Friday Squid Blogging: Squid Bicycle Parking Sculpture

Neat.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on May 4, 2012 at 4:01 PM • 50 Comments

Comments

llewelly • May 4, 2012 5:18 PM

Geoff, the NSA already installed the Cthulhu version of the FBI's wiretapping request. It's busy filling data warehouses in Lindon and West Valley Utah.

Michael • May 4, 2012 10:14 PM

A security checkpoint. A metal detector passage, a table nearby and a security officer. I am told to put my bag on the table together with anything that can set off the metal detector (I put my keys and my phones on the table) and pass through the metal detector. Then I take my bag, which received no attention. The bag is around 15 kg, is appropriately sized for its weight and would set off any detector because there is a notebook with a metal lid inside.

I am afraid that the worst part is that this theater has around the same practical efficiency as any other kind...

On the bright side, it is the only checkpoint in Sheremetyevo without a queue.

Clive Robinson • May 5, 2012 2:31 AM

ON Topic :)

I really like the idea of this structure at many levels; it will be nice to see the finished item.

I only hope it's not killed off by the H&S people, who are bound to say that as it's functional it will bring people into what may be a tripping hazard, and then elaborate on how people will climb on the metal body and, if it's wet (I know it does rain in Seattle from various visits ;), slip and fall into the gaps caused by the arms/tentacles etc.

As a piece of "civic art" it's really nice having both form and function.

Unlike the supposedly "iconic" structure in Kingston, SW London, called "Out of Order", which consists of a series of old BT/GPO red telephone boxes progressively laid over. It has taken function and lost it to very bad form:

http://www.tiredoflondontiredoflife.com/2010/09/see-kingstons-phone-box-dominoes.html

Apparently this "image" is rapidly replacing the one of the red RouteMaster Bus in Trafalgar Square as the "Post Card to send home" image. Which is odd because it's actually ten miles outside of the centre of London, and most residents still call the place "Kingston, Surrey" on their correspondence, not "Kingston, Greater London" (Kingston used to be "The market town of Surrey" where the County Council had its offices, and it is now a major shopping centre and University town). Also, most of the pictures of the artwork on the Internet appear to have been taken from the worst possible angles (i.e. all but the one vaguely OK angle ;)

Clive Robinson • May 5, 2012 3:27 AM

@ Daniel,

Not really new but it's in the news again...

And I would expect it to stay that way until they get their way.

Essentially the reason is simple: nearly all "Social Networking", especially those with SSL/TLS access (especially if it allows TOR or other anonymising access connections).

I identified this as an issue on this blog some time back before the "Going Dark" episode.

In essence "Social Networking" is a "communications cut out", and as it's almost always on privately owned systems whose companies don't have "Common Carrier" status it's not amenable to much of the current legislation (which assumes point-to-point communications with identifiable end points for "pen&trace" wire tapping).

Much worse some social networking is "store and forward" in nature with multiple end point termination, which makes "traffic analysis" difficult at best.

To see why, a little scenario:

You and your "Mafia / Colombian partners in crime" wish to communicate privately. With a little thought you will realise that most forms of traditional communications paths are monitorable, and worse, those that are not (think traditional Spy Craft) are not very timely and quite difficult to implement.

Ordinary Internet traffic is likewise "point to point", thus you are only effectively changing "telephone numbers" for "IP addresses". And even where you can hide the distant end point through an anonymising network such as TOR, its "immediacy" allows "traffic analysis" to be performed.

So on the face of it the Internet is little better than the telephone network for hiding in.

However, what if you could combine the electronic communications aspect with a tried and trusted bit of "Spy Craft" such as a "drop box" or "dead letter box" or similar?

Well you can, through major service providers such as the "Social Networks" and "Search Engines" and open post blog sites. So much traffic goes into these sites that from a "traffic analysis" point of view there is little or nothing you can effectively get a correlation on except "simultaneous connection" or "packet size".

The "simultaneous connection" is easily broken by using the "store and forward" nature of these services (think writing on a popular friend's wall etc.), and the "packet size" can likewise be broken by using an interactive function such as an online editor where you type in and delete mainly "filler" that is several times larger than the network packet size, and in one encrypted connection session you edit several messages.

The existing legislation does not in any way cover these usages, and the simple solution of "banning them" we know does not work (think of various totalitarian regimes such as China and Iran, which have tried and so far failed). Thus "back doors" into these services and "encryption technology" are the next best thing from their point of view. However, as I've indicated in the past, there are ways you can use search engines etc. to fully decouple a communications path between users, so from that point of view even "Social Media Supplier back door access" is not going to work for them.

The simple fact is there is way too much redundancy under the users' control on a peer-to-peer network like the Internet, so smart people will almost always be able to communicate not just securely and privately but, importantly, anonymously as well. It's not so much a "cat and mouse" game but a "blundering elephant and agile flea" game: most times the elephant cannot even see the fleas it needs to see and only manages to crush some, more by accident than design.

Clive Robinson • May 5, 2012 3:45 AM

@ Joe,

Rand Paul wants to end the TSA

I predict that his current attempts will fail, and unless he lines up some very powerful political allies who can't be "bought off" easily he won't get a subsequent, more likely to succeed, attempt to cut them down (to size).

Fleas can kill a 600lb gorilla but it takes many bites to do so; usually there are not enough fleas to do it by just biting alone, sometimes you need a serious pathogen as well (the plague). The best pathogens are ones that destroy the mind as well as the body and have a "self inflicted" aspect (syphilis being one, historically leprosy being another) which causes others to avoid, not assist, the afflicted.

In the case of the Terrorist Supporting Agency, finding a single suitable pathogen will be difficult; therefore several should be found, most of which will be strongly correlated to the "seven deadly sins".

Clive Robinson • May 5, 2012 4:44 AM

OFF Topic:

From time to time and much more frequently of late the vulnerability of "critical infrastructure" and the associated APT attacks comes up.

Usually it is in connection to the lamentable behaviour of the utilities and government agencies involved.

Well, for once there might be a little good news...

http://www.nextgov.com/cybersecurity/2012/05/dhs-cyber-chief-industrial-system-threats-are-growing/55541/

The DHS deputy undersecretary for cybersecurity at the National Protection and Programs Directorate (Mark Weatherford) appears to be at least in touch with the subject.

Importantly, note from the article:

Much of the technical infrastructure running the machines was installed between 30 and 50 years ago, and security flaws are introduced when digital enhancements are layered on top

Critically, this is not just "a past problem" but also "a future problem", and as I keep banging on, it needs proper "framework standards" that "mandate effective and efficient security upgrade paths for embedded infrastructure"; otherwise the likes of "smart meters" etc. are going to be a very major security risk up to 50 years out from now.

If you want a reason to think about why it must be a "framework standard" with "mandatory upgradability", consider that most if not all of our lower level crypto algorithms and security protocols have had to become second or (considerably) more generation in considerably less than 50 years, and many, many attack vectors exist from having to support embedded hardware with protocols and algorithms now known to be weak.

And also, as indicated in the article:

The main upgrades needed, according to Weatherford, are clarifying Homeland Security’s function in civilian cybersecurity, eliminating legal barriers to information sharing in the private sector, and ensuring critical infrastructure systems institute baseline security practices.

Whilst a good idea, the implementation could easily become a disastrous "straitjacket" not just on industry but on all of us. Thus I would urge people not to follow the usual US path to such things but the European approach of a tiered framework of requirements and standards, each of which has a tight focus, can be individually upgraded as required in a timely fashion, and has a required review process built in.

One size "fits all" solutions often don't work because they are overly complicated and self contradictory, with many edge cases and exceptions, all of which makes for excessive baggage and thus "legal burden" whilst providing so many loopholes that most sensible people will just play the "lawyer game" and carry on doing as they please, with ultra short future objectives encouraging "Russian Roulette" strategies to compliance.

Alice Marshall • May 5, 2012 7:08 AM

Another article about News Corp/NDS pay TV pirates. I particularly recommend the part about the time stamp:

Oliver Kömmerling said that when he downloaded the Canal Plus file on DR7, it showed up on his computer directory as having been created at exactly the same time as the identical Canal Plus file that the NDS Black Hat team created in Haifa nine months before – July 6, 1998, at 15 seconds past 4pm.

There are 23 million seconds in a year. Two identical files, the only ones not held by Canal Plus. What are the odds that they would be created at exactly the same moment?

Clive Robinson • May 5, 2012 12:29 PM

OFF Topic:

Have you ever wondered what happens when a company resorts to using lawyers to attack its competition because it knows it's not going to win in the open marketplace?

Sometimes it's obvious, other times not...

Well Samsung got sued by Apple over some obscure look and feel (Trade Dress) on the Galaxy smartphone, where Apple tried to claim "it owned the rectangle" when it came to phones etc (on the ugly iPhone).

Well, journalists noticed that with the Galaxy III Samsung had changed the design, and they thought it was odd/ugly/amorphous...

Well, one person thinks the "look and feel" of the new G3 is down to Samsung's lawyers doing the design:

http://www.androidpolice.com/2012/05/04/the-samsung-galaxy-s-iii-the-first-smartphone-designed-entirely-by-lawyers/

While it might sound daft, it's actually a lot less daft than Apple's original lawsuit on "trade dress", and if anyone looks at some of the latest Apple products it looks like their lawyers have got into the design game as well...

Whilst case design and "trade dress" lawsuits might not be directly security related, the process behind it of lawyers-as-designers very much is. Whilst there are old saws about there being "More than one way to skin a cat", actually in the design of by far the majority of things there are usually only one or two ways that make sense. And whilst in non security related design areas a few minor, almost "cosmetic", tweaks won't cause problems, in security almost the opposite is true: minor tweaks will kill your security, major changes won't.

Thus having a lawyer say you can do A, B & C legally but also doing D will get you sued out of existence is of critical concern. It's a bit like saying you can build a bridge with an arch almost the same but you have to leave out the "Keystone": the whole arch is fatally weakened and so is the resulting bridge, which will probably collapse during building or shortly thereafter. Whilst the keystone is just one of hundreds of other stones in the design, trying to get an arch to work without a keystone is so difficult that you might as well go for a suspension design for the bridge; it will be less bother and a lot more secure.

Jonathan Thornburg • May 5, 2012 2:01 PM

It seems Apple's "FileVault" disk-encryption in MacOS Lion 10.7.3 has a small bug... it stores the login password of any user of an encrypted home directory tree, in *plaintext* in a system-wide logfile readable by anyone with root or admin access or with physical access to the hardware. :(

See
http://lists.randombit.net/pipermail/cryptography/2012-May/002874.html
for details. No word yet on patches.....
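The report above is that a login password ended up in plaintext in a system-wide log readable by admins and anyone with physical access. Below is an added example (not from the post or the linked list thread) of the kind of defender-side audit that catches this class of exposure: scan a log for fields that look like credentials and flag whether the file's mode makes it world-readable. The log lines and the field-name pattern are constructed for illustration and are assumptions, not the real macOS log format.

```python
"""Audit a log file for plaintext credentials and over-permissive modes.

Added example, not code from the original post. The log format below is
constructed for illustration; real logs will differ and the patterns are
assumptions a practitioner would tune to their own environment.
"""
import re
import stat
from typing import List, Tuple

# Constructed sample log lines (hypothetical format, not real macOS output).
SAMPLE_LOG = """\
2012-05-04 09:01:12 loginwindow[77]: session start uid=501
2012-05-04 09:01:12 somedaemon[78]: auth request user=alice password=Tr0ub4dor&3
2012-05-04 09:01:13 somedaemon[78]: mount encrypted home for alice ok
2012-05-04 09:15:40 cron[90]: job finished status=0
2012-05-04 09:20:02 otherd[91]: passwd: hunter2 (debug)
"""

# Field names that commonly carry secrets; the value is anything up to whitespace.
_SECRET_FIELD = re.compile(
    r"\b(pass(?:word|wd|phrase)?|pwd|secret)\b\s*[:=]\s*(\S+)",
    re.IGNORECASE,
)


def find_credential_leaks(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, field_name, masked_value) for each suspicious line.

    The value is masked so the audit output itself does not re-leak the secret.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in _SECRET_FIELD.finditer(line):
            field, value = m.group(1), m.group(2)
            masked = value[:1] + "*" * (len(value) - 1) if value else ""
            hits.append((n, field.lower(), masked))
    return hits


def is_world_readable(mode: int) -> bool:
    """True if the file mode grants read access to 'other'."""
    return bool(mode & stat.S_IROTH)


def audit_log(text: str, mode: int) -> dict:
    """Combine both checks into a single verdict for one log file.

    A leak in a world-readable file is the worst case; a leak in a
    root-only file is still a finding, since admins and anyone with
    physical access can read it.
    """
    leaks = find_credential_leaks(text.splitlines())
    world = is_world_readable(mode)
    return {
        "leaks": leaks,
        "world_readable": world,
        "severity": "high" if leaks and world else "medium" if leaks else "none",
    }


if __name__ == "__main__":
    # 0o644 is the typical mode for files under /var/log: world-readable.
    report = audit_log(SAMPLE_LOG, 0o644)
    for n, field, masked in report["leaks"]:
        print(f"line {n}: field '{field}' value {masked}")
    print("world readable:", report["world_readable"], "severity:", report["severity"])
```

To run it against a real file, pass `open(path).read()` and `os.stat(path).st_mode` to `audit_log`; the masking is deliberate so that the audit report can be shared without reproducing the exposure it found.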

MW • May 5, 2012 5:56 PM

I like the squid bike rack. For quite some time, I've been attracted to the idea of art which also serves a practical purpose. My favourite subgenre is art which children can play on. I've seen some 3-D network of ropes climbing frames which, in my opinion, would fit right in to the Museum of Modern Art.

Clive Robinson • May 5, 2012 7:01 PM

OFF Topic:

For some time now various commenters on this blog have said, in effect:

You can't stop crackers; get over it and learn to mitigate them like other crime.

Further some of us have derided "best practice" as at best a sad and meaningless joke.

Well, it appears that others, including a senior retiring FBI person, are finally saying the same thing (it's only taken them XXX years to catch up ;)

http://www.wired.com/threatlevel/2012/05/everyone-hacked/all/1

Sadly nobody quoted in the Wired article mentioned the fundamental reason why ICTSec is not really working...

For several years now I've been saying that ICTSec lacks any kind of scientific rigour, and the reason for this is that it's not currently possible due to a total lack of real metrics/measurands. Almost the first step of the scientific process is observation: not just looking, but looking combined with meaningful measuring, collecting and collating the observations so that they can be meaningfully analysed. Without doing this we have not got a hope of moving ICTSec forward into a more enlightened future, instead of its current dark ages of "magical thinking", "magical pixie dust solutions" and "casting of bones prediction" (thankfully we are mainly too squeamish a bunch to try prediction by freshly eviscerated animal entrails, but I know some who might be happy to try it on certain "carders" etc ;)

Anton • May 5, 2012 7:34 PM

The Swiss Federal Government sponsored E-Banking article, published by the Reporting and Analysis Centre for Information Assurance (MELANI):

E-banking increasingly targeted by cyber criminals: eighth report of the Reporting and Analysis Centre for Information Assurance

"The spread of malicious software directed at e-banking applications and phishing attacks directed at Swiss Internet service providers continue to be a huge problem in the second half of 2008. Even the use of USB sticks as a means for possible attacks and dealing with waste data which is continually growing are topics of the eighth semi-annual report 2008 of the Reporting and Analysis Centre for Information Assurance (MELANI). The report assesses the situation in the second half of 2008."

Clive Robinson • May 6, 2012 7:03 AM

OFF Topic:

As many have been aware, one or two agencies under the DHS have given briefings about "Cyber-attack" and "Cyber-War", and it was getting to a point of silliness because most of it had the same "ramblings" the "Chinese APT War-Hawk" mob have been getting uptight about for some time...

Does anybody remember the alert on water/sanitation supposedly issued by the DHS last year that caused much embarrassment and consternation in equal measure and was later attributed to poor equipment maintenance?

Well, the DHS agencies changed their reporting methodology (especially ICS-CERT), more, it would seem, to stop further embarrassment than to be of use to industry.

Well, it appears to be happening again, this time with the Gas supply side. Again through directed Spear Phishing attacks (a good reason not to have a LinkedIn, Facebook or other social networking account).

Importantly, it may have been detected up to a year ago by some commercial organisations (as part of the McAfee "Night Dragon"). ICS-CERT issued some general advisories at the time (such as http://www.us-cert.gov/control_systems/pdf/ICSA-11-041-01.pdf ) and things appeared to have died down.

Well, the first public acknowledgment of the resurfacing or possibly new series of attacks from ICS-CERT was as a lead comment in their month end round up report for April, released on Friday ( http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_Apr2012.pdf ), where they are saying they detected it towards the end of last year...

Well, it appears there is quite a bit more behind the story; however, what is fact and what is half truth is difficult to tell.

What has happened is the Christian Science Monitor has released an investigative style report by one of their Staff Writers (Mark Clayton). It gives some interesting details but not much that can be corroborated, and it has a brushed up FUD style in places (see comment on Amber alert). In particular the piece alleges that ICS-CERT wanted the activities to not be interrupted by the commercial organisations. If true this is unprecedented, as the general rule of thumb is "slam the door and eradicate the vermin" in order to reduce legal liability...

Anyway, read the CSMonitor report ( http://www.csmonitor.com/USA/2012/0505/Alert-Major-cyber-attack-aimed-at-natural-gas-pipeline-companies ) for yourselves, as since its release it's all gone a bit viral and is being regurgitated on most news feeds and subjected to the usual "Chinese Whispers".

I would, however, urge caution, as ICS-CERT has neither a good history nor a good reputation amongst many in the ICS industry for a whole variety of reasons (including a reputation in some places of "collecting and stockpiling cyber-weapons" for use by various US agencies), and this is almost certainly going to colour many re-reports.

Clive Robinson • May 6, 2012 12:44 PM

In the UK it's Sunday evening, which would normally mean the bleary eyes and parched throat of a Monday morning are just a few hours away.

This would normally require a large infusion of double or quad espresso in the frothy latte etc. to try to restore normality prior to entering the office.

Sadly for many, Monday morning is the day you are most likely to spill your "bring back from the dead juice" all down the front of your best suit and blouse/shirt just before that important meeting you spent the weekend slaving over a hot keyboard for, making that special presentation (that I assure you most others in the meeting will be too brain dead to appreciate or even be interested in when compared to the option of staring with a smirk at your steaming coffee stain).

Well, as it's a bank holiday in the UK tomorrow, that nightmare will be delayed for a day for some. But for all of us, an article that explains in part how to avoid some of the likely spills:

http://news.sciencemag.org/sciencenow/2012/05/the-physics-of-spilled-coffee.html

However, for those of us of a certain age or older this is not news; we know that the best solution is to have a vertically damped support on a gimbal orthogonal to the axis of motion in the horizontal plane to reduce the sloshing process in a cylinder (think bucket full of sea water on the beach when building sand castles ;)

Figureitout • May 6, 2012 3:46 PM

@Clive & MW

As a piece of "civic art" it's really nice having both form and function.

I like the squid bike rack. For quite some time, I've been attracted to the idea of art which also serves a practical purpose.

Definitely would have to agree; one of the many things I miss about living in Europe was all the art. It was everywhere, especially the magnificent cathedrals. Here in "Yankee Land" we have mostly new buildings with cheap materials... but I think with enough time the U.S. will blossom. My area has begun to embrace art, and even though the tax bills and utility (or lack thereof) may dissuade others from following suit, I think it will turn out to be a smart decision that brings flavor to an otherwise bland place.

In case you needed another reason to delete your social media accounts, Facebook can decide what is and is not appropriate.

I understand the need to delete spam and obscene pr0n and other worthless garbage, but I think the best method right now is to have the users flag comments for spam like on YouTube (whoever goes by the name "1" on this site and only posts "1", F off and STOP). When I had my accounts, I thought I tested the limits on what could be posted, and the only time I had an odd slip-up where my post was deleted was when I was posting something about the history of the NSA (surely it's all part of a massive conspiracy and they're out to get me :).

Regardless of the subjective nature of what is and is not garbage that needs to be deleted (isn't most of what's on FB mindless drivel anyway? ;), this should give all current FB users pause for thought. Combine that with the stories I read on Brian Krebs' blog about the Tibetan and Russian "Twitter Bots" that prevented real people from "hash-tagging" about their anti-Chinese rule protests and anti-Putin rhetoric, and the implication is that these sites could be used to fraudulently influence public opinion.

DoubleDown • May 6, 2012 7:44 PM

@ Clive Robinson

And to think that this entire attack was because some minimum wage employee opened an attachment on his Windows box.

It is amazing how shoddy the security of these utility companies is (i.e., they don't air-gap the corporate network from the critical SCADA systems, they still use Windows, etc.).

Petréa Mitchell • May 6, 2012 7:53 PM

Just to show the TSA isn't the only travel-related government security agency driving people nuts: the UK Border Agency is under fire for enormous lines at Heathrow, the situation getting so bad that it has allegedly given up trying to stop smuggling.

On another front, it's also the agency responsible for issuing passports, which now include biometric data, which is all stored in a highly unreliable computer system.

All this is coming to a head because the London Olympics are coming up, with the corresponding influx of visitors...

Clive Robinson • May 7, 2012 2:19 AM

@ Figureitout,

Here in "Yankee Land" we have mostly new buildings with cheap materials... but, I think with enough time the U.S. will blossom

Sadly in the UK we have Local Councils stuffed with philistines, who believe their true calling in life is to have their sad little blip of an existence marked by some architectural edifice with their name scrawled across its frontage in some vulgar way.

Which in and of itself is bad enough; however, in most towns and cities building land is at a premium, so in the words of the song "something's gotta go". And when it's not the local municipal recreation grounds, sports facilities (both often bequeathed under covenant) or school, it will be some other historic building of merit.

Because the idiots concerned have no concept of what "architectural context" is, nor for that matter do they care, they call in some consultant who then calls in some overpaid "architect" of little merit to provide some hideous concept design. Sir Richard Lord Rogers, of Millennium Dome and Lloyds Building fame, for instance is a man who has shown that "selling an emperor new clothes" is a fast track to fame, fortune (with attendant tax avoidance scams) and a title or five.

Worse still are those with responsibility for churches or famous historic buildings: they insist that things have to be added to them to provide modern amenities such as conference rooms, educational centres and spiritual enhancement facilities, all with other attendant supposed "revenue enhancing" facilities such as restaurants and all the other "then necessary" bits such as offices and sanitary facilities, fire escapes etc. etc. All of these are invariably slapped on the side of the building of merit, usually ruining the lines and the setting the building is in. Worse, in some cases these glass and concrete "amenities" are designed by an architect who wants to make a "personal statement" to get the awards etc. that can be capitalised on like Lord Rogers. So you end up with something designed not for those paying directly or indirectly (the community that has to live with the results) but for what some aspiring idiot thinks will excite another bunch of idiots they call their peers, but who are in reality a clique abusing patronage to enhance their positions to get the honours of knighthoods etc.

What the churches or other buildings of historical and architectural merit end up with is a glass "lean to" or box unsympathetically grafted on like a clown's nose painted on the Mona Lisa.

I used to shudder at the concrete brutality of some places (look at Blake's Seven to see fine examples such as Leeds Poly, Royal Festival Hall London, Rutherford Labs Didcot and Oldbury nuclear plant used as various settings). However, they are almost enchanting compared to some of the current designs around, and some are hideously ruining the sky line over a thousand square miles or so (the Shard next to London Bridge station is clearly visible from well over 30 miles away and it's not yet even completed). But some are plainly ridiculous: in South West London there is a building that looks like an outsized Lipstick and has thus earned itself the nickname of the "Lippy"; it is truly awful to look at, as those travelling by train to Waterloo or Charing Cross are only too aware as they wince from overhearing comments made by, amongst others, "American" tourists about how silly / ugly / out of place it looks.

Mind you, Lord Rogers has just recently come out to criticize plans to change UK planning laws, using L.A. as an example of what could happen ( http://www.dailymail.co.uk/news/article-2061260/Britain-Los-Angeles-style-ghetto-planning-reforms-warns-Lord-Rogers.html ). However, one cannot help but feel this is self interested due to his history.

Clive Robinson • May 7, 2012 2:37 AM

@ DoubleDown,

It is amazing how shoddy the security of these utility companies is (i.e., they don't air-gap the corporate network from the critical SCADA systems, they still use Windows, etc.)

It would be nice to say it was all down to the accountants and stock option directors in walnut corridor, but it's not entirely their fault.

You have two choices: play the game with the hand you are dealt, or don't play at all.

As has been pointed out before, the Internet connection might be the cheapest and most insecure option, but in some cases, due to local planning/zoning legislation, it's public telecoms or nothing.

Likewise the choice of OS is "what you get", not "what you may want", because that is the OS the system supplier has chosen to use for a variety of reasons.

However, as others will no doubt note, they are the customer and should use their "purchase power" to get what they want...

That said, there is a certain degree of inevitability about the short term viewpoints that have started the "race for the bottom", which under public perception happened due to the likes of Enron etc. However, the reality goes back further than that.

Clive Robinson • May 7, 2012 4:41 AM

@ Petréa Mitchell,

All this is coming to a head because the London Olympics are coming up, with the corresponding influx of visitors...

Superficially, yes...

The real reasons are more complex, but can also be seen from the French, Greek and UK elections.

Basically there is, to use the old expression, "Not enough money to buy a pot to piss in", through no real fault of the electorate. It was mainly caused by the banks and politicians (look up the history of "Bank deregulation" and "Off Book borrowing" via PFI/PPI) who schemed together to quite deliberately keep the bad news hidden from the electorate by what would be fraud if carried out by other organisations or persons.

Sadly in Europe we are suffering the end game of a series of "dilettante experiments" where those with no training or competence in finance or economics have been running the Treasuries rather less well than you would expect from a group of alcoholics running a distillery.

One essential fact they have failed to take on board is that the "tax take" will fall due to modern communications enabling increasingly large numbers of businesses to "Off Shore" their income into zero or low tax zones. But worse, in the UK they have allowed serial offenders such as Tesco, Vodafone and numerous other large businesses to get away with it on a "nod and a handshake" from senior tax and revenue officials parachuted in from the private business sector and big four accountancy firms. Thus very firmly putting the foxes in charge of the hen house.

Another thing that appears to have been forgotten is that for the home economy to recover you need people to spend money (basic economic churn) within the home economy and not elsewhere. The UK is also suffering the triple blight of a strong currency (compared to the Euro), zero confidence in business due to the government policy of severe fiscal cutbacks, and business organisations "outsourcing" as much as possible to other countries with much cheaper labour etc.

Another big joke is "spending only on savings": for many years the only way government projects have been funded is that they must show cost savings over a relatively short period. Thus the easiest target has been "man power", so there has been a big push on IT systems. Sadly, because the focus is on labour force reduction, the focus of all these projects has been wrong and thus they very rarely work. Current estimates indicate that one in five large government IT contracts are going to fail completely, and the rest fail to deliver even basic objectives. But just to make it more difficult, certain high cost government projects change more rapidly on political whim than any supporting IT project could hope to keep up with. So in the past the government departments concerned have had to take on more temporary staff to do the work manually. But with a 25% cut in finances across the board, and some departments seeing 30% or more cuts in finance, they can no longer take on temporary staff and have to lay off the more experienced staff (as they cost more).

So the result you see in the UK Border Agency is just the visible tip of the iceberg which is currently ripping the vitals out of the UK Civil Service, and just as happened to the Titanic one hundred years ago, the results are not going to be good.

Clive Robinson • May 7, 2012 6:15 PM

OFF Topic:

As some of you know Bruce used to do a piece in the UK Guardian newspaper (when they still had their printed technology section).

Well, they still do an occasional technology piece, and this one is an interview with Major General Jonathan Shaw (one of my contemporaries back in the days I wore the green):

http://m.guardian.co.uk/technology/2012/may/03/hackers-breached-secret-mod-systems?cat=technology&type=article

Put simply, he is saying that the UK has had its fair share of APT and that to expect 100% security is not possible.

However, he goes on unfairly (to us old 'uns) to state:

"My generation … we are far too old for this; it is not what we have grown up with. Our natural recourse is to reach for a pen and paper. And although we can set up structures, we really need to be on listening mode for this one"

And he's only 54 the cheeky git ;)

The actual problem is two fold "unfamiliarity with the problem domain" and "rigid thinking".

One of the problems with becoming a staff officer used to be that you learn from the history of your predecessors to re-run the last battle (something that has been taken to ludicrous extremes by the TSA). Often with no change in tactics (an example from the Falklands war being still using "salt-n-pepper" style advancing and commander-led assault attacks on dug-in machine gun positions).

Over the past thirty years more flexibility in thinking has been encouraged in the armed forces command structure to keep up with weapons development, but it still lags well behind what you would expect from those of similar age at the leading edge of commercial technology development.

And a big part of that problem is "command structure": it's way too deep and upwards progression is, to put it bluntly, too slow to encourage more than a limited degree of flexibility, especially with the old "seniority" card being played more often than not.

But even if the command structure was flattened and the problems of seniority removed, there is still the lack of familiarity with the problem domain that needs to be addressed. It is all very well to listen to youngsters, but at the end of the day somebody has to be mature enough to take the responsibility of making a command decision, and they need the knowledge to evaluate what they are being told, otherwise they might be better served by throwing darts at a newspaper.

Now if any army wants to get "cyber-smart" soldiers, and thus commanders, they need to provide the career paths and rewards to encourage this progression, or the "smarts" will follow the money out the door to a keenly paying commercial technology sector.

Oh and it's also long past the time where politicians should be using armed forces as cannon fodder on political windmill tilting.

Nick P • May 7, 2012 8:20 PM

@ Clive Robinson

I disagree with his statement about the older generation for one reason: Orange Book. Shaefer goes into the development of infosec in detail in a paper. However, the requirements of even a B1 system would stop APTs (read: regular malware + social engineering).

Most malware would have a hard time rootkiting systems like GEMSOS, LOCK, XTS-400 or even Trusted Xenix (B2). Add-ins like Argus PitBull might as well. The old generation came up with this stuff. The new generation is still trying to reinvent the wheel instead of using or imitating these solutions from the old days. I say y'all should get deserved credit.

Clive Robinson • May 8, 2012 6:52 AM

With regards the new underpants bomb plot...

The first questions to ask are "how long since the last one?" and "what shape is the graph currently?"

There is one main reason behind the attack, "fund raising", and thus there are two main sources of such an attack,

1, Three letter agencies.
2, A Terrorist organisation.

As the plot "supposedly failed" both sides win and will as a consequence get increased funding.

Why do I say "supposedly failed"? It's simply that, like the photocopier bombs, it is the need to have the bomb discovered that is important. If the bomb went off and the aircraft went down over water or mountain, desert or most other places, then there would be a considerable period of time before it was confirmed as being a bomb; the "impact shock" would be dissipated and of no benefit to either the TLAs or the terrorists.

The problem is that as both sides win on this particular "fund raiser", it's going to be very difficult to work out who is actually responsible, because neither side benefits by telling the truth.

However I will say that as the terrorists concerned have developed and deployed the "ass bomb", if they seriously wanted to succeed then it would be relatively easy to implant another one...

But then it would have to go off, and that's not only not good for business, it means one or more persons get hurt or killed, which, as the US is not the actual target (the house of Saud is), would be undesirable to both sides. It is important to remember that for fund raising it is important that no civilians be harmed, especially women and children; making war on them is a definite no-no in Islamic eyes, thus it would diminish not increase the funds coming in.

Clive Robinson • May 8, 2012 6:56 AM

@ Bruce,

A simple question,

Why the two certs on your site?

You have the EFF one for basic "read" connection and the Rapid one for "write" connection...

Clive Robinson • May 8, 2012 7:01 AM

@ Nick P,

"I disagree with his statement about the older generation for one reason: orange book. Shaefer goes into the development of infosec in detail in a paper."

I'm glad that I'm not the only one that thinks the "older generation" still has a lot to give to ICTSec, and I'd place a small wager that Bruce does as well (plus, oh, at least half a dozen of the readers who don't comment as much as they used to).

Clive Robinson • May 8, 2012 7:34 AM

With regards my post above about the latest "underpants" bomb plot.

I identified two groups who would benefit from such a "fund raiser" but forgot to mention that one group subdivides.

Three letter agencies can be divided into

1, Agency staff.
2, Suppliers to agencies.

Now whilst it is unlikely that "suppliers" could directly carry out such a plot on their own, there are plenty of agency staff who might do it out of self interest.

One set of suppliers in particular fit the frame, as it were, and that is the suppliers of very high profit "advanced scanners"...

Now in the UK at present, and I suspect from reading certain news sites in the US as well, the claim is "the CIA foiled a plot" (apparently not true) for "an undetectable underpants bomb" (definitely not true).

The very expensive "nearly nude" scanners can detect an underpants bomb (if the makers' claims are true), but a bomb without metal parts is undetectable by a magnetometer scanner such as were in common use prior to 9/11 and still today.

Now what we also know is that even the fancy scanners will not work against "butt implanted bombs", and we know that the terrorist being blamed for the design of this current bomb has perfected the "butt implanted bomb".

We also know that certain high placed politicos and senior three letter agency staff have "cushy jobs" either taken up or to be taken up with these fancy scanner firms, provided contracts get awarded by the same staff to the companies...

What others may think on this depends on how cynically they think and how much evidence they have seen of "revolving door jobs" being taken up by various political and senior staff.

As I've said in the past it is difficult to argue backwards from event to cause because it's not the natural order of things. However what does flow in natural order is being rewarded for services performed...

2Easy2Worry2MUCH • May 8, 2012 10:38 AM

@ Alice Marshall

How many millions of seconds are there in an [earth] year? A question recently posed by my six-year-old!

moo • May 8, 2012 3:13 PM

@2Easy2Worry2MUCH:

Google claims there are 31556926 seconds in a year. Apparently that's the number for a "solar year"; a calendar year has either 31536000 or 31622400 seconds in it, depending on whether it's a leap year. (A solar year is apparently 365 days plus another 20926 seconds, or 365 days plus approximately 5.8 hours).

Anyway, you can tell your 6-year-old that there are a little over 31 and a half millions of seconds in a year. =)

Clive Robinson • May 8, 2012 6:53 PM

@ moo,

How many days are there in a year depends on where you are standing...

If you are an observer in space the number is different to standing on the earth or on the sun...

You can see this with two identical milled coins. If you get them meshed together like a couple of gears and rotate both coins once, then they turn once each. However, hold one coin firm and rotate the other coin around it, and that coin does two full rotations...

For those thinking "so what", have a think about the problem of satellites...

Peter E Retep • May 8, 2012 9:32 PM

Competitive Personal Amplification technologies and Information Fluidity
now mediate in favor of the earned trust of management, and of employees,

rather than the older model of universal suspicion
to immobilize information and limit any person's abilities.

powdered flesh • May 8, 2012 11:29 PM

SKorea finds smuggled capsules contain human flesh

http://preview.tinyurl.com/stilltasteslikechicken

"South Korea has seized thousands of smuggled drug capsules filled with powdered flesh from dead babies, which some people believe can cure disease, officials said Monday.

The capsules were made in northeastern China from babies whose bodies were chopped into small pieces and dried on stoves before being turned into powder, the Korea Customs Service said.

Customs officials refused to say where the dead babies came from or who made the capsules, citing possible diplomatic friction with Beijing. Chinese officials ordered an investigation into the production of drugs made from dead fetuses or newborns last year.

The customs office has discovered 35 smuggling attempts since August of about 17,450 capsules disguised as stamina boosters, and some people believe them to be a panacea for disease, the customs service said in a statement. The capsules of human flesh, however, contained bacteria and other harmful ingredients."

Clive Robinson • May 9, 2012 5:08 AM

@ Kashmarek,

With regards the NBC article you provided a link to, it makes the following statement,

"The bomb aboard Northwest Flight 253 was the second failure of such a device. Four months prior, a suicide bomber attempted to kill Prince Mohammed bin Nayef, director of Saudi Arabia's counterterrorism program, at his palace in Jeddah. The bomber died in the attack, but the prince only suffered burns to one hand."

It was reported at the time that the bomber who attacked Prince Mohammed bin Nayef had the bomb in a body cavity not his underpants...

So either the article has one or more errors, or what was reported about the bin Nayef bombing at the time was inaccurate...

One thing that is probably accurate (and has been reported in other articles) is,

The new bomb had a more refined detonation mechanism...

Usually the hardest part of making a bomb is making the detonator train/chain (what you call it depends on which side of the puddle you are on)

In bombs there are usually a minimum of three stages, with one being the "arming port" that prevents the main charge going off if the pistol is accidentally triggered.

However some detonator chains are five stages long to boost the initial charge in the pistol or cap to the required energy levels and rise times to make the main charge go high order.

Getting the detonator chain/train right is rather more difficult than making the explosives for the main charge.

[For those that have their doubts, try making your own match (not bomb) using just chemicals you have ordinary access to and friction as the initiator. Then see just how difficult it is to get it to work correctly, that is, does not spontaneously go off and always "strikes". Most early matches were not just exceedingly poisonous but needed a small bottle of acid etc. to initiate the burn (sugar and conc. sulphuric acid being one initiator tried).]

Clive Robinson • May 9, 2012 5:24 AM

@ Powdered flesh,

I think some things are getting "lost in translation" with the story...

In the version you quote it's,

... babies whose bodies were chopped into small pieces and dried on stoves before being turned into powder ...

Other English language articles say "microwaves" not "stoves"; a Korean friend tells me it's actually "medical desiccators". Which sounds more likely, because if it was a stove or microwave the flesh would be quite well cooked before it had dried out, and thus bacteria would likewise be cooked and thus not harmful.

However, he urged me to treat the story with caution, as the state of play between South Korea / US and North Korea / China is getting perilously close to an excuse to "go to war", and all sorts of extraordinary and mostly baseless stories are surfacing since the North Korean "space missile" launch (including one that the missile had a biological warhead on it and that the supposed failure and break up of the missile was actually the way the biological component was released...).

kashmarek • May 9, 2012 5:24 PM

Now we are going to be recognized by our speech (metaphors)...

http://developers.slashdot.org/story/12/05/09/1838211/us-metaphor-recognizing-software-system-starts-humming

I expect this applies to speech and writing. Is this more FUD on how we recognize people? How about running this against political speeches, especially during campaigns, and against advertisements, internet terms of service, privacy notices, and Congressional legislation. Oh, with regard to speech, that means everything we say must be recorded. Will the internet implode with all that data being sent to the NSA center in Utah?

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.