Schneier on Security
A blog covering security and security technology.
« Peter Neumann Profile |
| Loopholes »
November 2, 2012
Friday Squid Blogging: Squid Costume
This is great.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on November 2, 2012 at 6:30 AM
• 29 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
BBC Radio program Four Thought, Series 3, episode 29: Anna Minton, author of "Ground Control", argues that the increasingly high security surrounding public and private buildings creates a sense of fear rather than safety. (I don't know whether or not this is available outside the UK)
5x5 on IE in the US. Thanx for the link.
Content was, I suppose, well intended but seemed a little weak as to cites. Probably sounded good to the choir. (As is the case with agendized presentation, both left and right, IMHO.)
That said, the SBD's respnse was even lamer, right out of Cliche 101, both the text and the "3D Virtual Design" app.
WWII carrier pigeon skeleton discovered with an encrypted message around its leg in the UK.
The BBC link : http://www.bbc.co.uk/news/uk-20164591
It seems GCHQ is taking a crack at it :-)
Is anyone else willing to have a go at decrypting it?
OT ....and now for something completely different....
Iv'e been playing around with analysis of long tail risks in financial markets (and naturally if there is a way to profit from this knowledge). The big investment banks tend to label these long tail blips as "black swan" events but the truth is that unexpected correlation is far more serious than some completely unexpected event. Correlation and "correlation skew" are the life blood of derivatives pricing which all centers around a group of algorithms called the "Gaussian Copula". Fortunately you don't need much of an education in stochastics to see huge errors in the very foundation of these algorithms, especially if non-linear forces act within the market.
From a societal Risk perspective the failure (and inappropriate use)of these relatively simple (Gaussian copula) algorithms has caused over an order of magnitude more damage than the 911 attacks BUT I don'e see any major shakeup ( where is the TSA equivalent? where is the new Homeland security equivalent for investment banks?,.....)
This is probably not the right forum... but if anyone is interested the following paper is a good spot to start your education...
ISPs & The Case Of 4567 [REVISED]
"It has come to our attention that Verizon, Qwest/Centurytel, and other companies have numerous ports open for the modems which CAN NOT be disabled. Now, before you question if we're just all idiots that don't know what forwarded ports are, or how to disable remote admin - Simply look up "Qwest Port 4567" "Centurytel Port 4567" and realize how much of a wide spread issue this open port problem truly is. Now, why is it that these companies can't get this right? Could it be a backdoor? Could it be poor programming? Could it be that these companies are working with governments? The following is a conversation with a Qwest representative. Take what you will from it."
"Kaspersky's top 10 list mainly shows problems in Adobe and Oracle products. Not a single Microsoft product on this list. Way to go Microsoft!"
Has Kaspersky poured over the source code of Microsoft's products? Probably not. So IMO this ranking is worthless.
One vendor of proprietary apps ranking another for the same type of software?
Alright, I've been on another paper downloading blitz. I've been looking into all the usual topics, but one's standing out this month: using type systems rather than memory controls for security. Most flaws are a result of low-level nature of programming languages that implement OS's. A few projects tried to make a useful OS with all or most critical stuff written in HLL.
In SPIN, made in late 1990's, they built the OS with Modula 3. They use its type safety & module system in an interesting way. First, there's a microkernel & some core services. Then, extra funcitonality is included directly into kernel space using restricted, type-safe linking. This means applications can safely integrate functionality into the kernel to avoid crossing kernel barrier, leading to excellent performance. They've already used it in a web server, database system, firewall & numerous other projects. I saw a more recent project use similar language & techniques for trusted browser extensions.
My favorite, though, & what inspired this post is JX. I've mentioned it on here before. Here's the paper. Besides JX, it does an excellent summary of many security strategies & previous systems implementing them.
JX architecture, performance & security evaluation
They have designed it to run apps & even most critical OS services on their JVM. That includes parts of device drivers & the CPU scheduler. The programs benefit from Java language type safety. They have mechanisms for controlled communication & resource access. The performance is great considering most of it is running in Java. The TCB is really small. It's altogether excellent work.
Progress on it seemed to stop around 2002. They already had a pretty functional system at that point that was a 3MB download. They ported a few applications to it. I think others could use it for critical applications (DNS or Directory services, for example) or use elements of the project (e.g. design) in a similar project. If using JX, a deep analysis & maybe rewrite should be used before putting critical stuff on it.
I could also see it benefit from recently "verified" java-like runtimes, GC's & JIT compilers (or JIT extensions for Native Client). Aonix has nice attributes in their Java tech that would be worth copying, esp. where real-time is concerned. There's also more complex type systems that claim to prove extra security, safety or functional properties. Opa, SPARK, Dafny & the ML TCP/IP stack come to mind. These kinds of technologies might be re-targeted toward JX or a similar low-TCB, managed runtime.
OT Country dependent decryption
I'm wondering if there are any products that encrypt information in such a manner that the GPS location determines if the software's customers can decrypt the files that they have stored on the device.
Has anyone heard of a product like this?
I actually started to build one of those and discussed it on this blog with Clive, I'm pretty sure. His talks about GPS spoofing & jamming motivated me to not do that unless I thought I could obscure its use. Anyway, Google is only going back to 2010-11 & we had our most interesting technical discussions in the 2007-2009 range. If I find the reference, I'll give it to you.
So, let's say we have to design one from scratch. GPS is kind of imprecise, so I'd say you need an algorithm that says "User's GPS coordinate is within acceptable range (or not) of Expected Input." The crypto would be simple enough: use existing libraries & protocols to do heavy lifting. Gotta build in GPS location, though.
It may come down to one of these:
1. a trusted cryptosystem that bakes GPS into key generation, where wrong or way inaccurate GPS gives nothing
2. trusted computer that acts as a black box checking GPS coordinate & decrypting as a result. output can be made to always look like crypto was applied to it so attackers can't be sure if they guessed right. limited number of tries per whatever to make brute force harder.
3. semi-trusted computer w/ tamper-resistant crypto module. those crypto processors & smartcards usually have TRNGs, crypto, & secure storage. Can store the GPS coordinate in there. Will work similar to 2, but keeps GPS & other secrets locked up. Tougher to crack than a PC's RAM.
All in all, the trick is getting an authentic GPS signal & keeping the secret GPS value from leaking. The coordinate comparison function must be done in a way that doesn't leak the secret, necessitating physical security or tamper-resistant computation. Either of these issues make GPS-based decryption suck if the enemy knows you're doing it & get's ahold of the device (and/or does GPS spoofing).
Thanks Nick, but I think we might be talking about different target applications.
My interest is to protect corporate information by providing a portion of an encryption KEY from the GPS with the rest of the KEY being user supplied.
Clearly GPS spoofing is an issue especially if you want to protect against state actors, but for normal corporate info it seems that all data which resides on an employees laptop can by default be irretrievable when outside a range of GPS coordinates.
It would probably be necessary to keep secret the exact way that GPS was being used. But even that might be unnecessary given the prevalence of smartphones as WiFi / USB tethered 3G data links for laptops and the ubiquity of GPS on smartphones.
anyway that's what I'm thinking about
This report could literally give you a heart attack.
According to a recent report by the US Government Accountability Office the FDA has failed to properly evaluate the information security of medical devices.
"FDA considered information security risks from unintentional threats, but not risks from intentional threats"
Full Report (US GAO)
Report Highlights (US GAO)
Quick summary (TL;DR version on my own blog - BUT I HIGHLY ENCOURAGE YOU TO READ THE FULL REPORT INSTEAD!)
Quantum shopping security
I originally saw a reference to this in New Scientist, but it's behind a paywall (or at least very shortly will be) so I found the original sources.
When users attempt to sign-up for the UK firm "The Co-op" the sign-up page says:
When you manage your account on line or phone us with a query, we will ask you one of the following security questions; (for your own personal security please ensure you use different responses to those on other sites). [empahis mine] [...]
- Memorable name
- Place of birth
- First school you attended
- Last school you attended
Presumably, as New Scientist noted, membership of The Co-op is limited to quantum members who were born in more than one place and attended more than one first school.
Interestingly enough this isn't something new. This choice piece of crazyness was reported back in 2010.
Quote from someone in downtown Manhattan: “We had prepared for an emergency,” Mr. Norich said. “The emergency we had prepared for was an act of terrorism, not this.”
Nothing new for us in risk management. People get all worked up over some risks and forget about others that could affect them.
People get all worked up over some risks and forget about others that could affect them.
Or they follow the money that keeps them and their organisation going...
I've said many times that the best training is generalised training that covers as broad a range of risks as possible (eg "Fire Evacuation" covers fire/bomb/earthquake/etc localised evacuation).
The proplem is since the "war on terror" started the funding has in effect only been for "anti-terror".
And we are starting to see the knock on effects of this that effect everybody, which are only likely to get worse not better...
The US has now had a couple of "Thousand Year Storms" on it's Eastern/South Eastern coast from Hurricanes in what is in effect a decade, the general trend in the severity of these storms is getting worse along with adverse conditions such as drought at other times of year. I don't propose to argue why (gloabal warming / sun spot activity / etc / etc / etc) just note that it has stressed the US emergancy response capability rather harder and faster than might otherwise have occurred.
But it is not just hurricanes where weather extremes have occured. Those living in and around NYC/WashingtonDC have experianced significant power outages this year for considerable periods. Heatwaves and droughts have been more severe as well.
I don't know what the direct and secondary death tolls are from this years outlying "tail" weather has been, but the economic cost just in increased food/fuel prices has moved a very significant proportion of the population from boarder line poverty into poverty.
What is known is that such a change in your personal and family fortunes can take ten to twenty years of of your life expectancy due to getting stuck in an 'ill health spiral" where you don't have the means or the support out of the "poverty trap". Recent studies in epigenetics suggest that this effects upwards of four generations as well...
And whilst those not in such a trap might well "blaim the victim" for the position they find themselves in, they should remember that a healthy population is a necessitie for their own continued existance and good health.
That is ensuring good health in all the population is a "social good" that like a rising tide floats everybodies boat not an "individual good" that a few benifit from. This is because disease spreads more rapidly and considerably further in an unhealthy population than it does in a healthy population.
It is fairly clear to many that the "war on terror" is directing increased resources into areas where at best the resources are being wasted, at worst it is "beggering the nation" for the benifit of a chosen few.
And lets be honest the chosen few are not going to share the mis directed wealth that has come their way, for various reasons not least of all is their sense of "self entitlement" and "short term thinking" that engenders a view point that they are above society and it's morals and laws.
We have seen this mind set amply demonstrated by the likes of Enron seniors and many Bank seniors and many major corporations seniors like major News Corporations. Clearly what they have done is not just moraly wrong but legaly wrong as well.
Sadly their "me me me" attitudes are draging the rest of society down, and not only does this cause a shrinking economy and thus an increase in povert and ill health it, in order to sustain their sense of entitlement they have to "socialy engineer" the population and politicians so that they can continue to get an ever increasing slice of the national pie to every one elses detriment. And this can clearly be seen in the way emergancy resources are appropriated currently.
Bruce might call it "Security theater" but attending the show at it's exhorbitant price is not optional it's compulsory, and this makes it in reality a "tragedy of the commons" which those in NYC and environs are having to currently deal with first hand, including those select few who thought themselves above such things...
My interest is to protect corporate information by providing a portion of an encryption KEY from the GPS with the rest of the KEY being user supplied.
In "theory" it's a nice idea in "practice" it's not practical for a whole bunch of what are practical every day reasons...
As @ Nick P mentioned we have talked about it before and what he was not aware of back five years or so ago I was actualy trying to do almost exactly what you are trying to do but for a more exacting customer than your usuall corporate customer...
The first major technical problem you will need to think about is the use of PCs is generaly an indoor pursuit where as GPS is mainly an outdoor "clear sky from horizon to horizon" technology.
The simple fact is indoors in an office environment you usually cannot see the GPS satellites overhead only those on the horizon out of the windows. The positional accuracy of GPS is dependent on not just how many satellites you see but how orthagonal they are to each other. So if you can see only three satellites out of one window that only gives you a 60degree angle horizontally and 10-20 degrees verticaly then your positional info accuracy is not going to be good, if your receiver will even lock up at all (speak to any IT Dept that decided to go for a GPS based NTP soloution to get a good fund of war stories about where to mount the box).
There is a sort of solution to this problem which is use as secondary location information other systems that are designed to work indoors as well as out. So Wifi and Cellular Base station proximity is one but it's a bit fraught with issues as Google amongst others are very much aware. However this might be OK for the corporate customers you are looking at.
So if the unit remains powered all the time the user when outside gets a GPS fix plus several WiFi and Cellular base stations. When LOS on GPS happens when they go into the building the fact that the unit can still see the same WiFi and Cellular base stations may be usable as a position fix (dealing with full LOS when getting into a lift and reaquisition on gettting out I'll leave as an excercise to the reader).
Then there is another practical issue of "positional granularity" and how you go about deciding what is or is not acceptable.
The first aspect of this is how accurate a fix can you get when standing at a known position? Well if you look at some displays of smart weapons you might think it's a meter or so the reality is even with the SA Code off it's not good, you need continuous averaging to keep any kind of accuracy below 50meters diameter.
The second problem is how do you work out if this reading is in or out of the acceptable usage area? This is actually quite hard as first you have to decide on how you mark out any given area. Do you use a center and distance algorithm which is relativly simple or do you go for a mapped boundary defined by three or more points, which is not just hard on the unit but also on the person setting up the system. In the end I went for a combination of both with a "bubble map" approach. That is you use overlapping center and distance areas to build up the coverage.
However there is a hidden gottcher in this which is position is usually given as "northings and eastings" degrees of longitude and latitude which don't always map to well to the oblate spheroid of the earth especially when you get towards the poles, so you might find yourself doing a lot of "great circle" re projections.
The next issue that might be of concern to some of your potential customers is "GPS Spoofing" even if it is not you are still going to get asked about it.
The simple answer is that the current GPS system without some kind of side channel is and will remain vulnerable to two basic types of spoofing (relay and synthetic code generation) when a receiver has only one antenna or no high precision clock. The sort of clock required to prevent spoofing is usually expensive and power hungry. The distance needed between two or more patch antennas to prevent spoofing is relativly large so not practical for this application. Which leaves you only the side channel option as being practical.
And it's using a side channel and secondry location refrences that makes you start to think for most customers why bother using GPS at all...
In essence, they did a bunch of large withdraws all within the span of 1 minute or 1 minute intervals. Citibank's processing software has duplicate detection built-in & duplicate transactions for security logging purposes (it seems). Yet, due to its implementation, this trick allowed the thiefs to net around $1 million.
There's obvious, even inexpensive ways to fix their duplication detection strategy to prevent such attacks in the future. The thing I find amusing is that ATM withdraw limits should easily prevent such a feat. The withdraws took place in casinos, who have an incentive to loosen limits. Perhaps, the banks with ATM's over there should enforce stricter controls anyway.
Thanks for the feedback on GPS security problems. Fortunately most of the accuracy / availability problems, that you mention, are not actually problems for this product. The customer would be happy with positional accuracy of +-1000m, actually they would be happy with 10000m accuracy. Availability is possibly an issue we are still working on the availability spec because it is really a device power spec (battery life issue). (How many times per day will I attempt GPS sniffing, and is there anyway to make these times correspond with times when we have unobstructed view of the heavens)
GPS spoofing is possible an issue I'm trying to address this by detecting relayed GPS signals. Intentionally generating faked GPS signals is outside the scope of the project, but there are a couple of fall back methods that detect location by more other means. Together this creates the need to fake a very complex environment. Hopefully most people will be put-off by this complexity and those that dont will need to spend LONG time figuring out what is the required environment.
For the type of Information that they want to keep secure a few days to a few weeks is whats required.
You might not even need GPS. Maybe if you re-define "location" to anchor-point or environmental variables. You might have the system sniff to find network addresses, timings of a non-noisy channel, etc. If it detects a huge variance during production run, it acts as though it was relocated.
Another version is using covert channels to your benefit, esp. invisible ones. Having used this before, I don't want to give any good ideas as it spoils my scheme. You're smart enough to come up with some. Here's an abstract framework & a concrete example.
You have a Source, a Receiver, & a transmission medium. The receiver thinks it's in a safe location if it's receiving information from the Source, otherwise self-destruct or something. If transmission MEDIUM is hidden, it may be a little used/monitored signal like 10Ghz, disguised IR, disguised wire connection*, etc. If transmission itself is hidden, then you might pass Source material embedded in IP or other protocol packets using existing low detection covert channel techniques. The signal from the source will be obscure so you get to choose between a static signal & one that changes often. Another thing, if it's an SOC, is timing & interaction properties of connected PCI devices. I remember a few projects showing different configurations had different, measurable & pretty stable properties. If these properties change, an alarm might be called for.
Not saying any of this is practical for your use case but you might have some use in the future. Oh yeah, if you want to use covert network channels, a recent research paper came up with an adaptive one that greatly boosts the performance of timing channels & let's you make specific tradeoffs in detection vs bandwidth.
*The general idea with a disguised physical connection is that the wiring is hidden in something looking commonplace or obviously non-electionic and the connector between the system & hidden signal wire is just a piece of conductive material. Makes it low bandwidth & noisy. Former is dealt with using protocol & latter we have algorithms for.
Lightbulb just went off. Maybe useful, maybe not... you decide. We keep talking about side channels, info leaking over power lines, emanations, etc. Assume (1) you can intentionally cause specific emanations/leaks with software (example below) and (2) you can put a tiny antenna/detector in a COTS system, then (3) you can implement my security scheme using emanations as the medium & hiding the source in a common object. Who do you think would ever look for THAT? ;)
Monitor naturally emanates something (AM?). Software 's effect on monitor causes it to emit Beethoven.
(His playback starts at 1:48.)
@ Nick P, RobertT,
You might not even need GPS. Maybe if you re define "location" to anchor-point or environmenta variables. You might have the system sniff to find network addresses, timings of a non-noisy network addresses, timings of a non-noisy channel, etc
It was the conclusion I came to a long time ago hence my two comments,
"And it's using a side channel and secondry ocation refrences that makes you start to think for most customers why bother using GPS at all.."
"So Wifi and Cellular Base station proximity is one but it's a bit fraught with issues as Google amongst others are very much aware. However this might be OK for the corporate customers you are looking at"
And it is this last sentance that is the all important one.
Basicaly if the customer has control of the area (ie it's their office etc" then you could design a fairly simple beacon that uses the VOR principle to get a reliable direction and modified JPL Ranging Codes to get a reliable distance all of which was easily possible with 1970's style technology. Both of these "antiquated" technologies I've mentioned in the past because they are easy to look up and get ideas from. I'm aware from Robert's pevious comments on "Near Field Communications" to @ Wael he is well aware of much more moder techniques than VOR and likewise Ranging Codes.
However this only partialy solves the problem, because the use of a Beacon of any kind that "has to be installed" will leak out to an adversary on way or another (Shannon's "The Enemy Nows The System" maxim) and thus open the oportunity for spoofing. One solution is to use a ranging code that is infact the output of a stream cipher which is in effect what the non civilian GPS uses to "authenticate", similar can be done with the VOR signals if done with care (hey that's waht "on frequency DSP" is made for ;)
However the customer I was working for had much more exacting requirments and very much higher expectations and having to install a beacon no matter how secure or reliable did not nor was ever going to fit in with their "in the field requirments".
Look at the commercial business equivalent, when you are bidding for business tendered by another company you don't normaly have all the meetings in areas you control like your offices.
In practice many of the most important meetings where realy sensitive info is needed on hand are the initial meetings and almost without exception some if not all will be held in places which are not under your control such as the offices of the company that is tendering. This is the equivalent of the "TEMPEST/Surveillance Traps" that your average nation state has to watch out for when entering into treaty negotiations or peace talks etc.
Obviously in such situations the sales people (ambassadors ;) want to "Be Heros not Zeros" (or worse) and bring home the deal that is most advantageous as their future is also dependent on it. Now one asspect about heros that is not normaly talked about is that they are in fact "reckless gamblers" with their eye very firmly focused on what they consider the prize and they just will not let anything get in their way such as "Rules and Proceadures" put in place not just for their safety but the safety of the organisation.
It is these reckless gamblers who will take any throw of the dice to "Be a Hero not a Zero" who are most likely to destroy an organisations security by blatantly flouting or breaking the rules and proceadures. And unfortunatly they are the ones that generaly the organisation gives greatest leeway to as "They Get Results" in the short term (which in many non owner run organisations is all that the directors are interested in so the reckless gamblers get away with breaking all the rules over and over again...).
Thus you know from the outset that such people will go to any lengths to bypass such proceadures if they can as they also know that there is little or no downside to doing so (Think back to a CIA Director who used to let his kid surf the Internet on an agency issued machine that was used for his work which involved highly classified material, not even a slap on the wrist...). Thus as a minimum any system has to be beyond the ability of such Zero's to bypass even with assistance from those who are more technicaly competent (but less than type I attacker) than they are.
Further the system has to be beyond the ability of not just a Type I attacker but in many cases of large organisations with multimillion to multibillion contract a Type II attacker as well. And the reality is it would be sensible if it could be beyond a Type III attacker as well if you think back to the French Secret Service cheif who on being interviewd by CNN let slip that his organisation performed commercial espionage for French companies as it was a lot cheeper than R&D...
Now if you remember back Nick P and myself have had a number of discussions as to the design of a hardware device that might accomplish keeping data away from "judicial compulsion" and we discussed ways of doing the extra jurisdictional (geographical) control such that you could also get the encrypted data through customs and other such border controls etc. A system for protecting large organisational sensitive data would have to also as a minimum do all ot that.
Now I will mention a point that Bruce and others have often made about National ID scheams and similar as putting to much faith in one single system or method, and thus giving attackers on single target to focus their suborning effots on. In effect a single strong system is more likely to fail than multiple weaker systems. However it is much worse than the normal engineering "single point of failure" because it activly encorages many many different sources of effort and we have seen this with the issues of RSA and further with CA's and similar "top of hierarchy attacks" of recent times. It is also why the likes of *nix's get considerably less successful attacks than the more popular MS OS's. Thus it can be seen in the reality of human attackers that diversity is in practice considarably stronger than the sum of the diverse parts.
And this is a key point we know thhe US Civilian GPS is spoofable and in all probability the latest Mil versions with their reliance on a (supposadly) tamperproof crypto modual is also likely to be spoofable. But we also know the US GPS is not the only one... Therefore there is even in this very narrow market some diversity available. Further due to earlier use of the SA code people developed differential systems forUS Civilian GPS which if it was still used would provide a space diversity element that would make the job of spoofing GPS considerably harder.
But that still does not remove the fundemental issue of all satellite navigation systems being "clear sky" in operation and unsuitable for many urban applications as well as distinctly unreliable in indoor "closed sky" applications.
Currently all our electronic navigation systems have as their fundemental underlying mechanism the measurment of time as constrained by the speed of light (ie some relatvistic effects) to calculate distance from a point of refrence. We further know it is impractical to have a sufficiently accurate time standard in a usable device for attaching to a laptop or other easily person portable computing device such as a smart phone so an external time refrence is required.
During WWII the early electronic navigation systems used various methods. The first was to "cross beams" which as it was not realy time based as such was quite inaccurate but suitable for identifing an area of a few square miles. From that point on all systems were time based and used either a ping pong system where the plane would transmit a pulse and see a time delayed reply from the base transmitter or multiple space diversity systems at the base transmitter end. Such systems can be incredibly accurate provided allowance for the defects in the total channel are alowed for.
Now as a first guestimate in many places there are multiple cell phone services, simply placing two phone calls with different providers should provide some space diversity at the mobile end provided the different service providers are real (not virtual) and do not share transmission sites.
If both calls were placed to a single time source then the path delay for each could be calculated realitivly easily. As audio calls are traditionaly "circuit switched" not "packet switched" changes in path latency are likely to be minimal even with modern digital systems. All that would need to be known is which base towers and down haul routes are used to calculate a curve on which the device must be on. If three or more towers could be used (and there are ways to do this using forced hand off) then a reasonably accurate position fix can be obtained. Google for instance uses a much weaker variation of this to try and get a position fix for phones that either lack GPS or currently can't use GPS.
Now as I've mentioned in the past a modern "smart phone" contains all that is needed to run a drone or other autonavigating pilotless vehicle even when GPS is unavailable and RobertT has given an aproximate price for a chip set in the past. These days such chip sets usually contain not just cellular and GPS radio systems but WiFi as well, and in quite a few cases accelerometers as well.
Thus this provides a great deal of diversity in what the security system has available, so much so that spoofing would be fairly easily detected simply because the spoofer would not know which signals the security system was actively monitoring. Further the spoofer could not spoof and provide the correct aquisition and loss profiles from the RSSI detector in the system simply because the spoofer has to also be a jammer to spoof (I won't go into details on this because I'm not sure what is and is not in the public domain etc).
One thing that cannot be reliably spoofed is the position of the jamming signals themselves and they wont be at the expected positions of the signals they are spoofing. If such a security system were to be built into a laptop or hardend case for a laptop then multiple antenna for GPS (~2GHz) Wifi (~2.5GHZ/~5GHz) and cellular (~1GHz) are fairly easily possible and at orthagonal planes to each other (think four of the six corners of two sides of a cube). It would be reasonably easily possible using a "Phase Sensing" diversity receiver to model what the expected behavior of multiple single point refrence sources should be to any given movment of the security system which would be a known to the system from the accelerometer inputs. As this movment is most definatly an "uknown" to the spoofing system it cannot compensate for the movment and would thus be liable to detection. However it would require some interesting and somewhat complex signal processing to decide what was spoofing and what was due to movment in the evironmeent of things like users, but as they say "Such a system has potential".
So yes it is possible to build a navigation system using modern smart phone chip sets that by knowing fixed points of refrence could establish it's possition within a hundred meters or so quite reliably even if one of the systems (GPS) was not available continuously. Thus such a navigation system could be used as part of a security device.
The main problems being knowing where the fixed points of refrence are, CPU/battery consumption and anti-spoofing technology.
As indicated Google have partialy solved the first problem, building the security system into a ruggedised clam shell case for a laptop would go a long way to solving the second problem along with providing the antenna diversity for the third problem.
The real question now becomes "is there the money/market available to take such a product forward in a viable way".
@Nick P and @Clive Robinson
From his comments I think Clive might have a good idea what the customer really wants. The automatic denial of access for some data in certain jurisdictions is definitely part of the spec. It also must be transparent, at a system level, that data decryption is completely outside the control of the person transporting the data.
I will have a typical 2G + 3G cell phone chipset as the hardware base for this product, so GPS is available, 3D accelerometers are available, WiFi might be available, the RF interface will support all the usual cellphone frequencies. Additionally I will have, if needed, direct access to the RF module to enable some out-of-band environment sniffing. Jammers generally do not work over wide bands, so the presence of a jammer can be discovered by changes in the noise floor between in-band and out-of-band signals. GPS spoofing will be treated as a special case of jamming whereby a ratio between the strongest and weakest GPS signals will be used.
The typical RF module uses a diversity antenna so the ratio of the antenna signals RSSI can be easily combined with accelerometer information to give crude signal direction information. However, I also intend to use the accelerometer information to indicate suitable times to do GPS sniffing. Think about it, im sure you you'll be able to understand why the environment will be exceedingly difficult to fake.
I don't really foresee any difficulty finding a suitable encryption algorithm, this will run on the laptop so in my mind the product is all about providing the key and ensuring that it is obvious to all, that this Key cannot possibly be obtained from the person in possession of the laptop.
It does raise an interesting jurisdictional problem of does the data exist at all if it is indistinguishable from random noise by anyone physically present within that geographical area.
@ Nick P,
The receiver thinks it's in a safe location if it's receiving information from the Source, otherwise self-destruct or something.
Search for "Location Attestation Service".
@ Clive Robinson,
I was visiting this blog the past few weeks, but had nothing to say :( Besides, my ears have been ringing for the past two month -- need to see a doctor...
location attestation service, www.google.com/patents/US20080209515
It was filled in Feb 2007, which is long after I'd mentioned on this and other blogs I've prior art from back in 1995 and I believe there is a UK pattent belonging to the UK Government as well from the work I did on location systems for belive it or not, jammers for protection of VIPs against radio detonated bombs.
From your description of the way you are doing things I would look at definatly seperating the navigation element from the storage element and use an appropriatly protected trusted path between them.
For arguments sake make the navigation unit look like a NEMA serial device format wrapped up in some kind of signed message format sent across a USB interface implementing one of the serial protocols. This way you are reasonably assured of having compatability with several generations of laptops and those to come (and if I remember correctly the USB-Serial device is one of those "standard" interfaces that is not encumbered in the way the non standard ones are).
My experiance has taught me that the best way to do a navagation system is to layer up with the least stable localised system used as the master to which corrections are applied in an acculamative maner by the more accurate nonlocal systems.
So I'd assume you would use the localised acceleratometers to provide continuous position updates to the last known location. As and when a more accurate location fix comes in you calculate the drift average to provide future corrections and update the actual location fix.
This way you know how the drift from the accelerometers happens you can continuously make updates even when a good external refrence is not available.
Also there is a side issue if you think about how humans navagate they realy don't care for their absolute position with respect to the earth but do need some kind of fixed refrence from time to time they can move awayfrom and backto with reasonable accuracy.
They also need a highly acurate local refrence that can be any point that is stable for the time they are chosing to navagate around it. If you look at it as moving around inside a vehical from one place to another. The person piloting the vehicle needs to know the vehicals position with respect to a fixed geographical start, destination or way point. The passengers however only need a local refrence inside the vehical as their nominal position (seat) and various object refrences such they can move around them to get to say the toilets etc. The passengers care not a jot about what point the vehical is at in the journy only the entrance position at the journy start and exit position at the journy end.
This peculiar situation arises because although humans do have a quite reasonable inertial system in their inner ears it's used in a differential manner to keep balance not to aid navigation. Humans navigate from object to object with their senses of sight, hearing and touch with respect to a local point on the object that may or may not be fixed to another refrence.
Which brings up the notion of using a visual system to add accuracy to the navigation as some may have noticed their are now online services that try to display on their screen the same image a user sees when they point the phone at it. In theory you can do the opposite ie view the image from the camera looking for a recognisable point of refrence to take a fix.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.