Schneier on Security

Clive Robinson • January 11, 2013 5:34 PM

@ Petréa Mitchell,

The latest newly theft-prone commodity: Hay!

Yes it's quite a problem in the UK and worse in Europe.

Even with subsidies farming is in the main a very very low profit endevor. Most of the money is made by either middle men or the major comercial enterprises such a supermarket chains etc.

It does not matter what the type of farming is it's getting hit. For instance timber forestry, one person growing trees for comercial foresting for softwood etc discovered that getting close to Christmass as his stock looked sufficiently like christmass trees it was getting stolen. He was interviewd by the BBC for one of it's farming related programs and he showed a clasical turn of mind when he remarked that "it's like Hamlet".

I've seen reports that in some southern european countries where food is now so expensive and unemployment etc high there is serious organised crime involved with livestock being taken at gun point.

Which kind of sounds ridiculous when you read a report released yesterday in the UK from one of the engineering institutions that shows something llik 50% of usable food is wasted in one way or another...

In the UK and some European countries the politicos are trying to convice us that it's a meritocracy with "we are all in it together" style slogans etc. However even a cursory investigation shows that we are being significantly lied to by the politicos and main stream media, on behalf of the plutocracy who actually want the "euro crisis" etc as a way to consolidate their position and further exploit the 95% or above of citizens.

And it is this "legal crime" of the plutocracy, that leads to much of the "illegal crime" we see...

I know that I'm probably going to cause howls of disagreement, but if you think about a resource limited environment (which we now live in) the "American dream" of unlimited riches for individuals cannot happen except by a small handfull of people "criminaly exploiting" everyone else.

Clive Robinson • January 11, 2013 5:50 PM

@ kashmarek,

"Apparently, with every breath, we exhale a plume of identifying chemicals."

Yes it's been known for some time that various medical conditions cause various chemicals to show up in the blood and thus breath and sweat, urine etc.

And as most of us have inbalances in our bodies that are similar or infact mild forms of these medical conditions then yes it's quite conceivable that the levels/combinations might be sufficiently different to be considered sufficient for some forms of identification.

Further our saliva contains DNA, thus I'm assuming that as we exhale we actually eveaporate/aerosol sufficient of it to put "DNA" into the air...

I don't know if you are aware or not but in the old East Germany the security services stole peoples underwear and kept it in sealed jars (just like jam jars) because a persons "scent" could in this way be recorded along with small parts of their DNA.

Infact one good reason for soaking your underware in "biological" washing powder for 24Hrs prior to washing, is that the "biologic" part along with some of the bleaches destroy the residual DNA you leave in your underware including body hair, dead skin cells and other far less pleasant secreations etc...

Clive Robinson • January 11, 2013 6:08 PM

OFF Topic:

Bruce bloged about a cat being used to smuggle prohibited items into a prison the other day. Well it appears a hacker in Japan straped a memory card onto a cat and sent it to the authorities...

http://news.techworld.com/security/3419296/hacker-uses-cat-deliver-virus-clues-japanese-police/

However of much more serious interest to me is an article on concerns with medical records and implants from CSO Online. As some longterm readers know I've been extreamly unhappy with the slipshod ideas of security (or lack thereof) in implantable medical electronics. Well it looks like somebody else agrees, as it gets mentione a couple of times in and amongst the issues to do with health care records.

http://www.csoonline.com/article/725880/ransom-implant-attack-highlight-need-for-healthcare-security

Clive Robinson • January 12, 2013 1:26 AM

@ Bruce Clement,

I'm inclined to believe it has more to do with covering their tracks over their earlier coercion of 4 uninvolved people to confess

Getting confessions out of people tends to be the MO of many police forces, and some (as recently aledged in India) tend to be unfussy about how they go about getting them.

It was once pointed out to me and several others that "the more god fearing a culture the more likely it was that people would be tourtured by the authorities" and as you can imagine a quiet lively philisophical debate followed.

And I admit that on looking into it the more I looked the more examples I found. However It turns out to be not religion being the direct cause, but more the cultural state of mind of the people of a nation where authority is "respected" as it's due rather than judging individuals on a case by case basis.

However that being said both cat stories appear improbable on reading, but then you have to remember "witch craft and familiars" from history and the fact that althought cats have an evil reputation they are very close to human affection. For instance the lady in your life would probably not be upset by being likened to the favourable asspects of a cat but a dog?... We talk about sleek, feline grace and the cutness and playfullnes of kittens etc, but dogs tend to be regarded as brutish in terms of strength ferocity and determination with their only socialy benificial charecteristic being loyalty.

Most of us assume dogs can be trained and cats cannot, but the truth is cats can be actualy easier to train than dogs, you just have to find their favourd reward. I have a friend who gets around in a wheel chair, and they have trained their pet cat to fetch small items that they have dropped and also to respond to simple voice commands such as Up and Down.

For me the most improbable part of both stories is the attacing of stuff to a cat, because cats tend to use their fur as a sense organ rather more than other pets do, it's one of the reasons they like rubbing up against things and being stroked etc.

Clive Robinson • January 13, 2013 4:32 AM

@ Natanael,

And DSA keys factored with head couting, no tools. Schneier Facts got competition

Agh the delightful Nadia Heninger struting her stuff :-)

IIRC She has actually appeared on this blog a couple of timed via papers she has co-written, with the "Mine your P&Q's" from back in the middle of last year and one on "Cold Boot Attacks on Encryption Keys" on DRAM persistence back in 2008.

You can see more of her work at,

http://www.cs.princeton.edu/~nadiah/

Oh and she has a much better Pony Tail than both Bruce and Chuck combined, and as can be seen from the photo she has it in a delightful Skein ;-)

Clive Robinson • January 13, 2013 7:33 PM

@ Dirk Praet, Nick P,

For a discussion of the charges brought against Aaron under the CFAA have a look at,

http://www.litigationandtrial.com/2011/07/articles/series/special-comment/aaron-swartz-computer-fraud-indictment/

Many in the legal fraternaty who have commented are pointing the finger at the Federal prosecutor Ms Carmen Ortiz, and in the odd sort of diplomatic legalize they use casting aspertions on her mental state and fitness for office (though little is said about Stephen Heymann who in effect was the lead prosecutor).

However a number of people are blaiming preasure from various IP Holding interests for the way Aaron was treated and one has noted that the US Secret Service were invited in by the MIT Police, and at that point all proportionality went out the window.

However whatever the actual facts are the Obama Administration is now in it up to their eyeballs and there is obviously the question of fitness for office against those political appointees at the U.S. DoJ responsible for the Justice Department's "Executive Office for United States Attorneys", which oversees and regulates US Attorneys via the "United States Attorneys' Manual".

But from what has been said by other attorneys in Mass Ms Carman Ortiz has "previous" on "striping rights" from those not possessing the political and financial muscle. That is she plays at best lip service to the requirments of proportionality, and activly persues cases against "the little people" whilst ignoring much worse activity by big people for the perposes of grandstanding her career.The fact that she is actually considered to be considerably worse than her predecessor (a republican appointee) in may peoples eyes is a clear indication she should be removed. However she also stands accused of a politicaly motivated witch hunt over appointments in the probation service, which appear to made her a number of enemies politicaly...

Over on Y-Combinator there is a thread about a Whithouse petition to have her sacked, the arguments are a little polarized but on reading it you get the definate feeling that Ms Carmen Ortiz is going to be getting a phone call or two down the chain of command.

But what do people want and what is proportionate... A man is dead accused of Federal crimes that many think a tribunal of justice would throw out and a tribunal of truth would find against, and that legal proffesionals say were not federal crimes but civil offences and should have been dealt with as such.

But the reality is Ms Carmen Ortiz set the dogs on Aaron via Stephen Heymann who has a reputation for getting disproportionate sentences for quite minor crimes. She ensured that Aaron vass both vilified and hounded way beyond any proportionate measure.

Certainly as a minimum untill a full investigation of what went on in her district under her authority gives satisfactory answers, her perceived behaviour is at best questionable boardering on malicious. Which at the very least calls into question Ms Carmen Ortiz's fitness to be one of the selected U.S Attorneys who are invited to participate in the Attorney General's Advisory Committee (AGAC) of United States Attorneys.

Clive Robinson • January 13, 2013 8:35 PM

@ Petréa Mitchell,

With regards the statment from th NYPD spokesman Paul Browne of,

"We silenced British cannon fire in 1776 and we don't want to hear it again in Central Park,"

Opps, it has already happened.

Cannon of this sort are also called guns and as such they are usually heard atleast ten times as far as their effective range. Last year saw the 200th anniversary of the US attacking what we now call Canada that at the time was territory claimed by the British and mainly populated by american civilians.

At the time the English were a little tied up in Europe dealing with a man with pretentions to become the Emperor of Europe. And there were few resources available to defend the territory, which is why it is so surprising that the attacking US troops made so little progress

Well as history tells the european half pint met his Waterloo and the English then had the resources to deal with the US transgretions. The result was the landing of troops in various places along the US eastern seaboard some of which were in DC and in all probability within cannon fire sound range of what is now Central Park. In fact some of these troops marched on Washington and the Whitehouse, where the then US President ran out the back door and across the swaps leaving his wife and servants to face the troops. You can still see the damage the gun fire inflicted on the Whitehouse to this day if you know where to look. Anyway the British had little interest in actually fighting another major conflict so the result was a peace deal where the teritorial boarders were re-established as they had been prior to the US invasion.

However there was one major difference, those American civilians living in the territory that had been attacked (and worse) by the invading US troops and were still alive re-evaluated their position and thus changed their allegiance away from their previous home of America and in effect became the founding fathers of a new nation that became Canada.

Now I don't know if the NYPD spokesman was not paying attention in class, or the school he went to chose not to cover the 1812 war, but all I can say is history is somewhat different to the way he was telling it.

As for muzzle loaded cannon still being loaded, yes it happens and one of the reasons is "spiking the guns". A cannon that can fire a 42pound ball usually weighs in excess of 6000pounds and needs something like thirty horses to move it at just about walking speed. This lack of manoeuvrability ment that unless properly defended by soldiers the gun could easily be taken by a verry small party of attackers coming in on it's flank and over running the position. Now rather than capture the guns for use in the battle the aim was to put them out of use.

The problem with a muzzle loading cannon was how do you fire the charge? This was by a vent that ran down into the end of the bore and was called tthe touch hole.

Now to prevent the cannon being fired the easiest thing to do was seal up the touch hole vent. This was often done with a six inch nail or spike that was driven iremovably into the vent, hence "spiking the gun". Now the question is what do you do with a 6000pound lump of metal that is nolonger of any use as a weapon? Simple you leave it there, which usually ment the cannon was draged after the engagemment to the town square etc to display as a civic trophie.

Now if the gun was spiked after it was loaded but before it was fired you had a problem as you could not easily unload the gun except by firing it.And usually nobody bothered to check as there was nothing they could do about it.

Often as people tend to put rubish down the barrel the barrel would be later blocked with a plug consisti.g of a wooden or metal plug. Thus permanently hiding the fact the cannon has powder and shot inside it...

Clive Robinson • January 14, 2013 6:00 PM

@ AC2, Nick P,

First off criminals are not scared of DNA marking or particularly about leaving their own DNA around. Due to cost DNA testing of a crime scene is still rare, and done mainly for "crimes against the person" or if it's bring political heat from above down on the LEA.

A recent case of such heat is of a well known "singer" trying to prove he was a man by beating up on two girls who did not want to get with him in a petrol station ( http://www.getsurrey.co.uk/news/s/2126868_dappys_dna_found_on_fight_victim_ )

But the norm in South London and North Surrey is a scene of crime officer to dust for prints and make casts of tool marks with dental alginate and record other obvious physical evidence.

Sometimes if a criminal has not left finger prints but has left behind an item of cloathing such as a hat or glove that might be tested for DNA. This is simply because it is a fair assumption that it's the criminals and the test will not require screening of others.

With regards the "sticky bullet" I would hazzard at a guess that the idea came from the Judge Dred movie staring Sly Stalone.

It is actually unlikely to effect the smarter criminal who knows that having your fingerprints on the outside of a gun can be argued out in court. It's having prints and DNA on the inside especially on the unfired round casings or magazine that's fairly difficult to argue away. So your smarter criminal either cleans and loads with gloves on or gets someboody lower down the food chain to do it for them.

As I've noted before smart criminals evolve around static technology leaving those who are either unknowing or stupid to fall afoul of it.

And the reason even stupid criminals get away with crime is that the crimes they commit are to far down the priority list to receive anything other than a cursory investigation.

What has been tested and found to work well in places like Lewisham, Croyden and other high crime areas of South East London is rapid response to crimes in progress. Effectivly catching the criminal at or very close to the crime scene with the goods on them. Even if the criminal dumps the goods and gets away it causes all but the most stupid or sociopathic to think that it was way to close a call to repeate. Whilst it has caused the local crime rate to drop it is not clear if it is actualy a deterant or just causing the criminals to go somewhere else.

@ Petrea Mitchell,

Speaking of crime rates dropping, you've posted a couple of items in the past about the drop defying "conventional wisdom". Well there may be a good reason there appears to be increasingly good statistical evidence that the level of crime is corelated to Tetraethyllead in petrol for cars (TEL). It is known that lead is a significant neurotoxin and arests brain development in the young and many previous studies have shown a correlation with paint and water pipes.

Well the bigest source of non metalic ingestable lead in the environment was the anti knocking / pinking agent TEL. It's been posited that TEL has had significant effecs on brain development in babies and the very young which was why it is now banned for on-road vehicles and other engines used in urban or city environments (and total bans in many countries). It's now suggested that TEL may well have been responsible for the baby boomer crime wave that is now starting to die back.

What has been seen is a drop in crime starts around 23years after the use of TEL has been banned in a given area. The statistical evidence is actually quite compelling for a number of reasons, judge for yourself,

http://www.motherjones.com/environment/2013/01/lead-crime-link-gasoline

However we now need to consider what effect the falling crime rate is going to have on society.

Specificaly in the US and in the UK jails are or are in the process of being privatised in one way or another. And certainly in the UK it's likely to be by the horrendously expensive PFI which is hugely debilitating over thirty or fourty year terms, and it's only advantage is in the very short term for the politicos of being "off-book" spending.

Such longterm private facilities will need to be paid for for very long term periods irrespective of if there are prisoners for them or not. The simple solution for the politico's is to remain tough on crime by making even petty crime carry long term jail sentances and to criminalise activities that were not previously crimes. In the mean time start expecting traffic violations to start carrying considerably more expensive fines and within a few years jail time as well.

This sort of behaviour by governments in the past has been found to be compleatly ineffective because it destroys the ability for people to be anything but societal outcasts and thus have to return to crime just to survive. If we as citizens want criminals to be rehabilitated back into society we need to concentrate not on punishment but rehabilitation by education and opportunity. Some countries in Europe have found that taking the short sentance with good rehab training does indeed cut re-offending rates quite significantly, Further studies in the US from the 1970' and 80's show that spending money on good public education in deprived areas actually reduced longterm cost. That is for every dollar spent on education when children where of primary and junior school age (ie pre teen) showed about a 25 to 1 saving. Further every dollar spent on appropriate secondary and college education increased the tax return something like 70 fold.

However such long term investments don't have any positive political value over the usual political lifetime, and actually show negative political value initialy. However what voters should remember and remind the politicos is "quick fixes" are almost always "bodge jobs" that cost a fortune over time (it's like the old joke about a 50dollar pair of boots lasting a life time whilst a 10dollar pair only lasting the winter and the workman would drink 90dollars of beer over the summer rather than save up 50dollars for decent boots).

The reality is that crime is like a disease, it is better to spend a small amount on the right sort of prevention than it is to spend huge amounts to cure those who suffere the disease.

Clive Robinson • January 15, 2013 12:35 AM

@ Nick P,

The US Gov has been claiming that the DoS attacks on US banks is an Iranian attack.

But as various people have indicated there is no evidence that's been presented to show this is actually the case so there has been a number of people saying it's cyber-saber-rattling by the US or it's a redflag operation etc etc.

So information week asked those who have made investigation to comment and they all pretty much say not only no evidence, but theres actualy not realy any evidence it's state sponsored at all, and atleast on saying it could be done for 1000USD/month or less so could be virtualy anyone with a bit of skill...

http://www.informationweek.com/security/attacks/bank-attacker-iran-ties-questioned-by-se/240146001

So it could conceivably be anyone, and the US Gov blaiming the Iranian State actually makes it counter productive because it makes it in effect a Diplomatic Incident, not a crime that would be investigated in the normal way by LEAs etc.

But what of the claims of "state sponsored", lets look at the historic evidence of such activities,

The US is the only country who has been caught using Cyber weapons against another country and due to various reasons admitted it.

It's been suggested that Russia has used cyber attacks against break away states and those it once occupied, but Russia has denied it's state sponsored.

Likewise China has been accused countless times but again denied it's state sponsored.

South Korea has made many claims that the supposadly economicaly and technicaly backwards North Korea are waging almost continuous cyber-attacks against them.

For all of these claims there is atleast some credible evidence found independently that supports the claims, not so the current US claims against Iran.

But is there any evidence it is actually "state sponsored" well nomore than it could be privatly sponsored.

So for instance you could for arguments sake say it could be Russian Cyber crooks getting smart revenge over the fact that their pharma scam funds are drying up due to the actions of US credit card issuers. The same lack of evidence applies as for the US case for Iran. Likewise you could turn around and then say it's some one with a grudge against the US banks for ruining the western economy, or even trying to manipulate their share price. Again you have the same lack of evidence, but if you think it must be state sponsored, how about it's Chinese rouge agents attempting to destabilize the US banking sector, again the same lack of evidence as for Iran, or you could say... and so on, the list goes on as there is no evidence to show who is actually behind the attacks. Conceivably it's some one who reads this blog, and is sitting there having a good old chuckle over it, that's the great thing about lack of evidence almost anything is equally probable.

Which is all very convenient for the Cyber-War-Hawks who want to come out wild west style with guns ablazing and making noises about going kinetic.

Which brings us around to the old "follow the money" argument, but there's a problem which is "What money?". Which is maybe why some have actually sugested that the people with most to gain from this attack are various people in the US Gov who are on a "fund raiser" to get a bigger slice of the War-On-Terror money.

What worries me is not the fact that such claims may be used as a pretext to a blood and bullets boots on the ground invasion of Iran, but the very old idea of "The boy who cried wolf". If the US Gov keep making claims that they can't or won't substantiate and others cannot find corroborating evidence for, then they US Gov credibility is going to sink even further in the eyes of other Governments and people living in other countries.

Right now you can be sure that some are making jokes comparing the American Eagle with Chicken Little...

Clive Robinson • January 15, 2013 6:21 PM

Compleatly OFF Topic :-)

Bruce,

If this is to be belived,

http://en.m.wikipedia.org/wiki/Bruce_Schneier

Today you have hit the big "Five 0hh", if so may I wish you many happy returns for today, and also say you are now allowed to start think about having a midlife crisis in a few years time ;-)

Having already passed the Big Five Ohh mark, I can assure you it's not as scary as you might have thought yesterday.

All gentle leg pulling aside have an enjoyable day (even if it's not realy your birthday)

Clive Robinson • January 16, 2013 3:31 AM

OFF Topic:

This is tangentaly related to security.

As some of you know I travel through south London as part of my normal daily activities well it's gone rather bad today at a railway station I use to switch onto a bus at is all closed down.

The reason is not the usual terrorist related allerts or somebody being taken ill but because a helicopter has flown into a crane in a part built building in Vauxhall south London just a few hundred yards from the MI building Vauxhall Cross.

According to the reports parts of the wreakage have hit the bus stop area and two cars, so far no reports on casualties etc. You can see pictures of some of the burning wreakage here,

http://www.youtube.com/watch?v=rUVdNbiwu-Q

The Guardian Bruce used to write pieces for is doing live updates,

http://www.guardian.co.uk/uk/2013/jan/16/helicopter-crash-in-vauxhall-live-updates

The BBC has a report here,

http://www.bbc.co.uk/news/uk-england-21040410

Not a good start to the day and a shocking reminder that security is a bit broader in scope than we tend to think here...

Clive Robinson • January 16, 2013 11:50 AM

@ Jacob,

The gental joke about "start thinking about having a midlife crisis ina few years" when you are fifty is I'm wishing you to live atleat twice that long if not longer.

As for the TWIC yes like the UK National ID card you could see that it was an idea that nobody other than a desk jocky bureaucrat and the card suppliers realy wanted. As was noted in one article it had all the hallmarks of a money raising scheme with no other function.

I suspect that what the DOD are not saying is that it's impossible to actually authenticate a user prior to issuing them with a card as the corroborating paperwork is not up to doing the job (true of 99% of currently proposed ID schemes including all passports).

It was a point Steller Rimington (retired head of MI5) made in Nov 05, but the bureaucrats just stuck their fingers in their ears and went "la lal lal la" and in some cases left their gov payed employment to join the supplying companies to discover they had not job when the current political encumbrants pulled the plug on entering office.

Clive Robinson • January 18, 2013 8:52 AM

@ Jacob,

Here is another. Should have a contest on how many ways this one failed....

You beat me to it :-(

I'd seen a link to The Register on two SCADA system fails in US Utilities and the useless ICS-CERT the DHS insists should have primacy... And was following it back to it's Reuters source came here to post it and low and behold...

That said yup it's a sad state of afairs, and happened almost exactly the way I worked out to infect air-gaped voting machines long long befor anyone had heard of Stuxnet. You'ld think nobody read this site ;-)

After all why would they we're terrible here we make predictions on this site that are so good and sufficiently far in advance that ours 'sphericals' are not made of Glass but Diamond :-)

Oh speaking of the DHS (Dept of Hopeless Sexpests) there is a rumour going around that within a year all the "nuddy scanners" are to be removed from airports...

Turns out it's not quite true apparently the TSA is cannceling the contract for the RapeMe scanners

http://rt.com/usa/news/tsa-rapiscan-contract-273/