Friday Squid Blogging: How Bacteria Terraform a Squid

Fascinating:

The bacterium Vibrio fischeri is a squid terraformer. Although it can live independently in seawater, it also colonises the body of the adorable Hawaiian bobtail squid. The squid nourishes the bacteria with nutrients and the bacteria, in turn, act as an invisibility cloak. They produce a dim light that matches the moonlight shining down from above, masking the squid's silhouette from predators watching from below. With its light-emitting microbes, the squid becomes less visible.

Margaret McFall-Ngai from the University of Wisconsin has been studying this partnership for almost 25 years and her team, led by postdoc Natacha Kremer, have now uncovered its very first moments. They've shown how the incoming bacteria activate the squid's genes to create a world that's more suitable for their kind. And remarkably, it takes just five of these microbial pioneers to start the terraforming (teuthoforming?) process.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on September 20, 2013 at 4:25 PM • 63 Comments

Comments

Bauke Jan DoumaSeptember 20, 2013 4:41 PM

Does anyone remember Naomi Klein's article in Rolling Stone, China;'s
All Seeing Eye:
http://www.naomiklein.org/articles/2008/05/...

Which leads me to the issue. In what way would the NSA also gather
intelligence from camera's, RFID systems, tolls, reservation systems
(airlines, hotels), etc., etc.?

Has anything been disclosed on this?

bjd

Tony H.September 20, 2013 5:39 PM

You had a Googlewhackblatt for a few minutes there with "teuthoforming". What a great word.

JCSeptember 20, 2013 6:15 PM

Thanks Bruce, I love squids :)

Speaking of squids of a different kind: are there some serious studies about the volume of the cybercrime business in 2013 ? With detailed activities: botnet renting, spy/hackers/mercenaries for sale, credit cards and other credentials sales, etc. ? Ventilated by countries/regions ?

CuriousSeptember 20, 2013 7:37 PM

"Documents from the archive of whistleblower Edward Snowden indicate that Britain's GCHQ intelligence service was behind a cyber attack against Belgacom, a partly state-owned Belgian telecoms company."

http://www.spiegel.de/international/europe/...

http://www.theguardian.com/uk-news/2013/sep/20/...

Just 4-5 hours after my national online newspaper (Aftenposten) apparently published a small notification about this story late friday evening (NTB), this piece of news is at this moment not to be found on the front/splash page, but instead stowed away in a sub-section.

JacobSeptember 20, 2013 10:44 PM

Firefox, as of V.24, removed all CRL management. Maintainer claimed that nobody uses it and it is just a nuisance. Mistakenly, the maintainer claimed that neither IE nor Chrome use it since they don't show a UI for that, unaware (as indicated by a user) that those two, contrary to Firefox, use the Windows' CRL store to check for revocations.
https://bugzilla.mozilla.org/show_bug.cgi?id=867465

LOLSeptember 20, 2013 10:57 PM

The same private outfit that vetted Eric Snowden for the NSA also vetted the recent Navy Yard shooter.

http://www.washingtonpost.com/business/economy/...

So who else did they investigate that is right now working for the NSA who is "beyond reproach"???

It seems the federal government is good at spying on everyone except its own employee's mischief.

Jesse VivianoSeptember 21, 2013 3:30 AM

I am not a cryptanalyst so I could be wrong, but I thought about something scary. The U.S. Digital Signature Algorithm depends on a good random number generator or pseudorandom number generator. We now know that Dual_EC_DRBG is probably backdoored. If a certificate authority was using DSA instead of RSA to sign certificates, and was using Dual_EC_DRBG to generate the pseudorandom numbers used to sign the certificate, could the NSA break the certificate authority's private key with enough certificates signed by the certificate authority?

hellohumansSeptember 21, 2013 9:23 AM

Greetings humans.

I thought this would be a good place to ask a security question.

It is possible to get a uni directional usb cable? It sounds like a simple thing but I've been unable to find it. I know unidirectional gateways exist but that seems like overly complicating the matter.

It would be a good way to create physical isolation for secret keys.

Plaintext goes from computer A to computer B via the one way cable. Is encrypted on B. Then ciphertext is transmitted to C en route to A and B is switched off. Or something like that.

Ideas, thoughts much appreciated thank you.


UKJimSeptember 21, 2013 10:34 AM

We know NSA/GCHQ has been hoovering up data from cables. Some of those surely belong to BT.
Bruce, how come you know nothing about this?
Aren't you paid as BT's chief security officer?
What are you going to advise them to do?
Anything you can say?

Your comments suggest that you are on our side (the side of privacy), but how does that square with being employed by BT, specifically on security issues, yet being in the dark (or worse, knowing what's going on...)?

FigureitoutSeptember 21, 2013 11:32 AM

hellohumans
--Look up data diodes, or just a diode in general. They're extremely important components. For instance, practically every electronic circuit needs a DC voltage. A diode circuit like a bridge rectifier, during the negative half cycle of the sinusoidal input (AC), the diode is reverse biased. During this time, it's an open circuit, current=0 and output voltage=0. On a graph, the wave is converted to a bunny-hops and the bridge rectifier is even more efficient than a 2-diode one.
Quick google search yielded:
http://www.cru-inc.com/products/USB-DataDiode.php

http://www.positronlabs.com/mla-data-diode/

http://www.owlcti.com/dualdiode_technology.html

http://www.blackbox.com/Store/Detail.aspx/...

DanielSeptember 21, 2013 1:50 PM

@00000 regarding NSA job.

If Obama had any chutzpa he would pardon Snowden and stick him in that job.

either that or appoint Bruce.

/better to have them in the tent pissing out than out of the tent pissing in.

PeterSeptember 21, 2013 3:52 PM

@ Greendemon: It is well known among lawyers that the banking laws can be summarized very simply: "The bank wins." "We don't have to obey the law" is just an alternate formulation.

Wesley ParishSeptember 21, 2013 7:00 PM

@Bauke Jan Douma

Interesting reading. Yes, I remember reading something along those lines that far back.

Looks like the PRC's got itself into the same predicament as the US with its infernal NSA - you have all this data, which is only so secure. There are ways of managing and reading that data that turn out to be extremely lucrative - and any foreign "Intelligence" agency that invests and reduces the hosting "Intelligence" agency - to use the requisite seige metaphors - will have a gigantic handle on the hosting state's economy.

I had thought the Chinese, with their experience of being run under the wheels of an expansionist West during the 1800s, would've thought more deeply about this. Evidently not.

kashmarekSeptember 21, 2013 7:45 PM

Well, if this just doesnt beat all...

http://yro.slashdot.org/story/13/09/21/2045223/...

To pump up employee moral, apparently the NSA tells them they aren't doing anything wrong or illegal.

I suspect their biggest worry is not being taken down from without but rather from within (the Feds generally feel the same way - someone outside the U.S. won't take us down but someone within the U.S. will; the Vatican thinks the same about its membership, in that they are more worried about failure within the Church rather than some religion outside the Church being a problem).

MaximilianSeptember 22, 2013 4:22 AM

Seen At 11: Getting Personal – Your Pulse Could Be Your New Password

Pin Numbers, Credit Cards, And Passwords Could Soon Be A Thing Of The Past

http://newyork.cbslocal.com/2013/09/16/...


"Our heartbeats are as unique to us as our fingerprints and now they are being used to replace passwords, key cards, and bank cards, CBS 2′s Kristine Johnson reported. “It’s like your personal pin number is your heartbeat,” Mashable.com’s Lance Ulanoff said."

‘Pulse Passwords’ Are Next Step Towards Permanent Human Microchip Implantations

http://www.nowtheendbegins.com/blog/?p=15043

CallMeLateForSupperSeptember 22, 2013 8:42 AM

Re: "Your Pulse Could Be Your New Password"

Oh great. More snake oil. As if fingerprints and lie detectors don't already give us enough to doubt.

No, my "New", biometric-based password definitely will not be my heartbeat. I might be persuaded to go with my skull's morphology. ;-)
http://en.wikipedia.org/wiki/Phrenology

Clive RobinsonSeptember 22, 2013 9:24 AM

@ CallMeLateForSupper,

    I might be persuaded to go with my skull's morphology. ;-)

Agh har, you've been n gorn n given away your true identity of "Edna Bucket", thar secret is out :-)

(Sorry not realy sure how to type a "pirate panto voice")

on nist and nsaSeptember 22, 2013 10:59 AM

I've seen some posts here where it is surmised that NSA was ham handed by using a slow, biased, PRNG with EC.

Now, I think the first bit of logic is spot on:

Yes, they recognize that ECC is strong and they needed a backdoor, i.e, they couldn't break it.

But the second conclusion that some are making is just wrong, imho.

That is, the NSA cludged this abomination into the NIST standard. I can see where you would get that. But, consider things from their perspective: ECC is a rising star, flavor of the month, if *we* don't do something, they (the NIST), might just pick one independently and we'd be screwed.

So looking at it like that, one can possibly see how they would rush to put their ECC in, that they know was broken, instead of someone elses, that they knew would work.

All in all, its quite the vote of confidence in Eliptical Curve Cryptography.

NobodySpecialSeptember 22, 2013 12:34 PM

@hellohumans
You can't get a unidirectional USB because the protocol needs to request/acknowledge data packets.

You can simply cut the data wires to make a charge-only cable but this will limit the maximum power available (the protocol requires a high power device to request extra power form the host)

Nick PSeptember 22, 2013 1:12 PM

@ NobodySpecial

Remember that was a gripe about TCP which was solved by the NRL Pump. There might be a way to make a Pump for USB. Id prefer a secure gateway or converter though.

anyoneSeptember 22, 2013 2:24 PM

About NRL Pumps and other such technologies, this is shamelessly copied from p.574 in "SOFSEM 2008: Theory and Practice of Computer Science" published by Springer (2008).

(Sorry but that image in 'Figure 1' could not be included here - hopefully the text is sufficient to provide an idea)


2.2 Physical Separation

As a simple but intuitive security concept, the principle of ”Physical Separation” is to find a way to transmit data between two different networks without having to establish a direct and physical connection. Currently, there are many different ”Physical Separation” implementations, such as e-GAP-based Intelligent Application Gateway (IAG) [11], DualDiode [12], NRL Pump [13], etc.

Lock-Keeper is also implemented based on this ”Physical Separation” idea. It works as a sluice ("an artificial channel for a flow of water that is controlled by a valve or gate") to guarantee that hackers and malign data have no opportunities to break into the internal network by any means of online attacks. we use a SingleGate Lock-Keeper system as an prototype to briefly explain what the Lock-Keeper is and how it works [10], [14].

As shown in Figure 1, a SingleGate Lock-Keeper system consists of three independent Single Board Computers (SBCs): INNER, OUTER and GATE, which are connected using a patented switch unit. This hardware based switch unit restricts the connection so that GATE can be connected with only one partner at any time, either INNER or OUTER. Besides these hardware components, there are also Lock-Keeper Secure Data Exchange (LK-SDE) software running in the Lock-Keeper system. LK-SDE software includes several application modules located on INNER and OUTER, which work as interfaces and provide popular network services to outside users. Currently, there are four LKSDE application modules implemented, i.e. File eXchange (File-X) Module, Mail eXchange (Mail-X) Module, Database Replication (DB-Rep) Module and Web Service (WS) Module.

Normal communication protocols, such as FTP, SMTP, HTTP, etc., are stopped and analyzed respectively by these application modules.

Then, standard file-based Lock-Keeper Message Containers (LKMC) can be created to carry the data for the received network traffic. These LKMCs will be transferred to the other side by ”Basic Data Exchange Module”. In particular, because GATE is also a normal PC, it is possible to integrate Third-Party security software, e.g. virus scanning software, mail analysis tools, or content filtering methods, etc. into LK-SDE architecture, which help to check data traffic and prevent offline attacks, e.g. virus, malicious codes, etc.

References:
10. Cheng, F., Meinel, Ch.: Research on the Lock-Keeper Technology: Architectures, Applications and Advancements. International Journal of Computer & Information Science 5(3), 236–245 (2004)
11. IAG 2007 website in Microsoft (2006-2007), www.microsoft.com/iag
12. Menoher, J.: Owl Computing Product Overview: Secure One-Way Data Transfer Systems. White Paper, Owl Computing Technologies, Inc. (2007)
13. Kang, M.H., Moskowitz, I.S.: A Pump for Rapid, Reliable, Secure Communication. In: CCS 1993. Proceedings of 1st ACM Conference on Computer & Communications Security, Fairfax, VA (1993)
14. Lock-Keeper WebSite of Siemens Switzerland (2005-2007), www.siemens.ch

Clive RobinsonSeptember 22, 2013 2:40 PM

@ Anyone,

The Lock-Keeper idea is not new you can view it like the three switches on a "Sample and Hold" circuit used to move an anolog sample via a "hold capacitor" for measuring.

I've seen security systems designed on this idea around the mid to late 1980's when "Cambridge Ring" networking was in vogue. But if I remember correctly that in turn was based on work done at the UK's National Physics Lab in Teddington SW London just up the raod from Hampton Court Palace.

Clive RobinsonSeptember 22, 2013 3:09 PM

@ Bruce,

    body of the adorable Hawaiian bobtail squid.

Hmm, that's a word that normaly has a distinct gender bias in use and can be heard when talking about Golden Labrador pupies, babies and such like. And when they grow up and the word "adorable" gets replaced by others of a less "Oh how..." and more of "Get off you..." nature.

If I remember correctly the Hawaian bobtail is not large enough to make a tasty snack and it lives by predating small shrimp, so I guess it never grows out of the "Oh how..." stage.

anyoneSeptember 22, 2013 3:17 PM

About "DualDiode":
(this is from: http://www.owlcti.com/dualdiode_technology.html)


DualDiode® Technology & Owl System Functionality
The core technology driving Owl’s secure data transfer systems is the DualDiode - a robust, data diode transfer platform. Initially based on Sandia National Labs’ data diode technology, DualDiode provides a fast (Up to 2.5Gbps), one-way data stream to safely link discrete networks.

Comprised of two Owl-designed communication cards, and optical fiber, DualDiode hardware is literally a physical connection for fail-safe, one-way data transfer. When deploying a DualDiode data transfer system, Owl’s Send-only and Receive-only cards are installed into respective host computer platforms, fitting into standard card slots, connected by optics.


Owl DualDiode Protocol Break
One-way transfer is achieved through a simplex optical link that has just one light source (at the source computer) and just one photo detector (at the destination computer). No information of any kind, including handshaking protocols, (TCP/IP, SCSI, USB, serial/parallel ports, etc.) will ever travel from the destination computer back to the source computer. Special patented protocols are used to assure this reliable, absolute one-way transfer. One-way transfer is redundantly enforced in the communication hardware and driver software applications to ensure that data residing on the isolated domain, and the isolated domain itself, are fully protected. Thus, DualDiode hardware and proprietary software are a non-routable protocol break between sending and receiving domains.

Clive RobinsonSeptember 22, 2013 3:22 PM

OFF Topic :

Under the "U-Make-um, We-brake-um" and "We-told-U-so" departments the Chaos Computer club has come up with a very simple work around for the new iPhone "finger print reader,

http://www.ccc.de/en/updates/2013/...

It's going to be fun reading the "spin" on this when Apple Marketing Dept get back to their desks...

FilbySeptember 22, 2013 3:41 PM

@Clive
about CCC breaking iPhone fingerprint sensor: that is ridiculous. Although they do write:

Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

Maybe that was the *real* reason for the introduction of that sensor...;-P

Nick PSeptember 22, 2013 4:01 PM

@ anyone

Thanks for bringing it to my attention. It looks like a cross between old guard tech and a DualDiode. Those kind of approaches are more versatile than basic diodes. My only gripes on initial reading are:

1. It's quite patented and many of its key strengths are old ideas/techniques. I've used some myself. Hopefully the patents can't stretch to them. The novel, specific contribution is probably the switch/sluice design aspect. That part might be patent-worthy. I try to avoid patented tech where possible.

2. It's made by Siemens. People who discussed Stuxnet on this blog might remember that name. Our main focus in this thread is subversion resistance, esp against NSA, and they've been subverted by NSA before. Oops.

Of course, I'm sure there's a way to negotiate implementing it on other hardware (or software). Long as patent holders and Siemens make money they probably wouldn't care. Thing I liked about The Pump was that it was *very* simple to clone. That said, I'm always happy to see more innovation and products show up in the high security market.

I just wish most of it would happen for guards. They're the most flexible & powerful. Just need more options to both bring their security close to fixed-purpose devices like Lock-keeper and get their cost down.

@ Clive Robinson

Yeah, I remember it. After a while they shifted focus from hardware issues to a CMW-like solution on Xen (QubesOS). It's been continually improving with some things that might spill into other projects. If you look at her blog, she also had interesting articles on dealing with untrusted PDF's, USB security issues, and on Intel's latest security extensions. The Intel info is new to me. I'm sure Wael will have a reaction to the fact that they're ditching the TPM (sort of). We don't have enough information on the specifics of their new tech to say anything of its security. All in all, I think the simplified chips we've recently been dicussing will have fewer flaws than whatever Intel builds. ;)

Brian M.September 22, 2013 4:47 PM

Oh, knock if off, you lot, about diodes, etc.! Ever hear of a "ring network?" Like IBM token ring? And at a simpler level, it's what's used to connect gasoline pumps to the controllers in the station.

Gasoline pumps use a ring network comprised of a one-way RS232 connection, TX to RX. The terminal is hooked to pump A, then A to B, C to D, etc, until the last pump is hooked back to the controller. It's done for low cost, not for security. And it has been hacked before.

If you don't mind higher latency, write the data to a tape, walk it over to the other computer, and read the tape.

"Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway." —Andrew S. Tanenbaum

name.withheld.for.obvious.reasonsSeptember 22, 2013 5:17 PM

Last Wednesday at a house committee hearing, people in the gallery were wearing tinfoil hats. It was great. Got me to thinking about a protest movement against unlawful government surveillance. I am donning my hat collection with tinfoil applied to the surface--so my ball caps, hiking, and other hats will be covered in a layer of foil. Make your own, tell your friends and family. This could be the way to launch the campaign.

Dirk PraetSeptember 22, 2013 6:35 PM

@ Raouf

According to the NSA, 171 of its cryptologists have died in the line of duty

>tinfoil hat>
I once read that some pharaohs had their pyramid builders killed as to make sure that they would never reveal their secrets.
>\tinfoil hat>

@ Clive, @ Filby

Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

I don't know about its veracity, but in my Twitter stream I have seen some alledged security researcher claiming that he had been successful in registering with Touch ID and unlocking his phone by means of an entirely different body part than his finger. Although his method could by all means defeat coercion, the downside would be that unlocking his phone in public would make for a bit of an awkward situation.

@ CallMeLateForSupper,

I might be persuaded to go with my skull's morphology. ;-)

In which case I would be massively screwed because all of my Indian friends keep telling me that I look just like a famous Bollywood movie star currently serving a 5 year's sentence on terrorism and illegal arms possession charges.

@ Brian M.

Oh, knock if off, you lot, about diodes, etc.! Ever hear of a ring network? Like IBM token ring?

Er, you know of any USB/PCMCIA token ring adapters that support SNA on Linux/BSD/OS X ?

Nick PSeptember 22, 2013 6:47 PM

@ Brian M

"Oh, knock if off, you lot, about diodes, etc.! Ever hear of a "ring network?" Like IBM token ring? And at a simpler level, it's what's used to connect gasoline pumps to the controllers in the station."

I was a big fan of Token Ring. The marketplace was not. :(

"And it has been hacked before."

And what's Token Ring-based gas pumps being hacked have to do with using physical security devices for their intended use case? It especially seems a meaningless comparison for the {total or mostly} one way technologies.

Have you been Xboned by Kinect?September 23, 2013 3:23 AM

Will security firms detect police spyware?

How true this is today as it was yesterday....

By Declan McCullagh, News.com
Published on ZDNet News: Jul 17, 2007 11:00:00 AM
-
* This article is being archived on pastebins because it is not available at the original location where it was published. This copy/paste does not include the links (urls) within the article.

original story url: (***://news.zdnet.com/2100-1009_22-6197020.html

* Attention ZDNet News: Please do not move or expire articles as they age.

-

"A recent federal court decision raises the question of whether antivirus companies may intentionally overlook spyware that is secretly placed on computers by police.

In the case decided earlier this month by the 9th U.S. Circuit Court of Appeals, federal agents used spyware with a keystroke logger–call it fedware–to record the typing of a suspected Ecstasy manufacturer who used encryption to thwart the police.

A CNET News.com survey of 13 leading antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies. Some, however, indicated that they would not alert customers to the presence of fedware if they were ordered by a court to remain quiet.
Spyware survey

Most of the companies surveyed, which covered the range from tiny firms to Symantec and IBM, said they never had received such a court order. The full list of companies surveyed: AVG/Grisoft, Computer Associates, Check Point, eEye, IBM, Kaspersky Lab, McAfee, Microsoft, Sana Security, Sophos, Symantec, Trend Micro and Websense. Only McAfee and Microsoft flatly declined to answer that question. (Click here for the verbatim responses to the survey.)

Because only two known criminal prosecutions in the United States involve police use of key loggers, important legal rules remain unsettled. But key logger makers say that police and investigative agencies are frequent customers, in part because recording keystrokes can bypass the increasingly common use of encryption to scramble communications and hard drives. Microsoft's Windows Vista and Apple's OS X include built-in encryption.

Some companies that responded to the survey were vehemently pro-privacy. "Our customers are paying us for a service, to protect them from all forms of malicious code," said Marc Maiffret, eEye Digital Security's co-founder and chief technology officer. "It is not up to us to do law enforcement's job for them so we do not, and will not, make any exceptions for law enforcement malware or other tools." eEye sells Blink Personal for $25, which includes antivirus and antispyware features.

Others were more conciliatory. Check Point, which makes the popular ZoneAlarm utility, said it would offer federal police the "same courtesy" that it extends to legitimate third-party vendors that request to be whitelisted. A Check Point representative said, though, that the company had "never been" in that situation.

This isn't exactly a new question. After the last high-profile case in which federal agents turned to a key logger, some security companies allegedly volunteered to ignore fedware. The Associated Press reported in 2001 that "McAfee Corp. contacted the FBI… to ensure its software wouldn't inadvertently detect the bureau's snooping software." McAfee subsequently said the report was inaccurate.

=

Later that year, the FBI confirmed that it was creating spy software called "Magic Lantern" that would allow agents to inject keystroke loggers remotely through a virus without having physical access to the computer. (In both the recent Ecstasy case and the earlier key logging case involving an alleged mobster, federal agents obtained court orders authorizing them to break into buildings to install key loggers.)

Government agencies and backdoors in technology products have a long and frequently clandestine relationship. One 1995 expose by the Baltimore Sun described how the National Security Agency persuaded a Swiss firm, Crypto, to build backdoors into its encryption devices. In his 1982 book, The Puzzle Palace, author James Bamford described how the NSA's predecessor in 1945 coerced Western Union, RCA and ITT Communications to turn over telegraph traffic to the feds.

More recently, after the BBC reported last year on supposed talks between the British government and Microsoft, the software maker pledged not to build backdoors into Windows Vista's encryption functions.

A recent federal court decision raises the question of whether antivirus companies may intentionally overlook spyware that is secretly placed on computers by police.

In the case decided earlier this month by the 9th U.S. Circuit Court of Appeals, federal agents used spyware with a keystroke logger–call it fedware–to record the typing of a suspected Ecstasy manufacturer who used encryption to thwart the police.

A CNET News.com survey of 13 leading antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies. Some, however, indicated that they would not alert customers to the presence of fedware if they were ordered by a court to remain quiet.
Spyware survey

Most of the companies surveyed, which covered the range from tiny firms to Symantec and IBM, said they never had received such a court order. The full list of companies surveyed: AVG/Grisoft, Computer Associates, Check Point, eEye, IBM, Kaspersky Lab, McAfee, Microsoft, Sana Security, Sophos, Symantec, Trend Micro and Websense. Only McAfee and Microsoft flatly declined to answer that question. (Click here for the verbatim responses to the survey.)

Because only two known criminal prosecutions in the United States involve police use of key loggers, important legal rules remain unsettled. But key logger makers say that police and investigative agencies are frequent customers, in part because recording keystrokes can bypass the increasingly common use of encryption to scramble communications and hard drives. Microsoft's Windows Vista and Apple's OS X include built-in encryption.

Some companies that responded to the survey were vehemently pro-privacy. "Our customers are paying us for a service, to protect them from all forms of malicious code," said Marc Maiffret, eEye Digital Security's co-founder and chief technology officer. "It is not up to us to do law enforcement's job for them so we do not, and will not, make any exceptions for law enforcement malware or other tools." eEye sells Blink Personal for $25, which includes antivirus and antispyware features.

Others were more conciliatory. Check Point, which makes the popular ZoneAlarm utility, said it would offer federal police the "same courtesy" that it extends to legitimate third-party vendors that request to be whitelisted. A Check Point representative said, though, that the company had "never been" in that situation.

This isn't exactly a new question. After the last high-profile case in which federal agents turned to a key logger, some security companies allegedly volunteered to ignore fedware. The Associated Press reported in 2001 that "McAfee Corp. contacted the FBI… to ensure its software wouldn't inadvertently detect the bureau's snooping software." McAfee subsequently said the report was inaccurate.

=

Later that year, the FBI confirmed that it was creating spy software called "Magic Lantern" that would allow agents to inject keystroke loggers remotely through a virus without having physical access to the computer. (In both the recent Ecstasy case and the earlier key logging case involving an alleged mobster, federal agents obtained court orders authorizing them to break into buildings to install key loggers.)

Government agencies and backdoors in technology products have a long and frequently clandestine relationship. One 1995 expose by the Baltimore Sun described how the National Security Agency persuaded a Swiss firm, Crypto, to build backdoors into its encryption devices. In his 1982 book, The Puzzle Palace, author James Bamford described how the NSA's predecessor in 1945 coerced Western Union, RCA and ITT Communications to turn over telegraph traffic to the feds.

More recently, after the BBC reported last year on supposed talks between the British government and Microsoft, the software maker pledged not to build backdoors into Windows Vista's encryption functions.

Even if the FBI, the Drug Enforcement Administration or other federal police haven't tried to compel security companies to whitelist fedware, security experts predict that such a court order is just a matter of time.

What remains unclear, however, is whether police have the legal authority to do so under current law. "The government would be pushing the boundaries of the law if it attempted to obtain such an order," said Kevin Bankston, an attorney with the Electronic Frontier Foundation who has litigated wiretapping cases. "There's simply no precedent for this sort of thing."

One possibility is a section of the Wiretap Act that says courts can "direct that a provider of wire or electronic communication service, landlord, custodian or other person" to help with electronic surveillance.

"There is some breadth in that language that is of concern and that the Justice Department may attempt to exploit," Bankston said.

In theory, government agencies could even seek a court order requiring security companies to deliver spyware to their customers as part of an auto-update feature. Most modern security companies, including operating system makers such as Microsoft and Apple, offer regular patches and bug fixes. Although it would be technically tricky, it would be possible to send an infected update to a customer if the vendor were ordered to do so.

When asked if it had ever received such a court order, Microsoft demurred. "Microsoft frequently has confidential conversations with both customers and government agencies and does not comment on those conversations," a company representative said. Of the 13 companies surveyed, McAfee was the other company that declined to answer. (Two others could not be reached as of Tuesday morning.)

Some security companies refused to reply to the initial version of our survey, which broadly asked about fedware whitelisting. In response, we revised the question to ask if they would alert a customer to the presence of keystroke loggers installed by a police or intelligence agency "in the absence of a lawful court order signed by a judge."

Cris Paden, Symantec's manger of corporate public relations, initially declined to reply. "There are legitimate reasons for not giving blanket guarantees–one of those is a court order," he said at first. "There are extenuating circumstances and gray issues."

But after we altered the question, Paden replied: "Barring a court order to cooperate with law enforcement authorities, Symantec would definitely alert our customers to the presence of any malicious code or programs that we detect on their systems." He added that Symantec had "absolutely not" received any such a court order.

One danger with whitelisting fedware is that it creates a potentially serious vulnerability in security software. If a malicious vendor of spyware were clever enough to mimic the whitelisted government spyware, it would also go undetected.

But if fedware becomes more common, savvy criminals could simply turn to open-source software that's less likely to have backdoors for police. ClamAV and OpenAntiVirus.org both offer open-source security software, and it's also possible to boot off of a CD-ROM and inspect the hard drive for malicious tampering.

At the moment, at least, there aren't any industry standards about detecting fedware. "CSIA does not currently have a position on this issue nor has the issue ever been addressed by its board of directors," said Tim Bennett, president of the Cyber Security Industry Alliance.
Even if the FBI, the Drug Enforcement Administration or other federal police haven't tried to compel security companies to whitelist fedware, security experts predict that such a court order is just a matter of time.

What remains unclear, however, is whether police have the legal authority to do so under current law. "The government would be pushing the boundaries of the law if it attempted to obtain such an order," said Kevin Bankston, an attorney with the Electronic Frontier Foundation who has litigated wiretapping cases. "There's simply no precedent for this sort of thing."

One possibility is a section of the Wiretap Act that says courts can "direct that a provider of wire or electronic communication service, landlord, custodian or other person" to help with electronic surveillance.

"There is some breadth in that language that is of concern and that the Justice Department may attempt to exploit," Bankston said.

In theory, government agencies could even seek a court order requiring security companies to deliver spyware to their customers as part of an auto-update feature. Most modern security companies, including operating system makers such as Microsoft and Apple, offer regular patches and bug fixes. Although it would be technically tricky, it would be possible to send an infected update to a customer if the vendor were ordered to do so.

When asked if it had ever received such a court order, Microsoft demurred. "Microsoft frequently has confidential conversations with both customers and government agencies and does not comment on those conversations," a company representative said. Of the 13 companies surveyed, McAfee was the other company that declined to answer. (Two others could not be reached as of Tuesday morning.)

Some security companies refused to reply to the initial version of our survey, which broadly asked about fedware whitelisting. In response, we revised the question to ask if they would alert a customer to the presence of keystroke loggers installed by a police or intelligence agency "in the absence of a lawful court order signed by a judge."

Cris Paden, Symantec's manger of corporate public relations, initially declined to reply. "There are legitimate reasons for not giving blanket guarantees–one of those is a court order," he said at first. "There are extenuating circumstances and gray issues."

But after we altered the question, Paden replied: "Barring a court order to cooperate with law enforcement authorities, Symantec would definitely alert our customers to the presence of any malicious code or programs that we detect on their systems." He added that Symantec had "absolutely not" received any such a court order.

One danger with whitelisting fedware is that it creates a potentially serious vulnerability in security software. If a malicious vendor of spyware were clever enough to mimic the whitelisted government spyware, it would also go undetected.

But if fedware becomes more common, savvy criminals could simply turn to open-source software that's less likely to have backdoors for police. ClamAV and OpenAntiVirus.org both offer open-source security software, and it's also possible to boot off of a CD-ROM and inspect the hard drive for malicious tampering.

At the moment, at least, there aren't any industry standards about detecting fedware. "CSIA does not currently have a position on this issue nor has the issue ever been addressed by its board of directors," said Tim Bennett, president of the Cyber Security Industry Alliance."

XORSeptember 23, 2013 4:06 AM

CBC Byte Flipping Attack—101 Approach

http://resources.infosecinstitute.com/...

"As usual, there are some explanations about this attack out there (see references at the end), but some knowledge is required to understand it properly, so here I will describe, step by step, how to perform this attack.

Purpose of the Attack: To change a byte in the plaintext by corrupting a byte in the ciphertext.

Why?

To bypass filters by adding malicious chars like a single quote, or to elevate privileges by changing the ID of the user to admin, or any other consequence of changing the plaintext expected by an application."

ElizabethSeptember 23, 2013 8:15 AM

"Others were more conciliatory. Check Point, which makes the popular ZoneAlarm utility, said it would offer federal police the "same courtesy" that it extends to legitimate third-party vendors that request to be whitelisted."
By this logic, if I create a program with a "legitimate" purpose and nice looking website to back it, but insert a trojan into it, I just have to send a nicely-worded letter to Check Point and they'll whitelist it?

WaelSeptember 23, 2013 11:33 AM

@ Nick P,

he Intel info is new to me. I'm sure Wael will have a reaction to the fact that they're ditching the TPM (sort of)...

I'll have a reaction alright, but not before I get some blog stuff off my queue. Didn't want to waste a weekend in Seattle on subversion stuff...

David HeathSeptember 24, 2013 8:37 AM

If anyone happens to be in the UK at the time, I'm planning to visit Bletchley Park on either Sat 6th or Sun 7th October and would love to turn it into a Schneier-blog get together.

Clive, if you're up for it, I'll even make a special trip to pick you up!

Clive RobinsonSeptember 24, 2013 12:19 PM

OFF Topic :

Anybody in need of something to smile at ?

Well you may be aware that Google are encrypting all searches and this has a knock on effect in that it's snatched some mrketing droids "free lunches" out from under their noses and will either have to pay Google by taking out advertising or actually do some real work for once (as they are supposed to do).

http://blog.hubspot.com/...

The down side is it's going to put more cash into Googles pockets...

Clive RobinsonSeptember 24, 2013 12:44 PM

@ David Heath,

A Bletchly meet up might be of interest especialy if Bruce can be cajoled into comming along (though I can see good reasons why he might not, I guess even if he is not at some other event he might just want to get some "home time" in).

As for a lift that's very kind of you to offer, however for medical reasons I avoid long journies in cars and coaches as they have both in recent times put me in hospital due to blood clots even though I'm on sufficient "rat poison" for three or four little old ladies. The look on the average Dr's face when I tell them the dose generaly makes it clear they want to call the nearest consultant as I'm well off their dosage charts. I once had to spend two weeks in hospital whilst they "adjusted the dose", and I can assure you the hospital food still causes me sleepless nights especialy the Vegi "spicey mexican beans" which looked and tasted like pink dental impression glupe and smelled worse :-(

Nick PSeptember 24, 2013 2:35 PM

One software security risk that's often overlooked is obsolescence or lockin. You write code on a nice platform now, you get stuck with expensive and risky rewrite later if it isn't popular. How can you gauge risk and is there a way to avoid it? a person asked on one site. I've often said I ways to reduce the risk of this. Here's what I posted in case Schneier readers developing security tools are interested in avoiding the trap.

On future proof software development

"...future-proofing is a kind of security or risk management really. It often requires you to give up certain conveniences and cost/productivity benefits *now* to avoid problems *later.* I've been making nearly future-proof tech for quite a while now. There are certain patterns that can help. Here's a few.

1. Data should be stored in an open format that's easy to extract or transform later. Odd file formats are a big lockin technique & trap area in general. Also, prefer simpler approaches such as CSV, ASN.1, or JSON over complicated crap such as XML or, say, Word 97 format ;). The idea is that it's simple enough to throw a parser together yourself and the low-level format parser is reusable across your apps.

2. Applications ideally should have vendor- and tech-neutral interfaces built into them, plus a precise description of *what* they do. You should design stuff where you can change or throw away the implementation without breaking anything. Also, moving to a new platform is easy if your method of calling procedures or processing data works across platforms. So, the interfaces are the *most* important thing to get correct. The simpler, faster, and more open the interface implementation method the better.

3. The stack should be *entirely* open source and free to modify. GPL, LGPL, BSD, MIT, etc licenses are fine on this angle. The idea is that, if community starts dying off, then the stack might need to be moved to new [hardware/OS/protocol/etc]. And you need the code to do that.

4. The stack's design should be extremely modular with each piece being understandable by one person. This makes it easier for a new group to pick it up and maintain it. Having even the lowest levels of the runtime, libraries and compiler factored out nicely can have a huge payoff if it needs to be ported. Often, just that one part can be ported and all your old code will work.

5. Your app should be made in a modular way that factors out platform details to minimize rework in that area. It helps to structure functions into input/processing/output blocks where possible too. This can aid an analysis of what will be affected by a port (and correctness analysis in general a la' Cleanroom methodology). Lowest risk approach platform wise is to use lowest common denominator features that are supported about universally with one interface that lets you use them, further reducing porting. (I said you'd be loosing something...)

6. Dynamic typing, type inference or other flexible typing approaches help. A port to a new platform might change the definitions of the base types. Languages that do strong typing internally mean you worry less with this stuff.

7. Keep the concurrency model simple. Event-driven, message passing through clear interfaces is portable to... basically everything. There's also coroutines. You just want to avoid routes that are prone to both errors and portability problems.

8. Look at Mozilla and Apache's portable runtimes. They factor out many platform specific issues with certain interface and implementation choices. They can clue you in on what to worry about, along with providing good solutions to many problems.

Perfect example: Tcl. I know, plenty of people hate it and I rarely use it myself. Yet, Tcl is an *extremely* easy language to understand, implement (12 main rules), and code in. It's small, fast enough, integrates with Web servers, embeds in native apps, has been ported to tons of stuff, has certain safety features, and has been updated regularly since the 80's when it was made. You or I could implement a whole TCL runtime in no time for the core language. *If* we had to port the standard library, it would be easier than porting .NET or Java. And there's quite a bit of useful code written for it. And it's been used in web tech as far back as "mobile agent" craze that Java applets also aimed at. For instance, OpenACS web framework goes back to 1998 with server older than that.

Other examples: BASIC, COBOL and LISP (Scheme or CL). These languages all go back toward the 50's or 60's. They are simple enough to ease understanding, implementation and mechanical translation. Yet, you can build useful stuff with them. COBOL still powers most of world's transaction processing, has been updated a few times, & runs on .NET even. Old QBasic/QuickBASIC apps still run today with open/free tools on modern platforms, along with porting possibilities to better tools like GAMBAS or RealBASIC. LISP coders naturally make their systems modular and functional, easing porting. There's been a steady stream of implementations for it over decades, open and commercial.

So, interfaces, openness, simplicity, modularity, and platform-neutral architecture/design/coding. THESE will get you the future-proofing you require. Most of the time, anyway. "

Any thoughts on this?

(Note: I think the functional approach has proven to be superior to others for this sort of thing over time, esp such as Haskell. Less state and platform issues by nature. However, I mentioned LISP instead of Haskell or modern functional platforms b/c a prime trait in these is "Were they useful commercially and did they last over time?" Many nice things in modern time whose longevity is yet to be established and it seems porting functional toolsets to new platforms would be a TON harder due to less developer's understanding them. So that's why I left functional programming out of the recommendations mostly. Maybe one day when the situation changes...)

name.withheld.for.obvious.reasonsSeptember 24, 2013 4:08 PM

@Nick P

Interestingly you bring up a very salient topic. A couple of years back I was working on a hardware platform for a device of my own design (using my own capital). I decided to take a short cut in the prototype development, used a lot of inline code instead of a parametrically neutral design (typing, interfaces, and modules were absent). Well it bit me in the arse. Of issue was a Analog Devices' micro-controller and one of their analog sensors. A problem was revealed in the operational power curve (should have modeled with a Bode plot) and the device had varying rates of current consumption based on some operational parameters. What was obvious from the data sheets would be what I would term "continious sampling" where the designers thought that the operational model is periodic. Because of the method I used to perform acquisitions the "runtime" current load didn't resemble the data sheet's momentary current load ratings. Add to that, three components on the same PCB had their own power down (energy saving) mode management system. Needless to say it cost me dearly to unwind the prototype development effort. On a side note, the Analog Devices' App Note demo code was a disgrace. I would never put anything out there that looked like that (non-polling sampling, disastrous change control, and poor commenting). It was the example of what NOT to do. A friend said I should "Fix it for them". I just looked at him like he was from outer space (or the NSA).

iseewhatyoudidthereSeptember 24, 2013 9:50 PM

Ok. Maybe this is paranoia.net but....

Either this blog is receiving too much traffic, or your blog is being throttled Bruce. I can't get here except through a fairly circuitous route. Anybody else having problems like this? It happens periodically, not every time.

FigureitoutSeptember 25, 2013 1:06 AM

name.withheld.for.obvious.reasons
--Lol, engineer trying to talk to a programmer; apples and oranges but they're both still fruit and good to eat. What type of sensor was it? I have a weird interest in sensors, I like them, and they can be made to sense an object anonymously to provide a real benefit in a crowded world.

Nick P
--I don't really trust code at all so that is my main gripe w/ programmers and the trust they put into code. Likewise many engineers and almost everyone places a lot of trust into circuits of a calculator and your phone and a computer w/ no testing whatsoever. I don't like XML either. One of my favorite games was written in Cobol. I prefer C, it's my favorite, but I hear talk of making it irrelevant, not sure if that's really going to happen. If I could could code in ASM good I would like that, but the patterns don't make sense to me now.

Squidcrypt0rSeptember 25, 2013 9:27 AM

From what I've heard, the bacteria use a form of what marine biologists call "squidcryption" that effectively makes their hosts immune to NSA surveillance via some onerous back and forth academic argument about which standard the NSA compromised secretly at some nebulous past date.

Glowing squids are said to benefit from this chiefly by floating around in the ocean and not giving a fuck.

David HeathSeptember 26, 2013 7:00 AM

@Clive (and Bruce)

I visited Bletchley about a year ago and thoroughly enjoyed it. Looking forward to a return visit.

I'm arriving in UK this weekend (a pox upon those 24 hours flights from Australia!), but still not sure which day (Sat 6th or Sun 7th) we will be visiting. Guess it depends on the weather and my companions.

Clive - surely its possible to drive to Bletchley from anywhere in London in 2 hours - you can't sit in a car that long?

Anyone else - come along for the party - I'll know by mid week what the plans are.

Nick PSeptember 26, 2013 12:32 PM

People interested in tamper-resistant chips or systems? This talk on PS3 hacking has a nice list of useful features for you to include starting around 12:50 into video.

https://www.youtube.com/watch?v=PR9tFXz4Quc

Earlier in the vid they also show how long each system lasted before being hacked and how it was hacked. Many smart, motivated people tried to hack these consoles. So, I think this gives you a useful measure of what protection period to expect from these types of features when the attackers aren't thought to have a whole lab of equipment for chip hacking.

Brian LeitnerSeptember 27, 2013 7:41 AM

We have no reason to trust these squid. Have they ever had any contact with the uber-venomous Box Jellyfish? Are we sure they're not communicating in some way? We need to get a team of people on this!

WaelOctober 8, 2013 2:07 PM

@ Nick P,

I'm sure Wael will have a reaction to the fact that they're ditching the TPM (sort of).

What a coincidence! Reaction under a title of "How Bacteria Terraform a Squid"!! I have a reaction alright! Sure, trust us, don't trust them! Forget the TPM, use this "emulated TPM" in the latest backdoored, frontdoored and middledoored, CPU, instead! Pure Crock, if you ask me. The Bovine excrement meter just exploded on this one!

Nick POctober 8, 2013 7:48 PM

@ Wael

"What a coincidence! Reaction under a title of "How BacteriaTerraform a Squid"!! I have a reaction alright! Sure, trust us, don't trust them! Forget the TPM, use this "emulated TPM" in the latest backdoored, frontdoored and middledoored, CPU, instead! Pure Crock, if you ask me. The Bovine excrement meter just exploded on this one!"

LOL. I figured the reaction would be along those lines. :)

squidcrypt0rOctober 15, 2013 10:17 PM

The last time Vibrio Fischeri appeared before congress, their representative swore under oath that their motive was purely for the squid's benefit. Now we've discovered that they colonized the squid much earlier in it's lifecycle than anyone previously thought, and also for their own bacteriological benefit.

We can no longer be certain that Vibrio Fischeri are our most trustworthy teuthoforming partners; it could be that the Hawaiian Bobtail Squid has only realized too late that it has maneuvered into a trap.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..