Friday Squid Blogging: Squid Anchor

Webpage says that it’s “the most effective lightweight, portable anchor around.”

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Posted on February 1, 2013 at 4:40 PM (73 Comments)

Comments

MarkH February 1, 2013 8:22 PM

From a New York Times story about how their own computer systems have been under attack, apparently from China, this interesting bit of background (emphasis added):

Once hackers get in, it can be hard to get them out. In the case of a 2011 breach at the United States Chamber of Commerce, for instance, the trade group worked closely with the F.B.I. to seal its systems, according to chamber employees. But months later, the chamber discovered that Internet-connected devices — a thermostat in one of its corporate apartments and a printer in its offices — were still communicating with computers in China.

The security magic of network appliances!

Bobby February 2, 2013 12:29 AM

@MarkH this is becoming the new big debate, M2M. It would be such a disappointment to find out that, for the last 5 years, some guy called ying or yuri has been ‘virtually’ sleeping in your home/office, and waking late in the night to read all prints, scans, and stored jobs in your printer.

Clive Robinson February 2, 2013 3:18 AM

@ Mark H, Bobby,

Yes the “Internet of Things” is both vulnerable and fragile.

As bad as it is having your thermostat or printer turned against you, imagine if you will your electricity meter or your pacemaker starting to work against you…

Clive Robinson February 2, 2013 3:48 AM

OFF Topic :

In the UK there have been several stories about people hijacking their employer’s Twitter accounts (notably that of HMV) to basically put out comments that (whilst true and factual) the employer does not like.

However, it appears that various accounts have also been hacked, such as that of BBC Radio 4’s Today Program…

Well, it appears that there has been a significant attack on Twitter, with up to half a million accounts having been compromised.

But Twitter has in a way made it worse in that they have changed a number of accounts’ passwords and emailed the users that they have done so.

But… Firstly, they’ve changed the passwords on a large number of accounts that have not been hacked. And secondly, Twitter’s email apparently looks just like a phishing attack.

http://m.bbc.co.uk/news/technology-20256682

But a thought occurs to me: Twitter, amongst others, have been trying to position themselves as a Single Sign On Service. What is going to happen in the future when organisations such as Twitter arbitrarily change a user’s password and send out an email with the new password, when the user uses the organisation’s service as a Single Sign On Service… Instant lock out…

Bobby February 2, 2013 9:51 AM

what will they think of next? Always thought of Twitter as a simple grapevine for yapping. Actually, most social media.

Joe Loughry February 2, 2013 10:36 AM

Anyone else notice the comment-spam “marker comments” here are getting more clever?

> Keygen • February 1, 2013 8:51 PM
>
> Touche. Outstanding arguments. Keep up the good effort.

  1. The latest ones are shorter and less obviously off-topic.

  2. The choice of username in particular here is inspired.

  3. Hypothesis (not mine, but I believe it; I wish I knew who thought of it): these comments are being placed by someone for the purpose of identifying blogs where (A) they can insert safely—i.e., no insurmountable captcha stands in the way; and (B) where not all the markers are deleted by a moderator. A few days later, that someone scans for places where the marker comments have survived…indicating fertile soil.

Nick P February 2, 2013 12:32 PM

@ Joe Loughry

“Anyone else notice the comment-spam “marker comments” here are getting more clever?”

Yes they are. I’ve almost replied to one or two of them. They were still obviously spam, but seemed like a human was writing them. Then, I remembered my past research into spam that showed answering one was the best way to get more. I decided to leave them to the Mod.

mike acker February 2, 2013 1:50 PM

Bruce has taught us that security consists of detection and response as well as prevention.

right now we have little in the way of detection. how do you know if your computer has been hacked?

hint: it has an un-authorized program(s) on it.

how are you going to find that un-authorized program if you do not know what is supposed to be on your computer?

a software audit is going to begin by making a list of what is supposed to be on a computer. next it will make a list of what is actually on the computer. and finally reconcile the lists, reporting un-authorized programs — and updates. it is critical to check the size, date, and CRC of every program inventoried, as hackers love to attach their malware to existing programs.

the inventory would have to be performed from a read-only stand alone DVD.

without this audit we are all running computers we hope are not infected.

it’s time we know.

if OEMs don’t do this voluntarily we may have to make it law.

someone is going to yell at me that this cannot be done because the content of a computer changes constantly.

and that’s a huge part of the problem isn’t it?

when updates are distributed through proper channels there is no reason the master inventories cannot be updated at the same time. unless we have people shipping stuff they don’t know the content of. people doing that need to go into a different line of work. like parking cars.
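As an added illustration of the reconciliation step mike acker describes (example code written for this page, not something from the comment thread or from any vendor), the following Python builds an approved manifest of a directory tree, re-inventories it later, and reports unauthorized, missing and modified files. It records size plus SHA-256 rather than the CRC the comment mentions, because a CRC is easy to keep unchanged when patching a file; the directory, file names and contents are constructed inside a temporary directory so it runs offline.

```python
"""Software-inventory reconciliation: approved manifest vs. what is actually on disk.
Added example for this page; all files and names below are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Map each regular file (relative POSIX path) under root to (size, sha256).
    Symlinks are skipped so an attacker cannot point an approved name at other content."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            result[rel] = (p.stat().st_size, sha256_of(p))
    return result


def reconcile(manifest, actual):
    """Compare the approved manifest against a fresh inventory.
    unauthorized: present on disk, absent from manifest
    missing:      in manifest, absent from disk
    modified:     in both, but size or hash differs (e.g. code appended to a binary)"""
    unauthorized = sorted(set(actual) - set(manifest))
    missing = sorted(set(manifest) - set(actual))
    modified = sorted(p for p in manifest if p in actual and manifest[p] != actual[p])
    return {"unauthorized": unauthorized, "missing": missing, "modified": modified}


def demo():
    """Build a constructed 'golden image', drift it, and return the audit report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "editor").write_bytes(b"\x7fELF editor build 1")   # constructed content
        (root / "bin" / "shell").write_bytes(b"\x7fELF shell build 1")
        (root / "etc" / "config").write_bytes(b"option=1\n")
        manifest = inventory(root)  # taken at install time, kept on read-only media

        # Simulated drift found by a later audit run:
        with open(root / "bin" / "editor", "ab") as f:
            f.write(b"extra bytes appended")                          # tampered existing program
        (root / "bin" / "unknown_tool").write_bytes(b"no manifest entry")  # unauthorized program
        (root / "etc" / "config").unlink()                                # removed file
        return reconcile(manifest, inventory(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the manifest is produced from a known-good image and stored where the audited machine cannot write to it, and the scan runs from a boot environment the suspect machine does not control, as the comment's read-only DVD suggests. The hash comparison catches appended or patched code; modification timestamps are deliberately not compared because they are trivial to set.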

RobertT February 2, 2013 3:51 PM

In the internet of things don’t forget smart TVs. I’ve seen plenty of these devices connected up to home networks where the PCs were all locked down tight but the TVs were wide open and had complete direct access to the PCs’ hard drives.

There is also a trend to connect the smart TV up so that it has the best bandwidth (meaning ahead of the router/firewall); this is done to better support live video streaming.

Even if the users set the passwords properly the security for smart TVs is dreadful, and many of the cable companies have connect software with built-in backdoors for service etc.
It won’t be long before we have botnets of smart TVs.

Moderator February 2, 2013 4:48 PM

@ Joe Loughry,

> Anyone else notice the comment-spam “marker comments” here are getting more clever?
>
> > Keygen • February 1, 2013 8:51 PM
> >
> > Touche. Outstanding arguments. Keep up the good effort

That one’s not particularly clever from my point of view. Anyone who deals with blog spam would instantly recognize that kind of vacuous praise. In the case of spam probes the obviousness might be intentional — they want to find unmoderated comment sections — but Mr. Keygen seemed to actually be spamming for a keygen site. I strongly suspect the main reason that praise is so common in spam comments is that new or obscure bloggers would hesitate to delete a positive comment even if they know it’s probably fake.

Every once in a while I see nonspecific flames instead of nonspecific praise, and those are much more convincingly human, but of course they’re also much more likely to be deleted for other reasons.

I think the smartest spammers are the ones that go meta. Bruce gets spam comments saying “why don’t you post a video with this” and “can’t you at least write a description when you post a video” — both have a pretty good chance of landing on a post where they’re plausible, and if the spam software started testing for video embeds, they could be even better. Best of all are the comments that claim the blog is displaying poorly in some browser or other. A comment like that could appear on any post, and it’s always possible that someone could really be having problems with a website design (especially since they never include enough details to test). But they give themselves away either by having obvious spam links, or by repeating the same comment over and over verbatim.

Clive Robinson February 2, 2013 5:02 PM

@ Joe Loughry,

“Anyone else notice the comment-spam “marker comments” here are getting more clever?”

Yes they are and no they are not…

You need to keep an eye on the 100 latest comments page; I’ve seen a few corkers on there.

For instance, just the other day there was odd “sock-puppet” like behaviour on an old thread. I mentioned it looked odd and the moderator agreed. What neither of us could work out was why; it was almost like somebody trying to plant some kind of story line. It was most odd.

Another one was somebody had accidentally copied and pasted not just one comment-spam message but the hundred or so in the whole file. Interestingly some were very definitely tailored for this site, one of which had Mr Schneier in it… [1]

The sneaky way of doing it is one I’ve caught from time to time, where they copy a single paragraph from further up the thread. They’ve done it to both me and Nick P a couple of times.

Mind you there are two basic types hitting this blog at the moment: those doing the traditional product placement for pharmacy products, the other being the self advertising of others trying to get their own blogs visited… I kind of feel sorry for them (not 😉

We’ve even seen “number station” type spam where either the comment or name fields carried what looked like random strings of data.

I once (only half) jokingly suggested to Bruce that somebody could be trying to use the blog as a command and control head end from an idea I was working on at the time to do exactly that [2].

Sometimes it’s easy to guess what the motivation is, other times it’s hard. Either way, it strikes me as a lot of work over and above getting the stories and writing the articles etc, which strikes me as just one of several good reasons not to have my own blog.

Further, this blog frequently gets pulled into search engines way way quicker than you would think; I’ve frequently seen the results on a search engine within an hour or two at the most. Which means that the spammers win, as all they have to do is get into Google or whichever search engine cache, and neither Bruce nor the moderator can keep their eyes open 24×365.25.

[1] It’s not the first time such a daft or inexperienced mistake has been made by the spammers. I did think about suggesting keeping the comments and adding them to a black list to automate the removal process.

[2] The idea is simply to post randomly to open blogs or blogs with only very weak authentication (such as SSO from a webmail etc service), using some odd name that would show up from a google search and you could pull the message out of the google cache without actually visiting the blog site…
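Two of the tells mentioned in this thread, the same comment repeated verbatim (the Moderator’s point above) and a comment that is nothing but a paragraph copied from earlier in the same thread (Clive Robinson’s point), can be checked mechanically. The Python below is an added example written for this page, not a tool from the blog or its moderation software; SAMPLE_THREAD is a constructed five-comment thread. Lines starting with “>” are treated as explicit quotes and skipped, and a comment is flagged for copying only when every substantive paragraph in it is a copy, so a genuine reply that quotes a sentence and then adds its own words is not flagged.

```python
"""Flag comment-spam markers: verbatim repeats and comments made entirely of copied paragraphs.
Added example for this page; the thread below is constructed."""
import re

MIN_PARAGRAPH_WORDS = 8  # short lines such as "@alice" are too generic to count as copying


def normalize(text):
    """Lower-case, strip punctuation and collapse whitespace so trivial edits do not evade matching."""
    text = re.sub(r"[^\w\s]", "", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def paragraphs(body):
    """Normalized paragraphs of a comment body that are long enough to be meaningful."""
    return [p for p in (normalize(x) for x in body.split("\n\n"))
            if len(p.split()) >= MIN_PARAGRAPH_WORDS]


def flag_copied_comments(thread):
    """thread: list of (author, body) in posting order. Returns [(index, reason), ...]."""
    seen_paragraphs = {}  # normalized paragraph -> index of the comment that first posted it
    seen_bodies = {}      # normalized whole body  -> index of first posting
    flags = []
    for i, (_author, body) in enumerate(thread):
        # Explicit '>' quotes are legitimate and never count as copying.
        own_body = "\n".join(ln for ln in body.splitlines() if not ln.lstrip().startswith(">"))
        nb = normalize(own_body)
        paras = paragraphs(own_body)
        copied_from = [seen_paragraphs[p] for p in paras if p in seen_paragraphs]

        if nb and nb in seen_bodies:
            flags.append((i, f"verbatim repeat of comment {seen_bodies[nb]}"))
        elif paras and len(copied_from) == len(paras):
            # Nothing original at all: every paragraph was lifted from an earlier comment.
            flags.append((i, f"every paragraph copied from comment(s) {sorted(set(copied_from))}"))

        seen_bodies.setdefault(nb, i)
        for p in paras:
            seen_paragraphs.setdefault(p, i)
    return flags


# Constructed sample thread (author, body); comments 3 and 4 are the spam markers.
SAMPLE_THREAD = [
    ("alice", "Has anyone looked at the firmware update path on these thermostats?\n\n"
              "The vendor signs images but the device never checks the signature before flashing."),
    ("bob", "@alice\n\n> The vendor signs images but the device never checks the signature before flashing.\n\n"
            "Right, and the update server is plain HTTP, so the signature would not help much "
            "anyway without transport protection."),
    ("Keygen", "Touche. Outstanding arguments. Keep up the good effort."),
    ("Keygen", "Touche. Outstanding arguments. Keep up the good effort."),
    ("helpful_reader", "The vendor signs images but the device never checks the signature before flashing."),
]


def demo():
    return flag_copied_comments(SAMPLE_THREAD)


if __name__ == "__main__":
    for idx, reason in demo():
        print(f"comment {idx} ({SAMPLE_THREAD[idx][0]}): {reason}")
```

The vacuous-praise comment is caught here only once it repeats; the Moderator’s observation that a human recognises such praise on sight is exactly the part this check does not replace, so a list like this is a queue for a moderator, not an automatic delete.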

Clive Robinson February 2, 2013 5:30 PM

@ Robert T,

In the internet of things don’t forget smart TV’s I’ve seen plenty of these devices connected up to home networks…

Yes they do worry me but, not as much as smart meters and medical implants.

Look at it this way: as bad as the software is on these TVs, within five, ten at the most, years they will be landfill, but that pacemaker lurking in your chest will be with you for 20+ years and the electricity meter in your home has a good chance of still being there long, long after we are either toast or worm food 😉

I know I keep going on about it but these low cost embedded electronics really are made for the lowest price, and nobody’s going to pop round to re-flash your pacemaker or meter program that has a new security flaw found after the device is more than five or ten years old… Unless people are dying from security breaches at least a couple of hundred times a year or the company cannot keep it hushed up…

I’ll tell you one thing that has a bit of black humour about it… Imagine if you can me lying in a hospital bed and a senior cardiologist coming around and telling me they are not real sure what the medical problem I’ve got is… Then telling me they want to crack my chest to put one of the latest all singing wizzz bang pacers in that they can adjust using what is a form of Near Field Comms. I say well OK, but only when I’ve checked out the security protocols… You see this blank look on the consultant’s face, then I explain the risks, and I tell you what, his face ends up looking more sickly than my own as the proverbial penny drops…. Suffice it to say they’ve not yet got the medical bolt cutter etc to my ribs yet.

We really need some proper security standards worked out before we go charging head down like the proverbial bull in the china shop, just chucking remote access comms with zero or worse security into people…

princeton February 3, 2013 1:16 PM

@Popsmoke – that would be considered cyber fear-mongering, especially because Soufan is a retired FBI agent. Haven’t you heard? The defense dept is stirring this stuff up just to scare everyone so they can get a bigger budget. And the CDC is fabricating reports of influenza just to scare everyone so they can get a bigger budget. The FBI? They’re working with the Chicago Police Dept to create crime waves so they can scare everyone and get a bigger budget and buy all new computers.

On a serious note, the WSJ released some stuff about Eric Schmidt’s upcoming book. He says the Chinese are going to eat our lunch.

Clive Robinson February 3, 2013 2:36 PM

@ princeton,

On a serious note, the WSJ released some stuff about Eric Schmidt’s upcoming book. He says the Chinese are going to eat our lunch

Are going to eat… or are eating… ?

We in the west think mainly in next quarter’s figures, be it those who prowl and predate walnut corridor or broaden their butt cheeks lounging in political office, getting fat off of back handers etc.

The Chinese have traditionally thought in multiple lifespan times, which means they are not looking for the next quick buck but securing their long-term future.

Now I’ve mentioned it before, but for the better part of the last hundred years China has been expanding its influence one way or another in various territories where limited availability raw resources are found.

More recently they have been strategically investing in western companies etc in a way where they have a significant interest, to the point we have allowed them to get into a position where they threaten most western countries’ economic National Security.

We’ve not only allowed it but in most cases actively encouraged it due to our short term view.

The only thing that stops them currently destroying the west economically is that it is in their current interest not to do so.

However, they are now in a position where going to war against them would be futile in the extreme. It’s why we see the current power plays over North and South Korea.

In the way it is mostly portrayed “The American Dream” is a “Busted Flush” and only possible for a tiny few repressing the majority in a far from benign plutocracy that hides behind the illusion of Representational Democracy (what I refer to as “Monkey in a suit” “Chimps Tea Party Politics”).

The problem for such a Plutocracy is that they would actually make more money by allowing others to have more money and the associated improvement in their standards of living. But the problem with this is that the plutocrats lose not wealth but the ability to repress through purchased political power, and thus lose their control on others. It is this sort of power that was the reason the times before and including the middle ages in Europe were so bloody. Such Plutocracy nearly died out in the 1930s, which is why fascist politics were so popular with the old money and land classes. It also nearly died out again in the late 1950s through 1970s, but Maggie Thatcher came up with and sold to Ronnie “raygun” the idea of “light touch regulatory policy” that we saw up until very recently with the 2008 crash. That near 30-year period saw the greatest differential build up between the average income and the incomes of the wealthy. Shortly before the 2008 crash average annual earnings in the west were around 45,000USD whilst the average earnings of the super rich was as far as we can tell way north of 3000,000,000. It is not possible to lead a lifetime of basic consumption that will use that level of annual income; even extraordinary consumption will not touch it. So what do they do with such income? Well we know the likes of the Koch Brothers use it to buy off politicians and fund at best misleading adverts and misguided idiots who will sell their own long term self interest for a few fast bucks.

I’m sorry that folks have not studied history, as they would know where this is going to end, and it won’t be nice. There is a reason why China in one way or another has been the world’s longest running empire, and that is not going to change any time soon. Also there is a reason why Europe has seen such political upheaval every few generations. The US might think that geographical distance and having a reasonable amount of natural resources might insulate them from such upheaval, but as both WWI & WWII proved they are dependent on other nations both for raw materials but also for markets for their finished goods. The west has lost its markets to the Far East and China is doing its best to ensure that they will take over and control manufacturing, not just by stealing market share but also by restricting and controlling access to raw materials.

Contrary to the ideas of Maggie Thatcher the west cannot survive by being a “financial service” industry for the rest of the world for fairly obvious reasons. Northern Europe is mined out of resources and quickly and irrevocably depleting its energy resources to maintain an artificially high standard of living. Well, just as with Northern Europe, the clock is also running on this one for the US and middle east as well…

RobertT February 3, 2013 4:06 PM

@CliveR
As a young engineer I worked on heart pacemakers. The company was very successful early on but eventually floundered. I still keep in touch with some ex-colleagues working in the medical field. One thing I can say with certainty is that they do not understand the security / device communications risks that you allude to.

Now what’s interesting with heart pacemakers is that it is all an image business. The circuits / systems are relatively easy these days but the market is impossible to enter.

Imagine what would happen to the dominant company’s image if someone intentionally constructed a remote re-programmer and took a walk down Wall St or maybe better Pen Ave. The FDA would have to investigate and the rest would be history…

The financial gain to an upcoming competitor would be enormous, just look at the market cap for the company that I’m talking about.

The financial gain would be so large that it is easy to conceive of a situation where even options traders or pension funds could benefit sufficiently to fund the whole undertaking. It’s a scary concept!

I guess our last line of defense is the honor of security engineers which is a truly worrying concept.

RobertT February 3, 2013 5:48 PM

Re Smart Meters,

It concerns me that “smart meters” are creating systemic fragility within the electricity distribution system, with the only possible beneficiary being the retail electricity providers. Interestingly they benefit but they are not really part of the game because they are asset-light structures.

From what I can see ToU does not help average people and it definitely hurts the elderly / disabled. It also does not seem to help Electricity generators because their fixed costs investments are still required to cope with peak loads. (BTW TOU usually results in an increase in the systems worst case peak to average supply ratios)

On top of this we add the risk that someone will introduce malicious code to intentionally destabilize the national grid, and we are doing this so that retail electricity RESELLERS can make higher profits…amazing.

If the aim of smart meters was simply remote meter reading then I’d be in favor of it; it’s the rest of the smart grid concepts that worry me.

Jay February 3, 2013 7:50 PM

@RobertT:

TOU metering bills people more during peak periods and less during non-peak, so in theory it should reduce the ratio of worst/average demand.

It certainly works for factories, anyway. Maybe factories are more likely to monitor the electricity market price than the average homeowner, of course – which is why providers keep investigating “in home displays” to deliver (amongst other things) rate information. Yes, another piece of comms-network-connected disposable electronics…

Jay February 3, 2013 8:03 PM

@RobertT (contd.)

As to the security aspects: not all smart meters are actually capable of controlling loads, either. (Ones that can’t are cheaper. Utilities like cheaper. Particularly for customers who pay their bills on time, and who never need to be threatened with disconnection or being moved to a prepayment scheme.)

In some areas, it might be easier to destabilize the grid with solar inverters…

Popsmoke February 3, 2013 8:16 PM

@princeton

Soufan is no rumor monger… If Ali releases this stuff I as someone who played the CT game for 20 years take note of it.

Clive Robinson February 3, 2013 9:02 PM

@ Jay,

…so in theory it should reduce the ratio of worst/average demand

The problem is that “in theory” does not cut it in practice for various reasons, just one of which is thermal mass.

I don’t know about the US but the UK smart meters usually have nice displays but don’t have an output you can connect up to external electronics in an “approved way” (you have to pay somebody lots of money for such convenience etc etc).

Further most home systems give you the option of “Off” or “On” not “On at 14C” or “On at 21C” at different times of the day.

The biggest domestic use for energy is generally heating followed by cooking. To get the best efficiency out of heating systems is difficult if you have a low thermal mass (which is true of most domestic properties).

In effect you need to know what the outside temperature, humidity and wind force/direction are going to be, along with cloud cover and daylight hours, for the next 12 hours. You also need to know the number of people, and how often and for how long doors are going to be open, the same with curtains etc, again for 12 hours into the future. Knowing all this you then need to know the storage mass of the property and its contents and a few other bits of info…

You then model it around the electricity price. The larger the thermal mass of the property the easier the calculation becomes…

In essence you heat to 14C when people are out of the property and 21C when people are in. However, to get the most efficient use it may be better to heat to 25 or 26 in the low cost period and allow the temperature to drift down slowly during high cost periods. And you end up with the delightfully sounding Rocket & Feather controller.

I’ve found in experiments that you save more money by using heavy lined curtains and keep them drawn and use low energy lighting as well as keeping internal doors shut and having room based thermostats than you do by trying to play smart with time based tariff switching.

Thus TOU metering is only going to show dividends for power suppliers who will rack up the price of peak electricity that “domestic” not “commercial” tend to use.

But seriously, take a leaf out of the book of people living in the middle ages etc when fuel really was expensive. Hang draft excluding cloth off of the walls (tapestries for then, curtains for now, or for on the cheap low cost 10-15 Tog king sized duvets) that trap an inch layer of still air between the wall and the air in the room; likewise line the walls with an insulator like cork floor tiles or wooden paneling for the same purpose. Keep inner rooms warm and halls, corridors etc cooler, especially those involving external walls. Rather than having “decking” out the back of the house have a shuttered veranda or better still a conservatory; these likewise hold pockets of still air. Further, use energy recovering de-humidifiers: water takes 25 times as much energy per Kg per degree C than air; furthermore, humidity acts like a phase change heat pipe sucking the heat out of a room to condense it on external windows etc. Oh, and the greatest cost saving of them all: go out and buy a reasonable weight jumper and wear it, as you can turn the heating down by 5-7C without feeling uncomfortable.

It is fairly obvious that even current high fuel bills are not making people change… So smart meters won’t either so all smart meters will do is earn more money for the energy suppliers…

RobertT February 3, 2013 10:23 PM

@Jay
Thanks for the info on the intended purpose of ToU pricing, it is good to know that there is a purpose to this exercise.

Fundamentally businesses and residences are very different, because the business man can always decide that his electricity costs are too high so he will idle some production capacity. There is no real equivalent capability within the residential electricity market plus the average person has no way to profit from the spot market price.

As for smart meter “in home displays” what difference do they really make? As Clive has mentioned the thermal mass in modern housing is too low to properly store cold/heat. So the average user must use the electricity when needed.

Normal residential ToU pricing has a Peak, Off-peak, shoulder tariff rates which remain fairly constant regardless of the wholesale costs of electricity. This is done to appease regulators AND maximize profits.

In the few markets where I have seen detailed figures the average electricity consumption decreases under ToU because people become more aware of their electricity bill and aware of ways to “reduce” the bill. What’s wrong with this is that absolute worst case Peak occurs for less than 10 hours per year YET this is the load that the generators/distributors must design their systems for. The typical variable cost of electricity is about 3c/kWh whereas the capital costs can be as high as 20c/kWh.

When ToU encourages people to keep the AC off till they can’t stand it anymore and then cool the whole house it adds to the peak and reduces the average. This is exactly opposite to the intended behavior and is what I find the most significant problem with ToU theory and practice diverging.

joequant February 3, 2013 10:41 PM

One thing that I found useful about the NY Times coverage of the Chinese hacking incident is that it’s given “permission” for other newspapers to say “yes, we’ve been hacked too.”

That any company that does business in China will be subject to hacking is something of an open secret. However, there are strong pressures to keep this quiet, since someone that publicly admits to being hacked will likely lose their jobs. Worse yet, there are pressures to not look at security because you might find out something that will cost you your job.

However, if the NY Times says “yes, we’ve been hacked” this gives a few days for other companies to either internally or externally look at their security systems.

One other thing: this (like the stories about Wen Jiabao’s fortune) is likely to have almost zero impact in China itself. The New York Times is not particularly trusted in China and is seen as a tool of US foreign policy, and the fact that one of the main articles today is about the US strengthening cyberdefense is going to cause lots of people to come up with conspiracy theories.

Not to mention that there are pretty large numbers of Chinese who think it’s a good thing that the government was hacking the NYT (i.e. imagine the reaction in the US if it were known that the CIA had hacked the People’s Daily. A lot of people would think that the only bad thing about this was that they got caught.)

joequant February 3, 2013 11:10 PM

One note is that I find it rather unlikely that the Chinese military is involved in this, simply because the Chinese military is autonomous and doesn’t take orders from Wen Jiabao.

It probably came from the Party Central Disciplinary and Inspection Commission, Ministry of State Security or possibly the State Council Information Office.

One trend in China over the last few decades has been to reduce the role of the military in areas that have nothing to do with war-fighting, in part because there is a strong historical fear of the military getting too powerful. Also militaries are just not set up for covert operations.

The other thing that is interesting is that I think what the hackers were looking for were which particular documents the NYT used to create their story. One thing that people doing due diligence on Chinese companies find is that it’s been quite hard to get corporate documents.

The other thing is that people have suspected that a lot of the information that went into the story was leaked by Wen’s political opponents (including one former Politburo member who is due to go on trial shortly). The NYT has denied this, but if true, some people in China are in pretty hot water right now.

What’s more if you want to get really tricky, one should point out that the net result of all of this publicity is that no confidential source is going to talk to the NYT or any other Western newspaper ever again.

joequant February 3, 2013 11:28 PM

Something that is useful in a global context is to realize that its not obvious who “we” are. Don’t assume that when you are in a conversation that everyone in the room is American. This matters a lot with security. Having the US government in charge of security is going to end up with some resistance if the company involved is French.

The idea of China as an “ancient empire” is interesting, but there are problems with it. One is that China is in some ways a very new country. The United States has had the same constitution and the same government since at least the 18th century, and its legal system has roots that go back to the 12th century. Most of China’s institutions date only from the 1980s.

Also a lot of the things about China that are “unique” really aren’t. I don’t think that China has a particular “long term” view of history. Rather, I think that Americans have a particularly “short term” view in comparison to everyone else in the world.

The other thing that’s odd is that I don’t think that anyone in China right now really wants to “take over the world” any more than anyone in Britain or France wants to do so. Right now China is trying to get out of high labor manufacturing since there is no future in it.

db February 4, 2013 2:57 AM

Wonderful. I always like it when someone manages to work around so called fundamental limits, especially when they’re imposed by something as arbitrary as information theory.

Do you have a perpetual motion machine for us as well? We could use that to power the computer when it is doing the compression.

joequant February 4, 2013 3:01 AM

Here is an example of “smart electricity” that works….

http://www.austinenergy.com/energy%20efficiency/Programs/Power%20Partner/index.htm

The way that this works is that you get a free thermostat that lets the power company turn off your air conditioner if it needs to. The reason this is a good thing is that if the power company can’t turn off air conditioners then if it has a power surge, it has to resort to rolling black outs (which has happened).

Also the power consumption dynamics are very different in Austin than in the UK. People in Austin, Texas usually don’t have electric heating. Heating and cooking usually takes place using natural gas which is a lot cheaper than electricity.

joequant February 4, 2013 3:07 AM

One thing I have found interesting is that home users can be extremely disinterested in security because most break-ins aren’t aimed at the user. Mostly what happens is that the hacker is using the home machine as a component of a botnet, and is pretty careful not to disturb the home machine.

RobertT February 4, 2013 4:51 AM

@joequant
this free thermostat is precisely the sort of equipment which can create security problems. Sure Austin Energy wants to use it for the greater good and network stability and lots of other positives BUT what they are creating is a remote switch to enable / disable heavy residential AC loads.

Each AC is probably about 12kW with a startup current of maybe 80A to 100A. If I can control 100 of these on the same MV net (11kV in Texas, I believe) then I can remotely create several hundred amp surges in the MV local distribution lines. This will typically be enough to cause under/over voltage trip-outs. Think about the inductance of the system and the effect of 100A coordinated surges. Think about flux saturation of the transformers and other similar physical limit effects.

At the moment the grid relies on over-design, shunt loads and a measure of blind dumb luck to manage these problems.

This thermostat gives the grid attacker an entry point to destabilize the grid. Most hackers probably would not want to do this but for security reasons you need to consider how an enemy might utilize this feature.

Clive Robinson February 4, 2013 6:12 AM

@ Mural,

The “Man outsources his job” story is quite old history on this blog…

Joao February 4, 2013 6:21 AM

On 01/27 there was a fire in a nightclub in Santa Maria, southern Brazil where at least 231 people were killed. http://edition.cnn.com/2013/01/27/world/americas/brazil-nightclub-fire/index.html

It was a pileup of incompetence that caused the tragedy: starting with the club owners who didn’t bother putting in more than one exit door, government and fire department that issued licenses when the club should never have been granted one under those conditions, and the band that used pyrotechnics during its performance.

The greatest fault, of course, is the government’s. It’s been rumored that the fire department was bribed to issue the license, but even if it’s not true the club’s primary goal is profit and the band’s is popularity. The fire dept’s should always be the safety of people.

President Rousseff went to Santa Maria shortly after the fact to display the government’s “grief”. Hopefully it will actually lead to heavier laws regarding public officials that do not properly do their jobs.

Eric Hacker February 4, 2013 10:29 AM

There have been several comments about the smart grid which I think need an insider’s perspective.

  1. I can’t speak for medical devices, but for the smart grid there has been extensive work on security standards. Just look up NISTIR 7628 for example. Now, these are not perfect, nor are they necessarily very well implemented, but recent smart meters are no easy pushovers.
  2. @RobertT Your point may be valid, but that’s one reason why there are smart grid standards which make it very difficult to execute such an attack. There are also grid design standards that reduce the cascading outage effects from such an attack put out by NERC.

I don’t believe such attacks are practical, but I haven’t yet convinced an academic to pursue the research. It is harder to convince someone to do research to prove a non-threat than to prove a threat.

My premise is that the communications systems used by most smart grids are not capable of the widespread broadcast messages that would have any sort of instantaneous effect. The bandwidth requirements for collecting meter data are relatively minimal. Some rural coops are even using powerline communications that are still measured in low BPS. Most deployments are using meter to meter meshes with broadband uplinks. Getting messages out to a meter quickly just doesn’t happen.

To send a malicious command out to many meters will encounter two bottlenecks. The first is that the central management server will have to encrypt each message individually to each meter (because there are security standards that are followed). Second, the commands will have to propagate across the bandwidth constrained mesh network. Neither one of those will happen quickly enough to create the kind of instantaneous load swings that would cause large scale damage.

  3. As to the value proposition of smart meters overall, I’m in agreement with others that by themselves smart meters with ToU pricing probably won’t deliver the return on investment that the industry anticipates. Most people simply won’t make the effort to reduce energy consumption that much. However the future will be energy constrained and we are laying the foundation for much more distributed generation and microgrids. I also think there is value in enabling the proactive consumer to manage their energy use better, even if it costs a bit more for the uninspired.

MarkH February 4, 2013 2:23 PM

@db:

Andrew didn’t claim that the output file can be uncompressed, so no fundamental limit is applicable.

I have an algorithm that can compress a file of unlimited size to 1 bit, and runs quickly:

while not end-of-file: read from file
print 0

As an optimization, the first line may be omitted without affecting the results.

Moderator February 4, 2013 2:47 PM

Andrew Haynes, you used up all your chances on this blog long ago. Don’t try to post here again. This goes for all your sockpuppets, too.

Moderator February 4, 2013 4:11 PM

Andrew, you’re still not getting it. You used up all your chances. After hundreds of comments’ worth of sockpuppetry and gibberish, you don’t get to come back and keep trying to come up with something that might be acceptable. You are banned and anything you post will be removed. This is permanent, so there’s no need to test it again.

Bruce Clement February 4, 2013 6:15 PM

@Clive Robinson “It’s not the first time such a daft or inexperienced mistake has been made by the spammers, I did think about suggesting keeping the comments and adding them to a black list to automate the removal process”

My wife has a WordPress blog & I have a link directory that are both hit by spammers on a regular basis.

In both cases submissions need to be approved before becoming publicly visible. I’ve noticed some interesting things about the spam.

There is no single technique spammers all use that make it easy to detect them, but some things make it easier to detect a large percentage.

Firstly, CAPTCHA. Some spammers are obviously using automated methods to overcome these, I see dozens of repeated attempts at submission in a very short period until they eventually get through. When I first saw this I was moved to wind the captcha hardness setting to the top but this:

  1. meant that some humans were unable to solve them
  2. just meant my server had to endure many more repeats before they got in.

All I really achieved was to use more of my bandwidth and computer power, unlike the spammers I pay for mine. I ended up deciding that it was more cost effective to let them through with minimal effort and then delete them in bulk.

The second thing I’ve noticed is that occasionally the spammers haven’t configured their submission scripts correctly and text that was obviously meant to be “spun” (randomish text element replacement, e.g. of synonyms) was sent with the replacement markers and options still in the text. Attempting to manually use their spun text for automatic blocking is likely to be of little benefit. I suppose that Bayesian filters would have a reasonable chance against the current spinners, but how long that would remain effective is an interesting question.

The target web address may have been obfuscated by misusing free services such as url shorteners, but ultimately the real target has to be divulged. Typically it is an affiliate link, a free web host or a throw-away domain name. For the moment this could be used to detect many of them until the next round of spam software finds some way around this.
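The two signals described in this comment (spinner markup left in the text, and a final target host on a known free-host or throw-away list) lend themselves to a small triage pass before manual review. The following is an added example, not code from the commenter or from WordPress: the `throwaway` list and the sample comments are constructed, and the block works on the text as submitted, so any URL shortener would have to be expanded beforehand.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// spintax matches an unexpanded spinner block such as {great|nice|good},
// the "replacement markers and options" the comment describes.
var spintax = regexp.MustCompile(`\{[^{}|]*(\|[^{}|]*)+\}`)

// urlPattern pulls http(s) URLs out of free text.
var urlPattern = regexp.MustCompile(`https?://[^\s<>"')]+`)

// Finding summarises why a submission was flagged.
type Finding struct {
	UnexpandedSpintax bool
	Domains           []string // distinct hosts linked from the submission
	FlaggedDomains    []string // hosts on the free-host / throw-away list
}

// throwaway is a constructed stand-in for the blog owner's own list of
// free hosts and disposable domains seen in earlier spam.
var throwaway = map[string]bool{
	"free-host.example": true,
	"throwaway.example": true,
}

// matchesBlocklist treats a listed domain as covering its subdomains too,
// since free hosts hand out one subdomain per spammer.
func matchesBlocklist(host string, bl map[string]bool) bool {
	for h := host; h != ""; {
		if bl[h] {
			return true
		}
		i := strings.IndexByte(h, '.')
		if i < 0 {
			return false
		}
		h = h[i+1:]
	}
	return false
}

// Analyse extracts the two signals from one submission.
func Analyse(text string, bl map[string]bool) Finding {
	f := Finding{UnexpandedSpintax: spintax.MatchString(text)}
	seen := map[string]bool{}
	for _, raw := range urlPattern.FindAllString(text, -1) {
		u, err := url.Parse(raw)
		if err != nil {
			continue
		}
		host := strings.ToLower(u.Hostname())
		if host == "" || seen[host] {
			continue
		}
		seen[host] = true
		f.Domains = append(f.Domains, host)
		if matchesBlocklist(host, bl) {
			f.FlaggedDomains = append(f.FlaggedDomains, host)
		}
	}
	return f
}

// ShouldHold says whether the submission stays in the moderation queue
// rather than being published straight away.
func ShouldHold(f Finding) bool {
	return f.UnexpandedSpintax || len(f.FlaggedDomains) > 0
}

func main() {
	// Constructed samples: one mis-configured spinner, one ordinary comment.
	samples := []string{
		"{Great|Nice|Awesome} post! Visit http://shop.free-host.example/offer now",
		"Thanks, see https://www.example.org/page for the follow-up",
	}
	for _, s := range samples {
		f := Analyse(s, throwaway)
		fmt.Printf("hold=%v spintax=%v domains=%v flagged=%v\n",
			ShouldHold(f), f.UnexpandedSpintax, f.Domains, f.FlaggedDomains)
	}
}
```

Neither signal is proof on its own; the point of the comment is that both are cheap to check and catch a large share of current spam until the spam software adapts, which is why the result is a hold for review rather than a silent drop.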

RobertT February 4, 2013 6:36 PM

@Eric Hacker

I can assure you that everything I have outlined is possible. I’m not really wishing to educate others so for the moment I’ll keep the execution details to myself.

I think you are too focused on the communications & control system bandwidth and not sufficiently focused on the load on/off synchronization task.

Every ToU meter (or smart load controller) has a built-in system clock so the hacker simply needs to tell all the meters the time that he wants them all to turn off/on the AirCon. All clocks throughout the whole Grid network are synchronized by the line frequency 50/60Hz. So all load controls are perfectly synced at the Line Freq. This means the control bandwidth is unimportant. I could take a day to set up just one event and all meters / events would be perfectly synced across the grid. Technically it is doable; the big question is why would anyone want to do this.

For example: everyone knows that Iran is refining Uranium, we even know the precise geographical locations and the type of Centrifuges they are using. If the refining plant is connected to the normal electric grid then a lot of damage could be done to the centrifuges by deliberate manipulation of the Grid. Even if the Grid does not collapse the instability will cause the centrifuge contents to mix which dramatically reduces the centrifuge separation efficiency. The Iranian site probably has its own powerplant making such an attack impossible, but a similar attack against a Taiwan wafer fab might be achievable and might disrupt supply of vital electronic components.

My point is that there are VERY high value industrial targets connected to the national Grid; these places rely on a very stable grid. For the semiconductor plant you may not ruin the lot but you could easily reduce the yield, creating an economic incentive for someone to deliberately interfere with grid stability.

As you have indicated the grid is well designed, meaning that lots of things need to go wrong simultaneously for consumer Load events to propagate back up the grid from LV to MV and onto the HV level where they can start to cause widespread damage.

If you are really interested in this topic then we will need to take the conversation off line. I’ve written a lot on this site about attacks on embedded security systems, so you can check out for yourself if I have the technical knowledge / capabilities to implement this attack.

Clive Robinson February 4, 2013 7:00 PM

@ Bruce Clement

You and your wife know one of the reasons why I don’t have a blog of my own…

The problem with all blogs is how to reduce the problems without unduly increasing the owner load.

One idea from IanG over at financialcryptography was to use self signed anonymous certificates to build up trust.

That is you generate a certificate just to post to the service and you use this to sign each posting. As time goes by the moderator gets to trust your comments and thus your certificate becomes likewise trusted. The moderator thus no longer needs to moderate any comments signed with your trusted certificate in the usual time consuming way. If as an individual you breach the trust in some way the moderator can reduce the trust they place in the certificate for a while or completely.

The problem is of course the anonymous user managing the certificates. Both legislation and in the main web browsers want to have a one to one correspondence between a certificate and a user which breaks the anonymous side of it.

What browsers should really do is allow you to have multiple certificates, one (or more) for each role in your life in an easily managed way. So that you would not need to use the certificate you use for accessing your bank for posting to a hobby related blog etc. And likewise the one you use for your “woodworking hobby” is different to your “cake baking hobby” which again is different to your “Power Boat Racing hobby” etc etc (Yes I put my hand up to baking as a hobby but bread and pies not cakes as they involve too much faffing around and life is really too short for filo and puff pastry 😉
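The scheme sketched above (a key pair generated only to post, a signature on each comment, and a moderator who accumulates trust in the key rather than in a person) is small enough to show end to end. This is an added example, not IanG’s design or anything from this blog’s software: it uses Ed25519 from the Go standard library in place of an X.509 certificate, and the `Poster`, `Moderator`, threshold and pseudonym names are assumptions. One `Poster` per role gives the separate, unlinkable identities the comment asks browsers for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Decision is what the moderator does with an incoming signed comment.
type Decision int

const (
	Rejected  Decision = iota // signature does not verify: drop
	Queued                    // valid but not yet trusted: hold for manual review
	Published                 // valid and trusted: publish without review
)

// SignedPost is a comment plus the poster's self-generated public key and an
// Ed25519 signature over the body. The key is the only identity the
// moderator ever learns; Pseudonym is just a display label.
type SignedPost struct {
	Pseudonym string
	PubKey    ed25519.PublicKey
	Body      []byte
	Sig       []byte
}

// Poster holds one anonymous identity. A user keeps a separate Poster per
// role (woodworking, baking, ...) so the roles cannot be linked.
type Poster struct {
	Pseudonym string
	pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
}

// NewPoster generates a fresh key pair; nothing ties it to a real identity.
func NewPoster(pseudonym string) (*Poster, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Poster{Pseudonym: pseudonym, pub: pub, priv: priv}, nil
}

// Sign produces the post the poster submits.
func (p *Poster) Sign(body string) SignedPost {
	b := []byte(body)
	return SignedPost{Pseudonym: p.Pseudonym, PubKey: p.pub, Body: b, Sig: ed25519.Sign(p.priv, b)}
}

// Moderator keeps a trust score per public key (hex of the key as the id).
type Moderator struct {
	Threshold int // approvals needed before a key is auto-published
	trust     map[string]int
}

func NewModerator(threshold int) *Moderator {
	return &Moderator{Threshold: threshold, trust: map[string]int{}}
}

func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// Handle verifies the signature first; only then does the key's history count.
func (m *Moderator) Handle(sp SignedPost) Decision {
	if len(sp.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(sp.PubKey, sp.Body, sp.Sig) {
		return Rejected
	}
	if m.trust[keyID(sp.PubKey)] >= m.Threshold {
		return Published
	}
	return Queued
}

// Approve records a manual approval of a queued post, raising trust in the key.
func (m *Moderator) Approve(sp SignedPost) { m.trust[keyID(sp.PubKey)]++ }

// Penalise is the moderator's response to a breach: trust drops back to zero.
func (m *Moderator) Penalise(sp SignedPost) { m.trust[keyID(sp.PubKey)] = 0 }

// Trust reports the current score for the key behind a post.
func (m *Moderator) Trust(sp SignedPost) int { return m.trust[keyID(sp.PubKey)] }

func main() {
	mod := NewModerator(3)
	woodworker, _ := NewPoster("woodworker") // one role, one key
	for i := 1; i <= 4; i++ {
		sp := woodworker.Sign(fmt.Sprintf("comment %d", i))
		d := mod.Handle(sp)
		fmt.Printf("comment %d: decision=%d trust=%d\n", i, d, mod.Trust(sp))
		if d == Queued {
			mod.Approve(sp) // stands in for the moderator reading and approving it
		}
	}
}
```

Because the trust attaches to the key and the key is checked before the score is consulted, a post that reuses a trusted key but was not signed by it is rejected rather than auto-published, which is the property that lets the moderator stop reading every comment from an established pseudonym.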

Clive Robinson February 4, 2013 7:44 PM

@ RobertT,

You beat me to it for pointing out the problem in Eric’s point 2.

What surprises me is that it’s not just one or two people who make the mistake of not thinking separately about the delivery mechanism and the payload of an attack. It appears to be endemic in people who were not in on the early days of non electronic network delivered malware with “Friday the 13th code” launched a month or so beforehand.

Not so long ago we saw the re-emergence of boot sector virus code and I remember it came as quite a shock to many people, even though it was very old hat stuff.

Anyone who had worked within the early “sneaker nets” would have known about how to cross air-gaps so why did Stuxnet come as such a nasty surprise to so many…

It all gives supporting evidence to Nick P’s comments that we are forgetting and having to re-learn and re-solve problems that had been solved thirty years ago and usually much better solved then than the re-boiling of today.

I guess in some ways it points to the fact that technology in this area is developing too fast for people to keep up in both breadth and depth of knowledge.

It also sadly points out the lack of real engineering technique in the industry in that at the very least software development is still very artisanal and much like the trade of wheelwright or boilermaker in the first part of the Victorian era.

But sadly I see things moving in the wrong direction. Instead of software becoming more disciplined in engineering technique we see areas where engineering techniques were used extensively forgo them and take on some of the less creditable ideas of software development.

For instance “code re-use” is not in most cases done properly these days. Whilst code that goes into OS and system libraries has been and usually is well thought out and well tested, the same can not be said of application libraries.

This idea of libraries has slipped down the computing stack to the development of hardware. I don’t know the percentage numbers but many chips these days are made up from parts libraries that in turn are made up from other libraries. Few of these higher level libraries have been tested as thoroughly as we might like, which means that generic bugs appear in many different chips which the chips’ designers are unaware of.

And it is this lack of awareness that is making some people in the security field quite nervous.

Clive Robinson February 4, 2013 8:02 PM

@ joequant,

… home users can be extremely disinterested in security because most break-ins aren’t aimed at the user

Disinterested or unaware?

If as you say the attacker is not targeting the user and takes care so that the user does not see what the attacker has done how is the user going to become aware there is a problem?

In essence what you have described is why businesses suffer so badly from APT attacks, they are unaware despite taking precautions that an attacker is in their systems.

Thus I suspect that like businesses most home users fall into the unaware category and only a few of those who have become aware they have been successfully attacked then fall into the disinterested category. Many home users however do fall into the category of ineffective or counter productive response. The sales of faux AV show this to be a significant problem.

Clive Robinson February 4, 2013 8:20 PM

ON Topic 🙂

@ Bruce,

Squid Anchor Webpage says that it’s “the most effective lightweight, portable anchor around.”

A friend of mine has one for use in their canoe and has pointed out that whilst what you quote is true it’s not the full picture.

On its own the anchor is just about useless, you also need a bucket of gravel or stones to weigh it down before it works. Otherwise it floats alongside…

So what you save in anchor weight is lost to having to have ballast weight and importantly remembering to take the ballast with you.

As my friend acidically pointed out, when you need an anchor in a hurry, that’s the time you don’t want to be trying to either find gravel or put gravel in the anchor bag, and if you’ve forgotten your bucket of gravel or somebody else has chucked the gravel out then…

RobertT February 4, 2013 9:38 PM

@Clive Robinson

I’m not sure what to make of Eric’s comments, I suspect he wants more attack details, so he just presented an argument with an obvious error, hoping I’d respond with detailed attack information.

If the comments are genuine then he is looking at the grid system security through the eyes of the security provider rather than the eyes of the attacker, which takes us right back to the age old problem that you can’t teach hacking.

Frankly most system hackers won’t even try to get in through the front door because it tends to be noticed. Also backdoor attacks can be more powerful because the deliberate throughput limits on the front door are bypassed.

Eric is also ignoring that the fan-out limitations of a mesh network entry point are only a limitation if you’re focused on a single point control center, if you implement a parallel control botnet then you can have enormous bandwidth available across the whole network.

Overall, I’d say Eric is fishing.

Nick P February 5, 2013 1:44 AM

@ RobertT

“Overall, I’d say Eric is fishing.”

If true, it’s kind of sad for one reason: you guys typically give plenty of good advice on such matters if one only asks nicely. No need for such antics to get technical information on this blog. One of the great things about the more vocal of our community.

Clive Robinson February 5, 2013 5:32 AM

@ RobertT, Nick P,

“Overall, I’d say Eric is fishing.”

Possibly, or someone who is claiming a little more experience/status than they actually have. This frequently happens when engineers and the like move into management.

Often years later they still see themselves at heart as being an engineer not a manager, but in reality have been out of the game too long as not only have the rules changed but the game as well and they would be lost if they had to go back to being a “Coal Face” engineer again.

It’s a problem with all engineering industries but especially so in a fast moving one such as ICT and the accompanying InfoSec.

Back in the late 1970’s and early 1980’s I had a fairly good grip on what was involved with ComSec and Computers in general having designed some of the brutes from 7400 series logic, ECL and AMD Bitslice processors and put others into Comms gear. And was thus a bit of a ‘hot property’ at the time. However now I’m just about hanging onto the Merry Go Round by my fingernails as the field has both opened up and sped up way way beyond what it is possible to have an in-depth knowledge of in all areas. So much so that “generalists” who have breadth are not just an endangered species, they are positively prehistoric, in effect dinosaurs that have refused to lie down and go the way of history.

And yes it feels like a “red queen’s race” where “life long learning” is not just a nice idea but more akin to a “life sentence”. And the only way to survive is by knowing the fundamentals well and by being able to view all new information in that light.

The sad thing is you see the new guys come through, they have not learnt the fundamentals well enough, and have had to drill down real hard to make their mark, so are not generalists but specialists with a very narrow field of view.

And no matter how many specialists you have in the room they don’t give the proper breadth needed for a good view on InfoSec. They just don’t work well at the edges of their knowledge and thus they don’t really interact well with other specialists in even closely related specialisms. Worse they view all problems through their own tool set thus they really do “hammer in screws”.

Anyway time to shift my slowly fossilizing carcass over to the “brown brew with caffeine machine” before I become ossified in reminiscence mode 😉

MarkH February 5, 2013 7:29 AM

@Clive:

Does the “machine” you mentioned have the capability to dispense a cup filled with a liquid that is almost, but not quite, entirely unlike tea?

Vles February 5, 2013 7:31 AM

One idea from IanG over at financialcryptography was to use self signed anonymous certificates to build up trust.

That is you generate a certificate just to post to the service and you use this to sign each posting.

I always sign my posts here with the same string of characters in the email address field…is a lot simpler… 🙂

Clive Robinson February 5, 2013 11:17 AM

@ Mark H,

Does the “machine” you mentioned have the capability to dispense a cup filled with a liquid that is almost, but not quite, entirely unlike tea

Err, no; revolting as it sometimes is, it’s not quite up to Eddy’s improbable abilities [1]. But yes it does make a good source of “brownian motion” to get one to the places you need to get to (I’m still working on the hostess under garments though 😉

[1] And for those that want a drinkable cup of tea, after considerable research may I commend the following recipe. First ensure your kettle is free of loose scale and preferably free of scale altogether. Fill to just the required amount with soft water or water that has been softened that has been “refreshed” by pouring from one jug to another three or four times. Bring to the boil and take off the heat immediately a rolling boil is reached. Pour some into your brown china teapot and let stand for a minute to warm the pot. Pour out the warming water and add a tea bag or leaf tea in a holder. Pour in the required amount of water (approx 900ml) onto the bag. Stir for ten to fifteen seconds and put the lid on the pot and add the tea cosy if using. After three minutes remove the tea bag/holder. Always Always put the milk into the cup first, then pour in the tea, don’t use skimmed or semi-skimmed milk. Depending on taste you need between 10 and 20% milk. If you have a sweet tooth then use a sugar that brings something other than sweetness to the party, most semi refined cane sugars have a molasses content that enhances base notes in a cup of tea and gives a richer flavour as a result. If you have continental tastes then put the tea in first and add freshly squeezed lemon juice from unwaxed lemons. If you have the taste for Russian or Arabic mint tea then you need to use fresh mint leaf from the top of the plant, you roll the leaves and bruise them and add to the pot at the start of the brew process and you leave them in the pot after the tea bag/holder is removed.

Clive Robinson February 5, 2013 11:23 AM

@ Vles,

I always sign my posts here with the same string of characters in the email address field…is a lot simpler… 🙂

Simpler yes, but known to you and the blog admin staff as a minimum and possibly a lot of others as well so is “security by obscurity” compared to “security by signature”.

As has been observed many times before “You pays your money and you makes your choice, change is optional”.

Figureitout February 5, 2013 1:09 PM

The sad thing is you see the new guys come through, they have not learnt the fundamentals well enough
@Clive Robinson
–It’s the new books too. They assume knowledge and the older books really lay out the fundamentals in an easier to learn fashion, they’re just “better”. My dad also shakes his head, a new network engineer he was working with had never even heard of a “capacitor”. Not the kind of people I want setting up important networks…

Nick P February 5, 2013 1:20 PM

@ Vles, Clive

I was PGP-signing my posts here for a while. I later realized that my writing style was unique enough, along with many claims redundant enough, that I was pretty easily identified. People rarely mistake my identity. So, I just put my name on my posts and keep a copy (with link) to all the important ones. I think a URL crypto timestamping service might be useful in this regard too.

@ figureitout

“It’s the new books too. They assume knowledge and the older books really lay out the fundamentals in an easier to learn fashion, they’re just “better”. My dad also shakes his head, a new network engineer he was working with had never even heard of a “capacitor”. Not the kind of people I want setting up important networks…”

I totally agree about new vs old books. I don’t think you really need to know how to wire embedded boards. That’s useful for some projects and I wish I knew more of that stuff. However, most security solutions assume trusted administrator and physical security. That means you mainly just want hardware that works properly, is safe from remote over-the-wire attacks, and system is secure at firmware/software level. Greatly simplifies things.

The Anderson report, MULTICS security evaluation, Lessons learned from MULTICS, and Orange Book gave me a nice foundation. That’s why so many of these “new” “inventions” look kind of old. I kept on reading about the exemplar systems, evaluated products, academic work, military work, etc. Commercial world is catching up a little in some ways. However, Clive’s points about general security engineering skill vs specialists remain true. And people still forget the past.

An example is the paper below on memory attacks and countermeasures. Great piece of work summarizing plenty of clever tactics. My problem? Author didn’t mention (or know) that MULTICS had a stack that grew in reverse direction to prevent overflows. In the 70’s. Academics in 2010 ported that to x86. Memory protection techniques in the likes of KeyKOS and tagged architectures might have defeated some of the other attacks. Yet, the new people are still playing catchup to the old stuff while thinking they’re “ahead of the curve” or “cutting edge.”

http://www.isg.rhul.ac.uk/sullivan/pubs/tr/technicalreport-ir-cs-73.pdf

(Note: maybe the stuff was in there and I overlooked it. Can’t guarantee.)

Figureitout February 5, 2013 11:36 PM

@Nick P
–Thanks for paper, no I saw no mention of the issue. You would be quite the beast if you could rattle off EE knowledge easily on top of your of course very heavy software background.

There’s…too many…attacks…

Wael February 6, 2013 12:37 AM

@ Clive Robinson,

Possibly, or someone who is claiming a little more experience/status than they actually have. This frequently happens when engineers and the like move into management…

How true… This comment was full of pearls of wisdom, not unlike most of your comments :), but I don’t like the sad tone. Gotta make it more cheerful…

As for

so are not generalists but specialists with a very narrow field of view.

A colleague of mine told me a few years ago during interviewing me:

Generalist: Someone who knows less and less about more and more, until they know nothing about everything

Specialist: Someone who knows more and more about less and less, until they know everything about nothing.

They are both doomed, one way or another (sooner or later, that is).

I also noticed that your (soft)keyboard is not misbehaving these days! What happenedddddddddddddddddddd?

Figureitout February 6, 2013 1:57 AM

@Wael
–So, you’re saying everyone knows nothing. In the context of the universe, yes true. In the context of our planet, no. We can’t even comprehend the universe so that’s currently a waste of life. Plus, you can never assume what someone else knows that you don’t b/c of brain complexity and sheer luck.

Regarding Mr. Robinson’s keyboard issues…the script kiddie was “taken care” of..Clive Robinson style 🙂

Keith February 6, 2013 5:11 AM

Clive

On its own the anchor is just about useless, you also need a bucket of gravel or stones to weigh it down before it works. Otherwise it floats alongside…

I assumed when I first saw it that it might partially function like a storm anchor. I.e. to reduce the risk of tipping in interesting weather.
But then there is not much need for that with a canoe.

Eric Hacker February 6, 2013 8:52 AM

As a conscientious security practitioner with many years’ experience I am always fishing for more information to improve my current risk worldview. I believe that there is a lot of FUD in regards to the vulnerabilities in the smart grid. It is through open and frank discussion, without name calling or attributing false motives, that we can improve our understanding. Maybe I am getting old and have lost my engineering edge and can’t see all the weaknesses, or maybe I’m getting wiser and am appropriately discounting well managed threat scenarios. At least I am willing to question my beliefs and open them to scrutiny.

Speaking of names, I used my real name. You can search LinkedIn or elsewhere if you need to see if I am really in the industry.

At the 2010 TCIPG Industry Workshop, I pointed out that a real threat from ToU pricing is the assumption that consumers will always do what one thinks they will do. What if they get angry at the “system” and in mass protest strike back by programming their devices to turn on when the price goes up knowing that the grid is getting overloaded and trying to push it further? But even that doesn’t shut down the big grid, just local areas that get load shed. It could contribute to problems, but other things have to fail as well. At least, that’s my understanding based on the research I’ve read and presentations I’ve seen.

I think the assumption that the devices are programmable to all go on/off synchronized and in rapid succession is not valid. I know it is not true for the two brands of smart meters I’ve seen deployed. There isn’t even the capability to program them to do that. If we’re talking about devices the consumers can program, is that a smart grid risk, or an Internet of things risk?

I also doubt that smart AC controllers would use the grid as a time source, but would be happy to see the specifics if I am wrong.

I also know that the encrypted mesh networks used by smart meters today are not going to become botnets any time soon. Can we talk about real threats and not theoretical FUD? Exactly how does one introduce new code into the meters when they only talk with devices they are allowed to talk with, and they’ve been developed under an SDLC with some security testing? Sure any attack can be done with enough effort, but these are not Siemens PLCs with no security.

I am not saying there is no risk here. I am saying that there is a fair amount of security work already done for smart grid, and that there are other high impact areas that are still comparatively lacking. There are certainly legacy grid systems, not quite so smart but not dumb either, that are very insecure. Overall encouraging smart grid gets these systems replaced with secure ones.

RobertT February 6, 2013 4:32 PM

@ Eric,
Sorry, I’m not into name calling either. I think the big disconnect here is the level of Hacker that we have in mind. I’m focused on state-level actors purposefully developing and weaponizing smart grid attacks. This is not an area for script-kiddies, think about the level of effort to create Stuxnet and double it, triple it or multiply it by a factor of ten.

The point Clive has made earlier is that once deployed the meters have a 25 year lifetime, during which time it is highly improbable that anyone will be turning up at your house to re-flash the meter. Software/security upgrades must then occur over the mesh; this fact alone creates an obvious opportunity for MitM attacks. (BTW It is equally improbable that anyone will turn up at your house to test if the meter software has been tampered with or re-flashed by unknown parties)

From a hacking perspective, there is very little value in “owning” one meter but if once owned, I own it for the next 25 years hmmm, that creates a little more value.

How many smart grid controllers do I need to “own” before I can cause grid instability? This is directly calculable and simulatable. YES the hackers will have very accurate models of the US national electricity grid, remember they are not script kiddies, they are professionals doing their job.

How to gain entry to the meter:
First thing to remember is that this is a high valued target that is deployed in a physically insecure environment. All papers on protecting / securing high value computing assets will start with a discussion on physical security and trusted system administration. If you lack either of these, then your system security is easily compromised. This rule even applies to the most advanced military grade systems, think A1, EAL7, whatever. Check with Nick P on this point.

So for the smart controller, I have 15 years to develop an attack and slowly accumulate meters under my control.

BTW all of the above assumes that the meters didn’t start life already backdoored and effectively just sitting there waiting for the right activation sequence. This takes us on a long discussion about supply chain vulnerabilities that is way outside the scope of this reply, BUT is important to consider when securing any mass produced high value assets.
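As an added example (not code from any commenter or from any meter vendor), the following Go program shows the minimum a meter-side update path needs so that the over-the-mesh upgrade channel RobertT describes is not itself the MitM opportunity: every update is signed by a vendor key whose public half is assumed to be burned into the meter at manufacture, the version number is bound into the signed payload, and a monotonic version check refuses genuine-but-old releases captured from the mesh and replayed later. The message layout, field names, key handling and the "meter" type are all assumptions for illustration; the sample firmware bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareUpdate is a hypothetical update message carried over the meter mesh.
// Layout and field names are assumptions for this example, not a vendor format.
type FirmwareUpdate struct {
	Version uint32 // monotonically increasing release counter
	Image   []byte // the firmware blob
	Sig     []byte // Ed25519 signature over Version || SHA-256(Image)
}

// Meter models only the state needed to check an update: the vendor's public
// key (assumed burned in at manufacture) and the version currently installed.
type Meter struct {
	VendorPub      ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under vendor key")
	ErrRollback     = errors.New("update rejected: version not newer than installed firmware")
)

// GenerateVendorKey creates the vendor's signing keypair. Only the public half
// would ever be present on a meter.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: nothing sensible to do at key generation
	}
	return pub, priv
}

// signedPayload binds the version to the image hash so neither can be swapped
// independently: a signature over (v, image) says nothing about (v', image).
func signedPayload(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	buf := make([]byte, 4+len(digest))
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], digest[:])
	return buf
}

// SignUpdate is what the vendor's release process runs; it never runs on a meter.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) FirmwareUpdate {
	return FirmwareUpdate{
		Version: version,
		Image:   image,
		Sig:     ed25519.Sign(priv, signedPayload(version, image)),
	}
}

// ApplyUpdate is the meter-side check. Signature first, so an unsigned message
// can never influence state; then anti-rollback, so a genuine but old (possibly
// vulnerable) release replayed from the mesh is refused. Only then advance.
func (m *Meter) ApplyUpdate(u FirmwareUpdate) error {
	if !ed25519.Verify(m.VendorPub, signedPayload(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= m.CurrentVersion {
		return ErrRollback
	}
	m.CurrentVersion = u.Version // real firmware would flash u.Image here
	return nil
}

func main() {
	vendorPub, vendorPriv := GenerateVendorKey()
	_, attackerPriv := GenerateVendorKey() // a MitM on the mesh has only its own key
	meter := &Meter{VendorPub: vendorPub, CurrentVersion: 1}

	image := []byte("constructed firmware image, release 2") // sample input, not real firmware
	genuine := SignUpdate(vendorPriv, 2, image)
	tampered := genuine
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0x01 // one bit flipped in transit

	cases := []struct {
		name string
		u    FirmwareUpdate
	}{
		{"tampered image", tampered},
		{"attacker-signed", SignUpdate(attackerPriv, 3, image)},
		{"genuine v2", genuine},
		{"replayed v1", SignUpdate(vendorPriv, 1, []byte("constructed release 1"))},
		{"replayed v2", genuine},
	}
	for _, c := range cases {
		fmt.Printf("%-16s -> %v\n", c.name, meter.ApplyUpdate(c.u))
	}
	fmt.Println("installed version:", meter.CurrentVersion)
}
```

Two caveats a practitioner would add: this closes the tampering and replay windows on the update channel only, and it does nothing about the other two points in the comment, physical access to the meter (a public key on the device cannot be "stolen" to forge updates, but whatever verifies it can be bypassed by someone with the hardware in hand) and a device that shipped already backdoored, which no later update check can retroactively fix.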

Nick P February 7, 2013 3:29 PM

People in the NYT thread have been talking about IT security. Here are a few links that you might enjoy. They’re articles by Roger Grimes, who has pentested plenty of networks.

Safeguard your code: 17 security tips for developers
http://images.infoworld.com/d/application-development/safeguard-your-code-17-security-tips-developers-211339

9 popular IT security practices that just don’t work
https://www.infoworld.com/d/security/9-popular-it-security-practices-just-dont-work-199548?source=rs

I take issue with his arguments against appliances and sandboxing. Most appliances simply aren’t built, configured and maintained correctly. That’s the cause of those problems. Regarding sandboxing, I don’t care how many vulnerabilities white hats find and submit to be patched. I only care if it reduces my risk of being infected by malware. Certain sandboxing strategies do. So, they’re useful.

10 crazy security tricks that work
https://www.infoworld.com/d/security/10-crazy-it-security-tricks-actually-work-196864?source=fssr

Excellent advice in that one. I’ve done a few of these consistently with good results. It surprises people sometimes just how easy it is to throw many attackers off.

My favorite piece of the article. Grimes illustrates the large script kiddie ratio well:

“Years ago, as an experiment, I moved my RDP port from 3889 to 50471 and offered a reward to… find the new port. Two people discovered the port right away… no surprise; because I told them what I did, it’s easy to discover the right spot. What blew me away is that tens of thousands of hacker wannabes, scanning my system for the new port using Nmap, didn’t realize that Nmap, if left to its own defaults, doesn’t look on nondefault ports. It proved that by doing a simple port move you significantly reduce your risk.”

That’s just great. 🙂

Figureitout February 8, 2013 1:28 AM

@Nick P
–Sorry, you really piqued my interest w/ an operational protocol around meteor burst comms. I’ve got a sat.-bounce antenna, but meteors, that’s better/cooler. If you can say anything about problems you ran into/interesting things you learned; much appreciated. Just curious, likely won’t turn it into a commercial solution myself. If you’re trying to keep it under wraps; no prob. I guess, don’t reveal too much (seriously, I’ll find it out).

Figureitout February 8, 2013 2:05 AM

@Nick P
–BTW, this isn’t a god-awful attempt at social E. I am a sincere person, especially when it comes to people I respect (sometimes you can only establish trust w/ people you can physically touch). Again, just tell me “No” if you’d rather keep it encrypted.

md5sum February 8, 2013 4:00 AM

I would like a tree view of the comments, like on http://news.lugnet.com/market/services/?n=449&t=i&v=d with the browser automatically showing in violet (or any color) the posts that I have already read. The news reader FLRN does that too, but it would not scale up to Schneier’s audience if he does not set up a news feed of its comments.

@Clive Robinson: “We’ve even seen “number station” type spam where either the comment or name fields carried what looked like random strings of data.”

My post http://www.schneier.com/blog/archives/2013/01/identifying_peo_4.html#c1112577 has an md5sum of my Google account (salted) in the name field, just to let me authenticate as the author of prior work about rsync of binary files.

@Clive Robinson: “I mentioned it looked odd and the moderator agreed.”

Would you publish the way you report to the moderator ?

Clive Robinson February 8, 2013 4:45 AM

@ Keith,

I assumed when I first saw it that it might partially function like a storm anchor, i.e. to reduce the risk of tipping in interesting weather.

I’ve had to jury-rig a storm anchor out of two oars and a jib sail and a fender, and chucking them over the side was a real test in faith (I did however tie a second ‘trip line’ so I could get them back). It was an eventful 36 hours that I would urge others not to try…

But then there is not much need for that with a canoe

Agh, that depends on how you canoe… I have a friend and their spouse who like sea canoeing and have a large Indian-style Canadian canoe which has been “canvas decked” in (I jokingly say they should register it as a working narrow boat ;). They have been known to actually sleep at sea in it on long journeys, and a sea anchor gives you a degree of stability which makes sleeping and other “domestic” activities considerably easier.

As for getting my name wrong no worries, there are many people out there who think my name is Cliff (and not because I look like one 😉

Clive Robinson February 8, 2013 5:04 AM

@ OFF Topic:

This story is such that at first I thought it was a joke of some kind, however, it appears not.

There was a terrorist attack in Russia where a suicide bomber killed 35 people.

However, during a press conference it became clear that the attack was part of a more concerted series of attacks, one of which had gone wrong due to the way the bomb was designed.

Apparently a woman blew up without harming others because the bomb she was wearing was detonated by a mobile phone on receiving a text message.

Her attack was planned for a crowded area in Moscow on New Year’s Eve, but her mobile phone service provider sent out an unsolicited (i.e. spam) good wishes SMS which caused the bomb to be detonated…

http://www.news.com.au/technology/suicide-bomber-blown-up-prematurely-by-spam-text/story-e6frfro0-1225997374717

Clive Robinson February 8, 2013 9:37 AM

@ md5sum,

Would you publish the way you report to the moderator

I generally do it the way others do, I simply put an entry in the thread concerned and mark it for the moderator or Bruce’s attention with a comment about what I’m drawing to their attention.

For instance if I see a paragraph or comment that’s been taken from an earlier posters comment but has a different name in the name field I simply make a comment to that effect and add the posting URL if required.

If Bruce or the Moderator agree then they take the appropriate action and then remove my entry, otherwise it looks odd in the thread; sometimes they will also leave a reply as well.

Figureitout February 9, 2013 12:23 AM

@Clive Robinson

an unsolicited (i.e. spam) good wishes SMS which

–So…spam partially saved the day? rubs eyes I can feel the ground vibrating from Mod. rage, must be a glitch in the matrix.
