Schneier on Security
A blog covering security and security technology.
« Luggage Hack |
| Using Science Fiction to Teach Computer Security »
July 29, 2011
Friday Squid Blogging: 25-foot Giant Squid Caught in Fishing Net
A 25-foot (or maybe 23-foot) giant squid was caught off the coast of Florida.
Also, I'm going to try something new. Let's use this weekly squid post to talk about the security stories in the news that I didn't cover. I'll be doing this every Friday, so please save any stories you want to post about for squid threads.
Posted on July 29, 2011 at 4:22 PM
• 67 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Found on Slashdot...
House Panel Approves Bill Forcing ISPs To Log Users
Posted by Soulskill on Friday July 29, @04:18PM
from the uncle-sam-wants-to-know-you-better dept.
"Under the guise of fighting child pornography, the House Judiciary Committee approved legislation on Thursday that would require internet service providers to collect and retain records about Internet users' activity. The 19 to 10 vote represents a victory for conservative Republicans, who made data retention their first major technology initiative after last fall's elections. A last-minute rewrite of the bill expands the information that commercial Internet providers are required to store to include customers' names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily-assigned IP addresses. Per dissenting Rep. John Conyers (D-MI): 'The bill is mislabeled... This is not protecting children from Internet pornography. It's creating a database for everybody in this country for a lot of other purposes.'"
I will bet that bill has nothing in it about keeping that data secure, or maintaining the integrity of the data, and will probably NEVER lead to an internet porn conviction of any kind. All of that information makes everybody a target for fraud. Why would crooks ever have to use SPAM or install trojans on any computer ever again when they can (and will) get that data directly from the centralized ISP files, which will probably be searchable by Google (oh, and wide open for the spy agencies as well).
I read the actual text of the bill (http://thomas.loc.gov/cgi-bin/query/z?c112:H.R.1981:) and I'm not sure where they get the idea that ISPs are required to store names, addresses, bank account numbers, etc. The bill only says the ISP has to keep a record of the IPs assigned for 18 months. Undoubtedly, your ISP already has your name, address, credit card, etc. on file (so they can bill you), but there is no requirement (or even suggestion) that this info all be lumped together.
Furthermore, the second of the two statements related to ISPs says "It is the sense of Congress that records retained pursuant to section 2703(h) of title 18, United States Code, should be stored securely to protect customer privacy and prevent against breaches of the records."
Over all it sounds like a pretty stupid bill, but I don't think it is as troubling as many have made it out to be. I wouldn't vote for such a bill, but I'm not surprised that 19 people did.
This is just to get the squids more attention, isn't it?
Well, okay, here's an interesting story about an inmate who was able to post bond due to an unexpected condition in the system of a company that provided phone service to the jail:
Note that in this case, it was uncovered by something we wouldn't normally think of as "security"-- by someone, or some software, noting a high number of connection problems.
Why does Thomas Gov URLs end with a smiley face?
Is a proxy a "remote computing service"? How about that newfangled cloud?
Ryan: I think the point of storing the IPs is precisely because they have to be matched to a customer - which means all the rest of the customer ID info is likely to be stored as well.
It's a back door way of requiring everything to be stored. Because most companies aren't going to bother to sanitize the data, just back up what they already have.
So, yes, the bill does just create a big database for absolutely no criminal prosecution value whatsoever.
Do you want us to stop sending you news stories?
While it's a nice idea, the only problem with saving the "off topic" stories for the squid thread is that it will end up being confusing with several different stories being discussed in the same thread.
OTOH, that's probably not so different from the current situation. :-)
The real problem is there's just too much fun stuff to talk about in security. And too many smart people here to discuss it with! :-)
Meanwhile, the Antisec crowd nailed another FBI security contractor, Mantech. The hackers point out: ""What ManTech has to do with the FBI? Well, quite simple: In Summer 2010 the FBI had the glorious idea to outsource their Cybersecurity to ManTech. Value of the contract: 100 Million US-Dollar."
"Do you want us to stop sending you news stories?"
No. Please keep sending them.
"While it's a nice idea, the only problem with saving the "off topic" stories for the squid thread is that it will end up being confusing with several different stories being discussed in the same thread.
"OTOH, that's probably not so different from the current situation. :-)"
Right. The alternative seems to be discussing off-topic topics in the comments to posts with an actual topic. This can't possibly be worse than that.
Bruce: "This can't possibly be worse than that."
We can try! :-)
> This can't possibly be worse than that.
Famous last words?
So this becomes an "open thread" sort of thing? Not a bad idea.
If it turns out well, you could start putting a link in the sidebar to the current "open squid thread" to show visitors the way. (Would be most useful when the latest one is almost a week old, I imagine.)
Wish I'd known this back when... :-)
Researchers Say Vulnerabilities Could Let Hackers Spring Prisoners From Cells
Of course, where the hell you go once the cell is sprung is another matter... Even if all of the prisoners are sprung at once with the intent of starting a prison riot and mass escape, there's no guarantee anyone can make it out of the facility.
You'd have to spring ALL the doors and almost all prison facilities have multiple sealed doors between the housing units and administration area, let alone the outside world. There are some exceptions - Florence Federal Correctional Institution has only one set of mantrap doors between the housing units and the central grounds, for instance. It's a medium security facility, which means surrounded by double alarmed fences topped with razor wire and guard patrols between the fences.
OTOH, the Alameda Country Jail in northern California has locked doors between the housing units and the mess hall, between that part of the building and the external corridor (and the central control room for the housing unit), and between the corridor and the central yard - and more doors between the central yard and the administration portion of the facility. Some of those doors are large sliding steel doors which are quite impenetrable if locked. The entire facility is poured concrete. Getting out of that facility would not be easy even if you had the run of the place.
"Getting out of that facility would not be easy even if you had the run of the place"
What's your meme about security?
I know someone who claims that if "food and water can get in, and waste out, then given time people can and will get out." Their job used to be advising on the design of high security facilities but not of the normal correctional type.
Speaking of prison breaks,
Seams they only got caught by accident in that "brick dust" was spotted by an eagle eyed individual.
Do please check the thread first to make sure you're not posting a duplicate story.
One hundred Schneierbiscuits to those who can answer these questions three:
1) ManTech worked with what other insecure security firm? Hint: HBG--y.
2) Who is the ManTech board memeber who was once part of a disinformation plame-war? Hint: R-ch-rd Arm-t-g-.
3) What is the name the ground-breaking Talking Heads album which is also the number of police department domains AntiSec hacked today. Hint: http://www.thetechherald.com/article.php/201130/...
(That's the only "news" site carrying the story now, so take it with a grain of salt.)
A: Red... No.... Blue. Ahhhhhhhhhhhhhhhhh!
Squids & security thread: Oil and Water?
Why not just post a thread every Monday labelled ``Extra stories'', or if your CMS requires unique titles, ``Extra stories-2011-07-01''? That way we
a) don't mix squids and blags, and
b) don't need to save all our stories through the week in anticipation of the squid's appearance.
First, a nice new weapon and some cases of subversion illustrating why subversion resistant development & deployment processes are necessary. (Currently, most development methods ignore subversion & most OS's are vulnerable to it.)
Flying drone can crack WiFi, Intercept GSM
ALDI sells hard drives with malware on them
Indian hacker plants backdoor in Symbian phones
Android malware roots phones, steals data
Second, another example of how traditional software development practices fail to get the job done. And on a compiler, no less.
Third, examples of using high assurance development to prevent those kinds of problems.
CompCert: Formally verified C compiler (now w/ x86!)
CompCert survives six CPU years worth of tests
So, USE IT ON PRODUCTION CODE! They're doing another one right now to compile the type of ML, called Mini-ML, that the Coq proof assistant automatically generates from formal specifications. FLINT, a certifying ML compiler, is already pretty good.
JINJA: Formally verified Java-like language, runtime & compiler
And on building secure systems or high quality software, I have to hand it to Green Hills for cranking out offering after offering over the past few years. Their marketing is over the top sometimes but their DO-178B offerings undoubtedly have low defects, maybe none. (Leaning toward low...)
Commemorates 10th year anniversary of INTEGRITY-178B
Praxis is leading the pack showing low-defect software can be built repeatedly using the right processes.
Correct by Construction: Manifesto for High Assurance Software
OK Labs has come a long way from merely commercializing L4 kernels. Lots of good stuff.
Ada and SPARK still keeping quality up
"Perfect Developer" making formal development easier
(their company blog is really insightful too)
Certified human machine interface generator
SCADE: Model-based dev., verification & generation
Note: All the DO-178B tools and middleware are primarily developed for the embedded market but could (and probably should) be used in network appliances, thin clients, & "secure" general purpose OS's.
Here's some new architectures & approaches that might help solve our big security woes.
Bastion Architecture (a favorite of mine)
TIARA Security Architecture (MIT & DOD)
(I independently invented something very similar for special-purpose computing. I haven't looked at this in detail but it's worth posting.)
Mirage: Ocaml-based, minimal TCB runtime & compiler
SIF: Tool for building secure, auto-partitioned web apps
And of course what everyone needs to have read already (both 1st & 2nd editions). I'm re-reading it selectively now because it's easy to forget little, important things over time.
Ross Anderson's "Security Engineering" books
And I dug up some links to countermeasures for TEMPEST and EManation SECurity issues. Would be great to see RobertT or Clive vet the material.
Design of Shielded Enclosures: Cost-Effective Methods to Prevent EMI
(Do check out the "Customers who bought this... also bought..." part. Many interesting things popping up.)
Electromagnetic Shielding - Wiley Books
@ Bruce Schneier
I like Terry Cloth's idea about having a weekly thread for security stories. Particularly that we could post them as we come on them. This would prevent us from having to wade through however many stories your readers can come up with in a week. More manageable discussions, too.
Although it is a day after Friday, the following may be of interest:
In a Salon article, Glenn Greenwald talked about Norway responding to the Oslo attacks. In particular, Norway's political response emphasized openness and tolerance, and did not emphasize a rush to implement increased security measures.
In other news, Randi Zuckerberg (a marketing director at Facebook) has put forth the view that disallowing anonymity and requiring real names will lead to improved behavior in the case of Internet environments.
The Electronic Frontier Foundation has talked about the benefits of allowing persons to use pseudonyms in online environments.
Following up on the post above about Anonymous hacking cops:
"In retaliation to the unjust persecution of dozens of suspected Anonymous "members", we attacked over 70 US law enforcement institutions defacing their websites and destroying their servers. Additionally, we have stolen massive
amounts of confidential documents and personal information including email spools, password dumps, classified documents, internal training files, informant lists, and more to be released very soon. We demand prosecuters immediately drop all charges and investigations against all "Anonymous" defendants.
The 10GB of private law enforcement data contains:
* The mail spools of police officers from dozens of different PDs
* Usernames, passwords, social security numbers, home addresses and phone numbers to over 7000 officers
* A list of hundreds of snitches who made "anonymous" crime tips to the police
* Hundreds of internal police academy training files
The leaked data also contained jail inmate databases and active warrant information but we are we redacting the name/address info to demonstrate how those facing the gun of the criminal injustice system are our comrades and not our adversaries. On the other hand, we will be making public name and contact
information about informants who had the false impression that they would be able to "anonymously" snitch in secrecy.
While many of the recent "Anonymous" arrestees are completely innocent, there is no such thing as an innocent cop, and we will act accordingly.
"The day will come when our silence will be more powerful than the voices you are throttling today." - August Spies, Anarchist Haymarket Martyr
I'm beginning to love these guys... :-)
"Sheriff John Montgomery says the server for the sheriff's website was shut down Tuesday. He also says he doesn't have any specific information about a hacking incident, but that he's not too troubled about any alleged security breach."
YEAH WE OWNED YOUR NEW SERVER TOO! SHOULDA EXPECTED US ... HACKLOG COMING SOON!!
Over 70 US law enforcement institutions were attacked including:
20jdpa.com, adamscosheriff.org, admin.mostwantedwebsites.net,
bakercountysheriffoffice.org, barrycountysheriff.com, baxtercountysheriff.com,
baxtercountysherifffoundation.org, boonecountyar.com, boonesheriff.com,
cameronso.org, capecountysheriff.org, cherokeecountyalsheriff.com,cityofgassville.org, cityofwynne.com, cleburnecountysheriff.com,coahomacountysheriff.com, crosscountyar.org, crosscountysheriff.org,drewcountysheriff.com, faoret.com, floydcountysheriff.org, fultoncountyso.org, georgecountymssheriff.com, grantcountyar.com, grantcountysheriff-collector.com,hodgemansheriff.us, hotspringcountysheriff.com, howardcountysheriffar.com,
izardcountyar.org, izardcountysheriff.org, izardhometownhealth.com, jacksonsheriff.org, jeffersoncountykssheriff.com, jeffersoncountyms.gov, jocomosheriff.org, johnsoncosheriff.com, jonesso.com, kansassheriffs.org,kempercountysheriff.com, knoxcountysheriffil.com, lawrencecosheriff.com,
lcsdmo.com, marioncountysheriffar.com, marionsoal.com, mcminncountysheriff.com,
meriwethercountysheriff.org, monroecountysheriffar.com, mosheriffs.com,
mostwantedgovernmentwebsites.com, mostwantedwebsites.net,newtoncountysheriff.org, perrycountysheriffar.org, plymouthcountysheriff.com,poalac.org, polkcountymosheriff.org, prairiecountysheriff.org,
prattcountysheriff.com, prentisscountymssheriff.com, randolphcountysheriff.org,rcpi-ca.org, scsosheriff.org, sebastiancountysheriff.com, sgcso.com,sharpcountysheriff.com, sheriffcomanche.com, stfranciscountyar.org,
stfranciscountysheriff.org, stonecountymosheriff.com, stonecountysheriff.com,talladegasheriff.org, tatecountysheriff.com, tishomingocountysheriff.com,
tunicamssheriff.com, vbcso.com, woodsonsheriff.com
7000+ Accounts from Missouri Online Training Academy (mosheriffs.com)
Names, addresses, phone numbers, user IDs and passwords (in the clear, apparently!)
That last is ridiculous. Do cops have ZERO concept of IT security?
Clive: ""Getting out of that facility would not be easy even if you had the run of the place"
What's your meme about security?
I know someone who claims that if 'food and water can get in, and waste out, then given time people can and will get out.'
Oh, sure. I was talking about how if you got out of your cell as a result of someone springing your lock, you'd still have a problem getting out of the compound, particularly in the case of an active response from the staff.
The Guardian case is in a prison with bricks. Most of the new prisons in the US are poured, steel-reinforced concrete. Even the bunks and desks are just extruded out of the wall. The only possible exit might be through the toilet if you can rip it out. The only window - which is thick safety glass (which can be set on fire and broken that way, I've seen that done) - is too narrow to fit a human head through.
The one vulnerability I noted at Alameda County Jail was the small court used for recreation in each housing unit. It's monitored by cameras. The only escape route would be to somehow get up to the 20-foot high roof which is open and covered by a wire mesh. Spiderman or someone well versed in climbing probably could do it - if he had the tools to get through the mesh. That would put him on the roof of the facility from which presumably he could get close to the surrounding fence.
Probably the only realistic way to escape from one of these facilities is by social engineering. Allegedly someone was preparing to try that at Florence FCI. They managed to somehow acquire one or more guard uniforms and hid them in the chapel. The idea apparently was to disguise themselves and somehow talk their way past the various checkpoints into the administrative area and out the front door. Someone ratted them out, however.
Reminds me of the Peter Sellers movie where he had someone come in who looked like him while he escaped. When he got outside, he tugged the "fake" beard, which wouldn't come off. He exclaimed, "The wrong man has escaped!" :-)
@ Richard Steven Hack,
"The Guardian case is in a prison with bricks. Most of the new prisons in the US are poured, steel-reinforced concrete"
Yes it was an old prison built many years ago before more modern building techniques were available. Mind you from what has been said the particular escape could only have been done from two out of the very many cells.
Oh and even "poured cement" has it's vulnerabilities to those with a lot of time on their hands. So the security could rest on the spacing and type of re-bar used.
"The one vulnerability I noted at Alameda County Jail was the small court used for recreation in each housing unit. It's monitored by cameras. The only escape route would be to somehow get up to the 20-foot high roof which is open and covered by a wire mesh. Spiderman or someone well versed in climbing probably could do it - if he had the tools to get through the mesh."
It's actualy been done.
Not all the details are available but from what is publicaly known apparently,
(1) The first major mistake made by the authorities was to have a blind spot which the cameras did not cover in one corner.
(2) The second major mistake was to think a prisoner would not notice and work out the blind spot.
(3) The third mistake have a policy of "solitary prisoners" exercising on their own in the yard.
A prisoner did notice the blind spot and the routien for "solitary prisoners", he made a rope out of dental floss and a small weight. He did whatever was required to become a "solitary prisoner".
What is not known publicaly is how he got through the mesh at the top of the yard (I'm assuming the mesh holes alowed a hand to get through to the fastenings or the mesh could be cut in a non obvious way).
I'm further assuming that over a period of days he managed to work a fastening loose etc and then climbed up and did one or more reckies before actually making his escape.
And no he did not get clean away. If I remember correctly he did not as such just want to escape, he wanted revenge and was stupid enough to act on that and other impulses.
Which reminds me of another important escaping prisoner issue, it's the way "goal oriented" prisoners who escape don't always think far enough ahead (it's the same with robbers and the proceads of the crime)...
In Colditz they had a problem which was not fitting in to the suroundings outside the castle and the general hue and cry raised when a prisoner did escape. That is difficult as it was, getting out of the Castle was effectivly the easy bit.
So they realised the solution was to escape without leaving the Castle and then at some later point leave the Castle for real.
So for the sake of a movie plot,
You would have to have two escape routes and a reliable hiding place to actually get away.
One route actually being realisticly within your capabilities, the other being only just doable if you were an Olympic class Spider Man in the last step.
So for arguments sake you find a route which the last step is virtually suicide / impossible and another route where you say sneek out with the garbage (not that this should be possible).
You stage your escape with an obvious trail leading to the suicide/impossible step, but instead of taking it you sneak back into your prepared hiding place. You then sit it out and some time later sneak out with the garbage.
It's movie plot, because not only is "ghosting" a known trick which should not be possible in a modern prison, it actually has been used as a movie plot (most recently I think in "Numb3rs").
However it shows that you do have to think on how you go about not just reaching a goal (escape) but actualy how you achive the next goal (evasion) which are just the first two of many steps needed to be a successful escapee.
And to be honest if a person has the brains to accomplish those next steps, they should not have been in prison as a criminal in the first place (though as the officers in Colditz knew sometimes you could be a prisoner for other reasons).
As my father told me when I was quite young when he found out I had a skill for picking locks, "If you have the brains to commit the perfect crime, you have the brains to earn more money honestly", and for some reason I have not chosen to try and prove him wrong.
@ Clive Robinson
"As my father told me when I was quite young when he found out I had a skill for picking locks, "If you have the brains to commit the perfect crime, you have the brains to earn more money honestly", and for some reason I have not chosen to try and prove him wrong."
He is wrong. Certainly right about earning more honest money, but crime still pays more if executed perfectly. I've already worked out the perfect crime recently. It would net over a billion dollars. It's also not really illegal: a gray area that lawyers would have a hard time convincing a judge on. The investment for the crime will range from a few hundred thousand to a few million dollars.
Although being a billionaire seems awesome, I don't intend to execute this plan. There are simply too many headaches that come with acquiring that much money & a similarly criminal individual finding out about it. (Or the IRS/FBI/NSA...) Far as they're concerned, I'd rather be a curiosity than a target. ;)
Clive: Interesting story, especially the dental floss. That is something prisoners have lots of time to do - make their escape tools. Which is why guard do random searches of cells in the US Federal system. Of course, their searches are usually crappy and more for harassment than actually finding anything.
Which is why prisoners frequently select other prisoners who are not considered much of a risk and have them hold their tools - assuming they believe the guy isn't a rat (which is so common it's almost ridiculous.)
I used to hold stamps for some of the gambling bosses at Leavenworth in my locker in my cell because the guards didn't suspect me of gambling and the bosses knew I wasn't likely to steal the stuff. That earned me an ice cream from the commissary once a week and occasionally some illicit pizza made from the mess hall... :-) Eventually I quit because it was becoming too much of a "job".
Nick P: With a billion dollars, you can buy your way out of almost anything. OTOH, if your plan requires you to maintain the facade of being "legitimate", then you will have all the security issues you mention.
The only solution is get the money, then disappear. Then use the money to maximize your security instead of just your comfort.
This sort of thing was discussed in the various Syngress books: "How do you get away with stealing, say, four billion dollars?" Most of the considerations they brought out were possibly legitimate, but being hackers and not criminals, the authors really were wimps about solving some of the problems.
The main problem is the low imagination of criminals. They want money so they can BLOW money. One of my cellies was a Boston townie who robbed armored cars. He'd get away with $50-75K or more - then go down to Miami and blow it all. If he'd kept it, after ten jobs or so, he could have retired with 1/2-3/4 of a million invested at twenty percent.
If I managed to steal a billion dollars (or even a few million), I'd use it for much more than wine, women and song. And I'd make sure no one could find me in the process - and if they did, I'd make sure they'd end up dead as a result.
When you make a big score, security is your first concern, followed by making good use of the money to develop oneself. Enjoying life is a very limited goal - survival is the only primary goal.
I wouldn't say crime pays more than "honesty" - provided you can say Bill Gates is "honest", which is stretching the term to complete distortion. Or a lot of other rich people as well.
But like most generalities, it's mostly a worthless concept. Some criminals do well, most don't - just like honest people. It's all in the planning and the execution of one's life.
Unfortunately for me, I seem to be amazingly bad at that. :-)
It's a thread for the stories that Bruce didn't cover during the week, so Friday makes most sense. Plus this way it's on top all weekend, when Bruce usually isn't posting.
That said, you don't really have to wait if you don't want to -- you can post stories in the most recent squid thread anytime. More people will see them if you wait for a fresh thread, but it's up to you.
"With a billion dollars, you can buy your way out of almost anything. OTOH, if your plan requires you to maintain the facade of being "legitimate", then you will have all the security issues you mention."
I guess you have a point here. The "legitimacy" facade is the easy part and would probably cost a few million here and there in legal disputes. Keeping the Mob, elites, governments, etc. away from the money involves enough parties that it's a difficult proposition even with that much money on hand. (They make more by NOT working with me. ;)
I haven't even brought up coercive attacks on friends, family and supporting organizations. Whether it gets them the money or not, I try to ensure whatever I'm doing keeps determined attackers from using that tactic. They have to know it will get them nothing. They might think it's a great plan if they know I have a billion dollars, excellent all-around security, and a quite a few people whose lives matter to me. See the problem?
Did you reject my post from yesterday containing all the links? Or is it still awaiting your approval? I do a post like that every six months to a year to summarize important concepts, research and products that we've discussed over that time period. I would much appreciate it if you click "Allow" or whatever you do on Movable Type. Appreciate it.
I've released your comment from spam jail.
I actually thought I had turned off that "more than ten links" filter a while ago, but either I'm confused or it reverted. I'm going to turn it off for real now and see what happens.
@ Moderator and All
Appreciate it, Moderator.
My stories and plenty good links are further up if you want to check any of it out.Plenty of good stuff in there.
Nick P: "a quite a few people whose lives matter to me. See the problem?"
Yeah - having quite a few people whose lives matter to you.
Fortunately I don't have that problem - courtesy of everyone else. Or as my mother used to, "There must be something wrong with YOU!" Of course, there is! I'm rational! :-)
Bottom line: If you're going to engage in conflict with other than "riff-raff", you pretty much have to either 1) give up having people around who matter to you, or 2) make sure they can take care of themselves, or that you can take care of them. A billion could go a long way to enabling the latter - but probably not if they're not "security-aware" people.
That's why I said you need to "disappear". The one place where "security through obscurity" works fairly well is "invisibility", a la the ninjas. If they can't find you, they can't mess with you. The ninja had families, too - but they were trained in security as well (at least until they got too influential and Nobunaga wiped them out. :-) )
As William S. Burroughs once said, you need to be in "Third Terminal Position": that position from which you can influence but cannot be influenced. It's hard to get there. You pretty much have to be external to whatever other conflict is going on - sort of like the "Man With No Name" in the Clint Eastwood movie "Fistful of Dollars" (or the original Japanese version, "Yojimbo".)
Your motivation has to be obscure to the other parties. Although self-interest can always be assumed, the question is how it is being expressed. Conceal that and you're halfway there.
In most spy movies and thrillers, the question is always "what is the Bad Guy up to?" Without knowing that, it's hard to deal with it.
I'm reminded of a funny bit in one of "The Destroyer" novels. The old Korean guy sets up a scenario for Remo: what if you set out a bowl of rice in the evening and every morning it's gone? How do you defend? Remo says he'll get a dog. Chiun says the next morning the dog is dead and the rice is still gone. Remo says he'll try something else. Chiun says it doesn't matter what he tries, he will fail because you cannot defend from something you don't know.
That's the position you need to be in - the attacker who is unknown. Your enemies don't know who you are, where you are, what your resources are, what your motivation is, and how you will attack them.
The Norway shooter pretty much adhered to that which is why he was effective.
The other requirements are: 1) be so mobile that the enemy can never know where you are, and 2) have sufficient local firepower that you can never be overwhelmed by whatever forces the enemy can mobilize locally if you are spotted.
The Norway shooter didn't adhere to those, which is why he's in jail, probably for the rest of his life.
A billion bucks can go a long way to providing all of that, used wisely.
@ Anon Bruce Poster
Thanks for reminding me about that stuff. I wonder if I should get some money together from local investors offering a 30% rate of return, have a trusted associate pay those store clerks/owners something to say when the time was right, & beat those gamblers to the punch. Might have a discreet communications device whereby the clerk, upon seeing one of the two start buying tickets, signals my guy to go to another store & buy out that game as quickly as possible. Sound fun? ;)
Is this a advertising database or to stop access to parts of the internet. I thought a law was passed that company's can't take your personal information without you agreeing.
Ultra-fast broadband at 50k/s
@ Bruce and Moderator:
Nick P. once suggested moving to a forum-type model, with threads for each of Bruce's posts, and places where others could start new threads based on news stories, ideas, etc. Yeah, anyone could start such a forum, but Bruce's name, reputation, and accomplishments bring an extraordinary collection of bright minds here (and mine, too ;) and especially, of outside-the-box thinkers. The model of building trust via a non-published e-mail address could keep it registration-free while still avoiding turning it into Slashdot or worse. Just a thought...
@ Clive Robinson:
Cache cookies? Older Firefox 2 had an add-on called SafeCache, and another called SafeHistory, both from Stanford University, which is one reason I sometimes use Fx2. Throw disinformation into the data pool.
Persistent or reinstantiated cookies or Flash cookies? Hah! The browser is always run inside Sandboxie, and closed/reopened frequently, which empties the sandbox and destroys the virtual files/folders/drives created ad hoc. *Nothing* can write outside the sandbox (i. e., to the hard drive) without user configuration of permission to do so. So all those "undeletable" cookies get written to a virtual drive that disappears. Somewhat similar in concept to booting from a Live CD each time, though of course not nearly the same thing, and the rest of the machine can change state as you allow it. But not from the Web.
Changing IP addresses occasionally goes without saying. As does lying. My e-mail provider thinks I'm a 17-year-old girl who lives about 25 miles from here. For greater disinformation needs, coughwardrivecough.
Yeah, the databases get built up eventually, which is why the US needs a comprehensive set of data privacy laws. But I do my part...
GAO report blasts DoD computer security ability:
Is it time for the Pentagon to turn cyberwar over to someone else?
There is a military term for armies so uncertain of their own skills, resources, strategy and command that the enemy is able to find out more from spying missions than the commanders can by asking questions:
The term is "loser."
Feds Say They Can Search Bradley Manning's Friend's Laptop Because They Can
Especially this part:
"On a separate note, the reason given for having to keep House's laptop for so long? Because the laptop ran both Linux and Windows and the tech geniuses at Homeland Security had trouble understanding how to deal with that."
@ Richard Steven Hack
That last part was priceless. It could have been worse if he was running MenuetOS & using TrueCrypt. If they didn't know Linux, they surely won't know an OS written entirely in assembler. ;)
Course, I've always considered any laptops I bring over a border to be disposable. I do have a scheme where the disk is encrypted & decryption requires multiple keys. The simplest is to split it between one on you and one on a person in the destination country. If cooperation between countries is an issue, then the key could be split between the courier, a person in the destination country, and a trusted person in Hong Kong.
The most likely worst-case scenario would be loss of the device, with the critical data simply transfered to the newly purchased PC in the destination country. Another solution is to use a thin client approach, keeping the software encrypted on a cheap DVD. If one's computer is seized, a very cheap one can be purchased in target company. Authentication consists of username/pass, device ID, and a phone confirmation calling the hotel. Only then is access provided.
The key attribute of these schemes is that coercing the person possessing the laptop & encrypted data doesn't result in its decryption, even if they comply with orders. The tradeoff is flexibility & cost.
I wonder: would that CompCert thingy be immune to http://cm.bell-labs.com/who/ken/trust.html ? My gut feeling is that it's not, and they may be trying to solve the wrong problem. Consider for instance that they depend on the CPU microcode on the machine running the compiler - or compiling it, for that matter - to have the same level of trust as the compiler itslf, but with no equivalent formal proving, or any chance of ever getting that. (Am I missing something?)
Nick P: Interesting ideas.
The only problem with being unable to decrypt the data even if the person is ordered to do so is that by definition he has set it up to defeat that. In a lot of jurisdictions, that would be the same as being guilty anyway. In some cases, I suppose it would work to defeat a prosecution.
It would work well if the goal was merely to seize the data and not prosecute the owner. OTOH, if the owner is kidnapped and follows orders and the data still is not retrievable, he'll end up dead again.
So really it only works if the laptop is seized and the owner remains free and not coerced.
The safest way is probably to keep the data on a 64GB flash drive shoved up one's butt - and hope they don't do a rectal exam.
Which is something that always bugged me about that episode in "Terminator: The Sarah Connor Chronicles". Connor sends back a Resistance fighter who is wounded in the process. Dying, he stumbles to Sarah Connor's pad and spends half an hour scribbling inadequate info on the wall of her basement before stumbling upstairs and dying in her arms. They then spent the rest of season two trying to figure out what his scribblings meant.
It would have made more sense to put all the data on a flash drive, shove it up his butt and send him through the time portal (because the only metal that comes through must be surrounded by flesh.) :-)
Of course, not everyone does a rectal exam when someone dies in their arms. :-)
Especially on broadcast networks...
"The key attribute of these schemes is that coercing the person possessing the laptop & encrypted data doesn't result in its decryption, even if they comply with orders"
The critical problem is NOT if you are obeying orders but rather if the LEO believes that you are complying with their orders.
This is something I mentioned a few weeks ago, on a "Destruction of evidence" thread.
It must be absolutely clear that data decryption is not solely within the control of the person in possession of the laptop / smartphone / pad. Furthermore it must be technically obvious that no amount of "coercion" can result in the recovery of the data after the time out period. In our case if the two factor recovery time window lapses, than the ONLY recovery mechanism is possession of the two keys AND direct association with the default 3G network in the country of origin. (what we look for in direct association is of course our secret)
Unfortunately customs officials have opened a real can of worms by claiming this laptop data snooping right, and it is not just a US problem because many countries have obscure laws that can be applied. In the one case it could be businessmen with Japanese legal (K1ddy P0rn) entering the US only to find he faces 20 years federal time. Equally applicable are rules limiting munition exports, remember cryptography was regarded as a munition (in the US) up until a few years ago, and many other devices are still regarded at munitions. One example of interest to me is high accuracy, high speed Analog to Digital Converters. If the export of the ADC device is illegal than the export of the design database for making a high accuracy ADC is certainly illegal.
There are lots of other cases of laptops, phones, cameras, Mp3 players.... containing details of illegal activities by Americans, such as business dealings with Cuba or Iran. Donwloads of torrent movies.... These transgressions were only revealed because they were stopped at customs. Similar problems exist for the Israeli businessman with extensive Iranian ties.
Strong encryption is only part of the problem, because the judicial system MUST be satisfied that the data cannot possibly be recovered. This action takes us right back to my point of a few weeks ago which was. Can there ever be a charge of destruction of evidence, if the owner of the data has no reasonable grounds for believing he is under investigation?
In this case encrypting the drive equals destruction or the denial of this evidence to the customs official.
My own laptop solution today, is to take a disk image of the newly configured laptop and reinstall that image on a spare hard disk before every trip. This means I have no Email history and no files or fragments of files that can possibly get me into trouble.
@Robert T, "It must be absolutely clear that data decryption is not solely within the control of the person in possession of the laptop / smartphone / pad. Furthermore it must be technically obvious that no amount of "coercion" can result in the recovery of the data after the time out period. In our case if the two factor recovery time window lapses, than the ONLY recovery mechanism is possession of the two keys AND direct association with the default 3G network in the country of origin. (what we look for in direct association is of course our secret)"
Was just wondering if there is a time server on the internet that sends you a hash from some value that keeps incrementing. A friend could pass you the hash from some unknown time from there site.
"It would work well if the goal was merely to seize the data and not prosecute the owner. OTOH, if the owner is kidnapped and follows orders and the data still is not retrievable, he'll end up dead again. So really it only works if the laptop is seized and the owner remains free and not coerced."
In many cases, the crooks want the data. Customs even wants the data to look for high profile prosecutions. Preventing recovery of the data in the event of equipment seizure is the purpose. The protection of the owner is a separate issue.
Interesting view. The only way I think the scheme could meet your standard is if we got a working scheme endorsed by a government lab and mentioned on their web site. A commercial lab would work as well, but government trusts government more. The inquiring customs official would be told that "the system would only decrypt the data if it was plugged into the right hotel & several people gave their keys. There's no other way around it. Consult (site name) to see results of a government evaluation of the protection scheme that showed it's unbreakable."
That's a tamper-resistant scheme that I see. Unfortunately the method looks easy to circumvent. It's actually less safe than a few schemes I saw in McGuyver, which didn't work. ;) The trick to my approach is ensure the *person* can't be coerced to give up the information, even while *complying* with customs. The scheme you linked to seems to require something that courts would call destruction of evidence & non-compliance with customs. My approach can be sold as a sophisticated, coercion-resistant protection scheme. It's useful beyond just stopping customs, meaning courts might not rule against it. Unless they read this blog. (Damn, damn, damn)
Nick P: "Preventing recovery of the data in the event of equipment seizure is the purpose. The protection of the owner is a separate issue."
But it's actually not if the fact of preventing recovery puts the owner directly at risk. And it's not just criminals that are the issue, it's law enforcement. And not necessarily US law enforcement.
RobertT: Your imaging solution is good only if you don't actually need to take any data with you that might be incriminating.
In that case, clearly the only solution is that the data should go separately from any device that might be searched. Which means either concealed in a flash device elsewhere which is fairly certain not to be found even with a fairly complete tear-down - or it has to be carried by someone else not likely to be inspected (like those unwitting drug mules discussed earlier) - or it has to go by the Internet.
I think when one is deliberately confronting authority - such as at a border crossing - the only rational approach is to have a computer that is completely clean - and to know the country's laws so you can be sure what you do have on it IS completely clean under their jurisdiction.
Just like any hacker with brains has his home PC completely clean and uses a separate machine hidden elsewhere which cannot be discovered or traced to him to do his hacking.
With near ubiquitous VPNs and wireless these days, why carry (dangerous) data around when you can access it fairly securely from any place with Internet access?
@ Richard Steven Hack
"With near ubiquitous VPNs and wireless these days, why carry (dangerous) data around when you can access it fairly securely from any place with Internet access?"
One scheme of mine was an ARTIGO or Gumstix type small PC hidden somewhere near a wifi hotspot. Maybe several. They'd have encrypted data, tools, etc. on them. Could travel with an innoculous laptop & connect to it remotely over SSH from any hotspot. This in itself doesn't look suspicious. The data can be retrieved or the PC could be used as a relay. If it's picked up, so what: the data is encrypted, the temporary data stored in RAM disks, and all intermediate data (incl. RAM disks) wiped upon disconnect.
The hardware would be COTS at around $200-300, but the OS would need some customization. Microkernel + Linux VM actually makes this easy. On boot, all "trusted" software boots first into physical memory in a predictable location, then the Linux VM is loaded to run apps. If a disconnect occurs, a trusted app is notified. It shuts down the VM & overwrites all RAM it used with random data. Then, it loads a new VM in its "locked" state, waiting for authentication from the owner. (The authentication process supplies a necessary part of the decryption key, of course.) The existing OKL4 + Iguana + CAMKES + OK Linux already has most of the functionality. Only the wipe feature need be added.
Come to think of it, the Turaya/Perseus Security kernel and framework implement a trusted service called "secure storage" to isolate secrets from untrusted apps. I bet it has a wipe feature built in. It also has a Linux layer. It's built on top of a TPM, though, meaning we'd have to find some cheap, small TPM-equipped PC's. And by cheap, I don't mean for orders of 5,000 or more. ;)
"On a separate note, the reason given for having to keep House's laptop for so long? Because the laptop ran both Linux and Windows and the tech geniuses at Homeland Security had trouble understanding how to deal with that."
Not hard to understand. When collecting evidence that may be used in court, they have to obey certain procedural rules. The rules are cumbersome, inflexible, and largely written by lawyers. It's extremely likely that the /rules/ don't understand dual boot.
I seriously doubt that any of the techies doesn't understand dual boot; when you do something for a living, even if you start off as an ignoramus you will be aware of these sorts of issues within a few weeks.
I recently did some fairly extensive international travel for the first time for some years. Took a laptop with me, also a palmtop, a smartphone, two digital cameras (with spare SD cards) and a cheap disposable phone. The first 3 of these all contained encrypted data (mainly, PDFs of my travel docs.) I also took a dozen other electronic appliances (e.g. a hotel room security alarm, wearable GPS, altimeter, water steriliser, oh yeah I'm a gadget freak). Those did not contain data, but there's no way you could tell that without inspecting them. (I was actually a bit worried that on an x-ray image, the room alarm might be mistaken for a bomb!)
In 20 border crossings on 3 continents, no-one expressed the slightest interest in any of my electronics. I paid attention to other travellers, and didn't see any other electronics being examined, either. At least, not in public, but I also didn't notice even one single passenger being asked to take extra screening. In Abu Dhabi they even had a sign out saying something to the effect that you don't need to get your laptops out for x-raying.
I shouldn't have been as surprised as I was: it's a lot of work to inspect a laptop, and with the huge crowds they deal with, it's obvious their main emphasis is throughput, throughput, throughput.
Not saying this isn't something that can be a problem, but it is much less common than I had expected after reading this blog. I'm now beginning to suspect that they will only examine your laptop if you have already been detained for some other offence, and the "border guards search your laptop" meme is a bit of a movie plot threat.
Anonymous: You're probably right. The case in point was someone connected with Wikileaks in some manner. However, that's not a movie plot, but a real situation in which there wasn't even any allegation of impropriety on the part of the individual. It was simply an investigation because of the individual's being involved with a support network for Bradley Manning. There was ZERO probable cause to seize House's laptop.
Like Thomas Gabriel said in "Live Free and Die Hard", "The rules can always change." And governments like to change the rules to suit them, as in the House case, which is why DHS is being sued.
So the problem generally is you can't be sure what circumstances you'll encounter in every case. You could walk into Abu Dhabi right after some Mossad or Al Qaeda hit locally and everyone is paranoid and checking everything. Or more likely, you come home from Abu Dhabi right after another terrorist hit in the US and the US security is on full alert and checking everything.
So the point is if you have anything at all questionable on a laptop (whether legally questionable or just proprietary or personal), don't take it into the presence of authority, especially at a border crossing.
You may be right about the rules being the issue with a dual boot system. But 1) I don't really see how those rules couldn't be applied for two OS just as well as one - unless they've been written strictly for Windows which would be stupid in itself, and 2) I really do believe that DHS probably has a lot of people who have never seen a Linux system. Linux systems are only being used by maybe 3% or so of the population, let alone a dual boot (especially with, for instance, Windows 7 which is a different beast than XP.). So maybe they did write the rules just for Windows...
I doubt procedures were an issue. SOP is just to created a hashed replica of the hard disk itself, make a copy of that and work on the copy. The lack of expertise is most likely issue.
"The only way I think the scheme could meet your standard is if we got a working scheme endorsed by a government lab"
I agree, the system needs to require two keys one that can reasonably be delayed for longer than the time-out key period.
This way the owner of the laptop does everything he possible can to help, but it is not within his control. The external stored time-out key will also prevent any playing around with the system clock. and it allows a time window for verification of the safe arrival of the laptop and owner of said laptop.
But as you point out to be accepted it must be a known method, government approved, and accepted as fool-proof.
"But as you point out to be accepted it must be a known method, government approved, and accepted as fool-proof."
In a nutshell. So, anyone want to sponsor an NSA EAL7 evaluation of a eavesdropping prevention system? Oh what irony!
Duh...what else is new?
Report on ‘Operation Shady RAT’ identifies widespread cyber-spying
"“We’re facing a massive transfer of wealth in the form of intellectual property that is unprecedented in history,” said Dmitri Alperovitch, McAfee’s vice president of threat research."
He says that like it's a Bad Thing...
How about the "massive transfer of wealth that is unprecedented in history" from, say, Wall Street? Or the military-industrial complex in terms of three to five trillion dollars for current wars?
"Scott Borg, chief economist at the U.S. Cyber Consequences Unit, a research group, has assessed the annual loss of intellectual property and investment opportunities across all industries at $6 billion to $20 billion, with a big part owing to oil industry losses. These firms spend hundreds of millions of dollars to explore oil fields before bidding on them, Borg said."
$6-20 billion? Across ALL industries? That's chicken feed!
What is the current oil industry profit level? CNN Money: Exxon Mobil profit nearly doubles By Ben Rooney, staff reporter, July 29, 2010. "The world's largest public energy company reported net income of $7.56 billion, or $1.60 a share, in the second quarter, up 91% from $3.95 billion, or 81 cents a share, in the same period in 2009."
The MIC? "Halliburton's revenue was $18.0 billion for the full year 2010, an increase of 22% from the full year 2009, and consolidated operating income was $3.0 billion, an increase of 51% from the full year 2009."
Oh, pity the poor multi-score-billion-dollar transnational corporations! China is stealing their intellectual property!
I say good for the Chinese (and anyone else ripping off corporations and the government for IP.) They're leveling the playing field after US corporations have bled the rest of the world's population dry for the last hundred years.
with regards your "using science fiction to teach security"...
How about "using ninja secrets to teach computer security",
As some people know I don't hold "best practice" in very high regard at the best of times but regard it as being a real waste of space and time when used at the user end of the security industry.
Here is a typical example of why,
@ Clive Robinson
Thanks for the link. I'll have to read it before I can comment on whether the analogy is a good strategy. The comments on the book so far seem to be from people with an existing security background, so I can't derive anything from them other than it was well-written.
I think I'll like this book for a different reason: I've done Ninja training in the past. When I was younger, I stumbled upon Ninjitsu after three years in Karate. Aspiring to be a Ninja, I studied wall climbing, flash explosives, deception techniques, stealth techniques and human anatomy (Dragon's Touch & Black Medicine are great guides ;). I sought to modernize Ninja principles & apply modern techniques/tools. (I could've saved time if I knew about Krav Maga or USMC L.I.N.E. systems, but too bad.) My friends and I had a lot of fun, especially with disappearing tricks & wall scaling.
I was never quite coordinated or reflexive enough to be anything close to a real Ninja. I've also been out of training for a few years. However, I can say that the Ninja mindset is very similar to the security mindset. However, it was more limited due to adherence to traditions. Funny how Ninja were a threat then because they were unconventional, but the orthodoxy of current Ninjitsu styles makes them less effective today. The modern equivalent of Ninja are probably Israeli covert operators or security geeks who made it through SEAL training. I'd rather not be on the opposing side. ;)
@ Clive Robinson
I just got the book and skimmed it. It's a combination of entertainment via esoteric information & advice relevant to that information. The focus on strategy, tactics, stealth, unpredictability & psychology make this book better than many that focus on purely tactics or HOWTO's. And for $23 on Amazon, I guess I'd say it's a good deal.
@ Robert T, Nick P, RSH,
With regards having a "cleaned laptop" for border crossing etc.
The problem is (by and large) not the computer but the "container" of information that you don't wish for whatever reason to expose to the LEO's/who ever, irrespective of what rights they believe they have.
As we know copying a container of information is not difficult if you know it is there, so the first aspect is ensuring it is not there (ie secure erase the laptop). But this means you cannot take the data container with you on the laptop or on other media you have with you.
Now there are two asspects with not having the data container with you but needing access to it. The first is you become reliant on others for access to the data container, the second is as you are within a juresdiction you can be reasonably certain that if they have their eye on you for some reason then they are NOT going to take it off you all the time you are in their jurisdiction. Thus if you attempt to get access the chances are the LEO's are shadowing your footsteps and have the same level of access you use.
Now even if we assume we use unbreakable encryption for either the data container or the communications media we use, the LEO's can simply copy the container or comms (or both) for future refrence.
Thus the LEO's know at some future time you will gain access at which point they drag you in and extract the keys from you one way or another.
So the trick is to make the key unavailable to you thus you cannot reveal it.
Well one way is to have the data container out of jurisdiction and use a comms protocol to access it that generates a random session key which the user cannot (reasonably) get access to.
However this does not stop the LEO's putting spyware on your machine to capture the symetric session key.
Thus you can see that which ever way you dodge around the LEO's will get access to the data if we limit ourselves to just a key and data container both of which can be copied.
Therefor a third element that cannot be (easily) copied by the LEO's needs to be brought into the equation.
However this third element needs to be coercion proof, which is where the problems may arise if careful thought is not devoted to it.
The simplistic version of this is the NSA Inline Media Encryptor (IME) it consists of two parts the actual encryption hardware and the crypto ignition plug that contains the key.
Let us assume that we have a non standard compound encryption algorithm that we can have high confidence in (for instance some variation on AES such as AES with a rolling key/whiting) embedded into a tamper proof/evident device, do we actually need a physical key/plug?
No, we can give it one or more embedded private key(s) which can be used to load information from across the internet or other global communications infrastructure (even POTS or POST).
Thus the device that could be of a USB key format, which needs N of M shares of the key to be sent to it from outside the jurisdiction before it can be used. The device contains a real time clock or equivalent that gives the key a defined life time such that it auto destructs etc. Because neither the public or private keys are known or held by the device holder they cannot be coerced into making the "keys" available.
Now the hard bit and this revolves around the use of a silicon structure that supposadly cannot be duplicated the PUF (or it's equivalent).
The compound encryption algorithm used is programable and the actual method to be used also gets programed via the PK messages but stored internaly encrypted by the PUF
Thus you travel with an unprogramed device, even if the LEO's do take it and strip it down it tells them little or nothing (hopefully) because the private key(s) are stored encrypted under the PUF they will have to destroy the device in the attempt to recover them.
Thus no keys no device and no access to the data container.
There are a number of other wrinkles that can be added to the model (ie duress keys etc).
NEW TOPIC: Chromebook Security
I'm excited to see that the Chromebook incorporates some of the "below the OS" security features we've been discussing on this blog, particularly a verified boot process. The Chromebooks have both a custom firmware chip & TPM. The firmware has two parts: read-only firmware & read-write firmware. The read-only firmware loads first, signature checks read-write firmware, and loads it. (This allows for trusted firmware updates.) The process repeats throughout each software layer. It also has a switch developers can flip to load their own customized Chrome OS's. (That's actually a concern for me, but moving on.)
It also includes TPM-protected user data stores & a recovery mode that one can boot into to fix a malware infected PC, uploading a fresh OS via USB stick. The Chromebooks also auto-update for security purposes. The Guest Mode acts like Incognito mode, neither requiring a login nor saving browsing data. Maybe could add a few concepts from BitFrost. Overall, I like it from the vantage point of average user's protection.
It appears there are one or two goodies popping up from Blackhat...
First up is "Degate",
“Degate is essentially a disassembler in the hardware world, Nohl said. The software recognizes structures on chips, traces the connections between them, and pieces together the algorithms implemented by the circuits. Nohl said the tools are intended to make it easier for software experts to assess the security of chips stored on credit cards and other types of smartcards.“
Second up is Chrome OS security issues,
"According to two researchers who spent the past few months analyzing the Chrome-powered Cr-48 beta released in December, the browser-based OS is vulnerable to many of the same serious attacks that afflict people surfing websites. As a result, users remain susceptible to exploits that can intercept email, documents, and passwords stored on centralized servers, many of which are maintained by Google
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.