Friday Squid Blogging: Another Squid Comic

Another squid comic.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on November 23, 2012 at 4:50 PM • 31 Comments

Comments

FigureitoutNovember 23, 2012 11:58 PM

In case you didn't hear, I'm kind of curious about the "leak":

On Sunday 11th November 2012, two machines within the FreeBSD.org infrastructure were found to have been compromised. These machines were head nodes for the legacy third-party package building infrastructure. It is believed that the compromise may have occurred as early as the 19th September 2012.
The compromise is believed to have occurred due to the leak of an SSH key from a developer who legitimately had access to the machines in question, and was not due to any vulnerability or code exploit within FreeBSD.

http://www.freebsd.org/news/2012-compromise.html

Nick PNovember 24, 2012 8:17 AM

@ Figureitout

Personally, the compromise doesn't bother me. Compromise is inevitable in low or medium robustness environments. Hence, why auditing and recovery are mandatory features in government protection profiles. That said, I think the FreeBSD team handled the situation as close to ideally as possible for such a scenario. Most users are only concerned with the integrity of the packages & their systems. They received quick verification of this.

I'd personally like to know more about the circumstances related to the key leak. That the compromised repository was the one for "legacy 3rd party" stuff makes it slightly more interesting.

Side note: I see CVSup is still in use. I ran into it while looking into alternative systems programming languages, esp. type safe. Modula 3 was an ancient one that's got nice features, good performance, a maintained compiler & development environment. A language in that family was also used for SPIN Operating System. Of course, CVSup is dying a slow death as FreeBSD page recommends switching to something else.

AC2November 24, 2012 8:20 AM

Storing and sharing personal photos on untrustworthy sites

Am thinking of ways to solve the problem of being unable to share personal photos with others (friends/ family) while using untrustworthy sites like Faceflickrcasa or even a hosting site...

Right now I do something quite elementary, put into a password protected ZIP file and email it to them. The password usually something we both know as an answer to a hint.

Option A:
- Scramble the contents of the image file (say JPG) so that it still resembles a valid JPG file and store on the photo sharing site
- Provide users with a link with the key in the HTTPS URL, pointing to a hosted site
- That URL will either retrieve the scrambled image, unscramble and display or serve up a Flash client that does the same (so the hosted site can't see it either)

Option B:
- Apply standard encryption tools to the JPG, so that it is not longer JPG compliant and so can't be shared via a standard photo sharing site
- Store on a hosted site and share via a link containing the key as described above
- Only downside here is increased cost of storing and retrieving photos on the hosted site

Would like to add that the same approach but hosted on a server at home, is not feasible as I don't get that level of broadband access at home

Each of the above could be tweaked as
- Single key for an album of photos instead of individual photos
- Salt in addition to the key

Any thoughts?

Clive RobinsonNovember 24, 2012 10:28 AM

@ AC2,

Am thinking of ways to solve the problem of being unable to share personal photos with others(friends/ family) while using untrustworthy sites ike Faceflickrcasa or even a hosting site..

Your main problem appears to revolve around,

Scramble the contents of the image file (say JPG so that it still resembles a valid JPG file

Because if you solve it well alll your options are available to you (and it has in effect be solved in jpeg2000 but it suffers from "its new" problems).

There are various things you could do but, I'm assuming by "resembles" you actualy mean just the file format not the contents. That is if viewed by a human it will display without error as some kind of "dogs breakfast" mess not a picture of "pink fluffy kittens" or some such.

That is due to bandwidth restrictions you don't want the near ten fold increase in size basic stenography will bring you on your raw image prior to jpeg compression.

This might work currently but I suspect in time a free site's tools will eventialy pick up the fact that the image is not real due to something quick and dirty like colour balance or edge detection etc ranging through to image recognition.

With raw images one way to maintain the colour balance is to use a transposition cipher only. That is in effect you simply shuffle the pixels of the image around. This does not work with the jpeg lossy compressor as it uses the slow gradients in raw images to get the 10:1 compression ratio.

So I would avoid trying to encode the raw image prior to compression as this significantly ups your bandwidth requirments. Thus you would be looking at encrypting the output of the jpeg compressor but still maintaining it as looking like a valid image.

That said you don't usually save the jpec codec bitstream to a file just on it's own (it has problems) you usually save it as a JFIF or EXIF format which use the APP0 and APP1 application markers.

Have a look at this paper for some ideas on what can be done as it also provides handy refrences to other work on encrypting ordinary jpeg,

http://hal-lirmm.ccsd.cnrs.fr/docs/00/12/27/34/...

You can find a reduced "web standard" version of the JIFF format that avoids patent encumbered bits of jpec at W3C,

http://www.w3.org/Graphics/JPEG/jfif3.pdf

And the detailed information on the jpeg compressor bit stream structure from the ISO/IEC 10918-1, appendix B,

http://www.w3.org/Graphics/JPEG/itu-t81.pdf

The W3C site contains other useful information on jpeg and other image files at,

http://www.w3.org/Graphics

AC2November 24, 2012 12:38 PM

@Clive

You're right I was looking at mess-of-pixels, not the steganographic approach. But I take your point that the scrambled images may trip up the image sharing site's filtering tools...

Thanks for that! I was under the impression that scrambling the JPGs would be the easy part and the harder part would be key management and getting the unscrambling done client side!!

Another issue that comes to mind is that some sites make slight alterations in the uploaded JPG before storing, usually trying to crunch the size a bit more. The JPG encrypted to JPG approach would fail there.

Of course if that (JPG scrambling) doesn't work out can always encrypt and store (i.e. resulting file NOT a valid JPG) on a separate hosted site...

Blog Reader OneNovember 24, 2012 4:18 PM

In 2003, John Walker released the writing "The Digital Imprimatur" about a possible means for corporate interests and governments to exert extreme control over Internet activity via digital certificates and "trusted computing" technology. (For supporters of privacy and freedom, this will likely not be easy reading.)

https://en.wikipedia.org/wiki/The_Digital_Imprimatur
https://www.fourmilab.ch/documents/digital-imprimatur/

(Also of possible interest is the writing "The Internet Slum," also from John Walker.)

https://www.fourmilab.ch/documents/netslum/

Clive RobinsonNovember 25, 2012 5:36 AM

OFF Topic:

I'm not sure what to make of this,

http://prx.aps.org/abstract/PRX/v2/i4/e041010

Basicaly Toshiba UK and Cambridge Labs have come up with a way to do QKD in the same fiber as the data. Previously this has not been possible due to residual photon noise in the detectors.

But it appears what they have done has not just solved the out of band QKD problem they also appear to have significantly uped the QKD distance/rate metric as well.

Whilst I would agree it's a significant development it still does not solve one of the basic QKD problems that it's only secure over a single length of fiber, you cann't "packet switch" it or even "circuit switch" it without having to come out of the "quantum protection" to ordinary classical physics with all it's security vulnerabilities.

So to be of real use currently QKD would have to be "link encryption" from node to node not "end to end" encryption. This means that the securety "weak links in the chain" become the link nodes/switches and how vulnerable they are.

As a historical refrence all the technical difficulties of "mag lev" monorail trains but one were solved and that unsolved problem was "points" nobody could work out how to reliably switch the trains from track to track. This banished mag lev monorail trains to "fair ground attraction" status where they still remain today.

Thus it can be seen that for QKD to ever go mainstream as optical fiber data comms has, it has to first solve it's "point problem" reliably.

Clive RobinsonNovember 25, 2012 6:00 AM

OFF Topic:

Now this is of serious concern,

http://www.bbc.co.uk/news/technology-20461752

Not for the "mark of the beast" reasons but because it's a full blown invasion of a persons privacy done under threat by an authority in a position in which they can over extend their authority in an abusive manner.

And don't fall for the "faux pro" arguments of safety and security these tags are absolutly nothing of the sort those in position of authority have an agenda be it simply cost saving or much more sinister and they will "work the crowd" with any "think of the children" or "it's anti-drugs" or "anti-terrorist" etc and will jump up and accuse any dissenters or protestors of being pro-drugs / pro-terrorism / pro-child abuse etc in any way they can to get their way.

Clive RobinsonNovember 25, 2012 6:16 AM

OFF Topic:

Over on Biran Krebs site are a couple of interesting items,

The first is a physical security risk at ATMs that either trap your ATM Card or some of the Cash you are trying to take out,

http://m.krebsonsecurity.com/2012/11/...

The second is about a person selling a zero day vulnerability of Yahoo for as little as 700USD,

http://m.krebsonsecurity.com/2012/11/...

Obviously that hacker is not in the same league as some vulnurability sellers. There is a new company selling zero-day vulnerabilities on SCADA / PLC / RTU systems and they claim to have them for all major vendors of these systems.

Their ethos is simple they won't be informing the system vendors only select 'subscription' clients,

http://www.networkworld.com/news/2012/...

To be honest I'm not sure just how long this particular business model will last, think of it this way just how many people are there out there at the Type II and Type III threat level that are going to keep paying top dollar for exploits to turn into cyber-weapons when they know the same exploits are being sold to others?

Clive RobinsonNovember 25, 2012 6:33 AM

OFF Topic:

Over on Finacialcryptoography IanG has put up a post about Facebook finally going all SSL and giving the reasons why all sites should do so,

https://financialcryptography.com/mt/archives/001397.html

Oh and his second but last link points of to one of his earlier posts "in praise of Bruce" over the selling of vulnerabilities and his reasoning for thinking that the NSA has a significant hand in why the Internat is so vulnerable to day and as to why the US War Hawks can go and demand appropriations for Cyber-Warfare.

SimonNovember 25, 2012 8:51 AM

@Clive ... re Mark of The Beast, etc. Hey, have you ever compared the compulsory situation to products we buy and want but do the same? The high school situation scares a lot of people because 1) it's compulsory and 2) it's attached to the person. So, what if products are made desirable and people really want them, but really do the same thing? It's like mixing some sugar with the poison, eh?

AndrewNovember 25, 2012 10:28 AM

@Simon, Interesting point - take the Progressive Insurance 'SnapShot' for example; it's a device that you plug into your car's OBDII port to record your driving habits (to convince the insurance company that you're a safe enough driver to get a discount on your insurance premiums). It's easy to imagine people far more willing to opt in to be tracked to prove that they deserve to pay less money than for them to complacently comply to being tracked in their cars to prove they aren't up to anything suspicious.

Nick PNovember 25, 2012 10:46 AM

@ Clive Robinson

"Over on Finacialcryptoography IanG has put up a post about Facebook finally going all SSL and giving the reasons why all sites should do so,"

I go to this SSL promoting site only to get an SSL "website not trusted" warning. Further exploration indicates the certificate was issued to www2.futureware.at. The issuer is a free CA I think, so what's the author's excuse for not having a valid certificate? Or maybe a browser issue?

Clive RobinsonNovember 25, 2012 11:51 AM

@ Simon,

So, what if products are made desirable and people really want them, but really do the same thing? It's like mixing some suga with the poison, eh

If you are aware of the products failings, are over 18 and it is realy your choice then, that's your choice.

If however you are doing it because "it's cool" or "what every one else does" then still your choice but, are you realy an independent person or a pack animal?

If however you feel you have to wear it like "gang colours" because otherwise you have misgiving or fears about how you will be treated then that is bordering on compulsion and not somewhere you want to be, unless you have good reason.

If however you are unaware of the features or cannot apreciate what harm they can do if you are correctly informed then again you are in effect being coerced by someone being decitful or taking advantage of you.

It's an awkward situation because we get compulsion such as addatives in bread and tap water, the ability to avoid them is dependent on your ability to be able to purchase alternatives or make an alternative.

Take for instance "corn syrup" it is a product of chemical aduteration of a geneticaly modified plant (even if only by controled cross breading) that current research appears to indicate has undesirable properties that give rise to behaviour equivalent to some forms of drug addiction.

Take cigarettes, they are not just tobacco in fine paper, both are adulterated with chemical addatives that you would not be allowed to put in food and also in effect "freebase" the adictive alkaloid drug that causes the addiction to be rather more than mild.

These forms of compulsion we appear to accept as a society for reasons that are beyond me as the longterm cost to society can be quite significant.

Is tracking adults continously any worse in longterm outcomes to these? I don't know.

But I assume properly informed parents will make a choice if they can for their children, but it appears there is no longterm option in this case. At the moment it's only two out of a hundred or so schools that ALL will be eventually put in thhe trial so moving your child to another school is putting off the inevitable not making a choice. It's a bit like being caught out in a storm and standing under a tree when you start to get wet and you could run to a tree where it's still dry but you know eventually even that tree won't provide shelter...

I don't like choices being enforced on me and I don't expect many parents like them being enforced on their children, especialy when you have good reason to belive that the coercion is not as presented and thus far from either benign or acceptable.

But at the end of the day there is societal norms, does this fall in line with the norms of the society you live in? if it does and you find it uncomfortable you have to choices protest by whatever means you can or up stickc and go to another society if you can.

FigureitoutNovember 25, 2012 1:39 PM

@Nick P
the compromise doesn't bother me...I'd personally like to know more about the..key leak.
--True, if one worried about every vulner. life would be an anxiety attack aka "hell" for anyone that's had one. What would bother you?

I go to this SSL promoting site only to get an SSL "website not trusted" warning.
--Ha, me too.

@Blog Reader One
--Good reads, like his analogies. I don't think people will "leave" the internet though, too much access to info & addicting & it's forced on you in various ways (& when you start putting automated live-feed video/audio footage over it, you are looking at very literally being unable to avoid it). Makes you wonder about spammer/"Anonymous" motives when they attack random users' computers for no good reason as it's a waste of electricity/productivity/mineral resources (go back to centralized flow of info).

@Clive/Simon
So, what if products are made desirable and people really want them, but really do the same thing?
--"Smart"[computer]phones of course come to my mind. It's less about being "desirable" & more about "avoiding people's stigmatization". It's impressive this sophomore in highschool is seeing bigger picture (& putting her reputation on the line), I think younger folk are becoming more and more "mature", has its pro's & con's as they may soon have practically no memories of being a "carefree child".

Clive RobinsonNovember 25, 2012 4:19 PM

@ Nick P, Figureitout,

I go to this SSL promoting site only to get an SSL website not trusted" warning

Hmm, as I use a smart phone that's a little creaky in it's old bones these days I actually went to the site using ordinary HTTP not HTTPS. However when I do I get a "Server Failed to Communicate" pop up fairly promptly, so it's not a timeout issue. Last time I saw that was on another blog when the admin had two different certificates for the site at the same time one for ordinary HTTPS-GET (ordinary link requests) and the other for HTTPS-POST (for button clicks such as "preview", "edit" and "post" buttons).

But I must admit the cert you are gettting is way off if I remember correctly the financialcryptography cert used to be an ordinary self signed cert.

Clive RobinsonNovember 25, 2012 5:51 PM

@ Nick P,

Speaking of Certs that don't match, the first one that pops up on this site has,

*.defendinovation.org

As they say "there's a lot of it going about".

Nick PNovember 26, 2012 4:47 PM

SECURITY NEWS

SCADA systems gutted by researcher. He claims to have found more than 20 bugs in a few hours.

https://threatpost.com/en_us/blogs/researcher-finds-nearly-two-dozen-scada-bugs-few-hours-time-112612

Best Quote

"It turns out they're stuck in the Nineties. The SDL doesn't exist in ICS," Terry McCorkle said. "There are a lot of ActiveX and file format bugs and we didn't even bother looking at problems with services. Ultimately what we found is the state of ICS security is kind of laughable."

Cliver RobinsonNovember 26, 2012 5:32 PM

@ Nick P,

SCADA systems gutted by researcher

I'm not overly surprised.

Though one mild amusement springs to mind, up above I linked to a news story about a company that had been set up to sell SCADA zero-days etc, this researcher has possably just blown a big hole in their somewhat questionable business model...

Clive RobinsonNovember 27, 2012 4:49 AM

@ figureitout,

Google skeptical of WCIT-12

Google are not the only ones have a look at,

http://www.internetsociety.org/doc/...

With the reply from the ITU they are being a little disingenuous to put it mildly.

Firstly IT IS ONLY the nation states that can vote not any other organisations that might be attached to the delegations in an advisory position.

Second "freedom to communicate" does not in any way cover the privacy angles, or political suppretion...

As an example under various bits of human rights legislation and treaties you "have rights" but there are many places in the world where torture, control of food supplies, water (and more recently by Russia) energy supplies are used as political tools.

You need also to bear in mind that Governments are just like parasites that live on the host body of the citizens of a nation state. Like all parasites they want to survive at any measure including destroying the host as they feed off of it.

So a government needs a food source (taxation) and a method of ensuring it (control of legislation) and to defend it's self (rigged election and running process of representational democracy) and it's ability to control the populous in various ways including as we have seen with "terrorism" excuses to monitor and prejudice against what it sees as a threat to it's existance.

So from a government perspectiiive the Internet lacks "their guiding hand" and importantly they are not making tax off of it, they want this to change. Further they don't likee the way it does not conform to their Geo-Political view of the world as can be seen by proposals to effectivly turn the internet from the advantages of packet switched to the disadvantages of circuit switched traffic, in that Governments want to know not just where traffic originates but how it was routed.

So yes there is a lot at stake, because the ITU are looking to swittch from the harmonisation of methods and spectrum (it's original purpose) to control of traffic and importantly content.

One thing you have to watch out for is the use of "for testing". Testing is a method/tool that is agnostic to it's use. It is extreamly invasive and as such makes an idea vehicle for illicit monitoring etc. Go back to the CarrierIQ debacle on smart phones to see this, oh and other current thinks like "rage shake" fault reporting where by if you shake a beta "test" phone (see Facebook and Android smart phones) it sends it's whole current state back to the software developers. I can assure you that the low level "hooks" for such a thing will remain present in the final versions of software and OS because they are integral to the design methodology and thuss fundemental functions of the software. And the thing about such hooks is once they are there all somebody has to do to be malicious is work how to "hook up" with them (as was seen with the Greek Olympic phone hacking scandle).

codingNovember 29, 2012 2:46 PM

Hola! I've been following your web site for a long time now and finally got the courage to go ahead and give you a shout out from Humble Texas! Just wanted to say keep up the excellent work!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..