Friday Squid Blogging: Squid Watch

I like watches with no numbers.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on August 2, 2013 at 5:59 PM • 70 Comments

Comments

JasonAugust 2, 2013 6:57 PM

What do you think the odds are that blowfish can be brute forced? Twofish? AES?

Does the NSA have copies of all Windows/Mac private certs? Is HTTPS, even if perfectly implemented, basically worthless since they can MIM attack anyone?

WhatDidYouExpect?August 2, 2013 8:33 PM

Attach on decoy water plant???

http://it.slashdot.org/story/13/08/02/2313228/...

This seems like propaganda to me. Why tell the world that this is a decoy? They should be using the intercepts to determine how the attempts are proceeding, upgrade the decoy to address the intrusions, determine how to fire back against the intruders (do real damage), attempt the same attacks against their infrastructure to see how they are handled (or rejected), figure out how to damage their infrastructure, BUT FOR CRYING OUT LOUD, DON'T TALK ABOUT IT. Crap, how dumb is that? Well, except for propaganda value (is that an oxymoron?)

Petréa MitchellAugust 2, 2013 8:52 PM

I never thought I'd be recommending a TV series here, but Gatchaman Crowds is going for a highly relevant science-fictional take on security, technology, and power. It's a near-future setting featuring a social network which has been designed by its inventor to actively encourage people to act in prosocial ways. That part doesn't really take center stage until episode 3, but you'll need to start at the first episode or you'll be completely lost.

For anyone reading this blog who's also a fan of sf, I highly, highly recommend that you check it out.

GarrettAugust 3, 2013 12:17 AM

Guy copies some source code to external site, no nefarious intent, and is accused of theft, arrested by FBI, gets 8 year sentence (later acquitted).

http://www.vanityfair.com/business/2013/09/...

He's questioned by technically clueless FBI officer, gives details of his actions. His openness and detailed info is interpreted as a "confession".

unknown.soldierAugust 3, 2013 11:18 AM

Godel • August 2, 2013 8:31 PM
"A Chinese hacking group accused this February of being tied to the Chinese army was caught last December infiltrating a decoy water control system for a U.S. municipality."


There seems to be a lot of evidence China has been hacking the world up and down.

However, little to none of that evidence is conclusive, even with people who think they have 'eyewitness evidence'.

Consider the Mandiant story. Looks really good if you do not try and reverse engineer on "how hard would it have been for Americans to do all of that and leave false breadcrumbs to China". Not very, if you look at it that way.

The Carpenter-Sandia Labs story is another good one: so a regular guy who is patriotic works at a government lab. They get hacked, he hacks back, tracking them to China routers. He reports all of this all along, and is counter-investigated by the FBI while doing his good citizen bit. He is fired. He sues. He later gets over a million dollar settlement.

Proves it. China was hacking the US.

Bzzt. Wrong. Could also be a tremendously satisfyingly successful cover story. The FBI investigating him even would not know. They would believe it more then the public. Only the compartmentalized teams actually doing all of this hacking would have to know. And they would be glowing with a "job well done".

Even if China knew anything, they couldn't say anything besides a grumbling, "Anything online can be forged". Because in counter-intelligence, there is a huge advantage in playing dumb. As it is said about spying, "you don't want them to know you are spying on them so you can see them do things", so it is with counter-intelligence, "you don't want to let them know you know they are spying on you, so you can get them to believe your lies".

^_^

Food for those capable of deep thinking: You work for a government. You want to start a black ops (seriously black ops) hacking group. How do you get away with it. You know, unlike "on tv", there will always be substantial risk. There is only one solution. Appear to be coming from another country.

Cover identities, their set up of legends, their maintenance, is common work for intel agencies. How much easier to do with online world. They have a lot of money and resources invested in these things and decades of experience. Yet, consider, today it is normal for even average online users to be able to do this well.

Never believe someone is an incompetent idiot. One of the great flaws of man is to underestimate their opponent. Everyone is full of pride, and so considering others "stupid" is a very common error. People in intel fields can feed on that and turn it into an art. Not hard to do, consider how easy it is to get people to judge others wrongly.


unknown.soldierAugust 3, 2013 11:26 AM

Garrett • August 3, 2013 12:17 AM
Guy copies some source code to external site, no nefarious intent, and is accused of theft, arrested by FBI, gets 8 year sentence (later acquitted).

It would be nice if the writer of the article got to the point of how there was a legitimate reason for the guy to take the code out of the company.

I had to quit at page two, when they started to get into his lifestory, because they did not explain that well.

It is very possibly wrong, "subversion", for instance, is one of the most popular code systems. Thinking it is evil because of the name, does sound like they fouled up the case.

I assume they "get to this", but in general, it is expected for employees to keep their code on company networks -- really, by any company. Especially ones with sensitive code.

unknown.soldierAugust 3, 2013 11:30 AM

WhatDidYouExpect? • August 2, 2013 8:33 PM
Attach on decoy water plant???
http://it.slashdot.org/story/13/08/02/2313228/...
This seems like propaganda to me. Why tell the world that this is a decoy? They should be using the intercepts to determine how the attempts are proceeding, upgrade the decoy to address the intrusions, determine how to fire back against the intruders (do real damage), attempt the same attacks against their infrastructure to see how they are handled (or rejected), figure out how to damage their infrastructure, BUT FOR CRYING OUT LOUD, DON'T TALK ABOUT IT. Crap, how dumb is that? Well, except for propaganda value (is that an oxymoron?)


Totally agreed.


unknown.soldierAugust 3, 2013 11:41 AM

http://arstechnica.com/tech-policy/2013/08/...

Title says it all.

The biggest illegal hacker in the world is the US Government. ("It isn't illegal if a cop does it!" foolish argument aside.)

http://www.theregister.co.uk/2013/08/02/...

"The Federal Bureau of Investigation is using mobile malware to infect, and control, suspects' Android handsets, allowing it to record nearby sounds and copy data without physical access to the devices.

That's according to "former officers" interviewed by the Wall Street Journal ahead of privacy advocate Christopher Soghoian's presentation at hacker-conflab Black Hat later today."

"The FBI's Remote Operations Unit has been listening in to desktop computers for years, explains the paper, but mobile phones are a relatively new target."

"It would never work with tech-savvy suspects, though: suspects still need to infect themselves with the malware by clicking a dodgy link or opening the wrong attachment. This is why computer hackers are never targeted this way – they might notice and publicise the technique, said the "former officers", who noted that in other cases it had proved hugely valuable."


FigureitoutAugust 3, 2013 8:22 PM

unknown.soldier Re: Garrett's article
--I would go back and read it, I thought is was good (thanks Garrett). Another FBI FAIL perhaps, they were trying to learn how to code in 2-3 days! Not to mention hardware; it's constant learning even for experts b/c boards can't even be soldered by hand, not a chance today! Need the liquid metal bath. Love how they (the FBI) protect "The Goldman", what f*cking REAL product have they produced for society besides some financial derivative fluffy worthless sh*t? They do NOTHING but move money around and skim from other's money; seriously after getting into engineering from a worthless Public Affairs degree I truly see just how worthless these people are...Robot jobs in the very near future.

And the f*cking little techie guy goes to jail; and he just wants to make a better system from the bottom up! Too complicated, no one really understood the whole system, pathetic this is a top investment bank; they wouldn't even know if they were hacked in some ways.

Petréa Mitchell
--Nice article Re: CryptoParties. I love how they don't get all paranoid; but I would be paranoid w/ a group like that b/c it will likely either now or in future be infiltrated. Disgusting, you have to keep these groups underground to keep from infiltration. Agents keep getting younger and younger too which is very creepy in its own right; as their handlers are likely old creepy farts looking for some fresh flesh.

FigureitoutAugust 3, 2013 9:35 PM

BTW unknown.soldier
--Your 2nd register article has been known by me for at least 3 years and I work for and by myself so has probably been known by others for maybe 5-10 years. Sure you can remove the battery, but batteries are becoming smaller, I wouldn't rule out hidden batteries in phones that remain charged after your battery dies and plus a microprocessor doesn't allow your battery to die completely for battery-life reasons and RF can supply power to circuits......Whatever you can hide in a phone (ever taken them apart, pretty neat) can absolutely be hidden in a laptop and desktop easily.

GarrettAugust 3, 2013 10:05 PM

figureitout - thank you

unknown.soldier - it's a good article, I recommend reading it in its entirety.

all -
goldman has a right to protect their intel prop and the FBI has a right to investigate these matters. the shock is that the charges weren't dropped. to give an analogy, what if I use some code snippet from stackoverflow, make a useful change to it, and post it back. have I committed a crime?

and then there is the question of "crime" vs "company policy". these are not the same thing, and yet they seem to converge in this case.

we don't need our smartest programmers jailed due to a lack of analysis (and bias toward conviction over investigation) on the part of our law enforcement, but that's what happened here.

the biggest failure was that the FBI failed to protect the suspect in this case. he was a genius at programming but naive and oblivious on matters of politics and the world. the FBI should protect people like that from being victimized, not act as the victimizer to the vulnerable.

Clive RobinsonAugust 3, 2013 10:59 PM

OFF Topic :

Old hands who have been on this site for a few years might remember various conversations about how to hide malware on a PC in any mutable memory not just the BIOS or Hard Drive, and the problems it causes.

Well somebody has gone and done a proof of concept for Black Hat,

http://www.forbes.com/sites/andygreenberg/2012/...

The article is slightly pesemistic as there are ways to remove such embedded malware but such methods are beyond anybody without the appropriate tools and hardware knowledge.

Again it brings out the point that I've frequently made about the fact that a CPU that is in operation cannot tell good code from bad. Thus it cannot work out it is infected with malware if the malware was there prior to it starting operation.

Oh and don't put to much faith in Intel's argument about "code signing". As I've indicated many times before code signing is "magic pixie dust" thinking, as signed code can be good or bad, it's quality is entirely unchanged by it being signed. And we know that even the best of usefull code has bugs in it.

Further code signing is at best only as good as the security on the software development process and signing key, and as stuxnet showed this is not a barrier to those with the resources, and as recently talked about in the US it appears that the FEDs can use a NSL to get access to "master keys" so signing keys are vulnerable to NSLs...

Clive RobinsonAugust 4, 2013 12:48 AM

@ AC2,

    It's the cryptopocalypse I tell ya! Or the cryptocalypse maybe..

I've mentioned the "minor" technical problem ARS Technica brings up several times on this blog and other places over the past few years along with a workable solution.

The solution is "Mandated Frameworks" by the likes of NIST. The sooner they step up to the plate to do it the faster these problems will be solved. I've been mentioning it now for around five years (google my name along with NIST and Frameworks).

To see what I'm on about I put up some of my background reasoning on this, on this blog getting on for three years ago when the subject of mono-cultures came up.

So the ARS article is very slow out of the gates at best (they should read this blog ;-)

http://www.schneier.com/blog/archives/2010/12/...

In that posting I also mentioned the problem of "legacy issues" people tend to forget that embedded devices are not like PCs.

PCs have a relativly short life of maybe three to five years and are usually fairly easy and low cost to upgrade.

Think about medical implants or smart meters embedded devices, unless mandated to be properly upgraded during their expected operational life --of over 30years-- "efficiency" of the market place will remove that option by making it prohibitivly expensive.

Do you realy want to walk around with a "pacemaker" wired up to your heart that is effectivly --along with you--"free game" to anybody who wants to hack it and you?

Likewise do you want your freezer turned off and your heating set to max etc etc because your smart meter is an open door to your house electrical appliances?

Clive RobinsonAugust 4, 2013 1:16 AM

@ Petréa Mitchell,

These "CryptoParties" remind me of the old PGP Key signing parties (for those old enought to remember them).

The real difference back then was "proving who you were" where as now it's "proving your anonymous" how the times change...

Clive RobinsonAugust 4, 2013 2:37 AM

@ Unknown.Soldier, Figureitout,

With regards "mobile phones as bugging devices".

There are a couple of basic ways to do this,

1, Direct transmission.
2, Code-compress and forward at some point.

Both have consiquences that an alert / informed observer will notice.

The first is both methods consume considerably more power so the battery life will be noticably less, the side effect of this is the usage is inefficient so the excess heat may be noticble to the touch or IR therm or thermal imager.

In both cases the encoded audio has to be transmitted from the phone to the network which means it radiates energy that can be detected. In the early days of mobile phones you could get a replacment antenna for your phone that had an LED in it that illuminated each time sufficient RF power was transmitted [1].

In the case of mobile phones that turn the modulation envelope on and off rapidly, this can be easily detected by an adjacent AM radio or Hifi amplifier [2].

There are other slightly more complex techniques such as writing your own mobile phone app but it would be simpler for most people to take certain preventative measures.

One of which is to tune the AM radio to a weak radio station and put the phone mic side down on the radio speaker grill, with the radio at moderate volume.

Another is make a sound proof box with an internal mic connected to an amplifer and external speaker. The box issolates the phone from audio signals outside the box, and the mic and speaker allow you to hear it ring.

A slightly more complex version uses the phones "hands free" connector to bring the ring signal out, and uses an internal white or pink noise generator to ensure even loud external audio is masked.

For a customer I modified a commercial phone test box that also acts as a high quality RF shield with external RF connectors it had a feature that if the box was closed and it detected RF from the phone longer than the "re-registration time" without ringing it cut the RF path to the phone for a few seconds.

[1] These were fairly quickly baned in the EU and subsiquently other places. The reason was that the LED had the effect of being a fullwave rectifier to some of the RF energy which resulted in a very strong second harmonic signal that was well well outside of specification.

[2] Even continuous envelope systems due to various effects can be heard on an AM radio. However a simple "diode detector" set up as a "bug detector" will detect both pulsed envelop and continuouse envelop systems and can be built from just a few dollars of components (google VSWR detectors for a basic design).

name.withheld.for.obvious.reasonsAugust 4, 2013 8:28 AM

@Clive Robinson


Again it brings out the point that I've frequently made about the fact that a CPU that is in operation cannot tell good code from bad. Thus it cannot work out it is infected with malware if the malware was there prior to it starting operation.


Totally identify with your sentiment, as an old timer myself I just cannot believe the distance between "what was possible" and reality. As an old guy the truth is that basic human behaviour includes laziness and willful ignorance. The willful ignorance is important, it allows you to avoid being responsible and thus reduces the need to act--and there's the lazy. But, there are the antagonist, they're contribution is to make any simple act as difficult as possible to perform. I'm sure your NIST experience (I may have been part of a working group, or not) exposed you to the "specific" interests and the myriad of "What the heck are you doing?" experiences. Recently, while engaged with a scientist
on a project, I become the lead--and I realized how much like feral cats scientists can be...makes progress a challenge. I mention this to give context...


Back in the late 90's and 2000's a small group of us got together to seriously look at the landscape of InfoSEC/IA/Cyber Security as we understood the difference between what was known and what was possible. For the most part the network computing environment for commercial applications is a rubix cube without any faces.


It was obvious to us, that the difference between commercial, industrial, or other systems that included or provided some sort of security feature was a designed by "the tool they know" and not by the requirements or even the nature of the problem the product set out to address. I've have stories, the vendors provide enough fun by themselves--add espionage, intrigue, and the occasional...


I've seen the other end, the instrument pointed right back at you. Stand up people, doing the right thing, destroyed by those that had an interest in making things go their way...didn't matter the title or position or the mission of the organization. When an agenda competes with your concepts of fairness, decisions that are easy dissappear.



Further code signing is at best only as good as the security on the software development process and signing key, and as stuxnet showed this is not a barrier to those with the resources, and as recently talked about in the US it appears that the FEDs can use a NSL to get access to "master keys" so signing keys are v ulnerable to NSLs...


This peeked my curiosity, where or how did you come to this--I've not seen how one gets past the deliberate act of securing your communications and the expectation of privacy and the non-existent requirement to show cause? This is a direct attack...


G van GrijnenAugust 4, 2013 4:04 PM

The U.S. State Department announced that it will extend the closure of 19 embassies and consulates in the Middle East through Saturday, including a small number of additional posts.

A lot of European countries followed suit.

Normally a newspaper article like this would not attract my attention.

But when Rep. C.A. Dutch Ruppersberger, D-Md., told ABC's This Week that the threat intercepted from "high-level people in al-Qaeda in the Arabian Peninsula" was about a "major attack, I burst out laughing.

Osama Bin Laden did not have a telephone line, but nowadays high-level people in al-Qaedah seem to be totally clueless about the dangers of telephone lines.

Joe LoughryAugust 4, 2013 4:30 PM

Some multifunction copy/scan machines have been observed to be altering numeric values in documents. It is not an OCR error, but a change to the actual raw image. The reason appears to be an accidental side effect of image compression:

The original article:

http://www.dkriesel.com/en/blog/2013/...

SamourAugust 4, 2013 4:39 PM

@G van Grijnen

Actually this is related to all the prison breaks that have been happening in Iraq, Libya, Pakistan, etc.

Interpol issued a warning as well.

Now they claim the NSA surveillance program indicated there would be a "threat", which may or may not be the case.

You could pretty much figure this out by just listening to the news of all the prison breaks :)
It's a logical conclusion that they're "up to something"

Clive RobinsonAugust 4, 2013 9:28 PM

OFF Topic :

Make of this what you will, but ARS Technica have an article with the grovey title that suggests that the FEDs think the new BREACH attack on HTTPS pages is in effect unstopable.

http://arstechnica.com/security/2013/08/...

The reality is a little unclear at present as is the impact simply because the attack is new, so it's more of a generalised warning to get site owners to check their vulnerability rather than a "Your Doomed" message.

You can read the attack authors paper at,

http://breachattack.com/resources/...

The simple take from this is, cryptography is hard to get right especialy when designing "efficient" protocols that end up becoming standards...

Clive RobinsonAugust 4, 2013 9:53 PM

@ Joe Loughry,

I think Xerox might have made their "pentium bug" moment...

The likes of the legal fraternity photocopy large amounts of "evidence documents", as "officers of the court" they have a duty of care to ensure accurate copies are made for the whole legal process. If they find one example of modified doccuments they are likely to eviserate Xerox...

It will be interesting to watch this story unfold not just on the "human" side but the "technical" side as well.

I guess the problem as outlined may effect other products than those from Xerox as well as demonstrating why lossy compression can turn around and bite you badly...

FigureitoutAugust 5, 2013 12:15 AM

Both have consiquences that an alert / informed observer will notice.
Clive Robinson
--Yeah that tends to be the case; once you find it (after fake not-knowing to discover their tactics) the device becomes a throwaway troll machine to be used for the most extreme experimentation and then off to use up more precious metal resources seeking a clean device...

Re: Rakshasa
--The tools need to be more easily available but then to continue the chain of paranoia what if the tools are subverted? How were they made, where, who? Basically leads you back to paper and pencil, until circuits become dust in which case your pencil can now be compromised...Hope they never find Bababushka lol. She's had enough playtime for now.

In Other News...
TOR Compromised w/ javascript so just a problem w/ faulty configurations.

Shut down an airport w/ a beeping device (costs like $10-20 for custom) b/c the officers have watched too many movies and think all explosive devices have the beeping timer. So to get creative let's say you know an economic competitor is flying and you carry out a denial of service attack.

IndeedAugust 5, 2013 3:31 AM

The exploit that targeted the tor browser bundle was not limited to illegal porn sites, it also affected anybody using Tormail, HackBB forums, or legit non porn activist forums that were hosted by Freedom Hosting.

Now tormail users are being lumped in the same boat with degenerates if they were caught using outdated Tor Browser Bundle.

unknown.soldierAugust 5, 2013 9:13 AM

Clive Robinson • August 4, 2013 2:37 AM
@ Unknown.Soldier, Figureitout,
With regards "mobile phones as bugging devices".
There are a couple of basic ways to do this,
1, Direct transmission.
2, Code-compress and forward at some point.
Both have consiquences that an alert / informed observer will notice.

Not surprising.

I can not speak on the hardware details you stated, though sounds believable.

Telco infrastructure wise, they can surveil you mitm, as well. There are also a wide variety of ways to get call logs and location details, without any manner of difficulty. Trivial applications can do this, of course.

Security wise, I am aware that phones can be hacked either from proximity, from a distance in a wide variety of ways, and, of course, mitm, either at the telco infrastructure level, or at the local proximity level.

But, security concerns like these I see as largely relegated to nation based adversaries, where you have a very strong reason to be targeted. Though, of course, there are lower level everyday privacy concerns which are getting fleshed out for everyday users.

There are methods of sending out traffic which would be impossible for end users to be able to know about, of course. Some of these methods would be very difficult for organizations that require security to be able to handle. (I strongly down ground level agents, even undercover, have much protection/detection capabilities there.)

I would expect that using the phone as a "room bug" would be something relatively rare, as a "for instance", when there is a key meeting that is not already wired.

unknown.soldierAugust 5, 2013 10:43 AM

This attack, btw, is very trivial, and contrary to the article authors statement, enough details were given to trivially reproduce for anyone who has performed mitm attacks (eg, firesheep). This means that a firesheep for ssl post-sslstrip is very viable and trivial to make using existing codebase:

http://www.theregister.co.uk/2013/08/01/...

Ac2August 5, 2013 1:54 PM

@Clive, Joe

The Xerox problem seems to be limited to scanning to PDF, and not applicable to photocopying. But I do use it at work to scan and submit claim receipts!

@Clive

NIST mandated frameworks sound good, but isn't FIPS 140 that?

u.n.affectedAugust 5, 2013 2:35 PM

@Indeed

While it seems as you said, in fact I believe the tor exploit did not affect anyone but housewives using tor because theirs son installed it. I did not see a single .onion website, was it hacking or silkroad related, that required javascript. And I believe noscript comes with tor bundle functioning by default. Living in the world where javascript was a must to use web would be sad but it's not the case so far. So I even wonder how it became revealed at all, how could it be that someone browse darknets with scripting turned on.

Someone had access to tormail bases (seems to be mentioned on hackbb) was much worse.

unknown.soldierAugust 5, 2013 5:16 PM

Figureitout • August 3, 2013 9:35 PM
BTW unknown.soldier
--Your 2nd register article has been known by me for at least 3 years and I work for and by myself so has probably been known by others for maybe 5-10 years. Sure you can remove the battery, but batteries are becoming smaller, I wouldn't rule out hidden batteries in phones that remain charged after your battery dies and plus a microprocessor doesn't allow your battery to die completely for battery-life reasons and RF can supply power to circuits......Whatever you can hide in a phone (ever taken them apart, pretty neat) can absolutely be hidden in a laptop and desktop easily.

I would think it would be a far safer way for them to surveil someone, especially if they believed that person was working for a foreign intelligence agency and had unknown and possibly profound resources for performing counter-surveillance. What a great way to figure out how they operate. Get some attention, and wait for the local feds to come and use their uber technical secret tech and methods. :-)

Really would seem thoughtlessly stupid to approach such a subject in any other way. Never been in that situation, so never really had to deeply think it out, considering all the pros and cons.


unknown.soldierAugust 5, 2013 5:21 PM

Indeed • August 5, 2013 3:31 AM
The exploit that targeted the tor browser bundle was not limited to illegal porn sites, it also affected anybody using Tormail, HackBB forums, or legit non porn activist forums that were hosted by Freedom Hosting.
Now tormail users are being lumped in the same boat with degenerates if they were caught using outdated Tor Browser Bundle.

Just got this story today... I am sure it was NSA. Probably they don't want to dump their golden gathered eggs in China right now, because they realize China is not a good place to do this. Snowden just recently revealed they had compromised their routers.

And if you were tech intel, wouldn't you want to see - most of all - who is using Tor?

As open as people can be in the plaintext, is that really what anyone with serious secrets is going to do?

No, they would hide their shit in Tor, or similar systems.

NSA gets that, I am sure.

FigureitoutAugust 5, 2013 9:52 PM

unknown.soldier
--Yeah I would've made a nice cointel agent had I not been targeted and bullied for years now; and I don't like being bullied and outnumbered. To give you a sense of what it's like, imagine every car driving past you on the street rolling the window and gunning you down. Imagine turning the ignition key on your car and feeling that last millisecond where your limbs get blown off. Lately these aren't local feds, they were before and they were absolutely terrible; covers blown easy. Likely from attacking non-technical oblivious idiots. They broke into my home and cut up my nice leather jacket I got from my dad, then they cut up one wire from the transformer of one of my power supplies for some random projects, then they cut up some brand new wire I was going to make inductors with, ruining the entire roll. They installed a hidden encrypted partition on my laptop and attacked my open wireless for years, as well as bluetooth attacks. They attended my classes at school and joined any extracurricular activities I did. Not to mention the random bloodstains on my sheets and the odd medical symptoms I begin to experience after I first found out someone had broken into my property.

Pro: Fighting a police state and distracting its agents so others can live w/o harassment.
Con: Your life almost ruined and permanent mental damage.

Well, I will have the last laugh. Neigh Bababushka will and she will show them even a Russian grandmother can own them; if they can find it and they will find out the true meaning of paranoia. I'm not afraid anymore and I don't hide.

unknown.soldierAugust 6, 2013 2:35 PM



unknown.soldier
--Yeah I would've made a nice cointel agent had I not been targeted and bullied for years now; and I don't like being bullied and outnumbered. To give you a sense of what it's like

That sounds really bad. It reminds me of a person the Americans misidentified as "the ricin sender". They really harassed him. He had worked for them. Eventually, he was cleared.

I have been investigated and have been under surveillance, though in my case, it was foreign and local national. Usually the same story for me in different situations: I am a visible member of a larger organization. They want to try and figure out what that organization is, how we communicate, who belongs, and so on. At times, pressure has been put on me, which is to try and get me to communicate or meet people, and so on.

That kind of stress does force you to think in CI terms, from what I understand of how nations handle CI. When I had to really deal with that sort of stress, I turned to find whatever CI documentation I could which was even slightly believable "open source".

unknown.soldierAugust 6, 2013 4:03 PM

^^ was to figureitout:

@figureitout:

On deeper thought, IDK about your situation, sounds very different from mine, but the similarity of people *looking for something that is not there* is there. Frankly, I get no end of humor from this, I would hope you would as well -- though your situation is far more drastic then mine has ever been. (Never been truly harassed, again, because of a network. And I don't have to worry about my own security, others do that for me.)

I mean, look at your situation in terms of "end of the day". They did not get what they wanted. They wasted all that man power, all that funding, did all those deeply immoral things, and for what? They end up just eating your dust.

Some could lose their jobs. Some could look like fools to their bosses. They have the scars of doing immoral things forever on their souls. (Welcome to the pantheon of global bad guys, condemned forevermore.) They get nothing from any of it.

These things cost money and when they only end up in mazes chasing ghosts, that hurts them. Bad.

They become known as the boy who cries wolf. Their organizational respectability plummets. Usually there is some kind of aside for them, but end of the day -- they are fools. They probably get pat on the back reassurances ("you were so close"), at times; but..... that is just the kind of polite bullshit people tell each other. It is bullshit. Reality is next time they are "on guard" and say, "Wolf!" No one will take them seriously. They have become nothing more then a clown. And you know, nobody really likes clowns -- they are not even funny. Just sad.

FigureitoutAugust 7, 2013 12:30 AM

unknown.soldier
--These past few years have been w/o doubt the worst ever. At the same time I'm not really afraid of death much anymore and if I have to defend myself from hit[wo]men I will kill someone; as my dad says when it's life or death dirty fighting doesn't matter, it's who lives. He had to fight off older bullies many times as a kid and even took a hammer to the head of a local bully. The bully never messed w/ him again.

I'm glad you've got a network and you feel safe, just know that it can be subverted unless you've found some people that can make a network solid and potentially worth building some secure product or company on.

Re: Ghosts of unwelcome visitors
--Look, these agencies foster an illusion that you will be dealing w/ alien technology not subject to laws of physics. New recruits and the agents that are clueless, don't learn the basics (which actually are quite a handful if you truly understand them) or even worse find them boring. So what they will [maybe] eventually "figure out" is that a vulnerability has been exploited right in their faces that is so old even a Russian grandmother w/ practically no knowledge of modern advances (which are genius in their own right but if no security was needed they would be perfect) could pwn them. Of course it takes modifications of the basics that are only possible w/ random experimentation; and that is the last of the clues I will give about my creation that I won't reveal even if tortured to death. And people wonder why I marvel at the elegant OLD technology...

Clive RobinsonAugust 7, 2013 4:51 AM

@ AC2

FIPS 140/1 was released in the mid 1990's and version 3 is currently in draft but still reads like a 1990s document, as such it reflects the "throw away" culture of the time.

That is it is extreamly limited in scope and does not address issues such as upgrading inplace any system that has had part of it's functionality compramised. Even though at the time DES was known to have been compromised in what was just a decade of usefull usage.

In effect FIPS140 regards what it covers as "immutable throw away items". If a certified item becomes vulnerable it's certification is in effect revoked and it would become landfill but for later Waste Electrical and Electronic Equipment (WEEE) regulations.

Thus nor does FIPS 140 address most of the other asspects of embeded systems with long in service life times such as legacy security issues, and being to costly or risky to physicaly upgrade.

Unless such systems are required to be securely upgradable in place without physical intervention for their entire service life we are going to sleep walk into a world of hurt, which may take several human generations to resolve.

Clive RobinsonAugust 7, 2013 5:42 AM

@ Name.withheld.for.obvious.reasons,

My problems were not with NIST but with the UK and EU equivalents on the telecoms side. That's not to say I don't have significant issues with NIST but I'm outside looking in which means "no fear or favour".

As for "herding cats" in academia been there and have the scar marks to prove it. One major issue I have with academia is all the ways it's invented to hold it's self back and "Put power in the hands of a notable few" it realy has been "A Kingdom of the Blind", but hopefully this is now changing all be it slowely as "publishing" becomes more devolved and wrested from the hands of the self interested few (though that still leaves the patronage of funding and similar to maintain the status quo).

With regards "code signing" all it realy is, is marking a point in time on a code base, it in no way attests to the quality of the processes behind it or the honesty and integrity of the code developers, testers and their managment. And fately for the whole process it's security relies on a few crypto primatives and an integer of moderate length we chose to call a private key.

We already know that some crypto primatives (hashes) used in the past have issues and should nolonger be used, and in reality it's the output of th hash that is signed not the actual code base. We also know or suspect that the NSA or equivalent also have ways of ariving at existing hash values (colissions) that are not known publicaly so they can take an existing signed hash and use it for their illicit code. Then there is the problem of the security around the signing key, it is after all just a Kbit or so in size and can be easily copied by an insider or carefull outsider breaking in and stealing it, this is what was belived to have happened with Stuxnet. However signing keys are usually formed of two smaller prime numbers the knowledge of either gives the other thus the security is also dependant on the selection process of these primes, and as we know this process has had significant flaws in the past and continues to do so today. But to add "the frosting on the cake" we know that the likes of the FBI have been using NSLs to demand master keys and get them from smaller organisations almost without impunity. And as has been observed some organisations have a heirachy of keys derived from a single master key, for not just their comms but also for all their other keys including those for code signing thus they treat their code signing keys just like any other PKI certificate and their automatic software update tools accept any code signing key that has been signed by a key further up the chain...

Thus the security of signed code is in many respects an illusion of a magician who uses smoke and mirrors to deceive the eye of the audiance.

Clive RobinsonAugust 7, 2013 6:20 AM

@ Unknown.soldier,

Whilst it would appear that using a phone as a room bug is going to be by state level entities the reality is far from true.

At one level it depends on the security of the SIM card even for the most careful of users due to Over The Air (OTA) Upgrade facility. The crypto keys for which are held by the mobile phone SIM service supply/originator and are frequently known to service providers and many subsidurary organisations working on their behalf.

But it is also known there is a legacy issue where the SIM java code will respond to either out of date security protocols or have the sandbox broken and defaulting to no security. Various estimates indicate that upto 1/6th of newly issued SIMs and over 1/4 of SIMs in use are vulnerable currently.

On another level there is a similar situation in that the "phone module" software is likewise often writen in Java and has a number of security vulnerabilities which will alow over the air attacks.

At another level there is the issue of Pico-cells which can be used for all sorts of MITM attacks at all levels of thhe phones use.

And then there is the issue of Smart Phone apps.

So all in all there is a very broad attack surface for anybody with a modicum of skill and moderate resources to get their teeth into one way or another.

Oh and there is another issue of who can and cannot issue National Security Letters (NSLs) in the US and Regulation of Investigatory Powers Act (RIPA) notices in the UK, and presumably likewise in many other parts of the world. But it's not just letters/notices that can be issued with little or no oversight. Thus you might find that what you assume would be "state level" only could include your local firehouse or transport / university police force or any other very lowely civil servant, bank clerk etc etc who knows how to issue the letters/notices/etc to get copies of the crypto keys.

Clive RobinsonAugust 7, 2013 6:49 AM

@ Figureitout,

Sorry for not getting back to you sooner I usually watch the 100 last comments page, but these past few days it appears to have been hit rather hard by spam. Which not only makes it hard for Bruce/Moderator it means I sometimes miss peoples replies to me, or I just get that Oh gaud feeling and not look at all for a day or so.

Any way with regards the tools and the possability of them being subverted, yeah it's a very real risk which as we've discussed in the past goes all the way down and out the otherside of the silicon chip production. After years of government mandated COTS purchases we have in effect handed our security over to overseas manufactures in just a tiny handful of organisations that fall well within the Chinese sphere of influance. And way way to late we wake up and start worrying about supply chain poisoning...

You might find this of interest,

http://www.defenseone.com/technology/2013/07/...

unknown.soldierAugust 7, 2013 8:37 AM



Figureitout • August 7, 2013 12:30 AM
--I'm glad you've got a network and you feel safe, just know that it can be subverted

unless you've found some people that can make a network solid and potentially worth

building some secure product or company on.

"Network" as in "organization".

I would not trust anything on earth: not what you see, not what you hear.


Re: Ghosts of unwelcome visitors
--Look, these agencies foster an illusion that you will be dealing w/ alien technology

not subject to laws of physics. New recruits and the agents that are clueless, don't

learn the basics (which actually are quite a handful if you truly understand them) or

even worse find them boring.

Any nation is very bounded in what they can and can not do.

I usually see intel organizations as wanting to play themselves off as incompetent. Being underestimated is the game. That way their adversaries will believe themselves safe, so they can be better spied on. Or counter-spied on.

In your situation, it sounds like you were a target of law enforcement. That is very different. They often want to play up as being everywhere all the time.

That is the last thing an intel agency wants to do.

It is true, national law enforcement agencies like the FBI or MI5 are really intelligence organizations to a large part. So they may have a mixed agenda. They operate internally. On one hand, they want to play themselves up as incompetents, on the other hand they want to send a preventive message.

FYI, I do not work for any of these nations, and my opinions are simply from having to do similar work and studying how they operate. I do work in both offensive and defensive technology and roles.

unknown.soldierAugust 7, 2013 10:18 AM



Clive Robinson • August 7, 2013 6:20 AM
@ Unknown.soldier,
Whilst it would appear that using a phone as a room bug is going to be by state level

entities the reality is far from true.

That is a very surprising assertion: taking the battery out of your phone is unnecessary for confidential meetings where your adversary is nation based? (Yes, double battery, wired room, all else aside.)

Is that correct?

(I see below, you may mean by "state" level, regional, as opposed to "state" as in "nation", so I take it that is what you mean.)


Oh and there is another issue of who can and cannot issue National Security Letters

(NSLs) in the US and Regulation of Investigatory Powers Act (RIPA) notices in the UK,

and presumably likewise in many other parts of the world. But it's not just

letters/notices that can be issued with little or no oversight. Thus you might find

that what you assume would be "state level" only could include your local firehouse or

transport / university police force or any other very lowely civil servant, bank clerk

etc etc who knows how to issue the letters/notices/etc to get copies of the crypto

keys.

I view such official warrants simply officiality. Lower level dealings that go on on lower level matters. Keeps up appearance of legality, keeps up appearance of limits. For good and bad.

Newbie CryptographerAugust 7, 2013 1:13 PM

@Clive Robinson
> There are a couple of basic ways to do this,
>
> 1, Direct transmission.
> 2, Code-compress and forward at some point.
> ...

Maybe that is a problem if you are trying to steal recorded sound directly. However, a speech-to-text recorded phone call isn't much more then a kilobyte when compressed, but if you can manage the side-channel analysis captured keymat (or passwords or credit card numbers or whatever) are only a few bytes long, and captured metadata isn't much longer.

These amounts of data can then be spirited away quite easily over few days using, say, replacing ads on web-pages with specific attacker-controlled ones - maybe even getting a few more bits on timing.

Nick PAugust 7, 2013 5:52 PM

@ Clive Robinson re Radiation hardened PC's

I think this is the key line

"An alternative explanation for the intense Asia-Pacific interest is that a number of nations there with developing space capabilities likely would be interested in making sure their space-based systems are built to withstand things like solar flares and cosmic rays, according to the report. Australia, China, Japan, and South Korea all have space programs of varying size and ambitions."

That's one of the main reasons US uses it. Another use they neglected is to provide some resistance against the use of radiation to circumvent security. You often cite a RNG example of that. I've incorporated RH/LEON processors into designs for that reason. I had no idea they were export controlled items, though.

Nick PAugust 7, 2013 6:28 PM

@ Clive Robinson, Wael

Long ago on this blog I pushed separation kernels for security-critical software and electronic organizer style hardware for convenient hardware target. Well, I was updating myself of General Dynamics recent offerings and look what's on the cover of this one:

http://www.gdc4s.com/...

A separation kernel, trusted path, and small foldable computer w/ keyboard. Looks like a more featured version of the Transaction Appliance I described on this blog. The key differences are that they don't make security choices I did wrt text-only interface and DMA-attack resistance. That makes sense, though, considering their target market. It remains a perfect illustration of the kind of device I've described for a while now. Good for signatures, key management, trusted path, trusted storage, etc.

FigureitoutAugust 7, 2013 6:30 PM

Clive Robinson
--No worries, I assume work/life or hopefully not health issues. Yeah found it interesting and sad b/c I thought the only threat they should worry about is radiation from other stars not of our own making. Stupid that these weapons are being considered, the Earth's too small. On the ISS I also really hope nations aren't sabotaging each other's research, that would be very stupid.

I've been watching a lot of NASAtv lately, lots of ISS coverage and interviews w/ Chris Cassidy and Karen Nyberg. Definitely role models. They (the tv channel) could do better but I like it. They recently had a failure in the air vent in the helmet of a space suit that had water flowing around Italian astronaut Luca Parmitano's face. Scary situation, they had to cancel the spacewalk. But the channel also talks about preparations for the Mars expedition, how much of a challenge it will be b/c of no supply ships and all the technology has to be extremely reliable. They need to safely land heavier weight, bring all the air/food/water and make it sustainable, so much. So I wish I could help w/ the experiments to speed up the process but I'm a little scared about being in space. :/ The astronauts going on the Mars mission have to be really brave too.

A simple example of a tool not working (maybe a faulty connection was made), was I got different voltage values for a little wind generator. So I assumed one was more sensitive due to superior processing/components or better design; but how do I know which one is malfunctioning if the differences aren't extreme but not small either? You have to rely on test points on the circuit or dig even further w/o hopefully breaking the components. This could bite me in the A if I rely on voltage spikes for sensor logs or unwanted processing on my best attempt at a secure isolated custom pc.

WaelAugust 7, 2013 6:39 PM

@ Nick P, Clive Robinson

Long ago on this blog I pushed separation kernels ...

Yes! I remember that very well. I also like to see a principle of security applied here; "Separation of Domains". As you will remember, I look at principles first. I am a man of principles, what can I say ;)

Castle_v_Prison time?

FigureitoutAugust 8, 2013 3:23 PM

People who just paid for a year of Lavabit and relied on them just had their email accounts shut down. Kudos to shutting down the service rather than being subverted.

Clive RobinsonAugust 8, 2013 6:03 PM

@ Figureitout,

I guess Lavabit's boss is about to go to jail, because even that ambiguous letter breaks the rules, as does pulling the plug on the services...

Such is the state of supposed legislation with state level surveilence, that doing anything that reveals it or even hints at it is a "Go directly to jail, do not pass go" contempt of court, and as we know with a contempt you stay in jail indefinatly without trial till the judge decides otherwise (I think the US record is 17.5years over a divorce and supposed hidden assets).

With regards Mars trip, for the fourtieth Appollo 11 aniversary Buz Aldrin did a series of talks/book promotion, I went to one and he spent some time talking about his Mars-Cycler idea, and I think he's right NASA should not be going back to the moon as a goal other than a steping stone to Mars and then further out. As was mentioned a few years ago 1969 was the last year America felt good about it's self.

Speaking of tools and odd readings on a voltmeter, quite a few years ago I was designing an Intrinsicaly Safe power supply which had to have multiple over volt protection circuits. Well despite each individual part testing out as expected when all put together it was over volting on the output. I was getting a bald spot from scratching the back of my head. The voltmeter said I had 8V on the base of the series pass transister but had 12V on the emitter, eventually after a little more bald spot development and a strong cup or three of brown stuff the penney dropped and I got the osciliscope out and sure enough the Op-Amp was oscillating big style around 1MHz. It turned out that the Op-Amp was not what it said on the package, and we suspected at the time it was a "Chinese Knock Off". But back then the "Chinese" concernd was not mainland but Tiwan... How times have changed.

name.withheld.for.obvious.reasonsAugust 8, 2013 6:17 PM

With respect to lavabit, the screws they be a turnin'.

Dirk PraetAugust 8, 2013 8:42 PM

>outrage>
It would seem Lavabit, Edward Snowden's email provider, has been served with a FISA Court order or NSL and that its owner and operator Ladar Levison has therefor decided to shut it down: https://lavabit.com

This guy has bigger balls than the combined board of directors of Microsoft, Yahoo, Apple, Google and AOL.
>/outrage>

name.withheld.for.obvious.reasonsAugust 9, 2013 1:28 AM

@Clive

Too bad about the telecoms in the EU-UK, seems it could be worse. Not to familiar with standards bodies (the royal "whatever" societies) and the ISO/IEC are not unknown to me. Hope they don't treat you too badly or ask for and body parts.

Had a stint in the UK, ox-bridge, nearly had the opportunity to work with Brian Josephson. One scientist in the UK, he'd a project that was right out of the MI-6 wish list...couldn't get him to confirm or deny his association. Asked me to look at a project for him, reviewed the original work, realized that the scope of the project had to change, and it took three months for him to realize what I was on about. Produced a project proposal and suggested a new prototype be built (I knew who would be doing that work). Over the course of six months it was obvious that the pace and process that is "English" was a bit too much for my "American" do-it-now attitude. Later on a friend clued me in on how to work with proper British types. One of our associates, sharp fellow, a philospher by trade, got the whole concept rather immediately--let me know that all British PhD's weren't prats.

As far as academia--I stay away--but not too far. I have many friends and associates in the ivory towers and I don't want to dis-abuse them of their sense of place (not really, I let them know I am no fan of pretense and circumstance). But, I am a big fan of education--the most necessary of social efforts but so maligned by competing interests.

With regards "code signing" all it realy is, is marking a point in time on a code base, it in no way attests to the quality of the processes behind it or the honesty and integrity of the code developers, testers and their managment. And fately for the whole process it's security relies on a few crypto primatives and an integer of moderate length we chose to call a private key

Yes, as a researcher at IBM I was often asked to look into the CM and build processes, review code development standards and belonged to my fair share of committes and task forces--great background for know how things "should" work and how things "really" work.

My whole sense of the PKI as we know it is broken...has been for a while. Too many disparte pieces that individually may be strong but are dependent on other things being robust. From layer 2-3 protocol stacks and transport, network services, and application layers--the profundity that is the 509 space leaves little comfort. Certificate authorities not properly tasked or roled (Roots, CA, Subs, etc.) and the wide application for a pariticular cert (ID, code, server, etc.) along with the improper use (or non-use of CRL). And, I've got some really bad news on the layer one count.

See IETF RFC 4491, 5280, etc. for just an example of where things might go wrong...

Clive RobinsonAugust 9, 2013 2:02 AM

@ Newbie Cryptographer,

    Maybe that is a problem if you are trying to steal recorded sound directly. However, a speech-to-text recorded phone call isn't much more then a kilobyte when compressed

Whilst that will work moderatly well for an ordinary phone call as I've indicated in the past (see recent post on this blog about NSA data center). It won't work very well for bugging a meeting with three or more people.

The reason for this is that in an ordinary phone call it's generaly treated like a simplex radio call with each party talking in turn. If you've ever listened to a recording of a meeting you will find lots of "over talking" from side conversations etc. As humans we have a degree of directionality in our hearing and thus can filter out unwanted noises, pluss with a high dynamic range our brains can "tune in" to individual speakers, thus we tend not to notice what we don't want to hear.

Not so with the limited range noise cancelling mic and audio system on the majority of modern phones, you will get just the words of the dominant speaker at the mic getting converted to text and most often garbage when two or more people cross speak.

As anybody who has had experiance in "bugging rooms" for meetings will tell you you need two or more high dynamic range mics either organised with good space diversity or in an appropriate cardoid lobe cross over pattern. So that afterwards by frequency filtering and phase and time null adjusting of the two or more audio tracks you can pull out the required audio information from individuals.

FigureitoutAugust 9, 2013 2:05 AM

Clive Robinson
--So basically this guy couldn't even tell his fricken customers why there's a service outage, and he HAS to keep his business going to enable the subversion. Ambulance chasers, worthless paper flipping bureaucrats, and "secret agent" wannabe b*tches gone wild. Seriously, all you trolls out there saying this is a free country, get popped in the mouth. The STATE is subverting a PRIVATE company. This is what China does! Can't wait to leave this country b/c all the signs are pointing to the dumper; almost rather go to a country that can create its own goddamn hardware.

Eliminate the game people. That's what happening, no more privacy, just read books and get into technical fields. Eliminate the game and simply head to the books so if they spy on you they will have to learn something or most likely will become bored b/c they are too stupid to keep up.

Damnit...anyways on to things that keep my head straight.

The Mars-Cycler idea, nice. But there's still a lot of things beyond that, almost like my mission for THE secure trusted pc. Maybe you should've worked for NASA instead of some other agencies...

The intrinsically safe power supply looks nice (makes sense for where you've worked in the past), much better than my cheap-azz Chinese ones. I've got some so terrible (yet cheap like $1-$5) that a capacitor nearly blew up in my dad's face. So we have to go back and resolder the fricken leads on the board. Thought this was basic testing the company (LC Technology) should be responsible for. And I'm getting more just so cheap hardware from China, it just seems too good to be true. There's going to be a trap somewhere...I don't want to be 45 and bald and still not have a fricken power supply I don't trust.

But what I was meaning, was how do you ensure the voltmeter is performing exactly correct? Meaning the diagnostic tools doing the testing of the components. If the diagnostic tools are subverted it's game over and you should just stop. It's trust, isn't it? I know I'm pretty much every teacher's nightmare as I could basically ask questions until you say "Go Away!". It's what I do lol.

Clive RobinsonAugust 9, 2013 3:58 AM

@ Nick P,

I've so many replies to make on this thread I'm doing them alphapeticaly :-)

With regards Rad-Hard parts, yes it's not just ionising radiation they have tolorance to. The first ionising tolerant CPU part I used was the old 1802 (still available) but being CMOS it had other issues that could (and did) cause problems. It was used in "down hole telemetery", you'd be surprised just how much background radiation goes up when you are more than a hundred meters or so down in some rock types (have a google for natural radon gas emmissions to get a feel for it). I later used the same part in quite a few other projects some of which were not constrained by the niceties of an earth bound existance, as Douglas Adams observed through the charecter Ford Prefect "It's tough out here and if you want to survive you realy need to know where your towel is".

I tend to get a little upset when I hear journalists going on about the space race, originating as I do from the only nation to have developed a launch capability put one telecoms sat (Prospero) up and then given up on further development because of the "special relationship" with the US... As even US space engineers admited at the time the British launch platform was more reliable and more economic, even after shipping them half way around the world to Australia... However Britain did not give up on space entirely, which is why we have some of the best payload designers in the world.

The important question that journos fudge is why do nations want to have a space capability in the first place, and the usual fudge answer of "National Prestige" in terms of advertising/feel good factor is realy nologer relevant. Plain and simple it's about "power and control". Part of this is to do with the battle field, as last century showed us wars are won by high mobility and hight, with boots on the ground only needed for consolidation. From WWII onwards it has been about "air power" with space platforms reserved for "observation" due in the main to technology costs most of which are due to the "first twelve miles". Well these days both amatures and commercial NGO's are cracking 60,000ft and some such as SpaceX are putting considerable loads into near earth orbit and roboticaly docking with the ISS. With only minor changes such loads could be used for many things including ion-motor platforms that in time would get moon or other planet orbit. You can build an ion-motor in your garage with little difficulty and some such are being put on "cube sats" as experimental platforms for "garbage pick up". Supprisingly to many is just how much garbage there is up in most orbital belts which is making launching rockets a very risky business. Which is why quite a few commercial organistions are looking at space garbage removal as potentialy it is going to be a very lucrative market... But as with all technology it's more than dual use and as such is agnostic to it's use (Which gives a nice movie-plot senario of useing cube sats as black mail tools to bring down billion dollar comms etc sats ;-)

So yes the next ten years are going to see quite a shake up in space development and those nations with any sense will want to ensure they have a top table seat in the game.

With regards the GD-C4S TEE did you spot the two features on"time sync via NTP" and the "health status" reporting? Combined you have great potential for a covert side channel ;-)

It also appears to have the limitation of 64bit x86 platforms which might indicate a reliance on hardware virtualisation. Given Intels past CPU bug issues this might be an issue that could alow the platform to be attacked.

The simple fact is that nomatter how we do software security with OS's there is always the potential for kernel and below attacks unless there is good underlying ring zero hardware features. And to be honest I don't thing the harware support in standard x86 hardware is sufficient (as we have discussed befor with things like object and memory tagging in hardware).

All that said does it detract that much from the C4S TEE device, probably not, the chance of exploiting it would fall to an "inside job". That is applications loaded on it would have to be written to "conspire" and although not impossible it's a very big ask, esspecialy as it would not be to difficult to "clean room" develope command line only versions of the real critical apps in house, using appropriate methods.

The thing is we know that in real world working, perfect security is not possible so you have to settle for some lesser measure of secure. We know that even the most sensitive of organisations have finaly accepted this fact (as evidenced by the likes of specialised GPS modules etc) and thus the game has moved once again from technological attacks back to human attacks. The trick now is how to protect the humans against themselves yet still enable them to carry out usefull work.

unknown.soldierAugust 9, 2013 8:26 AM

Lavabit:
The guy did a good thing, and several good from this bad situation:

1. The message not to trust US systems is not out there very loudly for any would be secure service provider.
2. No matter how secure a system may be on paper, the US feds will seek for vendors to ensure these systems are made insecure.

This message is going out loud and clear, from this incident.

If I worked for a foreign government or corporation, I would take dire warning from this. They should, and US corporations should be forced to pay for this obnoxious behavior by the US.

Politically, I find the behavior obnoxious because it is symptomatic of corrupted nations. It is clearly fascist. These authorities seem to think that if they are acting like the Gestapo (or Stalinists or North Koreans) that they are being highly patriotic. I am not sure what country they are being patriotic for. Hell?


name.withheld.for.obvious.reasonsAugust 9, 2013 8:38 AM

Mentioned this before but maybe the issue has become more salient.

What is the issue regarding "at rest" cryptographic tools (i.e. messaging, data, etc.) given that the NSA is scarfing it all up--as Clive mentioned the issue of MD5 collisions for example--what about functional analysis, either derivative functions that produce "known" collisions--or for example extracting salts--breaking methods used for "at rest" data encryption (i.e. an attack on asymmetric functions)?

Nick PAugust 9, 2013 10:27 AM

"From WWII onwards it has been about "air power" with space platforms reserved for "observation" due in the main to technology costs most of which are due to the "first twelve miles". "

No doubt. Our recon planes were all black projects. The NRO was extremely secretive. Now, it's very secretive. ;) US politicians are constantly cranking out Cold War style ideas of space-based defence mixed with modern ideas of a Global Information Grid for the military using plenty of satellites. Then they had that secretive unmanned shuttle they launched on an unknown mission. So, yeah, I think they might talk pride and science but military benefits have always been priority.

Which is too bad because the space program gave us so many inventions and useful developments in the commercial sector. Not to mention, NASA used to have a whole organization dedicating their people's brains to solving our corporation's problems, leaving them the I.P. So, I'm not sure the moon mission was a good investment financially but the space program did produce many returns. It also had a morale/perspective value as we broke the chains that held us on Earth. Partly, temporarily...

"But as with all technology it's more than dual use and as such is agnostic to it's use (Which gives a nice movie-plot senario of useing cube sats as black mail tools to bring down billion dollar comms etc sats ;-)"

That's hilarious. I've thought about that many times myself. My thought originated in thinking about covertely destroying the other side's equipment. I'd need to get something up there with microwaves, projectiles or whatever. It would line up with them. It would take them out. I later considered putting a whole bunch up at once, putting each on a separate companies' satellite, and then pulling a Dr Evil style conference demanding a payout with a very short time frame. After all, the US can launch missiles that take out satellites far as I know. "And btw, I have a mole inside NORAD who will covertly signal us if a missile is to be launched. The consequences will be disastrous if you dare try that. Mwahahaha."

"With regards the GD-C4S TEE did you spot the two features on"time sync via NTP" and the "health status" reporting? Combined you have great potential for a covert side channel ;-)"

Haha good catch. I was just looking at the form factor and abstract design of it. Far as physical stuff, I was also looking at those RF guns that retailers and such use. They're very tough, have large screens, a bunch of buttons, support plenty onboard functionality, etc for around $400-800. Might be a nice foundation to build on for one of the interim security-enabling devices. Just swap out existing SOC and a few peripherals for some better ones.

"All that said does it detract that much from the C4S TEE device, probably not, the chance of exploiting it would fall to an "inside job"."

Too true. The inside job problem will always be around. If the insiders lack the technical skill, they can always contract it out or be extorted into giving the tech to others. I've got ideas on that but they're not ready for publication.

FigureitoutAugust 9, 2013 8:24 PM

Clive Robinson
I've so many replies to make on this thread I'm doing them alphapeticaly :-)
--Well, F becomes before W and N so you should be replying to me first unless you go by true first and last names. ;)

the British launch platform was more reliable and more economic
--Alright, I'm going to have to research this but I do know that the British and English are an extremely proud people so I'll keep that in mind.

which is why we have some of the best payload designers in the world.
--Give me names and I want to see these geniuses in action.

It also appears to have the limitation of 64bit x86 platforms which might indicate a reliance on hardware virtualisation. Given Intels past CPU bug issues this might be an issue that could alow the platform to be attacked.
--I know this very personally. In fact I may stupidly even allow it to happen right in my face and observe the attacks and study them.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..