Friday Squid Blogging: Giant PVC Squid

Neat art project. Another link.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on December 14, 2012 at 4:44 PM • 48 Comments

Comments

QnJ1Y2U • December 14, 2012 5:05 PM

A comment on comments ... the comment author now appears at the top of their post instead of the bottom. The change is apparently in response to this: http://www.schneier.com/blog/archives/2012/12/buy_your_own_at.html#c1032915

I find it a bit distracting, and not particularly helpful. It's not like it was tough to spot Clive's posts before the change. And as always, if I want to learn something, I read what Clive wrote. If I'm in a bit of a hurry, then I might skip it.

No matter where the signature appears.

Joe Loughry • December 14, 2012 5:20 PM

I always look for Clive's comments first (and Nick P and Bruce and a few others).

It was like a game, spotting new Clive comments before you'd scrolled down far enough to see the name...

Nick P • December 14, 2012 7:31 PM

@ Joe Loughry

"I always look for Clive's comments first (and Nick P and Bruce and a few others)."

Always glad to hear people are enjoying my posts. ;) Your work on optical emissions of LEDs caught me off guard. A few designs of mine were vulnerable. I quickly applied a countermeasure: duct tape. A wax drop is an alternative that can blend in. Made for interesting conversation when people asked why I did it.

"It was like a game, spotting new Clive comments before you'd scrolled down far enough to see the name..."

Yeah, I used to play that game with Clive's posts too. I once copied an entire post of his with my name at the end just to mess with everyone. Got a few laughs. Clive was only slightly less amused.

Re your own work

I see you're interested in medium to high assurance product evaluations. One problem in that area is that an evaluation costs a ton of money. Producing all of the evidence does as well. Aesec's GEMSOS was $15mil to develop, then NSA quoted $50mil evaluation cost. LOCK was $25mil WITHOUT evaluation. And so on. Businesses (excluding defense contractors) are unwilling to spend that kind of money unless they see long term sales being likely.

As Bell's Looking Back paper shows, the US Govt promised vendors they would buy their stuff if they evaluated. Companies invested in, evaluated and brought to market a bunch of highly assured products. Then, via MISSI & policy changes, the government killed off many and mostly ignored others. The government also didn't make good on the RAMP promise, asking for total re-evaluation under CC. BAE's STOP is now at EAL5+ and I still don't know why Boeing SNS started "in evaluation EAL7", but ended up as "EAL5+." (Admittedly augmented with much assurance from EAL7.) GEMSOS is unevaluated under CC, but is still maintained.

So, to the point of it. The Orange Book and CC were designed to give us a way to know the assurance of products. High assurance security is inherently long term. What's the point of doing an EAL6-7 evaluation if the criteria are somewhat imprecise and the government might dump its promises? For non-government sales, isn't a glowing evaluation report from a group like Matasano all that's needed to convince most customers? (Secure64 DNS does that.) Or perhaps bypass CC and use DOD C&A, since you often have to do that stuff anyway? (Argus brags about how many groups accredited it.)

It's hard for me to see the value to be gained from a high assurance govt evaluation, esp CC. Honestly, I think the act of preparing for one (producing key evidence) is more valuable for security than the evaluation itself. Karger implied that in his paper on the EAL7-targeted Caernarvon. It's also incredibly inefficient: even EAL4 evaluations can cost over a million dollars. Bell figured govt should (as a start) create a B3 or A1 updated protection profile, then RAMP up the old B3/A1 candidates, only evaluating changes made to them. I also think the different processes (C&A vs DCID vs CC) need integration where certifying under one will allow use by all so long as extra criteria are met.

My conclusion is that medium to high assurance certification is a huge risky mess they need to clean up before I'd advocate anyone doing it. SKPP vendors and defense contractors with existing product lines are an exception: they have a likely ROI. Your thoughts, Joe? I'm particularly interested in any improvement ideas.

Bell Paper
http://selfless-security.offthisweek.com/papers/Bell-LBA.pdf

quick brainstorm

If we can't change it, I think we can hack around it. In my own designs I noticed long ago that many required "security features" that are hard to assure can actually be built outside of core TCB. Also, the "system" might be a collection of physical systems working together. I promoted this around half a decade ago. (I learned from old INFOSEC papers.) I've noticed the idea is finally showing up in modern research projects and products.

Micro-SINA puts Linux transport VMs for internal and external networks on each side of the trusted "Viaduct" component that does security-critical IPSec. My version would make them separate (cheap) physical machines connected with non-DMA wires and talking an easily parsable language. The TCB for middle part would be tiny and simple enough that an EAL7 effort might be doable. (Actually, Navy already has a crypto-gateway ready for an EAL7 evaluation, which was cancelled. Maybe just license theirs if possible.)

Rockwell-Collins later exploited the principle in their Turnstile guard. Just like my old designs, they have a high assurance component connected to untrusted single-level components that do the transport (Ethernet here). The trusted component, an AAMP7G processor, can share the data with little possibility of compromise and in a fairly straightforward way. The (newer) MLS LAN project is doing this for network security and applications. JX OS is indirectly doing it by making almost everything typesafe and controlled by the runtime, making for a small certifiable TCB.

So, if I ever do an EAL6-7 evaluation, it will be very hacked together. Otherwise, the evaluation will cause the product to be so expensive, minimalist and inflexible that it's not worth the money. Meanwhile, I'll simply design or build stuff, produce evidence, and let clients (or 3rd parties) evaluate it. This process has less overall assurance, but I'm still not bankrupt: just not wealthy either. ;)

Kaithe • December 15, 2012 6:12 AM

Somewhat tangential to the broad theme of 'security' (unless you find yourself tangled up in this situation), but an Australian military analyst is asking if those who tweet in support of one side or the other in a military conflict may be considered legitimate targets.

Tweeters are legitimate military targets?


Sam J • December 15, 2012 8:34 AM

@Kaithe

That's not how I'd phrase what the report says. It seems to be specifically about whether certain social media activity is sufficient justification for targeting someone as a militant, such as tweeting information on troop movements or posting pictures of a firefight from such a perspective as to make the poster seem to be a combatant.

It's not proposing that those who simply tweet "in support" of a military conflict are targets. Just because I support one side in the war does not make me a combatant.

Blog Reader One • December 15, 2012 9:13 AM

Recently, Richard Stallman mentioned the issue of data recording by implanted medical devices. A Wall Street Journal article talks about the issue of who should have access to the data generated by such devices. (In particular, it is not automatically the case that a patient with an implanted device has easy access to the generated data.)

MikeA • December 15, 2012 2:10 PM

The Krebs article mentions the possibility that the email addresses were easily guessable. I certainly get guessed-address attacks on some domains (even one that I swear must have been guessed by a human, as it inferred the username from the guessed language of the domain name).

OTOH, I got a porn-spam within a half-hour of registering an Adobe product, using a just-created throwaway address that was not a proper name or dictionary word, so this sort of thing does happen.

Moderator • December 15, 2012 3:10 PM

A comment on comments ... the comment author now appears at the top of their post instead of the bottom. The change is apparently in response to this: http://www.schneier.com/blog/archives/2012/12/buy_your_own_at.html#c1032915

Yes, in the sense that that rather obnoxious comment called attention to an old and dubious piece of design. It seems almost universal now for comment sections to put the commenter's name near the top. And in general, I don't think that good design should create guessing games. But if you like it that way, the commenter's name is wrapped in a span with class "commenter." You could use CSS to make it white-on-white, so you'd have to highlight the name to read it. Or a Greasemonkey script could move it back to the end of the comment. Or even encrypt it, if you really don't like spoilers.

Clive Robinson • December 15, 2012 5:32 PM

@ DOR,

There's a problem with the list, which is the last item,

37. 50 Points for making it to Schneier's Doghouse.

Maybe my beard's getting a tad too much grey in it, but I can't remember the last time Bruce "put a mutt in the kennel".

I guess either "they don't make'm the way they used to" or "the varmints are so thick on the ground you can't see the toes of your boots".

Nick P • December 16, 2012 12:36 AM

@ Clive re doghouse absence

I think I mentioned something about this before on the blog. My guess was along two possibilities: (1) he's long proven his points and was bored with it; (2) it's part of his overall shift away from many technical aspects of security to things like psychology and economics of it. It might also be both. Or neither.

Clive Robinson • December 16, 2012 1:43 AM

OFF Topic:

As some of you might be aware the UN's ITU has been meeting for the past two weeks in Dubai.

Of great contention was the "power grab" by the ITU over the Internet. The grab was proposed by various countries many of whom we would regard as repressive (China and Russia being but two). The US and other western nations basically voted with their feet and refused to sign.

However in the usual political dirty tricks small nations were offered what is in effect a bribe to sign up on the promise of aid to become more connected.

However a lot of other bribes were on the table including transparency etc on mobile phone roaming charges etc.

The problem is of course the 'all or nothing' style nature of the UN and thus ITU accords.

I'm still quite surprised at the lack of publicity over the ITU meeting in Dubai, anyway you can read more on the results at,

http://www.khq.com/story/20344086/un-telecom-chief-surprised-by-us-led-treaty-snub

http://www.cbc.ca/m/touch/news/story/2012/12/13/un-us-internet.html

And other editorials behind various commercial / pay walls but something sticks in my craw about giving any kind of legitimacy to the Piracy of the Funnel Web Poison from Auz.

Clive Robinson • December 16, 2012 1:51 AM

@ Nick P,

Yes it's a bit difficult to deny the shift from the purely technical to the more social aspects both of the blog and Bruce's writing (Likewise Ross Anderson).

Arguably this social aspect is a mark of the maturity that the field of endeavor has passed and also the way it is becoming recognised as part of the general fabric of life rather than a fairly remote haunt of those with a geeky background.

itgrrl • December 16, 2012 3:16 AM

@QnJ1Y2U: Regardless of the motivation for changing the comment layout, I, for one, much prefer to see attribution at the start of a post rather than the end (not just here, but as a general principle). I like to be able to prioritise my reading based on source if I'm pressed for time.

Clive Robinson • December 16, 2012 4:24 AM

@ Nick P,

Mentioning Ross Anderson and the fact we were talking Authentication the other day, reminded me about a comment he made about how many authentication factors there are and challenging his students to find more.

Traditionally the industry thinks there are three,

1, Something you know.
2, Something you have.
3, Something you are.

This view almost certainly comes from various Government and Industry standards.

However you and I have discussed using 'Place' and 'Time' as factors for securing data when traveling across borders. Whilst we treated them as separate factors during discussion, the question arises are they actually separate factors or part of 'something you know'.

Then there was that 'guitar hero' system which promoted the idea of something you are combined with something you know but don't know in a transferable way. In effect a biometric you could change without the use of a scalpel and surgeon.

It raises the question of, are our thinking processes on authentication factors shackled by the 'Black or White' binary thinking and the need to put a new idea only into one of the traditional three factors.

Jake • December 16, 2012 10:47 AM

Can anyone tell me how secure a Verizon MiFi4620 jetpack is?
Every now and then I note 3 users when I only have 2 assigned to the jet pack.

supersaurus • December 16, 2012 11:43 AM

the iranians claim to have "decoded all the data" in a captured drone http://news.yahoo.com/iran-data-decoded-cia-drone-captured-2011-115550385.html. I wonder 1) what sort of data would stay on the drone rather than being transmitted and forgotten (maybe all of it if it would prevent detection while in hostile airspace?); 2) how hard would it be to have a deadman (e.g. inertial switch) that would destroy whatever the storage is in the event of something-bad-happening; 3) if data is present on the drone would the cia really have been dumb enough to use an algorithm that could be broken in this lifetime?; and 4) am I just displaying my ignorance?

Figureitout • December 16, 2012 10:53 PM

am I just displaying my ignorance?
@supersaurus
--No, do you ever wonder how many breakthru's are lost b/c people capable of discovery are scared to ask questions?

@Petréa Mitchell
--That would be hilarious (and a source of empowerment for everyone) if it is the plaintext, first-letter-acronyms?! Not even a Caesar. It wasn't a complete decoding though, maybe he left it out or there's other books? Goes to show the power of OTPs.

D0R • December 17, 2012 4:51 AM

Speaking about the Doghouse...

This one is two years old, I must have somehow missed it:

Emirati ex-banker builds 'unbreakable' code

I don't know what is the most laughable, the absurdities written in the article, that the code is claimed to be "unbreakable" because "it uses made-up symbols", or that it looks a rip-off of Futurama.

Adric Net • December 17, 2012 7:28 AM

As noted by a blog commenter, Charlie Stross sums up the authentication factors in a rhyme in his novel Glasshouse:

"The height of authentication security was expressed in a poetic rhyme in Stross’s Glasshouse:

Something shared, something do, something secret, something you."

quote found here http://www.saysuncle.com/2011/04/28/the-future-3/ before I could open Kindle.app

hth,
adric

Clive Robinson • December 17, 2012 9:28 AM

@ supersaurus,

In reverse order,

4) am I just displaying my ignorance?

Yes and no it depends on what you know about the military and the difference between "tactical" and "strategic" weapons / systems.

3) if data is present on the drone would the cia really have been dumb enough to use an algorithm that could be broken in this lifetime?

The CIA would not normally be involved with the decision as it's probably "not their bird". The choice of crypto is something that would originate from the NSA directly or indirectly to the Military who technically own and fly the drone and the drone manufacturer.

As the Military would treat the drone as tactical not strategic and the drone manufacturer would consider most NSA kit "dead weight" there may well have been no storage crypto on the drone.

2) how hard would it be to have a deadman (e.g. inertial switch) that would destroy whatever the storage is in the event of something-bad-happening

It's a bit more complicated than just having a deadman's switch, you have to ask what the switch would do, and if (as supposedly happened) the location information is spoofed so that the switch never triggers.

Let's assume the storage is hard disks and that an Inline Media Encryptor (NSA has an IME you can look the specs up for to get an idea of what might be done [1]). In effect the two critical parts are the IME and the Crypto Ignition device that holds the KeyMat, because it's only ever encrypted data that goes to the disks and after power down the "data is at rest" and thus rated to the higher levels of "secret".

It is doubtful if conventional explosives would sufficiently destroy the IME or Crypto Ignition device and for other more prosaic reasons be undesirable (you don't need a bomb in the maintenance, fueling or arming areas). It would need something a little more "hot" like one of the higher temperature forms of thermite plus the equivalent of a fire proof safe for it to be put in this is a very significant weight (50Kgs would be a rough estimate).

Now like explosives you really don't want large blocks of thermite in an "armed state" hanging around especially on landing or take off and in any of the flight prep and maintenance areas. And as the deadman's is supposed to be a failsafe device for destroying the crypto gear you don't want the normal "arming inhibit" devices you have with munitions.

So whilst the IME and Crypto Ignition device might be little more than a couple of quite small circuit boards weighing an ounce or three. When you have added the specialised (EmSec filtered) interfaces and power supplies, and then added your fail safe deadman's stuff around it in a way where it will work "securely" you've effectively turned it into a 100lb incendiary bomb, that you can not defuse (easily or at all) a little bit larger than a 155mm howitzer shell... [1]

It is also likely that any drone reconnaissance data recorded would very probably be known to the enemy as well either by assumption (they probably know the height and flight path etc) or directly from monitoring the feed back to the control center (as happened in Afghanistan).

So encrypting what is in general tactical not strategic data would have a significant overhead, before you start giving consideration to the KeyMat issues.

1) what sort of data would stay on the drone rather than being transmitted and forgotten(maybe all of it if it would prevent detection while in hostile airspace?)

That depends on what the drone is being used for, if for tactical battle field information, the importance is in speed of delivery back to command so little or none. The less tactical and more strategic then the less likely it is going to be transmitted either in the clear or at all.

For instance some data has to go back if the drone is being actively controlled as the controller needs to know where it is at all times to control it. If however it's running on "auto pilot" then the pre-programmed route etc will be data stored on the drone as will the enabling of various sensors etc.

The drones the CIA are supposed to have a main interest in are the "Amber" General Atomics RQ-1 MALE UAS reconnaissance platform (Predator) and the later MQ-9 (Reaper), which carries a significant ordnance payload (15 times MQ-1) and is considerably faster (three times).

In the case of the MQ-9 whilst capable of autonomous pre-planned flight, when loaded with ordnance the rules of engagement have put a human in charge of engaging targets, which means that an active control link must be maintained.

It is interesting to note that the MQ-9 Block 1 plus upgrade originally destined for fall 2012 will have significantly upgraded VHF/UHF communication (Dual ARC-210V SDR systems [2]) and what appears for the first time fully encrypted communications... Thus possibly finally giving rise to the need to have encrypted data storage.

[1] This is technically pre NSA Crypto Modernisation Initiative, where the equipment was considered to be as valuable (if not more so) as the data/communications protected. Post initiative many previous requirements have been ditched or significantly modified. One of which is the requirement for "physical destruction" of the equipment should it be likely to fall into enemy hands.

[2] AN/ARC-210(V) Is a 30-400MHz system utilising Software Defined Radio (SDR) that also benefits from the NSA Crypto Modernisation program (see http://www.rockwellcollins.com/sitecore/content/Data/Products/Communications_and_Networks/Communication_Radios/AN-ARC-210_Gen_V_Programmable_Digital_Communication_System.aspx http://www.fas.org/spp/military/program/nssrm/initiatives/arc210.htm ).

drxzcl • December 17, 2012 10:12 AM

Clive Robinson, Nick P:

Joseph Bonneau of LightBlueTouchPaper, who has graced these pages before, considers authentication to be a classification task. Inputs (such as passwords, tokens, IPs etc) are features on which the decision (access, no access) is based.

This is an elegant and graceful generalization of multi-factor authentication.

http://www.lightbluetouchpaper.org/2012/12/14/authentication-is-machine-learning/

supersaurus • December 18, 2012 4:40 PM

@clive

I *was* displaying my ignorance! thanks for the enlightenment (no sarcasm intended), there was much to know that I didn't.

999999999 • December 18, 2012 6:26 PM

Simple code.

7055808370220470211748377692161148676721719715211726730515817692c23c14ab_09%

Mark S. Price • December 18, 2012 9:29 PM

Dear Mr. Schneier:

My Suicide Bomb Deterrent and I were the subjects of one of your security blogs. Please see http://www.schneier.com/blog/archives/2010/07/pork-filled_cou.html. Although I believe that everyone is entitled to voice their opinion, whether privately, publicly, or both (including the voice of silence), it is a factoid of the blogosphere that, comparatively stated, some public opinions are shouted louder, echo for longer periods of time, and travel further distances to be heard by an exponentially greater number of persons.

You did not contact me or otherwise solicit information directly from me prior to your above referenced blog, nor did you offer me the courtesy of any notice or an invitation to join the discussion - or, as to the latter, should I say any notice or an invitation to enjoin a defense-shy-and-ill-informed- prosecution of myself and my device as "a joke," "a dolt," "simply bonkers," and "a bit of stupidity."

If you're still reading this, I submit a comment in reply to a specific observation which you made in the subject blog, a separate comment addressing my supposed religious ignorance as alleged by several misapprehending commentators, a question to you, and a closing comment, as follows:

Comment One. My "partial patent application," as you referred to such application in your blog, made available by me through download, free of charge to visitors at http://www.plan-a.us, was intentionally redacted by me prior to public display on the advice of patent counsel. Only the claims were removed, and for only one reason. The reason: In order to minimize the possibility of creating a vulnerability which could negatively affect the position of my Patent Application through nefarious outside exploitation resulting in inappropriate usurpation of my patent claims prior to the award of an actual Patent, i.e., a person copying my claims and submitting their own Patent Application including a false assertion that their claims predate my claims. It’s not who files the claims first, but rather who can prove they had documented the claims first.

Comment Two. I have suffered many things. Religious ignorance is not one of those things. Over a period of many months, I had read two independent and highly respected English translations of The Holy Koran (also Qur'an), from right cover to left cover, on six separate occasions prior to submitting my Patent Application. During those readings, I comparatively verified the complete and truthful accuracy of each and every quotation of verse taken from either the Koran, translated from Arabic into English by George Sale in 1734 A.D., or The Qur'an, translated by Mahomedali Habib and originally published by Habib Esmail Benevolent Trust of Karachi, Pakistan, and thereafter set forth by me as the exemplars at pages 16-19 of my Patent Application. If there is religious ignorance to be had, it is not mine.

Question. Is my Suicide Bomb Deterrent, with its methodologies for saving lives through integral incorporation of the derivative of my device into the raw materials utilized to manufacture buildings, commuter aircraft, and rail/subway trains, see Patent Pending, pages 23-31 thereof, http://www.google.com/patents/US20120145583, so repugnant to human dignity and religious respect that the - otherwise avoidably deterred - continued death of innocent people at the detonations of suicide bombers is less repugnant?

Comment Three: Patent or no Patent, in the midst of blindly casted stones bearing the labels "a joke," "a dolt," "simply bonkers," and "a bit of stupidity," I can, with sincere humility, a clear conscience, and a great sense of personal satisfaction, say “I tried to save lives,” and that’s good enough for me.

Sincerely,

Paradise Lost Antiterrorism Network of America

Mark S. Price, President

EMPS: I had originally intended for my email address to cryptically suggest death. That intention has been lost on those persons who have come to the erroneous conclusions that I am Fat and that my name is Albert.

Clive Robinson • December 19, 2012 1:54 AM

@ Mark S. Price,

Why have you posted here nearly two and a half years after the original post? Especially when you have made comment on the original post page back in Feb 2011?

With regards your "Fat" and "Albert" complaint, nobody on the original post called you either fat or Albert. Further the usual shortening of Albert is 'Bert', it is Alphonse that gets shortened to 'Al' with perhaps the most famous name being that of Alphonse Gabriel Capone, a Chicago prohibition Gangster also known in the press as "Scarface". It was Al Capone's taste in suits that has given rise to the idea of costume for films where a certain short portly actor who played an apparently psychotic gangster made such costume a classic for fancy dress parties. Some costumers refer to such costumes as "Fat Als" and in some places "Fat Al" has become an insult for someone who pretends they are a "Gangster". If you care to check back on the original post page you will find that people brought up either part or all of your email address, and simply commented it was a joke. You admit in your posting on that page that Fat-Al was an attempt at word play for "fatal", and some consider word play or punning as a form of humor. However you appear to have missed the more obvious point that "it's a Joke" in modern usage amongst adults is rarely used to indicate something is humorous, more that it is something that is faux or pretentious in a clumsy way and most definitely unprofessional. The fact that neither the person name or server/domain name of your email address appeared connected to you or your organisational name is normally considered at best to be an amateurish attempt at setting up an Internet business presence.

Thus you should be aware that people will view you as you portray yourself and that when you say,

Although I believe that everyone is entitled to voice their opinion, whether privately, publicly, or both (including the voice of silence), it is a factoid of the blogosphere that comparatively stated, some public opinions are shouted louder, echo for longer periods of time, and travel further distances to be heard by an exponentially greater number of persons

What people were doing way way back then was what you claim they are "entitled" to do voicing their opinion of what you were claiming (it's known as fair comment).

The simple fact is it was forgotten long long ago and the commenters have moved on to other more interesting and consequential things.

Which brings us around to the fact, that you are the only person who keeps bringing it up on this blog long after people have forgotten about it. Thus it begs questions about you and your motivations...

That is do you have some desire to keep re-humiliating yourself in what is in effect a publicly visible place?

Or some strange desire to self-justicate at all costs?

Or is there some other more fiscally minded reason?

It has been said "For a brand to exist, people must not just know the brand, they must communicate about the brand, therefor getting your brand known is all about publicity, not good publicity, not bad publicity, only effective publicity".

At the end of the day your arguments about researching into religion are an irrelevance. As was pointed out at the time of the original blog post there was much "prior art" on this form of deterrent and in modern times much more meaningful threats of contamination by pig flesh had not had any noticeable effect on acts of violence carried out.

Why do I say more meaningful, well it's based on the laws of physics and what happens in a blast from a body worn explosive device. When the bomb explodes the body of the wearer receives a compressive blast that cuts them up much like a shaped charge, the rest of the environment on the other side of the explosive gets an outwards radiating blast. Thus your tub of porcine protiens assuming they survived as anything testable as porcine would be blasted away from the bombers body due to the blast wave, and little if any of it would be expected to contaminate the bombers body.

Thus when you consider this minimal risk of contamination by your device to the much more significant, direct and certainty of having your body parts picked over by unclean women and then being sewn into the hide of a pig. And the certainty of this still does not deter bombers but actually may have encouraged them what deterrent does your minimal risk device actually offer?

Mark S. Price • December 19, 2012 9:47 AM

@ Clive Robinson

I thank you for the stones. I collect them, and yours are so personal, with plenty of dirt obscuring the substance.

As this blog you apparently spool upon is not the only thread in cybertown, it may be a few years before I get back with you again. So I ask now: Assume that the physical structure of the buildings and all of the vehicles in the immediate area of detonation of a suicide bomb are permeated with porcine derivative, as thoroughly explained for easy reader comprehension within my Patent Application, how could what you have to say be justified by resort to credible reality and not fuzzy physics? That is, how do your laws of physics conclude that, as you espouse, “porcine protiens assuming they survived as anything testable as porcine would be blasted away from the bombers body due to the blast wave, and little if any of it would be expected to contaminate the bombers body?” By the way, protein is spelled like I just spelled it, not as you have spelled it.

I’ll remember your advice that one should forget personal offenses had in public, just because, and when, the offender has.

Mark S. Price • December 19, 2012 10:04 AM

@ Clive Robinson

I thank you for the stones. I collect them, and yours are so personal, with plenty of dirt obscuring the substance.

As this blog you apparently spool upon is not the only thread in cybertown, it may be a few years before I get back with you again. My only excuse for tardiness to your schedule is that this blog responds that my attempts to post comments have “failed” because, according to the blog’s gatekeeper, my previously posted comment disenfranchised my subsequent attempts at comment as “too many” in a short period of time. I guess free speech, like so many vacuous comments here, is an empty idea, not an ideal.

So I ask now: Assume that the physical structure of the buildings and all of the vehicles in the immediate area of detonation of a suicide bomb are permeated with porcine derivative, as thoroughly explained for easy comprehension within my Patent Application, how could what you have to say be justified by resort to credible reality, and not fuzzy physics? That is, how do your laws of physics conclude that, as you espouse, “porcine protiens assuming they survived as anything testable as porcine would be blasted away from the bombers body due to the blast wave, and little if any of it would be expected to contaminate the bombers body?” By the way, protein is spelled like I just spelled it, not as you have spelled it.

I’ll remember your advice that one should forget personal offenses had in public, just because, and when, the offender has.

999999999December 19, 2012 12:23 PM

@ Mark S. Price

I like your product. I agree completely that potential evil-doers will turn away at the thought of being sprayed by pork products.

They also don't drink alcohol, shave their beards and wear western decadent infidel blue jeans, except the ones who do. Also, no attacks have happened since governments have buried them in pork, except the ones that did. And let's not forget that they have never joined forces with other evil-doers who do not share their dietary restrictions, except when they did.

Yup, I agree with you completely. As long as you don't think about it, it makes sense. Let's recap: you invented a single use product that does not fulfill its use.
I love it.

FigureitoutDecember 19, 2012 2:16 PM

@Mark S. Price
--First off it is unwise to flame a CompSec blog. None of your links worked for me, and I had to go to the archives separately to see your patent. Regarding why it took you so long to respond (now is a very random time to bring up your beef), your comments are nearly identical; so if you're writing nearly the same thing again in 2 separate posts, it's reasonable to delete one. Notice how Bruce or the Moderator haven't deleted either yet; and they generally let most anything fly that relates to security. Ultimately it's Bruce's site, so if he wants to cut off your speech, he's free to do that IMO. I personally encourage everyone to speak freely, so don't include me in your statement about "vacuous comments".

I read most of your patent, it kept repeating itself and used far more words than I thought necessary. It mentioned Figures, but I didn't see any. Are you serious in that you want to label taxis, buildings, etc. w/ a warning: *Contains Porcine Derivative*? Do you think when someone is about to blow themselves up and get tunnel vision, they will see that? What about remote detonation, avoiding any splatter? What about chem./bio. attacks? What about bullets, getting only molecules of backsplatter? Recall the Mumbai attacks? Your chemical invention won't offer much protection in those instances.

Anyway, you just noted a spelling error of Clive's and didn't address the content of his questions; so don't expect to hear from him again. I'm not going to touch the religious debate. If you want more people to look at your patent, you could've linked the url in your name; and make relevant comments to whatever's being discussed.

Liberty BelleDecember 19, 2012 2:49 PM

I was recommended to this site by a well-meaning friend. I have read the comments. I went to the suggested website and was completely capable of quickly downloading the Patent Application of Mark S. Price.

I am appalled, evidently a great deal more than any guilty party is ashamed, at the high percentage of gratuitously condescending degradation directed at the person of Mr. Price. So much so that Mr. Bruce Schneier can have his site, which I will never enter again.

Nick PDecember 19, 2012 8:18 PM

@ Liberty Belle

On this blog, we usually discuss things with depth. People proposing products or security strategies offer evidence that they might work, then many blogs and commenters put them under plenty of scrutiny. What doesn't give you credibility is a first-time comment that adds nothing to the discussion but blind support of your friend, Price. You could be Price for all we know. That kind of thing happened many times before. (Demiurge comes to mind.)

@ figureitout

Good summary of issues with Price's comments. I like how you've pointed out that there's so many ways around it that it should have little to no impact. Plus, under rules like taqiyyah and kitman, Muslim warriors are often allowed to bend their rules to further the spread of their faith. They'll weigh getting a bit unclean against the success of their mission and promises made to them. They'll probably choose serving their God over fearing pork weaponry. (And this assumes they won't think it's a bluff.)

To be clear, though, I don't criticize the idea of religious deterrents: it has some history and the people who came up with it were clever. I'm criticizing this use of it for stopping suicide bombers. Random fact: During the US hostage crisis in Iran, one Delta Force attack plan called for parachuting pigs onto the property before their assault. It was a clever idea. However, it imposed plenty of risk and logistics issues. It was abandoned. This didn't hurt anything because the operation totally flopped anyway after months of expensive planning. (rolls eyes)

MapesDecember 19, 2012 8:31 PM

Hmm yeah that last post is legit. Look out Bruce you won't be able to sell your products on this site anymore once liberty bell gets the word out. Oh yeah you don't sell anything here....

Joe LoughryDecember 20, 2012 12:41 AM

@Nick P.:

Sorry for the delay in responding; I'm writing up my thesis for the end of the year and my supervisors would really rather I should be working on that now.

Reducing cost of C&A is the key to everything. That's what my thesis is about.... But the directions we can go to accomplish that are several, and not all of them compatible with the same project. So the thing to do is take Gen. Groves' approach: do them all, in parallel. You might even end up with more than one working solution. You're likely to get at least one.

First, immediately lower the cost of cross domain solutions from an acquisitions perspective. A hundred thousand dollars for a device that it's difficult to explain how it differs all that much from a Cisco router is no longer justifiable now twenty years after automated guards were first a novel and dangerous idea. Reduce the cost firstly by eliminating complexity. Graphical user interfaces, rule development and testing GUIs, and video screens and keyboards do not belong on a guard. Abstract away all the rule development, testing and monitoring functions and get them away from the TCB. Quit rolling your own flow control. Get the core data flow switching and decision logic down to a minimised chunk of reliable code in the language of your choice and make it run fast (but without side channels!) on hardware designed to run completely hands-off.

I am of two minds when it comes to choosing hardware. Some companies, like LineRate Systems, are doing the right thing: fast, inexpensive, and scalable with agility on commodity white box hardware. That'll do for your average PL-2 and PL-3 systems. To get a cross domain solution certified at what we used to call PL-4 or PL-5, I would really rather see it on trustworthy hardware. I don't mean VME cards; that's for reliability, not trustworthiness. I mean simple, fast, hard-coded processors developed with formal methods and fabbed on a line we control. Getting from there to a certification that data owners will trust at a price they can afford is the part that's going to take some large capital investment and three to five years. But if the result is LEGO-like cross domain systems that cost $4000 instead of $200,000 each, would it not be worth it?

That's where I want to go.

Clive RobinsonDecember 20, 2012 3:33 AM

@ Mark S. Price,

Hmm as Figureitout notes you did not answer any of the questions. However what you did say is even more revealing about your mentality,

So I ask now: Assume that the physical structure of the buildings and all of the vehicles in the immediate area of detonation of a suicide bomb are permeated with porcine derivative,

So you want every building and every vehicle in existence in the US now and in the future to contain sufficient "porcine derivative" to be sufficiently "permeated" that the result of the "detonation of a suicide bomb" would be the terrorist became sufficiently contaminated to not risk detonating the bomb...

First question "is there really that much naturally made pork protein available?"

The second but perhaps more important question is "how do you expect the US's considerable population of people that regard pork as unclean to go about their quite lawful occasions everyday?"

Anyway the USPO and attorney etc have taken your money so I guess you might think your idea now has value. I guess an open and honest market would give you a real idea of its value but that would involve you sinking more money into the idea before you found out the real meaning of "sunk costs" on your or others pockets.

Clive RobinsonDecember 20, 2012 7:45 AM

OFF Topic:

Regular readers will know that some years ago I worked out built and tested a way for Botnets to communicate to the command and control system in a detached way that would be difficult or impossible to block.

The idea was in three parts only two of which I described,

Firstly, I assumed Google Searches would not be cut off and thus Google could be used as a proxy via its search and cache services which could be used by a zombie to get instructions from another server.

Secondly I assumed that the command and control channel could be fully decoupled and not require a server that could be blocked or cut off from the Internet by using random servers that host blogs and other open Internet resources that allowed insufficiently verified posting of messages etc.

Well it looks like somebody has finally got around to writing a bit of malware that uses a part of the idea.

Symantec have analysed a relatively new piece of malware that uses the first step of the idea, in that it uses a Google Docs service to act as a proxy to the real command and control server.

http://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs

Obviously without the use of special techniques nearly all HTTPS coms to Google Docs are going to look the same. And without a reliable distinguisher any site that might get such a malware infection has three choices currently,

1, Block all Google Docs traffic.
2, Implement special techniques to check HTTPS.
3, Cross their fingers and hope.

What made me smile was Google's response that such usage of Google Docs was against its allowable use criteria... As if that would stop anybody.

The current solution available to Google is in effect to identify the real malware command and control server and block it. At which point I fully expect malware writers to move to stage two of my original idea.

There is a solution to stage two for Google but there is a way around that as well which is why I did not talk about stage three...
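When the HTTPS payload cannot be inspected, connection metadata is what a defender has left. The following is an added example, not part of the comment above or of the Symantec write-up: it flags clients whose requests to one hosted-document domain are spaced at near-constant intervals. The log layout, sample records and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not real traffic): time, client, TLS SNI, bytes sent.
SAMPLE_LOG = """\
2012-12-20T09:00:02 10.0.0.21 docs.google.com 412
2012-12-20T09:01:10 10.0.0.37 docs.google.com 5120
2012-12-20T09:01:45 10.0.0.37 docs.google.com 880
2012-12-20T09:02:05 10.0.0.37 docs.google.com 14332
2012-12-20T09:03:30 10.0.0.21 www.example.org 700
2012-12-20T09:05:01 10.0.0.21 docs.google.com 409
2012-12-20T09:10:03 10.0.0.21 docs.google.com 415
2012-12-20T09:12:00 10.0.0.50 docs.google.com 2200
2012-12-20T09:15:02 10.0.0.21 docs.google.com 411
2012-12-20T09:20:01 10.0.0.21 docs.google.com 410
2012-12-20T09:25:02 10.0.0.21 docs.google.com 413
2012-12-20T09:31:40 10.0.0.37 docs.google.com 960
2012-12-20T09:40:00 10.0.0.50 docs.google.com 1800
2012-12-20T09:58:12 10.0.0.37 docs.google.com 7421
2012-12-20T10:40:00 10.0.0.37 docs.google.com 300
"""


def parse(log_text):
    """Yield (timestamp, client, sni) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[1], parts[2].lower()


def find_beacons(log_text, domain="docs.google.com", min_events=5, max_cv=0.1):
    """Return clients whose requests to `domain` are evenly spaced in time.

    cv = stdev/mean of the gaps between requests. Interactive use is bursty
    (high cv); a timer-driven client is regular (cv near 0).
    """
    seen = defaultdict(list)
    for ts, client, sni in parse(log_text):
        if sni == domain:
            seen[client].append(ts)
    findings = []
    for client, times in sorted(seen.items()):
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # identical timestamps carry no spacing information
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "events": len(times),
                             "mean_gap_s": round(avg, 1), "cv": round(cv, 4)})
    return findings
```

This is a triage heuristic: a client that randomises its timing will not stand out, and legitimate auto-save or sync traffic can be just as regular, so a hit is a reason to look at the endpoint rather than a verdict.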

WaelDecember 20, 2012 11:41 AM

@ Mark S. Price,

Geeez, pigs keep showing up on security blogs !!!

Question. Is my Suicide Bomb Deterrent, with its methodologies for saving lives through integral incorporation of the derivative of my device into the raw materials utilized to manufacture buildings, commuter aircraft, and rail/subway trains, see Patent Pending, pages 23-31 thereof,

  • Prior art exists -- your patent would not go through. The British did that in India many moons ago by coating bullets with lard for a similar purpose.
  • This will not deter a suicide bomber, and shows your complete lack of understanding of "religions" ;)
  • "I have suffered many things. Religious ignorance is not one of those things"
    Umm, many things + 1 ... definitely

You cannot deter suicide bombers. You can impede them, by putting barriers in their way.

FigureitoutDecember 20, 2012 12:36 PM

@Nick P
--I was thinking the same thing w/ Ms. Liberty Belle (French for beautiful woman). Maybe it's his patent lawyer b/c the language smacks of an ambulance chaser.

Nick PDecember 20, 2012 1:08 PM

@ figureitout

My thoughts exactly. Lawyer.

+1 to Mapes.

GRAPHING CALCULATORS WITH GRAPHICS!?

TI-84 just got a graphical interface, inspiring someone to put this comic on slashdot.

http://xkcd.com/768/

Nick PDecember 20, 2012 1:57 PM

@ Joe Loughry

"Reducing cost of C&A is the key to everything. That's what my thesis is about.... But the directions we can go to accomplish that are several, and not all of them compatible with the same project."

Agreed.

"A hundred thousand dollars for a device that it's difficult to explain how it differs all that much from a Cisco router is no longer justifiable now twenty years after automated guards were first a novel and dangerous idea."

I'd say that's true for a PL2-3 type guard. High assurance technology still takes a ton of money, time and effort to build stuff. The DO-178B stacks, for instance, usually have less than COTS counterparts and cost way more. It's because of the assurance cost. Maybe we need to learn to explain & justify assurance technology as well as we do features, b/c at certain levels you're mainly buying assurance.

"Reduce the cost firstly by eliminating complexity. Graphical user interfaces, rule development and testing GUIs, and video screens and keyboards do not belong on a guard. Abstract away all the rule development, testing and monitoring functions and get them away from the TCB. "

Absolutely! There's almost no reason for it to be in TCB or on guard period. Mature M2M, remote shell and remote scripting technologies should allow for easily splitting the functionality between an Admin and Target machine, with only "simple" on target. I've noticed improvements there in that recent TCX project papers used XML for configuration language, but tools converted it to simpler binary for target. That's a step in the right direction. (Side note: Sun's XDR makes for an excellent platform-neutral M2M language.)

"Quit rolling your own flow control. Get the core data flow switching and decision logic down to a minimised chunk of reliable code in the language of your choice and make it run fast (but without side channels!) on hardware designed to run completely hands-off."

Most of the switching and decision logic developments are redundant. The industry would benefit a bit from a joint, high assurance codebase in that area. Again, DO-178B shows us it can be done in security with how so many companies sprang up offering robust, certifiable versions of many components. I'd say a robust codebase alone would be a great improvement even if it's not hardware-based or timing channel secure. (We have interim countermeasures to use for those issues.)

" Some companies, like LineRate Systems, are doing the right thing: fast, inexpensive, and scalable with agility on commodity white box hardware. That'll do for your average PL-2 and PL-3 systems. "

Yeah, the attack model is casual. For these, COTS plus a little extra assurance is fine. Here's some examples in industry that might inspire better guards. The McAfee Sidewinder firewall used MAC and type enforcement to isolate each security app in it. The GenuGate products put a hardened OpenBSD at their foundation. Several MILS/DO-178B networking stacks allow "partitioned" operation on microkernels on COTS hardware. So, we have plenty that can do better assurance than the guards that just run Linux or something.

" To get a cross domain solution certified at what we used to call PL-4 or PL-5, I would really rather see it on trustworthy hardware. I don't mean VME cards; that's for reliability, not trustworthiness. I mean simple, fast, hard-coded processors developed with formal methods and fabbed on a line we control. Getting from there to a certification that data owners will trust at a price they can afford is the part that's going to take some large capital investment and three to five years."

I've read the DCID. I like how they have separate levels for Confidentiality, Integrity and Availability. Smart move to me. The PL-4 and PL-5 guards' assurance requirements are similar to B3/A1/EAL5-7 requirements. That said, previous experience shows that they can be done with software and certain tradeoffs. I'd consider reusing previously evaluated products in PL-4/5 systems. Aesec (GEMSOS), BAE (XTS-500) and Boeing (SNS) are trying to do that right now in various ways. This is good. Maybe add hardware acceleration for crypto, networking or sharing.

You called for "fast, hard-coded processors developed with formal methods and fabbed on a line we control." I agree that this is one of the easiest things to assure. The original was C.L.I. Inc's verified stack from microcontroller to compiler. Heck, Verisoft even assured a full MIPS-like processor (VAMP), microkernel, and C language platform. The Rockwell-Collins AAMP7G and recent Cassion work show formal methods are stomping hardware assurance problems to this day. The problem is flexibility.

What the processor can be used for and the difficulty of evaluation are often proportional. A key thing that writers like CHACS often mention is the TCB, hardware or software, must provide protection primitives that support many different types of security policies (military, Biba, Clark-Wilson, etc.). So, what primitives or protection mechanisms would you put in your hard-coded processors? Would they just be kernel/user-mode processors like VAMP? An isolation mechanism like AAMP7G? Capability support? If it's robust hardware, what did you have in mind?

(I'm always open to new ideas in that area as you've undoubtedly seen in discussions with RobertT and Clive.)

"But if the result is LEGO-like cross domain systems that cost $4000 instead of $200,000 each, would it not be worth it?"

It would be very much worth it. This brings up another aspect of my previous question. In my designs, I try to find a way to reuse a design element as often as possible to increase payoff post-build or post-C&A. Two good examples from old days are XTS-400 and LOCK project's Type Enforcement tech: they've been reused and expanded on repeatedly over time, increasing ROI. I think Secure64's SourceT OS & resilient networking could do something similar. So, when you design your guard's verified hardware, it might be advantageous to design it to support other problems down the road.

Regardless, I wish your group the best on coming up with solutions and look forward to seeing the results.
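The split discussed in this exchange (rules authored in XML on an admin machine, only a simple binary table and a small decision routine on the guard), as an added example that is not code from either commenter or from the TCX project. The record layout, magic value, level numbers and message types are hypothetical.

```python
import struct
import xml.etree.ElementTree as ET

# Hypothetical formats for illustration; not taken from TCX or any real guard.
HEADER = struct.Struct(">4sH")    # magic, rule count
RULE = struct.Struct(">BBHI")     # src level, dst level, message type, max bytes
MAGIC = b"GRD1"

# Constructed policy as an administrator would write it, off the guard.
POLICY_XML = """
<policy>
  <allow src="1" dst="2" type="16" max_len="512"/>
  <allow src="2" dst="1" type="17" max_len="64"/>
</policy>
"""


def compile_policy(xml_text):
    """Admin-side tool: parse the XML and emit the fixed-width table.

    Out-of-range or missing fields raise here, before anything reaches the guard.
    """
    rules = []
    for el in ET.fromstring(xml_text).findall("allow"):
        rules.append(RULE.pack(int(el.get("src")), int(el.get("dst")),
                               int(el.get("type")), int(el.get("max_len"))))
    return HEADER.pack(MAGIC, len(rules)) + b"".join(rules)


def load_table(blob):
    """Guard-side loader: no XML parser here, only fixed-width records."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    magic, count = HEADER.unpack_from(blob, 0)
    if magic != MAGIC or len(blob) != HEADER.size + count * RULE.size:
        raise ValueError("bad magic or length")  # refuse to start on a bad table
    return [RULE.unpack_from(blob, HEADER.size + i * RULE.size)
            for i in range(count)]


def decide(table, src, dst, msg_type, payload):
    """Default deny. Every rule is visited; there is no early exit on a match."""
    allowed = False
    for r_src, r_dst, r_type, r_max in table:
        hit = ((r_src == src) & (r_dst == dst) & (r_type == msg_type)
               & (len(payload) <= r_max))
        allowed |= hit
    return allowed
```

Visiting every rule only removes the match-position dependence from the loop; it does not make the Python code timing-channel secure.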

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..