Schneier on Security
A blog covering security and security technology.
May 17, 2013
Friday Squid Blogging: Striped Pyjama Squid Pet Sculpture
Technically, it's a cuttlefish and not a squid. But it's still nice art. I posted a photo of a real striped pyjama squid way back in 2006.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on May 17, 2013 at 4:57 PM
• 43 Comments
Back when I lived in Japan in the early 80's I used to go to Shakey's Pizza in Tokyo and get cuttlefish pizza, it was very good.
OFF Topic :
Trawling around looking for something else I bumped into a project on GitHub called Bunny.py.
And it claims this of itself,
Bunny is intended to act as a layer 1/2 technology for near unsignaturable wireless mesh communication. Bunny wraps all data in and out in a layer of obfuscation, it does this by passively listening to the local wireless and building a model of 'average' traffic. Then using this model it hides small snippets of data within various fields of the 802.11 protocol, that are either poorly defined or prone to contain data that mutates a lot. These fields will include but are not limited to; vendor data, data packets of encrypted networks, duration fields.
Which sounds interesting if you want to have a side channel for private communications in a broadcast system such as WiFi. You can read more at,
OFF Topic :
Has anyone else heard the latest on the US diplomat the Russians claim to have caught with an Am-Dram style spy kit you'd use for children's pantos?
Well apparently he was trying to recruit an FSB officer as an agent, and the officer specialised in investigating the area where the supposed Boston Bombers came from.
In short the whole thing sounds like a story line from a bad "Movie Plot". You can read more and see pictures of the supposed spy kit at,
In the UK, the NHS is about to sell off patient data:
"The records, which include sensitive information about hospital visits, such as a mother's history of still births, patients' psychiatric treatment and critical care stays, allow individuals to be identified by use of postcode, gender and age as well as their socioeconomic status".
What could possibly go wrong?
@Waywiser Tundish - I have read that chemo drugs are extremely lucrative and that altogether, chemo is not very effective.
I read your link about the Influenza vaccine. Is that a problem? Here's what I think is the real problem.
In Sneakers, Gregor warns Marty "you won't know who to believe."
With respect to MS and Skype doing an ET, you might want to have a look at,
As I've said before, why should the likes of the NSA go to the trouble of trying to crack your passwords / passphrases / private keys, when the likes of CarrierIQ, Microsoft and other commercial organisations are doing end runs around your security in the name of "technical support" etc and just putting it out on the wire to be just hoovered up...
OFF Topic :
As many are aware the FBI is pushing for a global surveillance capability by insisting all methods of Internet communications are "back doored" or any carrier carrying traffic that cannot be snooped will receive significant fines.
Timothy B. Lee over at the Washington Post has a post on this and some of the implications,
Some might argue that Microsoft are already well on the way with the "back door" they have put in Skype IM etc.
Transit e-tickets from a mobile app. The app itself provides verification as follows:
Once a fare is validated, it becomes animated, with a cartoonish landscape of Portland landmarks (including birds on a wire) rolling past the on-screen bus. Any suspicious bus driver or fare inspector can ask for the user to tap the screen, which turns the "lights on" inside the bus. For those tempted to hoard tickets until an inspector boards a train or bus, the time stamp flashes to show when a fare has just been activated.
So it's secure because no one can fake animation, and... did they just say this lets you mess with the bus? I'm holding out hope that the reporter misunderstood and what it really does is just light up something in the driver's computerized display.
This is a case where stopping the lazy cheaters, even if they are the vast majority, doesn't seem sufficient. It just takes one motivated person to produce a fake app that will mimic this one at a reasonable quality level, and then all the lazy cheaters can just download that.
OFF Topic :
Some time ago I predicted that there would be problems with the Near Field Communications (NFC) cards that at the time banks had just started to issue.
One thing that concerned me was the lack of transaction authentication by the user. That is, you wave the card at the reader and it automatically deducts money without the user entering a PIN or other authenticator.
Well I was listening to BBC Radio 4 and guess what this problem has started happening in UK stores but not by the NFC card being touched on the reader but at ten or more times the supposed range...
Anyway you can read about it at,
@Clive Robinson - that WashingtonPost article is good. Also notice comments there brimming with growing cynicism. For example...what if the biggest problem isn't even technological: what happens when the definition of who is 'good' and who is 'bad' can be changed at any time? What if you are considered 'bad' as soon as you opt out of surveillance?
Here's another problem, partly related. I was reading the latest Information Week in particular the article "IT's Attitude Problem." I found it online here http://www.informationweek.com/cloud-computing/...
WOW! Nevermind the negativity, the resistance to change, fear of the cloud, etc. The fact is, IT is increasingly being left out of the decision making process completely!
With regards the article you linked to.
The first thing you should note is that the author is trying to sell cloud services as part of his business.
That kind of puts an unbalanced spin on what he is saying.
Second he makes a dangerous assumption with,
... gem: 76% of IT professionals believe that it's better to err on the side of tighter standards, whereas only 55% of those same pros believe their companies' senior business leaders feel the same. This means IT is either inept at communicating why it does what it does (including resisting the cloud) or fundamentally misaligned with the needs and priorities of the organization. Unfortunately, based on our new cloud survey, we're pretty sure it's the latter.
He has ignored a well known issue with "management" in that frequently they will take the completely unsupported word of an external sales person over their own internal staff.
This usually happens because the external person promises to make the bottom line better before next quarter or some such silliness.
IT staff are frequently caught between a rock and a hard place in trying to explain what is in effect "Defence Spending" that is not going to show a profit, only stop a possibly long-term loss.
Much of the modern management ethos is ultra short term thinking and involves "slash and burn" to give "a small abundance tomorrow, with a long term famine" rather than a "consistent long term return". The belief appears to be there will always be somewhere else to "slash and burn" when "the current patch fails due to exhausted resources".
On the few times I've investigated, it's not IT failing to express the problems and issues clearly, it's management not wishing to listen as they've been sold a fairy tale by a management guru with a sales agenda that promises a "crock of gold" but actually delivers at best a "crock of 5h1t".
I'm not saying that the Cloud does not deliver benefit to some people, but as always with benefit there is also risk. The problem is not so much being able to identify the risk but to manage it through a third party via SLAs and contracts.
In the UK we have seen very many outsourcing deals and most fail to deliver any of the promised improvement and many implode rather spectacularly with the only people profiting being the lawyers. Some organisations have ended up not only having to pay others to provide solutions but actually to buy themselves out of the current unsatisfactory outsourcing contract before they do so...
Unfortunately many senior managers are "chancers" looking to make the next headline deal rather than correctly manage the business they already have. Whilst most IT managers are looking to maintain stability and strong defenses against unseen attackers.
There is an old truism about defence spending which is,
You never know when you have spent too much on defence, only too little and by then it's too late.
The New Yorker is now offering people the ability to contact the (and presumably offer tasty tidbits of information) through StrongBox... any thoughts on how secure this technology might actually be?
From the article you linked to, "The fear of cancer is legitimate: how we manage that fear, I realized — our responses to it, our emotions around it — can be manipulated, packaged, marketed and sold, sometimes by the very forces that claim to support us."
The article would have been stronger if it had centered around this point.
Google has sent out another raid team to the borders of the neighboring dominions. The welfare of the realm and its peasants demands dropping the XMPP server-server-federations.
"With Hangouts, Singhal says Google had to make the difficult decision to drop the very "open" XMPP standard that it helped pioneer."
Maybe one day my children will move to one of the open-source-cities in the empire and can live the free life of the townspeople
@Petréa Mitchell, re: Transit e-tickets from a mobile app.
>"did they just say this lets you mess with the bus? I'm holding out hope that the reporter misunderstood and what it really does is just light up something in the driver's computerized display."
I think it was you who misunderstood; the reporter was talking about "turning the lights on" in the on-screen image of a bus, not in the real bus.
Apple Snake Oil?
Apple has received a new patent (#8,380,991) for a "Hash function based on polymorphic code".
Based on a quick reading, it appears they are using the current data in each hash block to select from a predefined dictionary of code fragments to use in hashing that data.
The patent claims that this approach is "disruptive", and that it "has the advantage of avoiding an attacker collecting pairs of intermediate results for different messages." But isn't it just mathematically isomorphic to a fixed algorithm anyway? Does this really add anything new to the process of hashing, or is it just another great example of why mathematics should not be patentable subject matter?
@RCJ, here is the New Yorker announcement: http://www.newyorker.com/strongbox/.
Steve Gibson, on Security Now (https://www.grc.com/sn/sn-404.htm) says, "Aaron [Swartz] used some very security-savvy people to design a provably secure, provably anonymous means of sending information to The New Yorker."
Thanks for the link to Gibson
@ RCJ and Spellucci. Re: StrongBox
"Aaron [Swartz] used some very security-savvy people to design a provably secure, provably anonymous means of sending information to The New Yorker."
That's his opinion. I don't like the words "provably secure, provably anonymous." I've probably read more formal software engineering papers than anyone here. Thing I learned is it's hard to do right and works mainly for stuff we understand well. Crypto and anonymity have shown to be difficult to prove because we keep learning new things about constructions they depend on. Security is also hard to prove, in general. Security also depends on things below the application. So, let's have a quick glance at the platform.
Strongbox uses DeadDrop. DeadDrop is a Python web application that runs on a "hardened Ubuntu." Sources get a unique codename they can use to send or receive messages. Their site says one server does public facing web stuff, one contains messages, and one monitors the other two. Plus there's a USB dongle for random numbers. They get people to connect via Tor. That will help anonymity if the source isn't in an attacker observed network, like in some foreign countries. The source might also need to use Tor properly to reduce risks of exit point analysis.
Additionally, Ubuntu is a complex OS that isn't designed for security or anonymity. Quite the opposite. I'd have recommended OpenBSD if they want a UNIX-like OS w/ minimal customization for security. Python web applications add a bit of extra possible risk. Google went through a lot of trouble in App Engine to keep rogue apps from hurting their servers. They didn't even try to make customers' runtime/apps safe for subversion. It's still an open problem. As for attacker strategy, I see them trying to target the message or monitoring servers via the network. The alternative is regularly hitting the public-facing server to figure out what is monitored. Then, take a stealthier approach to use it as a beachhead to hit the message server.
Honestly, I can't really say how secure it is overall. The way they configure, combine and manage all of it is just as important as the components. This might create or reduce weaknesses. It does run on platforms and languages many hackers have experience in. These have had security issues in the past. However, it's also by design safer for the informants than regular signed email, comments on a web site, or typical HTTP submission forms. It's also more convenient than a privacy-preserving visit to the reporter. So, my overall grade on it is that it's useful, they are putting in good effort on security for a non-security company, and it's a step in the right direction.
And if they want to increase its assurance, they know where to find me. ;)
As many are aware the FBI is pushing for a global surveillance capability
--B/c just the FBI in USA is pursuing this. I believe there are a "couple" others. Of course, they will fail; but you know let them try, it's funny to watch.
I've probably read more formal software engineering papers than anyone here.
--Yeah, well some of those may not be available to everyone; and if I try I get some 'lice in my hair. And the hardware bugs may be biting you in the ass as you speak; unless you got that knowledge too b/c it's at least 1x10^6 pages.
--I feel like there will always be more software bugs than hardware bugs, way more.
And if they want to increase its assurance, they know where to find me. ;)
--Yeah right, we know how business works. Some of the defenders are in fact attackers; and since all attackers don't reveal their ways...
"Yeah, well some of those may not be available to everyone; and if I try I get some 'lice in my hair. And the hardware bugs may be biting you in the ass as you speak; unless you got that knowledge too b/c it's at least 1x10^6 pages."
It's more like 1x10^(4-5) for the most important parts. I'm ignoring hardware in this, though. The reason is the same I gave to Clive way back. The attackers are mainly hitting software and system level problems. The industry hasn't fixed them or figured out how to prevent them. Hardware attacks to beat software systems are possible, yet very rare. So, the proper choice is to remove the low hanging fruit from the attackers' grasp by eliminating easy remote, software-based attacks first. Any trusted hardware should be used for that, like TPM's or memory protections. Then, if such attacks become hard enough, attackers will shift gears and start focusing on something else. Then, we repeat the cycle. Over time, we have more protection built into our products and they have fewer options.
--The gov't hasn't figured it out either; even w/ some rather intrusive looking.
BTW, they should know cutting random items in my house is normal activity that normal people do.
Rachel Maddow covered this story and contrasted it with similar US spy-caught-by-KGB perp-walk/interview/evidence footage from the cold war.
Would it be safe to say this is a bit of security theater?
@RCJ, et al
This week's episode of On The Media featured three segments on the AP phone records story, including the history and use of Strongbox and what one could do to communicate with the press by phone, cool spy stuff.
Bruce, it's even worse than you thought! Not only does the US Military justify its security approaches on the basis of "movie-plot threats", it justifies its erosion of civil liberties on the basis that it isn't even creative enough to come up with movie-plot threats:
"By making a few subtle changes to a regulation in the U.S. Code titled “Defense Support of Civilian Law Enforcement Agencies” the military has quietly granted itself the ability to police the streets without obtaining prior local or state consent, upending a precedent that has been in place for more than two centuries.
But the focus on the DoD regulatory change obscures the creeping militarization that has already occurred in police departments across the nation.
[T]he transfer of military training and technology has been so thorough, it boggles the imagination as to what kind of disturbance would be so overwhelming that it would require the suspension of centuries-old law and precedent to grant military complete authority on the ground. The DoD official admits not being able to “envision that happening,” adding, “but I’m not a Hollywood screenwriter.”"
In the massive irony department....
It appears that the Chinese cyberhackers that hit Google and Microsoft were interested in and got access to the warrants and court orders that the FBI had served on the ISPs. It turns out that once China has access to those warrants, they can tell which Chinese agents in the United States are under suspicion and which are not.
It also explains why the US government is taking a very soft line against Chinese cyberhacking. Basically, if the US takes a hard line, then they pull into the open US counterintelligence operations.
OFF Topic :
In London there has this afternoon (14:20 BST) been a very brutal attack in Woolwich not far from the Army Barracks and very close to a school.
Reportedly two men hacked a young male member of the Armed Forces repeatedly and brutally with a machete or equivalent before dragging and dumping him in the middle of a busy road. They then reportedly started waving the weapons in the air and told people to photograph them.
One of the weapons appeared to be a gun and reportedly police officers shot both men.
Unusually for a shooting incident the Home Secretary has called together COBRA which is the UK National Emergency committee.
Now this may be precautionary and it may be because it is potentially a terrorist attack (apparently people are saying the two attackers were chanting Arabic etc).
It will be interesting to see how this incident plays out over the next few days and compare / contrast what the UK authorities do with say US authorities over similar incidents.
You can read more on the BBC web site,
OFF Topic :
In further terrorism related news it appears the FBI shot and killed an unarmed man during an interview, and are claiming the man had just verbally confessed to killing three people involved with the providing of drugs and paraphernalia such as Bongs.
The deceased was a Chechen who had had some contact in the past to the (alleged) Boston bombers through sporting activities.
Apparently the FBI man was accompanied by other Law Enforcement Officers and they tell a markedly different story to the FBI.
The father of the (alleged) Boston bomber who was killed by the police claims that this FBI killing is yet another setup.
Further to yesterday afternoon's (terrorist) attack in East London there are various messages or themes coming through from politicians and (supposed) experts interviewed by the BBC journos.
The general comment is "lone wolf" "clean skins" "radicalised by the Internet".
Whilst the first two points mean this couple of animals were not on any security services radars the third point is extremely worrying.
It will not take long for the discussion to swing around to "greater Internet control" either with the equivalent of a "great firewall" or "deep packet inspection" being suggested and in all probability taken up by the politicos. Either would be unfortunate and as we are probably aware fairly useless as preventative measures.