Schneier on Security
A blog covering security and security technology.
May 11, 2012
Friday Squid Blogging: New Book on Squid
Kraken: The Curious, Exciting, and Slightly Disturbing Science of Squid. And a review.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on May 11, 2012 at 4:58 PM
A client's financial management company recently discovered that their comprehensive audit log trail [who looks at what, in their internal secret records, when, for how long, and does what with it] was not detecting an intruder.
Does anyone know how many laws are being broken in a case like this?
Does it make a legal difference if the intruder is inside or outside the U.S.?
[The internal records are inside the US]
For some reason I thought this book would be about Squid, the type that resides on a computer and acts as a proxy.
Interesting book nonetheless.
As much as you like squid, you should watch the anime Ika Musume ("Squid Girl") someday. It's hilarious.
Dr accused of terrorism via Twitter, then evicted from cruise where he was programmed to give an address:
Surprised this wasn't mentioned here this week.
Turkish hacker team "redhack" attacks on government websites. Motivation: protesting anti-secular propaganda of the government.
It sounds like a nice idea at first, but I think it will just give a false sense of security. Using DNS poisoning or malware you can make people think they're on the supposedly .secure toplevel domain, when in fact they're not.
This may be an important and sensational security story. In the interests of security, the US FBI has risked the safety and security of people around the world: the operators of an anonymous remailer service had their server seized, and then silently replaced, by the FBI; they now suspect that the FBI may have implanted snooping software.
IMO if someone has physical possession of your hard drive for four days the only sensible answer is: game over.
I would take that server and immerse it in an acid bath until it was destroyed. It's sheer arrogance to think you are better than the hive mind at the FBI and even if you are is one willing to risk the lives of many people on that faith? I'm not.
Personally, I wouldn't even trust back-ups at this stage in the game. The whole seizing of the server could just be a feint, knowing they compromised it a long time ago and hoping you'd restore from back-ups to give you a false sense of security.
Sorry, it's game over. Sucks to be one of their users but I don't see any other answer.
The solution is terribly simple: ditch that server & get a new one. They might use a virtual private server at another company until their new dedicated server is up and running. And I'd put any anonymous remailer service offshore in a country with strong privacy laws, if possible.
Example: Panama corporation with the servers in Hong Kong. Let Hong Kong government or kingpins have free use of the system for greater assurance of its protection.
@ A Nonny
The plan for .secure is also to control who can issue CA certs for a site.
wassup with posting the same thing twice.
i demand a refund!
With regard to the ".secure" you might want to also read,
Personally, idealistic as "a gated community" on the Internet sounds, I don't think it's going to work...
First off, it's not a gated community in the slightest, because nearly all the users are going to be outside coming in, thus it's more like a "shopping mall".
Secondly, much of the attacks carried out on users these days for financial gain are not at the "server" but the user's "PC". Why bother trying to break TLS linked to DNSSEC when you can just do a quick end run around its security at the user's end.
Thirdly, SSL started out this way with high and mighty ideals that CAs would only sign certificates etc. of fully vetted companies etc. But the usual "free market" "race for the bottom" followed as surely as night follows day, due to too many players chasing too few customers where the only thing of interest to the customers was minimum price.
The only way this is going to be even remotely viable financially is if it is "a closed monopolistic" market, and I cannot see that happening. The reason being governments, they just will not cede that sort of power. And as we have seen with the likes of Microsoft, RIM, etc., when it's a choice of rolling over to a government to do business within the country or not doing business there, they will roll over every time...
So personally I think the seed money is "blown" unless it's a weird marketing campaign by the parent company.
The following article written by Marc Weber Tobias is somewhat amusing; whilst it contains some factual (as well as factually incorrect) information, it is written in a "Here be Dragons" or "The Bogie Man is out to get you" style that almost renders it to FUD,
U.S. Army Wants Keylogging Software to Help Prevent a Second Cablegate
The full story and additional reporting on DARPA research into the matter is available from the Army Times:
@Daniel, Nick P:
"The solution is terribly simple: ditch that server & get a new one."
Personally, I don't believe that the FBI has super magic ultra X-ray invisible secret technology, but even if it did, to me "the problem" isn't that of the remailer organization verifying the integrity of their server.
"The problem" I'm focused on, is the willingness of the US government to threaten privacy.
Since Ike mentioned it, here's a bit more information on Shinryaku! Ika Musume
Personally, I'd say the humour in it gets old pretty quickly. I've been debating whether it was worth mentioning for some time.
I'd been debating bringing Squid Girl up too. Since neither Ike nor Aaron has given you the direct link to the official US stream, here it is.
Given that it's on Crunchyroll, that stream is probably accessible in other countries, most likely in the Americas and Europe.
Part 1, part 2, and part 3 of a story about a mistaken eyewitness identification. In this case, the witness really had seen the guy she identified as the shooter shortly before the shooting. If you're just interested in the neurobiological explanation, skip to part 3.
@ Mark H,
Personally, I don't believe that the FBI has super magic ultra X-ray invisible secret technology, b
They don't need magic, super or otherwise, and examining the HD is probably not going to find anything...
For instance, how do you know the HD and its on-board controller in your computer is yours?
The simple answer is unless you have marked it in some forgery-proof method then you don't. And even if you know the hardware is yours, how do you know that the software on it has not been changed in some way?
You don't, and the same applies to the rest of the hardware including the actual CPU chips.
From the article it appears the organisation is going looking for changes; from my point of view that is a very bad idea. However the damage is probably already done by the FBI agents reconnecting it up.
Also "black box testing" of the server is a waste of time as you don't know what might have been added by the FBI, what it does and how, or if it's even still on there. And what if you do find something, what do you do? Do you stop or carry on looking as it might be there as a decoy etc...
For instance, let's assume that it's to get at the KeyMat: what bandwidth is required to get one (master) AES key out of the box over, say, a six hour period?
It's tiny compared to the actual "normal traffic", in fact so far down in the noise you could quite easily hide it in the jitter on the edges of basic system network traffic caused by a SysAdmin using a TLS/SSL link into the box.
This is possible using what are effectively the Spread Spectrum techniques used for Low Probability of Intercept radio systems, and was carried forward into "Digital Watermarking" some dozen years ago.
The advantage the attacker has is "system efficiency"; this makes the system full of side channels that can be exploited in numerous ways. As a general rule of thumb, the more efficient a system is or the faster its response time, the more channels there will be and the more transparent the system will be to "covert through channels". As an example, have a look at work done by a couple of students and Matt Blaze to leak information from the keyboard through the computer without having to add anything to the computer itself.
Basically, if it was my system I would regard it as toast, and find some way of extracting replacement costs out of the FBI, one of which might be "theft of services": after all they did not follow the normal established procedure for returning property. Instead they returned to the co-lo site either with a warrant or illegally gained access, they then reconnected the server and powered it up without appropriate permission, thus incurring an unauthorised usage of electricity and usage of communications.
And this might go some way to mitigate your concern of,
"The problem" I'm focused on, is the willingness of the US government to threaten privacy
I know that the FBI appears to have unlimited resources, but it does not, and having to deal with a court case for theft / illegal entry is not a minor issue for them either in terms of resources or reputation. Even if they eventually win it will draw unwanted attention via the press etc. Especially if they are stupid enough to try justifying it in some way, as that gives rise to the "do you still beat your wife?" type response with, say, a simple question of "So it's still OK for the FBI to kill innocent people in the name of an investigation... just so we know, how many innocent deaths are needed to stop it being OK these days?".
 For some reason the original link does not come up properly at my end so... http://redtape.msnbc.msn.com/_news/2012/05/11/...
 G. Shah, A. Molina, and M. Blaze. "Keyboards and Covert Channels." Security Symposium. Vancouver, BC. August 2006. (PDF http://www.crypto.com/papers/... ).
"Personally, I don't believe that the FBI has super magic ultra X-ray invisible secret technology, but even if it did, to me "the problem" isn't that of the remailer organization verifying the integrity of their server."
I don't know how you jumped from "backdoor" to "super magic ultra X-ray invisible secret technology." I was thinking more on the lines of a rootkit or hardware/software modification to defeat confidentiality. Clive seemed to get that.
""The problem" I'm focused on, is the willingness of the US government to threaten privacy"
Then your post was still a waste. Those of us on security and privacy forums are a minority who are well aware of the issue. In the US, the majority (e.g. lay people) have to make a politician "know" he or she will lose votes if they pass a law. Or take useful direct action. (I'm leaving the definition open & vague intentionally.) If the majority or the power players don't have your back, then you will accomplish nothing. That's how things work in the US.
It's why gas is high, the media is full of crap, the entertainment industry sues grandmas, defense spending is ridiculous, and gas keeps spiking. The cartels and elites (i.e. power players) pay the politicians in the form of campaign contributions & sometimes kill anyone that's a threat to them. If you can't outdo them, then you can't change the situation. Might be better to move to a different country. I know that sounds like quitting and sucks, but it's the only way to avoid most of US govt issues.
@ Clive Robinson on Marc Tobias
I am at a loss for words. There was some accurate information there. He's connecting this guy to the hacking situation in general and they don't really fit together. If Weber thinks this is typical, he's extremely uninformed. Most hacker gangs and so-called APT groups don't work like that at all. If real at all, it was a few hackers & a wannabe hacker gang.
Also, he spent all that time infiltrating them only to bail at the last minute? That's utterly lame compared to others like the black hat carder who hacked all the carders' computers & forums, stealing their stuff, destroying PCs, etc. Grey-hats I know have conned service providers out of personal information & intimidated would-be hackers until they quit (far as we know). And this guy is the entertainment industry's heavy hitter? Yeah right....
Had Weber done some research, he would have found that the entertainment industry's main target isn't hackers: it's pirates. Pirates get a copy of a movie, share over things like BitTorrent, and possible sales are lost. The heavy hitter of the entertainment industry, including porn recently, is a law firm that seeds torrents and files to trace IPs. The firm then sues on behalf of entertainment clients & often settles.
This is an effective strategy for recovering losses and deterring pirates. But hacking forums with 10 hackers and hundreds to thousands of script kiddie followers? Why, that could make them millions and save the entertainment industry overnight!
As an anti-terrorist measure, the street trash bins have been covered with plastic and buckets have been placed alongside (you need to dump trash somewhere).
@ Nick P,
Might be better to move to a different country. I know that sounds like quitting and sucks but it's the only way to avoid most of US gov issues.
Sadly I live in another country where US Gov issues haunt the population every day. Because the politicos of both major parties think the US is a shining example...
Despite all logic indicating that in general the US way is far worse (political system/prisons/health care/armed forces/education/open markets/unregulated banking/etc./etc., the list is very very long) the politicos keep saying it. Then guess what, we find out that those espousing "the US way" are all on the take one way or another from "industry" or "media".
So you need to find a country where the politicos can not be "bought" (impossible I'd say), or one which has nothing worth buying the politicians for, or one where there is "actual democracy".
What do I mean by "actual democracy"? Certainly not "representational democracy" in all its forms, as when boiled down all you are doing is "voting for a monkey in a suit"; no, I mean one where people actually vote directly on substantive issues as they arise.
Are there any such places? Well, yes, there are one or two Swiss cantons where once or twice a year the eligible voters gather in the town square and vote directly on issues that have been proposed by various people in the preceding period.
The problem is in a hierarchical society (which is what we live in regardless of politics) it does not scale well, so you end up with "representatives" who, as they are human, can be "influenced".
Thus you realise that Winston Churchill was right with his observation that democracy is the worst form of political system, except for all the others...
Thus the initial fundamental problems are the inability of human societies above a certain size to be anything other than hierarchical in nature, and keeping those towards the top of one hierarchy from having undue influence on those at the top of other hierarchies.
However there are a couple of other fundamental problems that need to be resolved, the first of which is that "federation" does not work, because what is good for one group of people is not good for another and thus to get them to agree they either get suppressed or bought off. We see this in the Northern Hemisphere with industrialisation to the north -v- agriculture to the south, and similar but the other way up in the Southern Hemisphere. Simplistically, those in the high population industrial areas produce most of the wealth whilst those in the sparsely populated agricultural areas don't produce wealth, just the food to keep the industrial population alive...
The result is very different viewpoints and usually a desire by the agricultural areas to become industrialised. Thus what is good for one area is bad for another area, and if the areas are semi-autonomous politically but dependent in other ways a federation often results. But as we have seen with "The grand plan for Europe" it fails due to regional self interest...
Now scale up to "National Interest" and we see the same game played out: politics, especially democracy, is broken by self interest and influence applied to the hierarchical systems that society builds.
So I'm not sure there are worthwhile places to live in the world where US Gov "self interest" does not make itself felt, and as was seen with the invasion of Iraq it will fight to protect that self interest. Unfortunately the US Gov has kind of shot itself in the foot; whilst squabbling over "oil" it's dropped the ball with respect to China.
China has a long term view, not the more usual "Western" short term view. Historically it regards itself as "the only world power" and thus regards the current Western dominance as an aberration to be removed/resolved on its terms. It can be easily seen (by those who care to look) that China is obtaining influence in economically poor but resource rich countries and embedding themselves there. Unfortunately the US appears to be going about dealing with this in its usual manner of allowing the War Hawks to run the show. So we have the China APT mob talking up Cyber-war, whilst also pushing much more quietly for the reopening of the Korean war...
As most historians will tell you, the US-v-China "proxy wars" have not gone the way the US would want when involving the Chinese "buffer nations" such as Korea and Vietnam. Hence my reason for keeping a watchful eye on that part of the world, including Australia, which will almost certainly become the next "unsinkable aircraft carrier" should the saber rattling get out of hand.
Essentially Saddam Hussein, tired of having the US trying to starve him out after the first Gulf War, went to various EU countries and their main oil companies offering to sell Iraq oil exclusively in euros in return for Europe getting trade embargos/sanctions lifted. As observed by the likes of Paul Wolfowitz with his infamous "lake of oil" comment, the US could not allow this to happen for various reasons, one of which Mr Greenspan alluded to, which would be the cessation of the US Dollar as the "world's trading currency". If this were to happen the US would get "flipped back" to almost "colonial status" with Europe within about 50 years.
Hey, Bruce, I came across Kraken yesterday. Since you had recommended it, I took a look. So far, I have skipped about reading a few pages here and there. Eclectic and fascinating. Thanks!!!
Science of squid intelligence and adventures.. Wonderful book for reading. Thanks for this recommendation.
For this coming Friday, /me suggests taking a look at Rafe Sagarin's risk/security book "Learning from the Octopus" --
DoD Taps Commercial Internet Providers to Help Protect Defense Industry Networks
"The Pentagon would like to see at least 1,000 companies join the so-called “Defense Industrial Base Cyber Security/ Information Assurance” program, Hale said in a May 14 conference call with defense journalists and bloggers."
As usual, the good stuff comes up on a Friday...
The Operational Attorney of the US Army Cyber Command Robert Clark has been at AusCert giving a talk and interviews. So what you are probably thinking but...
He is happy to label so-called outbreaks of “cyber-war” portrayed by almost countless journalists as “B.S.”...
Basically he is saying that various people are over-egging the pudding, not just journalists, and that up to the current time there have been no acts of Cyber-war, as they have not met the "legal requirements" of war. He goes on to say that
“Stuxnet was not a cyber ‘attack’, Estonia was not a cyber ‘attack’, that pipeline that some people say ‘yeah, that was malicious code’ wasn’t a cyber ‘attack’”
However back over at the Christian Science Monitor they have a follow-up story to the one a week or so ago about the US gas supply industry getting a quite serious warning and apparent change in policy from the DHS Industrial Control Systems Computer Emergency Response Team (ICS-CERT).
Basically, back in 2006 the American Gas Association was coming close to finalising a security standard (AGA-12) to protect legacy systems using "open comms" over accessible networks in the various utility companies. Then, for reasons still unexplained, the funding was pulled within a very very short time of the standard being finalized.
The basic story the CSM is pushing is that the reason AGA-12 never went to bat was the industry "short term" "bottom line" or the faux argument of "enhancing shareholder value". That is, execs looked at the unit cost (about 500USD/bump in the wire) and simply said "it ain't happened yet so don't ruin my bonus". Even Stuxnet, a very clear example of what could be done, only caused a short flutter in walnut corridor before it was back to business as usual.
Thankfully though, AGA-12 has not sunk without trace: the Institute of Electrical and Electronics Engineers is reworking it as a new standard (IEEE 1711-2010).
What the article does bring up is the argument about whether the approach to improving the security and stability of the critical infrastructures of the utility companies should be "mandatory or voluntary", and sadly this appears to have become a political football between Congress and the Obama administration, with all the usual pointless point scoring you would normally expect being stepped up into "turkey walk" posturing simply because it's an election year. The chances are that it will once again get kicked into the long grass where it will stay until it's too late.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.