Friday Squid Blogging: Bobtail Squid Photo

Pretty.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on August 30, 2013 at 4:40 PM • 48 Comments

Comments

Calvin Li • August 30, 2013 5:08 PM

It is reported that David Miranda was carrying a password (related to data leaked by Snowden) on a piece of paper.

I understand that Bruce has advocated writing passwords down.

Any comment on this latest tidbit?

Herman • August 30, 2013 5:26 PM

It doesn't matter if Miranda carried a password on a piece of paper. The NSA has all the original plaintext, so they don't need to decrypt it.

Curious • August 30, 2013 5:52 PM

Correct me if I am wrong, but I did not see this story here the last week:

NSA spying on UN
("Der Spiegel report says U.S. agents hacked into video conferencing system last summer")
http://www.cbc.ca/news/world/story/2013/08/25/... (selected randomly from the internet)

In my country, one of the bigger if not the biggest newspaper had this piece of news seemingly hidden away as a small Reuters-like notice (NTB), which I only found on their website by searching for it the day after I initially learned about this.

Curious • August 30, 2013 6:09 PM

Glenn Greenwald's twitter account has this message: *shrugs*
"Anyone claiming that David Miranda was carrying a password that allowed access to documents is lying. UK itself says they can't access them."

Curious • August 30, 2013 6:12 PM

I realize now that GG's message ends up being both specific and vague, depending on one's interpretation. Like a conditional denial of something, that might be somehow true outside the stated condition.

Aspie • August 31, 2013 3:44 AM

Some imminent grandstanding to try to stem the growing tide of mistrust amongst their users.

So, probably more detailed aggregate figures of numbers of requests ... rather than some of their remaining users getting individual conciliatory emails.

Spellucci • August 31, 2013 5:59 AM

Can the Racketeering Influenced and Corrupt Organizations Act (RICO) laws be used to push back against FISA, NSA, et al.? I would love to see a conspiracy charge leveled against the NSA and the Bluffdale, Utah police seizing the NSA's new data center as evidence the day it opened. Better yet, the NSA could not have it back until after a trial. But then I always long for simple answers to complex problems.

Herman • August 31, 2013 10:39 AM

So, now PJ at Groklaw is also shutting down. I wonder how long this site will last. It was nice knowing you Bruce... ;)

kashmarek • August 31, 2013 12:53 PM

Bruce has said fight rather than switch. He should be here until they take him out.

CallMeLateForSupper • August 31, 2013 1:28 PM

Twitter's head legal counsel will leave the company. He is "the key figure responsible for aggressively pro-free speech position of the social giant."
http://www.pentagonpost.com/...

In other news, Twitter is all a-twitter about its coming IPO. (I lost the link. Sorry.)

Could it be that Macgillivray is gettin' while the gittin' is good, before Twitter goes public and the NSLs start raining down?

Nick P • August 31, 2013 5:04 PM

Very interesting and kind of surreal article below.

The Internet Explained by Prisoners Who've Never Seen It

Hard to tell ahead of time whether not knowing these things is a huge drawback or a benefit [seeing how online privacy has become]. I'm sure many will enjoy the new functionality. However, I'm sure there will be others whose conviction or betrayals by other crooks will see it as a huge risk.

NobodySpecial • August 31, 2013 8:53 PM

Even if they did succeed - What could Microsoft, Google and indeed the US govt, do at this point to make people actually believe them?

For example - We don't manufacture certain critical components of our product in China because we know that whatever the law says they will be copied. We don't sell in Russia or most of Africa (except SA) because we know we will never get paid and the legal system won't help us.

Petréa Mitchell • August 31, 2013 10:51 PM

Here's a New York Times article describing mass computerized NSA surveillance, largely unchecked by Congress or the FISA court due to its extreme secrecy.

In 1983.

What's happened since 2001 looks less and less like an unprecedented expansion and more like the NSA trying to get back to where it was before the Internet went mainstream.

This article also gives the earliest cite I've seen for the "we can't make this innocuous-looking information public because terrorists might find it useful" attitude, tracing it to the Carter(!) administration.

Petréa Mitchell • August 31, 2013 10:59 PM

From New York Magazine: "The NYPD Division of Un-American Activities"

It describes a unit that was set up after the 2001 attacks, but again, repeating an old pattern:

The NYPD had last been involved in such surveillance activities during the sixties, when there was an NYPD “extremist desk” to watch antiwar groups and a “black desk” to investigate African-Americans. Police maintained hundreds of thousands of case files and more than a million index cards containing names of citizens whose activities were deemed suspicious.

There's a lot of detail I hadn't seen before about how the would-be informants went about their business. One unexpected tip: If you want less scrutiny at your cafe or deli, serve terrible food.

Michael Mol • September 1, 2013 12:02 AM

So, I've just published to Github an early-alpha spec for a message passing system I've had brewing in my head for a week or two. URL to relevant repo is presented as the "URL" metadata field in this form. Looking for feedback.

Clive Robinson • September 1, 2013 4:55 AM

OFF Topic :

The WashPost has an article on Anti-polygraph prosecution,

http://www.washingtonpost.com/local/...

It appears in the main to be little more than a "re-boil" article on what has already been said, however they add at the end that prosecutors are asking for a minimum term on sentencing...

However if you want to know a bit more about polygraphs and the techniques that cause them to be considered un-scientific at best or more correctly snake-oil have a look at,

https://antipolygraph.org/lie-behind-the-lie-detector.pdf

It appears that Bitcoin is beginning to feel the effects of regulation and as a result Tradehill bitcoin exchange has stopped trading currently,

http://mobile.bloomberg.com/news/2013-08-30/...

There is also a degree of compulsion on those who have accounts in that Tradehill has told them to join a particular US based credit union or liquidate their accounts.

Speaking of companies applying pressure, it appears that Google and Microsoft have got tired of the USG using delaying techniques and are "going to court" but don't say which or when,

http://www.theguardian.com/law/2013/aug/31/...

And speaking of delays and prevarications involving courts, as many know the US Patent system allows "software patents" which most other jurisdictions don't currently. The EU for instance has been humming and hawing on the subject since the last century one way or another. Although lobbied for strongly by large US software firms, in general the evidence suggests that far from helping software innovation and thus promoting and developing a software economy it in fact only brings benefit to those exercising what is in effect a stranglehold monopoly. Unsurprisingly this has been seen before in other technical development activities. Thus perhaps unsurprisingly New Zealand has passed legislation preventing it by 117-4 votes.

http://arstechnica.com/tech-policy/2013/08/...

But it's not just NZ, it's also the US Gov's GAO in a report they recently released, Timothy B. Lee has posted his thoughts on this over at the WashPost blog,

http://www.washingtonpost.com/blogs/the-switch/...

Part of the problem has been telling a "process" which is patentable in most jurisdictions from a software program or other human activity that is not. The main problem of which is that "process" is one of those weasel words that those of the legal profession love to argue over at others' expense.

As an engineer I've been involved with patents one way or another for some years and what has struck me the most is their arbitrary nature and the capricious nature of many involved with them. All I can really say for them is that in modern times they appear not to be a solution for "the public good", especially where fast innovation is concerned.

Benoit • September 1, 2013 7:41 AM

@Nick P. : A few weeks ago, in a very interesting review of Gith, you were regretting that no Linux version was available.

That's fixed ! (https://www.gith-systems.com/download/)

Concerning the fact that an independent review would be a "plus" : I'm working on that. I'll meet the "ANSSI" (the French organism for IS security) very soon, which is a first step.
Being evaluated by real private and independent labs is most of the time quite expensive, and I'm not ready for that yet !

Nick P • September 1, 2013 9:06 AM

@ Benoit

Glad to see you're continuing to improve your software. Congratulations on successfully handling the breach of hosting provider a while back, both damage prevention and notifying your users. That and the clear warnings you give about the beta inspires some trust in your organization. ;) If I find time, I'll check out your software and see what using it is like. No promises, though.

Btw, nice video of MITM attack. I'd kind of feel that the middle person should say something that would worry the other two more. Yet, the video had also seemed more laid back than most. I was torn between which direction to suggest you go on that. I think you can improve its effect if you change the conversation a bit but keep everything else the same.

Random extra. NoScript results in some funny error messages sometimes. Before I allowed scripts the video player said "DailymotionPlayer is not defined at undefined line undefined." Very enlightening. I'm sure tech support people love debugging information like that.

Clive Robinson • September 1, 2013 11:03 AM

OFF Topic :

In the EU some politicos are getting tough and talking of trade sanctions against the US over the illegal activities of the NSA on European soil,

http://www.theguardian.com/world/2013/aug/26/...

Now I don't know if this is for real or not because Germany has elections in three weeks and it might just be pre-election "tough talk" to gain extra votes. Perhaps German and other continental Europeans would care to express their views?

However there is another issue that is now coming up to bite politicos in the US and UK and other nations. It's the thorny issue of "what rights do individuals have in borders and international waters and airspace"? Both the US and UK pretend that you have none, but it's actually not true as both nations have signed international treaties and signed up to UN and other conventions.

Thus contrary to what the likes of US and UK border officials would have you believe, you do have rights that they can arbitrarily or with jurisdictional laws ignore.

And some journalists are now starting to dig into this and make some of your rights visible,

http://www.zdnet.com/...

Alex • September 1, 2013 12:03 PM

I know it's not SQUId, but I'd like to talk about SQUIrrels instead, and the threat they pose to our national security.

I was reminded about this by Joe Mooallem's article in this Sunday's NY Times: http://www.nytimes.com/2013/09/01/opinion/sunday/...


Closer to home, earlier this year half a million people were without water service in the city of Tampa, Florida due to a squirrel. It would be 3 days later before everything was restored and the water was declared safe to drink. http://tbo.com/news/politics/... I also find it difficult to believe that no one ever bothered to reinforce this particular feeder against hurricane winds, but then again, it's the City of Tampa and they do everything half-arsed.

Brandioch Conner • September 1, 2013 3:25 PM

@Calvin Li

I understand that Bruce has advocated writing passwords down.
Not just writing down the password(s). But then keeping them in a physically "safe" location. Such as your wallet.

Essentially moving more complex digital security to easier to understand physical security.

You know when your wallet has been stolen/lost/compromised.

Dirk Praet • September 1, 2013 7:58 PM

@ Benoit

That's fixed ! (https://www.gith-systems.com/download/)

A big thank you from me as well, Benoit.

I somehow missed @Nick P's review of Gith a while ago, but if I can spare some time I'm definitely going to give it a good test drive in the days to come. It's heartwarming to come across a growing number of non-USUK (pun intended) companies taking up security/privacy related software, and I seriously hope/believe the market for such products is only going to expand dramatically in the time to come.

One question: AFAIK France has some seriously restrictive laws and regulations about the use of cryptography. Have you got this angle covered for Gith ?

Aspie • September 2, 2013 4:44 AM

@Tom

Caller: "so ... you don't keep track of email and internet data?"
NSA: "... not [in] the way you're saying."

Splendid!

Tom • September 2, 2013 5:15 AM

I'm wondering a couple of things:
What if he would have given his contact information?
And what if he would have given the contact information of someone else?
Or is the NSA already checking him out?

It's maybe a good suggestion for the NSA to offer such a service so they can make GOOD use of (at least a part of) the tons of data they collect.

Aspie • September 2, 2013 1:30 PM

Or is the NSA already checking him out?

Probably from the moment he dialled the last digit to their help-line. As a side-note, I heard that NSA types are known to use their access to check the fidelity of their nearest and dearest. They call it LOVEINT, apparently.

Nothing like insecurity and paranoia to grease the wheels of "progress".

Benoit • September 2, 2013 2:50 PM

@Dirk Praet

Thanks for your support !

One question: AFAIK France has some seriously restrictive laws and regulations about the use of cryptography. Have you got this angle covered for Gith ?

The French laws around cryptography are not really restrictive anymore as long as your product is not considered a "military product".
I just met the ANSSI today, and concerning Gith I simply need to make a simple declaration to be able to "export" it outside France. That's all !

Concerning the "meta-data", I'm supposed to keep the IP addresses and user names for a period of one year. This doesn't apply to the contents, hopefully.
I don't seem to be exposed to the same sad problems as Silent Circle and Lavabit encountered last week.

Dirk Praet • September 2, 2013 8:33 PM

@ Clive

In the EU some politicos are getting tough and talking of trade sanctions against the US over the illegal activities of the NSA on European soil

I watched the Merkel-Steinbrück debate yesterday and the NSA topic was indeed brought up. Although challenger Steinbrück has been trying to capitalise on the matter for a while and Merkel is definitely on the defensive, the Bundeskanzlerin according to the latest polls still has a very comfortable lead. In addition, Steinbrück has very little credibility on the issue as his SPD party in previous coalitions was part of the government (thus fully aware of what was going on) and less than enthusiastic about a proposal by the left and green parties for a full parliamentary investigation into NSA surveillance practices. I don't expect anything to come out of it soon.

In South America on the other hand, Greenwald has been doing an excellent job in stirring up several governments against the US. After the Morales incident and revelations about massive communications hoovering in Brazil, the Brazilian and Mexican governments have just demanded a formal explanation from the US over new claims that the NSA spied on their presidents.

adrenalion • September 3, 2013 9:20 AM

The revelation of the NSA surveillance has caused legitimate (albeit belated) concern about the security of all the data that organizations have been moving to the cloud. As a result, a number of companies have popped up and are touting their encryption services as a way to protect data.

However, some of these solutions do some strange things, like individually encrypt every word in a document or SaaS application, rather than do the entire block of plaintext at once. In addition, they claim to be able to sort and search within these encrypted strings without first decrypting them! And they claim to do all this using NIST-approved crypto.

To me, this sounds too good to be true, so: What are the implications of encrypting short text strings, in a way that allows some manner of search and sort capability? Is there a way to quantify how much more crackable the data is? Or is there a way to determine the likelihood of collisions?

What should companies ask when looking at these solutions?

Clive Robinson • September 3, 2013 11:04 AM

@ Adrenalion,

    However, some of these solutions do some strange things, like individually encrypt every word in a document or SaaS application, rather than do the entire block of plaintext at once. In addition, they claim to be able to sort and search within these encrypted strings without first decrypting them...

If what you are saying is true they are using a "code book" mode on the words or strings. It's also known as "a weak substitution" system.

Look at it this way: in non-specialised English about two thousand words are used ordinarily, with another two to five thousand specialised words. This gives around 2^13 substitutions, so even using AES with an output block size of 128 bits you are only using 1/2^115 of the available output.

Such "code book breaking" is crackable to an easily readable state with around ~90 words of a document of known or reasonably guessable context.

The weakness of such "code book" systems has been known for a couple of centuries, which is why they usually get used not to "encrypt" but "compress" a document, the actual encryption and the security of the system being done with "Super Encryption", which if done with a One Time Pad properly would be theoretically unbreakable.

But if "super encryption" was used in the system you describe then "decryption" of some sort would have to be performed.
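
Adrenalion asked above how to quantify the risk of per-word encryption, and Clive's reply calls it a code book; the constructed example below (added here, not from the original thread or from any product mentioned in it) shows what such a scheme gives away to an observer who never sees the key. A keyed HMAC truncated to 128 bits stands in for AES or any other deterministic cipher, since only the same-word-gives-same-token property matters; the key and the sample document are constructed.

```python
"""What per-word deterministic encryption (a 'code book') leaks.

Constructed demo: HMAC-SHA256 truncated to 128 bits plays the role of
AES-ECB or any deterministic cipher. Equal words map to equal tokens, so
the ciphertext keeps the repetition and frequency structure of the text.
"""
import hashlib
import hmac
import math
import re
from collections import Counter

# Constructed key and document; neither comes from the original page.
KEY = b"constructed-demo-key-not-a-real-secret"
DOCUMENT = """the report on the merger is due on monday the board will review the
report and the board will vote on the merger on tuesday the press release
about the merger will follow the vote the merger is confidential"""


def tokenize(text):
    """Split into lower-case words, the unit such products encrypt."""
    return re.findall(r"[a-z]+", text.lower())


def encrypt_word(word, key=KEY):
    """Deterministic per-word 'encryption': equal words give equal tokens."""
    return hmac.new(key, word.encode(), hashlib.sha256).hexdigest()[:32]


def encrypt_document(text, key=KEY):
    """Encrypt a document word by word, keeping word order."""
    return [encrypt_word(w, key) for w in tokenize(text)]


def search(ciphertext, query, key=KEY):
    """The advertised feature: find a word by token equality, no decryption.
    Returns the positions of every occurrence of the query word."""
    target = encrypt_word(query, key)
    return [i for i, tok in enumerate(ciphertext) if tok == target]


def equality_leak(ciphertext):
    """What an observer without the key sees: which positions hold the same
    word, hence the vocabulary size and the full repetition structure."""
    return Counter(ciphertext)


def frequency_profiles_match(text, ciphertext):
    """The sorted frequency profile of tokens equals that of the plaintext
    words, so classical frequency analysis applies with no key at all."""
    plain = sorted(Counter(tokenize(text)).values(), reverse=True)
    cipher = sorted(Counter(ciphertext).values(), reverse=True)
    return plain == cipher


def effective_token_entropy_bits(ciphertext):
    """Shannon entropy of the token stream. Each token is 128 bits wide, but
    the stream can carry at most log2(vocabulary size) bits: the 'only a tiny
    slice of the output space is used' observation, in numbers."""
    counts = Counter(ciphertext)
    n = len(ciphertext)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    ct = encrypt_document(DOCUMENT)
    print("words:", len(ct), "distinct tokens:", len(equality_leak(ct)))
    print("positions of 'merger':", search(ct, "merger"))
    print("frequency profiles match:", frequency_profiles_match(DOCUMENT, ct))
    print("entropy: %.2f bits of 128" % effective_token_entropy_bits(ct))
```

The same equality test that makes the server-side search work is what lets anyone holding the ciphertext recover the document's word statistics, which is the question a buyer should put to such a vendor.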

Clive Robinson • September 3, 2013 2:10 PM

OFF Topic :

As you have probably heard Microsoft is to buy Nokia.

Both companies have been losing market share etc for some time. Many (slightly incorrectly) view Nokia's woes as being due to the use of Microsoft's OS for mobile/smart phone devices, others attribute it to taking on an ex-MS staffer in a senior role.

Whatever the actual causes, Steve "balmy" Balmer is crowing about the acquisition to MS Full Time Staff (not the PTs or orange badge workers/contractors).

Anyway MS has stuck it up on the web,

http://www.microsoft.com/en-us/news/Press/2013/...

Kevin • September 3, 2013 8:19 PM

Quick question: is anyone else having trouble accessing this blog through Tor? I have been trying for about three weeks and it always says the connection has timed out.

Alex • September 4, 2013 2:07 PM

@Clive Robinson: Big mistake there. Nokia doesn't really have anything to offer MS at this point, and MS certainly doesn't have anything to offer Nokia.

Realistically, MS should have bought Blackberry. Blackberry has always been the businessman's phone. Out in the suburbs & such you'll see iPhones. Come to Manhattan and you'll see iPhones (think advertising, fashion, media) and Blackberries (Finance, legal, business). Even now, people are still using their 5+ year old Blackberries.

An MS-Blackberry partnership would have been good. 99% chance Blackberry users were using MS Office and often MS Exchange to begin with. MS could do a proper integration and have made it something wonderful.

Then again, MS could use its crack-pot focus groups and turn out another turd like Windows 8 or Windows Phone.

Dirk Praet • September 4, 2013 8:31 PM

@ Alex

Nokia doesn't really have anything to offer MS at this point, and MS certainly doesn't have anything to offer Nokia

Not entirely. M/S can still try to capitalise on the still huge Nokia user base as it totally missed out on the smart phone market, and for Nokia it's a way of averting the chronicle of a death foretold.

It would have made sense in 2002. Today, it looks a bit like putting two turkeys together hoping an eagle will come of it.

Figureitout • September 4, 2013 11:56 PM

Bruce
--I don't know if you've had such a sustained output of Op-Eds for a while, but the last 3 were good. The IEEE was hilarious (what are you doing jacking cards?--Ha), I've had some silly situations w/ RFID cards and gaining access to places doing a nice sidestep of the security just to see how much it isn't protecting me (never anything else nor putting them at more risk than they are already); and I will never forget a very large company's "security" waving in someone using a card w/ a black man (he was white) and someone else just using a random card; just to get legitimate physical access to premises. And from there you can observe. It happened b/c the place was massive and they skimped on competent/vigilant guards.

I also don't know how many backdoors/side channels you have witnessed and tried to figure out; surely a lot of debugging, but you are correct in that these are the main security threat of the 21st century that should be the focus of security engineers. Side effects, unintended consequences, and side channels; the recipe for a paranoia heart attack. Too many modules, too many shipping places for a final single product, automated Wifi/Bluetooth that should be separate modules to add if you want. Circuits too small; us mere mortals and individuals w/o $$ can't afford the equipment to properly test these circuits; have to rely on "simulations of reality", pfft. Implement the math (crypto) on a secure platform and I can finally get a nice night of sleep. I trust the math too, I think....

Clive Robinson • September 5, 2013 6:33 AM

@ Bruce,

I know you keep an eye on nature mimicking security, well this might be a "breaking story" on a new example,

http://www.wired.com/wiredscience/2013/09/...

Basically some as yet unknown bug is suspected of making a structure that looks a lot like an antenna mast with a high security fence around it in miniature,

The "who, what and why" of it is currently unknown...

Clive Robinson • September 5, 2013 7:27 AM

OFF Topic :

Some stories off of wired that may be of interest or concern...

Firstly, unsurprisingly the NSA prefers to go after routers and switches that don't get upgraded, updated or patched for months if not years (unlike servers and user devices that do),

http://www.wired.com/threatlevel/2013/09/...

This is actually a very real concern and is one of those "hidden / neglected" security areas much like PABXs and SCADA systems once were, and allows any attacker to hoover up truckloads of data as it passes through the router/switch...

Secondly, and perhaps not unsurprisingly, it appears there is a race on to develop a more secure EMail system that is presumably both NSL and NSA proof,

http://www.wired.com/threatlevel/2013/09/...

This may turn into a "Holy Grail" chase, for while encrypting the Email contents and making such functionality usable to your granny are solvable problems, other issues are not so easy to see workable solutions to. In particular is the issue of routing and its metadata. The current Email model is "push to send", "pull to receive" which requires as a minimum a third party storage point. This storage point is a vulnerability and not under the control of both parties and often neither of them, thus it's a point of vulnerability. Other communications systems whilst "P2P" for content have the issue of "finding the end point" which again usually involves a directory server or hierarchy which again is not under the control of both parties and frequently neither, and it's vulnerable to many attacks as the DNS system has shown over the years and still does.

Even when these mid-point servers are not used for communication just knowing who has made a lookup and when is sufficient with statistical algorithms to do reasonable traffic analysis.

I've looked into how to resolve these mid-point issues in the past when looking at how to control a bot-net without having a vulnerable fixed "head server" for command and control. There are solutions but they have practical issues when dealing with millions of users. One solution that comes to mind is mix-networks with broadly distributed directory services and the use of PK messaging. But the weakness is still the initial "lookup" of contact meta-data.

Thirdly Bruce has an OP-ed on how far ahead the closed community of the NSA et al might be compared to the open community. He covers much of the stuff covered by this blog but lightly and does not mention other areas,

http://www.wired.com/opinion/2013/09/...

Ann Oni • September 5, 2013 7:56 AM

@Clive:

Freenet has an interesting model for storing content. If fragmented group filesystem storage could be used with encrypted email it could be an effective mid-point.

Nick P • September 5, 2013 9:34 AM

@ Clive Robinson

"Secondly, and perhaps not unsurprisingly it appears there is a race on to develop a more secure EMail system that is presumably both NSL and NSA proof,"

All the solutions were cute. I say this because, despite good ideas, they don't solve the problem of NSA being able to legally compel you to do their bidding or shutting you down entirely. Even the Chrome extension idea can be subverted from that angle albeit with more steps than usual.

I'll also add that wrapping email as secure messages with modern third party distribution and delivery is easier than securing existing mail protocols and infrastructure. People should focus on that b/c it would be simpler. It also allows things like preview, content scanning, etc to work in corporate settings. One must merely tweak the proxies that move and scramble the emails.

@ Ann Oni

https://freenetproject.org/freemail.html

Nick P • September 5, 2013 9:49 AM

@ Clive Robinson

Slashdot reports Mailpile's crowdsourced funding was frozen by PayPal. They've previously blocked funds for both Wikileaks and Bradley Manning fund. I'd like to place a wager that they've become one of Washington's tools to harass projects that undermine Washington's power.

So, there's another threat that people in the Wired article must consider. Their funding could get frozen for mysterious reasons just before their secure solution gets off the ground.

name.withheld.for.obvious.reasons • September 5, 2013 10:33 AM

Timely but off topic:

Senate Foreign Relations Committee

Authorization for the Use of Military Force committee deliberation was made a joke by the senators occupying that committee--except for Rand Paul. During the hearing the import and gravity of the decision to go to War was expressed, some senators suggested that this isn't War...but what is the use of the military? A picnic that includes guns and ammo?

There is a major constitutional issue in this decision and action, actually there are several. First, the use of chemical weapons is not a mechanism by which congress or the president can act or use the military--period. Rand Paul brought up the issue addressing both points. One, the authority to declare War (I argue the authorization for the Use of Force is not equivalent) rests with congress. Two, that there is no authority derived from "the use of chemical weapons" that allows congress or the president to fire a single shot out of a revolver.

There is more--the legislative authorization includes laying the ground work for "regime change". What bull crap. We have a senate that believes that foundational law has limited relevancy. We are screwed. What happens when congress reviews the NSA debacle? I have absolutely no confidence in our government--when it can ignore the tenets, basis, and language of the very law that enables their office--then they are hypocrites and scoundrels. We need to elect persons that understand the what, WHY, where, when, and how of our laws. People express the steadfast support for the rule of law--no we have the rule of [wo]men!



Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..