
To further your point, Microsoft defended the continued existence of the Firewire DMA vulnerability by calling it a feature. It's *supposed* to bypass the security mechanisms for performance.
"Use the minimum resources necessary to accomplish the desired tasks, and no more"
It's a principle shared in Saltzer and Schroeder's landmark paper and DJB's qmail paper. Here's a recent architecture that takes these principles to the extreme you do to reduce attack surface:
Poly 2 Paradigm: A secure network service architecture
DJB Paper if you missed it
Small qualm with his paper: I think reducing privilege isn't a distraction. If we *all* did secure development, it would be a distraction. However, third party and legacy code, especially w/out source, might be very buggy. Privilege reduction and isolation technologies help to counter this issue.
@ Nick P.:
Glad I'm not alone in my extremism. ;)
".... Firewire DMA vulnerability by calling it a feature. It's *supposed* to bypass the security mechanisms for performance."
My whole machine would run a bit faster if it weren't running AV; I can measure a tiny drop in speed of WPA2 vs. an unencrypted network; occasionally, I get firewall alerts; sandboxing the browser added a couple of seconds to the time to get the PDFs to the desktop, where they were manually scanned, etc... We could get max speed by dropping *all* security, but what good is the performance boost when you're compromised? You've given the pwners a faster machine, I guess. (sigh)
I see that I have some more interesting reading, just as the new week starts. When digested, do I reply to you here, even if this thread is no longer on the home page, or give you an O/T shout at whatever the latest thread or your latest post is, as before?
(See? Your Schneier Beta *is* necessary and useful!) ... I'll watch this thread until I know where to reply. Have a great week.
Hmmm, and how many people *think* they're working for the FBI but they're working for some uber-scammers?
I've been checking this article regularly, so just reply here. Looking forward to it.
This is not a new tactic. It was also the premise of a very successful TV show in Canada called Intelligence that was cancelled after the second season allegedly because of political pressure (the DEA was portrayed as cowboy rogue cops operating in Canada with the sometimes willing acquiescence of Canadian politicians). The plot of the various episodes invariably intertwined bureaucratic needs for inside criminal information with cooperation of pressured criminals to allow a gray underworld of criminals operating with a certain degree of impunity so long as they continued to provide information on colleagues and rivals to the authorities. This actually is not far off the mark historically from my experience as a criminal defense attorney decades ago. In the pre-Internet world, informants were used by drug enforcement agencies to obtain information on criminal enterprises, with a turning of a blind eye seemingly to other activities. Not surprising the same tactic may be applied to criminal hackers today. The rub for law enforcement is that the tolerance of activities of such individuals can taint an otherwise legitimate prosecution if the facts can be discovered by competent criminal defense counsel and brought to light, so it can be a two-edged sword.
@ Nick P.:
Thanks. Sorry, but with MS Patch Tuesday, I have to vet all the individual patches for the machines that either I own or help friends with ("Just Say No" to Auto-Update, given past disasters), so running a little farther behind than usual. Surely by this weekend... Quick first-glance at Poly certainly indicates that they're people after my own heart: It's much harder to make code safe than it is just to get rid of it.
No worries. I'll patiently await the reply. Taking care with Patch Tuesday is definitely a wise idea. Just don't take too long: the patches themselves are an aid to black hats building exploits. Reminds me of a brilliant project in my archives...
Automatic Patch-based Exploit Generation
@ Nick P.:
No worries all around. I've long been aware of "Patch Tuesday" being followed by "Exploit Thursday", as black-hats reverse-engineer the patches to see what the vulns were. It's not surprising that someone managed to automate the process, thus shortening the safe harbor to hours vs. a day or two.
This is why that Tuesday is an ultra-high priority. I have the page bookmarked in advance; it's always
www dot microsoft.com/technet/security/bulletin/msYY-MMM.mspx
where YY = 2-digit year and MMM = three-letter abbreviation for month.
I don't particularly like things accessing the web in the background (I might be doing online banking, e. g.), so even auto-notification is off. Which means checking every couple of hours during the day, then when it's published, dropping everything else and doing the fine-toothed-comb bit on them.
My machines are always taken care of before retiring Tuesday night, and the family/friends are either also taken care of, or sent a quick heads-up, e. g., "Eight vulns in Excel this month. Don't open any except from the most trusted sources until we get the patch installed and verified." ... which is good advice anyway, but the rest of the family is non-tech. Unfortunately, that means some are still on IE, naive and not willing to change, greatly complicating and lengthening this task -- I'm ashamed to admit that I have a sibling who uses (pardon my language) AOL.
So they're all good to go not too late on Wednesday, at the latest, and have been given quick workarounds in the interim where possible. But this pushes everything else in life back by a day or two, so there's some catch-up to do.
Your links are invariably fascinating, and deserve much more than a fast read-through. I'd like to set aside time to read, digest, assimilate, and form some kind of intelligent response, rather than a hasty "Good article, thanks."
You're practically a one-man library of papers of great insight. Keep 'em coming, but not too fast. ;-D ... speaking of insight, the reply about Qubes to mashiara at the Android thread not only cut to the core, but reinforced what we've been discussing: putting a high-assurance OS on insecure foundations and hw is not a complete solution, and that we throw away the lessons that were learned decades ago.
btw, I doubt I've perused nearly as many tech blogs as you, but of the few I occasionally visit, I agree that this one has, overall, the highest-quality readership and discussions, and is at the top of the priority list for whatever time is available for such.
The papers are a top priority for this weekend, and I'm looking forward to them.
Take plenty of time. I personally haven't looked too much into the Poly2 architecture because I'm moving toward different approaches. I mainly posted that one for you. SecureCore is one I'm very excited about. I've been thinking of using an approach like that with a formally verified processor like VAMP or AAMP7G. Combined with extensive on-chip testing, this would provide an extremely assured base platform for many solutions.
"You're practically a one-man library of papers of great insight. Keep 'em coming, but not too fast. ;-D ..."
Yeah. I think I have all papers relevant to high assurance design from ACM and IEEE. Been collecting them for about a year or two. I'd have even more if I had a Springer-Link account. :( I think I'll wait for you to digest these, then I'll email you my Orange Book era paper collection. Interesting thing is they made lots of high assurance systems back then and posted many papers on them. Tools and techniques change, but plenty of tactics and wisdom remains the same.
I'll also give you some of my papers on recent solutions to many problems in security... solutions that haven't been implemented commercially in the mainstream. These two sets alone would give you great insight into the inadequacy of modern OS and web security approaches, especially with regard to covert channels.
"putting a high-assurance OS on insecure foundations and hw is not a complete solution, and that we throw away the lessons that were learned decades ago. "
Indeed. It's easiest to think about this stuff in terms of layers. In OSI or TCP/IP, also built in layers, each layer depends on layers below it to function properly. Systems security works the same way. If any layer below is insecure, then the security claims of layers that depend on them are invalidated. Secure systems might function from top down, but security is built in from the bottom up.
"I agree that this one has, overall, the highest-quality readership and discussions"
By far. That was the point I made to Joanna, who just made a blanket dismissal of blog comments as a source for useful information. Here's a nice comparison.
Blog topic: Researchers puzzle to understand how to relate these newly discovered gravitational effects with the nuclear and electromagnetic forces.
Slashdot comment: "Omg spooky stuff. Keep it coming. I like nachos."
Krebs on Security comment: "Very insightful article. You keep doing good investigations. I have nothing further to add to your discussion."
Clive Robinson comment here: "Looking at the research, it was obvious that (blah blah) was the explanation. I've further deduced the Unified Field Theory of physics from this work. It's further down in my comment."
No contest. :)
@ Nick P.:
"Secure systems might function from top down, but security is built in from the bottom up."
Plus, *any* chain is only as strong as its weakest link. Sad analogy: You build your high-assurance OS, with its tightly-locked kernel, with hypervisor supervision, on an ultra-secure CPU and other hw -- and then have to log on to an Internet structure full of holes - spoofed or stolen SSL/TLS certs; corrupt ISP or Net infrastructure employee, blah, blah, blah ... You at least keep your own machines from being compromised, but if you want them to talk to other machines from time to time ....
As we both know, the Internet as it exists today was never built for security (though they did an amazing job with reliability, for a new technology), because no one foresaw that the ability to connect to it would become commonplace in the majority of non-Third-World populations (and even some in those).
LOL at the "blog comparisons"! (I saw the gist of your "talk" with Joanna; hence, the comment.) But speaking as a strict logician (Aristotelian, not voltage-gated, lol), someone who *dismisses* an entire class or set of people without evaluating the merits of what's said has committed at least two classic errors in logic: hasty generalization ("I've seen useless comments at blogs" => "All blog comments are useless") and argumentum ad hominem in the plural ("This statement came from a blog commenter, not from a peer-reviewed research paper" => "It can't possibly have any merit".) To the logician, every statement stands on its own merits, regardless of who said it, or in what medium, etc.
btw, as this conversation continues and the thread is off the homepage (but into the bookmarks), that forum-like, thread-based model is sounding better and better, regardless of whether it's hierarchical or in the classic PHPbb forum, where you can have subfora about each category of topic, and lists of threads inside, which may or may not bump from a new comment, as the admin wishes. Looking forward to that, but for the moment, this otherwise-abandoned thread suits our purposes. Have a great weekend, and a happy Father's Day, if you have, or are, a father. Or even if not. ;)
"You at least keep your own machines from being compromised, but if you want them to talk to other machines from time to time .... "
A huge part of the problem. They standardize insecure ways of doing things. Got to work with what they give us just to interact with their systems. This is why things like cross-site scripting attacks and parasitic storage (google Volleystore paper) are on my radar.
"btw, as this conversation continues and the thread is off the homepage (but into the bookmarks), that forum-like, thread-based model is sounding better and better"
Yeah. I hate using my bookmarks for this stuff. No disrespect to Bruce, but it's kind of like our comment about bad standards forcing the security burden on users. The lack of a push feature in Movable Type increases the burden for users keeping up with conversations. Sighs..
"Have a great weekend, and a happy Father's Day, if you have, or are, a father. Or even if not. ;)"
You too my friend. Nicely done song, btw. I saw something on the site about misheard lyrics. I think my favorite of those was Nightwish's Wishmaster. Somebody redid the song with ridiculous lyrics and it still sounded right lol.
Nightwish Wishmaster Misheard Lyrics
@ Nick P.:
I've long been aware of the principle of least privilege; but off the top of my head, couldn't have attributed it to Saltzer's 1974 paper.
The Poly2 paper was both thoughtful and supportive of what I've been doing to try to tighten a COTS OS. (Win XP, although they cite vulns in FreeBSD and the Linux kernel, and confirm the consensus here at the blog that no readily-available OS is secure.)
" ... application-specific (minimized) OSs" - Mine is getting pretty close to that. Sometimes, I have to restore a file to run a one-time-only tool, then re-delete the file. What's there is what's necessary to boot to Windows with a fully-functional GUI and the minimum of required support functions, and to support the apps I use.
"Removal of all other services reduces the functionality of the system to a bare minimum".
Yep. All services not required have been disabled. A few are re-enabled on a per-need basis. Default start-up: 11 Windows core services; the rest are AV, firewall, browser sandboxing, wireless, printer and scanner (those two *could* be disabled until needed, but as local services, not accessible to WAN, no harm in running), and audio (could be disabled when not listening to music/video; I don't need the bells going off all the time; and the volume is off most of the time anyway.) So, 18 services start by default. How many on your machines?
"Often these services are overlooked or assumed to be required for stable operation of the system"
Case in point: msconfig tells you that RPC Locator service is "essential", yet it's never running, and things are fine. Go figure... (RPC itself is required.)
Glad they acknowledged "Psychological acceptability", since convenience usually trumps security.
"...the use of write-once and read-only media..."
I don't boot from Live CD or anything, but the sandbox tool renders the entire HD read-only to the app being sandboxed (usually, the browser), and much valuable, but infrequently-used, data, as well as both system backups and data backups, are stored on CD/DVD. This was originally for economy of HD footprint, but it's a good point that such things are much less vulnerable to attack or corruption than HD contents.
I can't afford a separate machine for each application, and doubt most people could, although some here have suggested having one machine used only for banking or other high-sensitivity activities, which is never otherwise online, and using another for the rest of normal browsing.
Separation of types of traffic is more applicable to an enterprise LAN than to a sole user like myself, but it's an interesting idea. If only those designated as Admins can access the LAN admin network, that's a huge gain for security of the rest, and shrinking of real attack surface -- the attacker has to compromise that particular network, which of course is strongly hardened, in order to attack the systems themselves, as opposed to being able to get any one worker to click on a malicious link or attachment, etc. The latter has no privilege to affect the system, only to use it per need.
"Internal communications authenticated and encrypted" - My WPA2 does that, even in using the remote (next room) printer/scanner, but I'll bet very few enterprises have implemented that. Once introduced, which shouldn't be too expensive, it seems the CPU and bandwidth costs would be small, for a large gain. No employee training needed, beyond the ever-vexing problem of lending or leaking of pw, pasting it under the keyboard, etc. Weak choices of pw could be automatically rejected, as some online banks are *finally* starting to do.
I like the two-person integrity controls for modifying security policy and enforcement, but companies will scream. So, just empower several qualified and vetted individuals with this authority. Now, an attacker has to break and impersonate two different persons instead of one.
"The goal is to minimize a general-purpose OS such that it supports only those specific services that are supposed to run on a system,"
For services that I *think* I'll never use, the support files are deleted, though not unregistered. Thus, if later the service is in fact needed, merely restoring the associated file(s) enables quick start of the service.
For the abhorrently dangerous (RDP, UP'nP), the reg keys are deleted also, so that they no longer even appear in the Services window. All backed up and catalogued, of course, so readily available if restoration is needed. An attacker obviously can't use these protocols to attack my setup, but if he gains access other ways and would like to enable them to create additional channels for future attacks, he's got a lot more work ahead of him than most attackers would likely suspect, no?
"A combination of ARP, IP, TCP, UDP, ICMP, and DNS is sufficient to provide the necessary network communication support. ... Additional areas in which protocol stripping will be useful include ARP and DNS. The physical addresses of all machines are known and do not need to be resolved dynamically"
Way ahead of you, guys. The DNS service was disabled and removed, as was ARP.exe and the ARP drivers, since my ISP does DNS lookups for me. The router keeps its own table of LAN clients without needing Windows components or services.
"An application binary and its dependencies are the only essential components for an application to execute on a system. ... All other code on the system is superfluous."
*Thank_You,_Sirs*, that is exactly what I've been aiming for. The rest of Sec. 4.2 is aimed at their single-application-server model, not directly applicable to my case. I have followed 1) and 2) by removing as many utilities and libraries as possible. The only chat client is AES-256 secured, and not normally running except when in use, on a VPN whose access I control, via both password and affirmative approval of any new users (rare). Windows Management Instrumentation (WMI/WBEM) has been removed, as the information provided does not seem to be missed. Some warn of disaster if you delete this. Didn't happen here.
%windir%\system32 currently has only 272 dll's, about a thousand less than originally, and other file types have been similarly cut. Especially ActiveX (.ocx), of which only *one* remains, and that one is needed for the simplified Win Media Player 6.4.
I'm not going to mess with system calls and library functions, but if they can implement their proposal, great. As far as kernel reduction, I've already found that I can do without ntkrpamp.exe, and in fact, I could cut ntkrnlpa.exe if it weren't for the fact that DEP requires it, and I like the additional defense-in-depth of DEP. Still, that's about a 25% reduction in kernel exe size.
I didn't run their complex Vulnerability Metrics formula, since my system is a single-user vs. large multi-user with their independent servers, etc. In terms of Total Lines Of Code in Sec. 5.1, I haven't counted the lines :), and doubt that the *number* of files cut is linear to number of files deleted, because many essential files - the 2MB kernel exes, e.g., are probably a lot larger than average. But footprint is a reasonable approximation of that, I think, and so shrinking the size of the Windows folder by about 95% should presumably cut the TLOC by something reasonably close to that.
Mitigation of Attacks: (Sec 5.2) Presumably, a Web-based exploit of any vulnerability cannot write outside of the browser's sandbox, which is emptied regularly. The only other Web-facing apps are the AV and firewall themselves. E-mails are read in plain text only; attachments are auto-scanned for viruses *before* d/l, and again before opening, along with Best Practices regarding unknown sources. If it's necessary to open an uncertain document, it too can be opened inside a sandbox, where malicious contents cannot write to the HD.
Sec. 6.1 Intrusion: The router and firewall prevent unsolicited inbounds and severely restrict outbounds, with UP'nP also disabled in the router. WAN pinging is prohibited, as is IDENT on Port 113. NoScript's ABE function prevents WAN requests from accessing/attacking LAN resources. The firewall opens no ports except as required for the browser for HTTP, HTTPS, etc., and only when internally requested. All ports are invisible to unsolicited outsiders.
Sec. 7.5: "Hardened OSs such as TrustedBSD, Security-Enhanced Linux (etc.) typically add new security mechanisms, replace existing modules with more secure ones, ... Although Poly has similar goals, the means of attaining them are not through addition of more software ... but by removing unnecessary software and functionality."
Right up my alley.
Thanks for the paper. The Qmail paper's response should come a little more quickly with all the Patch Tuesday stuff out of the way, and what looks like a fairly light week ahead, so far.
Nick, I don't see this approach and the various approaches you're taking as being XOR to each other. You've already come out in favor of minimalism for the Schneier Blog Beta, and surely that will be incorporated in your ultimate high-assurance system?
What do you think of what I've done in trying to harden a Swiss-cheese OTS system?
(Nick P.) "This is why things like cross-site scripting attacks ... are on my radar."
Nick, I think you really should take a new and exhaustive look into NoScript and the capabilities that have been added since you last looked, or may never have been aware of. NS prevents XSS attacks and many others by default, OOB, no user config or action required, *even if scripting itself is allowed globally*.
Thanks for the kind words on the song. My own favorite misheard lyric, which I myself misunderstood for many years, was from "Groovin' " by The Rascals.
Actual line, improperly stressed:
"Life would be ecstasy, you and me endlessly ... (groovin')".
The meter required them to stress "less" in "endlessly"; hence, it sounded like:
"Life would be ecstasy, you and me and Leslie... (groovin')"
Sounded like a kinky threesome to me, and inspired a parody on that exact premise.
I'm not familiar with the song and band you cite, but will check it out.
btw, as a trivial joke, took the original lyrics of Sinatra's "Strangers In The Night", scrambled the phonemes in each line, but kept them all there, and it came out readable and with some serendipitous funny lines, like
Glove was just a lance away
Oven for liver
I figured you'd like the paper. You were basically doing what they advocate. Yes, most of it is more for an enterprise environment, but it could be applied to a virtualized residential system using high assurance hypervisors and user-mode Linux VM's. However, over the past few years, I've been looking for ways to use physical isolation in residential or small business servers cheaply and securely. I actually found some ideas, the first being the Artigo.
For one, users don't usually care what's in the box they turn on and surf with. Maybe it's a single computer board connected to peripherals. Or, maybe it's about six embedded PC's wired with a secure communications switch and each connected to certain peripherals. ;)
So, I started with Artigo: $200-300, small PC with VIA Padlock processors. The chips are about as fast as Atoms, use 25 watts max, onboard true random number generator (my original motivation), onboard AES/SHA1/SHA256/RSA acceleration, and Intel VT support. After a little BIOS minimization and choice OS, those babies were perfect for decomposing COTS offerings with physical isolation. Just getting a KVM switch and an Artigo board for a banking appliance is about $400 and simple as hell to use. Ever consider embedded boards for this stuff?
Well, I was also looking at the separation kernels and the like. I needed military or aerospace grade, POWER architecture hardware before I'd think of trusting the hardware. But, the security enforcement (at my levels) would kill the performance of complex systems. Decomposing them onto several pieces of hardware would be nice, but space, energy, cost considerations were troubling. WHAT TO DO!?
How bout embedded, aerospace-style POWER boards on a PCI backplane? It's basically just a board that lets PCI devices talk to each other. So, instead of the current approach (32-core PC + virtualization), we just get some 1U or 2U PCI backplanes with 12 ports each and plug in 12 cards each, dividing functionality among them. Some might be secure POWER boards, some DirectX-enabled x86 boards, and some might just be for storage. Using about four or five different types of boards keeps both board and development costs down (thanks to specialization). Each would connect to an inline device that prevented unauthorized DMA access attempts. Devices could only communicate through a high assurance, message router card that enforced the security policy. Alternatively, we'd use regular PCI cards with a custom designed secure PCI backplane that basically acted as an IOMMU and message router. The high performance of PCI would let many types of applications and peripherals be used, but the security issues with interconnections would be gone.
For a home system, it might have a few boards in it. One is the master node that tells the PCI backplane the access/messaging rules. It also has the ability to start, shutdown, wipe or load software onto the other nodes. The other nodes will have at least one x86 board that can run Windows and regular apps. It might have another, cheaper, more secure board to do isolated web browsing or other apps on a Linux ABI. It might also have a medium/high assurance POWER board for trusted apps like banking and/or a board just for storage, allowing certain boards to be denied write access at certain times via master node mediation. It would all be in a box that looked like a PC and worked like a PC. They would access the UI of the master node with a button on the computer or a special key combination. So, the system is about four or five mass produced boards on top of the normal PC components. What you think? Could this work if marketed as a secure application platform? Be low cost?
"So, 18 services start by default. How many on your machines? "
I'm not even going to pretend that my minimization efforts compare. Right now, I do everything on a Linux box with AppArmor, NX, Firefox, and NoScript behind a carefully configured NAT router. I'm not too worried about most malware and script kiddies. ;) I keep moving my data to external storage. If anything happens on this machine, I just pop in a LiveCD, retrieve any remaining critical files, format the HD, install fresh, update everything, and reconfigure everything. The entire process is usually done way faster than an Acronis restore, so I stopped using that.
With my Windows boxes, I pretty much figure "security" is just delaying the inevitable. So, I do a clean install, update everything, apply what hardening/minimization I know, and backup with Acronis to external media. I'd use the system, applying updates as they came along (just restore if they screw things up), until the planned date where I did the real update, usually monthly or every 45 days. I'd then do the following:
1. Move any critical data to external storage.
2. Restore from the clean backup (using the boot disc!).
3. Do any updates and verification.
4. Clean up any extra garbage included.
5. Backup either incrementally or differentially using the boot disc.
5-1. Do a full backup instead after a certain number of incremental/differential backups have been done.
This strategy means, if problems are suspected, I'm one restore and data transfer away from a clean system. I like my current Linux approach better, though. ;)
"The only chat client is AES-256 secured"
Which one? An OTR-based solution?
"Nick, I don't see this approach and the various approaches you're taking as being XOR to each other. You've already come out in favor of minimalism for the Schneier Blog Beta, and surely that will be incorporated in your ultimate high-assurance system.?"
Yeah... sort of. The key difference is that they are trying to *contain* attacks with physical isolation and minimizing untrusted systems. My main line of research is about designs that *prevent* any compromises with "medium or high assurance/robustness." Some of these designs involve systems with plenty of features and code (see SCOMP or XTS-300). My minimalism means that only useful code is included and the system is designed in a modular and layered way that allows one to verify, before it's even run, that the system will always adhere to the security policy and is functionally correct. Of course, testing is used as well to cover what other things miss. So, the Poly2 approach shares similarities, but mine builds a "correct by construction" system from the ground up, starting at the hardware & OS.
Now, you may wonder why I praise Poly2's minimizations, then promote building apps on top of high assurance platforms with extra, unneeded functionality. This is paradoxical, but not contradictory. The effort needed to produce an EAL6/7 system, including showing it hasn't been subverted during development, is tremendous. For real assurance, even the compilation phases must be mapped from source down to assembler (DO-178B certification requires this). This is a very manual process that ensures nothing sneaky is added, nothing critical is removed, and compiler optimizations don't invalidate the security policy. If you had a perfect piece of source code, could you really be sure it will be just as secure after you arbitrarily remove something and run it through GCC? Nope.
So, for certain high assurance designs, we try to get the requirements right ahead of time because, once we get that signed binary library or source code set, changes require recertification to maintain trustworthiness. Building onto an unchanged certified platform allows us to ignore that layer when validating/certifying the new system. (Note: if the source code change is verified somehow, the CompCert compiler can be used to produce PPC or x86 object code. It's mathematically verified and has survived all testing. Amazing product. I plan to use it to fast track future implementations.)
"What do you think of what I've done in trying to harden a Swiss-cheese OTS system?"
I'm quite amazed at what you've done. My minimization efforts haven't come anywhere close. I figured it would take a mind-boggling amount of time to figure out what can safely be removed. You've actually bested CERIAS because their successes were on an open-source, well-understood, minimal UNIX operating system. Windows is a bloated, obfuscated mess of code. You really need to write a guide or a book on how you did that, what depended on what, what was totally useless, etc. Seriously. It could inspire similar efforts for Win7, Win8, Ubuntu, and MacOSX. Truly amazing work, tommy boy!
Btw, I just looked at your parody on the Rascals. That was freakin' great! I was listening to the original while I read it. I kept hearing it wrong even as I tried to hear it right. Terrific.
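As an added illustration of the "how many services start by default?" question above and the service-trimming described earlier, here is an audit script that is not from either commenter: it counts the auto-start Windows services and diffs them against a documented baseline, so a service that an update or an intruder re-enabled stands out. It assumes a PowerShell 3+ host (Get-CimInstance); the baseline list is a constructed placeholder, not a recommendation for any particular machine.

```powershell
# Added example: audit auto-start services against a hand-maintained baseline.
# The baseline below is constructed for illustration; replace it with the set
# of services you have deliberately decided to keep on your own system.
$Baseline = @(
    'Dhcp', 'Dnscache', 'EventLog', 'LanmanWorkstation', 'PlugPlay',
    'RpcSs', 'Schedule', 'Winmgmt', 'wuauserv'
)

# Win32_Service exposes StartMode ('Auto', 'Manual', 'Disabled'), the current
# State and the binary PathName, which is what we want to review.
$AutoStart = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' }

Write-Host ("{0} services are set to start automatically." -f @($AutoStart).Count)

# Drift in one direction: something auto-starts that the baseline never allowed.
$Unexpected = $AutoStart | Where-Object { $Baseline -notcontains $_.Name }
if ($Unexpected) {
    Write-Host "Auto-start services NOT in the baseline (review each one):"
    $Unexpected |
        Select-Object Name, DisplayName, State, PathName |
        Format-Table -AutoSize
} else {
    Write-Host "No auto-start services outside the baseline."
}

# Drift in the other direction: a baseline service is no longer auto-start,
# which means either the baseline is stale or something changed it.
$Missing = $Baseline | Where-Object { @($AutoStart).Name -notcontains $_ }
if ($Missing) {
    Write-Host ("Baseline services no longer set to auto-start: {0}" -f ($Missing -join ', '))
}
```

Run it once after a clean install to seed the baseline from the output, then again after each patch cycle; the two drift lists are what you compare between runs.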
@ Nick P.:
Wow, your comments are more complex and informative than some published .pdfs, and that is a compliment, *not* a complaint!
I got sidetracked with Volleystore, and skimmed that paper. Scary to think of people free-riding off of ICMP echo requests. I wonder if my favorite ping target for testing purposes, www.example.com, has received an increase of traffic from those attempting parasitic storage? Just when we think we have enough hurdles to overcome, someone comes up with a new one (sigh)... although their own solution was both simple and elegant: a simple change to the ICMP protocol that doesn't prevent the attack per se, but removes its benefit, by requiring the parasite to store one block of data locally for every block stored parasitically. This approach might be useful in other areas: don't prevent the attack, but require the attacker to use resources GEQ the benefit; i.e., make the attacker's ROI = 0 or negative. Wouldn't work where the gain is hundreds of thousands or millions of dollars, probably, but in some other areas, it's a clever approach that should be explored.
Pardon me while I have fun with words: "No gain, no pain". (No gain to the attacker = no pain to the defender.)
I also see that I have a huge discussion awaiting on the single-bank Live CD or VPN ideas, but would rather answer this, as it took me a long time to respond in the first place (to Poly2 paper).
"For one, users don't usually care whats in the box they turn on and surf with."
Nope. So long as the *user interface* is familiar, comfortable, and convenient, most couldn't care less, or even care to know, how it's done. So, have a free hand.
However, my first impression is that your excellent ideas would be difficult, if not impossible, to implement in laptops, where bulk and ventilation/cooling become more critical issues. No OEM laptop would accept the types of things you're proposing; when I asked my OEM about maybe upgrading to a faster CPU, they said that each mobo was custom-fit for a particular model of CPU, so couldn't change the processor without changing all the rest = buy a new machine. So instead, I bought a $40 1GB RAM stick for the second slot, which allowed me to disable swapping/paging to disk and get rid of pagefile.sys, esp. with useless services disabled. I read that for a CPU to read stuff that's been swapped to disk takes 40,000 times as long as to read stuff directly from RAM. I believe it. MFT lookup, head seek, etc. ... This cheap baby is as fast as a lot of more expensive machines.
Just out of curiosity, could your proposed hw be fit into a standard laptop-sized container, even if it had to be custom-built? Else, I'm afraid that many who need laptops for travel (try composing your next paper on a smart phone on board the plane, etc.) couldn’t use the embedded-boards approach, though the idea sounds great for desktops.
"we just get some 1U or 2U PCI backplanes with 12 ports each and plug in 12 cards each, dividing functionality among them. ... Each would connect to an inline device that prevented unauthorized DMA access attempts. Devices could only communicate through a high assurance, message router card that enforced the security policy..."
Isn't this along the same lines of some of Poly2, with your divided-functionality cards whose access is restricted, being sort of analogous to their single-app machines, on a three-tier network, with strict separation of access and privilege? Different (and simpler-sounding) approach that could fit in a single machine, vs. the Poly architecture requiring a complete enterprise system design. What I'm saying is, I like it. You and they have the same ideas of separation and isolation, but you're doing it in a single machine -- which, of course, could also be part of an enterprise LAN that uses the other principles to control access and communication among workstations on the network, as well as a single home machine.
"For a home system, it might have a few boards in it. ... at least one x86 board that can run Windows and regular apps." ... Running Windows and regular apps is a major win for the Average Home User (AHU) -- I'd say, practically a requirement.
"They would access the UI of the master node with a button on the computer or a special key combination."
We may be getting beyond the means or desire of AHUs here. Better to have a standard Windows-type GUI with a conspicuous desktop and Start menu shortcut; "Secure Mode. Click here before doing online banking or other high-security browsing." Then if the GUI changes, they're not shocked.
"So, the system is about four or five mass produced boards on top of the normal PC components. What you think? Could this work if marketed as a secure application platform? Be low cost?"
I think the second question would answer the first. I'm not up on the cost of each component, but if mass-produced -- if Dell and other mass-marketers would tool up thousands and thousands of these, and advertise "New! Advanced security never before possible in your home computer!" -- if the mass-production made the cost delta relatively small, consumers would buy it. If enough did, then those OEMs who don't have it are at a disadvantage; their marketing d***wads would whine, and it would soon become an industry standard. *Someone* will always undercut price by omitting that, but with enough media coverage, Homeland Security press conferences...
Look how long it took for firewalls to come standard OOB in Windows home systems. Not until 2001 when XP was introduced, and then, it was off by default. Useless, because AHUs didn't know to turn it on. Finally, in XP SP 2 in 2004, it was turned on by default -- what, 13 years after Win 3.1 became popular? Constant ads from 3rd-party fw makers forced MS to act. Get even one high-priced OEM to use this, and trumpet to the world the security of their system, and the others will have to follow suit sooner or later -- which brings the price down yet more.
“I keep moving my data to external storage. If anything happens on this machine, I just pop in a LiveCD, retrieve any remaining critical files, format the HD, install fresh, update everything, and reconfigure everything. The entire process is usually done way faster than an Acronis restore, so I stopped using that.”
Good plan for most users. My entire HD footprint is about 835 MB at the moment (including 225 MB of Acronis, LOL), so an Acronis restore is just a few minutes vs. those with 400 GB of HD usage. ... Actually, cutting the size of Acronis backups so that they would fit on a single DVD, then on fewer CD’s, is what started me on the minimalization path in the first place, though I’d already started conserving RAM by disabling services. The security implications quickly became apparent, and gave added motivation. Can now do one full backup and several incremental backups on a single 700-MB CD, plus raw (non-compressed, Windows-format) data backups. Full = 340 MB; increments, 15-80 MB depending on how long and how many major changes.
I too move data off the machine, or back it up off-disk, frequently, for the reasons you said: No fears.
"This strategy means, if problems are suspected, I'm one restore and data transfer away from a clean system. I like my current Linux approach better, though. ;)" ... I like them both, plus, you have an added layer of redundancy. Can't have too much of that... With my small HD footprint, haven't bothered with the Linux idea, but for most people, your dual-boot setup, backup, and catastrophe plans would be excellent.
"The only chat client is AES-256 secured"
“Which one? An OTR-based solution?”
Um, no, I just use LogMeIn Hamachi free home version, as I'm not concerned with deniability or possible record-keeping or logging. The two uses have been: 1) To remotely administer the computer of an elderly relative, using other third-party remote admin tools, but running them over Hamachi for additional security and intrusion-prevention, vs. running them over the Internet, and 2) Casual chat with remote friends, none of which is very sensitive, but without worrying about the virus-and-worm-infested networks that are AIM, Yahoo, etc., and with no third parties, including spammers, allowed. I don't possess any national secrets or anything, which is fine with me. PGP e-mail is used for discussing privacy- or security-sensitive issues.
“Now, you may wonder why I praise Poly2's minimizations, then promote building apps on top of high assurance platforms with extra, unneeded functionality.“
Your explanation made perfect sense. If I were trying to obtain certification for my trimmed OS (it’s nowhere near that, but let’s pretend), then as you say, every time I found a new file that could be deleted, it would all have to be re-certified. We have different goals (third-party cert vs. personal comfort level), and hence, different incentives. Therefore, different methodologies. The tense wasn’t always clear: Are these just ideas, or have you actually designed, and built, any? I hope you’ve attracted support for your approaches, perhaps sufficient at least to help design and build a prototype. Are you allowed to say whether you’ve implemented any such systems, and where? If not by name, then generically: Corporate, government?
“You've actually bested CERIAS...” ... Wow, I beat Purdue University? I had no idea... but the credit isn’t all mine, as you’ll see.
“You really need to write a guide or a book on how you did that, what depended on what, what was totally useless, etc. “ ....My main source was a guy who must have spent thousands of hours of research, trial-and-error, etc.,
I needed a good bit of trial-and-error myself, since his setup, needs, apps, and usage are different from mine, as are everyone’s. But I doubt I’d have blazed the path myself if someone hadn’t already chopped down some of the trees. AFAIK, he has no plans to do the same for Vista or 7, probably because after spending so much time de-bloating XP, he’s happy with his setup and has no plans to buy and install another bloated whale. Nor do I. ... I don’t think he’s into Mac or Ubuntu, but if someone who was, would just read his Guide and follow the same general path, they could probably do so. Are they as bloated as Windows?
I spent about two years gradually implementing his ideas, testing each significant change for a week or two, marking the failures, adding a few new finds of my own. I'd be happy to share them, but we run into the different usage/apps thing. Everyone who follows his guide needs to check it against their own hw, drivers, apps, usage, etc. If you'd like pics of the properties and contents of the Windows folder and system32 folder (the biggest target), I'd be happy to email them to you.
Thank you for the kind words. Unfortunately, flaws will still be found endlessly in the files that remain, so please keep on striving for higher and higher levels of assurance in your OS and hw setups, while also trying to make it more and more affordable.
I just gave Bruce my two cents’ worth on his book cover and title, so I’m afraid the bank-security thread is going to get pushed back a day or two, then looking forward to studying the QMail paper and commenting, even if it’s this weekend. Of course, if you have any comments on this topic, look forward to them. Cheers.
@ Nick P.:
Great minds post at the same time, apparently. :) Just saw your Rascals comment after posting my lengthy reply.
Glad you liked it. It was literally decades after the original's release that I finally learned what they really intended to say.
In all that spare time you don't have, :) feel free to browse any of the other 430 titles in my catalog. They range from the lofty (educational, Shakespearean) to social/political satire, to just "funny", to downright silly -- miscegenation with sheep crops up a dozen times or more, including once to "American Pie". I hope Don McLean never sees it. :) If you want to see that one, click the signature to *this* post.
A few are a little "racy". The site prohibits outright obscenity; clever double-entendre is much more challenging IMHO, but I don't know your tastes -- some people don't like such things, which is cool.
My original works, in date order, but can be sorted by original song, original performer, or popularity (# of page views):
99 more with a collaborator, heavier on current political satire and on classics (Homer, Dante, Shakespeare), including parodying the entire Broadway musical/movie "My Fair Lady":
No obligation, of course, and no offense taken. But I've always agreed that "all work and no play makes Jack a dull boy." You can only stare at code files and research papers for so long...
"However, my first impression is that your excellent ideas would be difficult, if not impossible, to implement in laptops, where bulk and ventilation/cooling become more critical issues. "
The design for the cards was a desktop tower, not a laptop. Laptops can be used but I'd have to use really tiny boards. Gumstix is popular. There was an Atom-based x86 board called Firefly that had a TPM, Intel VT, Wireless and more. You could fit about six in a laptop form factor, although less in reality due to peripherals taking up space.
"Else, I'm afraid that many who need laptops for travel (try composing your next paper on a smart phone on board the plane, etc.) couldn’t use the embedded-boards approach, though the idea sounds great for desktops. "
Actually, it just dawned on me that a new product essentially does laptop + embedded board. It's an ARM-based compute module you plug into a laptop SATA bay. I wouldn't use it, but it demonstrates the principle: you can include an extra secure board in a decent sized laptop. Only question: where to put the trusted interface... (sighs)
"Better to have a standard Windows-type GUI with a conspicuous desktop and Start menu shortcut"
Could do that. The Compartmented Mode Workstations of the past usually had colored lines around the Windows that indicated their security domain and part of the screen (top or bottom) couldn't be modified by any apps/VM's. This is where buttons, labels of running domains, etc. were. If we did it this way, we could put the button there.
"The tense wasn’t always clear: Are these just ideas, or have you actually designed, and built, any? I hope you’ve attracted support for your approaches, perhaps sufficient at least to help design and build a prototype. Are you allowed to say whether you’ve implemented any such systems, and where? If not by name, then generically: Corporate, government? "
I can't really say much about what I've implemented. It's mostly a hobby for me, but those that want my grade of security usually demand secrecy too. I've certainly designed 100x more than I've implemented. High assurance implementation is more costly in terms of time and resources than high-level design. I'm more productive by focusing on designs and only implementing when it makes the most sense. I mainly contribute ideas to researchers and blogs. I've seen some of my own designs turn up in Ph.D. theses, research demos, etc. This can only mean a few things: they copied without giving credit; they independently arrived at the same thing; some of my suggestions inspired their final product.
An example was the OP secure web browser at University of Illinois, which inspired Chromium's sandboxing. Google "Secure web browsing with the OP web browser" for an illustration of good security engineering. I came up with almost an identical design a month or two before, except theirs ran on Linux and mine ran mostly on a microkernel. There was one other minor difference (plugin handling?). So, was it "great minds think alike" or "good artists create, great artists steal"? Not sure. But most of my work is for society's benefit, not profit, so I'm fine with it either way.
"AFAIK, he has no plans to do the same for Vista or 7, probably because after spending so much time de-bloating XP"
Thanks for the link. It's unfortunate that he's done because Windows 7 is the ideal OS to do this too. It's the best Windows design they've come up with. The user-mode driver architecture, static driver verifier, NX, reliance on managed code for many apps, mandatory integrity control and improved client security apps make Win7 the most secure OS they've made (well, since Trusted Xenix, but that's UNIX haha). I've confirmed it also uses about the same resources, in default config, as an XP system does. The only drawback is in the DRM stuff if someone finds that an obstacle to their work.
My bad. Xenix was a Microsoft OS, but Trusted Information Systems made Trusted Xenix. They were hardly even the same codebase. So I guess Win7 really is the best Microsoft has done. :)
@ Nick P.:
"Actually, it just dawned on me that a new product essentially does laptop + embedded board. .... I wouldn't use it, but it demonstrates the principle: you can include an extra secure board in a decent sized laptop. Only question: where to put the trusted interface... (sighs)"
So, if our discussion has you thinking of ways to fit this into laptops, then it's synergistic and worthwhile. The economies of scale would increase tremendously if you could add the laptop market to the desktop market, even though many components would be different. The *concepts* are similar, which greatly reduces R&D cost, even if the components are different. It's easier to develop the two in parallel than to do the desktop, then have someone ask, "Hey, can you do that for a laptop", right?
"I can't really say much about what I've implemented. It's mostly a hobby for me, but those that want my grade of security usually demand secrecy too."
No problemo. I have one friend who's done work for Gov contractors, including for NASA, but that fact is not exactly top-secret. I have another who's doing some really advanced project for the Gov. I'd pull the old joke, "I'd tell you, but then I'd have to kill you", except that if he told *me* any of the details, he'd have to kill me... Which suits me fine: "That which I do not know, cannot be beaten out of me." (or drugged, extorted, etc.) I like remaining as low-value a target as possible.
"I've seen some of my own designs turn up in Ph.D. theses, research demos, etc. This can only mean a few things: they copied without giving credit; they independently arrived at the same thing; some of my suggestions inspired their final product."
Which is what makes proving plagiarism so difficult. Sometimes, a long block of text or a complex diagram is *identical*, which is a good give-away. Stealing ideas without credit (and a share of the profits, if any) is scum in my book. Inspiring others is quite a compliment, which should be returned with an acknowledgment: "Inspired by concepts first presented by Nick P., for whose seminal work we are grateful." ... So, if your high-assurance laptop hits the market, I get credit, right? (KIDDING!! ;)
Example: The Chiffons and their producer successfully sued former Beatle George Harrison, because the latter's song, "My Sweet Lord", used the same melodic structure as the decade-earlier hit, "He's So Fine".
Musical experts testified about the unlikelihood of the same "string" reappearing over and over.
"So, was it "great minds think alike" or "good artists create, great artists steal"? Not sure."
"If I have seen further it is by standing on the shoulders of giants." - Sir Isaac Newton. Be honored to be one of the giants on whose shoulders they stood.
“It's mostly a hobby for me,... I've certainly designed 100x more than I've implemented. ... But most of my work is for society's benefit, not profit, so I'm fine with it either way.”
It’s good that you enjoy your hobby enough to do it without thought of compensation, much like my silly little hobby. Except that yours actually improves the world. ;) ... Seriously, if you like playing with ideas, then keep putting them out there. Regardless of whether the people who sign the checks want to go for it, you have the satisfaction of knowing that you’ve shown the world what *could* be done. Whether they do it is (usually) out of your control, but the Wright Brothers’ first flight wasn’t of any immediate practical use, either. But by showing the world that it *could* be done, it inspired them and many others, to where we now take jumbo-jets for granted. Someday, perhaps we’ll take for granted rock-hard, bullet-proof smart phones, because you tried to do HA in a laptop, then someone started from your ideas and tried to do it in a smaller box, then someone else took that idea and ...
“It's unfortunate that he's done because Windows 7 is the ideal OS to do this too. It's the best Windows design they've come up with....I've confirmed it also uses about the same resources, in default config, as an XP system does.”
Famous for being the *only* OS in MS history to use fewer resources than its predecessor, and that goes all the way back to DOS systems, IIRC. Perhaps the EU lawsuit over misrepresenting how many existing machines could use the resource-hogging Vista had something to do with that? Which was satirized rather viciously in the following:
which was received very well by a not-necessarily-tech crowd.
I don’t feel inclined to spend the money to buy 7, nor to learn the intricacies and do the trial-and-error deletion, but since you’re already on it, and like to play with stuff, maybe set up one copy on a separate partition or external HDD that isn’t the default-boot, or on a spare machine; follow the same general paths; logging every change; note what works and what doesn’t; with frequent Acronis backups of that partition or external drive only, so you can reverse any fatal errors?
Scroogling (I trust Brandt more than Google) “Windows 7”+trimming gives some interesting hits, like
which gets the install down to 2.5 GB. Others at the thread confirmed what you said, that it’s about equal to XP Pro in resource use, but one wanted to put it on various portable devices, and another, on an older computer with less RAM and HD space.
Haven’t looked at them all, but you might find something interesting among them. At least, it shows that people are working on the idea -- probably inspired by the pioneering work of the guy who did the XP trimming guide. If you have major success, I’ll bet hosting a similar site or forum, or even publishing a .pdf or e-book, would be successful.
“The only drawback is in the DRM stuff if someone finds that an obstacle to their work.”
My 2005 XP didn't have most of that crap, and I refused it (another benefit of parsing Patch Tuesday updates very carefully, including refusing IE 7, 8, and 9). The 2008 has some; I haven't tried deleting or disabling it, partly because I want one machine in relatively OOB condition (just got rid of some huge, ultra-low-hanging fruit that wouldn't affect functionality), and partly because I don't d/l DRM-type stuff. Hey, any video at YouTube, I can turn into an MP3 or movie... (won't say how, though I'm sure it's an "open secret".)
Take a look at the W7 trimming search results and see what you think. But I’d rather have a high-assurance system than the smallest possible one, even though I’m using the Poly2 small-is-better approach on my own -- no other options without custom-building a laptop. (I’m a laptop fan -- no pun intended - for various reasons.) When you build your HA laptop, I’ll be happy to test it. :)
"The *concepts* are similar, which greatly reduces R&D cost, even if the components are different."
This is where it gets tricky. Intuition says the statement is true. It will certainly be true to a degree. The requirements, development tools, formal methods, testing tools, configuration management, documentation handling, and certain process aspects could be standardized for several products or target hardware. Additionally, reusing the same development approach on a 2nd product usually decreases costs because of developer familiarity and the fact that developers often make custom tools to make their jobs easier. This is especially true in high assurance development where each new type of product often requires new tools to support development requirements, tools that can be reused on similar products.
Now, here's where it falls apart a little. Desktops, laptops, thin clients and appliances share some features, but differ widely in others. For instance, the first two are general purpose, must have full x86 compatibility, and require any addons to follow many standards and cheaply. The other two are special purpose, can run whatever OS you want, have fewer standards requirements, and can have whatever hardware configuration you want. The kinds of modeling, testing and requirements gathering that apply to the first category might not translate to the second. This means there's little synergy. However, within each category, development efforts could certainly be shared and reused.
Now, for desktops and laptops, here's the main deliverables I see being shared: majority of functional and security requirements; formal specification of these; several protocols (and maybe implementations); possibly high-level, black-box designs; many black box acceptance tests; many implemented functions. This allows for plenty of reuse. The things that are different can have a HUGE impact. Power management requirements for laptops create special security issues for attached devices. This includes power usage & the functionality that causes sleep & hibernation. These can often be tampered with, requiring special considerations. Space, cost and form factor issues also affect hardware choices, which may require high level design changes. So, it's hard to say ahead of time how much synergy can happen. The only guarantee is that developers who made one high assurance product will have more productivity working on the second if it's similar.
"I'd pull the old joke, "I'd tell you, but then I'd have to kill you", except that if he told *me* any of the details, he'd have to kill me..."
I often joke like that too, but it actually is kind of a joke. If he told you classified information, HE would be guilty of a felony and, depending on his intent & potential damage, possibly prosecuted for espionage. Government espionage comes with a mandatory 15 yr sentence.
"That which I do not know, cannot be beaten out of me. (or drugged,extorted, etc.)"
Hell yeah! It's why I try to do some high assurance designs to work in spite of that or try to detect it, so adversaries know such an event makes their chances of success worse rather than better. My justifications for that are admittedly self-serving. ;)
"Stealing ideas without credit (and a share of the profits, if any) is scum in my book. Inspiring others is quite a compliment, which should be returned with an acknowledgment: "Inspired by concepts first presented by Nick P., for whose seminal work we are grateful.""
Lol. Mostly agreed. I don't like taking too much credit for my ideas, though. I think it was Solomon that told his son that there's nothing truly new: everything has been done before to some degree. This is true for me especially: I absorb tons of information, design ideas, lessons learned, etc. from others and transform them in my head to make them better, target them to new solutions, etc. The level of novelty varies from slight modification to quantum leap. An example of the latter was coming up with a form of covert communication based on Princeton Engineering Anomalies Research lab's "thought switch." Nobody else is on that and might have trouble figuring it out even with that hint. ;)
The transaction appliance idea is so obvious that I've already found two or three more papers describing about the same thing, including one in my collection that I just got to read today (I download them in batches & read them over time). So, I usually don't take too much credit because my ideas truly stand on the shoulders of the truly seminal work by individuals like Bell, Karger, and Schneier. They're the real innovators. I'm just a guy trying to make the ideas work for us. ;) To be more clear and daring, I'd say many security architectures aren't novel but just concrete realizations of the novel concept of secure decomposition: decomposing a complex system into smaller, simpler parts that interact in careful ways.
"So, if your high-assurance laptop hits the market, I get credit, right? (KIDDING!! ;) "
Lol yeah sure. I can honestly say your feedback might have reduced the costs. Due to what I've read, I've mentally divided high assurance methodologies into a bunch of groups for different types of products. It has to be that way due to the traits of the methods used. However, you forced me to enumerate possible areas of overlap in similar product categories and I noticed that there's more than I first realized. So, if we reused an unusually high amount of previous work effort, you'd deserve some credit for it. I'd either say "He saved us $250,000 in development costs" or to customers "he saved you $2.50 on your device." Depends on how mischievous I felt... [patented grin of mischief]
"It’s good that you enjoy your hobby enough to do it without thought of compensation, much like my silly little hobby. Except that yours actually improves the world. ;)"
Stress is the silent killer. Happiness is one of the necessities in life. Life's little pleasures motivate people into higher productivity (well, some don't lol), reduce stress, and make society better off in general. Entertainers like you are vital in helping people get away from the grind long enough to come back and take one of my security lectures in good stride. ;)
"Take a look at the W7 trimming search results and see what you think. But I’d rather have a high-assurance system than the smallest possible one, even though I’m using the Poly2 small-is-better approach on my own"
Thanks for the Win7 links. I think my HA research will prevent me from contributing much to that. We all have our place of greatest value. I was thinking though if you want the easiest route to a minimalist system you might want to grab some certified hardware and go the Linux route for most activities. You have about four main options. Gentoo is a source-based distro that lets you easily build/compile from the ground up. You can start with a RedHat/CentOS kernel, strip it, and build from there. You can start with ArchLinux, which is a distro lean enthusiasts prefer. On the extreme end, Linux From Scratch lets you do what it says. If you want BSD, NetBSD is extremely modular & has a friendly community. Just a thought for you.
Disclaimer: This is a personal comment. Opinions expressed are not necessarily those of Bruce Schneier. For those in doubt, see comment author's criticisms of the Movable Type platform.
@ Nick P.:
">> except that if he told *me* any of the details, he'd have to kill me..."
"I often joke like that too, but it actually is kind of a joke. If he told you classified information, HE would be guilty of a felony and, depending on his intent & potential damage, possibly prosecuted for espionage.... "
Which is exactly why he'd have to kill me: So no one could ever find out from me, voluntarily or otherwise, that he'd divulged it, assuming he divulged it to me securely in the first place. ... So there is a nugget of truth in the old joke. ;)
"I can honestly say your feedback might have reduced the costs. ... you forced me to enumerate possible areas of overlap in similar product categories and I noticed that there's more than I first realized."
Found the right word for why Schneier blog discussions are the best around: "Cross-pollination."
"I was thinking though if you want the easiest route to a minimalist system you might want to..."
Thanks - but it's minimal enough for me now, and the work is already done. :) ... and all compatible with apps for Windows. Had I not already done all this... but you've given some good ideas to anyone else who despises bloat.
"Stress is the silent killer. Happiness is one of the necessities in life... "
Or as someone once put it, "Laughter is the best medicine."
Also, some subset of that hobby is social and political satire, which has been recognized as a strong means of criticism since ancient Greece and Rome. People often tend to absorb more, or get the point better, when it's delivered in an interesting and amusing way. I could flood you with examples, but will just give a few samples (your beliefs may vary):
Recently, Reps. Ron Paul and Barney Frank introduced legislation to get the Feds out of the weed-busting business, which has been a costly failure anyway. (Not a partaker myself, but I don't think that gives me the right to tell you that you can't.) I hit that topic hard (twice in one day) two years ago when Michael Phelps proved that you can set a record for most gold medals in a single Olympics, even while taking a toke once in a while.
"Killing Me Softly With His Song" by Roberta Flack =
"Swimmer Wins Oftly, Hitting Bong (Michael Phelps)"
"Big Spender" by Peggy Lee =
"Hey, Bong Swimmer (Michael Phelps)"
The other side of the BP oil-spill story; Corruption at the oversight agency, and the Administration's failure to address it:
"Show Me" from "My Fair Lady" =
"Show Us (POTUS v. Minerals Management Service and BP)"
Lots more there: Senator Larry Craig, O. J. Simpson, Michael Vick, the current POTUS and the previous two; the current V-POTUS and the previous one; etc. Plus one about an issue that Bruce blogged:
"A high school bans backpacks as a security measure. This also includes purses, which inconveniences girls who need to carry menstrual supplies. So now, girls who are carrying purses get asked by police: "Are you on your period?""
I had sent Bruce the story, but of course others might have as well, and he may have seen it himself first. The piercing parody of the stupidity described there, and of outlandish terror fears in general (using the media's definition of "terror*):
"Put Your Head On My Shoulder" by Paul Anka =
"Is Your Purse A Gun Holder (Or On Your Period?)"
Last one, I promise, and probably the granddaddy of them all: a non-partisan rant about Government and politicians in general, done to all four verses of The Star-Spangled Banner:
"I have never made but one prayer to God, a very short one: "O Lord make my enemies ridiculous." And God granted it." -- Voltaire.
So they may serve some purpose in ridiculing the pompous and idiotic.
No obligation, of course, and no offense taken if skipped. Plus the usual guarantee: Double your money back if not satisfied. :)
Hope I don't have so many links that it trips the filter, but the trust model based on using the same e-mail address in that field has worked so far - haven't been auto-filtered since. One more little-publicized aspect of the BP thing in the signature link. Fingers crossed...
Late reply. My bad. I looked at a few of the songs. The Star Spangled Banner parody was my favorite. You 100% nailed that one. I wish there was an audio performance of it.
As for BP link, I didn't know about that. However, Clive responded to a post of mine about the spill and told me everything I needed to know. The corruption far exceeds what's in that link. Btw, Clive might have the answer for the fine exceeding $75 million: after Valdez spill, they introduced new liability legislation. Might have changed who gets liable or for how much.
Clive's "essay" response
RobertT also just told Mark Currie on the "Court rules..." post why he shouldn't try to build his device in the United States. It's incidentally the main reason I haven't [publicly] offered any of my designs, including the one that uses Mark's. Until patent reform happens, developing systems that compete with the 800 lb gorillas is a legal minefield. It's also very expensive to navigate.
@ Nick P.:
No apologies necessary --"Life Happens". ... and the parodies were hardly obligatory reading. :)
Yes, the media didn't showcase the corrupt officials nearly as hard as they hit the Big, Evil Corporation, as your own experience shows -- especially a *foreign* BEC. If it had been Exxon/Mobil instead of *British* Petroleum, would the reactions have been different? ... Still, corps are a fave scapegoat, partly because broadcast media don't get their licenses renewed by BP, but by the FCC, which is a, um, "Government" agency. :P
I don't excuse BP. But comparing a crook to a crooked cop who accepts a bribe to let the crook go, I regard the cop as the more evil of the two, because he was specifically entrusted with preventing or catching the crooks.
"The Star Spangled Banner parody was my favorite. You 100% nailed that one. I wish there was an audio performance of it."
Do you remember the line from the original "Rocky"?
"Why did you become a boxer?"
"Because I can't sing or dance". lol
I write, but I can't sing or dance either. If you, or anyone you know, wants to record it, add some appropriate video, and upload it to YouTube or whatever with lyrics credit, cool. A fellow writer put one of my Vista-trashing parodies on YouTube, but with karaoke lyrics only, no actual singing voice. That doesn't get so many hits - needs a voice. It's
I sold a half-dozen or so parodies to a radio producer, who syndicates stuff to about 700 indie stations nationwide. The best was on Sen. Larry Craig. He said his singer had a hard time getting all the way through a take without cracking up laughing, which is about the best compliment a comedy writer could ask for.
Others were Astro-Nut Lisa Nowak; H. Clinton during the VP speculation in 2008 (they cut it in half due to time constraints -- gotta get in all the commercials); McCain's choice of Palin; Scooter Libby; and John Edwards, back when his biggest problem was his campaign paying for his $400 haircuts. They each dropped off the air as the news became old, but the Edwards one kept getting new lives as his further problems continued to become public.
Won't burden you with any more links to the lyrics, except upon request. I do have mp3s of the productions, but not for mass distribution. The producer bought the complete North American airplay rights, and guarantees exclusivity to his subscribing stations. However, for someone who clearly understands the need for NDAs and respects them, I think I could entrust a copy, with the agreement that it goes no further. Could e-mail them -- disposable e-mail address is fine. Any of my own song pages of the past two years or so has the email-revealing reCaptcha right after the copyright notice - your fave "Star-Spangled" has it.
As you said, stress is the killer. In addition to the usual stresses of life, I've been impacted pretty hard by the ongoing economic mess, so these are pleasant diversions.
Back on topic:
I myself have been slammed for a week or so, and only just now returned to the Electronic Banking thread (other than my post about the bank's stupid "Security Stamp" for e-mail), where I saw the patent discussion and left comments to all, including to your very fine and thorough summary of the Live CD.
Not quite up to reading a Clive post ATM, especially if it's so much longer than his average as to deserve "essay" status. ;) But will do so. And your QMail .pdf is still on my desktop, so that it will keep reminding me to read it when I can do it justice, as I'm quite eager to do. Thanks as always for your responses.
@ Nick P.:
I read Clive's post on BP/Halliburton/Transocean. All good stuff.
But my point was that the Gov agency charged with oversight of *all three of those* (the entire process of drilling on US Gov land, above or below water) was rubber-stamping permits without reading the specs; skipping inspections or letting BP conduct their own (Self-signed SSL cert, anyone?), and accepting bribes of cocaine and hookers in return.
There's one more missing element, because I had posted too many links already, and that is that
*BP did not want to drill there in the first place. The Feds forced them to.*
I seem to be the only person on Earth not connected with these companies who knows that. Again, it was told in parody form, with intro and comments:
"BP (It's Not Your Fault -- *REALLY*)"
If it's the last parody of mine you ever read, please take a glance. Only 16 lines and four explanatory footnotes.
Thanks for the Clive link. The liability issue is a mess, because the Gov made it a mess. That point is in my song, too, but Clive always has some extra insights.
There's a follow-up to the "inaction against MMS drug-and-sex-parties" parody in the signature link, done to Christmas classic, "Silent Night", should time permit and curiosity motivate.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.