Schneier on Security
A blog covering security and security technology.
May 3, 2013
Friday Squid Blogging: Squid Escape Artist
It's amazing how small a hole he can fit through.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
EDITED TO ADD (5/4): It's an octopus. Apologies for the misidentification.
Posted on May 3, 2013 at 4:33 PM
Senator Wolf's witch hunt to remove all foreign scientists from NASA continues (cough Von Braun /cough).
He organises a very public raid on the departing scientist's plane to retrieve a laptop:
"I am particularly concerned that (the) information (on Jiang's laptop) may pertain to the source code for high-tech imaging technology that Jiang has been working on with NASA. This information could have significant military applications for the Chinese Peoples Liberation Army."
The laptop contained porn - which to be fair, does involve high tech digital imaging technology and is no doubt of interest to the Chinese army.
Ummm... Octopus, not squid. Enteroctopus dofleini (Giant Pacific Octopus) to be exact. Sure, it's another cephalopod, but not a squid.
That's an octopus. Not a squid.
> That's an octopus. Not a squid.
This being a security blog I wouldn't rule out the possibility of an impersonation attack.
Octopi have many interesting traits. They look neat too. I don't mind a Friday octopus thread.
The Finnish National Defence University has published a 250-page book called The Fog of Cyber Defence. The book discusses cyber warfare, the cyber arms race, and cyber defense from a Nordic viewpoint. The book was written by twenty authors.
- Download (2.1 MB PDF):
@Jasonr - I would be more worried about the Brits, they do have a history when it comes to dams.
The Hoover Dam pictured in the article is especially sensitive. Despite its being built of 7 million tons of concrete, this visitor was relieved of a very small Swiss Army keyring knife.
Clearly a creature like the one in the video would be able to escape from most human-designed secure prisons, especially if, say, the prison was conveniently (for the escaper) situated on an offshore island.
Future terrorists may therefore be (prior to their being deployed) treated genetically to splice some octopus genes into their DNA.
The take-home lesson is that, in future, all secure containment facilities should be in deserts.
Big news in the UK at the moment:
Fake bomb detector salesman sentenced to 10 years: http://www.guardian.co.uk/world/2013/may/02/...
I'm at a loss to understand why it took so long for anyone to notice that these things just didn't work, or why no tests were performed, and why ludicrous claims for the technology (detects explosives at distances of several miles, or from aircraft) didn't ring alarm bells.
The security at Hoover and places like that isn't because someone might use a Swiss Army Knife to destroy the dam; it's because they might use said knife to hurt someone (say a security goon) and gain access to otherwise off-limits areas to then cause problems (e.g. someone gaining access to control systems to mess with water release systems or power generation).
One good story this week is on how the NASA spy caught a month or so ago was not a spy, at all:
There were a lot of news reports on how that laptop was full of NASA secrets.
He may have been a real spy, but they did not catch him. The comments section has a good garden variety of points:
- maybe the secrets were hidden in the porn and movie files via steganography
- why steg that or carry it across country lines at all when they could upload it from someone else's wifi
- why take the NASA laptop in the first place? Why take it to China for a month long vacation? Why did he still have it after being fired from NASA?
- Maybe he was an agent and was playing dumb. Maybe the US was playing dumb.
- Maybe there were controls on the laptop which precluded exfiltration of the sensitive data he worked on.
- Why was NASA hiring Chinese students on student visas in the first place, to work on sensitive projects?
- He had no clearance. (But he worked on a sensitive project.)
Sorry -- missed "NobodySpecial's" first post on this subject.
@JW - amusement parks are exempt from OSHA (US health safety executive)
They are grandfathered in as if they were circuses - since it would be impossible for a travelling circus to have an engineer report every new pitch.
Why California and Florida allow this to continue is a mystery - and completely unrelated to large political contributions from Disney and others.
OFF Topic :
Anyone remember how HBGary got hacked by Anonymous and all those documents got leaked?
Well, amongst them were some quite frank e-mails about other companies they had worked for and their state of "cyber-security".
Well, guess what: in the oh-so-secret tech development world, when it comes to ITSec there are, unbelievably, worse than HBGary, a lot, lot worse; some have been completely and utterly owned by the Chinese PLA for years, even with HBGary's (supposed) help...
So bad in fact that I suspect some of the directors and executive officers have the old joke "Infamy! Infamy! They've all got it in for me" tattooed across their nether regions.
And not only did this company employ HBGary to (unsurprisingly unsuccessfully) sort out their problems, HBGary's vice president Bob Slapnik went on to say of them publicly,
"When it comes to cyber security QinetiQ couldn’t grab their ass with both hands"
So no repeat business expected there then, and it should serve as another "red flag" warning to other (potential) customers of HBGary...
As for QinetiQ, in the UK and presumably elsewhere they like to give the impression they are the descendants of Ian Fleming's "Q" character in the James Bond books and films (I guess if QinetiQ did make a non-fiction film they could call it "Prat Fall").
Anyway, what QinetiQ did (with HBGary's help) could make a very useful "How-Not-To" of avoiding being completely and utterly owned by the Chinese PLA.
And presumably, in the four years or so QinetiQ were owned, they lost every secret they ever had knowledge of, many of which are critical to the US Military.
Importantly, as far as secrets go, another "red flag" warning about HBGary: it appears the PLA knew of their involvement either prior to or immediately after they became involved with (supposedly) helping QinetiQ. So there is a reasonable chance that the PLA had already done to HBGary what Anonymous subsequently did to them (or HBGary's methods are in some other way very indiscreet).
If you want to know more have a read of,
The line comes from the film "Carry on Cleo", which is famous for a certain type of baser British humour from the 1970s which appears to now be popular in all places other than Britain (you can see the film clip of the line on YouTube http://www.youtube.com/watch%3Fv%3Dkvs4bOMv5Xw ).
The "Q" link is actually quite tenuous. QinetiQ arose after the UK Government decided to split up DERA and sell off the bit that was not really "hush hush" any more (the "hush hush" bit became DSTL). The fact that it was sold to some of DERA's management for a criminally low value has given rise in the UK to speculation as to who had their hand in whose pocket, brown envelopes etc. etc.
If you are wondering how to pronounce QinetiQ, the company has it up on their web page; however I, amongst several others, some of whom had the misfortune to work for them, pronounce it as "Quaint sick" with a silent S.
The obligatory "disclosure of interest" is required... back in the very early 1980s I worked with DERA and even back then they did not impress, and I had on occasion referred to them to my own management as "a bunch of clowns".
Convert gTLD Domains from .gov to .mil, hacking root servers not required...
DoD has a plan in place: it is the overthrow of the civilian authority and the realignment of the United States into a military junta. It may not be directly recognizable, but in the near future, following a sequential and incremental process, the federal government along with cooperating state and local governments will transform the civil authorities and processes. Let's describe the series of actions that will take us there...
HOW IS THIS POSSIBLE
The DoD, under the supervision of the President, owns the process that is guided by the Director of National Intelligence (DNI). The misguided National Security Act of 1947 grants the President the authority to designate "any other agency or department" as an Intelligence Community (IC) component. Even worse, this authority rests with the DNI as long as the participating agency or department consents. For example, the DNI claims the need to designate the EPA as an IC; by function DoD enjoins the EPA, and, DONE DEAL. The EPA would now have the authority to issue NSLs, classify documents, keep state secrets, and keep and acquire records from any number of sources on citizens; essentially the EPA could have the same statutory authority as the FBI. I digress; this is not important. We are only describing the head of the beast. The point is that the executive has a "dangerous" process for managing government departments and agencies that can morph into intelligence organizations. Agent Smith: "Neo..."
HOW FAR ALONG IS THIS PROCESS
The United States government is past the planning stage for the implementation of new communications systems to be deployed nationwide. Part of the cybersecurity EO released by the President in February of this year contains language that proxies federal powers. Here we have to pay attention: some have suggested that the NSA and/or FBI are engaged in scope/mission/constitution creep under the guise of keeping citizens safe from terrorism (they forget that their primary role is to protect an idea, not persons). There is an overarching strategic plan to federalize law enforcement: first responders, cyber security entities (commercial, utility, government) and the local police, fire, etc.
The order allows local government and commercial entities with national security clearances not only access to federally classified data but also provides a mechanism in which local authorities may classify state or local government information. The federal courts have already set the precedent for FOIA requests in such cases. Now, FOIA requests can be spread not only across fifty states, but by local municipalities and cities. Local "first responders" and cyber security personnel will gather information (designating the data as classified), thus making local agencies, governments, or businesses unaccountable to anyone except the most persistent.
Nice one - didn't realise it was a joke until the phrase "DoD has a plan"
OFF Topic :
A new piece of malware has been detected that infects mainly UK based machines.
It's been around in the wild for at least 11 months but does not yet appear to have been used.
It possesses a number of new and interesting features but is apparently still under development.
Although its final use is not yet known, it looks like it could be used as the beginning of the next tier up (of low-hanging fruit) in banking fraud, as some of its capabilities are those we currently see used by high-end attack code.
But it also has other features that would make it useful as a "stepping stone" in attacks against services a legitimate user is logged into, which could also put it in the APT class of "secret stealing" malware.
All most curious; you can read a bit more at,
OFF Topic :
In what appears to be some sort of tie-up between cyber-espionage and cyber-criminals, the Chinese APT "Winnti Group" are going after game developer signing certificates, possibly for the purpose of money laundering or equivalent.
As long-term readers of this blog know, I have quite a downer on digital certificates used for code signing, long predating known attacks on them (such as Stuxnet).
Code signing systems are at best difficult to set up in a secure way. Further, the backend process of code development is almost impossible to secure to the required standard, as is the Human Resources process behind the hiring of employees such as developers, testers and managers, all of whom have access to the code during development as well as direct access to the code signing system/process.
Thus I would urge people to treat with considerable caution the comment by Jeff Hudson, CEO of Venafi, in the article:
"There simply is no reason why any organization has to suffer from a certificate-based attack or worry about a related compromise. There are solutions available today that address these problems."
NZ refuses to be terrified - http://www.offsettingbehaviour.blogspot.co.nz/...
Summary - Student sends ranting letter containing threats to shoot lots of people to student newspaper and website. Student has not committed a crime so Student newspaper editors refuse to hand details to police. University not closed.
Jackson did not respond to questions about why UCSA would not release the name to police. But she did say the last paragraph contained content that "could be interpreted to look like a non-specific threat", but the "tone of the letter was largely hyperbolic".
Octopi are so good at deception, they fooled even you, Bruce. Kind of looks like a physical representation of malware squeezing through.
Someone 3D prints a gun. Looks like it wouldn't shoot straight from 30ft away. I had the privilege to 3D print a custom box; it's very cool technology and I was extremely impressed. The "printer scene" from Office Space, while being appropriate for most tech, doesn't apply here. I call it "engineering art" and like the paintings made up of thousands of tiny dots, you can see the crisscrossing lines of plastic and will be blown away at how intricate of parts you can make.
If you want to know more have a read of, http://www.bloomberg.com/news/2013-05-01/...
I did. The story almost reads like something only Tom Sharpe or P.G. Wodehouse could have come up with. I believe we have a very strong contender here for Bruce's movie plot contest, and I am already picturing folks like Ricky Gervais and John Cleese in the roles of Aaron Barr and William Ribich. We could even try and set Bruce up for a small support role playing Richard Bejtlich as the Mandiant contractor whose advice was totally ignored 8-) .
Judging from this grotesque MFU, security seems to be the only IT discipline left where incompetence and stupidity still rule supreme, and where none of the actors involved ever get condemned to flipping burgers for the rest of their life, instead gently "moving on" with the monies they've pocketed to wreak havoc on the next clueless customer or government agency.
On a non-related sidenote: IBM has released its HElib homomorphic encryption library at https://github.com/shaih/HElib . Curious how they implemented the Brakerski-Gentry-Vaikuntanathan (BGV) scheme.
Oops, already posted, by Sverrir Rósuson. Sorry.
@ Dirk Praet,
Yup and a fine movie it would make, though I don't think Bruce would want to play Richard "I'm X special" Bejtlich ( See the photo at
> On a non-related sidenote: IBM has released its HElib homomorphic...
Yes, it is interesting. Nick P mentioned it in last Friday's Squid page and I dropped a response to him there ( http://www.schneier.com/blog/archives/2013/04/... ) including a guess / prediction of future usage.
> though I don't think Bruce would want to play Richard ...
From what I've seen, there seems little love lost between the two of them. Which would make for a really great role indeed.
Hagan has a nice breakdown of how Lulzsec's failed OPSEC led to their demise. He also asserts that OPSEC is a 24/7 job if the enemy is a domestic LEO. Lastly, he gives good reasons why a domestic LEO is more dangerous than much-feared foreign "state actors."
In the past, I've stated that one must build a firewall around their personal and operational lives. Nothing must get through. If anything does, it should be disinformation. In business INFOSEC, the people are the weakest link. This is more true in covert operation security.
Storing GBs of data in YouTube vids via QR codes
Gotta love ingenuity. Persistent, reliable storage, and there are plenty of QR code libraries available already. Looking for similar projects led to this unconventional backup solution:
Store data on paper 2MB
The effort they've put into backing up data onto paper via barcodes and printing presses is... surprising. As barcodes aren't going away, I wonder what current security issues we can solve with them. I'm especially curious about hybrid solutions that combine printed codes with network software, trusted devices at terminals, etc.
EDIT TO ADD
Forgot to mention that, if you're aiming for max data storage, hueCode is the way to go. I remember it could store several times what QR codes can. I'm not sure how well it would work on YouTube. Microsoft's 2D barcode is probably the most visually appealing. Maybe use photo storage sites if not YouTube.
My old way of storing lots of files was to use free web hosts. I'd figure out which were reliable. They would then have an account limit and file size limit. So, I'd break a big file into a bunch of pieces (WinRAR then, 7-Zip today) first. Then, I'd automatically upload them to the server (maybe with extensions changed). Retrieving the data is easy. I've also [ab]used Yahoo and Gmail for file storage.
Of course, today you can get plenty of storage from a web host or storage provider quite cheap. Most people would probably rather just pay a few bucks a month. The YouTube trick is very interesting, though.
Uh Oh, problem: Jitter in Gmail
One of my Gmail email accounts has, in the past weeks, occasionally begun to "jitter". The text seems to jump up and down while I'm writing email. It's noticeable, and very irritating, but not show-stopping. I can still type and complete the email and send it.
I let it go, thinking it was Gmail being intermittent, or even my own connection.
Yesterday I cut and pasted a segment of an email from that Gmail account into a Mac TextEdit file and sent it to a friend. He reported the same "jitter" problem when he tried to open the text file, a surprise to me.
BUT-- I sent the Mac TextEdit file from a DIFFERENT Gmail account, one that does not seem to have the jitter problem.
I'd seen this same jitter while I was typing up emails under the suspect Gmail account before, so I can't say it's related to only one email. I will recheck to see if it's from one organization, however. But it is intermittent. :( I hate intermittent problems, don't we all.
Before you blast me with the obvious--yes it appears to be a "jitter bug". Very funny--NOT. Doesn't make my life any happier right now.
Anyone else seen this? Any ideas how to troubleshoot this or nail it down better? It doesn't happen all the time, but when it does I need to capture it or deal with it in real time.
Is it time to pull back and Nuke this system from Orbit?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.