Friday Squid Blogging: New Squid Exhibit at the Monterey Bay Aquarium.

It's called "Tentacles."

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on April 25, 2014 at 4:17 PM • 108 Comments

Comments

JacobApril 25, 2014 6:41 PM

Does the FBI get envious of the NSA?

"..the (FBI) informant directed at least one hacker to extract vast amounts of data — from bank records to login information — from the government servers of a number of countries and upload it to a server monitored by the F.B.I., according to court statements.
The details of the 2012 episode have, until now, been kept largely a secret in closed sessions of a federal court in New York and heavily redacted documents. "

http://www.nytimes.com/2014/04/24/world/fbi-informant-is-tied-to-cyberattacks-abroad.html

FigureitoutApril 25, 2014 9:43 PM

Jacob
--Sounds like the NYtimes is rehashing an old story. That fat-lipped snitch caved to the FBI b/c he wasn't paranoid enough if you're hacking over the internet. It's why all you hackers out there, if you didn't know your friend from when you were kids and you couldn't trust him/her w/ your darkest secrets, you cannot trust them w/ your hacks. Shut your mouths on hacks and use them when appropriate; like snitches and agents. 0days by hackers in the wild is one of the last remaining checks to intel agencies capturing all of them; guard them w/ your lives.

AspieApril 25, 2014 11:42 PM

@Figureitout
A known tactic against hackers "Go on then, show me what you can do ..."
Many can't resist the chance to show how smart they are instead of getting value (not necessarily monetisation) from them. Perhaps it's a blessing sometimes.

Don't know if anyone has posted this, if so apols for the duplicate;
http://arstechnica.com/security/2014/04/covert-bitcoin-miner-found-stashed-in-malicious-google-play-apps/

Apparently Google didn't check the app thoroughly enough. People are pointing out that 'phones are way too underpowered for this kind of thing but it's still a free distributed computing grid.

AspieApril 25, 2014 11:59 PM

Oh, and this is quite interesting:

http://arstechnica.com/information-technology/2014/04/new-search-engine-points-way-to-buy-drugs-guns/

Looks like google, almost plays like it too. Prices quoted in BTC and the bitcoin price is given in 3 major currencies... er... I've been told.

Thinking on the 'phone app thing, it seems to me that they were either stupid or super greedy. The app should run when the 'phone is quiescent (say by time of day or by so many minutes after last activity) and should suspend the moment things get busy. If it just does little bits and bobs it needn't drain the battery or turn the 'phone into a hand-warmer. Perhaps it could also be used to launch mini DDOS attacks for short periods... I imagine.

As Conrad Brean would say "They just didn't think it through."

Clive RobinsonApril 26, 2014 2:22 AM

OFF Topic :

Over the past year this blog has directly or indirectly discussed the issue of mass data storage in the petabyte and above range by the likes of the NSA/Googel et al.

The assumption has been either millions of HDs or tape or some hybrid to find a cost sweet spot.

Well I like many others could be off the mark, have a read of,

http://storagemojo.com/2014/04/25/amazons-glacier-secret-bdxl/

In a number of respects it makes sense.

It also raises another issue we tend not to talk about, the big internet companies like Amazon / Facebook / Google are sufficiently large to get bleeding edge tech at little more than break even cost from large tech firms simply because they can pay to keep a fab line etc at break even operation with all other production being profit...

If two or more large companies buy the product then the manufacturer has no real need to go through the very expensive marketing process of the more normal sales channel aproach. Thus making anything upto a 90% saving on the first year expendature...

Clive RobinsonApril 26, 2014 2:46 AM

OFF Topic :

For those who have a "tinkerers" outlook on life...

Turn a Raspberry Pi into a smart phone...

http://www.davidhunt.ie/piphone-a-raspberry-pi-based-smartphone

From my own experiance at tinkering with GSM units it's not that hard to do the radio side (it's just like writing an extended modem interface using the old AT command set of which there is much C code available).

DBApril 26, 2014 3:00 AM

@ AlanS regarding magistrate revolt

eeeexcelente!

@ ismar regarding fake router patch

just goes to show, "security by obscurity" is no security at all... I'm unsure why it's so common for technical people to "not get" this... (i.e. their patch is trying to hide the flaw better by making it more obscure, rather than actually making it any more secure)

@ Diego regarding nsa humor

how does he manage to zing everyone at once? lol that's talent :)

DBApril 26, 2014 3:14 AM

Hey guys, stop buying drugs and guns at that site, you're getting me all watchlisted now... ;)

Clive RobinsonApril 26, 2014 3:27 AM

OFF Topic :

"Be afraid be very afraid" is a line from Douglas Adams "Hitchikers" books, which in an odd ball way show the havoc that technology can wage on the unsuspecting...

But thirty years later we have in our everyday lives technology that is so diverse that even specialists in the field cannot fully grasp the issues involved.

One such area that I used to be involved with is Medical Electronics be it implanted (pace maker etc), worn/carried (pumps and infusors), diagnostic or record keeping it's all got a microchip or two embeded in it and some kind of communications interface. Often as not in newer equipment it's a radio based standard communications interface working in the ISM band(s), such as WiFi or Bluetooth which your Smartphone Pad or Laptop can talk to directly or indirectly.

As a person about to have such electronics connected to you, you would presume that it had been tested and was safe and secure to use...

No chance it's nearly all vulnerable to simple attacks a scriptkiddy could put together or is taught in Cracking101.

Wired has an article that you should read if you are about to go into hospital,

http://www.wired.com/2014/04/hospital-equipment-vulnerable/

And hopefully Douglas Adams words will not be aplicable for your visit...

PaulApril 26, 2014 9:57 AM

Netcraft's last couple of newsletters have talked about certificate revocation in light of HeartBleed. They are a good read to understand the mechanics (and huge gaps) in CRL and OCSP revocation processes.

This morning's post talks about sites that were vulnerable and have replaced their SSL certificates, but have not yet REVOKED their old, vulnerable certs.

Specifically mentioned on the list is this blog.
http://toolbar.netcraft.com/site_report?url=https://www.schneier.com

Posts can be found here:
http://news.netcraft.com/archives/category/security/

CallMeLateForSupperApril 26, 2014 9:59 AM

The Wired article Clive brought to our attention above - about the security of networked hospital equipment - claimed my rapt attention yesterday. Cognitive dissonance!

In another life I worked around ventilators, pumps, anesthesia carts....serious, life-sustaining hardware. That was many years ago, long before PCs and even Token-Ring, and nothing was networked. If you wanted to alter dosage, change mixture or volume rate, you bloody well had to *be*there* and *turn* knobs or write on a (paper!) chart; you could not do it while polishing your pants in a remote location. So there were speed bumps in the process, perhaps a PITA for caregivers but some margin of safety for the patient.

Today, it seems, those speed bumps are rapidly disappearing. As Clive put it, the serious, life-sustaining hardware is "vulnerable to simple attacks a scriptkiddy could put together or is taught in Cracking101." We could argue the utility of networking that hardware in the first place; I suspect it is quite unnecessary. But what is not arguable is that, generally speaking, security too often is poorly designed and bolted on instead of built in. We see it with game controllers, mobile phones, TVs, cars. Refrigerators! So sure, why not medical devices as well?

Gotta run. I'm having elective surgery to change my planet of origin

name.withheld.for.obvious.reasonsApril 26, 2014 11:57 AM

@ Clive Robinson

From my own experiance at tinkering with GSM units it's not that hard to do the radio side

Don't get me started, I tore down a Qualcomm (no matter the OEM, the chipset supplier is Qualcomm) and discovered that it was a piece of junk. The management interface is an AJAX based platform that provides the control and management layer. My immediate thought was how much fun could be had just doing client-side injections and other forms of systems engineering fun. Some of the code comments revealed a serious lack of professional level engineering. Also, the feeling of disappoint about the quality of the device was not to be outmatched by the lack of technical expertise and responsiveness of support personal.

I'd performed a radio audit and spectral analysis of the platform in an attempt to resolve a station hand-off problem (the site is located in an RF shadow of a tower that is approximately 1/4 of a linear mile and nearly two miles from a line of site tower). The transceiver, a 3G/4G Qualcomm device, constant renegotiates the connection between the two towers in base-band availability. The far tower supports the providers network and the near supports a higher base-band transmission frequency/protocol. Thus making my experience with the provider a truly fruitless endeavor. My resolution, drop my provider and select the service/device that would allow me to connect at higher than RXTT level speeds (150kbps). Also shot a video with spectrum analyzer live to demonstrate the issue but have yet to post it to YouTube.

To summarize: one month (calender, not staff) of troubleshooting, 10 hours on the phone walking technical support personnel through the difference between diagnostic logging and signals measurement and the combination thereof. Four different devices (three torn down, one in service), external hi-gain antenna, and two service providers, and four hundred dollars later resulted in nominal operations.

The industry is crap. To top it off, my taxes pay the NSA AND MY SERVICE PROVIDER AT&T to spy on me and I pay AT&T to provide the NSA access to my data, content, and transactions. When is it my turn to the the screws on executive management. It's not like I can choose a competitor to opt out if I don't like the service. A.) Verizon does the same thing, B.) Due to the way licensing and peering agreements work othe providers are not a choice due to the "behavior" I described above. I need to go Rambo on these idiots.

AndrewApril 26, 2014 12:21 PM

"The industry is crap. To top it off, my taxes pay the NSA AND MY SERVICE PROVIDER AT&T to spy on me and I pay AT&T to provide the NSA access to my data, content, and transactions"

We also pay for phones, operating systems, internet providers, routers and computers to make these "beautiful" things possible.

Directed ThreadingApril 26, 2014 12:37 PM

@ Clive Robinson

RE: Sliding Window CPU design

That type of architecture can be generalized further by allowing the program counter to decrement or increment depending on the type of instruction used to to call a subroutine.

Byte codes of subroutines can then be laid out back to back to share the same NEXT token at the end of the subroutines. One subroutine increments from token to token, and the other one decrements, walking the tokens back to the shared NEXT token.

This saves a byte of program space and may be useful for reusing cells in the addressing/literal memory window as well.

Since this a compile time optimization, there would be no runtime penalty. The compiler could figure out the best memory packing and calling configuration to maximize code density.

Directed threading can be further extended to change the size of the increment between tokens to produce an n-dimensional layout like a crossword puzzle, with the step size encoded in the call instruction to subroutines.

Thank you for that interesting article!

FigureitoutApril 26, 2014 1:12 PM

Aspie
--Good to hear from you. Yeah me and my dad got in an argument (must've been the homebrewed cider :p ), where I said it's likely his computer is infected b/c mine has been completely commandeered and our modem got owned the day of installation; even after cutting cables. He blew up and started egging me on to hack him and get a file from his computer remotely; he wouldn't listen when I said it wasn't me. Not happening w/ my methods when a triangle of agents are w/in 500 ft. of me, more further off and unknown extent of devices installed in my home and all IP packets being logged. Also not happening "on command" by my dad let alone some blowhard on the internet. He now likes to joke in the morning, "Hack me yet? I'm waiting." and have a good laugh. I don't think he'll be amused when I'm laughing.

RE: The sketch search engine
--I was glad when Bitmessage stopped their "open market" feature, getting all these sketch-ass adverts for drugs, guns, and "other services" was really annoying. Talk about a honey pot?! Anyone immediately trying to sell you drugs w/out knowing them is not someone to do business w/. Eventually the goods get delivered via like Fedex and you need some well thought out protocol to anonymously retrieve them and brush off the risk to someone else. Regardless, if the service is being written about on Ars Technica then you're damn sure it's riddled w/ agents. I've had my fun there, so I guess younger kids need to find out for themselves; I guarantee some will come up w/ some insane protocols and OPSEC as they are presented w/ even stronger police presence.

FigureitoutApril 26, 2014 1:50 PM

Clive Robinson RE: PiPhone
--It made hackaday today. While cool, I'd really prefer a better protocol than GSM, something like a winlink system for storing small messages, and maybe not a touch screen which will eat battery and it sounds like there heat problems w/ the current design. Admittedly not an easy project at all someone can just whip up. This is still neat of course.

Mike FossApril 26, 2014 3:04 PM

I just read an article in Ars Technica about Stanford's new password policy. In a nutshell, they increase the restrictions on your password (use numbers, special characters) if it is of a short length, but they gradually reduce these restrictions as you choose a longer password. There are no restrictions if your password is at least 20 characters.

This looks like a great step in the right direction. What do you think?

http://arstechnica.com/security/2014/04/stanfords-password-policy-shuns-one-size-fits-all-security/

JudassApril 26, 2014 4:28 PM

Two interesting stories from Israel. First is a news article in Israel's largest newspaper, Yedioth, about the new "cyberwarfare police department" that got in the spotlight recently due to a senior police officer that was killed by a palestinian gunman near hebron (this is screenshots of the hebrew ipad version of the article posted by the Israeli internet privacy activist Halemo):
http://halemo.net/tmp/cyber/ipad.php

One interesting part of the article is an interview with senior official in the Israeli justice department, Dr. Chaim Wismonsky, that says they have extraodinary technological weapons to collect evidence against criminals, but they usually do not present them to court in order to keep them secrets, and they would even prefer to abandon the case then to expose them. And we are talking about regular police work, not security services. The reporter doesn't do his job and doesn't whether they try to introduce those presumably illegal means through the backdoor like the famous DEA case, I.E, using illegal wiretaps to "accidantally" collect admissible evidence without ever needing to explain how they originally knew where to search this evidence.

Another even more interesting article was published in Israel's third largest news website, Mako, about the secret cyber unit of the notorious Shin Bet/Shabak/GSS/ISA (you can read it with google translate):
www.mako.co.il/news-military/security/Article-3798d4004389541004.htm

In one particular passage, an officer in the unit says they have installed devices on all the "main internet junctions" and all three fiber optic cables that connects Israel to the internet. He says those devices are used to monitor "anomalies" and warn the Shin Bet about incoming foreign cyber attacks, but it's clear from his words that the Shin Bet has permanent direct access to the entire internet data flow in Israel. Again the reporter didn't do his job and didn't ask whether they, like the NSA, actually record and store the entire internet traffic, but it is hard to think otherwise. And of course he doesn't ask whether data collected this way can be transferred to other parts of the government.

Howether there is problematic history in Israel with regard to this. Whe have on record the former Shin Bet chief Avi Dichter says in a conference two years ago that they used illegally special Shin Bet collection sigint practices to help the police solves crime under the false pretense, and he says they knew back then that it was false, that the crime was a terrorist act:
www.calcalist.co.il/local/articles/0,7340,L-3564040,00.html

Incredibly, in both articles the word Snowden doesn't appear, and it's not that the story wasn't reported massively in Israel. Perhaps the Spokesmen from the government that arranged those interviews has explicitly forbade it in advance.

Nick PApril 26, 2014 6:29 PM

@ Clive Robinson

Thanks for bringing it to my attention. It's a clever modification. I think the technique might have undiscovered applications in control flow integrity or capability machines.

Nick PApril 26, 2014 8:56 PM

@ Judass

Interesting stories. It doesn't surprise me in the slightest that Israel is doing something similar to NSA. U.S. gave Israel plenty of funding and military tech. Their engineers develop plenty of stuff on their own. Their spy agencies steal plenty of stuff from all sorts of people, the U.S. included. They even have a domestic chip fab to produce their covert goods. So, that's the backdrop.

What of the technology? Tapping communications links? Using malware against vulnerable middle or end points? Traffic analysis? These are all really old techniques. If anything, we've just seen a massive amount of effort putting them into practice. If U.S. is doing it, one can be sure Israel is doing it as their intelligence services have consistently had more leeway than ours. So, I've assumed Israel is doing it. It's nice to have confirmation.

I also find it unsurprising that the reporter isn't pressing them. The assassination where around twenty Israeli agents got busted shows that they're not fearful of throwing a bunch of resources against one target *on camera*. I can only imagine what they'd do to someone considered a threat to capabilities as important as these. That a bunch of countries do something like it is already known thanks to Snowden and others. They might allow that revelation about Israel as well. Past a certain point, I'd imagine the person digging for dirt might have... an unfortunate accident. ;)

BuckApril 26, 2014 9:37 PM

Yes, of course media degrades and formats become obsolete... If the data has not been transferred by that time, it will be lost.

Unfortunately, I suspect that this data loss happens far more frequently to that neglected work or pet-project that never quite made it to fruition vs. the metadata & dynamic selectors that so intricately document our daily lives and provide insight into the major life-decisions that lead us down our own personal paths... :-\

AnnoyedApril 26, 2014 11:10 PM

Looking for opinions: Is Sandboxie still trustworthy?

For those who don't know, Sandboxie is software that lets you run programs "sandboxed" such that it is difficult for them to damage your system.

Last year they were bought by a company called Invincea which is a contractor for the DoD (as seen on their employment page: Director of Sales - DoD).

Given that Sandboxie is closed-source and installs a system driver, would you consider it untrustworthy with all that we know about the NSA's hunger for unfettered access to the public's machines?

In one forum post, a person from Invincea said:

There isn't much point in denying that we work for/with the NSA. If we did work for them, we would have to deny it -- so the denials would be identical.

Sounds like a logical yet cryptic answer.

DBApril 27, 2014 2:08 AM

@ Annoyed

That is the most honest answer I've seen from any company in the past 10 months!

Frankly I wouldn't trust them unless they made their source open, and even then it would only go up slightly, never to a full absolute 100%.

Not trusting something doesn't mean I don't use it though, sometimes there's no better alternative. You gotta use what you gotta use.

DBApril 27, 2014 2:11 AM

Although in this case, there may be a really good better alternative: an old spare machine.

Wesley ParishApril 27, 2014 2:19 AM

@Judass

Doesn't surprise me at all. Only problem I see is that when "anti-Semitism" is defined by the Israeli government and the likes of AIPAC as "being in disagreement (polite as well as vehement) with the current Israeli government's current policies (mostly towards the Palestinians)", what definition of "terrorist" do they use?

Of course the death threats issued towards Gush Shalom's founder Uri Avneri a few years ago, don't count as terrorism ... the carte blanche issued to the fanatical West Bank settlers to destroy Palestinian liveliehoods and homes, doesn't count as terrorism ... ditto for the carte blanche issued to IDF in the West Bank to randomly harrass and kill Palestinians at will ... (sounds terribly like Jews under the Tsar in Odessa and the Pale when the Black Hundreds were gathering force ... )

PetrobrasApril 27, 2014 3:28 AM

@ Clive Robinson "http://www.fpgarelated.com/showarticle/44.php Firstly is the twist on CPU design, second is the very short interpreter the author uses to prototype."

To summarize for those not having the time to read these four long pages: StrangeCPU has 255 chunks of 32-bit binary instruction that are called by a chunk of 8-bit binary instruction. The 256-th chunk always means return. At each call to another chunk of 8-bits binary instructions, the set of 255 chunks are changed (and the previous set possibly remains in cached memory). The compiler choses carefully these 255 chunks when compiling code.

StrangeCPU needs only one cycle per instruction, and can be simply implemented by transistors or FPGA.

@Directed Threading: " That type of architecture can be generalized further by allowing the program counter to decrement or increment depending on the type of instruction used to to call a subroutine."

NO: this complicates binary auditing. We do not need that.

JudassApril 27, 2014 4:47 AM

@Nick, I don't think the reporters were intimidated. Generally speaking, the media elite is very strong in Israel, perhaps even stronger then the defense elite. We had a Snowden-like leak named Anat Kam few years back that the supreme court reduced her sentence to 3 years, and she's just got out of jail as a mini-celebrity and a promising journalistic carear ahead of her.

The problem is that the military correspontents are very close to the military, they are usually former military officers, and the military "background talks" are their main source of journalistic info. Few years ago during the Galant/Harpaz scandal when the IDF's chief of staff's office recordings were exposed, everyone heard how the number 1 military correspondent Ronnie Daniel (a former colonel in the IDF) from Channel 2 spoke with the chief of staff like a best friend and promised him to mention all his talking point on TV.

So basically I think that the military correspondents won't ask about this, and other reporters who would gladly ask just don't have the access. Of course, there is also military censorship in Israel, but in recent years every major censored story, like the Ben Zigyer afair, was quickly leaked by the Israel media to foreign Websites like Richard Silverstein's, so if there was a gag on a story like Snowden's it would have definitely been leaked, IMHO.

And of course, yes, the Israeli public is less concerned about these things, even thought there is no distinction in the Israeli law (AFAIK, b/c there is a secret chapter in the Shib Bet law) between domestic and foreing citizens, which means that if the Shin Bet wiretaps the entire net traffic then it would include everything with no legal restrictions nationality-based (except American perhaps per the NSA-8200 treaty). It might be attributed to the recent second Intifada during which presumably the Shin Bet used net traffic analysis heavily in order to stop suicide bombers (the entire Palestinian internet access is done through Israel, it's important fact), and even today after the Intifada has ended, the legal means to do those wiretaps were probably never revoked.

PetrobrasApril 27, 2014 4:58 AM

Two corrections:
1) The "chunks of 32-bit binary instructions" are either branchless or a single
call to another chunk of 8-bits binary is done in another mode.
2) All numbers in my post can be changed, although there are (documented) constraints.

Room ServiceApril 27, 2014 6:04 AM

@ All Greybeards

Questions about BIOS passwords:

1. Can the Evil Maid next door defeat a BIOS password by reflashing the BIOS? Admittedly it wouldn't be a secret that she had done this.

2. Is the BIOS password stored in clear text or hashed? Is it possible to read the ROM to get the information?

3. If the BIOS password is hashed would the hashed BIOS password help the Evil Maid?

4. If the Evil Maid opens up the computer can said Evil Maid temporarily swap in a chip to use own BIOS to get into computer?

Thanks,

Rooom Service

hermanApril 27, 2014 7:05 AM

Geez. That ostrich post above sounds like it is related to a transmission from a numbers station.

FigureitoutApril 27, 2014 9:30 AM

Room Service
--First off even though I just shaved and don't wear hats, we're fedora-wearing neckbeards (M'lady).

1: Yes (you can test this very simply for yourself), she better wear gloves, not let one of her hairs fall out and detect other sensors though. While not end all, locks and strong cases can slow this down a lot.
2: Depends on BIOS, I'm sure it's possible to read ROM's.
3: Yes, check out http://bios-pw.org/
4: Part of my ongoing investigations on how someone would do that, and where w/ what tools. A benefit of diversity would mean she would need to research the architecture, unless she gets all that info from (il)legally compelling all vendors; she would be one evil bitch then. Slightly OT, but when my dad was working on DirecTV, the gov't needed entire backdoor access to the service and encryption from Israel b/c it was believed foreign agents would use the encrypted sat comms to rely info back to home base. So they could read all data and also get free service (I'm sure the backdoor never "slipped" into the wild).

Check out this site too: http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html

DBApril 27, 2014 10:27 AM

@ Room Service

Generally speaking, physical access gets you FULL access to any computer data on any computer if you know the technical details of how to do it. BIOSes usually don't contain the kind of logic necessary to limit that, and the passwords are easily defeated by someone who knows how. For example, most desktop motherboards actually contain a jumper to simply reset the BIOS back to factory default. For another example, you could always take out the hard drive and put it in another computer to access all the data on it.

One notable exception to this general state of things.... is TrueCrypt disk encryption! That protects your computer data way better than any simple BIOS password would.

AnonyApril 27, 2014 11:28 AM

Physical security: Try Deviant Ollam's lockpicking talks at Defcon. You'll never look at physical security the same way again...

https://www.google.com/#q=youtube+deviant+ollam+lockpicking+defcon

Is the BIOS password stored in clear text or hashed? Is it possible to read the ROM to get the information?

Back in the day, about 20 years ago, with Sun Solaris on Sparcs, I used to cat /dev/eeprom and read the hardware password in plaintext. Much to the amusement of my colleagues, if not our local sysadmin.

Room ServiceApril 27, 2014 11:36 AM

@ Figureitout, DB, Anony

Thanks for the information. I was curious about the use of a BIOS password because it would allow you to prevent automatic booting from ODD or ext USB by setting the boot order and then locking access to BIOS to reset the boot order. But from what you're saying, this is only going to stop the rank amateur. As for FDE, yes that's the only plausible defense, and even then no one is 1000% sure.

Will that be champagne & caviar?

Rooom Service

FigureitoutApril 27, 2014 12:25 PM

DB
--Yep yep, Room Service I misread your 1st question, this has been talked about on the blog before, probably some people here are the ones actually coding the BIOSes, if Nick P chimes in he'll mention IOMMU (not sure how that works yet or used it) but what I'm interested in is somehow reading data touching the pins of the chips or some random looking test points in the PCB or test pins that just spill their guts; bypassing all security.

Yeah the BIOS PW stopped me at my school, as well as locks so I can't get at the motherboard jumpers and personnel peeping in every lab (but patterns have of course emerged w/ each staff, which ones are lazy, which are *very* diligent). I want to see the logging software but I'm not 100% what already is on it, and of course I risk getting kicked out. I want to do it b/c I suspect a massive infection in our school network. I found one mis-configured computer where I got in (looked like I wasn't the first) but it's gone now before I could search more (was perfect location too...); looking for more...

In the case of the evil maid, they need to know what type of computer you have (remote fingerprinting) and they need to be quick for it to be an attack that's actually worrisome. I intend to defend against it by carrying my computer w/ me at all times, using older protocols and chips, and obscure languages; just need a non-infected system worth protecting first lol.

Someone summed it up best though w/: "There is no limit to the what can be done to a physically-molested computer."

Jacob
--Ridiculous hackers were breaking DirecTV all the time, upgrade the encryption and soon enough broken again. It was back-and-forth and always a concern; old news but a funny story, the hackers really pissed them off lol:

http://slashdot.org/story/01/01/25/1343218/DirecTVs-Secret-War-On-Hackers

Nick PApril 27, 2014 1:00 PM

@ Judass

Thanks for the extra input. So, in short, it's a form of self-censorship is it? We *extensively* have that problem in the United States albeit for different reasons.

Mike the goatApril 27, 2014 1:38 PM

Figureitout: slightly unrelated but you reminded me of a situation I had yesterday when decommissioning one of my laptops. The laptop had FDE and the BIOS was locked down with a password to prevent the honest people from breaking in. In addition to the FDE an ATA password was set. Layering.. It is smart practice. Anyway, whip out the HDD, and put in a clean one before selling it on ... And do you think I could remember the BIOS pwd? Grenier's excellent cmospwd didn't work... Finally after stripping the laptop to reset the CMOS the old fashioned way didn't work I eventually worked out a way to flash a new BIOS image which cleared the password. no JTAG pins or anything so I guess you are at the mercy of your vendor's tech support if you do this. If this had have been a regularly used (say a boot password) pwd it wouldn't have been forgotten. Sh$t happens to the best of us.

AdjuvantApril 27, 2014 7:40 PM

OFF TOPIC:
Here's a very interesting piece I just stumbled upon. From the developer of the SpaceFM file manager (who claims to be a Cypherpunk from way back), some startling reflections on what he perceives as the ongoing undermining of Linux by Red Hat et al.

The more-current item by the same author that brought his blog to my attention was an article entitled "Julian Assange: Debian Is Owned By The NSA", summarizing Julian Assange's recent pronouncements. Confusion over lexical ambiguity of "owned" in the title led to a minor kerfluffle and forced Wikileaks to issue a clarification of Assange's meaning.

The article that really grabbed me, though, is the following:

https://igurublog.wordpress.com/2014/02/17/biography-of-a-cypherpunk-and-how-cryptography-affects-your-life/

A tiny excerpt:
"One of the first and foremost principles is honesty. It’s time to start telling the truth about what’s happening in Linux, despite all the paid disruptors interfering in such discussions. Many Linux users and developers operate from myths that are simply no longer true, and really never were. Linux is a government, military product, right down to its core. There’s a start to truth-telling for you."

He also brings in, as support, Poul-Heening Kamp's satirical keynote from FOSDEM 2014 on NSA's "Operation ORCHESTRA" and, in another recent post, he cites Theodore Ts'o's recent discontents vis-a-vis systemd,

Sad to say, this sort of analysis no longer smacks of paranoia.

FigureitoutApril 28, 2014 12:18 AM

Mike the goat
to prevent the honest people from breaking in.
--Ha...aha...aha...Hmm that's weird the most reliable way didn't work. Doesn't even have to be JTAG though, even on something simple like a remote control, there's test points where pins can be soldered in; on a motherboard they're everywhere. Regardless you got it to work lol; I finally got OpenBSD installed on my infected little mystery pc, the ethernet port wasn't working to get the kernel/comp/etc! And it didn't have the drivers for the wifi dongles that just work booting live of Kali on an admittedly way more modern pc. So I had to get the files from my infected laptop and put them on a flash drive, then the path was simply the folder name! Gah! Euphoric when that finally worked and had some scare moments like always lol. Got some interesting info from the infected flash drive I'm using too, seeing if it infects OpenBSD too.

Adjuvant
--Nice links. The guy's right about being an "ignorant guru", unfortunately that's the current reality of computing systems but I don't agree w/ it.

He had some sentiments I share, I even for a while tried to put them into motion (not well enough, but I wasn't going to settle for fake change); and ultimately failed b/c taking on Washington DC as it stands today and changing *ALL* current politicians would bring on a terrorist investigation into you. If you don't believe me then be brave and test it yourself. Here's the political quote:

Ask yourself why we need elected representatives (vastly overpaid, corrupt lawyers) deciding the laws that control our societies? Why can we not simply micro-vote on each issue ourselves? We cannot do this because we are not allowed to, and the technology that could easily make it happen is suppressed. If the current electronically corrupt voting systems were replaced and recreated, many old tricks wouldn’t work. It is simply ridiculous that we have legal representatives in their current form – it is a total failure to use cryptography effectively.

We don't need them as they are worthless. They simply tell others to do work; I had a hard time even getting work that wasn't trivial stupid sh*t in my gov't time. The system can be run more efficiently w/o them; this means in people's free time we can't be playing games and be lazy. This means a big reduction in Federal power and a return to local and state power; the US will become more like a Europe (as I predict) where people are actually active in their community and it's healthy and strong and held together w/ mutual benefits. That's the dream at least, putting it into practice now...you're going to be a terrorist according to billionaires pulling the strings of sold out and butt-kissing people. While it feels nice to rant and fantasize, the situation is so out of control now, that frankly the final step is a revolution. I say this as I have nothing to lose really. I'm not going thru proxies, track me all you want, I don't care. By revolution I mean w/ guns shooting and people dying; I'd probably get a bullet to the head. It'll eventually happen as more young people see their future is bleak w/ no money and old rich people doing jack sh*t just get richer. Either this or the country collapses in on itself as all the immigrants doing the dirty work keeping this country afloat simply stop; no one willing to work for below slave wages will mean infrastructures shutting down, no one to butcher meat, clean the sewers, take out the garbage. Nice future as what really matters is the ability for the human race to escape planet Earth if imminent extinction is seen.

Back from politics and into tech again b/c real security doesn't obey human laws, it obeys laws of physics. As I'm working on building my own PC, I knew it was going to be hard (especially w/ an agent element to it), but I don't want it to turn into some hackash*t out of control machine I can't elegantly explain. At the same time I want basic file storage, read, write, compile capabilities; not just blinking LEDs giving me binary data (that's too extreme to be useful). At the same time I need to just build it and put it as a notch in my belt; and accept a deeper layer that I don't understand at all yet. It doesn't click yet for me, the path from power coming in, powering up memory that can then send a bunch of pulses on my screen; it's extremely frustrating as it isn't clicking, the patterns. How does transistors read other transistors? Where does the computation come from?! How does it happen, down to the electron level? It's these fundamentals that don't fully click yet for me and that's wrong and scary. I'm guilty of this but we need to start actually appreciating what all is happening in computing; and not expect too much gooey (GUI). Simplify and cut the crud in our computers! More education and more clean designs, even more than we have now. We need quality from the start, striving for ultimate quality and cleanliness.

DBApril 28, 2014 1:32 AM

@ Figureitout

Rather than "striving for ultimate quality and cleanliness" how about just "striving for better than what I had before"... It might be a more easily reachable goal. Then once you get there, set another goal to improve again in another iteration. And so on. This builds momentum, and forward movement, and helps the human brain feel good too :)

That's what I do with my computing experiments. I only seek to improve it a little at a time, not bite off more than I can chew at a time.

FigureitoutApril 28, 2014 1:59 AM

DB
--B/c I'm hungry and impatient. Want it now and start running tests. And I have pure sh*t right now, all mostly the same architectures. Not trying to do x86 ASM right now. But yeah you're right...it's the realistic way. I just don't want an infection to persist across the stepping stones; it'd be a nightmare for some hidden infection that continues to remotely shutdown my pc, alter files, alter service; even in a small attack surface (supposedly...). Don't have any baseline of trust and that's the root of my issues right now.

DBApril 28, 2014 3:23 AM

@ Figureitout

Some iterations are total new machine builds from scratch, in a newer better way... those are the ones that have less chance of "infection to persist across the stepping stones"... but it's still multiple steps, I'm still learning one thing at a time, or at least very few things at a time. This way is easier to localize the source of any new problems too.

EvanApril 28, 2014 6:48 AM

@Figureitout

This means a big reduction in Federal power and a return to local and state power; the US will become more like a Europe (as I predict) where people are actually active in their community and it's healthy and strong and held together w/ mutual benefits.

Ahahahaha. Hardly. European politics are a mess from a governance standpoint; the relative weakness of the EU compared to state governments is largely due to conservatism and intransparence at the level of national government, not effective because the polity is constituted effectively. And for the most part, national, regional, and local governments (where they exist) care less about the interests and welfare of the people and more about the perpetuation of elected officials + bureaucrats as a joined socio-political class. Party-centric electoral systems mean you can't obtain a stake in the political system without subscribing to that logic.

Switzerland is an exception, although that system has its own problems, and to a lesser extent the Nordic countries are as well, but it works there because these countries have a long tradition of individualistic cooperation.

AdjuvantApril 28, 2014 7:12 AM

I'm a total outsider, but I will be so bold as to call things as I see them. Reviewing the Debian mailing lists re: their recent init vote, I've got a terrible gut feeling, as though I've witnessed a coup. The drama here:
https://lists.debian.org/debian-ctte/2014/02/maillist.html

And culminating:
"Four people decided the fate of debian with systemd. Bad faith likely"

Finally, a post that I think says it all:
systemd and Linux are *fundamentally incompatible* -> and I can prove it
"There is no boundary where systemd stops and linux begins."
"They will keep on absorbing pieces of linux until systemd is the entire
operating system -> and there is no coherent design to how it does / should
work."

"IgnorantGuru" and the commenters on his blog lay out a far more eloquent case than the mailing list denizens, and I'd recommend reviewing the links above as well.

I thought I'd bring this to the notice of anyone who might be interested and in a position to have some influence or offer some perspective. This is a matter of immediate practical importance, and seems to be almost entirely off the radar and in need of greater exposure. There's been talk of a General Resolution to override the tiny committee that drove this decision, but for whatever reason this action not appear to have materialized. Here's hoping it does go forward to a vote. Meanwhile, as an outsider, I've got a LOT of catching up to do.

kronosApril 28, 2014 8:35 AM

@ Figureitout: Yeah the BIOS PW stopped me at my school, ...

Back in the early days of Windows there was no real security to anyone who had physical access to your computer. I had a problem with my office PC (a Compaq if I remember correctly) and suspected someone with a key to my office was booting it up and trying to use it to play games when I was not in the office.

First I wrote a simple program named MEMTEST.EXE (to hide it in plain sight in the AUTOEXEC.BAT file) that simply wrote the time and date to a file and if the file existed it appended the new data at the end. After several weeks I noticed a few entries after I had left work for the day and on a Saturday when I was off. Then I knew when the miscreants were doing their work.

I removed the screws from the back of the PC case and every time I left I would power it off, slide the case open and unplug the power to the hard drive an then slide the case back on.

The very next week a junior manager who happened to have a master key to the building asked me what was wrong with my PC. Bingo! I took my evidence to upper manager and they discovered from phone logs that the junior manager was using my office to make long-distance phone calls while messing with my computer.

kronosApril 28, 2014 8:46 AM

@ Figureitout: This means a big reduction in Federal power and a return to local and state power...

While I would stand by and applaud wildly should there be a major U.S. power shift from the federal government to the states (or to the people), it just isn't going to happen. The 10th Amendment has been dead for quite some time and the feds have been sucking power into DC with ever increasing speed. It doesn't matter very much if the White House is occupied by an R or a D. ;(

Thomas_HApril 28, 2014 10:20 AM

@ Mike the Goat:

Current Apple Mac firmware passwords appear to work the same way. The password is a four to six digit number (although you can type in more characters/numbers, which may brick the machine) that can only be reset if you know the password, using a Raspberry Pi-based tool that tries all passwords one by one, or by Apple reflashing the firmware. The latter works by pressing a special keyboard combination at the firmware password screen, which shows a key. This is sent to a special Apple team, who then match it to the machine's tech specs (possibly using MAC-number), run some cryptographic algorithm, and send the tech working a file that is put on a specially-formatted USB stick, which is used to reflash the firmware to unlock the machine. There also seems to be a bug that can cause a machine to set its own firmware password when a harddisk is erased and Mac OS X is reinstalled (the existence of which Apple denies).

name.withheld.for.obvious.reasonsApril 28, 2014 12:22 PM

I believe the current malaise that is part of the political process in the United States of America, Kermit the frog has proved it useful in helping develop a definition for the major problems in the United States:
...
...
...
It's not easy being "STUPID"!

Shawn SmithApril 28, 2014 3:07 PM

I get very nervous when I hear people talking seriously about "States Rights" and 10th Amendment absolutists. As an atheist, I would definitely be relegated to 2nd class citizen status, as there are not an insignificant number of states that have laws on the books (currently unenforceable but still there) saying that I would (and should) not be allowed to sit on juries, be employed by the state, or receive any state benefits, like unemployment insurance, Medicaid support, etc. How many states would go back to making homosexuality illegal? How many would pass "personhood" laws that would make not only abortion illegal, but most forms of birth control, and turn 30% - 50% of all menses after sex into crime scenes? How many would impose selectively enforced extreme prerequisites to vote? It seems like the people most vociferously arguing for States Rights support those kinds of laws.

Just because a government controls a smaller geographic area does not necessarily mean that it will be any less authoritarian. I would point to some homeowner associations as an extreme example of extremely local but completely out of control governing bodies. The only advantage that smaller areas would provide is a possibly easier ability to move away, or a somewhat greater chance to change the government more to your liking.

Nick PApril 28, 2014 6:47 PM

Interesting paper on hardware assurance and covert channels.

Sapper: A language for provable hardware policy enforcement
http://www.cs.ucsb.edu/~benh/research/papers/li13sapper.pdf

"We described Sapper, a language for creating critical hardware components that have provably secure information flow. Most systems that enforce information flow policies place the hardware microarchitecture within the trusted computing base, and also assume that the observable behavior of that microarchitecture is fully and correctly documented. However, the reality is that this behavior is incompletely (and sometimes incorrectly) specified, and that the microarchitecture itself often contains implementation bugs. This fact means that all such systems are vulnerable to attack by exploiting undocumented or buggy hardware features. Sapper addresses this problem by enabling flexible and efficient hardware design that is provably secure with respect to a given information flow policy. Sapper uses a hybrid approach that leverages unique language features and static analysis to determine a set of dynamic checks that are automatically inserted into the hardware design. These checks are provably sufficient to guarantee that the resulting hardware prevents all explicit, implicit, and timing channels even if the hardware is otherwise buggy or poorly documented."

FigureitoutApril 28, 2014 11:50 PM

DB
--Yes, but you can't use any hardware you're currently using touch it at all. And if it's going to be an internet device, none of your accounts can touch it either. So how do you install security software from the internet that hasn't touched an older known compromised machine? It's just annoying, need a new router, new ISP, new location. You have to plan all this out, configure the machine then put it in storage in case of still compromise so no benefit to attackers.

Evan
--I base my prediction on who eventually conquered America, where the people came from. Long term.

kronos
--Haha, that's great. Glad you caught the f*cker. I know it won't happen *tomorrow*, more likely another financial collapse like 2008 first. I'm done caring about the joke of our political system though, just stating a very awkward and harsh truth (probably one of the most awkward); no need to waste any more brain RAM trying say it nicely, it's ugly. Turns out electronics are way more fun and the people are more fun to work w/. :)

Shawn Smith
--I'm guilty of generalizing sometimes w/ my small-minded biases, but I honestly don't care about religion, gay marriage, birth control, or any of these "old issues" distracting from the real issues of extreme financial inequality and a police state killing anyone questioning its funding. Does a bunch of smaller tyrannies that will likely fight and weaken each other scare you more than a big one that can pool resources and then become insane and kill its host?

Apologies all. No more politics for me for awhile. It's just unfortunate when I want to ignore it, but they drag us all down; and we don't even need them. Think it's about time I retreat back to my hole; I've taken up enough bandwidth and got serious amounts of work ahead of me. The rest of you carry on the conversation of secure, clean, non-malicious technology and protocols. We need more designs. Something brilliant would be no need for shielding as the RAM creates enough random interference to deter easy TEMPEST. Then I can just chill and my house and use encryption w/o worrying about wasting my time as someone bypasses it all.

FigureitoutApril 29, 2014 12:08 AM

And...I want to make one more little point. If you haven't already read well known hacker Bunnie Huang's book on Hacking the Xbox, check out the first 30 pages. Hear his story, maybe policy makers may want to hear his observations that American hackers are so afraid of persecution to do research and hack, thus leading to a deficiency in secure IT skills (leading to our systems getting owned). Hmm, I'm afraid of my own shadow these days and agents have been breaking into my residence off and on for ~4-5 years now. Asian and European areas w/ more freedom to explore (or rather less of a knife to the throat) provided more interesting info to him in his research. He was deeply touched by Aaron Swartz's suicide as he experienced some of the legal coercion first hand and he now lives in Singapore, not US.

http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf

DBApril 29, 2014 5:13 AM

@ Figureitout

If you're doing an air-gapped machine, I imagine you'd use original CDs or something to install everything on it... But if you're doing any sort of network-connected machine, then I imagine you'll have to accept some compromises instead, and trust some firewalls to some degree. Nothing is 100% trustworthy, but some things are more than others, it all depends on the situation as to how much risk can be lived with. To be clear though "living with" a certain level of risk for now doesn't mean stopping from looking for ways to further reduce risk in the next iteration.

Clive RobinsonApril 29, 2014 9:07 AM

@ Figureitout,

As always in life you have to pick a point on a line and start from there... In this case it's the line between fully secure and totaly insecure (though remember neither end point can be reached).

As it happens there is another line that runs broadly parallel to the security line for much of the secure end of the security line and this is related to hardware and it's level of complexity.

As you are aware to a certain extent the less complex a part is the less space there is for unknown functionality to remain undetectable. Thus if you built a computer entirely out of individual transistors and diodes you would find making it secure to be less of an effort than by using an SoC of the type used in the Raspberry Pi.

However I'm not going to suggest you start building NAND gates on stripboard or using TTL MSI chips to build your one CPU (though others have and put the designs up on the internet). Nor am I sugesting you exclude COTS parts.

What I am sugesting is you use low cost parts that are LSI or much greater in complexity, but in a way that controls complexity.

For instance there are many low cost network card chips out there and there are also many lowcost microcontrolers that do a lot of serial comms hardware support. Often these are on low cost development boards or if you hunt around old AT interface PC cards.

What you do is you limit the functionality in each given block and put strongly controled interfaces between them. The more you limit the functionality in each given block the easier it s to design build and test as well as limit the security attack surface.

As I've said in the past I use various microcontroler prototyping systems to make the equivalent of network diodes and pumps to limit the attack suface of interfaces that are exposed to insecure environments such as a radio interface or Internet "modem" interface.

Whilst it alone will not stop a determined attacker it will very much limit what they can do at any given level of cost, thus you can quite easily price yourself well out of the "low hanging fruit" tier and tie up significant resources of a directed attacker such that they are forced into doing a cost/benifit analysis on any proposed attack.

Further as you can easily change blocks within your design as and when you feel like it you will as you evolve your system become a moving target as far as any attacker is concernd which significantly reduces the "benifit" of any cost they expend on attacking you (the trick though is to alter the equation in your direction only so far, otherwise they may well decided on a different method of attack which you don't have any control over).

That said currently the problem you are outlining is one you can not win (ie getting untampered software across an insecure environment) because you don't have control over the remote end point. So an attacker can attack the remote end point to get inside of any trust layers you put in place. Thus in this case you are forced to either take a risk on the download or to inspect it to look for tampering. And to be honest if you have to go to the extent of having to inspect it you might as well write your own code as it will be a more effective use of your time both now and in the future.

That is not to say do not use other peoples code or hardware, but chose wher to put your trusted point and the security around it. I am quite happy using a minimal comand line interface across a serial line for what I do a lot of, and know how to use tools from the 70's era, thus the footprint of my trusted area can be very very small (ie not much bigger than a Z80 system). You can if you look around find microcontrolers for a couple of USD that will give you a serial interface for a terminal and a serial interface for a memory card and the manufacture or others have made available code to put a usable file system on the memory cards.

You don't need an "operating system" for such a system or even a "BIOS" (although it would make life easier). All you need to get started is a BASIC interpreter which will alow you to write inline ASM. From this you can quickly build out from. As it happens there are numerous BASIC interpreters written in C or ASM you can use as a starting point. As you build your tools and confidence you can grow such systems to the point where you can make a jump to the next level.

Which is "Portability" of code, there are two ways to do this which is the AT&T C way as pushed by K&R or the UCSD P way as developed originaly by N.Wirth.

Whilst neither way is exclusive of the other you do have to be carefull how you mix them. The C way originated from having minimal very expensive and often slow resources, which are a series of constraints that usually do not apply any more. The P code way was unfortnatly ahead of it's time and effectivly got hit by the constraints the C code way avoided. However the P code way of bytecode interpreters was reborn in java, unfortunatly it fell into the trap of trying to be "all things to all men" and has suffered badly for it and any notion of security went out the window a long long time ago.

As a result bytecode interpreters have got an undeserved bad name, which is unfortunate. The problem lies not with the bytecode interpreter but the high level language you chose to saddle it with...

As has been discussed on another thred of this blog some high level languages are inapropriate for the use they are being put to. Personaly I cut my teeth on BASIC then Fortran then Pascal finaly ending up on C (I don't use C++ as it's very inappropriate for the work I tend to do), of them I still like "old school" BASIC and Pascal but work more frequently with C/ASM due in part from what I do and mostly having to fit in with an "Industry view point".

However the Pcode way has colourd the way I do things when doing microcontroler work, it's quickest to write drivers and a BIOS layer in ASM then write a bytecode "Tool" ontop in ASM and port pre developed code over before doing a rebuild.

The trick to writing the initial bytecode interpreter is to use very limited ASM instructions that are present in all CPUs thus you can take prewritten ASM source and using a minimal cross assembler convert the source code file into those required by the new toolchain. Once up and running you can optomise the bytecode interpreter but often it's not worth the effort unless the target is constrained by "storage" in ROM (which is rarely the case). The constraint of "speed" is usually either not an issue or dealt with by in very small parts of the code dropping down to inline ASM.

As for "Multi-Tasking" on a small system it's easier to use a second microcontroler than write the required code to securely have to entirely seperated jobs run on the same CPU. It's a view point the industry is starting to move towards by having as little as possible in kernal space and as much as possible in user space including the likes of I/O. It's a way of thinking I would encorage for a whole host of reasons other than just security.

Clive RobinsonApril 29, 2014 11:54 AM

OFF Topic :

A couple of things I've been saying on this blog and other places has finaly been recognized by those drawing up industry reports...

1, The Russian's and East Europeans covert attacks represent as big if not a bigger threat than the more obvious Chinese attacks.

2, The US over reliance on Elint / Sigint at the expense of Humint is going to cause the US and others with similar bias significant stratigic and tactical problems (Which Crimea has just shown).

http://complex.foreignpolicy.com/posts/2014/04/22/it_s_not_beijing_s_hackers_you_should_be_worried_about_it_s_moscow_s

The fact that the Russian's are making the west appear impotent / incompetent and clueless should be no surprise, after all the indicators of this "inwards focus war on the citizens" was predicted back in the 1980's as being a very lkely consiquence of the colapse of the cold war. Back then people were asking the obvious question of what would the Intel communities do... The obvious answer was find a new ememy closer to home and back then there was talk of focusing on drugs and serious crime. Well 9/11 showed beyond doubt that the western intel agencies were swallowing tax take in large measure for no return. Rather than clean out "he Ageian Stables" style mess the politicos chose instead to pile the equine/bovine fecal output they were producing into an ever enlargening pile.

With the result that the US and quite a bit of the West has less defence than when Hitler startd invading Europe. And to be honest I realy cannot see a significant difference between what Putin is trying and what Hitler tried. Some times you have to recognise that you have to stop making excuses and stop trying to talk a situation to death befor it gets to the point where you have to fight a world war and then hang the political loosers at a war crimes tribunal.

Klutzy the GazelleApril 29, 2014 12:22 PM

And if one wanted to speak with a human being at the IRS, via a telephone, would one need to travel back in time?

czernoApril 29, 2014 3:06 PM

@Clive : with due respect, I'm calling Godwin. Please stop the questionable attacks against whichever country and / or leader, esp. as in the conflict you alluded to it's not at all evident whose side is "the Nazi"!

Whatever, I believe Mr Bruce does not approve of heavy politicaly predjudiced statements in this his blog.

Regards

--
Czerno

vas pupApril 29, 2014 3:48 PM

@Jacob:"Does the FBI get envious of the NSA?"
Yeah, I guess. In their wet dreams they want to combine their "muscles" with "brains" of NSA and then we will have monster. My vision is that FBI is like surgeon (could do more, but knows less), but NSA is like general physician (knows much more but could do less). That is why whatever reorganization of NSA is on the gov to do list, all meta data /not targeted collection and analysis should NOT be under FBI umbrella, but under direct command of DCI. That will provide mechanism of checks and balances within
LEA/Intel.
@Judass. You provided example of wise practice to separate intel collected as source/tool of further investigation versus intel/information collected for usage as court admissible evidence.

Nick PApril 29, 2014 5:05 PM

@ vas pup

"In their wet dreams they want to combine their "muscles" with "brains" of NSA and then we will have monster. "

One purpose of Dept of Homeland Security, IIRC.

Clive RobinsonApril 30, 2014 5:45 AM

@ Czerno,

I will give you the benifit of the doubt over invoking Goodwin's law, and assume you actually don't know when it applies or why.

Your use fails two of the Goodwin tennents which would normaly indicate false usage for the purpose of censorship.

Importantly you show that you have not studied 20th Century European history (or have failed to utilise such study) otherwise you would see the parellel between Hitler's political and later military stratagy to grab land and economic resources.

Further I did not claim either side of the current issue to be a Nazi nor did I even mention them, I simply drew a parellel between the 1930's German stratagy to grab land which Hitler was responsable for and todays Russian grab of land which it's fairly safe to say Putin is behind.

Further based on the behaviour of other countries they to belive that the Russian grab of the Crimea is likely to follow the same pattern as that of the 1930's as they are starting to take military action to limit the possability.

Further it can also be seen that Russia has been practicing Cyber-Warfare against quite a few Western nations not just against political and journalistic entities but corporate entities as well for the purposes of what would more normaly be called Industrial Espionage.

Such activities against ICT infrastructure and user systems are very much what this blog is about and occasionaly the political and military activities in this area and the causes of them have to be considered both in the current and historical perspectives such that future behaviour of such attackers can be reasonably assesed. Bruce himself does get involved with the political aspects of security after all it's exactly what "Security Theater" is, ie the political use of FUD to obtain certain political objectives wher there is neither logic or fact or for that matter reliable science behind the political FUD/posturing.

I am aware that Bruce does not like "Party Political" discusions and I am well aware of why, but my comment was not in any way "Party Political" in the normal accepted sense. So it brings into question your motives for suggesting I was.

I will note however that it is fairly well known that there are a number of groups of people who take various forms of action in order to prevent any of what they percieve as negative comment about Russia, it's leaders or the criminal classes that have profited dwell from both. We have seen similar with China, Israel and more than a few dictatorships. Thus people that exhibit similar charecteristics and behaviour are difficult to differentiate from such actavists.

SkepticalApril 30, 2014 7:32 AM


The White House has provided additional information on how the US Government decides whether to disclose a vulnerability here.

Some highlights:

This spring, we re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities – so that everyone can have confidence in the integrity of the process we use to make these decisions. We rely on the Internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.

But there are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.

Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.

Considerations in the decision process include:

How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?

Does the vulnerability, if left unpatched, impose significant risk?

How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?

How likely is it that we would know if someone else was exploiting it?

How badly do we need the intelligence we think we can get from exploiting the vulnerability?

Are there other ways we can get it?

Could we utilize the vulnerability for a short period of time before we disclose it?

How likely is it that someone else will discover the vulnerability?

Can the vulnerability be patched or otherwise mitigated?

The entire post is worth reading.

When the NSA's statement in response to Heartbleed disclosed the "Vulnerabilities Equities Process", I was hopeful that more information would be forthcoming. That post represents a good, and careful, attempt to do so.

As described, at least, the process sounds exactly right.

yesmeApril 30, 2014 7:49 AM

@Skeptical

At least they are honest about it. They are not denying anything.

We can discuss the politics, motivations etc. but that would probably end up in some sort of flame war (which has been going on for quite a long time now).

It makes sense to me and is clear English. No double talk.

Now we only have to see what they think is relevant to disclose and what not and that's something we can't influence.

AlanSApril 30, 2014 8:52 AM

@Skeptical

What "process sounds exactly right"? The Whitehouse tells us almost nothing about the disclosure of "cyber vulnerabilities".

"This spring, we re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities".

There's not much that is new here. This is mostly about re-assurance.

"We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure."

Details? Who makes the decisions and how? How are these decisions made accountable?

"While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability..."

So we get a list of things that the current Special Assistant to the President and Cybersecurity Coordinator "wants to know". That doesn't tell us very much.

"Enabling transparency about the intersection between cybersecurity and intelligence and providing the public with enough information is complicated.... I hope this post will instill some confidence that your government is acting responsibly in the handling of this important issue."

This is complicated, we're going to tell you practically nothing about the process, but hope you feel more confident. Trust us.

Jennifer Granick's summary:

"...Daniel makes comforting noises. But, while the questions he asks appear facially sensible,  the answers are almost unknowable. The Administration’s decisions will rest on what are essentially guesses about what might happen with network insecurity. And those guesses take place within a secret interagency process governed by secret, internally crafted policies and norms. This is how our government is deciding one of the most important security, economic, and civil liberties issues of our time—how secure and reliable  modern communications technologies are going to be allowed to become."

CzernoApril 30, 2014 9:14 AM

@Clive : I willl _not_ engage in further discussion about History of the "3rd Reich" or politics in general; let it be known I disagree entirely with (almost) every point in your long comment, in particular the false analogy you drew of the recent events in Crimea with Hitler's annexions during the 1930s - but we shouldn't and must not discuss politics here.

I have nothing against you Clive Robinson, like most I do appreciate and respect your scientific, technical and even human experience that you do us the honour of sharing with the readers of this blog but

My point is that provocative and/or partial and/or questionable political statements are unwelcome on this blog, however sincere they may be. I assume this is in line with Bruce's oft repeated demands; if i'm wrong let him correct me.

Let's agree to stop arguing over matters which clearly do not belong to oura technical discussion, will you, please !

Regards

--
Czerno

Clive RobinsonApril 30, 2014 10:02 AM

@ Alan S,

I think you missed the real weasle words bit,

Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run.

The idea of a "huge stockpile" is ridiculous, most of the vulnerabilites get known fairly quickly, especialy after they first get used. Thus I don't believe the number will ever be huge in comparison to the number currently being found...

With regards the NatSec statment, to date the likes of the NSA have not shown any interest in securing the US military let alone military or commercial entities that any one can point to when it comes to vulnerabilities. Infact the opposit appears more likely to many observers including belatedly NIST.

As for the "forego" bit it actualy indicates the exact opposit of the preceding NatSec statment.

Personaly I suspect in the near future there will be a small chang in what the DHS and NSA do. I think they will stockpile vulnerabilities untill it becomes clear that they become known to others then they will give discreat notice to one or two major industry players and the effected software company (if US based).

This is the DHS model as seen with embeded and industrial control systems, that they were overly public about.

As for the rest of us users outside the "favoured few" I suspect we will be hung out to dry just as we have been todate.

I might be wrong on this but the dalmation does not change it's spots unless you skin it first, and I can not see any elected US representative getting out either the skinning or gutting knives on either the DHS or NSA et al, simply because there is no upside for them and one heck of a downside.

vas pupApril 30, 2014 10:08 AM

@Nick P • April 29, 2014 5:05 PM.
Not really. DHS combined primary 'muscles' of other LEAs, and being not directly "under the roof" of DOJ is not close to DOJ prosecution potential as FBI (formally under DOJ). DHS does NOT conduct operations where person comes first (because somebody does not like opinion of that person which is not in sync with mainstream, and such opinion is just usage of Constitutional Rights or wants to burn particular person for other reasons which have nothing to do with real criminal or dangerous to public actions), and searching for crime to be attributed second. DHS never ever will burn person like General Petreus because of his affairs with a woman (US military intel. senior officer reservist - not Russian/Chinese honey trap). I do respect FBI activity when they are fighting real & serious Federal crimes violent first, including counter intel. and counter terrorist activities, but not in favor when its potential is used for the reasons stated above (kind of 'Thought Police'). That is the difference in my view.

SkepticalApril 30, 2014 1:39 PM


@yesme: Now we only have to see what they think is relevant to disclose and what not and that's something we can't influence.

That will indeed be interesting to see.

@AlanS: This is complicated, we're going to tell you practically nothing about the process, but hope you feel more confident. Trust us.

So far we've learned that there is an interagency process established to determine whether, and how, vulnerabilities ought be disclosed. We've learned that this process incorporates economic and political considerations that may go beyond what an agency focused purely on intelligence would consider. And we've learned that there is an interest on the part of some in the Obama Administration in talking more about that process.

All of these things are quite good. Now, we clearly don't have many details. Given that the process seems to have taken shape in the last few months, I'd hope that they're proceeding very cautiously as to what details to disclose.

What "process sounds exactly right"?

The inclusion of perspectives and agencies other than the NSA in determining whether it is in the national interest to disclose a vulnerability. The process as vaguely described incorporates the range of considerations that should be weighed in making that kind of determination.

Could it all be a fig leaf? Sure. But the unprompted statements on the process are promising.

As to Granick's criticism of the secrecy of the process, I don't find it persuasive (at least as it is vaguely hinted at in her post). While I think that more information about the process could be (and probably will be) made public without harm, I don't think the deliberations involved in that process can be public as those deliberations will obviously involve classified information. What's the alternative to this approach? An automatic release policy?

@Clive: to date the likes of the NSA have not shown any interest in securing the US military Oh?

Nick PApril 30, 2014 2:24 PM

@ Skeptical

Clive's comment is overstated yet party true. Refer to that link to the Bell paper I gave you in previous discussion. It pointed out that they took the lead creating standards and demanding assured products. Then the killed the market off and started pushing EAL4 (certified insecure) solutions for govt and military use. Only their COMSEC gear that's Type 1 is assured.

So, if NSA pushes govt & COTS use of insecure solutions, then they either dont care about security or are intentionally weakening it. They cant plead ignorance as they do high assurance evaluations & hack the kind of stuff they push. So, I rank their policies as one of greatest threats to classified information.

At least we have other govt groups, mainly DARPA & NSF, doing their part to create real deal. They're not all bad: just NSA and other agencies who have conflict of interest.. ;)

BuckApril 30, 2014 5:58 PM

@Skeptical

@Clive:
to date the likes of the NSA have not shown any interest in securing the US military
Oh?
Yo Ho! Indeed...
60 Minutes shocked to find 8-inch floppies drive nuclear deterrent
Air Force says archaic systems aid cyber security of Minuteman missiles.
http://arstechnica.com/information-technology/2014/04/60-minutes-shocked-to-find-8-inch-floppies-drive-nuclear-deterrent/
Beyond the floppies, a majority of the systems in the Wyoming US Air Force launch control center (LCC) Stahl visited dated back to the 1960s and 1970s, offering the Air Force’s missile forces an added level of cyber security, ICBM forces commander Major General Jack Weinstein told 60 Minutes.
Although Leslie Stahl expresses surprise, I'm more likely to breath a sigh of relief knowing this... As anyone who knows anything about modern computing infrastructures certainly also knows how horribly insecure they are for life-or-death situations! Perhaps we'd all be a bit better off if we hit that great reset button in the sky and took a trip back to the 60s knowing what we know now... :-\

AlanSApril 30, 2014 7:12 PM

Read Bamford's Shadow Factory to find out what sort of reputation the NSA had with troops on the ground in Iraq. He quotes the associate director recounting a meeting with a lieutenant colonel in Baghdad who tells him: "You're a mucky muck at NSA; you guys are such ass-holes....You guys are the huge rusty gear, and we're the fast gear--and there's no way your gears are going to engage in our gears and help us."

AlanSApril 30, 2014 7:23 PM

@Skeptical

"unprompted statements".

The statement was prompted by Heartbleed and accusations that the NSA knew of the vulnerability and withheld information, an accusation that has some credibility in light of the Snowden revelations. This is made clear in the title and the opening paragraph. The purpose of the statement is made equally clear in the last line: "I hope this post will instill some confidence that your government is acting responsibly in the handling of this important issue."

The Whitehouse accurately perceives that the executive has a public confidence problem on this issue but there is fake meat sandwiched between the "denial of irresponsibility" and "assertion of responsibility" slices at the beginning and end of the statement.

"The process as vaguely described"

That's being charitable.

AlanSApril 30, 2014 7:28 PM

@Clive

Yes, but at this point doesn't it go without saying that there's always an escape hatch or diversion in everything they utter? Eventually they might figure out that no amount of perfume slathered on an old porker covers the inherent stench of the beast.

Nick PApril 30, 2014 10:40 PM

@ Buck

I enjoyed that. It makes a nice supplement to this article. Thing is, it's not as good as they think it is. The systems they use are insecure. How do I know this? I have old papers about the prototype "secure" systems (eg AUTODIN II) designed to replace them... that weren't fielded. ;) Government agencies with similar computers and strategies were also penetrated in the past by famous hackers. So, I'm thinking the security comes from a combination of internal controls, dedicated protected communication lines, and a ton of obscurity partly due to old systems & software they use. It could actually be the most successful case of security through obscurity ever designed.

Of course, a modern organization could benefit by taking a similar approach for the most trusted functions of their critical networks. They could even leverage tech designed in those secure prototypes I referenced which solved those kinds of problems. The least they could do is disconnect systems containing millions of I.P. or running critical infrastructure from the Internet. Yet, seeing as they're not bright enough to do even that says plenty about how they would approach the rest.

Tails Linux version 1.0 releasedMay 1, 2014 12:32 PM

After nearly five years of development, Tails[1], a Debian-based distribution known for its strong privacy features and pre-configured for anonymous web browsing, has reached version 1.0: "Tails, The Amnesic Incognito Live System, version 1.0, is out. Version 1.0 is often an important milestone that denotes the maturity of a free software project. The first public version of what would become Tails was released on June 23 2009, when it was called Amnesia. That was almost five years ago.

Tails 1.0 marks the 36th stable release since then. Since then we have been working on the many features we think are essential both in terms of security and usability: USB installer; automatic upgrades; persistence; support for Tor bridges and other special Tor configuration; MAC address spoofing; extensive and translated documentation." Read the rest of the release announcement[2] for a full changelog and a note on future plans. Download[3] from here[4]: tails-i386-1.0.iso (909MB, torrent[5]).

- http://distrowatch.com/?newsid=08413

[1] http://distrowatch.com/tails
[2] https://tails.boum.org/news/version_1.0/index.en.html
[3] https://tails.boum.org/download/index.en.html
[4] http://dl.amnesia.boum.org/tails/stable/tails-i386-1.0/tails-i386-1.0.iso
[5] https://tails.boum.org/torrents/files/tails-i386-1.0.torrent

Me againMay 1, 2014 1:11 PM

How do we who want the web to enhance civic discourse handle the problem that entities with maximal skill and minimal moral constraint can, by judiciously employing keywords at judicious moments, game the system to drive away and/or smear people?

Wesley ParishMay 2, 2014 12:39 AM

@Netanyahu rants against smartphones

LOL! ROFLMAO! You made my day! Bibi's own dad was less than impressed him. Now we see why. But it never took much effort to see that anyway!

I'd be much more impressed if he bothered to consider the security implications of continuously documenting one's life with the localization capacity of an insecure smartphone - but then as I say, his own dad never considered him the sharpest knife in the shed.

SkepticalMay 2, 2014 5:20 AM

@Nick P: Clive's comment is overstated yet party true. Refer to that link to the Bell paper I gave you in previous discussion.

I quoted the comment because I was surprised at how overstated it was.

@Buck: Although Leslie Stahl expresses surprise, I'm more likely to breath a sigh of relief knowing this... As anyone who knows anything about modern computing infrastructures certainly also knows how horribly insecure they are for life-or-death situations! Perhaps we'd all be a bit better off if we hit that great reset button in the sky and took a trip back to the 60s knowing what we know now...

I was disappointed to see that US nuclear forces do not use a web 2.0 interface that is linked to all their social media accounts. Doesn't the public have the right to know, instantaneously and in 140 characters or less, how its nuclear missiles are doing? ;)

@AlanS: Read Bamford's Shadow Factory to find out what sort of reputation the NSA had with troops on the ground in Iraq. He quotes the associate director recounting a meeting with a lieutenant colonel in Baghdad who tells him: "You're a mucky muck at NSA; you guys are such ass-holes....You guys are the huge rusty gear, and we're the fast gear--and there's no way your gears are going to engage in our gears and help us."

This is the officer who, in the book, requested that the NSA simply push all the raw data they were collecting in Iraq to his military unit for analysis?

The point of the story is a bit more complex than your portrayal here, though I'm not sure how this connects to what we were discussing.

SkepticalMay 2, 2014 5:26 AM

@AlanS: The statement was prompted by Heartbleed and accusations that the NSA knew of the vulnerability and withheld information, an accusation that has some credibility in light of the Snowden revelations. This is made clear in the title and the opening paragraph. The purpose of the statement is made equally clear in the last line: "I hope this post will instill some confidence that your government is acting responsibly in the handling of this important issue."

They smashed the Heartbleed/NSA story by issuing a rare, very direct and explicit denial of any knowledge of the vulnerability. The nature of the comment and denial was enough by itself.

Now, it's interesting by itself that they issued such a blunt comment on this kind of story, but it's even more interesting that they went beyond what was necessary to debunk the story.

The disclosure of the Vulnerabilities Equities Process is an extra step that was unnecessary to address the Heartbleed story. And of course the post I linked has continued a discussion about the Vulnerabilities Equities Process well after the Heartbleed/NSA story has faded.

All of that is a promising sign. The broader number of considerations, and the multiple perspectives involved in the process, are precisely the features that the process should incorporate. And the fact that they're talking more about it without an immediate need to do so is consistent with a hypothesis that some in the government have recognized the benefits of increased transparency on certain matters.

To be sure, there's a lot we don't know. That's to be expected. Nonetheless, what we do know is actually substantial, and some reason for optimism.

I suspect we'll learn additional details in the near future.

Clive RobinsonMay 2, 2014 7:23 AM

@ Skeptical, Nick P,

I don't think the comment is overblown when it comes to the US Gov computer networks, US military networks and a number of others it's the overloaded admins that are saying that all their network security is from off the shelf commercial software. Further the old NSA advice on setting up systems etc can clearly be seen to be both inadiquate and a combination of commercial best practice.

Where the NSA has been seen to make a difference is on the likes of point to point comms and data at rest products, which have a reputation of being physicaly a problem, clunky/difficult to use and burdened with paperwork rules procedures and a whole lot more that makes the use of such equipment prohibitivly difficult and expensive, and this is before you start talking of the burden keymat procedures add on top.

As one person in that area put it to me the NSA solution to the problem of not being able to run fast enough to keep up is to add so much dead weight it breaks your legs if you try to stand let alone walk or run.

But getting back to the point of having to use commercial products to build secure computer networks, if the NSA are as some are trying to imply "helping" there is no visable sign of it in the maket place so unless they are running some very deep cover to all the security vendors (that are used) the NSA would have to be feeding such alerts in at a higher level via CERT et al, and again there is no evidence that indicates they are doing this in any way.

So please feel free to disagree but first how about finding evidence the NSA are helping with computer and network security for the products the fontline schmoos have to use because of Congressional spending requirments. And even if you can't find indicative evidence smoking gun evidence might be nice but not the tissue of lies propped up on smoke and mirrors that we currently have.

If you want to think of it another way, how come so many public facing Gov sites get attacked / cracked / defaced causing much political embarisment? Politicos hate being embarresed likewise the heads of government agencies because it effects their funding.

Likewise ask what NSA type security was in place on the COST computers and networks to stop Manning / Snowden? From what has been said publicaly and from the panic measures that went on after I would hazzard a guess of between very little and none.

I saw a cartoon of a "Warning Protected by the NSA" poster thumb tacked to a fifty foot pole in front of a tent with a hollywood style "arabian sheik" cutting the back out of the tent with a large scimitar whilst rats were runnig out with documents in their mouths, it was on an internal noticeboard of a "big data" organisation sadly they would not allow me to copy it because I think it would look good as a wall poster or cover of a book.

Clive RobinsonMay 2, 2014 7:49 AM

@ Alan S,

Sorry not to get back to you earlier I've been a bit tied up over the past few days...

You have however put an image in my mind of a "Miss Piggy" dressed as a mermaid spraying herself with "Old Cod Oil" muttering "Kermit won't know it's me"...

As for weasel words to alow wriggle room for escape hatches, they remind me of the hinges on old farm gates, the wriggle/play is such that the hinge is worn through and the only thing holding the gate up is delapidated string that is so broken and re-knoted it's become attractive to birds for nesting.

Nick PMay 2, 2014 12:17 PM

@ Clive Robinson

The comment was simply wrong. You said:

" to date the likes of the NSA have not shown any interest in securing the US military let alone military or commercial entities that any one can point to when it comes to vulnerabilities. "

NSA played a role in INFOSEC ever since Anderson Report. They aided in design/evaluation of many B3/A1-class systems, sponsored high security in a few COTS under SPOCK program, maintained TEMPEST defense standards, produced plenty Type 1 COMSEC gear, and so on. So, they've made quite a few contributions including supporting some of most secure stuff US ever built and which military *can* use if they choose.

So, any comment that they've shown no interest in or done nothing for security in either military or commercial sector is wrong. However, I'd totally agree with you if you modified your comment to say something like:

"Since the early 90's, NSA has shown almost no interest in securing either commercial or most government networks. Instead, they withhold what secure solutions they have from commercial sector and most government agencies. They also promote solutions that they know are insecure in face of both dedicated black hats and nation state opponents."

One could say more post-Snowden but I'm trying to keep the statement in a form relying on only NSA's own claims before that. They defined C2/B1/EAL4 tech to be adequate only for "casual or accidental attempts to breach security." As in, wouldn't stop a low level black hat much less Russian or Chinese hackers they gripe about. Then, they pushed EAL4 solutions to protect classified & commercial networks. That they're a liability for security (post Orange Book era) is provable just by that. Snowden leaks are icing on the cake with several extra cakes on the side. ;)

re your statements on Type 1 restrictions

Those are good points. It's hard to for me to say if that's them intentionally subverting things (as they promote the stuff) or if it's just DOD-style mismanagement whereby sensitive tech gets drowned in regulations. I'm thinking the latter. The effect is still the same, though, in that most groups can't get the good stuff without being overly burdened. Hence, they turn to inferior solutions that are readily available & make nice promises.

re US govt contribution to INFOSEC

If I had to speak positively of a military group, I'd pick Naval Research Laboratory as they at least produced a decade or two's worth of papers that gave me plenty good designs and wisdom on the field. Their people are at least as great as they can be within confines of US govt R&D. Other's I'd credit with laying the foundation of all good INFOSEC are Burroughs (good architecture), Air Force (eg Schell/Karger work), DOD in general (sponsored plenty stuff), SDC (good early R&D), Saltzer/Shroeder, and KeyKOS/capability people.

Btw Clive, check this old paper out. It's from a guy (Schaefer) who was there from the beginning of INFOSEC well into the peak of its execution. He has an interesting perspective on it, esp Orange Book. Lot's of lessons learned in there.

Clive RobinsonMay 2, 2014 1:30 PM

@ Nick P,

We are actually in agrement over much of this but it's the differnt meanings that are ascribed to words that are the point at issue, not what is and has happened in the past.

The NSA glory days era you mention was back in the days of big iron and not realy contested budgets. But as you've mentioned on a number of occasions, the problem was the NSA solutions were glacialy slow to market, in many peoples --who count-- views over engineered and eye wateringly over priced to the point it made the legandary $600 hammer look like a bargin. And market rigging to try to bring the cost down failed mainly for political not economic reasons.

As we have discused befor cost control started and IT became more cost sensitive than paper clips, big iron centralized systems got the heave ho and comercial of the shelf PCs network cards and networking came in along with Micro$haft OS and applications. Worse security products were also commercial off the shelf.

But my point still stands the NSA has shown no interest in fixing vulnerabilities, the stuff you mention has never fixed any vulnarabilities found in commercial off the shelf technology. What it did was to design systems that were inordinantly expensive that by design prevented vulnerabilities. There are several country miles between between prevention and fixing and confusing the two appears to be a security industry failing. And this is realy the point of our diagrement.

Look at it this way, which would you prefer to do, go drag racing on tyres designed not to blow out at those powers and speeds but are eye wateringly expendive. Or inexpensive car tyres that are not designed or tested for those powers and speeds that somebody has slapped some rubber solution glue around in the mistaken belief all will be OK come race day.

As for the designs of diodes, pumps an sluces by the Naval research two points to note firstly they are not the NSA in the way most on this blog would see it, secondly they are again not fixing vulnerabilities but preventing access to them in various ways. And it's important to realise this, they are designed to segregate networks at different classifications they in no way change the vulnarability of each network or the hosts connected to it.

Now all this said it does not mean I don't think the NSA did not do a lot of good fundemental work on security they did, but due to political posturing and lack of budgetary control, cost constraints happened and the NSA designed/mandated systems never became main stream, whereas insecure by design commercial systems did...

So if you can find a solid example of the NSA finding a vulnerability in the commercial systems and then making it known --whilst it is still otherwise unknown-- such that it gets fixed for all the Gov, Mil & Com users of the commercial systems effected I'd be interested in seeing the evidence.

Nick PMay 2, 2014 2:44 PM

@ Clive Robinson

"So if you can find a solid example of the NSA finding a vulnerability in the commercial systems and then making it known --whilst it is still otherwise unknown-- such that it gets fixed for all the Gov, Mil & Com users of the commercial systems effected I'd be interested in seeing the evidence."

I don't have a single example of THAT haha. Googling it just led to examples of NSA leaving vulnerabilities in. So, it's case closed on that point.

AlanSMay 2, 2014 4:47 PM

@Skeptical

"This is the officer who, in the book, requested that the NSA simply push all the raw data they were collecting in Iraq to his military unit for analysis?"

Thanks. I missed that. Yes, what the NSA was giving them must have been bad if they thought they could get more out of doing the analysis themselves on the raw data in the field.

Clive RobinsonMay 2, 2014 6:25 PM

@ Nick P,

I don't have a single example of THAT haha.

And that's what makes hat whole document a compleat nonsense.

Don't get me wrong I realy would like to see evidence of it on more than one occasion, because it would show that the NSA was living up to it's primary purpose of "Protecting the communications of the United States of America" which includes the Gov, Mil, Com and Citizens of the US...

But I'm not as young and idealistic as I once was, and with age comes a realisation or viewpoint that "when I wore a younger man's shoes" I would have called cinisisum. Now I chose to think of it as hard won insight into the ways of those who claim to govern us... So I'm not expecting to see real evidence of change for the better from them, their spots won't change any time soon, they will just slap on another coat of whitewash as the previous whitewash wears thin.

Nick PMay 2, 2014 8:24 PM

@ Clive Robinson

"the NSA was living up to it's primary purpose of "Protecting the communications of the United States of America" which includes the Gov, Mil, Com and Citizens of the US..."

That's a common misconception. The NSA's primary purpose is gathering SIGINT. The defensive part is barely a footnote in the various directives, executive orders, etc. This document, previously Top Secret, traces how it formed from different pieces in military and intelligence. Compare how often they talk COMINT vs COMSEC or COMPUSEC (old term for INFOSEC). Other directives also usually just mention COMSEC if they talk defense at all. If anything, NSA could argue that they're *not* required to protect us given SIGINT is primary & adding INFOSEC makes their mission contradictory. They effectively did argued that during crypto wars when they blocked good crypto on grounds of it hampering SIGINT.

So, further supporting both our points against NSA, there is *no* definitive requirement for NSA to protect us, while there is a requirement that they intercept as much as possible. Letting them do security at this point is fox guarding the hen house.

"But I'm not as young and idealistic as I once was, and with age comes a realisation or viewpoint that "when I wore a younger man's shoes" I would have called cinisisum. "

It's an organization that specializes in crime for gathering useful information. Being skeptical of them is barely cynical: it's just sane. ;) Although, age has definitely made the both of us cynical.

"And that's what makes hat whole document a compleat nonsense."

What document? If you're referring to Schaefer paper I linked, it's not about NSA so much as evolution of INFOSEC practices and standards up to right after Orange Book. It only has a few references to NSA as others did most of the work. The part on how the process failed was more enlightening than anything else.

Clive RobinsonMay 3, 2014 3:01 AM

@ Nick P,

The document from the Whitehouse blog that Skeptical gave the link to and quoted much of.

AlanSMay 3, 2014 8:21 AM

@Clive

Run Kermit! Run!

Political statements of this sort are ritualistic. We know they are lying; they know they are lying. It's a game. I think that's why some people called foul on Wyden when he asked Clapper about spying on Americans e.g Joel Brenner (senior counsel of NSA from 2009-2010). They perceived him is violating the tacit rules of the game. Wyden already knew the answer but by asking Clapper the question in open session he forced him to lie under oath.

We can take a step back and argue that the truth value of the words is really not that interesting. We should ask not what are the truth values of various representations but what what do the words perform? This would be a ordinary language approach (e.g. see J.L. Austin) or in sociological works that are related to this philosophical tradition (e.g. see The Spectacle of History: Speech, Text and Memory at the Iran-Contra Hearings). The question becomes what are the practices, how do they work and what do they perform? I certainly think it is more interesting when one views Wyden in Intelligence Committee heasrings to ask not what is he saying but what is he doing and why? He's not asking Clapper for information.

SkepticalMay 3, 2014 10:35 AM

@Clive: And that's what makes hat whole document a compleat nonsense.

The process referred to in the document is an inter-agency process, which means that it involves more than the NSA.

The interesting, and positive, aspect of the disclosures is precisely that they are involving agencies and perspectives beyond that of the NSA in deciding whether and how to disclose vulnerabilities that they have discovered.

So that the NSA has been primarily responsible for sigint is not especially relevant. NSA can give good input into the process as to the importance of the vulnerability in question for intelligence collection, which should be weighed as a factor in determining whether to disclose the vulnerability.

As to the quibble of whether the NSA has ever identified vulnerabilities in particular commercial systems, while this isn't exactly what you're asking for, it's been widely reported that the NSA has, at the invitation of particular companies, examined and identified vulnerabilities in their particular networks and computer systems. I mention this mostly as trivia, as it's irrelevant to the larger point as I describe it in the above paragraphs.

@AlanS: Thanks. I missed that. Yes, what the NSA was giving them must have been bad if they thought they could get more out of doing the analysis themselves on the raw data in the field.

Yes, you've definitely identified one possibility.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.