Friday Squid Blogging: "What Does the Squid Say?"

Minecraft parody.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on December 20, 2013 at 4:21 PM • 97 Comments

Comments

franc • December 20, 2013 6:47 PM

Pompei: Reuters is reporting that the NSA paid RSA, inc. $10 million dollars to use what both sides knew to be a flawed formula for generating random numbers in the RSA product BSafe (software).

Was the RSA compromise a while ago related to Dual_EC_DRBG?

Toni • December 20, 2013 7:45 PM

Well now...

It certainly appears at first glance that the friendly folks at RSA will be having a very bad weekend. And a Monday from hell.

10 million.

Seems cheap for this kind of thing, if true. Very cheap.

And dangerous.

kashmarek • December 20, 2013 8:40 PM

@Pompei:

I worked for a company that used the RSA devices extensively. However, we hit a point where we were informed the devices had "failed". All had to be replaced.

Now, was the "failure" due to the Reuters discussed event, or was this a false positive to force all the devices to be replaced with versions that were now breachable?

Methinks the latter, but only the timing of the event would tell. I no longer have that information.

BlackAngel • December 20, 2013 9:29 PM

NSA spying cost Boeing 4.5 Billion dollar project.

http://yro.slashdot.org/story/13/12/19/141251/us-spying-costs-boeing-military-jet-deal-with-brazil

NSA, British spy agency targeted... aid agencies

http://www.washingtonpost.com/world/national-security/2013/12/20/b44f9314-6992-11e3-8b5b-a77187b716a3_story.html

(I love what the first commenter there had to say:

Ed Gray

"It's a good thing NSA is keeping an eye on UNICEF. I'm positive those hungry kids are just Taliban recruits. I hope the NSA is also watching the Salvation Army and the Red Cross and the Girl Scouts. There is an endless list of these so called charities that are most likely raising money to fund terrorist groups and undermine America's economy. The disabled Vets and other deserving groups should live in abject poverty so we can finance our spying operations. I can sleep much better at night knowing them Thin Mint cookies won't explode.")


Opinion: Would be nice if people stop apologizing and justifying these excesses. It will only get worse. It is also bad intelligence -- clearly they are not professional enough to keep their own secrets. They should not be paid to be doing this work.

Snowden, an amateur - without even training in what he did - out did them all.

They are too busy getting angry at Snowden to realize they are forgetting to plug the holes of their own sinking ship.

Being on the wrong side of history for the rest of eternity is a bitch... they might want to get two seconds thought towards that instead of "oh I hate that guy and these critics, but here I will take my stand".

These intel clowns have done far more damage to the US than the KGB ever dreamed of doing in their wildest fantasies.


sparkygsx • December 20, 2013 10:16 PM

@BlackAngel: I think (or actually, hope) your sarcasm detector needs to be recalibrated.

Mike • December 20, 2013 10:43 PM

@BlackAngel
"Snowden, an amateur - without even training in what he did - out did them all. "

He was an insider. Any one insider could have done this. He's not THAT special. Inside jobs in general aren't all that remarkable.


Garfield • December 20, 2013 11:19 PM

This is about Telegram which is an application created by the founders of VK (originally called VKontakte, Russia’s largest social networking platform). According to a TechCrunch article, "Telegram is a new messaging app that offers speed, security and features such as secret chats with end-to-end encryption and self-destructing messages".

Telegram issues $200,000 in Bitcoins challenge to crack code
http://telegram.org/crypto_contest
Telegram backer, Pavel Durov, will give $200,000 in BTC to the first person to break Telegram's encrypted protocol. Starting today, each day Paul (+79112317383) will be sending a message containing a secret email address to Nick (+79218944725). In order to prove that Telegram crypto was indeed deciphered and claim your prize, send an email to the secret email address from Paul's message.
[...]
Encrypted Telegram traffic from and to Paul’s account is publicly available for download from this page. You can send Telegram messages to Paul and view his traffic in real time.

DB • December 21, 2013 12:04 AM

@garfield aren't email spammers already claiming the $200k prize? if we can take a page from the NSA's book, we shouldn't necessarily directly attack the crypto, but try to cheat... it's much cheaper, easier, and more effective...

BJ • December 21, 2013 2:58 AM

News:
The National Security Agency’s oversharing problem -
Ars talks to an ex-NSA pro who filed unlawful sharing complaints—only to be shunned. http://arstechnica.com/information-technology/2013/12/the-national-security-agencys-oversharing-problem/

Critics: NSA agent co-chairing key crypto standards body should be removed -
There's an elephant in the room at the Internet Engineering Task Force. http://arstechnica.com/security/2013/12/critics-nsa-agent-co-chairing-key-crypto-standards-body-should-be-removed/


Judge: NSA domestic phone data-mining unconstitutional http://www.cnn.com/2013/12/16/justice/nsa-surveillance-court-ruling/

US changes its mind, tells FISA Court it’s cool to publish metadata rulings -
Justice Dept. drops objections against ACLU case as it faces pressure elsewhere. http://arstechnica.com/tech-policy/2013/12/us-changes-its-mind-tells-fisa-court-its-cool-to-publish-metadata-rulings/

Polynesians may have beat computers to using binary -
A mixed binary/decimal system may have made some calculations easier. http://arstechnica.com/science/2013/12/polynesians-may-have-beat-computers-to-using-binary/

Clive Robinson • December 21, 2013 6:13 AM

Off Topic:

A question for people to ponder...

    "Childrens games as a security issue"

I don't know how many people remember the original Furby toy; it looked cute and would randomly say things. However it was also apparently irresistible to some adults as well, and they started popping up all over the place on top of computer monitors, some in secure areas.

Back then apparently a story did the rounds about Furbys acting like "parrots" that would listen and repeat phrases "they heard", and this story got extra legs when one or two government secrecy related departments banned them.

Since then quite a few children's toys that look cute have become "parrots" and will record speech and play it back, and some are getting quite sophisticated in what they can do. We have also recently seen stories of "white goods" and other household electrical goods with built in WiFi being used for various questionable or illegal activities (it's been difficult if not impossible to get the "real goods" on these stories for various reasons).

Now I know of at least one gaming platform with in-built WiFi, microphone and cameras which at best has very poor security (considerably less than smart phones), where some game cartridges turn on the WiFi even where it's been disabled in the console's setup menu, and go hunting for WiFi access points and other games consoles to either connect to the Internet or set up what is in effect a mesh network.

Having had my curiosity activated I hunted out a second hand unit and some "unapproved" developer software which has been used to make unofficial games or put other OS's (linux etc) onto the device's ARM processor. With only a scan around the Internet it was possible to find information for "homebrew gamers" to access the WiFi, Mic and cameras, and it appears from minimal probing to be accurate...

So the question comes to mind: how long before a game is released that can be used as a bugging device, using either the Internet or a mesh network to the Internet to spy on chosen people via their children's toys?

Further, could other sensors such as bluetooth headsets be likewise accessed?

But at another level there is still the "cute" aspect of toys ending up on or around peoples work computers. In commercial environments many systems are "air gapped" at the standard connector level but sit on the same desk as non air gapped systems. So cute toys could be used to pick up "sound" which we now have sufficient "public knowledge" to know is a viable channel to exploit for APT type attacks.

I know it sounds "big brother" but it's something we should consider as more and more toys / appliances get these SoC devices put into them, especially when looked at in terms of the "network of things" that is being heavily pushed by marketers and Gov regulatory bodies (smart meters etc).

name.withheld.for.obvious.reasons • December 21, 2013 6:33 AM

It appears that the first mea culpa by the United States has been expressed by the former ambassador from the U.S. to Brazil (2009-2013), Thomas Shannon. With Brazil's purchase of aircraft from the Swedes (leaving the United States company, Boeing, with the loss of a sale of a number of aircraft), the United States is starting to feel the pain of being castigated by the victims of the actions of the United States. During a talk given at the Wilson Center on Thursday, Shannon expressed the situation as "We have met the enemy, and it is us."

With this development, the estimate about the losses to the United States economy due to the actions of the NSA could reach well past the original numbers estimated by many to be in the $30 billion dollar range. I wonder how many millions/billions the aircraft sale was to be realized by Boeing...what's ironic is Boeing, via SAIC, is involved with the NSA. Talk about shooting yourself in the foot.

Shannon also talked of the interest in the asylum status of Edward Snowden; it is obvious that the United States cannot operate unilaterally. Petitioning Brazil to help with granting of asylum of Mr. Snowden, the relationship between the two countries has a new importance. The United States is hoping to quash the attempt by Mr. Snowden to successfully exit Russia. Apparently the position of the United States is to clean up the mess that the United States finds itself in. One of the questions is "What is it going to take to get Brazil back to the table?" (I'm paraphrasing). Shannon also expressed that it sell Brazil on the United States intelligence services, including the need to suppress cyber threats (is this a veiled threat?). In my opinion it appears that the talking points are starting to be developed (don't know if they're using Brazil as their NSA scandal clean-up focus-group).

The more general issue of the NSA scandal, a question from an audience member expressed concern about the level of "trust" given what's known about the programs run by the NSA. It appears that Bruce's book "Liars and Outliers" has come semi-circle with respect to his thesis. Way to go Bruce.

I believe a friend of mine who rarely contacts me (a VP of research at a Telco) sent me a e-mail possibly in an attempt to reach out to a friend. There will be many people involved in the NSA scandal that are going to need a/their friends.

65535 • December 21, 2013 7:09 AM

@ Clive

“..the question comes to mind how long before a game is released that can be used as a bugging device, using either the Internet or a mesh network to the Internet to spy on chosen people via their childrens toys?”

I would guess not long. If RSA is willing to get in bed with the NSA for $10 million you can imagine how quickly a marginal or money losing game maker would do the same. A cheap game maker would probably do it for a cube of C notes. This will only make USA made products unattractive for foreign buyers.

[Reuters]

“Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.”

RSA sold their customers a “secure” product only to stab their customer’s in the back – for a relatively small sum in dollars. Is there any way to sue RSA for their gross business misconduct?

Figureitout • December 21, 2013 8:17 AM

Clive Robinson
"Childrens games as a security issue"
--Oh you mean spy games? :) Which gaming platform was it?

And the furbies...jeez trying to hold back the lulz, broke a few of those back in the day. Here's the best hack job of one from a quick search by me, and a quote from it:

Digging into this lead, I learned that Furbys in fact perform inter-device communication with an audio protocol that encodes data into bursts of high-pitch frequencies. That is, devices communicate with one another via high-pitch sound waves with a speaker and microphone. #badBIOS anyone?

And the bluetooth, cmon you know the answer to that one too; hence I act like a child "chucking the toys out the pram" anytime I hear that word and it's being burned into every chip...

Nick P • December 21, 2013 9:29 AM

@ Garfield

Good to see work in the area, esp published source and API's. What bothers me a little though is these points all being made together in the FAQ:

"Telegram is cloud-based and heavily encrypted. As a result, you can access your messages from several devices and store an unlimited number of photos and videos in the cloud. Thanks to our multi-data center infrastructure and encryption"

"We believe in fast and secure messaging that is also 100% free. Therefore Telegram is not a commercial project. It is not intended to sell ads, bring revenue or accept outside investment. If Telegram runs out of money, we'll invite our users to donate or add non-essential paid options."

So, it's a cloud-based crypto solution with a bunch of datacenters, clients on two platforms, and no business model. Sounds legit.

@ 65535

"RSA sold their customers a “secure” product only to stab their customer’s in the back – for a relatively small sum in dollars. Is there any way to sue RSA for their gross business misconduct?"

Like I said before, people often word this situation like RSA sold hacker bait crypto that black hats everywhere were compromising to get NSA money. That's far from the truth. The backdoors could only be accessed by the NSA, the protection against other threats remained, and the NSA would have switched to coercion if they didn't take the money.

As Bruce's book indicates, the pressures both within RSA and from govt said "take the money, cooperate, don't ruin the business over an issue Americans don't even vote about." The option they picked was rational at the time. That said, it's safe to say that no American technology product can be trusted to be free of subversion from NSA because their pressures are highly effective (and big companies highly selfish). The foreign companies racing away from American software/hardware are entirely justified.

They better be careful, though, that they don't inadvertently run right back into America's arms via one of its foreign subversions.

Unokoshi • December 21, 2013 10:29 AM

Just as a spin-off of the discussions of security: as most popular systems like Windows, Linux and the Unixes are often spoiled by design, what about OSes which were designed from scratch with very serious decisions about security and ways of restricting apps, users and external hardware? I know a system which had a lot of these on very basic layers - Inferno OS. I examined it a few years ago and it was really surprising regarding the design of the OS and the ideas behind it. Namespaces, easy ways to restrict apps, etc.

Figureitout • December 21, 2013 11:35 AM

Potential home intrusion by agents on Jacob Appelbaum. It's why in my ideal security setup, w/ likeminded individuals, someone is always awake and occupying the residence. Any real opsec like a previous commenter, where you don't have utilities in your name, constantly moving, disguises and new clothes/shoes. Eventually it gets unrealistic (except for agencies that waste money and play the waiting game for targets to go to work or try to have a life) and stupid so it's a losing path and will lead to crappier and crappier intel being gathered until there's no trust or new advances.

BlackAngel • December 21, 2013 12:57 PM

@BlackAngel: I think (or actually, hope) your sarcasm detector needs to be recalibrated.>>

You misread my post. Not sure where.

@BlackAngel
"Snowden, an amateur - without even training in what he did - out did them all. "
He was an insider. Any one insider could have done this. He's not THAT special. Inside jobs in general aren't all that remarkable.>>

I see, that seems an unusual opinion to me. I have found inside jobs - especially in intelligence - to be extremely remarkable. Kim Philby to Robert Hanssen... really bizarre and fascinating stories.

And there are plenty of fascinating whistleblower stories, under which category Snowden falls.

All of these insiders, even those working for intelligence, were amateurs, however. Some received some training, technology, intelligence, resources. Some definitely had career boosts from the foreign agency they worked for that enabled them to crawl higher on the ladder.

But largely they all made it and continued by their own cunning.

Snowden clearly worked alone, and like Manning, had the advantage of the extraordinary incompetence of the agencies he worked against.

I do not think Snowden got data which truly needs to be gotten, and is likely much more well hidden. For instance, how are they using this data? Likely they have large programs of extortion, sabotage, harassment, and many other forms of malfeasance.

Probably they are using this data for financial empowerment and political control, as Hoover and totalitarian states use it for.

BlackAngel • December 21, 2013 1:03 PM

@Figureitout

'Potential Home Intrusion'


No doubt they do, and any of these guys are heavy on intel agencies radars. I would stick to having cameras that are highly secret and wired, not wireless, with timestamps and the like in that situation. Whole point is "let them come" but get evidence when they do to throw to the media.

Where you *want* them to take such bait.


Brandioch Conner • December 21, 2013 1:07 PM

@Nick P

The backdoors could only be accessed by the NSA, the protection against other threats remained, and the NSA would have switched to coercion if they didn't take the money.
While I agree that all of those points are completely correct today, all it would take would be for someone like Snowden to release the exploit info and then there is a problem.

Or for someone to be able to be threatened or paid for that info now.

And being able to switch to coercion of a company is a different kind of problem.

Nick P • December 21, 2013 1:50 PM

@ Brandioch Conner

"While I agree that all of those points are completely correct today, all it would take would be for someone like Snowden to release the exploit info and then there is a problem."

It's very unlikely to happen. It's possible though.

To be clear I'm not supporting their efforts. I just take issue with people talking like the RSA issue was equivalent to leaving a bunch of kernel overflows in their product of the sort vanilla hackers find. It implies people were at much more risk than they were.

Not that NSA hasn't done that sort of thing in the past... They deserve all the harsh judgement they can get in such situations. Just not the RNG attack.

NobodySpecial • December 21, 2013 2:20 PM

@Nick P
So RSA either put in a backdoor for the NSA which will immediately have been leaked by a crooked/incompetent/blackmailed employee at RSA or NSA. Or they weakened the crypto so that the NSA would be able to break it and of course nobody else would be able to (when did you last hear of a Russian/German/Chinese/Israeli/Japanese mathematician?)

So not only is RSA's value as a brand now zero and will be after the shareholder lawsuit - what are the other effects?
Did any US company discuss anything vital to the US interests using this encryption? Do we assume that is now all in the hands of the opposition?

Nick P • December 21, 2013 2:38 PM

@ Clive Robinson, RobertT

Self-clocking logic to defeat timing channels

Clive used to tell me to avoid timing channels by using self-clocking or asynchronous logic. I decided to look into the stuff due to recent discussions. I found this excellent paper you guys might like that does several things:

1. Enumerate many side channel attacks and countermeasures.

2. Discuss attributes, pros and cons of asynchronous logic.

3. Design an asynchronous processor for cryptographic operations.

http://www.era.lib.ed.ac.uk/bitstream/1842/860/1/Spadavecchia_thesis.pdf

Pretty nice work. Done in 2005. Good news is that there are ARM and MIPS chips built with this kind of logic already. Any security enhancing tech targeting those architectures can realize timing channel resistance more quickly. And I'll add that the APT group behind the ARM chip has a lot of interesting work in self-timed DSPs and NOCs on their web site.

Figureitout • December 21, 2013 2:39 PM

BlackAngel
--Problem is having some sort of trigger that is robust for movement/heat (which could be animals or trees/leaves blowing around) and leaving timestamps to check footage. Otherwise you're watching a lot of film. Many-a-traps I have laid though; they do go for bait easy and reveal themselves.

All RE: RSA subversion
--At some point, you have to wonder, since it is a US company, could this be a foreign intel operation? What if Gen. Alexander is a foreign agent? If our country is so stupid as to attack its own companies then I guess we should all start learning Mandarin.

Nick P • December 21, 2013 3:22 PM

@ NobodySpecial

"So RSA either put in a backdoor for the NSA which will immediatley have been leaked by a crooked/incompetent/blackmailed employee at RSA or NSA. Or they weakened the crypto so that the NSA would be able to break it and of course nobody else would be able to (when did you last hear of a Russian/German/Chinese/Israeli/Japanese mathematician)"

In a nutshell yes. That means the tech could protect companies from almost everyone they were worried about. Only the most sophisticated, well-funded attackers could break in. Attackers who... always broke in anyway without RSA's help. Let's face it, running Windows or UNIX-based platforms in the way companies typically did gave attackers much more opportunities in than any RNG flaw.

The one thing they didn't count on was Edward Snowden. (And some good academic research before him.) Had he not leaked the information, much of this would still be going on in secret and the US companies would still be making money while sleeping at night. So, taking the NSA's side isn't what hurt their brand or bottom line. The disclosure was what did it. Rightly so I'll add. It's like any risk: it can pay off or bite you in the ass. It paid off for a while, then they got the fangs.

"Did any US company discuss anything vital to the US interests using this encryption? Do we assume that is now all in the hands of the opposition?"

We don't assume anything. We act on evidence. The evidence will be a combination of what is known and what is probable. My assumption for ten years was that any US telecommunication was tapped and traceable. The evidence was that they constantly sought to do that publicly, were caught making deals with US companies in the past (eg Lotus), and did similar things privately to foreign countries. It was probable that they'd succeed so I assumed they had access to anything running unprotected through US companies, servers, crypto products, etc.

It rationally followed that their attacks would only get better. Hayden's transformation meant that their operational effectiveness would as well. That's why I advocated use of multinational designs for secure comms multiple times on this blog and used it in the past. Most recently, I enumerated many options for chips and software that have a low probability of U.S. subversion. I've enumerated designs to prevent most attacks by even sophisticated opponents domestic and foreign assuming the chips are clean.

Remember that I've done plenty and for free to help people get secure. The reason for our problems is that voters put power into bad people's hands and bought products that traded off security/privacy for everything else. The surveillance state followed. The NSA and RSA deal followed that.

My honest reaction on RSA hack...

Our systems from hardware to protocols have tremendous inherent vulnerability that makes security hard and subversion easy. People lose real money and I.P. due to this all the time. In foreign countries, some lose their freedom or their lives. The marketplace profit incentive (and lemons market effect) means they've continually produced false or flawed security offerings. This hasn't changed for decades.

So, it's hard for me to see why people would trust a US govt supplied RNG in a closed-source commercial product of a U.S. publicly traded company with a tight relationship with US govt to be safe against US govt subversion. And be extremely pissed off when a tiny risk is present there, while continuing to use insecure systems that hackers target regularly with losses estimated in billions.

People's priorities and expectations are sometimes mindboggling to me.

EDIT TO ADD: modular, open source software is your friend if you're really worried about backdoors. People rarely were hacked because they started with OpenBSD+Botan instead of Windows+RSA.

@ figureitout

"-At some point, you have to wonder, since it is a US company, could this be a foreign intel operation? What if Gen. Alexander is a foreign agent? If our country is so stupid to attack it's own companies then I guess we should all start learning Mandarin."

I doubt it but it's a good idea. A movie with that plot, done using our laws and Congress people's real statements defending NSA, might be just the thing that's needed to get lay people worried enough to push Congress. Enemy of the State did so much damage to NSA's reputation that they still gripe about it. I think it's time for a sequel.

Aspie • December 21, 2013 3:32 PM

Time to pull out that old speak-n-spell and have a closer look at its innards. Anyone see In The Loop where the late James Gandolfini was sitting in a girl's bedroom calculating troop numbers on a girl's clamshell calculator that spoke out the numbers?

Happy nonsecular consumer-oriented break to you all.

RobertT • December 21, 2013 4:40 PM

@Nick P
I'm not a big fan of self timed logic because it typically increases the sensitivity to DPA attacks. However IF DPA is not on the threat list then I can certainly understand the attraction of self-timing. Unfortunately self timing systems also typically increase the instruction timing sensitivity of the data path; all they really do is to create an observability problem (as in which cycle did it end on... oops, no cycles). I think of self-timed logic timing channels as being the equivalent of Doppler shifted RF transmission: the signature is the same, all that happens is that it dilates or expands in the time domain. If you can discover the frequency change then it is easy to undo every advantage that self-timing creates.

Personally I'm more interested in fixing timing channels by focusing on matching the clock cycles for all operations so that Branch-Taken and Branch-Not-Taken always have the same number of cycles; similarly multiplies do not exit early because the upper bits are zero. There are many Real-Time operating systems where this style of programming is very desirable, so maybe security guys need to learn some tricks from RTOS guys.

I realize that what I'm saying is not really practical because many of the operations that cause timing channels are not really accessible at the applications programming level AND as a programmer you don't want to give up the execution speed advantages of skipping unnecessary cycles.

I think it all comes down to understanding the capabilities of your adversary, script kiddies are easy to confuse, top class state-level guys have a few more tricks up their sleeve.
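As an added illustration of RobertT's point about giving the taken and not-taken paths identical cost (example code added here, not from any commenter): an early-exit byte comparison whose read count leaks how long a matching prefix was supplied, beside a constant-time comparison and a branch-free select. The tag bytes are constructed sample data, not keys from any real product.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 16

/* "Before": returns at the first mismatching byte. The number of bytes read
 * (and hence the run time) depends on where the first difference lies,
 * which is exactly the data-dependent branch RobertT warns about. */
int compare_early_exit(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;     /* leaks the length of the matching prefix */
            return 0;
        }
    }
    *steps = n;
    return 1;
}

/* "After": always walks all n bytes and folds every difference into an
 * accumulator with OR, so the loop count never depends on the data. */
int compare_const_time(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    *steps = n;
    /* Collapse diff (0..255) to 1 if zero, 0 otherwise, without a branch:
     * (diff - 1) underflows to all-ones only when diff == 0. */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Branch-free select: x when flag == 1, y when flag == 0.
 * mask is all-ones or all-zeros; no branch is taken on the secret flag. */
uint32_t select_const_time(uint32_t flag, uint32_t x, uint32_t y)
{
    uint32_t mask = (uint32_t)0 - (flag & 1u);
    return (x & mask) | (y & ~mask);
}

/* Constructed sample: an expected tag and a guess that agrees with it for
 * the first `prefix` bytes and differs in every byte after that. */
static void build_guess(size_t prefix, uint8_t expected[TAG_LEN], uint8_t guess[TAG_LEN])
{
    for (size_t i = 0; i < TAG_LEN; i++) {
        expected[i] = (uint8_t)(0xA5 ^ (i * 37));
        guess[i] = (i < prefix) ? expected[i] : (uint8_t)(expected[i] ^ 0x01);
    }
}

/* Bytes read by the early-exit compare for a guess matching `prefix` bytes. */
size_t early_exit_steps(size_t prefix)
{
    uint8_t e[TAG_LEN], g[TAG_LEN];
    size_t steps;
    build_guess(prefix, e, g);
    compare_early_exit(e, g, TAG_LEN, &steps);
    return steps;
}

/* Bytes read by the constant-time compare: always TAG_LEN. */
size_t const_time_steps(size_t prefix)
{
    uint8_t e[TAG_LEN], g[TAG_LEN];
    size_t steps;
    build_guess(prefix, e, g);
    compare_const_time(e, g, TAG_LEN, &steps);
    return steps;
}

/* Result of the constant-time compare: 1 only when the whole tag matches. */
int const_time_result(size_t prefix)
{
    uint8_t e[TAG_LEN], g[TAG_LEN];
    size_t steps;
    build_guess(prefix, e, g);
    return compare_const_time(e, g, TAG_LEN, &steps);
}

int main(void)
{
    for (size_t p = 0; p <= TAG_LEN; p += 5)
        printf("prefix %2zu: early-exit reads %2zu bytes, constant-time reads %2zu bytes\n",
               p, early_exit_steps(p), const_time_steps(p));
    return 0;
}
```

Source-level constant time is only half the job: an optimising compiler may turn the mask tricks back into branches, so check the emitted assembly for the target before relying on it.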

Clive Robinson • December 21, 2013 5:14 PM

With regards the NSA paying RSA to "back door" stuff people are not asking themselves a simple question,

    What did the NSA ask for and get for the money?

The problem is that everybody is arguing from effect to cause with 20-20 hindsight, which as I've frequently said is "not science" and can be used to portray all manner of falsehoods, which forensic investigators frequently do and falsely call it evidence.

Thus try asking the question as though you are the NSA and you want to get RSA to do something but without telling them why (which is the lesser part of the practicing of "finessing").

If it was me I would explain like an "off the record source" that Gov procurement policy was changing and it was going to move in direction Y (ie the use of the suspect EC-RNG). After all it was no secret that is what the NSA, acting in its advisory role to NIST and various Gov Orgs, was doing. I would say that it was likely that suppliers who supported the new standard would get preferential treatment on contracts in future.

Having "primed the pump" I would then get a little while later some kind of secret request to tender or equivalent organised and sent out to look like it was from the DoD with the illusion of "every serviceman gets one".

You then actually find some excuse to pay the R&D + Setup costs for a compliant product and a sufficiently large order to justify it (for which 10mill for a few thousand units might be reasonable). By then putting out orders from other Gov Depts that make use of the unit effectively compulsory for civilian contractors you get the product into market, the word will go around and fairly soon others will buy them simply because it effectively got the US Gov "seal of approval"...

And the joy of the EC RNG, like the BBS RNG, is it is secure unless you know the magic secret numbers, which can be seen in analogy as like the RSA algorithm's P&Q primes which make both the private and public keys. In effect the EC RNG given in NIST's specification used the "public key" and the NSA --might-- have the "private key".

So yes the NSA --might-- have the ability to predict all users of the EC RNG but nobody else could unless they knew how to get back to the secret numbers to recreate that equivalent of a "private key". And currently it's believed that you can't do that even as a "state level" adversary, no matter how good your mathematicians are.

The point is that the NSA need never have told RSA the why of what the EC RNG --might-- have been designed for. In fact I would consider it highly unlikely that they would have, when all they had to do was play "lead the donkey" by hanging a suitable "commercial carrot" in front of RSA's management and that of their parent company.

After all it looks like this is what was done with Microsoft, only Niels Ferguson thought "why is this lame old dog of a protocol" being used and went looking for the "magic ingredient" that the NSA believes it's got but won't tell. And he might well have been assuming it might lead him to the next Differential Cryptography technique as had lain hidden in DES. I bet it was quite a shock when he realised what it was: a --potential-- backdoor.

After all, if the NSA had been "telling people" the real reason, do you really think Microsoft would have let him investigate, let alone publish his findings?

Mike • December 21, 2013 6:09 PM

@BlackAngel
"I see, that seems an unusual opinion to me. I have found inside jobs - especially in intelligence - to be extremely remarkable."

Insiders, especially in intelligence, are technically supposed to be cleared and trusted personnel. Moral codes aside, I don't think much credit is deserved for them to misuse their trust and walk out with secrets, amateur or not. It's simply a trust based system. Now had an uncleared, outsider somehow gotten access to the same info via other means, that would be far more remarkable.

Clive RobinsonDecember 21, 2013 6:36 PM

@ Nick P,

    Clive used to tell me to avoid timing channels by using self-clocking or asynchronous logic

Err I think something has got a little lost in translation.

What I've said in the past is "clock the inputs and clock the outputs" and "fail hard and long on errors" and that "each segregated block should use its own clock" to do it. Whilst this means that the connecting interfaces of two blocks are asynchronous to each other I did not intend to imply the logic inside a block was asynchronous.

Doing this stops the block being transparent to low bandwidth covert time channels from previous stages that communicate by adding either edge jitter or packet jitter (like the Keybugs trick Matt Blaze and his students published). Or for that matter phase/frequency modulation of the clock signals.

As it happens I'm very much against logic that does not use a properly designed clock signal. That is "self clocking" by being the equivalent of a simple free running feedback oscillator using gate delays to generate the effective clock [1]. Because of the principle of "injection locking", whereby you inject a signal at about the same frequency into the logic and the logic in effect "locks up to the signal" in the same way as the chroma signal locks the colour oscillator in either an NTSC or PAL analog TV system.

I'm sure I've mentioned on this blog before I corresponded with Ross J Anderson about this problem when he was investigating self clocking logic to mask DPA signals in smart cards back in the 1990's (it was one of the first tricks I exploited for "fault injection on an EM carrier" back in the 1980's). And very shortly thereafter he dropped self clocking and started investigating other avenues.

I also informed the supposed discoverer of DPA about this issue, however he chose not to discuss it and then went on to seek patents for anything and everything he could to do with DPA. And as a result killed it as a field of endeavor in the US.

[1] One way of self clocking at the TTL chip level is to use an XOR gate with one input tied directly to a signal and the other input to the same signal but with a small RC delay element. The result is a narrow clock pulse every time the signal changes state. You then --after clean up / debounce-- use the trailing edge of this pulse to clock your output latch. You see this sort of thing on the output of differential shaft encoders to generate "direction" signals as well as the rotational angular displacement clock. The same clock pulse can be slightly further delayed and used to clock your input latch for the next cycle. The signal you use has to be selected with some care in that it needs to have the longest path delay in a given block and importantly change state for any change of input state, which often means using a converter on all inputs gated by the longest delay path. One such converter is to compare each bit either side of the input latch signal with an XOR gate; these all feed an OR gate to generate the "change" signal into the longest delay gate. All in all it's too much effort and gate real estate for too little gain, and that's before you take into account metastability issues with the latches.

DanielDecember 21, 2013 7:57 PM

@Clive Robinson

Your post about RSA was a really long-winded way to say, "Hey guys, maybe the RSA was just dumb." In my view, however, that is to some degree even worse than being bribed. Someone who can be bribed away from you can be bribed right back to you. Dumb is usually not fixable.

kashmarekDecember 21, 2013 9:04 PM

Found on SlashDot:

http://tech.slashdot.org/story/13/12/21/2011253/ford-engineers-test-predictive-logic-to-improve-cruise-control

This most likely belongs in the "what-could-possibly-go-wrong-dept".

Logically, automotive control systems will be one of the big targets, foremost for stealing the cars, and most likely for hijacking cars (probably even by law enforcement). With a speed adjusting routine in the computer, a malware invasion could target the driver's ability to properly control the speed. Start looking for "hold harmless" clauses in car contracts to relieve all vendors from any responsibility for how these systems perform, be it the car, deaths, or injuries (seed companies already have such clauses for farmers using their seed).

kashmarekDecember 21, 2013 9:19 PM

By the way, in the predictive speed control on the Slashdot story, that same car company was at one time talking about their car seat that would collect health related data on the occupants, most notably the driver (a captive audience sitting in a suitably wired sensor arrangement that can take your pulse, monitor your breathing rate, take your temperature, probably get your blood pressure, and with a head scanning unit and breathalyzer above the driver, see what you are thinking and determine what you have been drinking...hmm...add a sensor below the buttocks and determine what gas molecules you are emitting - a literal trove of information).

And, the data can be combined with measurements on how you are driving, and since the car manufacturer is not covered by HIPAA, sell the data to insurance companies, credit bureaus, law enforcement, and whomever else wants to use such information to blackmail you. Oh, and based on our experience with NSA data collection, anybody on the planet should be able to get this data.

Clive RobinsonDecember 21, 2013 11:58 PM

OFF Topic :

Over at,

http://ethanheilman.tumblr.com/

Ethan Heilman is trying to put together a historical list of NSA Backdoors, and he's asking for "any other info" to be added at,

https://news.ycombinator.com/item?id=6947133

(Which for some reason does not want to play with my web browser and gives off useless messages about login not matching...)

So any way if Ethan passes this way he can pick up my comments below,

It is known that at least one US Army mechanical cipher had built in backdoors.

The reason was that mechanical ciphers would fall into enemy hands and would thus be copied and used by them (which is the reason by the way that the likes of the Five-Eyes only deploy systems they know how to break and importantly how long they are secure for).

The backdoor was to have different key strengths in the key range. Depending on whose giving the details, about 20% of the keys were strong, 40% moderate, 15% weak and 25% very weak. However you would only know this if you had sufficiently advanced maths skills.

The trick was the US Army key schedules only included the 20% strong keys whilst an adversary would most likely use random keys or keys calculated by some formula which would in effect be random. Thus on average one in four keys would be quickly and easily broken and the information recovered used to help build catalogs of "probable words/phrases" and add background to traffic analysis.

The catalogs enabled even the strong keys to be broken so on average around 25% of signals could be read in real time (often faster than the enemy) and a further 30-40% in near real time with over 80% read within a few hours. However in most cases the message contents were not nearly as much use as the traffic analysis by direction finding and frequency usage along with message indicators.

These machines were also sold very cheaply to third world countries and ex-British territories such as Libya.

In one of David Kahn's books he mentions that the fiddly key setting often caused problems, and that a couple of US girls who were tourists doing part time house keeping etc to pay their way were used for several weeks to "set the keys" because their more nimble fingers got the settings right.

Also if you read Peter Wright's Spy Catcher you will see that he and Tony Sale (who rescued Bletchley Park from the wrecking ball), who both worked in MI5, regularly used to tap telephones in Diplomatic Mission Crypto Rooms because many cipher machines made recognisable sounds that provided strong indications of key settings and plain text being typed up. They also subsequently discovered that high grade electronic cipher machines often put out sufficient electrical noise from the teleprinter tape/punchout circuit that the serial plain text could be read with an oscilloscope put across the telephone line.

From other sources of information it appears that a lot of continental European NATO countries' equipment did this, so it was often not necessary to "backdoor" the actual encryption, just ensure the plain text circuits radiated well unless certain difficult isolation steps were taken.

AES can also be added to the list of NSA backdoored encryption. Whilst it is theoretically/mathematically secure and thus data at rest is secure, practical AES implementations are not, in nearly all the original systems using it.

The reason for this is that NIST's advisors the NSA gamed the competition in a quite subtle way. One of the requirements was that all submitted code be made available for download by anybody who wanted to. Another requirement was for code to be either optimised for code or minimum gate count. Such optimisations almost always open up time based side channels and of the AES finalists the winner was by far the worst offender due to its odd design. The NSA would have known without a shadow of a doubt that the side channels would be guaranteed to happen and they said nothing. And secondly just about every software developer would download copies of the competition code and put them in their own code without change. The result is almost before the ink was dry on the winner announcement somebody was developing an across the wire attack that used the CPU cache to leak AES key bits... which they then published. But even now you find AES code in apps and code libraries that has these side channels, which is why I advise people to use AES "off line" on "air-gapped" machines.
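An added example (my code, not Clive's and not taken from any AES library) that models the cache leak he describes for a first-round S-box lookup and shows the data-independent alternative. The cache line size of 64 bytes is an assumption, and the "trace" is the set of lines an access pattern touches rather than a timing measurement; the S-box is computed from its definition so nothing is copied from a table.

```python
# Added example; not code from the post or from any AES implementation. It
# models the leak Clive describes: a table-driven S-box lookup loads from an
# address chosen by the secret-dependent index, so an observer who can tell
# which cache lines were touched learns bits of p ^ k in round 1. The cache is
# modelled as 64-byte lines (an assumption) and accesses are recorded in a set;
# no timing is measured, since Python cannot do that meaningfully.

LINE_BYTES = 64                       # assumed cache line size: 256-byte table = 4 lines


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def build_sbox():
    """AES S-box from its definition: GF(2^8) inverse, then the affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        inv[a] = next(x for x in range(1, 256) if gf_mul(a, x) == 1)
    sbox = []
    for a in range(256):
        x = inv[a]
        s = x
        for k in range(1, 5):          # x ^ rotl(x,1) ^ ... ^ rotl(x,4) ^ 0x63
            s ^= ((x << k) | (x >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()


def sbox_table(x, trace):
    """The fast way: one load whose address, hence cache line, depends on x."""
    trace.add(x // LINE_BYTES)
    return SBOX[x]


def sbox_ct(x, trace):
    """The data-independent way: read every entry, keep the wanted one via a mask.
    The set of lines touched is the same whatever x is."""
    out = 0
    for i, v in enumerate(SBOX):
        trace.add(i // LINE_BYTES)
        mask = (((i ^ x) - 1) >> 8) & 0xFF   # 0xFF only when i == x, else 0x00
        out |= v & mask
    return out


def lines_touched(lookup, key_byte, plaintext_bytes):
    """Cache lines used by the first-round SubBytes of p ^ k over a set of p."""
    trace = set()
    for p in plaintext_bytes:
        lookup(p ^ key_byte, trace)
    return trace


def top_bits_learned(key_byte, plaintext):
    """With the table version the single line touched is (p ^ k) >> 6; an
    observer who knows p therefore learns k >> 6 from one encryption."""
    (line,) = lines_touched(sbox_table, key_byte, [plaintext])
    return line ^ (plaintext >> 6)


if __name__ == "__main__":
    k, p = 0x9A, 0x37                  # constructed key and plaintext bytes
    print("S-box check: S(0x53) =", hex(SBOX[0x53]))
    print("table lookup touched lines:", sorted(lines_touched(sbox_table, k, [p])))
    print("constant-time touched lines:", sorted(lines_touched(sbox_ct, k, [p])))
    print("key bits learned from the table version:", bin(top_bits_learned(k, p)),
          "actual k >> 6:", bin(k >> 6))
```

The masked full-table read is the same idea used by constant-time AES software; the real fix in practice is hardware AES instructions or a bitsliced implementation, both of which remove the secret-indexed load entirely.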

65535December 22, 2013 4:01 AM

@ z

Yes, they will. I hope RSA’s (RSA/EMC) legal department also has a rough week. Lawsuits seem to be the only way of disciplining a misbehaving corporation.

@ Brandioch Conner

Your point is well taken. It’s very possible that someone/some country will use the RSA back door for criminal purposes. RSA is widely used throughout the world. Its attack surface could be quite large.

@ Nobody Special

“…they weakened the crypto so that the NSA would be able to break it and of course nobody else would be able to (when did you last hear of a Russian/German/Chinese/Israeli/Japanese mathematician)…”

I agree. The USA doesn't have a lock on mathematics or mathematicians. That is a real risk.

@ Figureitout

“At some point, you have to wonder, since it is a US company, could this be a foreign intel operation?”

That is an unpleasant thought given RSA’s wide use. It also could happen to other USA companies. The world economy could shun USA made products.

@ Clive

“I would consider it highly unlikely that they [NSA] would have, when all they had to do was play "lead the donkey" by hanging a suitable "comercial carrot" infront of RSA's managment and that of their parent company.”

Maybe. But, they did. The only recourse for consumers appears to be a lawsuit.

As, for NSA’s bribery stunts, there are laws in the USA against bribery – but it seems the NSA is above the law. As others have noted the only way to control the NSA is through budget reductions (Until the Congress puts constraints on the NSA – if and when that ever happens).

@ Nick P

“…it's hard for me to see why people would trust a US govt supplied RNG in a closed-source commercial product of a U.S. publicly traded company with a tight relationship with US govt to be safe against US govt subversion…”

I did. And, I would guess others that use RSA products put their trust in RSA because of the accumulated track record, safety and trust that RSA has built over its long and wide history. This type of rote bribery is a slap-in-the-face to all of RSA’s customers.

For example this blog’s cert is basically: sha1 With RSA Encryption. I am sure many others have the same. RSA acceptance of a bribe to hurt its customers and leave a backdoor to sensitive information is a boot kick to shins!

How much of this bribery goes undisclosed with other RSA products? How much bribery between the NSA and other Certificate companies occurs?

If RSA can be bribed then I would guess other CAs can also be bribed. Trust in American companies is at stake. The whole American cloud computing industry is at stake. This is a self-destructive situation.

AspieDecember 22, 2013 5:00 AM

@Figureitout

//Shout out to Aspie
--I'm still looking forward to when (not if :) you get your computer working and see you featured on hackaday. :) Would like to know where you're at and any problems you're having where maybe someone or me can help b/c I have some time now even though I've got other stuff.

Sorry .. missed this .. bloomin' holiday noise etc.

I'm some way from "presenting" this modular solution but it's functional insofar as the FORTH bytecode on an 18F26K22 (I use a cheapo 28-pin programmer because I can't solder smaller pin pitches) is running and happily yakking over RS232 to the console and SPI to other modules. Basic config is 128k SRAM and 8k EEPROM for each module - i.e. one 23LC1024 (SRAM) and one AT24C64/256 (EEPROM). Using 24-bit addressing each module could be pumped up to 8MB but the philosophy is keep them simple and fluid in purpose so they can be quickly reassigned. (Anyone here remember the venerable INMOS Transputer?)

I'm still waiting for Microchip to deliver some parts that they promised me 3 months ago. Tsk.

There's a fair bit of code-cutting left but the initial tests are good. I'll have time over the next few weeks to really bite it hard and shake it some more, then I'll definitely post up some pics and code and you'll get to see how crummy my soldering is. ;-)

Will keep you posted.

Mike AmlingDecember 22, 2013 7:53 AM

Nick P: "... people often word this situation like RSA sold hacker bait crypto that black hats everywhere were compromising to get NSA money. That's far from the truth. The backdoors could only be accessed by the NSA,..."

Agreed, the secret that makes DUAL_EC_DRBG vulnerable (namely the n in P=n*Q) is not going to be discovered independently [barring a general ECC break]. But that n can't be just kept in a safe. It has to be used operationally if the D_E_D deployment is to have value, and one wonders if a mole couldn't leak it.

The question I have is what else RSA put out that was compromised. Surely the decision to retain copies of all the Secure-Id keys is suspicious. What else?

ericaDecember 22, 2013 9:35 AM

@ Anonymouss:

Lots of good, common sense from Cracked. If only our politicians had the same strategic sense as comedy bloggers.

Ethan HeilmanDecember 22, 2013 10:49 AM

@Clive Robinson:

Can you provide some good sources on this? I know I should read all of Kahn's stuff but that is going to take some time. It is being done on rotor machines, it is probably a Crypto AG rotor machine as they were very popular with the US during the war.

Its funny that you should mention a weak keys/strong keys backdoor as I proposed something similar a while ago: http://ethanheilman.tumblr.com/post/28951702391/imagining-a-secure-backdoor-cipher
I thought it was an original idea but perhaps I heard it somewhere else.

I've often wondered about the AES side channel. Do you have any information beyond a "Cui bono" analysis?

Nick PDecember 22, 2013 11:02 AM

@ Clive, RobertT

Well, darn, here I was thinking I was onto something. Appreciate the replies.

"Personally I'm more interested in fixing timing channels by focusing on matching the clock cycles for all operations so that Branch-Taken and Branch-Not-Taken always have the same number of cycles" (RobertT)

I came up with the same trick so maybe it's a good idea. My concern was "does making things take the same number of cycles solve a timing channel at the algorithm level?" Remember that the algorithms use certain things more often than others. Instructions with identical timing make masking easier but how effective is masking *really*? Does it take just one identical looking computation to mask the emanations or power draw of the real one? Or 100's of them with nondeterministic execution sequence?

"There are many Real-Time operating systems where this is style of programming is very desirable, so maybe Security guys need to learn some tricks from RTOS guys. " (RobertT)

A few years back I was posting RTOS-based solutions here. :D I particularly liked the potential of ARINC fixed scheduling and the way INTEGRITY manages CPU/memory. The kernel makes the user mode processes use their own memory and time for every kernel request. It's also structured internally & with fast instructions to run with interrupts on in a way also subject to RMA. Clever, clever. BSD/Linux guys need to start learning tricks like this.

"I realize that what I'm saying is not really practical because many of the operations that cause timing channels are not really accessible at the applications programming level AND as a programmer you dont want to give up the execution speed advantages of skipping unnecessary cycles. " (RobertT)

It's always a concern. My system level solution in the past was to fuzz test to determine the timing variation of a critical component, then make it always take the longest time. Of course, the algorithm chosen had an acceptable longest time. The idea was the algorithm timed its own execution and didn't even return to calling code until enough time had passed. Such designs were never independently reviewed but they *seemed* like they should defeat at least software level timing attacks.

@ Clive

"Whilst this means that the connecting interfaces of two blocks are asynchronous to each other I did not intend to imply the logic inside a block was asynchronous. "

Ah, I get it now.

So, are there *any* security or other advantages to using asynchronous logic? Two of the non-deterministic processors in the paper sounded interesting esp if combined with randomized instructions or execution block locations. It wouldn't even take a modification of the processor.

@ Adryna

"To add to your list of chips using asynchronous logic, there's also the 144-core GA144, "

Ahh, I see they hit their 100+ core target. This fits nicely into the previous Forth discussion as that's its underlying technology. It also might be useful in my "one piece of hardware per function" investigation. My worry is its network on a chip nature might bring new attack potentials and (like the Cell) might be hard to program. Worth looking into, though.

@ 65535

"I did. And, I would guess others that use RSA products put Their trust in RSA because of their accumulated track record, safety and trust that RSA has built over its long and wide history. This type of rote bribery is a slap-in-the-face to all of RSA’s customers."

And none of that has changed in reality. Their products' quality (good or bad) is unchanged. The mistake all of you made was assuming their dedication to stop attackers translated to their host government. Companies must always be assumed vulnerable to their host country. It might have been bribery, a national security letter, a warrant, a good speech about "protecting our country" to the board, and/or extortion using their state power. This is true in *every* country. So, RSA might in fact protect you from as much as possible. Just not the US govt.

Another issue is how everyone is handling trust. Quite simply, many are doing it wrong. They treat it as all or nothing: "I trusted RSA" "RSA has ruined my trust." Even Bruce's posts show he agrees trust is more context sensitive. You trust X to do Y under Z circumstances. RSA and other security vendors should be treated no differently. So, do I trust them to make crypto that stops the general hacker? Yes. Do I trust them to not try to cause me damage via their products? Mostly yes. Do I trust them to tell a TLA in their home country to f*** off for my sake? Not a chance.

I think people worried about such issues should pause to take a hard look at each vendor and tech they use to determine what trust they can have in them under what contexts. And plan contingencies for what happens if they're wrong.

@ Aspie

Best of luck on your project.

"(Anyone here remember the venerable INMOS Transputer?)"

Funny you mention that because we were just talking about Transputers yesterday here. Petrobras was kind enough in that comment to link to papers describing not only its operation, but parts of how its made. I also noticed it was used in a workstation by Atari and another company put a distributed UNIX-like OS on it. It's been long surpassed by Massively Parallel Processing (MPP) systems but the Transputer was an innovator in its time. Too far ahead of its time actually.

On a related note, I proposed a while back (bold part of that comment) that we should copy MPP architectures b/c they solve some of our biggest POLA vs performance problems already. It's one of my only pieces of research that's still original as I've not seen one paper on POLA via MPP model in academia.

@ Mike

" Surely the decision to retain copies of all the Secure-Id keys is suspicious. What else?"

I agree. That in combination with probable govt cooperation is why I never used RSA products. There are too many vendors offering stuff here and abroad to have myself worried over one product/vendor.

Nick PDecember 22, 2013 11:19 AM

@ Ethan Heilman

"The biggest problem with the scheme is that SpookNet must store all the secure keys it has generated and transmit these keys to its users. Given the danger of these key being compromised prior to use one would have to develop hardened key stores for physically distributing the keys."

Is that a problem or standard practice at NSA/DOD? ;) I've referenced the EKMS system here in analysis of crypto OPSEC, esp key mgmt strategies. Now you just gave us another potential reason they prefer it over commercial practice, although I doubt it's their main reason. That it handles seed and public/priv key generation for NSA COMSEC devices gives some weight to your hypothesis.

I've told people many times that copying how NSA handles ultrasecure comms might stop unknown attacks. As in, they're doing one thing and telling commercial sector to do another thing maybe for a good reason. So, for intranet key/secret management, my preferred approach has been to have a secure device handle all of it and transfer the stuff using semi-automated methods (manual + safe basic tech like serial port). If automated, my simple trick was to send OpenPGP-protected messages (commands, key data, etc) to an untrusted process on destination machine with optional port knocking. Each aspect is so simple that odds of failure are small, with authentication ensuring only legit commands are executed.

Having a secure PCI-based computer sitting between the host and intranet, with privileged host access, can greatly help with this and all kinds of things. It provides assured firewall/gateway features, link encryption, rate limiting, host inspection, trusted boot, secret/pass mgmt, and host recovery. Yet another idea I shamelessly ripped from govt (see TNI, DiamondTEK B2 LAN & Boeing OASIS).

AspieDecember 22, 2013 12:05 PM

@Nick P

Thanks for the encouragement and the links. I *have* to stop skimming and do more patient reading - blast my impetuous nature!

Not that reinventing the wheel isn't instructive ... and fun ;-)

Nick PDecember 22, 2013 12:47 PM

@ Aspie

"Not that reinventing the wheel isn't instructive ... and fun ;-)"

I only discourage it when people are trying to solve problems in real world. Like you said, though, it can be a good thing if doing it for fun or enlightenment.

Bruce SchneierDecember 22, 2013 2:06 PM

Recruitment is down at the NSA: "Applications to work at the NSA are down by more than one third, and retention rates have also declined. This is a serious problem for an agency that, until now, has thrived because of an esprit de corps within the organization. Traditionally, when analysts joined the NSA, they joined for life. This is changing, and not for the better from the NSA's perspective. Snowden has also changed the way the NSA is doing business. Analysts have gone from being polygraphed once every five years to once every quarter."

Well, that's one way to force the NSA to cut some programs.

Steven GriffinDecember 22, 2013 2:20 PM

Slashdot has an interesting topic going regarding commercial routers and whether we can trust them anymore. Given Mr. Schneier's recent book on the topic it seems highly relevant to share it here.

Nick PDecember 22, 2013 4:56 PM

Neutrinos used to send message through rock

http://www.newscientist.com/blogs/shortsharpscience/2012/03/neutrinos-send-wireless-messag.html

I've specifically expressed interest in a neutrino based communication system in the past for secure comms. This demo is simply awesome. I hope it only gets better, smaller and cheaper. Next best thing to quantum communication.

@ Bruce

That's great! A central prerequisite to success of an organization like NSA is maintaining the right image, culture and environment. Their mgmt seem ineffective in these areas. I hope those managers stay in their positions for a long time. ;)

FigureitoutDecember 22, 2013 10:44 PM

65535
--Yeah; I mean this is what intel agencies do, sabotage other countries economically.

Aspie
--Well cor blimey mate, them bloomin' holidays...But hey it's working! Ha, yeah I'm not great at soldering, but you know just takes practice. Check this out to make you feel better (pretty funny too). The ass-clown also tried to imitate an FBI agent to scare the guy for his epic f-ups.

Will keep you posted.
Alright thank you! No pressure to hurry or anything too. You're way ahead of me! :)

Nick P
it's all interesting but our specialist here has dimmed my hope of such stuff working.
--With all due respect to Mr. T, and using your own arguments, do you think it wise to put all your trust in one opinion? I understand it's a pretty nerve-wracking project to even be a part of, let alone lead...Maybe a better goal to aim for is cheaper tools for custom fabs, that will be really cool (yet what if they're subverted...arrrggg!!!)

I guess just continue making it known to consumers just how much garbage can be in a chip these days; and it's getting so out of hand when components smaller than wavelengths of light get put on the frickin board...

Bruce
--Well, as fun as getting interrogated every quarter and working in an extremely tense atmosphere (make a joke at your own risk), and then never being able to tell anyone what projects you worked on sounds; not for me. TI is looking like a company I'd really like to work for now (maybe I could get some nice access to their fabs too).

FigureitoutDecember 23, 2013 12:38 AM

Nick P RE: O Canada
--Seriously lost it when they said that was the message they sent. To me, it opens up side channels I can't close (well guess better I know them) but still scary a little.

RE: Neutrinos used to send message through rock
--Pretty neat...guess being a ham any new way to send a message somewhere gets my attention. The last paragraph of the nice short article really should get people to perk up:

Even a very low-bandwidth system might be useful for exchanging encryption keys though. These could then be used by two parties on opposite sides of the planet to communicate securely through more conventional means. Because neutrinos require specialised equipment to detect, and travel in a straight, focussed beam - unlike radio waves, say, which spread out - they should be pretty secure.

Buck
--Pretty cool, NASA stuff is pretty much always neat.

AspieDecember 23, 2013 1:37 AM

@Figureitout
... Check this out ...
That's pretty bloomin' awful gor blimey strike a light and no mistake guv'nor me old china plates of feet!

The "FBI" message had me in stiches before I'd even reached the sig: ... Please choose option A. Haaaa! Haaaa!

Right, time to get the iron warmed up ... I couldn't *possibly* feel bad about my work after that little gem. :-)

hermanDecember 23, 2013 3:46 AM

"Analysts have gone from being polygraphed once every five years to once every quarter."

I find it amusing that the spooks put their trust in polygraphs. Employing an African Muti Man to roll some bones would be way more accurate.

AspieDecember 23, 2013 3:59 AM

@Nick @Figureitout
Neutrinos as messengers? They are *unbelievably* difficult to detect as witnessed by the Irvine-Michigan-Brookhaven experiment which caught 8 out of something like 10^58 that were emitted by Supernova 1987a. And that was with a tank of 2.5 million gallons of ultrapure water and 2048 photomultiplier tubes. I suppose if you have a few acres to spare and a disused salt-mine ...

MarkHDecember 23, 2013 5:13 AM

To weigh in on the RSA/DUAL_EC_DRBG fiasco:

(0) The speculation that NSA rigged DUAL_EC_DRBG is effectively confirmed, because the reported contract between NSA and RSA labs would be senseless without the NSA trapdoor.

(1) Nick P correctly observes that the DUAL_EC_DRBG trapdoor is usable only to someone knowing the "magic number" (specifically, an exponent). Presumably, it was intended that only NSA know this exponent. So the trapdoor does NOT mean that any arbitrary bad guy can read your secrets, but rather that Uncle Sam could. (BTW, despite claims by the tinfoil hat brigade, it would NOT make sense for NSA to insert trapdoors other folks could open. For strong reasons, they want EXCLUSIVE access.)

(2) Given the Snowden leaks, one must consider the possibility that secret exponent did not remain secret. However, it is quite plausible that this number is protected by extraordinary safeguards. Unlike the reports, briefings and systems about which Snowden obtained documents, there is absolutely no need whatever for any knowledge of the secret exponent, outside of those computers performing specific types of analysis. The secret exponent may be protected by a tamper-protected hardware module. The scope of need-to-know is near zero.

(3) Assuming that the secret exponent remains secret, it perhaps makes no difference whether {insert malevolent state here} possesses one or more competent mathematicians, and here's why: if {malevolent state} doesn't know how to efficiently compute discrete logarithms in multiplication groups, then they can't open the NSA trapdoor; but if {malevolent state} does have an efficient way of taking such discrete logs, then they can efficiently break several public key cryptosystems, perhaps including RSA*.

(4) If RSA Labs thinks they can hide behind some "plausible deniability" that they didn't know about the trapdoor ... nobody in the crypto community will be fooled. Anyone who has followed RSA Labs through the years knows that they have some very strong cryptographers on staff, whose published papers have made important contributions to the state of the art. That they didn't know that DUAL_EC_DRBG could be trivially trapdoored is simply not possible. Knowing this, who could believe that they were not certain of this trapdoor, when they were offered big money (see point 0 above)? Maybe RSA Labs will do damage control ... and maybe they'll survive ... but for the community of professional cryptographers, they are utterly, totally and permanently destroyed. Their greatest asset was to be worthy of trust, and this can never be restored.

*If you can efficiently compute discrete logs modulo a semiprime, then you can efficiently factor that semiprime (Eric Bach).
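The trapdoor that Clive ("magic secret numbers" behind P and Q), Mike Amling (the n in P=n*Q) and MarkH (point 1, the exponent only NSA knows) are all describing, as an added worked model that is my code, not anyone's on this thread and not the standard's. It borrows the secp256k1 constants only because they are public and the group order is prime (the real Dual_EC_DRBG used NIST P-256/384/521 and truncated 16 bits per output, which this model omits); the secret d and the seed are constructed values. Nothing in the outputs lets a user detect that such an e exists, which is why a Q of unverifiable provenance cannot be accepted.

```python
# Added example; not code from the post, the NIST spec, or RSA. Toy model of
# the Dual_EC_DRBG trapdoor: secp256k1 is used only because its constants and
# prime group order are public and well known (the real DRBG used NIST P-256/
# 384/521). The real generator also drops the top 16 bits of each output,
# which this model omits; with truncation the holder of the secret would try
# each of the 2^16 candidates for the missing bits. Needs Python 3.8+ for
# pow(x, -1, m).

P_MOD = 2**256 - 2**32 - 977          # field prime, = 3 mod 4 (one-pow square root)
A, B = 0, 7                           # y^2 = x^3 + 7
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None                            # point at infinity


def ec_add(p1, p2):
    """Affine point addition / doubling on y^2 = x^3 + A*x + B over F_p."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                    # p1 == -p2 (also covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; this is a model)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P_MOD == 0


def x_of(pt):
    if pt is INF:
        raise ValueError("state reached the point at infinity")
    return pt[0]


def lift_x(x):
    """One of the two points with this x-coordinate (they differ only in the sign of y)."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    if y * y % P_MOD != rhs:
        raise ValueError("x is not the x-coordinate of any curve point")
    return (x, y)


def make_trapdoored_q(d):
    """Whoever picks Q = d*G also knows e = d^-1 mod n with e*Q = G, i.e. P = e*Q.
    Users of the generator see only Q and cannot tell that such an e exists."""
    return ec_mul(d, G), pow(d, -1, ORDER)


def dual_ec_outputs(seed, P, Q, count):
    """Dual_EC_DRBG skeleton: s_i = x(s_{i-1}*P), r_i = x(s_i*Q). Returns [r_1..r_count]."""
    s, outs = seed, []
    for _ in range(count):
        s = x_of(ec_mul(s, P))
        outs.append(x_of(ec_mul(s, Q)))
    return outs


def predict_from_one_output(r, e, P, Q, count):
    """Holder of e: from one output r_i = x(s_i*Q) recover the next state
    s_{i+1} = x(s_i*P) = x(e*(s_i*Q)) and replay the generator from there.
    Either lift of r works, since e*(-R) = -(e*R) has the same x-coordinate."""
    s = x_of(ec_mul(e, lift_x(r)))
    outs = []
    for _ in range(count):
        outs.append(x_of(ec_mul(s, Q)))
        s = x_of(ec_mul(s, P))
    return outs


if __name__ == "__main__":
    SECRET_D = 0xC0FFEE0DDBA11CAFEF00D1234567890ABCDEF   # constructed, not a real value
    SEED = 0x5EED0123456789ABCDEF                          # constructed, not a real value
    Q, e = make_trapdoored_q(SECRET_D)
    observed = dual_ec_outputs(SEED, G, Q, 4)
    predicted = predict_from_one_output(observed[0], e, G, Q, 3)
    print("generator r_2..r_4 :", [hex(v)[:18] + "..." for v in observed[1:]])
    print("predicted from r_1 :", [hex(v)[:18] + "..." for v in predicted])
    print("match:", predicted == observed[1:])
```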

65535December 23, 2013 6:05 AM

@ Nick P

“It might have been bribery… and/or extortion…”

It might? Do NSLs or search warrants come with a $10,000,000 check?

“Do I trust them to not try to cause me damage via their products? Mostly yes… That in combination with probable govt cooperation is why I never used RSA products.”

Mostly? You seem to be saying that on one hand, yes I trust them – but on the other no I don’t trust them.

As others have pointed out there are several problems with a “blue chip security company” accepting $10,000,000 to open a backdoor. Someone in that company could “accidentally accept” a check for $15,000,000 from a clever soviet plant to do the same. This leads to a slippery slope.

You may have not been burned - but RSA's customer list has! The RSA customer list is quite large.

@ Figureitout

“…this is what intel agencies do, sabotage other countries economically.”

I agree. And, other countries have more than $10 mil to spend plus the planted agents to do the dirty work. RSA cannot fully guarantee that the next bribe will be from the NSA. It could easily come from the Russians.

@ Bruce Schneier

“…that's one way to force the NSA to cut some programs.”

Yes, it is. But, I would like to see a 35% cut in their budget or more!

Bruce, I watched your 1.5 hour ‘Eben Moglen’ discussion on the NSA. I do agree that routers are the target of choice for the NSA (and good hackers).

You also brought up the possibility of the NSA spying on the UK. I believe that is happening at a high level.

From what open source material I have read the largest percentage of US spies are in the UK. As you point out the NSA spies on its own US citizens, thus it is very likely that the NSA spies on the UK.

Nick PDecember 23, 2013 9:34 AM

@ figureitout

"With all due respect to Mr. T, and using your own arguments, do you think it wise to put all your trust in one opinion? I understand it's a pretty nerve-wracking project to even be a part of, let alone lead...Maybe a better goal to aim for is cheaper tools for custom fabs, that will be really cool (yet what if they're subverted...arrrggg!!!)"

Find one counterargument from someone with experience working at nanometer scales and I'll listen. Haven't heard anyone make an argument for verifiable fab process at that scale in years. Even the chips that are made for scrutiny are being fabbed by a regular company although a few aren't being fabbed because they couldn't solve the fab problem.

Far as economics, people have been saying that for a few decades. Since then we've only seen fabs for lower process node tech close down. They must be expensive to operate because they sell in the high millions of dollars and that's considered a *mark down.* So, a few decades later and fabs for chips of decent capabilities are still only for the richest to operate (at a loss). Thinking it will change is putting blind faith into something that hasn't worked for a long time and shows no signs of getting easier.

(Even many homebrew systems like Magic 1 use TTL chips that are essentially a black box fabbed by someone else.)

So, I'm having to approach the problem in new, inconvenient ways. Of course, pessimistic as it may seem, that's an indicator that I'm on the right track because few things in trust engineering have been easy for me. It was always an uphill battle.

MarkHDecember 23, 2013 12:01 PM

Correction to my comment above:

Using the NSA trapdoor in DUAL_EC_DRBG (without already knowing the secret exponent) would of course require computing a discrete logarithm in the finite field of the elliptic curve, a problem quite distinct from the discrete logs to which I referred.

Dangers of commenting whilst drowsy.

RobertTDecember 23, 2013 3:38 PM

RE: Chip Fab

There's a very simple fact that you all need to understand about Chip fabrication, namely that it is a BATCH process. There are very few operations that are unique to each chip, normally the only unique step is the ID which will be stored in Flash or Fuse.

On a given layer every Contact, metal layer, Via .....etc gets processed exactly the same way, this means that selectively creating just one OPEN or one SHORT is actually a very difficult task. If some individual in the Fab intentionally misprocesses any layer the wafer Yield will rapidly drop to zero. So the most likely outcome of any intentional misprocessing by a fab operator is Zero yield (i.e. No products to sell...none at all). BTW Yield is a parameter which Fab management monitors VERY closely, so any employee that intentionally changed the settings causing misprocessing of a wafer batch would probably be fired immediately. Truth is there are very very few changes (none that I can think of) that a Fab operator can make which change the functionality of a chip and most backdoors require a functional change.

As far as I know the only way to intentionally change the function of a chip is by manipulating the MASK information. Most fabs don't even make their own masks, so owning the fab but outsourcing the Mask manufacture is an amusing way to reduce the risk of subversion.

The ONLY time I'd even involve fab processing in the subversion of a chip's function would be if I wanted to create plausible deniability for the guilty. Think of it this way:
If I change the design database the change is logged and when someone later discovers the intentional error the finger will be pointing straight at me.

Similarly if I worked in the Mask shop and intentionally changed the data (adding or subtracting polygons to specific masks) the wrong information is there to be found by someone in the future, they can simply recreate the masks and compare the masks you made with the masks they made and see where you made changes. BTW Mask making typically takes less than ONE week, so even for the most skilled chip design engineer it would be amazing if they could recreate the design database, find a suitable way to intentionally create mask errors that normally works but sometimes leaks information or weakens certain functions. If this guy exists I want him on my design team.

So plausible deniability is created when a potential weakness is created in the design database and then either intentionally enabled through Mask data manipulation or slight misprocessing at the fab.

AnuraDecember 23, 2013 4:49 PM

There has been an insane amount of discussion about making secure hardware in the comments of this blog (not that I have a problem with it, it's a very interesting subject), but it seems to me that 99.99% of the problems we have today are backdoors in firmware/software, exploits in code, lack of government oversight, excessive secrecy (at both the government and corporate level), and a disconnect between the goals of private enterprise, government, and the people, as far as internet and communications are concerned.

The fact is that you can't make 100% secure systems, but the short term focus, in my opinion, should be on the quickest ways to make privacy and security as easy as possible and surveillance as expensive as possible. The long term focus should be on replacing secure protocols, pushing for more and more open source software and firmware, government oversight, open government, and better organization in the open source community in respect to development, bug tracking, and coding standards.

Until we have nanoassemblers that can construct CPUs atom by atom, then building custom hardware isn't really going to be an option for anyone but the most technically knowledgeable people in a handful of domains.

Nick PDecember 23, 2013 5:33 PM

@ Anura

"There has been an insane amount of discussion about making secure hardware in the comments of this blog (not that I have a problem with it, it's a very interesting subject), but it seems to me that 99.99% of the problem we have today are backdoors in firmware/software, exploits in code, lack of government oversight, excessive secrecy (at both the government and corporate level), and a disconnect between the goals of private enterprise, government, and the people, as far as internet and communications are concerned."

Our discussion, much broader than hardware, covers most of that, often with specific recommendations. Except for the last part, which I don't think I can solve.

"The fact is that you can't make 100% secure systems, but the short term focus, in my opinion, should be on the quickest ways to make privacy and security as easy as possible and surveillance as expensive as possible."

That kind of thinking led to subverted SSL/IPSec standards running on vulnerable OS's running on possibly subverted Intel hardware that also makes it hard to write correct code. In other words, it sounds good in theory but didn't work out in practice. The attackers simply had too many layers to hit to do an end run around whatever protocol or software strategy the security community came up with. So, the solution is to look at every layer or aspect of system operation to find the risks. And deal with as many as possible.

So, I've been pushing discussion along many levels in parallel:

1. Secure ground up hardware and software architectures preventing as much as possible (eg SAFE, CAP, Intel 432)

2. Modifying existing hardware architectures to prevent huge problems easily while allowing legacy operation (eg CHERI, IBMON, CODESEAL, HISC)

3. Creating abstractions and tools that let us use existing hardware in a safer fashion (eg SVA, H-Layer, separation kernels, JX)

4. Modifications to core of OS's to enforce stronger application security (eg Xax, Capsicum, Trusted OS's)

5. Use of safer systems programming languages without very complex runtimes for key apps/services (e.g. Ada, Oberon/Pascal/Modula, Cyclone, Ocaml)

6. Very different protocols from the norm that solve plenty of security/complexity problems of current protocols (e.g. SILENTKNOCK before VPN, ZRTP instead of SRTP, XDR/JSON instead of XML)

7. Improvements to existing protocols to remedy their weaknesses (e.g. TLS/DTLS in transport, PGP in email, DNSSEC instead of DNS)

8. Robust or secure implementations of legacy protocols and services (HYDRA for web firewall, secure64 DNS, MicroSINA VPN)

9. Ways to protect firmware from attack (e.g. physical write protect, BootSafe, SHIELDSTRAP, Chromebook architecture).

10. Diversity in hardware among implementations of both standards and ISA's.

11. Diversity in usage where individual instructions, data encapsulation strategies, system internal labels, etc. can change repeatedly to hamper attacks.

12. Certifying or proof-generating compilation & linking systems so we don't worry so much about that step.

Fortunately, there's been work in every area as I've referenced. Much of it when in a final form is plug and play for user, developer, OEM or wherever is most convenient. Some enhancements are already on the market or are free with helpful guides on usage.

For example, just how hard is it to write code in Python or a form of BASIC on a platform that's immune by design to issues like code injection? How technical do you have to be to accomplish this?

On the other hand, how hard is it to design a secure service written in an unsafe language (eg C/C++) calling unsafe user+kernel code on an OS & hardware platform designed to be fast/flexible rather than secure? The current CVE lists make me think one would have to be a technical genius that makes top IT people drop their jaw regularly.

AnuraDecember 23, 2013 6:37 PM

I'm not saying that all that's been talked about was hardware, just that the amount of time spent is disproportionate to the threat.

I'm not going to get into all of the individual points, but I do not consider designing a protocol like TLS a short term fix; I think that as a long term fix we should use DNSSEC for authenticating DNS and work on a replacement for IPv6 to have end-to-end authenticated encryption instead of TLS. A short term fix would be to patch browsers to treat websites encrypted with a self-signed certificate as the same as websites with no certificate (Browser: "This website is trying to encrypt traffic, we recommend against this, go to the unsecured website or leave") and then patch Apache/IIS/Whatever to generate a self-signed certificate by default for each website.

Things like PGP are great for many cases, but suck for widespread deployment, which is the problem I have with most solutions: we can't realistically expect them to be used by the majority of people. I don't think that email can be both secure and usable by the general public: security is easy, but usability requires that the end-user doesn't have to keep backups and can forget their password without losing their email. The only solution here is one of regulations to protect the user from abuse by the provider, and oversight to protect both of them from the government.

AnuraDecember 23, 2013 6:58 PM

RE: Previous post about TLS and self-signed certificates

I do realize that there are problems with that, such as: typing https://www.example.com worked before and would generate an error if someone attempted a MITM, but just allowing self-signed certificates would make that more subtle, e.g. a lock icon not showing up instead of showing up. A compromise solution could be to extend HTTP for explicit TLS like FTP did; again this is something that would still be a short term fix.

Nick PDecember 23, 2013 8:10 PM

@ Anura

"I'm not saying that all that's been talked about was hardware, just that the amount of time spent is disproportionate to the threat."

I sort of agree with you. I think it's partly the unknown: nobody can see under the software, plenty of evidence that level is being targeted, academic papers on new ways to target it, and no knowledge of how to deal with it. That they know the opponent is tech savvy, employs spies, has taps in Internet, and has a $200+mil budget just freaks people out. Their paranoia starts focusing on stuff too much that's unjustified. People start worrying so much about securing hardware that they don't invest said time in basic steps like updating their router, ensuring their DNS is configured, making backups after clean install, etc. Is this what you're referring to?

Funny thing about your point, though, is that it's true if made opposite: there's been an "insane amount of discussion" about using inherently insecure chips and standards to build secure systems. These chips are designed to share data and jump to code easily. There's also plenty of complexity, including poorly documented functions, in most standard systems. Yet there's no shortage of software advice on making them "secure." An entire industry spends billions on every aspect of that parallel discussion. They have little to show for it. So, seeing the foundation is quicksand, do you build the house/mansion on it or do you first lay a better foundation?

So, our discussions aren't just about stopping an attack on hardware: it's about changing hardware to enable more robust systems against both faults and attacks. An example result of the previous discussion was my discovering several true Java chips. (Most are RISC chips emulating a JVM machine.) All these SCADA folks worried about the crazy amount of low-level attacks on their OS's and software for embedded control systems. Most are impossible on a Java chip, Java tools are more productive, and isolation via object-capability model is more intuitive. And they're affordable. Next thing one might notice is JIF and E (running on JVM) both solve distributed app security issues with little code. See how getting the foundation safe/secure makes the next layer easier? And the next layer. And the next.

The attackers always go lower or sideways when facing a tougher defence. So, start at the foundation, then build the system layer by layer watching every component, interaction and potential state transition. The few systems of the past that were never hacked (even by NSA) were built this way. It's the only known way to build [seemingly] secure systems. Anyone doing anything else is just providing job security for professional hackers.

re your suggestions

"A short term fix would be to patch browsers to treat websites encrypted with a self-signed certificate as the same as websites with no certificate (Browser: "This website is trying to encrypt traffic, we recommend against this, go to the unsecured website or leave") and then patch Apache/IIS/Whatever to generate a self-signed certificate by default for each website"

It's a decent idea. Encryption and authentication by default without spooky warnings is preferable to the status quo. Then, notaries might supplement CA's for trust management.

"I don't think that email can be both secure and usable by the general public"

I agree. That's why my proposals lean toward secure messaging with client-side apps and untrusted servers. The apps can be proxies for email clients if necessary. Several very secure email architectures of the past took that approach. Works for more than email. It can also re-use tech like SMIME or PGP without the user ever knowing.

"The only solution here is one of regulations to protect the user from abuse by the provider, and oversight to protect both of them from the government."

That's not anything to depend on in the slightest. Even post-Snowden, most people don't care enough. There's also *tremendous* industry effort moving in the opposite direction as it's a huge business model and surveillance opportunity. So it's not going to happen. Those in control have nearly mastered their methods for managing public reaction to these things. So, it will be necessary to take extra (inconvenient) measures if one wants to control their digital activities and extremely involved efforts if one wants to have assurance the control is real when facing talented attackers.

dqDecember 23, 2013 8:32 PM

http://www.businessinsider.com/bittorrent-chat-2013-12

File-sharing company BitTorrent is at work on a chat product that makes use of a number of security techniques that effectively render it invisible to anyone trying to eavesdrop on your conversations. (Yes, like the NSA.)

It's called BitTorrent Chat, and it relies on a decentralized, serverless system to shuttle messages back and forth across the internet.

AnuraDecember 23, 2013 9:17 PM

    That's not anything to depend on in the slightest. Even post-Snowden, most people don't care enough. There's also *tremendous* industry effort moving in the opposite direction as it's a huge business model and surveillance opportunity. So it's not going to happen. Those in control have nearly mastered their methods for managing public reaction to these things. So, it will be necessary to take extra (inconvenient) measures if one wants to control their digital activities and extremely involved efforts if one wants to have assurance the control is real when facing talented attackers.

The problem is that we aren't trying hard enough, or focusing on the right place. As it stands the biggest threat is not the NSA, it's corruption. Corrupt politicians in bed with the public sector. No matter what we do hardware/software-wise, there is only so much safety we can offer ourselves without reforming the power structure, without turning America back into a Democracy.

I do believe it's possible to do, the focus needs to be on convincing enough talking heads to abandon the status quo. This does not mean campaigning for specific agendas, it does not mean campaigning for or against a specific party, it means campaigning against TWO specific parties. Congress has a 10% approval rating, yet we vote in the same parties. This is the perfect time for letter writing campaigns and grassroots movements saying that until we stop seeing in terms of Democrat and Republican and start voting for third parties, things will not get better. Tell people that no matter who they vote for, make sure it is a third party.

It is doable, the problem is people feel it's hopeless to try and change anything; it's a self-fulfilling prophecy. It's actually not hopeless; you don't even need a majority to do it. We have a horrible electoral system in the US; with three candidates, you can win with 34% of the vote. With four candidates, 26% of the vote. The closer you get to making a third party a viable candidate, the more people that will switch over.

AnuraDecember 23, 2013 9:32 PM

That should read " Corrupt politicians in bed with the private sector."

Anyway, my point is that we don't control corporations, and currently corporations control government. As much as we try for openness, I wouldn't be surprised if, without intervention, 20-30 years down the line, system vendors controlled all software on your computers and ISPs restricted all traffic and protocols - you know, to protect against piracy - and they handled all encryption on their end so you had an encrypted connection to them and they decrypted and re-encrypted to connect to the other ISP, justified as "maximizing user's security."

Clive RobinsonDecember 23, 2013 10:01 PM

@ Anura, et al,

With regard to security and its non-100% achievability.

As @ Nick P and others will confirm I've been talking about this for a number of years and my thinking precedes this and goes back into the last century (yup I've got the whiskers to match ;-)

It's difficult enough for security gurus to admit you can't get 100% and as for many of the overly paid consultants out there it's not what their customers want to hear. And as we can see with "terror" people are prepared to pay more than a king's ransom for the illusion of safety/security, in fact most have sold their soul for the illusion (that it's possible or even required).

One problem we have is we talk about "foundations of stone" or "shifting sands" as though the quality of the underlying ground is the primary requirement to build on... guess what, it's not. It's actually cheaper to build a barge of the same square footage than it is a house, and that will be as secure resting on rock, sand (shifting or otherwise) and even water.

The point is "you build your foundation to build on", not rely on what is there by chance of nature. What you have to do is find some way to mitigate the problems of what you get to work with.

Now arguably you could go all the way down to the silicon or you could just assume it's likely to be unreliable and go to a higher level the only question is where and how much it is going to cost to be able to build a secure base.

Once upon a time I was happy to build it above the CPU level at the assembler level, these days I'm looking lower at the memory/IO level due to issues with updatable microcode. But like Nick P and Robert T I can see that with time I will have to set my sights lower, but I can also see that this is exponentially resource hungry.

On investigation you come up against a problem that due to the way we "abstract" things the sheer time involved in acquiring the knowledge and abilities goes up. And this gives rise to an interesting problem of "when to start"... And by my estimation we've already missed the bus by about ten years. That is we should have started on the silicon chip security issues over ten years ago to have a viable solution for today's chips. And the longer we leave it the longer it will take, and in fact we may no longer be able to do so...

So on the assumption we can't get to the point the silicon can be relied upon we have to find some other way to get the level of security we need.

Basically we need at the memory/IO level to find ways of mitigating against defecting / untrusted hardware.

I won't go into it again here but if you google this site for my name and "voting protocols" or "Castle-v-Prison" or "Probabilistic Security" you will find more in-depth information.

FigureitoutDecember 23, 2013 10:14 PM

Aspie
I suppose if you have a few acres to spare and a disused salt-mine
--Damn I got the images in my head (I liked the representation of a Germanium crystal lattice w/ springs & tennis balls), but I'm pulling a blank on the particle this scientist was looking for (they were extremely rare too) like oh...(57?-probably wrong) stories underground. Still blows my mind that they are sure that they are detecting that particle and how can they be sure...? I'm not expecting to rig up my neutrino transmitter anytime soon lol, just something cool to think about.

Nick P
Find one counterargument from someone with experience working at nanometer scales and I'll listen.
--Grr, fair enough. They're hiding, but challenge accepted.

We keep letting FAB's be the business of billionaires, they're going to monopolize the business and backdoor all chips, I know it.

Anura
--As far as I'm concerned, this is kind of new (this is originally a cryptography blog which is more algorithms and math). We need a baseline of trust, real trust, verifiable. Let's say you use a computer in a public area, that's a lot of bags/people moving around and prior bugs that can detect your unshielded computer. How do you know that the OS you're running is the only one currently running? Are there hidden sectors of memory, or are operations being stored somewhere hidden? These questions kill me...and they can kill all software security b/c they're beneath it and I'm trusting the screen to not lie to me.

I want a functional computer that I can actually use for something besides computer security, but it amazes me sometimes how shortsighted people can be for verifiable security, even geniuses (Bill Gates saying we'll only ever need 640KB memory...).

FigureitoutDecember 23, 2013 10:35 PM

Clive Robinson
And the longer we leave it the longer it will take, and in fact we may nolonger be able to do so...
--That really makes me sad...Given the technology of today a verifiable chip should be f*cking easy! I don't trust "workarounds" (sounds like another javascript/windows or java software patch that will get owned next week) no matter how clever there will still be the baseline of lies and falsehoods that can be exploited. We need a baseline of trust, period. Electrical engineering, using tools that have gained a lot of trust over the years; and simply the designs, we (or just me) need it.

FigureitoutDecember 23, 2013 11:33 PM

Anura
--Ah, I forgot to address your political aspirations. I remember my naive dreams and the years I wasted trying to think how I could possibly achieve them (then getting crushed by reality). Try what you propose, and let me know how it works out for you; maybe you have what it takes.

Fact of the matter, the political system is controlled by old people who drink Metamucil for lunch; and they don't understand real democracy that changes w/ time. If someone can implement a real-time direct-democracy system; rendering representatives pretty much useless and getting what we actually vote for, that's progress.

Oh, and I forgot to warn you, you will be labeled a terrorist and maybe you will have agents infiltrate any effort you put into this dream. Just so you know; I say let it collapse w/ all the derpers. Unless you want agents breaking into your home and either framing you or seeking ways to undermine your efforts. The world is evil, and I find the nerds to be the most trustworthy and technology will render them useless eventually b/c they don't understand it.

AspieDecember 23, 2013 11:42 PM

@Figureitout and all others concerned about fab miscreants

If this has been said then apols for repeating it .. but it bears repeating/thinking about.

Concerning the numbers it seems to me that any effort in fab subversion should be put into the most popular and commonplace devices. To do so means a *lot* of devices to consider and there has to be some limit where a device has less value in yield of useful intelligence than it would cost to subvert.

Sure, given an infinite budget and irresistible legal reach the IC could subvert everything from a shiny new multi-core Intel palace to a weeny transistor. But unless some huge advance in physics has been kept quiet I cannot conceivably see how the baddies can cross all boundaries without someone letting the moggy out of the bag.

As many have pointed out, operating a fab plant is incredibly expensive. Therein may lie a weakness if some IC type turns up with a blank cheque as an offer of assistance in return for some influence at the mask stage. But this would have to take place quite a lot and in countries that the US IC doesn't have a (visible) interest in. So many weak links, something would leak out. The stakes are so high. And thanks to Mr. Snowden, Trust - and the provability of it - is going to become the new first-tier commodity of 2014.

I'm just mulling at a top/simple level - there may be things that can be done beyond, say, an EMP to befuddle devices but to do so in a predictable way that can be repeated without detection and then exploited seems to be on the very fringes of credulity.

And as many others have said here; there has to be some trust. It's not like we can carve our own germanium cat's whisker as resistance movements did in the second world war to listen to allied radio transmissions.

Black box devices are just that but I'm sure there are some sound statistical ways to evaluate the less complex devices and pronounce them fit for their main purpose without overlooking vulnerabilities.

Like the river, the IC will take the path of least resistance. As long as there are fallible humans in any equation there are pressure points that are easier to exploit than the tech they trust.

Until we all have access to our own 3d printers that can assemble our own wafers atom-by-atom we have to use a different kind of magic to ensure that what we use is what it says it is.

Viivi and WagnerDecember 24, 2013 12:03 AM

Bruce's book "Carry On: Sound Advice from Schneier on Security" is on sale (in ebook format, i.e. non-DRM PDF, EPUB or mobi) for $14.99 USD at O'Reilly (oreilly.com).

This is actually the same as the price for the Kindle at amazon.com.

It is one of their "Ebook Deals of the Day" so I am not sure how long that lasts (I mean I would guess it depends on their timezone).

FigureitoutDecember 24, 2013 1:27 AM

Until we all have access to our own 3d printers that can assemble our own wafers atom-by-atom we have to use a different kind of magic to ensure that what we use is what it says it is.
Aspie
--That would be so cool, assuming a police state doesn't physically limit what I can create w/ my machine. Magic? It's just pure human trust, something that's similar to "love". It's just a human emotion and depending on the personality the human doesn't want to "100%" verify such a process (not the actual doing it, just the desire).

Such fluff to base a secure system on, but if one was to tell a story about humans and how we trust such a system to..oh let's say..aliens. That would be pretty neat. Most likely, they would laugh in their language and then either eliminate or enslave us.

WaelDecember 24, 2013 1:29 AM

@ Clive Robinson,

    I won't go into it again here but if you google this site for my name and "voting protocols" or "Castle-v-Prison" or "Probabilistic Security" you will find more in-depth information.

The "Probabilistic Security" concept you talked about was not treated in as much depth as the C-v-P topic.

Clive RobinsonDecember 24, 2013 6:23 AM

@ Aspie,

    And as many others have said here; there has to be some trust.

Does there?

I'm of the opinion that the less the trust you place in an entity or object then the less harm they can do by betraying it. Arguably you can never get down to 0% trust but that depends in part on your definition of trust.

I'm also --unlike most humans it seems-- no believer in past performance being an indicator of future performance (just as they are required to say on investment adverts).

That is I don't expect anyone on this blog to trust me, I actually expect them to think and verify what I say. As an expectation it also keeps me honest, and hopefully gives me an indication where I've erred due to being insufficiently informed or not up to the minute on the latest research (though I've been known to be a quarter of a century out in front on the odd occasion).

Speaking of which you state,

    Black box devices are just that but I'm sure there are some sound statistical ways to evaluate the less complex devices and pronounce them fit for their main purpose without overlooking vulnerabilities.

As individual supply lines sadly no because it requires destructive testing on all parts. You simply cannot prove the negative case of "it's not been backdoored"; all you can say is "I've not found one within my limits".

One such problem is aberrant or untrusted behaviour happening after a change of state caused by the output of a matched filter. In essence as it's not possible to go through all combinations of a 512 bit sequence, you cannot test for it. Thus a 512 bit shift register where the selection of Q or /Q (barred / inverted output) into a NOR gate is a matched filter which only triggers for a single 512 bit input and sets a latch that enables the aberrant behaviour. Such a circuit is relatively small compared to much other circuitry thus crude and obvious though it is when seen it can be "lost" in there and thus missed, or made as part of other functionality such as a USB RX buffer.

However if you have three fully independent supply lines of black boxes where the published function is identical within the limits of which you wish to use it then you can get some assurance. The independence means that although three black boxes are all sabotaged they are very unlikely to be sabotaged by the same sequence.

Thus if the three black boxes are given identical inputs their outputs will be identical until one of them either fails or has its sabotage circuit triggered. As they will not be triggered at the same time a "voting circuit" on the outputs will indicate the black box as having failed.

And it is this form of "mitigation" I would recommend thinking about and implementing as a method by which you can reduce your dependency on having to place trust in black box entities/objects.

This sort of mitigation means that you have a method of detecting trust failures as and when they occur and then need to take steps to remove/isolate trust failed parts of a system.
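
The three-independent-supply-line voter described above, simulated in Python as an added example (not code from the comment or the blog): each toy black box is a 512-bit shift register with a published output function, a sabotaged box additionally carries a hidden matched filter that latches on one specific 512-bit pattern, and a majority voter flags the first box whose output diverges. The last case goes beyond the comment to show why independence is the point: three boxes sharing one trigger fool the voter. Tap positions, stream length and trigger position are my own assumptions.

```python
"""Three-black-box majority voting against hidden matched-filter triggers.

Added example, not code from the comment or the blog.  Each toy black box is a
512-bit shift register with a published output function; a sabotaged box also
carries a hidden matched filter (the Q / Q-bar-into-NOR compare described
above, modelled here as an integer equality test) that sets a latch and
corrupts the output once one specific 512-bit pattern has been shifted in.
Tap positions, stream length and trigger position are assumptions.
"""
import random
from typing import List, Optional, Tuple

REG_BITS = 512
REG_MASK = (1 << REG_BITS) - 1


def published_function(reg: int) -> int:
    """The documented behaviour: parity of four taps of the register (assumed)."""
    return (reg ^ (reg >> 7) ^ (reg >> 13) ^ (reg >> 511)) & 1


class BlackBox:
    """A shift-register device; trigger=None models an honest supply line."""

    def __init__(self, trigger: Optional[int] = None) -> None:
        self.reg = 0
        self.trigger = trigger  # hidden 512-bit pattern, or None
        self.latched = False    # set once the matched filter fires

    def clock(self, bit: int) -> int:
        self.reg = ((self.reg << 1) | (bit & 1)) & REG_MASK
        if self.trigger is not None and self.reg == self.trigger:
            self.latched = True  # matched filter: exactly one 512-bit input fires it
        out = published_function(self.reg)
        return out ^ 1 if self.latched else out  # aberrant behaviour after the latch


def vote(outputs: List[int]) -> Tuple[int, Optional[int]]:
    """Majority of three; returns (majority_bit, index of the dissenting box or None)."""
    a, b, c = outputs
    majority = (a & b) | (a & c) | (b & c)
    dissent = [i for i, o in enumerate(outputs) if o != majority]
    return majority, (dissent[0] if dissent else None)


def run(boxes: List[BlackBox], stream: List[int]) -> Optional[Tuple[int, int]]:
    """Feed identical input to all boxes; return (clock, box_index) of the first
    disagreement the voter sees, or None if the outputs never diverge."""
    for t, bit in enumerate(stream):
        _, bad = vote([box.clock(bit) for box in boxes])
        if bad is not None:
            return t, bad
    return None


def make_stream(length: int, seed: int) -> List[int]:
    """Constructed, reproducible input bit stream (not real traffic)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(length)]


def pattern_after(stream: List[int], n: int) -> int:
    """Register contents after the first n bits (n >= 512) have been clocked in."""
    return int("".join(str(b) for b in stream[n - REG_BITS:n]), 2)


if __name__ == "__main__":
    bits = make_stream(2000, seed=1)
    trig = pattern_after(bits, 1000)          # the saboteur's chosen trigger
    print(run([BlackBox(), BlackBox(trig), BlackBox()], bits))   # (999, 1): caught
    print(run([BlackBox(), BlackBox(), BlackBox()], bits))       # None: all honest
    # Same supply line, same trigger in all three: the voter sees agreement and
    # the sabotage passes unnoticed, which is why independence is the point.
    print(run([BlackBox(trig), BlackBox(trig), BlackBox(trig)], bits))  # None
```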

Nick PDecember 24, 2013 10:40 AM

Snowden says mission accomplished
http://www.washingtonpost.com/world/national-security/edward-snowden-after-months-of-nsa-revelations-says-his-missions-accomplished/2013/12/23/49fc36de-6c1c-11e3-a523-fe73f0ff6b8d_story.html

I say BS on that headline. The political side of this in the US, the only thing that can change it, has been an abysmal failure. NSA is still in charge. As far as Internet security issues, there is awareness and work going on as a result of the leaks. That's a good effect.

Change, though, will require powerful private or public interests putting the squeeze on Congress and President to put squeeze on NSA. That's about the only way to stop them. Snowden failed to have an impact there. That's where power interests are winning. That's where almost all effort needs to be focused.

Nick PDecember 24, 2013 11:25 AM

The most important contribution of Snowden

I've been criticized in the past for talking as if Snowden has no value. To be clear, I think the exact opposite: his actions are a great contribution. I just think the contribution isn't slamming NSA as they're still incredibly powerful & their machines are still running. No, Snowden gave the next freedom fighter something far more valuable that I haven't seen a single article on: a field test of how the establishment will react to them featuring what works and what doesn't.

I can't quite give details as I'd rather have a thorough analysis by credible people in each category. Here are a few things to look at.

Media portrayal. Look at the Snowden situation in the very beginning, in the middle after his credibility was established, and currently. Determine which US media outlets reported on specific things, which tried to spin it in a negative way, which were fair, etc. Do the same for the top foreign outlets. You now have a guide for which media outlets to work with on the next project.

Safe countries for residence. Snowden situation if I recall came down to around 3 countries to decide from. I'd like to know if there were more than 3 countries trusted against US and they just filtered it to 3 by their preferences. Or were there just three? Well, those three are your future base of operations.

Safe countries for temporary status. He chose Hong Kong. It worked for a while. More analysis is needed on how much effect US has on different countries and how long they can be stalled in each. Hong Kong also has good data protection laws that *might* be helpful for storing information people want to take down. Iceland is trying to take the throne there, now.

Legality. The reaction to Snowden and Wikileaks showed us the extra-legal measures the establishment will go to when it deems it necessary. Surrounding an embassy with cops, intercepting diplomatic planes, etc. Many people might have assumed these would be safe middle routes. They're not. Snowden and others before him showed it.

Finance. This was more Wikileaks contribution but it's important to remember. The big banks, the country's most powerful organizations, took Wikileaks down by cutting off their funds. That was mainly credit cards and PayPal. We also know US govt monitors SWIFT transactions. Put it together, operational funds will have to be cash, electronic transactions immune to US influence (whatever they are), or third parties acting on one's behalf.

Spy/military stuff. The OPSEC they were using was too weak to defeat professional covert operators with TLA-level support. My bet was that, if they really wanted Snowden dead, he'd be dead quick along with anyone helping him. There are two possibilities here: they had no intention of killing the whistleblower; the locations he chose meant they wouldn't risk sending in pros. Future whistleblowers might want to know which it is to assess their risk.

Public's reaction in US. What was the effect on voters that can change the law? Nothing? ;) A little? A lot? The less effect it has, the less someone should leak if this is who they're doing it for. However, a story that might have a huge effect (eg Pentagon Papers) should be leaked.

Companies' reaction. This has been mostly self-serving defence. There are companies publicly saying they want NSA activities reined in. They're apparently also cooperating privately. Two or three companies shut down which, while commendable in courage, just provides people fewer opportunities for safe communications. So, the Snowden leaks show us the companies with the power to push politicians (eg campaign contributions) will only invest in public relations stunts like denouncements and link encrypters between data centers. (Admittedly the latter has benefit against *other* attackers.)

Foreign reaction. This is where the real effect was. Foreigners were shocked US was spying on them. Of course, they spy on the US too. ;) The sheer scope of the NSA subversion, told by Snowden leaks, shocked them into actually changing purchasing decisions and *potentially* supporting the next freedom fighter with something to offer. There's more chance now for subversion resistant designs/tech to take off. A whistleblower aiming at this effect might actually accomplish something.

Security industry reaction. Most of them are just pushing their products saying it will protect communications. They won't. The industry is mostly just serving its own bottom line. However, this means if you own stock in such a company, you might as well support whistleblowers for the sales boost. ;)

NSA security. This was subject to plenty of discussions originally but I think we can't say much now. They actually are in flux changing policies to try to prevent another Snowden. Hard to say what would or wouldn't work here. However, my previous analysis on their weaknesses still applies: keeping a low profile; targeting data a whole group of people has access to and keep in mind they will narrow the suspect list based on access; copy information in ways that don't create records within the system. They're doing more polygraphs now. There are books on dealing with that pseudoscientific device. Most important, I encourage people to only leak evidence of illegal or corrupt activity. First time someone hurts national security for almost nothing they're gonna run with that in the media.

Last but not least: technical measures. We have an idea of what their capabilities are. They have attacks on major smartphones, web browsers, Tor, the weaker aspects of top crypto standards, carrier links, and possibly most popular desktop chips from US companies. This means the freedom fighter is safer using a widely used/inspected open source platform on foreign hardware if NSA is the concern. Russian, Chinese or Japanese tech with a security focused/hardened BSD or Linux is preferable. Do the same for the router. Don't trust DNS, cellphones or the middle link. Keep your docs, private key and possibly master copies of software on an air gapped computer using only serial ports for incoming data. Use open firmware. Use people, paper, and old school tradecraft where possible. Tech features are just weapons to NSA. Gotta turn down one to turn down the other. :(

So, even though NSA is still in charge, Snowden's actions taught us plenty. The next person should learn from them if he or she wants to maximize success.

FigureitoutDecember 24, 2013 1:10 PM

OT
--Quick software/website question, if anyone can answer would be great. Was searching for a link to this story about finally some legal action being taken against the NSA and of course the individual will notice funny glitches in his tech. trying to scare him:

http://www.usnews.com/news/articles/2013/12/23/nsa-lawsuit-attorney-ignore-white-house-panel

That would be a single page b/c clicking a new page and loading is annoying when reading. Didn't work but I could, silly enough, go to page -9999999(repeating). Why does the site let me do that?

http://www.usnews.com/news/articles/2013/12/23/nsa-lawsuit-attorney-ignore-white-house-panel?page=-99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999

Mike the goatDecember 26, 2013 1:16 AM

Nick P: I agree. Very little has been achieved by Snowden's highly selective disclosure. The only somewhat good thing that can be said is that the public now has solid confirmatory evidence that the NSA has been spying on them, something those of us in the business have known about for a very long time. Hell, even those who didn't knew after the dude blew the whistle about the fiber tap room in CA.

Oh, and by the way - Merry Christmas guys!

AspsieDecember 26, 2013 3:03 AM

@Nick P
You make some fair points. One that stood out is that if I were Gen. Alexander and agency boys were pushing to liquidate Snowden I'd send a detail of assets to protect him. From the agency's perspective a martyrdom would be far more damaging to their attempt to spin this as a benign protection operation because even if they weren't responsible there'd be almost nobody with an IQ above room temperature who would believe their denials.

Also Snowden called the idea of a "dead man's switch" a "suicide switch" because of the risk that someone who wanted the remaining documents dumped into the public domain would just have Snowden killed. I'm sure at least two countries would take that option if it were available.

@Clive Robinson
Fair point wrt hiding a spider and as processes get smaller and mask complexities increase it's easier to hide. I was also trying to make the point that if the design passes before enough unbriefed eyes maybe one or more pairs would pick up the case and if that got out into the media the landscape could drastically change.

@Mike the goat
Without being sure that all the Snowden docs have been examined it's impossible to say if the biggest cats have been let out of the bag yet or if there's a tiger or three still waiting in there. If the NSA don't even know what Snowden took they will probably prepare for the worst - which might be hinted at by their next moves - and it may be that the "worst" revelations are yet to come. It's a bit of a game - don't play the strongest cards just hint that you have stronger ones to play if you don't get what you want.

@Figureitout - Google making their own chips
What a gift to the IC that could be! Centralise the snooping and snooping tech. Next story: Google raises its own army to go into the CAR to protect tantalum mines.

Nick PDecember 26, 2013 7:31 AM

@ Spike

Did you just read that Snowden leaked something and then slept in a cave for a while? The US govt has effectively endorsed him by:

1. Putting an insane, goodwill-burning amount of effort into trying to get him back

2. Straight up saying that he was leaking real classified information

3. Trying to get the rest of the docs back before he leaks them.

So, regardless of who Snowden is personally, we can be sure that at least *some* of what he's been leaking is genuine classified information and highly important. All of it might be. So far claims about the data's origin & sensitivity have been proven out as above.

@ Mike

"Hell, even those who didn't knew after the dude blew the whistle about the fiber tap room in CA."

Exactly! I mentioned the previous revelations here when the Snowden affair started. I said that Americans already received evidence and whistleblowing about the surveillance. They didn't care. So why would new revelations on that help? Fast forward a while: it didn't.

@ Aspie

" I'm sure at least two countries would take that option if it were available."

I was thinking that at first but now I'm not so sure. Well, he lived so that's one reason. ;) The other reason was that the Russians said he didn't tell them anything they didn't know already. And even US govt agencies have reported how thoroughly our country is compromised by Chinese, Russian and Japanese agents. At one point, Mitsubishi was found sending the President's Daily Brief to Japan. (!) So the big countries that could find him probably already knew about the efforts if not every detail.

Google chip

" Google making their own chips
What a gift to the IC that could be! Centralise the snooping and snooping tech. Next story: Google raises its own army to go into the CAR to protect tantalum mines."

Lol. Yeah, a Google chip to solve trust issues is like Enron creating a subsidiary dedicated to preventing financial fraud that they promise they will use.

I bet Google's chip will use the classic PIO technique for keyboard so it goes right to the processor. They'll say this is so their algorithms can "analyse user input... uh metadata... to deliver ads more customized to the needs of the user." And any passwords or such that are intercepted are "wiped as a matter of company policy. Internal policy that's separate from our terms of use contract you agreed to by opening the box. We swear we follow it though."

Clive RobinsonDecember 26, 2013 8:57 AM

@ Nick P,

The question of whether Ed Snowden has achieved his task or not depends on your "expectations of outcome".

Arguably the first step to change is "knowledge" without which you may not know you are being harmed.

Whilst to "old timers" such as Bruce and others old enough to have lived through Ronnie "Ray Gun" and "Mad Margaret" Thatcher or earlier events of the "Cuban Missile Crisis" or the "Raising of the Berlin Wall" and the "Berlin Airlift", Freedom is aligned to Liberty, it is not so to those considerably younger.

In the US (and other places) people have been subject to the "Boil the frog" experiment of lobbyists and lawyers working for corporations, who have given both money and pre-written legislation to politicians to vote into law against the citizens. This "Death by a thousand cuts" has caused freedom to change its meaning in people's minds and the word Liberty to languish in dictionaries; no longer in most minds is the idea of freedom something to do with how people are treated, it's now all about "freedom for companies to own property". Which in turn has enslaved people with "IP rights" where you as an individual no longer have even individual property rights, you no longer buy a book, a song or your home, you get a licence to use that can be revoked at any time without any real right of recourse. Soon if the corporations get their way you will not even own a car or the clothes on your back, you will merely lease them. You will not be able to sell second hand because even "property rights" will have gone; we have seen this with "format licences" which stop you as an individual being creative, you cannot write a game for a games console because the console supplier "owns the format".

Thus the Freedom of personal creativity is going little by little and with it a fundamental right to self expression which over many years has been the hallmark of a democratic society and once enshrined in law as "free speech".

Is it too late to stop?

In the US perhaps the tipping point is long since gone, each generation is born to less and less liberty but they don't know this they just accept it, unless they have the knowledge to see just how hot the water has become.

Ed Snowden has lifted a small corner of the curtain which has been slowly drawn around our Liberty and in so doing has shone light on the dark recesses of unelected government that we pay for through taxes but is controlled not by us but the corporations with fat wallets and smart lawyers.

It has been said that sunlight, the essence of daylight, is the strongest disinfectant, killing all that flourishes in the dark. Hopefully Ed Snowden's revelations will provide the much needed light to start the cleansing process.

However what is needed is to destroy the unseen money supply which makes "representational democracy" the new slavery of the masses to the largely ignored plutocracy hiding in the shadows as puppet masters who have bought the politicians by the bushel.

There are a number of ways this can be done, one such is legislation, but as frequently observed "turkeys don't vote for Xmas", so I can not see the turkeys on the hill voting to get rid of the teat of largess of the corporate wallet on which they greedily suckle, rather than work honestly for those who voted for them. And for various reasons untainted individuals will not be allowed to stand, because at the very least they will not get the publicity required and probably much much worse not just for them but their loved ones as well.

Outside of the "mutiny" of rebellion with its attendant civil war blood loss and years of endless retribution, it appears there is little that can be done from within the US by its people. The separation from the rest of the world the US people craved prior to the Second World War has always been an illusion which was used to hide many dark deeds carried out in their name. Unfortunately it has left the US weak and dependent like a drug addict, the drug being technology. On 9/11 the double edged nature of technology and the US dependence on it became bleakly clear to all who had access to a television, radio or newspaper; US technology was turned against the US people by just a handful of people. The awakening occurred, the sins of past US behaviour had come back to haunt the US people, they no longer had the illusion of isolation. Questions started to be asked of the representatives, that they dare not answer with the truth, so a state of emergency was "created" and a "War declared" and the drums started to beat and nationalistic fervour was brought forth, and sadly the truth was lost behind a handful of chutzpah.

Much of what has happened since is an almost desperate fight by the plutocrats and wannabes to regain the illusion of isolationism, this time as "the world against America" with notions of "Cheese eating surrender monkeys" and worse. One thing that became clear was that US companies owned other countries' money supply. The Fed has in effect "stolen the gold" of many nations, and non cash transactions via credit cards are controlled by US companies, thus as WikiLeaks and many others have discovered AVM and PayPal can cut them off or even steal their funds and earmark their supporters to the US Gov.

So whilst knowledge is but a first step, a vital second would be the establishment of funding routes that are independent of not just the US Gov but all Govs as well as being very strongly anonymous. Whilst there are such systems some hundreds of years old, modern "cyber-currencies" are not even close. It appears that our "financial instruments" still need to be in some physical form as tokens to achieve both independence and anonymity.

A useful third step is to devalue the plutocrats and the companies they depend on. If non US citizens stopped buying goods "tainted by US investment" and "US secret laws" and importantly international trade stopped using the US dollar then the US dollar would lose its value significantly and may even produce a "run on the currency". Unfortunately this would have a major effect on US citizens which the US Gov would quite happily go to war to prevent (which they did when Saddam approached various European countries to move from selling oil in dollars to only selling it in Euros).

But in some ways the US Gov has gone to war against the rest of the world via trade. It's not very newsworthy for some reason but what the US is currently doing with world trade agreements is quite frankly shocking, and for some reason other countries appear too frightened to fight it out.

One of the more recent is the TPP over in Singapore involving Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, the United States and Vietnam.

Apparently the US has insisted on absolute secrecy such that negotiators cannot even discuss it with other parts of their own governments.

One such term the US is pushing for is the right for US companies to side step other countries' courts and basically make claim on the country's tax income for what are basically allegations of counterfeiting by the US companies. It appears a favoured tactic by the US is "landing zones" whereby various techniques small weak countries' votes are in effect bought cheaply on "vague promises" and used against other stronger countries... No doubt any US favourable arrangement in the TPP will be used in turn as a "landing zone" to bludgeon similar or more US favourable arrangements at the next WTO talks.

This sort of behaviour is only really possible because the US dollar is considered the "world trading currency" because it in effect forces countries to treat the US as a preferential trader irrespective of any actual real requirement to trade with the US.

This then has other knock on effects which end up causing harm to citizens of other countries that in turn causes not just resentment but fertile breeding grounds for terrorism be it domestic or international. When domestic the US is one of the first to step forward to offer "aid and assistance" one way or another to either side thus pushing the spiral around and creating debt etc. Eventually resentment grows to the point where the terrorism becomes international in nature which causes further US "aid and assistance" exploitation which makes the problems worse.

This foreign political instability is often exploited by what are --or are seen as-- US companies as it provides cheap labour for extracting raw resources at "bottom dollar" price. So as we have seen the US has used intelligence and military muscle frequently in support of US Corps including regime changes with what are at best indebted governments or worse puppet governments (such as Iraq).

History shows that such policies tend to end badly not just for the citizens of the countries but for US citizens as well (Persia - Iran).

So it is perhaps unsurprising that the NSA wants to spy on foreign countries so heavily. But likewise having been the cause of many civil wars in other countries it is mindful that the same could easily occur in the US, therefore it has to spy on what are in effect the "domestic enemy" of US citizens.

The question thus arises that now it's been clearly shown that the US Gov fears the US Citizen and thus shown that the US Gov is raising the water temperature, will the "frog" of US citizens choose to jump or carry on being boiled alive?

For the rest of the world we appear to hold the conviction that "Joe Sixpack" wants to enjoy the heat of the technology drug at any cost...

As the words of the Jim Croce song say,

    Which way are you going, which side will you be on...

http://www.youtube.com/watch?v=6FPlHot8QQk

Or perhaps "Barry McGuire" was right about the "Eve of Destruction" (they killed his career after it).

http://www.youtube.com/watch?v=qfZVu0alU0I

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..