Schneier on Security
A blog covering security and security technology.
« Summer Schools in Cryptography and Software Security at Penn State |
| Buying Exploits on the Grey Market »
March 30, 2012
Friday Squid Blogging: How Squid Hear
The squid use two closely spaced organs called statocysts to sense sound.
"I think of a statocyst as an inside-out tennis ball," explains Dr Mooney.
"It's got hairs on the inside and this little dense calcium stone that sits on those hair cells.
"What happens is that the sound wave actually moves the squid back and forth, and this dense object stays relatively still. It bends the hair cells and generates a nerve response to the brain."
"They react in about 10 milliseconds," he says. "That's really fast; it's essentially a reflex. That's really important in terms of behavioural responses because they're not thinking about processing it; they're not deciding whether they should react -- they're just doing it.
And he adds: "The responses can be really dynamic. They can be a change in colour; they can be jetting (moving quickly) or inking responses. Squid are also very cool because you can look at a range of colour changes -- is it a really startling colour change or a more subtle change?
"Squid can probably use their hearing to find their way around the environment -- to sense the soundscape of the environment; for example, to find their way towards a reef or away from a reef, towards the surface or away from the surface."
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on March 30, 2012 at 4:28 PM
• 40 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Balls? How directional are their hearing?
Ome of the companies Visa has hired has been hacked. Card data seems to have leaked.
Also, our Swedish Skatteverket (tax department, like IRS) ALSO had one of their infrastructure providers hacked. About 9000 people are thought to be affected, sensitive info can have leaked, maybe about people with some degree of protected identities.
i don't know your opinion on the cissp, but some interesting and homourous article. Find it here www.infosecisland.com/blogview/19914-CISSP-Certification-Information-Security-and-Risk-Management.html
In the 2000s, there was the prospect of a "data haven" being provided via hosting on Sealand, a World War II-era platform located in the ocean about seven miles from Great Britain. In 1967, the platform had been claimed as an independent nation, the Principality of Sealand, by one Roy Bates. As it was, and possibly not surprisingly, the business of data colocation did not work out for a number of reasons.
Mentioned by Richard Stallman was a Wired News article on US FBI agents and lawbreaking.
The Electronic Frontier Foundation has mentioned an issue that would seem to be of importance in cybersecurity debates: the practice of firms selling "zero day" (unpatched) security exploits to paying customers. (Claims have been made that these customers include governments.)
@ Petréa Mitchell,
At last, we have an example of a literal data spill.
It would be funny (as in Keystone Cops) if it was not so serious.
IBM is blaimed by the state for not properly securing the packages containing the data cartridges, even though the shipment should have been by the states own chosen secure data shipper Iron Mountain, who apparently don't fly so it "fell" to FedX where the package spilled it's guts mid flight.
But... according to Christine Lally, --- a spokeswoman for the California state's Office of Technology Services,--- it's nothing to worry about realy because,
"There's a chance the information from the California Department of Child Support Services won't be accessible because a specialized machine is needed to run the cartridges the data is stored on, and special hardware and software are needed to read it"
Who further qualified her statment with,
[it] is definitely not something that you or I could just pop into your laptop,"
So that's alright then because in the world view she wishes to present hacking is obviously only done on laptops these days.... talk about "out of the mouths of babes and fools".
Personally I suspect that if this comedy of errors is just accidental then one of four things will happen,
1, The data cartridges will be found by FedEx.
2, Or, they will be floged off on Ebay.
3, Or, they will be given to a journalist.
4, Or, they have become landfill.
I'm not saying the data cartridges won't come into the hands of criminals, it's just unlikely if the loss was genuinely accidental. Not that that is any consolation for those people who's PII has gone missing.
After some sleuth-level Wikipediaing, it turns out that the statocyst also has security implications for creatures less sapient than the squid:
"Because many echinoderms of this group have only simple nervous systems without a controlling "brain", they are limited in their actions and responses to stimuli. The statocyst is therefore useful for telling the animal whether it is upside down or not. An upside-down echinoderm is in danger since its belly is not protected by its spiny skin." [Emphasis mine.]
@ One Blog Reader,
a "data haven" being provided via hosting on Sealand
That takes me back a long long way, and I'm not sure all the history of Sealand will ever come out as many in the original "Pirate Radio" world are getting very long in the tooth (I'm long in the tooth and I'm not in the original "Pirate Radio" generation).
At the end of the day the way to secure data against nations is to set one nation against another and have your data not in a "free nation" but in all the rival nations. That is you spread it thinly across the globe with multiple copies in multiple countries in such a way that getting hold of one copy does not give you openents the data nore does it alow them to stop the data being used.
I actually started looking into this back in the 90's as a potential PhD project, whilst working at both a Uni and for a company involved with "read only" databases.
You kind of need to look at the problem as a global RAID array with each country holding just one slice in a two or three dimensional array encrypted in an orthagonal manner. Simplisticaly encrypt the actuall data normally (ie network order) then split into say byte wide slices/stripes, encrypt these slices normally and put multiple slices in multiple places to achive the required level of redundancy.
This then raises the problem to the next level which has two main parts 1) The head end 2) Network choke points (I'm not even going to go into the issue of updating data ;).
The head end is where the bytes get unscrambled decrypted and put back together, it has both a physical location and an Internet location both of which have to be known. Which makes it vulnerable so that requires mitigation by redundancy of multiple heads, which gives problems at another layer.
One problem with the Internet is it's backbone, the way it is currently designed means that there are just a handfull of physical points through which all data goes through. These choke points have significant issues that neither redundancy or clever scheams are going to solve easily.
I'd like to use my own choke point on my head end in order to achieve ultimate security and solve the great Cosmic Cryptogram, but I don't have the backbone.
Charlie Stross has an interesting blog page about the evils of social media in our ever increasingly paranoid world,
His point is that the underlying model used by free social media that mines out personal details either directly or indirectly and makes it increadibly easy to track groups makes nearly all users considerably less safe.
"it has both a physical location and an Internet location both of which have to be known"
If you believe what is coming out of quantum mechanics that is a false statement. It's true today, certainly, but it may not be true in the future.
@ one blog reader on Sealand
Thanks for posting. That's an excellent article. I'm surprised nobody has got mercenaries to blow the place up on general principle.
On Data Spill
That's just funny. Goes to show you can't trust these providers. A big name company like IBM screwing up so much doesn't help the situation. This is also another argument for encryption of backups.
funnily enough, I started talking a few weeks ago of "a RAID Array of Dropboxes"
At the time I was jokingly referring to ways of building a secure cheap (free?) cloud service, but you seem to have found an application for what I thought was a totally fanciful idea.
If you believe what is coming out of quantum mechanics that is a false statement. It's true today certainly, but it may not be true in the future
I was refering to the fact that the "current Internet" is in effect a "wired network" which has like any other large non local network currently in commercial use to use a circuit or packet switched/routed communications structure layered over a basic point to point network to get efficient utilisation of it's fundemental "physical" network resource. The only other method in common use is the so called "Broadcast model" where by every end point gets to hear every other end points traffic which is grossly inefficient use of the underlying "physical" network resource.
As far as I'm aware any current communications process uses one or more fundemental physical forces to shift the energy / particles on which the information is encoded from one place to another and is thus limited by the speed of light and other fundemental limitations of our physical world which boil down to the limitation of distance by noise and rate of transfer by bandwidth in the chosen channel.
The only thing I've heared talked about outside of this started with Einstein's "spooky action at a distance" to deride the notion of quantum entanglment which gave rise to Bell's inequality. The consequence of which is one of the cornerstones of the proof of security of Quantum Key Distrubution (Ekert's E91 protocol). However another view by David Kaiser (from MIT) of Bell's theorem indicates that longrange instantanious communications is possible. The last time I talked to some one "in the know" on this they indicated you could have one or the other, that is either security or instant communications but not both... but which was still unknown hence the continuing experiments into the "loopholes" of Bell's Inequality...
Now I will put my hand up to not following the latest thinking in quantum physics because it makes my head hurt at the best of times because it's one of those fields of endevor you have to realy be an all in immersed practitioner to understand all the nuances that are it's current drivers.
While the human race worries about little things like terrorists with bombs, the next big security threat may be the "post-antibiotic era".
If you think people are risk-averse now, what would it be like to live in a world where minor wounds have a much better chance of being fatal? Before antibiotics, of course, people just accepted the possibility as part of life, but now that humans and human society have become accustomed to the assumption of safety that antibiotics provide, does anyone think that everyone will just go "oh, well" and go right back to accepting the risk?
@ Petrea Mitchell
I don't know what their reaction will be. I'm too busy trying to stop the trend. It's kind of ironic that the germophobes are empowering the germs. We need to get rid of pervasive antibiotics, while looking for new ways to kill them. The amount of antibiotics out there is ridiculous. We have antibiotic counters, antibiotic door handles, doctors prescribing antibiotics for the flu... the list goes on.
The potential "post-antibiotic era" may be attributable to the economic motive or lack thereof that Bruce has repeatedly mentioned with companies in possession of people's information. *sigh* (anyone surprised..? ..anyone..?)
The development of new antibiotics now could help stave off catastrophe later. But few drug makers are willing to invest in drugs designed for short term use.
“It’s simply not profitable for them,” said Dr. William Schaffner, chairman of preventive medicine at Vanderbilt University Medical Center in Nashville. “If you create a new drug to reduce cholesterol, people will be taking that drug every day for the rest of their lives. But you only take antibiotics for a week or maybe 10 days.”
One of my professors recently said that in the past, skinning your knee on concrete or dirt wasn't a big deal if you couldn't wash it out right away. But now, she said she'd be scrubbing the wound like a paranoid schizophrenic asap; I would imagine urban environments being worse.
Full disclosure, I'm a bit of a germophobe; but I've managed to avoid sickness more than most people. One of the things I do is I don't breath in for as long as possible if someone coughs or sneezes near me. I love all the touchless faucets, dryers, light switches and flushers in restrooms. My dad worked on a touchless handicap-door switch for hospitals, and they're selling like hot cakes.
My mom is a nurse and has also said that there has been an "over-prescribing" of antibiotics for viruses that can be taken care of by the body.
One third of the population spends its time injuring and sickening another third of the population so that the last one third can heal them.
Such is the world.
Security over-reaction of the highest order...
In order to combat a series of bomb threats, University of Pittsburgh has removed the stall doors from the men's toilets and stationed a security guard outside.
Honestly, you *cannot* make this stuff up!
but you seem to have found an application for what I thought was a totally fanciful idea
I'm told the best ideas are the ones where people say "I could have thought of that!" well you seem to have proved the point by doing it independently ;-)
I originaly came to the idea when looking in the early 90's at how to make a highly fault tolerant high capacity Data Base over an unreliable network with unreliable limited capacity machines.
The idea being to put bits of the DB onto many different servers and send your query out as an "agent" that builds your query results by fiinding out whiich machines are available with the parts of the records needed and stich the whole thing together.
It turns out that even on a small network there are subtle problems due to time delays and other edge effects that reduce security.
As for RAID it's self the idea did not originate where most people think it did (University of California Berkeley in 1987)...
But a small company in Surrey UK developing body scanners back around 1983, they actually had a UK patent on the idea. And trust me the 8" hard drives they used were most definatly not "inexpensive". The guy who came up with the multiple disks part of the idea was also called David and quite a few people put in their "two penny worth" at the time, including myself (I sugested using two extra drives for "geometric pariity" as well as storing Hamming error correction in the data across all drives).
@ Petrea Mitchell, Nick P, by: Figureitout,
With regards to anti-biotic misuse, I've been aware of it foor a number of years one way or another (perhaps the hardest being a botched Op that means I now have to take anti-bs for life).
Twenty years ago I used to joke that the reason the famous Jewish "chicken soup remedies" cured most ills was because of the factory chickens being force fed antibiotics.
For those old enough to remember there was a bit of a disaster in Mexico where children as young as three were entering puberty due to the fact that hormones used to promot rapid growth in the chickens were not being withdrawn from their feed in sufficient time before slaughter (if at all) and had made it into the human food chain.
If I remember correctly the US had it's own scare with milk production for similar reasons.
Now the problem identified with Big Pharma and antibiotics has a secondary effect you can lay at the doors of the FDA amongst others. The cost of getting a drug through the process is exorbitantly high and this has a couple of knock on effects,
Firstly the resulting drug is to expensive for all but some Western markets.
Secondly that alternative treatments that arise in other markets due to the first problem also don't get into Western Markets.
One such other market treatment is "phage therapy", potentially it is far better than antibiotics and has less harmful side effects ( http://en.m.wikipedia.org/wiki/Phage_therapy ).
If you look back in this blog you will find the subject has come up before.
A post on squid on a security blog? Now that's something fun to wake up to!
Also, BBC News just released a new post regarding the website named "pastebin" to hire more staff to tackle hackers.
@ Safer Sites: You must be new here.
@Clive Robinson - this is one area where the danger might not come from the US.
India and China now have a massive middle class who can afford to buy antibiotics for themselves and their children, see the ill health around them, and remember the conditions their parents lived in.
Combine this with little government regulation and you get 'N' 100million people popping antibiotics like candy when they are ill or not.
Yes, I know the topic's come up before, but that particular story hadn't been posted, so it seemed worth mentioning.
Hmm, still not a torrent or PDF link for Liars and Outliers. They upload almost any mundane book in a short time. I wonder why this book isn't being shared anywhere. Maybe they were willing to pay for it? lol
As some of you are nodoubt aware the Kelhios P2P botnet was discovered earlier this year and it has got around a bit since then.
You might also have read that a couple of AV/Security firms had decided that as it was not possible to "behead" the bot net because it's control channel is not a central server but a peer to peer system they were going to "sinkhole" it.
Well the initial results looked promising, but the malware authors responded remarkably quickly and launched another version of kelhios.
And it's this rapid evolution to "technical fixes" that's interesting,
In all honesty I think this is a tipping point in that the malware writers as "attackers" are outpacing the AV/security companies that act as a Swiss Gaurd "defenders" for many organisations and individuals PC's.
And as I've indicated in the past there are many many ways to "decentralize" the control channel most of which will be difficult to stop.
It appears that Al Qaeda websites (might be) subject to "cyber-takedown" and fingers are being pointed at the US with allegations of "cyber weapons/warfare" (although last time it was supposadly the UK with "fairy cake" recipies disguised as PDFs or some such).
It is reported in the UK's Daily Mail Online  that the original story came from the Washington Post that some sites had been down since 22nd March,
 As normal I issue a "health warning" with anything to do with the Daily Mail or it's journalists, in case you are wondering why have a look at this story about a Daily Mail Freelance Journalist,
As many of you know "eMoney" has not had a lot of success for several reasons (mainly either attacked by existing banks or Government Regulators).
Well there's a new one on the starting blocks, only this one is different in the fact it comes from the Royal Canadian Mint...
It uses direct non mediated messages from device to device and as such offers a degree of anonymity, which you don't get with any EVM offerings. In fact the device appears to be set up to be a rival in the low value micro/nano payment market to EVM...
It will be interesting to see what happens to it.
On the topic of Chinese cyberwarfare/espionage, which Bruce seems to believe is illusory, I was curious if anyone has read a translation of:
"Informationized Joint Operations" Cao Zhangrong, Wu Runbo, and Luo Dong, eds., Xinxihua Lianhe Zuozhan (PLA Publishing House, 2008)
In case it's not a trolling comment, Bruce probably does think there's plenty of espionage from China. I'm sure you might find supporting evidence of this, his belief and its occurrence, if you googled it. (include site:schneier.com for relevance) What we all often criticize is how anything from Chinese IP's is considered Chinese cyberwar.
That's a flawed approach for numerous reasons. First, IP doesn't = identity. Second, many people use Chinese relays for black hat work b/c Chinese cooperation with US law enforcement isn't great and people will probably just blame Chinese cyberwar units. Third, somewhat a tangent, the "cyberwar" media stream is a poor metaphor that tricks people into thinking in terms of conventional physical war. The cyberwar scheme is about control and especially money. Billions of dollars in contract are at stake and most "cyberwar" promoters have a conflict of interest. (surprise!)
The real issue is that systems are designed, used, and maintained in ways that are risky. The attackers know this. Getting into most systems is like grabbing low hanging fruit. For instance, many "APT's" (laughs) are just a con job email with an exploit or two linked. Much of the low hanging fruit is trivially eliminated with better designs and implementation strategies. An example is using a reverse stack to totally prevent buffer overruns or Trusted Xenix's approach to preventing setuid vulnerabilities. Had mainstream OS's been modified this way, every vulnerability of this type (thousands) would've been completely prevented with almost no extra effort for app developers.
US Govt has had systems designed that are ridiculously hard to exploit in practice & usable, although inconvenient. They know how to build them, too. Instead, they push low assurance crap (see the Bell link below) on people. They have little incentive to tell people how to make ultra-secure systems like those available to them, as they want control and information. They know you just have to apply good security engineering and operation principles to stop plenty of these attacks.
At this point, you might be asking, "Well, why don't they just invest in and market that to these vulnerable US businesses and customers?" Good question. Short answer: they and their collaborators get more money & power by hyping the cyberwar them than simply telling people it's just a security mgmt failure. The cyberwar hype let's them have "cyberwar units," "cyberdefense tech," "cyberreadiness tests," "cyberborders," etc. Billions in contracts for the likes of Booz Allen Hamilton, Boeing, Raytheon, BAE, and NG. If you see the word "cyber", read it with skepticism & knowledge of how profitable it is.
Bells paper on rise and fall of high security
This XKCD strip about safeword choice mentions Bruce Schneier by name (in the hover text). Also, is there anything available about achieving out-of-channel exchanges by using statistically unlikely, preagreed valid tokens in-channel? (My best shot at a communication-theoretic definition of safewords. Feel free to improve.)
Also, there's probably some cryptography applicable to safeword use, like:
- Alice and Bob are having an encrypted conversation. They have agreed that if Bob uses a safeword, he may include additional information after the safeword in the ciphertext. However, Alice would like to be able to spot the safeword itself in the ciphertext stream as soon as it arrives, without needing to decrypt it, as long as Eve can't use that for a known-plaintext attack on the session keys, or Malcom to insert or remove safewords from the ciphertext. What options do Alice and Bob have?
Over in the UK we are getting new that a US Navy F18 from Oceana base has crashed shortly after take off into Virginia Beach. Thankfully with (so far repeorted) no deaths or serious injuries,
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.