Schneier on Security
A blog covering security and security technology.
September 2, 2011
Friday Squid Blogging: SQUIDS Game
It's coming to the iPhone and iPad, then to other platforms:
In SQUIDS, players will command a small army of stretchy, springy sea creatures to protect an idyllic underwater kingdom from a sinister emerging threat. An infectious black ooze is spreading through the lush seascape, turning ordinary crustaceans into menacing monsters. Now a plucky team of Squids, each with unique personalities, skills, and ability-boosting attire, must defend their homeland and overturn the evil forces that jeopardize their aquatic utopia.
...which they describe as Angry Birds meets Worms, with RPG elements. "For the universe, Audrey and I share a passion for cephalopods of all sorts, and that was a perfect match with the controls I had in mind," Thoa said.
As before, use the comments to this post to write about and discuss security stories that don't have their own post.
Posted on September 2, 2011 at 4:44 PM
I might actually need to get that game, when it comes to a platform I actually have in my house...
@ChristianO: Yeah, it sounds like the goal is to replace an existing client/server system with a new client/server system, but the new client is trusted less (except we still trust the new client with the card numbers, pins, and control of the cash output device...)
Then again, Diebold has already shown they don't have a clue how to do cloud-like security with the horribly botched job with the voting machines.
It still bothers me that I, with absolutely no security background beyond what I read here, could design a system that is more conceptually secure than what they put forth.
TSA accused of 'racial profiling' after two black women had their Afro-style hair searched
What is interesting is that both women had gone through the scanner successfully. Apparently afros can be used to defeat a scanner.
@ Petréa Mitchell,
The ruling on eye witnesses is a step in the right direction.
I've been banging on about the unreliability for years now, which is why I'm totally unsurprised that 75% of wrongful convictions (cleared by DNA) are from "That's the man, your Honour" drama statements made in court.
What the article did not mention was the "Oh my Gaud I'm important" factor in eye witnesses, in that they suddenly see their 15 minutes of fame heading in their direction and will do whatever is necessary to get those minutes.
What I would like to see is that the process gets relegated to "supporting evidence" at best.
However the process needs real separation, in that the lineup should be run fully independently; otherwise it is still possible to game the result. For instance the photo lineup is going to end up with only those for whom there is some other form of evidence, thus it does not matter which mugshot the witnesses pick...
This might be of some interest,
If the researchers have successfully married quantum storage and quantum processing then one of the currently most problematic issues (i.e. qubit data persistence) has been partly resolved.
Bruce, old friend and teacher, would you consider writing a piece on security that might create some flames?
I would like to read an essay from you that could be entitled "If I Ran Wikileaks". I'm not suggesting any endorsement or condemnation of WL - more of a primer on what kind of security apparatus you would build to handle a "generic" whistleblower site; submissions, collaborations, etc.
Is this a silly idea? Already written?
Minicon 34 Restaurant Guide? Bruce! Dude! I love ya, man. I knew you were in the trenches with the rest of us nerds, but now I find out you've been in the sub-basement with me and the rest of the freaks! LOL!
Write some sci-fi dangit!
@ Bruce and Clive
With the quantum computing improving, it's about time to evaluate quantum-resistant asymmetric cryptography. Bruce, many people have asked you to review NTRUsign and similar algorithms. Considering the weaknesses I know about, I thought about using it in conjunction with a strong non-quantum-resistant cipher until we get something better. What are your thoughts on quantum-resistant cryptosystems? What recommendations would you make? Is there anything good brewing in some research labs on the defensive side?
Basically, it says the group is about to do more DDOS, cons and hacks. The group hasn't really gotten much more effective at causing damage over time. Most likely, whatever they do will be similar to what they've done in the past. They'll just use some new tools and hit new targets.
I should add that the best ways to stop attacks like these don't change either, and that companies not employing risk-mitigating architectures won't change either. Hence, they might suffer the consequences of "managing" (read: ignoring) risk.
On NTRUsign security
Well, this isn't heartening.
Of course, the top post did say they did successful key recovery on "NTRUSign-251 without perturbation." A quick look at Wikipedia showed that they use perturbations to defend against exactly this kind of attack. It seems conceptually similar to the RSA padding schemes. In any case, the question is: will the perturbation scheme make this system truly resistant for the first 2^30 signatures? What level of confidence to place in this claim?
(Of course, we could always generate more keys & swap them out over time. This is already done in many symmetric systems although the risk of guessing the key is low. As that risk is high in this one, I figure changing out the asymmetric keys regularly would be a good idea.)
Well, you never know who they're going to attack next. Reportedly, people testing the new DDoS tool decided to try to take out WikiLeaks and 4chan, of all things.
(For those arriving late: Anonymous was attacking people on behalf of WikiLeaks last year, and 4chan is where its nucleus originally formed.)
@Clive. The problem is that eye witnesses are essential for creating courtroom drama to bolster the state's case. We have known about the unreliability of eye witnesses for /many decades/. But if you take away eye witnesses you severely hamper the state's ability to make its case. And hello! That's what prosecutors do, make criminal cases.
You seem to be under the apprehension that the purpose of the court is to search for the truth. ERROR. ERROR. The purpose of the court is to entertain everyone, haven't you been watching Nancy Grace?
I don't know if anybody has picked up on this,
But it appears that Apple has a problem in its OS when it comes to digital certificates and revocation,
"Users can revoke a certificate using Keychain, but if they happen to visit a site that uses the more-secure Extended Validation Certificates, the Mac will accept the EV certificate even if it's been issued by a certificate authority marked as untrusted in Keychain"
So the result is that whilst a user can revoke the root certificate and ordinary certificates via the "keychain", in the case of Extended Validation (EV) certificates the user can not, and the OS continues implicitly trusting them. Oops...
This is a very nasty little gotcha that could be exploited in oh so many ways...
It will be interesting to see what Apple says on it (after they have finished pretending to be Police Officers to cover up for the careless/drunken mistakes of their employees and Apple iPhone5 prototypes ;)
More on the police and Apple:
It isn't uncommon for San Francisco police to help private investigators, as they did when Apple security searched a San Francisco home looking for a lost iPhone prototype, said Police Chief Greg Suhr.
Bruce, I just finished reading Kevin Poulsen's book Kingpin and your site is mentioned in the end notes. Chapter 24, page 156 has it as, "...a widely read computer security blog."
It's amazing how many places your work pops up.
Is there a point where adding rounds to a block cipher gives no security, it's just spinning your crypto-wheels?
The Los Angeles Times article "As 9/11 anniversary approaches, San Diego officials ask residents to be on alert" (August 24, 2011) mentions a campaign in San Diego, California. This campaign urges residents to be aware of activity that might indicate terrorist plans. More information about the campaign (which includes a "The Eight Signs of Terrorism" video) is at:
(To be sure, the campaign directs persons to focus upon the actual activity involved, and not upon the race or nationality of other persons.)
First let me define complexity as the effective number of bits. That is, to brute-force a 128-bit password has a complexity of 128. This means that on the order of 2^128 operations are required to do this.
The complexity of breaking an n-round encryption scheme is usually of the form C = c1 + n*c2.
With a B-bit key, this will exceed B at some value of n. Each attack method has its own c1 and c2. So for every known attack, the number of rounds is chosen so that c1 + n * c2 > B: a brute-force attack would be easier. Newer attack methods with lower c1 + n * c2 might be found in the future. Therefore some margin is taken and the number of rounds is chosen larger than the minimum indicated by the inequality. So at the present time, you'll be "spinning your crypto-wheels" for a few rounds just to be sure that in the future newer attack methods don't erode your security beyond what you expect of an encryption method with a B-bit key.
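The linear model in the comment above, worked through in code. This is an added example, not part of the original comment: the attack parameters in `ATTACKS` are constructed (c1, c2) pairs chosen for illustration and do not describe any real cipher. The point it shows is that once every attack's cost exceeds brute force, extra rounds no longer raise the effective security, which saturates at the key size B.

```python
import math

KEY_BITS = 128

# Constructed (c1, c2) pairs: each hypothetical attack costs 2^(c1 + n*c2)
# operations against an n-round cipher. Not measurements of any real cipher.
ATTACKS = [
    (20, 12),   # cheap to start, cost grows 12 bits per round
    (40, 8),    # expensive start, grows slowly per round
    (0, 16),    # grows fastest per round
]


def attack_complexity(n_rounds, c1, c2):
    """Work factor in bits of one attack against n rounds: C = c1 + n*c2."""
    return c1 + n_rounds * c2


def effective_security(n_rounds, key_bits, attacks):
    """Effective security in bits: the cheapest known attack, capped at
    brute force over the key (nothing beats trying all 2^B keys)."""
    cheapest = min(attack_complexity(n_rounds, c1, c2) for c1, c2 in attacks)
    return min(key_bits, cheapest)


def min_rounds(key_bits, attacks):
    """Smallest n such that c1 + n*c2 > key_bits holds for every attack,
    i.e. the first round count at which brute force is the best attack."""
    needed = 0
    for c1, c2 in attacks:
        if c2 <= 0:
            raise ValueError("an attack whose cost does not grow with rounds "
                             "can never be pushed past brute force")
        # smallest integer n with c1 + n*c2 strictly greater than key_bits
        n = math.floor((key_bits - c1) / c2) + 1
        needed = max(needed, n, 0)
    return needed


def rounds_with_margin(key_bits, attacks, margin_factor=1.5):
    """The designer's safety margin against attacks not yet discovered."""
    return math.ceil(min_rounds(key_bits, attacks) * margin_factor)


if __name__ == "__main__":
    floor = min_rounds(KEY_BITS, ATTACKS)
    print("minimum rounds:", floor, "with margin:", rounds_with_margin(KEY_BITS, ATTACKS))
    for n in (4, 8, floor, floor + 6, 30):
        print(f"{n:2d} rounds -> {effective_security(n, KEY_BITS, ATTACKS)} bits")
```

With the constructed parameters the floor is 12 rounds; from there on `effective_security` reports 128 bits no matter how many rounds are added, which is exactly the "spinning your crypto-wheels" region the comment describes, and the margin rounds exist only to absorb future attacks with smaller c1 and c2.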
"Is there a point where adding rounds to a block cipher gives no security, it's just spinning your crypto-wheels?"
Do you mean "no security" or "no increase in security"?
The answer to both is yes.
A block cipher is simply a system to map a plaintext block to a ciphertext block or back again.
Many block ciphers are based on rounds and each "full round" is actually just another map. Therefore the final cipher map is the sum of the individual round maps. To be of use as a cipher system each map must have an inverse.
The number of maps any block cipher can have is limited by its block size. For a binary system with B bits of block size the size of the input and output sets is N = 2^B, thus the size of the map increases with the block size as N^2. However the number of maps is based on the number of permutations possible, so the total number of maps M = N!.
Although M is very large, many of the maps lack any kind of complexity so are of little use; every map will have an inverse map (other than the null map, which is its own inverse), so the actual usable keyspace size is considerably less than M but should be many, many times N.
You can look at the round maps as being of moderate complexity but, if combined correctly, providing greater complexity. However if combined incorrectly they can effectively become partial or full inverses of each other, thus reducing or removing complexity. However, no matter how many round maps you sum together you cannot have more than M maps.
Most block cipher full rounds are based on the use of partial rounds acting on part of the input block with "one way functions" and a reversible operator such as XOR, ADD or MUL within the field size of that round's function (a map is in effect a field). The one way function usually has as its input the other part of the block and a round key.
The one way function can thus be considered a map in its own right; however they are certainly not built as maps but as basic logical functions that are usually orthogonal to each other. Considerable care has to be exercised in their design so that they provide nonlinear behaviour with a suitable avalanche criterion; often they use small maps known as S-boxes to provide nonlinear behaviour, and these are combined via basic ALU logic and math functions to get high speed performance.
The analysis of the one way functions falls under a branch of mathematics called combinatorics, which uses both graph theory and group theory as basic tools. It's a subject area that fills many books and has a number of conferences and thus papers.
However the important thing to remember is that no matter how large a block is there are a finite number of permutation maps, and no matter how complex an individual map is there are a whole group of maps that will undo its complexity partially or, in one case (the inverse map), fully. So adding two maps can result in a stronger map, a weaker map or a null map.
I hope that gives you an intuitive feel for the answer to your question?
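The "rounds as permutation maps" picture in the comment above, made concrete on a toy 3-bit block. This is an added example and not the commenter's own code; the S-box and the key-XOR round structure are constructed for illustration only and are not any real cipher. It shows the three facts the comment relies on: every round map is a permutation and so has an inverse; composing a map with its inverse (or XORing the same key twice) yields the null map; and however many rounds are stacked, all key choices together can never reach more than N! distinct maps.

```python
import itertools
import math

BLOCK_BITS = 3
N = 1 << BLOCK_BITS                 # 8 block values: the input and output set
SBOX = (6, 4, 3, 1, 7, 0, 5, 2)     # constructed 3-bit S-box; a permutation of 0..7
IDENTITY = tuple(range(N))          # the null map: every block maps to itself

# A map is a tuple m with m[x] = image of block value x.


def compose(first, second):
    """The map 'apply first, then second' (the comment's 'sum' of two round maps)."""
    return tuple(second[first[x]] for x in range(N))


def inverse(m):
    """The unique map that undoes m; exists because m is a permutation."""
    inv = [0] * N
    for x, y in enumerate(m):
        inv[y] = x
    return tuple(inv)


def is_permutation(m):
    """True iff m is a bijection on the block values (hence decryptable)."""
    return sorted(m) == list(range(N))


def xor_map(k):
    """Reversible operator: XOR the round key into the block."""
    return tuple(x ^ k for x in range(N))


def round_map(k):
    """One full round: key XOR followed by the nonlinear S-box."""
    return compose(xor_map(k), SBOX)


def cipher_map(round_keys):
    """Stack rounds into the final cipher map."""
    m = IDENTITY
    for k in round_keys:
        m = compose(m, round_map(k))
    return m


def distinct_ciphers(n_rounds):
    """How many distinct block maps the 2^(3n) possible round-key sequences reach."""
    return len({cipher_map(ks) for ks in itertools.product(range(N), repeat=n_rounds)})


def total_maps():
    """Upper bound on any cipher's keyspace for this block size: M = N!."""
    return math.factorial(N)


if __name__ == "__main__":
    assert all(is_permutation(round_map(k)) for k in range(N))
    print("XOR same key twice is the null map:", compose(xor_map(5), xor_map(5)) == IDENTITY)
    print("round composed with its inverse is the null map:",
          compose(round_map(3), inverse(round_map(3))) == IDENTITY)
    for n in (1, 2, 3):
        print(f"{n} round(s): {distinct_ciphers(n)} distinct maps of {total_maps()} possible")
```

The last loop is the point about finite maps: the number of distinct ciphers grows with the round count, but `total_maps()` (40320 here) is a hard ceiling that no amount of extra rounds can exceed, and the cancelling cases show how a badly combined pair of rounds can collapse back toward the null map.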
@A blog reader:
As an ex-San Diego resident, I feel justified in saying that that video is a hilariously typical example of the paranoia and fear-mongering ever present in such conservative areas.
Anyone remember "Jam Echelon day"? I'd love to have a "Jam DHS Day," encouraging people to perform non-illegal "warning sign" activities and report them, to flood and overwhelm the response channels as a demonstration that we will not put up with Soviet-style "citizen surveillance."
@Bruce: A failed posting attempt due to, for example, using "Anonymous" as a name should not trigger the flood protection (which disallows the same poster to fix the mistake and actually post). False positive, ahoy!
@Daniel: I've always felt the greatest flaw with the criminal justice system is that all of the incentives for the prosecution and the police encourage them to "nail" someone to the wall, not find the truth.
1. The prosecutor is a political office, which means the prosecutor must get the "vile and evil criminal" convicted and put away (preferably with the harshest sentence). Never mind any exonerating evidence. Try to get it hidden or excluded any way possible, or dismiss it.
2. The police may not hold a political office, but their ultimate boss (chief, commissioner) is appointed by a politician in many cases, or elected in the case of a sheriff. If they don't nail someone, they get political heat.
So, the police and prosecutor have to stick it to someone; otherwise, they won't move up in their career (or might lose it altogether). The governor doesn't think "is this man innocent?". Instead, he thinks "If I let this probably innocent man out, and he does commit a crime in the future, will I keep my office or get to run for president?". Unfortunately, we just haven't come up with the right incentives and motivations yet to get a criminal justice system motivated by truth and justice. That's why it's refreshing when you see police and prosecutors who do strive to find the truth, even if it means not pursuing the easy prey.
I found this interesting.
The official death toll for the September 11 attacks stands at 2,996, including the 19 hijackers, but research suggests that there is a further, indirect toll as a result of behavioural changes induced by fear.
"German professor estimates an extra 1,595 Americans died in car accidents in year after September 11 attacks"
So the burning question is whether Al Qaeda calculated the effect 9/11 would have on highway deaths in the US. Put that on the list of things to ask al-Zawahiri before someone from SEAL Team Six subdues him with gunfire.
Passengers may be able to keep their shoes on! After 10 long years, we might have the first small move towards sanity.
Now if we could just avoid gropes and radiation, air travel might not be so painful.
Did you miss The Register?
I did 8(
It appears that they and several other sites had their DNS entry hijacked. According to Zone-H
"They all use NetNames as their [DNS] registrar. It appears that the Turkish attacker managed to hack into the DNS panel of NetNames using an SQL injection and modify the configuration of arbitrary sites, to use their own DNS (ns1.yumurtakabugu.com and ns2.yumurtakabugu.com) and redirect those websites to a defaced page."
Apparently The Register is still waiting for a formal explanation ( http://www.theregister.co.uk/2011/09/05/... ) from NetNames, who amongst other things claim on one of their pages,
"Organizations cannot afford to have their online presence unavailable for any length of time. It is therefore imperative that businesses choose a domain registrar that uses a robust, highly available and sufficiently secure and robust DNS infrastructure."
Oops, massive fail; obviously NetNames is "not secure enough" for some "Organizations [who] cannot afford to have their online presence unavailable..."
Oh and NetNames also act as a CA for SSL and EVSSL certs...
Now as all the details are not in we don't know if this would also have affected "Secure DNS"; I rather suspect it would...
I've been pointing out for several years with the likes of "Code Signing", PKI/CAs and other systems such as DNSSEC that it is always going to be possible to subvert the process "up stream" of the signing process, and that is the obvious place to attack, especially if it's at the top of a hierarchical process (and the attackers are proving me right).
Now you might be thinking "yeah so what" well The Register like nearly all the sites involved have a "login process" linked to an Email address, what if the DNS hijack also involved a stolen SSL cert and a password harvesting system?
It is a well known joke about "Tolkien Passwords" that the majority of users have multiple accounts but "just one ring to bind them all" with an identical password.
The nub of the problem is "security is hard, very hard" and way too many people thus outsource it to other organisations that in effect become the tops of large hierarchies and thus nice big fat juicy targets for attackers...
It appears that way too many of these companies to which security has been outsourced (some of very large size like RSA and NetNames), and that are thus actually responsible for maintaining the integrity of the security of the Internet, are not up to the job. And as far as I can see it's all for the same reason: "business process over security process". Which begs the question "What price security?"
In a "free market" it's almost always going to be a race to the bottom, with lowest price and ease of use or convenience being the two major service selection criteria for customers, with security so far behind it's either "over the horizon" or "lost in the grass of the noise floor".
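The registrar hijack described in the comments above is invisible to a site's own servers: the zone they serve is untouched, only the delegation at the registrar has been swapped. One defensive control is to poll the public NS delegation for your domains and alarm on any nameserver outside an allowlist. This is an added example, not code from the comment or from NetNames or The Register; the domain names, nameservers and the dig-style answer text are constructed placeholders.

```python
# Expected delegation per domain (constructed placeholders, not real zones).
EXPECTED_NS = {
    "news-site.example": {"ns1.legit-registrar.example", "ns2.legit-registrar.example"},
    "shop.example": {"ns1.legit-registrar.example", "ns2.legit-registrar.example"},
}

# Constructed sample in the shape of `dig +noall +answer NS <name>` output,
# as it would look after a registrar-level delegation change on one domain.
SAMPLE_ANSWER = """\
news-site.example.    3600  IN  NS  ns1.unexpected.example.
news-site.example.    3600  IN  NS  ns2.unexpected.example.
shop.example.         3600  IN  NS  ns1.legit-registrar.example.
shop.example.         3600  IN  NS  ns2.legit-registrar.example.
"""


def parse_ns_records(text):
    """Parse NS answer lines into {owner_name: {nameserver, ...}}.
    Names are lower-cased and the trailing dot stripped so that
    'NS1.Foo.example.' and 'ns1.foo.example' compare equal."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN" or parts[3].upper() != "NS":
            continue
        owner = parts[0].rstrip(".").lower()
        target = parts[4].rstrip(".").lower()
        records.setdefault(owner, set()).add(target)
    return records


def check_delegation(observed, expected):
    """Return one finding per domain whose live NS set differs from the allowlist.
    'unexpected' servers are the hijack signal; 'missing' ones show what was
    removed, and an empty observed set means the delegation vanished entirely."""
    findings = []
    for domain, allowed in expected.items():
        seen = observed.get(domain, set())
        unexpected = seen - allowed
        missing = allowed - seen
        if unexpected or missing:
            findings.append({
                "domain": domain,
                "unexpected": sorted(unexpected),
                "missing": sorted(missing),
            })
    return findings


if __name__ == "__main__":
    for finding in check_delegation(parse_ns_records(SAMPLE_ANSWER), EXPECTED_NS):
        print(f"ALERT {finding['domain']}: delegation now points at "
              f"{finding['unexpected']}, expected servers missing: {finding['missing']}")
```

In production the `SAMPLE_ANSWER` text would be replaced by the live answer from a resolver queried from outside your own network (the parent zone's view is what matters, not your own authoritative servers), and the check run on a short interval; a delegation that changes without a corresponding change ticket is the earliest visible sign of exactly the kind of upstream compromise the comment describes.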
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.