Friday Squid Blogging: Fiona Apple Wears a Squid as a Hat in New Video

Even I think this is weird.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on October 18, 2013 at 4:10 PM • 68 Comments

Comments

ScottOctober 18, 2013 4:50 PM

@Sven

I'm glad to see my government has our priorities straight. Now if we can only cut 3.8 billion in food stamps to balance it out. I mean, people don't really need to eat, but we do need that ship to fight rebels with small arms and IEDs.

MichaelOctober 18, 2013 5:20 PM

@Bruce:

C'mon! It's not that weird. It's the usual pastiche of whimsical, absurdist, and surrealist imagery evoked by the substance of the lyrics. Standard fare for music videos since, I don't know, the 1970's*.

And it's an octopus, right? Source material doesn't know its cephalopods.

* E.g.: Devo, Siouxsie and the Banshees, Peter Gabriel, The Cure, They Might Be Giants, Bjork, and, sure, why not: Men Without Hats.

wumpusOctober 18, 2013 9:37 PM

@sven
Ruggedization (have to pass those pesky mil-specs) generally runs the price of hardware easily up to proper defense prices. If that doesn't work there is always customization of open source projects, "skinning", last minute customer changes, and of course "management fees".

You will note that lack of Windows (but plenty of linux boxes). The last US warship (prototype) to run on Windows was dead in the water. I don't think the US Navy will use it again for awhile. Institutional memory can last longer than consumer software.

GrammOctober 18, 2013 11:53 PM

NSA Delayed Anti-Leak Software at Base Where Snowden Worked - Officials
http://www.nytimes.com/reuters/2013/10/18/technology/18reuters-usa-security-snowden-software.html

The main reason the software had not been installed at the NSA's Hawaii facility by the time Snowden took up his assignment there was that it had insufficient bandwidth to comfortably install it and ensure its effective operation, according to one of the officials.

I would think that bandwidth wouldn't be an issue for an agency that has hooks into the backbone.

Nick POctober 19, 2013 1:43 AM

@ Sven

"Calling Nick P... calling Nick P"

Lol. An old friend used to say that here too. So, they finally got the thing ready and their advanced IT isn't vaporware. What can I say about it? Turns out I can probably say plenty without saying a lot. :)

Warning: I'm pretty tired and this is just a quick piece of research/analysis/review. Didn't want to delay too long on your reply.

There's good information available in these sources:

Main Presentation on Zumwalt with IT details

Product brief of the datacenter containers. Interesting properties.


The Common Display System. It's a terminal for displaying multiple security levels on one machine using a separation kernel. LynxSecure is the separation kernel. I've promoted it here before.

Capability

They want the benefits of COTS to start with. That's it being cheap, having plenty of talented labor, easy maintenance, easy integration, plenty of apps, size, weight, power, etc. The real improvement here over typical COTS is that they focused on standardization and interfaces to the point that changes to the application don't directly affect the architecture and vice versa. This "loose coupling" gives them enormous flexibility compared to more typical Naval tech where the various components are "tightly coupled" and hard to change.

"OACE is a set of international
standards designed to minimize the requirements for custom software, speed the
development of new applications and significantly reduce the cost of
technology upgrades and refresh."

Note: Loose coupling is also recommended by top IT Architects for enterprise use for same reasons. One of my tips on the "court order" page that involved splitting apps to reduce TCB would primarily use loose coupling. There's gotchas in the strategy but it's often superior for resiliency if you do it right.

Architecture
(to be filled in properly later...)

From what I see, they've partitioned the system according to function and grouped some. The DAP in diagrams is a "Distributed Adaptation Processor." What I know so far is it's a Themis rugged computer with a regular chipset running Linux. There was an effort to put some on much simpler computers just for sensors. Some may use them. They're using real-time Java as their language, running on Aonix's PERC VM (good btw). Chose it for safety/security, higher productivity, and better maintenance fit with their OACE strategy.

Most of it is built on their OA Computing Environment (OACE) standard. That goes back to Aegis at least. You can google papers on it to understand its specific functions. They layered an extra thing or two on top of that for further common functionality. It looks like these middleware layers do the heavy lifting for most OACE functionality. This is how underlying platforms can be changed easily. Also, Boeing's very thorough OASIS architecture proposal was endpoints + apps + middleware + infrastructure servers. Seems similar so I think that's a kind of standardized architecture they are going with.

(Remember seeing that I included middleware as a prime focus for high security, resilient systems in my layered breakdown of how to secure stuff? Middleware shows its ugly face and importance again here.)

Having a hard time getting specifics on this. I'm sure many of the important details will be in the OACE papers and resources, both general and for Aegis efforts. The current system probably reuses most of whatever previous efforts produced.

Security

Their security has graudally looked more like the commercial sector. I've already said what I think about military system assurance so I'll not repeat all that. Suffice it to say that this network will be very similar to a COTS network in how its protected and what risks it has. Main military differences are they'll keep tight control, try to get clean inputs, use trusted/cleared personnel, wrap key external connections with assured encryption systems, and do MLS stuff on the CDS systems. There's low enough risk for them here in practice (far as they see) that they're just not worried about advanced attacks. They think the many benefits of these COTS systems justify the extra risk. That's it in a nutshell.

Note: Raytheon and GD are both in on this. Raytheon has ultra-high-speed, Linux guards, high assurance type guards, and MLS endpoint tech. General Dynamics has MLS/crypto tech for VM's, networking, mobile, and so on. I know Themis also partnered for a LynxSecure solution before. These companies could have an ace in the hole solution or two in there protecting data or detecting intrusions. Or not. Who knows. However, I have a feeling that the middleware does most of the heavy lifting on security too. That would increase its flexibility and *maybe* reduce its assurance compared to dedicated solutions.

creepyOctober 19, 2013 2:17 AM

http://ilektrojohn.github.io/creepy/ http://ilektrojohn.github.io/creepy/faq.html

"creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services.

The information is presented in a map inside the application where all the retrieved data is shown accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation."

SvenOctober 19, 2013 3:31 AM

@Nick P. wow you wrote all that whilst tired. That calling Nick P, I had to look that up. I realized it was from tommy. Someone I spoke with on this site a few years ago.. :) Enjoyed his comments but haven't read anything since from him. I think he might have been banned...

Mike the goatOctober 19, 2013 5:16 AM

Sven: banned? I would think that banning a user from a public forum - particularly one that allows connections from proxies and doesn't require registration - would be near impossible. That said, a lot of people on these sites occasionally change usernames. I suspect that there are a few people on here that appear 'new' but have just changed their handle.

Nick: Lynuxworks makes interesting products. I haven't looked at their hypervisor product but no doubt it will be thoughtfully implemented.

dbrdOctober 19, 2013 6:44 AM

Looking at court orders once again, and from a different angle, some interesting cases have recently come to light in Florida. Convicts sentenced to life have been released on the basis of forged court orders. In the two cases cited, the attack was so complete they went in to register as felons, as not doing so would have brought their scheme to the attention of authorities.

http://news.yahoo.com/2-killers-registered-felons-escape-172902113.html

name.withheld.for.obvious.reasonsOctober 19, 2013 6:49 AM

-----BEGIN FISA/NSA HYPOCRISY ALERT-----
Version: pgg v0.2a

SOURCE: FISA
DOCKIT NUMBER: BR 13-109
TITLE: AMENDED MEMORANDUM OPINION
SUBJECT: Aug 9 Bulk Collection of Telephony Metadata under Section 215

NWFOR: In quashing rememdies from the supreme court, the DOJ stated from this opinion

FISA Section 1861 "all petitions under this subsection shall be filed under seal"

NWFOR: The hypocrisy noted from the opinion is the statement regarding the scope of use for collected data.


In granting the government's request, the Court has prohibited the government from accessing the data for any other intelligence or investigative purpose.[6]


6. The government may, however, permit access to "trained and authorized technical personnel ... to perform those processes needed to make [the data] usable for intelligence analysis,"Primary Ord. at 5, and may share query results "[1] to determine whether the information contains exculpatory or impeachment information or is otherwise discoverable in legal proceedings or (2) to facilitate lawful oversight functions."

-----END FISA/NSA HYPOCRISY ALERT-----

name.withheld.for.obvious.reasonsOctober 19, 2013 6:59 AM

The ALERT was modified to comply with IETF standards, changes were submitted by Nick P on 29 Aug 2013.
In a completely unrelated note, my ball caps are now sporting foil tape on the top of the brim. Gets everyone's attention, I explain that it is a surface antenna for reflecting a 880 nm scanning array mounted on a satellite in non-geosynchronous low earth orbit.

SvenOctober 19, 2013 7:00 AM

@Mike the goat
Change handles, yeah guilty myself. tommy might have changed his - and in the past I was usually able to spot his writings - but I think he left. They had a certain flair and his word usage had a certain print, like I can usually tell if it's a Clive R or Nick P post.
Mod talks about banning him here and am sure I might have seen a post where he or his domain was actually banned.... :/

@Bruce
Not sure if you've listened to Fiona Apple's The Idler Wheel... or if men-with-beards would even admit to liking her music, but I was thinking perhaps you'd at least find the percussion on the album interesting. You know, having read that you beat the drums yourself quite a bit somewhere...
I've recently come across a new genre, call it Nu Jazz or Electro Swing.
Parov Stelar - Booty Swing and Caravan Palace - Rock It For Me make for a great start of the weekend :)
I've always wondered, what music do you listen to?

JoeOctober 19, 2013 9:22 AM

Forged release documents got two murderers out of Florida prison.

http://www.cbsnews.com/8301-201_162-57608297/florida-manhunt-for-convicted-killers-prompts-officials-to-ponder-what-went-wrong/

It's funny that so many places cling to horribly insecure paper-based systems because they don't trust computers. Speaking of which, I wonder how much longer people will keep using checks -- I'd guess until the generation of grannies who pay for their groceries with them dies off and the surcharge skyrockets. Next is cash.

name.withheld.for.obvious.reasonsOctober 19, 2013 10:45 AM

@ Nick P
Responding to your questions--in parts...but let me respond to your indirect questions (or your statements) first.

Having worked on a project, a LynuxWorks micro-kernel (not really, the LynuxOS core, version 4) as a separation kernel and is very unix-like underneath (more of a strict POSIX variant)...I'm trying to remember what was different about the syscall interface but it escapes me--have to go the the notebook archives to recall what I am unable to remember. I do that a lot, allows me to work on a lot of stuff without having to commit storage space in gray-ram. You reminded me of a great OS, Gem OS from Digital Research...Gary Kildel (sp?) was assume. Apple unfairly killed the OS...and he was poised to kick Bill Gate's Windows 1.0's ass. It should have happened. But I digress.
LynuxWorks is not unlike eCOS but not like VXWorx or QNX. VxWorks is probably the most worked RTOS in industrial/military application space...and its basically a posix compliant micro-kernel that has probably logged more hours than anything else. From a developers perspective (and that is not me) the environments all seem a bit of a kludge--I do have to say the Keil and Lauterbach toolchains are nice and is sufficiently mutable under a windows box (yeah, I know--but shops have their own systems for development) I say all this short of a discussion that include config, source, and change control systems. Subversion, GIT, RCS, SCCS, VSS, and others are just as mixed as the rest.Again, this is from the commercial/industrial application space. Mil-SPEC software systems are more mystery than mastery. The things I have witnessed in aerospace, avionic, marine, and space systems is noteworthy...
...
I worked directly with LynuxWorks--I have to bite my tongue--not to protect LynuxWork but to be fair to the company I will make what I call a "fair" statement. LynuxWork understands the process, it is always a challenge to stay in the space of DO-178B compliance and work with customers...I am not suggesting anything unethical, just that in meetings you are often pressed to say yes to a customer. For example, the customers app was a RT-JVM on top of LynuxOS...you have to ask yourself why would you put a JVM on top of a robust application platform?
1. A.) Nice to see you, so I am waving back.

2. A.) Probably the best thing I can saw here is that your are correct, I can say that the simplicity of these platforms is useful--Linux lost me back in the mid 90'when the community started going "high school rock". It wasn't about complexity--I did like the driver diversion (from a source code level) but have never liked loadable kernel modules (kmod). And a while back, the decision to load a jvm kernel level just left me with a bad taste in my mouth.

3. A.) Right now I believe the IEEE is looking at some of these issues, I have not considered joining the working group but I feel it might be worthwhile--there is also an issue of licensure for software engineers. First, most engineers--are not. Second, licensing incompotence (platforms and environments change, so do methodologies and processes) and only serves decision makers that cannot be bothered to do more...

That's the first round...

Clive RobinsonOctober 19, 2013 10:55 AM

@ Joe,

I suspect money (paper/plastic) will last as long as the institution of getting maried.

That is as they found in France and other European countries married women don't like to pay fro their "scanties, shoes bags and makeup and hairdo's" with anything other than cash. Likewise discerning gents who buy expensive trinkets and presents for young ladies of their aquaintance prefer to use cash.

The exception appears to be US Americans who "charge everything" then lose everything in divorce...

Maybe the Ed Snowden revelations will make those in the US seaking comforts their "other halves" won't like will get a bit wiser and the divorce rate / payouts might go down a bit...

As for "horribly insecure paper based systems", there's a couple of reasons for this due to the legal process. Firstly you need to understand the history behind "chain of custody" on objects and how this relates to court records. Secondly you need to realise that courts and the judiciary don't deal with "physical evidence" just documentation relating to "physical evidence". All testimony be it from witnesses or others get put on a peice of paper these get "entered into the court record" and indexed etc. Then the records are put in bundles in envelopes and box files and carted into some dusty storage room. Physical evidence is however often destroyed for various reasons...

There is a not inconsiderable beliefe in the legal fraternaty that paper records are in effect "self tamper evident" unlike most if not all electronic records and that duplication correctness is varifiable by the unaided human eye...

Such faith is only going to be shifted by the likes of "budgetary constraint" and it will be a painfull shift as people at first quite easily subvert the systems (more easily than with these two fellons). Over time increasingly expensive systems will be put in place to plug these holes, and like any bureaucratic cost saving measure will end up costing considerably more than the system it replaced...

Nick POctober 19, 2013 11:29 AM

@ Sven, Mike re ban

That was him and he was banned. Very brihgt, funny guy. He always linked his song parodies into his posts. That ticked the Mod off for some reason. They got into it and they're both strong defenders of whatever decisions their making. As such, it didn't end well. :(

This blog is pretty permissive but occasionally you might run into a rule or decision you don't like at the time. I've experienced it here before. A little common sense (i.e. it's not my blog) means I'll comply in those situations as continuing to have discussions here with the community around the blog is worth it. Plus, I see myself as a guest on someone else's blog. Gotta act respectfully and be an asset rather than a headache. ;)

@ Mike re LynuxWorks

It would seem so. Their goal is an EAL7 certification. They also claim innovative use of formal methods. They were also selected to be the SKPP-compliant kernel for Navy's ships. EAL7 also involves lots of pen testing by NSA with source code. Note that it *hasn't* been evaluated at that level. These things just make me think the quality or security of the hypervisor will exceed, say, VMware or a regular Xen deployment.

They actually have several product lines which is at times confusing. There's LynxOS for embedded RTOS, LynxOS-SE for medium assurance security-oriented apps, LynxOS-178B is DO-178B certified with ARINC scheduling, and LynxSecure is their hypervisor which can could run Linux or LynxOS-SE. A lot to consider for a guy putting together a solution.

One thing I keep thinking about is safety vs security. The DO-178B safety standards seem to enforce rules that will benefit security by reducing certain bugs or likelihood of backdoors. It's not security engineering, though, so it can only catch so much. I told them they should combine LynxSecure and LynxOS-178B's code somehow to get both the security architecture and the low defect code in one solution. I figured that would be pretty awesome. Then one day I saw a press release saying LynxOS-178B was ported to LynxSecure. (Smiles).

Nick POctober 19, 2013 11:57 AM

@ name.withheld.for.obvious.reasons

"The ALERT was modified to comply with IETF standards, changes were submitted by Nick P on 29 Aug 2013."

Huh?!

That better be a typo, a different guy or is there another explanation? I haven't been involved in any IETF, court, LEO or other efforts.

re your reply on 178B questions

I appreciate you taking the time to answer. Moving to the answers.

"I am not suggesting anything unethical, just that in meetings you are often pressed to say yes to a customer. "

That's basically the answer I was looking for. Enough said on that. ;)

"you have to ask yourself why would you put a JVM on top of a robust application platform?"

I see where your going with that. It might be a good choice if they're thinking along one of these lines:

1. They really want to use Java for its benefits, but also need a RTOS for whatever reason.

2. They might be required to for integration into a larger system thta uses Java. I noticed the new destroyer standardized on Java for middleware and apps.

3. They might just want their native code the JVM depends on to be something other than Linux. ;) I've often recommended that businesses with critical Java systems fearing Oracle VM attacks to use Aonix's main JVM on a reliable or secure RTOS. (Optionally on a non-x86 processor.) Kill several birds with one stone.

Who knows though why *they* were doing it. It could have been a much less sensible reason.

" I can say that the simplicity of these platforms is useful--Linux lost me back in the mid 90'when the community started going "high school rock". "

I'll add that I've had a hard time helping them improve it because of that mentality. They're more focused on whats cool at the time instead of what makes sense. Then businesses think of its as a mission critical server OS because it works 99+% of cases and that works until they hit a 1% corner case. ;)

"but have never liked loadable kernel modules (kmod). And a while back, the decision to load a jvm kernel level just left me with a bad taste in my mouth. "

JVM in kernel mode seems kind of ridiculous from a security or reliability perspective. Far as loadable kernel modules, you might find the SPIN OS that I sometimes link to interesting on that. They used a typesafe language and typesafe linking process to load code into the kernel at runtime while ensuring certain safety processes. Basically allowed certain features or accelarations without problems that would occur in, say, Linux.

"Right now I believe the IEEE is looking at some of these issues, I have not considered joining the working group but I feel it might be worthwhile--there is also an issue of licensure for software engineers. First, most engineers--are not. Second, licensing incompotence (platforms and environments change, so do methodologies and processes) and only serves decision makers that cannot be bothered to do more..."

Is there a public area where those discussions are visible? A web site or mailing list? I doubt I'll join but I *might*.

Mike the goatOctober 19, 2013 12:30 PM

Nick: how would they implement the ban (other than just stopping people using that handle, which would really only force him to change it) when many of us use tor, open proxies or have entire class Bs (uh, showing my 'net age - I should say /16) at our disposal? Not questioning why the guy was banned, that's up to Bruce and the mod, after all it is their site - my question surrounds on the technical side of it? It would seem it'd have to be trust based, i.e. "don't come around here no more"

re IETF: I believe he is referring to a thread a while back where I said he was doing it all wrong with his satirical PGP like header "BEGIN FISA/NSA HYPOCRISY ALERT" and suggested a few changes he could make to bring it in line with IETF recommendations. Not sure if you commented on the thread too or if he confused you with someone else.

also: I was thinking of putting in the "link" option on my posts here a link to a pastebin of a cypherpunk remailer reply block and the address of the remailer so people could establish contact with me if they wish. I did a bit of poking around and was dismayed to find many of them had closed down. I did find two remailers (cypherpunk type, not mixmaster) that were still up .. hardly enough to form a reliable chain but then again it might be sufficient for low security needs like in here. I surprisingly found a working nym server too - so I guess I could just send a config message to that and get a nym, and avoid forcing people to append a reply block to every email they want to send to me. I would use it pretty much for initial contact and vetting. Once I know who I am talking to then I would be happy to give out my usual public address to them on a less public channel. I guess a more usable solution would be for me to sign up to a webmail service through an anonymizing proxy and just publish a key for that alias on to the keyservers and append the keyID to my name on here.

dbrdOctober 19, 2013 1:07 PM

@Clive R re "Such faith is only going to be shifted by the likes of "budgetary constraint" and it will be a painfull shift as people at first quite easily subvert the systems (more easily than with these two fellons)."

If you read the story carefully, you will realize this was not two isolated cases. The authorities are reviewing releases to determine how many other inmates may have gotten out using this exploit. The only reason these came to light was because the family of one of the victims was alert enough to bring it to the attention of someone with authority to find out what had happened.

I imagine someone has been selling a service springing these guys, basically selling fake documents. But it wasn't just the paper, they had to be coached to go back to the authorities, register and be fingerprinted, in order to protect the technique. As elaborate a plan as this may have been, I am not sure that converting paper documentation to computer systems will make this exploit any easier.

However, to turn this back to the original story about court orders being a form of insider attack, the question I have is how would a sysadmin or the CEO of a communications or hosting firm know with certainty that a secret court order to turn over meta-data or subscriber information is legitimate? When everything is secret, how can the validity of anything be verified?

name.withheld.for.obvious.reasonsOctober 19, 2013 1:29 PM

@ Mike the goat

My apologizes Mike for the the inaccurate attribution. I will update my notes...I thought it was Nick that had made the ECO request. Never the less, the alerts are now more in line with IETF message formatting. Yes, I am having fun with it, but what else can you do. I have been reading an writing remarks on the releases from the FISC, and, this is not funny in any form, manner, or context. My respect for this ill conceived process is less than zero (nil/zed).

It is my intent to inform--if possible provide some levity in an environment that has changed my life in many ways. My instincts were not wrong but my tempered and ineffectual actions were not correct.

Nick POctober 19, 2013 1:34 PM

@ Mike the Goat

"It would seem it'd have to be trust based, i.e. "don't come around here no more"

Typically the Mod notices the person returned, says something to them, and deletes their posts. If there's filters or IP blocking, that I don't know. The method can be circumvented. However, it works well enough in practice. People banned here only occasionally come back and that's temporary. Aside from technical aspects, I speculate that it works because it makes things inconvenient for them and doesn't allow their posts to benefit them much. They simultaneously get more problems and fewer benefits for posting here. Maybe a good strategy for some other blog maintainers to adopt.

Note: Although the blog gives plenty leeway, I think speculating on working around its rules or enforcement mechanisms might be crossing a line. One of the reasons I don't rock the boat here is because this blog [somehow] attracts a more mature audience with more useful comments than most. I try to contribute some useful stuff myself. ;) I think it's better to not discuss things that might make the blog harder to manage and lead to more riff raff showing up. Imho, we should end this tangent discussion.

"re IETF: I believe he is referring to a thread a while back where I said he was doing it all wrong with his satirical PGP like header "BEGIN FISA/NSA HYPOCRISY ALERT" and suggested a few changes he could make to bring it in line with IETF recommendations. Not sure if you commented on the thread too or if he confused you with someone else."

Might be. We shall see when he returns.

EDIT just before submit: Pays to look before "Submit." A mistake in identity. S*** happens. It's all good.

re link

The Mod does pay attention to what people link to. Your plan might get a reaction, might not. In the past, the Mod was clear that he didn't mind people consistently linking to say a personal website or something. So, with that starting point, I propose you link to a personal web site with a contact form. (Or that's solely a contact form.) A server you control is ideal, but a free host with scripting is OK too. You can signup for it or access it anonymously. Its function can be a simple email, a mix protocol, use Tor, whatever.

This way, what's here remains static and yet how it actually works behind the scenes you can change at will. Readers here with no interest in your post just see your name is a link, the Mod always sees same link, and people who click on it see whatever you want. It also becomes more trustworthy if the same site/domain/page is linked to in your posts over time, esp on a variety of forums. Both readers and blog maintainers have a point of comparison.

A web site also gives you more flexibility in how you communicate your own preferences and ground rules to them. You can deliver more content obviously. Finally, if it has SSL support, it might add some privacy for them that will work across many devices. There's also JavaScript code out there that might suit some of your needs.

Just a thought.

noseyparkerunitOctober 19, 2013 1:49 PM

Thousands of Americans have been blackmailed or paid protection money due to having watched internet porn. https://www.eff.org/press/releases/eff-appeals-court-stop-porn-troll-shakedown-scheme I offer no opinion on whether it is good or bad to watch porn, an alternative is to view what is made at makelovenotporn which many women support .

But why do we condone something that could allow our officials to be blackmailed and our neighbors shaken down? Why don't the rest of us come together and have an "I am Spartacus" movement and admit it if we have watched it too? We cannot continue to allow a system of blackmail to exist about something that is fairly common, not to everyone, but to many. (some claim 100% of men have watched or looked)?

I am Spartacus. but at my age there's not much hope in anything else but watching so it's a very rare every month or two kind of thing. (besides I'm happily married thank you and perhaps just enjoy an occasional look at 70's golden age stuff as reminiscing over an age now gone).

name.withheld.for.obvious.reasonsOctober 19, 2013 2:08 PM

@ Nick P...CONTINUED

4. A.) The simple answer, yes. Mitigation is possible--but--the answer to such requirements are beyond the support of today's application platform environments. ABB has an interesting platform, it is highly integrated and supports some interesting configuration/programmatic features. Their FPGA implementations are not bad, but, I would suggest that their platforms are just shy of "robust" for an industrial environment for other reasons--and they're not obvious.
5. A.) This is not a bad idea, I probably have some suggestions for you--if your willing to entertain them. I am working on processes that are compatible with auditable (makes me laugh as if an NSA lawyer is saying something). Developing a BSP would be relatively easy, a minimalist and verifiable hw solution may be more elusive but I believe it could be done with a modest budget--I'd guess somewhere between 20-40K, and less if a EE design can be borrowed. Personally, I'd start from scratch on the hardware--verify every component selected (including sourcing) with a DUT suite, build a test platform, add a DUT and system test suite to that process, and, measure and document the crap out of everything--it is possible to exceed expectations. Which is often how something gets built--not on spec but on expectations.
6. A.) Don't get me started with CC (ISO 15408). The whole drama around the standard probably cost years to process that ended up hurting consumers, cost billions of wasted dollars, and god knows what else. Ironically, it seems not to matter as the government is busy unraveling the future. I have commented on this before--it was such a f'd up process and Microsoft has never been any help. What do call a boat that leaves the harbor with the anchor in the water taking every bouy with it?

Micro-sail--I mean Microsoft.

Hope your head stops spinning...

Mike the goatOctober 19, 2013 2:22 PM

Nick: re blog enforcement - I would hope that the mod would see that I was merely speculating as to how those operating blogs (not even necessarily this blog) manage to weed out the chaff when you can potentially have users visiting from a diverse range of IPs. That said, if as you suggest discussion on this topic is rocking the boat, I'll leave the discussion at that.

re blog link: perhaps even a link through a web2tor proxy to a .onion which I can post my keyblock and contact page on. Sound reasonable enough? I do have a business and personal website but would prefer to keep the two identities seperate for mainly professional reasons (I don't want the businesses I work with / still have support contracts with knowing I am posting here and vice versa. A troll on these pages could do damage by calling my customers, etc.). I suppose I can just register a .com or a .co (they are all the rage right now, aren't they?) through a 'domains by proxy' type organization and with a prepaid credit card. This may also be an option. Or I can say **** the opsec and just post my personal webpage and damn the consequences.

Nick POctober 19, 2013 3:06 PM

@ mike the goat

"That said, if as you suggest discussion on this topic is rocking the boat, I'll leave the discussion at that."

The Mod is intelligent. I'm sure he gets what you're doing. I've also never seen Bruce try to punish anyone who posted something critical although he's had countless opportunities. I'm just saying I'm not discussing it further. ;)

"re blog link: perhaps even a link through a web2tor proxy to a .onion which I can post my keyblock and contact page on. Sound reasonable enough?"

Probably. Or you can just have the page redirect to a Tor proxy. That way you can keep the page/source the same but change the behavior if you change your mind on Tor.

@ name.withheld

"ABB has an interesting platform"

You talking about their PEC scheme, IEC 62351 based systems, or something else entirely?

"Developing a BSP would be relatively easy, a minimalist and verifiable hw solution may be more elusive but I believe it could be done with a modest budget--I'd guess somewhere between 20-40K, and less if a EE design can be borrowed. Personally, I'd start from scratch on the hardware--verify every component selected (including sourcing) with a DUT suite, build a test platform, add a DUT and system test suite to that process, and, measure and document the crap out of everything--it is possible to exceed expectations. Which is often how something gets built--not on spec but on expectations."

Sounds interesting. Appreciate the insight. It's now on the Great Schneier Blog Collection of Insights. ;)

"The whole drama around the standard probably cost years to process that ended up hurting consumers, cost billions of wasted dollars, and god knows what else. "

Ok so we agree on that lol.

{@ Mike the Goat, Sven too for this next one}

"This is not a bad idea, I probably have some suggestions for you--if your willing to entertain them. "

I might in the near future. I need to deal with some personal difficulties first so I have time to focus on whatever a project needs. Then I hope to get a community started that focuses on highly robust system technology in all phases of its lifecycle. The idea is to get academics, professionals, managers, govt people on a blog where collaboration can work up plenty of good ideas or suggestions. The community would be semiexclusive where only people contributing and/or invited by reputable members could participate. Outsiders *could* read public threads for learning purposes, maybe even able to send comments to it that must be approved by the thread owner. Might have tags like "real-world deployment strategies," "certification," "formal methods," "better protocols," etc.

(The system would also implement select security-enhancing approaches suggested by the community. Call it bootstrapping for secure forums. Ha!)

That's all I'll say about it for now. A few people were interested in this sort of thing before. Obviously, the number of "symposiums" and "interest groups" out there shows approval for the collaboration among diverse parties in INFOSEC concept. Right now, everyone capable of building anything remotely resembling secure are kind of scattered. Need a place where they can bump into each other easily for any number of good reasons.

Or maybe I just *really* want to throw people like Clive, Wael, RobertT, Mike, you and I into a forum dedicated to solving problems. What's the worst that could happen?

name.withheld.for.obvious.reasonsOctober 19, 2013 8:39 PM

@ Nick P, @ Mike the Goat, et al

I appreciate and am considerate of your willingness to allow me to be a part of this group. I understand, not into believing, that the talented people I've encountered here are not just your casual day-trader--so to speak. As a late comer, a newbie so to speak, I defer to the judgement of the seasoned regulars...I am but a simple shrubber. I have to mention that I have a deep and profound respect for the history that I am a part of...I believe the framers of the United States of America legal doctrine was a masterful piece of hardware and software development for the day...I would have been proud to be part of the enlightenment. Instead I am to find my way when others have lost theirs. So, consider that my passion and sense of what it must have been like cannot be faithfullty expressed. My heart is heavy, the betrayal by my own countrymen to their inheritence, history, and opportunity. People complain about "Oh, but the Americans--they had slavery! They repressed women!
Persecuted gays and lesbians, look what they did to baby Jesus...from where I stand the fact that an monarchy, aristocracy, plutocracy, cleptocracy, fascistic government in some other part of the world is struggle to catch up. Not any more, the little respect we had have crossing the global to kill terrorists has set the world against us...can't blame them. And the insult to this injury (though I knew that's why the 2004 election had to Bush re-elected, the whole morass had yet to be codified into law an institutions--it would then be unstoppable. Well, what if it were "stoppable"?
President Obama came into office, was handed the keys to the "bat-mobile" I don't mean Bat Man's bat mobile, I mean the mobile that has all the baseball bats in it, and was told not to go too fast...his ability to manage this situation is a political act, the business of running this country into the ground is the job of the DoD.

FigureitoutOctober 19, 2013 9:33 PM

Then I hope to get a community started that focuses on highly robust system technology in all phases of its lifecycle.
Nick P
--Now there...there's an idea I didn't think you had in you. This is exciting. It's about time, let's get this rolling.

What's the worst that could happen?
--Well, kind of a bad question to ask on a security forum, I've been a "what if-er" since a kid asking insane questions. Some big ones for me are, poor team chemistry. I've experienced this and saw such a drastic difference in sports. Poor chemistry will lead to crappy work, possible subversion, and just total destruction of the project. So the "leader" or "leaders" of such a project need to make sure no petty cliques and other high school shenanigans take hold and make sure every member of the team is important for the ultimate goal.

Next, outside subversion coming in. This is personally the most scary prospect for such a project. Looking for expertise and they've falsified their backgrounds and they're looking to subvert the project or seed destruction for whatever messed up reason.

Lastly, the final "product" is monopolized, reserved for only the project members or the members get greedy and charge high prices for the product or the knowledge.

These are just a few issues, there's many more. Secure workspaces (I had an idea of working in a semi-truck, a mobile lab that can always move and not be a static target for subversion), all the issues of hosting a website. If we can get past all those and get to the "good stuff", the technology/science and most importantly, security; this could be a project that serves as a reference for security professionals for years.

name.withheld.for.obvious.reasons
--I didn't lose my ways, I just observed the existing political process I was born into and decided it was a total load of __ not representing the people and I didn't want any part of it when it collapses which it will. Plus to participate you "have to choose a side" when I thought both sides sucked so let it burn. If you have a new idea that "isn't approved" you get ostracized and the derp train choo-choo's on. This is the hard reality that a lot of people won't accept b/c it's so depressing, but it is what it is. Let's just stick to technology/engineering while we still have the time before it collapses. In the meantime, everyone should have at least a small supply of food/water/guns/ammo when the system collapses and pure anarchy/martial law sets in.

FigureitoutOctober 19, 2013 9:44 PM

Bruce
--It's pretty freaky lol. Maybe as much as you making a cameo in a transvestite rock video lol. That was awesome. I don't know if you heard Obama talking lately about "trust". Wonder if he's been reading the blog or he just had an epiphany himself. Regardless, the trust is permanently gone from me for him; maybe other derpers will give him another chance.

Mike the goatOctober 20, 2013 12:01 AM

Nick: I think that's a great idea. I will create a nym, find a free shell account somewhere and put up my PGP key block and the nym address and a brief "about the goat" page and put it as my website address within the next week or so if you want to get in touch. Obviously once I have validated who the hell is contacting me I will drop the pseudonymous layer.

Clive RobinsonOctober 20, 2013 5:12 AM

OFF Topic :

When we talk about "hacking attacks" it's almost always about injecting malicious software via some bug into the targets system.

But we forget that the term "hacking" derived from the hardware side of things (some argue "model railways") which goes back a long way with the origin of the term "Breadboard".

Whilst we do see hardware from time to time it's usually glued to the front of an ATM to slurp mag stripe and pin.

Occasionaly on this site we have mentioned about making "data diodes" and before that the likes of "pole jobs" and other "black bag" hardware related exploits...

Well it appears the criminal community are definatly going down that route. Any one remember the micro-mobile phone devices put in shop CC readers (that ended up in a UK supermarket chain) which were put in upstream in the supply chain?

Well there are some more quite interesting examples,

http://news.techworld.com/news/security/3474018/hackers-planted-remote-devices-smuggle-drugs-through-antwerp-port-europol-reveals/

In atleast one case it was down to what would be an "insider attack" by a "subcontractor".

It's one of the dangers of "outsourcing" your systems and also why you should have trained inhouse staff "walk the line".

Mike the goatOctober 20, 2013 6:58 AM

Nick: as an aside I noticed that almost all of the old nym servers are working anymore. I only found one that responded to my key request email! I found four plain remailers, but without a nym server (or expecting people to append a reply block to every email they send you) it is only good for unidirectional messaging.

That said I have spent the wee hours of this morning playing around and trying to setup something similar. Using my proprietary "double looped" tor (basically tor to an open shell account which is also running tor and a SOCKS proxy and using this through ssh forwarding) I setup a "free" email account with a major webmail provider. I then forced tor to use a new exit node and then used a "temporary address" service (set expiry to 6 months, the maximum) and told it to forward to the free account I created earlier. New exit node again, and I created a free webmail account and turned mail forwarding on inside its settings and entered the last address. I did this for another two hops. I then logged into a free shell account service and configured fetchmail to grab my email from the first hop's pop server, encrypt it with my public key (not my real one, a trash one I made just for this purpose), wait a little while and then forward it on to one of my actual email accounts (this one is behind a domain that is registered under one of those domains by proxy type services, adding another admittedly very flimsy layermm you'd hope to hell they never got that far).

So I used a fresh exit node and used a web based email to remailer gateway to send a test message. After a bit of troubleshooting (my spam filter was rejecting it at SMTP time) I finally got it working ... round trip (with no arbitrary delay in the script on my shell account) was 19 minutes. Wow. Headers (which I kept and are inside the pgp encrypted chunk in the body) are similarly impressive.

I don't intend to actually use this. I will likely just use the only nym server I know of that's still functioning and configure up a reply block to my nym to route through a few retailers but it was just one of those "for the hell of it" type things.

Issues that might arise from actually depending on this could include part of the path being uncloaked if one of the servers along the way decides it doesn't like you anymore and 550s it.

Anyway just thought you'd appreciate that story. Anyone know what happened to all the remailers and nyms (or have they all just stopped using the cypherpunk software and are now using mixmaster or whatever the latest variant is?). I recall penet.if was forced to give up one of its subscribers in the early 2000s ($cientology lawsuit - apparently their Xenu is the alien patron saint of litigation) but if implemented correctly this would only decloak him up to the next remailer in his chain.. Perhaps he was using it directly (as many were in simpler times I guess).

@Clive: indeed hardware hacks are far more interesting and probably more widespread especially when you are dealing with well funded adversaries. It is obly a matter of time before some evil dude puts an embedded PC behind one of those USB charging stations you see at airports. Given some of those phones will either allow debugging without prompting or be dead flat and thus boot thus exposing the bootloader momentarily I can imagine you could wreak some kind of havoc, at least on targeted model/OS combinations.

Nick POctober 20, 2013 12:37 PM

@ figureitout, Mike re forum

Don't get moving too quickly on it. I didn't say next week. I said "near future" for a reason.

@ Mike re email setup

Wow. That's a hell of a lot of trouble and complexity. I was just going to use TAILS to connect to a disposable account on a regular email host. It's worked for the Eastern European black hats for years. ;)

The situation with the remailers is sad but expected. Most of these secure and anonymous mailing tech was created by cypherpunks back in the 90's. They got somewhat popular among certain types of paranoid individuals, crypto geeks & some down to earth people who can read privacy guides. Even as they got popular, they still weren't *very* popular. There were hardly any users relative to email in general and I think they operated at a loss too. The number of users & importance of these services kept declining (esp in web app era) until I guess they just died off.

That's the bad news. The good news is that the same movement believed in writing and sharing plenty of code. The design docs and code are still available to any enterprising person wanting to get a new remailer started. There's also more tools for managing a mail service than there ever were before. So, it should be pretty easy to build a new one. A bunch of remailers running on hardened (or custom) OS's in a mix of local and privacy protecting countries would be a nice thing to have.

(Note: reply feature is overrated. You can use online dead drops, a disposable account for replies that forwards it to you, and so on. Reply feature is very useful, but complicates security of remailers at the same time. I'd advocate coming up with a simple workaround just in case only simpler remailers are available.)

Nick POctober 20, 2013 12:59 PM

@ Clive

I agree with the first link especially. We got into this situation by meddling with Iran's affairs and causing them undue harm for our benefit. We've stayed on that course with sanctions and covert ops. Yet, the Iran problem has only grown over time in numerous ways. The only solution that *wont* work is using even more coercion. That leaves only the more constructive approaches of rigorous monitoring of their operations.

I wonder about the monitoring, though. The main focus is on detecting the diversion of resources that would make a bomb. I'd imagine it's a people-centered inspection process that prevents this. So, what's to stop them from coercing inspectors into compliance? The scheme might be designed to prevent this but with Iran I'd look into this aspect a bit more if I were the inspection group

Note: We must also remember that many countries have several factions or groups in their governments with different opinions on things such as use of military. Iran might be sensible one year, then a crazy faction gets in control the next. Will they push the nuclear button? Who knows. Of course, the United States is the only country that's used nuclear bombs offensively.

888yyOctober 20, 2013 2:21 PM

What's the best way to get a private server to use as a proxy? I can't find any legitimate looking services that would let me bounce my internet traffic off a rented proxy somewhere. I'm also not clear on what search terms I should use- private proxy servers or rented vpn proxy?

Clive RobinsonOctober 20, 2013 4:46 PM

@ Nick P,

    I wonder about the monitoring, though. The main focus is on detecting the diversion of resources that would make a bomb. I'd imagine it's a people- centered inspection process that prevents this. So, what's to stop them from coercing inspectors into compliance? The scheme might be designed to prevent this but with Iran I'd look into this aspect a bit more if I were the inspection group

One of my neighbours (now sadly deceased) sons was an inspector, and I had a chat with him about this. Basicaly it's an audit process where you know what the yield from a process should be and how much feedstock goes in so you can reasonably calculate the processed output. If a process has too much capacity then you have reason for suspicion even if the feedstock and yield tie up. Obviously the process takes power and other resources and they can likewise be checked. But at the end of the day a chunk of it comes down to little bits of sticky paper called "security seals".

Apparently the worst offender of all countries inspected is the US and they have a large amount of missing yield certainly enough for quite a few weapons. Apparently one of the reasons the US is held in such low regard by the International Nuclear community is it's two faced behaviour and outright hypocracy. Much of which I'm sure you have heard before.

One point that has been made is the US desire to have all other countries be non nuke, is actually encoraging countries to go nuclear just to gain a significant barganing chip.

However the simple fact is we are running out of chemical energy and various countries know that they have at best a couple of decades of reserves at the current rate of consumption. And for all the nonsense you hear about fracking it's not realy going to solve the problem just put of the enevitable by a few years (at currently unknown environmental and health damage). The promise of "clean fussion" is as always "just around the corner" and that's the way it's likely to stay untill long after petro chem has run down. Green energy has it's own problems in that all currently viable systems are "unreliable" and there are not realy any viable storage options, and I realy don't think converting coal fired stations to burning wood or palm oil etc etc is a grean solution (just a bl**dy tax scam). That leaves us with nuclear fission energy production as every politico who has chosen to look/ask has found out for the past thirty years. People keep talking about thorium reactors being the non weapons option yet they appear to be "snake oil" for all the progress made on them.

So you have the US guzzeling fossil fuels faster and faster but like all WASP and most first world nations the voters are running scared of second and third generation nuke reactors and thus fourth generation research has stalled or been stopped. But worse the US is trying to stop other nations becoming nuclear self sufficient in anyy way they can. Which means you have to ask why? The simple fact is that the US antagonism to other nations is driving those nations of into the hands of the Russian's and Chinese, who in return are going to want something in return. We can already see with China they are using foreign aid to control raw resource supplys etc. It the US and other WASP nations don't wake up they will find they have quite willingly made a rod for their own backs and the only way out will be by warfare. Which might please the War Hawks and Plutocrats but will be a disaster for the more general populous...

redwarfOctober 20, 2013 6:31 PM

Does anybody know how much a data diode actually costs. I am getting the idea they are very pricey for such a straight forward ability.... prices appear to be absent from the online shops..... Just looking to connect two nodes here, not a bloody nuclear reactor intranet I hate being taken for a sucker and that's what these companies who sell them seem like to me. Any experiences? :)

I think you can use udp over some spliced fiber but am not tech enough to know how to achieve that for sending files from a to b. Pointers in the right direction? Am money short but long on time for some education.

redwarf

Nick POctober 20, 2013 10:25 PM

Watched The Fifth Estate today. The personalities of the characters were accurate enough. I liked how they visually conveyed the idea of the anonymous submission system so lay people might get it. However, certain issues I noticed:

1. Jacob Applebaum and The Architect were key players that weren't in the movie at all.

2. The movie makes you think the internal battle at wikileaks did them in, although it was actually the combo of that with banks cutting off their funding. I thought it was strange the American banks' attack got no mention. Maybe the director was afraid of them? ;)

I still think the book This Machine Kills Secrets is a better choice for the money as it goes from the start of cypherpunk movement all the way to Wikileaks breakup. Interviews many interesting characters along the way. Only bad point on it is its focus on more extreme characters makes the movement as a whole seem crazy, whereas most of them are sane enough.

Nick POctober 20, 2013 10:54 PM

@ redwarf

They're usually in the thousands of dollars. Here's a list of them. Contact their sales reps and haggle you might get a discount. If not...

Here's a HOWTO for making a fiber cable:

http://www.synergistscada.com/building-your-own-data-diode-with-open-source-solutions/

Here's one for a RS-232 serial cable:

http://homepage.cs.uiowa.edu/~jones/voting/diode/RS232tech.pdf

The best, simple alternative to a true data diode is to use an OpenBSD-based guard and configure its firewall for one-way traffic. It's effective enough that GENU also sells OpenBSD-based data diodes approved in Germany for protecting some classified information.

Clive RobinsonOctober 21, 2013 1:53 AM

@ Nick P,

With regards the Fith Estate and the missing bits (especialy the banks). As I've said before the best way to tell a lie is by telling the truth but "from your perspective".

The advantage of "Drama" is it's not required to be compleatly factual as "poetic license" is allowed and you can thus leave out "the dull" bits even if they are important.

Oh and think about who is the most creditable civil legal threat against the movie producers, the banks that control their finances, and who have very deep pockets, or some "apparently half mad bloke" "locked up in an embassy" who also happens to have alienated most of his previous supporters one way or another.

Oh and the place where any civil legal action is most likely to succeed is the place he's effectivly locked up in which is England.

Which brings us around to the question of why the UK is spending quite large sums of money keeping him bottled up...

I guess the stalemate is not to his advantage, and neither would be spending the rest of his life in South America, but either is better for the US/UK than actually having him stand trial in Sweden or be extradited to the US from Sweden.

My guess is as long as he sits tight in the embassy untill after the next US president is sorted out would be the safest thing to do currently. But after that I still don't rate his chances, there is to much money and the political influance it buys against him.

As for public opinion that is likewise bought and payed for by the press. The likes of the Murdoch's and their minnions have done far worse and are getting to the point where they are going to want to buy off political preasure not just for the journalists who have been arrested but the execs as well. The US has some interesting legislation on bribary and coruption and a few carefully worded anti-Wikileaks anti-Snowden etc etc stories will help to keep US regulators off of News Corps back on potential bribary and corruption charges putting the Murdoch's out of power. Though "Wendi deng" could stir things up if she wanted to. I gather Rupert is a bit of a "ranter" so he's probably told her a few things he probably wished he had not (if he can remember them). But Wendi surely does especialy if Australian billionaire Clive Palmer is to be believed he claims she is a Chinese Spy... But then politics and the press always have had a vitriolic relationship down under. That said she is Chinese born and was an exec in Richard Li's Star TV that Murdoch bought (for over the odds) that the Chinese Gov then later "ham-strung" to prevent it becoming influential. Some have made comment that the James Bond film Tommorow Never Dies was modeled on Rupert Murdoch and the film made the Chinse Gov wake up to what a threat he was... Stranger things have happened.

Speaking of China the UK appears to be going soft on them at the moment seaing as though they own a large part of the US national debt. There are talks about letting them open their own financial and banking market in London and lowering entry requirments on visa applications for wealth Chinese and their children who for some strange reason want to be educated here... Part of this appears to be a high stakes game of poker over who will build new nuclear reactors in the UK and when. Although UK and French companies have expressed an interest they want guarenties that would be financialy unsuportable in both the short and long term and the game had become one of the companies trying to "blackmail" the UK Gov which they see as being in a weak position... So it's now become a different possibly more dangerous game.

Mike the goatOctober 21, 2013 2:13 AM

Nick: indeed... it just got me thinking as to how to easily facilitate contact. Good news is I found a working nym server and a couple of cypherpunk remailers that are still working so I don't have to 'roll my own'. It is indeed a shame so many of them died.

RE data diodes - unfortunately with full duplex negotiaton it isn't as easy as just cutting a pair of wires with 100base. If you're willing to downgrade your connectivity or use optical then I guess you can do it that way but remember to have some kind of error correction as the sending side won't be able to verify correct receipt of the data it has sent. A way of doing this will be to include a checksum each packet and to retransmit the packets three times a few ms apart. Conservative, maybe - but you want reliablity.

The best thing to do is to actually make a hardware proxy as Nick suggested. I do the same with an ATMega using RS232 although the speed is a limiting factor. This way you can ensure positive and correct transmission of data to the intermediary, and let it worry about getting the data safely to the destination (using full flow control and hardware features available that would otherwise be broken by just passively implementing a data diode). Of course, you now have a point of failure or compromise - hence my choice of an 8-bit microprocessor - less exposure.

Clive RobinsonOctober 21, 2013 2:16 AM

@ Redwarf,

Data diodes are a bit of an odd market. As you note some are little more than standard cables with wires cut.

However this raises two issues reliability and covert channels. A simple cable with wires cut offers neither flow or error correction, adding these back in gives rise to their use as potential side channels. The usual solution to no flow control is to throtal down the channel speed, and the solution to no feed back error correction is to use forward error correction that slows the channel down even further.

Outside of restricted areas most people buying data diodes are doining it for "compliance" reasons and are thus looking for a "network appliance" they just plug in turn on and forget about. They don't want "data rate" or other issues, just something they can throw a bit of cash at and get back to business with minimal disruption and compliance audit box ticked. The reality is they are externalising risk, because if data does cross the diode in the wrong direction it's not them but the diode manufacturer who is to blaim, so they change the box and keep their compliance rating...

If that's what you want to do then you will have to stump up the price the suppliers ask for.

If not I would seriously suggest you don't look at just "diodes" but "sluices" and "pumps" as well as they offer aditional benifits over diodes and if you go to the trouble of seting up a BSD or equivalent box out of need then it should be worth the small extra effort.

name.withheld.for.obvious.reasonsOctober 21, 2013 4:28 AM

@ Nick P -- I believe there was one more outstanding question...

The PEC line/architecture, uh--the XA (specifically their 800 series) is not a bad piece of work. I don't believe there is a lot of deviation but I am just guessing--where's that notebook...If I understand ABB strategy it is a series of platforms, modular I/O, with ab "eco-system". I hate to use that phrase, it has all the bells and whistles of automated plant management...and it is architecturally consistent. I don't really concern myself with the presenation layer (this is a asthetics choice--kind of fashion, and I cannot believe how much people give to their platforms flair--I prefer a platform that doesn't flare).

The I/O modules pffer profi/modbus/Genius (their own bus is a SCSI bus--seems IEEE-488 will never die) and does some fairly seamless control integration. I have a fondness for VME, VME-3 I believe is ratified and adds some parallelism and bus speed. It is interesting that so many bus architectures are in use is kind of amazing...I'd assume that since the serial differential and PWN/Clock strategies in many two/four wire applications can produce sufficient performance and noise immunity that it isn't more widely adopted. For long haul, even modest signaling on Twin-X for example, serial comms become less practical. For non-critical (critical in terms of systems response--real-time performance) using repeaters can extend distances for serial applications. Of the fielded systems I have experience with, InfoSEC to the degree necessary, does not achieve the compliance level performance (oh yeah, it might pass an audit--but...).

GE has some platform stuff but I'm mostly impressed with their systems design, not their architectural platform. For example they have a very nice ED 7-dimension wire machine. When watching material be cut during a 4 axis rotational in 2 degrees, I get a bit dizzy. Oh wait, my ex-wife says I am always dizzy.
Sorry for the meandering and mental wondering...

Clive RobinsonOctober 21, 2013 4:50 PM

@ Mike the Goat,

Having read the paperwork I find myself entirely unconvinced by the first part.

It's only when they start talking about SR does the account become more cohearent. Thus I suspect a bit of parrellel construction going on in the early part.

redwarfOctober 21, 2013 7:43 PM

Nick P, Mike the goat, Clive Robinson, thanks for the replies, you guys are awesome. I know I couldn't afford to hire even a tenth of one of you so this means a lot to me. This is a great community :)

Mike the goatOctober 21, 2013 11:35 PM

Clive: yes, their story is quite fanciful, isn't it?! I suspect that they are just going through whatever logs our foolish friend kept at their leisure now and indicting whoever they can decloak.

Mike the goatOctober 22, 2013 11:17 AM

redwarf: well, on behalf of the others (who haven't responded yet and have probably left this thread behind as it is a few days old) - thanks. I think all of us that hang around here are passionate about infosec... Otherwise we wouldn't obsess over it. Right Clive? :-)

Clive RobinsonOctober 22, 2013 5:11 PM

@ Mike the Goat, Redwarf,

Hmm I don't know about "obsessing" over ICT Sec I guess it depends on your viewpoint... However I was brought up to be helpfull to other people where I can so you can thank/blaim my parents both of whom fought in WWII and kept the ethics and social outlook of the time. One aspect of which is to go a delicate shade of pink around the ears whenever anyone thanks me for help. I'm also a bit of a beleiver in "what goes around comes around" so if I help others I hope they in turn will help others, afterall being nice to people in little ways or major ways makes life that little bit easier for all of us and acts as a lubricant to the progression of society.

Mike I noticed a slight change and responded with a hardware comment not sure if you got it. When I've sorted out a few things at this end I will make some changes untill then I'll use gash / fill in data for one or two things.

Mike the goatOctober 23, 2013 6:59 AM

Clive: yes, I discovered it had somehow been flagged and not automatically approved. I figure the time had come to make an internet presence for this nym to facilitate contact with like minded individuals without unnecessarily exposing my real world identity. I hate commercial blogsites like WordPress but it was a quick and easy way to get a presence to discuss some of these issues without necessarily needing anything other than a disposable email account. I have a personal domain but felt it was best to err on the side of caution and not link the two identities.

Agree with your comments re assisting others. Not much more I can add here.

Dirk PraetOctober 23, 2013 8:14 PM

Has anyone seen the impressive Stop Watching Us video yet ? It would appear our host is one of the speakers at the Saturday October 26th Rally Against Mass Surveillance in Washington DC. Quite some heavy-weight names and supporters, judging by the list. There may still be some hope for the US.

Stay safe, Bruce. Keep away from the gas and pepperspray brigades.

Mike the goatOctober 24, 2013 4:36 PM

JustAnotherReader: well, it's Gibson - who isn't exactly the most reliable of people in the security world so personally I wouldn't hold my breath. His idea is neither new nor innovative. Some banks have had 2FA using similar concepts for years.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..