Friday Squid Blogging: Encounter Between a Submersible Robot and a Giant Squid

Wow.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on March 28, 2014 at 4:08 PM • 148 Comments

Comments

KnottWhittingleyMarch 28, 2014 5:46 PM

About license plate databases and the privatization of mass surveillance---because it's so much better for private corporations to have unchecked power---an earlier article from Greenwald at The Intercept:

https://firstlook.org/theintercept/2014/03/17/1756license-plate-tracking-database/

While we wait and see if EFF and ACLU we can get around FOIA stonewalling and get anywhere in the courts, I'm wondering about alternative strategies for exposing the extent and significance of license plate databases.

The companies don't quire warrants to service requests from LEOs, so if we could get some righteous Law enforcement officer to start requesting data, and testify about what's in it, maybe we can bypass the stone wall.

(Say, an enterprising DA somewhere adjacent to to LA county who thinks this is going too far, and wants to show that LA is violating suburbanites privacy? They'd have the rationale that they have reasonable suspicion that the privacy invasions are illegal or unconstitutional, right?)

Or maybe ask a thousand random LA folks to request records about their own cars---whose privacy would that violate? I bet a significant fraction of them would be up for it, on principle or for $20, and think its worth letting EFF or ACLU see how easy it is to figure out they were gay, or had gotten an abortion, or whatever.

It would be funny to look for information on cars owned by, for example, LA police honchos, execs and lobbyists of license plate tracking corporations (esp. Vigilant), politicians, etc., and see what dirt you could dig up. Unfortunately I don't see how to do that without getting in to real trouble for really violating people's privacy. But maybe it would be worth it to some Snowdenesque whistleblower in law enforcement, leaking anonymized versions of those things with funny examples. (E.g., that some Vigilant lobbyist is sometimes at the same gay bar as some DA, some Republican politician's wife seems to have had an abortion, etc.)

AndrewMarch 28, 2014 5:57 PM

Hello Mr Schneier,

While searching around internet for cryptography information I'm becoming less and less confident that anything is thrustable.

I discovered this article from 2007 (http://www.codeproject.com/Articles/10154/NET-Encryption-Simplified), where the author mentioned:

"Even worse, this weird little "key container" file usually goes to the current user's folder! I have specified a machine folder as documented in this Microsoft knowledge base article. Every time we perform an asymmetric encryption operation, a file is created and then destroyed in the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder. It is simply unavoidable, which you can see for yourself by opening this folder and watching what happens to it when you make asymmetric encryption calls. Make sure whatever account .NET is running as (ASP.NET, etc.) has permission to this folder!"

Obviously, a key once written on the hard disk could be restored later, even if deleted (but not overwritten). This looks rather like a backdoor in the encryption library, although the author may be wrong, of course.

My question is, do you think they really gone that far, like exposing directly the keys with such methods? I can only think that if this is real and happened in 2007, obviously nothing is really encrypted now. Do you think encryption libraries are still thrustable?

CatMatMarch 28, 2014 6:18 PM

@Andrew,
of course nothing you've done on a compromized platform is trustable, but I don't see how anyone would have considered the .NET wrapper implementation secure in the first place. Even if it doesn't expose the keys directly.

Spaceman SpiffMarch 28, 2014 6:31 PM

Shades of 20,000 Leagues Under the Sea! Neat! That must have been one REALLY big calamari... :-)

BenniMarch 28, 2014 6:46 PM


Severe security hole in dozens of fritzbox routers and other fritzbox products:

http://www.heise.de/security/meldung/Jetzt-Fritzbox-aktualisieren-Hack-gegen-AVM-Router-auch-ohne-Fernzugang-2115745.html

is now used by criminals, to remotely get into the router, and make expensive phone calls with the connected phones. estimated money loss 200.000 euros with 400 victoms in germany, after the first three weeks:
http://www.heise.de/security/meldung/Jetzt-VoIP-Passwort-aendern-Kriminelle-nutzen-erbeutete-Fritzbox-Daten-aus-2155168.html

You want the sourcecode of a real huawei router, in order to see whether it has backdoors?

Well, the devices speedport-ip W723v Typ A, and speedport-ip W724v Typ A, Speedport HSPA, Speedport LTE Speedport LTE II, are distributed by the german ISP deutsche Telekom, but are manufactured by Huawei, And the deutsche Telekom pressed Huawei to publish the source.

For example, here you apparently can find the source of speedport 723v type A (which is the router of a neighbor of mine):

http://hilfe.telekom.de/hsp/cms/content/HSP/de/3388/FAQ/theme-71990825/Geraete-und-Zubehoer/theme-2000178/DSL-Geraete/theme-66139021/Speedport-Serie/theme-66140359/Speedport-W-7xx-Serie/theme-293811306/Speedport-W-723V-Typ-A

The source can be downloaded under the "Quellcode" which is german for sourcecode:

http://hilfe.telekom.de/dlp/eki/downloads/Speedport/Speedport%20W%20723V%20Typ%20A/Speedport_W_723V_Typ_A.tar.bz2

I have not checked the source out myself, since I dont have time now as I am busy with other things.

If you find any backdoor or other security leak, Just poste it, I would be curious to read.

KnottWhittingleyMarch 28, 2014 7:25 PM

Benni, they don't claim that. They claim to have witnessed an NSA-style breach.

They say that think it probably wasn't NSA itself, but CIA or some other US or allied intelligence agency.

"The compelling attribute of the information they grabbed is that it was useful only to American intelligence. The narrowness of the SQL query clearly identified why they wanted the data. It wasn't support information, something that a support engineer would want. It wasn't indiscriminate information, something a hacker might grab. It wasn't something that would interest other intelligence services -- except to pass it on to the Americans."

I don't know what the data could be that would be of interest only to US intelligence agencies, or somebody wanting to pass it on to one.

FigureitoutMarch 28, 2014 9:04 PM

Wow.
Bruce
--Said the same thing w/ the major layout change you did to the blog. Where's my blue?! I need my blue. Oh well lol. And I know you're probably jelly it wasn't you at the bottom of the ocean having a smushfest w/ a squid; you know they get lonely done there. :p

Andrew
--Welcome to the club! Something else is becoming "thrustable", as you put it. I believe it's also possible for malware to add a file everytime you insert external media or try to create new ones. This malware even persists in RAM so LiveCD/USB's get compromised too. Problem is, when I get down to the level I want to be at, w/ the assurance I want, encryption will take all day. So extremely impractical OTP "in your head" encryption prior to entry and hand deliver code book would give plenty of false intel and false decryptions is all I got...

Nick P RE: Minitel
--Sorry for delay, busy as always, barely have time to breathe. Of course it died off...However it also got spammed...(grr). I'd say it needs to be closed off and "opt-in" membership type deal but that's elitist. But otherwise it gets spammed...I'm pretty curious about the code that would make a "non-web" on the web; I don't know though if it's javascript I'm out. I'm not going to win brownie (or brown-nose) points but this new storage system at my school, my 1st impression is garbage! So much javascript and of course it crashes and couldn't even move my files from the local hard-disk. And it's all untrustworthy internet so all my files can be copied and changed at will (I guess like always..) Anyway, like your design idea, there needs to be no possibly physical way for a file to reach the core of my computer from internet, just have a separate processor. You've talked about this extensively but it's the most practical/do-able way I think.

Nick PMarch 28, 2014 10:15 PM

@ Figureitout

Look up Tanenbaum's Globe project. The recent Minix conversation made me look it up. It was a HTTP alternative that originally built on a distributed OS (Amoeba). They even implemented HTTP and Globe together at one point. Much more interesting than the French option. I only mentioned the French option to show that a limited, custom, separate network could be useful at a national level.

Nick PMarch 28, 2014 10:21 PM

New site design threw me off at first. Figured it was glitching. Anyway, it looks alright except that it's so bright. Grayish, thin text on a background of lots of white. Squinting at it gave me a headache on one of my machines. Red links are an interesting choice. They fit with the design. I like the top right image and prominent 'featured essays' section, too.

BenniMarch 28, 2014 11:20 PM

The original spiegel article on Huawei

https://magazin.spiegel.de/digital/index_SP.html#SP/2014/13/126149146


which has to be bought, contains much more information than the online article. Among it, are thefts of the chinese. The snowden files contained details what the chinese have stolen.

two chinese generals are cited by Spiegel: "the influence of a hacker would be greater than that of an atomic bomb in the information age." And the article says that the chinese generals assess, the US are only damageable in cyberspace. So the chinese stole the plans for the fighters B2, F-35, F-22, the design for air defense missiles of american atomic submarines, as well as 33000 personal files of officers and hacked their way into 300.000 accounts on the navy. In the Pentagon 500 computers were infected. They also hacked their way into a major US oil company, and one of the largest us software company was attacked so that the chinese could even change the sourcecode.

A major reason for the chinese attacks seem to be economical.

"We are years back in our development, a chinese general is cited. Even india is, 60 years before us, when it comes to technique"

But then the article goes to the american activities.

In Honkong, snowden just said, the nsa would have tapped the communications of the university and students in Honkong.

This is made more precise by the spiegel article, where it is additionaly writen that nsa attacked "several chinese universities in the mainland"-

Attacking of university professors and students is strange, I think. Especially the university of Honkong is very good. On Honkong, there even is a fields medallist teaching, the mathematics genius Shin Tung Yau. Attacking this university would nevertheless fit that attack on Prof. Quisquater: http://en.wikipedia.org/wiki/Jean-Jacques_Quisquater

Then, nsa spied on chinese government. They tapped 219 mobile phones and 53 other phones of chinese officials, among them Hu Jintao.

Two major chinese telecommunication providers were hacked, allowing, among others, the tapping of the entire communications from the chinese army, a full take of all communications of the chinese trade ministry, the communications of the chinese news agency Xinhua, the import export bank, the tourism ministry, the customs authorities.


Huawei was attackt not only once but first in 2006, and then in 2009 again. The nsa was supported by the white house and the us trade ministry.

(The article leaves it unclear why the trade ministry, that supports us companies with intelligence from with its advocacy centre, does support the nsa in attacks on foreing firms?)

The article reads

"With the attack, the nsa just follows the top secret policy "national intelligence estimate" that was decided by the whithe house and all secret agencies.

It says "we act on the assumption that the leading role of international corporations and foreign single persons in the sector of component suppliers for the american information technology creates a danger of a permanent, invisible threat"

"Up to now, the network infrastructure is dominated by western industries, but the chinese companies work hard to make american firms less relevant. By this, technical standards that are now dominated by us companies would change, and china could, perhaps bit by bit control the flow of communications"


In other words, the us are just pissed of that the market share for their companies is shrinking. And that means they must attack foreign companies.

This definition of a security threat is very wide. For example, with a similar construction, one can say that "the german company SAP is working hard to make american office software producers less relevant. By this, technical standards for office software defined by oracle, could change, and germany could, perhaps bit by bit, once controll the way how american businesses create their bills, with SAP software instead of oracle products".

So that explains perhaps, why they monitor SAP
http://www.dw.de/report-nsa-spying-on-merkel-aides/a-17452381 in addition to merkel.

The Spiegel article furthermore describes that

The former NSA boss Minihan wrote a secret letter to nsa officials, telling

"similarly, as the control of industrial technology was the key to military and economic power in the last 200 years, the control of the computer technique is the key to power in the 21 century. Any of our efforts must serve one goal: the informational control of the world by america"

"In Oktober 2012, president Barack Obama signed a top secret directive, which should transform america to a new age.

Obama authorised the US military, to prepare for a regular war against other nations on the internet. The goal of the preparations was to be able to manipulate, jam, weaken, block, or destroy computers, information systems, or networks of other countries.


Explicitely, it is stated in this directive that the United states insist on their right of a preventive first strike against a coutry."

"The article ends with: Wellcome at the preparations for the war tomorrow"

From what is written in the article, it seems that tech companies now have to face it being attacked by military organizations of western governments, when their only wrongdoing was, to work hard enough to reduce the market share of an american company. (From the chinese, they are attacked anyway too, but more because the chinese want to develop their industries.)

I would recommend that readers of the article in DER SPIEGEL view this ingenious movie afterwards, "Dr Strangelove, How I sopped worying and startet love the bomb."

https://www.youtube.com/watch?v=iSZJbJ4Mfis


AnuraMarch 28, 2014 11:30 PM

@NickP

"Grayish, thin text on a background of lots of white. Squinting at it gave me a headache on one of my machines"

It's the drop shadow that gives it that effect. If it were me, I'd remove that styling for comment/article text and just have it straight black.

DanielMarch 29, 2014 1:02 AM

A BIG thumbs down on the blog. KISS and that applies to the blog. Please go back.

Ellen HayesMarch 29, 2014 1:07 AM

Not a squid comment, but - when I first saw the redesign I assumed your blog had been linkjacked, Simpler is better.

DBMarch 29, 2014 1:24 AM

New blog layout is great, looks more professional... though I'd recommend removing the drop shadow at least on body text please. It makes me feel like I need glasses (which I may, but that's not the point) :)

BenniMarch 29, 2014 2:10 AM

By the way, this idea:

"Up to now, the network infrastructure is dominated by western industries, but the chinese companies work hard to make american firms less relevant. By this, technical standards that are now dominated by us companies would change, and china could, perhaps bit by bit control the flow of communications"

reminds me somewhat on the idea of fluoridation:

http://en.wikipedia.org/wiki/Water_fluoridation_controversy#Conspiracy_theories

Water fluoridation has frequently been the subject of conspiracy theories. During the "Red Scare" in the United States during the late 1940s and 1950s, and to a lesser extent in the 1960s, activists on the far right of American politics routinely asserted that fluoridation was part of a far-reaching plot to impose a socialist or communist regime.


https://www.youtube.com/watch?v=Qr2bSL5VQgM

Remind me when make a doomesday machine....

Jonathan WilsonMarch 29, 2014 2:13 AM

No way would I trust any encryption built into .NET (although if the SSL implementation they are using is the same one they use in IE, it might be safe)
As we have seen recently, even open source crypto like OpenSSL and GNUtls can be compromised. Proprietary crypto could be worse (especially from a company like Microsoft that might well be blackmailed/pressured/forced/bribed into adding a backdoor for the NSA.

yesmeMarch 29, 2014 3:28 AM

@Jonathan Wilson

Sigh... Open Source doesn't guarantee the quality is better than closed source. With software (FOSS or not) you don't have any guarantee. That's it.

No way would I trust any encryption built into .NET (although if the SSL implementation they are using is the same one they use in IE, it might be safe)

Sigh... again. You trust IE, so you trust the SSL implementation, but you don't trust the .NET stuff...

As we have seen recently, even open source crypto like OpenSSL and GnuTLS can be compromised. Proprietary crypto could be worse (especially from a company like Microsoft that might well be blackmailed/pressured/forced/bribed into adding a backdoor for the NSA.

Maybe you should see this video. Let me put it this way: OpenSSL is a piece of sh*t. GnuTLS is probably the same quality. These guys didn't knew what they were doing.

The benefits of Open Source are clear, but if you write a library that has a million lines of C (with tons of #ifdef and goto), Assembly, M4 and the crappy .configure stuff, no-one can help you. Security software is supposed to be small. That way anyone can check the code and auditing is also possible.

About companies being pressured/blackmailed that is actually happening. A NSA top lawyer said this in a hearing. But the NSA also contacted Open Source projects. Linus Torvalds himself admitted that.

JacobMarch 29, 2014 3:32 AM

Regarding the claims that Microsoft's .NET is untrustworthy:
Your claims may be based on two things:
- Microsoft intentionally weakened the security framework of the code
- Microsfot has not implemented the relevant algorithms in the code properly, leading to faulty security in the framework.

Considering that the container of the .NET framework, namely Windows OS, is also written by Microsoft, I wonder why to specifically target the .NET framework. It is much easier to subvert and/or write bad code in the OS itself than in the .NET framework - not only because it is at a deeper binary level and accesses more potent services, but also because every Windows user has Windows, but not all Windows users run the .NET framework.

Also, would you never touch the Keepass program (V.2.x) since it is based on .NET ?

ThothMarch 29, 2014 4:16 AM

@Bruce, now your site looks so much better than the previous one :D . Appreciate the web design change.

ThothMarch 29, 2014 4:19 AM

@ Bruce, probably tune the colour to abit more neutral. It can be rather bright if the room the reader is in or the monitor the user is using is set to high. Otherwise, it looks really great.

Clive RobinsonMarch 29, 2014 5:27 AM

@ Bruce / Moderator,

In the "site change" the "link to main" that used to be between the next and previous pages is missing in my browser.

Also when a page loads it does it very badly in this browser with text initialy ocer writing it's self. It does settle down after a while after a load compleats but it sufests there are differences in the ordering of html tags.

anonymousMarch 29, 2014 7:35 AM

The new design sucks. Go back to the old one.

**********************

http://www.ibtimes.co.uk/turkey-youtube-ban-full-transcript-leaked-syria-war-conversation-between-erdogan-officials-1442161

Turkey YouTube Ban: Full Transcript of Leaked Syria 'War' Conversation Between Erdogan Officials

Turkish Prime Minister Recep Tayyip Erdogan's ban of YouTube occurred after a conversation was leaked between Head of Turkish Intelligence Hakan Fidan and Turkish Foreign Minister Ahmet Davutoğlu that he wanted removed from the video-sharing website.

The leaked call details Erdogan's thoughts that an attack on Syria "must be seen as an opportunity for us [Turkey]".

In the conversation, intelligence chief Fidan says that he will send four men from Syria to attack Turkey to "make up a cause of war".

BenniMarch 29, 2014 8:03 AM

@anonymous:

Well even though these leaks may be spread as the propaganda of a secret service, (I could think that FSB which supports assad would just like it to get a nato country into trouble) I think they are quite important, as the persons talking there should resign from politics,

Similarly, the leak of timoshenko where she says on the phone she wants to kill russians with machine guns and sent an atomic bomb to the russians in eastern ukraine, are important. Such persons should not go into politics.

If all secret services start leaking things like this, this probably has some cleansing effect on politics.

JoelMarch 29, 2014 8:06 AM

@Nick P

Anyway, it looks alright except that it's so bright. Grayish, thin text on a background of lots of white. Squinting at it gave me a headache on one of my machines. Red links are an interesting choice. They fit with the design. I like the top right image and prominent 'featured essays' section, too."

I agree with you and I like everything except the blinding white.

Nick PMarch 29, 2014 8:39 AM

@ Jacob

re targeting Windows OS vs .NET

Microsoft's security initiatives under Steve Lipner seem to have worked. From XP to Vista, the number of severe vulnerabilities went down despite amount of code going way up. Then Win7 seemed to do better. Overtime, the low hanging fruit in Windows OS goes away more and more. So, what to attack next?

Answer: privileged, complex libraries and runtimes! They might be written by less capable programmers or simply be less understood in a security sense. The result is more vulnerabilities. A good example of this trend is Java. The attackers are hitting Java at every layer, while using it to compromise Windows OS. Apparently, Windows OS is harder to hack than Java. This might be case for .NET, too, so TLA attackers could look for (or plant) weaknesses in it.

Along same lines, I'd also check their C++ redistributable and anything else major enterprise apps from Microsoft depend on. Such dependencies sometimes create a "hack one, compromise many" effect professionals would definitely look for.

BenniMarch 29, 2014 9:28 AM

News from DER SPIEGEL,seems they really want to make the NSA as small as the BND:

http://www.spiegel.de/politik/deutschland/ueberwachung-nsa-speicherte-mehr-als-300-berichte-ueber-merkel-a-961414.html

Now the newspaper reveals that NSA not only stored 300 reports on chancellor Merkel, with her name stored in a database of 122 high ranking politicians: They also say that the last autorisation from a secret fisa court which allowed the nsa to spy on germany was from march 7, 2013. DER SPIEGEL claims that such an authorization gives the nsa in the US the right to access, store and tap the communications of all german citizens.

In a second operation GCHQ spyed on german internet providers. Especially, they were interested in internet satellite communications. As this is often used by oil companies of the external employees of large international companies who work in abroad

Alex CoxMarch 29, 2014 9:41 AM

I don't think that the local or national secret police keeping tracks on license plates is a violation of anyone's human or civil rights. Getting into a car and driving it on the highway isn't any kind of right. It's a privilege - for which the user must pass a driving test, acquire a driving license, purchase insurance, and agree to abide by all manner of rules which don't apply to non-drivers.
Even in Los Angeles, no one is obliged to drive. The choice to do so involves the surrender of a number of freedoms. There is no freedom not to have your license plate photographed.

SteveMarch 29, 2014 9:41 AM

I like the new design.

I had to mag up the old site in order to make it readable, even with glasses. This is readable even at normal resolution.

Nick PMarch 29, 2014 11:51 AM

@ Steve

I agree about the readability. I usually zoomed in on my phone on old site. That's no longer necessary. So, if they can just fix the aspect that makes it seem blinding, perhaps add contrast, then new design would be fine.

BenniMarch 29, 2014 12:02 PM

When this article appeared months ago on spiegel online, how to "harden" a laptop

http://www.spiegel.de/netzwelt/web/hardware-hacker-wie-man-einen-laptop-vor-angreifern-schuetzt-a-955702.html

I wondered what Spiegel was up to, since certainly none of Spiegel Online routers cuts most interfaces from the laptop motherboard.
Now we know what they were planning,,,,

Here is an amazon link to the new spiegel book on the NSA Complex:

http://www.amazon.com/Der-NSA-Komplex-Snowden-%C3%9Cberwachung-Edition-ebook/dp/B00IN3H1Z8/ref=sr_1_1?ie=UTF8&qid=1396112454&sr=8-1&keywords=nsa+komplex

I wonder whether this is also available in english, so our friends in Forth Meade have an easier read....

DBMarch 29, 2014 1:20 PM

OMG all you people who hate white backgrounds because they're "too bright," why don't you adjust your monitor? White is the standard color of web pages, and has been since ancient times when they used to be dead tree material called paper...

Thanks for removing the drop shadow though, my eyes can focus now :)

Nick PMarch 29, 2014 1:32 PM

It's actually not bothering me now. I think it was the drop shadow mixed with bright white that caused my headaches.

AnonimousMarch 29, 2014 1:32 PM

@Terry Cloth -- Second that. I'd rather have something simple than something that looks nice. My eyes aren't as good as they use to be. It's easier to work with simple.


@Alex Cox:
Nice Troll. Most of what you're describing is just jumping through hoops.

Tell me, given the state of the art in technology today, and your beliefs, then surely you won't have any problem with a drone being deployed to watch your every move. Follow you whenever you leave your house. Photograph everyone you meet. Record conversations if they are outdoors. Record every store you visit. Now I'm sure you had no idea that shop where you bought a newspaper also sold sex toys. But can you prove it?

Nick PMarch 29, 2014 1:42 PM

@ Bruce

I noticed another potential improvement.

Comments come in on both new and ancient threads. This is why "Last 100 comments" link is main way some of us use site. Pattern is: Look at Last100, click on a thread to read/reply, Last100 again, read/reply another thread, etc. Last100 link really helpful when responding to discussions on multiple threads.

The old design had it in top right. It was pretty easy to get to in various ways. New design means we scroll through, say, entire Squid thread to get to link. It would be nice if it was near top somewhere to save scrolling on mobiles. Maybe on top (tiny shortcut) and bottom (in menu) to cover all use cases.

GadgetronnMarch 29, 2014 3:20 PM

@Nick P


The attackers are hitting Java at every layer, while using it to compromise Windows OS.

Mac OS X as well. I've seen some, sent attached to e-mails.
I surmise it can be worse on Macs, since Apple bundles Java with the OS… correct me if I'm wrong.

ps. The new design is not bad. I'm used to the old one, though.

anonymousMarch 29, 2014 4:03 PM

US is donating free border control database software devellopped by BOOZE ALLEN HAMILTON to interested countries. Software will report travelers' data (including biometrics, biographical info, phone numbers etc.) back to the US. Phone numbers can conveniently be used to target suspects for drone strikes.

https://en.wikipedia.org/wiki/PISCES

For countries where PISCES is currently deployed, see the Wikipedia article. A few more countries I won't set my foot in the foreseeable future. China and Russia are starting to look like good alternative holiday destinations, at least they won't try to harm me personally.

my little ponyMarch 29, 2014 6:30 PM

"OMG all you people who hate white backgrounds because they're "too bright," why don't you adjust your monitor?"

adjust it for one site and readjust it for others? nah, brah, not going to happen.

BenMarch 29, 2014 6:52 PM

I'm not from the US, but I'd be really surprised if civil rights did not apply when you were benefiting from a privilege. I do recall you had this Rosa Parks incident, which established that the right to equality between people of different skin colors was not nullified by being in a bus, which is a privilege.

Nick PMarch 29, 2014 7:20 PM

@ Gadgetronn

The rising popularity of Apple products led to a larger number of motivated attackers. So, in the past years, we've started seeing Mac botnets and such. We're also seeing more portable software (eg Webkit, Java) than we did in the past. I wouldn't be surprised at all if they attacked Java on Mac.

The issues with firmware mean I'll probably consider the old Mac I bought untrusted. I'm thinking about installing MorphOS on it for an interesting desktop. A PPC Linux alternatively. Might still make a decent air gap if I keep it offline & unnecessary HW disabled.

I think what I need to do is build a guard on open hardware. Open CPU, high speed PIO I/O, watchdog timer, firmware writable only with physical modification, and simple layered software in [mostly] typesafe language. Seems like a small team could put this together. The basic components could suffice for many use cases from data diodes to full app-level guards.

DBMarch 29, 2014 7:59 PM

@my little pony

Read my next sentence...

White is a common, professional look. It makes things look clean and fresh. It's extremely common. It's not rare. If you don't believe me... shrug.

Put another way: 95% of websites have a white background, the exact same intensity of white as the new schneier.com. If they're all too bright for you (and they must be, for this one to be too bright), then you should adjust your monitor, yes. Not just for one site... for all of them.

Chris AbbottMarch 29, 2014 8:07 PM

If II hadn't mentioned it already, would accessing your Facebook and webmail accounts from a different computer and different IP protect you from "I hunt sys admins"?

trapspam.honeypotMarch 29, 2014 8:20 PM

Like the new format and update. Much better contrast. Vision impaired myself, no focus in the right eye and limited vision in the left.
Again, Many thanks.

Coyne TibbetsMarch 29, 2014 9:15 PM

Re "Prominent security mailing list Full Disclosure shuts down indefinite" leads me to some interesting speculations.

Cartwright gives this reason for the immediate shutdown:

"But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done."

So the immediate cause of the shutdown is the actions of one individual who apparently could not be made to "go away". He goes on with this rather negative view:

"There is no honour amongst hackers anymore," he said. "There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry."

Regulated by who? Dishonor by who? What comprises this industry he mentions? He mentions companies that have objected to the mailing list publications.

But I'm wondering of the straw that broke the camel's back, the "hacker" he mentions, isn't someone working for the NSA (directly or indirectly). Someone who insisted that exploits not be published because the NSA would buy or had use for them.

It would seem to me to better explain his frustration.

Nick PMarch 29, 2014 9:26 PM

@ Coyne

I saw that and was disturbed by it as well. Taken literally, shutting down for such a reason would be the lamest defeat in history of mailing lists. I mean, some individual is ticking you off so you shut down your whole project? It's almost unbelievable.

Like you, I wondered if there was something else that happened (maybe with NSA), they can't talk about it, and are trying to convey it without risking harm to them. If so, then they couldn't give us the specifics and what they're doing is already risky. I hope it's the latter.

DBMarch 29, 2014 11:53 PM

@Chris Abbott

Lots of things might help... slightly. Probably not having a Facebook or webmail account at all would help more.

But nothing really protects you. It makes me mad that my government has become the biggest threat to the safety of the world. Who does Obama think he is, a young budding Hitler or something?

Sancho_PMarch 30, 2014 10:26 AM

@Moderator / Bruce:

With the new design, when replying, below the preview the order of “Previous Comments” seems to be reverse now, showing the oldest in the first place.
It was very convenient to see the last posting first, in case someone else has replied in the meantime.

DBMarch 30, 2014 11:43 AM

@Nick P

I love open hardware. I'll buy it if it's built... It does seem to be the only "safe" hardware possible, and there's precious little of it today.

Unfortunately, as it becomes popular someday in the future it becomes a target of intelligence agencies. How would one protect against, for example, the NSA infiltrating the chip fabrication plants and substituting your design for something that's functionally the same except with a kind of backdoor or other weakening? It sounds crazy, I know, but given their current level of threat to global society I wouldn't put it past them...

Which means, you have to kind of design your software to run safely on untrusted hardware. But how can it trust any inputs and outputs then, when those can all be compromised right down to physical keyboards and screens? It just boggles my mind the level of intrusion they are willing to do to innocent people, and I see no real cure for it. More openness helps, it helps tremendously, yes, so we should do that, but even that's not a full cure.

SkepticalMarch 30, 2014 1:19 PM

@DB: It makes me mad that my government has become the biggest threat to the safety of the world. Who does Obama think he is, a young budding Hitler or something?

Just a little overstated.

How would one protect against, for example, the NSA infiltrating the chip fabrication plants and substituting your design for something that's functionally the same except with a kind of backdoor or other weakening?

One would protect against it contractually. The NSA doesn't have the legal power to compel a manufacturer to insert backdoors or weaken a design.

Of course, if the chips are being manufactured abroad, all bets are off.

It sounds crazy, I know, but given their current level of threat to global society I wouldn't put it past them...

For 99.9% of the world, the NSA as a threat ranks somewhere after 419 scams but before orcs and goblins.

Nick PMarch 30, 2014 2:20 PM

@ Skeptical

"One would protect against it contractually. The NSA doesn't have the legal power to compel a manufacturer to insert backdoors or weaken a design."

What are talking about? The gist of many leaks is that NSA forced companies to hand over data, weaken crypto, etc. One of few to refuse, the Qwest guy, ended up being destroyed by govt. Yahoo CEO said she faced similar prison threat.

So, it's actually the exact opposite of what you said. Anyone who wants to avoid backdoors should avoid locating a company in US just as much as Russia or China. Whereas certain foreign countries have strong privacy and property laws, while others are known for more transparent or less corrupt govt. So, certain foreign countries are much better optiom for Americans wanting privacy.

If your stuff is in US, then all bets are off.

YeahSureMarch 30, 2014 3:19 PM

Skeptical, go away. All disinformation, all the time. It behooves us to ignore the "content" of his posts, and simply tell him to go away.

BenniMarch 30, 2014 3:35 PM

@Skeptical

"The NSA doesn't have the legal power to compel a manufacturer to insert backdoors or weaken a design."

Appart from this linux kernel dev

https://plus.google.com/+TheodoreTso/posts/SDcoemc9V3J

being proud and happy that he resisted pressure from intel to only use intel hardware random number generation because: ""By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors....""

SPIEGEL reported early in 1996 how nsa and BND deliberately weakened crypto boxes:

http://www.spiegel.de/spiegel/print/d-9088423.html

here is the google translation:

http://translate.google.de/translate?hl=de&sl=de&tl=en&u=http%3A%2F%2Fwww.spiegel.de%2Fspiegel%2Fprint%2Fd-9088423.html


@Skeptical:
"For 99.9% of the world, the NSA as a threat ranks somewhere after 419 scams but before orcs and goblins."


Well, According to
https://www.schneier.com/blog/archives/2014/03/friday_squid_bl_420.html#comments

Sees foreign companys as a security threat if their only wrongdoing is to reduce the market share of an us company.

For striking back security threads, the military is what is really responsible. So Obama signed a top secret order to us military, to prepare for a preemtive cyberstrike.

There is even an indication which coutries are perceived as a security thread to the us.

In this funny article:
http://www.spiegel.de/international/germany/gchq-and-nsa-targeted-private-german-companies-a-961444.html

It is mentioned that a secret Fisa ruling allows the NSA to spy on all citizens of the following countries:

Germany, Japan, China....,

Certainly, in Japan, there are many terrorists there.

Especially, they have a mighty optics and camera industry. And the phone industry of japan, is a very important threat, because these terrorists at samsung are working hard to reduce the marketshare of US companies.

For Huawei, the case for industrial espionage was made according to a criterium that can be as well applied to the german software company sap, which is monitored by nsa. You can also change the names to samsung in the follwing quote:


"the german company SAP is working hard to make american office software producers like Oracle less relevant. By this, technical standards for office software defined by Oracle, could change, and germany could, beginning bit by bit, at the end, control the way how american businesses create their bills, with SAP software instead of Oracle products".

If you have such a definition as a "threat", and if you say, us military cybercommand can make "preemptive strikes" against a "threat", and if a government comes to think, that everything Its secret service and military should do is for

"Any of our efforts must serve one goal: The informational control of the world by America""

Then I would say, this government poses a a very large threat. A global threat, to all non us people.

Please bear in mind that nsa plans to use turbine to deploy malware on millions of computers:

https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/

This action makes sense, if you believe, companies reducing the marketshare of us companies are a security threat, and that you must make preemptive strikes against all of these threats and that "Any of our efforts must serve one goal: The information control of the world by America"".

Since only way for america, to gain total information control of the world is, by having a malware on every computer.


And by the way, from Huawei, the nsa stole the client list.

Please note that according to this funny article,

http://www.spiegel.de/international/germany/gchq-and-nsa-targeted-private-german-companies-a-961444.html

they also stole the client list of the german company Stellar.

Of course the nsa is supported in their attacks by the us trade ministry.

I believe in 5 things: In Santa Claus, the easter bunny, in wonders, saints, and that the nsa does not give the client list to US companies...

SkepticalMarch 30, 2014 4:27 PM

@Nick P: What are talking about? The gist of many leaks is that NSA forced companies to hand over data, weaken crypto, etc.

They can certainly compel a company to hand over certain data. DB asked about the NSA forcing a chip manufacturer to insert backdoors into the product.

So far as I can tell, the NSA cannot legally compel a company to insert backdoors or deliberately weaken a design.

In the RSA case, which remains questionable, Reuters reported that the NSA paid RSA to select DUAL_EC_DRBG as the default encryption algorithm in one of its products.

I know of no law that would allow the NSA to compel any manufacturer to insert backdoors. If you know of one, or think you do, I'd be happy for the suggestion and interested enough to look into it. The only thing that comes close is CALEA.

One of few to refuse, the Qwest guy, ended up being destroyed by govt.

This guy (that's a link to the SEC's civil case, but the facts alleged are the same as in the criminal case). The guy who was indicted for 42 counts of insider trading, and convicted of 19 of them.

Essentially Qwest had been pumping up its stock price with false accounting and impossibly charged earnings forecasts. As CEO, Nacchio knew this, and while it occurred sold $100 million worth of stock. He attempted to claim at trial that the NSA had failed to award Qwest certain contracts in retaliation for his refusal to participate in a wiretapping program (in February 2001), and that, if the NSA had awarded the contract, Qwest's earnings forecasts would have been accurate.

Yahoo CEO said she faced similar prison threat.

She said that it would have been illegal for Yahoo to disclose FISC orders, and that, rather than illegally telling the public, Yahoo instead opted to challenge them legally.

She did not say that the NSA compelled the company to insert backdoors or weaken designs in the manner DB suggested would be possible with respect to manufactured products.

Anyone who wants to avoid backdoors should avoid locating a company in US just as much as Russia or China.

The facts don't support this conclusion, as detailed above. The only reported instance that comes close is RSA, which is certainly not a case of a company being compelled to do anything.

Indeed, not only does the US offer excellent legal protection with respect to the integrity of a manufacturing process, but it also provides protection against commercial espionage by foreign companies and governments.


SkepticalMarch 30, 2014 4:50 PM

@YeahSure: All disinformation, all the time. It behooves us to ignore the "content" of his posts, and simply tell him to go away.

I'm very honest and open about what I think and why. I try to source what I say. I give my reasons for what I say. You're free to disagree with me; in fact I enjoy a discussion more when someone disagrees. But accusing me of disinformation is rather silly.

And the individual (by which I mean you) who wrote these gems about China isn't in a strong position to accuse others of disinformation:

As far as freedom of speech goes: Try actually reading about China. There is a strong press that criticizes the government all the time. And it is effective in forcing reforms.

I especially liked this part:

Now speech that risks the integrity of the government in China doesn't fly, it's true, but try suggesting that the US government be overthrown at some point of crisis - like 9/11 - and you'd get a similar result here.

Note that in response to these claims, I didn't accuse you of anything, but instead merely pointed you to a report by Freedom House on the subject.

Groundhog DayMarch 30, 2014 5:01 PM

A touching scene:

A man caught in a Reagan era timewarp: Awakening each day from dreams of Evil Empires in complete innocence of the news of the prior months and years...

And the brave posters who remind him. Again. And again. And again.

It should be a movie. Wait, it...

JacobMarch 30, 2014 5:03 PM

From the Guardian:

Sen. Ron Wyden, who is a member of the Senate intelligence committee, said today:
“I believe strongly we ought to ban all dragnet surveillance on law-abiding Americans, not just phone records but also medical records, purchases and others.”

This is the second time that bulk collection of financial data is brought up. And I wonder what the "others" are.

BenniMarch 30, 2014 5:19 PM

@Skeptical:

Yes the nsa can not compell someone to weaken a crypto box. They can just make the economical future for a company which does not comply, very grim.

For example, mircosoft says it was forced by nsa to introduce an nsa key into its crypto library, since otherwise, windows would not have complied to us export regulations, which means microsoft could not sell windows to non us countries if they had not included an nsa key.

And sometimes, the nsa and bnd even found the "crypto companies" which sell the weakened products themselves.

This spiegel article:

http://www.spiegel.de/spiegel/print/d-9088423.html

Says that only six of the entire 6000 shares of the company "Crypto AG" did not come from BND.

Even the chairman of that crypto was a BND agent....

And that is how the nsa came into the "Crypto AG": They introduced themselves with a female agent named Nora Mackebee.

SPIEGEL mentions that this NSA woman, who advised how to properly weaken the boxes of Crypto AG, previously was an "advisor" for Motorola...

So the boxes of Crypto AG were weakened by BND and NSA together...

The fact that the NSA agent previously "advised" Motorola could be interesting for those non spiegel readers who still use motorola crypto products.

SPIEGEL writes "In practice, everyone knows how this works. Of course, such boxes prevent an unauthorized third party from listening, as in the advertisements. The question is just who is the authorized fourth person".


The spiegel puts everything from last year into its free online archive. This search term should cover most of its funny stories on spies:

http://www.spiegel.de/suche/index.html?suchbegriff=schlapphut%2C+schlapph%FCte%2C+bnd%2C+cia%2C+nsa%2C+mad%2C+kgb%2C+verfassungsschutz%2C+abschirmdienst

In this video; https://www.youtube.com/watch?v=gpj051zBQeE#t=35m35s You can see the bnd "institute for questioning". Actually, only the flats on the fourth floor are from BND. This was the institution that produced the liar curveball, who gave the us their info on Iraqi weapons of mass destruction.

If you see how small this "institute for questioning" is, that is the same size the nsa should get to. It took Spiegel 50 years to make it that small. But it eventually got to this stage. This is the BND Budget:
http://de.wikipedia.org/wiki/Bundesnachrichtendienst#Journalisten-Aff.C3.A4re

It gets 500 Millions each year. The nsa gets 50 billions every year. The BND has around one percent of the NSA budget.


yesmeMarch 30, 2014 5:31 PM

@Benni

For example, mircosoft says it was forced by nsa to introduce an nsa key into its crypto library, since otherwise, windows would not have complied to us export regulations, which means microsoft could not sell windows to non us countries if they had not included an nsa key.

Serious??? Do you have any proof ot that?

BenniMarch 30, 2014 5:46 PM

@Yesme:
Yes, Microsoft says that:

http://cryptome.org/nsakey-ms-dc.htm

"CryptoAPI ships as part of every Microsoft platform. Several cryptographic modules -- known as Cryptographic Service Providers (CSPs) -- ship by default, and customers can install additional CSPs at will. The fact that third-party cryptographic software can run under our CryptoAPI architecture raises an issue that ultimately touches on the raison d'etre for the so-called "NSA key". As a US company, Microsoft is bound by US export laws. Not only are we required to ensure that all of our products comply with US export laws, we're also required to make reasonable efforts to ensure that technologies like CryptoAPI also support US export law.

he US Department of Commerce, Bureau of Export Administration (BXA) has oversight authority regarding US export laws. However, they rely on the National Security Agency to perform technical evaluations regarding cryptographic export. NSA doesn't specify how an architecture like CryptoAPI must operate; it only provides a technical opinion regarding whether the architecture meets the export requirements. In short, NSA did not tell Microsoft to build CryptoAPI a certain way, it only evaluated our design and advised the BXA as to whether the design met export law. So the back-up signing key is present because the design that we submitted to the NSA for technical review included a back-up signing key, the NSA opined that this design satisfied US export requirements, and BXA issued the necessary license approvals."

And here is the translation of the wikipedia article on the BND I linked to above:
http://translate.google.de/translate?sl=de&tl=en&js=n&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fde.wikipedia.org%2Fwiki%2FBundesnachrichtendienst&act=url

What is listed under "Affairs" are just the things that were revealed by journalists where a public investigation by a parliamentarian comission took place. These ten "affairs" are mostly Spiegel achivements.

For revelations like weakening crypto boxes, the parliament won't start a formal investigation. But the fact that Spiegel revealed most BND operations anyway, had a very healthy effect on this secret service.

If the BND Boss now is saying that from the embassy in washington, "no surveillance activities are done" then one can certainly believe him, and assume they do not tap the communications of any politician in the us. BND neither has the budget nor the abilities nor the interest to do such a thing. But there may be someone in Pullach, wo translates all public speaches of Obama and then compiles it into a weekly report to Merkel.

SkepticalMarch 30, 2014 6:27 PM

@Benni: A few friendly disagreements first:

Microsoft does not say anything of the sort. You're thinking of this.

Neither does Der Spiegel provide confirmation that CryptoAG weakened its products (which doesn't mean it didn't). There's a good discussion of the issue here.

And you multiplied NSA's actual budget by 5.

An agreement: I am glad that we agree that the NSA cannot compel a manufacturer to introduce backdoors or weaknesses into its products, though.

I also think the protection offered against commercial espionage, including that practiced by Chinese and Russian governments, by operating within the US is a significant factor, and I would guess that this protection will grow substantially in the near future.

Frankly, if the US Government were smart about this, they would turn the Snowden leaks into marketing for establishing companies there. The US explicitly does not practice commercial espionage, cannot legally compel a company to weaken or alter its products, has some of the strongest intellectual property protections in the world, and can provide unparalleled protection from governments and companies that do practice commercial espionage.

BenniMarch 30, 2014 7:32 PM

@Skeptical:

The quotations that I made in my post regarding NSA Key in crypto API were from a microsoft official, Richard Purcell, Microsoft’s Director of Corporate Privacy.

The Microsoft guy is saying:

"(The name reflects the fact that the key is present in the design to satisfy the NSA technical review per US cryptographic export regulations)."

So if Microsoft would not have put this second key into its Crypto API, the nsa would not approved that this design satisfied US export requirements, and BXA could not issue the necessary license approvals required to sell Microsoft windows to foreign countries.

"An agreement: I am glad that we agree that the NSA cannot compel a manufacturer to introduce backdoors or weaknesses into its products, though."

Please read the statements of the Microsoft man again: Microsoft could not sell Windows in nun-us countries if they would not have introduced an nsa key.

@Skeptical
"And you multiplied NSA's actual budget by 5."

No, I just took all secret services of the US together, which is reasonable, as the germans have almost only the BND and not 5 equally well staffed agencies:
http://de.wikipedia.org/wiki/NSA#Budget_der_US-Geheimdienste_2013

Yes 45.225 billions is not 50 billions, but almost.

@Skeptical:
"Frankly, if the US Government were smart about this, they would turn the Snowden leaks into marketing for establishing companies there."


that wont work either. DER SPIEGEL reveals in his article

https://magazin.spiegel.de/digital/index_SP.html#SP/2014/13/126149146

that the chinese went on to steal blueprints for the US military fighters B2, F-35, F-22, the design for air defense missiles of american atomic submarines, as well as 33000 personal files of officers and that they hacked their way into 300.000 personal accounts on the american navy. In the Pentagon, 500 computers were infected.

But the chinese of course did not stop on the military sector. They also hacked themselves into a major US oil company, and one of the largest US software companies (this implies either Apple or Microsoft) was attacked in 2012 in a way that the chinese could even change the sourcecode. A company that admits being attackd by china was google:


So if anything, DER SPIEGEL not only reveals that the US would conduct what SPIEGEL describes as:

http://www.spiegel.de/international/germany/gchq-and-nsa-targeted-private-german-companies-a-961444.html

"classic acts of economic espionage"

It also reveals that the NSA spooks, while infiltrating World of Warcraft http://www.spiegel.de/netzwelt/games/world-of-warcraft-nsa-und-gchq-ueberwachten-online-spiele-a-938014.html

and angrybirds:
http://www.spiegel.de/netzwelt/netzpolitik/angry-birds-nsa-und-gchq-zapfen-apps-an-a-945872.html

the nsa even fails to protect not only US oil companies, but their own navy and airforce.

If the NSA would turn this into a marketing campaign, it would have to use slogans like

"ever want to distribute the blueprints of ypur F-22 air dominance fighter? Or even the mass distribution of blueprints for defense missiles in atomic submarines? Then come to the NSA and introduce real open door policies to your network with NSA security solutions.

If you have plans for "US information control of the world" by infecting millions of computers with malware, Join us. Our turbine developers are welcoming every new employee"

Coyne TibbetsMarch 30, 2014 7:44 PM

@Skeptical

What is your source of information for the NSA budget again? Last time I heard, it was all buried in the "black budget". This article provides Snowden information ostensibly showing that budget totals $52.6 billion; of which $10.8 billiong supposedly goes to the NSA.

But then it gets gray, of course, since no one knows how the funding is distributed: program and agency relationships being incestuous to say the least. So if, for example, the DIA hands over a couple billion of its money to NSA to create a few "cool gimmicks", who is to know? And if, for example, the CIA manages use a couple of it's billions to tap into, say, an undersea cable, and hands access over to the NSA, wouldn't that be a couple billion in "benefit"?

Further, no one knows how much of the "white" budget for the military and law enforcement budgets flows to NSA, NSA related programs, or supports the development of programs that will then be used by NSA.

It's all one big blob. The actual "NSA budget" could therefore range anywhere from the $10.8 billion given in the article, to 10 times that, I think. Not that $10.8 billion isn't enough, given how the cost of technology has dropped.

As to the NSA's ability to compel manufacturers to weaken products: It's true the legal authority doesn't seem to exist in Federal Code. But then, as we have seen repeatedly, the 3-letter agencies don't exactly regard that code as reading the way the rest of us do. So, say they come "hold a gun" to a manufacturer's "head" and say, "Do what we want." Where would the manufacturer appeal this? To the secret courts that the 3-letter agencies apparently have converted to big shiny bobble-headed rubber stamps?

To me, that sounds like compulsion; arguing about legal authority is merely sophistry.

BenniMarch 30, 2014 8:05 PM

@Coyne Tibbets, yes this snowden doc was where I got my 52 billions. The BND has not any "black budgets", but only his 500 annual millions a year.

And what worries me, and makes the nsa so irresponsibly dangerous is this

"Any of our efforts must serve one goal: the informational control of the world by america"

In the SPIEGEL article, the chinese trade ministry is cited, that the only thing to get peace would be a "balance of deterrence".

In the graphics where the nsa planted most of their bugs, you see china as a nation where most bugs are. Spiegel says the bugged chinese telecommunication providers.

In other articles, wpiegel mentioned that the NSA would have developed tools for manipulating up and downloads. And perhaps one can use the Headwater exploit to simply corrupt the chinese routers. SPIEGEL mentions that attacking these providers gave the nsa access to all communications of the chinese army. Thereby, the us could, by pulling the plug from these providers, simply interrupt the chinese army's communications.


Now when china says that we need a "balance of deterrence" to get peace, this would mean that china also has to develop bugs and hack into all us telecommunication providers. So, china and america can both pull the plug of each other and we have "a balance of deterrence".

The problem is just that this would mean, every computer having malware from both the US and china in it.

The chinese just have stolen from the US. This is something, I can somewhat understand. I can understand that if a country says, "we are so much behind in technology, even india is 60 years ahead of us" that it then steals.

The US are a developed country. To see them saying that all what they do is for gaining "the total information control of the world by america" with plans for distributing malware to millions of computers, this is completely disturbing. A developed country should not aim for "total control" of the world.

All this leads to is an armament race, with every computer infected first by american, chinese, and perhaps russian malware, and then, the european countries will jump the bandwagon, and eventually you will find germany distributing millions of malwares, to protect its interests.....


Coyne TibbetsMarch 30, 2014 8:10 PM

@Nick P

Not sure if this was changed after you inquired above, but there is a "100 Latest Comments" link in the "Blog Menu", down the right side of the page.

Nick PMarch 30, 2014 8:52 PM

@ Coyne

On Mobile, the right-side menu appears at the bottom after the post and all the comments. This is in both default Android browser and Chrome. Of course, the recent comments link is the only one of them that's critical, so it's the only one I asked to be on top. Saves around 10 seconds of scrolling or tricks going to bookmark manager a lot (current approach).

FigureitoutMarch 30, 2014 8:59 PM

To All RE: Skeptical
--You're arguing w/ an individual who can't wrap his head around sophisticated coercion. Not even Clive Robinson himself could convince him just how wrong his viewpoints are. It was part of my experiments to see just how evil it could get; I'm afraid it's beyond what I could've imagined...As has been stated here sooo many times about how intel agencies (you got the nerds behind closed doors and the agents in the field; and internet/phone protocols are such crap that it's easy to track down someone who decides to express their "free speech") can pressure any individual and certainly any small and even large companies to comply w/ compromising their user's security (Intel CEO wouldn't address the main questions about chip backdoors, Yahoo! CEO was scared of going to jail), and of course how could we forget the "Clipper Chip" and more recently the courageous acts of Ladar Levison fighting complete compromise of his business (!), and who like I can personally confirm 100% attest agents were tailing him and its scary. Those events have been highly publicized, it's the unknown and covered up events that I want to know about; there lies the true evil.

Coyne Tibbets
no one knows how much of the "white" budget for the military and law enforcement budgets flows to NSA
--The one NSA "agent" that openly stated he used to work in crypto during the Cold War and I had a small chance to talk to, stated that if you wanted to join NSA to join the military. It wouldn't surprise me (in fact I'm quite sure he has) if he reads the blog. I bet there is a lot of back-and-forth funding to-and-fro' from military and vice versa. That's part of the OPSEC only militaries w/ legal authority but most importantly a sh*tload of guns, planes and bombs can pull off and try to obfuscate intel-gathering from the proverbial "enemy" (another human being). Out of all the agents I've grown to...hate (unfairly so, my opinion is permanently tainted w/ regards to...an agent); this individual represented what initially attracted me towards intelligence work and "serving & protecting" my country. I would trust his judgement to not be a complete lunatic and go too far; and I would trust him w/ the power he's given. These older more reserved intelligence officers (actually fighting the enemies trying to steal US IP and put the country in poverty) are dying off and the young "noobs" are weak arrogant pricks that need to be put in their place.

Nick PMarch 30, 2014 9:28 PM

@ Figureitout

I respond to him for the sake of other readers just dropping in. He's a much more sophisticated plant than the usual type. So, I like providing alternative view to any dropping in on the page.

" stated that if you wanted to join NSA to join the military"

That was true a long time ago. The NSA is a quasi-military organization with a huge chunk of its people either coming from the military or on loan from military. They also work closely with military as military units depend on their SIGINT. So, naturally, being a person in the military who could get things done and understand tech can get a foot in the door.

In past decade, NSA and its contractors experienced a lot of growth. Hayden also transformed the agency. The result was that they wanted to hire many more people in many categories. It was easier than ever to get in the NSA if you had a degree, a decent resume, and could get a clearance. There's plenty of job posts for them even as I type this. So, the old wisdom stopped applying with options being broader.

However, post Snowden and paranoia over inside threats, it wouldn't surprise me if getting into good NSA positions is harder now. That they wanted to fire half their [loyal] sys admins after Snowden leaks should make people pause before sending in that job application. Of course, any job that produces something (intel, 0-days, etc) is usually fairly safe so long as their budget stays high.

All that said, people wanting to do real security should get a job at a private organization. There's a few in commercial sector, the defense contractors, and some with academic/R&D focus. These have groups that put extra effort into security of their products. Working for NSA is only for people who'd rather compromise systems as their information assurance offerings are mostly a joke designed to lead to hacks.

SkepticalMarch 30, 2014 9:40 PM

@Coyne: My source for the NSA budget is the article you cited. We could speculate all day about how agencies account for expenses on joint programs or services, but I don't think the budget compartments here are quite as meaningless as you suggest. Agencies think about such expenses in creating budget requests, and budgets tend to be jealously guarded by the bureaucrats to whom they are given.

As to:

as we have seen repeatedly, the 3-letter agencies don't exactly regard that code as reading the way the rest of us do. So, say they come "hold a gun" to a manufacturer's "head" and say, "Do what we want." Where would the manufacturer appeal this? To the secret courts that the 3-letter agencies apparently have converted to big shiny bobble-headed rubber stamps?

Where would the manufacturer appeal what exactly?

A request from the NSA made without any legal authority? The manufacturer could simply say no.

NSA: Do this.
Manufacturer: Why?
NSA: We said so.
Manufacturer: Talk to my lawyers.
Lawyers to NSA: F*** off.

End Scene.

A threat of force from the NSA (which is wildly implausible)? They'd call the police and the FBI.

What else are you thinking of?

@Benni: You stated that Microsoft said this:

For example, mircosoft says it was forced by nsa to introduce an nsa key into its crypto library, since otherwise, windows would not have complied to us export regulations, which means microsoft could not sell windows to non us countries if they had not included an nsa key.

That's not what was said. If you read Scott Culp's (Richard Purcell isn't in the correspondence you cited) emails carefully, he says that Microsoft included two keys, a primary key (called KEY) and a backup key (called NSA_KEY), to conform with export regulations. He says specifically that the NSA did not instruct them on the design of the relevant software. He says specifically that Microsoft has never used the backup key to sign a production version of the software. And he says specifically that Microsoft has not shared the private key with the NSA or anyone else.

MS has always strongly denied that NSA_KEY is "an nsa key" as you described it.

As to the NSA's budget, I just noted that what you actually wrote, namely The nsa gets 50 billions every year., was off by a factor of 5. You say you meant the entire US intelligence budget. That's fine. Is Germany an appropriate point of comparison for what the US should spend on intelligence? No.

As to PRC commercial espionage (and military espionage), they certainly seem to have acquired a fair amount of valuable intelligence. If you think they're not doing the same to companies and governments in other developed countries, but with equal or greater success, you're kidding yourself.

As to the PRC justification for commercial espionage, it's slightly true but mostly false. The primary beneficiaries of PRC commercial espionage are the CCP elite, i.e. those who control and derive great personal benefit from PRC SOEs (state owned enterprises). China is a remarkable country with enormous potential, and with many good people in its government who genuinely want, simply, to do well by China. But it's also an authoritarian, anti-democratic system that benefits a highly privileged elite, whose power is maintained by the authoritarian state.

As to Der Spiegel's claims of commercial espionage by the US, the answer is that they're wrong. The authors either pretend not to understand the national security reasons for collecting intelligence on certain entities (like Petrobras or Gazprom), or they actually don't understand. If Der Spiegel ever comes up with an actual case of commercial espionage conducted by the US Government, my anger will match theirs. But to date, they haven't.

As to "information control of the world", I'm not sure where you're getting that or what it means. It sounds like a bad translation from English to German to English. The US doesn't control the world, and doesn't aspire to control the world. That's why US allies tend to be independent, democratic states who can (and do) openly disagree with the US regularly.

AtmanMarch 30, 2014 9:47 PM

@Skeptical

All of you post seem to be designed to incite conflict. Its boring and I would like it if you would be a bit more harmonious in you interactions us.

FigureitoutMarch 30, 2014 10:10 PM

He's a much more sophisticated plant than the usual type.
Nick P
--I think he may, in a twist actually not be as good as you think; at least the tech. aspect. His arguments also directly ignore evidence against his; almost comically but it's not funny someone spreading falsehoods.

That was true a long time ago.
--Makes sense, this would be like 40 years ago. And yeah hell no would I consider any intel job, my experience in gov't was horrible. Everyone was way too uptight and I couldn't even get good projects to work on no matter how much I begged. No challenges, and no rewards for going "above and beyond", so you get stuck in being miserable; I hated it. Being in intel agency, hell no, I would have to be a complete butt-kisser w/ no personal opinion and lie about so much.

And I'm pretty sure I won't get into defense contractors after my stated opinions and the "covert" (not very much so) investigation into a whole lot of nothing. I'm not brainwashed.

And the thought of some script kiddy using tools they don't understand (like when they betray them back) isn't for me (I think I forced some of them to learn a little more to attack some of my setups lol, they kept trying to get me to use a smart phone).

Barry GMarch 30, 2014 10:18 PM

On the new site design:

It does seem a bit bright, but that could just be because I'm used to Schneier.com being a nice "low-light" room where I come to read security news.

I will be a bit nostalgic for the old design for a while, partly just because change after having the same for so long is a bit jarring, but also I guess because I just like the old school aesthetic being present on this particular site.

The site did look dated (which is I assume why it was changed), but I kind of liked it that way because it was like a homage to old school computing. And it kind of said "this is a place where techies who've been around the block a few times gather, and don't need to have a shiny new site every 6 months."

I'll definitely miss it. I would certainly welcome the option to view it in the old way, like the proposed "oldstyle.schneier.com" subdomain, but I can understand if that would be too much to maintain two styles.

As long as all the old content and links are still present, I'll be okay.

BenniMarch 30, 2014 10:18 PM

@Figuretout:
To All RE: Skeptical
--You're arguing w/ an individual who can't wrap his head around sophisticated coercion.

I actually believe that sceptical is an NSA spook.

For example, general Hayden has also said in his interview in SPIEGEL that he is in sorrow because of the evil threats in russia and china, and If I would be an nsa boss, I also would write sentences like

"Frankly, if the US Government were smart about this, they would turn the Snowden leaks into marketing for establishing companies there. The US explicitly does not practice commercial espionage, cannot legally compel a company to weaken or alter its products, has some of the strongest intellectual property protections in the world, and can provide unparalleled protection from governments and companies that do practice commercial espionage."

If one reads this, one either thinks one reads the comments from a journalist of the german "bild" which writes similar arguments here:
http://www.bild.de/politik/inland/julian-reichelt/snowden-neue-enthuellungen-peking-sagt-danke-35191508.bild.html

Or "Skeptical" is someone from the NSA public relations department.

Or someone like Hayden, or another spook, defending his employer.
That is how you may react, when it rurned out, that you worked for something evil.

And by the way, i do not think, the threat is russia or china.

Russia acts on crimea, because it sees the nato as a threat. Nato has installed a missile defense system near russia. The russians are masters in ballistic calculations. This is how putin reacts if one asks him whether the nato missile defense is aimed towards iran: https://www.youtube.com/watch?v=8ux3oiWELIQ

I think one should be honest with them and tell them that the missile defense system is indeed against russia, since the fear of the US may be that some Chechnyan terrorists (russia has plenty of them) walk into a russian missile base and take their shot. The russians have a zero tolerance policy regarding to islamic terrorists. Russians even prefer to install and support dictators, when the other alternative are terrorists. This is, why Russia supports Assad in syria. This rigorous view that the russians have comes from a century of experience with islamic terrorists. Stalin was there in Grosny, telling that he will introduce the sharia, if necessary. Stalin said this because he feared suicide bombers of chechnya.
Given their experience with islamic terrorists, the russians might even accept a missile defense system targeting their bases, if they are told that this is a measure against terrorist who could take their bases and take a shot. But perhaps there are even other measures, to secure these bases than such a defense system.

Mostly, the russians are afraid of us influence and therefore they see the nato as a threat. When the soviet union collapsed, the russians accepted recommendations of us government people, advising a "weak government". The result was increasing crime and a government that could not pay salaries and rents anymore, leading to massive poverty.

It was Putin then, who had a simple election program "a government is there to protect people from gettign poor". So he strengthened the government, which then could take collect its tax money again. Putin trew the rich oligarchs, who installed a corrupt mafia system, into prison, and the government now can pay the salaries and rents from its oil money. This is why Putin is so popular in russia.

But when you ask russians on america, they will immediately say that from there came the people making them poor after the soviet collapse.

Faced with having something they deem as "american" like the nato, near their borders, this makes the russians aggressively reacting, in presumed self defense.

The problem with china stealing US property is more the usual problem with "how can a development country get access to modern tech". Perhaps similar problems will arise, when african nations develop more and more into technical industrial countries. The solution to this is simple: Just make your network more secure.


Currently, a major threat are terrorists.

And a government called United States of America, which aims to get "information control of the entire world", according to snowden docs, by "infecting millions of computers with malware".

BenniMarch 30, 2014 10:34 PM

@Skeptical:
"That's not what was said. If you read Scott Culp's (Richard Purcell isn't in the correspondence you cited) emails carefully, he says that Microsoft included two keys, a primary key (called KEY) and a backup key (called NSA_KEY), to conform with export regulations."

And then, Culp said

"(The name reflects the fact that the key is present in the design to satisfy the NSA technical review per US cryptographic export regulations)."

So if they would not have an nsa key, they would not get conform with export regulations.

This is equal to being forced to introduce such a key.


asdf28March 30, 2014 10:44 PM

I prefer the old blog theme, instead of this new one. Could you add a button for classic ui ?

FigureitoutMarch 30, 2014 11:04 PM

I'm used to Schneier.com being a nice "low-light" room where I come to read security news.
Barry G
--Agreed, that's a good point RE: the brightness. Some "free-time" research I'm doing is on noise coming from keystrokes and movement of pixels on VGA LCD screens; I was able to get some signals which I look forward to digging much deeper. Maybe Bruce should consider making tempest attacks that much easier, at least make the agents squint.

I prefer the old site much more, even before it had all the "tweet me", "like me" buttons; this was such a major change! It's like a pretty girl who suddenly chops off her hair. At the end of the day, it's his site and the internet isn't a democracy (or secure).

Benni
--I have a slight suspicion I may know Skeptical, but I'll leave it at that. If he works for the NSA PR-dept. then lol; what a worthless job. Who would believe an intel agency's PR-dept? Seriously, they have a legal obligation to lie and cover up everything they do. Here's the cold hard truth, a global elite is *the* threat to the world. Your "democratic" gov'ts mean nothing if it's run by them; and they ensure that any threats are killed (my suspicion is chemical/hormone injections) w/ the agents under their control. They create terrorists by giving them weapons and egging them on, leading to easy controlled investigations and easy money for the next "underwear bomber" that lights his nuts on fire. We're doomed to repeat history, but where's the precedent for all this technology today? It's going to be abused so extremely and at the same time we're going to run out of resources and be stuck and die while we've got our telescopes pointed inwards spying on each other instead of working together and cleaning up the atmosphere and getting a manned mission to Mars; so human history lives on, maybe on a USB stick flash memory instead of a faded manuscript/cave paintings. Maybe all computers are insecure-rootkit infected so there won't be any trustworthy account of history and will be easily falsified. So there's the cold hard truth summed up in a paragraph; warmth only exists in our heads, and the sun; in the vacuum of space you freeze to death and suffocate. Soon you will stop linking to political stories b/c they're worthless; get into science, it's so...so much more satisfying.

Coyne TibbetsMarch 31, 2014 12:41 AM

@Skeptical

"A request from the NSA made without any legal authority? The manufacturer could simply say no."

You argue in circles, but okay: you the manufacturer have said, "No."

So the NSA drags you into FISA court. The NSA tells the court it has the legal authority to order you to do this, according to a law you are not allowed to read, for "national security" reasons. The court bobs its heads and confirms that is so. It then orders you to comply with the NSA order, or be prosecuted for treason and sent to prison. It adds that any discussion or publication-even to another court-will result in your prosecution for treason and imprisonment.

Your next move?

Clive RobinsonMarch 31, 2014 1:00 AM

@ Benni, Figureitout,

    I actually believe that sceptical is an NSA spook

I can see where you are coming from on this, (s)he certainly does have either a lot of time on their hands or a backup team, to do research. Not just research for facts --which is time consuming enough-- but facts/comments given in a paticular style which would require considerably more effort.

It could easily be argued --but by no means proven-- that due to the speed of the response time that the comments/facts given are "made to measure" from a database made for the job.

Now let's assume just for the sake of argument that there is a germ of truth in it, what other points might be deduced from it?

Well one line of reasoning might start with "Why / what does it achieve?"

One thing is it will cause one or two on this blog to start doing their own research to find counter points etc. Which would leave a "research footprint".

There are organisations that specialise in finding "research footprints" to deduce what areas companies and organisations are moving into. The ones I had direct knowledge of were related to drugs companies but I know there are similar for other "bleading edge" research such as aero engineering and electronics. One organisation had it's own search engine of academic and patent databases that built up profiles of what users were searching for. Which provided valuable data for investment and similar purposes.

Way back then I did some idle speculation on what else such information might yield for those who shall we say might not be incumbered by moral or ethical dilemers, and let's say the prospects are scary if you can find customers. For instance in the use IP infringment is big business, and going to court is seriously expensive, but the rewards can be high, especialy if you can show the infringment is deliberate not accidental where it tripples the payout... How much do you think "research footprints" would be worth to either party in such a court case? and that is the least profitable and riskiest idea --outside of criminal activities-- I came up with. I later thought about gathering footprints in other ways which made me make comments some years ago that botnet owners were not capitalising on their nets in anything like the way they could (I ruffuled a few feathers over at the Cambridge Labs at the time with that idea and a few years later it got named APT by those who looked for it and were shocked by what they had found).

But another thought I had was in "unmasking people" from the likes of TOR or other "PET" and we were later to see certain organisations doing exactly this for US TLAs and IP holders when confidential EMails etc from the likes of H B Gary became public. In the process revealing a half dozen other companies plans/actions to develop such activities.

On old fashioned idea to detect traitors / leakers / whistleblowers is "Canary Documents" which "sing out like canaries in a coal mine", and a well known writer of Spy Thrillers --Tom Clancy-- actually gave various examples in several of his books. The modern version of this is at it's simplest having a server with documents on that push you up the search engin rankings and when the documents are pulled down they put a small piece of malware on your machine that sends a "fingerprint" back to a server...

Now with Bruce "upping sheilds" by changing first the search engine (to Duck Duck) and later to HTTPS unmasking people becomes harder. So you need other ways what better than to get people to pull a Canary Document by various means.

If you look into the aformentioned EMails you can see such plans by these organisations were already being put in place atleat three years ago by "contractors" but the ideas as I've mentioned a few times in the past go back 15years or more.

So "Skeptical" or similar does not have to be working directly or indirectly for the NSA but could be working for a "freelancer" looking to double triple or more sell "Intel" to who ever is daft enough to part with their money (similar to ZeroDay marketiers). Then again they could just be somebody who due to various defficiencies has a lot more time on their hands than others with 9-5's and regular social habits have.

But the important point is not "skeptical" specificaly but when you search online you have to think all the time "am I going to be unmasked by my searches" because we have good reason to belive such organisations exist and will thrive not just in Gov domains but Com domains as well where "high payed staff" these days get "background checks" the likes of which Stalin could only dream of.

Clive RobinsonMarch 31, 2014 1:09 AM

@ Bruce,

I forgot to mention in my above that, the more security precautions etc you put in place the more valuable you make not just your commenters but other readers as well, such is the perverse economics of the modern market created by "The Need to Know" mentality.

So I for one don't mind you "increasing my value" with a little luck we can bankrupt a few of them or atleast price them out of the market :-)

AndrewJMarch 31, 2014 1:21 AM

@Benni/FigureItOut/Bruce
Doubt that Skeptical is a current employee of the NSA, and whilst he has similar views to John Schlinder (@20committee on Twitter) I doubt they're one and the same because of differences in style and anonymity preferences.

I was actually wondering if the Moderator could force a name change on him to something like 'SkepticalOfSnowden' or perhaps 'Skeptical-but-not-of-Gov-3-letter-agencies', both of which more accurately reflect his viewpoint. The Mod action would be in light of the research that shows end of article comments influence readers, and that his name/handle is one of the only ones on this blog implying a value judgement (i.e. being skeptical is a good thing and therefore the opinions of someone named Skeptical are afforded extra value).

yesmeMarch 31, 2014 2:57 AM

@Benni

I think Skeptical is a spinner. Altough technically not very well, he knows laws. So I think he is a lawyer. A very well informed lawyer.

So either he could be:

1) A very right wing dumbass without morals. But he is smart, which is a scary combination.
2) On someone's payrole. It is not the first time that agencies actively influenced communities.

Why is he a spinner? He reminds me of that movie "Wag the Dog".

He only talked about small details. He "tells the truth and nothing but the truth, but certainly not the whole truth".

And then he brings in a totally different subject, such as the B3 bomber in Wag the Dog (do we have the B3 bomber? Yes.. No..) And then everyone talkes about the B3 bomber instead of the real subject.

He is not a troll. He is way to good informed. Yes, I think he is a spinner.

Of course, Skeptical himself will probably deny that.

Wesley ParishMarch 31, 2014 5:25 AM

@yesme et alii

Well, Skeptical is nowhere near as well informed as people make him out to be; and he's incapable of seeing US actions in perspective. I gave him a sample of classical inter-Great Power niggling with the details of pre-WWII US harassment-at-law of the then British Dominion of New Zealand over several islands in the Cook Islands archipelago, and he didn't even notice.

I also quoted US behaviour in its "near abroad" as an example of typical Great Power behaviour towards neighbours who don't have much power, and he pulled out a set of excuses that would never pass muster with any sane academic in either the History or the Political Science fields. Frankly, I learned to think that way about the US as a classical example of a Great Power from Garthoff's book Detente and Confrontation: American-Soviet Relations from Nixon to Reagan. (Raymond Garthoff is that classical stereotypical anti-American, a former US ambassador to Bulgaria IIRC.)

And Skeptical proved he really should rename himself Gullible. He refused to acknowledge those simple realities. If I was paying him to write this sort of comment on Bruce Schneier's Blog, I'd be wanting my money back pronto, no excuses or it's the debtor's prison.

DBMarch 31, 2014 5:48 AM

I see skeptical, the guy with the morals/ethics of a cow or a tree stump is back again. All he knows is, if it benefits him somehow, then it's good. That's the extent of his "moral decisions" and I'm pretty sure he just gets off on seeing us all get angry at him.

AntisepticMarch 31, 2014 7:56 AM

@yesme: "Maybe you should see this video. Let me put it this way: OpenSSL is a piece of sh*t. GnuTLS is probably the same quality. These guys didn't knew what they were doing. The benefits of Open Source are clear, but if you write a library that has a million lines of C (with tons of #ifdef and goto), Assembly, M4 and thecrappy .configure stuff, no-one can help you. Security software is supposed to be small. That way anyone can check the code and auditing is also possible."

Do you happen to know anything with a small source code base that implement a secure remote protocol, or at least a secure encryption library ?
The only pointer I have is http://www.madore.org/~david/weblog/2004-05.html#d.2004-05-13.0639 and it is RC4 which is way outdated :-(

@Atman about Skeptical: "All of you post seem to be designed to incite conflict. Its boring and I would like it if you would be a bit more harmonious in you interactions us."
Thanks Atman, this is exactly the kind of answers Skeptical desserves. We should stop writing any other answer to Skeptical, he is a troll, conforming to http://cryptome.org/2012/07/gent-forum-spies.htm techniques to divert discussions.

Sancho_PMarch 31, 2014 8:33 AM

Hmmmm…

I see @Skeptical as a honest, well informed American citizen who has a different point of view.
His comments are tactically excellent.
Neither rude nor imprecise, he tries to make his point - As I see it, a valuable point, because it reflects the majority in western society (the voters), but far less than 1% could express their thinking / feeling as he does.
We should acknowledge this fact.
Groupthink is dangerous, for both sides.

The question would be:
Why are there so many of them nowadays, all over the world?

And of course you’d have to define “them” at first.

At this point I want to thank Clive Robinson again for the link to Bob Altemeyer’s book:
http://home.cc.umanitoba.ca/~altemey/

KnottWhittingleyMarch 31, 2014 8:46 AM

Re manufacturers saying no...

Didn't one of Snowden's docs say that the NSA has several thousand cooperative people various places in the tech industry?

I got the impression that they effectively have scattered moles pretty much everywhere that matters---presumably at Apple, Microsoft, Google, IBM, AT&T, Verizon, Cisco, Intel, AMD, ARM, etc. and can inject exploitable flaws (or just leave natural bugs unfixed) into everything from fab processes and VLSI design to every level of communications protocols, middleware, apps, ad networks, etc.

Given the things we already know for sure that they do, it would be surprising if any important kind of technology wasn't broken in a way that allows the NSA in---if anything isn't broken already, as most things are, presumably they'll find a way to break it.

I would guess that there's some secret "legal authority" that they can cite to compel people to break things, if absolutely necessary, and to keep it a secret a la NSL gag orders. But maybe not---maybe they rely on finding occasional "patriots" who "want to help" even if their bosses don't, as necessary, and mostly rely on things being so pervasively broken they can almost always hack in without telling anybody. Or just finding greedy people and bribing or blackmailing them under convenient false flags.

Really, I'd guess they do all those things, heavily prioritized to minimize chances of exposure and blowback:

0. Pay mercenary hackers to find exploits (natural bugs and insecurities)
1. Pay contractors to find them (e.g., Booz)
2. Bribery under false flags (e.g., claiming to be spies for US companies against e.g., Samsung or Huawei, or better yet, Samsung against Huawei)
3. Blackmail under false flags if necessary (with parallel construction to make it plausible, and hide any info from e.g., PRISM or Hemisphere and account hacking that revealed the basis for blackmail)
4. False-flag appeals to patriotism (with gentle, noncommittal, completely deniable approaches and lots of spying to see if the mark is sincere, or possibly a whistleblower---e.g., reading their email to friends and family, to see if they're doubtful or luring a spy out to expose them, and reading their blog comments etc. to see if they're politically unreliable.
5. Real appeals to patriotism, but with cutouts---e.g., claiming to be working for a patriotic US corporation when in fact employed by or contracting for NSA/CIA/DHS/FBI/M-O-U-S-E
6. Real appeals to patriotism, admitting who they are, often with bribery to sweeten
7. Real appeals to patriotism, admitting who they are, with bribery and a blackmail stick
8. Secret "legal" compulsion---the last resort, used very sparingly, because they don't want it to come out that they have a secret "legal" compulsion authority to use, because they might lose it.

This is all just basic spy "tradecraft"---always do the least risky thing that gets the job done, revealing as little as possible about yourself in the process of gathering information about others. (I didn't read all those le Carre novels for nothing, did I?)

One real possibility is that they've never needed #8---they can pretty much hack anything anywhere anytime, and cope well enough when they can't, so they've never been desperate enough to tell anybody what their "secret legal authority" is. (Or would be, if they have to fabricate one.)

One version of that is that they sometimes tell people they do have such an authority, but never tell them what it is. ("If we told you, we'd have to gag you if not kill you, but trust us, we have ways to make you talk, so talk already---you don't want to make us tell you why you have to.")

It seems to me that the biggest benefit (to the spies) of dragnet spying is in assessing and monitoring the marks that you target for more intrusive and riskier forms of spying.

If you know who's likely to be co-optable by "benign" approaches, and who is likely to balk, and how to best approach a given mark---you are way the hell ahead of the game, because it gives you the information you need to choose the least risky avenue at every step.

Consider the Pakistani doctor that they got onboard to identify Osama Bin Laden for assassination, with a fake vaccination program to gather DNA for a positive ID---how did they pick him? (I have no idea if that's really what happened, but it's a fine example even if a fictional one.)

If you can read people's email to find likely marks, and install malware on their laptops and cell phones, etc., to monitor their private conversations, you can minimize risks of exposure by identifying people who can be turned most easily, cheaply, and reliably by the most deniable means, and making sure you're really turning them, or know when to back off and find an easier mark.

IMO, that's what Total Information Awareness / information dominance/ Mastering the Internet is mainly for. It's about maximizing ROI and ROR (return on risk), finding the most useful and least risky suckers to exploit, and making it easier to do the occasional really audacious spy-novel shit without getting caught.

And that's largely about avoiding it coming to the public's attention (or Wyden and Udall's) that the NSA et al. are even claiming to have secret "legal" authority to compel people to do whatever the hell they want.

Of course they'll make that claim, if and only if they "have to", but they'll strongly prefer to do it via deniable intermediaries.

(Imagine a Blackwater contractor telling somebody that with CIA backing, they will ensure that the mark's family disappears very unpleasantly if they don't cooperate. It may be believed, and it may or may not be true, but the CIA can always deny it and blame things on a rogue Blackwater contractor "pretending" to have the backing of the CIA. Perfect. Same goes for Booz or Lockheed or whoever contracting for NSA, trying to bribe/coerce somebody into compromising security.)

In spying, the ideal scenario is the one in which everybody who needs to believe you does, and nobody else finds it too credible: the victims of your bribery and coercion should believe that you have the funding to reward lavishly, and the means and resolve to punish horrendously, and everybody else should think that's just paranoid conspiracy shit, or that your victims are probably lying to save their own asses, or at least be uncertain enough to never take effective action.

Spying 101, writ large.

SkepticalMarch 31, 2014 9:05 AM

Quite a bit of personal acrimony in the above posts.

I've stayed on topic, and discussed issues. I've never personally attacked anyone.

Yet above I see a string of personal attacks, all distracting from actual discussion.

Believe it or not:

-> That someone doesn't believe the worst speculations about the NSA doesn't mean he is gullible, or a plant, or an employee of the NSA, or engaged in some bizarrely convoluted scheme to identify people who comment on a blog.

-> The conclusions I regularly see expressed here with an air of certainty (e.g. the US engages in commercial espionage, the NSA can compel chip manufacturers to insert backdoors) are actually contrary to the facts as known thus far. Since I think this subject is important, I point that out.

-> While I appreciate Clive's speculation that I have a database on hand to draw forth relevant facts, I simply have a brain with a good memory and Google. I type fast.

Since I try to engage everyone here respectfully, and without personal attacks, I'd simply request that you do the same.

SkepticalMarch 31, 2014 9:11 AM

@Coyne: ... okay: you the manufacturer have said, "No."

So the NSA drags you into FISA court. The NSA tells the court it has the legal authority to order you to do this, according to a law you are not allowed to read, for "national security" reasons. The court bobs its heads and confirms that is so. It then orders you to comply with the NSA order, or be prosecuted for treason and sent to prison. It adds that any discussion or publication-even to another court-will result in your prosecution for treason and imprisonment.

Your next move?

There are no laws that you're not allowed to read, especially when you're a party in federal court.

So here you're proposing that the FISC will compel a manufacturer to insert backdoors, even though there is no law permitting it to do so.

This would be a level of impropriety that would result in the impeachment of any judge doing so. And there's no indication whatsoever that the FISC would do such a thing.

In the event the FISC did so, a manufacturer's attorneys would immediately appeal the decision, and would certainly obtain a stay pending the appeal. The appeal would be heard by the FISC Court of Review, consisting of three judges. If the FISC-R were to uphold, the manufacturer would then appeal to the US Supreme Court.

Now, the scenario you propose here requires:

1 - that a federal judge on the FISC orders a company to do something on the NSA's request even when there is absolutely no basis in the law for such an order.

2 - that three federal judges on the FISC-R then approve of such an order (mind you, this is a level of misconduct that would end the careers of all of these judges).

3 - that the US Supreme Court would then approve of such an order.

This is an extraordinarily unlikely series of events. The judiciary in the US is strong and independent, and adheres to rule of law.

I think the real danger of "backdoors" comes not from the NSA compelling anyone to do so, but from manufacturers voluntarily doing so. That is a danger worthy of discussion, but it's obscured by the unfounded but persistent speculation that the NSA can actually compel these backdoors to be inserted.

vas pupMarch 31, 2014 10:10 AM

@all respected blogger regarding of @Skeptical postings.
1. Stay in rational area (as security/IT professionals, not politicians or PR folks) when do not agree with anybody point of view, provide facts, links, verifiable sources of your objections.
2. Consider all posts of this respectful forum as deliberation, not argument.
3. Respect good opponent as a chance to see weaknesses/vulnerabilities of you own view and dig for additional fact not going into emotional spiral.
The key as usually is reciprocity.

KnottWhittingleyMarch 31, 2014 10:13 AM

"There are no laws that you're not allowed to read, especially when you're a party in federal court."

Srsly, "Skeptical"? SRSLY?

The real practical meaning of the Fourth Amendment to the Constitution of the United States, if any, is highly classified, and you clearly know that full well.

A lot of US congresscritters naively thought it was plainly illegal and unconstitutional to try to bulk-gather all Americans' phone logs under the "USA PATRIOT Act", without (1) warrants authorized by a court based on particularized probable cause, though most didn't come out and say rude words like "illegal", "unconstitutional", and "I'm a lawyer, and you did WHAT? Are you fucking kidding me??!!" or "Do you really think "collect" is a highly technical piece of super-specific spy jargon that makes it completely okay to gather very revealing information on everybody, just in case they might have done something wrong?

I dunno if you're just a thoroughly dishonest troll who really believes he's ultimately on the right side, or a cynical paid shill for the surveillance state in some way, but it doesn't matter much.

Do you really think that a system that "legally" authorizes mass surveillance and extralegal kidnapping, torture, and assassination can't "legally" authorize compelling the modification of "intellectual property" such as as BIOSes, antivirus software, etc.

If the former hasn't reached the Supreme Court, why would you think the Supreme Court is relevant to the latter? The whole system is clearly designed to minimize the chance that such things are (a) exposed, (b) properly understood, (c) forced to the attention of overseers for action (d) acted on in courts and (e) ever get to any court that would do anything about it.

We know that much already. The idea that misdeeds would inevitably go through the courts and be rejected by the Supremes is just laughable. The idea that it would assuredly have already have happened is pathetically inane.

That only happens if we make it happen. (Maybe with the threat of overruling the Supreme Court with a Constitutional amendment that amounts to "The Fourth Amendment actually means what it says," which is admittedly a long shot.)

See my comments above about risk minimization and the avoidance of claiming "legal" authorities except when really necessary, precisely to avoid them getting to any point where a court might say no.

The history of NSL's with gag orders is enough to show that you're full of horse poop.


Nick PMarch 31, 2014 10:48 AM

@ Antiseptic

re OpenSSL Alternative

MatrixSSL was designed for that very reason. It's for embedded use supporting a ton of stuff with 50KB footprint. It tries to minimize system calls, complexity, etc. Dual licensed for commercial or GPL. Supports many OS's. Have fun with it.

Alternative libraries that can support protocols (and sometimes implement them):

Cryptlib is Guttman's library. It supports many OS's/languages, has a security kernel model for internal operations, many algorithms/protocols, free option available, and low cost VIA Padlock acceleration. Has reference and technical manual for users.

Botan is an encryption library for C++ under BSD license. It's been around a while. They have a nice brief description: "It provides useful things like SSL/TLS, X.509 certificates, ECDSA, AES, GCM, and bcrypt, plus a kitchen sink of crypto algorithms of various utility. A third party open source implementation of SSHv2 that uses botan is also available. In addition to C++ you can use (parts of) botan from Python or Perl (both included in tree), or with Node.js."

Crypto++ is an old library in public domain that's been continually updated. It's algorithms rather than protocols. It has everything that's needed to implement something like SSL (or a secure subset of it).

(Note: Sad state of affairs in INFOSEC when I feel the need to describe a "secure subset" of SSL.)

Nick PMarch 31, 2014 11:11 AM

@ Skeptical

re ad hominem, personal assult, or merely due consideration?

I certainly won't condone personal attacks on you as it only weakens' attackers' credibility or character in mind of casual readers. However, it's entirely reasonable for them to think you're trying to spin the discussion based on the content of your posts, the timing of you appearing, your conversational style and other attributes that suggest a spinner. It's even more important given that psy ops is a common technique in both US and British intelligence. Both of these organizations oppose people like Bruce publishing leaks and hence might go on the attack. There was even a nice leak with tactics eerily reminiscent of your conversational tactics.

In any case, considering whether you're paid to influence discussion is valid as spy agencies are paying people to do that. Yet, I still try to avoid downright trash talking you as I think (a) it won't change anything and (b) reduces the appeal of this typically civil blog. Regarding (b), I'd rather it continue to attract new commenters with interesting perspectives and keeping things civil helps.

dunmoreMarch 31, 2014 11:17 AM

re: license plate scanners. I have two problems with this.

First, the sale of DMV information to private third parties. When you are at the mall, you are not at home. If I could buy this address information I could dispatch a team of burglars to your house.

Second, the problem of authentication. When the police claim they have license plate evidence placing you at the scene of a crime, how will you acquire and vet the raw data to defend yourself?

BTW, I find that carrying my bike around on my trailer-hitch-mounted bike rack coincidentally makes it difficult to read my license plate.

vas pupMarch 31, 2014 11:40 AM

@KnottWhittingley • March 31, 2014 8:46 AM. Knot, I see your point. My addition is to always separate intelligence and law enforcement/prosecution. Yeah, I know that internal (inside the borders of the country) intelligence could be misused (like suddenly you denied employment, fired without reason, blacklisted for different purposes - all those tricks Stasi used against
dissidents, not real criminals or terrorists. Their only crime was to have own opinion not shared by those in power and utilize constitutional right for free speech). That is bad because they (LEAs) were never told in their Academies that there is huge distance between dissent and disloyalty. Sometimes dissent is even the most patriotic path, not snitching in all forms you've described. But absolutely other case when such intelligence information obtained bypassing/ violating all safeguards of your rights is used to prosecute you, i.e. deprive you not only "pursuit of happiness", but liberty. That is why (my own opinion) all concerned should concentrate not only on collection, but rather on potential misuse of collected (legally or illegally)information.

CuriousMarch 31, 2014 12:15 PM

I find it amusing when Skeptical makes a point about backdoors, and mentions the obvious one (CALEA) first, as a way to dismiss it first. Somehow.

So Skeptical, since you couch your sentences precisely to help people draw inferences you do not make, will you say:

- It's not a backdoor by definition, but a front/side door, since the requirement is technically public ?

- Does it not count because it was not compelled by NSA, but by another govt agency ?

- Something else ?

And about the RSA backdoor. The NSA did not compel RSA by law. They defrauded them, and this is apparently legal. Oh, I'm sure you'll split hairs on the precise definition of fraud here. Obtaining an advantage by deception that you wouldn't have had had you not deceived. Sounds like it matches.

Explain it all away, I'm curious.

Clive RobinsonMarch 31, 2014 12:36 PM

@ Coyne Tibbets and others

Whilst I can't for obviouc reasons find comment on what the NSA / FISA court might be upto in the way of coercion to force back doors into products I can claim that the practice is a known tactic of other US governmental organisations.

The New York DA sanctioned a "swating" of a software developer and gave --currently unknown but pressumably known to be false-- information to obtain a warrent to do it.

The NY DA then --falsely-- accused the developer and his family with a whole series of charges and saif they would lock him and his family up for thirty five years unless he accepted a plea bargin to put a back door in his software that he would then secretly operate for the NY DA and othe LEAs...

http://www.techdirt.com/articles/20130107/11140121596/developer-bookmaking-software-gets-full-kim-dotcom-treatment-promoting-gambling.shtml?_format=full

Needless to say he has suffere not just hugh personal stress but in fighting he has lost much of his business abroad. As for the charges they have misteriously disappeared to be replaced by a single ludicrous charge.

So if a Hicksvile NY DA can pull such a stunt I imagine that the likes of the NSA could do a whole lot better at inventing charges via the likes of the "parellel construction" they are already known to employ.

Nick PMarch 31, 2014 2:08 PM

re Can or has NSA used legal powers to force weakened security of US goods?

I think what constitutes a backdoor is an interesting point. I'm almost in favor of getting rid of the term as it's almost meaningless in covert operations. Point being, security is predicated on an argument that a specific instance of a system satisfies a security policy. Taking over that system requires defeating the security policy and inserting modifications to the system (eg malicious code). In other words, any weakness in security posture is a backdoor in practice. This has implications for discussions with people like Skeptical who claim there's no evidence of NSA "backdooring" US products.

So, NSA wants in. That means anything that helps them get in is equivalent in practice to a backdoor. It follows that anything US govt agencies do to create security weaknesses is sabotage in practice. That these programs are highly classified mean that they must make each weakness look accidental or otherwise deniable. By this definition, there's plenty of evidence of NSA is forcing US companies to produce insecure systems.

1. Protections against emanation attacks are classified despite our enemies using them against US companies and agencies. Additionally, TEMPEST certified computers are not allowed to be sold to people outside of defense. Put another way, the US govt requires that every American system (except theirs) be vulnerable to this attack. Attacks via emanations are also in NSA's TAO catalog showing they have a conflict of interest here.

2. Prior export restrictions on advanced security tech, tough crypto, or highly secure systems largely prevented their development. One author noted their A1-class secure system was cancelled in part due to uncertainty of export controls. If they couldn't be sure of sales, they couldn't justify spending $10-20mil on securing & evaluating the system. By this, US govt forced foreign citizens (even allies) to forgoe having strong protections and forced American companies to build weaker designs to ensure a return on investment.

3. The NSA and Israeli sponsored Stuxnet attack used 0-days in Siemen's products. We later found out that Siemens gave NSA access to its tech to find (and help fix) vulnerabilities. The goal was to improve security. Yet, NSA deliberately left flaws in it to hack the system later. These were the types of flaws that our adversaries regularly find in products and could use against our infrastructure later. That NSA deliberately left security flaws in the product, then lied to Siemens that it was safe, shows clearly that they prefer our systems to be weak [enough for them to attack].

4. NSA submissions to the cryptosystems our national security depend on actually weakened them across the board. Given that NSA's employs top crypto experts, a continuous stream of rookie mistakes, complexity, and poor design decisions would only happen if they wanted it to. The fact that NSA's Type 1 certification process wouldn't even allow such constructions shows they know better. Finally, while NSA insisted their IPsec additions was secure, they won't allow IPsec to protect classified networks. They use an alternative version of it called HAIPE. If IPsec was secure, they'd have used it, no doubt?

5. NSA defined the computer security requirements against regular malware and high end attackers. They define various levels of robustness: Basic, Medium and High. Only High can stop sophisticated attackers that hammer away at our networks. Yet, NSA pushes products certified to Basic-Medium for protection of commercial and classified networks. These include NetTop, HAP, MDDS, and DTW. As NSA knows they're all vulnerable to sophisticated and high end attacks, promoting them only makes us insecure. Given their rationales in No 2, this is probably intentional as it benefits the spies by undermining actual security. That they have attacks against all such system designs in their catalog furthers my point that they MUST be lying when telling stakeholders such solutions will stop cybercriminals.

6. NSA's solution to infrastructure protection was inserting backdoors for monitoring and control. I already outlined that NSA knows requirements for stopping high end adversaries. They also have tech, both COTS and GOTS, that certified to High requirements with the features necessary to protect infrastructure sites. They can also give out the GOTS solutions free to cheap. So, why do they advocate a combo of basic-med assurance systems (easily hacked), backdoors, and monitoring? This choice guarantees failure against sophisticated enemies, while simultaneously giving them surveillance and control of critical networks. Effect is negative to security.

7. NSA had legal authority to enforce security requirements. In past, they required very high assurance for systems that sit between unclassified and classified networks. They did evaluations & made purchasing decisions based on them. Private sector responded by producing plenty of secure offerings. Then, they killed that off and started accepting low assurance offerings. The end result was our networks were compromised by all kinds of attackers. There are believable reasons outside conspiracy for the choices they made. Yet, the end result is that their policy caused most of the hacks that happened afterward and they therefore can't be trusted to protect classified networks.

8. Snowden leaks show NSA has tried to get key manufacturers, service providers, etc. to give them backdoors. All of them complied with few exceptions. The few that resisted were hit hard in court over various claims. The big picture here is whatever NSA is doing to weaken security of US offering is working regardless of which company they use it on. That implies they have *some* way of motivating them to cooperate. Probably several.

9. One of the leaks mentioned NSA uses "HUMINT" to bypass companies' protection. HUMINT is a standard term in intelligence circles for use of human spies against individuals or organizations. The methods include bribery, blackmail, theft, infiltration, sabotage, and deceptive persuasion. Under national security legislation, intelligence services such as NSA are authorized to use such measures to carry out their missions. That the operations are classified means it's difficult to prove or challenge their crossing the line. That the leaks say they use HUMINT to defeat software/service security indicates they might be using such methods to pressure US companies to weaken their security. That they *can* is a risk in itself.

10. The NSA poses a legal threat to security in several ways. That all of the above are legal for them should be frightening enough to a person in US trying to maintain confidentiality of data on American soil. Intercept laws in public courts requiring attaching Fed-controlled black boxes to servers can pose a risk to other uses. (Lavabit was an extreme case here.) While lawful intercept capability is reasonable, the US has this plus secret National Security Letters managed by a secret court which doesn't imprison government offenders. This overall combination makes the United States TLA's uniquely threatening to US entities' data or systems relative to some other countries.

So, there's many instances where the NSA provably weakens security. These range from targeted (HUMINT for crypto backdoors) to those that affect everyone (TEMPEST). There is also a huge number of legal threats NSA poses to an entity in the United States. So, from a security perspective, NSA's past and present activity show conclusively that they're the greatest opponent to information security in the United States. And they've largely succeeded in their goal to rid us of it while promoting an illusion that they're strengthening it.

The only solution is that this agency must be banned from influencing the development of commercial system security with long prison sentences for violations. Until that happens, the safest way for those concerned about NSA is to avoid operating on US soil and/or via US electronic systems/services. They also must choose alternatives that are actually safe from both black hats and snooping by another government. This is tricky to say the least.

KnottWhittingleyMarch 31, 2014 4:47 PM

ZOMG!

Chris Inglis, who just retired as the top civilian official at NSA, has now revealed the scope and extent of our email, text, and phone call location gathering in one specific country, and named that country, which we're told is a traitorous thing to do because the terrorists will avoid the dragnet, many people will die, and the sky will fall right on our completely helpless, hapless noggins.

In Iraq, for example, the National Security Agency went from intercepting only about half of enemy signals and taking hours to process them to being able to collect, sort and make available every Iraqi email, text message and phone-location signal in real time, said John "Chris" Inglis, who recently retired as the NSA's top civilian.

http://www.latimes.com/nation/la-na-alexander-nsa-20140331,0,3369988,full.story

Presumably he'll be raided and have his computers confiscated, and be led off in chains to be tried in a top-secret court, where he'll be duly convicted, and justly "hanged by the neck until he is dead," or poor Woolsey and Hayden will never stop screaming about his getting away with "treason." Right? HE BROKE THE LAW!!!

KnottWhittingleyMarch 31, 2014 5:48 PM

Greenwald (at The Intercept) on Inglis's treason, and the cynicism of accusing people of aiding the enemy for leaks about surveillance abilities, drone strike targeting, etc., but leaking similar things themselves just for PR purposes:

NSA Blows Its Own Top Secret Program in Order to Propagandize

While I wait for Inglis's accomplices at the LA Times to be rounded up, I'll be out at HENHOUSE, counting and cross-indexing my CHICKENLITTLES.

P.S. NOFORN. Nobody here but USCHICKENs, OK?

Coyne TibbetsMarch 31, 2014 7:44 PM

@Skeptical

"There are no laws that you're not allowed to read, especially when you're a party in federal court."

Okay, I admit I made an error in my argument. It should have said "interpretation of law" instead of simply "law". There are, of course, the public versions of the law passed by Congress. Then there are the interpretations made by the DOJ, which have clearly been widely divergent from the clear meaning of the "public law" and, which even Congress still is not allowed to read.

It will be the secret interpretation of the law that the FISC (yes, I keep saying FISA for some stupid reason but FISC is what I meant) uses to justify its order. That interpretation will dispose of the rulings for FISC and FISC-R, both of which will rule against you according to this interpretation you aren't allowed to see; even though the public law you can read seems to say exactly the opposite.

So, okay, you fight it to the Supreme Court. That takes, depending on DOJ strategy, from 1 to 3 years (it took the Library Four more than a year; Padilla more than 3). What happens then depends on the winds of the SCOTUS. Let's suppose for the sake of argument that it looks like SCOTUS will rule in your favor.

So what happens is, 3 days before the ruling is due, NSA rescinds the order, and DOJ withdraws their part of the case. SCOTUS shrugs and dismisses the case, never actually having made a ruling: the case is moot.

You've won. Or have you?

DOJ follows up with another NSL gagging you, so you can't talk about the order or your win (wouldn't want to give anyone else any ideas). Somehow, you seem to have mistakenly wound up on the "no fly" list. You have a heart condition and ulcer from stress. Your company finds itself on an "ineligibility" list for US government contracts, for some weird reason. And you're out $10 to $50 million in legal fees that are non-recoverable.

In the meantime, it being clear they can't just tell you to comply, the NSA will have subverted someone on your staff, or hired someone in. Or broken into your network and made the change themselves (as it seems they did for Apple). So either their sleeper will do what the NSA wants without telling you, or the code will just magically change to what they want.

Technically, yes, you won: but Pyrrhic victories suck. And maybe you didn't win anyway; maybe your software/hardware is still corrupted.

KnottWhittingleyMarch 31, 2014 9:34 PM

Skeptical:

So here you're proposing that the FISC will compel a manufacturer to insert backdoors, even though there is no law permitting it to do so.

We don't know that. There is certainly secret law that we don't know, as the Snowden revelations and some subsequent declassifications have made very clear.

There are no laws that you're not allowed to read, especially when you're a party in federal court."

There may not be specific laws (statutes) that are secret, but there is secret law which we are not allowed to read, and some of that law is far more important than most individual statutes---in particular, and precisely relevant, is the law created by judges interpreting the constitution.

You don't need secret statutes if you have secret law like that, e.g., law that allows you to define what's "relevant" to mean anything that might be relevant, or define "torture" to exclude things that most of the relevant experts consider torture.

If we can compel people to talk by torture, surely we can compel tech execs to install backdoors. After all, not having such backdoors gets in the way of obtaining critical evidence that we have a right to.

I'd think that if they can compel companies to turn over bulk data without particularized probable cause, you're selling them way short to think they can't compel the installation of backdoors.

That would of course be a close-to-last resort, because somebody might squawk and the whole thing could become public knowledge, but it would be naive and certainly unskeptical to believe they can't do that, or that they would never try.

If they have a "legal basis" to collect it all, they probably have a "legal basis" to infect it all as necessary to enable that collection.


KnottWhittingleyMarch 31, 2014 9:46 PM

Shorter version: they backdoored the whole legal system so that they can shove secret law into it, and create legal compulsions that violate people's privacy on the broadest possible scale.

Why on earth would you think they can't or wouldn't use that backdoor to create a legal compulsion to install mere software backdoors?

You seem to be a studiously slow learner about these little surprises in FISC rulings.

FigureitoutMarch 31, 2014 10:45 PM

Clive Robinson
--You mentioned another possibility I already considered (as usual) that I wouldn't express b/c it reveals too much (it's a typical occurrence w/ you :/). I know of a psychologist in the neighborhood that makes occasion trips to "D.C.". My usual way of expressing my situation is much messier than you are able to b/c you've already seen the evil and I'm just getting introduced to it (wow, they will kill your family; as in poison your entire family just to get you). You are on the side where they don't attack you, just people like me (and someone was able to successfully evade me very well and I want to know how). I look forward to a media outlet eventually picking up my story; if they don't then they won't know of the cancer I've been infected w/, these attacks were happening in the '60s. You have 55 years to improve on attacks to kill all threats to your livelihood, and hey someone is grumbling on the internet; kill that individual. I'm already not expecting to be hired by the typical agencies that need my help (I would catch many foreign agents, guaranteed). I don't care but it would be really nice to have a lab that was "semi-secure" as in 24/7 guarded w/ people I made promises to (secure devices).

Nick P
--Case closed. I get a little carried away from time-to-time and make statements that are a "little extreme". I don't hide that my bias is agents are almost always carrying out an evil mission; maybe if I was included in missions that weren't so, I wouldn't have my opinion. Skeptical won't be able to beat that argument besides the usual trolling and he hasn't been conscious of actual security threats for long enough. What's funny about people like Skeptical is he could be compromised as he speaks; why would I say anything to hint that he's owned...there's people on the 'net that will own you all on the internet; they are so elite.

AndrewJ
--The Moderator (I like to think I'm "cool" w/ him) won't change names and allow discussion as long as it doesn't get too "trolley". I would love to help him track down some spammers and show them "who's their daddy" but I leave that to Bruce Schneier. Maybe he's hiding behind a tree w/ a knife, I don't know lol.

Coyne Tibbets
And maybe you didn't win anyway; maybe your software/hardware is still corrupted.
--Yeah that's one of the main points I'm trying to express to agents and their ilk. In fact, I may have proven that w/ my experiments but since they have turned me into a terrorist they won't ever know w/o some other operation.

BTW to ALL: RE Last night
--Immediately after my comments last night the background screen on my PC was changed. It's the typical hacks I deal w/ day-to-day; every single computing device gets hacked 24/7. Agents attack me non-stop 24/7 all-day everyday. You want to experience my hell, there you go. Too bad they've been fooled like imbeciles and thankfully I'm able to evade these attacks b/c there's other devices that are hidden from all. Maybe if they weren't such asses I'd tell them my secrets, but they can suck it and yeah I can bet foreign intel agencies have found my methods b/c I have been primarily focused on domestic agents (foreign ones would be more fun to find).

FigureitoutMarch 31, 2014 11:18 PM

My background just changed again lol. I know where they live, they're just obsessive losers. My infected laptop has been a distraction. Agents fell for it like the typical idiots they are; they don't understand fundamental humanity. Only the agents I wanted to infect, I showed them "who's their daddy". The secret will die w/ me or be discovered by good western intel-gathering (lol that's a fantasy). I'm saying it will die w/ me or be used by foreign agents, that's too bad. When you have your own citizens going against you, you're going down lol. Suck my penis, agents. And enjoy the 0-days in your systems that you will never find, I guarantee it. HAHAHA. :)

FigureitoutMarch 31, 2014 11:45 PM

And just changed my background again lol; AGAIN. Owned and I traced the connections back to the source, you idiots. You have my home but I have yours too. Their computers are toast now too, congrats you dumbasses. They track me in real-time; it's the neighbors that I identified. Foreign agents, if you would like verifications; please contact me. Screw my country the gov't has betrayed me.

The look on this agent's face, when I just "showed up" and cracked his identity; that was so glorious. He found out my OPSEC is flawless and so extreme; the agents can't sleep at night b/c I may be watching them.

If there are any "Law-Enforcement Officers" out there that could prosecute the crimes being committed against me, that would be great. Otherwise, I have to track down these noobs. I've been abused w/ "1st strikes" carried out against me. To live up the "America", I don't give up by some pussy gov't order; come and force me to comply you pussies. I will give strength to others which will then lead to an actual 2nd revolution after I'm dead. That's my prediction. The agents really aren't that scary, they're pussies and I could kill them easily just like they have done to me and are watching 'til I die from physical injections.

AntisepticApril 1, 2014 4:54 AM

@Nick P: ""secure subset" of SSL."

Every ssh logging attempt results in the sshd server knowing the tried password *unencrypted*.

This is why I would prefer a much simpler but verified interactive protocol. Then slirp could be used to help that simple protocol to tunnel connections.

Unfortunately, NaCl.cr.yp.to does not define an interactive protocol.

SkepticalApril 1, 2014 5:40 AM

@Nick P: I certainly won't condone personal attacks on you

followed by

it's entirely reasonable for them to think you're trying to spin the discussion

even more important given that psy ops is a common technique

tactics eerily reminiscent of your conversational tactics.

considering whether you're paid to influence discussion is valid

followed by

I still try to avoid downright trash talking you

I can't help but laugh at the juxtaposition (not saying it was intentional, just that I found it humorous). More seriously, the idea that the NSA is paying someone to conduct psychological operations in the comments section of this blog is ridiculous. I'm somewhat in disbelief at the remarks above suggesting that I'm a plant because of my views.

@Curious: I find it amusing when Skeptical makes a point about backdoors, and mentions the obvious one (CALEA) first, as a way to dismiss it first.

Yes, I mentioned CALEA as being the closest thing to a law empowering the NSA to compel a manufacturer to insert backdoors. Very manipulative of me to bring it up, obviously.

CALEA requires that carriers of communications services be able to allow the government, with a court order, to tap the communications of a specific named user of the service.

I was responding to the suggestion that the NSA is able to compel chip manufacturers to insert a backdoor. It's not. CALEA is inapplicable in this context.

And about the RSA backdoor. The NSA did not compel RSA by law. They defrauded them, and this is apparently legal.

It's certainly possible that the NSA knew there was a vulnerability and did not disclose that knowledge to RSA. We don't know at this point. We do know that RSA was free to decline to use NSA's choice of default encryption.

@Knott: Do you really think that a system that "legally" authorizes mass surveillance and extralegal kidnapping, torture, and assassination can't "legally" authorize compelling the modification of "intellectual property" such as as BIOSes, antivirus software, etc.

Scope of power in one domain does not imply identical scope of power in another.

Example: The President legally can order a massively destructive air strike on targets in many areas of the world. However the President cannot compel the NY Times to not publish something.

Re: Iraq disclosure: Not exactly a huge headline given previous reporting on the RTRG. When Inglis starts telling us how they collected it, then Greenwald can start the legitimate hyperventilating.

SkepticalApril 1, 2014 5:52 AM

@Nick P: You want to redefine "backdoor" as meaning "any action that has the effect of weakening overall security." This of course allows us to define everything from Defense Department cuts in purchases of secure communications devices to erroneous suggestions by the NIST as "backdoors."

Instead of trying to redefine the term, why not simply say, "hey, the issue isn't only whether the NSA can force a company to insert a backdoor, but whether the policy of the US Government as a whole has enhanced or diminished security." That's a lot more reasonable than what you propose in your first paragraph. And while I agree that that is an important issue, it's a very different sort of issue than the question of whether the NSA can compel companies to insert backdoors.

This discussion began with DB's suggestion that the NSA could compel a chip manufacturer to insert backdoors into its products, and so one could not locate such a business in the United States.

I disagreed with that, for reasons I have explained at length.

The topic you introduce is different, and much broader. You ask not whether a company can manufacture a product to its specifications and not be subject to legal compulsion by the NSA to weaken its design, but whether US policies as a whole, ranging from export regulations to NIST recommendations, enhance or diminish security in some overall, macro sense for the nation (sometimes the world, if I read your comments correctly).

As to the various items you mention, with one exception, none has anything to do with the NSA compelling anyone to insert backdoors. Some concern the impact of export policies on commercial incentive to integrate strong encryption into products, others whether the NSA disclosed everything they knew about a product's vulnerabilities, and still others gripe that the NSA uses more security than it recommends for systems in which security is less essential or the threats are not developed state adversaries.

Protections against emanation attacks are classified despite our enemies using them against US companies and agencies. Additionally, TEMPEST certified computers are not allowed to be sold to people outside of defense.

Government standards for EMSEC are classified. If someone wants to research EMSEC and publish about it on their own, they're free to do so.

Any source for the claim that Tempest certified products cannot be sold to entities outside the defense industry? Even if true, this can be avoided, if a company wants to sell to entities outside the defense industry, merely by not submitting a product for certification.

Put another way, the US govt requires that every American system (except theirs) be vulnerable to this attack.

If you think there's an underserved private market in the US for devices resilient to state-level EMR attacks, start a company and sell to that market. If you can establish that EMR attacks are a significant means of commercial espionage or cybercrime, you'll see the development of such a market overnight.

Prior export restrictions on advanced security tech, tough crypto, or highly secure systems largely prevented their development. One author noted their A1-class secure system was cancelled in part due to uncertainty of export controls. If they couldn't be sure of sales, they couldn't justify spending $10-20mil on securing & evaluating the system. By this, US govt forced foreign citizens (even allies) to forgoe having strong protections and forced American companies to build weaker designs to ensure a return on investment.

"Tough crypto" couldn't get off the ground until 1996? I'm almost entirely ignorant of these technical matters you know, but it seems to me that I read somewhere about advances in cryptography even before US export restrictions were substantially ordered to be loosened in 1996.

And really, the US "forced foreign citizens" to use weaker systems through such restrictions? No cryptography research or production outside the US eh? This kind of overstatement weakens some of the better points you make.

The NSA and Israeli sponsored Stuxnet attack used 0-days in Siemen's products. We later found out that Siemens gave NSA access to its tech to find (and help fix) vulnerabilities. The goal was to improve security. Yet, NSA deliberately left flaws in it to hack the system later.

Even if true, not telling Siemens AG everything they know about vectors for attack is not the same thing as forcing Siemens to include such vectors. I wouldn't expect the NSA to tell a foreign company about every possible line of attack; that is not the primary mission of the NSA, and doing so would actually compromise its primary mission.

I'm curious though: Any source for the claim that the NSA deliberately "left" flaws (as though it were NSA's job to ensure that Siemens produced a flawless product and service) in Siemens's products?

4. NSA submissions to the cryptosystems our national security depend on actually weakened them across the board. Given that NSA's employs top crypto experts, a continuous stream of rookie mistakes, complexity, and poor design decisions would only happen if they wanted it to.

All of their submissions weakened our systems? Can you name two specific submissions that you think were designed to weaken systems?

They use an alternative version of it called HAIPE. If IPsec was secure, they'd have used it, no doubt?

So if the NSA develops security enhancements to something, it should be required to share those enhancements with everyone, as otherwise we're all less secure?

The White House, I suspect, employs certain security features that my own residence lacks. Is security for my residence therefore insufficient? Should the Secret Service share with us the technology it uses to secure The White House? Is that technology likely to be cost-effective for the needs of most?

5. NSA defined the computer security requirements against regular malware and high end attackers. They define various levels of robustness: Basic, Medium and High. Only High can stop sophisticated attackers that hammer away at our networks. Yet, NSA pushes products certified to Basic-Medium for protection of commercial and classified networks.

Does "push" mean "compel" here? Last I checked, the NSA does not determine how much or how little security a private company or individual in the US has. If one wants to run a more secure system, no one is stopping you.

That they have attacks against all such system designs in their catalog furthers my point that they MUST be lying when telling stakeholders such solutions will stop cybercriminals.

So in your view there should be one security level, High, and the NSA should only qualify a product as such if the NSA cannot attack it by any means? Certainly this would greatly simplify defense budgeting across the world, though it would massively increase the cost of consumer and commercial computer/mobile devices.

6. NSA's solution to infrastructure protection was inserting backdoors for monitoring and control.

Every part of that sentence, from claiming that the NSA proposed a "solution to infrastructure protection" to the nature of the projects it did undertake as one part of a broader initiative involving other agencies and departments to protect critical infrastructure, is overstated.

7. NSA had legal authority to enforce security requirements. In past, they required very high assurance for systems that sit between unclassified and classified networks. They did evaluations & made purchasing decisions based on them. Private sector responded by producing plenty of secure offerings. Then, they killed that off and started accepting low assurance offerings. The end result was our networks were compromised by all kinds of attackers. There are believable reasons outside conspiracy for the choices they made. Yet, the end result is that their policy caused most of the hacks that happened afterward and they therefore can't be trusted to protect classified networks.

Who should we trust to protect classified networks instead? That kind of statement is akin to "NASA's mistakes caused the Challenger accident, therefore they cannot be trusted to run these projects."

I'd also love to read more about how the NSA weakened security, allowing "most of the hacks" that occurred. No sarcasm in that statement, by the way. Any good sources?

8. Snowden leaks show NSA has tried to get key manufacturers, service providers, etc. to give them backdoors. All of them complied with few exceptions. The few that resisted were hit hard in court over various claims.

The Snowden leaks do not show that "all of them complied with few exceptions" and that those who did not "were hit hard in court over various claims." You gave Joseph Nacchio as an example of the latter, which is not remotely plausible.

As I've mentioned earlier in this thread, claims about the NSA forcing companies to insert backdoors obscure the actual mechanism, which is that of companies voluntarily altering a product in a manner helpful to the NSA.

9. One of the leaks mentioned NSA uses "HUMINT" to bypass companies' protection. HUMINT is a standard term in intelligence circles for use of human spies against individuals or organizations. The methods include bribery, blackmail, theft, infiltration, sabotage, and deceptive persuasion. Under national security legislation, intelligence services such as NSA are authorized to use such measures to carry out their missions. That the operations are classified means it's difficult to prove or challenge their crossing the line. That the leaks say they use HUMINT to defeat software/service security indicates they might be using such methods to pressure US companies to weaken their security. That they *can* is a risk in itself.

HUMINT simply refers to intelligence derived directly from a human source. This can be a defector, a whistleblower, a disgruntled employee, a police informant, an anonymous tip, a guy at the bar who talks too much, a person subject to blackmail, a person with a gun to his head, etc.

The NSA isn't set up for that type of intelligence work; that's a CIA mission. And the CIA cannot engage in any of that within the United States. Nor, for that matter, can any other government agency (though "deceptive persuasion" is broad enough to be included).

While lawful intercept capability is reasonable, the US has this plus secret National Security Letters managed by a secret court which doesn't imprison government offenders.

NSLs can be challenged in any federal court, and there are many decisions from federal courts across the country. They're not the province of the FISC.

This overall combination makes the United States TLA's uniquely threatening to US entities' data or systems relative to some other countries.

No, now you're attempting to slide back from the broad policy question of whether US policy enhances security overall for the country to the previous argument. That won't work.

Neither the NSA, nor any other intelligence agency, can bribe or coerce a company in the US into altering the design of their product. The closest instance to this is CALEA, which does mandate that communications carriers provide a lawful intercept capability, but this is not applicable in other contexts, and is a feature universal in the developed world.

In the United States, a company is free to ignore any request by the NSA to weaken or alter its design. And the US is teeming with lawyers who are more than happy to defend, quite aggressively, a company's ability to do so. Neither export regulations nor NIST recommendations nor ignorance of the government's own EMSEC standards affect that freedom.

Companies in the US, PR hype in response to the Snowden leaks aside, are concerned about commercial espionage conducted by foreign governments and by private competitors, and about other forms of cybercrime, not the NSA.

Now, if you're a company based almost anywhere else, you have none of the protections of the US and you're likely in a nation where the intelligence services are absolutely used to conduct commercial espionage.

BenniApril 1, 2014 10:58 AM

Well, I just post some excerpts of the new Spiegel book. This is really in there, I'm not making this up.

A document from Februar 2012 describes the goal of the NSA: "Owning the internet" p. 124.

A high ranking official of the nsa law department writes: "The nsa wants worldwide dominance of information". p 118

NSA Director Kenneth Minnehan writes in a message to all nsa employees: "we must align our traditional expectations on technical intelligence and information security, if we want to be relevant and have a leading role in the new national undertaking, whose goal is the information control of the world by america " p. 119

From this the NSA went on, to install certain programs:

Now we can learn a few new codenames for phones: (p. 129)
Basecoat is the codename for the mobile network on the Bahamas.
Eveningangel is the mobilenetwork of mexico, A list that could be endlessly extended, according to SPIEGEL. NSA got 6 Billions of metadata from phones in 2010 every day (p. 11).

Then they tapped internet fibers: (p. 130)
Rampart M is a maritime fiber they tapped in 1986,
orangecrush tapps fibers in eastern europe.
2006 nsa threw a party by tapping the first 622Megabit fiber.
Shelltrumpet is the codename for the database where all this is stored...

And on their way to world dominance, Obama gave the nsa the tools for attacks (p. 211):

In phase 0, called shaping, weaknesses of adversaries should be found.
in phase 1, nsa should let the adversary know that they can attack
in phase 2, critical data of the adversary should be changed by the nsa
in phase 3, the weaknesses exploited in phase 0 are used to get control over the systems of the adversary for destroying them.

By this, nsa can attack not only military, but also the economy, the transport sector, thee telecommunication of a foreign country.

Obama ordered the nsa and cybercommand, to be ready for these actions by 2013 with all the necessary personell.

I'm not making this up. The page numbers refer to the german edition of

http://www.randomhouse.de/Buch/Der-NSA-Komplex-Edward-Snowden-und-der-Weg-in-die-totale-UEberwachung/Marcel-Rosenbach/e460131.rhd

Ah, and by the way, NSA and GCHQ speak very highly of the BND, since BND tapped undersea fibers already in 1975, and therefore has still better technical capacities, that is, BND tapping has 100 Gigabit, while GCHQ just had 10 at a certain time (p. 128)

Nick PApril 1, 2014 12:31 PM

@ Skeptical

"Instead of trying to redefine the term, why not simply say, "hey, the issue isn't only whether the NSA can force a company to insert a backdoor, but whether the policy of the US Government as a whole has enhanced or diminished security." That's a lot more reasonable than what you propose in your first paragraph. "

I agree. The issue is NSA + govt as a whole. Remember, we're taling about both NSA backdoors and the recurring tangent of "is a product safer from legal compulsion in US vs some other countries?" I'm hitting two birds with one stone.

"As to the various items you mention, with one exception, none has anything to do with the NSA compelling anyone to insert backdoors. "

On the surface it seems. Yet, the key policies are all strongly influenced by the NSA. Examples include Common Criteria, Certification & Accreditation, export controls pertaining to INFOSEC, FISA, NIST standards/recommendations (backdoors if include RNG), and so on. That almost every carrier and software vendor is cooperating with them, sometimes installing taps or backdoors, shows an enormous amount of influence there. So, NSA's role in this can't be ignored, although it's hard to measure at times. What do people expect with so much secrecy?

"If you think there's an underserved private market in the US for devices resilient to state-level EMR attacks, start a company and sell to that market. If you can establish that EMR attacks are a significant means of commercial espionage or cybercrime, you'll see the development of such a market overnight."

Unlikely. It takes an average of 20 years for a radical idea to propogate into a full industry. Commercial industry was lied to by majority of manufacturers and security industry that certain solutions protected them. They're still being lied to. There's a multi-billion conflict of interest here. Anyone trying to get the threat across and profit off of it is almost certainly looking at a massive financial loss.

This, plus that their undetectable with commercial gear, is what makes emanation attacks a great way to deal with otherwise hard to reach targets. eg why Russians used them against us and NSA TAO catalog uses them against their targets.

"Any source for the claim that Tempest certified products cannot be sold to entities outside the defense industry?"

It's described here. They specifically say it's for government and certain contractors processing classified information. There's also rules about what labs and manufacturers can do. (Classified, so don't ask.) In the past, they wouldn't sell me anything but who knows might have changed. One can at least see what products they have available. That govt is biggest customer and only buys TEMPEST certified products, which can't be shared, kind of forces the private market in one direction.

""Tough crypto" couldn't get off the ground until 1996?"

US wouldn't allow it under export controls and tried to fight it in general. Clipper, escrow, DES 40/56-bit limit, etc. They pushed garbage that made us vulnerable or increased their control repeatedly. A random agency might be ignored. However, NSA controlled both security standards and outcome of product evaluation under Orange Book (NCSC). So, if NSA said do it, it had to be done or govt sales weren't allowed. Evaluations cost millions and could lead to tens of millions in contracts so resistance was risk.

Change didn't happen until DJ Bernstein and Phil Zimmerman handed US govt's ass to them. Effectively, they made stopping strong algorithms worthless. Although references are to State Dept, it's the NSA that handles COMSEC requirements they enforce and wanted restrictions on crypto [so they can crack it]. Restrictions got loosened toward end of 1990's. NSA changed tactics from pushing obviously bad algorithms to endpoint attacks (QUANTUM), subtle protocol flaws (eg IPsec), poisoning govt standards (eg NIST RNG), and bribing companies (eg RSA). These have worked *much* better.

" I wouldn't expect the NSA to tell a foreign company about every possible line of attack; that is not the primary mission of the NSA, and doing so would actually compromise its primary mission."

Now you're compromising your own position here. NSA and DOD repeatedly claimed that people leaking documents [from Wikileaks on] were aiding and abbetting the enemy. Although, they couldn't cite specific examples of deaths and such. Fast forward, we have DOD and NSA telling us on TV that advanced attackers (eg China) have capability to smash our infrastructure and we must trust NSA/DOD to handle it. Then, I find that they intentionally left vulnerabilities in products they reviewed for security, vulnerabilities of the type adversaries find regularly. If anyone is aiding & abbetting enemy, it's the NSA.

They certainly have two missions. Yet, it's totally unacceptable for a guardian organization to leave holes in our critical infrastructure and INFOSEC standard just in case they want to hack someone who used the same product. Put all of us at risk so they can target a select few. It's unsurprising given their *primary* mission is collection, with securing networks a distant second. Yet, once we know that they will deliberately leave or insert flaws in products we depend on, that's the point Americans should consider them a threat to security.

"All of their submissions weakened our systems? Can you name two specific submissions that you think were designed to weaken systems?"

Famed cryptographer John Gilmore blasted them here. Two jump out at me. One is unnecessary inclusion of algorithms that were weak enough that even a non-TLA could crack them. The other was including a command to send that would make it look like it was encrypting when it wasn't. (User wouldn't be able to tell.) Both of these aid a man-in-the-middle attack in an obvious way while having no rational justification in a security protocol.

That NSA prohibited such things internally and with their policies, yet pushed them on us indicates they were probably deliberately weakening our security for their benefit.

"So if the NSA develops security enhancements to something, it should be required to share those enhancements with everyone, as otherwise we're all less secure?"

NSA recommended AES and used it internally. They recommended SHA-2 and used it internally. They recommended IPsec despite cryptographers protests, then used a very different version of it internally for security purposes. If IPsec was highly secure like they told us, then why wasn't it allowed to protect classified information? I wouldn't ask for every *enhancement* to be made public. However, if the standard they're pushing is insecure & they have a secure construction, they should share it. Otherwise, they're just harming us by lying to us about security level of their standard.

"So in your view there should be one security level, High, and the NSA should only qualify a product as such if the NSA cannot attack it by any means? Certainly this would greatly simplify defense budgeting across the world, though it would massively increase the cost of consumer and commercial computer/mobile devices."

In reality, there are *only* two types of product: easy to bypass and strong security. Untrustworthy and trustworthy. If NSA says a product will resist malware and strong attacks, yet they have vanilla malware to bypass it, then they are lying. If they push it for business critical or classified use, they're weakening our defence against enemies for questionable reasons. That simple.

Private companies marketing their products will always try to oversell them. The agency charged with defining security standards, setting evaluation criteria, and protecting our classified networks I expect a little more honesty from. At least they've narrowed it down to Basic, Medium, and High now. With Medium kind of being meaningless. If they want three, here's labels reflecting what happens in practice: strong enough to stop most or all hacking; hackable with significant effort; effortlessly hackable.

"Does "push" mean "compel" here? Last I checked, the NSA does not determine how much or how little security a private company or individual in the US has. If one wants to run a more secure system, no one is stopping you."

It's easy to miss as it's complex. The NSA decided how security would be done for various certifications of anyone selling to the government. It *has* to be done a certain way. Rather than having two separate product lines, most companies try to make a mostly compliant product for commercial sector and small extensions for full govt compliance to ensure they'll cut a profit. This was under Orange Book, then Common Criteria.

Seeing as all top tech companies participate, you'd have to buy all of your tech from different companies that did a ground up secure system. You would loose all legacy functionality (eg Windows, Oracle, mainframe) in the process and have to *safely* migrate all existing software over to them. This effect of combining legacy incentives and US govt security requirements is already a huge obstacle.

It gets worse when you look at economics of highly secure systems. The first A1 system was promised many contracts, but sold only to 20 sites. Another claims around 200 sites. Most of the market for such "trusted" systems are local and [allied] foreign governments. Selling to them means complying with established CC protection profiles [which are insecure lol] and export restrictions [may prohibit highest security stuff]. So, if one wants to get ROI via govt sales *and* get private sector sales, it's going to be an uphill battle for both security and success.

So far, there's so few exceptions I can count them on my fingers (eg SKPP, Secure 64). Honestly, this is the kind of situation that is best served by private sector solutions subsidized by government investment. It's how our security industry was started in Orange Book days. Since then, NSA has only shown interest in weakening systems, so them having most say in evaluations & export is a threat. Fortunately, NSF, DARPA and private sector continue to fund developments in truly secure systems that might eventually be turned into more marketable products.

In short: NSA sponsored regs + legacy problem + market incentives + deceit about security of existing products + inertia in system = current situation keeping high security offerings very minimal.

"Every part of that sentence, from claiming that the NSA proposed a "solution to infrastructure protection" to the nature of the projects it did undertake as one part of a broader initiative involving other agencies and departments to protect critical infrastructure, is overstated."

I appreciate your unsubstantiated opinion. Meanwhile, the actual sources on it such as I linked said they'd implant the systems, monitor everything about them, and could take control in event they decided something bad was happening. (Always had bad results in the past.) This as opposed to putting a high security device (eg guard) in front of it that hackers were unlikely to breach. (That's how they internally handle such situations.) That they want implants and control rather than using existing high security solutions says something about their intent. Or competence. One or the other.

"Who should we trust to protect classified networks instead? That kind of statement is akin to "NASA's mistakes caused the Challenger accident, therefore they cannot be trusted to run these projects.""

An organization with funding, technical expertise, a sole mission of protecting, and the ability to set security requirements (eg Common Criteria). Many organizations, private and public, already exist that might be able to pull it off given authority. That NSA's primary mission requires subversion, weak security, etc. is the reason that they're the *worst* possible choice. And I've posted here before that I don't blame them: it's their overly broad mission that compels their dirty deeds. Yet, giving the hen house security over to the hungriest fox in the room doesn't seem wise.

"I'd also love to read more about how the NSA weakened security, allowing "most of the hacks" that occurred. No sarcasm in that statement, by the way. Any good sources?"

I think you might like this source. He co-invented US govt's formal security model. He outlines the start of our industry, the strong standards, the NSA's decisions that destroyed strong standards, NSA pushing weak standards, and current market remaining weak as a result. Only minor things in his paper are debatable imho. Recall, though, I said it might not be conspiracy as Bell paints a picture of NSA destroying market by just making foolish decisions. The kind one expects of a big DOD beauacracy.

Nevertheless, we had the real thing largely thanks to them, the incentive model was working, some private companies used same products, and then NSA killed it all off. New regs incentivized stuff that met security evaluation while being vulnerable to kids downloading tools off the internet. This continues to this day with SKPP being only high security protection profile they've endorsed. Bell criticizes it saying there's no evidence backing its security. So, clearly, NSA's regulatory decisions led to insecurity in COTS offerings being easier rather than harder. Especially those the govt bought with NSA's approval.

"which is that of companies voluntarily altering a product in a manner helpful to the NSA."

We don't know that. If they're compelled, they're not allowed to talk about it. And I've already outlined how their govt sales can be cancelled if they don't comply to NSA's requirements via CC or C&A. That's pressure enough in a publicly traded company. IBM makes several billion a year off public sector alone.

(Note: IBM learned the hard way as they failed to meet requirements in Orange Book days, resulting in only C1 cert ever issued. C2 was minimum for contracts, so shame and lost sales followed plus costly product rework. Vendors from then on took NSA's requirements more seriously, even the bad ones.)

"The NSA isn't set up for that type of intelligence work; that's a CIA mission."

NSA does it as well. They have military and field agents. They also have a joint program with CIA for HUMINT. That much of leaks targeted Americans undermines your other argument about intelligence service not allowed to do that.

"Neither the NSA, nor any other intelligence agency, can bribe or coerce a company in the US into altering the design of their product. "

"In the United States, a company is free to ignore any request by the NSA to weaken or alter its design. "

An official spokesperson for NSA just said otherwise. Link is right below your post by "EpicFail." He said the programs were a "compulsory legal process." They had no choice and PRISM wasn't NSL's either: it was part of a NSA collection program. So, for the taps, they were "compelled" according to NSA spokesperson. Other programs are about subversions and such. So, that they can force companies to comply with one doesn't speak well for others.

Thomas_HApril 2, 2014 3:12 AM

@ Bruce & Moderator:

With regards to the new layout:

It seems links that have been followed show up as regular black text that is not underlined. This makes it impossible to see that text is a link once a link has been followed, unless you remember there was a link and move your mouse over the text to find the link. Please fix this, it is bad website design.

@All:

Clapper admits the NSA spied on Americans:
http://www.theguardian.com/world/2014/apr/01/nsa-surveillance-loophole-americans-data

BenniApril 2, 2014 6:12 AM

@Thomas H
Well, at least for the nsa, everyone is equal.

these scientists here http://projectbullrun.org/dual-ec/tls.html
have now succeded in decrypting tls connections with Dual EC DRBG. They also found that

"Windows SChannel (the library used in Microsoft Internet Explorer and Microsoft IIS) does not implement the current Dual EC standard: it omits an important computation. We show that this does not prevent attacks; in fact, it allows slightly faster attacks."

SkepticalApril 2, 2014 2:02 PM

@Nick P: Thanks for the considered response and the good points. Since our comments are becoming lengthy, I'd like to summarize the state of the discussion as I understand it:

You argue that (I'm putting these in my words not to twist what you've said, but to verify that I actually understand what you've said):

US policies as a whole have not been properly supportive of good information security, in that:

(1) US export regulations reduced the incentive for companies to create products with strong encryption included;

(2) Tempest certified products are limited to sale to the government or government contractors, and cannot be exported, reducing the incentive for companies to create products resistant to emissions vectored attacks; the government lies about the extent to which EMSEC is needed by the commercial sector, reducing private demand for such products;

(3) The NSA has deliberately weakened protocol standards, as evidenced by John Gilmore's recollections of the crafting of IPSec and the fact that NSA does not use IPSec;

(4) Companies who wish to sell a product to both the government and the private sector must attempt to comply with both NSA security requirements and various legacy system compatibility requirements that exist for a large portion of the commercial sector;

(5) The NSA can legally compel a company to insert backdoors into its products or weaken the designs of its products, and the NSA does so;

(6) The NSA's solution to critical infrastructure protection was to insert backdoors for monitoring and control rather than installing protection features;

(7) The NSA has a HUMINT capability, and is able to bribe, coerce, and otherwise deceive companies into doing what it wants, even within the United States.

What am I missing?

Let me address (5) first, since that's closest to the original issue. As I've said and as we agree, certain lawful government requests for information are compulsory. These would include court orders under Section 215 of the Patriot Act and Section 702 of the FISA.

However, this would not include a request from the NSA to a company to game its random number generator, or a request from the NSA to a company to use a flawed encryption algorithm, and so forth. It would certainly not preclude a chip designer from contracting with a merchant foundry to fabricate chips to spec without fear that the NSA could legally compel those chips to be altered in production.

You ask "then why do so many companies comply with NSA requests?" Companies comply with lawful requests for information (sometimes after fighting them in court). I've yet to hear of an example of a company receiving a request from the NSA to knowingly weaken its product and doing so. The closest example is the RSA case, but that's not clearly a case of NSA subversion, much less RSA's knowing complicity. And even then, that would be a single case.

Well, what about bribery, blackmail, and coercion, you ask (per (7))? Classic forms of bribery, blackmail, and coercion are illegal in the US. The Intelligence Community is not permitted to use them here. Abroad, it has been reported that the CIA works with the NSA in the deployment of signals intelligence capabilities, and certainly that the NSA has personnel who are "in the field" in the sense that they are outside secured facilities while collecting intelligence. But it has not been reported, as far as I'm aware, that the NSA has a HUMINT capability, nor can I see any reason why the NSA would.

What about economic pressure, in the form of an implicit threat to cancel other contracts unless a company complies? This is the most plausible mechanism, but is doubtful for several reasons. First, a company that knowingly weakened a product design on government request could face enormous legal liabilities once exposed in the form of securities litigation. This is especially the case if the company represented its product falsely. For this reason alone, it's unlikely that a company's lawyers would sign off on it. Second, large companies in the US, such as IBM, have considerable clout with Congress and any President. Threatening them with the cancellation of all government contracts would require a political will and leverage that the NSA doesn't have. Third, if any large company in a given year suddenly lost all its government contracts, the event would attract enormous attention, dramatically increasing the probability that reason for the cancellation would be leaked.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Okay. So that's the "compulsion" side of things. On the general policy side, while I have some disagreements with your particular points, which I put below, I'd agree that as a historical matter, US policy was concerned about controlling encryption capability, and that the US today remains concerned about encryption disabling all types of intercept capabilities. While the BULLRUN program strongly hints at efforts to undermine encryption used by targets, the excerpts I've seen actually don't state that this weakening is undertaken with respect to encryption products in general. In fact I frankly suspect that it is not, given the obstacles to doing so and the remarkable number of points of exposure such an effort would have.

So what about 1-4 and 6?

As to 6, I'm not sure what you're referring to, though you say that you linked to something supporting your claim. Are you talking about the Perfect Citizen program?

As to 4, I'm not sure what legacy system issues in the commercial sector have to do with the government policies we're talking about. Regarding NSA security requirements, you seem to be saying that they're too lax for much of the government, and that this in turn forces companies to make systems that only meet the bar of those lax requirements. My answer is that if the private sector sufficiently valued products that exceeded those requirements, companies would make them regardless of how low government requirements are.

As to 3, obviously Gilmore is an eminent authority, however there are multiple explanations for his memories. I'd also note two things: first, it's hardly unusual for a complex and flawed product to emerge from a diverse committee grappling with competing values in design; second, it's interesting that Gilmore remembered these things only after the Snowden leaks (or has he published on this beforehand? I'm not suggesting dishonesty here, to be clear, only that human beings unconsciously tend to impose certain interpretations on their memories to fit current observations).

As to 2, if you think EMSEC is a serious source of loss for companies and you can prove it, you'll have a market very quickly. I'm not sure what's radical about the idea. If you can't prove it of course, then yes, it'll take a while (but that's not because the idea is radical, but because you won't have shown that the extra security is worth the cost).

As to 1, those export regulations are of course much looser today, which makes this somewhat of a historical point. But, I'd note that PGP was released in 1991 (well prior to the loosening), that companies did in fact produce domestic versions with stronger encryption and international versions with weaker encryption (see e.g. Netscape), and that foreign companies continued to produce versions with progressively stronger encryption notwithstanding export restrictions they faced in their own countries.

To sum up on the question of overall policy, it appears to me that the US transitioned during the 1990s from a world in which computational power was weaker and less widely distributed, and in which, consequently, what you would term today to be strong encryption was less widely needed. It was also a world in which US consumer demand was much more dominant, rendering export regulations, for some time, less relevant to development. That changed very rapidly, and US policy struggled to keep up with developments.

BenniApril 2, 2014 2:14 PM

@Skeptical: Here is a good article how the us government puts severe pressure on companies to create a backdoor into products:

http://cryptome.org/jya/nsa-sun.htm

It is an article on Crypto AG which was runned by BND and where an advisor, who worked for the nsa, and used to formerly "advise" Motorola, told how to weaken crypto devices.


Then, the article gets more specific in how NSA persuades other companies to insert backdoors:


Engineers 'turning white'

If crypto AG was offered a deal by NSA in return for rigging its products, it would not be alone. The approach to American firms usually comes during discussions with NSA's export licensing office.

"It is not unheard of for NSA to offer preferential export treatment to a company if it builds a back door into its equipment," says one person with experience in the field. "I've seen it. I've been in the room."

NSA's pitch varies. "Generally with high-level executives it's an appeal to patriotism -- how important it is for us to listen to the world," this source says. "With the mid-level commercial types, it's, 'Do this and well give you preferential export treatment.' To the real technical people, it's, 'Why don't you do this?' And you don't realize what's being suggested until you see the engineers are turning white."

In addition to the carrot of export approvaL NSA also can brandish a stick, this source says. "There's the threat: You'll never get another export approval if you don't start to play ball."

While this source says he has never seen a company executive explicitly agree to such a deal, he and other industry insiders say they believe some U.S. machines approved for export do contain NSA trapdoors. What is certain is that NSA for decades has meticulously scrutinized developments in the U.S. encryption field.

In 1978, when George I. Davida, a University of Wisconsin computer scientist tried to patent an encryption device he invented, NSA slapped a secrecy order on the device. Under the Invention Secrecy Act of 1951, the government can clamp a lid on any invention deemed to be potentially damaging to national security.

Dr. Davida fought back and NSA backed down. But the resulting talks between NSA officials and academic experts led to an agreement under which most, though not all, encryption scientists agree to permit NSA to review their research before publication.

Meanwhile, export controls have discouraged software giant Microsoft Corp. from building strong encryption into its best-selling Windows programs, so that encrypting computer messages remains complicated and most U.S. businesses don't bother. As a result, says Stephen Walker, whose Maryland company writes encryption software, U.S. firms are preyed on by foreign spies. "I don't want [NSA] not to be able to listen to Iraqi terrorists," Mr. Walker says. "But you're hamstringing U.S. industry in the hope of hamstringing some Iraqi terrorist who, if he's smart, can get around it anyway."

Internet privacy

The smart terrorist can, for instance, download from the Internet a program with the folksy name Pretty Good Privacy, or PGP. The work of Phil Zimmermann, a computer consultant and peace activist who works from his home in Boulder, Colo., [missing words] the Internet.

Despite its humble origins, PGP may be too tough even for NSA to break. Its release on the Internet prompted a long-running Justice Department investigation of Mr. Zimmermann for "exporting" the encryption program without NSA's approval.

Mr. Zimmermann's many defenders in the computer world -- one of whom dubbed NSA "the occupation army of cyberspace" -- say trying to stop software such as PGP at the U.S. border is folly when a Baltimore teen-ager's electronic mail may circle the planet on its way to a friend across town. They say PGP is just the beginning of an era in which cheap, powerful encryption automatically protects all electronic communications -- not just government secrets but lovers' whispers, consumers' credit-card orders and corporations' marketing plans, too.

NSA and FBI officials warn that unbreakable encryption could be a terrifying tool for criminals and terrorists. They cite a California case in which police could not inspect a child molesters computer files because they were sealed with PGP.

Mr. Zimmermann says that's regrettable, but counters: "A pedophile can drive up the street and pull little girls into his car. Should we ban cars?" Chinese dissidents, Latvian nationalists and even the Dalai Lama use PGP," he added.

'Accident of technology'

The prospect that NSA might lose its ability to eavesdrop on the world does not appear to trouble Mr. Zimmermann. Until the invention of the telephone, he says, conversations could be protected merely by walking away from the ears of others.

"I think it's an accident of technology that we lost the ability to have private conversations," he says. Encryption such as PGP merely ends the historical fluke of electronic eavesdropping, he argues -- and tough luck for the spies.

Yet the obituary for NSA may be premature.

Once, says Louis W. Tordella, the gray eminence who was the agency's deputy director for 16 years, the Pentagon's research chief solemnly informed him that encryption was improving so fast that NSA "would be out of business in five years."

That was in l981.

"Could technology put NSA out of business?" he asks. "Absolutely. Will it put NSA out of business? That remains to be seen."

Nick PApril 2, 2014 3:57 PM

@ Skeptical

"You argue that (I'm putting these in my words not to twist what you've said, but to verify that I actually understand what you've said):"

Close enough.

"These would include court orders under Section 215 of the Patriot Act and Section 702 of the FISA."

The NSA representative mentioned a program that does massive collection, not invidual requests. It's obviously much broader form of coercion than that. If they can be legally coerced into modifying their systems for this program, we must assume they can be coerced into others. Given the deception so far, the only reason an American should assume different is if a credible independent review with full access & legal authority to declassify information tells us otherwise. The legal authority isn't for leaks as much as circumventing any rules of "you can't talk about that so you might as well lie or use these weasel words." That sort of thing.

"I've yet to hear of an example of a company receiving a request from the NSA to knowingly weaken its product and doing so. The closest example is the RSA case, but that's not clearly a case of NSA subversion, much less RSA's knowing complicity. And even then, that would be a single case."

It's clearly a case of NSA subversion as RSA's customers secrets were put in NSA's control without their knowledge due to a partnership between RSA and NSA. Single case or not, it establishes that NSA is willing to pay companies to backdoor their products. Then, we see all these *potential* backdoors in products of other companies who are in a position to be influenced by US govt. A default of no trust is reasonable here.

If US govt is concerned, they can pass laws explicitly banning subversion of US products and instead only allow selective information sharing (a la per target or group intercepts). That they're unwilling to do something like this shouldn't inspire trust.

"Abroad, it has been reported that the CIA works with the NSA in the deployment of signals intelligence capabilities, and certainly that the NSA has personnel who are "in the field" in the sense that they are outside secured facilities while collecting intelligence. But it has not been reported, as far as I'm aware, that the NSA has a HUMINT capability, nor can I see any reason why the NSA would."

All the outsourcing and partnerships mean that whether NSA owns the capability isn't relevant. Whether NSA has access to HUMINT assets to further its mission is. This is one such organization although I'm not endorsing all that material on this particular link. One can look for other sources on the agency. NSA and GCHQ also work very closely on these capabilities. We know GCHQ has a team dedicated to HUMINT against telecom companies via recruiting their employees to sabotage their security. That BULLRUN partly used relationships with companies to bypass their security in combination with GCHQ says enough.

Of course, mentioning these in speculation was just to see if you've read the actual slides. That they work with (or coerce) companies to backdoor their products is indisputable. There's already a smoking gun:"

"The SIGNINT Enabling Project actively engages the US and foreign IT industries to influence and/or overtly leverage their commercial products' designs. These design changes make the system in question exploitable through SIGINT collection (e.g. Endpoint, MidPoint, etc.) with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact." (NSA document)

"Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets." (NSA document)

"Influence policies, standards and specifications for public key technologies." (NSA document)

QED. You're faith in them was mistrusted. They *are* influencing vendors here and abroad to backdoor their products, even up to "design" level changes and standards.

Note: I also found it interesting that they said "to the consumer and other adversaries." Implies the consumer is an adversary to them. Normally, I'd write it off as a phrasing issue, but their programs try to target nearly everything. So, it's probably how they look at all of us.

re economic pressure

"First, a company that knowingly weakened a product design on government request could face enormous legal liabilities once exposed in the form of securities litigation. "

They wouldn't if they were required to under law via national security. I believe those involved in the warrantless wiretapping got criminal immunity, as well. No doubt those involved with other programs would get this. The only criminal decision is not following the legal mandate.

"This is especially the case if the company represented its product falsely."

Whether they lie participating in a national security program is typically irrelevant in court. Those getting even NSL's were typically prohibited from talking about them to the public. The court documents in the Lavabit trial, linked here at one point, feature the Lavabit owner making that exact argument against giving FBI his private key for all users. The FBI's response, which the judge agreed to, was that if he wasn't allowed to tell customers then they'd never know he lied about their privacy and no damage would happen to his service's reputation. My jaw dropped when I read that as I never thought I'd see them be so openly devious in a court document. Supports my notion that these US govt TLA's are fine with subverting a service while protecting the company's lies about its privacy.

"large companies in the US, such as IBM, have considerable clout with Congress and any President. Threatening them with the cancellation of all government contracts would require a political will and leverage that the NSA doesn't have. "

The key Congressional committees and the President support NSA's programs. The major players in IT that get most contracts do it by kissing the governments butt, along with generous bribes, err, campaign contributions. They would see the coercion as a cost of doing business which had little to no effect on them otherwise, along with promised secrecy as a risk mitigation. My theory plays out well with real world data where we find all these American companies were secretly and knowingly giving over data, sabotaging products, etc. Then, upon the leaks, they feign shock and ignorance while complaining about lost trust and business.

"Third, if any large company in a given year suddenly lost all its government contracts, the event would attract enormous attention, dramatically increasing the probability that reason for the cancellation would be leaked."

The one strong criticism. This means they'd have to take one of several options:

1. Influence people running company (benefit or coercion) instead of the company's contracts themselves. eg not use contracts themselves as a threat, but as a justification for decision-maker they control.

2. Make them loose key contracts to competitors and more often. Make up beaurocratic excuses as to why. This has happened plenty of times in defence industry for both big and small companies. Questions can be raised, yet a malicious version of this is deniable & severely impacts bottom line.

3. Use the FBI, IRS, or SEC against them with false or real charges. If the charges are severe, esp involving fraud, then DOD has a decent public explanation for why contracts were suddenly cancelled. This would also hurt a stock price. The mere threat of this happening would be enough to make many give in, especially if the subversion had deniability.

Of these, options 2 and 3 seem most plausible. Remember, though, that the whole thing can be seen as a cost of doing business that has almost no cost and little risk to the business. Many NSA backdoors are designed to be subtle and look like programming flaws, a common thing in IT. Others, such as certain TAO implants, are designed to be invisible by residing in areas no hacker, sysadmin or user are likely to see. So, would a profit-motivated company with a lot of contracts do a little favor for influential DOD entities to maintain a privileged position? The answer is "Yes for any rational company in that position maxing out their bottom line."

And who knows, they might get paid $30 million or something in the process. *cough* RSA *cough* ;)

"As to 6, I'm not sure what you're referring to, though you say that you linked to something supporting your claim. Are you talking about the Perfect Citizen program?"

Yes. NSA already had technical solutions to the problem that even their pen testers didn't beat during certification. Advocating weak solutions that merely give them control is devious at worst and foolish (versus protection) at best. Offering strong protections with "optional" free monitoring would be acceptable as at least they spy and protect at same time.

" second, it's interesting that Gilmore remembered these things only after the Snowden leaks "

Schneier and others criticized IPsec going way back. NSA's secrecy on their programs and appearance of aiding security standards meant that people weren't as concerned about them in certain situations. Then the Snowden leaks showed how actively they were trying to undermine everything. So, everyone takes a fresh look at things and Gilmore notices that NSA-sourced submissions caused glaring security weaknesses. Anyone looking at NSA cryptography knows they normally filter out such nonsense. So, he connects the dots that they might be intentionally introducing weaknesses along the lines of that BULLRUN program that mentions weakening cryptosystems and standards for easing SIGINT collection.

Very sensible concern and the closest one can typically get to solid evidence against a covert op by a professional spy organization. It cannot be overstated how hard it is to catch good, well-funded, high-tech covert operators. That evidence is more circumstantial is natural to the game. It's not like he can sue them, request their top secret files in discovery process, and cross-examine key witnesses to the programs. The pervasive secrecy makes investigations hard, yet Gilmore's points are still strong enough to have reasonable suspicion NSA corrupted the standard. And, hence, enough reason to distrust those who made the submissions and reform/replace the standard.

" I'm not sure what's radical about the idea."

You've never explained it to someone. I speak from experience that this is one of those risks that's hard to get across. Even now having NSA catalog showing the devices, it's still so esoteric that it's hard to sink in the concept or justify the cost of a defense. These attack methods are also used mainly by pro's who are great at not getting detected. It just all adds up to make it a hard sell. Such things are better off being incentivized by regulation & government investment. That it's not even permitted is... worse than a hard sell.

"and that foreign companies continued to produce versions with progressively stronger encryption notwithstanding export restrictions they faced in their own countries."

Yeah, they showed the foolishness of those restrictions. Additionally, high assurance security engineers pointed out restrictions on those systems made little sense as the methods for producing them were public knowledge and Europeans in particular were ahead of us in some aspects of them. Banning would just cause domestic production of equivalent or better. Happened just like you said.

"To sum up on the question of overall policy, it appears to me that the US transitioned during the 1990s from a world in which computational power was weaker and less widely distributed, and in which, consequently, what you would term today to be strong encryption was less widely needed."

It's incorrect. There was a transition in computing. The core problem for NSA remained the same: collect everything they can and never be blocked by privacy technology. They fought to limit software level of it from foreign sales, with hardware weakenesses existing domestically as well. Cypherpunks beat them with widespread crypto, while OSS software and security tech also undermined it. U.S. TLA's struggled to prevent a blackout of information. So, they produced programs to undermine security everywhere in many ways and pushed for legislation to force US companies to secretly provide them information. Post-9/11 both activities got major boosts, including solid legal support, resulting in massive expansion and success of such efforts. The end result is that, today, one can't be sure if a product in a number of countries is working for the customer or for certain spy agencies.

That's it in a nutshell. The other points and docs are just about filling in the details of their methods, their policies, effects over time, and current effects. That said, I think we've hammered out this topic enough. I'm leaving the discussion but feel free to comment further if you want.

Nick PApril 2, 2014 4:07 PM

re Benni's post

"In 1978, when George I. Davida, a University of Wisconsin computer scientist tried to patent an encryption device he invented, NSA slapped a secrecy order on the device. Under the Invention Secrecy Act of 1951, the government can clamp a lid on any invention deemed to be potentially damaging to national security."

I forgot to mention that in my list. Secrecy orders on inventions, also called black patents, can be used to squelch security technology. Such legal power needs to be severely limited to exclude things such as encryption, robust computers, etc. It's actually one of the reasons I never patented my designs. Trade secrets protect by contract law, OPSEC and [if published] First Amendment made more sense to me given how I developed solutions and for who. The secrecy was also nice insurance in the event of a monumental screwup in my designs as other layers and how they're obfuscated might prevent/contain the attack. Did, in more than one case. Another commenter here also pointed out using obfuscation to hide details of design to prevent patent trolling, as well.

BenniApril 2, 2014 4:32 PM

@All How do you read this paper:

http://cryptome.org/2014/03/DualECTLS.pdf

Is this saying that the NSA can decrypt any tls connection from windows Internet explorer?

They are writing;
SChannel (“Secure Channel”) is a security component in the Windows operating system (introduced in Windows 2000) that provides authentication and confiden tiality for socket-based communications. A

lthough it supports several protocols, it is most commonly used for SSL/TLS, including by Microsoft’s Internet Information
Services (IIS) server and Internet Explorer (IE).

Windows SChannel does not implement the current Dual EC standard: it omits an important computation. We show that this does not prevent attacks; in fact, it
allows slightly faster attacks.

BSAFE-Java v1.1 min 63.96
BSAFE-C v1.1 min 0.04
SChannel I min 62.97

min are the minutes to break on a 16 CPU computer.


"In sum, 4 million of the servers we contacted exhibited
selective fingerprints. As described in Section 4.2, SChannel exhibits a fingerprint in the first 4 bytes of the session ID. 2.7 million of the servers we contacted
exhibited this fingerprint. We requested HTTP headers from 1,000 of these IPs (randomly selected), and 96% of the responses included the string “Microsoft” in the server field, suggesting that this is a selective fingerprint."

So the nsa can just read 65% of all "securely" "encrypted" tls sessions? Am I getting this right?


Do other browsers, appart from Internet Explorer, use Microsoft SChannel?

What does, for example, chromium use here?

Nick PApril 2, 2014 10:35 PM

@ Dom

I'll be darned it seems that's exactly what these scumbags are doing. There are more specific claims related to their technology in the claim section that might have their differentiators. Virtually everything in the abstract, though, existed before their patent application. Someone should tell all the major vendors in the access control industry so they can squash this patent.

SkepticalApril 3, 2014 8:05 AM

The NSA representative mentioned a program that does massive collection, not invidual requests. It's obviously much broader form of coercion than that. If they can be legally coerced into modifying their systems for this program, we must assume they can be coerced into others.

I'd call the amount of data being requested, as reported, under 215 and 702 to be massive. Nor is the deduction from "companies can be compelled to produce information under law X" to "any company can be compelled to alter product designs" a valid one.

Given the deception so far, the only reason an American should assume different is if a credible independent review with full access & legal authority to declassify information tells us otherwise.

Knowing something about the law, I disagree. I've yet to see any leaks revealing illegal surveillance activity by the NSA. While I was somewhat surprised by the mechanism allowed by the FISC with respect to the telephone metadata program, the FISC's interpretations of the law are not unreasonable.

By contrast, I cannot see any reasonable interpretation of a law that would permit the NSA to legally compel any US company, such as a chip manufacturer, to alter product designs. If anyone has a candidate, though, my mind is open.

It's clearly a case of NSA subversion as RSA's customers secrets were put in NSA's control without their knowledge due to a partnership between RSA and NSA. Single case or not, it establishes that NSA is willing to pay companies to backdoor their products. Then, we see all these *potential* backdoors in products of other companies who are in a position to be influenced by US govt. A default of no trust is reasonable here.

It's a bizarre backdoor if that's what it is. They set a default on an encryption procedure which includes other encryption options, all faster and all more favorably reviewed. They documented the features fully. The default itself appears to be heavily disfavored among products incorporating RSA's library. Concealment is only a good explanation for the weird nature of this as a backdoor if the NSA is attempting to cloak its backdoors in ineffectiveness.

So, let me pose an alternative explanation: someone at NSA who had both a bureaucratic self-interest, and perhaps a genuine benevolent interest, in widespread adoption of elliptical curve cryptography pushed for the adoption of the ECC option as the default. For any one of several reason (perhaps this person, or persons, had a good high-level understanding of cryptography, but did not have a detailed understanding of the particulars of how each algorithm works), one detail of the implementation went unexamined by both parties.

Of course, it's possible that the algorithm was included as part of a more complicated exploit, in which the availability of the algorithm as a default plays a role. But I don't think we know at this point.

If US govt is concerned, they can pass laws explicitly banning subversion of US products and instead only allow selective information sharing (a la per target or group intercepts). That they're unwilling to do something like this shouldn't inspire trust.

Which country has laws "explicitly banning subversion" of products?

Of course, mentioning these in speculation was just to see if you've read the actual slides. That they work with (or coerce) companies to backdoor their products is indisputable. There's already a smoking gun:"

They *are* influencing vendors here and abroad to backdoor

As I said earlier in the thread, voluntary compliance with certain requests is much more plausible than highly speculative claims of compulsion.

Even with respect to the BULLRUN excerpts, there are still huge questions as to the scale of acquiescence and as to the type of enabling being undertaken. Keep in mind that we're viewing an incredibly brief summary written to persuade that this program is valuable enough to justify the funds being spent. We should expect exaggeration and brevity, which in combination rarely produce clarity.

In fact, the absence of information as to the proportion of IT companies who have provided assistance, much less provided something approaching a backdoor, may be an indication that these numbers are small, as I would expect this type of document to brag a bit, in a sufficiently vague fashion, if the numbers were impressive.

Re economic pressure

Note: My three points below all describe why it is unlikely that a company would acquiesce to economic pressure to weaken a product. The points were addressed to the argument that even if the NSA could not legally compel a company to introduce backdoors, it could bring economic pressure to bear to win a company's agreement.

Your responses however consistently reintroduce the assumption of legal compulsion, and do not attempt to address the problems with the economic pressure argument.

"First, a company that knowingly weakened a product design on government request could face enormous legal liabilities once exposed in the form of securities litigation. "

They wouldn't if they were required to under law via national security. I believe those involved in the warrantless wiretapping got criminal immunity, as well. No doubt those involved with other programs would get this. The only criminal decision is not following the legal mandate.

No, remember economic pressure not legal compulsion is the method under discussion in this section of the conversation. Here we're discussing a case where the company's reason for weakening a design isn't that it was legally compulsory here, but that it was economically beneficial.

So under the case of economic pressure, the excuse of being required by law does not apply (and, again, there are no such legal requirements).

"This is especially the case if the company represented its product falsely."

Whether they lie participating in a national security program is typically irrelevant in court.

There are no national security exceptions to laws against securities fraud. If a company weakens its product deliberately, and then misrepresents the nature of that product to investors who, on the basis of those material statements, purchase stock, then the company and certain personnel within will be liable for securities fraud, among other things.

Again, we are discussing here the possibility of the government using economic pressure, NOT legal compulsion.

The court documents in the Lavabit trial, linked here at one point, feature the Lavabit owner making that exact argument against giving FBI his private key for all users. The FBI's response, which the judge agreed to, was that if he wasn't allowed to tell customers then they'd never know he lied about their privacy and no damage would happen to his service's reputation. My jaw dropped when I read that as I never thought I'd see them be so openly devious in a court document. Supports my notion that these US govt TLA's are fine with subverting a service while protecting the company's lies about its privacy.

You raise an argument here again that assumes the presence of legal compulsion rather than economic pressure.

(though as an aside: the government did not give the argument you described in response. Levison argued that the order for the key was unduly burdensome in that it would harm his business model; he further argued that he should be able to disclose the order immediately in order to avoid loss of trust. In response, the government argued (i) that a lawful subpoena interfered with a business model is not a sufficient reason to quash it, and (ii) that Levison noted in his privacy policy that he would comply with lawful demands for information. Even if Levison had promised not to comply with all lawful demands for information, the fault would lie with him for making such a promise, not the government for insisting on compliance with the law. See Levison Pleadings via Wired. See also Orin Kerr's analysis.)

"large companies in the US, such as IBM, have considerable clout with Congress and any President. Threatening them with the cancellation of all government contracts would require a political will and leverage that the NSA doesn't have. "

The key Congressional committees and the President support NSA's programs. The major players in IT that get most contracts do it by kissing the governments butt, along with generous bribes, err, campaign contributions. They would see the coercion as a cost of doing business which had little to no effect on them otherwise, along with promised secrecy as a risk mitigation. My theory plays out well with real world data where we find all these American companies were secretly and knowingly giving over data, sabotaging products, etc. Then, upon the leaks, they feign shock and ignorance while complaining about lost trust and business.

You're mixing things here again. Handing over information subject to a lawful demand is one thing; deliberately and deceptively weakening a product design is quite another. The latter has no legal protection, because it would be a voluntary act by the company. That kind of request is not just another "cost of doing business." And if the government were doing this broadly, there'd be a lot of very powerful companies complaining and looking to donate elsewhere.

Now, that said, there are ways that the US Government could accomplish the same thing without forcing companies to make that kind of decision. But within the US their means of doing so are very limited. Outside the US...

"Third, if any large company in a given year suddenly lost all its government contracts, the event would attract enormous attention, dramatically increasing the probability that reason for the cancellation would be leaked."

1. Influence people running company (benefit or coercion) instead of the company's contracts themselves. eg not use contracts themselves as a threat, but as a justification for decision-maker they control.

So classic bribery? Not a means available to the US Government inside the United States.

2. Make them loose key contracts to competitors and more often. Make up beaurocratic excuses as to why. This has happened plenty of times in defence industry for both big and small companies. Questions can be raised, yet a malicious version of this is deniable & severely impacts bottom line.

This would be fairly complex to do without the shape of the reason why (that the US Government wants to punish Company X) becoming an open secret. It's also something that would poison the relationship between the NSA and key players in relevant industries, something the NSA is very keen to avoid.

3. Use the FBI, IRS, or SEC against them with false or real charges. If the charges are severe, esp involving fraud, then DOD has a decent public explanation for why contracts were suddenly cancelled. This would also hurt a stock price. The mere threat of this happening would be enough to make many give in, especially if the subversion had deniability.

This would involve blatantly illegal activity on the part of the government as well.

... the whole thing can be seen as a cost of doing business that has almost no cost and little risk to the business. Many NSA backdoors are designed to be subtle and look like programming flaws, a common thing in IT. Others, such as certain TAO implants, are designed to be invisible by residing in areas no hacker, sysadmin or user are likely to see. So, would a profit-motivated company with a lot of contracts do a little favor for influential DOD entities to maintain a privileged position? The answer is "Yes for any rational company in that position maxing out their bottom line."

Many NSA backdoors... How many confirmed NSA backdoors have you seen?

In any case, the risk here isn't just discovery by an outside examination of the product, but also the risk that any of the numerous people you'd need involved would leak it.

" second, it's interesting that Gilmore remembered these things only after the Snowden leaks "

Schneier and others criticized IPsec going way back. NSA's secrecy on their programs and appearance of aiding security standards meant that people weren't as concerned about them in certain situations. Then the Snowden leaks showed how actively they were trying to undermine everything. So, everyone takes a fresh look at things and Gilmore notices that NSA-sourced submissions caused glaring security weaknesses. Anyone looking at NSA cryptography knows they normally filter out such nonsense. So, he connects the dots that they might be intentionally introducing weaknesses along the lines of that BULLRUN program that mentions weakening cryptosystems and standards for easing SIGINT collection.

Except Gilmore didn't represent it as a fresh look, but as something he had previously noticed. It's also something he appears to have drawn from his memory and impressions of the process, and not from a review of records. Those types of recollections are especially subject to various human biases.

It cannot be overstated how hard it is to catch good, well-funded, high-tech covert operators. That evidence is more circumstantial is natural to the game. It's not like he can sue them, request their top secret files in discovery process, and cross-examine key witnesses to the programs. The pervasive secrecy makes investigations hard, yet Gilmore's points are still strong enough to have reasonable suspicion NSA corrupted the standard. And, hence, enough reason to distrust those who made the submissions and reform/replace the standard.

Weak evidence doesn't become persuasive just because good evidence is hard to get.

KeymakerApril 3, 2014 3:34 PM

ZunZuneo: The Twitter copy built by USA for Cuba

(it's probably not the only web-based service that was built by US government without the public knowing it...


With all this as a backdrop, USAID evidently thought it a good idea to help facilitate the creation of a barebones “Cuban Twitter,” which ran on cellphone text messaging to avoid Internet censors. It was thought that if the program caught on, it could help activists form “smart mobs” to protest the Cuban government.
[...]
There’s also the fact that the ZunZuneo team was apparently using the service to gather data on Cubans without their knowledge.

Source:
http://www.slate.com/blogs/the_world_/2014/04/03/zunzuneo_the_u_s_government_s_bizarre_and_ill_advised_plan_to_build_a_fake.html

Nick PApril 3, 2014 8:52 PM

@ name.withheld
(continued)

"May give it a go, not for an application platform but a hardware/router device. My plan is to build out a new secure perimeter and proceed with virgin builds of other platforms. "

Starting small is smart. Yet, I'm telling you that if you have embedded experience you might be going in the wrong direction. Almost all attacks hit code (in various places) and abstraction gaps. The Orange Book, MILS architecture, etc seem to focus on everything but that. Closing these holes is paramount to a clean slate redesign. The SAFE project is doing that with a tagged memory processor, CHERI with segmentation, and I've been looking at every architecture going back 50 years. I'm trying to find something good enough to stop most threats, yet with quick implementation potential.

I like taking mental shortcuts. Eliminating unsafe code from the system, first done by Burroughs B5000, is a good one. Ensuring that code & data are treated separately/safely at instruction set level (via whatever mechanism) is also nice. If implemented properly, it lets you prevent code injection just by designing a small TCB and initializing the system right. Updates are easier, too, as a dedicated module can verify it with anything from signatures to human review of text. Point being, whichever architecture should support HLL development easy enough while being immune to memory, IO, and control flow attacks we've seen so far.

Tall order. What to do... Well, while I kind of hate the language, the one shortcut that keeps coming back to mind is Java. There are Java processors, from OSS (JOP) to GOTS (Sandia SCORE) to patented (jHISC), that run Java bytecode natively and eliminate abstraction gap that causes 99% of attacks on platform. There is also a capability secure kernel (J-Kernel), a capability secure subset (Joe-E), a distributed obj-cap language (E), a maybe secure OS (JX), a desktop OS (JNode), a certifying compiler (forgot), formally verified equivalents (Jinja), information flow control (eg Thober 2007), and so on. I'm sure that *some combination* of these methods, starting with an enabling SOC, can be used to make a secure system design easy as hell compared to native code.

Long term, I'd rather it not be Java & there might be alternatives out there. Regardless, there are so many tools out there for Java and a suitable subset (eg Middleweight Java) should be easy to analyse/implement... esp if on a machine natively executing bytecode. The resulting system might involve FPGA's, COTS components, custom boards, low-level interfaces, etc. This is where you embedded guys have an advantage that might lead you to achieve a solution faster than most others. There will be the central processing unit, the memory subsystem, and IO subsystem. Whether Java or tagged processor, I recommend modifying IO subsystem to do the following:

1. Assign each device one or more specific areas of memory, assignable only by privileged software.

2. Enforce that with IOMMU.

3. Seemlessly add proper tags (general IO or device specific) to data sent to memory and remove tags on data retrieved from memory.

4. Possibly add security checks based on tags or arbitrary policy.

5. Possibly use open cores for each type of IO (eg Ethernet).

Bare minimum for IO has to be safe comms with privileged software on CPU, an IOMMU for device access, and respect to memory tags/types/capabilities. These protections must remain even if 5 is used in case of accident.

Boot Process

First stage is loaded from an actual ROM. You gotta make this one flawless as possible or at least make ROM's easy to *physically* swap out. The ROM tests basic instructions, optionally tests security critical functionality, optionally executes entirely in onchip memory, definitely loads software from on-board flash into main memory, hashes it, validates the signature attached to it, and if succeeds passes control. This combo of ROM and flash boot allow you to change firmware as much as possible while still having trusted boot process. Updates would be signed images flashed by privileged software and only with a physical switch enabled. IO would default on not accessing a certain segment of memory and blocking most devices on startup. It might even stay off until the TCB is fully ready.

Kernel

I gave you plenty of options. You can copy a microkernel approach. You can do it like a library that all programs connect to. You can use capabilities. You might just use regular objects, function calls, etc as Java processor can be made to enforce all that. For resources, I'd copy INTEGRITY RTOS's approach making non-privileged programs donate their own CPU/memory to accomplish kernel calls. You might modify the processor code to speed up or handle certain tasks. I'd add an open core for onboard crypto, for instance. I also remember Intel 432 had onboard support for segmentation of memory via objects and garbage collection. JOP and others added concurrency enhancements to prevent most problems. Others protected control flow. And so on.

Non-kernel

You know the rules here. Modularity, careful interfaces, layering, making each object/module do one thing well, minimizing shared state, and so on. Pay careful attention to the protocols, replacing insecure ones with secure one where possible. Isolate or monitor what you can't replace.

Compilation

There's certifying compilers. If you can't get one, I suggest testing the code with existing compilers and then just hand-rolling the initial implementation. Or retarget a simpler language (eg Oberon, Forth) to Java to make the compiler easier to write. The core routines (eg kernel) you might even hand code in java assembler initially. Regardless of approach, you must ensure you're compile, link, sign, and deploy cycle is correct. The sign part is easier for target machine to check than a full source validation, saving you time. Plus, if you keep compiling machine safe you get source validation and trusted loading. :)

Admin

Admin will be a two step process. The first is for building your system. There will be four computers total: untrusted powerhouse you do all your work on 1; a trusted guard 2; semi-trusted admin box 3; trusted, safe target 4. You use 1, pref with LiveCD, to fetch source copies of all the tools you think you'll ever need. Check them every way you can. Move them to admin box via guard. The guard will be a simple batch/interactive type system that pulls data in over safe IO to memory, lets you validate it using deprivileged programs, and lets you visually validate anything. You can check as many sigs, hashes and source as you want for each thing you move.

Once it's all on the admin box, you have a semi-trusted machine to develop prototypes on. The rest of the source you move should be simpler, often aiding your own developments. You will visually check them through the guard, maybe with certain input processing involved. The admin box will do all the rest from SCM to deployment to management. This process lets you use all the needed tools, easily vet new ones at your own pace, and still be isolated from many threats. Over time, the admin box's functions are replaced by more trusted HLL code that your trusted target supports and eventually admin functions run on your secure architecture with full security.

Services

There's already a ton of libraries, algorithms, protocols, and entire applications coded in Java. Getting things running initially is just porting a bunch of stuff. That makes your architecture more productive. Porting something like Jython or Clojure later on will make it even more productive.

Interconnection

If secure IO, safe CPU, and POLA software, then running untrustworthy protocols or apps might be safe for system as a whole. My old externalized IO trick still helps if you have doubts as the comms layer on trusted device can be simple while real work of eg HTTP/TCP/IP/Ethernet is handled on untrusted device. There's also verified parsers (eg INRIA) that, combined with safe code, might make input validation a non-issue. In the past, I just used LISP syntax subset and made the best parser for it I can. From there, each parser just produced and accessed different AST's that LISP lexer automatically created. You can replace parentheses with less used character if it helps in certain scenarios.

Clustering

Might be load balancing, failover, isolating certain services and so on. The easiest approach is a dedicated management interface that connects to trusted software. (assumes physical security) The single node software can be modified for the other use cases with all the commands and coordination sent in native (or near-native) form over the management line. All potentially hostile stuff is restricted to untrusted network. Requires two lines per node but is *so* much easier to build-in secure management, coordination, etc.

Trusted Path

Your system needs one. Console will be simple enough: process that reads input and redirects it to whatever has focus; an ability to track and change focus; part of console reserved for trusted path to say what has focus; dedicated key sequence to activate trusted path if it's a separate thing; all other processing handled by individual apps (which are basically executing java classes); app with focus's virtual console output copied to real one by TP. GUI is similar just copy Nitpicker or EROS windowing system, optionally using protected IO to dedicate a GPU or other accelerator to a given app.

Backups

A CD/DVD drive in you admin box will be easiest. Alternatively, if you have existing SAN, sending a crypto sealed version of data over guard to it might be alright. Just have offline backups and check them, preferrably with the guard. Have separate backups of your admin server itself and the user data it stores. The former might be an image on trusted media, while the latter are files that might be stored and used wherever.

So, that should about cover it. Start with safe core in hardware, build a TCB software can't mess with, and put robust software on it. Anything less will be bypassed by attacks below software abstraction in all likelihood. Btw, consider using anti-fuse FPGA's and open FPGA synthesis tools for final deployment if you're concerned about subversions at that level. Whether you adopt any or none of this, good luck.

Re your movie plot idea

It's interesing. Even on a limited scale, such a scheme could be quite beneficial for hedge funds in event-driven and relative-value classifications. Many conspiracy theories focus on event-driven model with a disaster upping someone's bottom line, either caused by them or with them tipped off. A less tragic version could happen with level of foreknowledge NSA has on businesses in more ways than I can count. The relative value one can be done similarly with stolen information about state of the business.

The bigger picture you're going for, though, seems to be the other classifications that focus on market trends and big picture bets. Given enough influence, an organization with this amount of information could use it to set trends that do more than profit: straight up power can be had. Quite a few ways to go about it and complex to discuss. However, the *working* methods of Wall St and Big Data are even more complex.

Of course, if one of the existing cabals (eg Bilderberg types) are as powerful as some believe, they're almost certainly doing something like this right now. The elites ties to both the surveillance state and 2008 crisis show that they're not ignorant of such manipulations. If anything, the brilliant people they hired kept them many steps ahead of the majority and made their dominance of markets/govt easier. It's rational to believe such organizations continued to develop new schemes to leverage every asset they have available, including Big Data or NSA if possible. Their very nature says they're planning/executing one or more such schemes right now.

I mean, the last one worked so well for them: $1 trillion with criminal immunity and all profits included. Two profitable wars before that. They're on a winning streak. Why stop now!?

FigureitoutApril 3, 2014 10:02 PM

Nick P
You use 1, pref with LiveCD, to fetch source copies of all the tools you think you'll ever need. Check them every way you can.
--This is 1 of the first steps and it's one of the hardest in my view. My school account showed the exact same symptoms of my insanely-infected laptop; I really would've liked to make some LiveCD media from there. First off the origin of the LiveCD is from the internet; I suppose one could order a CD from some of the bigger distro's and I have to "trust" that someone else is as paranoid as me. Next, everytime I burn a LiveCD another "[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183" desktop.ini file pops up everytime. When I find this files they then have "found" files that then likely relay back to the agents to implement operation 666, I don't know. This file has appeared on everyone one of my computers I've looked at that was also connected to the internet (and some other stuff).

Maybe some out there are thinking, "I'm fine, I haven't had my house broken into by agents"; to which I first say, "How do you know?". But not even that, how can you verify a modern computer? That would take more than a lifetime. Have you ever been MITM'd before? You need to at least experience that to see some of the digital deception that is possible; you'll never be the same.

I suppose one could take a LiveCD, use that to make another LiveCD, and play hopscotch until you wonder, "Surely, the infection couldn't persist". Or another thing is what other chip in this computer has a nice chunk of flash memory...oh god nevermind...

Anyway, great post. Not only does it help a lot of people getting started; I think it helps you organize your thoughts as well.

yesmeApril 4, 2014 12:40 AM

@Figureitout

About that PC of yours. What you could do is:
1) Backup
2) Format and reinstall the system. Maybe the bios too.
3) Use sandboxie. With sandboxie you see exactly what each program does. And you can limit the access control of a sandbox. This is really interesting for a quick test of an new program.

name.withheld.for.obvious.reasonsApril 4, 2014 5:00 AM

@ Nick P

Regarding the plot--honoring the propriety of certain information and the sensitivity of the subject, I collapsed the facts and simplified the top level story. As the plot identifies a potential nightmare and the method(s), theoretically, and are not entirely complex, a bit of dancing had to be done to tell the story. And, I am glad you can see it--this issue is what keeps me up at night. What deliveries me to this conclusion is an exhaustive analysis of multiple institutions, rule making, laws, financial systems, and the frailty of our humanity. I'd rather concluded my supposition, or hypothesis, is incorrect, be found a fool, and live life a bit more simply but I am afraid that is not to be.

This all started for me a year and a half ago and I almost found myself in Snowden's shoes...you have no idea how close. Let's just say I had a conversation with someone in DC one morning, the next day they were on C-SPAN speaking directly to the issue we discussed. The person I reached out to for advice was not on the same team, so to speak, and was protecting his interests and was preparing to throw me under the bus (in a way he did). The issue has become so stark, abhorrent, and disturbing that it has consumed my ambitions and re-framed my career, living conditions, and my sense of the future.

My Snowden moment came in September of 2012. Built a research facility in remote location with the appropriate operational controls. The location allows for simplified security and reduces costs and stress. My objective is to re-tool a commercially appropriate computational environment short of building everything from the fab level--but I have plans to go fab if warranted.

I appreciate your suggestions and enjoy having "operational" feedback--my preferred methodology is simplicity, reproducible, audit-able, and open hardware and software platform stacks. Even thought of using PC-104 for network appliance due to simplicity, availability, and costs. The architectural emphasis is on integrity and scalability (this means multiple things in the context of this short post) that can be placed in the OSS community for broader deployment may help in countering the "brown shirt" disease that is infecting our waters. Sorry to be so obtuse but given the circumstances I don't need to show everyone my cards--at least not yet. I am not going to use COTS or OSS components initially--the design should be neutral enough to support similar efforts without re-defining hardware/software platform choices. I intend to go one step further than you suggested, FPGA's are too large a question to be confident--maybe structured ASIC's, but ideally dedicated ASIC's (don't need rad-hard or milspec for now). Have considered developing an analog computing core with discrete digital interfaces (addr, mmu, tbl, opcodes, smbus, etc.)--could be useful for doing logical translation auditing at the bus level in real-time. I just hate having to pay for ECL memory. Biggest issue is the global clock and proper grounding with an analog/digital combo proc. Also thinking of a scalar board level design--logical components for the core platform, separate hardware to plug into the base platform instead of the monolithic Intel Sandy/Bridge or ARM pllatforms.

Scripting languages have always been too clunky for me but I am not building this for me...this is an area I'd leave to others but much of that will be driven by the lower level architecture. API's supporting the inclusion of other components must be a consideration. I like separation kernels for just this reason. And, Java--unless I find myself in a cold dark dungeon--and I see dragons--this is not an option I will entertain. I will leave that to others. My first thought was to implement a forth shell as a basic programmatic interface. Others may want something more familiar and accessible--again--I leave that up to others.

BJPApril 4, 2014 9:27 AM

@figureitout

About that PC of yours.... EVERY Windows machine contains desktop.ini files with the exact same content as you listed. I'm not sure if you're trolling or simply a lunatic, but you've now officially given yourself away.

Nick PApril 4, 2014 11:47 AM

@ name.withheld

"The architectural emphasis is on integrity and scalability (this means multiple things in the context of this short post) that can be placed in the OSS community for broader deployment "

If that's your goal, I'd recommend not doing anything too unusual like analog computing engines. Whatever it is the average OSS hobbyist needs to have a shot at understanding. It's funny that you mentioned an analog/digital combo as the Sandia Secure Processor did that, except in reverse. They also used a hardware event queue to eliminate interrupts. Their front end was analog, with a timing chip converting it into digital in a way that preserved realtime/behavioral properties. Their methodology resulted in this:

"The total synthesis time spent was just short of
3 weeks, where comparably sized ASICs at Sandia
typically take from 6 to 18 months. The synthesis
work resulted in a design where 100% of the 8000 reg-
isters were covered by the automatic insertion of 9
scan chains, and cover 98% of total logic. This work
required roughly two days where typically it takes
roughly a week to reach 70% logic coverage, and ad-
ditional 6 weeks to even approach an end goal of 95%
coverage. It also yielded a design with zero timing vi-
olations for a very aggressive target clock of 25MHz.
Such results are very rare, as most synthesis outputs
yield hundreds of timing violations, and each must be
reasoned away."

Their co-simulation methodology might be worth copying if your chip is relatively simple and your aiming for ASIC deployment.

"Biggest issue is the global clock and proper grounding with an analog/digital combo proc. Also thinking of a scalar board level design--logical components for the core platform"

Can't help you there as I'm not a hardware designer.

" I intend to go one step further than you suggested, FPGA's are too large a question to be confident--maybe structured ASIC's, but ideally dedicated ASIC's (don't need rad-hard or milspec for now). "

I mentioned FPGA's mainly for their prototyping. Most better architectures I've seen were FPGA-proven before ASIC-proven. The reason I mentioned anti-fuse was that a solid FPGA can let you use your architecture in practice while you're preping the ASIC release. Let's just say being in the position of depending on an architecture for real work can tell you plenty about its actual value.

"And, Java--unless I find myself in a cold dark dungeon--and I see dragons--this is not an option I will entertain. I will leave that to others."

Ok, well that's out. The chips are still worth looking at for how they handle things like object hiding, protected stacks, etc. Such are useful outside of Java.

"My first thought was to implement a forth shell as a basic programmatic interface. Others may want something more familiar and accessible--again--I leave that up to others."

Definitely a decent start. One idea that comes to mind is to implement a stack machine that high level languages can target with enhanced safety. The one that popped in my head was the field-proven Lilith system of Wirth. It implemented M-code and the entire system was written in safe Modula 2. You can start with Forth to get the thing running and usable. Over time, someone else might port a HLL language to it leveraging its properties. The Active Oberon System, already a nice foundation for a safe system, could probably use a safe [hardware] foundation itself.

Another idea is you contributing to one of the clean slate efforts. They have money and brains, but I'm sure pro's could extend their designs plenty. This processor comes to mind. Ignore all their fancy high level language crap and focus on the machine itself. Implement a low level language or interface ("SafeForth?") that lets you code it while leveraging its tags to protect memory or control flow. Extend it to handle IO and boot safely using simple mechanisms as possible. They're publishing papers, code, etc on their web site and might give you more if you ask. They already verified an abstract version of it to be secure w.r.t. an info flow security policy.

Course, if I can't talk you out of doing a basic Forth chip then I'll at least throw in a core to speed it up. It's already FPGA-proven with minimal silicon use. Of course, I know you'll toss out the other thing that comes with it. ;)

FigureitoutApril 4, 2014 12:01 PM

yesme
--Don't really want to back it up and store whatever this is that persists across systems. It's the only PC I use to access the internet so I don't want to bleach it yet, but I don't want a new BIOS. I don't know what's being loaded before BIOS when I run in RAM and it breaks LiveCD's loading and causes errors. Perhaps something in Optical Disk Drive, I really want to know what that is...

BJP
--Does a CD-burn always add that file to the disk too for you? Why would I need that file burned on a CD for a live-system? And let's see who's more sane after a 4+ year investigation by agents that track every aspect of your life and break in your house. I've started having "anger blackouts" where I don't remember what happens, just had another one above w/ that f*cked up post; don't remember doing that...Then it's followed by a day-long headache and I can't eat. I've also offered to physically meet people (call me a troll to my face please) so you can see that I'm not a lunatic, but a victim. If you want to have email correspondence so your account gets hacked or I have a USB drive I'd like to put in your computer; and you have fun figuring it out.

FigureitoutApril 4, 2014 12:06 PM

yesme
--I *do* want a new BIOS but have issues as to where and how I can securely flash it.

name.withheld.for.obvious.reasonsApril 4, 2014 1:53 PM

@ Nick P

I mentioned FPGA's mainly for their prototyping. Most better architectures I've seen were FPGA-proven before ASIC-proven. The reason I mentioned anti-fuse was that a solid FPGA can let you use your architecture in practice while you're preping the ASIC release.

Several development boards provide me with multiple classes of staged development environments--don't like to be more than one hop away from a hardware encapsulation logical layer. With the Sandia fab, what was the register mix as a percentage of the netlist(s)? Some FPGA devices have some strange LUT/CPLD allocation limits/specifications. And, I do use FPGA prototypes in most projects. It reduces test and verification cycles and makes building a robust design possible.

Most of what is problematic is the legal, operational, and supply chain environment and have had to go back and develop a new business and management model.

name.withheld.for.obvious.reasonsApril 4, 2014 3:55 PM

@ Nick P

All very good suggestions, except the java. Don't get me wrong. Sun had the model for Java just about right after the second release. The sandbox was operational and there weren't a lot of extensions to the AWT--then it just went to hell and a hand basket as features that others pushed for were included...it became a public toilet. I myself entertained/suggested a P-Code standard for use with NIDL to provide an object broker and dynamic services model for distributed computing in 1990. You brought a tear to my eye when you mentioned Nickolus Wirth--and Modulus 2 is not a bad choice and ranks between Smalltalk and Prolog.

Here is what I see as necessary for the design:

1.) No legacy architecture support (i.e. drivers) I/O security is issue.
2.) Simplified bus glue layer.
3.) MMU and DMA isolation layer (a physical interface, not internal to proc).
4.) ALU and CPU cores also as an isolated physical layer.
5.) Interrupt controller, inline, with programmable mode (more restrictive than current architectures), polling would be safer but another idea would be a hybrid--pooling on boot and reset and interrupt driven by function call (API).
6.) Memory tag and access violation hardware support (dma, bus, possibly spi) via snooping -- could use a dedicated/separate hardware core
7.) Secure boot--firmware could be socketed--a simple boot to first stage is linked logically to firmware.
8.) Robust and simple micro-kernel doesn't need to be RTOS but, a separation kernel is that supports a virtualization layer with hardware level monitoring of the context data
9.) Most components socketed
10.) Flexible bus stack backplane and attached bus, thinking VITA like
11.) Able to run dedicated applications, can work as a an application processor or a general purpose system. (Used in SOHO/SME routers and switches)
12.) A coherent IPC architecture, this requires some work as with these types of systems the use of DMA, MMU, and tagging is antithetical to a high performance inter-process communications component (in hardware. I've seen it done before.
13. A method to insure post boot is non-reentrant--i.e. the firmware has a mutated relationship to virtual memory (this is a challenge with multiple cores)

Not really comfortable with using the same architecture for the distribution layer (i.e. network) and other general purpose applications. Though if the development, fab, production, and API process is robust their may not be a reason to to take advantage of the re-use opportunity. All of this could be transparent to the analog processor(s), the primary reason for the analog system is to prevent inflow perversion and enable parallel hardware monitoring that is co-linear/equivalent but not equal.

Nick PApril 4, 2014 11:28 PM

@ name.withheld

"what was the register mix as a percentage of the netlist(s)? Some FPGA devices have some strange LUT/CPLD allocation limits/specifications."

The paper said 8,000 registers and 35,000 gates total. Not a hardware engineer so that's all I can give you. The FPGA *might* have been a Spartan 3 as most smaller designs I read about use them. It even seems like a bragging point to many of these designers: "Our design is so compact it can run in the cheapest, mainstream FPGA you can get. Beat that!"

"The sandbox was operational and there weren't a lot of extensions to the AWT--then it just went to hell and a hand basket as features that others pushed for were included..."

I wasn't going to push Java anymore, but then I saw that. I have to remind you that what you describe is the popular desktop/server Java, which is an atrocity. The Java processors tend to support a subset of it that's more low level and might not even do garbage collection. Many don't even support most of the Java libraries because they use features not supported by processor (and native code). SSP, in particular, is closer to embedded, real-time Java standards than anything else. JOP is for embedded, too. jHISC started that way, got upgraded every year and now claims to be ready for desktop/server. Don't have hard data on *that* upgrade, though. Point being, hate mainstream Java or not, the Java processors are targeted for a different type of it that you might not hate so much.

Or maybe you will. Who knows lol. (shrugs)

"You brought a tear to my eye when you mentioned Nickolus Wirth--and Modulus 2 is not a bad choice and ranks between Smalltalk and Prolog."

The guy was a genius. Modula has sadly died off for the most part. Yet, the Oberon systems and compilers were ported repeatedly. A2 Bluebottle is the latest, although I'd use AOS for a minimal system. There's even an IDE for a microcontroller now.

I'll briefly comment on your requirements.

" No legacy architecture support (i.e. drivers) I/O security is issue."

Yeah screw that stuff that only holds us back.

"3.) MMU and DMA isolation layer (a physical interface, not internal to proc).
4.) ALU and CPU cores also as an isolated physical layer."

The more protected they are, the better.

"6.) Memory tag and access violation hardware support (dma, bus, possibly spi) via snooping -- could use a dedicated/separate hardware core"

SAFE processor includes a tag management unit tied into the processor. So, the main chip works hand-in-hand with unit dedicated to checking tags. Says your idea is feasible. Also, typical approach with tagged processors is to go ahead and do the computation, but don't write it to memory/whatever unless tag unit says Ok. Boosts performance plenty.

"8.) Robust and simple micro-kernel doesn't need to be RTOS but, a separation kernel is that supports a virtualization layer with hardware level monitoring of the context data"

If you don't want to spend $$$, check out Fiasco.OC. It's the latest version of Dresden's L4 kernel with an object/capability focus. You could easily modify it to do things like periods processing. Might also negotiate a deal with market also rans like VxWorks MILS, LynxSecure, or PikeOS. GHS is dominating with INTEGRITY-178B, so I'm sure you could scheme a discount out of the others if your project will give them recognition.

"11.) Able to run dedicated applications, can work as a an application processor or a general purpose system. (Used in SOHO/SME routers and switches)"

Similar to one of my approaches so we're both on same page here. More versatile it is, the better ROI and higher chance of success.

"12.) A coherent IPC architecture, this requires some work as with these types of systems the use of DMA, MMU, and tagging is antithetical to a high performance inter-process communications component (in hardware. I've seen it done before."

I agree. It's tricky and very dependent on exact type of system so I can't help directly here. You have more experience in such things than me anyway. Although, the MIT Alewife machine I posted here in past was a DSM machine *with integrated message passing.* I wasn't sure if it would be important so I bookmarked it thinking it had tricks that might be useful later. Who knows, might get your creative juices going on this tough problem.

"13. A method to insure post boot is non-reentrant--i.e. the firmware has a mutated relationship to virtual memory (this is a challenge with multiple cores)"

Interesting.

"Not really comfortable with using the same architecture for the distribution layer (i.e. network) and other general purpose applications. Though if the development, fab, production, and API process is robust their may not be a reason to to take advantage of the re-use opportunity."

Do your architecture right, you can definitely reuse it. What would be different for sure is the programming model. I'd look at existing high-end network processors to see how they're doing things. Then, I'd see if I could implement a variant of that on a general-purpose machine. Of course, you could always design your general purpose chips to allow accelerator chips to be linked in.

name.withheld.for.obvious.reasonsApril 6, 2014 12:39 PM

@ Nick P

Do your architecture right, you can definitely reuse it. What would be different for sure is the programming model. I'd look at existing high-end network processors to see how they're doing things. Then, I'd see if I could implement a variant of that on a general-purpose machine. Of course, you could always design your general purpose chips to allow accelerator chips to be linked in.

Most high end network gear achieve performance by providing an asynchronous hardware architecture where ASIC/FPGA DSP's perform the I/O labor and GPU's used for the logical glue and transport functions. Haven't seen much variation from this approach. I am interested in a scatter/gather methodology--almost a radar sort of system--where the network transport functions are treated as detection side of the source beacon. There's some logic behind this and it has to do with heuristic modeling--adding some behavioral intelligence to traffic management. QoS just doesn't work, hysteresis becomes the limiting factor and is bound by the use of classes of traffic (functional) instead of the "behavioral" aspects of traffic. Which underpins another set of reasoning to moving is this direction. I met once with the head of GCHQ in 2004 and discussed a paper I'd written on intelligent networks--I had formalized network traffic analysis as functional and added a "behavioral" layer that performed shaping/management. The model is not simple and has a few intrinsic qualities that make implementation awkward--there is a logical distribution fabric that adds a bit of fragility. I knew this at the time of the design and felt I could also return to the problem once the overall architecture had been flushed out thus I could avoid adding too much complexity and making the concept more accessible. After reading my paper he asked if he could have a copy--I said no. At the time I didn't realize that England had a silicon fein.

Nick PApril 6, 2014 5:28 PM

@ name.withheld

"Most high end network gear achieve performance by providing an asynchronous hardware architecture where ASIC/FPGA DSP's perform the I/O labor and GPU's used for the logical glue and transport functions. "

Interesting. Check this one out. That was what I discovered when seeing what MIPS tech was up to lately. Those kind of specs and features used to only be in a SGI Origin or Onyx machine. Anyway, my takeaway from Cavium was that multiple MIPS cores with app accelerators and good IO fabric could handle plenty network processing. Several secure architectures also use RISC cores, with CHERI being 64-bit MIPS. So, a future homebrew network processor might use several of those combined with a high throughput IO system, open accelerator cores, and maybe FPGA logic on the side just for swappable accelerators.

" I am interested in a scatter/gather methodology--almost a radar sort of system--where the network transport functions are treated as detection side of the source beacon. There's some logic behind this and it has to do with heuristic modeling--adding some behavioral intelligence to traffic management. QoS just doesn't work, hysteresis becomes the limiting factor and is bound by the use of classes of traffic (functional) instead of the "behavioral" aspects of traffic. "

Interesting. I probably wouldn't understand the theory too much. Do post prototypes if you ever get them working, esp with comparisons to existing tech.

"After reading my paper he asked if he could have a copy--I said no. At the time I didn't realize that England had a silicon fein."

The *head* of GCHQ wanted your paper and you said No. Most surprising part of the story. Do you regret that?

AlanSApril 7, 2014 7:12 PM

@Skeptical

Why do you care "how many confirmed NSA backdoors" Nick P has seen when you yourself claim that NSA backdoors are everywhere?

Nick PApril 7, 2014 8:04 PM

Speaking of backdoors, I got curious about which companies evaluated their product's security under Common Criteria EAL1. It's the standard that says "Screw it, let's just give the attackers a blank check!" First one I found:

http://www.lancope.com/company-overview/press-releases/common-criteria/

Their quotes are quite hilarious when one understands what an EAL1 evaluation means vs others. I hope that they chose it just to get government sales without spending much on evaluation. Might also be a joke mocking CC. I was going to EAL1-evaluate an ultra-secure product for the latter reason, with a private (cost effective) evaluation determining real security. I also thought about getting a EAL1 cert for version 1, then EAL7 for version 2, and then claiming the largest increase in security by any vendor in history.

I don't know. I just think it's funny there's a bunch of vendors compliant with EAL1 talking about how secure they are. Many were data protection systems, too. Haha.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.