Schneier on Security

Clive Robinson • February 2, 2013 3:18 AM

@ Mark H, Bobby,

Yes the “Internet of Things” is both vulnerable and fragile.

As bad as it is having your thermostat or printer turned against you, imagine if you will your electicity meter or you pacemaker start working against you…

Clive Robinson • February 2, 2013 5:02 PM

@ Joe Loughry,

“Anyone else notice the comment-spam “marker comments” here are getting more clever?”

Yes they are and no they are not…

You need to keep an eye on the 100 latest comments page, I’ve seen a few corkers on their.

For instance, just the other day there was odd “socketpupet” like behaviour on an old thread, I meentioned it looked odd and the modeerator agreed. What neither of us could work out was why, it was almost like somebody trying to plant some kind of story line it was most odd.

Another one was somebody had accidently copied and pasted not just one comment-pam message but the hundred or so in the wholes file. Interestingly some were very definatly tailored for this site, one of which had Mr Schneier in it… [1]

The sneaky way of doing it is one Ii’ve caught from time to time, where they copy a single parragrph from further up the thread. They’ve done it to both me and Nick P a couple of times.

Mind you there are two basic types hitting this blog at the moment, those doing the traditional product placement for pharmacy products, the other being the self advertising of others trying to get their own blogs visited… I kind of feel soory for them (not 😉

We’ve even seen “number station” type spam where. either the comment or name fields carried what looked like random strings of data.

I once (only half) jokingly suggested to Bruce that somebody could be trying to use the blog as a command and control head end from an idea I was working on at the time to do exactly that [2].

Sometimes it’s easy to guess what the motivation is other times it’s hard. Either way, it strikes me as a lot of work over and above getting the stories and writting the articles etc which strikes me as just one of several good reasons not to have my own blog.

Further this blog frequently gets pulled into search engines way way quicker than you would think, I’ve frequently seen the results on a search engine with an hour or two at the most. Which means that the spammers win as all they have to do is get into Google or which ever search engine cache and neither Bruce or the moderator can keep their eyes open 24×365.25.

[1] It’s not the first time such a daft or inexperianced mistake has been made by the spammers, I did think about suggesting keeping the comments and adding them to a black list to automate the removal process

[2] The idea is simply to post randomly to open blogs or blogs with only very weak authentication (such as SSO from a webmail etc service), using some odd name that would show up from a google search and you could pull the message out of the google cache without actually visiting the blog site…

Clive Robinson • February 3, 2013 9:02 PM

@ Jay,

…so in theory it should reduce the ratio of worst/average demand

The problem is that “in theory” does not cut it in practice for various reasons, just one of which is thermal mass.

I don’t know about the US but the UK smart meters usually have nice displays but don’t have an output you can connect up to external electronics in an “approved way” (you have to pay somebody lots of money for such conveniance etc etc).

Further most home systems give you the option of “Off” or “On” not “On at 14C” or “On at 21C” at different times of the day.

The bigest domestic use for energy is generaly heating followed by cooking. To get the best efficiency out of heating systems is difficult if you have a low thermal mass (which is true of most domestic properties).

In effect you need to know what the outside temprature, hudity and wind force/direction are going to be along with cloud cover and daylight hours for the future 12hours. You also need to know the number of people how often and for how long doors are going to be open, the same with curtains etc again for 12hours into the future. Knowing all this you then need to know the storage mass of the property and it’s contents and a few other bits of info…

You then model it around the electricity price. The larger the thermal mass of the property the easier the calculation becomes…

In essence you heat to 14C when people are out of the property and 21C when people are in. However to get the most efficient use it may be better to heat to 25 or 26 in the low cost period and allow the temprature to drift down slowly during high cost periods. And you end up with the delightfully sounding Rocket & Feather controler.

I’ve found in experiments that you save more money by using heavy lined curtains and keep them drawn and use low energy lighting as well as keeping internal doors shut and having room based thermostats than you do by trying to play smart with time based tariff switching.

Thus TOU metering is only going to show dividends for power suppliers who will rack up the price of peak electricity that “domestic” not “commercial” tend to use.

But seriously take a leaf out of the book of people living in the middle ages etc when fuel realy was expensive. Hang draft excluding cloth off of the walls (Tapestries for then curtains for now or for on the cheap low cost 10-15Tog king sized duvets) that trap an inch layer of still air between the wall and the air in the room likewise line the walls with an insulator like cork floor tiles or woodeen paneling for the same purpose. Keep inner rooms warm and halls corridors etc cooler especialy those involving external walls. Rather than having “decking” out the back of the house have a shuttered verander or better still conservatory these likewise hold pockets of still air. Further use energy recovering de-humidifiers, water takes 25 times as much energy per Kg per degree C than air, further more, humidity acts like a phase change heat pipe sucking the heat out of a room to condense it on external windows etc. Oh and the greatest cost saving of them all go out and by a reasonable weight jumper and wear it as you can turn the heating down by 5-7C without feeling uncomfortable.

It is fairly obvious that even current high fuel bills are not making people change… So smart meters won’t either so all smart meters will do is earn more money for the energy suppliers…

Clive Robinson • February 4, 2013 6:12 AM

@ Mural,

The “Man outsources his job” story is quite old history on this blog…

Clive Robinson • February 4, 2013 7:00 PM

@ Bruce Clement

You and your wife know one of the reasons why I don’t have a blog of my own…

The problem with all blogs is how to reduce the problems without unduly increasing the owner load.

One idear from IanG over at finacialcryptography was to use self signed anonymous certificates to build up trust.

That is you generate a certificate just to post to the service and you use this to sign each posting. As time goes by the moderator gets to trust your comments and thus your certificate becomes likewise trusted. The moderator thus nolonger needs to moderate any comments signed with your trusted certificate in the usual time consuming way. If as an individual you breach the trust in some way the moderator can reduce the trust they place in the certificate for a while or compleatly.

The problem is of course the anonymous user managing the certificates. Both legislation and in the main web browsers want to have a one to one corespondance between a certificate and a user which breaks the anonymous side of it.

What browsers should realy do is alow you to have multiple certificates, one (or more) for each role in your life in an easily managed way. So that you would not need to use the certificate you use for accessing your bank for posting to a hobby related blog etc. And likewise the one you use for your “woodworking hobby” is different to your “cake baking hobby” which again is different to your “Power Boat Racing hobby” etc etc (Yes I put my hand up to baking as a hobby but bread and pies not cakes as they involve to much fafing around and life is realy to short for filo and puff pastry 😉

Clive Robinson • February 4, 2013 8:02 PM

@ joequant,

… home users can be extremely disinterested in security because most break-in’s aren’t aimed at the the user

Disinterested or unaware?

If as you say the attacker is not targeting the user and takes care so that the user does not see what the attacker has done how is the user going to become aware there is a problem?

In essence what you have described is why businessses suffer so badly form APT attacks, they are unaware despite taking precautions that an attacker is in their systems.

Thus I suspect that like businesses most home users fall into the unaware category and only a few of those who have become aware they have been successfully attacted then fall into the disinterested category. Many home users however do fall into the category of ineffective or counter productive response. The sales of faux AV show this to be a significant problem.

Clive Robinson • February 5, 2013 5:32 AM

@ RobertT, Nick P,

“Overall, i’d say Eric is fishing.”

Possibly or someone who is claiming a little more experiance/staus than the actualy have. This frequently happens when engineers and the like move into managment.

Often years later they still see themselves at heart as being an engineer not a manager, but in reality have been out of the game to long as not only have the rules changed but the game as well and they would be lost if they had to go back to being a “Coal Face” engineer again.

It’s a problem with all engineering industries but especialy so in a fast moving one such as ICT and the accompanying InfoSec.

Back in the late 1970’s and early 1980’s I had a fairly good grip on what was involved with ComSec and Computers in general having designed some of the brutes from 7400 series logic ECL and AMD Bitslice processors and put others into Comms gear. And was thus a bit of a ‘hot property’ at the time. However now I’m just about hanging onto the Merry Go Round by my fingernails as the field has both opened up and sped up way way beyond what it is possible to have an indepth knowledge of in all areas. So much so that “generalists” who have breadth are not just an endangered species, they are positivly prehistoric, in effect dinosaurs that have refused to lie down and go the way of history.

And yes it feels like a “red queens race” where “life long learning” is not just a nice idea but more akin to a “life sentence”. And the only way to survive is by knowing the fundementals well and by being able to view all new information in that light.

The sad thing is you see the new guys come through, they have not learnt the fundementals well enough, and have had to drill down real hard to make their mark, so are not generalists but specialists with a very narrow field of view.

And no matter how many specialists you have in the room they don’t give the proper breadth needed for a good view on InfoSec. They just don’t work well at the edges of their knowledge and thus they don’t realy interact well with other specialists in even closely related specialisms. Worse they view all problems through their own tool set thus they realy do “hammer in screws”.

Anyway time to shift my slowly fossilizing carcass over to the “brown brew with caffeine machine” befor I become ossified in reminiscence mode 😉

Clive Robinson • February 5, 2013 11:23 AM

@ Vles,

I always sign my posts here with the same string of characters in the email address field…is a lot simpler… 🙂

Simpler yes, but known to you and the blog admin staff as a minimum and possibly a lot of others as well so is “security by obscurity” compared to “security by signiture”.

As has been observed many times before “You pays your money and you makes your choice, change is optional”.

Clive Robinson • February 8, 2013 4:45 AM

@ Keith,

I assume when I first saw it that it might partially function like a storm anchor. I.e. to reduce the risk tipping in interesting weather.

I’ve had to juryrig a storm anchor out of two oars and a jib sail and a fender, and chucking them over the side was a real test in faith (I did however tie a second ‘trip line” so I could get them back). It was an eventful 36hours that I would urge others not to try…

But then there is not much need for that with a cannoe

Agh that depends on how you cannoe… I have a friend and their spouse who like sea cannoing and have a large indian style canadian cannoe which has been “canvas decked” in (I jokingly say they should register it as a working narrow boat ;). They have been known to actually sleep at sea in it on long journeys, and a sea anchor gives you a degree of stability which makes sleeping and other “domestic” activites considerably easier.

As for getting my name wrong no worries, there are many people out there who think my name is Cliff (and not because I look like one 😉

Clive Robinson • February 8, 2013 9:37 AM

@ md5sum,

Would you publish the way you report to the moderator

I generaly do it the way others do, I simply put an entry in the thread concerned and mark it for the moderator or Bruce’s attention with a comment about what I’m drawing to their attention.

For instance if I see a paragraph or comment that’s been taken from an earlier posters comment but has a different name in the name field I simply make a comment to that effect and add the posting URL if required.

If Bruce or the Moderator agree then they take the appropriiate action and then remove my entry otherwise it looks odd in the thread sometimes they will also leave a reply as well.