Friday Squid Blogging: Squid/Whale Yin-Yang

Pretty.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on March 8, 2013 at 4:06 PM • 47 Comments

Comments

Johnston • March 8, 2013 5:04 PM

In the news -- the trainwreck that is Java.

http://isjavavulnerable.com

http://java-0day.com

With mockery comes either serious vendor auditing or public disengagement. My guess is, Orable won't do anything to fix Java, and the public will thus disengage, installation by installation, until it is gone. I hope this is the case, and it should have happened ages ago.
Let's make 2013 the year Java goes away.

Figureitout • March 8, 2013 8:58 PM

@Bruce
--Nice. One of those "focus" pieces of art.

Interesting chemical creation here w/ makeshift security purposes. Like say, very quick bunker making. tubeofyou video too.

Gweihir • March 8, 2013 11:48 PM

@Petréa Mitchell: I have been following this (the botched EA Sim City launch) as well. It really surprises me that they failed so badly. There have been a lot of similar problems in the past and it is almost impossible to not know that getting this right is very hard and that getting the server capacity right is critical. At the same time, a failure like this will stay for a long time in customer memories. And EA was already recently criticized heavily for the "pay to win" micro-transactions in the full-price Dead Space 3. So they have pretty high incentives to get it right. Instead they fail like this and are now frantically scrambling to fix it.

I can only conclude that there is a severe underlying problem here, and that the real reason for this disaster may not be an engineering failure as it seems to be on the surface.

Nick P • March 9, 2013 10:35 AM

@ Gweihir

"I can only conclude that there is a severe underlying problem here, and that the real reason for this disaster may not be an engineering failure as it seems to be on the surface. "

Agreed. I'd go further to say it's a problem with competence. I'm not sure if it's the management, techies or service providers. However, someone is incompetent. My frame of reference for this is the sheer number of launches of online-enabled games that happen without problems. We have the flash games, MMORPGs, retail games with online support, FPSs, etc. EA has had their hand in a few of them. So many games with huge audiences run without huge problems most of the time. Then, this one has half a dozen serious problems ranging from coding issues to capacity planning to authentication failure.

Maybe the management, coders and admins all showed incompetence. It would seem necessary to have failures in all these areas. This isn't saying anything good for EA.

Petréa Mitchell • March 9, 2013 11:27 AM

The CDC's latest attempt to call attention to the end of antibiotics features carbapenem-resistant Enterobacteriaceae (CRE). Not only do they have a 50% mortality rate, some strains have become resistant to every antibiotic we have, leaving hospitals to rely on basic measures like confining those infected away from other patients and tackling the curiously intractable problem of getting medical staff to wash their hands.

Since antibiotic-resistant bacteria generally show up as hospital-acquired infections first before moving into the broader community, this brings up a security tradeoff question: at what point does the benefit of putting a bunch of sick people together for ease of treatment become outweighed by the danger of superbug infection? And what does medical care for life-threatening problems look like after that? Perhaps, like safe rooms, a fashion starts for having a room in your house where a reasonably sterile environment can be maintained for an ill person? Apartment complexes replacing the on-site gym with the on-site clinic? Telemedicine allowing an operating theater to be set up in every neighborhood?

Jon • March 9, 2013 12:41 PM

On hacking the papal vote, I don't think anyone considered the denial of service causable by hacking the smoke.

If you can force the smoke to always come out black...

J.

Petréa Mitchell • March 9, 2013 1:26 PM

kashmarek:

"Google glass will identify people by clothing:"

The original article just says it can take note of what a person is wearing at the moment to help it identify them in crowds or bad lighting as long as they keep the same outfit on. Change your clothes, and it has to be retrained. Also it has to get a good look at the entire outfit to start with.

Petréa Mitchell • March 9, 2013 1:29 PM

Jon:

"If you can force the smoke to always come out black..."

...then people will be a little surprised when the announcement happens, but that's all.

Petréa Mitchell • March 9, 2013 9:30 PM

Best reaction I've seen to the TSA announcement: "The Transportation Security Administration tacitly admitted last week that a big part of its job is a complete waste of time."

And from the same story, Kip Hawley continues to campaign against everything he used to say when he was in charge of the TSA:

But in an interview with CNN, former TSA chief Kip Hawley said allowing sharp objects onto planes was such a good idea, he wished he'd done it himself.

Fortified cockpit doors, improved intelligence and a flying public that knows to fight back are the real deterrents, he explained.

"They ought to let everything on that is sharp and pointy," he told CNN. "Battle axes, machetes…bring anything you want. … While you may be able to commit an act of violence, you will not be able to take over the plane. It is as simple as that."

Gosh, does that sound familiar?

erica • March 10, 2013 1:23 AM

The largest risk factor on passenger planes is not what a passenger may legally or otherwise bring on board. It is the presence of passengers themselves.

Cargo planes - which have no passengers only crew and sometimes cargo-handling specialists - have several orders of magnitude lower risk for hijacking and related unauthorized acquisition exploits.

Therefore, the removal of passengers entirely has to be a national goal to make the airways above our heads safe.

Of course, planes being manufactured to fly only active and deadheading crews will initially cause decreased revenue for the flight operators.

For this reason, some of the TSA's billions should be routed short-term (say a decade) as subsidies for the new crew-only aviation initiatives. This will continue until Google finds some way of monetizing the new situation.

Ac2 • March 10, 2013 1:35 PM

@petrea

Kip has proved the oft-repeated saw that it is difficult for a man to understand something when his livelihood depends on not being able to understand it.

On that note, I went through Heathrow security recently and was pleasantly surprised how low-stress it was.

Clive Robinson • March 10, 2013 7:16 PM

@ Natanael L,

What kind of lock types do you guys prefer?

Ones behind which neither secrets nor valuables are kept, because they only encourage people to break them.

It's sad but true, all mechanical and the majority of electronic locks are fallible, in the case of both because you want them,

A, To work.
B, Be reliable.

And it is also true that the more fancy or imposing-looking the lock, the more attention it attracts, mainly from the curious.

The solution as always is defence in depth, with alarms and short timed response.

So for instance the outermost lock is really just to stop nuisance behavior; the inner locks, in combination with a number of factors, provide the alarm and delay for a reasonable response.

So for argument's sake you have an outer "lock box" with a simple five-pin mechanical lock. Operating this starts a timer. Inside the lock box is a keypad and a more secure electronic card lock. You have to know not just which buttons to press but where in the sequence you have to push in the card.

Another trick of old is anti-bomb-disposal covers. You have a metal plate held down by say eight Torx bolts... You need to know not just which order to start undoing them but how many turns you have to use. You only get one chance to get it right...

Clive Robinson • March 10, 2013 7:49 PM

@ erica,

...what a passenger may legally or otherwise bring on board. It is the presence of passengers themselves.

More correctly it's not the passengers but the passengers' minds.

If a passenger's mind was not functioning for some reason, then they can not really do very much more harm than a package on a cargo plane.

So no more "red eye": it's jump into your PJs, a quick injection of pre-med to get you under, then "stack you in a rack" with "HappyThoughts (TM)" to keep you under until you arrive at your destination nicely refreshed.

From the airline's point of view you are just so much easier to cater for...

I'm sure at least one Exec in every airline has thought how much simpler it would be to go down the "Stack-a-Rack (TM)" and "HappyThoughts (TM)" route and what the cost savings would be...

Petréa Mitchell • March 10, 2013 10:00 PM

Clive:

Personally I think suspended animation would be a major improvement over the present commercial air travel experience.

Clive Robinson • March 11, 2013 5:17 AM

@ Petréa Mitchell,

Personally I think suspended animation would be a major improvement over the present commercial air travel experience

Ahh, "suspended animation" the dream of deep space adventures and SciFi authors :-)

Yes, at first it does seem a nice idea, especially for sleeping through a recession [1], until you've read one of the Gil Hamilton Long Arm of the Law books by Larry Niven, such as Jigsaw Man, about Organleggers...

Or even this Register article,

http://www.theregister.co.uk/2010/08/20/...

And comments,

http://forums.theregister.co.uk/forum/1/2010/08/...

Especially that one about freezing flies and gluing them to aircraft models to use as tiny engines...

[1] Obligatory Douglas Adams reference to the planet-making planet Magrathea.

Clive Robinson • March 11, 2013 5:25 AM

@ Natanael L,

Why not combine the Japanese tiny drawer-like bed hotels with airplane travel

The idea has occurred in a Bruce Willis film, where he gets on a flight to Paradise to get some stones out of a Diva... So that he and a scantily clad actress can go save the world...

The downside of course is the turnaround time of the aircraft. If you consider the pre-med and wake up times...

Mind you it might stop you waking up in a crate at one of those "lost baggage" auctions...

TwelveZeroZero • March 11, 2013 5:36 AM

Clive: Ever read the Stephen King short story "The Jaunt"? It is about a family waiting for sedation before they can travel by teleportation.

scorche • March 11, 2013 12:31 PM

@ Clive:

Ones behind which neither secrets nor valuables are kept, because they only encourage people to break them.

It's sad but true, all mechanical and the majority of electronic locks are fallible, in the case of both because you want them,

A, To work.
B, Be reliable.

Of course there is no perfect solution, but as with anything else, one must do a risk assessment and figure out what one is trying to protect against. You seem to categorically discount locks for some reason. I also do not understand why you say that all mechanical and some electronic locks are fallible. Fallible in what sense? In general, mechanical locks are often more "secure" (for a variety of definitions for that word) than electronic locks.

And it is also true that the more fancy or imposing-looking the lock, the more attention it attracts, mainly from the curious.

So we should just put cheap, crap locks on everything? This argument is mostly bunk. It greatly depends on what one is securing and where, but there are *many* situations where placing a good lock on a door will not attract additional attention.

The solution as always is defence in depth, with alarms and short timed response.

Sure, but very few will implement the Rube Goldberg-esque arrangement you propose.

One must understand the purpose of a high-security lock within a proper security solution (proper security solution including things like a solid door, lack of hung ceilings, etc). A high-security lock mainly extends the response window for a company. It doesn't do any good to have a guard patrol every 10 minutes or take 5 minutes to respond to a detection if a lock takes 10 seconds to open. A good lock will extend this and can enable a company to have a response window fitting their security process. A very high-security lock will accomplish another thing for a company. The top-tier of locks which have no known non-destructive attack method will force a potential attacker to use destructive methods to breach one's defenses. This is ideal (as far as breaches go), as then one can engage one's incident response teams and deal with the situation.
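A small timeline model of the point made in this comment and in Clive's layered "lock box" comment above (the outer lock starts a timer; the inner layers buy time for the response). This is an added example, my own code rather than anything posted by either commenter, and every layer name, delay figure and response time in it is a constructed sample value. The rule it encodes is the one both comments rely on: only delay an intruder must spend after an alarm has been raised counts toward the response window, so a cheap outer lock that starts a timer is worth more than its own few seconds of resistance, and a strong lock with nothing alarmed behind it (and no one watching the attack) adds nothing at all.

```python
"""Detection / delay / response model for a layered physical barrier.

Added illustration, not code from the blog post or its commenters. Layer
names, delay figures and response times are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass

DETECT_MODES = ("none", "on_open", "on_attack")


@dataclass(frozen=True)
class Layer:
    name: str
    delay_s: int            # seconds an intruder needs to defeat this layer (constructed)
    detect: str = "none"    # "none": silent; "on_open": timer starts once the layer is opened
                            # (Clive's outer lock box); "on_attack": a sensor or guard sees
                            # the attempt itself, so the layer's own delay counts too

    def __post_init__(self) -> None:
        if self.detect not in DETECT_MODES:
            raise ValueError(f"unknown detect mode {self.detect!r}")


def response_window(layers: list[Layer]) -> int:
    """Seconds of remaining intruder effort once the first alarm has fired.

    Delay burned before any alarm is 'silent delay': nobody has been called
    yet, so it does not help the responders and is excluded.
    """
    window = 0
    alarm_raised = False
    for layer in layers:
        if layer.detect == "on_attack":
            alarm_raised = True            # alarm fires as the attack starts
        if alarm_raised:
            window += layer.delay_s
        if layer.detect == "on_open":
            alarm_raised = True            # timer starts only once this layer is open
    return window


def silent_delay(layers: list[Layer]) -> int:
    """Delay an intruder can spend before anyone is notified."""
    return sum(layer.delay_s for layer in layers) - response_window(layers)


def holds(layers: list[Layer], response_s: int) -> bool:
    """True when responders, arriving response_s seconds after the alarm,
    get there before the last layer falls."""
    return response_window(layers) > response_s


# Constructed sample configurations.
SINGLE_UNWATCHED = [Layer("high-security door lock, alarmed on opening", 600, "on_open")]
SINGLE_WATCHED = [Layer("high-security door lock with tamper sensor", 600, "on_attack")]
LAYERED = [
    Layer("outer five-pin lock box (starts timer)", 20, "on_open"),
    Layer("keypad + card sequence", 180),
    Layer("inner dead-bolted door", 120),
]

if __name__ == "__main__":
    for label, layers in (("unwatched single lock", SINGLE_UNWATCHED),
                          ("watched single lock", SINGLE_WATCHED),
                          ("layered", LAYERED)):
        print(f"{label}: silent delay {silent_delay(layers)}s, "
              f"response window {response_window(layers)}s, "
              f"holds against a 4-minute response: {holds(layers, 240)}")
```

The two single-lock cases are the crux of the disagreement: the same 600-second lock gives a zero-second window when it is only alarmed on opening, and a 600-second window when the attack on it is itself detected, which is the "extends the response window" role scorche describes.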

Clive Robinson • March 11, 2013 2:00 PM

@ scorche,

You seem to categorically discount locks for some reason

Not as such; my answer was in relation to a specific question which was loaded against the premise that an attacker could photograph the key and then cut a duplicate (context is a wonderful thing).

I used to design locks for a living and, trust me, in the main they are nowhere near as secure as they could be for a whole multitude of reasons. But at the end of the day most locks you will come across are actually mechanical in the locking part of the mechanism (i.e. there are not that many, proportionately, that use electromagnetic holding).

Essentially "a lock" consists of two parts: the mechanical part that provides the locking or holding function (strike etc.) and the actuator that contains the secret in the form of the key profile etc.

The linkage between the lock strike and the human is generally not particularly hard/strong in nature, as a human has to operate it with comfort in a reasonably short time, and in the case of a mechanical key you don't want it to wear down, and in the case of an electronic, usually battery, lock you don't want the battery to run down too quickly.

Because both of these happen rather more often than you would think compared to people actually picking locks or drilling them etc., there is usually a hidden weak point for a locksmith to get the door open in some way.

With regards,

So we should just put cheap, crap locks on everything? This argument is mostly bunk

Again context is everything.

Look on the cheap crappy lock not as a point of physical security but as a sacrificial goat. Its sole purpose is to provide warning/time in the lowest cost way; the physical security begins behind it, which is why I talked about defence in depth.

You really don't want an expensive, difficult to repair/replace lock to be your first line in defence but your last. Banks are well aware of this with vault doors behind stout wooden doors behind the counter barrier which lies behind the glass front door. There are a whole variety of good well tested reasons for doing things this way which you can go look up.

It is actually very common and very far from your description of,

Sure, but very few will implement the Rube Goldberg-esque arrangement you propose.

The purpose of using a keypad and card in a special sequence is multi-purpose and can be made to act in a number of ways including anti-duress alarms and extra dead bolting lock out etc.

The point is it takes a simple one factor lock to a two factor lock, which makes an attacker's job a lot lot harder.

Even the "antipersonnel" features on munitions etc. are well established and despite internationally agreed treaties still very much in evidence.

But contrary to your long description at the end most people actually want the minimum of damage in the deterrent not just because it's inordinately expensive to repair but because in the security business most people do not like to advertise any weakness, nor do they want their normal day to day operations suspended. Something any security consultant with a few years under their belt would quite happily tell you.
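The keypad-plus-card lock that Clive sketches here and in his earlier comment (the card has to be presented at a secret point in the button sequence, a duress variant raises an alarm, and repeated failures dead-bolt the lock) is easy to express as a small controller. The block below is an added example, my own code and not anything posted in the thread; the PIN, card id, duress PIN and failure threshold are all constructed sample values, and storing the sequence as a hash with a constant-time comparison is my own choice rather than anything the comment specifies.

```python
"""Two-factor sequence lock: keypad digits with a card swipe at a secret
position, a duress variant that opens but alarms, and a failure lockout.

Added illustration, not code from the blog post or its commenters. All
codes, card ids and thresholds are constructed sample values.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from hashlib import sha256


def _digest(events: tuple[str, ...]) -> bytes:
    # Keep only a hash of each valid sequence so the controller never holds
    # the PIN or card id in the clear; compare digests in constant time.
    return sha256("|".join(events).encode()).digest()


@dataclass
class SequenceLock:
    normal: bytes                 # digest of the correct sequence
    duress: bytes                 # digest of the duress sequence
    max_failures: int = 3
    buffer: list[str] = field(default_factory=list)
    failures: int = 0
    locked_out: bool = False
    alarms: list[str] = field(default_factory=list)   # what the monitoring side sees

    def _event(self, token: str) -> None:
        if not self.locked_out:
            self.buffer.append(token)

    def press(self, digit: str) -> None:
        self._event(f"key:{digit}")

    def swipe(self, card_id: str) -> None:
        self._event(f"card:{card_id}")

    def enter(self) -> str:
        """Evaluate the buffered sequence: 'open', 'open_duress', 'denied' or 'locked_out'."""
        if self.locked_out:
            return "locked_out"
        attempt = _digest(tuple(self.buffer))
        self.buffer.clear()
        if hmac.compare_digest(attempt, self.normal):
            self.failures = 0
            return "open"
        if hmac.compare_digest(attempt, self.duress):
            self.failures = 0
            self.alarms.append("duress")   # door opens normally; responders are notified silently
            return "open_duress"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_out = True         # extra dead-bolt until an authorised reset
            self.alarms.append("lockout")
        return "denied"


def make_lock(pin: str, card_id: str, card_position: int, duress_pin: str) -> SequenceLock:
    """Build a lock whose secret is the PIN digits with the card swiped after
    `card_position` digits (constructed policy; position is part of the secret)."""
    def sequence(p: str) -> tuple[str, ...]:
        events = [f"key:{d}" for d in p]
        events.insert(card_position, f"card:{card_id}")
        return tuple(events)
    return SequenceLock(normal=_digest(sequence(pin)), duress=_digest(sequence(duress_pin)))


def run(lock: SequenceLock, tokens: str, card_id: str) -> str:
    """Feed a token string such as '47C1', where 'C' means 'swipe the card'."""
    for t in tokens:
        if t == "C":
            lock.swipe(card_id)
        else:
            lock.press(t)
    return lock.enter()


if __name__ == "__main__":
    lock = make_lock(pin="471", card_id="card-0042", card_position=2, duress_pin="479")
    for attempt in ("47C1", "471C", "47C9"):
        print(attempt, "->", run(lock, attempt, "card-0042"), "alarms:", lock.alarms)
```

Note what the two-factor structure buys: the right digits with the card in the wrong place, or the right sequence with a copied but wrong card, are both plain failures, and three of them in a row bolt the door and page the monitoring side.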

scorche • March 11, 2013 2:16 PM

Not as such; my answer was in relation to a specific question which was loaded against the premise that an attacker could photograph the key and then cut a duplicate (context is a wonderful thing).

This is not so much an issue with the lock, as it is the method of carry then. There are multiple products that keep the key obscured until use. There are also many key designs that would be much harder to decode from a photo than the average pin-tumbler.

Because both of these happen rather more often than you would think compared to people actually picking locks or drilling them etc., there is usually a hidden weak point for a locksmith to get the door open in some way.

Usually? Sure. However, this is what a higher level of security hardware exists for. Not all have a "hidden weak point"...

You really don't want an expensive, difficult to repair/replace lock to be your first line in defence but your last. Banks are well aware of this with vault doors behind stout wooden doors behind the counter barrier which lies behind the glass front door. There are a whole variety of good well tested reasons for doing things this way which you can go look up.

I don't see why what I was saying disagrees with this. What I was responding to at this point was your "...the more attention it attracts" comment.

But contrary to your long description at the end most people actually want the minimum of damage in the deterrent not just because it's inordinately expensive to repair but because in the security business most people do not like to advertise any weakness, nor do they want their normal day to day operations suspended. Something any security consultant with a few years under their belt would quite happily tell you.

This is why I said in the very beginning that one must do a risk assessment and figure out one's requirements. But, I am not sure what you are getting at here. What I was saying is that part of the purpose of a very high-security lock in the typical scenario (though this is quite vague, I grant you...) is to force an attacker to use destructive means to get access rather than use a non-destructive method such as picking or a bypass to get access. Are you seriously suggesting that most people would rather weaken their security and be vulnerable to non-destructive methods than protect against that which would force an attacker to use destructive methods to get past?

Figureitout • March 11, 2013 4:01 PM

@scorche
--I think Clive's referring to being unable to open the lock and not attracting attention. So based off your risk assessment, you've had multiple attacks and need the MegaLock; regardless of the time it takes away from getting real work done. You've accounted for all the backdoors you (and other brain types) can think of that would render the lock null. Knowing Clive, he may have heard of your MegaLock, maybe not (he is human, I think).

Btw, I've seen people get waved in by security staff where person had not only the wrong type of card, but an entirely different person (different ethnicity too).

Clive Robinson • March 11, 2013 6:46 PM

OFF Topic:

I don't read Forbes as much as I used to for reasons I won't go into. So I've only just seen this little gem,

http://www.forbes.com/sites/kashmirhill/2013/03/...

And not being a person who visits the US any more, it introduced me to something new, the "Sovereign Movement": weird, but I guess not exactly unexpected. It has that wonderful ring of absurdity about it where somebody says "I don't recognise your authority" and the other party says basically "I don't care, have some of this to prove I don't care, and have some more so others don't do the same". If it was not the Federal Gov doing it, it would be called a "Protection Racket" and the perpetrators subjected to some really unpleasant punishment, but as they are the Feds, well, "Business as Usual".

Figureitout • March 12, 2013 1:24 AM

@Clive Robinson
--What you think is weird is just the reactions to a police state. It'll get worse, much worse. All of which is wasting time and distracting from science (like unnecessary security) that isn't discovering itself and the human species will die off on planet Earth.

*Warning To All* Known attackers are moving on from me and will be attaching themselves to another host soon. Black family from California w/ a son named "Julian", maybe you'll see the probation officers at their home. Never goes outside, drives a BMW and Range Rover. I held them off as long as I could.

Clive Robinson • March 12, 2013 7:35 AM

@ Petréa Mitchell,

Ah, the sovereign citizens, the right wing's answer to New Age talismanic magic.

I see what you mean.

Mind you, "eat my paper" is marginally better than "eat my lead".

But it highlights one thing: the gaps in US property laws that allow all sorts of shenanigans. I'm aware of some of it from notary fraud, but I'd have thought someone would have got around to fixing some of the more lax parts since the 1900s Noyes-McKenzie claim-jumping up in Nome, Alaska.

Clive Robinson • March 12, 2013 6:14 PM

OFF Topic:

@ Bruce,

Not sure if you've read either this article or other articles relating to it,

http://www.csoonline.com/article/730015/...

Basically researchers have looked at data in a DNA database and, by tracing anomalies in the Y (male) chromosome, have been able to put family names to unidentified DNA samples, thus very much narrowing down the list of people it can belong to.

Once more, as Ross J Anderson has pointed out in the past, anonymity gets stripped from medical data even though promises have been made that data is "sufficiently anonymous to prevent this".

Natanael L • March 13, 2013 11:42 AM

@Auroch: No reason it would be bad for anonymity. It could absolutely have the site identify itself *to the ring* before the ring reveals anything, and it would have unique profiles per site.

Clive Robinson • March 13, 2013 11:50 PM

@ Nick P,

Two cryptographers get the Turing Award for their work

I know they are not quite "household names" even in the security industry, but they do deserve the award (shame they have to split the cash between them).

Clive Robinson • March 15, 2013 5:41 AM

OFF Topic:

SSL attacks are back on the menu in a way that proves two points,

1, Attacks only get better.
2, Two methods are better than the sum of their parts.

Last year we had the CRIME attack which used a problem with the use of compression to fairly efficiently guess at secret data sent from the client. The major downside of the attack was having to sit on the network and observe the actual SSL traffic.

This year we have TIME that uses the same compression attack, but this time on traffic from the server, BUT importantly it uses statistical timing on response times so does not need to observe the network traffic...

http://www.computerworld.com/s/article/9237593/...
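The mechanism both CRIME and TIME depend on is simple enough to show in a few lines: when a secret and attacker-influenced text are compressed in the same stream, the compressed size changes according to how much of the attacker's text matches the secret, so the size (or, for TIME, the time it takes to handle it) becomes an oracle. The block below is an added example, my own code rather than anything from the comment or the linked article; the cookie value, the request template and the candidate alphabet are constructed. It checks a record under the two settings the comment contrasts, compression on (size varies with the guess, which is the leak) and compression off (size fixed), which is why turning off compression of secret-bearing data was the deployed mitigation.

```python
"""Compression as a length oracle: the principle behind CRIME/TIME.

Added illustration, not code from the blog post, the comment or the
linked article. The secret, request template and alphabet are constructed.
"""
from __future__ import annotations

import zlib

SECRET_COOKIE = "session=7f3a9c"   # constructed sample secret
CANDIDATES = "0123456789abcdef"    # alphabet of a hex session id


def record_length(attacker_text: str, compress: bool = True) -> int:
    """Size of one record that carries both the secret cookie and text the
    other side can influence (here, a query string echoed into the request)."""
    body = (f"GET /?q={attacker_text} HTTP/1.1\r\n"
            f"Cookie: {SECRET_COOKIE}\r\n\r\n").encode()
    return len(zlib.compress(body, 9)) if compress else len(body)


def length_varies_with_guess(known_prefix: str, compress: bool = True) -> bool:
    """Does varying a single unknown character after a known prefix change the
    record size?  True means the size reveals something about the secret."""
    sizes = {record_length(known_prefix + c, compress) for c in CANDIDATES}
    return len(sizes) > 1


def audit(known_prefix: str) -> dict[str, bool]:
    """Defender's check: does this record leak under each setting?"""
    return {
        "compression_on": length_varies_with_guess(known_prefix, compress=True),
        "compression_off": length_varies_with_guess(known_prefix, compress=False),
    }


if __name__ == "__main__":
    # Known prefix is everything but the last hex digit of the cookie value.
    print(audit("session=7f3a9"))
```

With compression off every candidate produces the same 59-byte record, so there is nothing for a length or timing measurement to latch onto; the mitigation is to stop mixing secrets with untrusted input in one compression context, not to make the measurement harder.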
