Schneier on Security

Clive Robinson • February 15, 2010 1:54 PM

I’m getting well known for my “beware of China” attitude.

The reasons are quite simple.

1, China unlike the US takes a very longterm view.

2, China has learnt that invade and hold of buffer countries does not work the way it used to.

3, China has adapted to that change unlike other countries and can be seen using that stratagie in the southern hemisphere.

4, China has about 1/6th of the worlds population and fifty years ago 99% of them where farmers etc. And the belife and work ethic are inextricably linked in their minds.

5, China has to feed 1/6th ot the worlds population

6, China has developed economicaly far faster than just about any other similar population.

7, China needs raw resources and external markets to keep it’s forward momentum.

8, China is on it’s way to being the world #1 for energy consumption.

9, China has bought into the US economy in what at first appears to be an endless mutual pact.

The first thing most people think (incorrectly) is that China has a significant investment in the US that ties them together in a Mutualy Asured Destruction (MAD) Pact. This is actualy incorrect due to certain differences in outlook China most definatly has the upper hand. In that it can develop other market places over the next ten years the US being a consumer nation and the worlds largest debt hole does not have that escape ability. The Chinese could if they wished pull the plug on the US in less than a year. Over and above that the US curancy is so over subscribed that any loss in confidence will cause both the US and China to suffer in the short term, the US for maybe the next 3 to 6 generations.

Senior Chinese Military figures are already talking openly about having a “cold war” with the US in the next 10 years. Meanwhile the US has been ignoring the warning signs for well over that period. We see the US press spouting surprise at China in recent times, the world press however has been overtly commenting on the China-US cool down since halfway through the last Bush administration.

China does not need the US long term or even medium term. It has as noted above two pressing needs,

A, Bring China out of it’s agrarian fuedal past.

B, Maintain the central fiefdom.

That is the “head of the snake” wishes to be incontrol in much the same way it has for centuries, the difference being they want to be world leaders in technology etc so they can spread their writ far and wide without the problems of overt occupation or Empire.

Thus to feed their own people they have an issue in that the new “Technocrats” want the baubles, trappings and status symbols of the “western world” which cost significantly (how many days rice and vegtables do you get for the price of a top of the line European Car?). This means that China has to balance the want’s of the increasing few against the needs of the many.

This can only happen with a rapidly expanding economy. However this creates more “technocrats”…

Hence the point about feeding the 1/6th of the worlds population is by no means the major problem any longer.

The point most people forget is 8 this is the real Achiles heal. If you look into history about “Water Rights” you will see a “blue print” of how the energy wars are likley to be fought.

Keep an eye on the south pole and even the moon…

Clive Robinson • February 16, 2010 8:36 AM

@ Winter,

“1 Chinese are humans. When China develops, 1.5 billion more humans will become rich. What is bad about that?”

It depends on “at who’s expense” it is and the colataral damage caused along the way.

“2 Powerful states can inflict damage on others. If China becomes a world power, they will be able to harm others. Destroying China is the only thing that could prevent that.”

Hmm any state with the right resources can destroy another state it actually takes very little effort if you are not looking for imediate results.

However there is no need to destroy a state and or it’s people to prevent them doing it to you.

The simplest way is not to make it worth while and there are a number of ways you can do that.

“3 International cyber attacks are a non-issue. With US bridges and levies falling apart and complete industries mismanaged into bankruptcy I do not see what makes the Internet special as a vulnerable resource.”

Localisation and force multipliers. In the tangable physical world you would require to be at a point in space and deploy a force multiplier to do any significant damage.

In the intangable information world the weapons are information they have no physical limitations that place any real constraints on them.

For instance let’s make an assumption that I have a zero day attack that enables me to “covertly” infect 30% of the work based servers in the US with a piece of malware at a very low level such that it encrypts data going to or from hard drives and tape backups etc.

I send out a message that tells them to forget the key on such and such a date and time…

Bang something between a 1/6th and 1/3rd of companies backend systems become locked as do their backups over say the past three months.

The stats show various figures but you are looking at something like 80% of those effected businesses ceasing to trade within another three months.

It is estimated that as little as a 1% real shrinkage in the US economy could put the US and dependent nations into a downward economic spiral. If that is the case ask yourself what losing 25% of the economy in three months would do?

“4 The US does not need China for a meltdown. Remember the great power blackouts? The most prolific Spam relays are in the USA.”

Oh so true, the real question is though who runs those Spam relays not where they are geo-located.

“The only times the Internet was really in jeopardy was due to holes in MS Windows (produced in the USA) servers. It is estimated that 80% of PCs running MS Windows (produced in the USA) are infected with malware of some kind. The botnets used in cyber attacks almost exclusively run MS Windows (produced in the USA).”

Hmm not sure about that there is the story of half the US going “off-line” due to the DNS servers becoming unavailable due to a rodent with a taste for data cables (just wish I could find the link).

However you are correct that a “mono-culture” is not a good idea as it removes hybrid vigor from the system which is normaly always a very very bad idea.

“More likely this whole cyber attack madness is about diverting attention from mismanagement and bad policies.”

That may be so but there are very real vulnerabilities which can be and are being exploited.

I suspect it is only the “short term” outlook of cyber-naredowells that actually limits the amount of damage done.

It is this aspect of short term high visability that makes botnets fairly easy to detect and currently deal with.

Imagine what the result would be of longterm covert conversion to making PC’s members of an “Intel gathering botnet”.

It brings you around to that cascade of questions starting with,

1, Why are we connecting PC’s in the workplace to the internet?

2, How are we making a valid inventory of the IP and it’s security on these PC’s?

It is at this point if you have done the analysis correctly you can generaly say that not all PCs are equal.

Therefore you might be tempted to state that not all security needs to be equal.

However that is a dangerous assumption to make for many reasons.

And although you are correct about mismanagement and bad policies I think you have your comment the wrong way around. This “Cyber attack madness” is a direct result of the failings of management and policy and it tends to high light them not cover them up.

However perception is rarely based on reality so with a bit of judicious spin a manager could absolve themselves of responsability for their inabilities, by effectivly arguing it was an inevitable consiquence of having to use poor software from one major supplier (back to the mono-culture issue).

So yes, you are correct from one perspective and wrong from another…

Just the sort of place a FUD-Spin meister loves to thrive…

Clive Robinson • February 17, 2010 3:53 AM

@ IT Nija,

“the National Security Agency was recently hacked.”

If it was (and I’d need to see other supporting independent evidence).

It only confirms the “elephant in the room” of high complexity software. That is any code more than a few tens of lines long is vulnerable when connected to the Internet and it is just a question of when the zero day happens to it (arguably a pesimistic viewpoint on my behalf, but then “I’ve got the scars” to show why 8(

As others know, I have a problem bordering on a “chuck the toys out the pram” issue with,

1, Companies connecting all internal computers to the Internet (either directly or indirectly).

2, Assuming that “one size fits all” for computer security.

3, Executives assuming it is not going to happen to them in their short tenure, thus playing Russian Roulet with their share holders reputation.

Yes IT staff appear complacent with the situation but it is more likley to be “battle fatige”.

There are solutions to the issue but…

The original question should allways be asked,

What potential information on this users computer might be of value to others outside of the company?

Then the second question,

Does the company gain anything by connecting this information to either the rest of the company or the outside world through provably insecure software?

Then the next question should be,

What are the companies liabilities to regulators shareholds and customers should the information go outside of the company?

At this point if the assessment has been done correctly which is highly unlikley* (even for real as opposed to faux security experts) you should have a bottom line risk value.

This should then be used as a base line “expected loss” (in any faux ROI calculation). This should then be used to see if the “potential business advantage” is larger than either the “expected loss” or the cost of mitigating the “expected loss”.

Thus I’m generaly in favour of “air gaps” and heavely controlled “media transfer” across the gap.

There are ways to do this and still get the business benifits, the problem is at an almost marginal cost. However modern execs are into reducing / eliminating such costs to “maximise return” or perceived (the faux) shareholder value.

• The reason for this is it is extremely difficult to assess the value of information. Especialy if you don’t realise the information exists or what it’s value is.

Information value is something a “domain expert” in a “field of endevor” not a “security expert” can calculate.

For example a researcher makes searches of external online DBs, the usual and incorect assumption is this is ehpemaral information.

The search information can give another person in the same field of endevor a very good idea of what the researcher is doing. Thus the search information offers competative advantage if known.

However secondly if it can be shown in court at a later time that a person in the company searched a patent DB and pulled up a patent that might just concevably (in a Judges corkscrew mind) cover a product the company makes then in the US this automaticaly tripples the damages should it become known. as the defence of “inocent infringment” nolonger holds. Thus even the “domain expert” in the “field of endevor” might not assess the information correctly, so what chance has the “security expert”. Oh and remember when asking a legal person for advise they are “never wrong” as they know what litigation can cost thus they always cover themselves, which generaly makes their advice “it is inadvisable…”

Oh and in the US have a look at the new little money earner for tort (civil litigation) Lawyers and judges “electronic discovery” it will make your mind bleed.

Clive Robinson • February 17, 2010 7:19 PM

@ Nick P,

“I like a lot of the principles in your reply to Conner, but I have to differ on a few.”

That’s OK by me they are informal rules, for those who feel they must do what they should not 8)

Not rules for those who realy do know what they are doing (I just wish I knew somebody who did though 😉

“The first is about state-based design. That’s merely one way to do it…”

Yes there are other ways but untill recently they where not as amenable to analysis by your every day code cutter.

Also most team leaders and their next two managers up can usually understand them as well 😉

“The other issue was state transitions with payloads. There’s no reason to get rid of payloads. They are the very basis of asynchronous systems, for which there are many verification tools available.”

Ahh I think we are talking at cross purposes.

When it comes to “protocols” it is best to not have the protocol acting on the “data” content or payload.

Likewise it is also good to have protocols “lock steped” or synchronous for other reasons (redundancy side channels).

The two are seperate issues but the solutions have a large overlap.

Irespective of if the protocol is synchronous or asynchronous data and control are best strongly segregated to minimise potential interaction.

That is the data or payload is encapsulated from the protocol and it’s control channel, and thus the protocol state cannot be changed by the payload only the control channel (with two exceptions, error & data end).

It also has to do with “redundancy” and “optional path” issues that open up their own nasty little side channel potential (side channels are like roaches every time you look you find another one 😉

Unless you realy do know what you are doing (and those people, in general assume that they are fallable which is why they “peer” for sanity) It is best to maintain clear and rigid segregation between data and control.

With regards the EmSec “clock the inputs and clock the outputs” giving rise to pipelining and master clocking. It is a “tangable world” concept that is being mapped onto an “intangable world” where the tangable is a subset of the intangable….

Which is why you have seen work that makes you say,

“This would seem the intuitive response, but other methods and definitions of clock have been devised.”

And yes an incorectly implemented “master clock” can add a whole host of side channel issues. But in general it is something that is much more easily checked and verified than, say checking for a “Direct Sequence Spread Spectrum” (DS-SS) modulation that goes right through the system effectivly invisably in either direction.

It is again a question of what the protocol designer can truly be conversant with. At the “code cutter” end, a master clock (where possable) is less likley to cause easily exploitable side channels.

The MIT paper you refer to “Synchronization with eventcounts and sequencers” is it the ACM feb 79 paper?

If so I very vaguly remember it from when I was designing multidrop host communications in safety critical systems, but my brain is getting old and hazy. So I don’t see the connection.

Do you have a non “paywalled” URL to the document you are refering to?

Anyway it’s 01:15 in the UK and my brain is most definatly not at it’s best, and being rushed to hospital A&E (ER) with anemia yet again has not helped 8(

Clive Robinson • February 20, 2010 6:31 PM

@ Nick P,

The real question is not the rules,

But how do we make “little Johnny code cutter” follow them.

Or more correctly,

Get his boss to give him the time to use the tools that are just starting to become available as “FOSS” etc…

Whilst high assurance systems are not cheep to build etc, in the majority of cases it’s not high assurance we need just a slightly better quality of code cutting.

Almost perversly, at the moment a 5-10% improvement in security programing will make around a five to ten fold improvment in real security…

Such is the lack of ability in Jo Average code cutters to do secure coding…

Well hopefully Bruce’s new book will make interesting reading for them.

Mind you I’m still waiting for a book from Bruce and Ross J. Andreson but I guess if it happens now it will be on thee economic perspectives of security 8(