Schneier on Security
A blog covering security and security technology.
« I Seem to Be a Physical Security Expert Now |
| Platform Fragmentation as a Security Issue »
February 8, 2013
Friday Squid Blogging: Squid Recipe
Chorizo-stuffed squid with potatoes, capers and sage.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on February 8, 2013 at 6:28 PM
• 42 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
For a change I though I'd share my favorite squid recipe.
First you need to start by getting the freshest squid possible, best if it is still live. Squid are easy to catch at night if you have a bright light and find a good spot with some weed / rocks and deep holes.
1) in the evening, just after a full moon when High tide occurs at about sunrise, venture out and catch some live squid
2) put live squid in a bucket of saltwater with portable airaetor to keep them alive
3) Store overnight
4) In the wee hours before sunrise awake and prepare.
5) At, or just before sunrise, arrive at your planned squid preparation spot, preferably a rocky headland or beach.
6) Insert 8/0 hook through the top of the squid hood
7) Insert 4/0 hook through one of the squids legs
8) Cast Squid bait attached to 30lb line into a likely looking hole preferable near where waves are breaking
9) Hookup on the ride of your life with a 15Kg Malloway (also known as Jew-fish)
10) If you land the Jewie (which is most improbable) Take it home for a meal that will wow the senses and forever rid you of the desire to find tasty ways to prepare Squid!
An interesting (explosive) read...
That area would include the nation's capital, the administration, congress, and the supreme court. It also includes a rather heavy percentage of the nation's population. Good luck with that ruling. That organization needs to be disbanded and held accountable for their actions against the citizens of this country.
Adobe released an out-of-band update for two critical zero-day vulnerabilities just a few days in advance to its regular monthly patch cycle. The Buffer overflow vulnerability (CVE-2013-0633), which exists in Flash Player can lead to remote code execution or denial of service conditions when exploited.
The wired story is more informative: The DHS's declaration that it can seize and examine (at their own weeks-long pace) any electronics within 100 miles of the US border:
Also, note the time of the late Friday afternoon release of this story.
The PCI Security Standards Council (PCI SSC) published a 50 page PCI DSS Cloud Computing Guidelines Information Supplement, a product of the Cloud Special Interest Group (SIG) on the 7th of February.
The supplement provide guidance around the following primary areas and objectives:
Cloud Overview – provides explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types.
Cloud Provider/Cloud Customer Relationships– outlines different roles and responsibilities across the different cloud models and guidance on how to determine and document these responsibilities.
PCI DSS Considerations – provides guidance and examples to help determine responsibilities for individual PCI DSS requirements, and includes segmentation and scoping considerations.
PCI DSS Compliance Challenges- describes some of the challenges associated with validating PCI DSS compliance in a cloud environment.
Additional Security Considerations – explores a number of business and technical security considerations for the use of cloud technologies.
The document also includes a number of appendices to address specific PCI DSS requirements and implementation scenarios, including:
additional considerations to help determine PCI DSS responsibilities across different cloud service models
sample system inventory for cloud computing environments
sample matrix for documenting how PCI DSS responsibilities are assigned between cloud provider and client and
a starting set of questions that can help in determining how PCI DSS requirements can be met in a particular cloud environment.
Well I've had bacon with lobster before, so pork and seafood is not an unprecedented combo.
But spicy pork sausage infiltrating and concealing itself within a squid carcass sounds like a dangerous form of Trojan Horse to me.
Cryptocat founder is under attack. claims Canadian government tried to acquire cryptocat. Then he's dodging shady people, his computers are acting up, and people seem to know what he's saying on the phone. His blog has also been reduced to a minimalist form.
He's been pretty open about his activities in the past. I have no reason to immediately dismiss his claims. What does the blog think? Canadian backed nation-state attack against cryptographer in action?
What are the top encryption apps for androids?
Can anyone recommend the top encryption apps for androids?
@Blog Reader One - amazingly the complaints seem to be that nobody told the students it was a drill and so they were frightened.
Nobody seemed to be bothered by the fact that kids are staying inside a potentially burning school becauase of an imagined movie plot threat!
What does the blog think?
--More saddening here. Someone else has to live w/ this. First off, I considered Canada somewhere where I could escape this insanity, with fresh air, nice people and clean water that isn't "downstream"; nay like other things this mental illness has "gone global". Second, this (I believe him) will have significant &PERMANENT mental effect on him which will affect everyone new he meets and things he does; b/c he should know that a way of gathering intel is "randomly" befriending a target. Some of them are well trained, and only let a few details slip. I believe since he's managed to put a cryptographic product on the market that he can manage some extreme precautions he's now going to have to take. I hope he can protect his product.
Whatever he decides to do, do NOT kill yourself, Nadim; we need you.
OFF-TOPIC *thank god*
Miny Quadcopters are here. My mind explodes w/ many potential applications; I guess it doesn't help that I was an avid RC car and RC plane hobbyist for most of my life. :)
Business as usual. Just repeat these lines a couple o times and carry on:
Karma police, arrest this man
He talks in maths
He buzzes like a fridge
He's like a detuned radio
@Nick P: "cryptocat"
I think TLA wanted to buy a backdoor in cryptocat. They may have succeeded.
@NobodySpecial: school drill
They are doing more than not leaving, they are barricading themselves in the room. So if there is a real fire, hope that you smell smoke immediately. Otherwise move all the desks in front of the door, and hope you don't start smelling smoke while or after this is accomplished. Perhaps having an acute sense of smell will become a requirement for holding a teaching license.
Brilliant. Let's try to make ourselves more secure against intruders by making ourselves less secure against fires. Let's not worry too much about whether the new policy accomplishes its goal of increased security against intruders or about the (likely) consequences of less security against fires.
Or why not start a fire before starting the 'assembly point b' shooting spree?
Or that suggestion just silly?
Thought this bad trade off might help you kick of your role as a physical security guru. Apparently lifeboat drills kill more people than are saved by lifeboats.
Nothing wrong with lifeboats; just don't test them yourself.
Excellent find. Some safety practices carry non intuitive risks. A great example is keeping emergency exits free of obstacles. Everyone runs toward them, get locked together, people are crushed and many don't make it out. A simulation showed putting a pillar in front of the exit to force the crowd to divide prevented many deaths and more people lived. Partially block door, save more people. Non intuitive, but true.
@moz, the question then is how many people who are currently saved by lifeboats would die if it weren't for the familiarisation from the drills. There may not be suitable statistics available.
Facebook massively breached during test using a 0-day. Responds well.
My favorite part was how they got all the credentials. They used the movable and zoomable security cameras. I've been opposed to networked cameras (and esp online IP cameras) for some time. Talk about using one security setup to totally defeat the purpose of a bunch of others.
I just had a really nasty thought...
What if the TLAs *claimed* that they'd decrypted a secure file that contained clear and incontrovertible proof of something very heinous (perhaps kiddie porn... a terrorist plot... who knows...), certainly worse than what the file actually contained.
About the only way you could wriggle out of it would be to *actually* decrypt the document and demonstrate the lesser offence.
It wouldn't be hard to bamboozle a judge into believing they'd decrypted your file.
This all started when I was musing on the possibility that another decryption key could potentially produce a different plain-text from a given encrypted file. How could you prove it was untrue?
@ Nick P,
. They used the movable and zoomable security cameras. I've been opposed to networked cameras (and esp online IP cameras) for some time
First off the way the story is written I think the cameras were at another pentest site that was not facebook.
That said I call that sort shoulder surfing credential snatch an "End Run" attack and I've cautioned against it a few time on this blog as there is very little a user can do to prevent it with covert or overt cameras unless the user wants to use an umbrella indoors...
As a user not wanting to seem "more than a little odd" or "downright paranoid" to their colleagues by using an umbrella indoors every time they login, another trick is to train yourself to type keys under your hand with the thumb of that hand. It takes a bit of practice but depending on the size of your hand you can cover six to ten keys with your hand held flat. When done with both hands a shoulder surfing attacker is going to have a hard time deciding which thumb is actualy pressing a key etc.
Such end run attacks also show that interesting "security trade off" between the extra security gained by observing "your" employees and the loss of security by outsiders likewise observing "your" employees...
But it's not just video, a similar problem exists with voice recorders on phone networks, especialy where it's been added for "regulatory requirments" such as to catch "insider trading". I know of atleast one occurrence where the back end voice recorder has been hacked on an internal phone network...
So you also need to remember the thing about these cameras is not just what they see but the backends they talk to, many of the network video recorders are likewise easy to get at so even if you cannot get a live feed you can still see the delayed feed and that may be enough on occasion to do the same thing.
But worse it can also mean that the recorded audio/video is at best unreliable at worst a fabrication that will render an "insider investigation" usless.
Then of course behind these backend systems lies yet another backend system, that which backs up the recording systems both short term and long term. In many places it's mandatory to keep atleast a month of video and for regulatory work that is usually a minimum of six months but could be as much as seven years...
And with the extra added bonus of "electronic discovery" now hanging over many peoples heads you need legal advice not just on the backup policy but also on the retention and destruction phases as well. Lest you be charged with some form of "Willful destruction of evidence" pertaining to your jurisdiction or perhaps worse suffer the consiquences of some smart legal team on 30% of damages worming through all your company records looking for things to hang you by to make those damages even fatter...
The funny thing with the IP Cameras is, Bruce posted about not being a "physical security guy" just the other day, did you notice that a few places nearer the top of that list was the guy credited with inventing the IP CCTV camera :-)
What if the TLAs *claimed* that they'd decrypted a secure file that contained clear and incontrovertible proof...
This is true of all Stream Ciphers and the most secure encryption system we know the One Time Pad (OTP).
Infact the OTP security is defined by the fact that "all plaintexts from any given ciphertext are equally probable".
Although harder to show and do the same is assumed to apply to all "random oracle" ciphers which includes block ciphers.
It wouldn't be hard to bamboozle a judge into believing they'd decrypted your file
If any given judge is easy to "bamboozle" then it should be fairly easy to sow sufficient seeds of doubt in their mind such that the see the burden of proof cannot be met.
Thus you would first demonstrate with dice, pencil and paper an OTP but first ask the judge to make up two sentences of different lengths that were entirely unrelated. You would then make two random key streams with the dice and encrypte message 1 with key1 and message2 with key2. You would then put message2 under ciphertext1 and make key3 and then show that key3 is just as random as key1 put then show that for ciphertext1 key1 gives message1 key3 gives message2. Do the same with ciphertext2 and message1 to make key4 and again demonstrate that ciphertext2 decodes to message2 with key2 and message1 with key4. And just to nail the lid down just use the dice to make a fake ciphertext then show how you can make either message 1 or message 2 appear by making two more false key streams..
Even the slowest of judges by this point should be able to see that you can make any given ciphertext give any given message you please.
Then chalenge them prosecution to produce the ciphertext and decryption key infront of the judge, and then chalenge them to prove how they produced the key stream.
The problem for the prosecution is to demonstrate their method of finding a key and then show there can only be "one and only one" key to that given ciphertext...
However slow / easily bamboozeled judges are not the problem, some are biased and will take a view that nomater what you say the prosecution are right. Thus you will have to show your secrets.
But which secrets... There are tricks you can do to kill the prosecution argument stone dead that even the most biased of judges are going to find difficult to stick with the prosecution. The tricks are mean and they are nasty but then so are the prosecution and biased judge, so it evenss the score.
Heres one way,
Get your real secret file and then find a private and intimate photo of you and your favourit squease (by intimate I mean romantic-naughty not top shelf-plainwrapper) thats 25% or more bigger than the real secret file.
Preappend the real secret file with it's length, then expand the file by inserting a random byte after every four real bytes . Then using an appropriate AES mode encrypt the file then add sufficient random bytes to the file to make it of the same length as the picture file.
Call the resulting file K-xxxxxx.key where xxxxxx is a number. Then use it to simply XOR encrypte (basic stream cipher) the picture and call the resulting file P-xxxxxx.yyy where xxxxxx is the same as the K file and yyy is whatever the original picture format is like jpg.
Create two directories on your hard disk, one marked personal pictures the other a hidden directory called K-files. Put the K file in the K-files directory and the P file in the personal pictures directory. You then need to find some more romantic-naught files and using just randomly generated files  make up more K-files and P-files to populate the directories also add lots of other ordinary picture files to the personal picture files.
Now you have a series of naught-but-nice files that are encrypted simply on your HD along with the key files to decrypt them. It should be obvious to all but the densist of judges why you don't want them made public especialy not to a buch of red-neck LEO's. Also that as the pictures all contain you and your current squease (or earlier) then the prosecution are going to have a tough time explaining the files are anything other than what they apear to be.
 There is a problem with the process of generating the random files in the above in that they need a similar statistical property as your original secret file.
 The process of converting the secret file is a little to simplisiticaly regular that is don't pad every fourth byte use some sufficiently random looking but actually determanistic method to make it less structured (say another crypto function)
With regards the Malloway, apparently its's also called the soapie or schoolie in Auz depending on it's size.
I'm told by a friend (who has "a twelve toe in tow") that you want to throw the soapies back as they get their name because of the way they taste. That is 4Kgs or less are not good eating (which is unusual for fish which mostly taste sweeter the smaler they are). Also apparently the reason they are difficult to catch is the way they bite the lure or bait and will often drop it, and the solution is to strike early and hard on a run.
Either way they don't sound like my kind of fish, I'm not a game fisherman, I go for the longshore line and a night in the pub, with fill the freezer the following morning at low tide (that is I fish to eat not for sport, the same as I do hunting).
@ OFF Topic,
In the news, the Pope has said so long and thanks for all the fish fridays to the Cardinals, who thought they were there to hear about three new saints being canonised.
It is said that the leaking of a very large number of Vatican emails/correspondence which showed him as being politicaly weak was in effect the lasst nail for him.
So he's indicated 28th Fed 2013 8pm his Vatican office is vacanti and he's probably off to a Swiss monestary with his extensive personal libray for a life of quite contemplation in exile rather than stay in the Vatican acting as a thorn in the side of whom ever succeeds him...
OFF Topic :
Some of you might have heard of the security company Bit9, who sell to Fortune 500 business.
Most probably did not till they very recently successfuly got attacked because they failed to put their own security software on their own machines....
The result was their signing certificates got compromised and thus malware could appear to have come from Bit9, as atleast three of their major customers have discovered via other companies security software. So I guess mark one up to multilayer diverse sourced security ( onion omelette anyone ;-).
Well there has been a sort of update from Bit9 that reads more like damage limitation,
I guess the moral is "don't put all your eggs in one basket" when it comes to security vendors and use multiple layers of defence no matter how expensive it appears.
But whilst this might be a workable solution for Fortune 500 companies, what about the bulk of employers who range from those "Mom&Pop stores" SOHO's and those organisations with upto 50 salaried/payrolled staff that produce over half the GDP?
For them they have little choice, but to put all their eggs in one basket and with AV vendor products now routienly missing 30% of known malware when subjected to independent testing, their outlook does not look good and this has knock on effects for the whole economy.
And from the UK Guardian News Paper Bruce used to write the occasional piece for,
It appears the defence contractor Raytheon who appear to have a finger in every tax dollar rich pie have come up with another set of bits of software for Governments to use against their citizens and those of other nations via smart phone and social networking etc bread crumbs.
It's called Rapid Information Overlay Technology or RIOT. It falls into the "Extream Analytics" class of application that TLA's, dictators, despots and tax collectors are salivating over.
Supposedly Raytheon has not yet sold it... but they have gone to the lengths of getting it an EAR99 rating which basicaly means any old despot with the cash can buy it no questions asked.
Unsurprisingly this has got the likes of EPIC seriously concerned.
Apparently the RIOT promotional video is also available for download.
re Clive's post / RIOT,
I'm seeing lots of talk of companies, etc looking at 'Big Data'.
Data mining and extrapolation seems to need better / new terms.
i.e. Is it big data is the info is yours. What do we call it whew the 'Extreme Analytics' is based on info 'in the public domain' or other sources and used against you.
We (here) think of the usage and value of our info that we leak, but the lay do not so - yet. and a buzz work to help explain would be handy.
@ Clive Robinson
"That said I call that sort shoulder surfing credential snatch an "End Run" attack and I've cautioned against it a few time on this blog as there is very little a user can do to prevent it with covert or overt cameras unless the user wants to use an umbrella indoors..."
Two factor authentication my friend. However, I think this makes the OTP style methods less secure in face of sophisticated attacker. Perfect Paper Passwords, for instance, has them all on a sheet. The attacker could see quite a few passwords ahead watching just one login. So, it must be dongle, card, biometric, etc.
"The funny thing with the IP Cameras is, Bruce posted about not being a "physical security guy" just the other day, did you notice that a few places nearer the top of that list was the guy credited with inventing the IP CCTV camera :-)"
I didn't notice that. That's funny. Maybe Bruce's image should have leaned across the page telling him "you're doing it wrong." ;)
I'd just like to add: When buying chorizo, check the ingredients first. I don't recommend the "saliva glands and lymph nodes" stuff.
@ Some Dude,
When buying chorizo, check the ingredients first. I don't recommend the...
I guess you might not be from the EU?
Currently ther is a bit of a scandal in the UK and Ireland (and one or two other places) about 100% Beef being anything but.
Basicaly horse DNA has been found from trace to 100% in products supposadly oriiginating from Silvercrest (who supply various of the big stores).
In the UK you sometimes hear Spaghetti Bollognase refered to as "Bolloxnase". Well a cartoon has been drawn with a man and woman sitting about to enjoy a valantines meal in an Itallian bistro and the waiter has just put a plate of spaghetti with two large balls on top infront of the woman "Seniorita your Bollx Neighs"...
Also as both the French and Italians like eating horse meat for as long as I can remember various people in the catering industry have refered to Italian salami as "Donkey Dick"...
Oh and if you realy want to make your stomach churn their is a firm in Europe that turns the skin, and various other not so choice parts (including the guts naughty bits) of pigs, cows, sheep etc into a protien powder that forms a frog spawn like gell to use as meat filler. The trouble is they have some method of destroying the DNA so that it is not possible (using the usual tests) to tell what animal has provided the material...
I guess it's world wide news by now.
The South African olympic gold "Blade Runner" Oscar
The South African Olympic and Paralympic. "Blade Runner" athlete Oscar Pistorius has shot and killed his Girlfriend model l Reeva Steenkamp.
From what has been said so far, Mr Pistorius lives in a "gated community" with high security (not unusual in SA with the crime rates, where some people actually pay security firms to lock them in their homes at night). He however sleeps with a loaded pistol (which is believed to be a licenced firearm).
It has been said his Girlfriend apparently decided to surprise him for valantines day and he shot her a number of times and she died at the scean.
However the SA Police are surprised at this and it appears they have been called to the address before due to disturbance.
Mr Pistorious has been arrested on the charge of murder and is to be taken before magistrates today to decide bail conditions.
With regards your BBC link...
I'm in the UK and get a page that starts,
We're sorry but this site is not accessible from the UK as it is part of our international service and is not funded by the licence fee. It is run commercially by BBC Worldwide, a wholly-owned subsidiary of the BBC...
So can you let us know a bit more so we can find what it is you are mentioning by googling other BBC pages that have the same or similar content.
@ Nick P,
I've lost the page (or plot ;-) where you linked to RSH's and your conversation on the Krebs site. So I'll pop my reply here now the next Squid Friday page is posted.
However I did read through the Krebs page :-)
And what surprises me is how little noise Bit9's failings are generating on line, barley a whisper after the initial pages on one or two sites.
I guess we've become blazei about the theft of code signing etc certs, which is a bit worrying seeing as how difficult it can be to revoke such certs....
@ Clive Robinson
Here's the pastebin link of Richard Steven Hack and I's debate. It was fun. Although nobody commented on Krebs, you can tell people were paying attention: it has 251 hits. :)
"And what surprises me is how little noise Bit9's failings are generating on line, barley a whisper after the initial pages on one or two sites.
I guess we've become blazei about the theft of code signing etc certs, which is a bit worrying seeing as how difficult it can be to revoke such certs.... "
Yeah, I could see the concern. It might not be apathy toward code signing theft per se as much as high profile hacks in general. Long ago, the public was made to believe their desktops getting owned by hackers was inevitable. They might be adopting the view that these kind of breaches are, as well. Plus, it's a name many probably haven't heard of.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..