Comments

kashmarek June 6, 2014 4:20 PM

Parents Mobilize Against States’ Student Data Mining

http://news.slashdot.org/story/14/06/06/2041236/parents-mobilize-against-states-student-data-mining

That is why people think there is a problem in education. Also, the State of Florida (or some such in that territory) uses an IBM system to mine such data for prediction of criminal juvenile activity…

http://gizmodo.com/5517231/crime-prediction-software-is-here-and-its-a-very-bad-idea

Based on some comments in the Slashdot post, who is to say that this educational data gathering won’t be used for the same purpose (guilty unless proven innocent).

And, if you want to avoid such shenanigans, then don’t do Xanadu:

http://tech.slashdot.org/story/14/06/06/1757210/xanadu-software-released-after-54-years-in-the-making

Those links will never be broken (speculation on somebody’s part).

Jonathan Wilson June 6, 2014 5:36 PM

The most likely reason for the feds censoring the Stingray stuff is because if it was released it would give people being charged with crimes where this tech was used a way to get the evidence derived from it thrown out. That or provide bad guys with info that could make it easier for them to detect the use of the devices and change their behavior pattern to avoid giving the cops evidence (just like the way criminals will change their behavior pattern if they think their phone is tapped or their house is being watched by the cops)

Rick June 6, 2014 5:38 PM

If Snowden & co. could somehow use known vulnerabilities against the NSA establishment in order to force the world to protect itself from snooping (given a disappointing lack of esprit de corps among the public to demand change thus far) then it might look like the announcement of this new SSL vulnerability, CCS injection. In my opinion.

Perhaps this vulnerability reveals what was meant to the reference in a Snowden story, “Just send it over for a decrypt…” with regard to the intercept and review of captured data in flight. Check out the “Bullrun” and “Cheesy Name” programs.

Benni June 6, 2014 7:17 PM

Openssl contains this nice undocumented API function that can jump to every desired adress

http://goo.gl/TFjQNl

It was written by Andy Polyakov of Openssl.

And there is this Critical infrastructure initiative that supports Openssl

http://arstechnica.com/information-technology/2014/05/openssl-to-get-
a-security-audit-and-two-full-time-developers/

This initiative gets its money from companies like Amazon which supports the CIA with hardware and Microsoft which helps NSA to spy on Skype.

So it is clear which persons the Core Infrastructure Initiative supports:

Today, the foundation announced that the first projects to get
funding will be OpenSSL, OpenSSH, and Network Time Protocol.

“OpenSSL will receive funds from CII for two, full-time core
developers,” the announcement said. “The Open Crypto Audit Project
(OCAP) will also receive funding in order to conduct a security audit
of the OpenSSL code base.”

The fellowships are going to developers

Stephen Henson and Andy Polyakov

Yes this Andy Polyakov is the same one who introduced that undocumented ROP function into Openssl. Of course the agents must be supported during these hard times, especially since they will need much time to figure out the NSA interfaces of future Openssl versions. Simply writing some wrappers to obfuscate the code and then intruducing an API function won’t suffice anymore, I guess… So their job will be much harder, which needs money…

cshannon June 6, 2014 7:51 PM

Interesting article over on wired about two security professionals that reversed engineered desktop IP phones and found buffer over flows, and other vulnerabilities that allowed them to take over the display of the phone and play audio clips over the speaker, all remotely.

http://www.wired.com/2014/06/desk-phone-hacks/

Marshall June 6, 2014 7:55 PM

http://theworldlink.com/news/local/crime-and-courts/wonnacott-guilty-but-not-contrite/article_bce5794c-ec07-11e3-839e-0019bb2963f4.html

“The new evidence was from a forensic examination of a GPS device that Wonnacott had with him showed that, even when it was off, it remained in contact with a satellite. That meant that investigators could track his movement throughout the days in question.

“Monson says it showed that Wonnacott flew to Reno on July 29 and retrieved a vehicle, which they could now prove he drove back to North Bend. It showed he arrived outside the victim’s shop at the exact time the incident reportedly took place, and then quickly sped away back to Reno.”

Hmmm, really??? … Out here in the sticks, this nutball perp pleaded on the eve of going to trial. I suspect maybe this was a bluff that speaks mostly to how modern surveilance tech is perceived by the public … blackest magic …

Thoth June 6, 2014 8:22 PM

@Benni

A few ways we can go:
1.) Make our own crypto libraries from scratch. (terribly poor choice)
2.) Leverage on LibreSSL that has been forked off OpenSSL which is still unstable. (Requires audits and funds)
3.) Continue OpenSSL. (Funded by Microsoft, Amazon and companies whom you accused are in cahoots with the Government of USA)

Honestly all of them are a bad choice from my point of view. Anything can go wrong at any point during the creating/maintenance of critical crypto codes. Crypto is easy to get wrong and very rarely to get right as Bruce have said.

What we need are active support from seasoned cryptographers and security researchers to help during the creating and maintenance of the critical crypto libraries side by side with developers and the community. Money have to come from somewhere so a paid for open source version like MySQL would be nice.

The basic crypto libraries can be given for free and the extended libraries with SSL/TLS and advanced protocol for some paid amount but everything is open sourced. The money are used to pay the people involved. Too much free work taken for granted out there.

On the crypto side, SSL/TLS protocols are rather complex and tricky and it’s not surprising people get them wrong most of the time. GNUTLS, OpenSSL, Apple’s goto bug are some classical examples of the complexity of the SSL/TLS protocol.

I would suggest scraping the protocol and coming up with a properly designed and field tested one before releasing it to the public. SSL/TLS was never field tested in real world conditions before being released into the wild and it’s security is still debatable. I am quite surprised that the IETF actually allowed SSL/TLS to be implemented without proper cryptanalysis until it’s deployed and cryptographers start to do cryptanalysis after it has been released into the wild. Shouldn’t cryptanalysis proceed before product release ?

These are just my few cents of thoughts on SSL/TLS.

Benni June 6, 2014 10:20 PM

@Thoth

I find it extremely problematic that the linux foundation supports openssl and not libressl. There is now money being paid to audit openssl. But what should come out of such an audit? A library that contains a function which enables you to jump to every adress is not secure and can not be trusted. A paid audit will just reveal what we already know.

They should found libressl instead.

By the way, Mr Robin Seggelmann, coder of Heartbleed, also introduced this newer vulnerability to openssl:

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002

Since Crypto AG, the german BND is very successfull in running entire Crypto hardware companies:

http://cryptome.org/jya/cryptoa2.htm

Gerard van Vooren June 7, 2014 1:33 AM

@ Thoth

“On the crypto side, SSL/TLS protocols are rather complex and tricky and it’s not surprising people get them wrong most of the time. GNUTLS, OpenSSL, Apple’s goto bug are some classical examples of the complexity of the SSL/TLS protocol.”

Actually they are not. The TLS spec is bad, but all the bugs are directly related to C. These are:

  • No proper error handling / type (GnuTLS).
  • Ambiguous indentation / scoping “{}” in the case of the double goto.
  • No buffer overflow check in the case of Heartbleed.

The language C, although still very popular, is over 40 years old and it shows. Today a bug can have a massive impact because of the internet. C has too many weak spots, on the semantic level, the implementation level, and the tool chain.

When do people start to realize that we need to get rid of C? And please don’t get me wrong, I am not a C basher, in fact, I like the language, but it is not safe anymore.

@ Benni

Let me be frank and ask the question: Do you think OpenSSL is a conspiracy?

Wael June 7, 2014 1:59 AM

@Gerard van Vooren,

– No proper error handling / type (GnuTLS).
– Ambiguous indentation / scoping “{}” in the case of the double goto.
– No buffer overflow check in the case of Heartbleed.

The first two are not unique to “C”, wouldn’t you agree? The last one is debatable.
As for “C”, whether you want to ditch it or not, The language today has gone many evolutions. “C” today is not the same as “C” in 1969. So, in a way, it’s not showing it’s age, because it got many face lifts 🙂

http://cm.bell-labs.com/who/dmr/chist.html

Thoth June 7, 2014 3:48 AM

@Benni

I do agree that LibreSSL should also be funded. I feel that Linux Foundation (LF) should decide who they want to fund and if better, to fund both LibreSSL and OpenSSL and LF has chosen to fund OpenSSL. One of the reasons I suspect OpenSSL gets most of the attention and spotlight for fundings is due to publicity and usage but LibreSSL should also deserve funds nonetheless in my opinion. One way to bring more funding for LibreSSL is to bring more attention and more publicity. Create an image for LibreSSL and funds would start pouring in. It’s more of the PR issue. Those who are good at graphics design and PR relations can aid LibreSSL in creating an image and getting more attention.

OpenSSL being full of bugs does not equate to just dumping the project and walking away. It requires auditing and fixing in-depth. LibreSSL being a fork should also require the same attention as well to remove bugs inherited from OpenSSL.

The coder who have introduced many bugs into OpenSSL should be removed from the commit list and his codes not be accepted anymore until all the bugs have been fixed.

@Gerard

The C language is indeed an aging language and should not be used for crypto-critical projects anymore.

Regarding the OpenSSL conspircy, I personally feel that it’s more of careless programming than someone trying to meddle with OpenSSL to create backdoors. The codes are in the open but no one spotted it until recently.

Once OpenSSL gets an overhaul and becomes slimmer just like what LibreSSL is attempting to do, it would be easier to maintain the codes and catch bugs.

Just a thought, if the NSA wants entry into computer systems, they would be in any moment whenever they wantand they have tonnes of methods to enter any computer system they want.

Jacob June 7, 2014 4:49 AM

Question to the board members:

Since the NSA is demonstrably interested in encryption, and
since this board deals with security and encryption items,
do you think that the each board member may be a “person of interest”?
And I mean not just monitoring talkback posting, but actually going into the poster computer to see if there are things of interest.

And if you do, does this hinder your postings?

Mike the goat June 7, 2014 5:06 AM

Jacob: I am almost certain that regular contributors to any forum the NSA deems to be of ‘interest’ would be flagged and added to the relevant database. Whether schneier.com is interesting enough, and whether such a low level ‘flagging’ would result in them actually attempting to compromise your computer(s) is questionable, but I have been wrong before.

Re ACLU: yes, I read about this. It is incredible to think that the government of a country which – at least prior to about ten years ago – considered itself to be the bastion of individual rights and free speech is behaving in this way, contravening its own laws and indeed the Constitution. I’m not sure where it stops, and if it will end – without their hand being forced by the people I’d say probably not.

Gerard: what are your thoughts on the legitimacy of OpenSSL? I heard that the initial author wrote the thing as an exercise in understanding how to code with bignum arithmetic?

keiner June 7, 2014 5:46 AM

@Mike t g

You didn’t get what it means “master the internet”? 100% coverage?

name.withheld.for.obvious.reasons June 7, 2014 6:02 AM

@ Jacob

And if you do, does this hinder your postings?

There may be personnel, an agent/mole, that participates in the discussions on this board. Most likely the NSA is auto-collecting blog data from Schneier.com (there is some automated blog slurping spider/crawler) and some trigger/process management invokes some other action automatically. I would find it hard to believe that some clod is sitting at a terminal watching this or other similar sites. Wonder how many hops out “we” are tracked…and…if your http referrer string is from schneier to x than that’s hit, if it’s from cnn/wired (not slashdot or arstechnica) to schneier than it’s dropped. If you’re launching from a bookmark–red alert. And if your using passive tools to scrap content–they’re parked outside in a black van.

Oh, the self censoring echos in my brain–NSA has completely transmogrified my own processes in so many ways. It even ruined my run at a new start-up (fixed investment from savings for a one-year tech boot–date of start-up–OCT 2012). In September I became aware of a series of problematic issues regarding the integrity and status of general technological market sectors in background research for the start-up.

In Feb of 2013, developed Draft of new Business process model to answer the lack of robustness in the SME/Tech business operations and the problems that would be revealed four months later. With experience in ISO 9000 (aerospace), 15408 (computer manufacturer), 27000 (assurance model, infosec) and a number of MilSPEC, NSA, and NIST-based standards, identifying the level of entropy a small tech company may experience, the need to adopt an appropriate framework that can be reliable used without inordinate costs.

Considering specific industry trends–the self censorship is indirect–the efforts of the last year would have been better spent in research, developing our base, and carrying out the design engineering we’d anticipated as the highest order activity. Now, after a year of preventing a sinking due to a hull breach, no measurable progress on a half-dozen projects. My consideration in this matter revolved around the amount of time I’ve spent in the industry, the long-term implications of business and government actions, and the reckless cyber warfare theoretical and statutory positions the U.S government has decided (in secret) is appropriate. Not only that, the devolution of power (and at the same time the centralization of power) in the Presidency to the DoD.

And in November I contacted an alumi relations department (a walk-in task) for my friend, a mathematician that apparently received threats from their government during the course of our business development efforts (several projects were discussed and entertained). My friend was excited about opportunity in Apr 2013, by July the problems began. In late summer, my friend expressed their fear about the situation–thus elevating my sensitivity to the situation. In December 2013 it was decided to terminate the effort for sanity’s sake. Nough said.

Alex June 7, 2014 6:14 AM

@jacob

I have no doubt that NSA has a list with every person posting here. If they had resources to spend on War of Warcraft, be sure they monitor more important places, directly related to their activity, like this board.

I was also supposing Edward Snowden is reading this blog, now that I saw the EPIC footage I am sure. Also, it’s probably Skeptical and one or two more people who were assigned for damage control and to report summaries of what’s going on.

Does this change things? I’m not sure, the whole world became aware of the amplitude of the surveillance and the consequences (and counter-measures) already occurred. As for the NSA guys, most of them are most likely just specialists doing their job. There are politics and big fat rich asses behind, at the power buttons, who are using NSA as a tool, taking the nasty decisions.

Mike the goat June 7, 2014 6:47 AM

keiner: I don’t know what you’re driving at. I also suspect that their coverage is far from universal. No doubt they would like to remedy that, though.

nwfor: I agree with your assessment of the general vibe here. There are certainly many puppets. Whether that is just a consequence of people with too much time on their hands or if it really is some kind of opinion shaping/etc. being done by an agency of some sort, I don’t know, but I definetely notice it and I see that others have too.

alex: Snowden is likely reading this blog – hell, he is probably an occasional contributor. More importantly, the future ‘Snowdens’ of the world are probably reading this blog. This is probably why – if I was an NSA agent – I would want to monitor a blog such as Bruce’s.

Benni June 7, 2014 6:55 AM

@Gerard van Vooren

What “Conspiracy”

Wikipedia Says:
http://en.wikipedia.org/wiki/OpenSSL#History_of_the_OpenSSL_project

Steve Marquess, a former military consultant in Maryland started the foundation for donations and consultancy contracts and garnered sponsorship from the United States Department of Homeland Security and the United States Department of Defense.[2]

The NSA Currently has a billion dollar budget. With that budget, one can fairly assume that they have created their own much better crypto library that is used by the US government. At some Spiegel interview, general Hayden said that the NSA would have “improved” the Blackberry of Obama a bit that its communications are harder to tap. This is only possible if you have your own crypto library that is easily portable to numerous platforms.

There is a law in the US saying that the NSA must collect all encrypted communication it intercepts as long as it is unable to encrypt them. This law should make clear that the US government is hostile towards the use of encryption in the general population.

Openssl is a library which contains an API function written in Assembly that allows you to jump on an arbitrary adress. For example it allows to jump to an arbitrary function and load your own arbitrary stuff there. Thats a hackers dream.

The author who wrote this function writes in a comment:

“This function can become handy under Win32 in situations when
-# we don’t know which calling convention, __stdcall or __cdecl(*),”

That makes no sense. The calling convetion of some function is defined in its C header.

http://msdn.microsoft.com/en-us/library/zkwh89ks.aspx

http://msdn.microsoft.com/en-us/library/zxk0tw93.aspx

Who wants to call some function, when he/she does not know exactly how that function which is being called, is defined. If you do not know e.g which parameters a function takes, which calling convention it has, what it does return, then you do not call it, right?

Well, only a hacker usually does not know exactly how the functions in a program are defined. The hacker also has to try to load some wrong data into a function, or at best start the call at some desired starting point, which would be illegal if you would follow the C language.

And according to the Openbsd developers, OpenSSL has a function for exactly this action included in its API:

http://www.openbsd.org/papers/bsdcan14-libressl/mgp00025.html

http://goo.gl/TFjQNl

The Random Number generator DUAL_EC that was deliberately weakened by NSA was introduced by the “request of an anonymous sponsor” into OpenSSL.

http://openssl.6102.n7.nabble.com/Flaw-in-Dual-EC-DRBG-no-not-that-on
e-td47744.html

That is no surprise. And it is no Conspiracy. That is the code quality you can expect when a publicly available crypto library is openly sponsored by the defense ministry and the homeland security department.

With these sponsors, contributions of OpenSSL developers into other projects must be granted with suspicion, as this can be potential sponsors from government agencies, or from people who earn their money from the department of defense and the homeland security department.

Please note that secret services like the NSA can officially not act as a sponsor of something.

In germany, the listening station in Bad Aibling is officially a “wide range telecommunication site” that is run by the german army. The OSZE military observers in Ukraine come from the centre for verification affairs of the german army, even if they have been briefed by the BND, according to the government.

Similarly, the NSA can not sponsor a Crypto Library directly. But I do not believe that the Department of Defense has large expertise in crypto software, because this is what the NSA was build for.

If the Department of Defense sponsors a Crypto library and hires the developers to do contraction work, then its clear what you can expect.

I guess there will be more to come than just some ROP entry point and a few bugs.

Project Flying Pig where the NSA fakes google servers in MITM attacks must work somehow….

Benni June 7, 2014 7:29 AM

To elucidate How unlikely it would be, if the OpenSSL developers were no government spies, I think the following passage from this Spiegel article suffices:

“But on the other hand it appeared like the German service had an suspiciously great interest in the prosperity of the Swiss company. In October 1970 a secret meeting of the BND discussed, “how the Swiss company Graettner could be guided nearer to the Crypto AG or could even be incorporated with the Crypto AG.” Additionally the service considered, how “the Swedish company Ericsson could be influenced through Siemens to terminate its own cryptographic business.”

So in 1970, the german secret service BND was not content with owning the major shares, employing the management and directing the engineers of One major crypto hardware company.

It also wanted to merge the crypto department of large companys like Ericcsson, a large phone company, into its fake corporation. They were, in early 1970, only content if all crypto hardware in the world is sold by BND or their partners. Motorola was “advised” from the same NSA agents than the engineers of the BND fake company.

One Openssl developers has it only 20 minutes from where he lives with the suburb train to Pullach, the BND headquaters. The ticket for that costs 2 Euro.

If the BND even considered buying the crypto department of Ericcsson, just for gaining control over the worldwide encryption market, it would be almost like a wonder to assume that given the marketshare of Openssl, its developer, living near BND headquaters, was not approached by the agents, if only for his expertise and consultancy.

So the Openssl developers certainly were approached by secret services. This is out of question.

The question is how they reacted.

But with that:

http://en.wikipedia.org/wiki/OpenSSL#History_of_the_OpenSSL_project

Steve Marquess, a former military consultant in Maryland started the foundation for donations and consultancy contracts and garnered sponsorship from the United States Department of Homeland Security and the United States Department of Defense.[2]

It is clear.

keiner June 7, 2014 8:30 AM

@Mike

The bad thing about reality: It doesn’t care for what we “suspect”, “think”, “assume”, it’s simply out there and does what it does… 😉

Mike the goat June 7, 2014 10:04 AM

keiner: I am with you there.
Re OpenSSL: I agree, there is compelling evidence that the EC rng support was added due to government coercion/pressure/etc.

Sasparilla June 7, 2014 10:05 AM

In light of the conversation on OpenSSL there’s this great quote from the article at the Register the other day:

“In one of the most alarming slideshows, NSA’s successes in smashing basic general internet cryptography security is described in classic style as “improving security”. NSA’s project BULLRUN was described thus:

For the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies … Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable. Major new processing systems … must be put in place to capitalise on this opportunity.”

Makes you wonder what technologies these are?

(best review of one year since Snowden article I’ve seen so far):

http://www.theregister.co.uk/2014/06/05/how_the_interenet_was_broken/

Wael June 7, 2014 10:58 AM

@Alex,

I have no doubt that NSA has a list with every person posting here

You see the first link, under Blog Menu? It’s labeled “Archives by Date”.

Mike the goat June 7, 2014 11:02 AM

Shout out here to anyone with the bandwidth and server resources to host what I hope will be a viable replacement for the MIT style PGP servers. Backwards compatible with them, but with a newly fangled API for access to keys and key sychronization – it will hopefully provide a much more relevant search response and could be used by mail programs to further streamline the key acquisition process. If anyone is interested, please check out my blog – my key is on there and the email embedded within is watched.

Nick P June 7, 2014 11:14 AM

@ Sasparilla

Thank you for that link! The list of countries is invaluable. It shows some surprises. Example: many factors made me concerned about Switzerland’s level of cooperation, while I was thinking countries like Finland might be helpful in anti-NSA efforts. Then, the list shows Finland supports the SIGINT efforts, but Switzerland doesn’t. Oh, how The Game never ceases to surprise me…

I was still betting on Switzerland for a few things. Good to see they’re resisting SIGINT. Iceland I’ve promoted, although I can see how this might change later. Good to see the Irish are holding out. In retrospect, it shouldn’t be too surprising as corporations have been using Ireland to dodge governments’ wishes for a while now. The other two are too small for me to be sure they’ll last or still are resisting since those documents were published.

Nick P June 7, 2014 11:38 AM

@ Mike

I still think your should change your policy about never receiving unencrypted mail. There are many people without high assurance workstations (the 99.999%?) who are likely compromised at endpoint anyway. The spooks will be able to read the messages if they want with little more than a few clicks and keystrokes (eg QUANTUM). Many good developers are also relatively open about what they do and aren’t located in U.S. Even those that might use PGP might not care to open the dialog that way, hoping you prove you’re worth the trouble first.

I’m posting this here so anyone else with a blog notices the point. I think forcing a cumbersome process on any potential correspondent will just chase off plenty good ones. Best route, imho, is to encourage use of encryption on contact page and provide links with super-easy instructions on doing that. Maybe even a pre-built binary for worst case where that’s better than nothing. If we’ve learned anything in a decade, forcing a manual process doesn’t work out well.

Note: Anyone running the site on a computer you think you can protect physically and logically is best off hosting an online secure contact page. The system should be SSL protected by a non-Five-Eyes country’s CA with a good configuration. The communications app takes the input, sanitizes it, converts it to a usable format (w/ IP/port/timestamp), encrypts it with your public key, deletes original, and then stores/forwards it for later reading. It’s a nice compromise that lets users send you protected mail without knowing PGP, etc. Best if it’s a standalone app written in safest language/style you know which web server merely forwards HTTP to.

Herman June 7, 2014 12:23 PM

The latest compromise found in OpenSSL is not a backdoor by itself, but it provides a great DIY Kit to subvert the system and it is conveniently built right into the Windows software API: http://www.openbsd.org/papers/bsdcan14-libressl/mgp00025.html

OpenSSL should not be lightly discarded, it should be thrown, with great force and the programmers who are responsible for subverting it cannot be trusted ever again.

OpenBSD needs your support to reconstruct this crucial piece of security software the right way – please donate: http://www.openbsdfoundation.org/donations.html

Mike the goat June 7, 2014 12:29 PM

Nick: I agree with you in principle. Perhaps I should at the very least provide a page with some instructions on how to grab a free TLS certificate from one of the many CAs that offer it and install it into their browser so that they can at least send me a S/MIME encrypted email? The learning curve for SMIME is a lot less than that for PGP, which is often not integrated. I agree it is a barrier to entry.

Leon Wolfeson June 7, 2014 1:10 PM

Herman – Say, you know the time period when OpenBSD was DARPA funded? Among other things. And everyone “knows” that the core devs do security audits, etc.

If you start drawing lines, you rule out a LOT of software.

(To be clear, I don’t believe in the conspiracies)

Jacob June 7, 2014 2:38 PM

@Nick P

Re the SigInt partners table in The Register, I wonder why no South American country is listed there. Not even Mexico.

Gerard van Vooren June 7, 2014 4:09 PM

@ Wael

“The first two are not unique to “C”, wouldn’t you agree? The last one is debatable.”

Whether these features are unique to C or not that doesn’t matter. What matters is that C has these features. And therefore C is not a safe language.

About OpenSSL:

The construction of both the FIPS consulting firm and the open source library makes it fishy. I wouldn’t be surprised if they deliberately obscured the code for “job security”.

@ Benni

Thanks for the reply. It is a good summation of the pain points of OpenSSL. I am still digesting all the information 😉

Buck June 7, 2014 4:59 PM

Wow!! This does indeed seem to be quite an important development in quantum computing…

Electrical control of nuclear spin qubits: Important step towards quantum computers (June 6, 2014)

To integrate nuclear spin-based qubits into electronic circuits and specifically trigger novel information processes, specific electric manipulation of nuclear spins is required. A team of scientists of the KIT and the Centre National de la Recherche Scientifique (CNRS) in Grenoble and Strasbourg recently succeeded for the first time in manipulating a single nuclear spin in a purely electric manner. “Use of electric instead of magnetic fields paves the way to addressing quantum states in conventional electronic circuits,” explains Professor Mario Ruben, Head of the Molecular Materials Research Group of KIT’s Institute of Nanotechnology (INT). “There, quantum states can be manipulated specifically by so-called displacement currents. Then, they can be directly read out electronically.”

http://www.sciencedaily.com/releases/2014/06/140606091423.htm

What was that about the NSA not being made of magic..? Perhaps they should get in touch with some persons of interest at the Karlsruhe Institute of Technology in Germany… 😉

Wael June 7, 2014 5:02 PM

@ Gerard van Vooren,

Whether these features are unique to C or not that doesn’t matter. What matters is that C has these features. And therefore C is not a safe language.

Good point! But some of the bugs you listed are logical bugs caused by the “programmer” rather than the “language”, such as the two goto statements in a row. This is “language” independent. Regarding the “goto” statement, maybe “C” makes it easy for a programmer to make such a mistake, and the syntax will have to be improved in a more “secure” language to prevent this sort of error.

We are being bred for slavery June 7, 2014 6:00 PM

They are dismantling the sleeping middle class. More and more people are becoming poor. We are their cattle. We are being bred for slavery.

They are dismantling the sleeping middle class. More and more people are becoming poor. We are their cattle. We are being bred for slavery.

They are dismantling the sleeping middle class. More and more people are becoming poor. We are their cattle. We are being bred for slavery.

unamerican June 7, 2014 7:06 PM

Meta: in re controversy on a previous thread related to Skeptical and Mr. Pragma. I would suggest that Skeptical produces a quality of speech much more dangerous and offensive than that of Mr. Pragma. The greater danger is offensively calculated pro-neoliberal/capitalist/fascist, authoritarian, statist, putatively ‘democratic’ propaganda. I would urge readers going forward to examine the Skeptical narrative as prima facie evidence of a sophisticated (but not too sophisticated) military intelligence disinformation operation designed to co-opt dissent and distract from honest discussion of paramount issues of individual liberty and social justice. And to engage with the Skeptical identity only as an experiment in tactics to defeat that identity’s agenda generally in all venues.

Mike the goat June 7, 2014 7:15 PM

OctoMe: not only that, but many browsers now have OCSP certificate revocation lookups enabled by default, effectively providing who-ever runs the CRL server with a list of SSLized sites visited. It is a slow and slippery slope, and unfortunately I believe that we (those who value privacy by default) are losing the war.

Mike the goat June 7, 2014 7:22 PM

Clive Robinson (if you are watching): you’ll be pleased to know that I successfully created and tested an EMSEC ‘validation device’ against an MSI 15″ LCD laptop approximately fifteen feet away, separated by a single drywall. Sufficient contrast was available for the trained eye to observe the actions on the device. When we redoubled our efforts and developed a hand wire-wrapped directional antenna and aimed at what we believed was not the display but the notebook itself the results improved – we had a decent picture. It goes to show just how pathetic consumer laptops are against electromagnetic surveillance. We have more things planned for our little device, including perhaps some construction plans (ours is fancy only in that it has DSP to ‘clean’ up the received signal). That’s if we don’t get “disappeared” first.

Benni June 7, 2014 7:48 PM

@Hermann:
“right into the Windows software API:”

No, You cite a slide with the function I refered to in my earlier postings. According to the comments of the openbsd developers to which I linked above, it actually is not only built in the OpenSSL Windows API. It unconditionally compiles for EVERY platform, says the openbsd commenter.

I think Andy Polyakov who wrote this function into Openssl has a good way to prove that he is not an agent. Once he had learned that this function could be used by hackers, he could have and should have simply delete this thing out from Openssl.

But he has not done that yet. You can guess why….

What is somewhat troublesome is the code comment trying to explain why he wrote this function:

“It would come handy if you do not know the callinc convention stdcall or cdecl of a function”.

What nonsense. If you do not have the function header, where the calling convention is defined, you do not call that function. Its as simply as that.

Except if you are a hacker who wants to call some stuff illegaly and put some wrong data into there circumventing the ordinary compiler rules of a programming language, in order to see what happens then. So in some way the code comment indicates that this function was deliberately written for hackers wanting to subvert the system.

Clive Robinson June 7, 2014 8:27 PM

@ Mike the Goat,

Insomnia is yet again playing it’s little game with me, so yes I’m casting a bleary weary eye in this direction at the moment whilst waiting for the inevitable to happen around five minutes befor the alarm clock (I’m not being helped by a bunch of rutting cats in the garden and thoughts of cross hairs keep crossing my mind 😉

I must admit I’m far from surprised at your results, as I’ve said on the odd occasion before, to save money they find inventive ways to meet the EMC masks of the FCC or European CE rather than removing the actual radiated energy (check the BIOS for a spread spectrum setting etc).

Now I don’t know what equipment you have available to you, but with a decent spectrum analyser and a suitable output power signal source, you could try a HIJACK or TEAPOT attack.

Put simply you run the signal source into a directional antenna (say LDPA) pointed at the lap top and with the spectrum analyser in zero span mode (signal demod and display) connected to another antenna check and see if you can get data to cross modulate onto the sig gen frequency or on one of it’s odd harmonics. You might easily be able to extend your range out beyond 50meters…

There are other tricks you can try depending on what you want to get at, for instance rather than just the display get the keyboard scan/output to capture passwords/phrases etc…

If you have basic EMC test equipment you might be very shockd at what you can do, even without agumentation via broad band RF amps for both RX&TX.

Jean Meslier June 7, 2014 8:38 PM

Layperson here wondering what you security gurus think about the future potential of wireless ad hoc networks like Firechat to get away from the octopus. Get a secure device, crypto your message, break it up into different packets that must find different routes… is there hope?

Wael June 7, 2014 8:59 PM

@Jean Meslier,

is there hope?

Only superficially! Firechat, as far as I know, sends the whole payload to a device. It doesn’t break up a message into multiple packets that must go through different routes. Assuming we have control on the routes and the packet distribution among routes, there will be some requirements that have to be met to “enhance” the privacy, and this is just scratching the surface…
1- Your device “must be assumed to be secure”, un-tamered with, and doesn’t have other components that relay the message elsewhere — real time, or otherwise
2- You’ll have to have some assurance that there is no “crypto” functionality “deliberate degradation” on your device
3- Assurances that the packet went through different (and maybe trusted routes) — some routes could be compromised or “controlled”
But if designed well, I think it raises the barrier a couple of notches. If it’s not well-designed, it’ll reduce the “security” posture of the solution for the simple reason that the surface of attack has been expanded — a side effect of added complexity.

Thoth June 7, 2014 9:15 PM

There has been much talk about using crypto to defend here and it’s a good idea. There’s something I feel we left untouched during so much discussions which is the Rubberhose cryptanalysis. So far I don’t see a working defense against Rubberhose cryptanalysis and Julain Assange’s RubberhoseFS is not maintained anymore.

@Jean Miller
Our electronic data is sadly very very vulnerable. You can grab monitor screens via directional antenna, you can subvert crypto, software or hardware, you can use human engineering, you can do so much against someone to get at their data. What we can do is just try our best to delay attacks. Nothing last forever. Properly implemented crypto with proper libraries and software, use a trusted hardware with electronic warfare shielding and tamper evident sealing. Self-destruct devices (lots of people overlook this one) with RubberhoseFS (another feature people usually miss out) would be great.

Here’s my design for a RubberhoseFS with possible self-destructing capabilities. Segment data into blocks and blocks can be encrypted with any key and algorithm. Fix length blocks to be more specific. Extra spaces in blocks to be appended behind in random bits or bytes depending on what you want to use. Segment your data profiles into multiple layers using multiple keys and algorithms. Choose one or two profiles to have the hard-kill command embedded so once you give away your keys to unsuspecting people who attempt to decrypt your RFS without proper acquisition techniques, it’s going to self-destruct the data. In case they have a backup already, of course dont expose the self-destruct keys but give the keys to other profiles that are plausibly designed (if you are good at faking profiles). For the rest of the blocks of data, point out the fact that the RFS randomly sprinkles random blocks of data so you have no keys to the rest and they have to work hard.

Of course, if you give them the keys honestly, they will not let you off the hook and if you give them the wrong keys they will also not let you off the hook so might as well face the fact that you are now a captive of theirs and just give them wrong keys. Oh, maybe you can embed tiny executables and bugs into other portions of the RFS and give them those wrong keys so when they decrypt and attempt to run it, those exploits you have encrypted would be nice to rampage around their system if they attempted decryption on their secure environment.

That RFS above might cover up for the lack of discussion on the design of RFS here.

Chris Abbott June 7, 2014 9:29 PM

@Jacob

Given the topics here, the fact that it’s Bruce Schneier’s blog and most of are clearly anti-NSA, I’m sure they do. Especially given the professions most of us here have (e.g. anyone remember the document that was titled “I Hunt Sysadmins”?). It’s not going to affect what I say. I won’t self-censor. Freedom of speech is our God-given right enshrined in the constitution. It’s at the core of Democracy. I’d honestly rather die than let them do that. It simply disgusts me that we’ve gotten to the point where we have to discuss this. It’s seems like this is becoming an authoritarian government.

Thoth June 7, 2014 9:31 PM

Honest and open speech and conversastion are the basis and requirements for an open and democratic society. Sadly most “democratic society” are undemocratic due to Government interference.

Sasparilla June 7, 2014 9:50 PM

@Jacob

“Re the SigInt partners table in The Register, I wonder why no South American country is listed there. Not even Mexico.”

Seems pretty obvious, its not because those govts all said “No way”, I’m sure its because the document listing partners/targets for South/Central/lower North America hasn’t been released or wasn’t recovered.

Nick P June 7, 2014 11:26 PM

@ Leon

Always remember about funding that there isn’t one U.S. government. It’s a bunch of different groups with competiting interests collectively called U.S. govt. Tor has been funded by NSF for quite a while. Leaked slides indicate it’s giving NSA plenty problems as of 2012. So, obviously funding != backdoors or even weakness. Quite a few groups in government fund plenty of good work in INFOSEC for their own use, but release papers or prototypes to public. It’s the dual nature of US govt.

The thing is, though, that all code and protections should be treated guilty until proven innocent. Sponsored, government, FOSS… any must be reviewed for intentional or accidental vulnerabilities. So long as it’s well documented, it doesn’t matter where it came from. It will be vetted like anything else. OpenBSD, Tor, NSF’s many grants, DARPA CRASH projects… the government’s had a hand in many tools that can protect freedom in the right hands. Assuming they’re properly vetted, transmitted, installed, configured, and maintained. “Because that’s where they get you.” 😉

@ Jacob

That’s worth noting. The other comment suggested it’s on another list. That might be true. A lesser explanation is that we’ve angered so many of them with covert operations that they don’t trust wholesale taps of their fibers. That would depend heavily on the country, though. Some are allies, even with military agreements. Others are distrustful or outright opponents. My money is on there being no willing SIGINT taps in Venezuela, Brazil, or Argentina, for example. 😉

@ Gerard van Vooren

Take a look at this low-level language project I found. It’s actually from 2005, but has comparisons against Cyclone and SFI:

Cuckoo – a language for implementing memory- and thread-safe system services
http://www.flux.utah.edu/download?uid=89

@ Mike the goat

re EMSEC attack

It’s interesting that you know how to do that. Few do.

Nick P June 7, 2014 11:37 PM

@ Jean Meslier

First idea that comes to my mind requires no technical skill at all: dead drops and brush passes. The classic ways spies exchanged information. The idea was that it was local, physical, and hard to observe. I’ve heard years ago that bluetooth-type tech was already used for a modern brush pass without physical contact or briefcases changing hands. The signal was weak enough to reduce odds of detection. The modern version of dead drops is pretty much stegonagraphy, anonymous email/storage/hosting, etc. More detectable than the real thing.

I could see a peer-to-peer (P2P), mobile technology being used to do similar stuff. Making it a local or P2P phenomenon should reduce effectiveness of dragnet surveillance. One could further reduce effect of traffic analysis by using anonymous relay technology similar to Tor, I2P, or Freenet. Further, darknet (friends-only network) approach could be used for groups by having a shared password and even a maximum range in signal strength or hops.

So, I think there’s potential in that type of stuff. It’s just potential that will take time to understand both in theory and practice. Old school tradecraft is still more effective at dealing with an electronics loving spy organization, as various groups have been showing NSA over the years. 😉

Figureitout June 8, 2014 12:55 AM

Mike the goat RE: LCD TEMPEST “security”
–Thought you could sneak a radio post past me, eh? Those horns are busy, I always assumed you were letting the world know when you had a boner or some such thing. :p And here I am stuck reinstalling windows, drivers, and wiping harddrives…But I got these old PC’s and their power supplies “blown out” (they were dusty) today and getting ready for a couple digital radio stations (only problem is I can’t put up antennas how I want b/c of stupid neighbors). Neat, but prefer countermeasures and I’ve thought of trying some of these attacks on real targets…like my school. They have a testing center and I wonder if it’s shielded (the doors are clear glass). They’ve fcked up before like letting students print test results from the testing center…Then had us “sign a paper” saying we won’t do it, why don’t they fcking pull the network access there?! But you need to shrink the POC down to something you can carry mobile unless you just don’t give a what. Maybe before I’m done w/ school, I could get the IT dept. to let me do a Bluetooth logger for all the kiddo’s smartphones (which they won’t even touch default bluetooth settings), just to show people just how easy it is just sniff data…

koita nehaloti June 8, 2014 2:40 AM

Taliban video showing the release of Army Sergeant Bowe Bergdahl :

https://www.youtube.com/watch?v=H0_eMLM5DD8

The actual release is on about 6:40

This story is partly about trust. How it was possible for the 2 sides to gain enough trust to do what they did in the video?

I would have guessed that Bergdahl would walk 300 meters alone to a spot where helicopter would land, but no. It is surprising how the sides did meet.

This story may also be about communication? Did taliban and nato communicate with old analog 2 way radio format using coded language to hide from 3rd party gunmen? Did they communicate via internet at some point?

Are the special forces delta force?

Jacob June 8, 2014 4:25 AM

‘WASHINGTON – Edward Snowden does not appear to have taken as much as originally thought from NSA files, The Washington Post reported late Thursday.

The damage is still “profound” from the former NSA contractor who blew the cover on vast US surveillance programs of everything from everyday people’s phone calls to intrusions into high-tech companies’ servers, Director of National Intelligence James Clapper said, according to the Post.

Still, “it doesn’t look like he took as much” as first thought, Clapper was quoted as saying in what the Post called a rare interview Tuesday.

“We’re still investigating, but we think that a lot of what he looked at, he couldn’t pull down,” Clapper said. “Some things we thought he got he apparently didn’t,” the director was quoted as saying. ‘

Mike the goat June 8, 2014 6:39 AM

Clive: I am surprised that this hasn’t been brought up as a major issue and mitigated. For example, I found that there was pretty much an omnidirectional emanation from the laptop. I would have expected them to at least be partially shielded. I guess it depends on the vendor too – I have broken apart laptops with thick conductive foil backings that sit behind the LCD display. Then again, a lot of vendors are putting their wireless antennas up near the webcam areas of the screen now and I guess they don’t care too much about it anyway.

Obtaining emanations from the keyboard interests me greatly. I have an SDR and was hoping of using it, along with some kind of directional antenna and input amp to obtain data from the keyboard controller but I think at the distance we are talking about acoustic pickup via a directional mike “gun” would be more productive.

What really gets me is that it appears that the bulk of the signal leaks from the LVDS cable from the mobo of the laptop and the LCD, and the LCD controller board itself. It would appear to be relatively easy to mitigate, but hell even having some kind of encryption on the signal would render these attacks useless. Perhaps on first power on it can negotiate a key (assuming first power on is done in a secure location away from prying/EM listening eyes this should suffice) – or just do something like HDCP (except without the compromised keys ;-). I guess the simplicity of doing LVDS signalling bit them in the ass.

Nick: all the information is pretty much public domain. This is why it surprises me why the govt seems so damn scared of any information on EMSEC.

Jacob June 8, 2014 7:32 AM

@unimportant

If you refer to “to see if there are things of interest.”, then I can think of various things:

  • security / crypto development and discussion
    (e.g. internal business discussion about methods and vulnerabilities of specific products)
  • internal documents held by members of a security apparatus of foreign govs
  • Remote management related passwords (e.g. if you are a sys admin – or even a user – and use your home computer to remote access your place of work).

Mike the goat (horn equipped) June 8, 2014 8:36 AM

Ooh… By the way Nick, I am almost finished the RFC for blogsig.

In another unrelated project – remember when we were all complaining about ipv6 and what a failure it has been, and I spoke out saying what I would have done as an interim solution and called it ipv4.1. Turns out I figured I best put my money where my mouth is. I initially assumed it would be a five second job and a ten line diff to an existing ipv4 stack but the Linux stack is way complicated and changing the size of ipv4 addresses causes problems downstream with things like netfilter. So I have instead been playing with minix3 – which is convenient as the tcpip stack is in userspace so testing is pretty straightforward. I hope to have a few different systems – perhaps two MINIX VMs and three DOS/wacom stack machines in a test network shortly. Not to seriously propose any real alternative but more just to put my money where my mouth is and show it can be trivially accomplished.

Incredulous June 8, 2014 9:15 AM

@Jacob

“If you’re launching from a bookmark–red alert. And if your using passive tools to scrap content–they’re parked outside in a black van.”

Could you elaborate? How could a clean bookmark to schneier.com be a problem? How can you scrape with passive tools? I use scrapbook on firefox, but it sends actually requests, so it is not passive. Do you mean a scraper that collects data as I browse manually? How would passive scraping be detected?

Thanks. It is nice to hear that some of my concerns on the EPIC thread are shared.

Jacob June 8, 2014 9:50 AM

@Incredulous

That quote you cited was written by
name.withheld.for.obvious.reasons

I have no idea what he/she meant by that.

I'm going to be put on a watchlist, amn't I? June 8, 2014 9:58 AM

Hey fellas, I was planning to post this on the previous week but I forgot about it. Anyway, we all know the NSA has been subtley collecting massive amounts of data and even went to crazy extremes. (On the other hand, it’s not that hard to affect 13 year olds, and when combined with America’s emphasis on “Individuality” is actually a pretty smart plan that’s likely to have a good success:failure ratio.)

But I was thinking, does the NSA having your data actually makes you less suspicious? Say, like, you have a Facebook, Youtube, Whatsapp accounts, and other “popular” services. You’re basically blending in. You’re not setting off an alarm. I’m probably missing something, because just now I thought about facial recognition, but by the time you’re being facially scanned is probably the same time you already have your mobile phone on you being scared to death your battery won’t run out because you get instant updates from your 10+ accounts or whatever. On a different note I do wonder how many people who frequent Bruce’s blog actually have a facebook account, or maybe even more? 🙂

On the other hand, does lacking all of these actually put you in the clear? Sure, you might not be a criminal, but what’s the reason you really don’t have 10+ accounts constantly drowning you in updates to your mobile phone?

A more simple way to this would be I presume signal and noise. Noise is basically everywhere, but you probably want the signal, right? Or does the NSA want both? Is the NSA’s plan is to get security to absurdity?

koita nehaloti June 8, 2014 10:41 AM

Getting hashes for Linux distribution .iso s or getting public keys of the distro disseminators is really confusing and feels risky. Even when Linux is installed, adding more repositories in some distros gives even more confusing question about “do you trust this public key fingerprint? ” (actual wording may be something scarier than that) This kind of question may scare many people and organizations off from Linux.

Could we have more trust-inducing way to verify operating system ISOs etc.?

Some copy pasting from a tor hidden service (“torchan”):


Secure way to distribute hashes

We need a system to distribute a weekly or daily big packet of hashes (sha512) of important software and Linux distributions, public keys of people, websites and organizations and possibly even hashes of parts of bitcoin and litecoin etc. block chain. SHA512 hash of that packet itself will be disseminated by various of-band methods, like data transmissions in 100 megahertz to 100 kilohertz radio, text-tv, paid ads in paper newspapers and within satellite radio data transmission.

Radio is special, because the bigger the wavelength (smaller frequency), the bigger the transmitting antenna needs to be, while the receive antenna size does not grow so much. Submarine VLF antennas can be 300 meters wide with tall poles, but the receiving antenna fits on table(but is heavy with lots of wire rolled). Forging / spoofing those submarine radio sha512 hash transmissions would be extremely expensive and would be noticed worldwide, but using them normally would be cheap for those who already have them.

15 megahertz transmission would be easier to spoof, but it would be noticed in wide area. 15Mhz goes thousands of kilometers by reflecting from ionosphere, and I imagine that a cell phone or usb memory stick sized usb device could receive it with 1-2 meters of wire. I have seen old hand fitting radio that receive it and most of that radio is loudspeaker and other analog-audio-radio related things that are not needed with data when computer can handle all interface via usb.


VLF transmitter

https://en.wikipedia.org/wiki/Very_low_frequency#Antennas

For distribution of master hashes, much weaker transmitter would be enough.


“Why can someone not transmit their own hashes on the same frequency?”

It would be noticed. 2 simultaneous different transmissions would garble each other or if the spoofing transmission is drowning out the real, it probably can be noticed by measuring power levels and comparing them to natural sources (lighting, ionosphere, somewhere in the world), but that is complex question that I don’t know much about.

With separated real and spoofed transmission:
Know the error margin of your clock, then start waiting for the master hash that time before the announced time, until after same time, and if you got 2 transmissions that are in the master hash format, you know someone is trying to attack someone, and then you know to buy a magazine or newspaper with a small ad containing the master hash, from a random shop.

If military radio intel organizations want any useful function, they should locate the spoofed transmission.

If classified ads section has 2 hashes apparently from the same source, you know there is attack. Newspapers should and probably would be vigilant about their hash printing, and alert police if someone tries to print spoofed hashes. This system is anyway probably worth an article in that same newspaper, so they should know.

Nick P June 8, 2014 10:58 AM

@ Figureitout

You’re confusing all the benefits of desktop computers with the “feature” of power button in front of the knee. I had a problem with only one of these. 😉 The thing is that people wouldn’t have accidentally shut off their boxes if they had put the button… anywhere else on the box. lol

@ Mike the Goat

Cool on Blogsig and IPv4.1. Look forward to seeing them done. The Linux implementation being incredibly complex… Who’d have thought? I would’ve suggested a BSD but that’s what you’ll be using as MINIX 3 borrows from NetBSD. And DOS? Ok, I didn’t see that coming.

Btw, what’s this about PGP keyserver replacement? You going to put that on your blog (didn’t see it) or just keep in in private correspondence with interested parties?

Clive Robinson June 8, 2014 11:02 AM

@ Mike the Goat,

Clive: I am surprised that this hasn’t been brought up as a major issue and mitigated.

It had been brought up as a major issue over and over again in many different places for many different reasons, but almost always totaly ignored by those whos job it is to ensure EMC to FCC or even European CE standards.

The problem is what a test house might see as a transitory blip for EMC certification is actually acceptable providing the energy radiated after a one second normalisation is inside the EMC mask. Further testing of computers etc is done in what amounts to a passive way with no I/O active and no kby entery.

But lets say it does break the mask even after the one second normalisation, it will be looked at only as an EMC Cert failure not as a significant security breach…

And this is just another variation on the “free market mantra” that causes a race for the bottom in required standards and an almost hopless night mare in security.

Because often the solution is worse than the original problem…

As the designer of the laptop which is an FMCE device your three main tasks are 1, keep marketing happy, 2, meet required market standards, 3, minimise costs as much as possible.

2&3 trade off against each other, that is you want to reduce component cost and production cost in a way that only just meets the electrical safety and EMC requirments.

However whilst HiPot test measurements are generaly not averaged over time EMC measurments frequently are… thus a third vector to EMC costs arises “time”. If you look at the output spectrum of a computer at rest with no EMC components or measures in place, it looks like a broadband noise source, however focus in and you can see it’s actually a “comb generator” of hundreds if not thousands of discreate frequency spurs each with their own amplitude. The majority will be inside the EMC mask but some won’t. Traditionaly the solution was to add filter components that are large, expensive and add to production costs for no improvment in “marketing” functionality. So how to reduce the few problem frequency spurs without adding such components?

Well as I said the spurs are descreate with their own amplitude, if you FM modulate it itwill spread the spur energy across multiple frequencies and as a consiquence bring it’s amplitude by the ratio of the unmodulated to modulated bandwidth.

So if the chip manufacturer adds some circuitary to the master clock generator inside the chip the cost is virtualy zero to solve the spur amplitude problem. The simplest way to do this is with a Direct Sequence Spread Spectrum modulator which in effect is an XOR gate and a bunch of latches and xor gates aranged as a Linear Feedback Shift Register (LFSR). Quick simple and very low cost.

However the total Eam energy radiated by the device is still the same, it’s just spread all over the spectrum. Now with coding gains of 20dB easily achivable the reality is the laptop could radiate one hundred times the energy with the DSSS turned on than it could with it off. Greate for the designer as they have meet the EMC requirment without actuall spending any money on filtering components.

BUT… if the radiated EM is one hundred times greater it has to still go somewhere, and in practice this means that it travels ten times further than if it meet the masks without the DSSS modulator on the master clock.

Now if you happen to know the sequence used by the DSSS modulator then you can demodulate the spurs back to what they originaly would have been. Which is greate because you can evesdrop at ten times the range. But it gets better… the demodulation process is cohearant only to the transmitted signal you are tracking, all other signals will be spread into the noise floor by the demodulator. Thus you can not hide one computer in amongst many others when the attacker knows the chip sequence…

So the free market solution to the EMC mask actually makes your privacy/security margin range ten times worse…

The US Gov know this and have known it since late in WWII though the information was known to telco engineers since WWI or earlier.

The US Gov decided that the best thing to do was classify it (TEMPEST) and prevent people getting hold of screening materials and filter components etc. Untill the density of radios etc made EMC a requirment for simple usability, however preasure was applied to standards commities to keep the EMC requirments minimal so the likes of the DoD and NSA could keep spying on eminations as could other Five Eye nations. It was an easy sell as nobody wanted the EMC requirments to be overly onerous due to consumer cost and loss of profit involved.

But as you have found as far as privacy / security is concerned it’s a compleate disaster…

As I was commenting to @Nick P the other day, for various reasons although we intrinsicaly know the risks as engineers, we discount them away on the idea of “they won’t do it to me, or my customers unless they are evil and thus deserve it”… How wrong can one be?

The funny thing is some of us have said it over and over again and in effect got the “You’re paranoid” or “That’s just some silly conspiracy theory” from people who would rather “not think hinky” as Bruce so apptly put it.

We naturaly tend to think good of people not the worst and now people have had a little wake up call curticy of Ed Snowden, the question is are they going to not just smell the coffee but actually take a good long drink of it…

Jacob June 8, 2014 11:16 AM

@koita nehaloti

Linux distributions use hashes and PGP keys because the people involved are geeks and purists.
Had they not, they would have purchased a code-signing cert from a recognized CA and then it would be easy to verify for the non geek.

I trust many CA (not all, but many) to the same level as I trust linux maintainers, which is more than I trust the device drivers corporate writers who insert their own binary blobs into the various official distributions.

Incredulous June 8, 2014 12:02 PM

@Jacob

Sorry. I guess the threads aren’t as easy to parse w human intelligence as I thought. Or I shouldn’t ask questions until after coffee…

Nick P June 8, 2014 12:16 PM

@ Incredulous

Their main use of Internet eavesdropping is profiling via traffic analysis. That’s their passive monitoring goal. Then, if they need to target someone, they can leverage that information and infrastructure in the process. The passive collection uses filters to catch anything they think might be of interest. Interesting parties probably include hotspots for activity that hurts the NSA’s mission. This might be big time blogs, technical mailing lists, etc.

Name.withheld guessed, like I did, that they probably have monitoring scheme for this blog. They’d start with the list of all connections to it. From that point, they’d look at frequency of visits, whether comments were made, and how often. A passive monitoring tool, like a web scraper, was my first idea for how to keep up with this blog during busy periods. Anyone having that shows up as connecting to the site one or more times per day in identifiable intervals without commenting during such sessions. So, such a person would be grouped in with others that seem to be committed participants of the blog rather than casual readers. The dedicated participants are relatively few and could get more manual/automated analysis.

Many here consider Skeptical to be a plant pushing a pro-NSA agenda. The truth of that is irrelevant for this discussion. The point is that NSA and Britain both have programs to get people in games, blogs, etc to collect information and sway people. Hard to be sure how they’d allocate their resources. Yet, Bruce’s is a very high profile blog and he’s regularly in media. It’s worth targeting with humans in aforementioned programs. If that’s true, then it’s definitely worth targeting with their SIGINT collection systems that run 24/7 with abundant storage and bandwidth. The app in question I could throw together in a day on a cheap server. My mantra is, if it’s that easy and useful, assume they’re doing it.

Re bookmark thing. I have a few ideas on that. Yet, I think name.withheld just mixed his risks together: the “almost certainly doing it” with the “wild possibility I’m brainstorming.” A bit overzealous about getting the risk across, I think, is all that was.

Incredulous June 8, 2014 12:26 PM

Sniffing has shown me time and time again that there is no way to tell what your computer is up to unless you monitor it.

I was exercising my sniffer while working with my latin american proxy and I noticed something really strange under fedora yum — it was getting its repos from a us govt mirror: mirror.pnl.gov. DOE site. It advertises itself as a friendly aid to the internet. I wish I could believe the US govt has any such intention.

Research shows that yum looks for the most appropriate mirror based on your location. Seems an unlikely mirror for latin america. I wonder if it is designed to delay security fixes to latin american targets. Fedora packages are PGP signed so inserting a totally new one would be harder than simply delaying updates. Any opinions of what it might be up to? Or not?

You can edit your /etc/yum.repos.d/*.repo (Under Fedora 19) and place an ip parameter in the mirrorlist url to set your location somewhere else. And it works based on my sniffing. It might be a good idea if you think you might be offered fake or obsolete packages.

But this discovery makes me more hesitant to trust Fedora. I have used the PRISM-BREAK site to vet my OS choices. I used to use Ubuntu, but although it doesn’t take a site to let you know Ubuntu is intent on selling your private info, PRISM-BREAK did put a nail in its coffin.

I like TAILS on read-only media, but it is a pain for doing any development work. Anybody have a strategy or link for a use of TAILS for development? Or a linux alternative, besides air-gapping?

Incredulous June 8, 2014 12:40 PM

@ Nick P

Thanks for your comments. I wish the NSA didn’t think it was worth it to monitor us. I used to focus on tracking malware, rather than worrying about privacy and Big Brother. I would have been proud to work for the NSA. When Obama was first elected I was excited about the incipient new America that was facing its inequities and injustices and really living up to its potential.

WAH wah… What a disappointment. Maybe I am idealist, maybe even unrealistic, but idealism interacting with reality is the engine of change and growth. I foresee stagnation and reduced prosperity for all.

Figureitout June 8, 2014 1:28 PM

Nick P
I had a problem with only one of these. 😉
–Are you like putting the desktop b/w your legs and mounting it or what..? Oh you must have that dreadful “restless leg syndrome”. Ok, nvm don’t answer that (that would explain a lot though lol), the winky smiley face says it all… :p

I’ve got 3 split open PC’s around me now, all the power button consists of in one of them is a tiny board w/ LED’s and a button on a tiny board w/ screws; the other is a button again which is harder to get and goes back to the MOBO (still slightly movable). In other words you can move it or solder an extended cable to bring the button up in your face. It’s a silly non-problem, actually wait…Sometimes I run my fingers along a keyboard to remove dust (just a little quirk) and the other day I hit the power button by hitting this little button that tells the laptop that it’s closed. It takes forever for this laptop to boot up and I was working on it so I was pissed. If it was around my knee I wouldn’t be hitting it…

Oh BTW, found a CF card for that Cassiopeia thing, today is a good day.

MikeA June 8, 2014 4:47 PM

@clive: I have yet to see a motherboard that was decently reliable with spread-spectrum clocks enabled. Apparently that feature is only to pass tests, then disabled for actual use. I know of one (large, un-named here) company who left them enabled, and their time across clusters was, um, challenging.

As for shielding. A year or so back a mailing list I frequent was wondering about a large number of dropped (as SPAM or Malware by email “firewalls”) messages. Some triangulation determined that the “dirty word” was a brand-name for conductive paint used for EMI shielding. Oddly, the original message that triggered the failure avalanche was from a person in Oak Ridge TN. Got a lot of folks re-tightening their mu-metal helmets.

Clive Robinson June 8, 2014 4:51 PM

OFF Topic :

It would appear that China is further upping the anti against US service / software / hardware companies, which may actually end up costing the US economy rather more than the US Gov TLAs budgets for spying did…

http://www.reuters.com/article/2014/06/04/us-china-usa-tech-idUSKBN0EF0CA20140604

Which suggests that mass economic spying may turn out to have a very bad ROI, however I suspect well targeted economic espionage will as the French once pointed out continue to show quite a good ROI.

At the end of the day, currently the US is on the wrong end of the stick by poor/shortterm economic choice, the corps have chosen to “sup with the devil” but neglected ” to use a long spoon”. Whilst the issue is far from insoluable in the long term, share investors might well go for the “Sue Grabbit and Run” option as a “stop loss” in the very near term which will add more instability and might just act as a tipping point. Whilst it is of academic interst to watch it play out, it needs to be remembered it will have effects on employment in the high tech arena. Which perversely may cause an even worse problem by further out sourcing to other countries including Europe, India, Israil, Russia all of whom are in effect currently competitors…

Chris Abbott June 8, 2014 8:07 PM

@Figureitout, @Nick P.

That’s why I say hell with the power button. I just touch the appropriate pins together with a straight bit screwdriver. Works great!

Chris Abbott June 8, 2014 8:13 PM

@Paul, @Benni, @Thoth:

From what I’m reading it’s starting to look like OpenSSL is junk. I’m guessing it’s been getting more scrutiny and code review than ever since things like BULLRUN became known. Am I wrong, or do you think that’s all likely?

Buck June 8, 2014 8:34 PM

@Incredulous

Unfortunately, untrustworthy source repositories & DNS in general, surely are a real major problem, but you’d almost certainly be a fool to think that setting a specific IP address could possibly offer any additional security against state-level or organized-criminal attackers…
(See QUANTUM and FOXACID … and NSA not Made of Magic)

Nick P June 8, 2014 11:09 PM

@ Jacob

“Linux distributions use hashes and PGP keys because the people involved are geeks and purists.
Had they not, they would have purchased a code-signing cert from a recognized CA and then it would be easy to verify for the non geek.”

Idealism vs pragmatism. A theme I keep revisiting in discussions here. One must use pragmatism if widespread success is the goal.

@ Figureitout

“Are you like putting the desktop b/w your legs and mounting it or what..? Oh you must have that dreadful “restless leg syndrome”. ”

LOL. No, more like where they were located in typical work desks. And the button was always right in front of the knee and activated with the slightest touch. It’s why most modern power buttons require you to hold the button a few seconds. One huge annoyance replaced by a lesser annoyance so engineers couldn’t fix the root problem: location of button.

@ Chris Abbott

Yeah there’s always the geeky, over-the-top way to do it. Personally, I miss the power switch in the back that gave us the distinction between “soft” and “hard” resets. I prefer the hardwired switches for power, knobs for audio, and so on because they always work. Simply no firmware or drivers to screw up.

Clive Robinson June 9, 2014 1:45 AM

@ Chriss Abbott,

Hmm I would not try the “screwdriver tickle” method with any of the systems I’ve built, otherwise the “force will be with you” until you or the fuses pop which ever first…

@ Nick P,

Soft switches are a “no no” as far as I’m concerned even on laptops. I want to know “off means off” not just for my safety but security as well.

Also as I’ve mentioned before, the older systems I use have either proper UV wipe PROM with write voltage disabled or RAM without battery backup. Getting hold of old network cards without EEPROM is now getting hard but thankfully building them is still possible as the older NE1000 chipsets are suprisingly still available and cheap and the manufacture of double sided AT PCBs in “ten offs” is not a problem and can be done in 24hour turn around if you don’t mind paying the extra.

I like the old AT interface as it’s easy to work with with modern microcontroler chips, which makes certain novel solutions possible.

Benni June 9, 2014 5:35 AM

http://www.spiegel.de/politik/deutschland/nsa-affaere-maas-fordert-snowden-zu-voller-kooperation-in-moskau-auf-a-973873.html

The german minister of justice calls Edward Snowden for full cooperation in Moskow.

He says that Snowden should tell everything he knows to the german members of the parlamentarian NSA investigation Panel, when they visit Snowden in Moskow in July.

I would say, Snowden should only meet the germans if his german lawyer takes part in the negotiations and if he is in the room when they ask Snowden. During this interrogation, Snowden should tell the members of parliament which informations he has to offer, once they bring him to germany.

In his best interests, Snowden should give out details only after he has touched german ground, and not before that.

Before Snowden is in germany, these members of parliament should just get some kind of list what information they can expect, and nothing more.

Mike the goat June 9, 2014 9:45 AM

Nick: I was (and continue to be) surprised at just how much seemingly [at first glance] unrelated stuff I can break just by – for example – changing the length of an address in the IP stack.

PGP keyserver replacement is going to be my attempt to deal with the current abysmal state of the key servers. They are hard for newbies to use, suffer from a huge number of fraudulent and/or lost keys [owners lost the private key, didn’t have the revocation cert to upload, etc] amongst other issues. Sure, there are great things about them too but I hope to try and at least develop something better. Given my current workload and the number of existing projects and responsibilities I am already neglecting this one is going to have to wait a few months before it gets any real attention. I hope to publish a treatise, of sorts, on the problem and my intended solutions. Here’s hoping. I am also seriously thinking about physically relocating, perhaps to Cali, at least temporarily (say, 2-3 years) – that’s if anyone is still employing people like me. :-). Funnily enough you so often don’t find the kind of jobs I have worked at in the past posted up on career websites (or you do, and they are full of euphemisms like, “penetration tester”). But, realistically, I can work in a number of roles and am flexible re hours and pay; just want to have a bit of a holiday.

Clive: I had to laugh when – and I’ll paraphrase – you said that the USG’s response to an issue they couldn’t solve was to classify it. It reminded me of the whole “duck and cover” propaganda re nuclear bomb attack. It appears so utterly ridiculous to us in 2014 but I imagine the bulk of the population back then believed that this nonsense was a viable way to mitigate the effects of a thermonuclear blast!

I believe that the transititon from CRTs over to LCDs, operating over either LVDS (in the case of laptops) or DVI-D links has probably worsened the operational situation and not improved it. At least for the CRTs there were certain mitigations (copper shielding in ‘hot spots’ for leakage, ‘TEMPEST-proof’ fonts, etc.) that are either not effective at all (fonts) or less effective (shielding of the display cable) with the ‘newer’ digital tech.

Buck: I could whine on for hours about the sad, sorry state of the DNS roots and how DNSSEC won’t make a shred of difference but I won’t… all I really wanted to add is that I agree with you!!

Nick/Figureitout – re power buttons: yeah… at least the ‘hard’ off buttons were a definite, mechanical way of turning off power to the PC. In my first year of college I was introduced to our computer sciences lab and found out, after a bit of experimentation that all the PC’s had WoL enabled (and funnily enough this was in an era where they had separate NICs, and they actually had a small WoL cable that had to be connected between the NIC and a header on the mobo so it wasn’t like it was hard for the school to disable – but perhaps they used it for administrative purposes – eg insuring they were all on to roll out new software or something?).. anyway, great fun was had randomly turning on huge banks of computers. I also discovered a small script that mounted some network drives upon logon and used it to run a tiny 2k tool called, funnily enough ‘eject.exe’ that I pulled off one of the netware resource disks. There were optical drives moving all over the place! 🙂

Benni: exactly. Snowden needs to start thinking of his own hide, but I would guess that his legal team is already doing everything they can as far as positioning him for a potential ‘transfer’ elsewhere.

Nick P June 9, 2014 11:02 AM

@ Mike the goat

“Dependency hell” comes to mind re IP stack. Re PGP servers. Take your time. Re jobs. Yeah, I feel you on that. It’s worse in my area as there’s hardly any work outside big companies whose H.R. teams make it hard for talent to get in. I might relocate myself. I’m considering trying to do some work in an inexpensive European country so I can do some fun sightseeing and maybe take advantage of the no taxes up to $100k+/yr for a few years. 😉

Chris June 9, 2014 11:25 AM

@Mike the goat
Re: TEMPEST proof fonts, any suggetion on which font to use to make it harder?
//Chris

Chris June 9, 2014 11:33 AM

Hi, something that I have been waiting for but still havent seen or I might have missed it, is a device eather builtin or added by interdiction that sends data back to a listening device over AC Current Power Network.

What I can think of is that at least in theory thats how to do it, all this talk about using a loudspeaker to send data over an airgap doesnt make any sence to me.
If I would design anything like an airgap destroyer that would be it.
And not only for airgaps but it makes it easier to listen in to someone where the location is known.

Just a thought, using an RTL-SDR stick and looking at 50/60hz would probably see if there is something there or not. who knows?
//Chris

Nick P June 9, 2014 11:52 AM

@ Mike

Mine’s closer to ten. I had a selective disclosure scheme worked out for a while. Unfortunately, those references are no longer available so we’re in the same boat. What I recommended for ex-black hats in the past was to stage references. I mean, if one’s ethics arent an obstacle…

Jacob June 9, 2014 12:57 PM

@Nick P
“maybe take advantage of the no taxes up to $100k+/yr for a few years”

  • I guess you refer to the tax exclusion extended by the USG to expats, but you will pay dearly, OTOH, to the local European tax authorities…

Chris June 9, 2014 1:20 PM

Hmm, maybe there is something to the microphone loudspeaker airgap theory after all 🙂

Found this now:

24.641 MHz
Over on Reddit, user cronek discovered by using his RTL-SDR that the microphone on his HP EliteBook 8460p laptop computer
was continuously and unintentionally transmitting the audio from the built in microphone at 24 MHz in FM modulation

//Chris

True Randomness June 9, 2014 1:53 PM

@Clive Robinson

Oh, that explains why I just had to lock down a whole bunch of Chinese Military IP ranges after watching them hit my servers using a broad range of attack-types during the past few months. I already wondered why Chinese Mil IPs try to hack their way into US servers (the server itself; not some CMS).

Iain Moffat June 9, 2014 4:34 PM

@Chris:

Regarding power line networking I think the relatively common (here in the UK at least) use of in home ethernet-over-mains devices – as apart from devices operating over power company lines which I think you meant – must be another potential source of information leakage comparable to WiFi in the home, but I cant recall seeing any published investigation of what can be received remotely or extracted from the received signal. Are any of the blog contributors aware of any research in this field ?

I used to have some Devolo Homeplug devices which claimed to use AES-128 and some kind of multi carrier modulation scheme so maybe that has deterred people from trying to recover any information from radiated leakage ?

Iain

David C. June 9, 2014 6:42 PM

@ Jacob

Earlier you said this:

“Question to the board members:

Since the NSA is demonstrably interested in encryption, and
since this board deals with security and encryption items,
do you think that the each board member may be a “person of interest”?
And I mean not just monitoring talkback posting, but actually going into the poster computer to see if there are things of interest.

And if you do, does this hinder your postings?”

NSA’s knowledge of encryption technology is probably way more advanced than anything in the public sector. I doubt very much if they bother with people who post here. What could they possibly gain? I think you are being way too paranoid. The only hindering on my posts is that at present I dont want to reveal my full identity in case my employer determines it is not in the companies interest to have a publicly outspoken individual on the staff. However when I make a comment I have to enter my full real email address. But dont be paranoid, just be honest and believe in yourself.

Clive Robinson June 9, 2014 8:27 PM

@ David C,

I doubt very much if they [NSA et al] bother with people who post here. What could they possibly gain? I think you are being way too paranoid

You are making the mistake of buying into the “Myth of NSA superiority”. On a historical note it was the Mafia that invented things like the “infinity bug” that they used on the authorities, not the other way around. MI5 actually stole the design for land line anti-bugging technology based around TDR from a UK journalist who you have claimed is a traitor… lkewise they also stole the idea for using lasers to reflect off of objects in a room to recover audio and actually gave it to a UK company so that they could be made for both UK and US Intel services including MI6 who in turn passed it on to the CIA.

If you look back on this blog you will find that one or two of the regular posters have come up with attack vectors and other security solutions that were way way ahead of anything else published. Subsiquently some of those methods have appeared not in cyber-crime malware but State Level cyber-espionage malware, such as stuxnet and air-gap crossing being just one of several.

You will also see that “software signing” was called out on this blog as not being the security mechanism most people thought it was and identifying numerous ways it could be circumvented easily by an attacker, which was another idea that poped up in stuxnet subsiquently.

You will also find descriptions of transaction authentication methods that significantly reduce or can eliminate online banking fraud going back several years before the rest of the industry had realised that session based passwords are a compleate security fail.

I’m sure that others can provide other leading edge examples.

But back to the NSA Myth, if you have looked carefully at the TAO catalogue, you will not find anything in there that was new or novel, and equipment similar or superior to it had been discussed on this blog long prior to the dates given in the catalogue.

You will also see active fault injection via EM carrier has been repeatedly discussed on this blog and there is currently no direct indication that the TAO has yet got around to using such techniques (though they are known to work and have been demonstrated to UK intel agencies back in the 1980s).

You will also see in the early BadBIOS discusions some regular posters had already used sound and SDR techniques for air-gap crossing and accuratly described the what and how of it. It was only later that it was shown via the Ed Snowden revelations that the TAO was using such techniques.

Yes the NSA might be ahead in some areas to do with encryption, voice compression and data storage, but in others such as the work of the TAO they are behind the curve of some of the comments on this blog by a considerable amount.

The important point to note is in general people in the security industry are not objectivly analysing open data with a little “hinky thinking” to see how it might be used as an attack vector ( perhaps due to “Golden Goose Fears”). An example of this was SCADA security one or two posters to this site were waving red flags a long long time before most people in either the ICS or Security industries had realised that there was a significant danger related to them being connected to the Internet and other publicaly accessable networks. Years later in 2006 the USG started investigating with the likes of project aurora.

The NSA, DoD, DoE etc most certanly do not have a monopoly on “thinking hinky” and actually usualy lack the required industry experiance to be on par let alone ahead of the game in areas that they have not traditionaly covered.

So yes I would say that members of the NSA and related organisations certainly do read this blog and I would not be surprised to find that they had done background checks on some posters. In fact I would say they would have been failing in their duties if they had not…

Wael June 9, 2014 9:42 PM

@Clive Robinson, @Nick P, @Chriss Abbott,

Soft switches are a “no no” as far as I’m concerned even on laptops. I want to know “off means off” not just for my safety but security as well.

100% agree. Perhaps one should pry open smart phones and hookup a physical switch between the battery and the board. Turn it off, it’s off — unless there is a small backup battery hidden elsewhere in the device. There are many ways to do it, one can install a “reed-switch” with some minor circuitry. Reed switches are magnetically activated, so the outside of the device need not be defaced. Other innovative ways to use different types of switches such as mercury switches may be explored. Sounds like a worthwhile project. Be careful that this sort of switch may void your warranty…

Mike the goat June 9, 2014 10:55 PM

Wael: a friend of mine gave me a professionally produced ‘pouch’ made of what appears to be three layers – the inner layer feels like high density foam, perhaps for acoustic dampening; and the middle layer is some kind of brillo-like material and the outermost layer looks like a standard antistatic bag. Supposedly you can put your phone in one of these little pouches for some extra assuredness. I am a bit unconvinced though – if you had malware on the device, listening and buffering what is recorded for later transmission, perhaps a 1/4″ layer of foam isn’t sufficient to truly attenuate all of the sound?

Nick P June 9, 2014 11:12 PM

@ David C

Clive said it very well. I’ll simply say they can’t be so ahead if their BULLRUN program is mostly about introducing weaknesses into standard security so they can easily break them. I repeat: so they can break standard security products. 😉

Wael June 9, 2014 11:23 PM

@Mike the goat,

professionally produced ‘pouch’…

With DSP capabilities, and who knows how much the amplifier gain can be increased, plus the super sensitivity of the microphone, I wouldn’t trust it. You have three issues to consider:
1- Sound insulation, I don’t think it’s sufficient and you need to test it.
2- Electromagnetic isolation. Not sure the Brillo-like material is sufficient, you have to test it.
3- Your “friend” giving you a “gift”. Trust no one 😉

Best thing I know is leave the phone behind (I don’t practice what I preach), or completely cut the power off — and that can be counter measured as well 😉 But you know that I know you know all of that 🙂 Out with it, Mike the goat, what are you leading to?

Figureitout June 9, 2014 11:51 PM

Chris Abbott
–Hah, was turning a pot. on a [crappy] PIR sensor (while plugged in, smart) w/ a screwdriver and that little arc scared the crap out of me. Had another scare the other day, reaction time is never ever fast enough…Probably not smart that I plan on a small electric fence for a little garden b/c damn rabbits get nibbly, but I can’t shoot a gun in a suburban neighborhood…

Mike the goat
–Hah funny story. Had a couple random shutdowns in the school lab one time, better not have been you.. :p I wonder what they would do if I just unplugged the ethernet cable though, and I mean when I’m all alone in a computer lab it’d be kind of fun to put all that computing power to some use…like supreme SDR calculations.

There’s something funny w/ my school acct. so I don’t try much of anything, just sit and get compromised and log out. But I now can see the internals of the new Dell PC’s (which the case is mostly empty…fill it up w/ some RAM!) and can hopefully work a little on what causes the noise that I can hear from my headphones whenever there’s movement on the VGA/LCD screen (I can also hear high pitch noises when flashing a chip, so again I wonder what can be gathered from that noise…). I got confirmatory evidence of a signal but not enough, hopefully I can get my laptop to somewhat normal functioning and reliable to use for experiments.

RE: shielding
–Nothing new to people in the field but 3M sells copper tape which will come in very handy for shielding tiny crevices and such, extremely simple test showed it worked but I’m probably going to get a roll for many more tests. Also, while I’m looking for noise resistant components to build w/, I came across “metal-film resistors” which look like what’s commonly used today so that’s good.

Wael June 10, 2014 12:03 AM

@Nick P, @Dave C, @Clive Robinson,

I’ll simply say they can’t be so ahead…

I think you and @Clive Robinson based this assessment on the information that was leaked. You don’t know all of the capabilities were leaked. I even think the technology to listen to a regular conversation between two or more people from a satellite (or a drone) exists. I am aware that sound does not travel through space, by the way! Have you considered that an innocent looking insect flying by you could be a tiny robot listening and recording your actions? Remember! They have superior technology 😉

digitalBLOODHOUND June 10, 2014 12:41 AM

@Wael

NSA/et. all maybe put laser in satillite, laser acoustic window bounce?

Anyone know if orbital satillite accurate enough positiong?

Hubble accurate, why not laser sat?

Could aim window, listen in.

Idea?

PS: I no care if NSA listen here, browse through Tor/I2P…plus can’t hack this box.

Wael June 10, 2014 1:08 AM

@digitalBLOODHOUND,

NSA/et. all maybe put laser in satillite, laser acoustic window bounce?

That’s certainly one way. Quick! Break all your windows 🙂 What if there are no windows, how would you do it?

PS: I no care if NSA listen here, browse through Tor/I2P…plus can’t hack this box.

It’s free consulting 😉

Mike the goat (horn equipped) June 10, 2014 1:15 AM

Nick: I agree. The NSA are almost certainly unable to defeat conventional crypto – that’s why they have got so many programs focused on “cheating”.

Wael: now that I think about it, yeah, a phone pouch was an odd random gift. Then again – this is a guy who gave me a throat mic and an earwig set for my ICOM last Xmas.

Nick (o/t): I am at a bit of a crossroads with blogsig. I really like djb’s Curve25519 but there are lots of practical reasons to use ECDSA. What to do?!!

Jacob June 10, 2014 2:26 AM

@ David C.

In addition to what Clive said re thoughts and discussions to advance the state-of-the-art which you can occasionally find in these board postings, I thing along more mundane NSA interests:

This board is one of the watering holes for security professionals, and it is frequently visited by international sec officers/engineers.

The ROI for the NSA would be much better than the usual dragnet sweep by trying to get into the computers of these people to see if they can steal credentials or infect down the line their employers systems (which, having a security officer/engineer on board, means that they do interesting things, and, along the published motto of “we hunt sys admins”, does make a perfect sense).

Question June 10, 2014 3:14 AM

Can someone please point me to a simple and safe PGP based file encryption utility? After half hour of searching the internet still can’t find one from some trustable source.

Question June 10, 2014 3:19 AM

…windows version, freeware, no source code, just a simple tool to encrypt a file based on an external key. A link please?

Clive Robinson June 10, 2014 3:28 AM

@ Mike the Goat,

Back when ICOM made “headless radios” I had a need for their products and I still have many knocking around like original IC2E 4E, and now a member of the household is doing a bit of radio astronomy the R7000 has escaped the test bench for not just nights under stary skies.

Which reminds me of that PITA FCC “no continuous coverage” nonsence which stops the US versions of their kit also being good tools for testing. Another example of the usless “if we cann’t control it, we’ll ban it” mentality the USG practices ad norsium.

As for the gift of a pouch for posing with, that foam may not be there for achostic reasons, it could be just simple cushioning, or it might be a variation on the old “Hundred ohm foam” which is loaded with carbon or metal particles to act as an EM absorber (as seen in the horn like structures that give anechoic chambers that retro-Punk-Rock look.

As for curves, just remember the older you get the more atractive the curvier curves made by others become…

Wesley Parish June 10, 2014 3:29 AM

@Wael et alii

NSA/et. all maybe put laser in satillite, laser acoustic window bounce?

That’s certainly one way. Quick! Break all your windows 🙂 What if there are no windows, how would you do it?

I would suggest moving one’s stereo up close to the window and playing at full bore the latest and greatest from the hallowed halls of Death Metal. John Calvin Batchelor in his 1980 novel The Further Adventures of Halley’s Comet had one character do precisely that – though with The Who rather than Death Metal – to someone attempting to murder him.

I suppose that would fall into the realm of Psychological Warfare, rather than OPSEC, because by playing Death Metal at full bore, you are actively attempting to induce suicidal depression in a hostile, rather than preventing said hostile from interfering with your home environment. 😉

Jacob June 10, 2014 3:36 AM

@Question

I suggest you go to gpg4win.org and install their program. During installation, select from the options only the core gnuPG, Kleopatra, GpgEX and the compendium (help files).

gnuPG – core + command line capabilities
Kleopatra – GUI for key generation and management, files enc/dec and signing
GpgEX – allows enc/dec and signing from the context menu of the Win Explorer

Clive Robinson June 10, 2014 4:14 AM

@Wael and others,

Whilst space telescopes are fantastic people tend to forget why they are up there when mountain top real estate would be cheaper easier and a lot more conveniant.

The answer is important because of the effect it has on spy sats looking downwards to earth.

Even on the clearest and calmest of days the earths atmosphear is a very active and turbulant place. It’s the reason stars twinkle, shimmer and distort in various other ways.

Back last century a group of scientists in africa demonstrated a heated air lense. Essentialy all it was was an open pipe spun coaxialy at speed with an intense heat source applied to the middle. This caused the air inside to bend light sufficiently to make the object lense of a crude telescope.

Again thinking in reverse you can see why spy sats have a number of issues with these atmospheric optical effects.

Even a few years ago they represented what many regarded as an insumountable barrier to what spy sats could see and focus on, and it looked like reading the brand off of cigeret packets would not be possible. Well it turns out –as is often the case– what nature can do man can undo with sufficient computing power and whilst newspaper print is still belived to be beyond such techniques centimetre resolving is commercialy possible. However the likes of the NRO have also looked at the issue another way which is with drones. A UK defense contractor used a few hundred mobile phone cameras in an array such that resolving to less than 15CM whilst covering a 40 square mile area can be done from a drone or helicoptor mounted pod…

So settle back with a nice cup of Brownian motion producer and start thinking hinky about say bouncing lasers of car roofs, or even street trash such as thrown away soft drinks cans. Because you can make a reasonable bet, that if you can think that way, so can others who would also love to get a nice fat slice of DHS Pork to flesh them out.

name.withheld.for.obvious.reasons June 10, 2014 6:38 AM

@ Clive
Speaking of satellites…

A few years back worked on a satellite platform, SSMIS, that used some interesting method to integrate EM sources on the host platform. The size of the system is essentially a floating tractor-trailer container. NASA and NOAA have information on the platform and the platform operation is detailed to some level. I worked with the original design engineer/scientist, learning what approach from an architectural perspective to achieve design objectives. Had a chance to review and comment on the “replacement” system, wrote a report for program management and essentially shoot myself in the foot–told them what they didn’t want to hear.

The report described the problem with the implementation and components, designed based on the tool (in this case, Labview) constrained any attempt to meet the design criteria. Design should drive the technological decisions…not the other way around. The report also suggest an approach that could serve both the platform performance requirements and add some flexibility with respect to implementation and the production engineering process.

One interesting thing, the new platform survived and the report that detailed a way forward fell to the floor–part of what made this possible was the classified status of the program. Shedding any light on this would have made these choices difficult to defend.

Mike the goat June 10, 2014 7:29 AM

Clive: I too expect the foam is primarily for EM absorption, after thinking about it.

nwfor/clive: I have seen amateur sat tracking stations that can attain quite respectable accuracy. Would it not be outside the realm of science fiction to create a directed energy – perhaps a nice big magnetron focused in a narrow beam – to damage/destroy the satellite’s sensitive RX equipment?

Wael June 10, 2014 7:56 AM

@Mike the goat,

s/Curve/ED/g

Awww, poor goat! I hear something that rhymes with Niagara can help 😉

Re: Foam. Yes, it’s used for sound and EM absorption in shielded enclosures
@Clive Robinson,.

So settle back with a nice cup of Brownian motion producer

Sounds good! I’m in the mood for a cup of Turkish chaos this AM.

Wael June 10, 2014 8:16 AM

@name.withheld.for.obvious.reasons,

One interesting thing, the new platform survived and the report that detailed a way forward fell to the floor–part of what made this possible was the classified status of the program. Shedding any light on this would have made these choices difficult to defend.

It’s a wide spread problem. The NIH symptom. You needed a godfather there!

Autolykos June 10, 2014 8:27 AM

@Mike: That beam probably won’t stay focused all the way up to space. Wave optics is a female dog.
You could probably compensate by using a phased array (which would be huge), or just saturate the general area of the satellite with way too much power, but either way it won’t be long until your efforts are discovered and located.

Wael June 10, 2014 8:29 AM

@Clive Robinson, all

what nature can do man can undo with sufficient computing power and whilst newspaper print is still belived to be beyond such techniques centimetre resolving is commercialy possible…

Another fascinating example is the use of sound transducers in the ocean to pinpoint objects. The idea was to arrange several thousand microphones in the ocean, then calibrate them by making some noise at various locations in the ocean, say with a small explosive. When the calibration is done, the reverse can be achieved by replaying the recordings (with the proper amplification and phase) – the computing power you talk about – to focus the sound energy at arbitrary locations in the ocean. I believe the same technique is used for shattering kidney stones using ultrasonic waves.

Mike the goat (horn equipped) June 10, 2014 8:47 AM

Autolykos: I realize that we are probably talking on the order of thousands of watts eirp, but am pondering just whether it is conceivable. I imagine it would be easier than trying to physically deorbit the thing…

Nick P June 10, 2014 11:53 AM

Wow, it got crazy in here since I was gone.

@ Mike the goat

A list of pro’s and con’s of each would be a start. Then, people here might review and offer a suggestion. The first thought I have is NaCl implements a clever, timing channel mitigation. I hope your alternative thought that far. 😉

David C. June 10, 2014 4:27 PM

@ Clive Robinson, Jacob

You made many interesting points. Hard to counter them. Correct me if I am wrong but I thought Snowden’s leaks were mainly up to the Top Secret level not compartmented. There may be much more secret capabilities we are unaware of.

Clive Robinson June 10, 2014 5:16 PM

@ David C,

The difference between secret and code word level is usually more to do with the “circulation list” than it is technology.

Thus take something like signals analysis, what is required to direction find a mobile phone user is open knowledge, specific equipment to do it might be classified at secret, however a project to use the equipment to kill “persons of interest” in a specific class (drugs/terrorism) would almost certainly be code word or above classified.

Out side of abstract fields of endevor such as crypto math, most technology has to follow the well known “laws of nature” such as conservation of energy, energy/mass equivalence, speed of light and basic forces irrespective of who is using it (it’s why classifing some types of technology such as TEMPEST is fairly pointless as it can all be worked out from first principles by those with graduate level knowledge in the basic sciences).

The exception is where nobody has bothered actually doing rsearch into a particular sub field.

For instance we know that if you can generate a voltage or current at the input to a circuit then you can change it’s behaviour. We also know that EM radiation will be picked up by conductors, and if a semiconductor device is connected a junction will either act as a diode or a square law device, which will have the effect of rectifing EM induced currents/voltages, thus giving us the voltage/current that will disturbe the intended circuit function.

We have known since the late 1800’s / early 1900’s that not only are circuits suseptable to EM radiation they will also couple even very low frequency EM energy from one conductor to another in what engineers have long called “cross talk”.

Thus it does not take to much imagination to realise that EM radiation that impinges onto a conductor, will by the process of back EMF etc be reradiated, but importantly modulated by the “secret signals” in the circuit. This goes by various names and if you look on the internet at TEMPEST related sites you will come across the code words HIJACK & TEAPOT which are supposadly related to the exploitation of this effect.

However with a little further thinking you will realise that if the EM signal is modulated in some way, then this modulation waveform will be demodulated by the circuit. Thus you can inject complex waveforms into a circuit. Thus if you have a way to synchronise the modulated waveform with the circuits operation you can inject tailored faults into it.

As far as I’m aware little or no research in this area has been undertaken by those in the academic community, so there is little in the way of published information. However I was exploiting this back in the 1980s to get at electronic wallets and pocket gambeling machines. And from discussions with others it appears other design engineers had come across the problem and one or two like me had investigated further.

It is I think unlikly that the intel community has not researched into this area as –as I’ve indicated befor– I’d demonstrated it to them back in the 1980s.

Thus whilst they might appear to have some secret advantage –that might apear akin to magic–, the reality is there is nothing secret about it, it’s just a matter of joining the dots from well known engineering issues going back more than a century.

Nick P June 10, 2014 6:44 PM

@ Clive Robinson

“The “best” example of this maintainability problem could be found in the old implementation of the printf family of functions. The CRT provides 142 different variations of printf, but most of the behavior is the same for all of the functions, so there are a set of common implementation functions that do the bulk of the work. These common implementation functions were all defined in output.c in the CRT sources(1). This 2,696 line file had 223 conditionally compiled regions of code (#ifdef, #else, etc.), over half of which were in a single 1,400 line function. This file was compiled 12 different ways to generate all of the common implementation functions. Even with the large number of tests that we have for these functions, the code was exceedingly brittle and difficult to modify.”

Good Lord… The following paragraphs show they’re doing great work at the refactoring. Work like this has earned them good comments from me over past few years as they’re trying hard to improve their software. I’m looking forward to see that new system language they’re working on. I wonder if they’re just focusing on new software development or hoping to use it for legacy rewrites too.

re Type Erasure

It’s interesting stuff. The full impact might take a while to happen for me. Related note due to his mentions of lambda calculus. The more interesting (and useful) concept to me is keeping types throughout the compilation to assembler to improve performance, safety, and security. The this old proposal from the FLINT project summarizes many uses and approaches. Of course, once it gets to the assembler and linker we can apply type erause to get rid of the types. Unless the machine code is one of those tagged (i.e. typed) ISA’s I like. Then, the types stay and get enforced by hardware during runtime. 🙂

Mike the goat (horn equipped) June 10, 2014 7:04 PM

Nick: I guess – fundamentally – it is a about balancing whether to use something everyone knows, loves and understands (ECDSA) vs something that appears to be superior in terms of key length and other attributes yet isn’t quite as battle proven.

I believe I will be proceeding using ED25519. The advantages can’t be ignored, and as we have discussed before – the whole purpose of blogsig is to balance assurance against convenience with an emphasis on the latter.

Nick P June 10, 2014 8:55 PM

@ Clive Robinson, Wael, Mike

Found a nice C to FPGA compiler here:

http://c-to-verilog.com/index.html

They have examples like Ethernet and SHA-1. I’m wondering how useful it would be for prototyping safe processor designs. They’re a bit more complex than the examples given. Yet, when it comes down to it, they’re just state machines [possibly composed of other state machines].

I’m already aware of options such as SystemC. I’m just seeing how much closer it can be pushed to normal programming while still being synthesizable.

Rick June 10, 2014 9:14 PM

It looks like OPENSSL_indirect_call, the “undocumented ROP function” mentioned in previous posts on this thread was indeed written by Andy Polyakov and has been in place since 2005.

OpenSSL_indirect_call:
http://freshbsd.org/commit/openbsd/f868fc6f39a2c45a6c2bab70addc92525d467904

Email from Andy Polyakov:
http://marc.info/?l=openssl-cvs&m=113361101503116

OpenSSL needs to be purged. Someone with greater influence than myself has a solemn duty to expose these (intentionally introduced) flaws and assist with the cleanup effort. I’m willing, but I wield little to no resources and/or influence over the matter.

Thoughts?

Figureitout June 10, 2014 10:54 PM

So much radio, woohoo! My kind of thread.

Mike the goat RE: satellite beams
–Won’t help you take down a satellite lol (way too destructive for me) but I’m sure you could whip up a quick antenna, something like this, there’s much better (looking) ones, and these are some of my favorite kinds of antennas rather than something like a 4 element tribander, but the weird ones catch different waves. Then you need internet to get the timing right on whatever Sat you want to contact and it’s a pileup.

BTW, don’t know if you intended or it’s just another thing on my end, but your blog had quite the interesting picture: http://prntscr.com/3ro4rf Freaky, to say the least.

Nick P
–Neat link on reflections, creepy of course too…

Now to do my best Nick P act (I’d have to talk about type-safety and BASIC boobs though to really sell it :p), found some random links when an inverter caught my eye (have no affiliation w/ site nor any of the companies):

The OPTIGA Trust P (SLJ 52ACA) 16-bit Common Criteria EAL 5+ certified programmable security controller chip.

Op-amp noise sources and minimizing system noise

8-bit MCU handles safety critical applications

Secure Hardware and Software

Rick
–It doesn’t matter how much resources or influence you have, that you’re willing to help does though, a lot. There’s always something to do, always.

Figureitout June 10, 2014 11:45 PM

NSA: Our systems are so complex we can’t stop them from deleting data wanted for lawsuit

http://www.washingtonpost.com/blogs/the-switch/wp/2014/06/09/nsa-our-systems-are-so-complex-we-cant-stop-them-from-deleting-data-wanted-for-lawsuit/

So complex that it’s worthless and the analysts are just getting flooded w/ data and there’s no usable intelligence. We know. Oh and one of your people just walked out the building and off to RUSSIA w/ an unknown amount of data and you wouldn’t have known about it if he didn’t speak up…

Wael June 11, 2014 12:01 AM

@Figureitout,

and you wouldn’t have known about it if he didn’t speak up…

Good point. What if someone already did and kept silent?

Wael June 11, 2014 12:08 AM

@Nick P,
Re:reflections…
I have seen this type of spying a while back. Can’t find the link, but the demo used a spoon or a tea cup for reflection. It’s why high security buildings have no windows and are shielded. That’s why people cover their mouths when they talk, so no one reads their lips from far away… But we know that from movies.

Wael June 11, 2014 12:36 AM

@Rick,
Re OpenSSL…
I don’t see this as the only way to accomplish the advertised reason. Why not simply have a conditional #IF DEF for Various OS’s? Whenever inline assembly is embedded with a “justification” one should be suspicious. Sometimes this tactic is used to avoid flagging by a static analysis tool — in the deliberate case. Sometimes developers try to be clever and introduce holes unintentionally. You can checkin code, or become a maintainer, which I suspect you already are, but maybe for a different component. By the way, where in the code was it returning to libc rather than libcrypto? I think I mentioned before that Macros are evil, so is undocumented in-lined assembler. And developers who write self-modifying code need to be…

Nick P June 11, 2014 12:45 AM

@ Wael

I mentioned here a while back I read an article describing something similar. Spy claimed he put a reflective, decorative sphere in the room with target computer during a visit. (Paperweight? Shrugs) Then, they aimed a telescope at it from an adjacent building to see reflection of monitor and keyboard. That’s what he claimed anyway.

Wael June 11, 2014 12:51 AM

@Nick P,
Right! It was you. Perhaps looking at the “milk of amnesia label is effective” 🙁
When we read a lot we sometimes forget who the originator was. My apologies…
Hopefully I didn’t get anyone upset with my sense of humor. When it’s late at night I get a little goofy… I know I got someone upset — unintentionally…

Wael June 11, 2014 1:31 AM

@Figureitout,
Thanks for the OPTIGA link. Was looking for a PUF type device – Physically Unclonable Function. Seems this chip contains a combination of some TPM functionality in addition to some GP functions. Took a glance at the data sheet, and it may work 🙂

Gerard van Vooren June 11, 2014 2:11 AM

@Wael, about OpenSSL #ifdefs

They have #ifdefs for everything. If the lib could make coffee, there would be an #ifdef for cappuccino, mokka, sugar, cream etc.

You can write a book about OpenSSL. Heck, you can make a textbook of how not to write code AND you can make a fictional detective about OpenSSL like a Frederick Forsyth book at the same time.

But…

The preprocessor is a part of the fundamental weaknesses of C and C++.

Bjarne Strousstrup (who is never abbreviated) made a funny remark at Lang.NEXT last week. The ISO committee came to the conclusion that C++ should have modules.

AFTER 25 YEARS!!!

Why are modules such a game changer? The flat scope of C and C++ allow macros to have a global reach. Macros can be controlled by header files, makefiles, M4 and in the C files. I have seen projects where the order of header file inclusion changed the program. If modules in C++ is implemented right, macros are only influential in the current module because of namespaces and that is the way you want it. With modules header file inclusion is obsolete, so that problem is solved as well. It also changes makefiles, drastically reduces compile times etc.

Modules in C++ is probably part of C++17. I don’t know whether it will be part of C.

Returning to the #ifdefs. They are just a nasty piece of history. It is a shame that in all this time the industry didn’t look forward to develop a decent replacement of C. While Wirth keep on developing his languages, from Pascal to Modula and Oberon, C only got minor changes and non of these changes tackled the fundamental problems of C.

Wael June 11, 2014 2:44 AM

@Gerard van Vooren,

They have #ifdefs for everything…

I got the point you have against C, and I more or less agree. I was not arguing for or against “C”. I was trying to argue that this indirect call looks suspicious with a seemingly lame excuse given that there are other known ways of handling it through a preprocessor directive — regardless of the goodness or weakness of the language. Until a “safe” language is adopted, we’ll continue to talk about the reasons some bugs have security implications, and whether circumstantial evidence point to “foul play”. The alternative is we just say:Well, see, “C” sucks — use something else. This will not happen overnight, and until then we’ll be talking about cappuccino, mokka, sugar, cream etc, so to speak…

Wael June 11, 2014 3:00 AM

@Gerard van Vooren,
By the way,

Why are modules such a game changer…It also changes makefiles, drastically reduces compile times etc.

I also agree with you on that part! and I’ll add that make files are another evil because you can do nasty things in them as well.

Mike the goat June 11, 2014 8:05 AM

figureitout: yeah, it is intended. I got sick of the wordpress default images. If you are interested, the montage is of (from left to right) – ascii art of goats, random hexdump, RSA in Perl (top), decss in perl (bottom), minix tcp stack sha256.c. Random, eh? 🙂

AlanS June 11, 2014 8:37 AM

Microsoft Protests Order to Disclose Email Stored Abroad

Privacy experts are concerned that the judge’s order, if it stands, will open the gate to unchecked investigations in the digital world, of anyone, anywhere. “United States search warrants do not have extraterritorial reach,” said Lee Tien, a lawyer for the Electronic Frontier Foundation. “The government is trying to do an end run.” But the Justice Department asserts that Microsoft is stretching the law. In a filing, Preet Bharara, United States attorney for the Southern District of New York, described the company’s analogy between physical search warrants and digital ones as “misguided,” and said Internet companies cannot avoid complying with a search warrant “simply by storing the data abroad.”

Nick P June 11, 2014 10:12 AM

@ Figureitout

Trying to act like me, huh? Where’s the solid frameworks, identification of threats 10 years out, and effective solutions to existing ones? Absent? Oh my, it must be an imposter! 😉

OPTIGA is interesting for its feature set. The assurance level is the minimum required for smartcards and security controllers. Infineon can do EAL5+ in their sleep. The noise sources link is nice as it briefly lists and describe the common sources people run into. I didn’t even know there was an 8-bit MCU for safety-critical. I keep it at 16-bits or higher, but I’ll give it to some people I know that do 8-bit work. I’ve never seen 8-bit developers caring much about safety though. (hmmm)

The last link I have mixed feelings about. It mentions that they’re getting concerned with security in microcontrollers. They’re adding things like firewalls. The other aspect is over the years they’ve been adding functionality such as embedded networking stacks. The problem is much of this is features whereas security comes from assurance arguments based on good engineering. I doubt an embedded, microcontroller has a secure anything if it’s network or filesystem related as it’s hard enough to do with a powerful desktop CPU. So, such products are a double-edged sword for me: (a) I can isolate more functionality onto dedicated chips because there’s new cheap chips with onboard support for certain things; (b) the chips themselves will have vastly more attack surface and I probably can’t effectively audit that.

So, first three links are nice. Last one is maybe a sign of bad things to come.

@ Wael

Yeah, the chip runs that Java platform you all like so much. 😛 In the past, I always said I’d rather have an assured OS such as MULTOS on such a chip. I updated that to JavaCard when Gemalto (Gemplus?) got their JVM to EAL7 to match MULTOS’s assurance. (Product was EAL5+, VM EAL7) I wonder what the assurance is of Infineon’s JavaCard 3.0.4 OS. We know they assure the hardware well, but software is said to be a significant attack vector these days. It pays to put effort into it.

Tried to find its JavaCard evaluation status with a quick Google. Instead, I found a job ad from Infineon for JavaCard programmers working in India for $11,800 a year. A guy I know outsourcing development of school software paid around $16,000 a year. Probably a good sign for security and quality of the software, yeah? 😉

@ Mike

Yeah, you’re goat ASCII art is awesome. I laughed my butt off when I saw it.

@ All

Check out the show Silicon Valley which parodies startups, billionaires, and programmers in the same area. The main criticism is there wasn’t enough character development and they opted for common stereotypes instead. Sure enough. Yet, two to three episodes in it was good enough to keep watching and got better over time. Also had a few truly original and hilarious moments I won’t spoil.

Benni June 11, 2014 11:21 AM

@Wael: “trying to argue that this indirect call looks suspicious with a seemingly lame excuse given that there are other known ways of handling it through a preprocessor directive”

Well, as someone who has used the Windows API, I can tell you that the comment of Andy Polyakov seems to be complete nonsense for me.
Polyakov writes:

“-# This function can become handy under Win32 in situations when
-# we don’t know which calling convention, __stdcall or __cdecl(*),
-# indirect callee is using. In C it can be deployed as”

The calling convention of a function is in its header. If you use the winapi, then it uses stdcall. All this is defined in the windows headers. If you call this functions from a C program, then the compiler should automatically take care of all this. I have written some dlls on windows, and I never needed such a thing like Andy Polyakov wrote in his function “Openssl_indirect_call”.

Polyakov says this would be usefull when you do not know the calling convention of something. But since this calling convention is in the c header, when does it happen when you do not know the calling convention?

Well, I say that if you have good intentions, then you do not call something whose definition you do not know.

In fact only a hacker usually does not know the exact function header of something, as he does not have the function header of the box he’s hacking into.

As a result, the hacker has to start his hack with function that is exactly like the code which Polyakov has written in “Openssl_indirect_call”. So even the comment from Polyakov himself, where he introduced this function indicates that this was implemented as some help for hacking purposes.

Wael June 11, 2014 11:43 AM

@Benni,

when does it happen when you do not know the calling convention?…

Totally agree, it can happen when the developer is developing his code on an OS for a different target OS. If he developped this on Linux and is not familiar with Windows, I can find a minor execuse. I can also find another “minor” execuse for him if he claimed “compatibility with diffferent compilers”, which peggs the Bullsh** scale.

Wael June 11, 2014 12:27 PM

@Mike the goat,
I liked it as well… Horn equipped too 🙂

@ Benni,
There is another possibility this function was added for instrumentation. The comment doesn’t support this hypothesis, though. I really haven’t looked closely at this, and I’ll do so when I have the chance. So I’ll stop at saying it looks suspicious, at the moment. Now I am convinced that “Open source” doesn’t add much more security than “Closed Source”. We had this discussion previously. I don’t have the time to embed the link, but will follow up at a later time…

Benni June 11, 2014 1:58 PM

@Wael:
Yes the function does not only look suspicious, it is suspicious.

And no, the argument of not being familiar with an OS is no excuse for writing such a function.
Even if you are not familiar with windows, you have to include the windows headers in your program, whenever you want to call a function of them.

Then, the Compiler recognizes the calling convention in the windows headers and you do not need to think at all about any “calling convention”. You can call these functions like ordinary C functions. That there are different rules for the order of what is put in the stack does not need to concern you at all, since the compiler does all this thinking for you, once you have the headers.

But now assume you want to attack some closed system. Then you would want to call some functions, where you, with certainty, do not have any C header. That is what a hacker does. Only a hacker does call some function from which he does not know the calling convention. With that comment

“-# This function can become handy under Win32 in situations when
-# we don’t know which calling convention, __stdcall or __cdecl(*),
-# indirect callee is using. In C it can be deployed as”

Poyakov basically says that he intended with this function to help people whose aim is to attack and hack into some computers running openssl.

Wael June 11, 2014 2:19 PM

@Benni,
Have you downloaded the source code, built it and tried to call the function? At the surface of it, I see a potential buffer overflow deliberate vector. I haven’t validated that “max” is used properly throughout rest of the calculations. When I have the time, I’ll go through the exercise.

@Rick,
Any insight you can shed on this? Have you seen an exploitation, or experimented with one? Can save us some time 😉

Wael June 11, 2014 2:21 PM

@Benni,

I looked at the module code, not just the diff, It’s perl code. Changes the view a little — will still look at it 😉

Wael June 11, 2014 3:47 PM

@Benni, @Rick,

The function was removed. I didn’t even pay attention to that, curtesy of insomnia and a nice tooth ache. I think I understand now the answer to my previous question about how the function returns to libc instead of libcrypto where proper handling of buffer overflows can be handled. False alarm, Rick — It has been removed, just make sure its not in the version you are using…
Also keep unto date with the security advisories they have there: http://www.openssl.org

AlanS June 11, 2014 8:31 PM

Eleventh Circuit decision that warrantless cell phone tracking violates the 4th Amendment: United States v. Davis.

The decision drew on the Jones case which was previously discussed on this blog here. And , maybe more importantly, didn’t follow the logic of other earlier cases e.g. Smith v. Maryland.

Jennifer Granick discusses the case and implications for NSA’s bulk metadata collection programs here.

Rick June 11, 2014 11:03 PM

@Wael,@Benni,

Thank you for your expertise– both of you. I am not a coding pro; rather, I have scripted a bit since I was once a data analyst for an AI/data modeling shop in Seattle in another life. Now I’m the 47 year old owner of a small networking shop. In these last 14 months or so, I have turned all of my spare time and attention to the subject of infosec, encryption, crypto, privacy, etc. I’m still learning and I’m benefiting from the process.

The fact that the function (openssl_indirect_call) was included at all is a testament to the fact that 1) open source can indeed be as surly and difficult as closed source on many levels 2) Andy Poyakov’s future coding efforts should be treated with reasonable suspicion (I largely agree with Benni’s hypothesis on this point), 3) Andy P’s efforts to audit OpenSSL should also be treated with suspicion (http://arstechnica.com/information-technology/2014/05/openssl-to-get-a-security-audit-and-two-full-time-developers/), 4) now that we have evidence of the NSA’s subversive ways, we should treat just about everything with suspicion. It’s an Orwellian Twilight Zone.

As I mentioned before, it’s fairly obvious that OpenSSL should be purged. Apparently the code is a mess that receives little attention by way of maintenance while the authors pursue FIPS seminar gigs. Everyone requires an income, but too many individuals and institutions alike have grown dependent upon this project’s success to allow it to deteriorate or be compromised. Even if neglected by necessity, OpenSSL’s current condition creates an environment that welcomes attempts to subvert it.

I’ve been watching the progress of LibreSSL (http://www.libressl.org/) and I appreciate the team’s (apparent) noble motives. Perhaps this is a step in the right direction.

As to the removal of the ROP function in question, do you have a link to indicate that fact? Not that I doubt you, but I’d like to review it, study it. I’m coordinating security efforts with a VPN shop, and of course OpenVPN makes use of OpenSSL. I’d like to share this news with them.

All the best to all.

Wael June 11, 2014 11:54 PM

@Rick, @Benni,

The fact that the function (openssl_indirect_call) was included at all is a testament to the fact that 1) open source can indeed be as surly and difficult as closed source on many levels 2) Andy Poyakov’s future coding efforts should be treated with reasonable suspicion (I largely agree with Benni’s hypothesis on this point), 3) Andy P’s efforts to audit OpenSSL should also be treated with suspicion

I agree with the first point, as implied by my comment: Now I am convinced that “Open source” doesn’t add much more security than “Closed Source”. I am not in a position to comment on the last two points, although, like you, I agree with Benni’s hypothesis.

As I mentioned before, it’s fairly obvious that OpenSSL should be purged.

That’s a little harsh. Just compile it on your own, and make sure you are using the latest patched versions. Purging it won’t help that much — what you replace it with is likely to have it’s own issues.

As to the removal of the ROP function in question, do you have a link to indicate that fact? Not that I doubt you, but I’d like to review it, study it.

You should always doubt me 😉 But here are the links:
Firstly : The first link you sent! See the “-” signs on the left in the pink highlighted block? It means these lines were removed from the source code. And the comment in the header states the rationale. The block of code was removed from “lib/libssl/src/crypto x86cpuid.pl” as stated in the top of the “commit”. I would think this is the date it took place “2014-04-22 21:52:21”.

Secondly: I downloaded openssl-fips-1.1.2.tar.gz from http://www.openssl.org/source/ , and unarchived / uncompressed it and searched for “OPENSSL_indirect_call”, could not find it. On a related topic, I use SublimeText2 for an editor – It’s a great one. You can click CNTR P or COMMAND P on a mac then type the function or variable name, and it’ll search the whole directory tree for you… I have no vested interest in it, btw, (I like vi, too).

If you only have the binary, then try searching for the “OPENSSL_indirect_call” using something like “strings” command, although that may not be the best way to do it.

Wael June 12, 2014 2:00 AM

@Clive Robinson,

ARStechnica plays the role of the NSA for a week against an NPR reporter.

Interesting article indeed, I also recommend others to read it. Most of the information in it is not new, but I learned a couple of things from it. The article contains some dated information as well. I could write a few tens of pages of comments on it — not my style! I’d rather encode my reply in a limerick 🙂 – However, there are parts in the article that are remarkable and worth a comment, probably later tonight. One question though! Why did you tag the link as “OFF Topic”, given that:

  • It’s on a squid thread
  • It really is very relevant – my comments will show the relevance, later.

Benni June 12, 2014 6:27 AM

In Openssl-1.0.1h, which is described as latest in

http://www.openssl.org/source/

the function is still present. At least I can find it in its appropriate place when I unpack the library.

Of course, real agents do not delete their backdoors that easily.
This is observed by the Openbsd folks for some time now, even with bugs that compromise the security of the library:

https://twitter.com/MiodVallat/status/476581687338729476

The DUAL_EC random number generator was implemented in OpenSSL after the request of an anonymous sponsor, as Openssl said in an official statement I linked to in some posts above this one. There you can also find the OpenSSL statement that their implementation had a bug which prevented DUAL_EC’s execution except in test cases.

So the customer who made the request to implement this never really tested it. This means that the customer did not really need this function for his own.

And it makes clear that this customer has a very good trust in the openssl developers.

The NSA says:
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all&_r=0

“Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”

From this it follows that some crypto library which is responsible for “vast amounts of encrypted internet data” must be broken.

If I were NSA, I would trust the Openssl developers, too. They are probably among their best field agents they have…

One may note that code of these Openssl folks also made its way to GnuTls. Here is an example of code from Andy Polyakov which straigthforwardly made its way to GnuTls:

http://upstream-tracker.org/changelogs/gnutls/3.1.4/changelog.html

Mike the goat (horn equipped) June 12, 2014 6:35 AM

Rick: while I appreciate the efforts of the LibreSSL team, sometimes you just need to walk away from a code base that is demonstrably terrible. My feelings on this are compounded by the reality that there are more TLS libraries than I have fingers – and some of them are actually (structurally) very good. I know that some of us have beat on about this before, but you’ve got GNUTLS, Mozilla’s NSS, PolarSSL, CyaSSL, etc. and most of the aforementioned libraries can emulate openssl functionality (or at least a superset).

That said, there have been instances of people/teams taking ugly code and fixing it. I can only think of a few examples where this has worked and it is generally only done (commercially anyway) when a rewrite is out of the question.

I am sure a few people are going to flame me for this position, especially as I have used OpenSSL in previous projects myself (primarily out of laziness).

Mike the goat (horn equipped) June 12, 2014 7:46 AM

Benni: absolutely, your comment about Polyakov and GNUTLS being most noteworthy.

I am almost certain the NSA do not have the ability to defeat properly implemented conventional crypto en masse, my emphasis being on ‘properly implemented’. When you think about the number of vulnerabilities that the NSA likely have cached – vulns that we likely don’t know about yet, then some of the statements made begin to make sense. I guess the $64m question is a) what bug or vuln are they exploiting (there is additionally the possibility that this is disinformation, of course) and b) was this engineered or just the result of then exploiting an existing accidental bug.

That said – a lot of the info obtained as a result of the Snowden disclosures is bewilderingly contradictory. For example, if they had an effective way to target TLS/SSL encapsulated communications en masse, why are they bothering with MITM style attacks? Why try and exploit the admittedly ripe for the picking CA trust model with dodgy root certs? It all doesn’t make sense and likely points to the fact that their abilities are limited to essentially what we could do in the commercial sphere using unclassified tools and ingenuity if we had NSA’s resources (ie: essentially a mirrored feed of all traffic from their beam splitting intercept locations).

Probably the most important things that have or will likely come about as a result of this whole debacle will be;

  1. a critical review of default cipher lists, with a view to eliminate the ability to fall back to weak ciphers like RC4
  2. the implementation of PFS on the server side to ensure that if the server’s key is compromised any content which the govt has cached is not immediately decipherable
  3. widespread adoption of some kind of WoT based verification to alert users of a site whose cert appears to suddenly change – again, just like OCSP seemed like a great way to fix the CRL problem a Convergence/Perspectives like solution may betray information as to sites visited to the notary servers. At the very least, browsers could learn a thing or to from OpenSSH and keep a cache of known hosts to alert the user to changes.
  4. the elimination of the dangerous CA practice of issuing root or intermediate certs to organizations (eg. geotrust’s georoot program); despite the inconvenience this may cause legitimate large organizations.
  5. a view to ultimately ‘fix’ the CA problem – we need something to decentralize ‘trust’ in a meaningful way. Related concepts like DNSSEC that’s rely upon an ‘authority’ are to be similarly scrutinized.
  6. an audit of all commonly used encryption tools and libraries with a view that at least some of them have been deliberately weakened
  7. user education sessions to encourage the non-geek public to care more about what they send in the clear and what they can do about it both in terms of countermeasures like encryption and political efforts – perhaps their understanding and ultimately care about the surveillance state will lead to increased funding for folks like the EFF/EPIC/etc.

Just a few thoughts on what may and should occur once the world has got over the shock of the NSA revelations.

Wael June 12, 2014 8:42 AM

@Benni,
Good catch. I still didn’t find it in the version I posted. I’ll look at the version you posted… I wonder how many of these ‘gems’ are hiding in the code…

Benni June 12, 2014 8:47 AM

@Mike: “For example, if they had an effective way to target TLS/SSL encapsulated communications en masse, why are they bothering with MITM style attacks? Why try and exploit the admittedly ripe for the picking CA trust model with dodgy root certs? ”

Because they generally make things robust, so that, if one plan A fails, they have plans B and C and D as alternatives.

The same document from Bullrun which I quoted above also says that this technique, which would make many encrypted web communications readable, would be “very fragile”.

For me, that sounds much like an Openssl vulnerability, but which one they are using exactly is the billion dollar question indeed.

If openssl is cleansed properly, I assume the NSA folks are blind as in 1968 where CIA called a report of the german secret service on the invasion of warshaw pact troops a “german fabrication”.

http://en.wikipedia.org/wiki/Bundesnachrichtendienst#1960s

At that time, the BND was able to fully read russian cryptography whereas NSA was unable to do so.

Wael June 12, 2014 9:15 AM

Benni is correct…

The function exists in the so called “latest version”.

[openssl-1.0.1h] grep -ir "indirect_call" *
crypto/x86cpuid.pl:#    type OPENSSL_indirect_call(void *f,...);
crypto/x86cpuid.pl:#    OPENSSL_indirect_call(func,[up to $max arguments]);
crypto/x86cpuid.pl:&function_begin_B("OPENSSL_indirect_call");
crypto/x86cpuid.pl:&function_end_B("OPENSSL_indirect_call");
[openssl-1.0.1h]

It’s not in the “Fips” version, however. Regarding “trust” in a developer’s name, it’s not 100% foolproof to “blacklist” the untrusted name, because “names” can change as in a Sockpoppet, for example… hmmm

Nick P June 12, 2014 10:46 AM

@ Mike

Benni beat me to it. I’ll add that each tool has different properties in what control or data it gives them. Each tool might also have different properties far as detection by enemy goes. Some tools can also be used on many more targets than others. So, NSA is just practicing Offense in Depth.

Wael June 12, 2014 12:13 PM

@Nick P, @Mike the goat,
I also like “Offence in depth” – I really thought about posting it, but Nick P was faster, and I was sleepy 🙂 So I’ll have to expand on it. Creepy how we are getting to think alike — if you believe my claim, that is…
“Defense in depth” is not adequate against someone who has the capability to mount an “Offence in depth, width, height, and other dimensions they extracted from the poor aliens they have imprisoned at Area 51, hanger 18” operation 🙂

Nick P June 12, 2014 2:15 PM

@ Wael, Mike

Thank you and funny haha.

@ All

I previously posted this informative book about Capability-based Systems of the past. I read it by skipping to the more modern architectures. I also read the “Early Descripter Machines” chapter for info on Burroughs Architecture. Anyway, I regret skipping early capability machines chapter as it had this gem: the first capability machine was a PDP-1.

That’s right. The PDP-1 implemented a more advanced and secure system architecture than most modern machines. This was despite it having around 9KB of memory, 18-bit words, and 200 kilohertz memory clock speed. So, modern designers aiming for more secure and robust systems have little excuse technologically. If the PDP-1 could run a capability system, then a modern machine probably can too. And a whole lot cheaper, too.

Rick June 12, 2014 5:22 PM

@Benni, @Wael, @Mike the Goat, et al,

I am thankful that this subject is being discussed and vetted. At first when Benni mentioned the ROP function (openssl_indirect_call), and after reading about its potential as a hack, I considered that it could be devastating to privacy, and in particular, VPN services (of which I am a consumer and an advocate of). I am not yet convinced it is devastating, but I’m not not convinced, yet, either. I want to learn more.

I thank Benni for his astute observations about the NSA’s behavior patterns (which simply make good sense, almost to the point of being self-evident, bravo!), and Wael for his assistance with reading software development repository jargon. Very helpful indeed.

As for dumping OpenSSL altogether, Mike the Goat insists that such a move might be the best plan. Perhaps so? I am not qualified to determine that. But I am vaguely familiar the hurdles involved and I can understand his sentiment given what I’ve read about OpenSSL’s current condition. I mentioned “purged” before in this thread to convey the idea that it should be audited and generally cleaned up if salvageable. If the result is not worth the effort, then perhaps starting fresh is indeed the better route…

…But what of backwards compatibility? Someone is going to have to pitch the new code in a “dog & pony show” to those who hold the purse strings for all of the affected institutions. And so the switch to a new library/code base will take an unpleasant amount of time. Meanwhile, the 4th amendment shrivels away. Then again, this sort of thing has been going on already for years and years. Regardless, the sooner we reclaim privacy, the better, for surely the NSA will not relent, and the current political environment will continue to fund their ventures.

A question for the coders here: what, then, can you actually DO with “openssl_indirect_call”. Can you actually call any function and jump to any address you desire? A “ROP coder’s dream”?

I agree with Benni: project Bullrun (decrypting SSL en masse) has to function somehow. So, vulnerabilities in OpenSSL are surely choice weapons. This link provides additional thought on the subject: http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html

Gerard van Vooren June 12, 2014 7:04 PM

While we are at OpenSSL, I have a technical question about it.

We all know that OpenSSL is a library with lots of obfuscations. It has a unreadable style, its own overrides of standard functions, etc..

But assembly written in perl, is that valid? The readme file in “crypto/perlasm” starts with:

“The perl scripts in this directory are my ‘hack’ to generate
multiple different assembler formats via the one origional script.”

Personally I don’t like the word “hack” in security related software, however considering everything else it fits right in.

I always considered the gas / gcc style “.S” (with capital S) files as the norm but I am not an assembler expert so I ask the question whether this is (1) valid, (2) code from the past, or (3) obfuscation?

Nick P June 12, 2014 7:36 PM

@ Rick

I’m actually with Mike on dumping the whole thing. Gerard’s comment illustrates just how bad the codebase is. A codebase for safety- or security-critical applications should be well-documented, easy to understand, written to be easy to analyze (eg static analysis), well tested, and [in this case] use portability conventions. The OpenSSL codebase seems to be the opposite in every way. The amount of work LibreSSL team is doing to it would probably be better off building a library from scratch that’s compatible with high level OpenSSL API’s.

Clive Robinson June 12, 2014 9:42 PM

@ Wael,

You asked,

One question though! Why did you tag the link as “OFF Topic”

It’s steeped in the mists of time….

Back in the days of old the squid page was like a dress down friday for Bruce, and did not have the alowance it does to day of any other security related subjects.

I occasionaly would make an on topic comment but in an amusing way, then I would occasionaly post a mild mannered joke or link to something I and others might find amusing and called it a Friday Funny or equivalent. Sometimes as Nick P will probably confirm they took a walk on the risky side (like supposadly exploding breasts on aircraft due to faulty implants) but still had a security element even if it was a bit tenuous 😉

I also started puting links to security items up, that were news worthy, and I marked them as off topic to warn people. I did this rather than EMail Bruce and fill up his inbox, or muck up the current thread, and it was also in some cases more timely. Others started to do likewisew and some made further comment on them.

Bruce did not object to relevant subjects and even blogged about them in more depth later, it kind of became a tradition (and occasionaly has had the apperance of a competative sport 🙂

I thus use “off topic :” to let people know it’s a news or related item and thus could be the start of what you might call a sub thread. However if I reply to some one who has posted a new sub thread or has made an “on squid” comment I use their name to try to preserve some linkback.

Sadly the squid page now rarely sees squid comment from readers and thus if I make one I put “ON Topic :-)” at the top to signify the special status…

Yes I know, it might be mad but there is logic behind it, if not a little history.

Now having addresed your first point, it’s time for you to live upto your second point, as they say “I’m all ears” 😉

Wael June 12, 2014 10:33 PM

@Gerard van Vooren,

But assembly written in perl, is that valid?

Look at the make file:
x86cpuid.s: x86cpuid.pl perlasm/x86asm.pl
    $(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
perl is used as a "script" to generate an assembler source file for different CPU's.
I tried to compile and build it on my machine, but it's failing for some reason -- and I don't have the desire to fix it -- It's "suspicious" after all...

If you have better luck building it, do this:
make | tee make.log
then edit the make.log file and see what is going on, and share with us...


@Clive Robinson,
You are next on the queue! I'll need an hour or so.

Clive Robinson June 12, 2014 10:34 PM

@ Gerard van Vooren,

Simple answer is it’s no more valid than using some other tool such as an enhanced macro language or for that matter things like YACC.

It is however undesirable, but can unfortunatly be necessary, due to limitations of standards and some major corporates pushing their own agenda.

When it comes to ASM there are various aproaches and none of them have realy been dignified as standard as it’s usually hidden at the unseen output end of the tool chain and thus the assumption it’s hidden and thus does not require to be standard… (an example of the greate “a round tewit” circular reasoning 😉

AT&T produced a CPU independent format for input to their assembler that the GNU crowd quite sensibly used for gas as their tool chain was designed not just to be CPU independant but cross platform as well. However Intel has it’s “house standard” for it’s CPU range that has been around for fourty years, and many tool chain suppliers use it for their assemblers as their tool chain is single CPU targeted.

As a consiquence we have the likes of nasm that does a similar job to gas but uses the Intel house standard as it’s input.

But if only these issues were only tucked out of sight at the bottom of the tool chain… sadly they are not. You will see issue with assembler support all the way up the tool chain, such as inline in the compiler or hidden away in preprocessor macros etc in some embedded development tool chains. For instance some compilers actually have a switch for inline code to say if it’s in “house style” or “AT&T style” which can cause some real problems with header files etc.

The big question though is why did the developers chose to use perl, it’s not as though it’s actually formaly part of most tool chains and it’s not guarenteed to even be available on any given platform…

The only advantage I can see is it is sort of standard across all major platforms, freely available and many programers will be familiar with either version five or six.

Could it be used to hide things away out of sight? Simple answer is Definatly, but then that’s true of all Turing compleate languages (even the much loved BrainF**k 😉

A better question would be one of why the asm is in the code in the first place, personaly I think the writter of the code should not have gone there. If you think about it there should be no “close to the metal code” required in OpenSSL it’s not as though it talks directly to hardware. As with the famous comments about “goto’s” you have to ask if it’s a “programer fault” with the developer trying to be clever or if there is a valid reason for it.

Currently the “reason” is very much under question/scruitiny and the “go faster stripes” argument which people would once have assumed by default may be found to be invalid, and possibly extreamly suspect. Which will almost certainly bring the developers ethics into question in a way they won’t be easily able to defend, even if originaly innocent.

Wael June 13, 2014 12:04 AM

@ Clive Robinson,

Now having addresed your first point,

Thank you for the history lesson! Much obliged!

it’s time for you to live upto your second point, as they say “I’m all ears” 😉

Sweet! And I’am all lips, and will start flapping them. First the introduction… I was going to reply yesterday, but the blog was suspiciously quiet, so I decided to delay my response. Any way, made a mistake yesterday and drank a cup of Turkish coffee late at night. Finished the Brownian random liquid, and continued into the Darker deterministic sludge — big mistake.

So the link is interesting because it showed how mach data can be collected, and it’s a huge amount. It’s a huge amount given that they used no malware and only looked at one of the channels — WiFi. They did not collect data from Bluetooth, Baseband (3G/4G/LTE) voice and data, etc… So I got a perspective of how large the surface of attack of a smart phone. In addition to that, the type of attack they conducted falls under “Passive Man In the Middle” — meaning the attacker is only observing packets and analyzing them. The attacker is not injecting the packets for replay. If you add the possibility of an “Active Man In the Middle” — meaning the attacker is capturing the packets, manipulating them, and injecting them realtime or at a later time, then the attack surface increases a lot, and so does the damage level. I think I said before that one will need to construct a bunch of attack not trees that will cover an area the size of the Siberian forest to describe the possible attacks on such a device.
At one point I mentioned that I was messing with wireshark because I noticed some strange behavior. I connected my smart phone to the hotspot, and started wireshark and collected packets with a basic filter (no broadcast and no multicast). Started looking at my phone traffic. It was constantly sending packets everywhere; Google, Apple, other strange places. Put it to sleep, it sent a ton of packets before it went to sleep and after it woke up — HTTPS and TLS stuff. By the way, wireshark can decrypt the packets if you enter the hotspot keys (either wpa-pwd or wpa-psk home, not enterprise). It usually works better in monitor mode for me.

One of the areas that has changed (and I said dated) is the UUID on iOS devices. It’s no longer available to the applications. It’s the reason I asked once about IV and encryption because I believed there is a way to fingerprint the device even with UUID obscured.

The article also doesn’t talk about cookie theft attacks and how to hack someones email account or login to their Facebook account for example through capturing the authentication cookie and injecting the cookie into another browser to go into the victims page without the ability or need to capture their password.

The main point to get out of this paper is that attacks are no longer “simple” type attacks. They are compound in nature, and harder to discover, as they are buried in the noise. These attacks are using the principle of divide and conquer, but in a strange way… And that’s just scratching the surface of it. I’ll continue on this thread later so I don’t make it too long, and I am not sure if my time is up. I also need a cup of coffee to keep up a little longer…

Figureitout June 13, 2014 12:39 AM

Wael
What if someone already did and kept silent?
–Uhh I think you know the answer to that..Then there would be a mole lurking in our intel agencies and other countries are working to copy or countermeasures.

Thanks for the OPTIGA link.
–NP, just a link; they should arrange for secure delivery services too if they really want a happy security customer. I say try to hack their product (not the development area, that’s cheating) if they’re going to push out a java-based OS in a product as secure and try to make money off it.

Nick P
must be an imposter! 😉
–Ah, forgot the winky smiley face, of course! (No one makes that face in real life BTW, you just look like you’re cringing).

You’ve mentioned your faith in EAL ratings before, can they not be “gamed”… or falsified…? And yeah there’s not a lot of room or time w/ 8 bits for security, but first off most times you probably won’t need it or will be able to see fragrantly malicious behavior. Importantly you will be able to see those CPU resources being used and make it semi-impossible to get at (unless..well..you know..). But who can write all these stacks from scratch? I don’t mind a ridiculously minimal machine (plan on putting an extremely small linux on my granny’s PC instead of a digital radio station as it simply doesn’t have the strength needed… 🙁 ), but most won’t even have machines compatible w/ my format. Even on my cell phone now, I can’t receive certain iphone text messages now for some stupid formatting issue (they can keep their stupid file format) and it’s annoying when people do mass texts.

Last one is maybe a sign of bad things to come.
–My visions are pure hell on a number of issues like sanitation, pollution, energy, water, and food…barring some sort of miracle on the order of a revelation like Newton’s F=ma (there’s many other extremely important contributions but that simple equation makes you feel like you understand a large chunk of the universe).

Oh by the way, Chris Abbott and his screwdriver may like this. Just heard another way (hilarious and old school) to seek out noise sources in a circuit which I’m going to try tomorrow, use a screwdriver handle to your ear on suspect spots. Based on some consultation, I may know where this noise is coming from, and it’s a repeatable bug, just weird and is initiated by a software program. Maybe put a ‘scope on it too.

http://forum.audacityteam.org/viewtopic.php?p=242483&sid=88e7af4c8421af009ed9e9a665b9736d#p242483

Clive Robinson
It’s steeped in the mists of time….
–You know you started saying “If you’ll have a read back in the past..” almost immediately when the blog started; and have stated it so many times since like some sort of professor angrily trying to get his/her students to read. And I searched out your first reference and was unable to find it lol (I checked diligently). Also I noted sometimes you strangely seemingly addressed people before they even responded or weren’t there, as if you had a time machine or something… :p. And…your little coin-flipping trick; I asked about it but got no response pretty much. At first I thought you would flip it, catch it, then look at it really quickly and decide to flip it again as you put it on your other hand if it was the wrong side. Now I’m thinking something magnetic since you said it stands up and goes on neither side; perhaps two magnets that keep it locked in an upwards position. Don’t care that much, just slightly irritating… :p

Buck June 13, 2014 12:43 AM

@Wael
It would appear that I’m on a similar wavelength with you 😉
At least partially; with a subset of your proposed exploitable spectra (phone basebands to be precise)…
Will share more shortly!

Figureitout June 13, 2014 12:49 AM

AH! Forgot.

Clive Robinson
–You’ve banged on about patents (in DPA) and how they restricted experimentation and new knowledge and technologies; and how that’s linked to the “free market”. Well, a rather big development, Elon Musk over at Tesla, another one of those people that “make things happen”, just opened up all patents on their electric vehicles. Notice how such a successful individual is beating all the other old business folks, making moves first before many other dinosaurs. No doubt, getting a patent is surely a good feeling and can lock in a business’s profits; but certain ones are restricting development in extremely important areas, and we need to be not so stupid to realize that.

Also, at the end of the day, they still built the cars w/ their processes and someone would have to eavesdrop on that entire process cough someone… cough to steal their entire business.

http://www.teslamotors.com/blog/all-our-patent-are-belong-you

Gerard van Vooren June 13, 2014 2:57 AM

@ Wael

Thanks for showing us code in the Makefile. I didn’t search for it because it would ruin my day. 😉

@ Clive Robinson

You mention lots of good points.

“A better question would be one of why the asm is in the code in the first place, personaly I think the writter of the code should not have gone there. If you think about it there should be no “close to the metal code” required in OpenSSL it’s not as though it talks directly to hardware. As with the famous comments about “goto’s” you have to ask if it’s a “programer fault” with the developer trying to be clever or if there is a valid reason for it.”

“Currently the “reason” is very much under question/scruitiny and the “go faster stripes” argument which people would once have assumed by default may be found to be invalid, and possibly extreamly suspect. Which will almost certainly bring the developers ethics into question in a way they won’t be easily able to defend, even if originaly innocent.”

In short it comes to this: Why invite the nasty guests for dinner?

The price to pay for optimization is high. It hinders portability, in the case of OpenSSL there is a massive amount of asm code with a staggering amount of magic numbers. It also depends on third party tools (perl, masm, gas etc..), which don’t always work as expected.

I agree it could/should be written in pure C and the crypto code optimized for speed with compiler flags alone.

It certainly questions the ethics of the developers.

“The competent programmer is fully aware of the limited size of his own skull. He therefore approaches his task with full humility, and avoids clever tricks like the plague.” — Edsger W. Dijkstra

Clive Robinson June 13, 2014 6:34 AM

@ Gerard van Vooren,

I’m glad you made the Edsger W. Dijkstra link, he made some pithy but quite valid comments about the art and science of programing, his comment about BASIC being one of the most remembered (and most misquoted 🙂 with the “goto” a close second.

Much as I have a love hate relationship with both C and ASM I have some fairly strict rules about using them together as did the originators of Unix back when I was almost –still– a lad.

Much of my work over the years has been either very close to the metal –and often below– or squeasing the last few drops out of hardware resources. However I always adopted the policy of writing the code in the high level language, then as required move that which had need of ASM out into a seperate header file with enough documentation –including the original high level code– in it such that it was easily possible should the resources become available to be easily and cleanly moved back into the high level source where it belonged. Which unsurprisingly happened rather more often than not simply due to the pace of increased resources to the same or reduced cost in a development cycle. Likewise it alowed for easy migration to different CPUs and platforms quickly and easily.

These days however with 32bit microcontrolers with a quater meg or more of RAMcosting less than 16bit and 8bit solutions the need to dip down in all but hardware register addressing is long past.

For those who want a rough rule as to when to use ASM and where not to, the bulk of your OS kernel should not be in asm nore your system libraries that act as helpers to apps nor the apps. The only part of the OS you should consider in asm is task switching and interupts that are not over kernel generated. Hardware addressing asm should be kept absolutly minimal. Think of all interupts as consisting of two parts, a fast interupt driven data to/from a small circular buffer handler written to a very strict API written in asm. And a slow polled handler not written in asm that moves data to/from the circular buffer to a kernel buffer, that then applies “line disaplin” / “raw to cooked” handeling. It has some disadvantages but in the vast majority of cases will make your life much easier in the long run.

In all cases when asm is used the case must be very clear cut and fully documented in the source, otherwise the developer is being negligent, macho or both.

Clive Robinson June 13, 2014 8:27 AM

@ Figureitout,

With regards patents for electric vehicals I can make a very clear business case for doing it…

Currently there is too little demand for electric vehical components, which means a masive price premium has to be paid over that of petrol or diesal vehicals. Which translates into eye watering consumer prices that limit consumer demand and little or no profit for the manufacturer.

Any patents held just causes further restrictions in the market which has the negative effect of causing much technology diversification –AKA patent dodging– that keeps that price premium on components high.

Thus if you open your patents up manufacturers will use the same technology and components you use or some small variation, this will mean much increased demand for the components alowing the significant reductions in cost mass production brings.

Thus Elon Musk will see a drop in component prices he uses which will enable him to either make more profit or reduce his consumer price and attract more buyers and thus get more profit that way. As he is also already setup to manufacture as prices of component parts drops he should be able with agile behaviour to stay ahead untill the market becomes more mature, by which time he can move into a niche high profit –hypercar– market or become irresistably atractive for a permium brand buyout by one of the big manufacturers.

As they say “watch this space” to see what happens and if I’m right or wrong.

As for the coin trick, unless it’s been taken down in a site shift etc then it should still be up here somewhere.

But to save you hunting the process is,

1, put the coin on your thumb,
2, flick it high into the air,
3, catch with an open hand,
4, slap the coin down still covered onto the back of your other hand.

Which is the normal way of doing things and what people expect to see.

Now the missing bits,

3a, glance up and see which side is uppermost in your hand.
4a, rememmber coin is now the other way up.

Now when the other person calls, if the coin is the otherway simply lift your catching hand off your rest hand to show the coin the other way and they have lost the call. If however they call correctly as you lift your catching hand use it to turn the coin over so the person again had lost the call.

The two hard parts are firstly making 3a non obvious, this is generaly easiest done if you flip the coin high and catch high. Most people will keep their eye on the coin not on your eyes and even if they do because the coin goes high you watching your hand looks natural. The second and perhaps hardest part is learning how to slightly cup your catching hand to hold the coin so it actually does not touch the rest hand but stays a few milimeters above it. Thus when the call is made you either just press it doen as you take your hand off, or dig one edge into the rest hand and partly slide the catching hand over such that it turns the coin over.

With practice you can do this over and over again and people will know it’s a trick but not know how you do it even if they watch carefully.

My son when a lot younger spent an entire afternoon loosing befor he got the message that gambling is a mugs game, I’ve since shown him the Hunt the Queen card trick and the Find the pea trick. I also had a bit of gentel fun with his maths teacher who at the time was teaching him probability, who was a very nice young lady and a good sport and did not mind being shown her “fair coin” was anything but fair.

Which is a point worth noting, simple magic tricks are a great ice breaker and generaly better than even the classiest of chat up lines, and often if you do it right you get another person to buy the drinks so saves you money as well 😉

Even if you are –suposadly– to old to chat people up, it’s still good practice to keep hand eye codordi ation in and keep your joints working even with a touch of arthritis. It also teaches you some “palming skills” which are needed for doing basic “fieldcraft” such as “passing” from a “brush” and “droping” into a dead letter box, or into a marks pocket. With further practice “lifting” becomes natural so you could do pick pocketing as well. It’s best to start with a thumb lift from a facing bridge, simply you have a flat surface with a couple of coins stacked up on it, you put your finger tips on the surface between the coins and the observer with your thumb behind your fingers. As you appear to lean forward your thumb slides and tips the top coin such that your thumb pushes it up into your hand where a slight cupping holds it your thumb then comes out quit naturaly you pause to say something then lift your hand up whilst making a distracting movment with the other hand like a nose scratch or cough drop the coin in your pocket and bring the hand back. A little more advanced is to close the hand slightly pushing the coin between your fingers a you turn your hand annd open it again such that your palm is visable, bring it across your body in a natural movement such as holding your hand outto shake, but in the process drop the coin in the other hand. This trick has been done against jewlers for years where you covertly lift one ring from a pad whilst obviously picking a second, as you try the second one on you transfer the first to that hand covertly, you then take the second ring off and put it back in the pad whilst covertly pocketing the first. The jewlers attention tends to stay on the second ring. I’ve seen this done with watches, and even seen a swap where in the process of trying on the second the first valuable watch is replaced with a cheap fake that is sufficiently good to pass non detailed examination. With some famous name watches in mall shops being up in the 25K-50K USD range and good fakes being less than 5K you can see why some people do it. And dishonest traders do similar swapping whilst wrapping up the goods you have carefully examined, likewise when exchanging money etc. Also, when you “present papers” or “credit cards” check carefully you are getting yours back not somebody elses or fakes your passport could be worth several thousand dollars to a person on the run who looks like you, and could be out of the country and landed in abother within a few hours, whilst even if you notice fairly quickly they have been swapped, by the time you have rerported it to the local authorities it might take half a day or more before border inspectors get told. Then of course a passport can be cloned fairly rapidly, so it might even get handed in at the local police station or given back to you fairly quickly with profuse appologies for a simple mistake which means you might not even report it missing so it does not get canceled, and your “look alike” has upto ten years to travel on it or borrow money, setup businesses etc etc…

Nick P June 13, 2014 8:53 AM

@ Figureitout

re Walter White

Quite appropriate because I am the one who knocks [bogus security claims down].

re EAL’s

“You’ve mentioned your faith in EAL ratings before, can they not be “gamed”… or falsified…?”

I have an evidence-supported belief (not faith) that higher EAL’s increase assurance in development process. The security comes in this combined with what’s in the Security Target or Protection Profile. Those list the requirements, features, safeguards, etc. What’s contained in them is where they try to game the system so read it closely for any vendor. The EAL says how rigorous your development process is when you produce it. Both have to be good. An EAL7 evaluation of a firewall that doesn’t include countermeasures to firewall bypassing techniques in its Security Target might be quite insecure, for example.

The EAL5 rating is commonly called medium assurance. The Cygnacom Evaluation Lab explains it as such:

“EAL5 permits a developer to gain maximum assurance from security engineering based upon rigorous commercial development practices supported by moderate application of specialist security engineering techniques. Such a TOE will probably be designed and developed with the intent of achieving EAL5 assurance. It is likely that the additional costs attributable to the EAL5 requirements, relative to rigorous development without the application of specialised techniques, will not be large.

EAL5 is therefore applicable in those circumstances where developers or users require a high level of independently assured security in a planned development and require a rigorous development approach without incurring unreasonable costs attributable to specialist security engineering techniques.”

So, it’s commercial best practices plus some specialist security engineering. It might be a little and it might be a lot. For instance, Boeing SNS Server is designed with assurance features of highest level (EAL7) in key places, but stopped evaluation of system as a whole at EAL5 Augmented to avoid unnecessary effort/expense. At other end, the French evaluation lab certified a version of Mandrake Linux at EAL5 because it met the minimum for the standard… somehow. (Doubt they did a covert channel analysis…) EAL4 should be minimum for any software you buy that matters, with EAL6-7 representing more secure end.

re Tesla

Personally, I think what they’re doing is dumb. Wael and I’s conversation on patents ended with his recommendation I stockpile my own for defense. That’s easier said than done but is the right advice. It’s how all the big players are doing it. Those that don’t just get sued and forced to pay up 99% of the time. So, if Tesla has no patents, then they can be hit in future for infringing on others patents and not have a chance of a countersuit. It’s not a great position to be in.

@ Gerard

“I agree it could/should be written in pure C and the crypto code optimized for speed with compiler flags alone.”

Mostly. Having optional assembler implementations for crypto primitives is fine as it’s a standard practice in this field. Programmers also have portability-enhancing libraries from Apache and Mozilla if they want to totally ignore platforms in most of their code. Those also get plenty of security review thanks to widespread use and big bounties on bugs in respective apps.

Note: A mix of imperative programming, multiple assembler routines, and readibility is ridiculously easy to do with LISP macro’s. If only the main imperative languages had them. (!)

@ Clive Robinson

“These days however with 32bit microcontrolers with a quater meg or more of RAMcosting less than 16bit and 8bit solutions the need to dip down in all but hardware register addressing is long past.”

That Oberon was targeted to ARM Cortex microcontrollers supports your point. A minimal RTOS can usually handle the rest. RTEMS, eCos, ucLinux, etc.

Benni June 13, 2014 9:35 AM

@Rick:

Regarding your statement:
“, and after reading about its potential as a hack, I considered that it could be devastating to privacy, and in particular, VPN services”

Well, what can this function Opensslindirect Call potentially do?

I can only speak a few programming languages. Mostly C and C++. So perhaps this is a question where someone from libressl can give a better answer. And they indicate here

http://www.openbsd.org/papers/bsdcan14-libressl/mgp00025.html

http://goo.gl/TFjQNl

that it can be used as an ROP hack.

For me, I only can only comment regarding on the source code comments from Andy Polyakov, when he wrote this function:

“-# This function can become handy under Win32 in situations when
-# we don’t know which calling convention, __stdcall or __cdecl(*),
-# indirect callee is using. In C it can be deployed as”

The windows Hello world program goes like this:

#include <windows.h>
int WINAPI WinMain ( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
MessageBox ( NULL, TEXT(“Hello World!”), TEXT(“Test”), MB_OK );
return 0;
}

The function MessageBox is defined as follows

http://msdn.microsoft.com/en-us/library/windows/desktop/ms645505(v=vs.85).aspx

int WINAPI MessageBox(
In_opt HWND hWnd,
In_opt LPCTSTR lpText,
In_opt LPCTSTR lpCaption,
In UINT uType
);

and this WINAPI is a macro like the following:
http://msdn.microsoft.com/en-us/library/zxk0tw93.aspx

#define WINAPI __stdcall

usually, as I said above, you do not need to think about this calling convention, __stdcall or __cdecl.

If you do not specify the calling convention, youf function is a __cedecl function by default. This callinc convention is merely responsible for the order how things are put into the stack when a function is called:

http://msdn.microsoft.com/en-us/library/zkwh89ks.aspx

Microsoft wants that the Main function, the first function with which the program starts is called int WINAPI WinMain.

But appart from that, your own functions can use __cdecl right away, If you export functions in a dll (that is some library in windows), you can use both conventions, one convention for a certain part of the exported functions and the other convention for the rest

http://www.codeexperts.com/showthread.php?745-What-is-the-difference-between-cdecl-and-stdcall

But of course, whenever you write a dll, you have to give a correct c header to the client which uses it that contains the function definitions. And that header contains the calling convention.

Now we come to this code comment from Andy Polyakov:

“-# This function can become handy under Win32 in situations when
-# we don’t know which calling convention, __stdcall or __cdecl(*),
-# indirect callee is using. In C it can be deployed as”

You do not know the calling convention, when you have either been given an incorrect header file, or no header file at all.

This happens, if you want to call something that is not supposed to be called, for example, if you want to hack into some closed source program.

Now what programs can this be?

Current versions of Microsoft Windows have memory protection:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366785(v=vs.85).aspx

However, MS-DOS, or Windows95 either have none (MS-Dos) or only partial memory protection:
http://de.wikipedia.org/wiki/Speicherschutz

But given that this Openssl_indirect Call was added in 2005, one can assume it was there for systems with memory protection.

OpenSSL itself apparently exposes most of its functions in its API. So Openssl can not be the target.

Wael writes in a posting above:

“There is another possibility this function was added for instrumentation”.

I believe this is in fact a possibility.

Openssl provides support for hardware random number generators.

http://freshbsd.org/commit/openbsd/ab683e568bf8833c84b88b4c827186bee90b84ea?diff=lib%2Flibssl%2Fsrc%2Fengines%2Fe_4758cca.c

these generators would, if called by openssl, run in an adress space which is accessible by Openssl regardless of some memory protection of the operating system.

Certainly, if e.g. the boss of Huawei uses some hardware random number generator, the nsa would have a high interest, to make it generate numbers that the NSA knows. For this, you would need some way of hacking into the driver of the hardware at the time when it is called by openssl.

Perhaps the “openssl indirect call” function is for this purpose?

Clive Robinson June 13, 2014 11:29 AM

@ Nick P,

Re Tesla patents,

I note the following “weasel statment” in Elon’s blog comment,

    Tesla will not initiate patent lawsuits against anyone who, in good faith, wants to use our technology

“Good faith” means many things to many people, and it means nothing to a patent infringer without a legal agreement. Thus if another company used Tesla patents and then tried restrictive practice with their own then that is not “good faith” and leaves Elon and Tesla an open field to litigate in.

In essense what he is proposing is not “open source” but “cross licencing” where the other party has patents, where they don’t have patents then he is free to use their technology. The exception is an entity that has patents but does not use them or any of Tesla’s patents, the way the wind is starting to blow with patent trolls and Washington, it may not be long before judges start vacating patents that the holders only use to exthort illegitimate licence fees. Further if Tesla owns what are in effect primary patents to other entities secondary patents then any licence they charge to tesla for use of the secondary patent, Tesla get back with bonus on the primary patent.

The thing is that for all the broughar on electric cars they realy are quite environmentaly unfriendly, the batteries are heavy and low capacity with a very short life time. Recovering the metals etc used is expensive and again quite environmentaly unfriendly. But worse there is not enough of these metals to ever have more than a small percentage of vehicals world wide use this sort of grosely inefficient storage technology.

Unless alternative low cost light weight efficient storage technology is developed fully electric cars will remain a curiosity.

As with trains and various boats a hybrid solution is best, that is you use chemical storage and a hydrocarbon power plant run at it’s optimum efficiency, excesse power is put into short term efficient mechanical or electromechanical storage (think gyro generators etc) that is also fed from braking etc. The power plant is stopped and short term storage used untill virtually depleated then the power plant kicks back in again. Based on what I’ve been told by various researchers you could today with a little thought and care get the equivalent of 150 –UK– MPG, further more efficient solar cells could provide a significant boost to this on crussing in sunny environments. Apparently a good power plant currently would be a gas tubine similar to a small jet engine, or for small light weight vehicals fuel cell technology.

The only sustainable way for vehicals to remain as numerous and viable is to up their efficiency and replace fossil hydrocarbons with hydrocarbons efficiently generated from primary energy sources ( ie from the sun or nuclear fission or if it ever happens fusion).

Now I’m sure that Tesla and most large volume vehical manufacturers are more than aware of the significant issues with batteries, the question is thus what technology will actually if ever make them anything more than niche curiosities.

In the long term I’d put my money on some form of gassification of plant waste such as corn wheat maize and rice stem and leaf stock, where solar derived energy is used to turn them into some form of liquid hydrocarbon fuel and fertiliser efficiently. Rather than just use it as waste that is at best destined for landfill.

One novel sugestion I’ve seen is solar heating of sea water for desalination and then irigation the excess heat from this is used to provide a bio-digester running a little over blood heat, with the excess heat from this ending up in the equivalent of green houses for rapid growth of equitorial swamp type plants, that also get fed sewage and industrial effluant and feed the bio-digester. The digester output is the likes of methane and an organic slurry which ends up being burnt at high temprature to recover various minerals, the heat is then used as part of a gassification process to convert the methane upto liquid gas etc. Novel as this is I suspect it won’t happen because fracking output will be used in CHP type gassification to produce liquid gas in the future simply because of the advantages it has in energy density and transportation. Such gas mixtures even town gas and hydrogen will very hapily and efficiently drive gas turbines.

I won’t say the writings on the wall for battery only electric cars but, with current and forseable technology they will not be anything other tha niche, and I’m sure Elon has fa tored that in his thinking. Also he may have decided his future is not realy with electric cars but space systems…

Mike the goat (horn equipped) June 13, 2014 1:48 PM

sockets instead of netbsd in my next embedded project. I have a cemetery display board project coming up soon – might be the testbed for it. All it needs to do is control an antique flipboard (for the memorial display) and drive a small console with a touch screen to let people look up grave sites. I have done this before with X, no window manager and then having Firefox with a set geometry with the kiosk addon which disables pretty much everything. I had to write a custom driver for the touch screen (warning: don’t buy generic Asian junk) but asthing with jquery (there were only 10k records). A daily cron job checked an email account for updates. If found and the signature is okay it would turn it into a CSV with catdoc and then parse it into all the HTML files. The kiosk itself was in a phone booth style enclosure with a magnetic lock on it to close it during the night etc. I ended up using a little USB to GPIO board and hooking up a reed switch on the door which woke the PC if it was asleep when someone opened the door, and had a latching relay controlled by the board for the door lock – normally controlled by time, with time clock changeable by sending a signed email of a specific format. I wrote a cute little windows app for them to run on their client machine that lets them modify the door clock from a GUI and it works as a shell extension so they can just right click their excel spreadsheet of the deaths and send it to the kiosk. Simple but effective, but I am rambling.

Clive: on the subject of old machines and why they were superior – coding software to fit into limited resources was an exercise in itself and we saw some really clever ideas. Ultimately it meant that people had to think about how to optimize their code and if they could do it in five lines instead of twenty. You could argue that legibility often suffered and I guess in the extreme case that’s true. Then everyone got lazy.

Re alternative fuels and inventions – I truly think that in the next decade direct methanol fuel cells will advance to the point where it will make sense just to fuel our gas tanks up with methanol and have it power a fuel cell which keeps either a bank of supercaps or batteries charged (as a buffer and for regen braking) and we can say goodbye to the internal combustion engine forever.

Speaking of fuel cells I got a 10W cell off eBay a while back with the idea that I could take it camping with me and keep my gadgets powered up. I made an enclosure and setup a reservoir, made a charging circuit that feeds into a few 18650’s and have a 2A USB charger integrated. The only problem is that it in cold conditions the cell must be preheated before it will function.

Wael June 13, 2014 7:10 PM

@Buck,

Will share more shortly!

The longest time holding the breath underwater was 22 min 00 sec by Stig Severinsen (Denmark) at the London School of Diving in London, UK, on 3 May 2012. I think I obliterated his record. But if I hold my breath any longer, I’ll suffocate 😉

Buck June 13, 2014 7:42 PM

@Wael

Bleh! I’m being lazy 😉
It’s more a collection of articles than anything new… Still working on it
Long story short – Stingray-like devices can be produced with COTS software at a very modest price because mobile phone encryption is an exercise in security through expense (money or time) that has been basically eliminated thanks to Moore’s Law.

I was thinking that I should just go ahead and make my own and release the plans, but there are two problems for me… First being potential legal issues (although legitimate LEA Stingray use itself probably runs afoul of multiple laws), but the second is the bigger of the two. Do I really want to up the ante in this cat&mouse spy/counterspy game!?

If these devices become widely available, then we’ll simply see another slight increase in security, and then have to do this whole mess over again in 5-10 years… If what we’re doing here is really just propping up a new tech industry, lets call it like it is! No more of this mumbo-jumbo ‘National Security’ nonsense…

Nick P June 13, 2014 8:04 PM

@ Wael, Buck

Stingrays work by mimicking a base station to get a connection to a phone, then using typical triangulation techniques to get a lock on its location. The triangulation I’m guessing an engineer like Wael can figure out. The other part is done by devices called IMSI catchers. Chris Paget does plenty of good work in that area. This Wired article reports on one of his that costs $1,500. It’s aimed at 2G calls, but can jam 3G signals to force fall-back to 2G.

Combine the two technologies and you have a DIY Stingray.

Note: I always thought they had an agreement with the carrier to easily impersonate their base stations and just made crap up about high tech, up-close attacks for deniability. Of course, maybe the carriers aren’t cooperative and it takes the equipment.

Wael June 13, 2014 9:35 PM

@Nick P, @Buck,
Hard to communicate wirelessly for a period of time without being located. But you can create a confidential secure channel between two end points.

Nick P June 13, 2014 10:07 PM

@ Wael

It is. Only thing I’ve heard of that’s been fielded was burst transmission. I later looked into meteor burst, moon bounce, FSO relays, entangled photons, hyperencryption, and neutrinos for potential options. Still can’t say I’ve found a good option.

@Nick P June 13, 2014 10:28 PM

Excellent! Burst is the one. Compress the data and send it in a burst of a few short seconds, then change your location. Spies do / did that at one point. Meteor burst, I know nothing about. Moon bounce, I know. EME – Earth-Moon-Earth. Saw that in the early 80’s with a Ham radio operator, 2KW station. His neighbors complained as it screwed up their TV reception. His location was not exactly difficult to find. I kid you not, when he pushed the transmit button, his house lights dimmed and were modulated with his voice.

Wael June 14, 2014 2:56 AM

@Benni,
I got OpenSSL to build on my Mac, but x86cpuid.s was not generated (as expected, since it’s supposed to be for Windows). Maybe you should try it on your Windows machine if you care. Also if you do a ./config -no-asm, I am guessing it won’t be generated either, so I doubt the comment by the OpenBSD guys claiming it’s “unconditionally compiled” is true. Their other concerns seem rational to me. By the way, the calling convention is not only about the order of pushing the parameters on the stack, it’s also about who cleans the stack (caller or callee). I don’t think I want to spend anymore time on this…

Iain Moffat June 14, 2014 5:41 AM

@@Nick P

The classic burst radio transmission device was the clockwork AN/GRA-71 which was used in the 1960s by the CIA and regular forces in Vietnam and the British in Malaya and Aden. The later RACAL MEROD devices and the EMU fitted to SAS UK/PRC-319 radios in Iraq was a solid state counterpart using 300 baud data. While faced with a scanning receiver or spectrum analyser as an adversary and using narrow band fixed frequency radios, shortening the transmission to complete in a small fraction of the time the scanner takes to tune across the band is somewhat effective in reducing the chance of being detected, but such things became unsafe as soon as Bragg cell and later digital FFT based wideband receivers became practical as they see all signals within their pass band in real time. Modern fast A/D converters with 500MHz clocks or faster should make an FFT analyser that can cover the entire HF and VHF spectrum quite affordable now.

Amateurs have done meteor burst at least as long as moon bounce (EME) – while it allows VHF communication over the horizon the meteor echoes can be received over a wide area and is certainly not secure from detection – it may be harder to locate a source from the ground than an HF transmitter of equivalent range however. I would say that an EME or meteor ground station is about as hard for an adversary to locate as a satellite ground station – a significant effort to do remotely if ground-bound but trivial if air or space based receivers are available. Meteor has some merit over moon for clandestine use in that the ground station needs less power and is easier to hide, and the adversary has to scan the whole sky all the time rather than follow one easily predicted moon.

The other factor to consider when assessing the detection and location threat (as apart from decryption) is how far radio signals travel. At one time it was possible to hide from all but very local receivers on the ground by use of VHF or UHF and low power. The existence of airborne and space based monitoring significantly changes that calculation. Amateur radio contact between space and ground stations using a few watts is routine so even a cheap handheld radio can be monitored with ease from low earth orbit where the radio horizon is thousands of miles. It must also be remembered that an airborne or orbiting platform is moving so provides its own baseline and can take multiple bearings on a radio source to enable triangulation much more easily than a ground based system that requires multiple coordinated stations or to relocate repeatedly.

I believe the only way for radio communication to genuinely be safe due to physical limits on an adversary now is to use spread spectrum communications at low power (low enough to be well below the noise floor at satellite altitudes) and if possible use microwave frequencies around 25 or 60GHz where range is limited by water or oxygen absorption in the atmosphere.

Iain

Clive Robinson June 14, 2014 7:37 AM

@ Nick p, Wael, Buck,

Hard to communicate wirelessly for a period of time without being located.

We have discussed this befor…

All EM radiation follows an inverse square law as simple mathmatics will describe ( ie Pwr/Area). You need a certain minimum bandwidth for any information content.

Thus anyone betweeny your TX and recipients RX has as good a chance of receiving your communication as they do.

Those are the basic rules of the game and they are underpined by various assumptions and laws that are believed to be valid.

You can however play with the area covered, the transmission bandwidth used and the length of time of the transmission.

The simplest thing to do is to reduce the area the transmission is radiated across, this is achived in a number of ways, the simplest being the use of high gain antennas at both the TX and RX. More complicated is the use of multiple phase cohearent antennas which can be taken to extreams by MIMO systems. In theory MIMO of the EM carrier and information will prevent any adversary who cannot see all information channels from seeing the information.

There are two bandwidths you can play with, the EM carrier bandwidth abd the information bandwidth. The former gives rise to the likesof Spread Spectrum systems the latter burst transmission and multiple information channel systems.

Finally the one that tends to get ignored, which is time, the information channel can be compressed in time but as a consiquence has to increase both power and bandwidth. This is the major problem of burst systems they tend to stand out like a lightning strike on a moonless summer night. However the opposit also applies, if you streach the time the information is transmitted on the bandwidth or power or both can be reduced.

I have used microwatts of power in the VHF band to send simple t’lem info at 0.2bits/sec hundreds of miles very reliably which people using conventional equipment cannot receive standing with in eyeball range of the TX antenna.

The next series of tricks to play is to bend the EM signal around the corner or corners, it is however generally very lossy due to the issue of beam spread. Almost any vaguely conductive surface or surface with a suitably different dialectric constant will bend or bounce what would otherwise be a line of sight transmission.

The simplest is bending LF and HF in the atmosphear layers and even VHF and UHF can be “ducted” at certain times of year and weather conditions. For instance the “Northen Lights” caused by particles from the sun ionize the atmosphear making it extreamly conductive and tiny amounts of power will be efficiently reflected.

The same applies to meteor showers, their ionized trails make efficient reflectors. As for the moon yup it’s got a largesurface, but it’s not a particularly efficient reflector for various reasons sothe uplink needs tobe in the tens of killowatts Effective Radiated Power (ERP) for a just above the noise floor return.

You can –and it has been done– reflect signals off of low orbit space craft, but unless it’s designed to do it (tri-corner reflector) the efficiency is going to be way way down.

However there is the option of a “passive repeater” which essentialy is two antennas joined back to back by a veryshort length of transmission line. These used to be used in hilly or mountainous areas to get TV and radio signals into otherwise screened valleys. The advantage of such as system is it’s bi-directional simultaniously without all the attendant problems of active systems. I’ve built and used a system using 70cm antennas to relay signals from south London upto the “Downs” near Epsom and down to the “South Downs” near Brighton so that two walkie talkes could communicate over an otherwise impossible 70mile path.

As I’ve mentioned before “gumstick computers” with WiFi and broadband mobile modems can be easily built for less than a hundred USD and put up on municiple carparks etc simply by parking a car on the roof level. A simple script acting as a timer keeps the GSM and WiFi sides down except for a short time window. And it’s not that difficult to make “port knocker” software. Or as I’ve mentioned befor use an old fashioned “pager” to act as a switch via a serial line. A chain of systems using WiFi or amatur radio equipment or even X-band traffic light doppler radars and satellite dishes and set top boxes can link hundreds of miles with few node points.

The problem with such systems is not putting them together or deploying them, but blending in such that traffic correlation is difficult even for the likes of s Boeing “Rusty Rivet”. This is where the “herd mentality” comes in. Most network traffic is not like voice comms thus VoIP and equivalent video comms stands out no matter how much you encrypt it.

Thus you need your signal to be variously compressed, expanded and apparently sent to multiple valid IP addresses such that it looks like HTTPS traffic to say Google or other service. All without being to objectionble by the end users. Writing software to do this is actually not that difficult and most 2nd year CS grad students could do it as a one simester project with little diffuculty, if given pointers in the right direction.

Personally I would avoid standard mobile voice comms it’s dessigned so it cannot be easily made anonymous, not just for billing but because the Five-Eyes Intel Orgs have been backdooring phone communications in the name of “customer/network safety” since befor the phone was in general service to anyone other than an exceptional few, and Strowger was lossing business to a rival “en-cryptor”[1].

[1] The word “encrypt” in many countries means the same as “entomb” or to bury a body safely. Strowger was an undertaker by proffession and believed he was loosing business to a rival undertaker, and went from suspission to belief when he found that a close femail relative of his rival worked on the phone switch board. Which led him to invent the “woman less, fickel less automatic switch board” that remaind in service in many places even in the 1990’s because it was largely very very reliable and unlike most electronic solutions EMP and solar burst proof, and realy it was the advent of Home Broadband that was the final nail for strowger systems in all but a few select places.

Figureitout June 14, 2014 10:41 AM

Clive Robinson RE: Coin trick
–Ah ok now I can see it, flipping in the palm of your hand. Takes quick thinking. I was thinking you catch it, look, then flip or not depending on the call (which the person could call “unfair”). You can beat that trick though by saying to let the coin hit a hard ground (and keep your paws away from the landing :).

RE: icebreakers and “game”
–Yeah I’ve stopped those and my game’s cold now lol. I’ve pissed off a lot of girls though b/c I don’t want to put up w/ their BS, then of course I run into them later…I don’t know what to say to some people…I’ll just buy cheap beer and go back to my lab.

RE: a life of stealing
–Not for me nor really interesting, don’t have anything to prove to anyone.

Nick P June 14, 2014 12:34 PM

@ Wael

I knew it was your post as it was in the same “time slot” as the rest of your posts and the writing style is similar. 😉 Far as moon bounce, I just think bouncing communications off the moon is a cool idea. My investigation into its covert use presumed an ability to narrowly focus the beam enough to avoid the problems you mentioned. I wasn’t sure if that was achievable so I didn’t investigate much into it past a fun comms tech to play with. Infrared point-to-point, burst, meteor, quantum, and E/VLF were my primary investigations.

@ Iain

Thanks for your reply. With what little knowledge I have I’d suspected the properties of meteor burst transmission might make triangulation difficult. I’m glad you mentioned satellites because I overlooked it for some reason. So, final recommendation is spread spectrum at 25 to 60GHz. You sure they can’t monitor the entire spectrum in real-time? In that case, does spread spectrum really have benefit?

@ Clive Robinson

Thanks for the [beyond my skill] tips. A few I can use immediately. Others I’ll archive as usual for my future team of EE majors that can build it all. 😉

@ All (esp RobertT)

Nice article on how analog engineering skills are still in demand and in shorter supply each year:

http://www.eetimes.com/document.asp?doc_id=1322672&amp;

I remember during our secure chip discussions that RobertT kept bragging that he mixed analog and digital components together for obfuscations because most engineers didn’t even understand analog. Inspired by that, I speculated here a little about all-analog security schemes for encryption and computation. Mostly left that to gather dust. Yet, this article shows the viability of his scheme is accelerating in somewhere between a linear and exponential way. Future efforts to slow TLA’s should probably learn from it and put some amount of control/confidentiality protection into clever analog circuits.

Wael June 14, 2014 1:10 PM

@Iain Moffat,

The classic burst radio transmission device was the clockwork AN/GRA-71 which was used in the 1960s by the CIA and regular forces in Vietnam and the British in Malaya and Aden.

“@@NIck P” happens to be my illegitimate sockpoppet. I accidentally put his name in the name field.
Thank you for the informative links… One other possibility is line-to-line laser modulated beams. If the laser is in the invisible band, it can’t be detected easily, but there will be significant effort needed to align the receivers, and mobility is not easily achieved.

Iain Moffat June 14, 2014 5:41 PM

@NickP:

There is probably greater expense and inconvenience to monitoring higher microwave frequencies. Having said that the choice of 25 or 60GHz is to ensure that, if the power level is calculated to be low enough, atmospheric absorption will ensure that the power reaching a remote detector is below its sensitivity.

A DSS type spread spectrum system (or indeed any kind of simultaneous multi channel transmission which requires knowledge of the spreading code or correlation over multiple channels known to the receiver to recover a signal) avoids the need to radiate significant and detectable power on a single frequency which also helps keep a low profile against local receivers.

@Wael:

Free space optical is definitely viable for point to point links. There has been a lot of work done by radio amateurs in the North of England recently with routine communication over 90-100km paths. See:

http://www.g4jnt.com/OpticalComms/OpticalComms.htm
http://www.earf.co.uk/nanotrx.htm
http://modulatedlight.org/optical_comms/optical_index.html

They mostly use LEDs rather than lasers as pointing accuracy is less critical and some atmospheric problems are avoided by using a physically large and non-coherent source. The emphasis to date has been on range and throughput; from the security viewpoint I do ponder about dust/rain/mist in the path being illuminated by the beam and visible from the side or above.

Regards

Iain

Wael June 15, 2014 1:48 AM

@Clive Robinson,

All EM radiation follows an inverse square law as simple mathmatics will describe

This law applies to the far field. The near field relation is a lot more complex, but far filed is what we mainly care about anyway.

I have used microwatts of power in the VHF band to send simple t’lem info at 0.2bits/sec hundreds of miles very reliably which people using conventional equipment cannot receive standing with in eyeball range of the TX antenna.

Microwatts going hundreds of miles! How did you achieve that? I am really curious. I had a hard time reaching 10 miles with tens of milliwatts of power in that frequency band. What kind of antenna did you build? Must have been a parabolic directional antenna at both ends?

final nail for strowger systems in all but a few select places.

You really needed to insert the word “coffin” after nail. Fits the amusing story!

@Iain Moffat,

They mostly use LEDs rather than lasers as pointing accuracy is less critical

Appreciate the links! I was referring to this sort of lasers.

Rick June 15, 2014 1:03 PM

@Benni,

I was down for a bit but I’m back, now. Thank you for taking the time and patience to respond to someone who cannot code to the same degree that many on this forum enjoy. I read through your answer, cross referenced the information to a few sites, and like a layman reading a journeyman’s guide, I was able to piece together the concept. (I can script a bit but I surely don’t code for a living.)

So, in conclusion, it would appear that the ROP function in ‘plain vanilla’ OpenSSL remains suspicious, is a potential threat, but the keys to the kingdom haven’t been handed over a 3-letter government agency du jour (at least through that function).

Still, the messy condition of OpenSSL welcomes subversion and that (in and of itself) is reason enough to be suspicious given its wide role to protect the public’s private information. Apparently, according to Wael (contributor to this thread), that ROP function is not included in the FIPS version. Imagine that.

The VPN shop I communicate with was interested to know this, and fortunately, due to the informed discussion that ensued here their OpenVPN package will now include the FIPS version in a forthcoming release to their (numerous) users soon. Positive change can indeed happen, one step at a time.

Thank you!

Benni June 15, 2014 6:29 PM

@Rick:

In order for details that you can use in your business, it would be good if you contact the openssl developers on this matters.

I can only say that the comment from Polyakov regarding Windows looks like nonsense to me, since i have learned C and C++ on windows machines, and there never occured any problem for which I would have needed such a function, even if you do quite dirty hacks involving function pointers of API functions.

What the function Openssl_indirect_call itself is able to, for this the Openssl developers who found it are the persons who can answer better.

Ask them. Perhaps others would be interested in their answer, if they provide one.

Regarding the Fips version of Openssl:
I can not give any recommendation, since I would have to look at the Fips module first.

For example, in openssl-fips-2.0.5.tar.gz provided by the openssl homepage, I see the function Openssl_indirect_call still there. And I see it at the same place where it is in the regular Openssl library.

I do not know which package Wael ment when he said it would be absent in the Fips version. But perhaps the Openbsd developers can provide more reliable information for which systems this is compiled and where it is available.

On my gentoo Linux system, the assembler file that contains it seems to get compiled, too.

There are some blogposts indicating that the fips module was not affected by heartbleed:

http://fips140.blogspot.de/2014/04/openssl-heartbleed-bug-and-fips.html

but since this announcement came from openssl developers, I would have to verify it, before i could jump to conclusions. And for this i do not have the time now.

I do not know if the fips version is affected by these bugs:

https://www.openssl.org/news/secadv_20140605.txt

Since it was last updated in June.

Wael June 15, 2014 8:03 PM

@Benni, @Rick,

I do not know which package Wael ment when he said it would be absent in the Fips version

I specified it here: Secondly: I downloaded openssl-fips-1.1.2.tar.gz from http://www.openssl.org/source/ earlier on this thread.

I did a search for the function in the files. Below, it doesn’t show in “openssl-fips-1.1.2” but shows in “openssl-1.0.1h”.

[openssl-fips-1.1.2] grep -ir "OPENSSL_indirect" *
[openssl-fips-1.1.2] cd ../openssl-1.0.1h
[openssl-1.0.1h] grep -ir "OPENSSL_indirect" *
crypto/x86cpuid.pl:#    type OPENSSL_indirect_call(void *f,...);
crypto/x86cpuid.pl:#    OPENSSL_indirect_call(func,[up to $max arguments]);
crypto/x86cpuid.pl:&function_begin_B("OPENSSL_indirect_call");
crypto/x86cpuid.pl:&function_end_B("OPENSSL_indirect_call");
[openssl-1.0.1h]

I also said, grep is not the way to find out since the function name “may” change to something else. You need to get the tree as I outlined above and build it on your own. You’ll need to check the commits and really check the source on your own. I am not saying the FIPS version is any better or worse. As such, please don’t take my comments as a recommendation for one or the other.

Benni June 15, 2014 9:02 PM

@Wael

“I specified it here: Secondly: I downloaded openssl-fips-1.1.2.tar.gz from”

Openssl-fips 1.1.2? You mean this file, which is dated from

Dec 1 00:25:33 2007 ?
https://www.openssl.org/source/openssl-fips-1.1.2.tar.gz

I would strongly discourage to use an old openssl version. Openssl developers usually do not fix bugs. They only fix bugs when they are so severe that they can not ignore them. An old openssl version has to be assumed to be vulnerable with all sorts of flaws, and more importantly, with known flaws that were publicly announced. So using an old openssl version is an open entry door for hackers.

The recent fips version is:
Jun 20 21:21:47 2013 openssl-fips-2.0.5.tar.gz (MD5) (SHA1) (PGP sign)

And this contains openssl indirect call.

And still I do not know whether the recent fips version it is vulnerable by something that the developers have fixed in their recent non-fips versions of the library. That the module has been certified by NSA agents who placed a fips marker on it does not mean that its secure then. Just that it delivers a sort of security that NSA wants to see. Like their weakened standard random number generator DUAL_EC that made it into the FIPS versions of Openssl….

Wael June 15, 2014 9:15 PM

@Benni,
Was looking at the history in the git (used sourcetree). The indirect call was added by Andy in Dec, 3 2005. If I were worried about this function, I would remove it from the tree and compile my own version. I could not find a FIPS-1.1.2 Tag in the tree. I checked openssl-fips-1.2, and found it to contain OPENSSL_indirect. I would just remove it or use the version from the OpenBSD guys, if I were to do it.

Benni June 16, 2014 8:41 AM

@Wael: Yes, removing these things by yourself is the only option.

Look at the libressl code. Look at the openssl code.

And then you might perhaps guess that some of the removals they made in libressl can also be made in your version of the openssl library.

And then you can start changing the library by yourself, making your own changes, appart from the removals they did in libressl, in order to make your openssl library more secure. But do not forget to send patches to libressl.

For a business concerned about its security that is the obvious way to go.

It is hard, but there is no other way.
The only person you can thrust is yourself these days.

Michael Moser June 18, 2014 7:38 AM

what’s all this fuzz about openssl? They can always put in a SSL proxy in the middle; no problem. Chrome will not allow this for google certificates because its own certificate (interesting if there is a feature somewhere that can disable this check), for the rest of the world there is no problem.

Another issue is that the protocol is way to complicated, whatever they do there will be tons of bugs left;

i guess it would be better to focus on a comprehensive and openly accessible test suite for ssl implementations, so that the library can be tested with valgrind as an automation test.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.