Schneier on Security
A blog covering security and security technology.
« The Explosive from the Latest Foiled Al Qaeda Underwear Bomb Plot |
| My Last Post About Ethnic Profiling at Airports »
May 25, 2012
Friday Squid Blogging: Squid Ink from the Jurassic
Seems that squid ink hasn't changed much in 160 million years. From this, researchers argue that the security mechanism of spraying ink into the water and escaping is also that old.
Simon and his colleagues used a combination of direct, high-resolution chemical techniques to determine that the melanin had been preserved. The researchers also compared the chemical composition of the ancient squid ink remains to that of modern squid ink from Sepia officinalis, a squid common to the Mediterranean, North and Baltic seas.
"It's close enough that I would argue that the pigmentation in this class of animals has not evolved in 160 million years," Simon said. "The whole machinery apparently has been locked in time and passed down through succeeding generations of squid. It's a very optimized system for this animal and has been optimized for a long time."
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on May 25, 2012 at 4:01 PM
• 47 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Now this is interesting. This article claims the FBI noticed malware on a lot of PC's, and is allowing them to connect to the internet all the same via a "saftey net", but in a few weeks this will cease and these PC's won't be able to connect anymore ...
What? Is this true?
The article goes on to claim Google will soon start showing a message on its search-results-pages to users of infected PC's so they'll know they have the infection and how to address it.
How is this possible? Do viruses leave cookies? Does Google know based on an IP address's activity?
@Brandon: Google is probably working in tandem with the authorities now controlling the DNS for the affected machines. This allows them to serve different content to anyone using one of these machines, much as the attacker intended to do, except that Google will be informing instead of defrauding them.
The site http://dns-ok.us/ works in this way. See also Krebs.
You can read more about it here:
Basically, the malware changes the infected computer's DNS to redirect its user to some fake sites to steal data. So when it got caught, the authority set up "real" DNS to replace those fake ones. However, since the court order expires next month, they need to tell those with infected computers to change their DNS back to normal settings, and that proved to be difficult.
Google stepped in to help with the language problem (apparently many of those infected do not speak English as mother tongue).
Quite fascinating in its potential: "Bioengineers at Stanford University have discovered a way to encode, erase, and rewrite data within the strands of life itself: DNA. "
They don't mention any way to encrypt it though I imagine it must be possible.
I've heard of people attacking truecrypt with a brute force password attack before. A couple years ago, the FBI failed at it while trying to decrypt the hard drive of a corrupt Brazilian banker
If you pick a good password, then I couldn't imagine this software being much of a threat.
You're correct - choosing a strong, long password defeats this approach both in the number of possible permutations, and the memory access patterns involved in dealing with a long string.
However, if the NSA puts a bunch of GPUs in every machine they have in that Utah datacenter they're building at what point does an attack become feasible against any length? Or a botnet?
Six-year-old Etan Patz disappeared in New York in 1979. Lenore Skenazy at FreeRangeKids has mentioned the arrest of a man who confessed to having murdered Etan. Among other aspects, there is the question as to whether the disappearance of Etan Patz led to a mentality of "stranger danger" and similar anxiety about the safety of children (the existence of 24-hour media may have contributed to the impact of the case.) Also, there is the question as to whether certain efforts, such as establishing missing children's organizations and public alert systems (i.e. AMBER alerts), have helped increase the number of missing children who are found. For parents and others who are interested in protecting children, there is the question as to whether children would benefit more from safety education (not specifically about strangers) as opposed to increased parental vigilance and watchfulness.
From Ars Technica there is an article about a teenage hacker bypassing the security sandbox in the Google Chrome browser. (Note: From what Mr. Schneier has said in the past, a lack of winners in a hacking competition does not necessarily indicate strong security.)
"However, if the NSA puts a bunch of GPUs in every machine they have in that Utah datacenter they're building at what point does an attack become feasible against any length? Or a botnet?"
For every bit you add to the length of the password, you double the search-space. So you'd need twice as many computers to find the password in the same time.
Let's say adding a character (since we don't use all of them, nor entirely randomly), adds about 5 bits. Then we need at least 32 times as many computers for each character added.
Say a computer can crack a 10 character password in a second, and let's say it takes up a volume of 1 liter (~ 1/4 gallon), then cracking a 30 character password in a second requires as many computers as fit in the entire volume of the earth.
So, no, an attack against any length does not become feasible.
(NB, all these numbers are highly inaccurate except for the order of magnitude.)
Adding GPUs to the existing (or all future) computers at the NSA Utah facility, isn't a solution for such key cracking. If that is done, then the CPUs of those computers will now be engaged in something other than their prime directive, which is to collect and analyze the data on EVERYTHING about EVERY citizen in the U.S. The NSA is unlikely to use much more than 1% of that data for anything of value. In fact, as technology improves (processing and storage), old data is likely to be considered a waste of time as moving old data to new technology will take so long that new technology becomes old before it can be used for its prime directive. The Utah facility may likely become just a place to have data as opposed to doing anything with the data (somewhat like storage of unusable nuclear waste).
As technology improves, it seems to be followed by an explosion of new data that often exceeds the ability the new technology to process that data. The internet itself is a prime example of this. While network speeds have gotten faster, the network with the higher speed has not been able to keep up (a self defeating inward spiral; we may need 100s of such facilities so it all doesn't have to go to Utah). However, when this realization comes to pass, we may experience an attempt to lock down the technology pace while someone takes the time to determine if anything of value can be gleaned from the effort.
The only thing the government is really good at is throwing away data or politicizing the results for pre-conceived benefits.
See also the recent works of Ian MacDonald. (And there a probably many examples predating him.)
Home burglaries have become much more profitable in Greece lately due to fears of an imminent exit from the euro. People fear that if it happens, their bank savings will be redenominated into a new currency that will then depreciate rapidly. So they're pulling their savings in euros, and then stashing them in locations with much lower security, like their homes.
The story does mention one person who hid his savings better-- so well, in fact, that when he died his family couldn't find them.
Headline(s) of a (UK) Daily Mail article:
Revealed: Hundreds of words to avoid using online if you don't want the government spying on you (and they include 'pork', 'cloud' and 'Mexico')Department of Homeland Security forced to release list following freedom of information request
Agency insists it only looks for evidence of genuine threats to the U.S. and not for signs of general dissent
The article includes a link to a scribd copy of the DHS document that includes the list of search words.
@ A Nonny Bunny, ShadowHatesYou,
Let's say adding a character (since we don't use all of them, nor entirely randomly), adds about 5 bits.
I know you said "all these numbers are highly inaccurate" but each character in a 'human rememberable' pass word/phrase of moderate size (~10 chars) is realy only worth between 1.5 and 1.8 bits in practice, and this decreases well below 1 bit for longer pass phrases simply because most humans usuall take them from well known sources such as poems or songs etc. Thus anyone who want's to attack them can usually pre-compute the more likely ones (Google "dictionary attacks" or "rainbow tables" to get more info) and most password/phrase cracking software (including "truecrack") usually does this as a matter of course.
Some estimates put the "real entropy"  of (the average) human rememberable password/phrase below 30bits...
However the situation is actually a whole lot different for the likes of the NSA than for other organisations. The reasons for this are primarily two fold, mass communications harvesting (what the NSA does best) and for want of a better expression "human limitations".
Most comercial and nearly all open source etc "secure communications" software use PubKey encryption to send a "randomly selected" key for AES etc that is used to encrypt the actuall communications.
The problem with a lot of these PubKey systems is that the random number generators used to generate the initial two primes that are the PQ pair have been found in practice to be quite predictable for a number of reasons (usually a lack of entropy or broken design of random generator).
Now as discussed on this blog a little while back, you don't need to factor out the PQ pair composite to see if two PubKeys share a prime. And the test to group PubKeys with a shared prime is very very fast. Thus the likes of the NSA who will have tested just about every available piece of software or hardware random number generator can make up "test keys" containing the most likely primes to be generated by a particular software random generator and quickly break large numbers of PubKeys.
Thus when doing "mass communications harvesting" for data collection" they would be going after these "low hanging fruit" in an automated way.
Now this does not mean they can break all PubKeys or even specific PubKeys, just a lot of them that are used on the Internet currently.
But even if they cannot break a specific individuals PubKey they may well be able to break the PubKey of someone they corespond with, and as humans have a very very bad habit of "including" the other persons message when replying... there is a reasonable chance the NSA will get the conversation in part or whole...
Then of course humans make other dumb mistakes like emailing passwords and passphrases using emails that may be in plain text or encrypted using PubKey. Or they may use the same or verry similar passwords or passphrases for "web accounts" that they do for their other accounts or for their TrueCrypt volumes. Gathering these is of course trivial due to poor protocols and implementation in web browsers etc that allow those "bogus" CA certificates to be used for man in the middle attacks on SSL etc. And of course if a users online account is in the same juresdiction as an interested LEA then the chances are that the account passsword/passphrase will be made available with just a simple request these days.
Thus the NSA does not need to have vast arrays of GPU's cracking away... they just have to be patient and wait for the passwords/phrases to be giffted to them.
 Even though the "real entropy" of a password/passphrase may be quite low the "work factor" to find it is most likely to be considerably greater for a variety of reasons.
@ Nick P,
I suspected this might happen
Not surprising ;-)
Afterall we know that fingerprints change with age and disease which is why the parameters used for recording them (ie pattern types not dimensions etc) are the aspects that are most stable with time.
I certainly remember commenting at some point that the colour of peoples irises do change with time (and this is well known).
Thus I would have (and if I remember correctly I have) said it was a near certainty for a very large part of the population.
This is because the eyes are very sensitive to a whole raft of diseases of "modern life" that afflict well over 50% of the population as they age.
Anything to do with long term blood chemistry or preasure is going to have an effect on the eye iris, retina or both.
It may well be fairly easy to show, diabetics usually have their retinas photographed every six months to a year to check for degeneration. I don't know about all the systems in use but I suspect that quite a few will include the iris in the photograph as well. Some of these records go back over twenty years or so for both type 1 and type 2 diabetics...
However on reading the article I LOL when I read,
Biometrics expert Vijayakumar Bhagavatula of Carnegie Mellon University in Pittsburgh, Pennsylvania, says: “In my opinion, the impact of this research is to suggest that iris templates should be periodically updated.”
Does the guy live in the real world... In the US there are well over 300million people, lets assume that the eyse need to be "rescaned" every five years. Now with less than 300 working days in the year this would mean 200,000 people across the US getting rescaned every day. Who is going to pay for it, I guess it's just going to be another burden on the US tax payer via the DHS, and thus probably more expensive than providing free visits to opticians for eye tests, which would be a much better "security" investment for the US population as a whole (think about the number of auto accidents and subsiquent injury and death caused by or contributed by poor eyesight each year).
@ Clive Robinson
"Biometrics expert Vijayakumar Bhagavatula of Carnegie Mellon University in Pittsburgh, Pennsylvania, says: “In my opinion, the impact of this research is to suggest that iris templates should be periodically updated.”"
Yeah, that was the obvious solution that popped into my mind. Then, almost immediately, it was an obviously un-doable solution. However, that's on a large scale. I think it's still viable in smaller organizations, such as sensitive department in a corporation. Employees could regularly be rescanned without too much cost. Probably still way cheaper than using things like thermal (e.g. Aurora).
To get a HazMat endorsement on a Commercial Drivers License, you submit new fingerprints (2 each at $30 a pop) every two years, to support a FBI background check.
Ever wonder why you need new prints?
@ Nick P,
A question arises from all of this,
"Are there any Bio-metrics that do not age, or can change due to illness or medical treatment?"
For instance it is known that the "Bio-Metric Gold Standard" DNA will change after certain medical treatment such as "bone marrow transplant". Likewise in certain cases "DNA trace evidence" will be wrong or have a probability of providing false results (ie after a blood transfusion, your blood is a mixture of yours and somebody elses, thus you have their DNA in your blood stream, and if you cut yourself whilst committing a crime then the blood stain will likewise be a mixture...)
Thus if we assume all Bio-metrics will need to be perriodicaly re-tested it raises the question of,
"At what point is a Bio-metric use to wide-scale?"
Also of course there is the question of proving identity for the "first" bio-metric reading.
There are some people who have no preceding generation relatives alive, and whose preceding relatives were cremated or buried sufficiently long ago that no viable DNA remains. Thus they cannot prove who they are reliably or at all, other than by knowledge within their heads (which as it is "learned" could have been learnt only a very short time prior to the test...).
So untill we grab a baby in the birth canal and DNA test it, then immediatly fingerprint it and retina/iris scan it what is the actual point of taking Bio-metrics...
As quite a few readers are aware German Banks like TAN's (Transaction Authorization Numbers), originaly sent on a paper list by the bank, some now do it through an SMS to the account holders phone. Although the original TAN list was fairly secure and could have easily been made tamper evident the SMS system is less so for various reasons.
However the new malware exploits a security failing that is not due to a technical fault with the SMS or bank systems but with "social engineering" of the account holder via malware (based on Tatanga Trojan) on the account holders computer..
It works as follows,
1, At some point the account holders PC becomes infected with the Tatanga Trojan based malware.
2, The malware detects the account holder loging into the bank system and uses a "Man in The Browser" (MiTB) attack to inject a new HTML page to the account holder that says a security verification procedure is taking place and instructs the user to enter the SMS TAN from the bank into the verification box in the HTML page.
3, The malware selects from the account holders balances the account with most money and sends a money transfer to a mule account. This transfer request is kept hidden from the account holder.
4, The transfer request triggers the TAN SMS from the bank to the account holder. However the SMS does include transaction details, the malware (in step 2) covers this by saying it is irrelivant "experimental" data...
5, If the user believes what they read and types in the TAN it gets sent to the bank and the money transfer compleates.
6, To prevent the account holder quickly discovering the transfer the malware adjusts the account balance displayed on the account holders computer.
Thus the whole fairly sophisticated scheme revolves around and hangs on step 5 and if the account holder "believes" the "social engineering" that is in front of them on their computer screen and ignore the information with the TAN in the SMS...
Now I know most readers will think they will not get caught out by such a trick, but I'm not so sure (unless like me you DON'T do online banking or e-finance in any shape or form).
Then there is the question of can the scheme be extended on smart phones, where the malware might also be able to effect the way the TAN SMS is displayed...
As Bruce has noted in the past "Attacks only improve with time..."
And the speed criminal hackers are improving their attacks suggests that getting at the authorization Side Channel (SMS) in a smart phone will happen within a year or two at most.
Thus there are only two mittigations,
1, Stop the malware getting on a smart phone (highly unlikely).
2, Develop an authentication side channel that cannot be tampered with by malware.
It is this latter option banks should be investigating and however it works it must fully authenticate the transaction through the account holder (to prevent "end run" attacks). As some readers will know several people including Nick P, and myself have discussed this in quite some depth in the past on this blog.
The original report from those discovering this current criminal scheme can be read at,
I believe that financial institutions are more interested in pushing the liability for fraudulent transactions back to the account holder rather than trying to stop them.
@ Dirk Praet
"We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. "
Google "morons" and these people's name should be a t the top. Couldn't they substitute China for say Taiwan or an American fab? This stuff is why I've been pushing for a local fab for military use.
@ Clive Robinson
More of the same. Another thing for you to look up is PassWindow. I liked the brief I read on it. It could make a nice temporary measure & work at stores & web sites alike. Still must deal with the social engineering aspect. I think standardized procedures & informing the customer of them, specifically what the bank WON'T do, could help.
So untill we grab a baby in the birth canal and DNA test it,
@Clive, funny you should mention this-- this pretty much happens with DNA blood tests already right? In the US and UK (and many other places), baby's have their heels pricked at birth and the blood tested for various diseases.
BUT, the "dried blood spot" (google those keywords plus the word "retention"...) is then retained by the state for long periods of time, under who-knows-what security precautions (ie probably minimal). In the US, the retention time is not yet set federally and varies by state but is often somewhere between 18 years and indefinitely. Parents are typically notified that the original genetic tests are being done, but not that the dried blood spot is being retained.
The dried blood spots are retained both to allow population-wide research and as I remember it, if an individual shows some latent abnormality during the first 18 years of life, some retesting of the original spot can be done.
http://www.wadsworth.org/newborn/nymac/docs/... (note the filing system on slide 9 that will no doubt be modernized into a database eventually if it hasn't already)
So, Clive, what do you think-- should a new dad attempt to opt out of this dried blood spot (DNA) retention?
@Dirk, any idea how the UK researchers would be able to know that the flaw were introduced by a Chinese manufacturer rather than the presumably American/UK designer which might have had its own reasons for designing such a backdoor?
The attack you described is basically the same as the one a few month ago on security tokens for UL banks.
Most german banks disallow the use of the SMS TAN when they detect a mobile browser. But i agree that soon there will be malware which tries to infect both, your desktop system and your smartphone to get arround this.
With SmartTAN+ they also already have a authentcation channel which can't be tampered with malware. At least I can't think of one, as the FW can't be updated by the user. So someone has to steal the security device somehow manipulate it and put it back.
I got that thing from my bank:
Disadvantage is the rather clumsy usage modell, so it is probably easier to trick people into a fake training session.
@ anonymous coward
Great link! So rule No. 1 stands: if enemy has physical access, consider it compromised.
"Although they do not have any specialised DPA countermeasures, the PA3 devices
are at least 100 times harder to attack using DPA than non-protected conventional
microcontrollers such as PIC, AVR, MC68HC, MSP430 etc...."
That statement about sums up what I've been saying for a long time.
The "high security" devices are only a factor of 100 better than practically no security. You Crypto algorithm guys argue about security of AES256 vs AES128, yet with DPA the security difference from "no security" to "high security" is less have 8 bits.
Once I can reliably extract information about the nature of ALU operations and probability of MULT commands having a carry, the game is over, your encryption is broken.
BTW: the Chip hardware hacking world has moved on from DPA to more powerful attacks using optical probing and emissions
Google: PICA backside Failure Analysis
Now imagine a differential signal analysis system and you'll have a good idea of what I'm talking about.
> So rule No. 1 stands: if enemy has physical access, consider it compromised.
And if the enemy built your device, you're fucked.
Hardware assurance - a backdoor in chips manufactured in China and used by the military.
Interesting research from the security group at Cambridge computer labs ...
@ Nick P,
You might find this little "do-hicky" of interest,
Not just for "Backside FA" (which is more than a decade old now, early papers were from M.K. McManus &co out of IBM's TJ Watson Research labs) But all sorts of Optical Tempest and Quantum Crypto etc.
Note the following about the device,
1, Single photon detection
2, Very low "dark count" rates
3, Operation in the hundreds of MHz
4, Jitter rates below 50pS.
It does have a few disadvantages detection wavelength being one, but I'm told there are now much better detectors avaialble...
As some of you know I've a few rules of thumb about security, the one I mention most often is,
That is the more "efficient" you make something the less likely it is to be secure (due to inadvertantly opening up covert channels).
But another another and more important rule is,
That is the more "testable" you make something the less likely it is to be secure (due not just to inadvertantly opening up covert channels but actually opening up overt/unconcealed channels and labeling them "test", the fact you don't publish how to use them is the same old "security by obscurity" nonsense").
Both these rules have a rider on them with the use of the word "inadvertantly"... That is these rules do not prohibit you making things more efficient or putting in testability, it means you Realy Realy MUST Know what you are doing at ALL levels.
Such people are extreamly rare, and we know from experiance (WEP, ISO C, et al) being on a "Standards Body" does not make you anything near an expert in fields of endevor outside your own narrow perspective or that of your employer (which might be the reason you were put on the standards body in the first place ;-)
I've "dabbled" in Communications Security and related areas for over a third of a century, and what it has taught me is I'm not a specialist, and thus should not be afraid to get a "domain expert" in as and when required. And in my view the earlier the better (ie before you draw up the product spec is probably to late).
Which gives rise to the important rule,
"If you do not understand it, at all levels, you can not say it's secure."
Which gives rise to another general rule, not just about security but life in general,
"Much of what we do is unkown, and time can teach us our mistakes, but only if we are prepared to learn."
This is a very important rule because it effects the way you look at life, and thus your philosophy with respect to what you do, and importantly how.
As some of you know I occasionaly bang on about "framework standards" with regards to security (and when NIST are going to step up to the plate on them). This is because I know from experiance that the likes of AES, RSA, and all the other "nuts and bolts" we use for security will in practical terms not be secure at some point in the future.
In the case of practical implementations, it's usually before the standard has even been agreed (AES and cache timing attacks).
Thus you have to design systems so that you can repair them easily and most importantly in the case of security quickly. This means "plugable modual" design, where you can pull out the broken part and put in a new (hopefully) stronger part. To do this you need to think long and hard about the framework these moduals plug into.
Importantly when something breaks, don't keep reusing the broken part....
It should go without saying but in security we do it all the time, usually without the users knowledge and this invariably gives rise to a type of MiTM attack where the attacker causes the system to "fall back" to use the broken and insecure part...
Why do we do this so often, well because there are so many products out there that can not be patched, but importantly can not be replaced either. Both faults due to poor design choices made before the product spec was thought of...
(And please don't get me started on penny pinching managment of features crazy moronic marketing types ;-)
Any way having said that it's time for a cup of hot brown stuff :-)
@Dirk Praet it seems like the Backdoor is put in by design .. so not by some chinese Fab but rather by the company that designed it in the USA. Makes also sense to do this to be able to shut down the hardware in case it is used against the US.
Well, I'm not a crypto guy: I'm a systems security guy. Anything I design, with some nice exceptions, must be physically guarded b/c I assumed hardware attacks would only get better. Everything certified near or at Common Criteria EAL7 also requires physical security. They weren't even trying to solve that one.
@ Clive Robinson
Could you put the capabilities of this thing in English for non-hardware people? So, the last chip crack link showed pulling a key out in less than a second. Then, we have things like Ion Beam Workstations reverse engineering chips. So, what exactly does this new SNSPD do for us?
Kaspersky has released a little info on a new probably state sponsored cyber worm/trojan whatever you want to call it. Named FLAME. It is infecting mainly middle eastern countries with a big differential pointed at Iran.
Interesting. Curious to see what the C&C is, distributed or not, uses network printers, etc. Dlls use and 20 modules with a size of 20mb total. This thing is big. I think maybe the unusual ports for comms may be a way to spot it, until or unless someone does it differently. Interesting.
@ jacob and Bruce
Thanks Jacob for the catch. Bruce you might want to post on this.
On Flame (summary)
They're classifying in Stuxnet's category of "super-cyberweapons" (LOL) because " the geography of attacks, use of specific software vulnerabilities, and the fact that only selected computers are being targeted." It's been in the field since 2010.
It's purpose seems to be stealing information from machines. It has all the functions for that, from screenshots to collecting audio. Vector is unknown. Can replicate over network using the Stuxnet printer vulnerability and USB method. Flames operator is "consistently surveilling infected systems."
Jacob overstated its size. It's 20 times larger than Stuxnet, with several MB over multiple modules. They have a huge team reverse engineering it right now.
@nick sorry for overstating size of it. I saw it start to leak out last night. When no one else mentioned, I thought I would. If this dates to 2010 like I've heard. I just wonder what else is out there. If specialized enough it would even harder to find. I.e. you want to get at just one computer belonging to $$$$. Cyberhackers or criminals should be aware. If they want you, they can get you. Hide in an I frame, server directs, etc. give them a link they just can't resist clicking.. Just free thinking here. Criminals could do the same thing. Reverse engineering certs and experience just clicked up several levels. Pun intended.
Sorry meant to add hit wrong button on touchpad. Walk up to site or target, Bluetooth spreads it. C&C disables and disinfects any not on target list. 0 day exploit, maybe upx pack, I don't know. This is the equivalent of a very smart bomb or sniper weapon..impressive from what I can tell. Kaspersky, and many others are throwing big teams at this. Wanting credit, recognition, or just curiosity. This is a huge deal to them. The only ones not are the ones who made it. :)
Flamer / Flame Trojan removal tools 32+64bit from BitDefender.com
"Download the 32-bit or the 64-bit removal tools and find out if you’re infected with Flamer, the world’s most discrete and dangerous piece of malware ever. If you are already protected by a Bitdefender security solution, you do not need to run the removal tool."
@ jacob and all on FLAME
Hmm, jacob, now this guy is saying 20MB in all. He also points out that they're keeping the number of infections static. That's very interesting. Otherwise, it's mostly just a press piece.
I've been thinking and reading more on this. Specifically, Symantic, Kaspersky, etc. I am trying to no overblow the significance of this. The press is doing enough of that.
I would like to know if you, bruce, and clive think this might be similiar to the breaking out of cryptography. Back then private research, universities really didn't have much information. Then the government made the mistake of commenting, helping and releasing info. Hence, PGP and many others came into existence.
I'm wondering if this modulular, complex piece of software may do the same thing. If this is not criminal in origin, but state sponsored you can bet every malware engineer, RE, and network security guys are going to be looking at it.
Just my thoughts. Hopefully, I haven't overblown this in this short post. oh, also anomoly detection systems are going to get more scrutiny.
I would like to know if you, bruce, and clive think this might be similiar to the breaking out of cryptography
The first thing that comes to mind is "why has it taken so long?"...
I quick look back through this blog will show that there have been several conversations on how to do the individual parts of Stuxnet, Duqu and now Flame either around about the time they are alledged to have been designed or before that. So we can safely say the overall design / methodology has been out in the open to anyone who cared to read thi or one or two (lightbluetouchpaper) blogs.
I've also banged on for quite some time that "bot herders" realy did not know how to capitalize on their "assets" and made it fairly clear that stealth/covert removal of information had a way better rate of return than SPAM AND DDoS. You can see my thoughts on how "fire and forget" is actually more likely to get you into a target than "directed attacks" (mainly because the obvious rat holes have been blocked).
As for modular design well I keep going on about it for amongst other things "standards"... It's actually a real indicator that this has been designed by people that have been around the block a few times and realy know what they are doing at the strategic level as well as the code level. Thus they are probably in their mid to late thirties with a wife and the usuall 2.7children and 0.1dog and 0.3cat that "Mr average" has.
What I'd be most interested in seeing would be the targeting method and algorithms, this would provide a very clear idea of the thinking and reasoning behind it. Again I would urge caution that where it appears to have ended up may not be the designated target, but a potential steping stone towards the target that might be effectivly shut off from other methods of access.
As for the people behind it there is by no meanss sufficient information to say, even if there was it would more than likely be a false indicator such is the "smoke and mirrors" deployed by most players in the game.
Oddly one of the strongest players (the UK) is not normaly "fingered" for such activities which might tell you something about their skill levels. Likewise the Russian's who are directly or indirectly in it upto and beyond their necks are likewise not that frequently mentioned. As for some places like Sweden, Germany and other north European nations you get to hear nothing. For some reason most "pundits" be they "arm. chair" or "news organisation" appear incapable of thinking further than their next drink. And thus almost always point the finger at the most obvious candidate such as the US or Israel with zero supporting evidence.
My gut feeling is a year or more of speculation will go nowhere except technicaly and it will be another "seven day wonder" for the press that has conveniantly poped up in time for the US elections...
As for the Intel organisations being "ahead of the game" actually probably not, they don't pay very well and unlike the old days where the mathematically inclined had limited job options this is not the same game or the same rules. Collectivly I suspect there are more clued up and better paid "hackers" of the "old school" variety out there on way better money than the various Govs can offer and many Govs are going the COTS route as paying even quite large sums for first rate exploits is still better value than employing a couple of hundred second hundred second or third rate code cutters.
Any way that's my "pennies worth" I shall now retire to my comfy chair in my "dead tree" reading room with a cup of nice hot brown stuff to sip whilst I contemplate :-)
thanks, I feel scolded for not thinking of this in the strategic sense. I agree with what you said for the most part. There are players and we may not know who,what, etc. The Russians, Chinese, Israel, U.S., crime syndicates, and so on.
I agree these were not 16yo anons, or hobbyists in the usual sense. This was a professional crew with strategic almost military midset.
So you agree with me that this is a similiar event to cryptography?
Another point is the old school can still show the kids a thing or two....What was that phrase about age and treachery beating youth....?I would gladly join you if I were in U.K. but my choice would be Guinness....and some fish and chips, please... :)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.