hershey January 4, 2013 8:51 PM


Finally, as an avid reader of your Schneier on Security blog, what’s your obsession with squid about?
I did actually get an email from someone telling me I should post more on security and less on squid, as though there was some kind of trade off! What can I say? I just like squid.

Also I believe squid have 10 tentacles and an octopus has 8, so 10 is more secure. Perhaps squid seem more confident and “secure” with themselves and that is a nice quality Bruce respects.

Toothbrush Prompts Shutdown of World’s Busiest Airport

Al Lowenstein January 5, 2013 2:57 PM

This is a new thread.

Defending Embedded Systems with Software
provides a new approach to secure computers. I see lots of flaws and hype (as there would be with anything new and innovative). I am interested finding out what the Schneier Jury thinks and to ferret out and vet any good ideas.

Perhaps, even more important is that Symboites are basically an attack, albeit as described in the paper, a white hat attack. Do we know how to look for, much less detect or protect against, a black hat Symbiote?

Also, if Symbiotes have value, is that value for firmware or for firmware and software?

Nick P January 5, 2013 4:25 PM

McAfee (the man) posted something interesting on his blog.

He claims to have been the spymaster in a massive espionage operation against Belize’s elites. He claims to have employed around 29 spies to use lies, bribery, and sex to get critical information out of phone company and government-connected personnel. And so on.

I wonder how much of this is fiction and how much is fact. With his money, he could afford to do something like this. Of course, his story sounds more glorified and successful than most operations. Example: ” Being “pillow talk” masters, they also knew, and had verified, every secret thing the persons had ever done. Phone Project complete.”

Clive Robinson January 5, 2013 4:36 PM

@ Hershey, ntnt,

What can I say? I just like squid

I’m still not sure what sort of “like” it is that Bruce has for them, they are however very interesting in a whole manner of respects.

Personally, being a practising protovor, I like them nicely cooked with chilli etc. I also find some of the larger ones like the Humboldt (Red Devil) to be distinctly scary, whilst their cousins the octopus and cuttlefish I find both cute and engaging due to their behaviour.

The one thing that can be said for squid is that as man has overfished many fish stocks the squid have moved in to fill the ecological niche, which unfortunately means some fish stocks won’t recover unless we remove the offending squid…

So you could look at eating them as being the ecologically friendly thing to do, now where did I leave my squid recipe book 😛

Bryan January 5, 2013 6:22 PM

@Al L

Interesting ideas in the paper, but I have some doubts about the claims. To start with, Figures 6 & 7 are missing.

The authors elide virtually all discussion of RTOS, esp those w/hard rqmts. It’s hard to see how one can be sure that real time rqmts in an arbitrary RTOS can be met.

Also, as said in the paper, vendors have little [read NO] incentive to add this to end-of-life products. Esp for hard RTOS apps or apps for a regulated industry (air travel, medical, etc).

For such apps, this robustness technique would be a fundamental rqmt that cannot be convincingly added after the fact without a full product test cycle.

Tundra Wookie January 5, 2013 6:34 PM

Here’s a tidbit on counterfeit merchandise being seized by law enforcement:

Some interesting points on the initial detection of counterfeit goods by sub-standard packaging, the danger of such goods as a hazard to life and property and of course forgery of both the manufacturer’s trademark and a certifying laboratory. Another point is the agent’s statement implied that Apple accessories are made “here.”

kashmarek January 5, 2013 7:27 PM

@Tundra Wookie:

I once ordered an item through an online system, and after ordering, received conflicting information about the delivery, and determined that the item was coming from China (so all bets were off about delivery times). Yet, the vendor actually delivered in much better time than the online system declared.

Upon arrival, the exterior of the package had a declaration label that the contents were something completely different. When I asked the supplier about the incorrect specification for the contents, I was told that was done to get the package through customs. WHAT??? While this was not substandard packaging, it was illegal labeling, and for what purpose? Perhaps the item I ordered is illegal in this country, toxic, or simply substandard (maybe even stolen) goods.

We let all manner of trash come in without bothering to check the goods.

Clive Robinson January 5, 2013 11:54 PM

@ Nick P,

Of course, his story sounds more glorified and successful than most operations. Example: ” Being “pillow talk” masters they also knew, and had verified, every secret thing the persons had ever done. Phone Project complete.”

Whilst I remain sceptical of what he is up to or why, or if he has actually done the things he’s claimed, some of it rings true.

I’ve had commercial dealings with people from Africa and South America, at many levels, and as you may know London is still the money laundering capital of the world, though no longer the terrorist capital of the world.

During my dealings with the supposed military and regional officers from these countries, whom I had no doubt were taking bribes as they told me about it ad nauseam, as did their supposed friends they introduced me to, it became clear they had a need to “boast” about their exploits etc.

Now I don’t know if they had a major inferiority complex or were just plain daft, but a little alcohol and a relaxed social setting and a little ego stroking produced vast torrents of information about their activities. Even if you discounted most of it as “talking it up”, much of it was sufficiently self-consistent to make it difficult for the person to have fabricated the stories “on the hoof”. And a little checking on some of the more factual details (names, places, dates and activities etc) confirmed they were likely to be at least partially true.

For instance I had been given advice on money laundering and how to get around export controls; I checked this with a couple of friends from my days wearing the green, one of whom now worked in the relevant part of the banking industry, and they confirmed that what I’d been told was quite accurate in detail and quite effective in practice.

So I don’t think you’d need to be very “expert in pillow talk” to get the same information, as the desire of these people to appear influential and well connected and thus impress appeared to be genetically embedded.

And I suspect that they know it’s a major issue which might account for why they wanted to buy electronic security related equipment.

One bit in the story that did amuse was the bit about chromosome rearrangement, such a tactful way to put it. In my past dealings with “Nigerian Generals” I’d noticed that some of the more macho types had shall we say a number of “pretty boys” hanging around. And as has been seen with the fall of various Middle East dictators there is an awful lot of porn that is shall we say not quite the usual X-rated stuff you’d expect bearing in mind the laws and religion of the countries involved.

So even if the story is a fabrication (and I can think of a number of reasons why it might be), many of the details do ring true, so he is well versed in the goings on socially and morally in that part of the world (but then many Ex-Pats are as it’s essential to doing business in such places).

Figureitout January 6, 2013 9:42 AM

Finally, some video; even in the dark depths of the ocean, squid can’t escape surveillance. 🙂

@Nick P re: McAfee
–There’s so much to say and wonder about this guy and his latest shenanigans. I’ve heard some possible environmental reasons, and the anger w/ being stolen from I can attest to, but the first would be, why would you do this to yourself instead of sipping pina coladas and fine dining. I believe he stated himself that his start into business was “social engineering” or convincing someone to pay shipping for a “free” newspaper, going door-to-door selling. You can see that to this day with McAfee anti-virus being optional and “free” in some big software downloads. It’d be nice to see his skill in person, but having admitted to all this (and admitting to installing key loggers while making your reputation as an anti-virus/spy/malware fighter); you just don’t know if this guy is telling the truth or is just a fantastic and dangerous liar.

Clive Robinson January 6, 2013 1:31 PM

@ Nick P,

Another thought on Mr McAfee’s posting you link to 😉

Did you notice that the tools he used were fairly ordinary commercial voice recorders and software tools that had probably crossed the inbound check desk at his company?

That is he’s staying within his comfort zone and expertise for his posting content.

But mad as it might sound he might be telling the truth from his point of view. The reason I say this is some things happening are even more unbelievable than his story. Try this current one on your incredulity filters,

I suspect when Bruce reads it it’ll give him pause for thought as well…

Any way I’ve included a few other links you and others might like,

First off SANS has worked out what to do with that model railway you got given for Xmas 😉

And I guess it’s fully tax deductible 🙂

Sadly the US Politico’s are still polishing their jackboots,

And Tom Engelhardt has an interesting view on why this is happening, it’s because the Intel and Politico communities are “future scared”. They are so frightened of the unpredictability of the future and the changes that have happened since the fall of the Iron Curtain that they have adopted the “head down” position so hard they buried their collective heads not in sand but way down in shale rock and become addicted to it and saying probably to the improbable rather than maybe to quite likely events such as global drought, and the attendant resource wars,

Oh and as it’s New Year there has to be a predictions list or a hundred 😉

Am I the only one to notice that many more people are using the full four digit year rather than the more normal usage two digit. I wonder if they are superstitious or think their readers are and thus avoid “Unlucky 13”.

Any way of the predictions lists I’ve read this one looks the least tedious whilst actually being probably close to the mark,

(I’ll also admit I like the graphic of the burglar sneaking through the computer screen, I’d actually put that one on a nice black T-Shirt and wear it 😉

Nick P January 6, 2013 2:33 PM

@ Al Lowenstein

Thanks for sharing the paper. I have enough time to give it a quick review. Let’s see which pieces we like and don’t.

Symbiote claims four security properties:

  1. Full visibility into code/execution state w/ passive and active monitoring. Most solid proposals aim for this. This is good.
  2. Runs side by side with program on that program’s host computer. Implementation is said to allow software on host to help monitor and react to malice, while said software is also protected from modification. (Here be dragons.)
  3. Can be injected into arbitrary executables on arbitrary hardware w/out source. (More practical.)
  4. Stealthy and low-overhead. (Icing on cake.)

This is relevant to Al’s “attack” analogy:

“Lastly, the techniques used by Symbiotes, such as function interception, randomized payload injection, have been undoubtedly used by malware authors in the past. Indeed, a Symbiote-like rootkit [?] has recently been disclosed for Cisco IOS. The Symbiote structure incorporates such traditionally ”offensive” techniques for defensive purposes in order to hide and harden itself against attacks which aim to disrupt the Symbiote.”

Immediate answer: the product certainly uses tactics similar to malware, but what defines malware is its goal and how it performs it without the user’s authorization or knowledge. Sneaky software doing sneaky things without the user’s permission. In contrast, Symbiotes, whether known to the user or not, are an improvement that the users wouldn’t mind having.

Their assumptions:

  1. Remote attackers trying to compromise or crash host with 0-day exploits. (Fair. My designs mostly focus on that.)
  2. They assume attacker has access to unmodified firmware image. (I like that one.)
  3. They ignore any configuration changes or replacement of firmware images because they say conventional methods work. (Fair. Can always improve in other areas later.)
  4. Their current capability only affects attacks on static (unchanging) code.


“However, the SEM approach can also be used to detect exploitation in dynamic areas of the target embedded device like the stack and heap. Symbiote control-flow interception methods and payloads which defend against return-to-libc, return oriented and heap related attacks are currently under research.”

Isn’t smashing the stack the first thing hackers try? Return-to-libc and ROP are also popular now where vulnerabilities can be found. I’ve heard that, unlike our [more] hardened desktops, the embedded systems this product aims to protect have plenty of basic security issues. So, that puts an X on the whole thing. It’s a technology to protect legacy systems from remote attacks that [currently] can’t stop the main remote attacks in use. That’s a bit like a car whose seatbelts only protect the middle and rear-right passenger seats.

I’ll continue to read this and note good points as I go. The technology can be worthwhile if it offers benefits currently unavailable. Moving on.

  1. The injection techniques that use randomness, focus on most used parts of code, and happen with automatic binary analysis are pretty cool. The randomness is part of software diversity concept. If done right, it can force malware authors to customize their attack for each target.
  2. One of their main protection strategies is whitelisting and code-integrity verification that they claim uses only 336 bytes for detection payload. If it’s effective, it’s very efficient.
  3. They provide evidence that it will be hard for the attacker to remove their intercept points or disable the symbiotes.

However, the main attack vector would be dynamic attacks it doesn’t cover, so this inspires little confidence. The main subversion attack I see on current version is two-pronged: an initial dynamic attack(s) to gather info on symbiote instance, then another to inject symbiote subverting code. This is already much harder than attacking embedded systems in general. Also, crashing it may require just one dynamic attack, so DOS with 0-day still seems possible.

  1. “If the attacker attempts to perform a linear comparison, at least portions of the unmodified host program will have to be transferred over the network during the online attack. The attacker can also attempt to dynamically disassemble the 10 MB of live code. Both attack strategies require a very large amount of network I/O or CPU which raises the bar quite high for the attacker to overcome without being noticed.”

(So maybe they get noticed in the process. However, remember Dick Marcinko’s classic way to deal with alarms: set them off repeatedly with no malicious indicators and people just eventually start ignoring the alarms. Then, the real attack comes.)

  1. Bryan already mentioned real-time issues. This seems safe for “soft” and “non” real-time systems in that they have mechanisms to control the exact CPU cost of their program. That their symbiote can constantly suspend in mid-execution is nice. I might have overlooked it, but I didn’t see caching in analysis. Programs jumping around in random spots might throw off “precise” timings. Worth looking into.

5-1. I have another objection. As Clive often noted, many of these legacy embedded systems are designed to cost as little as possible. There’s plenty of 8-bit, 16-bit and low end 32-bit stuff out there with barely any CPU or memory to spare. Additionally, many of these critical and control type apps are developed to a hard real time profile with stringent timing requirements and analysis of their software. It might be tricky or impossible to symbiote them without requiring full re-analyses. Picking Cisco IOS and Linux kernel isn’t really representative of the full system functionality you see in most embedded systems. I’d rather see experiments on control systems and the like running hard RTOS’s.

So, overall, it’s a nice piece of work. Its main issue is that many of the legacy systems might be too constrained to use it and it doesn’t have provable protection against the most common attacks. That said, it already provides some benefits in combination with other technologies for protection of legacy software. I hope they continue their research to further develop the technology.
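To make the "whitelisting and code-integrity verification over static code" idea in the review above concrete, here is an added example (mine, not the Symbiote authors' code, and not claiming to reproduce their 336-byte payload): a monitor that takes baseline digests of a known-good code image, then verifies one randomly ordered chunk per call so that per-step CPU cost is bounded and the next chunk to be checked is unpredictable. The firmware image, chunk size and `patch_byte` helper are constructed for the demonstration; note that, exactly as the review says, anything outside the static region (stack, heap) is invisible to it.

```python
import hashlib
import random
from typing import List, Optional

# Constructed stand-in for a firmware image: a static code region that must
# never change at run time. Data regions (stack, heap) are deliberately outside
# the monitor's view, mirroring the "static code only" scope discussed above.
CODE_REGION = bytes(range(256)) * 16   # 4096 bytes, i.e. 16 chunks of 256


class StaticCodeMonitor:
    """Whitelist-style integrity checker over randomly ordered code chunks.

    step() verifies exactly one chunk per call, so the CPU cost of each
    invocation is small and predictable; the shuffled check order means an
    attacker cannot know which chunk will be verified next, so every chunk
    must stay intact at all times to avoid detection.
    """

    def __init__(self, image: bytes, chunk_size: int = 256,
                 seed: Optional[int] = None) -> None:
        self.chunk_size = chunk_size
        self.n_chunks = len(image) // chunk_size
        # Baseline digests of the known-good image: this is the whitelist.
        self.baseline = [self._digest(image, i) for i in range(self.n_chunks)]
        self.order = list(range(self.n_chunks))
        random.Random(seed).shuffle(self.order)   # seed given only for reproducibility
        self.cursor = 0

    def _digest(self, image: bytes, idx: int) -> bytes:
        start = idx * self.chunk_size
        return hashlib.sha256(image[start:start + self.chunk_size]).digest()

    def step(self, image: bytes) -> Optional[int]:
        """Verify the next chunk in the shuffled order; return its index if modified."""
        idx = self.order[self.cursor]
        self.cursor = (self.cursor + 1) % self.n_chunks
        return idx if self._digest(image, idx) != self.baseline[idx] else None

    def full_scan(self, image: bytes) -> List[int]:
        """Verify every chunk at once (the expensive path, kept for illustration)."""
        return [i for i in range(self.n_chunks)
                if self._digest(image, i) != self.baseline[i]]


def patch_byte(image: bytes, offset: int, mask: int) -> bytes:
    """Constructed tampering: flip the masked bits of one byte of the image."""
    buf = bytearray(image)
    buf[offset] ^= mask
    return bytes(buf)


def steps_to_detect(monitor: StaticCodeMonitor, image: bytes) -> int:
    """Number of step() calls until a modified chunk is reported; -1 if a full
    cycle over all chunks finds nothing."""
    for n in range(1, monitor.n_chunks + 1):
        if monitor.step(image) is not None:
            return n
    return -1


if __name__ == "__main__":
    monitor = StaticCodeMonitor(CODE_REGION, seed=1)
    print("clean image, modified chunks:", monitor.full_scan(CODE_REGION))
    tampered = patch_byte(CODE_REGION, 1000, 0x01)     # single-bit patch inside chunk 3
    print("tampered image, modified chunks:", monitor.full_scan(tampered))
    print("detected after", steps_to_detect(monitor, tampered), "incremental step(s)")
```

Because the check order is shuffled per instance, the number of incremental steps before the single patched chunk is noticed varies between 1 and the chunk count; an attacker who cannot predict the order cannot time a modification to land between checks.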

Nick P January 6, 2013 5:58 PM

@ Clive Robinson

Re gambling software

Wow. We’re all for software liability to improve security. This is a different kind of liability. I think Bruce should definitely throw his opinion on this. It would be a terrible precedent. Even more, it’s several bad things in one:

  1. Police have evidence a person might be involved in a crime. SWAT’s their house and immediately begins “confess or else!” tactics. Bad trend.
  2. ISP’s, service providers, and manufacturers often have an exemption from liability for how people use their service. They’re expected to do a bit of due diligence and give LEO’s basic cooperation. This case is being handled oppositely.
  3. Procedural issues with how this was carried out violate constitutional rights (maybe or should if not).
  4. LEO’s shouldn’t be able to force a software provider to backdoor arbitrary customers. At the least, it should have court approval per target and I prefer the LEO’s themselves do the work. So much reputation at risk with providers doing it.

So, yes, this is all kinds of bad. What’s worse is this legislation could affect security and privacy consultants/researchers like me. A proof of concept or communication tool used in a crime? One of your (Clive) warnings of possible attack avenues weaponized and you get aiding/abetting? Slippery slope… and US LEO’s bring sleds, rafts and skateboards to those. 😉

Re Mcafee @ figureitout too on this one

Interesting counterpoint to the original stories below. I haven’t seen any big response to his spying claims yet.

So, the guy they suspect him of killing had already upset him. It wasn’t anything murderous at that point. So, McAfee starts walking with armed guards. He’s acting weirder than usual. The alibi he has on the night of the murder comes from women he bought. He’s definitely worth talking to from a police standpoint. (Note: the drug activity happened near him and the murder might be related to that.)

Back to the spying

“Did you notice that the tools he used were fairly ordinary commercial voice recorders and software tools that had probably crossed the inbound check desk at his company?

That is he’s staying within his comfort zone and expertise for his posting content.”

Yes. To his credit, a good bit of it sounds like stuff he could actually do. He’s also eccentric enough to teach people how to do basic spying. His company background helps. He might even have paid people to show him how to do it. That he could find suitable women in Temptation Island is also believable. My feeling is that he’s either made a believable fabrication that turned him from a guy retreating into the lone survivor and action hero. Or that he’s exaggerating a true story.

The one thing that gets me about it is we have no witnesses. I’ve looked into enough covert ops and alternate history to know many schemes do stay quiet for decades and some remain opaque forever. Utter pros did those, though. MOST that are spontaneously done by mentally unstable amateurs have cracks in their secrecy. If they succeed at all. People start getting arrested, writing books, blogging their side of the story, betraying for money/power, etc. There’s a total absence of any such claims so far, esp since the story is new. We’ll have to wait a while to see if anything comes out.

Article below says McAfee has pulled some stunts in the past that inspire doubt in this.

Re more fascism in America, surveillance states and cyberwar stuff

We might as well not even discuss that stuff on this blog anymore. (Unless it’s big events or tech like NSA’s ThinThread.) It’s (sadly) something that keeps spreading. The public only stops a few little Bill of Rights invasions here and there. The propaganda against Americans largely worked. Worse, the elites consistently use the brilliant and highly effective fait accompli strategy to prevent majority of Americans from seeing what they’re actually doing. Either we’ll have a near revolution break out with Americans taking their freedoms back or we’ll have more of the same. I’m betting on the latter.

Re: Truth-out article on future forecasting.

Now THAT was a nice article. I appreciate you posting it. I mostly agree with the author’s conclusions. I’d add that what we see in that is about more than their fear or limited imaginations: it’s also about control. They want control of everything, all the time. They know they’re losing it or never totally had it. I think such parts of the document might also be there to try to assure those at the highest levels who effectively control our “democracy.” Probably includes some of the people who those 13ak3d C1t1gr0up reports were meant for.

(Let’s see how long this lasts: it’s been taken down from many other sites. That’s when you know something might be legit. Used 7337speak for extra protection.)

“Am I the only one to notice that many more people are using the full four digit year rather than the more normal usage two digit. I wonder if they are superstitious or think their readers are and thus avoid “Unlucky 13″.”

Interesting thought. It might be so. I do recall seeing someone at a grocery store freak out because the balance was $6.66. They actually bought an unneeded item to “fix” that. The clerk told me afterward that it happens all the time. It’s a perfect example of superstition because, even under Christian religion, 666 is just another number until it’s used in a very specific context. Yet, they freak out haha.

Re Computerworld Article

“Any way of the predictions lists I’ve read this one looks the least tedious whilst actually being probably close to the mark,”

It seems accurate enough. Most of it says that what’s happening now will continue to happen. Quite creative, yes? 😉 Then we have the dispute between Verizon and the others. Verizon says most of it starts with authentication failures and attacks are low-and-slow. The others propose radical new attacks. I think Verizon is right in that they won’t stop doing what works.

For the rest, I’ve always thought attackers would gradually get into it. They’ll dip their feet into the water. That’s the obscure initial attacks that definitely happen, but get little publicity. Once it gets enough attention, the masses of lower tier cybercrooks start doing it with kits and step-by-step instructions. At this point, vendors start offering protections… or products… 😉 So, I definitely think this extra stuff will happen to some degree, but I think it will be a gradual progression that builds up to something (or not).

“I’ll also admit I like the graphic of the burglar sneaking through the computer screen, I’d actually put that one on a nice black T-Shirt and wear it ;-)”

Yeah, it’s nice. I’ve always liked the OpenBSD fish. I bought a real one from a beach gift shop. I could dress it up or frame it with an OpenBSD caption. Why this one over others? It has a physical security benefit: you can throw it at the attacker’s face. 🙂

T-shirts for the more civil people

Clive Robinson January 7, 2013 6:49 AM

@ gollum,

Have a look here for more info,

It appears that the idea is the work of W J Scheirer and T E Boult. However the company mentioned in your article appears to be a spin up by Prof Boult without Walter Scheirer.

From a brief read of the company blurb it looks like the tokens use some aspect of biometrics to provide semi-unique data that is somehow encoded with other sources of information to produce one-time signatures for transactions and the like.

I’ve not downloaded and read the papers from Walter Scheirer’s site, however I can tell you from past experience (quite a few years ago) one of the problems with using biometrics to derive KeyMat for cryptography activity is reliable/hard entropy.

Biometrics are almost by definition both soft and variable, thus you have to find some way of finding long-term reliable biometrics to provide entropy.

Clive Robinson January 7, 2013 1:07 PM

OFF Topic :

I can not remember who it was the other day asking but I told them to check out the frequency tables of “A Sin To Err” or more correctly “Eat On Irish Lid” (with swap TA and RS).

Well it appears that our use of English has changed somewhat and the frequency tables have changed. So it’s now,


Which is nowhere near as easy to remember. There’s also been changes in the N-Gram tables.

Have a look at,
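Since the point above is that letter and N-gram frequency tables depend on the corpus they were counted from, here is an added example (my code, not from any linked source) that counts single-letter and N-gram frequencies over a text, ranks the letters into a frequency-order string of the "ETAOIN..." kind, and reports which letters changed rank between two such orderings. The `SAMPLE` text is constructed and far too short to be a real table; point `frequency_order` at a real corpus file to get one.

```python
import re
import string
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample text (not a real corpus); any plain-text file will do instead.
SAMPLE = (
    "The quick brown fox jumps over the lazy dog while the other hounds rest. "
    "Then the frequency of each letter in English prose is counted and ranked."
)


def letter_frequencies(text: str) -> Dict[str, float]:
    """Relative frequency of each A-Z letter, ignoring case and non-letters."""
    letters = [c for c in text.upper() if c in string.ascii_uppercase]
    counts = Counter(letters)
    total = len(letters)
    return {c: n / total for c, n in counts.items()}


def frequency_order(text: str, top: int = 12) -> str:
    """Letters ranked most to least frequent, e.g. 'ETAOINSHRDLU'; ties broken alphabetically."""
    ranked = sorted(letter_frequencies(text).items(), key=lambda kv: (-kv[1], kv[0]))
    return "".join(c for c, _ in ranked[:top])


def top_ngrams(text: str, n: int = 2, k: int = 10) -> List[Tuple[str, int]]:
    """Most common letter N-grams counted inside words (no cross-word pairs)."""
    counts: Counter = Counter()
    for word in re.findall(r"[A-Za-z]+", text.upper()):
        for i in range(len(word) - n + 1):
            counts[word[i:i + n]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:k]


def order_shift(old: str, new: str) -> Dict[str, Tuple[int, int]]:
    """Letters whose 1-based rank differs between two frequency orderings."""
    old_rank = {c: i + 1 for i, c in enumerate(old)}
    new_rank = {c: i + 1 for i, c in enumerate(new)}
    return {c: (old_rank[c], new_rank[c])
            for c in old_rank if c in new_rank and old_rank[c] != new_rank[c]}


if __name__ == "__main__":
    print("letter order :", frequency_order(SAMPLE))
    print("top bigrams  :", top_ngrams(SAMPLE, 2, 5))
    print("top trigrams :", top_ngrams(SAMPLE, 3, 5))
    # Constructed comparison between two orderings of the first six letters.
    print("rank changes :", order_shift("ETAOIN", "ETOAIN"))
```

For cryptanalysis of a simple substitution the same counters are run over the ciphertext and the two rank orders are lined up; the value of a good table is only as good as how well its corpus matches the plaintext's genre, which is the drift the comment above is describing.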

Green Squirrel January 7, 2013 2:19 PM

Did anyone see this in the news:

The leader of the (more than a little comical) English Defence League has been arrested for flying to the US on a false passport.

He managed to get out of the UK without any rigorous check of his identity and even when his finger prints didn’t match, he was able to leave the airport in the US and spend a night in New York.

To add to the comedy value, he then managed to fly out of the US on a second passport that had never entered into the country.

Figureitout January 7, 2013 2:23 PM

@Clive Robinson
–3/24 of the 20+letter words mentioned ≥100k times each in book corpus were electroencephalographic/graphy/gram. I think this warrants a new “Schneier Fact” and Bruce has some explaining to do. 🙂

Clive Robinson January 7, 2013 4:09 PM

@ Green Squirrel,

Long time no post, I trust you are well.

With regards the “muckup” with the passport, I’m really not surprised.

When the Border Control Agency brought out those self check kiosks some time ago I had my doubts and expressed them on one of the pages here.

I also know from experience that you can travel into the UK on somebody else’s passport; it’s happened to me by accident.

Very quickly, I and several friends had been staying in a hotel abroad that is the sort that keeps your passport so the local police can photocopy them / stop you running away without paying etc.

We checked out in a group and due to the girl behind the desk moving with all the speed of a snail on tranquilisers we were running late so just grabbed our passports as she gave them to us and shoved them in our pockets and hurried off.

It was not until some time after we were back that I realised I had travelled back on one of my friends’ passports and he on mine.

So yes it can be done even unintentionally, and it gave rise to me making some discreet enquiries that led me to find out about ID Shopping. Apparently you can buy stolen passports with IDs of people who look a lot like you, or even have them stolen to order to match you. It also appears that several countries, Israel especially, keep the travel documents of people who emigrate so that the country’s Intell Officers have clean legitimate documents to travel on.

More importantly this shows that the US side checking of finger prints is of little “timely” use as he managed to gain entry to the US and leave again…

It will be interesting to find out exactly what went wrong on the US side. I’m assuming that the person whose passport he borrowed had actually travelled to the US on that passport before and it was checking against the record of those fingerprints that failed. That is it was not his own fingerprints on some kind of watch list that triggered the alarm.

I must admit in the past I had wondered if it would be possible to travel to the US on my friend’s passport and use fake fingerprints, which readers of this blog with long memories will know I’ve been able to make since my childhood with the red wax from Edam cheese and rubber solution glue and a little WD40 as a mould release agent.

Clive Robinson January 7, 2013 6:01 PM

@ Green Squirrel,

Re EDL leader jailed.

As far as I can see from various news reports the reason Stephen Lennon went to the US was he had been invited by somebody called Pam Geller who is associated with an organisation called SION that was holding some rally or conference.

Some commenters on the story believe that Ms Geller is worried about her own freedom as she may well have committed a federal crime in inviting and aiding and abetting Stephen Lennon’s attempt to circumvent US immigration restrictions against him for various crimes he has been found guilty of in the UK.

The story as reported in various places is a bit confusing because on reading it it reads like Stephen Lennon was using a false passport, rather than what he had actually done, which was obtain a legitimate passport that belonged to a person who looked like him.

The circumstances behind Stephen Lennon getting the passport are not clear; his legal representative in court said it had been loaned but did not say why. As Stephen Lennon is according to other commentators apparently also facing three charges of deception over trying to obtain a mortgage he might possibly have obtained the passport for other reasons such as opening a bank account in another name etc.

It appears also that Stephen Lennon may not be his real name. Whilst he is known for using the name “Tommy Robinson” its use is more like that of a “stage name” rather than an attempt to deceive for fraud or other reasons.

This duplicity of names and identifying documents has given rise to several conspiracy theories that he was originally a UK Security Services agent provocateur who has since gone rogue (as some people know the Met Police have suffered one or more of their undercover operatives going rogue in recent times causing the collapse of various court cases).

Whatever the true story is (and we may never know) it is certainly proving entertaining watching him and his organisation the EDL and also various other significantly right of centre supposed UK political parties self destruct.

Clive Robinson January 7, 2013 6:10 PM

@ Figureitout,

I think this warrants a new “Schneier Fact” and Bruce has some explaining to do.

Yes indeed “you have read my mind” 🙂

All jokes aside it is odd, but is it just a statistical anomaly or something else?

I can see an idea for a fairly harmless competition here along the lines of the annual “movie plot” where to enter you pick one of the words on that list and spin up some sort of reason for its prevalence.

Clive Robinson January 7, 2013 7:46 PM

@ Nick P,

With regards the McAfee story, long may it/he run; it’s got the potential to make January (supposedly the most depressing month in the Northern Hemisphere) more enjoyable.

With regards the removal of H3C kit, it’s one of those “damned if you do, damned if you don’t” problems.

A few years ago it made sense for countries not to use product from other countries in sensitive areas (Maggie Thatcher banned elected members of the Government and Civil Service mobile phones from secret and above areas for good reason as we now know). The more globally connected we have become the more of an issue it has become.

Is the harrumphing over Huawei and ZTE justified, or just sabre rattling or protectionism?

Who knows; unfortunately it’s now a case of shutting the stable door so it’s fairly irrelevant. The simple fact is you would be very very hard pushed to find a piece of high tech comms equipment these days that does not contain a SOC or similar that did not come from the Far East.

If you could lift the lid of the chips, what are you going to find? The reality is that the problem is not what you find but how it's used and your ability to recognise if it's a threat or not.

As I’ve pointed out on this blog before, certain circuit configurations are dual use. The one I usually choose to use for explanation is a “whitening circuit”. Many, many moons ago the CCITT were faced with a problem: modems created significant crosstalk due to the nature of their operation. That is, they put a lot of signal energy into quite small bandwidths, which leaked. Ordinary phone conversations, however, used much wider bandwidths and spread much of the energy across this band; the crosstalk from conversations was thus like an echo of noise, while that from the modems was easily and annoyingly audible. However, the data rate of modems was comparatively slow at around 1200 baud with one bit per baud, and to get the data rate up meant using multilevel signaling where you would have four or more bits per baud. But this meant that to get the same distance characteristics the signal level power would have to rise proportionately (actually as the square of the signal amplitude), which would put it outside the acceptable single or multi tone levels.

The solution was actually quite simple: spread the tone energy across the available bandwidth by modulating it with pseudorandom noise, in a very similar way to Direct Sequence Spread Spectrum (DSSS) signaling. For the simple reason that the pseudorandom noise looked indistinguishable from real random or “white noise”, the process was called “whitening”.

Now it just so happens that DSSS was developed for “secure signaling” with a Low Probability of Intercept (LPI) which is another way of saying it was a “covert signaling system”.

Now it turns out that, for many reasons, “whitening” solves a very great many communications engineering issues. One is to help meet EMC emission standards; another is that by applying jitter to data transmission time it can solve the Collision Detect problems of network systems (CDMA).

If you look at a PC we know that it emits “compromising emissions” that correlate with user activities (TEMPEST / EmSec issues). Whilst the use of whitening solves EMC issues by spreading the energy across the available bandwidth as opposed to having high energy “mask breaking” spurs, it does not solve the TEMPEST issues. In fact it makes them considerably worse, because not only does it allow the manufacturer to put out more energy, it also allows an EmSec receiver to correlate with the pseudorandom generator, thus in effect de-spreading the compromising emissions back to “spurs” while also removing interference by spreading it out.

So a circuit designed to improve EMC actually makes TEMPEST worse and makes the effective intercept range many times greater. The question for a person seeing such a circuit is “did the designer use it for EMC as it appears or to improve the covert surveillance range?” The simple answer is “You don’t know”.

Likewise, can that CDMA jitter be used to establish a covert channel? Again the answer is yes. If the jitter is slow enough it will make most intervening “efficient” systems effectively transparent. Students of Matt Blaze proved this beyond doubt with their keyboard logger JitterBugs system ( )

Thus a quite innocent looking circuit in a system, with a good reason to be there, might also actually be a tiny keyhole through which private communications are being leaked deliberately.

There are many such circuits; recognising them is just the first step, and checking for leaking data would, on the face of it, logically be the next step. Only it isn't: the problem is that it could be “switched off” when you do your checks, only to be turned on at some later point in time.

Even if you can check and control the entire design process from day 1 you still cannot be certain something is not leaking information…

There are techniques I’ve outlined before to deal with time based covert channels, the problem is they make systems a lot less efficient in general…
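An added illustration of the whitening and de-spreading mechanism described in the comment above (example code written for this page, not Clive's): a slowly changing data stream is multiplied by a pseudorandom +1/-1 chip sequence, which flattens its spectrum, yet a receiver that holds the same generator correlates the original symbols straight back out, while a receiver with the wrong sequence gets noise. The LFSR polynomial, seed, chip rate and data pattern are all arbitrary choices for the demo.

```python
# Added illustration of the whitening / de-spreading point above (not Clive's code):
# a data stream is multiplied by a pseudorandom +1/-1 chip sequence, which flattens
# its spectrum, yet a receiver holding the same generator correlates the symbols back.
import cmath

def lfsr_chips(n, seed=0b1011001):
    """7-bit Fibonacci LFSR (x^7 + x + 1, period 127) emitted as +1/-1 chips.
    Polynomial and seed are arbitrary choices made for this example."""
    state, chips = seed, []
    for _ in range(n):
        chips.append(1 if state & 1 else -1)
        fb = (state ^ (state >> 1)) & 1          # s[t+7] = s[t] + s[t+1] over GF(2)
        state = (state >> 1) | (fb << 6)
    return chips

def spread(bits, chips_per_bit, pn):
    """Whiten: each data bit becomes chips_per_bit chips of +-1 times the PN chip."""
    out = []
    for i, b in enumerate(bits):
        sym = 1 if b else -1
        out.extend(sym * pn[(i * chips_per_bit + j) % len(pn)] for j in range(chips_per_bit))
    return out

def despread(chips, chips_per_bit, pn):
    """Correlate with the receiver's copy of the PN: each bit window sums to about
    +-chips_per_bit with the right sequence and to noise-like values with a wrong one."""
    bits = []
    for i in range(0, len(chips), chips_per_bit):
        corr = sum(chips[i + j] * pn[(i + j) % len(pn)] for j in range(chips_per_bit))
        bits.append(1 if corr > 0 else 0)
    return bits

def peak_to_mean_psd(x):
    """Largest DFT bin power over the mean bin power (naive O(n^2) DFT, no numpy).
    A high ratio is a 'spur'; a ratio near 1 is a flat, noise-like spectrum."""
    n = len(x)
    power = [abs(sum(x[t] * cmath.exp(-2j * cmath.pi * k * t / n)
                     for t in range(n))) ** 2 for k in range(n)]
    return max(power) / (sum(power) / n)

if __name__ == "__main__":
    bits = [1, 0] * 8                          # constructed: strongly periodic data
    pn = lfsr_chips(127)
    raw = spread(bits, 8, [1] * 127)           # unwhitened: a square wave, one big spur
    white = spread(bits, 8, pn)
    print("spur ratio, raw vs whitened:", round(peak_to_mean_psd(raw), 1),
          round(peak_to_mean_psd(white), 1))
    print("right PN recovers data:", despread(white, 8, pn) == bits)
    print("wrong PN recovers data:", despread(white, 8, lfsr_chips(127, seed=1)) == bits)
```

The spectral check is the EMC view (the spur disappears); the two despread calls are the EmSec view (the data is still entirely there for whoever knows the generator).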

Nick P January 8, 2013 2:20 AM

IN THE DOGHOUSE, Then the Courthouse

Many readers miss Bruce’s In The Doghouse reviews of snake oil crypto vendors, esp. as some of their BS was entertaining to the trained eye. My two favorites for how convincing they were to lay people were PMC Ciphers and Vadium Technologies. PMC Ciphers is still releasing positive press. (sighs) But…

Bruce’s piece on Vadium

Vadium’s AlphaCipher current marketing

The thing about Vadium is that they should have died off pretty quickly but kept in business. Well, I caught a recent newsbite that was all too satisfying.

Vadium voluntarily files bankruptcy…

Thought Doghouse fans might like that one. For me, I say: it’s about damned time.

LinkTheValiant January 8, 2013 8:11 AM

@Nick P

Wow, I remember coming across that one in the archives when I first started reading here. It stood out from most of the other doghouse pieces because of Hammersmith’s “enthusiastic” participation here. Very definitely about time.

LEOs shouldn’t be able to force a software provider to backdoor arbitrary customers. At the least, it should have court approval per target, and I prefer the LEOs themselves do the work. So much reputation at risk with providers doing it.

The thing that stands out to me about this point is that there are no guidelines for how it’s done or what is/can be done. There is no standard procedure. And we all know just how effective ad hoc law enforcement procedures are.

No One January 8, 2013 11:47 AM

@LinkTheValiant, “And we all know just how effective ad hoc law enforcement procedures are.”

They’re extremely effective. Implemented properly they adequately protect people’s perceptions that bad things only happen to bad people and that such tactics would never be used “against me.” This allows the police state with almost unlimited power while still putting up a front of checks and balances. I don’t see why the police would want anything less than such total control.


Figureitout January 8, 2013 11:21 PM

is it just a statistical anomaly or something else?
@Clive Robinson
–A lot of the words seemed to deal with chem/bio (perhaps b/c so many of those words are tongue-fulls), and some with politics (meh, who cares). A German word snuck in; I guess it stands for “research community”, so maybe there’s a lot of medical research taking place in Germany? You should check out your and Bruce’s names; yours of course had a nice spike right on 1980 🙂 and Bruce’s looks like f(x)=2x starting around 1990 when he started to become popular. 🙂
