Schneier on Security

Clive Robinson • February 5, 2014 8:20 PM

@ n0n3,

Have you actually read the patent?

It’s one of those that is distinctly questionable.

To see why replace “brain waves” with “vocal waves” and you will see at best it’s a reworking of very early –and mostly usless– voice recognition (which ended up being used in very unreliable “voice opperated locks” etc).

The earliest patents on “stored waveform comparison” systems are now out of date and as far as I can remember never earnt their inventors a brass nickle.

Based on this patent you should have a look at how voice recognition systems have improved and then patent them to work not with voice but brainwaves…

Clive Robinson • February 6, 2014 9:58 PM

@Ben Brockert, Brandioch Conner,

Can any computer with a wifi adapter in it be said to be “air-gapped”? If I was doing air-gapped work I wouldn’t want the computer to have wifi, IR, powerline gigabit, wireless mouse or keyboard, etc.

I would say that any computer not following “EmSec Best Practice” is a liability.

This applies not just to pasive TEMPEST “emmissions”, “active EM” attacks including “injection attacks” but also importantly to other types of “energy emmissions” be they by sound, mechanical, gravitational etc and secondary emmissions by other means.

For instance the bandwidth of “convected heat” may be low but it does convay one bit of information “the equipment is energised” which might be sufficient (ie to send in the SWAT team to catch you “logged in”).

Likewise “gravitational” mad as it sounds back in the 1970’s researchers found that buildings with “concreat raft” construction bent and distorted when people walked across them and this could be detected and measured with a relitivly simple pendulum type device. Three such devices enabled other researchers to triangulate the distortions to get a positional fix… The modern equivalent used in some high tech alarms with appropriate DSP processing could potentialy follow a number of individuals around such a building…

Clive Robinson • February 10, 2014 4:26 AM

@ Iain Moffat,

Hmm it’s been busy the past few days so it’s rebuild the comment from the old grey cells, that I guess are now turning white with age 🙁 so the rebuild is going of necescity to be larger to ensure I’ve not forgoton anything ).

The question that arises about the “exploitable faults” you and others have found is,

Did they occure by accident or design?

Especialy those that don’t get fixed.

I’ve been saying long before the Ed Snowden revelations that protocols and standards are the places I would expect the likes of GCHQ and NSA to be playing in these days, since other unsubtle approaches such as that of the “clipper chip” have been recognised for what they are and the resulting hew&cry ment such obvious legislative initiatives failed.

Partly because I’ve seen it in action with the likes of MI5 / GCHQ working through the GPO / BT with phone standards and other 5eye’s nations at ITU and similar international bodies. And mainly because as history shows us the problems will exist for a good third of a lifetime after the standard gets fixed (if they ever do). Due to embedded infrastructure and other “backwards compatability” giving rise to “MITM fallback attacks”.

The clasic example being, causing communication link encryption to “fallback” to “plaintext/ascii” without informing, let alone warning the user “in case it scares them” and they end up “calling tech support”…

I’ve called foul on the NSA on the NIST AES competition for a considerable period of time and in this I’m not alone [1].

As you are probably aware the AES algorithm though theoreticaly secure causes all sorts of side channels when implemented practicaly. The NSA would have known well befor the competition rules were set that this would be the likely outcome, and at the very least the NSA should have warned NIST, but they chose to keep quiet, much to their advantage.

Likewise other standards bodies such as the IEEE have produced standards that were either not realy in their domain of expertise or were “finessed” in some way. In fact when you look at how standards organisations are set up you could not wish for a better system for finessing [2].

The only reason it came to light over the EC random generator was the compleatly ham fisted way it was done. Which NIST had been pretending was not an issue –presumably on seaking advice from the NSA– untill the Ed Snowden docs forced the issue [1].

The way to go about finessing is to either make a simple task complex by mandating different methods for “edge cases” or by not documenting behaviour under exception, either way you make “holes” in the standards. You then produce prototypes where you use these holes to down grade security, knowing that “as your prototype works” everyone will either use it or ensure they are compatible with it… at which point it’s now “baked in” and will only go away when the standard is finally fully obsoleate some 25 to 50 years hence. The second trick which we see in GSM Standards is to encode your old standard into a sucsession of newer standards for which “regulatory compliance” is required… thus the “listen in” feature of the old POTS makes it’s way forwards in time through early digital telephony through ISDN into mobile telephony. And the way to get it in, in the first place is the old gag of claiming it’s a nessecary “test” or “safety” requirment or both.

For a recent example have a look at how unnessary GPS hardware is mandated for all US mobile phones and thus by extention of mass production cost savings into all other phones that might be usable in the US…

Thus the question “accident or design” answer depends in part to the skill of the finesse. Thus I view unexploitable bugs as “accidents” or incompetence of which we are all capable. But those bugs which are shall we say “fortuitously exploitable” with a degree of suspicion, especialy when as the result of a “commitee decision” with representatives of a dubious pedigree (as many commitee members are due to trade and other associations 😉 Thus it’s best sometimes either to just shake your head in disbelife or as made famous by Watergate “Follow the money” because somebody is paying those commitee members wages and expenses…

Which brings me back to the issue of “comercial spying” money has to come from somewhere, and as has so often been observed “wheels need greasing”. Crude greasing with brown paper envolops stuffed with high denomination notes cause problems to both parties. A nod to the wise on an investment or two is a lot lot less problematic, as is information on what R&D routes won’t get results and which will. All of which nicely side steps US national and international corupt practices legislation by not leaving a paper trail that’s actionable unless one of the parties is particularly stupid (which might account for why US politicos have exemptions etc).

The French have made no secret of the fact they spy on foreign companies to cut the cost of R&D in the favourd French companies. The Japanese are likewise known to do industrial espionage with government paid agents, it’s one of the reasons the South Koreans have such stiff legal penalties to deter such activities. We likewise know that the US spys on trade delegations which often have industry representatives on board. Thus US claims “we don’t do that’ are frankly not belivable, and in the fullness of time I expect the press will find sufficient evidence of this in the Snowden document cache.

We also know from Olly North that commercial organisations –legal or otherwise– and the hidden money they make are vital to the intel game. For a front company to make money it has to have “product” in one form or another and “information” is the most profitable primary product there is. And with the likes of “parellel construction” it’s virtualy impossible to trace the source of the information.

So yes I feel on balance that the US intel entities are very much into industrial espionage for one reason or another. And it matters not if the NSA designes and builds the resources and supplies them to other agencies to collect the intel or if they do it directly themselves. Such “compentmentalised hair spliting” is the game of politics just as Pontious Pilate supposadly “washed his hands” of the awkward political problem of the Hebrew Massiah and Jewish religious leaders who were playing their own political game. Such games are older than mankinds recorded history. In fact it is often joked that “Spying is the real oldest proffession, but keep it a secret”.

[1] The problem with pointing out such things is that it suffers from the “Lead the horse to water…” problem, people don’t in general want to take it on board as this means “thinking and acting” all of which is messy and complicated. So you say it politely and give your evidence / reasoning / suspicions and then don’t push it. Because if you do push, the not wanting to “thing&act” people will simply cry “your wrong”, “your reasonings faulty”, “you don’t understand”, “your evidence is wrong” etc etc through to writing you off as a “conspiracy nut” because that way they neither have to think or act… And when the evidence comes in to force them to think and act do they say sorry? To use the old saws “Don’t be daft…” and “don’t hold your breath…”. I’m sure if Peter Gutmann or Niels Furguson are reading this they will be nodding their heads as will many others 😉

[2] The word “finessing” is an odd one and it comes about due to the British upper middle classes and upper class interest in the card game called “bridge”, which is basicaly “Whist” with a whole bunch of other rules on top used to make the betting/playing aspect more intresting. In essence Finessing means “puting one over” onto your opponent “to win a trick” in their full view such that you can mislead them without any come back in essence you “force their hand”. It’s derived from the word finesse which is in turn derived from a “French courtly word” from the “Old French word” ‘fin’ meaning subtle or delicate which also gives us the common English word ‘fine’. The use of the word in cryptography started with the British and seems to have come to the fore during WWII, though certainly in use in espionage etc well back into the 1800’s.

[]