Schneier on Security
A blog covering security and security technology.
October 25, 2013
Friday Squid Blogging: Dynamic Biophotonics in Squid
Female squid exhibit sexually dimorphic tunable leucophores and iridocytes. Just so you know.
Here's the story in more accessible language.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on October 25, 2013 at 9:08 PM
Haven't seen any mention of either of these here:
First up we have a report that legislation to curtail the NSA is soon to be introduced in Congress:
in the form of the USA FREEDOM act. The fact that it's backed by the original author of the PATRIOT act (who claims he never wanted the PATRIOT act to be used for wholesale spying and drew it up in a way he thought would prevent such spying) might help it get passed (it's also got quite a few supporters already).
Whether Obama would sign it if it was passed is another matter altogether, and even if it's passed, it doesn't do a thing to address the far more serious issue of the NSA and government working to deliberately compromise security (encryption, cryptographic protocols, web sites, software, hardware, standards, certificate authorities etc) in order to allow them to carry out their spying more easily, but it is still a VERY good start in ending the unconstitutional spying.
The second issue is this:
where un-redacted copies of TSA documents were accidentally released that basically say what we already knew, namely that all of this airport security crap (body scanners, groping, pat downs etc) does nothing to increase security and is merely security theater. (and to funnel more taxpayer dollars into the pockets of companies that make expensive passenger screening equipment)
Johnathan: I think the fundamental truth here is that a lot of government projects are basically just corporate donations in disguise, likely aided by inappropriate lobbying. Washington is corrupt and I am not sure how it could even be fixed. The US has strayed so far from the ideal of being the 'land of the free' that the framers of the constitution would be astonished to see how such an integral document could be dismissed as 'outdated' and unimportant by so many influential Americans.
Incidentally - anyone read the NSA's explanation for the outage of their website? Supposedly it was not a DDoS but an 'internal error'. Anonymous and co are taking credit for the outage on twitter. Perhaps those in IXPs could put this to bed by letting us know if there's been a spike to their AS as of about 24h ago? Doubt we'll get answers though. Incidentally there is a new DDoS visualization tool called Digital Attack Map that's worth a brief look.
@ Johnathan, Dirk Praet,
Haven't seen any mention of either of these here...
And more than surprising the news has not mentioned "the British" involvement in eavesdropping on Germany's "Mummy Merkel's" telephone conversations...
Whilst the US almost certainly wanted the intel, it's been less mentioned that the original BRUSA (now UKUSA) two are thicker than thieves, and oddly, whilst the NSA do a lot of the back end and equipment manufacture, it's the UK mainly doing target selection and on point down and getting your hands dirty, especially when it comes to spying in Europe (it's why the US got really agitated a little while ago when members of the current "ruling coalition" started talking up leaving the EU and Obama was forced to make public comment along with other senior US political figures).
If you think about geo-location and network access points and ask the simple question of who is better placed, the UK or the US, it might go some way to explaining the sudden change in message types coming out of No 10 (Downing St, official home of the PM and cabinet teams).
When you add into the mix "Mummy Merkel's" age and what the East German Secret Police were up to (stealing people's dirty underwear and putting it in jars, and worse), you can understand Mummy's and a whole load of older Germans' sensitivity and revulsion around this behaviour.
Oh, and I'll mention again it was the UK government, through the "Post Office" now BT, who forced into place the parts of the digital telephone standards (via System X and ISDN) which have ended up in the international SS7 and GSM standards that make such spying simple, and again ask people to think back to what happened with the Greek politicians' mobile phones back when they had the Olympics a few years back...
Technically such spying has got much, much cheaper and easier, as you no longer need the very, very expensive front end and middleware software that the switch manufacturers used to charge an arm and a leg for, as quite a few system level hackers/phreakers have made available software that hangs easily on the switch backed hooks.
It's been quite funny listening to various UK "officials" who know rather more than they are saying trying to dance around the "Mummy Merkel" issue whilst the media interviewers who don't know stray accidentally into it. And as a result the officials and others are being caught off guard and releasing little snippets of confirmatory information. I expect there will be an "emergency regrouping" with the issue of a "new song sheet" for everybody to sing from today. Hopefully certain journalists will sit back and listen to their tapes and realise what a story they've let slip through their fingers and "go get" sufficiently quickly to catch a few officials out further (like the likes of Malcolm Rifkind) before they've learned the new song words off by heart...
Clive: there was a funny bit of footage showing an EU politician speaking on his cell phone while putting a hand over his mouth, presumably to stop the media - who were filming - from lip reading. Figured it was funny given the main topic in the papers today re Merkel. Incidentally the UK might find themselves between a rock and a hard place as they try to appease other euro countries yet remain loyal to the US. It will be interesting to see how this plays out and what backlash (if any) there will be for those countries involved.
I wish Bruce could break his squid fetish. :)
DNT: what's hilarious is that if Hayden didn't pose for a photograph the guy's twitter ramblings would have been dismissed as lacking authenticity.
StuckIn2003: if true then this is big. I would love to get a sample of a rogue flash drive to analyze on old, trusted hardware of a different endianness just to be sure.
A (relatively easy to understand) primer on elliptic curve
Those who transfer data to/from an air gapped system via thumb drive and/or optical disk (cough... Bruce S.) will want to keep an eye on this.
I transfer via bad ol' diskettes. Kinda forced to, because the air gapped 80286-10 system has no USB, no optical disk. (Has no math coprocessor either.) Since new diskettes are rapidly becoming unobtanium, I am forced to scrounge from friends ... the few who didn't throw away their diskettes eons ago.
Nostalgia: Several weeks ago I installed PGP version 2.62I (Nov. 1994!) on that 80286 system and generated a 1024-bit key, just for grins. Not including the time it spent gathering entropy, PGP crunched for *seven*minutes* before spitting out the key. :-O ;-)
@StuckIn2003, Mike: On my network I experienced similar symptoms, probably hinting to some kind of low-level-intrusion in summer of 2011.
Seemed like a never ending cascade of faults, hopping around, including very strange behaviour of USB devices and CD/DVD devices and "hidden" fonts in the OS. Fixed one, had three others. Full new OS installation on workstations didn't help. Memtesting and other hardware analysis hinted at nothing unusual. One RAID-5 server seemed to have a "shadow volume"; the Adaptec controller then refused a BIOS flash with a meaningless error code, which it had never done before. CMOSes on workstations couldn't be reset in the normal way (jumper based), which had worked just fine times before; if I succeeded (going the hard way) though, they seemed to modify themselves back to the malicious(?) status when I reconnected the workstation with the rest of the (probably infected) network.
Because most of the hardware is quite old (HP netserver 2000lpr, Dell Optiplex GX-150 e.g.) and at least one Dell's RTC had a mysterious malfunction (set it to, say 06:00:00 AM now, it "runs" immediately to 06:01:32 AM or so, then "slowed down" to normal count rates and then counts up "normally" -- in the future :-) I couldn't rule out the possibility of some hardware malfunction though.
So I rethought the minimum-needed network structure, changed to that, reinstalled the OSes on some of the workstations again, kind of "airgapped" the network from the internet. Since then, I'm able to do my "little normal work" at last; the disturbing faults have vanished.
In the end I'm convinced, more than ever, of the truth of my sayings in the early 1990s (as I started college and working with computer systems as a kind of hobby): sometimes it's a kind of magic -- don't bother. :-)
CallMeLate: you can buy FDD emulators on eBay. Not sure how that would alter your threat profile though. I recently generated a 4096R pgp key on my 25yo airgapped SPARC. I didn't time it, but it was done when I got back from brunch.
Re the clock, obviously it could be bad hardware but remember that once booted the kernel takes over the job from the RTC. I imagine such a system could be used to leak, say a key using software that publishes a timestamp when queried (like a http server for example). Or you could just have a schizophrenic ntpd.
grisu: I would love to get my hands on a suspected "infected" motherboard. pgp key is on my link if anyone feels like donating suspect hardware.
I noted an article this AM about tracking companies supplying police. Seems many of these are doing bulk surveillance too. While there are Constitutional issues with this, the surveillance is designed to avoid claimed need for warrants.
If new laws are provided to rein in NSA, they should also include provisions about private bulk surveillance in some form. This starts to get tricky; forbidding photographs at large gatherings (e.g., rallies) would seem undesirable. However, doing bulk face recognition to get lists of attendees or automated trolling of, say, Facebook to record where large numbers of individuals are going, without their consent, starts getting into automated stalking whose undesirability should be more clear.
Ereshkigal: I recall that Facebook had to wind back their facial recognition tech because debt collectors/bounty hunters/criminal organizations were uploading photos of their targets and letting Facebook link it to a real identity. Apparently a u/c cop's cover was allegedly blown by the feature. Only then was the thing wound back - and eventually relaunched with the default set to only autotag those who are friends or friends of friends. Similar complaints about privacy violation are now surfacing re their new "graph search". It is laughable that both fb and Google+ keep removing users that use nyms (ostensibly to keep their networks "more like real life" yeah, more like more valuable to their advertisers) yet can't guarantee the privacy of those users who do entrust them with their actual personal info only to find that unsolicited update #649392 has exposed information they previously thought was guarded.
No doubt the furore over Google Maps continues in a few countries but many have accepted that it is okay to have a car driving around recording any wifi traffic they might encounter and taking detailed photographs, often into private property and from a vantage point which a citizen on the street couldn't attain without a ladder (where they would be prosecuted for invading your privacy)
See something, say something...is it a good idea?
Not about security, but an attempt to bring in amateur help solving a problem.
@Mike: I'd love to contact you on this matter. Unfortunately I don't have a GPG key ready at this moment. Used to have, but don't trust it anymore.
Thought of setting up a new one but ended up at this:
1. The Internet is not "secure" (e.g. MITMA).
2. Given that GPG software is trustworthy itself (acc. to B. S. "trust the math"), I "only" have to install it on an airgapped system and calc a new key.
3. GPG-software I only get over the Internet.
4. If GPG itself is trustworthy and I were the NSA et al., I would consider MITMA on people who download this software to let them get an untrustworthy version, which I had coded.
5. gnupg.org doesn't even provide SSL/TLS (https), so I can't trust at least a little bit the published SHA-1 checksums.
6. Without regarding other security aspects I therefore have no opportunity to verify the downloaded sources and built binaries, because my ability to review the sources is restricted to zero on matters of time, not to mention my lack of coding experience.
7. If so, why should I accept a lower (in this case: NONE) level of trust at stage of the tools than at stage of the product made with the tools?
Can you help me out of this, please? 8-)
You have not discussed DNSSEC for some time. How likely is it that the NSA has the private key for the root zone? And if they have the private key, does the entire DNSSEC house of cards come crashing down?
NSA could set up a MITM attack and feed me bogus DNSSEC responses that they signed with their own keys.
Seems to me that DNSSEC only works to protect me from a malicious free hotspot, or some other oppressive regime that does not have the resources of the NSA. Against a targeted NSA attack, DNSSEC isn't enough.
I'd love to hear what others think.
Tin foil hat off.
Mike the goat
--The google car took pictures of the inside of my garage. If I knew when it was coming I'd have a nice jammer ready as well as using the car to test some other sensors.
The key to this is using an already trusted older version of gpg/pgp to check the signature file they publish on the new one. If you don't have an old version you can ask a friend who does (and has kept the chain of trust going through the release cycle) to check that the package presented on the website is legit and to verify that the checksums they put up for those without a copy of pgp to verify are correct and true. You'd then download and verify the sha or md5.
You could also use a version of pgp made prior to the presumed beginning of these NSA programs (likely pushed into hyperdrive around 2000-2001) if you felt better about it and were happy to live without some of the newer choices of cipher. You could get a copy of PGP offline from a friend you trust in this case.
That said if the NSA was MITMing gnupg.org they would be doing it selectively and only to targets of interest lest someone on the Internet get wind of it. If we work on this theory (and don't consider total subversion of the gnupg team and website) the sha1sum of your downloaded gnupg 2.0.22 bzipped tar will be the same as mine - which is 9ba9ee288e9bf813e0f1e25cbe06b58d3072d8b8 if you're interested.
Even if you believe that gnupg has been stealthily subverted to, say, leak its key - the security you get from it will still be better than plaintext that everyone can see (vs ciphertext that your recipient and the NSA can see) so there is still a benefit. Of course an overt trojan would be quickly noticed, so the logical attack is a subtle downgrade of security or a key leak in the produced ciphered output.
So yeah I wouldn't hesitate creating a key. ;-)
The only thing I will caution you about is be aware of the key metadata if you want to maintain anonymity. If you put your real name and a nym's email address (or vice versa) and someone uploads the key to a key server then your identity is compromised. If you sign something that your nym said with your real life pgp key - same thing. Best to keep two keys and have two IDs.
An interesting privacy item buried in one of the sad bullying-suicide stories:
"Police arrested a second suspect accused of intensely bullying Rebecca, and they also confiscated the laptops and cell phones of 15 girls at Crystal Lake Middle School, which Rebecca had attended."
It doesn't say, but it seems likely these 15 were selected based on social circle and not evidence that they were directly involved. (which, in the adult world, probably (?) still wouldn't be enough evidence for confiscation.) Probably a good teachable moment for parents at least, that's a good analogy to the adult world: "if you even *know* a bully, you can have your personal communications inspected by people who are looking for a reason to blame you, even if we don't give parental consent."
@ Mike the goat
It's funny you mention GPG because I was just about to post this:
Turns out they've ported it to a bunch of OSes and processor architectures. Those older UNIX systems & non x86 chips are the main strategy I posted for knowing your PC isn't NSA subverted. Good to know GPG will run on many of them. Means I won't have to roll my own.
VMS and OpenBSD are both on the list, too. ;)
Nick: funny... the sources compiled fine on my SPARC as of at least a year ago if not more. Was this something done just recently?
Not entirely unrelated: human-generated entropy for crypto keys probably sucks.
Very good, you managed it! My tin foil hat is off -- for now at least.
Despite this, it will take some time, maybe even months, until I'll contact you. I'll have to do a lot of things. Only one of these is to build a real airgapped machine and to build a key.
And I'm out of unix, aix, sunos, linux, gcc etc. pp. since 1996. Had to work on windows machines since then (as you might have guessed, I'm no IT pro) and have forgotten almost everything. *shrug*
Many of the crypto solutions for mobile phones like the German Secusmart or the Swedish Sectra use hardware based ECC with AES256 co-processors.
Should these companies and their customers be worried in the case Secusmart/Sectra are using NSA recommended curves in their own hardware or commercially available ECC crypto hardware chips?
grisu: that's no problem. there is gpg4win for those of you on Windows. It is very easy to use and even comes with its own mail client. If you are already using thunderbird then you will find the enigmail plugin easy as pie. I prefer encrypted mail. If you wanted to contact me in the clear, that's fine (unless you are speaking of something that could be a risk) just use pgp.mit.edu to lookup my keyID and use the address you find. To get an actual sample of hardware that's supposedly been subverted would be really cool. I am surprised others haven't asked?
@ Mike the goat
I've only sporadically used GPG, even signing comments here for a brief time. It was ugly and wordy though haha. So, instead I signed a local text file and posted the text here. If I needed to prove authenticity, I could. Next I realized everyone pretty much knew if Clive or I were posting by our writing and thinking styles. Plus, there was almost no uptake in high assurance security engineering (my specialty) for years straight so what was the point... This combo led me to just stop signing things. Might start again with air gapped machine, hence the research into GPG. I'm sure what I posted has been the case for a while and I simply didn't know about it.
@ Stanislav Datskovskiy
"Not entirely unrelated: human-generated entropy for crypto keys probably sucks."
It's why I designed my method of using a deck of cards or 8-sided die. A bit inconvenient, but understandable and fairly secure for the lay person. ;)
And I'm out of unix, aix, sunos, linux, gcc etc. pp. since 1996. Had to work on windows machines since then (as you might have guessed, I'm no IT pro) and have forgotten almost everything. *shrug*
I'm picking up serious coding again after farming for more than a decade. It's coming back slowly. They've changed everything on me. Only the overall framework is the way I remember it. I can be thankful my professional coding and sysop career was mostly on UNIX of some sort. This NSA thing has got me very angry, but I can't say I didn't see it coming.
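On the deck-of-cards / 8-sided-die point above: the thing that trips people up when turning physical randomness into key material is bias, so here is an added example (not Nick P's method, not code from the thread) of the one rule that matters. An 8-sided die yields exactly 3 bits per roll; any other die or a card draw has to use rejection sampling, because reducing modulo 2^k skews the output toward small values. The function names, the `sides`/`rolls` inputs and the sample rolls are all assumptions made for this example.

```javascript
// Added example: unbiased extraction of key bits from fair die rolls (values 1..sides).
// Not code from the thread; the helper names are this example's own.

// Whole bits one roll can supply without bias: floor(log2(sides)).
function bitsPerRoll(sides) {
  let bits = 0;
  while ((1 << (bits + 1)) <= sides) bits++;
  return bits;
}

// Rolls -> bit string. A roll whose zero-based value is >= 2^bits is rejected
// (dropped) rather than reduced modulo 2^bits, which would bias the output.
// With sides = 8 every roll is accepted and contributes 3 bits.
function rollsToBits(rolls, sides) {
  const bits = bitsPerRoll(sides);
  const limit = 1 << bits;
  let out = '';
  let rejected = 0;
  for (const r of rolls) {
    if (!Number.isInteger(r) || r < 1 || r > sides) throw new RangeError(`bad roll ${r}`);
    const v = r - 1;
    if (v >= limit) { rejected++; continue; }
    out += v.toString(2).padStart(bits, '0');
  }
  return { bits: out, rejected };
}

// Pack a bit string into bytes; an incomplete trailing byte is discarded.
function bitsToBytes(bitString) {
  const n = Math.floor(bitString.length / 8);
  const buf = Buffer.alloc(n);
  for (let i = 0; i < n; i++) buf[i] = parseInt(bitString.slice(i * 8, i * 8 + 8), 2);
  return buf;
}

// Convenience: rolls straight to a hex key string.
function rollsToKeyHex(rolls, sides) {
  return bitsToBytes(rollsToBits(rolls, sides).bits).toString('hex');
}

// Expected number of rolls for keyBits of entropy, accounting for rejection.
function rollsNeeded(keyBits, sides) {
  const bits = bitsPerRoll(sides);
  const acceptRate = (1 << bits) / sides;
  return Math.ceil(keyBits / (bits * acceptRate));
}

// Constructed sample: one sweep of an 8-sided die (not a real key!).
const SAMPLE_D8 = [1, 2, 3, 4, 5, 6, 7, 8];
console.log(rollsToKeyHex(SAMPLE_D8, 8), 'rolls for 256 bits:', rollsNeeded(256, 8));
```

For a 6-sided die only the faces 1-4 are usable (2 bits each) and 5 and 6 are thrown away, which is why `rollsNeeded` is so much larger for a d6 than for a d8; a 52-card deck gives 5 bits per draw with 20 of the 52 cards rejected.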
Counterpoint to Bruce Schneier: Don't "Trust the Math"
Bruce has told us a few times we can trust the math, if not the code in the cryptosystems. This slogan sounds really nice and all. Its only problem is that it's a BAD idea that creates a false sense of security for that aspect of things. It's also meaningless with some crypto constructs when they become code.
The simple truth is:
1. Computers don't run math. They run *code*. And it may or may not implement the math spec.
2. Math pros make plenty of mistakes. And cryptographers keep giving us different advice over time, so I think they're not in the "infallible" category themselves. ;)
Potential Problems With The Math
1. Relies on unsound formalism. If the underlying logic/tool is unsound, then all proofs or constructions on top of it might be incorrect.
2. Math model doesn't reflect reality. Our models must reflect what's actually going to happen or their properties are kinda useless, yes? This might come from overapproximation, underapproximation, an error class I can't think of right now, or even outright deception.
3. Math looks good but is simply wrong. This has happened many times in the math field, including with crypto. They thought their theory, proof, construction, etc was correct/secure and it wasn't. It often takes a long time for the peer review process to catch the math errors even when many people see the theory/proof. More disconcerting, some problems might be subtle, require new analysis techniques, etc.
4. Poor problem catching. Building on 3 I originally learned this from Bruce's adage that almost anyone can design something they can't beat themselves. If experienced flaw finders haven't looked at the math, we have no way of knowing if it hides a flaw. Like with open source, the mere possibility of peer review doesn't mean a bunch of people were looking at the math for problems.
Making Math More Trustworthy
So, for those who don't find mathematicians infallible, here's some abstract solutions to manage the risk of math:
1. Use sound formalisms and theories.
2. Model any security critical aspects of operation when forming arguments of correctness and/or security.
3. Use only tried and true theories, tools, lemmas, etc. Although risk still exists, reducing the amount of unknowns and/or building on vetted work reduces the risk.
4. The math must be vetted by a diverse thinking set of people who are experts in both math and the domain it applies to.
*Only then* can you trust the math. Then you have to implement it correctly as computers run code, not math. (evil grin) The code is essentially a concrete version of the math. Its properties must correspond to the properties of the math model or else the math is again irrelevant. Informal methods dominate this area for better or worse (often worse). Formal specification/verification of code is steadily growing in capability but still not the norm. So every implementation will have "hand waving" arguments to get from the math to the 1's and 0's.
Lesson from the NSA?
Even Orange Book A1 security engineering didn't fully trust the math of a given algorithm: it combined math specs, English specs, math security policy, math proofs that specs met security policy, strong code correspondence to math spec, covert channel analysis, functional testing, hardware testing, pen testing, and strong lifecycle management. That's what the NSA required for a given system or software before they'd trust it. Over time, security requirements for a secure system or implementation have only increased. I see no reason to trade such rigorous vetting processes for blind faith in cryptographers' math constructions. ;)
The Good News
Good news is that cryptographers aren't as overconfident as they seem. ;) They're careful, thorough and their math has improved over time. There are tools available that seem pretty sound. Certain aspects of crypto have been very thoroughly vetted and analysed. Bruce has contributed to such work, which I actually use. ;) There have been more books over time on how to correctly implement crypto. There's plenty of academics worldwide looking into algorithms, hardware issues, etc. There's also quite a few constructions with formal proofs of security, also being vetted.
So, it's mostly good news for us at least for the basics like ciphers, hashes, & signing. The rest needs more work on the math and code sides. It's the strong design and vetting choices that result in math you can *trust.* It's strong and secure implementation choices that result in math you can *use.* And anyone wanting truly secure crypto needs to look at everything from the abstract theory itself all the way to how its internal components interact with a cache. Doing all this, you're not really trusting the math: you're trusting a total process & the product that results from it.
Note: Peter Gutmann, another math crypto guru, wrote the definitive paper on problems that occur when math and software meet. Link hosted on the Cypherpunks web site. Goes to show that these problems have been known for a long time although mathematicians don't like to talk about them so much.
Nick: there have been comments that have appeared once or twice and I have looked back and think "did I say that? it looks like my writing style kinda but it is certainly not my personality?" - honestly I just play along and go with it because by the time I go back to the thread to respond I've long forgotten where and when I was when I wrote the original comments. Now my memory is like that of a deadbeat alcoholic. I can remember most things fine - probably more than fine. Song titles, lyrics, code, commands, citations, who did what when and where, etc. but I can't for the life of me remember small actions that happened in a day of other bigger events should I need to a few days down the track. In my teenage years I had some brain injury in a prank gone wrong (don't ask! seriously though I am okay now and am not writing this from a wheelchair or anything) but no doubt I feel that these little chunks of memory that go 'walkies' are somehow related. Or some jerk is posting randomly as me once a month (or maybe once every two months) and making me doubt my sanity :-). But getting to the point - message signing certainly has utility. Nothing stops impersonation on blogs. Only trust (and an eagle eyed moderator who can make tough calls with limited data - often both users may be on services like tor or otherwise won't have a static IP so you won't be able to just go "oh, *normal* IP = good guy).
I think perhaps signing with, say a 4096 PGP key is a bit excessive for blog use. Perhaps a 512 DSA key just for signing? It's not earth shatteringly important after all.
@ Mike the goat
Hope this gets to you in time, yes large keys sizes can be problematic for use on a blog. But I would assume "out of band" comms would be best served by robust key lengths. I'm not speaking for Nick, just using the opportunity to side channel with well known opsec methods. Thanks --- nwfor
Namewithheld: oh, absolutely ... for "out of band" (ie off blog) comms I would use my usual nym key (which for 6054D4D2 is 4096 R/R). The low strength DSA key would be used only for signing blog posts. See, you really don't want to spam a blog - any blog for that matter - with, well, let's see, there are two lines at the top for the header and version line (plus a blank to delineate the beginning of the signed text), then there is the footer, and even a 1024 sig is going to be, say, three lines. Add the final footer and you have used up eight lines of text and you haven't even said a word. Whether elliptic curve would be better (and less verbose) than Elgamal/DSA I don't know. What we really need is a system with no headers and the data is confined to a single 80 character line at the end of the post. Even if we end up with an effective key length in the 50 bit range it still poses some degree of difficulty and would make forging blog posts a high effort affair which really doesn't have a payoff at the best of times.
... of course I meant 500 bit, not 50.
Uh, and here is my answer - 380 bit DSA sig produces 80 hex characters. When base64'd this becomes 54. So you'd even have room for some metadata and perhaps a tinyurl to direct them to the validator website for those who don't know what is going on.
There we go Nick and namewithheld .. Shall I code up a sample implementation in perl? :-)
@ Mike the Goat
You can do whatever you want. I might use it, might not. It's a decent idea, though. Long as it looks better than my old signatures. The signature took up almost half the space.
One easy solution might be a sig link at the bottom of the comment that links to your own site with the comment, the URL and a signature. So, people here see almost no clutter and those that care can check your comment for authenticity. It also works across blogs.
Your compact signature scheme would still be useful on your own page to reduce clutter & storage requirements. The link can be smaller than a small signature. And you can put any instructions or other relevant material on your own site. (Example below.)
PGP sig here.
Another idea would be to use a tag that's not filtered by the blog to convey the necessary signature without cluttering the blog viewer's view, i.e. link to, say <a href="blogsig://MmQxZjExZjQ3YmMxMjYzOGJkYWUwZjBjMGNiYzBhNWQ1MTRjNDRiNSAgLQo=">verify</a>
Phew, hope I escaped everything. An even neater way of doing this is have the URL be a http:// one that has the first portion redirect to a real web server to tell people about it and then follow it with a ?SIG= and dump it in there. That way those without the app installed will at least be able to learn about it and perhaps even it will have a cut and paste function for them to use to check if the SIG is okay. Even nicer would be the website used the referer field to suck down a copy of the web page, pull out the relevant post (it would need only grep for the embedded string and use some heuristics based on known metadata (e.g. message length) to know where to find the beginning of the message without having an actual header delimiter).
Man, I gotta say I love brainstorming with you guys.
Posting the sig in the URL might be cumbersome. You could just paste a signature somewhere like pastebin.
Note: no one actually has my PGP key, so no one will be able to verify my signature. However, as you can see, I'm using GnuPG 1.4.15 (GNU/Linux) so if you see that, you can just go ahead and assume it is me. Also, I know there is at least one other person who posts here as "Scott" - they are probably not an impostor; my theory is that there is more than one person with the given name "Scott" with access to the intertubes.
Scott: the key is that it should be tiny enough to be embedded in the blog post - either covertly (in an element like a 'title' for a link for example, or as an actual link) or overtly (the last line in the post). I am working on this concept just for fun... and it will give me something to fill up my next weekend. The concept is that we don't need high security - we just need something that makes spoofing expensive and time consuming for the adversary. By putting the data on an outside link you are making the system centralized and forcing users to either use "our" server that we put up for testing (if we went this way) or run their own. that said we could probably use an API for something like pastebin to populate the full signature in a paste. Given blog posts are going to be checked within a few months of submission this might just work.
Nick: I might just hack up something quick and dirty using either shell or perl that parses a blog post and generates a 'tiny' signature line - and of course another script that can take a blog and verify the signature line.
I imagine people would just generate in-app keypairs for use with this, but with a bit of mucking around there is no reason why we can't integrate this with their existing PGP keypair. Now we can't directly import ours as a subkey, as PGP requires >1024 bit (gpg is okay with 512 in expert mode) and it is handled a lot differently. The easiest way to do this would be to create a subkey on a trusted key of theirs and use their blogsig public key as its comment field. By putting their PGP key ID in the metadata space of their blogsig instead of some other identifier (which would be limited to about 16 chars by necessity) they can advertise the link, and the client software can validate it by pulling the key from the servers and verifying that a subkey exists, etc. Again, love sounding ideas off everyone here. One day we'll come up with something that is not just useful but indispensable. We're not there yet, of course.
Interesting - the Russian secret service is buying up old electrical typewriters; now those can't be intercepted, can they?
Maybe, with the Merkel phone thing and other governments with the same problem, now there is a chance to buy into stock of companies that still do typewriters ;-)
If the goal is simply identity verification, and not making sure Bruce doesn't change your message after you post it, instead of signing the posts, it might be best to sign a timestamp. The post is going to have contents parsed, and what you sign and the post content might not be the same, making it a pain to verify.
1. Insert with preformatted text with a noscript block, that'd require a mod to the blog service.
2. Use an agreed upon coding scheme that would allow for a single line tag--it doesn't have to be a working URL for example.
OT for Bruce
--Someone again broke into my home the other day while I go to school and turned on a space heater in the room I sleep. Maybe they planted some false evidence or scooped the exploit I'm searching for. Really pathetic given how I've basically revealed my identity, no encryption, leave my (current) devices out in the open, and they're still bullying me. I'm not like having delusions or anything, I just remember pictures well and where all my things are left in the house...this is actually happening Bruce...I can't believe it's still happening...Where do I go to make it stop? Do I have to kill them or what? That's what they want me to do. B/c I've had goddamn enough of it.
It might help them and it might not:
Funny thing is the IBM Selectric also appeared in a State dept document where we noticed different keys took different amounts of power (if I recall right). So, it was the favored weapon by both parties using different techniques lol. Might still be an improvement vs using computers though.
A (relatively easy to understand)...
Nice link. Thanks!
Someone again broke into my home the other day while I go to school and turned on a space heater in the room I sleep.
I suggest, if you can afford it, to purchase and install a home video camera system with a DVR. Samsung makes one with 8 cameras for less than $500.00, and less expensive ones with fewer cameras. They have motion detection and you can view the stream remotely from your Smart phone. There is no service charge needed as it streams directly to your phone. Next time you capture a picture of the intruder, post it here. You can even photo-shop his head on that pumpkin you shared ;)
I also have an idea that requires some blog modifications. Use the E-mail Address field just under the name to put a secret code that you register with the blog. It could be a large random value, as large as the field can accommodate. The server saves the name / value pair. For example, you will post with your name:name.withheld.for.obvious.reasons, and put your secret code in the next field (the email address): fde1234567890deadbeef54321... The server should only accept your post when the two pairs match what you registered with, which is saved on the server. Will require posters to register, and share a "key" with it. May also cut back on spam. Duplicate names will have to be handled somehow...
Old news, but just ran across Glenn Greenwald's comments about encryption standards on reddit:
"There are hundreds of encryption standards compromised by the program the Guardian, NYT and PP all reported on. I have never seen any list of those standards and don't have it. If I did have it, I would publish it immediately. As a result, the reasoning went (as I understand it), publishing one or two examples would be unhelpful if not misleading as those are tiny fractions of the overall compromised standards. "
Wael: the problem with that solution is it requires the cooperation of the blog owner. It is also arguably just the same as authentication - you're just supplying your email and secret on each post. That said, it would most certainly work.
Scott: you'd want message verification too, as other blogs may not be as trustworthy as Bruce's. I was planning on stripping all whitespace, CRs, LFs from the "message" text before signing (and obviously on validation). In plain English additional whitespace doesn't appreciably change the meaning of a message - and this is being intended to be a low assurance system anyway. It would be a lot easier if any HTML tags are also stripped out, as we can't be sure that the tags the user selects aren't going to be stripped from the post when it hits the blog. Of course this means someone could change the location a link directs to and the message would still be "valid". The only tag that you'd really care about all that much (and would be passed through and not stripped by most blogs) is a href. You could use one of the metadata bits on the SIG to denote whether the hash should be validated as 1) completely stripped plain text with the exception of href tags or 2) strict.
Not having a header shouldn't be an issue if the metadata includes the message length (in stripped characters). The validation tool can then grab the page, strip out all HTML except a href tags, strip all spaces, CRs and LFs, then grep out the "blogsig", parse the metadata for message size, count back from the blogsig by n characters and then put this into the hash verification routine.
GregW: my personal belief is that the redactions made by Greenwald and his female colleague are harmful. Only the names of witnesses and assets whose compromise would affect personal safety should be redacted. You could argue for even full disclosure - if Greenwald and friends have the documents then the genie is out of the bottle and these people need to know they have been compromised. There is no good reason to redact the names of companies and encryption products from the Snowden trove. Commercial concerns are irrelevant. Companies who have collaborated with the NSA - especially those who have done so willingly and without coercion should understand that if you sleep with dogs, you're going to get fleas. Their products should be tainted by the revelations and never trusted again.
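The canonicalize-then-count-back verification described a couple of paragraphs up, worked through as an added example. This is my code, not code from the thread or from any blogsig tool the commenters were building. Two things are assumptions of mine rather than anything the thread specifies: the signature line layout `blogsig:<length>:<tag>`, and the use of a truncated HMAC-SHA256 tag, chosen only to keep the script standard-library only; a real deployment would put a public-key signature in the tag field so that readers need nothing but the poster's public key. The post and page markup in the test are constructed.

```python
import hashlib
import hmac
import re

# Canonicalization rules from the thread: drop every HTML tag except
# <a href=...> and </a>, then drop all whitespace, CRs and LFs.
TAG_RE = re.compile(r"<(?!a\s+href=|/a>)[^>]*>", re.IGNORECASE)
WS_RE = re.compile(r"\s+")
# Assumed signature line layout (mine, not from the thread): blogsig:<length>:<tag>
SIG_RE = re.compile(r"blogsig:(\d+):([0-9a-f]{16})")


def canonicalize(fragment):
    """Strip tags (except anchors) and whitespace so reflowing can't break a sig."""
    return WS_RE.sub("", TAG_RE.sub("", fragment))


def tag_for(canon, key):
    """Assumed tag: truncated HMAC-SHA256 over the canonical text.
    A real system would use a public-key signature here instead of a shared key."""
    return hmac.new(key, canon.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def sign_post(body, key):
    """Return the post text with a blogsig line appended as its last line."""
    canon = canonicalize(body)
    return f"{body}\nblogsig:{len(canon)}:{tag_for(canon, key)}"


def verify_page(page_html, key):
    """Scan a fetched page for blogsig lines; return one True/False per line found.

    The length field says how many canonical characters precede the line, so the
    verifier counts back from the blogsig and recomputes the tag over exactly that
    span. No start-of-message delimiter is needed, and surrounding page text,
    other comments and their own blogsig lines simply fall outside the span.
    """
    canon = canonicalize(page_html)
    results = []
    for m in SIG_RE.finditer(canon):
        length, tag = int(m.group(1)), m.group(2)
        start = m.start() - length
        if start < 0:
            results.append(False)  # length claims more text than precedes the line
            continue
        expected = tag_for(canon[start:m.start()], key)
        results.append(hmac.compare_digest(expected, tag))
    return results
```

Whitespace reflow and stripped formatting tags leave the result valid; editing a word or an href target does not. The caveat from the thread still applies: if the blog rewrites anchors on the way in (adds rel="nofollow", reorders attributes), this strict mode will fail, and the looser mode would have to keep only the href value rather than the whole tag.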
Figureitout: Wael's advice is good. You can get very small battery powered CCDs that record on to SD and are very concealable. They record only when motion is sensed by a PIR and for a configurable period. They also have a VOX and can record audio. I would buy a few of these (they are cheap enough to afford on a student budget) and scatter them around. Good places to hide them include in an empty smoke detector housing, in the carefully dremeled "eye" of a stuffed toy, behind a light switch (you can get ones with the CCD and sensor module on a tiny PCB with about 6 inches of ribbon cable attaching it to the guts of the thing which will fit behind a larger style light switch if you are creative), in a book on a bookshelf (again taped to a pinhole in the binder of say a bible) or even just put it in a playing or tarot card box and leave it on your desk pointing in the right direction. I would conceal a camera on your ingress and egress points to your abode so you can hopefully catch a face shot. You may consider using mains powered cameras if you don't want to be going around changing batteries all the time. You can get a really cool one that replaces a standard wall socket and takes power from the socket. Another looks like a wall wart and even has a functioning USB port on it if you are averse to mucking around with fixtures. There are many reputable online vendors. Google "nanny cams" and similar keywords.
--Someone again broke into my home the other day while I go to school...
The way to deal with persistent offenders is to hold their activities up in public for punishment, be it civil / criminal prosecution or just ridicule.
The latter may be the only course of action open to you. As always I would advise against physical contact or threat, as this would leave you open to civil or criminal prosecution, or even death, with them claiming "standing their ground" as an LEO etc.
So the first step is "softly softly catch your monkey". Whilst those invading your space might be idiots or at best unskilled, it would be wise to assume otherwise.
Thus the first rule of the game is neither over- nor underestimate your opponent. The second rule is you cannot monitor everything.
Thus you need to limit their degrees of freedom in approach, entry, egress and scope of activities.
The basic tenet of physical security is to limit them to a single approach path and a single point of entry/egress. There are various ways to do this but much of it depends on the specifics of your location and environment.
There are also three basic classes of non-criminal intruder,
(Oh and there is a supposed fourth level of mythical all-seeing all-knowing uber/ninja pros that people talk of when doing risk analysis etc; basically the argument is they are so good nobody can detect them let alone catch them... so they cannot be shown to exist ;-)
By and large a chancer has the minimum of training and technical skill, and their intrusion will more than likely be opportunistic rather than planned and prone to the failings of all "spur of the moment" actions. They don't really know what to look for in the way of alarms and tell-tales etc., and signs of their intrusion are usually fairly clear as they tend to hurry and don't put things back the way they found them, even approximately. The chances are they will leave fingerprints or other readily identifiable evidence which would be found by an ordinary scene of crime investigator. It's the kind of approach some LEOs have exhibited in the past and has often led to evidence etc. being inadmissible in court...
A semi-pro will have had some reasonable level of training and skill, and is about what you would expect from a "field trained officer" or surveillance trained LEO. They will plan their intrusion somewhat, will do a "stakeout" and probably do a "dry run" observation to look for routes of entry/egress, and obvious alarms or other indicators of security. Thus well placed CCTV will probably catch them when they do the dry run; likewise good observation in the surrounding area will bring to light their vehicles etc., and quite often "stakeout signs" will be obvious enough for a "nosey neighbour" to spot with ease. The reason for this is they concentrate on hiding from the person they are watching, with the result that they ignore how they look to others. A number of LEOs under training on the streets of London around Vauxhall Cross and into Victoria and Westminster around New Scotland Yard I've watched whilst sitting in a cafe window seat; they might as well have had a "propeller hat" on their head. Their use of technology will be minimal and often quite visible in use, though with personal electronics of good quality becoming the norm these days this is becoming harder to spot. When they do enter your premises they will have spotted obvious alarms and obvious CCTV and will take some methods of protection and won't leave the likes of fingerprints etc. They probably won't spot less obvious CCTV or normal "tell-tales". Again they will leave signs that they have been there because they will be in a hurry, but they won't be easily obvious signs; that is, they will put books and newspapers etc. back where they were but won't take care to correctly align them, likewise other "surface clutter", and they almost certainly won't bother putting the contents of drawers and cupboards back correctly.
Pros have both a high level of skill and a lot of training; they have to, it's how they earn their living as "Contractors", and they know they are out on their own due to "deniability of employment". They will perform a stakeout, but whilst you might with care spot it, a nosey neighbour won't. Usually they will stake out the area from a distance first to get the rhythm of the area, so they will know who walks dogs when and where; when, where and which companies do regular drop-offs/deliveries; the makes, models and registrations of all vehicles and where they usually park, and will check ownership of them and all buildings. They will know who all the utility suppliers are, the uniforms, ID cards, vehicles etc.; they will know where utilities are routed and where all the control points like stop cocks, switch gear, distribution cabinets, manhole covers etc. are. If possible they will "move in" to the area by "going under cover", usually not adjacent to or overlooking your property, but where they can stake out their own stakeout equipment/bods to cover their backs etc. They will establish routines to "fit in" and might even get to know the nosey neighbours, dog walkers and delivery people to the point of wishing them good day or even stopping for a chat, and really good ones will do it to you. They will do many dry runs and will look for not just obvious alarms but less obvious ones; they will look for and find outwards facing CCTV using "red eye" techniques and will also look for other signs of surveillance on your property by you, those protecting you, or semi-pros doing it badly as normal. Good ones will also look for "inwards facing" CCTV and ground alarms and signs of "route forcing" security, and will do "thermal imaging", "EM radiation" and "residual energy" scans to find nearly all electronic alarms and their associated wiring.
They will do a number of dry runs that move in, in decreasing stages, and will often put electronic "stakeouts" in objects like vehicles and street furniture or covering foliage etc.; usually they will "instill them in", such as parking a car in different places, moving it closer to your property on a day by day basis. They will "bug your utilities" to find out what your usage and usage patterns are; they will steal your garbage, sort through it and put it back etc. They will try to get copies of credit card and check payments. In short they will know you better than Joe Average knows themselves. They will intrude into your property several times; good ones might even get you to "invite them in". The first entry will be a minimal photo shoot, where possible from outside the building, to not only know what you've got but where you've got it. They will then probably go back to photograph one object in detail sufficient to make a copy into which they put surveillance equipment; if absolutely necessary they might risk doing this by "phoney break in/robbery". They will then take the pulse of your activities and watch what you do when you think you are not being watched. Thus they will see you "set" obvious tell-tales and use any covert equipment or storage etc. On return visits they will search bit by bit; they will photograph each item and use it to restore things as they were, including photographing the insides of drawers, cupboards etc. They won't hurry and they will be thorough, including removing all electrical face plates, the sides etc. of all "white goods", and will look inside fixtures, furniture, and furnishings, including taking things away and replacing them with copies/duplicates before returning the originals etc. Some will even use the equivalent of "ground penetrating radar" to look for hidden voids in walls, floors and ceilings.
Having achieved the objective they won't cut and run; they will carry on observing for a while to see if your habits etc. change in response to their visits, and they will finally withdraw slowly in easily explainable ways so as not to raise any alarms in you or neighbours.
There are however some pros that are used to mess with your head; they leave deliberate clues to having been there that only you can see, and if you tell people they will think you are paranoid. This is usually done as a prelude to setting somebody up for a fall, such as priming/pushing them into an altercation with an LEO or similar where the expected result is jail time. There was a lot of this in the US in the 1960s & 70s and was part of the Cointelpro stuff that you can find and read up on. Back then it led to the deaths of quite a few innocent people "but hey they might have been carrying out anti-American activities...". Hence my earlier warning about keeping your distance: "better to be thought a pussy than be a tiger's head nailed dead on somebody's trophy wall".
Importantly however there are some things even the best of pros cannot do, including those supposed mythical uber-pros... and this is due entirely to the laws of physics that they can't hide from; thus they can be caught in the act.
Alarm sensors for instance do not have to be electronic or emit EM fields or other energy that can be picked up by anti-surveillance/alarm sensor equipment. As an example, most older houses have squeaky/creaky doors, floor boards, stairs, drawers etc. You cannot use them without making a noise, and if somebody attempts to "fix the squeak" they can't easily unfix it, so you will know it's been unexpectedly fixed. These annoying noises are produced by what are in effect unpowered physical sensors that only re-emit energy put into them by their use / activation. They emit the energy as radiated or conducted sound or vibration, and that travels quite nicely around the building, not just through the air but in the walls and floors and pipe work; thus an active pickup such as a mic plastered into a wall some distance away will pick it up. With a little care these active pickups can be placed where they won't be visible to the likes of thermal imagers and out of reach of EM energy and residual energy detectors. Likewise floors bend when you walk on them, and you can get strain and balance gauges quite cheaply these days. Even re-bar in solid concrete floors "sings" and conducts sound very effectively, especially if welded not wired together before the concrete is poured (remember the old movies where somebody put their ear on a rail to hear a train coming from miles away; it's the same principle). Likewise even a plastic or rubber pipe of water conducts sound very well, and "under floor" heating systems are becoming popular in new homes; a hydrophone attached to the system does very effectively pick up footfalls, the main problem being filtering out "circulation and thermal expansion" noises. But this sort of non-energised sensor and active pickup also works outside as well: pea-grit / gravel paths/drives crunch, and external decking and verandas are just like floors, they bend under load and conduct the sound of footfalls.
Likewise the movement of people and the opening and closing of doors creates drafts or "pressure differentials"; modern high-efficiency homes are so sealed that the opening of an internal door can be detected by the pressure switches in "environmentally friendly" air circulation/extraction systems in the roof space... Likewise the 0.1KW of heat human bodies emit can be detected by non-optic heat sensors that use conduction or convection, not radiation. And as they are non-optical they don't have focusing mechanisms that give the 180 degree internal reflection that "red-eye" detection systems use.
But as is seldom mentioned, "red-eye" detectors have a major failing, just like radar systems. They both emit EM energy in characteristic ways, but they are really quite insensitive and range limited, in that the red-eye device sensor is looking for reflected energy; thus an equally sensitive detector will pick them up long before any reflection off of the detector is seen by the red-eye device's sensor... This problem has long been known to those doing ECM/ECCM systems, and for various laws-of-physics reasons it's a game where the prepared defender has the win/draw outcome advantage whilst the attacker has only the draw/lose outcome disadvantage...
However remember one thing when it comes to the mythical uber-pros: there is an argument made that if they know of such sophisticated alarm systems they will try to "piggy back" them to observe you in greater detail, or they build up the "system noise" slowly so that either you turn it off due to the level of false alarms or the real alarm gets buried in the false alarm noise. Whilst this has actually been seen in military ECM/ECCM and other systems in war conditions, I've never come across a verifiable case of "piggy-backing" nor of "gaming" sophisticated alarms (though I have seen occasional unsophisticated gaming of simple "stock" alarm systems, such as putting random faults on "red-care" alarm telephone lines to control centers to delay response times).
The important thing though is that you need to put in sophisticated alarm systems before you come under surveillance; otherwise the watchers will see you put them in and will thus know about them and plan countermeasures before the alarms are operational, let alone have had time "for the paint to dry".
Wael/Mike the goat/Clive Robinson
--Thanks for advice. I bet they'll charge me w/ "outing" an agent if I post pics, hence I have to use general terms applying to many and I have their faces in my head. Want to know what's really sad? My attention to detail is genetic, my grandma has that trait (it's really amazing how she remembers all the notes she leaves everywhere) and she suspected someone going thru her house moving things, which my dad blew off as dementia. Some weird bald guy got in the house too, he really put me off. So, they're going thru my granny's house too, so disgusting. Anyway, this is really retarded. They aren't going to gain any valuable intel, it's basically spiteful losers who were too slow to catch me so now they're going to try and frame me. They're not going to find my sensors nor my methods either, so suck my dick f*ckers. I'm out.
Clive/figureitout: I guess you could also consider non-electronic methods of surveillance. A good one is to put a small amount of UV reactive tracer powder (you can buy the stuff to reconstitute into a solution for leak testing purposes) on the carpet around known points of possible ingress. If someone enters they will trample the dye elsewhere in the house and you should be able to get an idea of where they have been.
If you create your own seals this is also a great way of tracking entry. Use a UV pen and sign one side of your seal and then use a readable ink pen to sign the other side. You want to configure them so that they must break them to enter. Obviously you need to break and reset your main entry seal each day. This isn't a problem - just ensure you incinerate or otherwise destroy any broken seals and keep an audit of which ones exist so they can't get them. Consider unconventional means of access too - seal any roof access points and HVAC vents. Number each seal and keep track of them. You can get the red "evidence control" seals pretty cheap. Old school but worth a try.
Other ideas include some tiny snap lock bags filled with UV dye taped to the underside of rugs or secreted under the carpet. Even if they discover they have tripped it there isn't much they can do. Of course they may not care that you know that they've been there, in fact this might be the "chilling effect" they are going for.
Assume all communications are insecure, and obviously eBay is out of the question given they will figure out your opsec. Use local sources to gather surveillance devices. A series of well secreted cameras remains a good defense. Of course if you are already under surveillance then they will know their locations and take countermeasures.
Personally I would think of using some kind of man trap. :-)
Bruce: can you please cover #badBIOS and whether you consider Dragos Ruiu's revelations to be legitimate?
@ Mike the goat
"Bruce: can you please cover #badBIOS and whether you consider Dragos Ruiu's revelations to be legitimate?"
I haven't heard about these. Got any links?
Nice, thorough treatment of the subject. :)
It's why IOMMUs are all the rage these days. People learn their controllers can't be trusted, so they do some isolation at the PCI level. I just put certain functions on dedicated devices and connect them carefully to the main system. Cumbersome, less flexible, simple and effective. Always tradeoffs to be made...
Nick: on my cell phone at the moment but if you check my page you'll find a recent article with a heap of links to the source material and reddit discussion on it. Seems very far fetched including supposed ability to use sound card as a SDR to breach an airgap!!! Claims it reflashes firmware of USB thumb drives to cause some kind of sploit to give BIOS access. Yeah ... ?! If this was an unknown guy I would dismiss this as crap but he is behind pwn2own.
@ Mike the Goat, Nick P,
The first thing to say about the badBIOS reports is that whilst they sound unbelievable and fantastical and some bits impossible, sit back and have a careful thought on it first.
Firstly we know that BIOSes can be reflashed, and if you overwrite the loader code then they are in effect bricked unless,
1, Your overwrite is a new loader of some form.
2, You have an appropriate in-circuit or over-chip pin programmer.
We also know that all PCI cards have provision for the storage of BIOS augmenting code, and often where there, it's stored in Flash ROM, with exactly the same issues as the mainboard BIOS Flash ROM.
Likewise we know that many designs are taken off the design sheet / manufacturer's suggested / recommended circuits. These high function chips usually contain either MIPS or ARM core CPUs, large quantities of RAM and either EE or Flash ROM to store the code. And again, just like the mainboard BIOS, they can be overwritten by somebody with the right knowledge.
And as we know from Stuxnet, getting the knowledge and signing keys for even quite exotic systems and software is very far from impossible and in some cases probably quite easy and relatively low cost (because those responsible for the design of exotic systems don't consider themselves targets for malware developers and assume obscurity is security...).
And it's something discussed on this blog, prior to Stuxnet and prior to TI calculators. So it's hard for any long term reader or commenter to say they've not read or discussed the issue of semi-mutable memory in PC systems and how code signing is a bit of a bust.
As for some of the other suggestions, yes I can see how in some cases this can be done, but I'll reserve judgment as to its actual utility. Also people carrying out any kind of investigation need to remember,
What looks like a duck,
Walks like a duck,
And quacks like a duck,
Is actually a goose.
Thus sometimes things are not quite what they appear to be at first glance, and the thinking process of the investigator ends up in a "dark cave with lots of twisty little passages running hither and thither".
Clive: I think hardware hacking has come back into vogue. An interested party could perhaps survey market penetration of certain hardware in the target market. For example if I target Seagate HDDs I know I should be able to get 30+% of American PC HDDs. Add in Western Digital and I can get another 40%. So just by targeting two vendors I can conceivably make something that could potentially affect a large number of PCs with HDDs. Of course you then have to look at the controllers of these vendor's drives and see how similar they are between revisions, ideally dump the firmware from a series of disks and disassemble and compare. If we were to target the most popular consumer 1TB and 2TB WD and Seagate HDDs and perhaps compile a list of the top five HDD firmwares perhaps we would have, maybe at best a 15% chance of finding a supported device. Ideally we would write a generic exploit for each vendor but this isn't likely to be a realistic option given changes in hardware between vendors.
What could we do with an evil HDD? Plenty. Perhaps the most obvious use would be hacking some rudimentary NTFS awareness into it so you can move your shim into a file that windows will execute on each boot. You could then have truly persistent malware. NTFS may not even be needed. Think about this - we run our code for only 300 seconds at drive power up so our code doesn't impact on performance. We know that the power up will likely immediately precede a boot. When the MBR is read the evil HDD can inject its own loader and then chainload the real MBR. Alternatively it could grep each read block for the magic of said driver that it wants to replace and then feed back altered data. Many ways it could be done.
What about RAID controllers? Plenty you can do here as they are pretty much embedded systems themselves. Some even run commercial RTOS' like VxWorks. Given many are used on *NIX systems you could code something to modify /etc/passwd or similar.
Ethernet controllers could do all sorts of crazy stuff. More interesting are video cards and the access being on the bus potentially gives them. Again many vendors have simple or even no firmware authenticity checking other than a simple crc to guard against corruption.
The lowest hanging fruit here is the BIOS. You really need to only support Phoenix/Award and you have got the bulk of COTS PC hardware covered. They have also made it easy for you with the modular way third party code can be inserted into the BIOS image. I did this to about 200 computers about ten years ago for a high school. It was trivial. I compiled etherboot, generated my image, downloaded the latest BIOS ROM from the vendor website and used their supplied flash modification tool to "unpack" the image into its component parts. I was then able to remove the PXE code, insert the etherboot code and also change the BIOS full screen logo. Repacked and flashed. As the flash on these boards wasn't removable I used FreeDOS to make a bootable USB thumb drive and then just went to each machine and booted from USB. The other cool thing about the BIOS editor is we were able to set a global admin password, thus negating the need to individually set them. The cool thing about using etherboot as opposed to PXE is we didn't need any kind of hackery. We just edited our DHCP server to send the required attributes to show where the images lie. No BOOTP was required and the etherboot software was able to connect using TFTP and grab the kernel. We had it all set up so that the initial stuff was pulled via a read-only NFS server. Our scripts then made a tmpfs, extracted a gzipped tar into it and then pivoted root into the tmpfs volume. We then loaded the X server and gave them our own highly modified xdm, which was quite idiot proof. They pushed their student ID card into the Gemplus readers we got (we got ones that fit in a 3.5" floppy bay and connect to the internal USB header on the motherboard), the screen would show a 100px wide icon showing their "mugshot" and their name would appear prominently on the screen. They had two attempts to enter their key lest their account gets locked and they must see the IT helpdesk.
You could switch between our UNIX system and Windows (via an m$ terminal server and rdesktop) by hitting the break/pause key. Home directories were shared between both systems so it was seamless. Nobody except some of the maths tutors used the Windows boxes but it was a good feature. OpenOffice was excellent and we also had MS Office via wine/crossover office. Pulling out your smart card locked the workstation for thirty minutes, initiating a logout if the time is exceeded or a staff member inserts their card and clicks to kill the session. It was a beautiful thing! But I have digressed wildly. Point is - BIOS modification is easy and you could do all sorts of cool things with an evil BIOS.
As to how UEFI will fit into the picture - I don't know! Having such a full pre boot environment would make development of evil tools much easier but features like secure boot may make subversion harder. I haven't played with UEFI enough to comment.
Sorry for rambling a bit. Everyone has a project that went completely to plan, was brought in under budget and worked with minimal mucking about. This was one of those projects.
I guess to paraphrase - I expect to see more hardware hacks. I hope Dragos Ruiu is correct and this malware is legit. I doubt the software radio claim that he says uses the sound card (perhaps he meant tuner card which has been successfully done before) to breach airgapped networks. If it is true this will be the biggest story of the year.
If only I could get one of these evil sticks so I can use my USB data analyzer on it and get more of the story.
> Interesting - the Russian secret service is buying up old
> electrical typewriters; now those can't be intercepted, can't
At risk of belaboring the obvious, yes.
The same tech that was once supposed to be able to grab scan signals from CRTs would probably work.
But even simpler, at least 20 years ago on comp.risks there was an article on a password-less system, where the user simply started typing text. The system identified the user by variations in timing between characters, like a telegrapher's "fist."
A variant of that algorithm: build a table of common keyboard pair-stroke relative timings, bounce a laser off a window to pick up some sound, and given some time you could probably snarf most of the data from a manual typewriter or even a 10-key.
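Worked example, added by the editor and not part of the comment above: a minimal keystroke-dynamics matcher of the kind the comp.risks system is described as using. Digraph latencies (time between consecutive key-downs) are collected at enrolment, a per-digraph mean and spread form the user's "fist", and a later attempt is scored by its mean z-score against that profile. All timings, the 2.0 threshold and the min_obs floor are constructed for illustration; a real deployment would need far more samples and a tuned threshold.

```python
import statistics

# Constructed enrolment data: each stream is a list of (character, key-down time in ms).
# Made up for this example; a real enrolment collects hundreds of keystrokes.
ENROLMENT_EVENTS = [
    [("t", 0), ("h", 95), ("e", 215)],    # "the": th = 95 ms, he = 120 ms
    [("t", 0), ("h", 101), ("e", 226)],   # th = 101, he = 125
    [("t", 0), ("h", 98), ("e", 216)],    # th = 98,  he = 118
    [("i", 0), ("n", 140)],               # in = 140
    [("i", 0), ("n", 150)],               # in = 150
    [("i", 0), ("n", 145)],               # in = 145
]


def digraphs_from_events(events):
    """Turn a (char, timestamp_ms) stream into (digraph, latency_ms) pairs for consecutive keys."""
    return [(c1 + c2, t2 - t1) for (c1, t1), (c2, t2) in zip(events, events[1:])]


def build_profile(event_streams, min_obs=2):
    """Per-digraph (mean, population std-dev) of latency; digraphs seen fewer than
    min_obs times are dropped. The std-dev is floored at 1 ms to avoid dividing by zero."""
    by_digraph = {}
    for stream in event_streams:
        for dg, ms in digraphs_from_events(stream):
            by_digraph.setdefault(dg, []).append(ms)
    return {
        dg: (statistics.mean(vals), max(statistics.pstdev(vals), 1.0))
        for dg, vals in by_digraph.items()
        if len(vals) >= min_obs
    }


def score_attempt(profile, events):
    """Mean absolute z-score of the attempt's digraph latencies against the profile.
    Lower means closer to the enrolled fist. Digraphs absent from the profile are
    ignored; returns None if nothing could be compared."""
    zs = [abs(ms - profile[dg][0]) / profile[dg][1]
          for dg, ms in digraphs_from_events(events) if dg in profile]
    return sum(zs) / len(zs) if zs else None


def matches(profile, events, threshold=2.0):
    """Accept the attempt if its score is below the (constructed) threshold."""
    score = score_attempt(profile, events)
    return score is not None and score < threshold


PROFILE = build_profile(ENROLMENT_EVENTS)
# Constructed attempts: one with latencies near the profile, one far from it.
GENUINE_ATTEMPT = [("t", 0), ("h", 99), ("e", 221), ("i", 400), ("n", 543)]
IMPOSTOR_ATTEMPT = [("t", 0), ("h", 140), ("e", 230), ("i", 400), ("n", 600)]

if __name__ == "__main__":
    print("genuine  score:", round(score_attempt(PROFILE, GENUINE_ATTEMPT), 2), matches(PROFILE, GENUINE_ATTEMPT))
    print("impostor score:", round(score_attempt(PROFILE, IMPOSTOR_ATTEMPT), 2), matches(PROFILE, IMPOSTOR_ATTEMPT))
```

The same statistics are the reason timing is a side channel: anything that lets an observer recover inter-key intervals (the acoustic pickup in the comment, or timestamps on a network channel) recovers much of this profile, so timing-sensitive input should not travel over recordable channels without padding or batching.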
@ mike the goat
It's interesting but not entirely surprising. I remember these events separately:
1. Malware infecting BIOS's for persistence/privilege.
2. USB based infections.
3. Attacking host by first compromising firmware of DMA enabled device.
4. Steve Gibson's site details a BIOS bug that's in many of them that shifts data 32 bits consistently.
5. Several A1-certified products having custom firmware for their x86 machines might mean they were concerned about something.
6. The move for IOMMUs in Intel chips shows they didn't trust the devices. ;)
7. Joanna Rutkowska also hinted that more problems are to come.
So, just these points by themselves mean that a USB or PCI based attack on the host system with BIOS subversion is possible. I've explicitly considered this in risk analysis: any device with memory access or flow of untrusted input into trusted software must be justified. It's why my air gapping solution pushes one-way links or highly robust guards instead of USB sticks.
The one surprise was the .ru links. I figured the first time I saw esoteric, BIOS attacks would be NSA sponsored. Of course, .ru doesn't actually mean they're Russian for real. It might be misdirection. Like many commenters on the links you gave, I can't wait to see more *data* rather than second- or third-hand info.
The solution is simple: secure from ground up. I've previously listed projects doing that. I've hinted I have a paper release coming up with links to many such pieces of research and usable prototypes. Whatever is done will need high assurance code for the initial bootloader and verifier in read-only memory. That will load up a firmware image that is robustly written, verify it and pass control. Devices will not have access to a portion of the system reserved for trusted host code and this is hardware enforced. If these parts aren't done, then the system can't be secure in the face of untrustworthy devices.
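Worked example, added by the editor and not part of Nick P's comment: a simulation of the ROM-anchored chain he describes, where a verifier in read-only memory holds a digest of the first firmware stage, each stage is hashed in full before control passes, and each stage's header names the digest the next stage must match. It uses digest comparison in place of signature verification (a real design would verify a signature so firmware can be updated without a new ROM); the image format, the `FWIM` magic and the stage contents are constructed for the example.

```python
import hashlib
import struct

MAGIC = b"FWIM"           # constructed header magic for this example's image format
HEADER_LEN = 4 + 32 + 4   # magic + sha256 of the next stage + payload length


def make_image(payload, next_image=None):
    """Stage image: header carries the digest of the successor stage (zeros for the last one)."""
    next_digest = hashlib.sha256(next_image).digest() if next_image is not None else b"\x00" * 32
    return MAGIC + next_digest + struct.pack("<I", len(payload)) + payload


def parse_image(image):
    """Return (next_digest, payload); rejects a bad magic or a truncated payload."""
    if len(image) < HEADER_LEN or image[:4] != MAGIC:
        raise ValueError("bad image header")
    next_digest = image[4:36]
    (length,) = struct.unpack("<I", image[36:40])
    payload = image[40:40 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return next_digest, payload


def build_chain(payloads):
    """Build stages last-first so every header can embed its successor's digest.
    Returns (rom_anchor, stages): the anchor is what gets burned into read-only memory."""
    stages = []
    successor = None
    for payload in reversed(payloads):
        img = make_image(payload, successor)
        stages.insert(0, img)
        successor = img
    return hashlib.sha256(stages[0]).digest(), stages


def verify_chain(rom_anchor, stages):
    """The ROM verifier: hash each stage in full and compare with the expected digest
    before handing over control. Returns the payloads that passed, in boot order;
    raises on the first mismatch so nothing after it ever runs."""
    expected = rom_anchor
    booted = []
    for i, img in enumerate(stages):
        if hashlib.sha256(img).digest() != expected:
            raise ValueError("stage %d digest mismatch: halting before passing control" % i)
        next_digest, payload = parse_image(img)
        booted.append(payload)
        expected = next_digest
    return booted


def tamper(image, offset):
    """Flip one bit at the given offset: stands in for a modification of a flashed image."""
    b = bytearray(image)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    anchor, stages = build_chain([b"firmware", b"os-loader"])
    print("clean chain:", verify_chain(anchor, stages))
    try:
        verify_chain(anchor, [stages[0], tamper(stages[1], len(stages[1]) - 1)])
    except ValueError as err:
        print("tampered chain:", err)
```

Note what the anchor buys: an attacker who modifies the second stage and then rewrites the first stage's header so it points at the modified digest still fails, because the first stage no longer matches the digest held in ROM. That is the "hardware enforced" part of the argument; the chain is only as strong as the immutability of the anchor.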
@ mike, Bryan
Looking back at Bryan's link, I just realized they have a whole damned stack in this thing:
"Includes compiler, drivers and RTOS kernel to support user firmware development."
The DMA access being the main attack vector, the other stuff gives them everything they need to pull it off with the utmost convenience, eh? ;)
Nick: I guess I will respond in the order of the issues you mentioned. 1) I guess the first piece of malware that attempted to modify the BIOS was CIH/Chernobyl. This doesn't really count as it just wrote random junk into the flash to brick the PC. I believe that the first bit of malware that actually used the BIOS to maintain persistence was Computrace. Some would question why I am referring to a commercial product as malware. My answer is that a) it was installed in the official Dell laptop BIOS and on some models activated by default, b) the majority of users were unaware that such an insidious piece of software was preinstalled on their computer and c) it presented a genuine risk to the privacy of any subsequent owner who happened to purchase a second hand laptop with this software installed. (Now this isn't directed at you Nick but at those who don't know what I am talking about - Computrace was a theft tracking solution produced by Absolute Software and installed en masse on Dell laptops from the late 90s to around 2009 or so. It had functionality similar to other theft tracking software in that it a) phoned home periodically to a command and control server to see if it was flagged as stolen. b) if flagged the C&C server records the source IP. The software also searches for nearby wireless networks that may assist in geolocation. c) on later models equipped with UMTS it used cellular network information to improve geolocation, and moreover could send information via the cellular network if the thief does not connect the laptop to his own network. d) a few laptops that were GPS/GLONASS receiver equipped sent direct coordinates to the C&C servers and finally e) the webcam can be used to take a photo of the alleged thief and it was said the disk could be erased (although I took this to believe an ATA password was set just to make recovery difficult - not physical erasure which would be time consuming and obvious)).
Anyway Computrace had one trick up its sleeve that differentiated itself from its competitors - a BIOS module that checks to see if the Computrace executable exists on the drive and if not copies it in place. I believe it simply renamed a Windows service that was executed during bootup and put its code under the original filename. Windows would execute it and then Computrace would execute the real file once it had loaded itself. Thus I believe Computrace was used as a model for the persistent malware that we have occasionally seen since then.
2. More and more organizations are coming to the realization that USB is a bigger threat than originally anticipated. The threats from rogue USB devices don't stop at autorun malware. The most realistic threat that has many corporate bigwigs worried is the great "suck". USB 3.0 flash drives are concealable, fast and have large capacities. Data can go walking out your organization en masse if you are not careful. Regarding evil USB thumb drives which have rogue controller firmware reflashed on them to do something nasty - if Dragos is right then this is yet another good reason why USB should be locked down in a corporate environ. That said you can't completely disable USB as most essential peripherals now use it and PS2 ports have disappeared from modern motherboards. Even if you did disable it in the BIOS there is no guarantee that the exploit Dragos spoke of could still work if the USB controller on the motherboard enumerates the devices despite the BIOS not passing anything on to the OS. Perhaps the best solution is a combination of disabling USB mass storage and friends in your OS and using a physical port guard on the rear. I have seen such things that are designed to fit around the back of your case where the motherboard has its plate with all the ports. It physically cups over it and is locked with a key. You'd then want to unplug the front USB ports and use security screws and a luggage style padlock on the little ring that allows you to secure the case closed. At least it is a deterrent and if you use a security "lock" (like a one way cable tie with a validity tag that clearly shows if it has been tampered with) you can confirm the case has been unmolested. This may also help prevent hardware keyloggers. Of course they can just cut a USB cable and get access this way but realistically you are just trying to stop your employees from doing something dumb (and not necessarily malicious).
3 - is there a PoC of this technique? 4 - yeah, but it is Gibson we are talking about here! He lost my respect when he launched that "shieldsup" page. I noticed ages ago he was advocating using SpinRite for forensic recovery of hard drives that have bad blocks, something everyone should know is a no no. We use write blockers because we can't write to the media. SpinRite supposedly works by doing just that - moving around suspect blocks and writing to the media. I suspect that if the defense knew you used a tool like this your evidence would be inadmissible as it was knowingly modified by the forensic tech working for the prosecution.
5. I would go further and say that we can't trust x86 - period. The architecture is hack after hack after hack all in the name of maintaining compatibility. That is not to say that ARM is much better. I like RISCy architectures - keep it simple, but the truth is we can't trust anything. PowerPC and SPARC are my two favorite architectures if I had to name something semi-modern. PowerPC was well ahead of its time.
6. Yes, IOMMUs have distinct advantages. That said - Intel may not trust devices but I don't trust Intel. :-) 7. No doubt we are going to see more being done in this area.
Re .ru links (I assume you are speaking of #badBIOS and his claims that the malware is likely Russian) - this isn't all that unexpected. If you remember back to agent.btz the US claimed that it was Russian made (with some comments made about Chinese help) and the payload got into the airgapped systems via a USB stick that was dumped in the parking lot of an overseas military base. Social engineering at its finest - people are naturally curious and if they find a USB stick then chances are they will want to see what is on it. Doing that on a workstation connected to a classified airgapped network, however, happens to be a pretty stupid idea.
We know that most of the tools used to reflash USB thumb drive firmware to display fraudulent capacity come from Russia with love. Given their experience with these devices perhaps it isn't all that unusual after all. That said, perhaps you are right and they are trying to finger the Russians. Wouldn't be the first time they have been blamed for the world's ailments.
Wow. That was a verbose reply.
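Worked example, added by the editor and not part of mike the goat's comment: the "disable USB mass storage and friends in your OS" point, expressed as the decision an OS-level USB policy hook has to make. The block parses a USB configuration descriptor (the 9-byte configuration header followed by 9-byte interface and 7-byte endpoint descriptors, walked by `bLength`), collects the interface classes the device claims, and denies mass storage (class 0x08), still-image/PTP (0x06), and any composite device that mixes HID with another class, since a "thumb drive" that also announces a keyboard is exactly the rogue-firmware case discussed above. The descriptor blobs are constructed for the example; the class numbers are the standard USB class codes.

```python
import struct

DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05
CLASS_HID, CLASS_IMAGE, CLASS_MASS_STORAGE = 0x03, 0x06, 0x08
DENIED = {CLASS_MASS_STORAGE: "mass storage", CLASS_IMAGE: "still image / PTP"}


def parse_config_descriptor(blob):
    """Walk a configuration descriptor block by bLength and return the interfaces it declares.
    Rejects buffers shorter than wTotalLength or containing a descriptor that overruns it."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", blob, 2)[0]
    if total_len > len(blob):
        raise ValueError("wTotalLength exceeds buffer")
    interfaces, off = [], 0
    while off + 2 <= total_len:
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > total_len:
            raise ValueError("malformed descriptor at offset %d" % off)
        if dtype == DT_INTERFACE and length >= 9:
            interfaces.append({
                "number": blob[off + 2], "alt": blob[off + 3],
                "class": blob[off + 5], "subclass": blob[off + 6], "protocol": blob[off + 7],
            })
        off += length
    return interfaces


def evaluate_device(blob):
    """Policy decision for a newly enumerated device: ('allow'|'deny', [reasons])."""
    classes = {iface["class"] for iface in parse_config_descriptor(blob)}
    reasons = ["denied class 0x%02x (%s)" % (c, name) for c, name in DENIED.items() if c in classes]
    if CLASS_HID in classes and len(classes) > 1:
        reasons.append("composite device mixes HID with other classes")
    return ("deny" if reasons else "allow"), reasons


# --- constructed descriptors for three sample devices ---------------------------
def _iface(num, cls, sub, proto, n_ep):
    d = bytes([9, DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0])
    for i in range(n_ep):
        addr = 0x81 if i % 2 == 0 else 0x02          # alternate IN / OUT endpoints
        d += bytes([7, DT_ENDPOINT, addr, 0x02]) + struct.pack("<H", 64) + bytes([0])
    return d


def _config(*ifaces):
    body = b"".join(ifaces)
    return bytes([9, DT_CONFIG]) + struct.pack("<H", 9 + len(body)) + bytes([len(ifaces), 1, 0, 0x80, 50]) + body


KEYBOARD = _config(_iface(0, CLASS_HID, 1, 1, 1))                       # boot keyboard
THUMB_DRIVE = _config(_iface(0, CLASS_MASS_STORAGE, 6, 0x50, 2))        # SCSI / bulk-only
KEYBOARD_PLUS_STORAGE = _config(_iface(0, CLASS_HID, 1, 1, 1),
                                _iface(1, CLASS_MASS_STORAGE, 6, 0x50, 2))

if __name__ == "__main__":
    for name, blob in [("keyboard", KEYBOARD), ("thumb drive", THUMB_DRIVE),
                       ("keyboard+storage", KEYBOARD_PLUS_STORAGE)]:
        print(name, evaluate_device(blob))
```

The caveat the comment itself raises still applies: this decision happens after the host controller has already enumerated the device, so it limits what the OS binds a driver to, not what the device could do to the controller or to firmware below the OS.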
@ Nick P,
Looking back at Bryan's link, I just realized they have a whole damned stack in this thing
Come on man, keep up :-)
Seriously I thought you knew it's actually a lot worse than Bryan has pointed out...
Nearly all USB controllers contain MIPS or ARM cores running almost identical very flaky code. In fact quite a few memory device controllers have 3 cores in each chip all with their own memory and stacks as well as DMA into the other cores' maps.
At least one of the cores will have a "generalised serial communications hardware interface" which will have at least two TX and two RX shift registers of a K or so in size for each USB interface. An almost identical interface can talk to SD etc cards, various serial buses like I2C / CAN bus / SATA / Firewire / Ethernet and Motorola and similar interfaces to DSP and DDS chips.
Basically inter chip "serial buses" are "the new parallel bus"; often they will be differential in nature because they solve one heck of a lot of problems with PCB design as well as internal issues in chips with driver circuitry etc (ask @RobertT for the low down on this).
Whilst the serial hardware works (fairly) well, writing the in-chip drivers for the CPU cores is as much if not more of a black art than it is for conventional OS kernels.
Worse, whilst you will have one core talking USB and another talking to say a hard drive controller, another will be talking to the cache memory and internal block remapping tables etc. Often this low level IO code will be taken from the chip manufacturer's recommended design notes on the data sheet. Over this dog's breakfast of unknown code comes the dog's vomit layer of code to hook things up together. This is often done with "MMU & DMA Ju-Ju code" written by somebody for an entirely different device a couple of years ago, they didn't comment the code or leave documentation and have subsequently left for a better job or long-term rest in a "locked ward" somewhere. Which means some five dollar a day expensenises code cutter fresh out of their first year adult education on an intern / work experience scheme will get to cut-n-paste it all together for the latest product oh and USBn+1 interface which is 10x faster than the USBn interface the code was originally written for...
Which kind of means that actually the code is very buggy but huge easily recognisable parts are the same in nearly all products no matter who sells them under whatever brand name.
For instance around twenty years ago I wrote in 8-bit CPU assembler some code for phones. As was my practice at that time not only did I heavily comment the code (about 5x comment to code) I also wrote copious documentation explaining how to make it sing and dance in just about any way you wanted it to. I know (because somebody asked me to check over it) it was translated into C code and it's still going into product today...
Come on man, keep up :-)
I have to give you props for the 5x coding/comment ratio. It is the responsible engineer that assures the clarity, usability, reusability, and serves as a teaching tool. It sucks that engineers are not encouraged to approach code development with a thoughtful, I'd argue the bottom line can also be served, but we all know how this story ends. You can see it in commercial and industrial products worldwide. I haven't trusted Agilent for a while.
Addendum: the closed-source compilers are of course still a source for potential back doors.
@ Clive Robinson, Nick P
This is often done with "MMU & DMA Ju-Ju code" written by somebody for an entirely different device a couple of years ago, they didn't comment the code or leave documentation and have subsiquently left for a better job or longterm rest in a "locked ward" somewhere.
There is a reason they don't comment code. Once upon a time, I was debugging an issue in a device driver. Code was two years old, and the bug suddenly appeared after Windows enabled fast user switching. The guy who wrote the code was no longer there. So I looked at the source (may the source be with you), and saw a strange comment in a function header. The comment said: // This function always returns true, even if it fails. If we return false, I don't know why things don't work and causes a blue screen
I thought that was peculiar, I wouldn't put a comment like that. So I searched for that comment, and lo and behold! It was copied from a tutorial on the internet, verbatim, with the comment! There is a whole class of code cutters -- a level below them. They don't cut anything, they take the whole thing -- lock, stock, and barrel, including incriminating comments!
They either don't have the skill to know what to "cut", or are too lazy to "cut code" properly :)
-----BEGIN FISA/NSA HYPOCRISY ALERT-----
Version: pgg v0.2a
SOURCE: U. S. House of Representatives
BILL: H.R. 2189
TITLE: VA Disability Claims Backlog
SUBJECT: Continued expansion of NSA/IC data abuse
The code words are becoming obvious as they are stated in congress; the list consists of:
1.) "...we will do what ever needs to be done to address..."
2.) "...added efficiencies through automation..."
3.) "...more cooperation with the DoD..."
4.) "...streamlining communications between federal agencies..."
It appears that Democrats and Republicans believe in Big Government "Data".
-----END FISA/NSA HYPOCRISY ALERT-----
From The Guardian, Oct 25, 2013: As Europe erupts over US spying, NSA chief says government must stop media:
The head of the embattled National Security Agency, Gen Keith Alexander, is accusing journalists of "selling" his agency's documents and is calling for an end to the steady stream of public disclosures of secrets snatched by former contractor Edward Snowden.
"I think it's wrong that newspaper reporters have all these documents, the 50,000 – whatever they have and are selling them and giving them out as if these – you know it just doesn't make sense," Alexander said in an interview with the Defense Department's "Armed With Science" blog.
"We ought to come up with a way of stopping it. I don't know how to do that. That's more of the courts and the policy-makers but, from my perspective, it's wrong to allow this to go on," the NSA director declared.
Let me guess: General Alexander has never heard of the "Streisand effect." This is something that is out there, and is going to continue to be out there until the Internet totally melts down, and all of the papers are physically shuttered. This is a pumping phenomenon: the more you push on it, the bigger it's going to get. The effect is probably similar to gas expansion in a balloon, where gas=hot air from authority, and balloon=press attention.
@ mike the goat
"is there a PoC of this technique?"
I don't have my old links on these things. Hmm. For similar PoCs, look up Jonathan Brossard's Rakshasa and Heasman's PCI rootkit. Heasman focuses on PCI and PXE. Rakshasa was a BIOS backdoor that also flashed peripheral firmware (e.g. network card) so if it got cleaned the firmware would be a beachhead back into the system. And I figure you might like this very detailed presentation on Broadcom network card firmware teardown and rootkits.
"yeah, but it is Gibson we are talking about here! He lost my respect when he launched that "shieldsup" page. I noticed ages ago he was advocating using spinrite for forensic recovery of hard drives that have bad blocks, something everyone should know is a no no. We use write blockers because we can't write to the media. SpinRite supposedly works by doing just that - moving around suspect blocks and writing to the media. I suspect that if the defense knew you used a tool like this your evidence would be inadmissable as it was knowingly modified by the forensic tech working for the prosecution."
I'm not going to hate him for that one thing, although I'm all for calling him out on it. It's fair to say Gibson has a few bad points. He still has my respect because he's made many useful tools, keeps the lay people informed with his podcast, doesn't price gouge for software, releases many things free, & is one of few people still capable of writing software that can fit on a floppy.
"I would go further and say that we can't trust x86 - period. The architecture is hack after hack after hack all in the name of maintaining compatibility."
The second sentence is about the exact words I've described it as here. x86 is shit. If I kept it, I'd keep a watered down open core version of it just to run GEMSOS or STOP OS. ;)
"That said, perhaps you are right and they are trying to finger the Russians. Wouldn't be the first time they have been blamed for the world's ailments."
I'm just saying it's a possibility. The Eastern Europeans have probably been the most effective malware writers over the past years so I wouldn't put it past them.
@ Clive Robinson
"Seriously I thought you knew it's actually a lot worse than Bryan has pointed out..."
You know I think of most hardware as a black box. USB was just a dangerous untrustworthy black box probably full of plenty nasty stuff. Now I've finally seen some of the specific ugliness.
"As was my practice at that time not only did I heavily comment the code (about 5x comment to code) I also wrote copious documentation explaining how to make it sing and dance in just about any way you wanted it to. I know (because somebody asked me to check over it) it was translated into C code and it's still going into product today..."
Sounds nice cept the 5x comment to code ratio. *That* sounds like a bit of an exaggeration unless you're embedding huge chunks of documentation in the comments at the beginning of the file. I mean, this is assembler you're talking about and it's renowned for taking many lines of code to do the simplest things.
" It is the responsible engineer that assures the clarity, usability, reusability, and serves as a teaching tool."
That's also why such engineers rarely write assembler. ;)
"It was copied from a tutorial on the internet, verbatim, with the comment! There is a whole class of code cutters -- a level below them. They don't cut anything, they take the whole thing -- lock, stock, and barrel, including incriminating comments!
They either don't have the skill to know what to "cut", or are too lazy to "cut code" properly :)"
Lol. Nice observation. I shamefully admit to doing this when I was learning Win32 and MFC. If it was a quick and dirty app, I just copied entire segments of code from MSDN library and other sources. Usually worked. Never fully learned the monstrosity that was Windows C++ development. ;)
Thanks for that link! Excellent!
@ Nick P,
Sounds nice cept the 5x comment to code ratio. *That* sounds like a bit of an exaggeration unless you're embedding huge chunks of documentation in the comments at the beginning of the file. I mean, this is assembler you're talking about and it's renowned for taking many lines of code to do the simplest things
I guess you've not written a lot of 8-bit asm where an instruction might be,
And the comment for it be
Get value from serial port baud rate divisor register
And at the top of each block of code, be it a function or sub, a header block saying exactly what it did, what registers and memory were used for input and output to it, where it was called from, any subs it called and a who/when/what table of modifications.
You can pick up my assembler code source files from the time and just read the header blocks, or just the instructions on the left or the comments on the right of each instruction line and know exactly what the code was doing. If you found any disparity then that was almost certainly where a bug or error was.
I used to write the code by first deciding the code functionality as blocks and write skeleton headers for the block then write the more detailed comments and then fill in individual lines of instructions.
It might not have been the fastest way to write lines of code, but it generally worked fine as written and needed little modification due to "bugs".
I know it sounds odd but I see my code like a picture in my head that sort of becomes a high level flow chart. I can do this because I've already mentally designed the hierarchical layers and API format long before deciding on specific functionality.
It all goes back to having to cut time share programs where you would punch your code on cards or tape and only then drop them in a reader to run. So you needed to get it spot on before it was your turn otherwise you would have to wait a day to get to next run code.
@ Clive Robinson
"I guess you've not written a lot of 8-bit asm where an instruction might be,
And the comment for it be
Get value from serial port baud rate divisor register"
That's one line of comment to one line of code. 1 to 1. :P
Joking aside, appreciate the clarification on your particular process. Sounds like you just do it in a kind of old school way that leads to the higher amounts of comments. Makes sense too.
@ Nick P.
I shamefully admit to doing this when I was learning Win32 and MFC. If it was a quick and dirty app, I just copied entire segments of code from MSDN library and other sources.
Sounds familiar 8-) . I remember the days when I had to write some Win32 C++ DLLs as an API between Lotus Notes and OS/400. Horresco referens.
Sounds nice cept the 5x comment to code ratio. *That* sounds like a bit of an exaggeration unless you're embedding huge chunks of documentation in the comments at the beginning of the file.
Way back, I used to do RPG II and III on IBM S/36, S/38 and AS/400 midi systems. Absent a standard source code skeleton, the code was entirely incomprehensible for anyone else but the author without a comment to code ratio of at least 3 to 1, especially in RPG II.
--Please excuse my terrible post on this thread, as you can imagine, being physically violated as many times as I have, is not a pleasant time. It's happened more than I've made known on this site, just so they don't know what I know; b/c what "seems too good to be true" is also what "seems too easy to be true" and they fall for traps like my little derpers. However, the information needs to get out b/c people need to be warned that there are people out there that attack you on behalf of idiots. Me, on the other hand, attacking people, I made 100%, not 99.9, 100% sure that attackers attacking/bullying me will pay b/c they will attack many other people who will just take it. I do not stand for bullying the weak/vulnerable and all you bullies out there will pay, count on it. Everyone out there judging me needs to understand this, that I do not attack pre-emptively, only after the fact.
--Not trying to be a dick (again), but in terms of real security, should one place trust in comments that can simply be lies? Instead of truly following/understanding all the code so there are no doubts. C/C++ code can get very messy, I can make some very unpleasant code, so can you presumably; and be a dick. If my school had a tutoring center for coding like it does for math, that would be epic, there would be serious innovations happening based off the quality of the math tutoring center; but it would be harder for the tutors. ASM is even worse, and binary is the ultimate god-level status of coding. So, we need to tamp down all these capabilities we have now b/c they are fundamentally insecure; until we can't even physically exchange files/code/hardware in which case we need to stop and it's time to revolt.
It all goes back to having to cut time share programs where you would punch your code on cards or tape and only then drop them in a reader to run. So you needed to get it spot on before it was your turn otherwise you would have to wait a day to get to next run code.
--I guess I need to share, my dad has a couple funny coding stories. One is the Turbo Pascal he coded for a product that remained in the product 10 years later (pretty good I think). The other is when he was in school, and on the day of a test, one student tripped or stumbled and dropped his like 300 or whatever number of cards all over the floor like throwing a bunch of papers everywhere. A disaster as this was the order of the punch-cards for your code so he likely failed the test. Well nowadays you can save these files as many times as you want multiple ways, and if state-level agencies are attacking your coding projects; then lol, I'm sure they get a lot of good intel lol.
should one place trust in comments that can simply be lies.
The comment was a clue to a series of problems. The code was fixed, and it took only half a day. The problem was caused by an uninitialized object -- forgot what kind of object, this was many years ago, but I think it was an improper driver initialization. Fixing the bug is a small part of the problem. Of course fixing it meant checking the code, and rectifying the root cause. Fixing the attitude was the major part.
so can you presumably; and be a dick.
Again? Hopefully this is the last time I hear that from you -- don't mess with me, or we'll both be banned, and that would suck!
"IMHO Copernicus BIOS verification tool, (From John Butterworth / MITRE - presenting at PacSec) is one of the most important new security tools in recent history. We've already found some persistent BIOS malware that survives re-flashing with it. And that isn't even the interesting part, the malware seems to have a hypervisor and some kind of SDR (software defined radio) that bridges air gaps, even in laptops with the wifi and Bluetooth cards physically removed.
It's also OS specific, the one we found targets Windows... Time to recheck the OSX boxes too. In case you are looking for it, it seems to send TLS encrypted commands in the HostOptions field of DHCP packets."
"So it turns out that annoying high frequency whine in my sound system isn't crappy electrical noise that has been plaguing my wiring for years. It is actually high frequency ultrasonic transmissions that malware has been using to communicate to airgapped computers... one "ghost" located at least.
And now we know how the "hypervisor" functions, it's probably stored in the Realtek firmware, and that's one of the ways it survives reinstalls and BIOS reflashing. Off to find tools to dump the Realtek audio chips, and to try to find clean firmware to compare it to. Haven't ruled out video firmware yet, either."
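Worked example, added by the editor and not from the quoted Dragos Ruiu posts or from Copernicus itself: the core of what a BIOS verification tool of that kind does, and what "survives re-flashing" looks like in its output. A flash dump is split into named regions, each region is hashed, and the digests are compared against a baseline recorded from a known-good image; regions that are expected to change between boots (the variable store) are listed as volatile so they do not drown real findings. A dump taken after a reflash that still differs from the vendor image outside the volatile regions is the signal the quote describes. The region layout, the 3840-byte dumps and the "nvram" volatile set are constructed for the example; a real tool reads the flash descriptor for the layout and compares against the vendor's published image.

```python
import hashlib

# Constructed flash layout: (region name, offset, length). Made up for the example;
# a real tool derives this from the flash descriptor of the specific platform.
LAYOUT = [
    ("descriptor", 0, 256),
    ("bootblock", 256, 1024),
    ("main", 1280, 2048),
    ("nvram", 3328, 512),
]
VOLATILE = {"nvram"}  # regions expected to differ between dumps (settings, boot counters)


def region_digests(dump, layout=LAYOUT):
    """{region: sha256 hex} for every region in the layout; rejects a short dump."""
    out = {}
    for name, off, length in layout:
        if off + length > len(dump):
            raise ValueError("region %s runs past the end of the dump" % name)
        out[name] = hashlib.sha256(dump[off:off + length]).hexdigest()
    return out


def compare_to_baseline(dump, baseline, layout=LAYOUT):
    """[(region, reason)] for regions whose digest differs from the known-good baseline,
    ignoring volatile regions. An empty list means the dump matches the baseline."""
    findings = []
    for name, digest in region_digests(dump, layout).items():
        if name not in baseline:
            findings.append((name, "no baseline digest"))
        elif digest != baseline[name] and name not in VOLATILE:
            findings.append((name, "digest differs from baseline"))
    return findings


def first_difference(a, b):
    """Offset of the first differing byte between two dumps (for triage), or None if equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def constructed_dump(seed):
    """Deterministic 3840-byte stand-in for a flash dump (constructed, not real firmware)."""
    return bytes((i * 7 + seed) & 0xFF for i in range(3840))


def with_changed_region(dump, name, layout=LAYOUT):
    """Copy of the dump with every byte of one region altered (stands in for a modification)."""
    off, length = next((o, ln) for n, o, ln in layout if n == name)
    b = bytearray(dump)
    for i in range(off, off + length):
        b[i] = (b[i] + 1) & 0xFF
    return bytes(b)


VENDOR_IMAGE = constructed_dump(0)
BASELINE = region_digests(VENDOR_IMAGE)

if __name__ == "__main__":
    after_reflash = with_changed_region(VENDOR_IMAGE, "nvram")       # only settings changed
    persistent = with_changed_region(VENDOR_IMAGE, "bootblock")      # survived the reflash
    print("after reflash:", compare_to_baseline(after_reflash, BASELINE))
    print("suspect dump :", compare_to_baseline(persistent, BASELINE),
          "first diff at", first_difference(VENDOR_IMAGE, persistent))
```

The limitation to keep in mind, and the reason the quote goes on to look at audio and video firmware, is that this only covers what the dump covers: a region the reading tool cannot see, or firmware on a different chip, is outside the comparison entirely.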
re badBIOS: unfortunately this is the same info we already have and Dragos hasn't announced anything particularly enlightening since. He did, however put up "kit.tar.gz" which supposedly has files in it that were modified on a supposedly infected machine. I haven't been able to download it from mega.nz, unfortunately. I believe the smoking gun will be inside the controller firmware of the infected flash drive. Even if the thumb drive only allowed one to upload fresh firmware and not dump it (and pretend we couldn't desolder and analyze in vitro, so to speak) you could capture the firmware that the malware uses by simply using a USB analyzer and inserting a "fresh" USB thumb drive into an infected box and let it infect it (while sniffing).
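Worked example, added by the editor and not part of mike the goat's comment or the quoted claims: a detection check for the one network-level indicator the quoted post gives, commands hidden in a DHCP option. It parses the RFC 2132 option area of a DHCP packet (magic cookie at offset 236, then code/length/data triples) and flags a host name option (code 12, which I take to be what the quote calls the "HostOptions field"; that is an assumption) that is longer than a DNS label or contains non-printable bytes, plus vendor-specific or site-specific options carrying high-entropy payloads. The two packets are constructed: the suspect host name begins with 16 03 01, the bytes of a TLS handshake record header, which is the kind of thing a "TLS encrypted commands" claim would predict showing up.

```python
import math

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOST_NAME, OPT_VENDOR, OPT_END = 0, 12, 43, 255


def parse_dhcp_options(packet):
    """Return [(code, data)] from a BOOTP/DHCP packet's option area (RFC 2132 TLV layout)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = [], 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        opts.append((code, data))
        i += 2 + length
    return opts


def shannon_entropy(data):
    """Bits per byte; 8.0 would be uniformly random, English text is roughly 4 to 4.5."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_options(packet, max_hostname=63, entropy_threshold=4.5, min_len=16):
    """[(code, reason)] for options that look like a covert channel rather than configuration.
    Thresholds are constructed starting points, not tuned values."""
    findings = []
    for code, data in parse_dhcp_options(packet):
        if code == OPT_HOST_NAME:
            if len(data) > max_hostname:
                findings.append((code, "host name longer than a DNS label"))
            if any(b < 0x20 or b > 0x7E for b in data):
                findings.append((code, "non-printable bytes in host name"))
        if code == OPT_VENDOR or 224 <= code <= 254:
            if len(data) >= min_len and shannon_entropy(data) > entropy_threshold:
                findings.append((code, "high-entropy payload in vendor/site-specific option"))
    return findings


def build_packet(options):
    """Constructed DHCP packet: zeroed 236-byte fixed header, cookie, TLV options, end marker."""
    body = b"".join(bytes([code, len(data)]) + data for code, data in options)
    return b"\x00" * 236 + MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed samples: an ordinary DHCPDISCOVER-style option set and a suspect one.
BENIGN = build_packet([(53, b"\x01"), (12, b"laptop-01"), (55, b"\x01\x03\x06")])
SUSPECT_HOSTNAME = b"\x16\x03\x01" + bytes(range(64, 128))   # TLS-record-like prefix, 67 bytes
SUSPECT = build_packet([(53, b"\x01"), (12, SUSPECT_HOSTNAME), (43, bytes(range(0, 256, 4)))])

if __name__ == "__main__":
    print("benign :", suspicious_options(BENIGN))
    print("suspect:", suspicious_options(SUSPECT))
```

Run against a capture, this is a triage filter rather than a verdict: legitimate vendor options (option 43 on PXE and VoIP networks) can be binary, so the entropy rule needs a per-network baseline of what normally appears there before it is worth alerting on.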
"unfortunately this is the same info we already have"
'Copernicus BIOS verification tool' wasn't mentioned here. The Kabelmast blog link is very important too for additional references.
Marjorie: I wasn't being rude to the OP - was just stating that I have been following this for the past two weeks and so far we still have nothing conclusive. When Dragos posted initially (a few weeks back) it was called BIOS SDR. Now we hear of "badBIOS". I assume they are one and the same.
Another interesting point is that Dragos mentioned on his Facebook page that said laptop was acting up for a long period of time prior to analysis with Copernicus - by long I mean years. So if this turns out to be accurate then the malware that is recovered won't be "new" but will have actually been in the wild, undetected for a very long period of time.
Nick: interesting link. As you know I am all for throwing x86 out and starting over. Re Gibson - indeed he has been educational for many. I don't have anything personal against him, just how he has approached certain topics made me scratch my head. Re Eastern Euros being malware kings - indeed. Have you had time to see their latest masterpiece, the ransomware Cryptolocker? I wrote a brief article about it last week - very clever indeed. Uses a domain generation algorithm to find its C&C servers like Zeus and co. Encrypts your office documents and scrubs the original so file carving tools like photorec or EnCase won't work. The only thing they forgot was volume shadow copy (Win7+ does an automatic snapshot every so often) but seems it barely ever manages to work properly anyway and the average user isn't aware of it either. You give the author two bitcoins and you can have the private key and get your data back. Classic stuff.... But done right unlike pgplocker which left the secret in a text file on the HDD (rookie mistake I guess).
helicopter pilot: yup, guess topics in security are cyclical (haha, helicopter ... cyclical.. I made a funny). Guess that the collective (I will stop now) malware community reads the same stuff that we do and attends the same conferences, so it is to be expected. It is sensible given that hardware is notoriously easy to compromise. Damn, I can't think of a sentence which includes autorotation. Not to worry. I will leave comedy to the experts from now on
I just saw this video about 'cyclic numbers'; and as if crypto stuff didn't already seem obscure to me, simple numbers suddenly become very mysterious. :P http://www.youtube.com/watch?v=WUlaUalgxqI#t=610
I found it interesting that it was said that something like a third of all known prime numbers are cyclic and I can't help but wonder what implications this might have for cryptography in general. Is there somehow any link to elliptic curve cryptography from, eh, use of 'cyclic numbers'?
"Way back, I used to do RPG II and III on IBM S'36, S'38 and AS/400 midi systems. Absent a standard source code skeleton, the code was entirely incomprehensible for anyone else but the author without a comment to code ratio of at least 3 to 1, especially in RPG II. "
I've seen RPG II and I feel for you. I bet it gets plenty unreadable. I actually got offered a chance to work on RPG, AS/400, COBOL and maybe a zSeries. I only had partial details. So, I looked up a bunch of sample code & administration for both systems. It was like it was from an alternate reality stuck in the 60's or 70's. I said "screw that..." and went back to my usual stuff.
In retrospect, I wish I could stomach mind numbingly boring IT work because the COBOL/RPG/mainframe segment jobs are remarkably stable. They also often pay a premium due to limited availability of talent & most of them I've noticed work pretty normal hours. Sounds less "exciting" than my own work got at times. Might have been a good thing. ;)
Thanks for the tidbit about cryptolocker. Yeah, that's pretty clever. That darned shadow copy. It's always the little things. That's one of several reasons I've stayed out of cybercrime: one slip up does you in and there's so many little things ready to provide that opportunity. I'd be more concerned about mistakes in moving the money, though. I figure I'd be on top of the "stealth control of systems" aspect. ;)
Hey, just imagine a rootkit that flashed the BIOS with a trusted boot code to load the now-encrypted OS/data volume, prevented exfiltration by most methods, and zeroized/bricked everything if its environment changed in a noticeable way. And its operation was polymorphic. That would be a ransomware to see, yeah? I'd rather it stay in my head, though, for my own well being.
Nick: yes I have often thought about that and have decided that moving the money would be the hardest bit. When brain wallets began to come into vogue I tried a few combinations, just for the hell of it and found a wallet with about 80 BTC. I know it sounds terrible but if I knew there was a zero risk way to uh, borrow it I would be tempted. I guess it is human to think like that, right? Right? Perhaps it would have been a learning experience about not using an obvious English language string which my perl script found within an hour. I haven't followed bitcoin for a while but hope people are more careful with their coins nowadays.
Re your rootkit idea. I love it. Kind of like how bombers rig up mercury switches, gyros etc to ensure that any attempt to relocate or disable results in immediate detonation.
While waiting for Rolf Weber's comments I wanted to comment on this paragraph in the article you linked:
What makes MUSCULAR so puzzling is that under the terms of the PRISM program, US intelligence services already have access to the records of both Google and Yahoo! Either Snowden's documents are incorrect or the NSA and GCHQ have decided to cut out the middle man and go for the data directly.
According to The Register there are only two alternatives to how this latest finding can be consolidated with what we have been told about PRISM. But to me it looks like there could be a third option: that MUSCULAR was originally operated as a separate project and was later constructed to feed to PRISM.
So the actual source for PRISM is the technology they built under the MUSCULAR project. But what the NSA "administrators" see is PRISM. So based on this, PRISM could include a set of tools and processes that are used on the NSA side, while MUSCULAR is the technology originally built to tap into Google etc.
@ Nick P, Mike the Goat,
It would appear that the Silent Circle and Lavabit founders have got together to come up with a new EMail protocol that is more appropriate to modern privacy concerns.
I know no more about it than what it says on the above link. However it might be worth watching, if for no other reason than to see their architecture choices and how they intend to make it, as a minimum, NSL-proof.
Thanks for the link. I might sign up and follow the progress on it, maybe offer some suggestions. I hope something good comes out of it.
Of course, I can't help but think: "Wow the two companies whose operations were so unprepared for major govt intrusion that they had to shut down are now leading the effort to engineer a govt proof system." Really qualified for the role, yeah? Least they will be duly motivated.
(Oh, more irony: recall that Silent Circle advertises it has former US Navy SEALs on its team who helped with usability and marketing. I'm sure ex-SpecOps types are the perfect people to have in an anti-surveillance company with code/data the DOD might be interested in. wink)
Clive: interesting! Seems very light on the details. I presume it will be DHT based to remove the risk of exposing metadata.
Nick: agree with you wholeheartedly. It is like hushmail when they were forced to serve a rogue java applet to a govt target, remember that? They should have envisaged this possibility and engineered their system so that they had no way to subvert the encryption process.
A sensible way would be having a "client" that is distributed as source and compiled and attested to by the community. Perhaps use a deterministic build system like gitian. Take the control out of your hands. The whole java applet thing is convenient but dangerous. There should be a client side app that is downloaded once from a reliable source.
Yes all sources could be compromised but at least you avoid a single person being sent the wrong java applet in a targeted manner.
@ Nick P,
The irony of Seals leaving their mark on Silent Circle is not lost on me (nor the potential for puns either ;-)
I suspect one of the reasons no organisation has been prepared for NSLs and their like is twofold:
1, Despite many warnings, few knew what the NSA / GCHQ were up to.
2, Nobody was prepared to fix what they thought was not broken.
As we've seen, a major problem with the Internet is "First to market" is nearly always "Winner takes all"; it applies to the protocols as much as it does to social apps/services. Once established, even if bad, it usually remains and gets incrementally changed, often not for the better. Human nature pushes "quick and dirty" faster than any other solution as a delivery system to perceived market need. With the result that major legacy issues become apparent and unsolvable unless there is a sufficient driver external to the market that causes sufficient users in the market to make a painful transition.
So the question is, have the Ed Snowden revelations provided a sufficient driver to the users in the EMail market to endure the pain of change?
Especially when they realise that it has to be a completely new system and for good and proper security reasons it cannot in any way be compatible with the old totally insecure system, as that will give an "end run" around the security, much to the delight of the NSA, GCHQ et al.
Oh and this problem is not just with EMail, it's with all hierarchical systems used to connect one user to another, such as phones, texting, messaging etc. The design has to incorporate methods to hide routing metadata at all points except the last hop, and to make that secure a recipient needs to have an anonymous and random mail drop communicated to them by another anonymous notification system.
It's an interesting problem to solve and whilst I have some ideas... the problems of secure anonymous notification remain in a system with fluid routing issues.
This is also a key indicator as to why Free Market economics fails when there is not a "distance cost" metric involved, and thus the market invariably fails to a monopolistic market rapidly, with at best a doomed "race to the bottom". Thus the key to success is guessing what the new market is going to be and "getting in first and loud".
What happens is that the "first to market" is usually at best rough around the edges and distinctly lacking in various areas of user functionality. However if there is a need for the market the app solves there are sufficient first users to get it going, and irrespective of whether closed or open source it evolves and the surface rough edges disappear and usability in other areas gets "bolted on". However the core Internet functionality usually remains the same along with all its failings in the security area, which is one reason the NSA, GCHQ et al have been so successful at getting in and staying in.
It is at heart the need for a new market being realised in one or more individuals' heads that drives a quick hack "proof of concept" which then allows this to get major market share, and unfortunately nearly all additions remain quick hacks even long after market dominance and the monopolistic position are well established.
Often the product evangelists / marketers are the last to see when they have sufficient market dominance to switch from bug-ridden "feature creation" to "stay ahead" of the competition, shareholders and other investors, to cleaning up the mess so far produced and establishing stability and then possibly security. And often it's "car crash politics" that finally pushes the change, by which time legacy issues have become a major problem not just for the developers but public relations as well, so often security gets sacrificed entirely to supposed compatibility.
Clive: one could easily run a protocol gateway to allow users to transition from email to whatever the new standard is - just like we did with uucp and fidonet. You could probably even provide some security by designing the gateways to work like the old remailers that existed during the 90s. Of course it will be nowhere near as secure as the new system, as the data would be sniffable from the exit point onwards as it will need to use standard SMTP to interface with the old email services, but at least it will give people an upgrade path.
The new service needs some kind of proof of work system to reduce unsolicited messages. This may take as long as ten minutes on an old processor - but it is necessary as the spammers will be using ASICs or FPGAs. Given most people have a graphics card that supports cuda or similar you'd expect the majority of users to only have delays of a few minutes. You would then need to have the proof of work system scale over time to take into account Moore's Law. Perhaps it can use average time measurements across the network to adjust the delay on the fly. Perhaps the cost of work should increase exponentially if a host exceeds a certain threshold of messages over a set period of time. You could penalize new hosts to avoid them creating many different ones to spread the load and perhaps adjust the proof of work burden based on a web of trust where a score is calculated. The more people on the network that sign your host key as a legitimate and trusted net, the better your score. All endorsements could be time limited or otherwise have some kind of revocation list.
Just a few ideas.
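As an added illustration of the anti-spam scheme sketched in the comment above (not the commenter's code, and not part of any real mail system), here is a hashcash-style stamp whose required difficulty rises with a host's recent message count and falls with a web-of-trust score. The constants, the stamp layout and the function names are hypothetical choices for the demo.

```python
# Added example: adaptive proof-of-work stamps for mail. Constants and layout are
# illustrative; BASE_BITS is kept tiny so the demo finishes instantly.
import hashlib
import secrets

BASE_BITS = 8            # leading zero bits demanded of a well-behaved host
WINDOW_SECONDS = 3600    # window over which a host's recent messages are counted
RATE_THRESHOLD = 5       # messages per window allowed at base cost


def required_bits(history, now, trust_score=0):
    """Difficulty for the next message, in leading zero bits.

    Every extra bit doubles the expected hashing work, so adding one bit per
    message over the threshold is the exponential penalty the comment asks for;
    web-of-trust endorsements (trust_score) buy bits back, never below 1.
    """
    recent = [t for t in history if 0 <= now - t < WINDOW_SECONDS]
    excess = max(0, len(recent) - RATE_THRESHOLD)
    return max(1, BASE_BITS + excess - trust_score)


def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint_stamp(sender, recipient, bits, now):
    """Sender side: try random nonces until the stamp's SHA-256 clears `bits`."""
    header = f"{sender}:{recipient}:{int(now)}:".encode()
    while True:
        candidate = header + secrets.token_hex(8).encode()
        if leading_zero_bits(hashlib.sha256(candidate).digest()) >= bits:
            return candidate


def verify_stamp(stamp, recipient, bits, now, max_age=WINDOW_SECONDS, seen=None):
    """Receiver side: one hash to check the stamp is addressed to us, fresh,
    carries the demanded work, and (if a replay cache `seen` is given) unused."""
    try:
        _sender, rcpt, ts, _nonce = stamp.decode().rsplit(":", 3)
        ts = int(ts)
    except (UnicodeDecodeError, ValueError):
        return False
    if rcpt != recipient or abs(now - ts) > max_age:
        return False
    if leading_zero_bits(hashlib.sha256(stamp).digest()) < bits:
        return False
    if seen is not None:
        if stamp in seen:
            return False
        seen.add(stamp)
    return True


if __name__ == "__main__":
    import time
    now = int(time.time())
    quiet_host = []                      # no recent traffic
    chatty_host = [now - 60] * 9         # nine messages in the last minute
    print("quiet host needs", required_bits(quiet_host, now), "bits")
    print("chatty host needs", required_bits(chatty_host, now), "bits")
    stamp = mint_stamp("alice@example", "bob@example", BASE_BITS, now)
    print("stamp accepted:", verify_stamp(stamp, "bob@example", BASE_BITS, now))
```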
It's nice to see some do-ers out there putting out a product to critique instead of circle jerking and arm-chair quarterbacking; thus hopefully getting some buttsniffers off me and I can get to work (finally...).
--I'd say that the gov't had to go to his house and demand the keys, instead of subverting it, says otherwise. Everyone should take notice of how pissed off Levison seems, b/c he now knows how unfair and BS dealing w/ buttsniffers is.
Mike the goat
I really find it hard to believe you can't find a PC w/ some nasty malware on it.
@ Mike the Goat,
The problem with interfacing to the current email system is, as we know, it's completely vulnerable at almost every level due to its design and usage.
Thus there are many attacks that can be made against it, which in effect puts an end run around any more secure system, both technically and also due to human user issues.
As @ RobertT noted the other day, you have no control over the far end in any way.
However, that aside, there are very real other issues, the first of which is how do I find your details to communicate with you without that being monitored in some way by GCHQ, NSA et al?
The first way is I meet you in person and hand you my business card with some kind of contact point, PubKey etc encoded on it. Obviously this means that I'm effectively giving out the equivalent of my name (PubKey) and address (contact point) unless I generate a new set, one for each and every individual card.
The second way is through a "trusted" intermediary or courier, but trusted or not they still provide a link back that various types of surveillance will reveal.
But both have the issue of knowing where you are physically located at some point in time, which is likely to leave "digital breadcrumbs" or other traceable information.
Most other methods you might consider suffer from these failings.
However there is a way around it; to see it you have to think back in time to when the world was considerably less technology blighted.
The world's largest machine was --and may still be-- the telephone network. Each entity has a unique identity (phone number) and a bunch of non unique data (name, address etc) which when combined together provided another unique or near unique pointer to the phone number. Now back some time ago running a dial in "directory service" was expensive and thus most phone service providers sent each and every subscriber a printed directory every year or six months. In effect it was a "broadcast" service with "memory" and multiple access points. Now these printed directories were not in any way monitored and were also freely available in thousands of places. In effect the directory service worked on the "Broadcast" model with "memory" in the form of a "multiply replicated" "data base" that was "widely distributed" with "multiple access points" for any user.
Thus provided you were not already under very intense surveillance, looking up a person's phone number was a completely anonymous process.
Thus if we build a directory database and put it in multiple places within a suitably anonymous mix network with a couple of extra features, we can replicate the old fashioned anonymous paper telephone directory.
I could go on to describe how to do other bits.
However two points arise. Firstly, all users' computers have to be part of the mix network; there should be no "entry or exit" points and each node should use fixed rate encrypted communications to other nodes with both "null traffic" and "traffic padding" and fixed sized bursts of traffic to many nodes which are randomly rotated. This fixes one or two of TOR's problems. Secondly, each user needs fully distributed and multiply replicated storage within the mix net whereby letters / messages and other information can be held for them in ways that are difficult if not impossible for the various authorities to deal with.
One such way is as a sender I randomly select a virtual node and it gives me a random but unique identifier. I then put the encrypted object at that virtual node under that identifier and I give it a time to live. I then send you, via your directory identity and public key, the virtual node identifier, random object identifier and the decryption key through the mix network. What I put in that encrypted object is up to me, but the minimum amount of information the better. As the recipient, and knowing the encryption key and identifiers, you can change the content of the file to provide other contact info such as another private network identifier and non public public key which can then be used to further communication.
There are a few augmentations that can be added to decouple the communications path further but hopefully I've given you the general idea of a starting point for such a Dark-mixnet service.
Getting this high level protocol correct and making it form a framework flexible enough that many different lower level protocols can be used in a Plug-n-Play way without losing security should be the number one part of the design.
From what the article discusses it sounds like they are starting at way too low a point on the protocol stack.
Thus the link might be secure but it hemorrhages other information that makes traffic analysis relatively simple, and as pointed out on several occasions traffic analysis can be considerably more of an issue for privacy than revealing the plain text.
Also they are making a big mistake with developing the client software themselves; this gives the NSA et al a single point of failure to attack both directly (ie backdoor it or go to jail) or indirectly via errors and malware or other end run attacks.
As I've indicated before it's better that an entirely unrelated organisation or collective outside of the Five Eyes and associated countries writes the software in an Open Source way to a standard that has been produced in an Open way and been peer reviewed by those with a good knowledge on protocol issues and security.
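The mail-drop exchange the comment above describes (random virtual node, unique object identifier, time to live, recipient overwriting the object with follow-up contact details), as an added simulation that is not the commenter's code and not part of any product. `DropNode`, the notice layout and the HMAC-SHA256 encrypt-then-MAC stand-in are illustrative choices; a real deployment would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305, and the mix-net transport carrying the notice is out of scope here.

```python
# Added example: one virtual storage node of the "dead drop" scheme plus the
# sender/recipient steps. Cipher construction is a demo stand-in, not a proposal.
import hashlib
import hmac
import secrets
import time


class DropNode:
    """Hands out random unique identifiers and stores opaque blobs until expiry."""

    def __init__(self, node_id, clock=time.time):
        self.node_id = node_id
        self._store = {}       # object id -> (expires_at, blob), or None while reserved
        self._clock = clock    # injectable so TTL expiry can be exercised without sleeping

    def allocate_id(self):
        while True:
            oid = secrets.token_hex(16)
            if oid not in self._store:
                self._store[oid] = None
                return oid

    def put(self, oid, blob, ttl_seconds):
        if oid not in self._store:
            raise KeyError("object id not allocated or already expired")
        self._store[oid] = (self._clock() + ttl_seconds, bytes(blob))

    def get(self, oid):
        self.sweep()
        entry = self._store.get(oid)
        return None if entry is None else entry[1]

    def sweep(self):
        """Drop every object whose time to live has run out."""
        now = self._clock()
        for oid in [o for o, e in self._store.items() if e is not None and e[0] <= now]:
            del self._store[oid]


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC stand-in: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def sender_deposit(nodes, message, ttl_seconds):
    """Pick a random node, obtain an identifier, store the sealed object, and return
    the notice (node id, object id, key) the sender forwards through the mix net."""
    node = secrets.choice(nodes)
    oid = node.allocate_id()
    key = secrets.token_bytes(32)
    node.put(oid, seal(key, message), ttl_seconds)
    return {"node": node.node_id, "object": oid, "key": key}


def _node_for(nodes, notice):
    return next(n for n in nodes if n.node_id == notice["node"])


def recipient_fetch(nodes, notice):
    """Returns the plaintext, or None once the object's TTL has expired."""
    blob = _node_for(nodes, notice).get(notice["object"])
    return None if blob is None else unseal(notice["key"], blob)


def recipient_update(nodes, notice, new_message, ttl_seconds):
    """Recipient overwrites the object with further contact details, as described."""
    _node_for(nodes, notice).put(notice["object"], seal(notice["key"], new_message), ttl_seconds)
```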
The comment was a clue to a series of problems.
--What if it was leading you down a false path?--Ok just kidding.
I wasn't saying that to you specifically just FYI, meant the programmer so don't misinterpret. At least at that point in time :p
Hey does anyone know about these vehicles? I got flashbacks this morning as I saw one heading towards my house as I go to school. Just wanted to make a public record that I am not making any explosives whatsoever in case some false evidence placing may take place. I thought the ATF was in charge of these things but of course the TSA is expanding and they'll be grabbing my nuts soon enough. As I've said in the past, I ID'd spies from prior intel gathering driving towards my house, presumably waiting for me to leave, as I go to school. When they get to my house they may have found some sensors that weren't set up. So they thought...
Anyway, I'm pretty much done w/ the kiddy spy games breaking into homes and tailing losers and I'm trying to focus on engineering. Stop affecting my grades. And stop being idiots and leave me alone b/c you won't find anything b/c that was long gone eons ago and you've been played for fools morons. You've proved to me just how stupid you all are and can't do real intel gathering as I blew many of your covers in my spare time at my leisure b/c you suck.
Figureitout: I wrote a little attack on the big tech site journos earlier. dragos has been talking of badBIOS for over two weeks and sixteen hours ago arstechnica puts out a story. Now all the tech sites have articles up rehashing the AT story. What counts for journalism these days? A follow the leader mentality (and a 2 week lag on the part of the original tech site that published the first big tech site article).
Re malware - yes it is very hard to find a sample of malware of the complexity dragos is implying. He is now speaking about "auctioning" infected thumb drives. Hardly the openness we expect in the security arena... Mr Popescu claimed in his blog that his claims are exaggerated. I will give him the benefit of the doubt until I see some solid evidence as he is not unknown in the industry (he is behind pwn2own). Extraordinary claims need extraordinary evidence.
Figureitout: if I were you and you truly believe something is afoot then write all your claims down on paper, get it signed by *two* notaries public and lodge it at your attorney's office. It might be a good idea to gpg -c it with a password and upload it to a couple of file sharing systems. Call it "figureitout-evidence.asc" or something. Distribute the password to trusted intermediaries to release if anything comes of it.
What counts for journalism these days?
Mike the goat
--Christ, don't get me started. I'm tired of ranting about failures and I want to see many little projects and more citizen journalism. You all can be your own investigators, if they all suck so much do you own journalism and report it.
--Look, I've made some rather "loud and raunchy" outbursts that there are some extraordinary capabilities w/ malware. Auctioning off the info though is BS; the problem is do you even have the tools to extract the evidence of these kinds of attacks? If you want, give me a PC and I can get it infected. Like, every malware you come across, do you instantly know how to remove let alone find it?
Re: False evidence/Framing
--No, I want to see my points come true; I wanted them to murder me (which I haven't ruled out for reasons I will state if I have a death bed) so I could die proving my point of an out of control police state. I can live just fine w/ some books and food/water and a cage will be nice for my concentration. Any buttf*ckers I will fight in prison. I will waste taxpayer dollars being locked up as this country continues to spiral towards total collapse w/ this heaping mass of derp. It's time to take this sheer stupidity to its logical end.
I wasn't saying that to you specifically just FYI, meant the programmer so don't misinterpret. At least at that point in time :p
No worries my friend! It doesn't bother me. I just don't want to see the moderator banning your angry arse :) and at the same time, I'm afraid I'll lose my control and hit you with a vulgar limerick, and get banned as well. It's so tempting ;)
Mike the goat
--I don't have any "trusted intermediaries" anymore. I guess I might as well make it public that I have lost most to pretty much all my friends, all my international contacts, and all I got is books and my hardware toys and cool software. Not to have a pity party, I'm just stating how far these agencies have taken this stupidity subverting all my networks, all my activities, even the rooms I sleep in again and again and again. And I have done nothing for years b/c of the overwhelming surveillance and seeming infinite supply of new agents I had to adjust to.
--Alright...friend. You could send me an email and it could be totally secret just between you and me and no one else could know about it on yahoo.com :p
I do worry about imposters though saying things that the Mod has explicitly outlawed and then getting me banned. Guess will have to wait and see.
Figureitout: if you get in touch with me I will be happy to put an encrypted statement as a post on my blog that will be archived by waybackmachine and others. Not only that, I can ensure that it is kept at several different locations indefinitely. I don't want to know what's in it for obvious reasons. I am sure someone else on the blog would volunteer to hold the key in the event of you requiring disclosure.
Mike the goat
--I appreciate it, I really do. It's just, how can I trust you aren't another agent... I've done a tiny and I mean tiny bit of searching into you and I've got some possibilities but nothing certain by any means. I'm not going to drag anyone into my problems, I've wasted all these spies' time so they wouldn't be spying on others; soon enough I will be killed/charged/ or just watched and every employer will receive an order to not hire me and they just watch me by myself. What can I say, I loved seeing the reaction on young spies' faces who thought espionage would be exciting when in fact it can be extremely boring and an unbearable waste of time.
@ Mike the Goat,
There may be a good reason for auctioning them off, and that is it acts as a legal stop gap.
In many jurisdictions an auction is not subject to much trading legislation such as "fitness for merchantability". Thus he may well be protecting himself from litigation down the line, which he would not have if he gave them away or sold them. One such is he knows that the memory sticks are probably dangerous and difficult if not impossible to investigate safely without the use of proper tools etc.
All somebody seeking compensation would have to do if they went to court without the auction was show that the seller was not duly diligent in who he sold one to or gave away one to. Courts make comparisons when judging diligence; such comparison of known to be dangerous items might be to firearms or alcohol to minors or fertilizer to terrorists, basically whatever the legal representative of the person claiming compensation can make the judge go with. You would then have to come up with a counter argument, meanwhile the clock is running on the legal costs...
Mike the goat
--Want some computers to analyze? Come to IUPUI in Indianapolis, IN. Look it up, and come. My accounts have "unknown USB" devices making their appearance all but obvious now. I've got some white dot on my screen that is another sign of malware. Just today, I lost access to my "H:" drive b/c there was "no servers" which is total BS so there is more hacking on my school computers which if I really start to hack and investigate I may get kicked out of school. So I had to waste a lot of time working on a programming project, redoing a bunch of work. B/c they lock each computer and then kick me out and I have yet to get legitimate access to a lab.
Clive: his official explanation was that he was auctioning them (or intending to) to cover expenses - he claims that he has bricked several machines during his "research" and thus wants to claw back his losses. Sounds plausible but very iffy. Re merchantability - I assume selling the items for, say $40 USD (he recoups the postage and makes a little on the side depending on the buyer's proximity, and he can't be accused of profiteering - at least not to the extreme). He could also require a completed waiver. Not saying it is water tight, but you know. I think legal issues are not the driving force here as he has already put some suspected infected files online.
Figureitout: you can't be sure that I am not an agent. But if I act in your interest and publish your "evidence" files then it is irrelevant what my motives are.
And more than surprising, the news has not mentioned "the British" involvement in eavesdropping on Germany's "Mummy Merkel's" telephone conversations...
Whilst the US almost certainly wanted the intel, it's been less mentioned that the original BRUSA (now UKUSA) two are thicker than thieves, and oddly, whilst the NSA do a lot of the back end and equipment manufacture, it's the UK mainly doing target selection and being on point, getting their hands dirty, especially when it comes to spying in Europe.
UKUSA is of course the same 100+ year old "Anglo-American World Power", just a different label. Anyway you are correct that it is surprising that the UK's role in this spying has not been highlighted more in the reporting.
Germany should be equally upset on UK as they are on USA. And it is not just Germany that should be angry because it is surprising there does not seem to be much complaints from other European governments.
Maybe it is a bit halfhearted reporting? Or the article writers want to avoid stirring the pot too much? Or they got orders to avoid mentioning UK so that Merkel can do the public show of complaining on US without risk of anything changing too much?
After all maybe (some folks in power in) EU countries have asked for this surveillance so that they can keep an eye on (some other) folks in power?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.