Friday Squid Blogging: Squid Art

Happy Easter.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on April 6, 2012 at 4:14 PM • 39 Comments

Comments

AntonApril 6, 2012 8:42 PM

Bruce, was just reading the chapter in your book about group interests.

Thought you would probably be very much interested in what Philip Pettit has to say on group agents and what he calls the digressive dilemma on the Australian Broadcasting Corporation Radio National program called "The piylosopher's Zone".

All of it is interesting, but group agent stuff starts at 6:48.

DanielApril 7, 2012 6:52 PM

There is now an "iBrain" which the inventor claims can read people's thoughts and whose chief test subject is none other than Stephen Hawking.

The ultimate brain hack.

http://www.10news.com/news/30829661/detail.html

I do like how the article stresses all its benign medical uses and not all its scary 1984 uses.

Clive RobinsonApril 7, 2012 8:44 PM

OFF Topic:

It would appear that "anonymous" may have struck again. This time various sites of the UK Government, were alledgadly DoSed, the hardist hit site being that of The Home Office,

http://www.bbc.co.uk/news/uk-17648852

It would appear that "anonymous" has more heads than the hydra had snakes it appears that every time the authorities (supposadly) loop one off another arises in its place.

On another matter the UK "University Boat Race" was hit by a protester,

http://www.guardian.co.uk/sport/2012/apr/08/protester-halts-boat-race?cat=sport&type=article

So far just a news item, however the "talking heads" on various TV news / discussion programs are talking it up as a security incident that does not bode well for the Olympics, they then hint at how. easy it would be for simillar attacks to be made on a number of the Olympic sports. Some have indirectly mentioned the "T Word" by refering to anti-terrorist precautions...

It will be interesting to see how it gets talked up tommorow (or later this morning as its quater to three in the morning in the UK).

GabrielApril 8, 2012 4:54 AM

@NobodySpecial: Haha, I love how the author asks Bruce first, who tells him it's all nonsense. With Bruce not only being the inventor of the term Security Theater but also very outspoken about it, one would think the author would have connected nonsense->security theater. Later, he finally gets it when a confidential source explains security theater. Seems like he could have saved himself some trouble by reading up on Bruce, perhaps catching up on his TSA related posts first.

Now, regarding jamming equipment in a laptop/smartphone/toaster case. How many TSA agents would be able to identify a laptop with an extra PCB, perhaps a mini-PCI card that has some strange and non-typical chips on the board? Could they tell that apart from a typical wireless card with an Atheros or Broadcom chipset? I doubt they could.


Clive RobinsonApril 8, 2012 5:35 AM

OFF Topic:

This is an odd one from Norton in Singapore, and I came across it whilst looking for more details on the Symantic source code theft (try googling - "David Freer" symantec passwords singapore ).

Apparently Norton ran a survey in Singapore which (supposadly) indicates that 76% of people interviewed would not give up their Internet persona via their PC for 1millionUSD (around 1.3million Singapore dollars),

http://nortonprotects.com/2012/04/norton-survey-76-percent-of-internet-users-in-singapore-would-rather-forgo-us1-million-than-give-strangers-unlimited-access-to-their-computers/

It also shows that the Internet is quite integral to the lives of the people living in Singapore who were interviewed.

However the piece lacks details, and I'd take a large pinch of salt with some of the things it says. For instance Norton/Symantec appear to claim the average person in Singapore would pay upwards of $180 a day for Internet access with,

To have a day’s worth of Internet access Singapore Internet users would be prepared to pay an average of S$180, with the younger generation (18 to 34 year olds) willing to pay an average of S$220

Which if you think about it is $66K a year which I would think is higher than many Singaporeans annual income.

I've left a reply on their site pointing this out lets see if the actually post it "after moderation" and if they modify or agument the statment ;)

Clive RobinsonApril 8, 2012 9:14 AM

OFF Topic:

Have you ever wondered what Facebook sends out when it gets a legal request for information on your account?

Well Facebook has been very secretive about it and apart from them and the legal personnel few have seen it.

Well some of you might remember about "the Craigslist killer" well the Boston Police Dept has released the case files etc part of which is what Facebook sent on Phillip Markov's account.

Interestingly it appears that Facebook print it all out and send it on paper (thus following my maxim of "paper paper never data" in legal cases).

Any way you will need that "going out of fashion" flash player to see it,

http://blog.thephoenix.com/blogs/phlog/archive/2012/04/06/when-police-subpoena-your-facebook-information-heres-what-facebook-sends-cops.aspx

DanielApril 8, 2012 1:07 PM

@Clive

Not strange at all. Consider that similar studies have been done about on-line personas (avatars) in games like World of Warcraft or Team Fortress 2. People literally spend many thousands of dollars on those games. To some people those in-game characters are their reality. The mental identification goes way beyond anything the term avatar implies. The psychology of it is interesting.

hardtruthApril 8, 2012 8:53 PM

Like an open heart surgery there has to be a basis for such a life threatening operation and with all other crucial impositions, were's the basis. 911 is a basis for air port security--prove the basis. Prove it.

Clive RobinsonApril 9, 2012 7:33 AM

@ NobodySpecial, Gabriel,

It takes 13inches to frighten America, 11inch just doesn't do anything for the TSA anymore

Then I guess the 17inch's I've got would get "their panties in a wad".

Mad as it might be the TSA are not the only people with apparently wierd rules. There are a number of well known world wide "over night" shipping companies with their own planes, that have what appear to be sstrange. rules...

Prior to the "AQ photocopier shipment" they had implemented a rule known as "volumetric weight" which in it's implementation makes some of the weirder TSA decisions look both rational and sane.

For instance let's assume you wish to send a household broom...

If you just wrap it it will cost you big because the aproximate rule is max length times max width times max height... But with various constants included for the size of the dimension. So it's Length times length constant A if under X, conastant B if between X&Y etc, Oh and the constants are different for each dimension...

But you have to be carefull because of that hidden in the small print "irregular shape rule" max length is actually not the length of the broom, but from the tip of the handle to the furthest point on the broom which is actually at the end of the bristles at the end of the broom head...

But what if you take the broom head off, logicaly you'ld tape it to the broom handle about half way down.... Err no, remember those constants, you might be better off taping it length wise not to the side of the handel but actually onto the end...

If you ship a lot of items like broadcast antennas it realy realy matters exactly how you, wrap them up and it changes if you are sending multiples in the same package.

But what if you have an "Online Business" and have to show the shipping as the customer selects items for the shopping basket the numbers go up and down faster than a child on a trampoline...

And if you think "it's not worth the software coding effort or CPU cycles" remember the customer realy does not care if they get the product from you or your competitor, it's the price including "shipping costs" that counts on the Internet...

Michael ToeckerApril 9, 2012 10:13 AM

OffTopic:

Project Basecamp has released a whole bunch of !new Automation system attacks, basically aimed at demonstrating that Stuxnet attacks are easy.

http://www.digitalbond.com/2012/04/06/stuxnet-type-attacks-are-easy/
http://threatpost.com/en_us/blogs/project-basecamp-adds-stuxnet-type-attack-module-metasploit-040512
http://www.wired.com/threatlevel/2012/04/exploit-for-quantum-plc/

FullDisclosure: I work for Digital Bond, the company that released the attacks.

Mike

Nick PApril 9, 2012 12:36 PM

@ Mike

"FullDisclosure: I work for Digital Bond, the company that released the attacks."

Now they know who to sue, threaten, or arrest. Nice work, though. ;)

squidApril 9, 2012 10:53 PM

http://cryptome.org has posted this:

FBI Backdoor: Templar NVIDIA GPU Factoring Suite March 29, 2012
http://cryptome.org/2012/03/Templar.zip

Other sites and twitter tweets have picked up the story and linked to the zip archive.

But, what is inside?

No one seems to know or wants to blog/tweet/talk about it on discussion forums, searching the web only reveals links to cryptome's url for the zip archive.

I'm not downloading the zip, but I'd like to know what is inside. Is this a separate program offered by NVidia, a hardware or firmware exploit?

What?

Please begin posting to blogs and discussion forums indexed by Google and other search engines, what this mystery zip archive contains!

Is anybody reading this?

A New Microchip Knows Just Where You Are, Indoors and OutApril 9, 2012 11:32 PM

A New Microchip Knows Just Where You Are, Indoors and Out

April 10th, 2012

http://cryptogon.com/?p=28522

"The chip achieves unprecedented accuracy by processing information from many different sensors."

Via: MIT Technology Review:

http://www.technologyreview.com/communications/40075/?p1=A1

By Christopher Mims

"Broadcom has just rolled out a chip for smart phones that promises to indicate location ultra-precisely, possibly within a few centimeters, vertically and horizontally, indoors and out.

The unprecedented accuracy of the Broadcom 4752 chip results from the sheer breadth of sensors from which it can process information. It can receive signals from global navigation satellites, cell-phone towers, and Wi-Fi hot spots, and also input from gyroscopes, accelerometers, step counters, and altimeters.

The variety of location data available to mobile-device makers means that in our increasingly radio-frequency-dense world, location services will continue to become more refined.

In theory, the new chip can even determine what floor of a building you’re on, thanks to its ability to integrate information from the atmospheric pressure sensor on many models of Android phones. The company calls abilities like this “ubiquitous navigation,” and the idea is that it will enable a new kind of e-commerce predicated on the fact that shopkeepers will know the moment you walk by their front door, or when you are looking at a particular product, and can offer you coupons at that instant.

The integration of new kinds of location data opens up the possibility of navigating indoors, where GPS signals are weak or nonexistent.

Broadcom is already the largest provider of GPS chips to smart-phone makers. Its new integrated circuit relies on sensors that aren’t present in every new smart phone, so it won’t perform the same in all devices. The new chip, like a number of existing ones, has the ability to triangulate using Wi-Fi hot spots. Broadcom maintains a database of these hot spots for client use, but it says most of its clients maintain their own."

© 2012 Technology Review

Nick PApril 10, 2012 2:12 AM

@ squid

You fear mongering or truly afraid to open it? I opened it. I haven't googled the attack. The summary is "Templar is an NVIDIA CUDA implementation of the Pollard Rho factoring method, and includes birthday attack optimizations collectively referred to as a "reduction sieve" attack." Includes recommendations to reduce attack keyspace and factoring time.

The thing is it mentions numbers. Well, the folders have files with RSAwhatever.txt. I figure they're the RSA challenges. The numbers are 576 and 640. Quite short of the 2,048 I've always recommended. I do allow 1,024 for short term uses or temporary asymmetric key pairs. (Kind of like rekeying a symmetric cipher, just in case.)

I went ahead and just googled it anyway. Turns out the same team broke 576 and 640. The 704-2048 challenges remain open. So, this is probably the same group or a similar one theorizing that throwing GPU/cloud at the problem will do way better. Maybe, maybe not. Looking at how it takes almost exponential increases in power to defeat a slightly better RSA version, I doubt they've stumbled on anything spectacular. Little to be paranoid about, for now.

nullApril 10, 2012 7:48 AM

"We need a program of psychosurgery and political control of our society. The purpose is physical control of the mind. Everyone who deviates from the given norm can be surgically mutilated.

The individual may think that the most important reality is his own existence, but this is only his personal point of view. This lacks historical perspective.

Man does not have the right to develop his own mind. This kind of liberal orientation has great appeal. We must electrically control the brain. Some day armies and generals will be controlled by electrical stimulation of the brain."

Dr. Jose Delgado
Director of Neuropsychiatry
Yale University Medical School
Congressional Record No. 26, Vol. 118, February 24, 1974

Toby SpeightApril 10, 2012 8:32 AM

Verizon 2012 Data Breach Investigations Report published. It claims that 97% of breaches are "easily preventable" (but doesn't tell us much about the remaining 3% unless I missed that when skim-reading).

And also, "73.6% of people will believe a statement that includes a statistic, even if it is completely made up." which we knew already, of course, but it's nice to have an authoritative source. ;-)

Michael ToeckerApril 10, 2012 8:55 AM

@Nick

Oh, they know. The attacks are research on vulnerabilities in automation systems. Basically, a demonstration of what it takes to build exploits against those systems.

Mike

XuthApril 10, 2012 10:39 AM

University of Pittsburgh has evacuated buildings 57 times in the last month over anonymous unsubstantiated bomb threats. This includes high rise dormitories in the middle of the night, a 42 story high rise and a facility for housing patients and families who are in town for outpatient treatments but live too far from the hospital campus nearby.

With the exception of the first few bomb threats, all have been by anonymous email through relays around the globe.

How is evacuating these buildings for several hours at a time (costing tens of thousands of man hours that either the university is paying for or students paid the university for) along with the police response and search of the buildings a reasonable response?

BrandonApril 10, 2012 4:49 PM

I'm wondering if/when Clive Robinson will start his own blog. His comments are often longer than Bruce's posts! Along with the quantity, the quality of his commentary is better than most bloggers. That's an impressive and rare combination for someone to not have their own blog ...

That, or CR is Bruce's twin and simply has a lot of spare time that Bruce doesn't.

Nick PApril 10, 2012 7:25 PM

@ brandon

Definitly. I think the main issue is health problems and how hard it is to blog on a tiny phone. He might also use Bruce's blog for exposure. I do this.

BrandonApril 10, 2012 10:35 PM

I wasn't aware of those issues. I've also wondered sometimes if Clive is one of Bruce's alter egos. Very well informed on so many diverse topics ...

Nick PApril 11, 2012 1:36 AM

@ Brandon

I can't be certain, but I doubt it. Clive convincingly talks like an old geezer with more knowledge than Bruce, but usually less skill at presentation. Bruce has also asked him to contact him on more than one occasion. I've speculated that Clive is actually a spokesperson for a secret think tank or agency with tons of specialists and generalists.

In all likelihood, he's just a somewhat eccentric Brit with a gifted mind, unconventional thinking and lots of very useful experience.

Clive RobinsonApril 12, 2012 3:30 AM

@ Brandon, Nick P,

Clive convincingly talks like an old geezer with more knowledge than Bruce, but usually less skill at presentation.

Hmm whilst I'm 'cough cough' years older than Bruce, I hope I'm not yet old enough to be considered an "old geezer" (in the way it's used in the UK ;-)

As for "more knowledge than Bruce" hmm as I don't know what Bruce knows then it's not realy arguable. But yes Bruce certainly knows more than I do in certain areas and I would guess the opposite is likely to be true as well. But that applies to most other people on this blog who either have a proffessional speciality or specialist hobby (I can guarantee the Bruce knows more about his chosen musical hobby than I do ;-)

With regards,

In all likelihood, he's just a somewhat eccentric Brit with a gifted mind, unconventional thinking and lots of very useful experience

Hmm most "Brits" over 30 are considered "somewhat eccentric" in the US especialy those with a "Home Counties" accent. As for those with a Scotish "burr to their voice, and wearing a Kilt" as well as being 2m tall tend to get quite a bit of attention in the US...

Nick PApril 12, 2012 1:25 PM

@ Clive

The Scottish point reminded me of something. One of my cousins is more Scot than me and nobody would doubt it. He jams to headbanger music, drinks heavily, and wears only a kilt to local volleyball/basketball games. Needless to say, I've missed out on all of those games. ;)

Clive RobinsonApril 13, 2012 6:34 AM

@ Nick P,

One of my cousins is more Scot than me and nobody would doubt it.

Yes it's always "ones relatives" that let the side down (I'm the one with the "Home Counties" accent) though I guess they think the same of us :-).

Although not my direct cousin (I could never get the hang of 2nd 3rd etc relatives) we look sufficiently alike to put the fear of all deities into you if we come out of the gloom at you, he also used to take part in historic battle re-enactments and he used to not only dress the part he could use the weapons correctly and actually taught himself to make them in the historicaly correct way. It was because of this he got invited over to the US many years ago to give a talk or two and due to the friendliness of the people spent the next year hitchhiking his way around in his kilt (with his weapons) and acording to him hardly ever having to put his hand in his pocket...

With regards,

and wears only a kilt to local volleyball/basketball games

You did not mention if he is a spectator or player... And I'm assuming from the "wears only" that the games are held in the warmer states ;-)

There is an old "truism" about holes in the ground to explain how some Brits ended up in various perts of the world,

"Tis only a Mine, if thars a Cornishman at the bottom and a Scot in ta engine house".

Whilst Cornishmen continued down the Americas many Scots stayed in the southern USA building and maintaining farm engines and the like as well as moving back up northwards as industrialization happened. The result I'm told is that there are more Scots in America than Scotland and the second largest "Highland Games" in the world is in Atlanta...

Nick PApril 15, 2012 4:01 PM

@ Clive Robinson

"Although not my direct cousin (I could never get the hang of 2nd 3rd etc relatives) we look sufficiently alike to put the fear of all deities into you if we come out of the gloom at you,"

Like hell. If you know Scots/Irish, you know that I'd just pimp slap anyone glaring at me. :P

As for the rest, interesting story about Scots in the USA. I'm in the Mid-South, so I can't verify or add anything to that. And my cousin was a player, not spectator. Kilts are nothing to worry about if the person is sitting down. ;)

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..