Friday Squid Blogging: Squid/Whale Yin-Yang
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Johnston • March 8, 2013 5:04 PM
In the news — the trainwreck that is Java.
With mockery comes either serious vendor auditing or public disengagement. My guess is, Orable won’t do anything to fix Java, and the public will thus disengage, installation by installation, until it is gone. I hope this is the case, and it should have happened ages ago.
Let’s make 2013 the year Java goes away.
Massimiliano Lincetto • March 8, 2013 5:45 PM
Interesting case about social engineering used to smuggle drugs: http://www.nytimes.com/2013/03/10/magazine/the-professor-the-bikini-model-and-the-suitcase-full-of-trouble.html
cshannon • March 8, 2013 5:54 PM
TSA is planning a partial lift on knives, and some sports gear in April. Bats will be allowed if shorter than 24 inches, golf clubs are limited to two per passenger, pool cues, hockey and lacrosse sticks will be allowed as well.
Figureitout • March 8, 2013 8:58 PM
@Bruce
–Nice. One of those “focus” pieces of art.
Interesting chemical creation here w/ makeshift security purposes. Like say, very quick bunker making. tubeofyou video too.
Petréa Mitchell • March 8, 2013 10:05 PM
Once again, a highly-anticipated game requiring online authentication overloads its authentication servers on release day.
PCGames has various updates here, including some details of how the game is being frantically updated to relieve the problem.
Gweihir • March 8, 2013 11:48 PM
@Petréa Mitchell: I have been following this (the botched EA Sim City launch) as well. It really surprises me that they failed so badly. There have been a lot of similar problems in the past and it is almost impossible to not know that getting this right is very hard and that getting the server capacity right is critical. At the same time, a failure like this will stay for a long time in customer memories. And EA was already recently criticized heavily for the “pay to win” micro-transactions in the full-price Dead Space 3. So they have pretty high incentives to get it right. Instead they fail like this and are now frantically scrambling to fix it.
I can only conclude that there is a severe underlying problem here, and that the real reason for this disaster may not be an engineering failure as it seems to be on the surface.
kashmarek • March 9, 2013 6:17 AM
4th amendment applies at the border:
Administration supports journalist arrested for recording cops:
Google glass will identify people by clothing:
http://tech.slashdot.org/story/13/03/08/2027201/google-glass-will-identify-people-by-clothing
Nick P • March 9, 2013 10:35 AM
@ Gweihir
“I can only conclude that there is a severe underlying problem here, and that the real reason for this disaster may not be an engineering failure as it seems to be on the surface.”
Agreed. I’d go further to say it’s a problem with competence. I’m not sure if it’s the management, techies or service providers. However, someone is incompetent. My frame of reference for this is the sheer number of launches of online-enabled games that happen without problems. We have the flash games, MMORPG’s, retail games with online support, FPS’s, etc. EA has had their hand in a few of them. So many games with huge audiences run without huge problems most of the time. Then, this one has half a dozen serious problems ranging from coding issues to capacity planning to authentication failure.
Maybe the management, coders and admins all showed incompetence. It would seem necessary to have failures in all these areas. This isn’t saying anything good for EA.
Spaceman Spiff • March 9, 2013 11:13 AM
In case you haven’t seen this: http://www.ted.com/talks/edith_widder_how_we_found_the_giant_squid.html
Petréa Mitchell • March 9, 2013 11:27 AM
The CDC’s latest attempt to call attention to the end of antibiotics features carbapenem-resistant Enterobacteriaceae (CRE). Not only do they have a 50% mortality rate, some strains have become resistant to every antibiotic we have, leaving hospitals to rely on basic measures like confining those infected away from other patients and tackling the curiously intractable problem of getting medical staff to wash their hands.
Since antibiotic-resistant bacteria generally show up as hospital-acquired infections first before moving into the broader community, this brings up a security tradeoff question: at what point does the benefit of putting a bunch of sick people together for ease of treatment become outweighed by the danger of superbug infection? And what does medical care for life-threatening problems look like after that? Perhaps, like safe rooms, a fashion starts for having a room in your house where a reasonably sterile environment can be maintained for an ill person? Apartment complexes replacing the on-site gym with the on-site clinic? Telemedicine allowing an operating theater to be set up in every neighborhood?
Jon • March 9, 2013 12:41 PM
On hacking the papal vote, I don’t think anyone considered the denial of service that could be caused by hacking the smoke.
If you can force the smoke to always come out black…
J.
Nick P • March 9, 2013 1:24 PM
Pwnium 3 concludes. Chromebook survives despite $3.14 million prize. (Or is that a $π million prize? 8)
http://paritynews.com/security/item/773-chrome-os-remains-undefeated-at-pwnium-3
Petréa Mitchell • March 9, 2013 1:26 PM
kashmarek:
“Google glass will identify people by clothing:”
The original article just says it can take note of what a person is wearing at the moment to help it identify them in crowds or bad lighting as long as they keep the same outfit on. Change your clothes, and it has to be retrained. Also it has to get a good look at the entire outfit to start with.
Petréa Mitchell • March 9, 2013 1:29 PM
Jon:
“If you can force the smoke to always come out black…”
…then people will be a little surprised when the announcement happens, but that’s all.
Petréa Mitchell • March 9, 2013 9:30 PM
Best reaction I’ve seen to the TSA announcement: “The Transportation Security Administration tacitly admitted last week that a big part of its job is a complete waste of time.”
And from the same story, Kip Hawley continues to campaign against everything he used to say when he was in charge of the TSA:
But in an interview with CNN, former TSA chief Kip Hawley said allowing sharp objects onto planes was such a good idea, he wished he’d done it himself.
Fortified cockpit doors, improved intelligence and a flying public that knows to fight back are the real deterrents, he explained.
“They ought to let everything on that is sharp and pointy,” he told CNN. “Battle axes, machetes…bring anything you want. … While you may be able to commit an act of violence, you will not be able to take over the plane. It is as simple as that.”
Gosh, does that sound familiar?
erica • March 10, 2013 1:23 AM
The largest risk factor on passenger planes is not what a passenger may legally or otherwise bring on board. It is the presence of passengers themselves.
Cargo planes – which have no passengers only crew and sometimes cargo-handling specialists – have several orders of magnitude lower risk for hijacking and related unauthorized acquisition exploits.
Therefore, the removal of passengers entirely has to be a national goal to make the airways above our heads safe.
Of course, planes being manufactured to fly only active and deadheading crews will initially cause decreased revenue for the flight operators.
For this reason, some of the TSA’s billions should be routed short-term (say a decade) as subsidies for the new crew-only aviation initiatives. This will continue until Google finds some way of monetizing the new situation.
Rodrigo • March 10, 2013 10:35 AM
I thought you would post this this Friday:
By the way, your Twitter feed is not working since the porn scam post.
Fil • March 10, 2013 10:51 AM
Former Newark Airport TSA screener says the job does little to keep fliers safe
Seems like the agent in question is mostly sad they have to use the back of their hand for part of the patdown.
Ac2 • March 10, 2013 1:35 PM
@petrea
Kip has proved the oft repeated saw that it is difficult for a man to understand something when his livelihood depends on not being able to understand it.
On that note went through Heathrow security recently and pleasantly surprised how low stress it was.
Natanael L • March 10, 2013 6:56 PM
Remember that piece of software that reconstructs keys from photos?
http://vision.ucsd.edu/~blaxton/sneakey.html
Guess what happens when you combine that with Google Glass.
(I made a post about it on the blog linked in my nickname, too.)
What kind of lock types do you guys prefer?
Clive Robinson • March 10, 2013 7:16 PM
@ Natanael L,
What kind of lock types do you guys prefer?
Ones behind which neither secrets nor valuables are kept, because they only encourage people to break them.
It’s sad but true, all mechanical and the majority of electronic locks are fallible, in the case of both because you want them,
A, To work.
B, Be reliable.
And it is also true that the more fancy or imposing looking the lock the more attention it attracts, mainly from the curious.
The solution as always is defence in depth, with alarms and short timed response.
So for instance the outermost lock is really just to stop nuisance behavior, the inner locks in combination of a number of factors provide the alarm and delay for a reasonable response.
So for argument’s sake you have an outer “lock box” with a simple five pin mechanical lock. Operating this starts a timer. Inside the lock box is a keypad and a more secure electronic card lock. You have to know not just which buttons to press but where in the sequence you have to push in the card.
Another trick of old is anti-bomb-disposal covers. You have a metal plate held down by say eight Torx bolts… You need to know not just which order to start undoing them but how many turns you have to use. You only get one chance to get it right…
Clive Robinson • March 10, 2013 7:49 PM
@ erica,
…what a passenger may legally or otherwise bring on board. It is the presence of passengers themselves.
More correctly it’s not the passengers but the passengers minds.
If a passenger’s mind was not functioning for some reason, then they cannot really do very much more harm than a package on a cargo plane.
So no more “red eye”, it’s jump into your PJs, a quick injection of pre-med to get you under, then “stack you in a rack” with “HappyThoughts (TM)” to keep you under until you arrive at your destination nicely refreshed.
From the airlines point of view you are just so much easier to cater for…
I’m sure at least one Exec in every airline has thought how much simpler it would be to go down the “Stack-a-Rack (TM)” and “HappyThoughts (TM)” route and what the cost savings would be…
Petréa Mitchell • March 10, 2013 10:00 PM
Clive:
Personally I think suspended animation would be a major improvement over the present commercial air travel experience.
Natanael L • March 10, 2013 11:58 PM
Clive: Why not combine the Japanese tiny drawer-like bed hotels with airplane travels?
Clive Robinson • March 11, 2013 5:17 AM
@ Petréa Mitchell,
Personally I think suspended animation would be a major improvement over the present commercial air travel experience
Ahh, “suspended animation” the dream of deep space adventures and SciFi authors 🙂
Yes, at first it does seem a nice idea, especially for sleeping through a recession [1], until you’ve read one of the Gil Hamilton Long Arm of the Law books by Larry Niven such as Jigsaw Man about Organleggers…
Or even this Register article,
http://www.theregister.co.uk/2010/08/20/organ_bank_research/
And comments,
http://forums.theregister.co.uk/forum/1/2010/08/20/organ_bank_research/
Especially that one about freezing flies and gluing them to aircraft models to use as tiny engines…
[1] Obligatory Douglas Adams reference to the planet-making planet Magrathea.
Clive Robinson • March 11, 2013 5:25 AM
@ Natanael L,
Why not combine the Japanese tiny drawer-like bed hotels with airplane travels
The idea has occurred in a Bruce Willis film, where he gets on a flight to Paradise to get some stones out of a Diva… So that he and a scantily clad actress can go save the world…
The downside of course is the turn around time of the aircraft. If you consider the pre-med and wake up times…
Mind you it might stop you waking up in a crate at one of those “lost baggage” auctions…
TwelveZeroZero • March 11, 2013 5:36 AM
Clive: Ever read the Stephen King short story “The Jaunt”? It is about a family waiting for sedation before they can travel by teleportation.
scorche • March 11, 2013 12:31 PM
@ Clive:
Ones behind which neither secrets nor valuables are kept, because they only encourage people to break them.
It’s sad but true, all mechanical and the majority of electronic locks are fallible, in the case of both because you want them,
A, To work.
B, Be reliable.
Of course there is no perfect solution, but as with anything else, one must do a risk assessment and figure out what one is trying to protect against. You seem to categorically discount locks for some reason. I also do not understand why you say that all mechanical and some electronic locks are fallible. Fallible in what sense? In general, mechanical locks are often more “secure” (for a variety of definitions for that word) than electronic locks.
And it is also true that the more fancy or imposing looking the lock the more attention it attracts, mainly from the curious.
So we should just put cheap, crap locks on everything? This argument is mostly bunk. It greatly depends on what one is securing and where, but there are many situations where placing a good lock on a door will not attract additional attention.
The solution as always is defence in depth, with alarms and short timed response.
Sure, but very few will implement the rube-goldberg-esque arrangement you propose.
One must understand the purpose of a high-security lock within a proper security solution (proper security solution including things like a solid door, lack of hung ceilings, etc). A high-security lock mainly extends the response window for a company. It doesn’t do any good to have a guard patrol every 10 minutes or take 5 minutes to respond to a detection if a lock takes 10 seconds to open. A good lock will extend this and can enable a company to have a response window fitting their security process. A very high-security lock will accomplish another thing for a company. The top-tier of locks which have no known non-destructive attack method will force a potential attacker to use destructive methods to breach one’s defenses. This is ideal (as far as breaches go), as then one can engage one’s incident response teams and deal with the situation.
Clive Robinson • March 11, 2013 2:00 PM
@ scorche,
You seem to categorically discount locks for some reason
Not as such my answer was in relation to a specific question which was loaded against the premise that an attacker could photograph the key and then cut a duplicate (context is a wonderful thing).
I used to design locks for a living and trust me in the main they are nowhere as secure as they could be for a whole multitude of reasons. But at the end of the day most locks you will come across are actually mechanical in the locking part of the mechanism (ie there are not that many proportionately that use electromagnetic holding).
Essentially “a lock” consists of two parts. The mechanical part that provides the locking or holding function (strike etc) and the actuator that contains the secret in the form of the key profile etc.
The linkage between the lock strike and the human is generally not particularly hard/strong in nature as a human has to operate it with comfort in a reasonably short time and in the case of a mechanical key you don’t want it to wear down and in the case of an electronic usually battery lock you don’t want the battery to run down too quickly.
Because both of these happen rather more often than you would think compared to people actually picking locks or drilling them etc there is usually a hidden weak point for a locksmith to get the door open in some way.
With regards,
So we should just put cheap, crap locks on everything? This argument is mostly bunk
Again context is everything.
Look on the cheap crappy lock not as a point of physical security but as a sacrificial goat. Its sole purpose is to provide warning/time in the lowest cost way, the physical security begins behind it which is why I talked about defence in depth.
You really don’t want an expensive difficult to repair/replace lock to be your first line in defence but your last. Banks are well aware of this with vault doors behind stout wooden doors behind the counter barrier which lies behind the glass front door. There are a whole variety of good well tested reasons for doing things this way which you can go look up.
It is actually very common and very far from your description of,
Sure, but very few will implement the rube goldberg-esque arrangement you propose.
The purpose of using a keypad and card in a special sequence is multi-purpose and can be made to act in a number of ways including anti-duress alarms and extra dead bolting lock out etc.
The point is it takes a simple one factor lock to a two factor lock, which makes an attackers job a lot lot harder.
Even the “antipersonnel” features on munitions etc are well established and despite internationally agreed treaties still very much in evidence.
But contrary to your long description at the end most people actually want the minimum of damage in the deterrent not just because it’s inordinately expensive to repair but because in the security business most people do not like to advertise any weakness, nor do they want their normal day to day operations suspended. Something any security consultant with a few years under their belt would quite happily tell you.
scorche • March 11, 2013 2:16 PM
Not as such my answer was in relation to a specific question which was loaded against the premise that an attacker could photograph the key and then cut a duplicate (context is a wonderful thing).
This is not so much an issue with the lock, as it is the method of carry then. There are multiple products that keep the key obscured until use. There are also many key designs that would be much harder to decode from a photo than the average pin-tumbler
Because both of these happen rather more often than you would think compared to people actually picking locks or drilling them etc there is usually a hidden weak point for a locksmith to get the door open in some way.
Usually? – sure. However, this is what a higher level of security hardware exists for. Not all have a “hidden weak point”…
You really don’t want an expensive difficult to repair/replace lock to be your first line in defence but your last. Banks are well aware of this with vault doors behind stout wooden doors behind the counter barrier which lies behind the glass front door. There are a whole variety of good well tested reasons for doing things this way which you can go look up.
I don’t see why what I was saying disagrees with this. What I was responding to at this point was your “…the more attention it attracts” comment.
But contrary to your long description at the end most people actually want the minimum of damage in the deterrent not just because it’s inordinately expensive to repair but because in the security business most people do not like to advertise any weakness, nor do they want their normal day to day operations suspended. Something any security consultant with a few years under their belt would quite happily tell you.
This is why I said in the very beginning that one must do a risk assessment and figure out one’s requirements. But, I am not sure what you are getting at here. What I was saying is that part of the purpose of a very high-security lock in the typical scenario (though this is quite vague, I grant you…) is to force an attacker to use destructive means to get access rather than use a non-destructive method such as picking or a bypass to get access. Are you seriously suggesting that most people would rather weaken their security and be vulnerable to non-destructive methods than protect against that which would force an attacker to use destructive methods to get past?
Figureitout • March 11, 2013 4:01 PM
@scorche
–I think Clive’s referring to being unable to open the lock and not attracting attention. So based off your risk assessment, you’ve had multiple attacks and need the MegaLock; regardless of the time it takes away from getting real work done. You’ve accounted for all the backdoors you (and other brain types) can think of that would render the lock null. Knowing Clive, he may have heard of your MegaLock, maybe not (he is human, I think).
Btw, I’ve seen people get waved in by security staff where person had not only the wrong type of card, but an entirely different person (different ethnicity too).
Clive Robinson • March 11, 2013 6:46 PM
OFF Topic:
I don’t read Forbes as much as I used to for reasons I won’t go into. So I’ve only just seen this little gem,
http://www.forbes.com/sites/kashmirhill/2013/03/04/nsa-utah-data-center-visit/
And not being a person who visits the US any more it introduced me to something new, the “Sovereign Movement”, weird but I guess not exactly unexpected. It has that wonderful ring of absurdity about it where somebody says “I don’t recognise your authority” and the other party says basically “I don’t care, have some of this, to prove I don’t care, and have some more so others don’t do the same”. If it was not the Federal Gov doing it, it would be called a “Protection Racket” and the perpetrators subjected to some really unpleasant punishment, but as they are the Feds, well, “Business as Usual”.
Petréa Mitchell • March 11, 2013 10:08 PM
Ah, the sovereign citizens, the right wing’s answer to New Age talismanic magic. This SPLC summary is a good place to start if you want to know more.
Figureitout • March 12, 2013 1:24 AM
@Clive Robinson
–What you think is weird is just the reactions to a police state. It’ll get worse, much worse. All of which is wasting time and distracting from science (like unnecessary security) that isn’t discovering itself and the human species will die off on planet Earth.
Warning To All Known attackers are moving on from me and will be attaching themselves to another host soon. Black family from California w/ a son named “Julian”, maybe you’ll see the probation officers at their home. Never goes outside, drives a BMW and Range Rover. I held them off as long as I could.
Clive Robinson • March 12, 2013 7:35 AM
@ Petréa Mitchell,
Ah, the sovereign citizens, the right wing’s answer to New Age talismanic magic.
I see what you mean.
Mind you “eat my paper” is marginally better than “eat my lead”.
But it highlights one thing, the gaps in US property laws that allow all sorts of shenanigans. I’m aware of some of it from notary fraud but I’d have thought someone would have got around to fixing some of the more lax parts since the 1900’s Noyes-McKenzie claim-jumping up in Nome, Alaska.
Jeremy M • March 12, 2013 11:21 AM
For all you physical security and lock-picking/smithing/sporting buffs.
“The Lock Pickers: Victorian England made the strongest locks in the world—until an American showed up and promised he could pick them.”
Jeremy M. • March 12, 2013 11:50 AM
For you lock-picking/smithing/sporting types.
“The Lock Pickers: Victorian England made the strongest locks in the world—until an American showed up and promised he could pick them.”
Auroch • March 12, 2013 2:25 PM
This seems like a single point of failure, but I suppose married people, at least, are good at keeping track of highly-important rings. Would be hell for anonymity, though.
Clive Robinson • March 12, 2013 6:14 PM
OFF Topic:
@ Bruce,
Not sure if you’ve read either this article or other articles relating to it,
http://www.csoonline.com/article/730015/dna-hack-could-make-medical-privacy-impossible
Basically researchers have looked at data in a DNA database and by tracing anomalies in the Y (male) chromosome have been able to put family names to unidentified DNA samples, thus very much narrowing down the list of people it can belong to.
Once more, as Ross J Anderson has pointed out in the past, anonymity gets stripped from medical data even though promises have been made that data is “sufficiently anonymous to prevent this”.
Natanael L • March 13, 2013 11:42 AM
@Auroch: No reason it would be bad for anonymity. It could absolutely have the site identify itself to the ring before the ring reveals anything, and it would have unique profiles per site.
Nick P • March 13, 2013 5:04 PM
Two cryptographers get the Turing Award for their work.
http://www.networkworld.com/news/2013/031313-turing-award-267635.html
Clive Robinson • March 13, 2013 11:50 PM
@ Nick P,
Two cryptographers get the Turing Award for their work
I know they are not quite “household names” even in the security industry, but they do deserve the award (shame they have to split the cash between them).
Nick P • March 14, 2013 12:24 PM
Security News
US national vulnerability database infected with malware
https://plus.google.com/u/0/106350285372295328202/posts/HNayDzUoYEz
Chinese hacker uses web as outlet for complaints. There is also some more circumstantial evidence for Mandiant’s claims.
http://www.latimes.com/news/nationworld/world/la-fg-china-hacking-20130313,0,7978305,full.story
Clive Robinson • March 15, 2013 4:42 AM
OFF Topic:
More on how China affects Skype users and MS is still ok with the surveillance, which can also affect Skype users outside of China as well…
Clive Robinson • March 15, 2013 5:41 AM
OFF Topic:
SSL attacks are back on the menu in a way that proves two points,
1, Attacks only get better.
2, Two methods are better than the sum of their parts.
Last year we had the CRIME attack which used a problem with the use of compression to fairly efficiently guess at secret data sent from the client. The major downside of the attack was having to sit on the network and observe the actual SSL traffic.
This year we have TIME that uses the same compression attack, but this time on traffic from the server, BUT importantly it uses statistical timing on response times so does not need to observe the network traffic…
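The compression side channel Clive describes is easy to see on the wire, and seeing it is the clearest argument for the standard mitigations (turn off TLS/SPDY-level compression, or never compress secrets in the same stream as attacker-influenced data). The following is an added illustration, not code from the thread or from the CRIME/TIME researchers; the response template, the session cookie value and the reflected search string are all constructed for the demo.

```python
"""Why compressing a secret next to untrusted input leaks the secret's length-in-matches.

Constructed example: an HTTP-style response carries a secret session cookie and
echoes an attacker-influenced string (a search term).  When the whole response
goes through one DEFLATE stream, as TLS compression and SPDY did, the compressed
size shrinks whenever the echoed string repeats a prefix of the secret.  That
size difference is what CRIME observed on the network and TIME inferred from
response timing.  The fix shown below keeps the two parts in separate streams.
"""
import zlib

# Constructed secret; in a real deployment this would be the live session cookie.
SECRET_COOKIE = "Set-Cookie: sessionid=7f3a9c1d4e; HttpOnly"

# Constructed response template that reflects untrusted input into the body.
TEMPLATE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "{cookie}\r\n\r\n"
    "<p>No results for: {reflected}</p>"
)


def compressed_length(reflected: str, cookie: str = SECRET_COOKIE) -> int:
    """Size of the response when everything shares one DEFLATE stream.

    The LZ77 stage of DEFLATE replaces the second occurrence of a string with a
    back-reference, so a reflected string that matches more of the cookie costs
    fewer bytes than one that matches less of it.
    """
    body = TEMPLATE.format(cookie=cookie, reflected=reflected)
    return len(zlib.compress(body.encode(), 9))


def leak(correct_guess: str, wrong_guess: str) -> int:
    """Bytes saved by a guess that extends the match into the secret.

    A positive value means an observer who can see (or time) the response size
    can tell the correct guess from the wrong one without reading the cookie.
    """
    return compressed_length(wrong_guess) - compressed_length(correct_guess)


def compressed_length_separated(reflected: str, cookie: str = SECRET_COOKIE) -> int:
    """Mitigation: compress the secret-bearing part and the untrusted part in
    separate streams so no back-reference can span the two.

    This is the same principle as disabling TLS-level compression entirely
    (Python's ssl.create_default_context() sets OP_NO_COMPRESSION for this
    reason): the size of the untrusted part is then independent of the secret.
    """
    trusted_part = TEMPLATE.format(cookie=cookie, reflected="")
    return (len(zlib.compress(trusted_part.encode(), 9))
            + len(zlib.compress(reflected.encode(), 9)))


if __name__ == "__main__":
    good, bad = "sessionid=7f3a9c", "sessionid=qwerty"
    print("shared stream  leak:", leak(good, bad), "bytes")
    print("separate streams:",
          compressed_length_separated(good), compressed_length_separated(bad))
```

Run it and the shared-stream case shows a multi-byte difference between the two guesses, while the separated case shows none; that difference, read one byte of the secret at a time, is the whole of the oracle the two papers exploit.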
gina • March 15, 2013 3:57 PM
Bitcoin is trading at an all time high this month. It was up to nearly 50 dollars.
Three good articles on meta currency:
http://www.aljazeera.com/indepth/opinion/2013/03/2013391325331795.html
http://nakedsecurity.sophos.com/2013/03/13/anatomy-of-a-problem-bitcoin-loses-25-percent-in-value/
http://www.guardian.co.uk/business/2013/mar/04/bitcoin-currency-of-vice
cassiel • March 8, 2013 4:27 PM
My favourite story today:
http://www.guardian.co.uk/uk/2013/mar/07/businessman-bomb-detection-kits-golf
“Businessman’s bomb-detection kits ‘were based on novelty golf gadgets'”