Schneier on Security
A blog covering security and security technology.
« Unsafe Safes |
| State-by-State Report on Electronic Voting »
August 3, 2012
Friday Squid Blogging: SQUIDS and Quantum Computing
It seems that quantum computers might use superconducting quantum interference devices (SQUIDs).
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on August 3, 2012 at 4:08 PM
• 38 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"Inside the Suprisingly Lucrative World of Cardboard Theft": another example of misaligned security incentives. The businesses that currently leave the cardboard lying around in the open who are the ones who could secure it better, but it's the legitimate recyclable-haulers who take the financial damage.
Internet guy reporting in.
I wonder, could "homomorphic encryption" be used to encapsulate an already encrypted file, effectively tagging the file with data or perhaps inserting some kind of code or commands for later execution, but more importantly for mimicing the original encryption scheme for the original file, so that the file can later appear as being decrypted as normal to the owner (while discarding hidden superfluous content in the process), while anyone having already taken control of the encryption scheme for that file can perhaps add, delete or edit any content of the original plaintext and any content in the added data?
Or maybe "homomorphic encryption" doesn't/couldn't really work that way with regard to this idea of assimilating already encrypted data? (Adding another layer of encryption over any type of encryption used prior.)
Researcher's proof-of-concept malware infects BIOS, network cards without trace
New Rakshasa hardware backdoor is persistent and hard to detect, researcher says
Not impressive, and I don't believe most of the claims there. The guy flashed his own custom BIOS that contains backdoors. So much for a proof of concept! He'll have to demonstrate he can flash a signed BIOS on a computer remotely before I believe him. He claims it will work only "99 % of the time". I say BS...
The article about cardboard "theft" is very interesting and revealing. The "thiefs" are doing exactly the same thing as the "real" companies; taking the cardboard to the recycling facility. And more promptly, too.
When they do it it's "theft" and they money they earn is "free money". When the businesses loose said money it's "damage" and a "cost", as if they were somehow entitled to it...
Clearly the real reason for the kerfuffle here is that the commoners are daring to sip from the gravy train of economically productive opportunities that the big business owners want to keep for themselves, instead. And indeed, want a monopoly on, to enhance not their absolute wealth but relative privilege by denying opportunities to others.
And they're doing it for free, too, which would seem like a net plus for everyone. However, the article implies that NYC regulations require a business to contract with a licensed recycler.
Further analysis would require being familiar with the Mafia attempts to take over garbage hauling that those regulations were written in response to, which I'm not.
The article is not very clear about the economics of cardboard recycling, but from the reference to businesses getting discounts for the cardboard they put out, my guess is that waste removal companies are taking all kinds of waste -- some of which isn't lucrative -- and that selling the cardboard defrays some of the cost. That's certainly how residential recycling works around here, although the high-value item that's commonly stolen is aluminum. In that scenario, what the unauthorized haulers are doing is equivalent to stealing a cash payment left out for a contractor.
And we already have a successor to the Aurora shootings: some lunatic just shot dead at a Sikh temple in Wisconsin at least six people and wounding others before being taken out by a LEO: http://www.aljazeera.com/news/americas/2012/08/... .
I'm sure the NRA will issue an appropriate statement shortly that guns had nothing to do with the issue, except maybe for the fact that if all worshippers had been packing too, the number of casualties might have been lower.
The way AES and other symmetric crypto works, you can't alter it in any way (including adding layers like homomorphic encryption), because the decryption tool will not use that homomorphic algorithm, it will only run AES on it.
To do what you suggest, one would have to trick the user to use a custom tool and provide both the homomorphic crypto key and the AES key to it, so that it can perform all that stuff on the contents in the AES encrypted file.
It's easier to just go the route of sneaking in some other trojan or rootkit if you can get the target to run code of your choice.
I pretty much agree (and find quite funny occasionally) with everything you have to say on this blog, but your unrelated NRA joke (for the love of political trolling, I don't want to start a damn gun control argument; hence this is the last time I talk about this topic) ticks me off a bit. I understand your European (you're Belgian?) position though.
You call an "idiot with a gun" a dangerous person. How about just a psychotic person who's unsatisfied with their life and wants some attention? Am I the only one who senses way more psychosis among people than I care for? What's my definition of psychosis?--Coldness, total disregard for other life forms; kind of like some little s__t head kid pointing his finger and laughing at a homeless individual. So, you take away my right to carry reasonable protection (I'm SOL if someone plants an IED or drops a nuke on me) What if he stabbed the worshippers in the eye with a pencil? Maybe he taped two eraser ends together, yielding a double-sided killing machine! Should we all be required to be permitted to own a pencil, or not be able to own one? Don't let an idiot get his/her damn hands on a pencil!
The point is that without the morality, the "gun control" debate with morph to other things. Morality is the most cost-effective form of security in my view, and without it..well..you can see; I expect much worse things to come (I'm still waiting on a suitcase nuke). What can we do about it? I say remain vigilant, don't give the pleasure of any attention or recognition and go about your life doing moral deeds. What is moral?--I think we can all agree upon what can be reasonably presumed to be "moral".
Someone (it was a "jacob") brought up a debate topic that I have debated amongst other people; and that was to what extent should my right to "bear arms" be? What are "arms"? Could private citizens have the intelligence, responsibility, and morality to own their own nuclear weapon?--Given the sorry state of "most people", I would say hell no. But, think what that means; most people are too stupid to have such power. And look how things have changed, American colonists used to burn "politico's" houses down if they violated their rights or enacted an unpopular tax, do you think they would be more apt to listen to them if that were an option?
Taking your stupid double-sided pencil analogy a bit further, even if the attacker had been carrying a knife he wouldn't have got too far, as every sikh male in the gurudwara would be packing a kirpan (a ceremonial blade), of which a fair fraction would be more than just purely ceremonial.
Guns are a very different class of weapon (concealed/ ranged/ low effort/ high impact). The sooner you and the idiots at the NRA admit this we'll all get along just fine...
And declining morality has nothing to do with it. People have been killing people since time immemorial for different reasons.
An easy access to guns is indeed a problem, as they are much more highly effective weapons compared to knives or other accessible weapons.
And to speak frankly about this matter, there has been a time that the having a gun accessible would have caused me to kill people.
But (I am European) here guns are not sold to every psychotic idiot just like that, hence I didn't kill any people.
Although I can agree with your psychosis claim. Most spree killers are most likely psychotic persons unsatisfied with their lives.
I suppose I got carried away a bit, and I didn't mean no offense. Coming back to my idiots and guns meme, you can easily substitute idiot by lunatic/psycho/berserker, or even a normal person having a serious mental breakdown. Although in this particular case - but this is pure speculation on my behalf - we're probably even dealing with an idiot psycho as chances are he mistook Sikhs for muslims, which they are not. Some ignoramus on CNN also mistakenly portraied them as hindus. Sikhs actually came to being as a reaction against muslims and have no love whatsoever for them, quite to the contrary. I find them fascinating people and I even speak some Punjabi.
Being Belgian indeed, myself and most other Europeans come from an entirely different cultural background with - in general - very strict gun control laws, supported accross the entire political spectrum. Over here, this is not even a political debate. We do understand where historically the 2nd amendment to the U.S. constitution comes from, and I can even agree that our as moralising perceived stance on the issue regularly draws bad blood with Americans who live in an entirely different context. We've got more than enough problems of our own I can easily imagine Americans criticising us for.
Let me put it this way: I seriously doubt there are any simple solutions to the problem, if any at all. The right to carry firearms is so deeply embedded in American culture that any attempt to change it would imply instant political suicide. And even if such legislation as by miracle would fly, there are so many guns going around that for all practical purposes it would be impossible to disarm the entire nation.
But I do think you'll have to agree that every time an onslaught like this happens - especially when there's several in a row - inevitably the issue will be raised again just how many innocent deaths-by-firearms can be considered acceptable and what can be done about it. As I said before, it's all about societal values. Personally, I feel relieved to live in a place where the right to affordable health care is considered way more important than the right to carry firearms. Your mileage may vary.
I'm at a loss to see how this could be considered theft. Maybe New York has weird property laws, and IANAL but ... the merchants have abandoned the goods, and the licensed recyclers do not acquire title except by possession after abandonment. It doesn't matter that they were contracted to ensure the material was gone (that happened, and at no cost to them!)
It would be a different story if the recyclers were paying for the privilege of taking the stuff away -- which sounds like it is what should be happening if the city hadn't distorted the market.
Don't you realize the contradictions in your own argument? You're saying knives wouldn't be very effective as murder weapons because all or most sikhs carry knives. That almost exactly mirrors the NRA argument that guns don't get you very far in a situation where all or most people carry guns.
@ Dirk Praet re firearms
It's amazing that people often miss one of the most important aspects of this debate. The vast majority of people who will be victims of an act of violence aren't better trained, tougher, etc. than the attacker. Makes me more elated when I see headlines like the taekwando grandma who beat the crap out of her attacker. Usually doesn't happen, though.
I live in, near and around a city that's consistently in top 5 for murder and/or violent crime. (Depends who you ask...) The neighboring rural areas aren't as violent, but are shady as can be. So, here's my first hand experience:
1. Having a gun or specific people/groups thinking I'm armed has saved my life numerous times & protected many family members numerous times.
2. Opponents have included adrenaline junkie teenagers, pretend thugs with ambition, real gangs (ever had a contract on your family? ;), dirty cops, cracked-up neighbors looking for money, aggressive drunks & more.
The common theme in those situations is the enemies had the upper hand. I'm bottom of the chart by birth in reflexes, hand-eye-coordination & fight/flight response. When there were others, our opponents were usually many or armed. You do NOT want to be the weaker guy surprised by a knife or metal blunt object. It's not pretty like in many action movies. Worse would have happened except for one thing: they were lead-a-phobic. ;)
Well, when dealing with the gangs & dirty cops, sometimes leaving or taking a loss is better. Done that plenty. However, the issue I'm pointing out is that a gun is a force multiplier for a person whose not a great fighter, not in great physical condition, or whose outnumbered. Many actual lives have been saved in this area that I know first and second hand. Do we not have a right to life? If I ran into these people in Europe, my whole family might be dead.
The other side is that I've seen what happens to people who were naive and unprepared. Many people in this area have been beaten, robbed, raped, maimed & murdered. I remember a few months ago I met 2 or 3 confessed rape victims (so many in a month sigh). Horrible thing that's said to take around 8 years on average to really get on top of. Then, a customer whose brother was murdered for nothing. In each case, they weren't packing heat. A concealed firearm might have given them a chance, but each are scarred for life or dead.
When I see these debates, the real question is: do would be victims have a right to prevent this realistically (guns = realistic) or should they be forced to endure it? I say, should I have been beaten, watched them do whatever to my family (shivers), or been murdered? They like bats & knives as much as guns. They're usually able to cause harm with about anything, but I'm not. Neither were those men & women I mentioned above. We need something that works. I've watched people stungun themselves & do brutal fights for fun. Around 5% of people are immune to pepper spray, many sources say. (I have bad luck, so that's significant.) Yet, guns work. A bulge in the jacket often does, too. Anyone who denies this privilege is sentencing many to pain, disability, rape and death.
Note(s): Important things to note. I don't think the average psycho or whatever should be able to legally acquire weapons, but that woudn't stop them here. More important, the reason gun rights are in the Constitution has less to do with personal protection & more to do with protecting people from govt. There are MANY people in this country who still think in those terms. If govt goes totally corrupt, how to fight them off if they have all the guns? Having seen much of our govt's ugly side, it's hard for me to criticize their view.
Disclaimer: I'm not a NRA member, hardcore republican or anything like that. I know guns make for more effective weapons than knives and... pencils. More accidents happen with them. There's a huge cost to society. My experience, plus the "stop govt tyranny" theory, leads me to believe that they're worth the cost.
@ Nick P, Dirk,
There is on this blog a considerable debate about guns in many cases it's actually emotionaly based on amongst other things the perception of the environment in various forms people live in and sadly as with driving their own self deception.
We all live in different environments, the European perception of the US is based on what is effectivly the worst examples not the norm or best because this is what the news and entertainment shows such as CSI et al tell us.
I'm fairly sure there are large areas of rural and urban America that are considerably safer than on the surface equivalents in Europe, we just never here of them. Likewise I'm sure the oposit applies.
The perception people have is as much based on their life style as it is on news. For instance I live in a local area of outer London that has a very high degree of resident contentment with the supposed non existance of street crime. The simple fact is there is quite a lot of street crime but most of the residents don't see it because they park their car in their private drive way or garage, they drive to either another private parking area or one where there is a lot of security presscence. They simply don't put a foot on the pavment of the road or street they live in and therfore just see it at best from afar.
I also visit for family reasons another area of London that is in the top ten of street crime etc.
Guess what as a "boot on the ground type" I know both areas and I actually feel safer in the supposed high street crime area. And this is not just a feelling the simple fact is the half dozen or so times I've been actually attacked on the street it's always been in the supposadly low street crime area...
I beleive this effect where the majority of people are effectivly deluding themselvess is known genericaly as "Perception Bias" and it has another effect where people over rate their abilities.
We see this quite often with drivers who over rate their ability to handle the vehical they drive and actually represent a considerable danger to others as the old saying has it "I've never been in an accident, though I've seen hundreds in the rearview mirror".
Whilst we appear to accept that "power tools" are dangerous and treat them with a modicum of respect we don't generaly percieve of cars and guns as "power tools" which they both are.
The secret to being able to use power tools effectivly and safely as any craftsperson who uses them can tell you is "caution and practice, the more you learn the more you realise there is to learn".
When it comes to guns I was trained by the armed forces to use them to not just scare people (covering fire) or just kill them but also to wound them in specific ways. I had the advantage of having been taught whilst I was quite young not just how to use air rifles but shot guns and various rifles for vermin and pest control as well as for the pot. The people who taught me originaly made darn sure I knew they were tools they had a function just like a hammer drill or saw and that you need to put the hours in not just to use them but use them safely.
I'm also lucky in that I live in a part of the world where contrary to common belief gun crime is still relativly low outside of gang culture and as a general rule the police do not carry guns. I had the misfortune to see guns go "general issue" to the police after 7/7 and it scared meto be on the streets because it was obvious that most of the police carrying them were both very tired and scared of what they were holding and lacked the training to do things properly as their tiredness increased.
Owning a gun is a responsability not a right and part of that responsability is to be acceptably competent, sadly insufficient are which is one reason the US has a higher rate of gun related death and injury.
Personaly I think that some areas of the US are sufficiently dangerous to consider carrying personal protection but I also believe they are very few and far between, and I see it as a failure of the political establishment they are not doing more to remove such areas.
The US "right to bear arms" had an unwritten assumption underneth it of competance of use. The reason it was unwritten was because it did not need to be as by far the majority of gun owners then used them as an essential tool of survival to put food on the table and keep vermin down and to hunt not for sport but for their lively hood. This is nolonger true and the US people are going to have to come to terms with gun ownership comming with the price of showing competance not just once but on a continuous basis.
Controversial with many but if the US people want to see death and injures from guns to reduce outside of crime then that's the price they will have to pay.
Within the US, there appears to be no relationship between stricter gun laws and crime. Vermont has the least gun regulation of any state in the US and has the second lowest homicide rate.
Finally made contact with a Belgie! I like Belgians, they're a very malleable people, especially with languages as you speak a little Punjabi I wouldn't be surprised if you spoke French, German, Dutch, and maybe Spanish or Italian (their chocolate, beer, and waffles aren't too shabby either!:). I used to live in Antwerp and I assume since you go by "Dirk Praet" that you're Flemish. So, yes I do understand your argument and perhaps we've walked some of the same streets and ate at the same restaurants etc etc.
I just don't appreciate being stereotyped and identified with NRA-'git-er-dun'-'yeehaw'-types. I can almost always rely on a European to understand others history, so I'm pleased that you can see the historical context. My reasoning is based on many things which I won't get into (look at Nick P's post), not because I'm being told what to do by some interest group.
Instead of trying to make current technology (like guns) illegal, which is like telling people not to use stuxnet in my opinion, why don't we take a more proactive approach of your argument and use the power of social pressure to try and prevent "geniuses" in their "infinite wisdom" from researching and creating the latest way to kill someone in the snap of a finger (or the pulling of a trigger). Of course the argument people would use against that is "our enemy will discover it first" and I say let that happen.
Cheers and I won't bring up this topic again.
"why don't we take a more proactive approach of your argument and use the power of social pressure to try and prevent "geniuses" in their "infinite wisdom" from researching and creating the latest way to kill someone in the snap of a finger (or the pulling of a trigger)."
You MUST be joking. People wanting power or money will find that to be a good use of their brain. Likewise, many "mad" geniuses get that way due to the pressures of society. I doubt that social pressure on people already ostracized a bit is the way to go. Will result in more harm.
Some of you may be aware that a Chines Telecoms manufacturing company called "Huawei" has had the finger pointed at it by some of the US "China APT" hawks.
Well in the UK they appear to be working quite happily with the "civil" side of GCHQ known as CSEG providing secure solutions for industry and others,
So as "me old gran used to say 'shows you never can tell'".
@ Clive Robinson
I appreciate the response. There are certainly many safe areas in America. No area is totally safe, but many have very few violent crimes. Many of those are rural areas. The news mainly reports on whatever captures attention and gets ratings. Hence, they don't usually run stories like "quiet town remains quiet for 23rd year in a row." ;)
Regarding cops with guns, their competence doesn't really bother me. Out here, most cops know how to shoot. Anyone watching our news will also have seen plenty of cops end violent situations with bullets. It's very uncommon for a problem to happen because a cop carried a gun. The reason I mentioned them is that two nearby cities are known for dirty cops. When THEY have guns, they make me a tad more nervous.
I agree that perception bias is a big issue. I encourage people on both sides of the debate to get numbers from sources unbiased as possible. Authorities should record whether a gun was present at each crime & what effect it had. I'd add that the training or preparedness of the shooter should be taken into account. Then, we can crunch the numbers & have better feedback on whatever legislation we're passing. Meantime, my intended purpose of a handgun is protecting innocent people w/out blackbelts from their attackers via an easily-used tool, which we don't have an effective alternative solution yet.
"The secret to being able to use power tools effectivly and safely as any craftsperson who uses them can tell you is "caution and practice, the more you learn the more you realise there is to learn"."
I'm all for mandating some kind of training and regular practice to keep the gun privilege. The states I stay in and around require quite a bit of time with a qualified instructor. You have to learn plenty about guns & gun safety. Problem with putting extra costly requirements is that it harms impoverished people who are more likely to run into violent crimes. I remember there was an effort to ban the $100 pistols b/c detractors said they were just disposable weapons for crooks. They actually benefited defenders living "dollar to dollar" in rough areas. The crooks always had cheap, sometimes "hot", weapons available on the street. So, all this talk about preparation should have a provision for the tremendous number of Americans that can barely afford rent, food & insurance, much less gun ranges.
(Note: many people with minimal training have successfully defended themselves. Good CQC gun techniques & situational awareness can reduce risk to others & increase ability to hit target. I personally think courses should include more of those techniques.)
"The US "right to bear arms" had an unwritten assumption underneth it of competance of use."
I'll add that the other assumption is that the US was created partly via the guns of the militia. In other words, we overthrew British rule with guns. The 2nd amendment's main purpose was to ensure a balance of power between the govt and the people. If the new govt got totally corrupt, a willing people could overthrow them. It was a valid concern: the current govt does many things that are way worse than some specific complaints in Declaration of Independence. I don't know if it's unique to America, but being able to defend ourselves from our own government with force is part of our constitution.
Justice Story (1833) put the whole thing nicely:
"The importance of this article will scarcely be doubted by any persons, who have duly reflected upon the subject. The militia is the natural defence of a free country against sudden foreign invasions, domestic insurrections, and domestic usurpations of power by rulers. It is against sound policy for a free people to keep up large military establishments and standing armies in time of peace, both from the enormous expenses, with which they are attended, and the facile means, which they afford to ambitious and unprincipled rulers, to subvert the government, or trample upon the rights of the people. The right of the citizens to keep and bear arms has justly been considered, as the palladium of the liberties of a republic; since it offers a strong moral check against the usurpation and arbitrary power of rulers; and will generally, even if these are successful in the first instance, enable the people to resist and triumph over them. "
Note: Isn't it refreshing to have a calm and rational discussion about an issue usually flooded with emotion? Good thing about this blog is its audience is much less likely to let a discussion turn into a flamewar. Worth a special mention. ;)
Some of you may have heard about a talk given at Defcon over the weekend that effects the security of a range of Huawei routers targeted at the SOHO end of the market (these were the only ones tested by the researchers as the larger enterprise and telco grade routers were not available to them).
From what has been said it appears that Huawei engineers have quite a bit of work on their hands to play catche up to other. router suppliers,
As some of you may be aware I take a passing interest in the security of Implantable Medical Devices, Smart Utility Grids and other industttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttembedded systems. This is because they have expected product lifetimes not measured in months but sizable fractions of a century.
Well some of you might also have noticed I'm less than impressed with NIST's way of going about various standards processes.
As it happens the two are not unrelated, in the US back in 2007 NIST got tasked with securing the power infrastructure and developing standards for the Smart Utility Grid.
Well NIST have just recently published their latest missive in this "standards framework" area,
I was digging up information on the Sandia Secure Processor when I accidentally ran into this gem. It was published in 2002, but I thought yall might like it.
Modernized system to manage codes for nation's nuclear weapons complete
@ Nick P on Sandia Secure...
Can you highlight what impressed you? I am curious :)
@ Nick P,
what realy cracked me up and had tears flowing from my eyes was the artical that followed about the "secure chip" they had made.
Read the bit that says,
"Basically, we wanted to select a language that protects programmers from themselves," says Greg -- one that helps identify and correct errors. The Java language fits the bill"We're leveraging its safety and security capabilities to the maximum extent," he says
Java != safe & secure
Even back in 2000 I wonder how secure that Nuclear CMS realy is ;-)
Also of interest was the article on "water" before it. I often go on about energy being the new water when it comes to political control of others (as seen by Putin and Co on old Soviet States).
The thought occurs that as Sandia is primarily an "energy" oriented organisation maybe they have another use for the model.
Further clean water is actually "energy intensive" we tend to forget just how much of the suns radient energy that falls on earth contributes to the "water cycle". The fact that our current energy consumption is (supposadly) around 1.4 times radient energy, there definatly does appear to be "storm clouds on the horizon".
ON Topic :-)
On reading the ARS description when using the achostic oscillator to change the capacitance of the resonant cavity and thus modulate the SQUID resonant frequency my mind immediatly thought "Parametric amplifier".
Like the ARS author I to am interested as to what asspect of the system they cannot get working.
I guess I'm going to have to read the actual paper and get my pencil and paper out and have a little scratch around the idea.
@ Nick P
You MUST be joking
Just an idea. Since everyone seems to be so obsessed with "social" anything these days, just trying to "steer" fads. Of course said research will likely be classified and anyone trying to see what they're up to will be "taken care of". However, making an ass out of just me and not you by assuming insecure systems and there's always an adversary knowing what someone else is up to, can we assume said research will be copied?
Or maybe we could change "societal pressures" with gradual change in value structure. Start simple, what have you done (physically not virtually) today to brighten someone else's day?--and operate with that mindset all the time.
I won't ever force my ideas on anyone, only with consent; think for yourself.
Or we can worry about it when the problem becomes a catastrophe we can't ignore like we do with so many other things. How human, now off to take a 40 min shower after watering my lawn to the point of flood-like conditions so my homeowner's association can marvel at my green lawn while billions suffer from thirst :/
The article I named about replacing the nuclear CMS. Getting govt overhauls done is hard and doing that in the nuclear area is harder. They made a diverse array of stuff that works together, that was safety- and security-critical, etc. They were deploying it. I just thought people might find that interesting. The other thing I liked was the SSP chip, leading to the next part of this post...
@ Clive Robinson
"what realy cracked me up and had tears flowing from my eyes was the artical that followed about the "secure chip" they had made."
"Java != safe & secure. Even back in 2000 I wonder how secure that Nuclear CMS realy is ;-)"
I agree on the Nuclear CMS. Ironically, the SSP chip was what led me to the page. I have several papers on it and I love it. The end all solution to the problem? No. Definitely better than trying to do the same thing securely on the average cOTS chip of similar performance.
The Java language & mainstream platform are anything but secure. However, there are safety-critical embedded Java products that have existed for a while that use a subset of the language & a robust implementation of the VM/verifier. Aonix products come to mind. They also ran on safety-critical RTOS's with small TCB's. Many developers were finding both productivity and security advantages to switching to Java for embedded applications. We know that a restricted form of Java eliminates entire classes of attacks that C/C++ apps are vulnerable to. So, a Java processor (read hardware VM/runtime) w/out dynamic loading can make for quite a good baseline of security.
They didn't stop there, though. The thing that interested me early on about SSP was that it was a high assurance implementation of hardware and software. They considered accidental faults like radiation, as well as malicious attacks. They put efforts into the design to reduce their effect. They used very robust methods for specifying requirements/design & making a corresponding implementation. Originally, I looked to the project for ideas on how to do the same thing myself for a safer hardware/software TCB for appliances. Then, I was thinking, "this thing is way better than baseline and might be useful for many smaller security-critical appliances." They also had a semi-automatic transformation tool (Monarch), also built rigorously by Winter et. al, to allow COTS development tools to be created & also trust (to a degree) what ends up loaded onto the machine.
All in all, I call it good work & going in the right direction. Maybe useful as a component in a larger system design, too.
The problem with "Hinky" profiling
A man in Surrey UK (not far from where I live) was very forcefully and violently arrested by Surrey Police for "Breach of the Peace" and detained and questioned for five hours.
Apparently he was sitting quietly on a wall and Police decided he was suspicious because he was not looking happy...
The man has Parkinsons disease which effects the way his muscles work and esspecialy the fine motor skills needed for facial control.
Surrey Police are now considerably after the fact making statments that appear false/invented simply because it's been picked up by the press (UK's Private Eye then others) and the Police are using spin to try and justify their crass and violent behaviour.
There are getting on for 130 thousand sufferes of Parkinsons in the UK which I suspect significantly out numbers those who might even be considered terrorist suspects or active civily disobedient protestors.
Further there are a considerable number of other diseases/syndroms over which the sufferer has little or no control and as far as I can see represent ~3% of the UK population (1.5-2million people).
It turns out that those who have the misfortune to be sufferes of these diseases/syndroms are doubbly cursed as they regularly get problems from those in positions of authority because of the symptoms the suffer...
Found a paper on a new security architecture that, oddly, uses Java & can run arbitrary untrusted apps. Avoids many issues. Low TCB. There's potential problem areas & I have minor quarrels with the paper, but it's overall a nice piece of work. Enjoy!
JX - Secure Java OS Design
More were killed by Breivik than the Sikhs and aurora combined. Gun control has been a failure overseas.
@Anon: We also have about 1/1000 as few shootings as you, so even with 100x the victims per shooting, you're the ones with the highest number of casualties.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.