Schneier on Security
A blog covering security and security technology.
July 5, 2013
Friday Squid Blogging: Giant Origami Squid
Giant origami squid photo found -- without explanation -- on Reddit.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on July 5, 2013 at 4:01 PM
How many Citizens does it Take to Screw in a Republic
No--Access to all my papers and effects? Are you insane?
"It seems my hypocrisy knows no bounds."
Doc Holliday (Val Kilmer) from the movie Tombstone
Part II of III
"Done because you can, means not it should be done." --Yoda
There is no inherent right for any individual to stalk citizen(s), and possible person(s) given the U.S. government is a signatory to the U.N. Convention on Human Rights; in fact felony charges can be brought against persons willfully stalking, intimidating, harassing, or otherwise producing an environment where a continuous presence results in psychological trauma or stress. Sometimes this has been referred to as "terrorism". But the U.S. Government seems to believe that the "surveillance" of everyone is not problematic; this sounds like what the stalker might say: "Don't worry, I may be following you all the time but I don't have a knife or gun on me so I won't kill you." This is the position the U.S. government currently finds itself in as it fulfills its role as "Stalker to the World".
An important issue that is missing, and it goes to the foundation of law itself, is the social compact that allows society to trust law enforcement and government officials. Without legitimacy, society will derive its own form of justice when it becomes necessary. If law enforcement cannot be trusted and are seen as criminal elements (officials that will not observe the basic tenets and foundational law represent authoritarianism and the tools of a tyranny), this will leave fewer options for maintaining social order. As a community reacts, there is the possibility that a cascading effect might move from community to community. But I digress; the main point to explore cannot wait.
With the U.S. government surveilling and collecting information, data, e-mails, videos, pen registers, phone call records, bank records, travel information, postal and parcel tracking, credit agency reports (that can hold secret information about you) and any of a number of other "things" gathered and held and accessible by one entity at one time is completely dangerous. Let me explain: it would be as though law enforcement, using a proper "warrant" issued by a judge respecting the theft of an automobile (someone called in a description of it being in the Thomas family's garage). Officers knock on the door to serve the warrant (this is a courtesy you won't get). They do not inform you that you are being served, they wear masks so they can execute the warrant in secret, and while their pistols are drawn they tell the surprised couple "We are looking for a stolen car, a Volvo!", and before they can even get a word out--LEO proceeds to:
- pull everything out of the refrigerator,
- the closets,
- children's toy boxes,
- and the second floor bedroom dressers,
- their teenager's study,
- the den where the parents take care of bills,
- attend to their continuing education,
- and store some family heirlooms.
After ripping through the whole house, the officers proclaim, "Well, the vehicle isn't in the house. Let's get on to the back yard!"
From Ars Technica: http://feeds.arstechnica.com/~r/arstechnica/...
"Developers of the Cryptocat application for encrypting communications of activists and journalists have apologized for a critical programming flaw that made it trivial for third parties to decipher group chats.
The precise amount of time the vulnerability was active is in dispute, with Cryptocat developers putting it at seven months and a security researcher saying it was closer to 19 months. Both sides agree that the effect of the bug was that the keys used to encrypt and decrypt conversations among groups of users were easy for outsiders to calculate. As a result, activists, journalists, or others who relied on Cryptocat to protect their group chats from government or industry snoops got little more protection than is typically available in standard chat programs. Critics said it was hard to excuse such a rudimentary error in an open-source piece of software held out as a way to protect sensitive communications."
Here's the analysis from the guy who discovered the problem: http://tobtu.com/decryptocat.php
"Cryptocat is run by people that don't know crypto, make stupid mistakes, and not enough eyes are looking at their code to find the bugs."
I'll agree with that. I've criticized it similarly. I actually used this point against Diaspora very strongly and predicted it would fail to full stop. It did. Fortunately, Cryptocat is less ambitious so it has a better chance of surviving.
"As a result, activists, journalists, or others who relied on Cryptocat to protect their group chats from government or industry snoops got little more protection than is typically available in standard chat programs."
Originally, they were specifically saying not to use it for such purposes. I was about to blast whoever wrote that but decided to update on cryptocats website just in case. It had been modified to brag about how journalists and such use it for private communications. (Rolls eyes...) So now they're asking for the criticism.
I did write a piece on this blog about cryptocat before. I basically said it's a decent tool for people who would have used IRC, facebook chat or some other insecure method. It's very easy to use and most non-experts aren't going to crack it. So, if it's something like it or nothing, a tradeoff many lay people might make, then it's good to have around. Security community just needs to make sure people don't get a false sense of security and keep recommending proven (or well-engineered) solutions for situations where you want "real" protection.
No activists or whatever should be using this product... there are better options for them right now.
Technology and power: ACLU blog post about James Otis and his 1760 speech against writs of assistance, which were basically the mass search authorizations of the time and one of the things that the Fourth Amendment was written specifically to block.
In the speech, Otis talks about the use of general warrants in earlier times, replaced by the use of specific ones by more a more enlightened judicial system. Which all seems to show that every country falls into the same situational trap after resetting to specific ones and thinking they've learned better.
Bruce et al,
Hate to be a curmudgeon, but in an unjust world a scoundrel must be made.
Cyber and electronic warfare will invariably make casualties of all manner of systems, organizations, and no doubt innocent civilians and citizens. The sheer contempt that is represented by a government where automated systems can be used to exercise the powers of government reaches a new level--but the crime is the government will knowingly do harm. In fact, they'll hire contractors that cannot be sued and the contractors cannot be subpoenaed or served with warrants--so much for redress of grievances.
This harm will be in various and unpleasant forms. I know this from personal experience. When government automates the delivery of "injustice" the consideration that we live under an unlawful system is more than obvious. My small business is already retooling based on the coming confusion. Now codified in law, HR 624, passed by congress in June, the Cyber Intelligence Sharing and Protection Act (CISPA V.2), the relationship between government and entities is wholly dangerous and completely antecedent to our republican democracy. Government, not answerable to the people for actions taken in their name--and--private entities immunized from disclosure or discovery. The insult here: the feds make safe (for some) what could only be accomplished by a constitutional amendment. The fact that the bill is an amendment to the highly controversial National Security Act of 1947 should make everyone nervous.
Here is an allegory using the legal framework applied to the automotive industry:
1.) Government and Ford share a particular cyber security incident, it is codified as a state secret, and the two parties collude to not inform General Motors about the findings.
2.) Tesla motors trying to comply with the new mandates (is unable to certify its assembly line workers with security clearances) and not be a significant enough player to afford or be recognized as a protected or self protected entity.
3.) Ford purchases a majority share interest in SAIC and Harris Corp., investment analysts see this move as a way to improve Ford's corporate communications.
4.) Tesla begins having problems with various devices and hardware on their assembly line.
5.) Ford announces new products from their recent purchase in SAIC and Harris (the firmware for the new hardware has been in the works for five years).
6.) Tesla, after two years, successfully achieves a "certified entity" status
7.) Two months pass, SAIC is awarded a broad government contract to be a Cyber Security Provider.
8.) Tesla cyber security services are provided by the new SAIC contract...
9.) Ford executes an internal plan to disrupt the operations of Tesla
10.) Six months later, Tesla is totally decimated by a series of security problems (production equipment doesn't work, capital accounts liquidated in what appears to be some fraud, the FTC and SEC have Tesla under investigation, nearly 50% of Tesla's work force has been harassed or arrested). Tesla's shares become junk--
11.) Ford offers to purchase Tesla for $10.00
I was amused by a line in this guardian post
"She asked the squirming recruiters a few uncomfortable questions about the activities of NSA"
I had never (before) thought of NSA people as "squirming". I think there is (or was) an institutional pride in its employees. My own personal experience with individuals that worked there was that of individuals of the highest integrity.
Moreover, to judge by the adverts in AMS Notices, the institution portrayed itself as a "cool", interesting place to work. Maybe it is. But there is a deep chasm between this self-perception and the reality of the NSA as an impenetrable and unforgiving fortress. Perhaps that should change. One basic principle of security is that "obscurity" is never a guarantee of security. And maybe this fortress culture of secrecy isn't a guarantee of security either. I find it very hard to believe that the "adversaries" can alter their behaviour significantly knowing that particular channels are tapped. What's their alternative? Tin cans? In the same way encryption algorithms are public, why shouldn't the algorithms used to process "metadata" (traffic analysis) be made public? That kind of scrutiny would allow public debate about what is acceptable data gathering and might make the algorithms that are acceptable more effective.
McClatchy wire story summarizing the NSA revelations so far contains this fascinating tidbit:
NSA’s doubters point, in particular, to the agency’s push to build the massive data center in Bluffdale, Utah, whose storage capacity will be measured in the highest metric now used – “yodabytes,” named for Yoda, the “Star Wars” character.
It also appeared in my local paper, but isn't available on their site. Hopefully because it's been withdrawn for a correction.
Beautiful capture by someone, just...man just beautiful. Cops find the camera eventually and turn it around; great work. All w/o getting his hands dirty.
Oh, the drug mutt scratched his car, so I expect the police department to fully pay for the repairs and then some for the time wasted repairing the paint.
"First talks to soothe transatlantic tensions to be restricted to data privacy and Prism programme after Britain and Sweden's veto"
If any more confirmation was needed that the UK isn't the US' sole security lapdog in EU
Just tried the "sparkling water" link and it came back with "story no longer available"...
The move from tangible printed newspapers to intangible virtual newspapers is really annoying and it's helping destroy journalism.
Once upon a time a journalist would take time to check the facts of a story and write it up in a considered way, which would be read and checked by subs before the editor put it into print. If there were errors either an apology would be made in writing or the litigation option was open.
Now, because in a virtual newspaper the story can be removed in a trice, there is no longer the downside to ensure the honesty of the journalistic process. There is no editor as such, certainly no subs, and journalists have turned into cut-n-paste mouse jockeys getting paid $50 per story irrespective of length or accuracy, just first-past-the-post payment driving their ethics...
Issue 1: poor design of commercial security software that leaves it vulnerable to hackers or government intrusion.
Issue 2: the NSA has capabilities beyond what is publicly known. This point was made clear by the design of flame, stuxnet, and duqu. So even if the software is open source, and well-designed, we can never be sure that there is not a vulnerability that is only known and only accessible to the extensive capabilities of an agency like the NSA.
Issue 3: it is conceivable that the NSA could design a backdoor into software that is not detectable on analysis of the software's code.
"I had never (before) thought of NSA people as "squirming". I think there is (or was) an institutional pride in its employees. My own personal experience with individuals that worked there was that of individuals of the highest integrity."
I think the keyword there is "was".
The NSA has now done more work, we now know, in dismantling the foundation of freedom in the US - and so the world - than any other organization in the history of man.
They were children of the founding documents. Now, who are their predecessors? Hoover, Stalin, Hitler, Pol Pot, the Caesars, the slave masters and traders, the KKK... the list of tyranny goes on and on.
Right now, I am sure, they are shrugging this off. Evil is never understood when it is in power. It is mistaken as good because of its ability to express power.
But the legacy they are facing is one of shame. A legacy many already are able to clearly see.
Well, Sweden, as well. And we know Sweden did aid the US in rendition activities.
Though, I am not sure how sincere these other nations are, considering how so many of them treated the Bolivian President.
They do, however, have to give lip service to their people.
That is, democracy, after all, isn't it?
Serve one master and give lip service to the other?
Isn't that obvious?
When the first set of revelations were made, the EU response was limited to making statements. Partly because they too were doing the same e.g. German intelligence tapping into a major peering exchange.
Only when the revelations re surveilling EU delegations were made did a stronger response come. Because, obviously, the powers that be can't have their own privacy violated.
Now that UK and Sweden have limited the scope of discussion to the earlier revelations, no doubt we will see some suitable joint statement being issued at the end.
Some interesting titbits from the Netherlands.
A few days ago I wrote this in the Guardian's comments section about European involvement in PRISM:
"As a Dutchman I can add this.
Big news in the world, but not in Holland.
Two weeks ago an anonymous agent of the Dutch Secret Service confessed that he had full access to the PRISM files.
Due to the gigantic stupidity which keeps the whole of the Dutch-speaking area in an iron grip, this made no headlines."
Today CEO of Dutch hosting provider Intermax, John Knieriem, had some very interesting information to add.
What it comes down to is that basically, in the Netherlands, you are obliged to hand over all information to everybody and his grandmother.
Provided they had clearance.
This would include the Dutch Secret Service, Internal Revenue service and the Dutch Foresters Society.
Goodbye "free" world... was fun while it lasted.
What should be obvious is: if you are doing the same things as North Korea does -- you *are* North Korea.
Sadly, I know these guys in power have their underlings duped. But, there is no excuse for anyone in comp sec to remain duped at this stage. Is it so hard to calculate that if you are spying on the population that you are making the population your adversary?
That while you might get an ego blast telling yourself you are a "public servant" and "fighting for freedom" or "serving the interests of freedom"... if you are part of a machine that has denied the basic freedom of right to free speech and beliefs, you are the monster you claim to be fighting against?
When you do what the bad guys do, when you sink to their level -- you are the bad guy?
I think they need some kind of mirror or something. Are they this uneducated about what the definition of a police state is?
Sorry you did not study this in school, but post-holocaust it is your responsibility to educate yourself. Especially if it is your *job*.
It would have been better if all these guys worked in mines and farms.
G van Grijnen
What it comes down to is that basically, in the Netherlands, you are obliged to hand over all information to everybody and his grandmother.
But, wait... -- how do you really know your grandmother is not a terrorist if you don't watch everything she does?
Sad to hear, but no surprise. They are all the same. The lights were turned off and the cockroaches are playing.
I guess everyone who was sorry the Nazis lost went into government, if skinheads and the KKK found them too idiotic to join... :/
--Hmm, just give me your address and I'll send you a paper copy :). Still worked for me. I've noticed some funny stuff sometimes w/ other people's links so I'm not sure here; if that's the case you've got to trust that it's not me. Google (or duckduckgo) "elizabeth daly" and you'll get the story.
Yeah, it really is copied & pasted, whoever writes the story first. I just want more investigative journalism (like Krebs but more stateside); I sent both an email and snail mail thank-you letter to a local journalist who has done more digging than any I've seen recently. I think he liked it and he continues to push w/o (I assume) any cracking or getting too antsy.
I recommend watching Daniel Suarez's TED talk on Drones. There is a lot of overlap between Bruce Schneier's ideas and those of Daniel Suarez especially regarding concentration of power. http://www.ted.com/talks/...
European states were told Snowden was on plane:
So, NSA tells these European nations Snowden is on the plane, and lapdogs that they are (sorry!) they scramble their jets and work all of their infrastructure to obey their master.
Really sad, but how else would the world know just how bad things really are?
My guess is Russia tested their systems to see if the NSA was listening. And they were.
I doubt these nations will refuse to stop trusting the NSA, as many people will also refuse to stop trusting the NSA.
Though is obeying commands really a situation of trust, or simply of fearful obedience?
Will be interesting to see what effect it has on the French president's ratings.
Shooting down the plane because you felt like it would be considered a minor matter - who cares what Ecuador thinks - but jumping to the orders of the USA isn't exactly the de Gaulle model of French leadership
var cnonce = MD5.hexdigest("" + (Cryptocat.random() * 1234567890));
Re The "detournement" of Morales' plane.
"It's not the crime, it's the cover-up." The "alleged" crime is (possibly illegal) collection of data by NSA, lying by gov't officials etc. However, whether any of this is really a crime, we may never know.
I use "detournement" advisedly.
In spite of all the furious song and dance in Europe about PRISM it is absolutely clear that Europe is doing the same and working closely together with the US.
Only Martin Schultz, head of the European parliament doesn't know this.
Which tells you a lot about the European parliament.
I was about to post that when I saw you posted the link.
Actually the key sentence there for me had to do with the type of UK data capture, an approach which surely will spread to other shores and had interesting implications for Germany.
@ Dirk Praet
"Snowden: "The NSA and Israel wrote Stuxnet together." "
But is this a fact he learned as an insider or does he believe it for the same reasons we do? I was one of the people digging early on trying to figure it out. This blog saw each piece unfold in every story and post on others' blogs. By the end, it was certain that it was Israel and US working together. Snowden, if he reads current ITSEC news, would have heard that.
Had he made his statement before all of that, back when Stuxnet was a mystery, it might have meant something to me. Right now, it's something anyone would have known w/out clearance and might just be him trying to show off.
The move from tangible printed newspapers to intangible virtual newspapers is really annoying and it's helping destroy journalism.
--Actually, it may be helping to destroy history; b/c it's not tangible(!). We find proof of history w/ physical artifacts, bones, books, drawings, etc. One of the way too many dark thoughts that curse my mind. I'm currently amongst many other things trying to compile some of the most practical knowledge the blog has to offer b/c even back in its infancy you were saying "well, if you have a look back, I talked about this...". Well, a lot of links Bruce provides in the beginning are "dead" so, yes, very annoying.
So, perhaps Bruce has a more physical backup of all information contained in links (not the dreaded penis-enlargement spam that does in fact still exist on the blog, for the lulz I assume b/c it made me laugh while trying to do research).
@ Nick P
But is this a fact he learned as an insider or does he believe it for the same reasons we do?
I don't know. We could ask former vice-chairman of the joint chiefs of staff Gen. James Cartwright, but he's probably not going to comment 8-) ( http://www.guardian.co.uk/world/2013/jun/28/... ).
There's no telling whether or not he made this assertion based on insider information, but from what we have learned so far, he definitely knows more about what's going on than we do, so I'm willing to give him some credit. I do however have a sneaking suspicion the details are in the rest of Snowden's 41-slide .ppt deck of which less than 10 have been published to date. We are living in interesting times indeed.
Figureitout: I think you may find the Waybackmachine on http://archive.org a valuable tool. It might not have copies of everything (probably a lot of PDF:s are "lost" unless you specifically ask people here who might have saved them to repost them), but it should have a lot of it saved.
I bet it's a modular origami, not a 'true' Japanese origami. Looks pretty decent, though
I have a nominee for Worst Website Security Practice. I recently created an account at ZenniOptical.com. My "welcome" email contained not just my user ID, but also my full, plain-text password.
When I complained to the site's service email address, their response was:
Thank you for your kind feedback and suggestion. We have to tell you that we do not have other way sending the username and password. However, we will take your suggestion into consideration and try to do better.
Since this response implied I had asked for the password, I decided to see what would happen if I used their "forgot my password" link. I entered my email address and half expected to have my old password emailed to me. Instead, I received a new password. Not a one-use password; just a new, short, low-entropy password: XiZVBj.
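The two reset behaviours described in this comment side by side, as an added example that is not code from Zenni Optical or from anyone on the page: the weak pattern mails a fresh six-letter password (about 34 bits if it were uniformly random), while the stronger pattern issues a one-use, time-limited token and stores only its hash. The class and function names are mine.

```python
"""Password-reset flows: a short mailed password versus a one-use token."""
import hashlib
import math
import secrets
import string
import time
from typing import Callable, Dict, Optional, Tuple

ALPHABET = string.ascii_letters  # 52 symbols, the shape of "XiZVBj"


def password_bits(length: int, alphabet_size: int) -> float:
    """Best-case entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def weak_reset_password(length: int = 6) -> str:
    """The weak pattern: a brand-new short password sent in clear text.
    Even with a CSPRNG, 6 letters is ~34 bits and the mail itself is a
    durable copy of a credential the user is now expected to keep."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class ResetTokenStore:
    """The stronger pattern: a random, single-use, expiring token whose
    plaintext goes only into the e-mail link; the server keeps a hash."""

    TOKEN_BYTES = 32            # 256 bits of entropy per token
    TTL_SECONDS = 15 * 60       # tokens die after 15 minutes

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now         # injectable clock so expiry can be tested
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(self.TOKEN_BYTES)
        expires_at = self._now() + self.TTL_SECONDS
        # Store the hash only: a leaked table cannot be replayed as tokens.
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id if the token is valid, else None.
        pop() removes the entry on first use, expired or not, so a token
        can never be redeemed twice."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id

    @staticmethod
    def _digest(token: str) -> str:
        # A dict lookup on the hash is fine here: the token is 256 random
        # bits, so an attacker cannot guess it one character at a time.
        return hashlib.sha256(token.encode("ascii")).hexdigest()


if __name__ == "__main__":
    print("6-letter password:", round(password_bits(6, len(ALPHABET)), 1), "bits")
    print("32-byte token:    ", password_bits(ResetTokenStore.TOKEN_BYTES * 8, 2), "bits")
    store = ResetTokenStore()
    t = store.issue("alice")
    print("first redeem:", store.redeem(t), " second redeem:", store.redeem(t))
```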
--Yeah I've heard of it before, visited, never used it. But it's worked for at least 2 links already. Thanks.
@ Natanael L
"Figureitout: I think you may find the Waybackmachine on http://archive.org a valuable tool. It might not have copies of everything (probably a lot of PDF:s are "lost" unless you specifically ask people here who might have saved them to repost them), but it should have a lot of it saved."
Very good advice. I've used it to dig up copies of old research, tech, marketing claims, news articles, etc. that disappeared off the net. That thing is one of the best non-profit projects on the net. The internet version of a museum, but also useful. Definitely worth donating to for people so inclined.
OFF Topic :
What is the cost of malware when paranoia gets into management thinking in a US Gov agency?
I kind of get the feeling that "chicken little" thinking had got into them and as it's funded from the US Tax Take there was no rational counter argument presented...
OFF Topic :
This article is (supposedly) the edited highlights of an interview with a Cyber-Warrior,
There are some things that are odd and jibe a bit which may be the result of editing or lack of knowledge. Anyway read it and make up your own minds.
@ Clive Robinson re US Govt Hacker article
Thanks for the article. Good read.
"There are some things that are odd and jibe a bit which may be the result of editing or lack of knowledge. Anyway read it and make up your own minds. "
I was feeling that too. I'll first say that the author jumped off the page: Grimes. He's quite reputable with a track record in the security industry. He says this hacker is a friend he's known for a long time. So, unless Grimes just failed to validate key claims, then the guy probably is a hacker who gave Grimes enough reason to believe him.
I think he might be exaggerating at times. His story about having $100,000 in a storage shed that the feds busted into, narrowly missing him, sounds suspicious. His numbers on vulnerabilities in common applications, both the bug/LOC and stockpile, seem high. I mean, it's possible that they found that many vulnerabilities across the board in applications. However, many major applications have had so much scrutiny over the years that finding shallow bugs is much harder now. And I doubt his whole 1,000+ person organization is dedicated to bughunting.
What I do believe, however, is the line that he was with a group of people that challenged him, as so many were of or exceeding his intelligence. And that the people interviewing him were smarter. I recall both NSA and Google job hunters saying similar things. It's quite an experience to go from being the smartest guy in an organization to "a regular employee." I'm sure he did that.
Thanks for the link. I've been waiting to see a published case of a major organization doing this. (Most that do it just do it rather than talk about it.) Wonder if one of the Russian security service's people were reading Clive's recommendations on using paper instead of computers. Haha.
"However, another expert said that paper documents were still unreliable because they could be stolen or photographed, or could go up in smoke in case of a fire. "
This is technically true. However, for practical purposes, it's kinda foolish: it would have taken Ellsberg years to photocopy the amount of documents Bradley Manning grabbed. And stealing paper documents can get noticed, whereas stealing computer files can go unnoticed permanently if done correctly.
Personally, I think there's a decent middle ground: switch back to old school computer use. I'm talking Orange Book era stuff. Simplified clients, no DMA, trusted networking, centralized apps/data and security kernels in front of everything important. This by itself will reduce risk considerably and is easy to implement. Those concepts can be modernized to eliminate many problems of the old era using the fruits of modern research and deployment experiences. The resulting platform will be horrific to the average IT geek, but work can get done.
And, of course, paper + cold war tradecraft for the most critical stuff. ;)
cutting edge secure digital technology for dox & comms; the typewriter, paper, and a pencil
What, no carrier pigeons ?
As Nick P has indicated I've advocated the use of pencil/pen, paper and typewriters in the past on this blog and other places and as I've frequently told people "Paper Paper, never data" for many things.
However a couple of points to note about writing,
1, no matter how faintly you write by hand you leave an impression.
2, Most surfaces you write on in a home or office will hold an impression.
3, Impressions in surfaces that are not visible to the eye can be made visible by many simple methods.
So you first need to find a surface to write on that won't hold an impression. I could give you a list but the simplest to source and use which attracts almost no comment is glass. A large photo in an older style frame with glass frontage rarely looks out of place on a person's desk and is almost expected in some environments. Glass also has another useful attribute in that a static charge is easy to deal with by just a wipe with a silk hanky or various soft cloths; just breathing on it to create condensation works at a pinch.
Just one point to note, any surface layer on the glass such as dust or fingerprints will hold an impression from writing so wipe before and after use.
Type writers can be a real pain. There are few true mechanical-only type writers; most are electric so have EmSec/TEMPEST issues. Also many have "electronic memory" (RAM etc) into which what you type goes. But all type writers have two "mechanical memories" which store what you type in: the type ribbon and the rubber platen roller. A lot of paper these days has a "chalk finish" for various reasons (ink in printers, look and feel, etc); this leaves a residue of the printed text on the rubber platen roller and without going into details you can detect it and thus read the last things typed.
So when buying a type writer go for an older mechanical type where removing the ribbon and roller to put in the safe is easy. Also don't use coated/finished paper, then there is the issue of "carbon paper" acting as another memory device, likewise "white out ribbons" and other correcting systems.
I could go on but as the old saying has it "Security is never easy".
As I've indicated before I have the luxury of an RF Cage to work in when I need to, and I use a very old floppy disk only computer and a dot matrix printer with multipart stationery which I use for making One Time Pads, and an appropriately rated safe to put them in.
Speaking of multipart stationery, you can get paper that is nigh on impossible to photocopy and it does not photograph very well either, but it can be a strain on older eyes and in some cases where people are colour blind next to impossible to read.
None of these security measures are even close to being prohibitively expensive to use, and ladies who did secretarial work prior to the mid to late 1980's would have probably passed their "Pitmans" and thus used type writers, carbon paper etc and thus be comfortable with it.
Oh and as for a "deal maker" it's been noted several times that "office productivity" was greatest back in 1973 when type writers and filing cabinets were all offices used...
The resulting platform will be horrific to the average IT geek, but work can get done
--No, what's horrific is the thought that you haven't done enough. Unless I have the wrong copy of the "Orange Book", seems like more value is to be found in the cited papers. Plus some of the parts they may advocate probably aren't fabbed anymore; like I found out w/ some other older books.
--Good one. Makes you wonder about people in a park feeding the birds.
as I've frequently told people "Paper Paper, never data" for many things.
--I know, I swear I'm going to have nightmares w/ that phrase if you don't stop going on about it. If I'm going to wipe my glass picture frames to have a secure writing space, I might as well wear one of these too. Makes me feel normal.
Anyway, thanks for advice.
"No, what's horrific is the thought that you haven't done enough. Unless I have the wrong copy of the "Orange Book", seems like more value is to be found in the cited papers. Plus some of the parts they may advocate probably aren't fabbed anymore; like I found out w/ some other older books."
Recall i said...
"...Orange Book era stuff..."
Yes, directly going by the Orange Book would be a pain in the arse. The Orange Book is outdated, as well. The proper starting place is looking at how they constructed their exemplar systems, especially those that had successful production use, in those days. From that point, one conducts a systematic analysis of it on each level using modern knowledge looking for problems. Many that are found can be dealt with individually with ease in a new design.
The resulting system is simple (hardware and software), minimal, can be prototyped onto new hardware easily with modern tools, useful for basic stuff needed to get intelligence work done, can't be leveraged as an anchor for other stuff, and can be evaluated to high assurance if the labor is put forth. Russia has plenty of bright engineers, mathematicians and hackers. And motivation. Dare I say they could probably construct the systems better than us if they really tried.
Like you said, though, the papers in those days had much more interesting wisdom than the Orange Book itself. It's why I collected all of them that are available from any source. ;)
Sidenote: You mentioned the problem of parts for the old machines. Perhaps you should have been consulting for our ICBM project cuz they apparently never thought that could be a problem and now we're left with...
EDIT: I meant to say "can" be leveraged as a trust anchor for other stuff. Oops.
OK, I'd rather use the system to store my research, and I'd rather engineer than consult. Maybe someone should start making the parts since we can be forced to use insecure systems by controlling the fab labs and f*Cking bluetooth will be baked in everything.
According to the Google security blog, there are thousands of new email phishing schemes going on in Iran with the current elections. Most likely this is being done to gain access to politically affiliated individuals or activists. When will the internet giants have a better grip on phishing attempts?
As a new member to EFF's board I needed to share an idea related to the 'Clapper' decision with regard to standing.
I believe EFF can bring a claim, using harm, in that EFF has had a negative finding before the court. Thus, the dismissal of the case before the court (the harm) was a direct result of the covert program(s). And, what better witness can you have but the court itself.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.