Schneier on Security
A blog covering security and security technology.
« Hacking Marathon Races |
| Another Stuxnet Post »
September 7, 2012
Friday Squid Blogging: Controlling Squid Chromatophores with Music
Wacky. Other stories about the story.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on September 7, 2012 at 4:41 PM
• 35 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Well, isn't this peachy keen?
Face recognition by the FBI WILL include every accessible photo that can be acquired, especially those "standard" pictures taken for Real ID compliant driver licenses (and non-driving ID cards), probably passports, any/all FaceBook photos, or other sources, public and non-public. I bet they refuse to count and report on false positives...
Well, someone's gotta mention the Hugo Awards webcast being halted by copyright-policing software which (correctly) detected copyrighted clips of the nominees for Best Dramatic Presentation, Short Form, and (incorrectly) assumed they were being used without permission.
Wired has a roundup of that and other similar incidents from the past few weeks.
"Yet another security company (VirusTotal) bought up by a large one (Google):"
Let the WHITELISTING of State Sponsored Rootkits BEGIN!
Aw man, I miss people talking about the squid, too. Can't we have a minimum 5 posts about the squid links before everyone posts their great finds?
Governments Recruiting Backdoor Authors #germany
Friday, September 7, 2012 | Posted by Mikko @ 12:17 GMT
Just couple of years ago, it would have been unthinkable that governments would be openly recruiting trojan and backdoor developers to work for them.
Yet, that's exactly what's happening now.
For a fresh example, here's an ad from the website of the German Federal Criminal Police Office (BKA)
They are looking for a developer. Let's take a closer look at the job description
Ihre Aufgabe: Mitarbeit bei der Softwareentwicklung und -pflege zur Schaffung der technischkriminaltaktischen Voraussetzungen zum verdeckten polizeilichen Zugriff auf entfernte Rechnersysteme
Translated to English:
Your task: Contribute to the development and maintenance of software to provide covert police access to remote computing systems
This isn't new: We know that German Government has been using trojans against their own citizens before. However, they used to buy their trojans. Now it looks like they are developing their own.
How the heck can we top the squid story that Bruce found??
Some Americans believe that cloud computing has to do with weather
Not strictly security related, but it would be good for all developers to read that and then remember that these people are the ones using your software.
An interesting podcast by Nassim Taleb about his upcoming book on "Antifragility". He presents the contents and ideas in his personal idiosyncratic style. But I agree with many of his ideas like:
- Complexity is bad
- Small systems are better than big systems
- Tiny probabilities are impossible to estimate and - in the long run - can prove to be not small at all
- You can make guidelines about what *not* to do - you cannot make guidelines about what you *should* do
"Deaf police officers have been recruited to monitor security cameras in the Mexican city of Oaxaca because of their ‘heightened visual abilities":
You frequently state that a government monitoring their own citizens is bad security, but what is better security then? You frequently espouse what is bad, but I don't often see you talk about what is good.
Researchers attack Heisenberg uncertainty principle. Maybe make progress on cracking quantum crypto.
Part that jumped out at me the most: "The problem with Heisenberg's theory was that it vastly predated any experimental equipment or approaches that could test it at the quantum level: it had never been proven in the lab."
That kind of thing is why I prefer proven & measurable approaches to security over things that are theoretically better.
@ Nick P
Interesting article. I will quote (an edited) Wikipedia article here:
Historically, the uncertainty principle has been confused with a somewhat similar effect in physics, called the observer effect, which notes that measurements of certain systems cannot be made without affecting the systems. Heisenberg himself offered such an observer effect at the quantum level as a physical "explanation" of quantum uncertainty. However, it has since become clear that the uncertainty principle is inherent in the properties of all wave-like
I still don't see an experimental counter example from those guys. They use terms such as weak observing. I will have to see more before I am convinced. As for:
That kind of thing is why I prefer proven & measurable approaches to security over things that are theoretically better.
Both theory and application are important; a theory without an application is a limp theory, and an application without a theory is a blind application.
Honetly, when I first read the title of that article, I read it as: "Quantum pricks test uncertainty"... But I am not certain :)
@ Nick P
Interesting article, we shall see how it stands up to the rigors of time.
After reading the article, not the BBC one but rather the PRL 109, 100404 (2012) journal article, they are attacking the theoretical limit of HUP and not the fact that there is uncertainty. After one read through they take a polarized femto pulse, scramble it using a multimode fiber, and then use the now unpolarized light to do the experiments. They make the assumption that the now unpolarized photon packet is exactly the same in all the different polarizations. They look at one temporally using a BBO (frequency shifting), if your timing is off you will not get the new “color” photon, so they probe position this way. Since only the correct polarization will mix (let’s say S), the P polarization will continue though unaffected (another assumption). The P is now probed energy. If the assumption that the polarization are IDENTICLE, and nothing else occurred, maybe you can do the measurement this way.
I am not a physicist. I am a physical chemist. I use pico/femto laser systems myself to probe other systems. I DO know that when you take a picoseconds pulse with a certain bandwidth and you compress it temporally your bandwidth increases, aka the more you know where the pulse is in time, the less you know about its energy distribution. This is what occurs in a regen cavity (regenerative amplification).
Ultimately the paper sounds like they disagree with the number Heisenberg set (Planks constant), not the fact that there is inherent uncertainty. To be honest though, if you have to come up with a number that has the same units as Planck’s constant (m^2 kg / s) and about the same magnitude, wouldn’t you pick a very rigorously tested number that’s already in the literature?
To address "The problem with Heisenberg's theory was that it vastly predated any experimental equipment or approaches that could test it at the quantum level: it had never been proven in the lab." This is ubiquitous though out science. I could droll on and put many more people to sleep but it is always theorists coming up with ideas, experimentalists proving them or finding something new, and the theorists re-explaining. A very productive circle that drives basic research!
@ Wael and Brian
I didn't read the original article. I'm not a physicist or hardware guy, so I lack the expertise to check it with any honesty. I figured the blog readers would enjoy reading, reviewing or refuting it. ;)
"To address "The problem with Heisenberg's theory was that it vastly predated any experimental equipment or approaches that could test it at the quantum level: it had never been proven in the lab." This is ubiquitous though out science. I could droll on and put many more people to sleep but it is always theorists coming up with ideas, experimentalists proving them or finding something new, and the theorists re-explaining. A very productive circle that drives basic research!"
It seems so. At the same time, many theories that come without experimental backing prove to be time-wasters. This is especially true in the medical field with the "alternative" medicines. We also see it in software "productivity enhancers" and other things. I say this not to discredit theoretical research. The takeaway from that quote is: "If there's no experimental evidence backing the theory, don't be surprised if the theory and reality differ significantly."
Read another way by the security engineer: rely on something else until the new theory proves itself out both theoretically and experimentally. That something else should be more proven & reliable than the theory in question. This rule of thumb may or may not apply to "basic research," the sciences in general, etc. It does apply to security schemes more often than not.
@ Nick P
I'm not a physicist...
I'm no physicist either. Was just expressing my opinion which maybe incorrect as well. Was an interesting article though.
@ Nick P,
"Violation of Heisenberg’s Measurement-Disturbance Relationship by Weak Measurements"
I've yet to read the actual letter, however I've never been happy with "Weak Measurements" because they are in effect bassed on an assumption. That is they have "little or no effect" on what is being measured.
After a little thought many people will realise there is a considerable difference between "little effect" and "no effect" certainly well more than a proverbial "country mile".
The problem is that "little effect" may not be measurable over a short term whilst after a long term it might well be so if the effect can be considered in some way where the difference accumulates with distance/time .
One of the ironies of the "very very small" is that sometimes you have to have an experiment that is "very very large" to distinguish the signal from the various noises and uncertainties. Thus I suspect there is going to be a lot of "wriggle room" for physicists to argue on this for some time to come.
 You also have to consider that an effect may not directly accumulate with time/distance in which case it will either remain unmeasured or you may have to work out some way of getting the effect to impress it's self onto another medium where it will accumulate with time/distance.
The judge is wrong.
The whole of law is based on the simple premise that even though something is possible you should still not do it.
If the judges thinking was applied to killing people then murder would now be considered OK because you can easily go out and get hold of the tools to do it...
The "because the public can" idea has been run before with privacy many times. It boils down to how high do you make your fences bearing in mind there is always going to be a way for people to look over them. It's why we have "a reasonable expectation of privacy".
Further as it's wireless communications the judge appears to be ignoring certain rules the FCC have made. There is considered a significant difference between "a general purpose receiver" and "a test instrument". For many years you were not alowed to sell a general purpose receiver that covered non "broadcast bands" unless the purchasor had a licence to utilize those bands. Likewise test equipment should not be used to receive transmissions that where either not for public broadcast or were not within the terms of a current issued licence.
Now consider the same ideas the judge has espoused when applied to mobile phone bands, you can easily buy or rent test equipment for the frequencies used and the software is again easily available to make recovering what is being said or sent as data for use which means that there would be no privacy for all mobile phone users.
The fact that the ISM band alows "unlicensed use" is in no way equivalent to "Public Broadcast".
The problem is that "little effect" may not be measurable over a short term whilst after a long term it might well be so if the effect can be considered in some way where the difference accumulates with distance/time.
In the spirit of this comment (and not particularly security-related!) I recall reading in a recent British Airways in-flight magazine an observation that were I to hide a simple tea bag in some obscure part of an aircraft, over the course of a year it would cost the airline approximately a litre of fuel.
Returning to a slightly more security-related theme, perhaps this is the opening of a whole new economic attack upon the airlines - hiding lumps of lead and other heavy stuff on planes!!
You have beaten my to it :)
You have forgoton to say they call the new attack "CRIME" and unlike BEAST is SSL/TSL version independent as it's actually a protocol attack not a cipher suite attack.
Oh and it appears that over 70% of the more popular sites are still vulnerable to BEAST currently even though patches etc have been available for some considerable time.
Computer worlds take on it,
Does anyone know?? Also calling Bruce:
Could I have a state sponsered rootkit??
I'm running Win7, current IE, Word 2010. When I paste a snipped from a web page into Word, I see "contacting the server for information" in the bottom bar of Word. This is even though IE already has the info loaded.
First a couple of technicaly biased links,
An interesting "how to" read that mentions Bruce a couple of times on traps and pit falls in coding conventional crypto,
With regards unconventional crypto and "quantum communications" it appears that researchers have got the current distance up to 143Km in free space, which is the sort of distances you need for LEO satellites.
But that sort of "security" is but a pipe dream for now, more practical concerns are getting high on the political agenda, especially as it appears that in the UK (atleast) big business is not doing what it could do to protect it's self against Cyber-attacks. So much so that the UK's GCHQ (equive of USA's NSA) is pulling some of the biger organisations onto "the naughty mat" to receive a stern telling off...
But GCHQ (like MI6 are under UK Foreign Office) and MI5 (under UK Home Office) have decided to open up the number and type of organisations from whom they will aquire Cyber-gadgets of various types,
The article also provides some info which indicates the scale of losses by organisations getting an invite to the "naughty mat".
But it's not just the UK's GCHQ that's getting (justifiably upset with business) the NSA has likewise been drawing attention to the "very reckless" behaviour shown by a number of nations (not just China named this time ;-) Apparently little or no restraint is being shown and the number of attacks has increased 17 fold within a very small time. The concern appears to be that lack of control, even back in the "cold war days" nations stayed well on the caution side of the line,
But could the reckless ness be due to the bountiful nature of exploitable bugs in what is very poor application and OS security seen in over 90% of those in use?
Well there is evidence that it's not just governmental organisations stock piling Zero Day attacks. There is a group of Cyber-attackers who are full time "guns for hire" and appear to have found themselves some very well healed sponsors. Symantec have identified what appears a very proffessional group of full time cyber-attackers which it has dubbed "Elderwood" who are in many ways rivaling the abilities of those that wrote Stuxnet. They appear to have a research group that has produced many Zero Day attacks and supply them to attack coders who have modularised their code sufficiently efficiently that as and when security researchers have discovered what they are currently using they produce a new attack within days. They appear to have a stockpile of Zero Days and are getting through them at an average rate of about one zero day every seventy six days but with a peak of four zero days in a sixteen week period.
The group appear to be attacking fairly specific targets and so are actually low visability with limited collateral damage due to the use of "watering hole" style attacks, which indicates they have quite good intel about their chosen targets which are less well defended second tier suppliers to defence subcontractors which the group use to get a foothold against the better defended defence subcontractors.
Meanwhile the spat between the FBI and AntiSec over the Apple UDID info goes on with one person speculating on how the FBI agent was targeted,
Speaking of the FBI it appears they and the DEA and many other US agencies are getting access to peoples utillity, communications, health, bank and many other records without oversight or court autherised warrant thus bypassing the US constitution rights to not be subject to such searches and siezures... Basicaly the use "Administrative Subpoenas".
Now this is quite important for a cople of major reasons,
Firstly is the potential effect on individuals is apparently not clear to the judiciary who in some cases not working in the "public interest",
Secondly on a less directly personal basis because it effects the like of "cloud providers"... Which is something Bruce should be thinking about in relation to his CISO/CIO Cloud concerns.
Another "Cloud Question" is what do you do when the man incharge of your chosen cloud development decides very suddenly just before a major release to become an "Olive Farmer"?
Finaly an interesting read on how OS file systems mediate between Apps and HD's from Dr. Marshall Kirk McKusick (He of Berkly CSRG BSD / FreeBSD fame),
If there is a picture in the copied text, it could be contacting the server to try to get the picture. It may even be on a different server than the rest of the webpage.
You could try pasting it to notepad, then copy that to paste into Word.
There is definately a lot to know about this subject.
I like all of the points you've made.
> You have forgoton to say they call the new attack "CRIME"
Yes. And I'm rather curious about the meaning of the acronym ;-)
@Clive Robinson: "For many years you were not alowed to sell a general purpose receiver that covered non "broadcast bands" unless the purchasor had a licence to utilize those bands. Likewise test equipment should not be used to receive transmissions that where either not for public broadcast or were not within the terms of a current issued licence."
Not in the US. Until 1993 there was no restriction —none— on any radio reception; although the 1934 Comm. Act made disclosing intercepted information an offense. Wideband scanners picked up everything and were sold in popular shops. Pressure from the cellphone lobby led to a law blocking the sale of scanners receiving cell frequencies and making it an offense to "intentionally intercept" or "intentionally disclose" cell bands. Digital phones have made this law obsolete.
@hoodathunkit, re:Clive's comment
Nice link. My dad told me that he could pick up neighbors cell phone comms with no special software or decoding. I'd have to talk with him some and get him to show me the transceiver he used but it's kinda random to bring up. People should have been made aware of this, that your comms were just in the open; especially if you're say, cheating on your wife and don't want your neighbors to know (whoops too late). You never know who's listening...
Makes you wonder how secure comms are today...oh right...
Ah sorry, I should've pointed out that my father likely stumbled upon this accidentally just like I do with vulnerabilities; they just happen. That I don't approve of this and we don't spy on our neighbors and that if someone figures out who was cheating on their wife based on my statements then they likely already have the incriminating info is a db somewhere...
@Anonymo, "I don't often see you talk about what is good.":
I don't exactly speak for Bruce, but what I've seen pop up from time to time:
1. Invest in emergency response. Emergency response pays off better than surveillance, censorship or prohibition because it is a single investment that pays off against many problems, both accidental (house fires, for example) and intentional (murder attempts.)
2. Invest in human intelligence. We currently have more data than analysis. We need more humans with real intelligence looking for needles, not a bigger haystack.
The FCC guidence note I was given way back when indicated that,
"Section 705(e)(4) of the Communications Act (CA) of 1934"
Also covered "manufacture of equipment" and thus "placing on the market" of equipment for receiving non broadcast signals with a significant fine. Which was what I was refering to.
That said, however I've had a quick scan arround on the net and I haven't yet found an "unammended" copy of the 1934 act, to verify this. However what I have found refers to it as the section that covers "theft of signal" ie what is in effect intentional or unintentional reception whereby the information is used for "gain" be it personal or commercial (in theory recieving the local emergancy services and using the information received to change the route you drive home is an offence...).
Although I was not refering to an individual receiving a non broadcast signal, the same note also refered to various US Federal criminal codes, including the 1986 Electronics Communications Privacy Act (ECPA), which generally prohibited the intentional interception of non broadcast signals.
Both the CA and EPCA are mentioned in the link you provided.
Personaly I have difficulty keeping up with the changes in Europe (RT&TTE Directive and spin offs), thus the US (FCC etc rules and codes) I leave to others to let me know what's required (even though I have several "stack of crap" piles with various regs from around the world weighing the bottom draws of several filing cabinates down).
The reason for this can be seen by one small example (of very many) is the somewhat wierd requirments for FM broadcast transmitters the FCC has put in place years ago for "emergancy service" in the event of National or regional disasters (I'm told that on the few occasions it might have served a purpose it has generally either not worked or has not been used). It appears to be an attempt to replicate something that was done on AM Broadcast stations...
As far as the medical field “claims,” those are easily tested. Give the meds to a group of people (with the appropriate control group) and test. Lots of these have been debunked. The problem is science cannot keep up with the snake oil salesmen, or there is a conspiracy mentality that the government is covering up the results for the big pharma companies
Heisenberg, however, was part of the peer group that gave birth to our current quantum mechanics. This field has not changed much since then (albeit some addendums like string theory, widely accepted as most likely correct, but 100% untestable at the moment). The Higgs boson was predicted about 1964 (http://prl.aps.org/abstract/PRL/v13/i16/p508_1), by a respected, peer reviewed theorist (much like Heisenberg was). Only now (literally), are we getting experimental conformation on it. Gravity has been theorized on by Galileo and Newton. So we have been using a theory for hundreds of years, never knowing how it truely works. Yet, if you drop an egg, well there you go.
I have passed this paper to a more qualified friend. He has already stated that my example of time vs energy in laser pulse compression is not absolutely correct as time and energy commute with a simple Fourier transform, and momentum and position do not commute. This means we should see changes in previous case, but not in the latter, which is the rub. Why would they communicate?
I do not know if this article is correct or not, though I am interested. I will wait until other members of the field publish on it. If it is incorrect, it will be pointed out vehemently. If it is correct, much more complex experiments will follow. My money is on incorrect. In physics, usually, the simplest corollary is correct, usually...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.