Schneier on Security

Clive Robinson • October 18, 2021 10:40 AM

@ SpaceLifeForm,

With regards,

“revil ransomware shuts down again after tor sites were hijacked”

Looks like someones “Root of Trust” has gone “Walkabout”…

Speaking of which apparently their glorious leader “Unknown” has also gone “Walkabout”.

The dots might be very close, and not far from a nice little room, with spartan furnishings and no view to speak of. In fact SAM or equivalent might be to blaim.

Clive Robinson • October 18, 2021 7:09 PM

@ SpaceLifeForm,

Have you read the second paper?

“AMD Prefetch Attacks through Power and Time”

https://publications.cispa.saarland/3507/1/amd_prefetch_sec22.pdf

You will find that “your favourit itch” Amazon’s EC2 Cloud gets mentioned as being vulnerable.

The thing about these types of attack is people say “they have not been seen in the wild”… But they neglect to mention that spoting them is something that whilst is not impossible is not realy going to be possible for by far the majority except by well down the road “knock-on” effects.

The thing about “Power and Time” is as indicated the side channels leak all sorts of information and the majority of people realy do not understand just how serious they are especially when it comes to things like “Roots of Trust”.

As you are known to say “join the dots” 😉

@ ALL,

Perhaps people should start reading up on “Hardware Security Modules”(HSMs) for use with ALL their Internet accessable computers with “Roots of Trust” like “private keys” and similar on them or generated on them.

Clive Robinson • October 20, 2021 5:40 AM

@ name.withheld…,

The phone, a Snom 870, a Cryptophone.

So it’s a “fixed line VoIP” not mobile phone, but either way it’s not an “ordinary phone”[1] thanks to GMSK in Germany who’s “available source” crypto work went into Snom’s IP-19 hardware…

https://www.cryptomuseum.com/crypto/gsmk/ip19/index.htm

Which means that any “oddity” that “magically appeared” was not a “one off special” for the journalist, but something specifically created by a suitably large and financed organisation for “any person of interest” with that make/brand of phone[2].

Which as they say,

“Is usefull to know”

It also raises some questions about “approvals processes”…

But I think it does make one thing clear,

Possession of a Crypto Phone is painting a target on your back.

Which is something that has been discussed here from time to time.

It is one of the reasons I always suggest doing the “security end point” stuff in a way that is seperate from any communications device.

Another good reason to seperate is “upgrading” with the crypto on a comms device not only are you putting security at risk in many ways, you are also stuck with a costly specialised device and you loose flexability to respond to changes etc which as they say “Slow to respond, quick to die”.

[1] The sales/marketing leaflet (PDF) which indicates the availability of the phones source code can be found at,

https://www.cryptomuseum.com/crypto/gsmk/ip19/files/snom_870CP_leaflet_en.pdf

One oddity, the link you gave, produces an error I’ve not seen before with my browser, which is a “your clock is forward” and it won’t connect… Unfortunately the browser does not alow me to see what time the site thinks it is as far as PubKey use is concerned. Most odd I’ll have to do a little digging.

[2] When propperly “torn down” I suspect that what will be found is highly modular programing of the chip. The reason is in reality there are very few ways you can do a KBY and Mic/Spk interface. So it makes sense to have a near generic design for “all devices” in mind when you design the chip code. With modules developed to take account of individual differences from some norm for all devices not just phones or individual models/ranges of phones. So development for new devices is just a PCB design and a small new module developed or just repurposed. I further suspect there will be no attempt to do “key translation” that is it will just store and send the raw keyboard matrix X/Y numbers. The translation will be done by ordinary software at the agency end of the communications link as and when required. It’s more or less the way I’ve developed such low level systems for flexability for the last four decades or so and I suspect so have many others doing embedded design.

Clive Robinson • October 20, 2021 3:01 PM

@ SpaceLifeForm,

The “Atlas” web site appears to have two things going for it,

1, It is totally borked currently.
2, It appears to be Apple development related.

From the very little information you can currently glean from the site it is written in Lua for some reason (why I’ve no idea).

But not much else to say other than I guess the site is in the very early stages of development.

Clive Robinson • October 21, 2021 1:13 AM

@ SpaceLifeForm,

Case matters to the AI. It should not.

Actually it should, compare

1, See the polish machine working.
2, See the Polish machine working.

It changes from an action to a place of origin.

There are a couple of other words like that but I can not remember them off the top of my head.

Then there are more fun words where you wish capitalisation was required. For example,

3,See buffalo buffalo buffalo

Is less easy to understand than,

4, See Buffalo buffalo Buffalo

But there is the reverse,

5, English English

Oh and don’t get me started on the likes of rare usage words with side effects. @MarkH used one the other day when facecrook was in Yo-Yo mode, and as it was an otherwise “slow news day” for me in a hospital,

https://www.schneier.com/blog/archives/2021/10/facebook-is-down.html/#comment-389950

Clive Robinson • October 21, 2021 5:12 PM

@ lurker,

The first theodolite I had to use seriously forced a rethink of my Anglocentric education: it had 400 “degrees” around its circle, because it was Italian

Ah that French invention the “grade” we call the “grad”. The downside is that the prime factors are 2 and 5 only… Which makes doing things with compass and ruler not as easy as 360 degres with prime factors of 2, 3 and 5.

Most do not realise that 360 degrees came to us via the Babalonians that used Base/radix 60.

Clive Robinson • October 22, 2021 4:36 AM

@ SpaceLifeForm,

If you spot this, best to stand to the side.

At just a glance I would say it has nothing to do with “Havana Syndrome”.

What it looks like at first glance is a mock up or prototype an anti-drone weapon (a real anti-drone weapon would not have cables hanging off of it).

Basically in the middle what looks like a “black gun” looks like a mock up of some kind. Maybe a canister round launcher of some form, or it might be a mock up of a sighting device like a laser range finder not enough detail to tell.

The top antenna is a high gain yagi antenna that is a non-optimal design with a narrow bandwidth for the transmitter. You could work out the frequency range by measuring the weighted average length of the directors (you’ld need a known measure refrence but there are probably hundreds in the picture already).

The white tapered box like object underneath is very probably yet another antenna, this time broad band probably a “Log periodic or similar.

The two antennas look sufficiently “generic” to probably be “bought in” items from a microwave component supplier for scientific / test / military markets. There are hundreds of such suppliers to chose from.

Interesting points to note, the two antennas look like they are cross polarised that is the top antenna is clearly vertically polarised and the bottom antenna probably horizontally. The question is “Why?”.

I’m guessing because it makes the mock up look better.

However the two antennas might form the equivalent of a doplar radar system designed to pick up on the rotors as much as the drone frame. So the cross polarisation might be an attempt to reduce receiver desensitization.

But the cross polarisation would more likely tend to suggest something else… That is maybe they are both TX antennas to cover the ISM bands used by just about every toy manufacturer, maker of WiFi style networking, and of course drones. That is it is some form of “jammer” that covers a couple of chunks of the 1-10GHz range including GPS frequencies.

The reason I think it has nothing to do with “Havana Syndrome” well it’s simple for someone who has spent most of a lifetime working or playing with RF transmission systems.

If you look up the radiation pattern for a high gain yagi antenna, you will find that whilst it does have a large forward beam it also has a “back to front ratio” which indicates how much “spill” or “side lobes” there are. I can tell from just looking at the lack of reflectors that there will be quite a bit of radiation “off the back” of that yagi antenna directly at the operators head.

As I’ve mentioned before the power drop off of an antenna as a first approximation or “rule of thumb” is roughly to 1/50th in the two wavelength near field to far field transition and then as 1/(r^2) there after.

That drop off with the square of the distance “says all”. The operators head is what half a meter behind the yagi that has less than 20db of back to front ratio. Which is saying about 1% –or actually a lot more– of the power going into the antenna is going out backwards at the operator. So the square root of 100 is 10, that means that to get more power at the target than the operator the target has to be less than ten times the distance the operator is or about 5m. Not quite arms length, but you can hold a 16 foot pole in your hands, there are longer “painters poles” and “window cleaning poles” you can by for maby $20 at Home Depot or similar.

Further, if you do the radiological modeling using the thermal heating model to be safe for the operator the maximum TX power would be less than 10watts.

So if that yagi antenna was generating a “Havana Syndrome” beam to attack somebody say as little as 50m / 165ft away the person holding it would be “dead on their feet” first.

Oh and I also doubt the system would be an effective balistic anti-drone measure as well. If that is a canister launcher in the middle, it has a quite limited range probably less than a shotgun if it is to be a reliable reusable device.

It’s likely any semi-sophisticated attacker who was going to use a “suicide drone” would know this and what the range is. They would also know the limited “kill-range” of any device they had attached to their drone. So they would probably use one of two basic tactics,

1, Bite the ankle.
2, Shit from on high.

That is in the first case the drone would be at rest in cover very very close to where the intended target was going to go and basicaly at the last moment gets switched on and “leaps from cover”. So that they do not give the target any time to identify and respond to the threat. With that anti-drone weapon be it canister launcher, shotgun or even just a directional jammer, the time window before effective response would be around 5secs for a person holding it in the ready position not facing directly on (watch people doing clay-pigeon shooting, compared to hunters to see the difference how you are positioned to a target makes).

The second case is to come in higher than the range of the anti-drone weapon from behind or from cover then just follow an expected orbital/ballistic path trajectory to the target (basically drop on). Which the anti-drone weapon could not realy alter thus the device and drone would fall under gravity to within range of the target if hit by the anti-drone device or not.

However one thing I would expect any semi-sophisticated attacker to do that I’ve not, is firstly find out if it is a canister launcher and if so, what goes in the canister in the way of a payload…

Oh and as a sophisticated attacker, I would make my drone more or less “jamming proof” that is modern MEMS used in mobile phones make sufficiently good electronic compasses and inertial navigation systems and cheap small mobile phone PCBs are easy to aquire. So whilst GPS would get you much of the way to the target you would “go inertial” to avoid GPS jaming for the last half mile. Likewise they might even us an IR laser illuminator and paint the target, making such a device is a “high school senior science project difficulty at most these days (it’s only a bit more difficult than building a “solar tracker”). Oh and most definately change the TX RX frequencies from those used as standard which is something quite a few Amature Radio or other RF electronics hobbyist could do fairly easily, as could a lot of under graduates on engineering courses. And I also would think they might consider the benifits of not using “one drone” but several, so I’d consider a half dozen or so not flying in formation might be likely. Kind of like the old “multiple war head” ICBM designs that launched quite a few “decoys” to saturate anti-missile defences.

It’s why cheap drones with a 1kg and up load lift capacity are scaring the living daylights out of “close protection” operatives, because they have no real defence against a “flying claymore mine” as one I know has dubbed it, they have become the new “worst nightmare”…

So a new “Snake Oil” market has formed around anti-drone devices at eye watering prices. Lets assume that mockup was just a jammer, it’s got maybe a production “Bill of Materials”(BOM) of $200. That would put a commercial high volume product around $2000 and a LEO product at $8000-20000 and Mil up in to $64,000 or much more bracket.

Clive Robinson • October 22, 2021 4:57 PM

@ echo, ALL,

I fear too much intellectual energy is going into the wrong things.

In a capatalist system intellect by necessity has to “follow the money” just just about everybody else.

Those who hold the money, only pay for profit.

Due to various factors “war” or more correctly the manufacture of war materials has always been profitable.

But today it is “obscenely profitable” the mark up on the actual component value is not the 5-20 times of consumer products, or 20-50 times for comercial devices but in the 100+ or 10,000% and up range.

Part of the reason for such a mark up in MIL products is the argument that “they have to pay for all the intellect”…

How you break this cycle I have no idea short of extinction, nor do I suspect does anybody else, but that is the way it is currently. Worse I can see why certain people would fight tooth and claw with every dirty trick known to mankind to keep those profits flowing into only their coffers…

I opted out of MIL work early on when I recognised it for what it was. However I can see why even people who despise the system keep working in it, basicslly to make the money to live a life or because that is the only way they can get the funding to pursue their research interests.

I can also see how –past tense–
society was moved forward technologically because MIL investment had “spilled out”. But times have changed, the spill out is less and less useful to society in general, and steadily way more usefull to authoritarian led guard labour for wide surveillance and oppressive activities. The sad fact is the flow is also the other way these days, research funded and carried out well outside of MIL / LEO circles for societaly benificial reasons is being repurposed to be used by MIL / LEO entities.

Back many years ago a fiction writer predicted this effect would happen. Part of the plot line was a researcher injured and disabled in a vehicle accident and confined to a wheel chair developed systems to make disabled people more mobile in society. To find to his horror the military stole his inventions to be used in clasified weapons systems…