Schneier on Security
A blog covering security and security technology.
February 24, 2012
Friday Squid Blogging: Squid Can Fly to Save Energy
There's a new study that shows that squid are faster in the air than in the water.
Squid of many species have been seen to 'fly' using the same jet-propulsion mechanisms that they use to swim: squirting water out of their mantles so that they rocket out of the sea and glide through the air. Until now, most researchers have thought that such flight was a way to avoid predators, but Ronald O'Dor, a marine biologist at Dalhousie University in Halifax, Canada, has calculated that propelling themselves through the air may actually be an efficient way for squid to travel long distances.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on February 24, 2012 at 4:08 PM
• 34 Comments
For a while, I have maintained that the ideal candidate for President is someone who would hate being nominated. -- People who want the job are clearly nuts so we can clearly not choose anyone who would be happy about it. But we would need to pick someone who would feel obligated to do a good job so we can clearly not choose anyone who doesn't care about it. -- So that gives an interesting question for Bruce: "How would you feel about being nominated for President?"
Jed Bartlet for President! ;-)
Does this sound like FUD to specifically eliminate cash as a medium for payment so that all transactions can be electronically monitored? I doubt the value of electronic payments for crippling drug cartels etc.
The squid story is much cooler than anything that happened in security this week.
Hey bcs, Robert Jordan's 'wheel of time' books mention a similar theme among some of the main characters (forget where, but the characters I believe are Lan and Rand). Or maybe it was in one of Terry Brooks' books...or a security course I took last year...oh man, I forget now...pretty sure wheel of time though...lol!
"Duty is heavier than a mountain, death, a feather" ;o)
Actually, the court cases are consistent with one another. So long as the 11th Circuit opinion outlined above at Volokh remains good law I'm not panicked. I'm not a huge fan of Fricosu because I'm not a fan of jailhouse confessions under any circumstances but the court there applied what I see as the correct standard.
Overall, I see the courts as working out these cases in a reasonable and rational way. I think the vital question going forward is going to be what happens when someone simply says, "I can't remember the password." That is awkward because it strikes me that there is no reasonable way to handle it.
Another squid news story from the BBC.
26 February 2012 Last updated at 01:59
Eavesdropping on the squid world
By Jonathan Amos, Science correspondent, BBC News, Salt Lake City
The Kill Switch Comes to the (Windows 8) PC
February 16, 2012, 7:32 PM EST
"Microsoft declined to answer questions about the kill switch in Windows 8 other than to say it will only be able to remove or change applications downloaded through the new app store."
Full Story: http://www.businessweek.com/magazine/...
"Any software loaded from a flash drive, DVD, or directly from the Web will remain outside Microsoft’s control."
Riiiiight, like I trust a proprietary Operating System to NOT do something outside of MY control!
Enjoy your uncontrollable remote kill switches, Microsoft 8 users!
Please share this story with as many other human beings as you can before Windows 8 is released.
Find your freedom switch at http://distrowatch.com/
@marge: I do wonder if the kill switch is to allow them to remove applications that break DRM. Remember that a media player upgrade that strengthened DRM was touted as an important security upgrade a few years ago. MS and Apple have proven time and again that Hollywood is customer #1. Even on our own pcs. I will have to imagine that MS will run a PSA style FUD campaign to discourage people from installing apps outside the store.
A. Nony. Mous and that rapist from Europe named Julian have joined forces on the Deathstar to take out Hans Solo and the rest of the noble freedom fighters in the security industry.
@ Marge, Gabriel,
The Kill Switch Comes to the (Windows 8) PC
It is unfortunate but not unexpected, and whilst it is the fault of the DRM and security industry it's probably not at their behest, but to cover M$'s back legally.
It may be seen as the "law of unintended consequences" coming home to bite. As some may know, in the past judges have made draconian rulings that appear to be based on the simple notion that if some "media" can be remotely controlled then "all of it should be, because there is a mechanism in place".
Also at one time M$ was talking to security personnel in government agencies and large corporates about using crypto on everybody's documents etc. made using Office and other M$ products, so that M$ or others (security officers) could make the user-created and copyrighted documents just disappear from the user's PC (the exact method was not clear due to typical M$ FUD).
So the idea is not new, and almost certainly will be left open for abuse by one or more persons.
And it could potentially get people jailed for various crimes and offences they had not themselves committed but which had happened on the PC under their control...
"Duty is heavier than a mountain, death is lighter than a feather" is a Shienaran proverb in The Wheel of Time, and mentioned in connection with both Lan and Rand. The Shienarans might be somewhat similar to the ancient Japanese (I am not at all a historian), which would be consistent, as the saying here on our planet is a Japanese proverb.
Another MS technology precedent to the Windows 8 kill switches are their "Kill bits" (http://en.wikipedia.org/wiki/Killbit), used for many years in conjunction with Windows Update to blacklist/kill/disable 3rd-party Windows ActiveX plugins that have security vulnerabilities.
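As an added example (not from the comment above, from Wikipedia, or from Microsoft), here is a PowerShell audit of the killbit mechanism that comment describes. The registry location and the meaning of the 0x400 bit in "Compatibility Flags" are documented by Microsoft (KB 240797); the CLSID used at the bottom is a constructed placeholder, not a real control.

```powershell
# Added example: audits and sets ActiveX "killbits", the Compatibility Flags
# entries Windows Update has used for years to stop Internet Explorer from
# instantiating a vulnerable control. Reading needs no elevation; Set-KillBit
# does. The example CLSID at the end is a made-up placeholder.

$KillBitFlag = 0x400   # Compatibility Flags bit meaning "never instantiate"

# 64-bit Windows keeps a second view of the key for 32-bit controls.
$CompatPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Read-CompatFlags {
    # Returns the DWORD Compatibility Flags value for a key, or $null if unset.
    param([string]$Key)
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Get-KillBit {
    # Lists every CLSID whose Compatibility Flags has the killbit set.
    foreach ($base in $CompatPaths) {
        if (-not (Test-Path $base)) { continue }
        $view = if ($base -like '*Wow6432Node*') { '32-bit' } else { 'native' }
        foreach ($sub in Get-ChildItem -Path $base) {
            $flags = Read-CompatFlags $sub.PSPath
            if ($null -ne $flags -and ($flags -band $KillBitFlag)) {
                [PSCustomObject]@{
                    Clsid = $sub.PSChildName
                    Flags = ('0x{0:X8}' -f $flags)
                    View  = $view
                }
            }
        }
    }
}

function Test-KillBit {
    # True if the given CLSID is blocked in either registry view.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $CompatPaths) {
        $flags = Read-CompatFlags (Join-Path $base $Clsid)
        if ($null -ne $flags -and ($flags -band $KillBitFlag)) { return $true }
    }
    return $false
}

function Set-KillBit {
    # Sets the killbit for a CLSID while preserving any other flags already
    # present. Requires an elevated prompt; writes both views on 64-bit.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $CompatPaths) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = Read-CompatFlags $key
        if ($null -eq $current) { $current = 0 }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -Value ($current -bor $KillBitFlag) -Type DWord
    }
}

# Usage (constructed placeholder CLSID, not a real control):
$example = '{12345678-1234-1234-1234-123456789ABC}'
Get-KillBit | Format-Table -AutoSize
"Blocked: $(Test-KillBit $example)"
# Set-KillBit $example   # uncomment in an elevated session to block it
```

The audit is worth running on a fleet because a killbit only covers the CLSID it names: a vendor that ships a patched control under a new CLSID leaves the old, blocked one harmless, but a control re-registered under the same CLSID stays blocked even after it is fixed, which is why Microsoft's bulletins list the exact CLSIDs they disable.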
After my recent hassles installing my /legitimate/ copy of Win7 it seems like I won't be upgrading to Win8 when it comes out if it includes such a kill switch. Hopefully enough of the gaming community will add support for Linux over the next five or so years instead of just killing off PC support entirely.
@ No One
Linux's market share isn't worth having the gaming community add Linux support. That stuff can get expensive if you're squeezing every last bit of performance or profit you can out of something. How many people paying $50-60 for a game or recreational app are running it on Linux? Almost nobody, marketwise. That Adobe is discontinuing Flash support on Linux is another nail in the coffin for the "Windows alternative."
I might have to dual-boot after all. (sighs) At least I got to have a few years not worrying about most viruses surfing the web. It's been so relaxing. :)
@Nick P: It's a chicken-egg problem. Why do I run Windows as my desktop machine? Because games run on it. Why do games only focus on Windows support? Because most people have Windows.
Luckily, between Valve and indie shops more games are likely to be available on Linux in the future. (Valve has already started targeting OSX -- Linux isn't a huge step, compile-wise.)
It's worth noting that in the Humble Indie Bundle http://www.humblebundle.com/ , a game distribution run entirely on charitable donations, the Linux people have regularly been willing to pay almost twice as much as the Windows people for the same games. (Latest averages: Windows: $5.09; Mac: $7.44; Linux: $9.08)
As 'No One' says, it's a chicken-and-egg problem. People don't do gaming on Linux because there aren't many games available on Linux. Loki Software, one of the first game companies set up to port games to Linux, failed. (I have over half the stuff they did.) But a lot of the indie shops are including Linux, as they're seeing an untapped market there that's willing to pay to get reasonably high-quality games, and there's a lot less competition in that market. (And supporting Linux lets you get into the Humble Indie Bundle, which has made money for a number of indie game developers.)
(It's also worth noting that a number of the indie games are actually being written in Flash or Java or other cross-platform languages anyway, so 'porting' isn't even really necessary.)
You might want to read,
written by Thomas Rid and Peter McBurney and available from the Royal United Services Institute (RUSI) Journal web site,
Thomas Rid would appear to have similar opinions to you and quite a few readers of this blog. However I do disagree with his well known comment that, Cyber-war is not war because nobody dies. Because people can and do die from the secondary effects of Cyber-crime.
NPR just ran a piece on business identity theft.
It was what seemed like a weird sort of theft-- multiple yellow pages listings under the name of an existing business, but no overt financial attack on the business. The listings only appeared in one edition of the phone book. The listings had addresses for vacant lots, so they weren't a software glitch at the phone book.
Any idea about what might have been going on?
Apparently due to the SCOTUS finding in the Jones case the FBI have had to turn off more than 3000 GPS devices...
And in some cases obtain court orders to turn some back on so they could actually retrieve them.
That said, there is no comment on what the FBI intend to do with the data already stored in these devices. Legally it might be "fruit from the poisoned vine", but that in no way makes it any less useful. For instance, in court in say a year's time the FBI may say they have seen person X at the scene of a suspect activity. However they may dress it up for court as a random happenstance, as opposed to admitting that person X was known to frequent that area on a very regular basis, known from these "poison fruit" records...
Personally I think the FBI should firstly notify all those they put these tracking devices on, and secondly give the persons concerned all the tracking data and other information relating to it.
Not because I think the persons concerned should particularly benefit by it (but civil suit should remain an option for them), but because unless LEOs are actually punished in a meaningful way they will continue to push the envelope well beyond the point of abuse, to the detriment of society in general. And thus they have behaved in an irresponsible way for which an ordinary citizen could expect to receive significant punishment if they behaved in a similar manner.
At the end of the day "respect for the law" is a two-way street; if the ordinary citizen feels they are not respected by the LEAs then they will cease to respect the law. The result of this is initially non-cooperation with LEOs and LEAs, followed in many cases by actual disregard for the law. So the argument can be made quite easily that each time an LEO or an LEA push the envelope in this way they are actually harming not just society's but their own long-term interest.
Possibly of interest Markus's words have been picked up by Government Computer News,
The problem that Markus and others have is it's all well and good talking about Defence-v-Offence, but it does not do anyone in the Information Security business any favours.
Not because they are wrong but... because what they have failed to appreciate is that what they mean when they talk about defence is not what those who should be listening to them think is defence (it's a similar problem as trying to explain "trust").
Thus we have a major failure to communicate because the talker and listener are not on common ground for their thought processes, thus their thoughts jibe.
I keep banging on about assumptions about the tangible physical world not having meaning in the intangible information world, but it appears that the idea is not getting across not just to the "listeners" but also the "talkers".
So just to put it in context the "listeners" such as the general public and politicians who hear the "talkers" like Markus are thinking in terms of "Physical world defence" not "Information world defence" and the two are very different.
The problem is that the gulf of difference between their thought processes is greater than between 18th Century "Earth Works for defence" mentality that gave us the static French Maginot line and 20th Century "Defence by ECM" that stops agile fighter aircraft and other systems being detected and thus becoming targets.
And the reason for the gulf is twofold. Firstly, because at a fundamental level all cyber-weapons are based on intangible information, nothing more; they have no physical existence.
Which is why the only reason the information that is "malware" can have any effect is that the defender's systems use the information incorrectly, as valid instructions to act upon.
Effectively it exploits defects in the defender's systems to turn them from trusted friend into unwitting foe.
Secondly this is a major change in thought processes because unlike traditional "military thinking" we are not defending against others systems but our own systems that have been turned against us.
That is we should not think in terms of "the enemy without" as is the normal military defensive viewpoint but in terms of "the enemy within"
As I've said before it's the difference between thinking about defending a castle and defending a prison.
Hence the communications problem: the "listeners" are thinking "tangible physical defences" like castle moats and walls and other defended positions that act as lines of demarcation between friend within and foe without. Whereas the talkers are often thinking "intangible information defences" such as monitoring devices analogous to "stool pigeons" and "police informants" that provide information on the behaviour of others within the society, by which their intentions may be determined and investigated.
We should therefore not talk of Cyber-war, as it's not, but either Cyber-espionage or Cyber-crime, both of which need an "investigator's mindset" not a "military mindset".
Thus, as insiders within the InfoSec community have known for a considerable period of time, it is actually defects in our own systems that allow the exploits, not the attackers' offensive abilities, and thus it is our own systems that either hurt or betray us, not the systems of others.
And if we stop our systems executing others illegitimate or unauthorised instructions then no amount of information thrown at them will cause them to work for the attacker. Thus at best all the attacker could hope for is to block legitimate communication to our systems.
But "comms fail" is a known problem from control engineering and in terms of control systems they used to be designed such that a "loss of comms" was mitigated in the design by making the receiving system act autonomously to "fail safe".
Thus rather than thinking of adding defensive perimeter systems on top of other defensive perimeter systems, which at best can only be reactive to "known threats", we need to think in terms of training our systems developers to build defence into systems as part of the process.
The sad thing is that we also know how to do this, but those who say it are drowned out by the Hawks blowing their battle horns and banging their marching drums.
All the hawks will achieve (apart from their own self enrichment) is to lead people astray, and divert resources away from effective defence.
Just saw a story that NASA lost an unencrypted notebook computer that had code for controlling the International Space Station. WTH? Will agencies never learn? Encrypt it!! Even a simple whole disk encryption, one password... Jeez, and you would think if someone had that notebook for work they would be a competent enough geek... Just shaking my head...
Just saw a story that nasa lost an unencrypted notebook computer that had code for controlling the International Space Station
Was it by any chance,
It looks like it was lost/stolen over a year ago, and as described not as important as it's being made out to be (but who knows with such "naughty boy" presentations to Gov committees).
It needs to be said though, that in most cases the loss or theft of a laptop or notebook computer is nothing whatsoever to do with what's on its hard drive. It's almost always a crime of opportunity to make money from the high-value hardware, and NASA researchers are likely to have very high-end hardware that "gamer types" are going to desire.
But lets suppose it was a "targeted attack" to get project related information you have to ask of what value it is to whom and why.
The reason it may be unimportant is that firstly the ISS is "International" and much of what goes into making it is shared with so many people it's effectively "public knowledge". Which suggests it would not be a State-level attack.
Secondly it's given as "control code" or "algorithms" in a very unspecific way, which begs the questions "what algorithms?" and "for controlling what?". Arguably the description could cover anything from a "light switch" through to "station keeping".
To be of use to anybody "the code" in whatever form needs to contain some information of value to them. But what information and in what form.
The use of "algorithms" suggests it might possibly be proprietary information that might be of use to somebody wishing to replicate that part of the ISS or those systems used to deliver loads to the ISS, which, as this goes to competitive bids, might be of commercial value.
But is it of any use to anybody planning to attack the ISS directly for some reason?
Which brings us around to the example of Stuxnet. The argument about how much or how little damage Stuxnet did to Iran's nuclear program still goes on and will do for some considerable time yet. But some things have become clear: firstly, the authors of Stuxnet knew one heck of a lot about the target, right down to specific details of plant-level configuration, and getting this level of information was difficult.
But in the Stuxnet case the attackers almost certainly had highly specific information from captured equipment from a delivery from Khan labs/industries to Libya, as well as access to highly detailed reports from the international nuclear inspectors, which would have given "nuts and bolts" details not just of the hardware but software as well. Even with this level of information Stuxnet's effects appear to have been somewhat limited at best.
So in all probability the information lost on the NASA laptop would not have been of any real use to somebody wishing to directly attack the ISS because it would be unlikely to contain sufficient detail about the underlying systems to be of use.
Thus I suspect the biggest harm is to NASA's reputation, which in many respects won't be much as NASA is known to be almost as open as a 1970's University Campus, which is one of the big attractions for the majority of people who work with them.
But as you pointed out they should "know better" today and full disk encryption is on new equipment almost a "no cost" option. But what of a year ago?
Well, as I remember it, full disk encryption was just starting to become available as a manufacturer's option on new laptops etc. and carried a significant price premium. I don't know how many laptops NASA has but I suspect that it's rather more than most similar-sized commercial organisations. And I also suspect the expected lifetime of NASA laptops is likely to be 5 years, not the more usual commercial 1.5-3 year write-down period. NASA is also "publicly funded" and "their books" are open to many, many eyes, so they are expected to be "tight with the pennies" lest they get bad press for being "profligate with taxpayers' dollars".
You can see this in some of the other comments, for instance over 5000 attacks and a cost of 7 million dollars cleaning up, or less than $1400/attack. Based on industry averages that's fairly remarkable, and when you look at what the Feds etc. claim in court cases, not even on the same planet.
So yes I would agree that NASA should "know better" (and very probably do know based on their cleanup costs). But can they afford to do better, probably not even now let alone a year or more ago.
And that's the problem in quite a few places CapEx stops organisations doing what they know they should be doing, and in current times whilst write down of equipment might remain 1.5-3years for tax reasons the chances are that "make do and mend" is going to feature more highly in IT departments with real equipment life pushing out to 5 or more years becoming more normal...