Schneier on Security
A blog covering security and security technology.
July 26, 2013
Friday Squid Blogging: Squid Song
It's "Sparky the Giant Squid."
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on July 26, 2013 at 4:27 PM
I'm digging the new pic. The last one had a "staring into your soul" vibe.
On pic, yes, more friendly, but can understand that.
... on subjects missed...
Rest in Peace, Barnaby Jack.
A truly bright and beautiful soul in computer security has passed.
For me, today, my highest security risk has to do with brushing my teeth. I really should be brushing them twice a day.
I read the article a few days ago and the response from Toyota shocked me; they obviously don't have a clue about security in semi-autonomous real-time systems.
Their attitude is a little like the old joke on the front of a *nix SysAdmin manual about the castle defence being a forty foot pole with a notice on it.
The sort of security Toyota is implementing is not even perimeter security but "gateway security" and is like Bruce's adage about putting a vault door on a tent.
Most control systems these days consist of semi-autonomous units linked by some form of network. These units have limited functionality and as such almost act like repeaters in some modes of operation.
For instance, a braking unit is designed to control the slowing down and stopping of a wheel or two; what it does not usually do is autonomously decide to apply the brakes. That is, it receives real-time commands across the network from another unit.
Unfortunately these slave and master unit communications are almost invariably in some form of plain text (understandable in real-time systems due to processing delays with crypto etc.) and are not authenticated either, thus they are in effect insecure from the network point of view.
Some of the newer crypto and authentication modes have minimal delay and can have pre-computed keys etc., but often these modes carry some form of IntProp licensing etc. and for cost saving reasons don't get used.
For Toyota to say they are only addressing remote non-physical access security is a serious admission of their lack of technical ability when it comes to passenger safety. Which should be a grave concern for anyone buying their products.
OFF Topic :
Mobile Phone SIM card security breached.
As some of you are aware I have a bugbear or two about legacy issues and lack of plug-n-play frameworks for security primitives and protocols.
Well, this article gives a real world example with significant implications that not only demonstrates these points but also affects around 1 in 8 mobile phone users.
Put simply, the two issues are using known-to-be-broken "single DES" crypto and having significant problems in error handling in the Java Card sandbox from both the major SIM providers.
I guess as the issue is being presented next week at BlackHat we won't have long to find out the more interesting technical details.
Last week, all major companies announced that they will release their chat/documents/mail/cloud encryption systems in the next months.
It seems that they now have to be concerned about privacy, after the PRISM scandal.
A security product called "Gith", released just a few weeks ago, is making some "noise" in Europe: http://www.gith-systems.com/
@ Clive Robinson
"Unfortunately these slave and master unit communications are almost invariably in some form of plain text (understandable in real-time systems due to processing delays with crypto etc.) and are not authenticated either, thus they are in effect insecure from the network point of view.
Some of the newer crypto and authentication modes have minimal delay and can have pre-computed keys etc., but often these modes carry some form of IntProp licensing etc. and for cost saving reasons don't get used."
I'm not sure that there's an easy solution. The standard protocols/parts, plus the "cheap" requirement, mean that most solutions would turn the product into a luxury car. In price if anything else. Plus, do you really want "more" computers on your car? MTBF, etc. So, I'm not sure where they're going to go with this one.
Re crypto vs real-time
I suspect this may not be as bad as you think. I don't use any specialized crypto in designs. Yet, some were real-time. The trick was combining the fastest ciphers (sometimes hardware supported) with a predictable, small data stream. Ciphers in a streaming mode without key changing seem better for this domain b/c it eliminates key handling except at startup (or factory pre-program) and the encryption is done in place (no extra data).
This doesn't address authentication. Someone can still mess with a signal a bit. However, I'd honestly rather have my brakes default to "turn on" than "fail-safe" to "stay off." ;)
Gith Security Review (Preliminary)
If inspired by PRISM, it's ironic that most of these solutions popping up can be subverted by NSA using their legal approaches. There was one security writer that pointed out that we must distinguish domestic and foreign TLA's because the legal support of domestic TLA's makes them quite effective: they just tell you to do it, then you do it or suffer the consequences.
Here's the security page of this
The three properties it mentions are good. They are very similar to the promises of Hushmail a long time ago. Of course, Hush eventually began subverting its own software for the government in a way that seems to undo its end-to-end encryption trait. Like Hush, the binary is closed and should be easy to backdoor. Positive point for Hush is that they at least provided their crypto source code for independent review.
(Although, I've often criticized the alleged value of this saying there's been more compromising flaws in how crypto is used and how apps are configured than the crypto engines themselves. Their providing the source for review is still A Good Thing, though. Cryptophone also does this.)
Their algorithms are RSA-2048, AES-256 CBC, and SHA1. A combination that's starting to feel old. ;) I see why they might use the algorithms though: maturity of implementations and widespread support for each cipher. Matter of fact, those are the same algorithms I posted here a year or two ago when discussing my VIA Padlock accelerated options. Padlock would make the crypto almost invisible. I'd prefer new projects to use Bernstein's NaCl library for the same reasons, though.
"All security parameters (private key, password) don't leave your computer to guarantee a complete security."
Less information on their systems is good. Phrases such as "to guarantee a complete security" always bother me though. There's not a single product (outside fixed-purpose devices) that can make that claim. Second, this application of the claim ignores that the most common threat, malware, would circumvent the practice. So, extra bogus marketing.
"To limit this risk, when creating your account, you will be asked to export this private key as a QRCode. This is a representation of your key, ciphered with your username."
Exporting the private key to a QR code is a cool idea. It has a benefit they might not have noticed: the user is more likely to spot the paper with the private key in a file cabinet of otherwise identical looking papers. It does require a scanner, camera or interface with a smartphone. These might create additional risks. If they have a plaintext private key export and import option, that would be nice for people who keep simple PC's.
Enciphering with the username sounds pointless: anyone that can get the enciphered key could get the username even more easily. And the cipher strategy is built into the executable for black hats' ease of discovery. ;) If they *really* want to obfuscate, they can just use a XOR-based stream with preplaced key. I've previously used xorshift128 w/ truly random seed for non-security-critical, high-speed, simple obfuscation. It takes a decent amount of data before the patterns in the stream become obvious to a non-expert. A black-box test might think you are using real crypto.
"When you travel, you simply need to take this QRCode with you to get access to your mails from any computer connected to the internet!"
Something about this seems unsafe... something...
"When you want to add a new contact, a request is sent to them.
If accepted, Gith server sends your respective public keys which will be stored locally on your KeyStore.
This keystore is protected with your password, your contact list is then protected and no-one will know with whom you're in contact."
Sounds much like the old PGP type systems. That's a good thing.
"To prevent this, Gith stores all received data in their ciphered form. Gith deciphers them on the fly when accessed by you. An internal mechanism is used to erase all memory traces after viewing a message (the RAM memory zone containing clear data is overwritten after usage). By default, our servers do not store your messages. Once delivered to all their recipients, we keep no trace of them.
The Gith interface allows you to choose what you want to store "online" if you want to consult some of them from another computer/smartphone. "
This is good. I assume, but someone should test, that the files stored online remain encrypted with AES so that Gith can't read them.
"Gith uses very few external libraries and those appear only in "non-critical" parts of the software (graphical libraries, etc.).
This guarantees a complete control over the executed code and fast response time in case of discovery of bugs."
It's good that they are minimizing external libraries. That has proven value. The rest of the claim is too vague for me to evaluate.
"The software is distributed freely on Windows and MacOS X and available on iPhone and Android."
And it runs on the most important platforms. Well, the Linux desktop people might claim to have been slighted. But they always do/are so who cares. ;)
It seems like an extension of the PGP model for new content. It will inherit the end-to-end properties of that model for messages, keys and contacts. That assumes it's implemented properly. I'm unsure of its usability without a hands-on review. If usability beats PGP-type solutions, that would be a huge plus by itself. Lacking independent review, we can't verify *any* claim they make without reverse engineering.
I'd say one nice thing they could do is have a third-party lab such as Matasano or even a well-known cryptographer assess the security claims. This would give users confidence that they are using the crypto right, the software does what they say it does, and that there were no backdoors at time of review. Plus, it might differentiate them from the competition.
Very interesting review, thanks!
There's a reference to a Linux version at the bottom of the first page ...
Who knows! :)
Just to raise some issues:
To what extent should information security be taught as part of a K-12 school curriculum?
What minimum degree of knowledge would we consider desirable for an adult to have in order to make, with a reasonable amount of effort given the heavy demands on time, intelligent decisions about information security?
What minimum degree of knowledge would we consider desirable for an adult to have in order to formulate an informed view about public policy on information security?
I raise these issues because background knowledge is often essential to being able to analyze new information about a complex subject and to alter one's views accordingly. The lack of background knowledge, it seems to me, is the biggest hurdle to a citizen becoming truly informed about a policy area, and therefore the biggest hurdle to an electorate able to exert intelligent pressure on politicians.
This isn't a new insight I realize - Walter Lippmann famously wrote quite a bit about this - but as I learn more about information security, I'm struck both by how much background knowledge is required to truly understand it, and how little of that knowledge seems to be a part of public school education.
Coming soon to an ISP near you...
Now, why would they block all that stuff when the ISP data collection can do more damage to the populace by making them guilty of a crime? That is what they are after, making you "guilty" of something that they can hold it over your head (intimidation/control).
@ Different View re INFOSEC in classroom
Honestly, it's not yet appropriate to worry about this for K-12. Teaching some basics as part of computer courses in upper middle or high school should do for now. A prerequisite to INFOSEC would be understanding the basics of managing risk in general. A prerequisite to that would be critical thinking: esp. rational thinking, identifying fallacies, and the scientific method. The underlying critical thinking skill will help the students solve more problems than many specific instances of it put together.
There are two similar obstacles to this: politics and religion. Any belief system or authority structure built on something other than reason can be challenged by it. Teachers, preachers and such don't like students that question their dogma/methods. That is a side effect of critical thinking. Creativity can be a nice aid to critical evaluation of policies, processes and ideas in general. However, the rote memorization and rigid nature of the educational system also punish it. So, currently, there's too many forces working against both critical thinking and its byproducts in the school system.
The conclusion is that the best battle to win is the one for critical thinking. A long-term goal would be to make it second nature to most people growing up. They should also learn the proper place for and value of intuition, which is good for things you have experience in. With these in place, more scientific disciplines such as risk management can be built on top.
Joseph Bonneau receives award from NSA on cybersecurity. He then states that a free society and the current NSA are not compatible.
Bruce has mentioned the need for treaties to deal with cyber offensive / defensive rules.
While we aren't there yet, apparently there are at least some understandings of "red line" de-facto rules issued privately, according to a Washington Times article last week:
"Mr. Lewis said the U.S. government has placed “red lines” that will trigger a significant offensive U.S. cyber or other response.
They include cyberattacks that cause the deaths of Americans or significant economic damage.
“China, Russia and others have been very, very careful not to cross that line, not to use force,” he said. “And we have the best cyberoffensive capability in the world.”"
Seems like you could just use a write-once pad and XOR all the data between vehicle systems. It's dirt cheap to implement. Large storage isn't a problem. Replicating or creating a random pads isn't a problem. You could even just XOR periodic checksums to validate messages.
The problem arises with what to do when your real-time system fails its communication security. 999,999 times out of 1,000,000 it's going to be a hardware failure. What do you do when the vehicle is traveling at highway speeds? How about when it's traveling at 5mph in the school parking lot? Fail on or off on the brakes can be equally deadly. If we just ignore the security, then why have it in the first place?
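The thread raises the same point twice: Clive Robinson's note that master/slave control-unit commands are sent unauthenticated, and the later suggestion of an XOR pad with XOR checksums between vehicle systems. An unkeyed XOR checksum is something any node on the bus can recompute, so it does not bind a command to a sender. The following is an added example, not code from the blog or any commenter, showing what the minimal alternative looks like on a small fixed-size frame: a pre-shared key provisioned in advance (as the thread's "pre-computed keys"), a keyed tag over the whole frame, and a monotonic counter so a recorded frame cannot be played back. The unit id, command code, key and frame layout are constructed for this illustration, not taken from any real ECU. The receiver only reports a verdict; what the vehicle does on a rejected frame is the policy question asked above and is left to the caller.

```python
import hmac
import hashlib
import struct

# Constructed values for this illustration (assumptions, not from any real ECU).
UNIT_BRAKE = 0x21          # hypothetical id of the braking unit
CMD_APPLY_BRAKE = 0x01     # hypothetical command code
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # pre-shared, provisioned at the factory
HEADER_FMT = ">BIBH"       # unit id, 32-bit counter, command, 16-bit payload
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 8 bytes
TAG_LEN = 8                # truncated HMAC tag; 16-byte frame in total


def mac(key, header):
    """Keyed tag over the whole header; the key, not the algorithm, is the secret."""
    return hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key, unit_id, counter, command, payload):
    """Master side: bind unit id, counter, command and payload under one tag."""
    header = struct.pack(HEADER_FMT, unit_id, counter, command, payload)
    return header + mac(key, header)


class Receiver:
    """Slave side: accepts a frame only if it is authentic, addressed to us and fresh."""

    def __init__(self, key, unit_id):
        self.key = key
        self.unit_id = unit_id
        self.last_counter = -1   # highest counter accepted so far; persists between frames

    def accept(self, frame):
        if len(frame) != HEADER_LEN + TAG_LEN:
            return (False, "bad length")
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        # Check the tag first, in constant time, before acting on any field.
        if not hmac.compare_digest(tag, mac(self.key, header)):
            return (False, "bad tag")
        unit_id, counter, command, payload = struct.unpack(HEADER_FMT, header)
        if unit_id != self.unit_id:
            return (False, "not for this unit")
        if counter <= self.last_counter:
            return (False, "replayed or stale counter")
        self.last_counter = counter
        return (True, (command, payload))


def demo():
    """Walk through the cases a defender cares about and return the verdicts."""
    brake = Receiver(KEY, UNIT_BRAKE)
    frame = build_frame(KEY, UNIT_BRAKE, 1, CMD_APPLY_BRAKE, 300)
    genuine = brake.accept(frame)
    # The same frame with one payload bit changed in transit: the tag no longer matches.
    damaged = bytearray(frame)
    damaged[7] ^= 0x01
    tampered = brake.accept(bytes(damaged))
    # The genuine frame seen a second time: the counter check rejects it.
    replayed = brake.accept(frame)
    # The next legitimate frame carries a fresh counter and is accepted.
    following = brake.accept(build_frame(KEY, UNIT_BRAKE, 2, CMD_APPLY_BRAKE, 0))
    return genuine, tampered, replayed, following


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The tag costs one HMAC over 8 bytes per frame, which is the kind of fixed, small per-message cost the thread's real-time objection is about; the counter state must survive resets on both ends or the first frames after a restart will be refused.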
I've mentioned before how the feds like to act like they're in a James Bond movie; well my observations seem to have a little truth to them it would appear.
Sorry can't reveal methods, but they do the same to the entire U.S. public; so...regardless it's comical to think these are "professionals". Some things you can't teach.
Just a request for Bruce... I have always wanted to get a vpn but trust is always a problem. It occurred to me recently that pretty much the only people who could run a thoroughly implemented secure vpn service that would be trustworthy would be EFF. Given your new status there perhaps you could give this some thought. I am sure you would have a flood of customers.
Not to be passé or cliche, the old standards still apply. Until the Supreme Court can pull its collective heads out of our arses, money will be a substitute for speech. So I guess it is time to pucker up and take another hit to the groin in the land of the free and the home of the depraved. Thanks wired!
Check out Airvpn. They claim that they are affiliated with the EU version of EFF. (As I understand it, not from EU).
How practicable would it be for someone to use fake National Security Letters to steal sensitive corporate information?
Given the restrictions on disclosure when you receive one - which have been widely publicised - this would appear to severely restrict a victim's chances of figuring out that it's fake.
> To what extent should information security be taught as part of a K-12 school curriculum?
Let's see... I was incarcerated in the US public school system circa 1965-1977, in various states.
We never covered any law whatsoever. We had "math", but nothing about credit or interest. (or balancing a checkbook, something many members of Congress also seem to have trouble with) There was nothing about computers, of course... but a niece recently graduated, and during discussion I found out the several years of computer classes she had in high school were "make-work in Microsoft Office," which wouldn't necessarily teach you anything about security, or computers.
Perhaps one of you could explain why taking over a car's computer network is materially different from cutting the brake cable or loosening the lug nuts. And why the countermeasures against loosening lug nuts won't work against attacks on the CANbus.
Curt Monash, a top database industry analyst, had some interesting thoughts on limiting government/corporate data surveillance that I thought some of you might appreciate:
--One of them takes more sophisticated tools and intelligence in programming and microcontrollers while the other one almost anyone can do w/ some snippers or wrench. My little brother and a friend used to do some shithead shenanigans when he was younger and collect valve caps off cars.
You could physically check your lug nuts and brake cables visually but would have to gut the car and whip out a comp. w/ some software to check the CANbus. That would make you more paranoid than me so if you can sustain that I tip my hat to you.
--Forgot to mention, OnStar already does remote diagnostic checks and horn/lights/door unlock/ignition shutdown...So the systems are already there...
Well, as @Figureitout has already noted, one is a mechanical system which is visible to the human eye whilst the other is electronic and most definitely not visible to the human eye.
But you need to consider further: one is a simple system that due to history and science is a well engineered system which is sufficiently well understood to not only be minimalist in design whilst also being reliable and in most designs safe. The other is a vastly overly complicated system that has so many interacting parts its complexity is such that it cannot be tested in anything but a minuscule fraction of its possible states. Thus even with the best will in the world it cannot be considered either reliable or safe in the majority of states it might get into.
Further, the mechanical system being a physical tangible system can and is protected by simple physical means. So if you have checked and tested it and then locked it up in a secure garage etc. you can be reasonably confident it has not been tampered with some time later when you come to use it. Further, as long as you are physically with the vehicle at all times whilst out and about you can be reasonably confident the system is not being tampered with.
The networked system is in use not a tangible physical system but an intangible information system that you cannot adequately examine or test. So even if you have carried out the "recommended" tests you have little or no real confidence that the system has not been tampered with in some way. Further, as the number of non direct connection systems available that can connect to the network increases due to regulatory reasons, the risk has crossed the point where you can test it and have confidence that ordinary physical protection will prevent it being tampered with. But worse, because of the non physical contact required to tamper with the systems it could be done whilst you are driving at speed down a motorway/freeway just as you come to a part where due to bends and on/off ramps or slip ways the need to steer/brake becomes required for continued safety of the vehicle and its occupants. Thus in effect it becomes like a sniper's bullet but lacking in the physical skills to employ it.
But another consideration needs to be accepted: whilst after a vehicle crash the tampering with a mechanical part to cause the crash will leave at least trace evidence that the tampering will have occurred. Thus a reasonable chance that the tampering will be found and thus an investigation to find and punish those responsible will occur.
The same is not of necessity true of an information based system. A record of the tampering will only occur if there is a suitable logging system (Black Box) that will be capable of both faithfully recording all details and be immune to attempts to subvert its purpose. But where do you log? Obviously just the network is insufficient as malware could be loaded into say the memory of the braking device sufficiently far back in time such that the logging device on the network has overwritten itself or never seen it. Thus the malware remains hidden. Likewise just monitoring the physical actuator output will not provide sufficient evidence of tampering malware.
These logging issues / considerations have been hashed and rehashed over and over for many years in the aerospace industry where most engineers will admit the issues are in effect insoluble at any point in time. Because as more technology is added the complexity rises at some high order power in the process opening more and more vectors of attack.
Are there solutions to this complexity problem? Well yes, but they bring a whole new set of issues to the table that rapidly increase the cost of adding them to an existing design. However, as in many engineering issues there are "sweet spots" where when you "design in" from day one the costs are dramatically reduced and in some rare cases might actually reduce the manufacturing cost below those currently required for systems that only have some subset of the desired features (this can be seen with crumple zones, side impact bars, and many other mechanical vehicle safety systems).
Few people keep their cars under lock and key or guard at all times. Fewer inspect their car for sabotage. The security measures most people use are:
1) Not many people want to kill us.
2) Most of the few people who want to kill us are far away.
3) We hope that the threat of being caught and punished will deter those that have both motive and opportunity.
The first and third continue to operate against tampering with a car's electronics.
The second is yet one more good reason not to connect cars to the Internet, but it continues to operate if altering electronics requires proximity or physical access.
The question of whether or not electronic tampering leaves traces is interesting. The fact that the system is complex and impossible to fully understand increases the chances that tampering will have unforeseen side effects and leave evidence. So we have the question of whether the investigators are smarter than the bad guys, but this has always been in play, even in the case of physical tampering.
"I'm digging the new pic. The last one had a 'staring into your soul' vibe."
Thank you. The old photo is on the "about" page, if you start missing it.
Wondering if anybody has thoughts on this, allegedly able to encrypt software so that it can be run but can't be reverse engineered:
There's a paper, which Science Daily doesn't link to:
http://eprint.iacr.org/2013/451 Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits (Garg, Gentry, Halevi, Raykova, Sahai, Waters)
One of the authors, Craig Gentry, is best known for homomorphic encryption.
Does anyone remember the scene from "Catch Me If You Can" where Hanratty asks Abagnale's father where his son is? "You aren't a father, are you? I won't give up my son." Powerful scene, a father will rarely give up his son; even when he's former military.
Doesn't help if even his father doesn't know of his exploits, let alone anyone; a secret he wishes to tell someone he trusts, but will be instantly said to be impossible b/c maybe the possibilities of the brain are a little too much to handle (aka beyond known physics) and the first and only response will be laughter...Just like being a kid all over again...
Have you made recent changes to the blog? Or are you being impersonated?
It's just that comments by you or the moderator used to be highlighted with a yellow background and the comment above ( #c1595377 ) is not.
"Does anyone remember the scene from "Catch Me If You Can" where Hanratty asks Abagnale's father where his son is? "You aren't a father, are you? I won't give up my son." Powerful scene, a father will rarely give up his son; even when he's former military."
It was a good scene in a great movie. Another one like that is in Jumper where the failure of a father is confronted about his son, then makes the one good choice in his life. I really like how that part happens so subtly and quickly.
Snowden's dad seems honest. Mentioning a "firewall" between him and his son was an odd choice of words. All in all, though, he comes off as genuine and having his son's back all the way. Good man.
OFF Topic :
As many of you are aware, a couple of Chinese Telco Equipment manufacturers have been told their products are considered to be a security risk and thus are in effect banned from being used in US Gov.
And Michael Hayden re-iterated this recently when being interviewed for an Australian news outlet.
Well, it appears that it's not just Huawei and ZTE with bans; the Chinese company Lenovo that bought up IBM's laptop manufacturing is also banned by the BRUSA/UKUSA top five nations (these "Special Relationship Agencies" are sometimes called the "Five Eyes" and are mostly not under the control of their host nations' democratic processes).
The problem with hardware and firmware is that it is frequently not under the control of the final equipment manufacturer. Thus the security issue starts much further up the supply chain, well beyond ordinary private and corporate purchasers' control. Whilst these issues have occurred since the very early days (1970's) of IC manufacture it is only in recent times (early 2000's) that it has become known as "Supply Chain Poisoning" and become a more widely considered problem. For a quite good general management overview, with more technical links, have a look at,
At the bottom of the above linked page are a number of other links to articles by the same author; they are also worth a read, especially this little gem,
Which points the finger at Intel for supposedly doing the same...
As I've indicated in the past some parts of Intel's chips are distinctly suspect, in particular the "magic pixie dust" design of their on chip Hardware Random Number Generators (HRNGs) which don't qualify as True Random Number Generators (TRNGs) for various reasons.
Bababushka likey. Damage control lol. Roy Apseloff lol.
Lol Powell-Cretu emails up at cryptome; hilarious. Obvious affair.
Another FBI FAIL. I mean, if they had more money and power they could have prevented this attack! Yeah!
Bruce Re: NSA Secrets Kill Our Trust
--The FBI is in fact involved in operations where they try to egg on and tempt targets into committing heinous acts. It's waste beyond what I can imagine; and absolutely KILLS TRUST which will ruin our society along w/ our stupidity in rushing to create waaaayyyyy tooo complex circuits and software w/o a thorough understanding. Working by myself isn't a lot of fun so I sometimes have to make assumptions and compromises to work w/ others, unless someone likes to work on the bare basics in which case that's a lot of fun. So, like a very wise and prominent poster stated, "the possible states are impossible to model, predict, and prepare for". Thus anyone and their mother can hack and no one will have a clue what they are doing; epic fail.
At least I can do math w/ some at the NSA, but w/ the FBI creeps I just want to get away from at all costs.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.