Friday Squid Blogging: Antibiotic-Resistant Bacteria Found in Canadian Squid

This is not good news.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Posted on June 13, 2014 at 4:58 PM · 168 Comments

Comments

AlanS June 13, 2014 5:34 PM

The word “panopticon” keeps cropping up in discussions of the NSA (it also appears elsewhere e.g. in discussions of World Cup soccer security). Here are some appearances from the last week or so:
In the Guardian last week: Snowden showed us just how big the panopticon really was, Now it’s up to us;
Benjamin Wittes writing on Lawfare earlier this week: Why Does the Omniscient Panopticon Tolerate Glenn Greenwald? (I usually disagree with Wittes but in this case I think he asks a good question);
And the Reset the Net website, which states “The NSA is exploiting weak links in Internet security to spy on the entire world, twisting the Internet we love into something it was never meant to be: a panopticon.” And here’s an older example from Ars Technica last year, which comes with a nice image of a Cuban prison (more on that below) Building a panopticon: The evolution of the NSA’s XKeyscore.

In most places where the term appears it seems to be used as a slogan (it is just put out there, sometimes just in the title, and not discussed) and, as such, its use is disconnected from any understanding of Bentham’s original idea of the panopticon or Foucault’s analysis of panopticism. So here are some thoughts (rant, if you like) on the current use of the word panopticon and why it has a rather limited use as a metaphor for making sense of NSA surveillance.

There are certainly related elements going on here but by itself the panopticon is a weak metaphor for understanding NSA surveillance and other types of modern surveillance. In the literal meaning of the word, pan-optikón, NSA surveillance is all-seeing (actually much more so than Bentham’s idea of the panopticon would have been in practice) but is it functioning in a way that is disciplinary, as Bentham’s Panopticon was envisioned or as Foucault perceives panoptic practices to function? Panoptic surveillance isn’t secret. Look at the photo of the Cuban prison at the top of the Ars article or the photo of the US prison published in Discipline and Punish. The surveillance works because the prisoners are aware of the surveillance (or possible surveillance; they don’t know when they are being watched). The panoptic mechanism also acts on those being watched to structure their behavior in accordance with a norm—the discipline part. Ironically, none of these aspects was a feature of the NSA programs until Snowden blew the whistle. The NSA programs were secret and in fact the NSA argues that their exposure compromised their functioning. If these programs have taken on, to some degree, a panoptic functionality (see, for example, the First Unitarian v. NSA lawsuit), they do so as a result of their exposure. Note also that panoptic all-seeingness is limited to structured and constructed spaces (e.g. prisons, factories, schools, barracks). This is not the case with NSA surveillance (or Google’s ‘data collection and analytics’ for that matter). The architectural metaphor isn’t particularly enlightening when the surveillance involves infinitely extensible communications networks and massive online databases. There is no confinement, far from it. Roam where you will. Moreover, persons, in the direct and immediate sense, are for the most part not what is being observed or operated on.
It’s the endless bits that populations emanate which are collected, assembled and sieved for particular qualities, values or combinations. And much of those bits are coughed up ‘voluntarily’, in the sense anyway that one isn’t in a prison-guard/prisoner, teacher/student, sergeant-major/recruit type of relationship; one is often ‘incentivised’; and one probably has a rather limited awareness of the many ways the bits are being aggregated and used.

Also problematic is that Foucault’s analysis of panopticism (one chapter in Discipline and Punish) is taken out of context of the rest of his work. Many writings in the social sciences (which are themselves born from surveillance practices), including the field of surveillance studies, take their cue from Foucault’s writings on disciplinary surveillance, elaborating or critiquing the notion of panopticism in attempts to theorize modern surveillance practices. However, in his lectures in 1978 and 1979, following the English publication of Discipline and Punish (original French version 1975, English translation 1977), Foucault states that “security mechanisms”, not disciplinary mechanisms (although they are still present), are the main means by which power functions in neo-liberal states. However, these lectures were not widely available to English readers until 2007 and 2008, so many of the writings on panopticism misunderstand its significance in the larger context of Foucault’s own work and overlook the significance of the 1978 and 1979 lectures for making sense of modern surveillance practices.

Alexis Marlons June 13, 2014 10:34 PM

This is rather alarming news! I hope it doesn’t spread elsewhere, seeing that many actually enjoy eating squid (humans and other animals included). Thanks for the heads up!

koita nehaloti June 14, 2014 1:38 AM

To prevent or reduce use of vulnerabilities relying on malformed inputs, I think we should have separate 3rd party format checking programs, especially for proprietary formats like Flash, but also open source ones like ogg and jpg. The format checker verifies that a file or protocol message is not malformed. Additionally it can check that some parameters are not too big, like a picture 1000 million pixels large, or that banned features / functionalities are used.

Having such a format checker inside Firefox to shield Flash would mean installing 2 plugins: a format checker that gets the input first and then outputs it to the proprietary Flash, as it comes. It would cause a small delay.

To give an example: read the image file’s claim about how many pixels the image has and then count them. If the numbers don’t match, the file is malformed.

When using Flash or JavaScript, it’s best to have only a subset of all features in use and others blocked. Usually it’s best to allow only enough features to make YouTube work.

Just some thoughts…
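Taking the “read the file’s claim about how many pixels it has and then count them” idea literally, here is an added worked example (editor’s code, not part of the comment above) for the binary PPM/PGM formats, which were chosen because their header is small enough to check completely. It parses the declared width, height and sample depth, applies a pixel-count cap like the “1000 million pixels” case, and then compares the declared pixel payload against the bytes actually present. The `MAX_PIXELS` value and the sample files are constructed for the example.

```python
"""Minimal format checker for binary PPM (P6) and PGM (P5) images.

Added example, not from the original comment. It implements the commenter's
idea in three checks: a strict header grammar, a policy cap on the declared
pixel count, and a comparison of the declared pixel payload against the bytes
actually present. Anything that fails is rejected before a decoder sees it.
"""
import re

MAX_PIXELS = 50_000_000  # policy limit; constructed value for this example

# magic, width, height, maxval, then exactly one whitespace byte before pixel data.
# The spec also allows '#' comments between tokens; this checker deliberately
# rejects them as a "banned feature", which keeps the grammar unambiguous.
_HEADER = re.compile(rb"^(P[56])\s+(\d+)\s+(\d+)\s+(\d+)\s")


def check_pnm(data: bytes, max_pixels: int = MAX_PIXELS):
    """Return (ok, reason). ok is True only for a well-formed, in-policy file."""
    m = _HEADER.match(data)
    if not m:
        return False, "unrecognised or malformed header"
    magic = m.group(1)
    width, height, maxval = int(m.group(2)), int(m.group(3)), int(m.group(4))
    if width == 0 or height == 0:
        return False, "zero dimension"
    if not 1 <= maxval <= 255:
        return False, "maxval outside 1..255 (16-bit samples not allowed)"
    if width * height > max_pixels:
        return False, f"declared {width}x{height} exceeds pixel cap {max_pixels}"
    channels = 3 if magic == b"P6" else 1
    expected = width * height * channels      # the file's own claim
    actual = len(data) - m.end()              # what is really there
    if actual != expected:                    # too short or trailing junk
        return False, f"claims {expected} pixel bytes, found {actual}"
    return True, "ok"


# Constructed sample inputs (not real files)
GOOD = b"P6\n2 2\n255\n" + bytes(range(12))                 # 2x2 RGB, complete
GRAY = b"P5\n3 1\n255\n" + b"abc"                           # 3x1 grayscale, complete
TRUNCATED = b"P6\n1000 1000\n255\n" + bytes(12)             # claims 3 MB, has 12 bytes
OVERSIZED = b"P6\n1000000 1000000\n255\n" + bytes(12)       # 10^12 pixels declared
NOT_PNM = b"\x89PNG\r\n\x1a\n" + bytes(12)                  # different format entirely

if __name__ == "__main__":
    for name, blob in [("GOOD", GOOD), ("GRAY", GRAY), ("TRUNCATED", TRUNCATED),
                       ("OVERSIZED", OVERSIZED), ("NOT_PNG", NOT_PNM)]:
        print(name, check_pnm(blob))
```

The length comparison catches both directions: a file that is shorter than its header promises (the classic trigger for an out-of-bounds read in a decoder) and one that carries extra bytes after the pixel data, which a checker in front of a third-party decoder has no reason to pass through.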

Mike the goat (horn equipped) June 14, 2014 7:23 AM

Alexis: I haven’t had seafood since I saw this.

Bob: I am sure the NSA would just love to catch up with Snowden. Just for a debrief, you know… snaps rubber hose

Wael: it sort of just evaporated though, didn’t it? I know many at the time insisted it wasn’t possible, even after PoC code was released to show that this kind of air gap breach was indeed possible – but I don’t think Ruiu was ever actually able to prove anything at all?

AlanS June 14, 2014 8:29 AM

@Bob S

Interesting case of surveillance operating in reverse: the signals of the government agents being tracked by regular citizens. They usually don’t like this sort of thing (e.g. police making arrests being video recorded with cell phones):

N977GA was detected heading east over Scotland at the unusually high altitude of 45,000 feet. It had not filed a flight plan, and was flying above the level at which air traffic control reporting is mandatory….N977GA was not reporting its progress to air-traffic controllers, and thus it would normally have been necessary to use a massive commercial or military radar installation to follow its path. But, even if pilots have turned off automated location data feeds, ordinary enthusiasts equipped with nothing more than suitable radio receivers connected to the internet can measure differences in the time at which an aircraft’s radar transponder signal reaches locations on the ground.

Mike the goat June 14, 2014 9:12 AM

AlanS: unfortunately xpndr transmissions are unencrypted, so we can freely monitor both aircraft position reporting using nothing more than an RTL-SDR-supported USB TV tuner and one of the many ADS-B decoders. Unfortunately, this limits us to mode S equipped aircraft (the larger ones) – many of the small GA aircraft still have the old mode C (mode A squawk code with pressure altitude). If the FAA really cared about safety they would spend maybe $20m getting an electronics lab to mass produce a transponder that can be offered to GA aircraft for a nominal charge. The unit would have an LCD display and show on screen a TCAS-style ring with other aircraft it can ‘hear’ in the vicinity, along with the current squawk code. By hitting a button you could change display mode, with alternate display modes showing GPS alt, lat/long, pressure alt, and an AH/DG. The latter display modes will show information that isn’t necessarily flight certified but only intended to be a welcome backup in the event of the failure of primary instruments. You could achieve the latter with a consumer grade MEMS gyro and magnetometer. The device should have an internal GPS unit, as well as an NMEA input on the rear both for redundancy and to allow aircraft owners who don’t yet have a panel GPS to merely affix an external antenna. By interfacing with the intercom the unit will provide aural warnings and resolution instruction in the event of a loss of separation and will greatly assist those flying VFR to ‘see and avoid’. It should also incorporate a small 408 MHz ELT, armed by either an accelerometer detecting impact or by detecting vertical speeds in excess of norms. Just the relatively small expense of engineering such a device and then making it available to everyone will enhance safety, but the FAA would be completely unwilling to do such a thing. (end off-topic rant).

Going back on topic – I assume that everyone has heard the news about P.F. Chang’s customer credit card data having been compromised? Their CEO put out a press release yesterday saying that they are supposedly sorry and are looking into it, but this can’t look good.

Clive Robinson June 14, 2014 9:30 AM

@ ismar,

If you follow the second link from your first link you get to the primary article that is full of FUD.

You can whittle it down to,

    Once the malware is on the phone, it scans for electromagnetic waves which can be manipulated to build a network connection using FM frequencies to install a virus onto a computer or server.

Whilst not quite utter crap, this step is very difficult at best. Basically the claim is the phone somehow infects the computer/server. You need to consider what is required to do this step.

The only easy way to do it is if the computer/server has had some kind of software installed that can turn a part of the computer electronics not just into a receiver but one capable of also demodulating the data and coherently loading it as code into the computer’s memory at the right location…

For this to work with any computer it would require that all computers had this susceptibility and thus most likely had been deliberately placed in the OS code by the OS manufacturer/supplier and likewise the computer motherboard or other hardware had been suitably modified by the manufacturer/supplier.

Whilst I can see some manufacturers might be complicit, I don’t believe all are. Therefore I feel there is rather more to this than the journalist was told…

AlanS June 14, 2014 9:44 AM

@Mike the Goat

Too technical for me (sorry). I’m better on the social science aspects of the topics discussed here. But why “unfortunately”? The reversal of the visibility relationship is bad?

CallMeLateForSupper June 14, 2014 9:46 AM

A taste of The Internet of Things (IoT). Set in the future, after 2022.
(I note the mention of “Humboldt County”. No squid there though, I’d guess.)

http://www.wired.com/2014/06/the-nightmare-on-connected-home-street/
“Basically, my home is a botnet. The whole situation makes me regret the operating system I installed years ago, but there’s not much I can do. I’m pretty much stuck with it.” Defeatist. Of course there is something you can do about it; first, let go of that security blanket of familiarity that you hold in a death grip.

Nick P June 14, 2014 10:10 AM

@ Mike the Goat

Both the hack and their “solution” made Slashdot. Here’s an article on their response. The usual M.O. for hackers is the internal database is compromised. So, I’m sure changing the initial collection method will change that. 😉

Dejan June 14, 2014 10:14 AM

Amazon AWS continues to use TrueCrypt despite project’s demise

“Importing and exporting data from Amazon Simple Storage Service still requires TrueCrypt, two weeks after the encryption software was discontinued”

“Amazon.com did not immediately respond to an inquiry seeking information on whether it plans to support other data encryption technologies for the AWS import/export feature aside from TrueCrypt in the future”

http://www.infoworld.com/d/cloud-computing/amazon-aws-continues-use-truecrypt-despite-projects-demise-244151

http://docs.aws.amazon.com/AWSImportExport/latest/DG/encrypting-using-truecrypt.html

http://aws.amazon.com/importexport/faqs/#Security

AlanS June 14, 2014 10:15 AM

@CallMeLateForSupper

Relates back to the earlier discussion of Dan Geer’s Lawfare post: Dan Geer on Heartbleed and Software Monocultures. And also a more recent discussion e.g. see Clive’s post here.

Geer from Lawfare “One example of an effective monoculture, albeit within a domain that is almost but not quite Internet-scale, is the home and small business router market. Most on offer today are years out of date in software terms and there is no upgrade path. Those routers can be taken over remotely and how to do so requires low skill. That they have been taken over does not diminish their usefulness to their owner nor is that takeover visible to their owner.”

Geer took the issue of proliferating embedded systems and their security in a much longer and more developed discussion at Boston BSides last month. The video hasn’t been posted to their YouTube channel yet.

Mike the goat June 14, 2014 10:20 AM

Nick: sorry, I don’t follow /. anymore – too much irrelevant junk. Their proposed solution is indeed a joke. What I really want to know is why they were storing the data in the first place.

Wael June 14, 2014 11:10 AM

@Mike the goat,

it sort of just evaporated though, didn’t it? I know many at the time insisted it wasn’t possible, even after PoC code was released to show that this kind of air gap breach was indeed possible – but I don’t think Ruiu was ever actually able to prove anything at all?

It’s possible under one or more of several conditions:
1) BIOS already has the functionality
2) some rogue Option ROM on a peripheral
3) a virus that infects his MBR with a first stage infection – incubation period
I buy propagation through sound, but I believe the infection of a clean state computer is something he has not proven…

Mike the goat June 14, 2014 11:16 AM

Wael: it would have to be damaging to Ruiu’s career. Unfortunately we often come out with claims and suspicions ‘too early’ in the interest of providing the community with an early warning, but this can backfire, as I think we have seen in the case of badBIOS. I was really rooting for him to be vindicated, too as there wasn’t anything outlandish about the concept of using sound to bridge an airgap – and we have seen proof of concepts that demonstrate that it can work. Of course, there are going to be many computers – especially desktops – which don’t have a connected microphone so I can only guess that such a creation would be designed to ‘play the numbers’ or with laptops as an intended vector.

Nick P June 14, 2014 11:20 AM

re badBIOS’s style audio channels

It should’ve been considered earlier as audio was a well-known covert channel. I did a search going way back. The use of audio for covert signaling existed in the 90’s and in patents no later than 2000. The use case was typically watermarking. However, if you can embed a watermark you necessarily have a covert communication channel. Perhaps the industry needs to include that concept into our formal investigations for covert channels. Such a criterion might have gotten it (and others) noticed well before the badBIOS debate.

So, the covert acoustical mesh networks aren’t a “new” attack vector. They’re a new construction built on an old, known covert channel that security researchers simply didn’t pay attention to. Hence, the value of a more encompassing framework for identifying such things.

That said, I still think Kemmerer’s Shared Resource Matrix is fine and that people just ignored hardware/peripherals during analysis.
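As an added illustration of the point just made (editor’s code, not the commenter’s), here is a small Shared Resource Matrix analysis in the style of Kemmerer’s 1983 methodology. Rows are attributes of shared resources, columns are the primitives that reference (R) or modify (M) them, and a storage-channel candidate is any (sender, receiver) pair where the sender modifies an attribute the receiver can read, directly or through a chain of flows. The matrix, the primitive names and the single “physical coupling” entry are constructed for the example; the coupling is exactly the kind of hardware/peripheral row the comment says analysts left out, and the code shows what changes when it is included.

```python
"""Shared Resource Matrix walk-through with peripherals modelled as resources.

Added example, not from the original comment and not Kemmerer's own tooling.
R = primitive references the attribute, M = primitive modifies it.
Information flows a -> b when one primitive reads a and writes b, or when a
declared physical coupling (sound in a room, for instance) links a to b.
"""
from collections import defaultdict

# Constructed matrix: attribute -> {primitive: marks}
MATRIX = {
    "file.lock":        {"lock_file": "RM", "test_lock": "R", "unlock_file": "M"},
    "disk.free_blocks": {"write_file": "RM", "statfs": "R", "delete_file": "M"},
    "cache.line_state": {"load_line": "RM", "flush_line": "M"},
    "speaker.dac_out":  {"play_audio": "M"},      # peripheral: only ever written
    "mic.adc_in":       {"record_audio": "R"},    # peripheral: only ever read
}

# The row a software-only analysis misses: the speaker and microphone share the
# air in the room, so what one writes the other can read. (constructed)
PHYSICAL_COUPLINGS = [("speaker.dac_out", "mic.adc_in")]


def primitive_access(matrix):
    """Invert the matrix into per-primitive read and write sets."""
    reads, writes = defaultdict(set), defaultdict(set)
    for attr, cols in matrix.items():
        for prim, marks in cols.items():
            if "R" in marks:
                reads[prim].add(attr)
            if "M" in marks:
                writes[prim].add(attr)
    return reads, writes


def flow_graph(matrix, couplings):
    """Attribute -> attributes its contents can influence."""
    reads, writes = primitive_access(matrix)
    graph = defaultdict(set)
    for prim in set(reads) | set(writes):
        for src in reads[prim]:
            for dst in writes[prim]:
                if src != dst:            # a primitive that reads a and writes b
                    graph[src].add(dst)   # carries information from a to b
    for src, dst in couplings:            # flows no API exposes
        graph[src].add(dst)
    return graph


def reachable(graph, start):
    """Transitive closure from one attribute; an attribute reaches itself."""
    seen, stack = {start}, [start]
    while stack:
        node = stack.pop()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def find_channels(matrix, couplings=()):
    """Return sorted (sender, receiver, written_attr, read_attr) candidates."""
    reads, writes = primitive_access(matrix)
    graph = flow_graph(matrix, couplings)
    found = set()
    for sender, written in writes.items():
        for src in written:
            for dst in reachable(graph, src):
                for receiver, read in reads.items():
                    if dst in read and receiver != sender:
                        found.add((sender, receiver, src, dst))
    return sorted(found)


if __name__ == "__main__":
    print("software-only view:")
    for row in find_channels(MATRIX):
        print("  ", row)
    print("with the physical coupling modelled:")
    for row in find_channels(MATRIX, PHYSICAL_COUPLINGS):
        print("  ", row)
```

The classic rows (a lock flag, free disk blocks, cache state) are flagged either way. The audio pair is flagged only once the coupling row is present: with peripherals left out of the matrix the method is sound but reports nothing, which is the “people just ignored hardware/peripherals” failure in one line of input.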

Jericho Trumpet June 14, 2014 11:32 AM

CallMeLateForSupper,

Honan? Isn’t that the guy who was hacked not so long ago?
I don’t remember the details but it looks like this hack has quite struck him.

Mike the goat June 14, 2014 11:45 AM

Nick P: can’t agree with you more about people ignoring peripherals – we saw exactly this a few years back with the proliferation of USB flash drives and the numerous cases of corporate data exfiltration via that route before businesses woke up and started putting policies in place to prevent it. I guess it is another demonstration of the fact that it appears that people fail to correctly analyze the risk posed by a technology(ies) until they get burned.

Jericho Trumpet June 14, 2014 11:46 AM

AlanS,

The fact that he, Snowden, and Laura Poitras were all citizens shouldn’t have mattered, because protections for U.S. persons are all farcical. Yet it’s pretty clear that none of these people were under surveillance by NSA prior to the disclosures, which took the agency by complete surprise.

If it has monitored them, it has not taken action against them

I suspect this is not entirely correct since Poitras has been detained and interrogated by airport security numerous times. This is hardly no action.

Jericho Trumpet June 14, 2014 11:48 AM

And one more post:
Reaction to new security threat class.

Abstract:

Each new identified security threat class triggers new research and development efforts by the scientific and professional communities. In this study, we investigate the rate at which the scientific and professional communities react to new identified threat classes as it is reflected in the number of patents, scientific articles and professional publications over a long period of time. The following threat classes were studied: Phishing; SQL Injection; BotNet; Distributed Denial of Service; and Advanced Persistent Threat. Our findings suggest that in most cases it takes a year for the scientific community and more than two years for industry to react to a new threat class with patents. Since new products follow patents, it is reasonable to expect that there will be a window of approximately two to three years in which no effective product is available to cope with the new threat class.

http://cryptome.org/2014/06/reaction-new-threats.pdf

Wael June 14, 2014 11:53 AM

@Mike the goat,

it would have to be damaging to Ruiu’s career.

There are several possibilities, one of them is that the systems he ordered were interdicted, or maybe he messed with a STUX… type virus, maybe his media is infected, maybe… He just hasn’t given enough information. If I were in his position, I would capture the sound transmission and analyze it or post it somewhere to get expert help on the subject matter. His “root cause analysis” techniques were not very rigorous. Then again, one of the possibilities is he was simply told to STFU. The thing I get out of this is to build an acoustic-ultrasonic detection/capture device and keep it next to computers.
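The closing suggestion, a detector kept next to the machines, is easy to prototype. The following is an added example (editor’s code, not the commenter’s) of the analysis half of such a device: it runs a Goertzel filter over a 100 ms block of PCM audio at a set of probe frequencies in the 17.5–23.5 kHz band and reports the strongest tone it finds, so that a narrowband carrier sitting above normal hearing stands out from speech and noise. Sample rate, window length, probe grid, threshold and the synthetic audio are all constructed assumptions; a real deployment would feed it blocks from a microphone that actually reaches those frequencies.

```python
"""Near-ultrasonic tone detector for 48 kHz PCM blocks (added example).

Not from the original comment. The Goertzel algorithm computes one DFT bin
without a full FFT, which is all a watchdog needs: probe a handful of
frequencies above the audible band and flag any that carry a steady tone.
"""
import math
import random

FS = 48_000                 # sample rate (assumed)
N = 4_800                   # 100 ms block; bin spacing FS/N = 10 Hz
PROBE_HZ = range(17_500, 24_000, 500)   # probe grid below Nyquist (assumed)
THRESHOLD = 0.01            # amplitude on a full-scale-1.0 signal (assumed)


def goertzel_power(samples, target_hz, fs=FS):
    """|X[k]|^2 for the DFT bin nearest target_hz, via Goertzel."""
    n = len(samples)
    k = round(n * target_hz / fs)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone_amplitude(samples, target_hz, fs=FS):
    """Estimated peak amplitude of a sinusoid at target_hz (|X[k]| = A*N/2)."""
    power = max(goertzel_power(samples, target_hz, fs), 0.0)
    return 2.0 * math.sqrt(power) / len(samples)


def strongest_ultrasonic(samples, fs=FS):
    """(amplitude, frequency) of the loudest probe frequency in the block."""
    return max((tone_amplitude(samples, f, fs), f) for f in PROBE_HZ)


def is_suspicious(samples, fs=FS, threshold=THRESHOLD):
    """Flag a block whose strongest near-ultrasonic tone exceeds threshold."""
    amp, freq = strongest_ultrasonic(samples, fs)
    return amp >= threshold, freq, amp


def synth(tones, noise_std=0.02, n=N, fs=FS, seed=1):
    """Constructed test audio: a few sinusoids plus Gaussian noise."""
    rng = random.Random(seed)
    return [sum(a * math.sin(2.0 * math.pi * f * i / fs) for f, a in tones)
            + rng.gauss(0.0, noise_std) for i in range(n)]


# Constructed blocks: "speech-like" low tones, with and without a 19 kHz carrier
SPEECH_ONLY = synth([(300, 0.3), (1000, 0.2)])
WITH_CARRIER = synth([(300, 0.3), (1000, 0.2), (19_000, 0.05)])

if __name__ == "__main__":
    for name, block in [("speech only", SPEECH_ONLY), ("with carrier", WITH_CARRIER)]:
        flagged, freq, amp = is_suspicious(block)
        print(f"{name}: flagged={flagged} strongest={freq} Hz amp={amp:.4f}")
```

Two design notes. The probe grid and block length are chosen so every probe frequency lands exactly on a DFT bin, which keeps a clean tone from leaking into its neighbours; a modulated signal spreads across bins, so a deployed version would sum a band rather than take one bin. And the threshold is relative to full scale, so the microphone gain has to be fixed before the number means anything.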

AlanS June 14, 2014 11:55 AM

@Jericho Trumpet

I’m missing the thread here. You appear to be quoting someone else.

AlanS June 14, 2014 12:31 PM

@Jericho Trumpet

Now I notice you were quoting Wittes. I linked primarily because he used the word panopticon. I liked the question but I’m with you on his argument not being entirely convincing.

Wael June 14, 2014 12:38 PM

@Mike the goat,

Of course, there are going to be many computers – especially desktops – which don’t have a connected microphone so I can only guess that such a creation would be designed to ‘play the numbers’ or with laptops as an intended vector.

You still seem to be trying to vindicate him. I am not sure that’s necessary. Our questions are not really about his credibility. They are objective.

@Nick P,
I was just kidding about the sockpuppet thing! Your grammar is perfect — much better than… mine 😉

@All
So the thing I am failing to convey is: Yes, the audio bridge covert channel is possible — not science fiction. Papers, research, early modems, and other recent demos have clearly proven it is doable, long time ago — this aspect is not being questioned. The thing that is being questioned is how can a pristine out of the box computer have the ability to receive sound packets, decode them and store them in persistent memory if the target laptop doesn’t have this functionality already in? And if the functionality is not already built into the target laptop, what is the attack vector used to create this functionality? That is what I am questioning. To be able to write to BIOS or to Option ROM you need an API. Suppose there are no published APIs for creating such an attack vector, or more accurately, enabling it. Then someone has found a way to send a special type of magic packet that causes a fault in the sound hardware and allows arbitrary code execution. Then that means there is a zero day vulnerability in some firmware which was not published, or the functionality is intentionally available. Short of that, I don’t see the possibility. He did not say anything about other peripherals…

Mike the goat June 14, 2014 1:03 PM

Wael: re Ruiu – I just hate to see someone’s credibility ruined by such a thing. I agree with what you’ve mentioned. The whole thing doesn’t make any sense in that there is really no end game. Ruiu wasn’t a person of interest (as far as we know), so if it was present in his machine then presumably it would be present on everyone’s – and that hasn’t been the case. Samplings of the supposed communication appear to be just noise from the switching power supply.

Nick P June 14, 2014 1:07 PM

@ Wael

“The thing that is being questioned is how can a pristine out of the box computer have the ability to receive sound packets, decode them and store them in persistent memory if the target laptop doesn’t have this functionality already in? ”

Audio controllers and drivers have such functionality built-in anyway, don’t they? I’m admittedly just guessing as I’ve never built them.

“And if the functionality is not already built-in the target laptop, what is the attack vector used to create this functionality?”

IIRC, most of the claims were that the PC was attacked somehow and the audio was used for C&C. And then there were other discussions/claims of audio attacks. The NSA TAO catalog has USB implants that hit the BIOS for persistence, while providing built-in radio for C&C. So, that part is explainable easy enough: some kind of privileged access (kernel or DMA) is used to either inject code into a running BIOS or insert a malicious BIOS. The BIOS is usually used to initiate reinfection so it’s the root of mistrust. They had similar attacks on hardware firmware and on wifi. So many 0-days in so many potentially exposed places that there wasn’t even a need to attack via audio.

That said, if they did attack the system that way I’d look into the microcontroller and drivers. At some level a routine will interpret incoming data. These routines are probably tightly coded and privileged. There are certainly vulnerabilities in there. So, one might be able to craft audio data that gets through any initial signal processing, hits a weak spot, and causes execution of malicious code. Then, there’s always the subversion risk as RobertT pointed out that most components in the market are an oligopoly and most audio controllers are black boxes made by one vendor (RealTek?).

All in all, it’s just stuff that IOMMUs and a POLA architecture probably would’ve prevented automatically without us even worrying about the vector past hacker-induced audio playback problems (e.g. injecting death metal into Beethoven).

NobodySpecial June 14, 2014 2:48 PM

@Mike the goat – a system like that exists in Europe called FLARM. It was invented by glider pilots who fly a lot closer and a lot less predictably than power aircraft.

IIRC it isn’t sold in the US because of the cost/complexity/legal implications of doing anything remotely involving the FAA.

Interestingly its most profitable use is in open cast mining where it warns you that your SUV is about to be crushed under a 300-ton haul truck that won’t even notice.

NobodySpecial June 14, 2014 2:57 PM

@Nick P – we developed, patented and failed to sell, a covert audio channel in the 90s.
The idea was that you could broadcast a data channel in the audio from an unmodified appliance and peripherals would hear it and respond. The main sales pitch (for some reason) was toys that would respond to commercials/cartoons.

You could of course also use it to command everyone’s robot vacuum cleaners to rise up and enslave the world.

The big challenge was to get a spectrum that wasn’t annoyingly noticeable to the listener but would survive the various broadcast codes which were explicitly trying to remove sound information that wasn’t noticeable to a listener!

Skeptical June 14, 2014 4:02 PM

@Nick P re: Part A and Part B of Snowden Material

Define Part A as that material which sufficiently shows activities of such illegality or immorality that law-breaking to distribute it is justified.

Define Part B as that material which does not sufficiently show activities of such illegality or immorality that law-breaking to distribute it is justified. I further assert that Part B includes material relating to legitimate intelligence operations that may have required great sacrifice to implement.

You asked for evidence concerning the existence of Part B material.

(1) Many journalists, consultants, and activists who have viewed parts of the Snowden Material have stated that it contains information which is legitimately kept secret and which does not show illegal or immoral activities. These are individuals who would, if anything, be inclined to publish rather than not, so their statements count for quite a bit. Greenwald, at one point, asserted that Snowden had information that could do grave damage to the US military.

(2) Snowden himself, according to some of those he spoke to, stated that he did not want parts of the documents he distributed to be published. So he seems to recognize the existence of Part B.

(3) Much of the material that has been published falls into Part B territory. There is nothing illegal or immoral about spying on Russia’s President, nor eavesdropping on the political leadership of other countries, nor developing devices to be used to facilitate tracking and access to specific targets. Yet information regarding all these things, and more, was handed over to various persons across the world, and much of it was published.

On another note, a possibly interesting interview of Clapper by David Ignatius of The Washington Post was published last week. What’s interesting is that Ignatius’s column, after recounting a few remarks by Clapper, then proceeds to quote an unnamed senior intelligence official on the utility of a legal resolution (i.e. plea bargain) for Snowden. Ignatius receives quite a bit of access and is well respected. I’m not entirely sure why Clapper chose to grant the interview, but I found the subject discussed for nearly half of the column to be interesting.

@Jericho Trumpet re Poitras: with respect to the objection you raise, Wittes’s point is that if the NSA had Poitras and Greenwald under surveillance, then the NSA would likely have picked up on Snowden before anything could be leaked. His argument isn’t that Poitras was never subject to other types of security attention by the US, such as being questioned upon entry/exit of the United States.

Today's Big Lie June 14, 2014 6:46 PM

Nothing illegal or immoral about spying on political leadership or “targets.” NSA persona Skeptical is going to pop a hernia trying so hard to maintain his wilful ignorance of Vienna Convention on Diplomatic Relations Article 27 clause 2 and Article 30 clause 2, ICCPR Article 17, UDHR Article 12, American Declaration Article X, American Convention on Human Rights Article 11, European Convention Article 8 clause 1, or the legal precedent of Questions relating to the Seizure and Detention of Certain Documents and Data (Timor-Leste v. Australia).

Dishonorable panty-sniffing sneak thief Michael Rogers thinks repeating the same lie over and over and over will make you believe it. That’s how stupid NSA thinks you are.

Clive Robinson June 14, 2014 9:06 PM

@ Mike the Goat,

Ruiu wasn’t a person of interest (as far as we know), so if it was present in his machine then presumably it would be present on everyone’s – and that hasn’t been the case.

I wouldn’t say Ruiu was not a person of interest without defining a few things first.

From memory he had been involved with research for over fifteen years and has had a reasonable degree of contact with people whose hat colour is darker than most. Also he has knowingly swapped USB drives with presentations on with some of these people (not wise but then most humans don’t have the time/patience for sensible OpSec 100% of the time).

The FBI had a real problem around five or so years ago over various political and direct activists some of whom were suspected of being “counter culture hackers”. As we now know with Anonymous the FBI MO was to look for “an in, and turn” or to place an agent provocateur in some way.

Ruiu was known to have contacts that could well be persons of direct interest to the FBI, thus he might well be used as a stepping stone to get to them.

As I’ve said before, sexy as BadBIOS is as a name it’s misleading at best and having injudiciously talked to certain journalists Ruiu found himself on the wrong end of a lot of publicity based on salacious surmise.

Now let us suppose for a moment that the FBI were on a body scavenge, it’s known that those whose hats are darker than average do practice a reasonable degree of OpSec, part of which is “sleeping with your rifle” ie keeping their laptops etc in sight or under the pillow at all times. And importantly not connecting to any networks etc.

As I’ve mentioned back when IBM ATs were the highend system of choice malware moved from machine to machine via removable media, not by local area networks because they did not really exist in the wild back then and in research and similar places had thumb thick cables and large boxes of TTL chips as Techno Balls&Chains.

There are a few of us “old cannons” still hanging around even if we are not as limber as the modern “young guns” and like elephants of old we remember these tricks especially when young guns believe we can not be taught new tricks 😉

The reality is the other way around, people think USB memory sticks are like removable media of old and thus can be scanned for malware. Some of us old timers know way way better than most that that idea is “a pile of fetid dingo kidneys”. So I suspect the FBI have sufficient tame old farts to tell them of the opportunity it presents.

So I suspect Ruiu was targeted at some point with a poisoned USB pen drive and assumed that what his AV software told him was true, and that’s how he caught the virus, which then spread to all his other computers over a relatively short period of time.

I further suspect its purpose was to literally “sing out” so that those practicing a semblance of OpSec at conferences and other gatherings could be identified and thus subject to monitoring or recruitment, to give the FBI their “In and Turn”.

Whilst a high bandwidth would be required for the initial infection, the limited bandwidth of a covert audio system would be more than sufficient to act as a beacon or headless control channel.

I would also expect State level firmware rootkits and malware to have self-destruct codes for various reasons (some of which Flame and Stuxnet identified), which might well have been improperly implemented, and thus it was in effect the ghostly remnants that Ruiu was seeing.

However, even if Ruiu was “leant on” to shut him up, or just imagining things, the cat is most definitely out of the bag for covert audio and lying thumb drives. Others have –as I thought they would– produced “proof of concept” software that’s now in the public domain, so naysaying deniability is now not possible, and those practicing OpSec will have added wire cutters to their toolbox to snip the speaker and mic wires in their laptops.

Further, Ruiu got overtaken by the Ed Snowden revelations and the appearance of the TAO catalogue, and as such his BadBIOS is now just a footnote in security that is no longer worth getting to the bottom of.

Of more interest is the notion of all computers being exploitable by a co-located but unconnected device such as an infected laptop or smartphone.

If this is not FUD then the implications are worrying to say the least.

As noted by @Robert T, the audio chips are a prime suspect simply because they nearly all originate from a single source one way or another. Likewise certain “server grade” chips which reputedly have complete GSM RXs and TXs for “technical support” or Over The Air updates etc.
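
A worked illustration of the bandwidth point in the comment above (high bandwidth for the initial infection, very little needed for a beacon): the following is an added example, not Ruiu’s code nor any published BadBIOS proof of concept. It modulates bytes as two near-ultrasonic FSK tones and recovers them with a Goertzel single-bin detector, with the channel impaired by constructed Gaussian noise. The sample rate, tone frequencies, 20 ms symbol length and the assumption that the receiver is already symbol-aligned (no sync preamble) are all assumptions chosen for the example.

```python
"""Toy FSK acoustic beacon: bytes -> two near-ultrasonic tones -> bytes.
Added example; not code from Ruiu or from any BadBIOS proof of concept.
All parameters below are assumptions picked for the demonstration."""
import math
import random

SAMPLE_RATE = 44100      # Hz, typical laptop codec rate (assumed)
BIT_SAMPLES = 882        # 20 ms per bit -> 50 bit/s (assumed)
F_ZERO = 18000.0         # tone for a 0 bit; both tones are integer multiples
F_ONE = 19000.0          # of the 50 Hz bin width, so no spectral leakage


def bitrate():
    """Symbol rate in bit/s; enough for a beacon, far too slow for an infection."""
    return SAMPLE_RATE / BIT_SAMPLES


def _bits(data):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def modulate(data):
    """Return float samples in [-1, 1] carrying `data`, MSB first."""
    samples = []
    for bit in _bits(data):
        step = 2.0 * math.pi * (F_ONE if bit else F_ZERO) / SAMPLE_RATE
        samples.extend(math.sin(step * n) for n in range(BIT_SAMPLES))
    return samples


def goertzel_power(samples, freq):
    """Energy of `samples` at `freq`: a single DFT bin in O(N) time."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples):
    """Recover bytes from symbol-aligned samples (no sync search here)."""
    bits = []
    for i in range(len(samples) // BIT_SAMPLES):
        chunk = samples[i * BIT_SAMPLES:(i + 1) * BIT_SAMPLES]
        one = goertzel_power(chunk, F_ONE) > goertzel_power(chunk, F_ZERO)
        bits.append(1 if one else 0)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def add_noise(samples, sigma, seed=1):
    """Constructed channel impairment: additive Gaussian noise, seeded."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def roundtrip(data, sigma=0.5):
    """Modulate, push through the noisy channel, demodulate."""
    return demodulate(add_noise(modulate(data), sigma))


if __name__ == "__main__":
    payload = b"beacon:7f3a"   # constructed beacon payload
    print(bitrate(), "bit/s ->", roundtrip(payload))
```

At 50 bit/s an 11-byte beacon takes under two seconds of audio, which is the asymmetry the comment describes: a headless control or beacon channel needs almost nothing, while delivering a firmware implant this way would take hours and would be far more fragile. A real receiver would also need a preamble to find symbol boundaries and some error detection; both are left out here to keep the modulator and detector visible.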

Wael June 15, 2014 2:11 AM

@Nick P, @Clive Robinson, @Mike the goat, @all — Including MIA @RobertT

Audio controllers and drivers have such functionality built-in anyway, don’t they? I’m admittedly just guessing as I’ve never built them.

They do. But unlike a network card, they have two differences:
1- They are not always on, receiving packets, discarding uninteresting ones, and handling packets that are addressed to them.
2- They need an application to communicate with the device driver and send it commands to do things — either openfile(), readfile(), createfile(), or any of the other IOCTLs implemented by the driver.

It is a requirement of the target system to be ready for a remote acoustic command to start doing its thing. If that is the case, then subversion is a probability. If not, then there is a vulnerability that no one has published. It’s not really that difficult to examine the device driver and monitor its behavior under various inputs, given that we make sure all code was covered.

some kind of privileged access (kernel or DMA) is used to either inject code into a running BIOS or insert a malicious BIOS.

As far as I know for any application to write any persistent data to the BIOS, the BIOS must export such an interface. On most systems I worked on, the BIOS flashes itself when you update your BIOS. And the BIOS usually verifies digital signatures or at the very least some checksums before accepting to flash an image. I haven’t worked on BIOS for close to 10 years now, and I only worked on it for two or three years, so I forgot some stuff.

The link you posted (CodeAurora) is a good example to illustrate the problems I see with the badBIOS claims. In the link you sent, the buffer overflow in the audio driver needs something to exploit it and run “arbitrary code” — through well known methods. These methods are other applications or drivers that exploit the vulnerability. The problem with badBIOS claims is the attack channel is no longer a piece of software smashing the driver stack! It’s an acoustic packet, see. An acoustic packet that’s causing a buffer overflow on a device driver that’s not even accepting commands from an application. For this to work, subversion at some level is needed, meaning the system is in a state to accept such an acoustic packet to start its thing.

Just before I posted this article, it hit me that I was talking about legacy BIOS. If his systems were using UEFI, then my view will change, as I am not as familiar with it. I went to their page, http://www.uefi.org/specs/access, to get the specifications, and there are some forms to fill out… eh, not in the mood to read that at this point. But it’s an area that needs to be looked into. Subverters, you see, will always try to sit underneath the target so that the target cannot detect them. The “joke” I borrowed from you and expanded to offense in depth, height, and width… is not really a joke 😉 So UEFI needs to be looked at as a possible culprit.

All in all, it’s just stuff that IOMMU’s and a POLA architecture probably would’ve prevented

EXACTLY! That’s the reason I was saying a security architect cannot wear the hat of an attacker during the design phase of a system. Start with the principles, map the needed security capabilities to each principle that needs to be applied, then implement your system, and give it to your pen testers (penetration testing) and your QA people. This is all fine, with one small missing part! How do you know what principles you need, how do you prioritize them, and how do you test the system at the principle level? Then we’ll go back to the C_v_P discussion, and you’ll see where I was going with my previous attempts 🙂

Gerard van Vooren June 15, 2014 3:31 AM

@ Skeptical

“(3) Much of the material that has been published falls into Part B territory. There is nothing illegal or immoral about spying on Russia’s President, nor eavesdropping on the political leadership of other countries, nor developing devices to be used to facilitate tracking and access to specific targets. Yet information regarding all these things, and more, was handed over to various persons across the world, and much of it was published.”

It might be legal, I don’t know about that (IANAL).

When you are in Russia caught placing an eavesdropping device in the phone of Putin, you have a problem. A serious one! And that is because we, humans, just don’t like to be sniffed at, and definitely not on a professional basis. So I am quite sure it IS immoral and when you are caught in the act the legality (even if you have a court order signed by the highest judge) doesn’t matter.

uair01 June 15, 2014 3:42 AM

In response to the “panopticon” comment at the top:

Recently I’ve found the interesting concept of the “oligopticon” in an old article by Bruno Latour. It feels like a useful concept for the mental toolbox.

Latour states that large control organisations (and he uses traffic, water and police as examples) can only see “all” because they choose to see very little. He then describes the detailed filtering and transformation steps by which an organisation controls “all” by seeing just a thin slice of reality.

“We now know, every panopticon is an oligopticon: it sees little but what it does see it sees well.”

“Water, electricity, telephony, traffic, meteorology, geography, town planning: all have their oligopticon, a huge control panel in a closed control room. From there very little can be seen at any one time, but everything appears with great precision owing to a dual network of signs, coming and going, rising and descending, watching over Parisian life night and day.”

“As their name indicates, the “pan-opticons” make it possible to see everything, provided we also consider them as “olig-opticons” … In the oligopticons we don’t see a drop [of water]. If the SAGEP operators are able to run such a complex network so skilfully, it’s because of the parsimony with which they accept data – obtained – on their screens. Their wisdom is proportional to their deliberate blindness. They gain in coordination capacities only because they agree to lose first water and then most of the information.”

What caught my attention is that Latour does not see these organisations and their control systems as “evil” or “coercive”. And finally he concludes that there is still space for freedom:

“As big as the oligopticons visited in our inquiry may be, they occupy only a few square metres, and if they spread everywhere, it’s only through very fine cables that the slightest trench dug in the ground for the flimsiest motive. But what is there between these cables? Nothing. So there’s the space we need to be able to breath more freely! No cloth is big enough to wrap up the whole of Paris like Christo wrapped up the Pont-Neuf.”

It is food for thought. Antidote against “we’re all lost because the NSA is so powerful”.

http://www.bruno-latour.fr/sites/default/files/downloads/viii_paris-city-gb.pdf

koita nehaloti June 15, 2014 4:20 AM

RE: Radio absorption instead of reflection for reducing emission leaks from electronics

At least in the past there were microwave absorbing millimeter thick disks to aid food heating in a microwave oven. It was civilian use of a “stealth plane’s skin”, for 2.45 gigahertz.

We need to have that kind of material in common widespread use for both security reasons and for separating WLAN bandwidths between rooms and neighbors to increase bandwidths. (and maybe, if it is true that radio has some health effects on some people, animals or plants, to shield them)

On what principle does that kind of material work? From what kind of parts or layers is it made? Does it need any horizontal structure or just layers of something? How to make something close to that from common materials? It is probably not possible to achieve the same performance and thinness as the food company with its pizza heaters or as Lockheed Martin with its stealth fighters, but it does not matter in home use.

Mike the goat (horn equipped) June 15, 2014 4:51 AM

Koita: in principle it is quite straightforward to attenuate EM emanations from your home or office by laying down copper foil or fine copper mesh on the walls prior to erecting the drywall. The critical thing is to ensure that each wall is bonded to each other via soldering and metallic tape. Windows can be protected using a specialist conductive “sticker” of sorts which contains a fine honeycomb-like structure of fine wire. Obviously this needs bonding to the rest of your cage. Your roof also needs attention. Some would argue you could get away with ignoring the floor, esp. if you are on ground level and are on a large slab of concrete, but by simply pulling the carpet and laying conductive mesh and replacing the carpet you can make a pretty reasonable cage for little $$$.

Obviously you still have penetrations for plumbing/HVAC/etc. and unless you solve these issues you will still have some leakage, with HVAC vents a major issue. Fortunately the same strategy – a honeycomb like meshed wire over the vent opening (and bonded to the rest of your cage) can work here.

I have tested such improvised shielding and found that it eliminates WiFi emanations from the apartment where I was staying – I stood directly outside the door (which I of course had lined and bonded) and could pick up nothing using a cantenna and a laptop. Of course your adversaries may have much more sensitive equipment, but any EM protection is better than none. Unfortunately I didn’t consider the obvious – that I would no longer have cell service in my apartment – but in a way that was a feature anyway ;-).

Iain Moffat June 15, 2014 6:47 AM

@Mike, Koita

Koita actually has a point – absorbent materials that convert RF to heat, as opposed to screening, have the merit that they don’t need earthing or form slot radiators at bad joints. I suspect, without trying the experiment, that a good screened room is much better than a good absorbent wallpaper, but a bad attempt at screening may be worse, not least because it gives a false sense of security due to joints degrading over time.

Years ago at work we had an indoor EMC test facility which was a screened room lined with copper plate covered on the inside by pyramidal carbon loaded foam rubber pieces. It used to be common in amateur radio to use pads of the black anti-static foam that protected static-sensitive chips in transit to line the lids of RF screened boxes to prevent unwanted oscillation of microwave and UHF amplifiers due to coupling between stages – I believe it is much the same stuff although if I remember the foam in the EMC room it was quite hard and brittle in comparison. 6mm (1/4 inch) thick anti static foam is about £10 (US $1.60 approx this week) per square metre (10 square feet) in the UK although I would want to investigate fire safety and fumes before using it on a large scale indoors !

The materials used in microwave food packaging are actually much more conductive – the common matt grey finish is probably cardboard with a layer of aluminium flakes printed/painted on – the idea is that they get very hot very soon and transfer heat to the food by radiation (to achieve browning of chips/fries) or conduction (to help the outside of the food to cook at the same rate as the inside). A google for “microwave susceptor” will find much more on the topic. http://www.google.co.uk/patents/US5389767 has a useful “Prior Art” section. The materials are available as card and paper for use by food manufacturers e.g. http://jiffycrisp.com/37723/index.html . I doubt that the use of these materials for wallpaper would meet Clive’s standards for a Tempest screened room but it would likely reduce WiFi leakage by a useful amount.

In the amateur radio world it is generally good advice to test any plastic proposed for use as an insulator in antennas or high power amplifiers in a microwave cooker for a few seconds to make sure it doesn’t get hot – I guess the reverse of this test could be used to identify suitable candidates for RF absorbent wallpaper.

Iain

Mike the goat June 15, 2014 7:10 AM

Wael: yeah, UEFI changes everything. Gheez, isn’t UEFI an example of working group design?! Intel and friends assured us that Secure Boot was going to help make things so much more ‘secure’, along with key storage in their fantastic TPM – oh, and they’re even nice enough to speed up our key generation with RdRAND and native AES instruction set. They truly are on our side. </sarcasm>

Going back on topic – I think that badBIOS could have made its way into the machine via two ways – a) The evil code was added as a BIOS component before Ruiu even got the machines (i.e. his PCs were interdicted on the way from Dell; or a black-bag approach when he was not present at home). Alternatively his PC was infected by normal means [email attachment, browser exploit, evil USB stick as suggested by Clive, etc.] and the malware modified the BIOS. Adding a component isn’t difficult – I did just that years back for some computers destined for a high school to include etherboot code in the BIOS (these days I’d probably just use PXE that’s integrated into all NICs nowadays anyway). From memory I used a tool that Phoenix actually supplied OEMs called ‘cbrom’. The BIOS-modifying conventional malware route is convincing (you could actually make this pretty universal these days given there are only really two BIOS manufacturers and both of them have tools you could include to insert your components on-the-fly) and in a limited sense it has been done before. Given the small amount of space the code would likely just be something that maintains its persistence, perhaps by injecting itself into the boot process by replacing one of the files Windows executes on boot with its own self. Implementing enough NTFS support to be able to do this deed is possible even with these space constraints – look at Computrace/Lojack. Yes – they could have shipped the PC with an evil audio chip or similar compromised peripheral. Is any of this highly likely, particularly when the guy is just an event organizer and is clearly not a high value target? No way would they risk discovery of something like this on Ruiu.

I think the most likely conclusion we can reach is that Ruiu observed something he perceived as unusual, jumped to some pretty far out conclusions and spoke too soon. We all know that the concept of badBIOS is certainly possible and that someone will probably do just that now that the seed of an idea has been planted in those who have observed this.

Skeptical: I would argue that most of the released Snowden material was in the public interest, and most of the details released came as no surprise for the initiated in the computer security industry. The way they slowly dribbled out the documents may have been good for the newspapers but it wasn’t helpful to those of us trying to make sense of things without much context. The redactions that the Guardian et al. made to the documents were even more peculiar – for example the removal of the names of the compromised VPN appliances. I know some – and if past posts are any indication – you will call Snowden’s actions out as dangerous, un-American, unpatriotic – whatever you want to label it, but I believe most of us here see him as a whistleblower and someone who obviously genuinely cared about the country and its constitution – which was being flagrantly violated.

Clive: as always I appreciate your “old cannon” insight!

Benni June 15, 2014 7:26 AM

SPIEGEL is up again:

More than 200 American spies are working as “diplomats” on German ground. To this come several hundred members of the NSA working in Germany.

And they spy on Germans with help of the German government. For example, a special treaty says that the NSA can tap all German communication to get information on terrorists, and they can tap everything if the communication partner is on foreign ground.

NSA says “the cooperation with the listening station used by both Americans and Germans who work together on the same tasks” would be “unique”.

NSA writes that the “joint sigint activity” of BND and NSA should remain top secret under all circumstances.

The NSA writes furthermore that German BND data has been used to successfully capture or kill 40 alleged terrorists.

Apparently this is the new vision of the German government of a fair trial. http://www.spiegel.de/politik/deutschland/mehr-als-200-us-geheimdienstler-spionieren-offiziell-in-deutschland-a-975285.html

But this is only the online version. As with Huawei, Spiegel Online published this short message

http://www.spiegel.de/international/world/nsa-spied-on-chinese-government-and-networking-firm-huawei-a-960199.html

and in the print version was this much more detailed and longer piece:

http://www.spiegel.de/spiegel/print/d-126149146.html

translation:

https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.spiegel.de%2Fspiegel%2Fprint%2Fd-126149146.html

which revealed, among other things, that Obama has ordered the NSA to prepare for manipulating, jamming, weakening, blocking and destroying computers, information systems and networks in foreign countries.

This time, the print version has three NSA articles on the cooperation between NSA and BND:

https://magazin.spiegel.de/digital/index_SP.html#SP/2014/25/127626332

https://magazin.spiegel.de/digital/index_SP.html#SP/2014/25/127626333

https://magazin.spiegel.de/digital/index_SP.html#SP/2014/25/127626334

For some weeks, these articles can be fully read only if you pay, but then they become accessible from the search engine of the magazine for free, but they get translated only rarely.

Sadly, for example the Huawei article has not been translated to this date.

Benni June 15, 2014 7:34 AM

Oh no, even the visible parts of the new Spiegel articles that are behind the paywall say that the NSA has stations to copy the content of German internet fibers distributed through all of Germany….

x1188Ae June 15, 2014 7:35 AM

@uair01: While I agree that the current nature of panoptica is that they are superficial, the biggest danger I see is that the data are increasingly being filed away in long-term storage, which completely undermines forward secrecy.

Consider someone who uses Gmail and archives old e-mails rather than deleting them. If that person loses control of their Gmail account in 10 years, they retroactively lose privacy for every conversation they’ve had for over a decade. What really worries me about these mass-surveillance efforts is that they’re creating large databases of private information with no concern for forward secrecy, and so we not only have to worry about currently extant threats, but all future threats as well.

I feel like that definitely has some serious chilling effects, because even if you could manage to verify that no one is targeting you for surveillance today, at some indeterminate time in the future, an unknown attacker, possibly using a currently-unknown attack vector, can retroactively target you, and use that information as if you were being targeted now. In a lot of ways the “broad but shallow” panopticon model is only better than a true panopticon when the nature of the surveillance is ephemeral. When they store all data for sorting through later, it’s a different story.
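
The comment above contrasts ephemeral surveillance with long-term storage and names forward secrecy as what the archive loses. The following is an added example, not code from Gmail or from any mail client, showing the storage-side version of that property as a hash ratchet: each record is encrypted under its own key, the chain key is advanced one-way after every use, and a copy of the chain state taken at some later point can only reach records stored after that point. It is contrasted with the “everything under one long-lived key” model, where one leak exposes the whole archive. The XOR keystream is a toy stand-in for a real AEAD, and keeping the per-record keys in a separate store (the `message_keys` dictionary, which the owner would have to protect offline) is an assumed design choice; the message texts are constructed.

```python
"""Forward secrecy for a stored archive via a hash ratchet.
Added example; not code from any mail provider. The XOR keystream is a
toy stand-in for a real AEAD; the separate per-record key store is an
assumed design choice; every input is constructed for the demonstration."""
import hashlib
import hmac
import os


def _kdf(key, label):
    """One-way derivation step (HMAC-SHA256 used as a PRF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream_xor(key, data):
    """Toy stream cipher: SHA-256 counter keystream XOR data (symmetric)."""
    stream = bytearray()
    ctr = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + ctr.to_bytes(4, "big")).digest())
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class RatchetArchive:
    """One key per record; the chain key is replaced after each use, so
    state captured later cannot be walked backwards to earlier records."""

    def __init__(self, root):
        self.chain = root        # current chain key, the only live secret
        self.records = []        # ciphertexts
        self.message_keys = {}   # assumed to live in a separate, owner-held store

    def store(self, plaintext):
        mk = _kdf(self.chain, b"message")        # key for this record only
        self.chain = _kdf(self.chain, b"advance")  # previous chain value is gone
        idx = len(self.records)
        self.records.append(keystream_xor(mk, plaintext))
        self.message_keys[idx] = mk
        return idx

    def read(self, idx):
        return keystream_xor(self.message_keys[idx], self.records[idx])

    def snapshot(self):
        """What an attacker gets by grabbing the live chain state right now."""
        return (len(self.records), self.chain)

    def revealed_by(self, snapshot):
        """Indices of records whose keys are derivable from a leaked snapshot."""
        _start, chain = snapshot
        derived = set()
        for _ in range(len(self.records)):   # walk forward as far as records exist
            derived.add(_kdf(chain, b"message"))
            chain = _kdf(chain, b"advance")
        return {i for i, mk in self.message_keys.items() if mk in derived}


class StaticKeyArchive:
    """The 'archive everything under one long-lived key' model."""

    def __init__(self, key):
        self.key = key
        self.records = []

    def store(self, plaintext):
        self.records.append(keystream_xor(self.key, plaintext))
        return len(self.records) - 1

    def revealed_by(self, leaked_key):
        return set(range(len(self.records))) if leaked_key == self.key else set()


def compare(messages, compromise_after):
    """Store `messages`; leak state after `compromise_after` records; return
    (indices exposed with the ratchet, indices exposed with the static key)."""
    ratchet = RatchetArchive(os.urandom(32))
    static = StaticKeyArchive(os.urandom(32))
    snap = None
    for i, m in enumerate(messages):
        if i == compromise_after:
            snap = ratchet.snapshot()
        ratchet.store(m)
        static.store(m)
    if snap is None:
        snap = ratchet.snapshot()
    assert all(ratchet.read(i) == m for i, m in enumerate(messages))
    return ratchet.revealed_by(snap), static.revealed_by(static.key)


if __name__ == "__main__":
    mail = [b"m0 hello", b"m1 lunch?", b"m2 draft", b"m3 invoice", b"m4 bye"]
    print(compare(mail, compromise_after=3))   # ratchet: {3, 4}; static: all five
```

The ratchet only protects what the leaked state cannot reach, which is the point of the comment: if the owner’s own key store goes with the account, or the provider simply keeps the plaintext, nothing here helps, and the only real forward-secrecy control for an archive is deletion. Real implementations would also use an actual AEAD and wipe the old chain value from memory rather than relying on reassignment.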

Benni June 15, 2014 9:21 AM

In the print article, there is indeed more information.

At the NSA Dagger complex near Darmstadt, Germany, where these weekly anti-NSA protests take place every weekend, the entire communication content, not just metadata, is regularly intercepted, in order to analyze “complex lifestyle habits”….

AlanS June 15, 2014 9:38 AM

@uair01

Thanks for the reference. I wasn’t aware of that. I read a lot of Latour’s earlier writings years ago and saw him give a talk once at Stanford. There are a lot of writings in the social sciences that try to extend and adapt the notion of the panopticon. There have been all sorts of ‘opticons’ (in 2006 Kevin Haggerty published a paper that listed a whole series of ‘opticons’ culled from the surveillance studies and associated literature). But Foucault’s writings on surveillance and the techniques of power can’t be reduced to panopticism. He actually discusses a whole series of techniques of power and individualization that come and go to various degrees at various periods. Panoptic techniques are very much still with us but so are other techniques: judicial and security.

In Foucault’s 1978 lectures (Security, Territory, Population — STP for short):

(Discussing punishment): “The third form is not typical of the legal code or the disciplinary mechanism, but of the apparatus (dispositif) of security, that is to say, of the set of those phenomena that I now want to study. Putting it in a still absolutely general way, the apparatus of security inserts the phenomenon in question, namely theft, within a series of probable events. Second, the reactions of power to this phenomenon are inserted in a calculation of cost. Finally, third, instead of a binary division between the permitted and the prohibited, one establishes an average considered as optimal on the one hand, and, on the other, a bandwidth of the acceptable that must not be exceeded. In this way a completely different distribution of things and mechanisms takes shape.”

“The idea of the panopticon is a modern idea in one sense, but we can also say that it is completely archaic, since the panoptic mechanism basically involves putting someone in the center– an eye, a gaze, a principle of surveillance – who will be able to make its sovereignty function over all the individuals [placed] within this machine of power. To that extent we can say that the panopticon is the oldest dream of the oldest sovereign: None of my subjects can escape and none of their actions is unknown to me. The central point of the panopticon still functions, as it were, as a perfect sovereign. On the other hand, what we now see is [not] the idea of a power that takes the form of an exhaustive surveillance of individuals so that they are all constantly under the eyes of the sovereign in everything they do, but the set of mechanisms that, for the government and those who govern, attach pertinence to quite specific phenomena that are not exactly individual phenomena, even if individuals do appear in a way, and there are specific processes of individualization (and we will have to come back to this, because it is very important). The relation between the individual and the collective, between the totality of the social body and its elementary fragments, is made to function in a completely different way; it will function differently in what we call population. The government of populations is, I think, completely different from the exercise of sovereignty over the fine grain of individual behaviors. It seems to me that we have two completely different systems of power.”

The STP lectures sketch out practices of government up to the birth of the modern liberal states. The following lectures in 1979 take on what we would recognize as modern liberal and neo-liberal notions of government; and the on-going contradictions and tensions between ‘free’ individuals in the market and the role of government in relation to the market. Understanding the “apparatus of security” is important to making sense of Foucault’s understanding of the functioning of power in neo-liberal states like the US and much more useful in making sense of surveillance practices involving electronic networks and databases.

See also Gilles Deleuze’s short essay, Postscript on the Societies of Control (1992), which picks up on these ideas.

Nick P June 15, 2014 9:50 AM

@ Wael

“1- They are not always on, receiving packets, discarding uninteresting ones, and handling packets that are addressed to them.”

Mine is on shortly after boot. There’s something waiting for a mic to be plugged in. There’s an audio stack already loaded. There is a boot-up sound that uses it.

“2- They need an application to communicate with the device driver and send it commands to do things — either openfile(), readfile(), createfile(), or any of the other IOCTLS implemented by the driver.”

The microphone needs an app to communicate with it to receive something? I thought you needed a mic for audio communications between unmodified nodes. That’s the part of the stack I’d think injection would happen externally.

“It is a requirement of the target system to be ready for a remote acoustic command to start doing its thing. If that is the case, then subversion is a probability. ”

Or it’s just been hit by another exploit. They chain them together. The combo is typically (1) get privileged access, (2) implant BIOS or some firmware for persistence, and (3) enable covert C&C between nodes or master/slave.

“As far as I know for any application to write any persistent data to the BIOS, the BIOS must export such an interface. On most systems I worked on, the BIOS flashes itself when you update your BIOS. And the BIOS usually verifies digital signatures or at the very least some checksums before accepting to flash an image.”

Membromi (2012) flashed Award BIOSes as part of its operation. Others might be subverted in that NSA gets components signed without questions asked. There were only a few BIOSes before UEFI. And a few of us here have suspected UEFI is partly to make it easier on groups like NSA. Could explain a certain amount of secrecy around its operation that existed a while back. Not sure if that’s still the case.

“The problem with badBIOS claims is the attack channel is no longer a piece of software smashing the driver stack! It’s an acoustic packet, see. An acoustic packet that’s causing a buffer overflow on a device driver thats not even accepting commands from an application. ”

See microphone stack issue above. If your argument still applies to it, then yes this would be a problem.

“So UEFI needs to be looked at as a possible culprit.”

Yep. Clive and I haven’t trusted it since they started building it. It’s guilty until proven innocent far as we’re concerned. 😉

Todays Big Lie June 15, 2014 10:02 AM

@ GvanV, immoral, certainly, because of the NSA’s ingrained contempt for honor and honesty, but the DoD shills don’t mind being dishonest scum. They’re quite touchy about the legality of spying, though.

An offense like espionage that is criminalized in every jurisdiction is a natural part of customary international law. Wartime espionage is recognized in the Geneva Conventions as “une activité préjudiciable à la sécurité de l’Etat” (it justifies certain restrictions on the rights and actions of detained suspects, for example.) Peacetime espionage is a breach of the principle of non-intervention, which is a legal absolute just like the ban on use or threat of force – coercive intervention is as serious a crime as aggression. And under the law of diplomacy, espionage is duplicitous proceedings, which give legal grounds for suspending or invalidating international agreements. Knowing what we know now about NSA duplicity, countries could demand renegotiation of all sorts of agreements: trade treaties, international organization charters, even alliances. Despite the fact that NSA is a bunch of uncontrollable loose cannons, the US as a treaty party is responsible for making good for NSA espionage and sabotage. That’s what scares the NSA shills most – the potential restitution for NSA’s conduct is unknown and potentially ruinous. The consequences for US international standing and influence are even worse, but the NSA can’t get that through their thick military skulls.

Mike the goat (horn equipped) June 15, 2014 10:29 AM

Nick re UEFI – well, there’s a helluva lot to distrust. From the get go there was suspicion; closed working groups with secure boot basically designed to help vendors lock in (Microsoft’s wet dream). Even now, full documentation being unavailable without going to a lot of trouble and signing an NDA doesn’t provide me with a lot of confidence.

Now the UEFI lovers would exclaim – “but you don’t need low level documentation; it’s easy, just pop your code in the EFI system partition, blah” but it isn’t the point. We were supposed to be working to make the PC more universal, more ‘open’, better documented and more secure (and secure in the traditional sense; in Wintel land secure means “more locked down to prevent or at least discourage FOSS operating systems”, with of course a second definition relating to DRM and being secure against the owner!) but this achieved only the opposite. There wasn’t a massive need for it, and many people still run the thing in legacy BIOS emulation mode anyway!

I will reiterate that I don’t think we can – at this point – salvage the x86. Our best bet is to move forward with something new, something RISCy and something built from the ground up with simplicity and auditability in mind.

I was a big fan of both SPARC and, funnily enough DEC Alpha. Unfortunately the latter is gone, UltraSPARC is pretty much dead in the water post Oracle takeover and PowerPC is available only in select configurations for embedded clients.

ARM is a disaster; MIPS is okay but again, targeted to the low power embedded segment.

In short – there is a trust deficit and I am not sure how the hell it will be fixed.

Wael June 15, 2014 1:25 PM

It’s a dilemma of two mutually distrusting parties. We as consumers don’t have full control over devices we own and lack awareness of what goes on in our devices. The other party needs to protect us from bad things. As such, they need to have full control and access to our devices. Not a technically solvable problem…

@Mike the goat, “something RISCy and something built from the ground up with simplicity and auditability in mind.” I like it 🙂 – good luck!

@Nick P,

Mine is on shortly after boot. There’s something waiting for a mic to be plugged in. There’s an audio stack already loaded. There is a boot-up sound that uses it.

Explain to me how a pristine system is infected with acoustic waves. If you are saying the infection happens beforehand through other channels, as in:

Or it’s just been hit by another exploit.

Then the problem is trivial, and there is nothing to discuss from my side. My main interest in the subject was the method of exploit. The assumption I had was systems are not subverted. I wanted to understand how a sound wave can cause a weakness and exploit it, then install a piece of code that accomplishes the deed – all through sound. This is the aspect I am most interested in. And since I haven’t seen any evidence or viable explanations, BadBIOS just caused the El Turdo meter to explode.

Mike the goat (horn equipped) June 15, 2014 1:34 PM

Wael: reminds me of that episode of Bones where the bad guy leaves behind a sample of DNA he’d synthesized to supposedly cause an overflow in their DNA sequencing software and somehow this results in their network being compromised.. Ridiculous, but creative huh?

Re trusted processors – yeah. That’s the problem. Nobody wants to get their hands dirty and try and fix the problem, and those that do simply don’t have either access to expertise, fab labs and cash.

Wael June 15, 2014 1:49 PM

@Mike the goat,

reminds me of that episode of Bones…Ridiculous, but creative huh?

Very creative. A lot of what we see in technology today came from science fiction movies and TV shows. I personally think the iPad and its predecessors from HP came from Star Trek — or… just as likely, from an acid trip Steve Jobs went on 🙂

and those that do simply don’t have either access to expertise, fab labs and cash.

That’s the easy part. If they were successful in achieving their goal, they wouldn’t be left alone, and the system shall be subverted or compromised one way or another. You need the law on your side!

Moderator June 15, 2014 2:42 PM

“Today’s Big Lie,”

Is that the name you’ve chosen to use on this blog in the future? It would be better to pick a name that describes you rather than what you are responding to — after all, the uninitiated might think you’re labeling your own comments as lies — but I’ll allow that one if you do stick to it. You are clearly coming back to continue the same conversation here, so you must stick to a single identity for it.

Also, I asked you to work on your tone and I think maybe you are trying; if so, thank you. Still, the constant insulting rhetorical flourishes like “pop a hernia,” “panty-sniffing,” etc. are really wearing, and they’re not making your argument more convincing — really, they just weigh it down. So no more of that, please.

AlanS June 15, 2014 4:02 PM

@uair01

More on your Latour comments above. I haven’t had a chance to read it yet but your description sounds sort of like he is talking about what Foucault would describe as practices focused on populations. One of the examples he gives is public health. A disciplinary approach to smallpox (or some other dread infectious disease) was to close up urban spaces and watch and enforce very strict controls on the behavior of the inhabitants. The focus is on control of individuals (the dossiers and actions are concerned with individuals). This is panoptic. At some point the surveillance shifts to populations–not confined–on which one collects enormous amounts of data on different characteristics (e.g. location, gender, age, etc.). By looking at the data, using statistics, one can deduce patterns and one can exert control by acting on qualities or combinations of salient characteristics. It’s an increase of power through abstraction. The focus of action isn’t necessarily at the level of the individual. In the public health sphere there are enormous benefits to this type of knowledge and action. As Ian Hacking comments somewhere, most of us are alive now because of this type of surveillance. It can be good or bad or various shades between. The type of surveillance Google (to use an obvious example) or the NSA does is very similar. It is different from the population surveillance in the 19th C. and into the 20th C. because it no longer depends on paper, and filing cabinets, and what have you. The power to collect data, link it and process it is infinitely greater. And of course one can move back from the statistical level, and in many cases this is the intention, back to the level of the individual and judicial and disciplinary power. “What is at stake, then, is this: How can the growth of capabilities be disconnected from the intensification of power relations?” (Foucault in “What is Enlightenment?”).

Nick P June 15, 2014 4:18 PM

@ Wael

“Explain to me how a pristine system is infected with acoustic waves.”

“I wanted to understand how a sound wave can cause a weakness and exploit it, then install a piece of code that accomplishes the deed – all through sound.”

You’re really hung up on the fact that the original source is a sound wave. Let’s rephrase that a bit:

“…is infected with electrical signals traveling over copper.”

“…all through electricity.”

“…is infected with photons traveling down an optical fiber.”

“…all through light.”

“…is infected with electromagnetic waves flowing through a home.”

“…all through radio”

So, assuming your computer doesn’t use sound in native form, let’s restructure it a bit: sound wave -> 1’s and 0’s -> microcontroller firmware -> driver -> potential kernel functions -> potential user-mode application. The sound wave part is indeed pretty harmless, much like the light on fibers of my Ethernet. The microcontroller firmware, driver, and kernel, on the other hand, have privileged software that interprets 1’s and 0’s. Incorrect interpretations can lead to malicious code executing. Now, I’m not educated enough on internals of how this is handled on sound cards to say if they’re at risk of this. However, it’s been a problem on almost every other device.

So, I’d have to eliminate the possibility of a software vulnerability interfaced to a mic before I’d think it was impossible. I’d also look at any codecs or other software that transform the newly digitized audio. There’s likely stacks, buffers, and so on in there. So, there’s potential for attack. Just not sure how much.

I do think the majority of audio networking use is for covert channels of already compromised systems, though. Early badBIOS discussions, academic work, and TAO catalog all support this.

Nick P June 15, 2014 4:55 PM

@ Mike the goat

re x86

I agree as far as secure architectures go. However, getting rid of it is unlikely to happen. There’s SO MUCH legacy software on it (i.e. Windows). Remember that Intel tried repeatedly with i432 APX, i960, and finally Itanium. Itanium was a nice combo of Intel and HP PA-RISC expertise. It was their best chance due to its speed, RAS features, easy compiler development, and many built-in security features. Its roadmap indicates it’s about to be buried due to almost no market acceptance outside SGI (bankrupted) and HP enterprise servers. The lesson goes back to Orange Book B3/A1 systems including a painful UNIX compatibility layer: the legacy software must be preserved somehow if wide market is to buy it.

Note: DEC and IBM both used binary translation tech to solve some of these problems in the past. Not sure if that will work today. Loongson is trying for x86.

Now for the fun part: building new systems. For these we can throw x86 out. So, you want simple and RISCy. The DARPA CRASH processor designs I’ve referenced meet that requirement. VAMP and AAMP7G do given they’ve been formally verified for correctness, the latter for separation too. That Intel bought Alpha means it will likely stay dead unless revived by open core effort. SPARC isn’t dead as it’s getting continued investment by Oracle, Fujitsu, and others. There are also two versions of it opened up and a consortium to license the architecture for redevelopment. IBM recently created an organization to do something similar with POWER architecture. It’s not being opened, though.

I’m not a fan of ARM besides its chip efficiency and price. Funny that you say MIPS is low end as my first exposure to it was SGI Octane workstation and Onyx2 servers. For something modern, maybe specs on Cavium’s Octeon III will change your mind. There’s also possibility of cheaply licensing something that’s nearly dead and getting owners less all the time. Intel’s i960, HP’s PA-RISC, Renesas’s SuperH, or even Alpha might be available. (Itanium given time haha) There’s also free, open cores such as OpenRISC.

“In short – there is a trust deficit and I am not sure how the hell it will be fixed.”

If legacy compatibility is maintained, I’m not sure it can be. If clean slate, I have methods to fix it all the way to the hardware. That’s when limited expertise and small number of chipmakers cause risk to mount. Yet, getting to that part knocks out vast majority of risk and attackers. It’s why I’m mostly focusing on that aspect of the journey.

Wael June 15, 2014 4:56 PM

@Nick P,

You’re really hung up on the fact that the original source is a sound wave.

Yes, it would seem so. But I’ll drop it.

I’d also look at any codecs or other software that transform the newly digitized audio

You’ve just identified a viable attack vector — The codec. If the codec can be exploited with a sound packet — something that we’ve seen on PDF readers, then there exists a security hole that has not been published.

Nick P June 15, 2014 5:20 PM

@ Mike

I was trying to figure out who owns the I.P. for Alpha processors. Apparently, Intel just took over Compaq’s business and it’s Samsung that has the processor. They were manufacturing it for a while. This article says they and Compaq invested $500 million to get it where it was. They got essentially no return so coffin was closed on it. So, it’s doubtful they’d do anything but license existing work given what was already lost on it. And that gives an idea of what a cutting edge chip with custom circuits can cost. Ouch.

@ Wael

That’s one vector. Like I said, I know nothing of how soundcards and drivers actually process the digitized audio data. There’s plenty to explore in there. Just look for common issues in buffers, stacks, DMA handling, and so on. There might be something, might be nothing. (shrugs) Still think it had nice subversion potential due to both few vendors and the fact that few worry about such chips. The s

Nick P June 15, 2014 5:24 PM

(Hit… something… and the post submitted. Wasn’t enter. Apparently another key press can do it.)

(cont.’d) That the microphone chip gets the audio of the room makes it an even better idea to subvert it. If it has onboard software, one can always do more with it later. And my PCIe trapdoor I devised here previously could be accessed using almost any peripheral. In theory, anyway.

Jacob June 15, 2014 5:27 PM

@ Mike the goat

You have been mentioning time and again your desire to have a secure system built from scratch.
It is not clear to me whether you are interested in a personal or in a commercial system that can be sold to a large audience.

If this is just personal, why don’t you use FPGA, which is clean from any code, and burn into it some IP blocks that will give you the high-end functionality you desire while the source is being vetted by you beforehand (difficult but still a lot easier than fabbing your own devices)?

Since the FPGA IO blocks are fully programmable, and you can load software to any logic block location, I think that the trust level would be much higher than, let’s say, Intel X86 chips which are more like a black box to the user.

P.S. If you feel that the stuff that goes to the niche dev-oriented industrial market is more secure than standard consumer/Corp style stuff, you might want to consider these very reasonably priced systems (being Hybrid ARM/FPGA they are not trustable to the same level as a virgin FPGA that you burn core IP blocks into it, but it is a start..):
http://linuxgizmos.com/open-sbc-runs-linux-on-altera-arm-plus-fpga-soc/
and
http://linuxgizmos.com/arm-fpga-com-runs-linux-on-zynq-7000-soc/

Nick P June 15, 2014 5:57 PM

@ Jacob

Those tend to be made in Five Eyes countries with plenty of closed hardware, firmware and software. Subversion is a key concern there. So, it’s a great suggestion if those countries’ agencies are outside threat model. Otherwise, it’s a big question mark of risk. Even in latter situation, I’d probably still use them for prototyping or for less trusted components.

KnottWhittingley June 15, 2014 6:42 PM

Mike the goat,

Like Gerard van Vooren, I’m curious why you think “ARM is a disaster,” whether it’s about the ISAs or the core/GPU design logic IP, or what, and basically why which flavor of RISC it is matters.

I’m not a security guy or a hardcore hardware guy, so small words would be much appreciated. :-/

Clive Robinson June 15, 2014 6:48 PM

@ Wael,

I’m with you on the “subversion by soundwave”: there is –or should be– a big chunk missing between the waveform out of the transducer and executable code in main memory.

In general DSPs, CODECs and similar are not Turing complete, and don’t “act on data” but “filter/modify data”[1] in a near invariant way. The exception being the case on reaching the maximum value where some DSP systems “hard limit” rather than “roll over”.

Whilst some DSP systems can be made to act as Turing machines –I’ve made TMS chips into Forth machines– in general they are not designed in a way that makes this easy to accomplish.

Further you can not just take output from a DSP function and execute it, because you have next to no control on the level of the analog waveform. So even if you did find some way of breaking out of normal DSP activity you would still have to do some significant conversion with a large number of unknowns and errors at the input…

Breaking out of a PDF file by comparison is very easy because a PDF file is in essence an executable program to start off with, thus it “acts on the data” by default. Further, information is conveyed in PDF files by absolute value, not as in WAV or other audio files by relative or difference value to preceding values.

[1] For those that are not versed in Digital Signal Processing, the overly simplified explanation is that the analog waveform is sampled at precise time intervals and the digitised “number” that represents the analog level is fed into a tapped shift register delay line. The DSP transform involves reading the values from the taps, multiplying them by a constant for each tap and adding all the values together and outputting them to either another DSP function, a DtoA converter or to be stored in sequence in a file for later use. The important point to note is none of the DSP transforms alter their behaviour due to the value of the input number, that is they transform all values the same way, they don’t modify the function’s behaviour if the value is at one particular value or above/below a particular value.
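
Added example, not code from any commenter on this thread: a small C program sketching the chain Nick P laid out earlier (bits → container/codec parser → DSP) next to Clive’s point that the DSP stage itself is data-invariant. The container layout (4-byte tag, little-endian 32-bit payload length, int16 samples), the field names and the sample chunks are all constructed for illustration and stand for no real codec. The parser is the hardened form; the comment above it names the single trusting memcpy a naive version would make. The FIR shows both range behaviours Clive mentions, hard limit and roll over, on the same input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical container (assumed layout, not a real codec):
 * tag[4] | payload length, little-endian u32 | payload of int16 LE samples.
 * The length field is attacker-supplied data that steers control flow and
 * memory indexing; that is the "acts on data" part a pure DSP stage lacks. */
#define HDR_LEN     8u
#define MAX_SAMPLES 64u
#define NTAPS       4

typedef struct {
    char tag[4];
    uint32_t len;
    const uint8_t *payload;
} chunk_t;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened parser. The naive form of this code does memcpy(dst, buf + 8, len)
 * and trusts len; here len is checked against what the buffer really holds
 * before anything indexes with it. Returns 0 on success, -1 on a bad chunk. */
static int parse_chunk(const uint8_t *buf, size_t buflen, chunk_t *out)
{
    if (buf == NULL || out == NULL || buflen < HDR_LEN) return -1;
    uint32_t len = le32(buf + 4);
    if (len > buflen - HDR_LEN) return -1;   /* subtract: HDR_LEN + len can wrap */
    if (len % 2 != 0) return -1;             /* whole int16 samples only */
    if (len / 2 > MAX_SAMPLES) return -1;    /* bound the output buffer */
    memcpy(out->tag, buf, 4);
    out->len = len;
    out->payload = buf + HDR_LEN;
    return 0;
}

/* 4-tap boxcar FIR over a tapped delay line, per Clive's footnote. Every
 * sample takes the same multiply-accumulate path; the only value-dependent
 * step is how an out-of-range result is handled: hard limit or roll over. */
static const int32_t TAPS[NTAPS] = {1, 1, 1, 1};

static int16_t fir_step(int16_t *delay, int16_t x, int hard_limit)
{
    memmove(delay + 1, delay, (NTAPS - 1) * sizeof delay[0]);
    delay[0] = x;
    int32_t acc = 0;
    for (int i = 0; i < NTAPS; i++) acc += TAPS[i] * delay[i];
    if (hard_limit) {
        if (acc > INT16_MAX) acc = INT16_MAX;
        if (acc < INT16_MIN) acc = INT16_MIN;
        return (int16_t)acc;
    }
    uint32_t low = (uint32_t)acc & 0xFFFFu;   /* keep the low 16 bits */
    return (int16_t)(low >= 0x8000u ? (int32_t)low - 0x10000 : (int32_t)low);
}

/* Parse, then filter. Returns the sample count or -1 if the container was
 * rejected before any sample was touched. */
static int decode_and_filter(const uint8_t *buf, size_t buflen,
                             int16_t *out, size_t outcap, int hard_limit)
{
    chunk_t c;
    if (parse_chunk(buf, buflen, &c) != 0) return -1;
    size_t n = c.len / 2;
    if (n > outcap) return -1;
    int16_t delay[NTAPS] = {0};
    for (size_t i = 0; i < n; i++) {
        uint16_t raw = (uint16_t)(c.payload[2 * i] | (c.payload[2 * i + 1] << 8));
        int16_t s = (int16_t)(raw >= 0x8000u ? (int32_t)raw - 0x10000 : (int32_t)raw);
        out[i] = fir_step(delay, s, hard_limit);
    }
    return (int)n;
}

/* One output sample, or INT32_MIN if the chunk was rejected. */
static int32_t sample_at(const uint8_t *buf, size_t buflen, int hard_limit, size_t idx)
{
    int16_t out[MAX_SAMPLES];
    int n = decode_and_filter(buf, buflen, out, MAX_SAMPLES, hard_limit);
    if (n < 0 || idx >= (size_t)n) return INT32_MIN;
    return out[idx];
}

/* Constructed test chunks, not captured from any device. */
static const uint8_t GOOD[] = {'d','a','t','a', 8,0,0,0,             /* 4 x 20000 */
                               0x20,0x4E, 0x20,0x4E, 0x20,0x4E, 0x20,0x4E};
static const uint8_t HUGE[] = {'d','a','t','a', 0xF0,0xFF,0xFF,0xFF, /* len wraps */
                               0x20,0x4E, 0x20,0x4E};
static const uint8_t TRUNC[] = {'d','a','t','a', 12,0,0,0,           /* claims 12, has 8 */
                                0x20,0x4E, 0x20,0x4E, 0x20,0x4E, 0x20,0x4E};

int main(void)
{
    printf("good, hard-limited, sample 3: %d\n", (int)sample_at(GOOD, sizeof GOOD, 1, 3));
    printf("good, rolled over,  sample 3: %d\n", (int)sample_at(GOOD, sizeof GOOD, 0, 3));
    printf("huge length rejected: %d\n", sample_at(HUGE, sizeof HUGE, 1, 0) == INT32_MIN);
    printf("truncated rejected:   %d\n", sample_at(TRUNC, sizeof TRUNC, 1, 0) == INT32_MIN);
    return 0;
}
```

Four samples of 20000 through a gain-4 boxcar sum to 80000, which does not fit in an int16: the hard-limit path pins it at 32767, the roll-over path hands back 14464, a different number but still just a number. The two bad chunks never reach the filter at all; the 32-bit length check is done by subtraction precisely because `HDR_LEN + len` is the kind of arithmetic that silently wraps in a naive parser.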

Buck June 15, 2014 7:49 PM

@AlanS

“What is at stake, then, is this: How can the growth of capabilities be disconnected from the intensification of power relations?”

(Foucault in “What is Enlightenment?”).

The answer is almost painfully obvious…
The power relation exists in a direct correlation with the power disparity! Remove any distinctions between the surveilled/ surveillers and the problem will disappear; metaphorically ‘over-night’ 😉

Figureitout June 15, 2014 8:17 PM

Mike the goat / koita nehaloti / Iain Moffat RE: shields
–Yes the main bands I’d test first are around 2.3-2.5GHz (focusing first on published bands for bluetooth and wifi channels), 850 MHz and 1,900 MHz (or all relevant GSM bands); all of which digital/SDR makes much easier than it used to be. There still (and will be for a long time) is some possible freakish behavior that would allow some radiation to peek in…it’s the nature of the ridiculously complex/chaotic world of radio, it’s scary. For instance, when testing a cap. touch sensor, this plastic was more conductive than the 9V batteries I originally intended to use as “fake fingers”; non-intuitive. Turns out conductive plastic is way more common than I had any idea of. Also, the magnetic side of shielding needs to be taken into account, magnetic-Q antennas are popular in the ham world, are antennas designed to receive only the magnetic field of a wave, and the standard for that shielding is Mu-metal for 100kHz and below.

I have some [un]original ideas like some “active” shielding in between shields, a sort of “No-man’s land” for radio waves, using a legal 1.5kWatt amplifier driving out nonsense and white noise from sources I’d manually change from time to time to prevent simple DSP filtering. Also, there’s a linux distro (tin hat linux) that generated false gpg keys in the background in between or while generating your real keys. I have an idea of having an entire RNG circuit inside my computer enclosure or a separate (hopefully identical) chip just encrypting non-stop that just generates noise like that.

But having built all that shielding, I wouldn’t want to move and have to do it again! I’m sure you’re the same way…And the antennas in the attic wouldn’t work and not having phone service inside wouldn’t be cool for something like a party…But positive aspects of it is in my view cleanliness and neighbors can’t touch each other’s wifi networks (which modern soundcards and scripts and the protocol itself makes so easy to attack/disrupt). Just doing a room or having the tents mentioned on here seem like the most handy/practical.

RE: Again floating idea of building a secure chip and in turn computer
–It really needs to be funded so it can be a person’s job instead of a side hobby, if we want it done in our lifetimes. We need to accept that such an effort will be targeted, and so all aspects of it would need to be covered by at least 2 people, preferably everyone understands and can check important aspects. This needs to happen, but I can’t personally put it together at the moment until I get my computers back under my control (still a highly frustrating ongoing battle, simple recovery CDs DON’T work), build up some funds and get some more knowledge and equipment. Also, if it ever happens, the people involved need to be above the petty nonsense grown men and women do to this day, like clique-making and social chemistry to prevent a breakdown that is speculated w/ Truecrypt (unhappy devs). Some people are going to fight for their ideas/designs and may destroy the project that way.

Nick P
I’m not educated enough on internals of how this is handled on sound cards to say if they’re at risk of this.
–Just met someone who actually hand made his own Morse decoder, w/o a modern soundcard, so he had to write ASM to take in the data, use a DAC, etc. and write a program to decode that digitized data into letters. I was extremely impressed when he told me, I may try to get him to show me what he did.

Wael June 15, 2014 9:02 PM

@Figureitout,
Do you know of a free copy and paste site where I can upload an image and share it with the group here? You used one before (the picture with the pumpkin)

Wael June 15, 2014 9:34 PM

@Clive Robinson,

I’m with you on the “subversion by soundwave”: there is –or should be– a big chunk missing between the waveform out of the transducer and executable code in main memory.

Thanks for the elaboration, you said in one sentence what I was trying to say in pages. The problem is we (or at least I am) speculating how such an exploit can take place according to the descriptions given by Ruiu’s claims. And this is just the start of it. When we find how such an exploit is initiated, then we’ll have to talk about the transport. Is it a TCP/IP on an acoustic transport, etc… That’s why I think I’ll stop talking about this thread until some other revelations are shared. I’ll do the same for the OpenSSL thread. If we keep speculating we’ll give others ideas, and that’s not very responsible, I think.

Buck June 15, 2014 10:03 PM

@Nick P, Wael, et al.

Still think it had nice subversion potential due to both few vendors and the fact that few worry about such chips.

That the microphone chip gets the audio of the room makes it an even better idea to subvert it. If it has onboard software, one can always do more with it later.

Since it would seem that RobertT is no longer with us, please allow me to hammer in his point further! Seeing as there’s only one (possibly two) major manufacturers of sound cards, there are certainly at least hundreds of humans in the process that would be quite capable of injecting innate procedures into the audio processing stack that would allow for this sort of remote takeover… Each of them is as vulnerable to the traditional blackmail/extortion/threats as the rest of us. :-\

65535 June 16, 2014 12:59 AM

I am at the bottom of the thread. I will make my comments short.

“…we are seeing perhaps the integrated Panopticon…” -tyco bass

If you are referring to the “Stingray” used by local police to bypass the search warrant system I think you are correct.

You are seeing NSA base station impersonators that resemble older (disclosed), but, updated and miniaturized versions of “find and finish” gear on US citizens. Just take a look at, Candygram, Tripwire, Cyclone Hx9, EBSR, Genesis, Nebula, Typhon HX, Waterwitch, and the Stellarwind and FeedTrough programs.

http://leaksource.info/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/

It’s clear that military grade spy equipment is being used against US citizens on US soil without oversight.

https://www.schneier.com/cgi-bin/mt/mt-search.cgi?search=NSA&__mode=tag&IncludeBlogs=2&limit=10&page=3

“This article seems to infer Pentagon generals were determined to get Ed Snowden back to the good ol’ USA…” –Bob S.

Yes, I agree.

But, Snowden has a good sense of survival. He took one of the two major countries airliners that the US would be afraid to force down. But, Evo Morales was not so lucky.

http://www.theguardian.com/commentisfree/2013/jul/04/forcing-down-morales-plane-air-piracy

“Both the hack and their “solution” made Slashdot….[the] M.O. for hackers is the internal database is compromised.” – Nick P

If you are correct, which seems to be the case, then there is a high possibility that insiders (disgruntled employees) helped in the attacks (both PF Chang, and Target).

If these companies were using virtual servers housed in one to three physical boxes then a persistent “badbios” style of implant could have been used. I understand that Target was using virtual servers at their stores (the OS brand I will not name). They could have been pwned from the inside with a script.

[the audio air-gap jump]

Nick P, Clive, and Wael, I was looking through the Ant catalog and those devices are old in “internet years.” I would expect the NSA or other TLA’s to have developed an acoustic method of jumping air-gaps to some degree.

I think that the initial implant of said acoustic air-gap is most likely done by electronic means or a black bag job. Either way the acoustic air-gap jump is going to have to be exposed and mitigated.

Moderator June 16, 2014 1:42 AM

@Figureitout,

I’m already walking on thin ice here

Yes, you are. Stop testing this boundary or I will ban you.

Wael June 16, 2014 1:43 AM

@Figureitout,
Thanks for the links! I hate it when you’re asked to sign in with your “Social Media” accounts… Why can’t they just let us choose a username / password? Do they have to track everything? Be careful with the thin ice, hate to see you disappear — but I still can’t wait for Halloween 🙂

@Benni, @Rick,
Here is a picture of sourcetree with OpenSSL source. From there you can track a lot of information and revert commits you don’t need. Will take some time to learn, but no rush…

@Mike the goat,
Be nice, I know you have a keen eye for these things. I made sure I am not sitting in a library 😉

Clive Robinson June 16, 2014 3:00 AM

@ Wael, Nick P,

At the top of this page is a comment by Ismar, the first link he gives is based on a Times of Israel article, which makes some claims that a mobile smart phone application can, if it gets within a few feet of a computer, infect it with a virus (or that’s the way it’s written).

The claims are extraordinarily similar to the unknown vector we are talking about, which may or may not be via sound or RF generated by the smart phone. The ToI article is thin on information, but says Professor Yuval Elovici and members of the BGU Cyber-Lab briefed President Shimon Peres about the threat (implying that it was a practical demonstration he and the Students demonstrated…). The lab has pedigree if you remember back to Xmas they had found significant issues with Samsung’s Knox security container,

http://in.bgu.ac.il/en/Pages/news/samsung_breach.aspx

Some think this current attack is by TAO techniques,

http://securityaffairs.co/wordpress/25782/hacking/air-gap-network-hacking.html

However this does not hang well with the ToI article, in part because it requires an initial implant and secondly because it only gives access to what the target system user types and views.

Other journalists have done a little more digging and conclude that it is a TEMPEST style received emanations attack,

http://www.scmagazineuk.com/air-gapped-pcs-compromised-with-mobile-malware/article/355492/

Or possibly the so called HIJACK or TEAPOT attacks which were known to be an issue back in the days of Ronnie “RayGun” and “Mad Maggie the handbag snatcher” which is why she put in place a ban on the early Mobile Phones from secure areas (anyone else remember the “dead rat” phone from Motorola? 🙂

It would appear that the Prof is Director of DT (think T-Mobile etc) laboratories at the BGU, and has an interesting relationship to the IDF as he is also Director of Cyber-Spark that aims to bring links to the students, startups, and selected corps with the IDF over cyber security. One startup he has an interest in is FortScale which appears to use his work on cyber threat signature analytics, others include, the JVP $1m prize winning Titanium Core Ltd and Genieo Innovations Ltd.

Some of his methods appear to be the same as I’ve advocated in the C-v-P idea, where CPUs and the processes on them are analysed by the calls they make, other monitorable signatures and by halting the CPU and examining its state, registers and memory by a hypervisor. He gave a talk on this recently at Stanford,

http://www.stanford.edu/class/ee380/Abstracts/140212.html

(I wonder if he or his students read this blog 😉

He has been described as Israel’s premier cyber security expert with strong links at all levels within the Israeli government and his name has been linked in the past to Stuxnet, partly because he was one of the few prior to it rearing its head to give very strong warnings about such attacks on infrastructure and comparing them in magnitude to nuclear strikes.

He has a home page at,

http://tlabs.bgu.ac.il/yuval/

Jacob June 16, 2014 3:57 AM

@ Clive

Just to throw another speculative hint into the cauldron, the Stuxnet authors used the Realtek cert to sign their load – and I assume that they could have just the same subverted the audio codec of the Realtek onboard audio hardware (which exists in the majority of motherboards) via the USB trick, in order to facilitate later, if required, an air gap attack.

From Microsoft blog at the time:
“These drivers are signed with a digital certificate belonging to a well-known hardware manufacturer called Realtek Semiconductor Corp., which is unusual because it would imply that the malware authors somehow had access to Realtek’s private key”

Mike the goat June 16, 2014 8:02 AM

Nick: I guess you could take the Apple Rosetta approach and implement an x86 emulator so that people can still run their legacy code. Loongson is interesting and I am really interested in what the Chinese are actually up to.

I agree that we have to knock out any ideas of hardware level x86 backwards compatibility to move forward. A complete clean slate; a new architecture; new instruction set. A complete re-write of the rule book, so to speak – and I like the idea of a RISC philosophy. Some would argue that you are just shifting the burden from one spot to another, but I would rather have a more complicated compiler, for example, at the expense of a chip with a radically reduced instruction set. It makes sense to me, anyway – I know some would argue the reverse is necessary to provide a secure environment.

In any case, you’d want to go out of your way to maintain trust and integrity in the whole process. This might include video documentation of everything, complete documentation and microcode release, having actual people stand by the product rather than an anonymous corporate conglomerate and finally you need multiple levels of verification, along with physical security during the whole fabrication process and ideally you’d want production to be done in as politically neutral a place as possible. I don’t think that even with your previously discussed technical safeguards along with social/geopolitical safeguards that you’d ever reach absolute assuredness but it’d be a lot better than what we have available at the moment. Some of my aforementioned safeguards may not be all that useful technically, but they show the community that we are serious about producing a processor you can count on. Of course, there may be errata and vulnerabilities that result from such bugs, but the important thing people must know is that we aren’t deliberately subverting their hardware behind their backs. Re 500 million?! That’s a hell of a figure. It makes me despair to think that only an established player or a company with state backing (China cough) would have the cash to actually make what we’re discussing happen. Which is why we are stuck with the abysmal situation we’re in at the moment.

Gerard: I can understand why you asked that question, particularly after I said that I was leaning toward something RISCy. I quite liked the original Acorn architecture but if you look at what ARM is now licensing as Cortex-A8 it is quite a departure caused I believe by ARM Holdings bending to the will of their largest market – smartphones and low cost embedded devices. I know that they are trying to fix some of the issues with their “TrustZone” etc. Oh, and there’s the fact that I just don’t like the platform, but that’s not a good answer, is it? 🙂

As an off-topic aside, isn’t it curious that Microsoft mandates that tablets running their Win8/RT have a locked bootloader yet doesn’t require it for their x86 Win8 counterparts?

Jacob: I’m interested in a commercial system – medium scale production. I have my own interim solution to this trust deficit, and that is through the use of old hardware and careful segregation.

Figureitout: Re ‘active’ shielding, as you called it – isn’t such a bad idea and I believe it has been used in the past as a countermeasure. Essentially you have two RF shielded layers with a void in the middle where you inject your jamming signals.

Wael re your screenshot: hey, I ain’t saying anything … and be nice? I’m always nice! Nice is my middle name. (Hint to NSA-guy: my name is not Nice, nor do I reside in Nice, although I have heard it is very nice this time of year. Bahaha!)

Mike the goat June 16, 2014 8:05 AM

Wael: isn’t it terrible that the first thing I did was look at the JFIF header of the image to see if there was any compromising info (author details, etc) rather than study the actual content?

AlanS June 16, 2014 9:07 AM

@Buck

Yes, but how? The capabilities are increasing but, in the long term, mostly in favor of corporations and states. Individuals lose privacy and on the other side secrecy increases. This is the question Bruce appears to ask over and over. How do you resist the skewing of the visible/invisibility relationship and by extension the power relationship? Increase the cost? Pollute the data stream? Pass new laws?

Nick P June 16, 2014 11:21 AM

@ Clive Robinson

It’s interesting, but different than what we discuss. We are talking about code injection via wireless capabilities. This is an eavesdropping technique that uses emanation attacks. They get that application on a mobile phone by infecting the phone with a virus through a spearphishing SMS message prompting a download. Old EMSEC advice of EM shielding and banning cell phones would defeat this attack. As we’ve discussed, this advice is rarely followed or known in most organizations. So, it’s quite a nice attack vector.

re Elovici

Seems to be a smart guy. Most of his work is on anonymity schemes and identifying malware. That those people know EMSEC enough to mount an attack also speaks well for them. Of course, Israel is one of the top nations in both human and electronic spying capabilities. I’d expect no less from a “well-connected” Comp Sci professor over there. 😉

@ 65535

I guarantee you Target’s INFOSEC isn’t that good. Malicious insiders (or contractors) would be an easy possibility. I can only speculate on PF Chang’s that they probably don’t do much better. However, one commenter on Krebs’s mentioned that their response to switch to the manual method happened very quickly. The commenter said it implied a backup plan and speedy implementation of it. That might indicate whoever is handling such stuff is at least doing what due diligence they can within the organization.

Re acoustic method. NSA has many methods. They have radio tech embedded in some of their implants for C&C networks. They might have acoustic, too. That the recent academic papers describe such things means we must assume NSA’s engineers went ahead and built it too. It’s not hard at all compared to much of what’s in the TAO catalog. Of course, like I told Wael, it’s not as big a threat if you have an IOMMU isolating it from the rest of system memory. And if your architecture is POLA-enforcing in general (eg microkernel).

@ Mike the Goat

The emulator approach was what I was hinting at. Transmeta did it with Crusoe, Loongson does it with custom x86-on-MIPS instructions, and one can argue VIA does it [very well] in microcode. VIA always impressed me for hanging in the x86 market so long despite tiny market share. The Loongson processor is exactly what it looks like: China’s own processor to complement their own OS and software stacks. They figure they can trust something the most if they build it themselves. There’s also I.P. and national pride benefits. Look at this Wikipedia article to see the specs of each release. It’s quite amazing how much they improve each one seeing as they have less experience than the competition.

re trust

The EAL6-7 development processes give an idea of how much one must worry about to make something work with malicious developers. The simplification of it is to have many parties with knowledge of the domain, a mutual suspicion encouraging strong review, a duplication of tools like SCM to aid integrity, and a ‘design for verification’ philosophy for each component of the system. This can work on hardware HDL, microcode, firmware, and software. There’s also vettable tools, either open or academic, that can synthesize some HDLs.

Discussions with RobertT show the fabbing aspects of this aren’t worth exploring, though. The whole process is a black box full of exotic, ever-changing technology and people of unknown trustworthiness. With the amount of custom, esoteric work going into each project, the reviewers wouldn’t even know what a subversion was if they were staring at it. RobertT said that, for this reason, having outsiders secure the fabbing process is laughable. That he figured the design itself, or the fabber’s design database, is the best target is reason enough to focus most efforts there.

So, looking at our insider’s advice, I tried to mentally narrow things down to figure out what the most critical part of the process was. I decided the production, transportation, and application of the masks is it. Those turn the materials into the circuits. RobertT said mask production is usually outsourced by the fab. It’s also as esoteric as the rest. So, my potential solution is to get a collaboration (public/private) to fund a secure mask making organization and process for a process node that will be useful for a while. They can license the tech, under thorough review by experts, from an existing mask maker, maybe with the incentive of giving generous royalties per device produced. The people and location are carefully picked for a combination of brains and trustworthiness. The process is quite open to inspection. The company would partner with a fab to provide basic security measures to ensure proper masks are used. (There’s more but I’m summarizing key points here.)

Sounds like a hell of a lot of work that leads to problems in market competitiveness? Yep. That’s why I’m minimizing my mental effort on that problem and working on the others. Not sure economics will let us secure the chip production process. It’s also the best target for a very capable TLA given constant consolidation.

    “That’s a hell of a figure. It makes me despair to think that only an established player or a company with state backing (China cough) would have the cash to actually make what we’re discussing happen. Which is why we are stuck with the abysmal situation we’re in at the moment.”

The full process, yes. If we trust the production, then the chip design and ASICs can be made for a few million if done right. Adapteva proved that with their Epiphany line’s development.

Incredulous June 16, 2014 12:09 PM

When one must talk about serious crimes dispassionately, isn’t something lost in the message? Doesn’t it reprogram the writer and the reader to feel less passionately about those crimes? Isn’t it a method of control in a loose Foucauldian sense — I say loose because I read Foucault years ago.

I am a little amused by the abstraction and the concern about whether the concept of “Panopticon” fits perfectly. The essence is a situation where people who experience constant surveillance introject the controlling and censoring eye. Not a very abstract concept any more.

Thought and reason are certainly good ideas. But logic requires true axioms for true conclusions and an absolute source for moral axioms is not available. And argument conceals more than it reveals if it does not penetrate the existential state of the participants: The anxiety, the fear, the anger, the astonishment of finding oneself actually living in one of the dystopian novels we read in our youth.

Clive Robinson June 16, 2014 4:17 PM

@ Nick P,

    It’s interesting, but different than what we discuss. We are talking about code injection via wireless capabilities.

That is, an unmodified computer has the capability of turning an energy wave, be it EM or acoustic, into executable code.

From the article it says,

    Once the malware is on the phone, it scans for electromagnetic waves which can be manipulated to build a network connection using FM frequencies to install a virus onto a computer or server.

Which from my and others’ reading is the same issue of an energy wave being turned into executable “virus” code on an otherwise unmodified computer.

Now either it’s “lost in translation” between what the students have done and the journalist typing it up, which I hope is the case, or somebody is neglecting to mention another stage (such as TAO type implants on selected computers) or the fact that somebody has basically subverted a chip set and IO software used on every computer / server currently out there (which limits it to just one or two chip sets).

If it is this latter option then we have a serious problem to solve, because it would be the key to fully ubiquitous surveillance. Now as others have noted there is a lot hidden behind UEFI etc, and I could realistically see Intel and MS doing this at the behest of the entertainment IP holders or even TLAs. But it brings the problem of the Chinese motherboard manufacturers or far eastern chip manufacturers having control ahead of anybody else…

And as I said in my comment to Wael, there is way too much that has to happen for EM or acoustic waves to be turned into executable code. Thus it could not be anything other than thoroughly planned and implemented from the get go… So either it’s FUD or we have a near unsolvable issue.

nope June 16, 2014 5:10 PM

One of the NSA slides specifically mentioned the northbridge chips, and remember all the problems with those and USB….

It is quite likely that both of the standard BIOS chip makers are compromised, and their flash tools just don’t write over that portion of the BIOS image, or the badBIOS portion is just labeled as “legacy” code….

Think about just how many board and chip level paths have had major incompatibilities, and those are just with integrated components.
Ask Dell what those alone cost them, and think about all those homebuilts that had serious issues in the early 00’s. I went through 3 motherboards trying to get a tower build to work, and it was a USB/PCI/bridge problem in all of them.

It’s quite easy to imagine that an audio driver has a line of code to look for piezo speaker feedback, that would trigger a call to a bridge chip to attenuate a signal, that in reality is launching a preloaded sequence to record and run a script or DOM.

Benni June 16, 2014 6:03 PM

In these new Spiegel articles, it is revealed that the Snowden data lists all American surveillance stations in Germany since 1917.

Over the years, the Americans had 150 of them in Germany, but they often closed and were opened up somewhere else, upgraded with new technology.

The files say that the German BND was not very interesting to the NSA, because in the earliest days, the Americans monitored whom they wanted to, whereas the BND imposed restrictions on itself. Even though the services were partners from the very beginning in 1962.

During the year 2000, this changed. Now BND had massively upgraded its technology.

Since 2005, NSA agents worked as an integral part of a BND operation called “orion”, side by side with BND agents.

Then, the Spiegel articles reveal the existence of a new secret US agency, which was born: JSA.

It is a merger of BND and NSA, with its sign showing the NSA eagle and a German flag….

“JSA is a joint NSA/BND organization whose mission is Sigint development and collection of digital network communications and international communications traffic.”

NSA is especially proud of the BND since it shares not only information on military targets but also on civilians in Afghanistan …

BND agents tried to impress at NSA with their surveillance capabilities on China and North Korea. And NSA is happy that BND shares with them its surveillance of the foreign ministries of two other countries.

Also, BND shares its monitoring of the internet telephony of an entire country in the near east. Furthermore, BND has unique capabilities in transcribing African languages.

During the world cup 2006, NSA analysts participated in a demonstration of BND tools. The equipment, the NSA analysts noted in a protocol, had more capabilities than their own.

At that time, BND worked to sniff on social networks, in order to detect patterns or anomalies. The Americans noted: “Visitors impressed by Software Demos”

The partners can exchange intelligence almost in real time. Among them contents of encrypted voice communications from mobiles, warnings, but also “target packages”, which means some sort of drone meat.

Some time ago, an employee of a telco discovered the devices of the program wharpdrive. Then, covert agents working in the company had to place an appropriate legend in order to explain the device. And NSA had to get a team on the task to reinstall this thing. They had help from BND. During a visit by BND agents to Fort Meade, they were instructed as follows:

“Thank the friends from Pullach for their help in the trilateral program. BND has the leading role in wharpdrive. The NSA is only there for technical support”

Wharpdrive is, according to the Snowden files, a program that enables “unconventional special access” to internet fibers. NSA says that these BND operations take place under risky circumstances and that they allowed inimitable access to very interesting targets.

DER SPIEGEL also notes that general Alexander is officially invited as a speaker by the German telecommunication company Deutsche Telekom for their upcoming conference “24 hours 2014” in Munich.

Wikileaks revealed some time ago that Deutsche Telekom is the hardware provider of the BND.

Yes, the BND seems to be so important to the NSA that an NSA boss holds speeches for BND’s network provider.

David C. June 16, 2014 7:29 PM

I don’t know how widely known this is but I think you can make a 56 bit assumption which will give you 16 bits of key at every round of AES-128.

How do you do this?

Assume the key state consists of four 32-bit words at each round i, w(i,1), w(i,2), w(i,3), w(i,4), where each w(i,j), j=1..4, is 4 bytes of key. In order to obtain the bytes w(i+1,j) you take a non-linear function of word w(i,4) and add it to w(i,1) to get w(i+1,1). To obtain the rest: w(i+1,2)=w(i+1,1)+w(i,2), w(i+1,3)=w(i+1,2)+w(i,3), w(i+1,4)=w(i+1,3)+w(i,4) etc.
So assume 4 bits per word at level 1 (byte slice 1 for example) and then 4 bits of output of the nonlinear function applied to word w(i,4). This gives 16 bits + (4*10) bits of assumption = 56 bits. This gives you 16 bits at each round of AES-128.

I am not sure how to turn this into a full attack just yet but I think it is interesting that for such a small assumption you can obtain 1 bit per key byte at every round. This I think is a minimum requirement to attack AES-128.

Does anyone have any ideas on how to turn this into an attack?
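The key-schedule relation David C. describes can be replayed on a real key. The block below is an added example, not code from the thread or from any commenter: it implements the AES-128 key expansion as specified in FIPS-197 (the S-box is computed from the GF(2^8) inverse and affine map rather than typed in), then checks that if you assume the masked bits of the four initial words plus the masked bits of each round's non-linear output, the same masked bits of every later round key follow by XOR alone. The mask `0x01010101` (one bit per byte, four bits per word) is the "byte slice" of the post; `check_slice_property` also counts the bits assumed, which comes to 16 + 4×10 = 56 as stated.

```python
"""AES-128 key expansion (FIPS-197) plus a check of the bit-slice propagation
described above.  Added example, not code from the thread."""


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def _gf_inv(a):
    """Multiplicative inverse as a^254; the loop maps 0 to 0, as AES requires."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = _gf_mul(r, a)
        a = _gf_mul(a, a)
        e >>= 1
    return r


def _build_sbox():
    """S-box = affine transform of the GF(2^8) inverse (FIPS-197, 5.1.1)."""
    box = []
    for x in range(256):
        b = _gf_inv(x)
        s = b
        for i in range(1, 5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def g(word, rnd):
    """The schedule's only non-linear step: RotWord, SubWord, XOR Rcon."""
    rotated = word[1:] + word[:1]
    subbed = bytes(SBOX[b] for b in rotated)
    return bytes([subbed[0] ^ RCON[rnd]]) + subbed[1:]


def expand_key(key):
    """Return the 11 round keys, each a list of four 4-byte words."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    words = [key[i:i + 4] for i in range(0, 16, 4)]
    for rnd in range(10):
        t = g(words[-1], rnd)                                 # g(w(i,4))
        for _ in range(4):
            # w(i+1,1) = w(i,1) ^ g(w(i,4)); w(i+1,j) = w(i+1,j-1) ^ w(i,j)
            t = bytes(a ^ b for a, b in zip(words[-4], t))
            words.append(t)
    return [words[i:i + 4] for i in range(0, 44, 4)]


def slice_of(word, mask):
    """The bits of a 32-bit word selected by mask (the post's 'byte slice')."""
    return int.from_bytes(word, "big") & mask


def propagate_slice(known, g_slice):
    """From the masked slice of w(i,1..4) and of g(w(i,4)), derive the slice
    of w(i+1,1..4).  Only XORs are involved, so the slice carries over."""
    out = [known[0] ^ g_slice]
    for j in range(1, 4):
        out.append(out[-1] ^ known[j])
    return out


def check_slice_property(key, mask=0x01010101):
    """Assume the masked bits of the first four words and of each round's g()
    output; confirm the masked bits of every later round key follow.
    Returns (property_holds, total_bits_assumed)."""
    round_keys = expand_key(key)
    bits = bin(mask).count("1")
    known = [slice_of(w, mask) for w in round_keys[0]]
    assumed = 4 * bits                       # the initial slice of w(0,1..4)
    for rnd in range(10):
        g_slice = slice_of(g(round_keys[rnd][3], rnd), mask)
        assumed += bits                      # one slice of g() output per round
        known = propagate_slice(known, g_slice)
        if known != [slice_of(w, mask) for w in round_keys[rnd + 1]]:
            return False, assumed
    return True, assumed


if __name__ == "__main__":
    # Key from FIPS-197 Appendix A.1: a published test vector, not a secret.
    k = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    print("round key 10:", b"".join(expand_key(k)[10]).hex())
    print("slice property holds / bits assumed:", check_slice_property(k))
```

The check passes for any mask, which is the whole point: outside `g()` the schedule is bitwise linear, so whatever is assumed about one bit position of the four words and of `g()`'s output stays valid in that position for all eleven round keys. Whether that is worth anything to an attacker is exactly the open question the post ends on; the schedule's round keys are still only reachable through the cipher's rounds.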

Wael June 16, 2014 11:56 PM

@Mike the goat,

    isn’t it terrible that the first thing I did was look at the

Not really, was expected from a caprine hacker like you. That’s the reason I asked you to be “nice”.

    Nice is my middle name… my name is not Nice, nor do I reside in Nice…

Nice! :)… Don’t mess with spooks— they are not easily amused 😉

Say, what did you digest the other day:
“c5236b05327b551ffc4c08c0a2361477db81d0a6602471aefacb40e62b4bb60a”?
I give up.

@Clive Robinson,

    I wonder if he or his students read this blog

I have no way of telling, but chances are high. I realize that your question is rhetorical…

@ 65535,

    I think that the initial implant of said acoustic air-gap is most likely done by electronic means or a black bag job.

Yes, agreed.

@Buck,

    there are certainly at least hundreds of humans in the process that would be quite capable of injecting innate procedures into the audio processing stack that would allow for this sort of remote takeover.

And would be hard to keep a secret as well, unless the functionality is in the hardware, and glue logic and firmware comes from elsewhere with a limited number of people “in the know”. I mean, if every peepingTom, Dickhead, and dirtyHarry knew about it, it wouldn’t be a well guarded secret — if true 😉

Figureitout June 17, 2014 12:11 AM

Moderator
–Knew I shouldn’t have posted it, bah. I used to go way too far for a laugh…If someone decides to be an ass and falsifies my identity and posts absolute garbage then can you at least check before you ban my name? It’s amazing this hasn’t already happened…

Wael RE: social media
–Block it or scrap your social media accounts…I lost contact w/ a lot of people (regaining some of my international contacts) but became mentally stronger than I ever thought I was capable of. And I seek out friends you actually meet in real life. Caved on 1 social media network for employment purposes only (which had javascript running and made 2 copies of a document automatically when I only posted 1…hmm…). And I don’t want nor need another UN/PW to keep track of, just let me use your service and don’t give the data away if you want some money for it…And BTW, it was an underground computer lab like I said before (you’re always welcome to join me as I really like the place and spend a lot of time there); from there you could definitely work out some meta-data that would point straight to me. Did you receive my message?

Mike the goat
–When I get the chance to test my idea (anyone got a nice amplifier for a poor college student? lol, Dayton Hamfest here I come..), I expect a side benefit…finding holes in the shield b/c my house and likely some neighbors houses will look like a strobe-light discotheque…

RE: your vision of a new processor
–Agreed, it needs to be open so hopefully we can catch anyone hired to subvert it and expose their face and fake name to the world and kicked off of any serious security projects forever. So many kinks to be worked out, it needs to be talked out over time and likely repeated when the material gets too large and spread out. It’s kind of exciting b/c no one’s really tried this before and we’re all kidding ourselves if we don’t (feel secure buying a computer these days from the store…?). There’s quite a large list of people to consult, but we don’t need consultants. We need money (that may not be returned but we don’t want to run a scam and have nothing to deliver), facilities, equipment, expertise, and DO-ers that have ridden the pony-show before so we can get some real progress and show it’s possible. These first efforts will likely have all kinds of flaws like any other security product (and there’ll be plenty of people just itching to poke a hole in it just b/c…). I’m giving a time-frame of 10 years, if I don’t see anything in that time period then I’ll get more cynical than I already am.

Nick P
    Discussions with RobertT show the fabbing aspects of this aren’t worth exploring, though.
–Again that is one opinion. He already said he wanted nothing to do w/ the project and has avoided most discussions b/c he’s scared of “birdies” tweeting in his head or something and any project will be a failure and that only like ~100 people in the world are capable of verifying a chip in ways we’re expecting; but then saying it’s impossible at the nano-scales we’re making chips these days, which is stupid in my opinion, but that’s just me. Nonsense, as if other people couldn’t learn what they know (and document the knowledge as you go); it just takes years to accumulate that experience. Bull, it just plays into an engineer’s ego and ensuring future employment. If no one else learns then the fabs will just shut down and fall apart; we need to trust someone then and have a “trump card” who checks his/her work at a random time. We’re going to have to play tricks to catch these shenanigans.

Wael June 17, 2014 1:28 AM

@Figureitout,

    It’s amazing this hasn’t already happened

You bring up a good point. Maybe we can think of a way to fix the identity spoofing issue you are concerned about. Perhaps a mapping between the poster name and a secret that gets agreed on upon registration. Also, how about this, do you remember the SnapChat thread? You know SnapChat gives the sender control on how long the message lives. You can do that as well with posts on Blogs, say for off-color comments. Suppose you want to post something you wouldn’t be comfortable having archived for a long time, then you can have a field that specifies how long the post lives before it self destructs, or allow for a self-destruct trigger when a certain person reads your post.

    And BTW, it was an underground computer lab like I said before

I know — will not talk about it anymore. I prefer to talk in the open, because I believe in this:
“If you are afraid, don’t say. If you say, don’t be afraid” — I know the translation is horrible, but it’s close enough. It basically means if you are scared to talk about a subject, don’t talk about it. If you talked about a subject that would normally have scared you, then don’t be scared and stand your ground — being scared at that point is useless. Private communication channels give you a false sense of privacy and “courage”.
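One way to build the "poster name bound to a secret agreed at registration" check Wael proposes above, with the self-destruct field he mentions folded in, as an added example that is not the blog's code or any commenter's: the moderator stores only a key derived from the secret, each post carries an HMAC tag over the name, body and expiry, and an impersonator who knows only the name cannot produce a valid tag. The names, secrets and timestamps are constructed; the class and function names are my own.

```python
"""Poster-identity tags for a comment thread, along the lines sketched above.
Added example, not code from the blog or from any commenter.  All names,
secrets and timestamps below are constructed for illustration."""

import hashlib
import hmac
import time


def _derive_key(name, secret):
    """Stretch the secret into a per-name key; the name acts as the salt so two
    posters who happen to pick the same secret still get different keys."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), name.encode(), 100_000)


def _message(name, body, expires_at):
    """Length-prefix every field so 'ab'+'c' and 'a'+'bc' cannot collide,
    and cover the expiry so nobody can extend a post's life after the fact."""
    parts = [name, body, "" if expires_at is None else str(int(expires_at))]
    return "".join(f"{len(p)}:{p}" for p in parts).encode()


def make_tag(name, secret, body, expires_at=None):
    """Poster side: the tag that travels with the post."""
    key = _derive_key(name, secret)
    return hmac.new(key, _message(name, body, expires_at), "sha256").hexdigest()


class CommentRegistry:
    """Moderator side.  Holds derived keys only, never the secrets themselves."""

    def __init__(self):
        self._keys = {}

    def register(self, name, secret):
        if name in self._keys:
            raise ValueError(f"{name!r} is already registered")
        self._keys[name] = _derive_key(name, secret)

    def verify(self, name, body, tag, expires_at=None, now=None):
        """Return 'ok', 'unknown-name', 'bad-tag' or 'expired'."""
        key = self._keys.get(name)
        if key is None:
            return "unknown-name"
        expected = hmac.new(key, _message(name, body, expires_at), "sha256").hexdigest()
        if not hmac.compare_digest(expected, tag):      # constant-time compare
            return "bad-tag"
        now = time.time() if now is None else now
        if expires_at is not None and now > expires_at:
            return "expired"
        return "ok"


if __name__ == "__main__":
    reg = CommentRegistry()
    reg.register("Figureitout", "correct horse battery staple")      # constructed
    body, lifetime = "Knew I shouldn't have posted it", 1_700_000_000
    t = make_tag("Figureitout", "correct horse battery staple", body, lifetime)
    print(reg.verify("Figureitout", body, t, lifetime, now=lifetime - 60))
    # An impersonator knows the name but not the secret: the tag will not match.
    forged = make_tag("Figureitout", "guess", "absolute garbage", lifetime)
    print(reg.verify("Figureitout", "absolute garbage", forged, lifetime, now=lifetime - 60))
```

Two caveats belong with this. Because the scheme is symmetric, the moderator's key store can forge tags just as well as the poster can, so a stolen database is as bad as stolen secrets; a per-poster signing key (PGP-signed comments, say) would remove that, at the cost of needing a library beyond the standard one. And the expiry is only as honest as the site enforcing it: the tag stops anyone else from changing the lifetime, but it is still the server that has to delete the post.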

Clive Robinson June 17, 2014 2:21 AM

@ Figureitout, Wael,

It’s already happened a couple of times.

It appears my name is far from unique and at least five people involved with ICT at various levels share it in the UK alone, and I’ve personally met some of them at shows and conferences.

Well I was reading through the last hundred comments one day to check I’d not missed a comment / reply on an older thread when my name came up against a comment I’d not made, so I simply flagged it up.

On another occasion somebody decided to do an “I’m Spartacus” moment that others joined in on.

That said somebody has posted as just “Clive” on a number of occasions who is not me.

I also spotted an early link spammer who was taking parts of comments from other people and posting them again as their own. The main reason I spotted it the first time was they replayed a paragraph from Nick P that was fairly unique in style. It surprised Nick, who awarded it a “nice catch” 🙂

So for those that wonder, yes I do read most of the comments; it tends to be only where there are 75 or more comments in 12 hours or I’m traveling or doing odd hours that I don’t. And NO I’m not Bruce or the Moderator as some have –only half– jokingly suggested.

koita nehaloti June 17, 2014 4:11 AM

Re: Write only systems and public keys

Can we have a camera that uses write-only files or a write-only filesystem for storing photos? I mean it needs to have a firmware that encrypts pictures with a public key. The secret key of that public key is somewhere else. I know that at least Canon camera firmware can be replaced with custom versions. Is that kind of encryption too much for a camera’s puny computer?

Also we should have laws that require all locally logging GPS trackers and locally logging audio spy devices to have write-only files or filesystems to prevent unauthorized parties from stealing that data.

Uses of locally logging GPS trackers where encryption is or may be useful include: keeping a diary of one’s own movements and a cat’s movements, spying, and making a record for later study and for history books of massive military operations by attaching loggers to helmets, jeeps, tanks etc. Why cats? Logs of a targeted person’s cat’s in-and-out movement times may give knowledge that helps attacks, or just helps plain old burglary, to anyone.

To prevent GPS spoofing, GPS transmissions should be certified with a public key generated in the satellite while in orbit, and the private key staying in the satellite in orbit, never leaving space.

Chris June 17, 2014 5:47 AM

Hi, reading about the Israelis that infect a PC from a mobile, I can think of at least two possibilities:
– Bluetooth
– WLAN, perhaps using Wake On LAN

So, anyway, has anyone been investigating:
– SMS Type 0 and how they can be prevented, since it seems to have some weird specs and attack vectors

Also I have a question regarding femtocells: does anyone know of any other tools for detecting them
apart from Femtocatcher and Android IMSI Catcher Detector?

//Chris

Mike the goat June 17, 2014 5:57 AM

Chris: it’s difficult to do anything about the phone acking class zero SMS’s without modifying the baseband but I know that some devices when debugging is enabled log all SMS interaction. You could perhaps write a small daemon that kept an eye out and simply enabled aircraft mode upon receipt of one, seeing as they are pretty much exclusively used for malicious purposes (such as generating traffic to more effectively radio-locate a target).

Mike the goat June 17, 2014 6:11 AM

Benni: I found it interesting that one of the documents stated that Germany was both a partner and a potential target. They didn’t bother to make those distinctions with the UK, AU, CA, etc. so I do wonder how such a relationship exists when clearly there are trust issues between the BND and NSA.

Nick: I can’t add anymore to your excellent analysis, other than to perhaps bring up the possibility of adapting existing tech to suit our purposes. Let’s pretend that we have a relatively unencumbered and (we believe) trustworthy architecture; for the sake of argument, let’s assume that we now have a warehouse filled with tens of thousands of these processors. We now need to organize motherboards. Even if our hypothetical already-in-warehouse silicon was a SoC we’d still need to fab boards to contain whatever isn’t integrated, which I assume would still be significant. It is a hell of a project, but I think with the right people and of course financial support (perhaps this would be a candidate for public equity funding as clearly this is way beyond the realm of crowdsourcing in the Kickstarter sense?) it could be done.

Benni June 17, 2014 8:47 AM

@Mike the goat:

There are no issues with the BND. BND is NSA’s partner.

But certainly, the Dagger Complex or the Special Collection Service at the Berlin embassy are not Bad Aibling where BND and NSA work together, but these stations are operated by NSA alone.

And from these stations which only NSA can access, they then monitor Angela Merkel.

I guess with the BND it is similar. In a recent lawsuit it came out that BND monitors the communications of 196 countries, including UK and USA.

https://netzpolitik.org/2014/trotz-vorlaeufigem-scheitern-der-klage-in-leipzig-neue-erkenntnisse-bnd-ueberwachte-2010-196-laender-auch-die-usa/

Certainly the BND does not want to share what it does in the US with the NSA…

These agencies simply have separate groups. Some are working together closely, while other groups work against each other.

Benni June 17, 2014 9:28 AM

The German newspaper Süddeutsche has provided a funny picture showing which countries are “at least partially” monitored by BND.

It is in the print version of the magazine only, but the newspaper also posted this picture on twitter:

https://twitter.com/SZ_Investigativ/status/478419159387095040/photo/1

In the print version, there is also an interview with Berthold Huber, a member of the G10 commission that controls the BND. (This is not to be confused with the parliamentary control commission of the BND. The G10 meets more often and has better control abilities. In comparison, the G10 is something like the national security council.)

First question: What is the difference between NSA and BND?
Huber: Not much.

Benni June 17, 2014 9:30 AM

I forgot: In the picture above, the countries monitored by BND are painted in red.

Jacob June 17, 2014 10:03 AM

Benni, the BND coverage map you pointed to shows that the vast majority of the countries in the world are covered – but N. Korea is one of the few that are not. I wonder why.

Benni June 17, 2014 10:23 AM

I should be precise:
This map shows whose communication between Germany and another country is monitored.

Because North Korea has no internet fiber, you cannot monitor the broad communication between Germany and North Korea. BND cannot open letters as easily as it can snoop on emails.

But you can safely bet that those Germans working as “diplomats” have some connection to the BND.

The United States does not have an embassy in North Korea. But Germany has:

http://de.wikipedia.org/wiki/Deutsche_Botschaft_Pj%C3%B6ngjang

And that is why BND tried to impress at visits to Fort Meade with its access and knowledge on North Korea….

Nick P June 17, 2014 10:47 AM

@ Clive Robinson

re EM injection

Yeah, I misread that part of the article. My bad. Your two possible explanations of FUD or subversion are good. If there’s no subversion, then there is still a technical possibility. Remember the active EMSEC attack on the RNG that weakened it? I wonder if blasting some EM waves at a system can have any other effects on its internal state. Effects that allow some kind of code injection, probably via a different vector. This might especially be true if the machine supports some kind of wireless and it was just turned off. I’m not saying I think that’s what’s going on. I just think the potential of such attacks hasn’t been investigated thoroughly enough by public institutions.

@ Buck

“Industrial scaled distributed rainbow tables..?”

Closest thing I know of is Elcomsoft’s product.

@ Figureitout

re RobertT’s view

“He already said he wanted nothing to do w/ the project and has avoided most discussions”

He contributed a ton to discussions over the years. He just doesn’t like repeating himself. He’s also got a demanding day job doing what we’re talking about. People like him come and go here. I’m grateful for what time they give us.

“that only like ~100 people in the world are capable of verifying a chip in ways we’re expecting”

Most people in his field are over 40 because they can’t find younger people who can do the job. That’s saying something. Most of it isn’t in books and can only be learned with experience. Mistakes cost a few million each at ASIC time. The companies capable of reverse engineering the chips I can count on one hand. So, he’s right about how rare the skills are to verify something down to the gates at an advanced process node. And that limits our opportunities.

” just takes years to accumulate that experience”

Closer to a decade most chip designers say. I’ve seen many make that claim. The only chips I see the younger crowds doing are pretty simple chips that aren’t integrated into a SOC. (read: useless in practice without other components) Those doing more complex work are typically supported by at least one experienced designer. The typical target is also FPGA because they’re way easier to build on than real silicon. So, even for just making chips work the odds are against newcomers for accomplishing a whole lot. And you guys wanted both function and strong verification of no subversion on top of it. His skepticism is warranted.

@ Clive Robinson

re names

“It appears my name is far from unique and atleast five people involved with ICT at various levels share it in the UK alone, and I’ve personaly met some of them at shows and confrences.”

So I’ve noticed in the past…

” The main reason I spotted it the first time was they replayed a paragraph from Nick P, that was fairly unique in style. It surprised Nick who awarded it a “nice catch” :-)”

Yeah I said “wth?”

On a related note: I also was about to join Wilder’s Security Forums in some discussions until I noticed a guy “from Schneier’s blog” that wrote like me. He used about the same style. The key difference was he was a total asshole rather than an occasional dick. 😉 The whole forum was pouncing on the dude for his behavior. He also regularly used Bruce’s style of doing hyperlinks in his paragraphs. I do it occasionally, as it’s a useful technique, but not as often as him. The guy was cocky, not contributing much, referencing Schneier’s blog/work, and having a writing style too similar to mine. Hence, I never joined the forum as I figured that guy instilled plenty of hate in anyone that would reference this blog or write similar to him. I’d have to convince them he wasn’t me. And worst: I know all the regulars here over the years and have no idea who the hell that was! For all their cockiness, they sure weren’t contributing here so much. For such reasons, I occasionally feel the need for a strong identity scheme on the web.

@ koita

You skipped past the requirements and immediately went into how to meet them. We need to know the exact use case you want, plus the concerns in it you’re addressing. Then we can comment on various design elements for the camera.

@ mike the goat

I’ve outlined something like this before. If you trust the people, then it’s much easier. 😉 Trying to remember the steps. First, someone helps design a board around the components. Second, the board design is sent to a company that can produce a bunch for us. The components are all ordered and arrive in the warehouse. There’s a sampling room that receives randomly selected chips to perform tests on external behavior. The chips are put on the board by humans or robots [designed by college robotics students]. The boards are connected in a structure that can hold a bunch of them while performing automated acceptance tests on them. Initial, signed firmware is also loaded on them in that process. The boards are packaged in a standard way. Tamper evident seals are used on the packages. Mass orders are packaged differently to save materials.

Yes, such an operation costs something. The cost would be space, equipment, and labor. These can be pretty cheap especially if you do it in a semi-rural area near Interstates and a major shipping hub. Space and equipment might be kept low by doing a deal with a warehouse to lease off a section, plus load/unload the occasional truck. A nonprofit company would handle all of this to charge it at cost and avoid taxes. Accounting, corporate governance, etc is done by the organization designing the main chips. One of my old ideas for initial finance, which is charity if we’re being honest, is to get a person or institution representing a potential buyer of the boards to do it. The potential customer will get their boards first, at cost, and with first rate service. The funder will know they’re getting top quality/security goods, getting a great deal, and doing some charity all at once. My attempt at a win-win deal for this sort of thing.

Clive Robinson June 17, 2014 11:52 AM

@ Mike the Goat, Nick P and others,

[L]et’s assume that we now have a warehouse filled with tens of thousands of these processors. We now need to organize motherboards. Even if our hypothetical already-in-warehouse silicon was a SoC we’d still need to fab boards to contain whatever isn’t integrated, which I assume would still be significant.

I had a long serious think about this issue a number of years ago and I mentioned it as part of C-v-P as my prototyping method.

Essentially you could consider it a “micro-blade” solution although I’d thought it up as a prototyping system years before anyone coined “blade” as a marketing term.

Thus I put the prototype prisons on their own little boards that stacked together vertically and plugged horizontally between an IO back plane and a hypervisor back plane. With ten identical boards forming a stack of eight prisons, one board to act as the hypervisor and main memory and streams “letter box” control and the other to do low level IO control and buffering etc.

The boards contained three main chips: the CPU chip (a 16bit single chip microcontroller), the MMU chip (an 8bit fast microcontroller in the prototypes as low cost not speed was desirable) and the streams letterbox chip (another microcontroller) and a PLD to act as a JTAG interface chip. These were fairly cheap and easily testable. The back plane boards contained most of the other chips but again were fairly easily testable. The 8 prison stacks were connected together via cheap 10M network chips and a switch to the “warden” system and main IO to disks etc which was a *nix PC.

Not fast but as an “ideas test” prototype, easy to test, debug, etc.

One advantage is the boards have a minimum of interconnects and thus were initially plain double sided boards without plated through holes. Later boards were four layer with power and ground on the inner two layers. Such boards are cheap and easy to source and easily assembled to make the individual micro blades, which are again cheap to test etc.

If I was doing it again I would stick with the physical architecture and have high performance micro-blade cards and update the bus speeds and use serial busses in star-switch config not parallel shared busses except to local shared memory blocks.

If you have a look on the net there are others building home super computers this way and their efforts would be well worth a look-see.

Nick P June 17, 2014 1:17 PM

I previously posted a link to my essay in Jack Ganssle’s Embedded Muse on WCET analysis and advantages of I/O coprocessors. I just finished some investigation of the issue that might solve it (or nearly so). Here’s the report I emailed Jack:

Scratchpad Memory: A simple solution to the verification and timing analysis problems?

Ok, Round 2 of this WCET stuff. One problem I have with caching is its effect on system correctness and timing arguments. These affect your field just as much as mine. My ideal on-chip memory has fine-grained control, predictability, plenty of space, and uses minimal chip resources. Looking into this stuff more I rediscovered an old technique that embedded guys probably know well: scratchpad memory. I used to love this stuff but forgot it after I had to exclusively work with cached architectures. It met every single requirement on my list minus maybe space compared to some COTS offerings with ridiculous cache sizes. So, I decided to look for empirical evidence for or against it in the problem domain.

Quick tangent: {First thing I ran into was Playstation 2 SoC in my old archives. Developers found its scratchpad handy for minimizing unpredictable delays and accelerating I/O. This made me consider scratchpads in my I/O coprocessors for that reason as the I/O programs are tiny and use predictable amounts of internal memory. So that’s another thought for you on I/O coprocessors as quite a few cheap chips have scratchpad. }

I looked into academic work to see if I could find any comparisons of scratchpad and cache, esp involving WCET analysis. What I found confirmed my suspicions: scratchpad memory is what you people need. And before anyone gripes about manual memory management, I’ll quickly add that the tools (i.e. compiler) can handle that for you. The two papers supporting this assertion, one on scratchpad advantages & one on timing comparison, are attached.

So, that problem is knocked out. Automated analysis tools and SoC’s must be developed to put it to use, of course. Next insurmountable embedded issue, please? 😉

Links for the attached files in case you forward them:

Scratchpad Memory: A Design Alternative for Cache On-chip Memory in Embedded Systems, 2002, Banakar et al.
http://robertdick.org/aeos/reading/banakar-scratchpad.pdf

Scratchpad memories vs locked caches in hard real-time systems: a quantitative comparison, 2007, Puaut and Pais
http://www.irisa.fr/alf/downloads/puaut/papers/date07.pdf
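The point of the memo above (and of the two linked papers) is that a cache makes an access's cost depend on history and layout, while a scratchpad fixes it at link time. The following toy timing model is an added illustration, not code from the thread or the papers; the latencies (1 and 50 cycles), the 64-byte direct-mapped cache, the 128-byte scratchpad, the loop trace and the "prior" access patterns are all constructed assumptions.

```python
"""Added example (not from the thread or the linked papers): a toy timing model
showing why a cache makes worst-case execution time (WCET) depend on prior
state and data layout, while a scratchpad gives one fixed cost. All latencies,
sizes and the access trace are constructed assumptions."""
from typing import Callable, Iterable, List, Tuple

HIT_CYCLES = 1      # assumed latency of on-chip memory
MISS_CYCLES = 50    # assumed latency of a trip to main memory
LINE_BYTES = 16


class DirectMappedCache:
    """Minimal direct-mapped cache; only the tag array matters for timing."""

    def __init__(self, lines: int) -> None:
        self.lines = lines
        self.tags: List[object] = [None] * lines

    def access(self, addr: int) -> int:
        index = (addr // LINE_BYTES) % self.lines
        tag = addr // (LINE_BYTES * self.lines)
        if self.tags[index] == tag:
            return HIT_CYCLES
        self.tags[index] = tag          # allocate on miss, evicting whatever was there
        return MISS_CYCLES


class Scratchpad:
    """Compiler-managed on-chip RAM: a word is either placed there or not,
    so the cost of an access is decided at link time and never changes."""

    def __init__(self, base: int, size: int) -> None:
        self.base, self.size = base, size

    def access(self, addr: int) -> int:
        inside = self.base <= addr < self.base + self.size
        return HIT_CYCLES if inside else MISS_CYCLES


def run_trace(mem, trace: Iterable[int]) -> int:
    return sum(mem.access(addr) for addr in trace)


def timing_bounds(make_mem: Callable[[], object], trace: List[int],
                  priors: List[List[int]]) -> Tuple[int, int]:
    """Best and worst cycle count of `trace`, taken over each `prior` pattern
    (what an interrupt handler or another task touched just before)."""
    costs = []
    for prior in priors:
        mem = make_mem()
        run_trace(mem, prior)            # warms or pollutes the memory, not charged
        costs.append(run_trace(mem, trace))
    return min(costs), max(costs)


def loop_trace(a_base: int, b_base: int, iterations: int = 4) -> List[int]:
    """Constructed trace of `for i: acc += A[i] + B[i]` over 4-byte words."""
    trace = []
    for i in range(iterations):
        trace += [a_base + 4 * i, b_base + 4 * i]
    return trace


# Constructed prior states: cold, warmed by the same data, polluted by other data.
PRIORS = [[], [0, 32], [64, 96]]


def compare() -> dict:
    cache = lambda: DirectMappedCache(lines=4)     # 4 x 16 B = 64 B cache
    spm = lambda: Scratchpad(base=0, size=128)     # 128 B scratchpad holding both arrays
    return {
        "cache, B 32 bytes after A": timing_bounds(cache, loop_trace(0, 32), PRIORS),
        "cache, B 64 bytes after A": timing_bounds(cache, loop_trace(0, 64), PRIORS),
        "scratchpad, B 64 bytes after A": timing_bounds(spm, loop_trace(0, 64), PRIORS),
    }


if __name__ == "__main__":
    for layout, (best, worst) in compare().items():
        print(f"{layout}: best {best} cycles, worst {worst} cycles")
```

With these assumptions the same eight-access loop costs anywhere from 8 to 106 cycles on the cache depending on what ran before it, and moving array B by 32 bytes so it shares a cache line index with A pushes the bound to 351 to 400 cycles; the scratchpad answers 8 cycles every time, which is exactly the property a WCET analysis wants to be able to assume.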

Benni June 17, 2014 4:08 PM

Here is an article from a Greek newspaper that explains what German surveillance looks like from the viewpoint of other countries.

http://en.protothema.gr/german-big-brother-germany-monitors-greeks-through-internet/

I think, de-cix must gather more customers. Clearly 500 telcos are not enough.

North Korea, and some regions in Central Africa, must immediately be connected to de-cix. If only to evade the NSA. If they come and connect to de-cix, the Americans are guaranteed not to be the first to receive the data. If that is not an advertisement, I do not know what is.

Even Russia got on board recently:

https://www.de-cix.net/news-events/latest-news/news/article/welcome-wellcomm-from-russia-at-de-cix/

The Arabs:
https://www.de-cix.net/news-events/latest-news/news/article/first-arabic-content-at-uae-ix/

And the Americans:
https://www.de-cix.net/news-events/latest-news/news/article/10-networks-live-and-peering-at-de-cix-new-york/

Therefore, Kongo and North Korea must step up now.

For a true German agency
https://twitter.com/SZ_Investigativ/status/478419159387095040/photo/1

the world is not enough
https://www.youtube.com/watch?v=DpiJtmRLjhY

I know what to show
And what to conceal
I know when to talk
And I know when to touch
No-one ever died from wanting too much

The world is not enough
But it is such a perfect place to start…my love

And if you’re strong enough
Together we can take the world apart…my love

People like us
Know how to survive

There’s no point in living
If you can’t feel the life
We know when to kiss
And we know when to kill

If we can’t have it all
Then nobody will

The world is not enough
No nowhere near enough…

Clive Robinson June 17, 2014 5:06 PM

@ Nick P,

Yeah, I misread that part of the article.

Don’t feel bad about it, most other tech journos and academics have as well when you scan around.

Also check my original thought on it as outright FUD, so I’m just as bad 😉

It was when I sat and thought about it, there were two distinct wordings: the first that it set up a network connection, the second that it used it to install the virus code. I thought a journo making one error OK, but two in the same specific way… that’s not mishearing the source, that’s either the source’s words or a frame up.

I then thought “hang on this was demoed to the Israeli premier”; generally the Israeli premiers have been part of the IDF at officer or staff level and would not willingly sit through a TEMPEST demo, because unlike most other premiers and presidents in the world they would already know a lot about TEMPEST HIJACK/TEAPOT.

And that’s when I got a little itchy feeling at the back of my neck and my gut started hopping on one leg, it was trying to tell me something. So I looked up the Prof, and he has senior contacts not just within the Israeli Gov but IDF as well and he’s pulling very interesting gigs as well… The fact he’s working indirectly with DT (German telco) that’s got very strong BND links made me even more itchy…

He’s up on spook tech and methods and source techniques, it’s even more unlikely he would embarrass himself and the premier over 70s or earlier Van Eck etc style attacks unless he’d found a new twist to it.

So what could the twist be, my first thought was using the phone as a spectrum analyser and remote analysis tool, which would be of interest to an Israeli premier. But I kept thinking about what if those two mistakes that “I’m assuming” the journo made, what if they are not mistakes…

Then that would really be something of interest, and I started thinking about how you would get a waveform to be a valid program and realised the odds were too extreme for an accident, so it would probably be deliberate.

And that makes me feel nervous because it’s very far from being impossible based on recent revelations.

Now it could still be FUD or implant, but it’s far from impossible that it is in every modern PC… As I’ve indicated in the past active fault injection on an EM carrier is not impossible, because I played with it successfully in the 80s.

Nick P June 17, 2014 7:40 PM

@ Clive

So what do you think about scratchpads over caches for better efficiency and easier timing analysis?

Clive Robinson June 17, 2014 11:44 PM

@ Nick P,

So what do you think about scratchpads over caches for better efficiency and easier timing analysis?

I’ve not yet read the papers you link to so my perspective is based to an extent on my experience which has been a bit eclectic at times.

I’m not keen on caches from a security aspect, they also don’t offer much in systems which have small memory footprint apps where there is no or little task switching involved. Further the logic around caches is generally silicon real estate and thus power hungry in comparison and the memory itself tends by usage to be more power hungry than ordinary RAM usage.

Obviously the purpose both caches and scratchpads serve is to keep the memory physically as close to the ALU as possible to minimise speed of transmission issues. However that purpose is also served by the internal register file which is usually at least dual ported which offers a very much faster performance.

Dual/multi ported memory has been used in DSP chips and stack based systems where the size is generally quite limited for various reasons but speed of access the overriding concern. And this has also given rise to the idea of a rolling scratchpad, where the internal dual ported memory is treated as a large circular buffer, and the ALU access is via a sliding window that follows the hardware register loading. Whilst ideal for DSP systems it can also work extremely well for other algorithms that get used in parallel processing. Also if you remember back a few weeks ago we discussed non linear access to memory which also used the idea of a current window into memory using short addressing and would work well with a rolling window scratchpad or even register file as what is effectively a stack based on a circular buffer. It would also simplify and reduce the size of a RISC core.

What also affects the efficiency of local memory/registers is the architecture type of the CPU, CISC and RISC systems are sufficiently different as are Harvard and von Neumann systems such that they need different solutions which is a problem Intel sleep walked into, by assuming they could dump one architecture type for another and consumers would follow, but the market decided otherwise due to the software investment.

However less obvious is transistor size is an issue as well, the number of active devices in a given area of silicon real estate is very much dictated by the power they need to operate and thus if too dense and rapidly switching “thermal death” is assured in quick order.

Thus whilst the current does go down with transistor size the number of transistors goes up in relation to area thus the power requirement per given area goes up as an inverse power law to transistor size.

Traditionally due to the way memory is usually sequentially accessed it is treated as a “freebie” as far as thermal issues of silicon real estate are concerned, because only a fraction of the transistors are switching state at any one point in time, thus the majority of linearly sequentially accessed memory is in effect “dark silicon”. The same is not as true for conventional cache systems, thus there are power issues with the memory type and its addressing logic to be considered as well.

So perhaps the question should include register files, sliding windows or other types of scratchpad as well as CPU architecture and transistor size effects 😉

Where caches have strengths over local scratchpad memory is in systems where there are hundreds if not thousands of processes/threads running, due to certain statistical advantages in the way that many/most of the threads and to a lesser extent processes are written. As it is a statistical process designed for one generalised type of usage it might be very wrong for another type of usage and actually make things considerably worse (and yes it’s been seen to do this which accounts for some of the ideas of hybrid multiple level cache systems to reduce some of the issues).

However the statistics for simple cache systems are often “felt” to apply to all OSs and Apps, by a “hit or miss” process. Where a little thought would consign the “feeling” quickly into the myth category, it usually does not (possibly due to marketing literature).

But where there is a real issue this causes, OSs and to a lesser extent Apps are “optimised to the architecture” of the underlying system. Which unfortunately gives rise to a “chicken or egg” problem that skitters off helter skelter style into an ever tightening downward spiral of an evolutionary cul-de-sac, which can be hard if not impossible to climb out of.

As I’ve said before imperative computing is rapidly approaching its end of shelf life as it’s hit the buffers due to physics which even cache systems can not avoid. It is why we are seeing multiple CPU cores on chips, with time these will increase in number and will become simple Harvard RISC cores with lots of local memory possibly of a sliding or non linear window of possibly multiport register arrangement. Whatever is used the chances are that security will be a long way down the requirements list…
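The “rolling scratchpad” described above, a circular buffer whose newest word sits at a moving head and whose contents are reached by short offsets relative to that head, is the same modulo-addressing trick DSP chips use for delay lines. The model below is an added example of one reading of that description, not code from the thread or any hardware Clive built; the `RollingScratchpad` class, its power-of-two size and the FIR filter used to exercise it are all assumptions.

```python
"""Added example (not from the thread): a software model of a rolling
scratchpad, i.e. a power-of-two circular buffer with short relative addressing
from a moving head, exercised by an FIR filter whose taps read x[n-k] as
read(k). The class name and its interface are constructed assumptions."""
from typing import List


class RollingScratchpad:
    """Circular buffer where load() advances the head and read(offset) fetches
    the word `offset` loads ago. Size must be a power of two so the modulo is a
    single mask, which is how hardware does it."""

    def __init__(self, size: int) -> None:
        if size <= 0 or size & (size - 1):
            raise ValueError("size must be a power of two")
        self.mask = size - 1
        self.mem: List[int] = [0] * size     # cleared on reset, like real on-chip RAM
        self.head = 0                        # index of the most recently loaded word

    def load(self, value: int) -> None:
        """Hardware register loading: advance the head, store the new word."""
        self.head = (self.head + 1) & self.mask
        self.mem[self.head] = value

    def read(self, offset: int) -> int:
        """Short relative addressing: offset 0 is the newest word, 1 the one
        before, and so on. Offsets past the window are a programming error."""
        if not 0 <= offset <= self.mask:
            raise IndexError(f"offset {offset} outside window of {self.mask + 1}")
        return self.mem[(self.head - offset) & self.mask]

    def window(self) -> List[int]:
        """The current sliding window, newest first (for inspection only)."""
        return [self.read(k) for k in range(self.mask + 1)]


def fir_filter(samples: List[int], taps: List[int], window_size: int = 8) -> List[int]:
    """y[n] = sum_k taps[k] * x[n-k], with x[n-k] coming out of the rolling
    scratchpad as read(k); samples before the start are zero."""
    if len(taps) > window_size:
        raise ValueError("more taps than the window can hold")
    buf = RollingScratchpad(window_size)
    out = []
    for x in samples:
        buf.load(x)
        out.append(sum(h * buf.read(k) for k, h in enumerate(taps)))
    return out


def fir_reference(samples: List[int], taps: List[int]) -> List[int]:
    """Direct convolution, used only to check the scratchpad version."""
    return [
        sum(h * samples[n - k] for k, h in enumerate(taps) if n - k >= 0)
        for n in range(len(samples))
    ]


if __name__ == "__main__":
    xs, hs = [1, 2, 3, 4, 5], [2, 1, 1]      # constructed input and taps
    print(fir_filter(xs, hs))                  # [2, 5, 9, 13, 17]
    print(fir_filter(xs, hs) == fir_reference(xs, hs))
```

Because every tap reads a fixed offset from the head, the filter never computes an absolute address and never touches memory outside the window, which is the property that makes such a buffer both cheap to address and easy to bound in a timing or safety argument.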

Mike the goat June 18, 2014 12:05 AM

Chris: I noticed the IMSI catcher software referenced Paget’s excellent DEFCON presentation on MiTMing GSM. It was an excellent talk and he did a great job at explaining the fundamentals to the uninitiated.

Benni: Of course, I have no doubt that the agencies work together to achieve common goals. It just struck me as interesting that of all the FVEY countries, only DE was mentioned as being a potential target as well as an ally.

Nick re elcomsoft – they make great stuff; we investigated using their software to break a heap of DES crypt()’ed passwords we obtained when we acquired another small ISP and our system just wouldn’t tolerate DES encrypted passwords (and was closed source, and thus it was non-negotiable – had to be either cleartext, MD5 or SHA1). I am very much on board with the idea of producing a semi-trustworthy computer. I agree that some concessions will need to be made and we probably won’t have the luxury of custom fab. I guess it will likely be a matter of picking a chip that is already on the market. If we use it in an unconventional manner – like, for example, having a few ARM processors on a board, with a supervisor allocating tasks between the cores – then any subverted mechanisms already on the silicon are unlikely to be effective. I guess we just have to play the numbers, and design a mainboard that at the very least carves up the resources and perhaps – if we take a leaf out of the aerospace industry – even have something like a MIPS core and an ARM core (for example), with workload divided between them. This isn’t impossible to do, and the bulk of the work could be done in software/our firmware.

KnottWhittingley June 18, 2014 12:17 AM

Incredulous,

For what it’s worth, IMO if you’re the person who has been morphing through a gazillion jokey and/or pointed names (like “Today’s Big Lie,”) I think “Incredulous” would be a good name to stick with.

I’m one of the people who finds it very annoying when somebody frequently morphs their “name,” because it makes it hard to follow a conversation you’re interested in, or to ignore one you’re not. (And sometimes I go through these threads more than once, interested in one conversation in one pass, and another in another pass. Often I just check recent stuff for particularly interesting and easily digestible tidbits, and go back to trace whole conversations later.)

“Incredulous” seems like a very good name for you, if I get where you’re coming from, and a very nice play on “Skeptical”.

Please do stick with that. It’s plenty good enough.

Wael June 18, 2014 2:59 AM

@Mike the goat, @Nick P, @Clive Robinson,

even have something like a MIPS core and an ARM core (for example), with workload divided between them. This isn’t impossible to do, and the bulk of the work could be done in software/our firmware.

I toyed with this idea a while back and was part of a team that formed a stealth startup a few years ago. I even gave the name “emuvisor” to the type of hypervisor that handled the functionality. The hardware resembled what you described a little. Was a superset of what QEMU did. The idea was pitched to three well known chip / system manufacturers. They liked the idea. One of them wanted us to work for them instead, the other wanted to see a prototype, the third was interested but wanted to see a proof of concept. Eventually the team had internal differences and we parted ways. Some of the companies took parts of the idea and implemented them… Maybe you can take a look at QEMU and use some of its functionality. If I have time, maybe I’ll share a diagram of what the “emuvisor” did, and what the hardware looked like. Was one of the reasons I engaged with @Clive Robinson and @Nick P a while back. I told @Clive Robinson at the time:

You touched on another area of interest to me. I am surprised that you have come very close to what I had in mind – I will bring that up sometime for discussion in the future. It has to do with knowns / unknowns, hypervisors, controls, and simplicity. I just have to wait for the correct thread to inject it in.

And that was a little over two years ago (June 3rd, 2012). Amazing how time goes by. Two years later, you brought up the “correct thread” 🙂 Probably someone with more money and resources will end up doing it…


I must be tired! When I was typing my email in the E Mail Address box, I typed “xxx@Nick P.com “… Lol – glad I caught it… Almost spawned an invisible sockpuppet!

Clive Robinson June 18, 2014 5:44 AM

@ Wael,

Yes it is two years ago, funny how time flies irrespective of how much fun you have (see my last piece of advice to bitsplitter over his authentication scheme on the same page).

For those reading along Wael asked me about my rough rule of thumb about “Efficiency -v- Security” which is similar to the more common “Usability -v- Security”, neither are absolutes –ie you can build a usable system that is secure– but indicate what happens if the designer does not have the required skill set, which unfortunately appears to be the majority case… you can read more at,

https://www.schneier.com/blog/archives/2012/06/friday_squid_bl_329.html#c775980

But as normal you will have to hunt back for comments that lead up to it on EmSec / TEMPEST design rules, and the C-v-P saga, unless @Nick P is kind enough to pull the refs out of his “link farm” 😉

Oh the page I’ve posted to also has a post about work done at the UK’s Cambridge labs about Side Channel Analysis on encrypted memory between supposedly secure FPGA devices that is worth a read.

Wael June 18, 2014 6:00 AM

@Clive Robinson,
Yup. I think you scared him away 🙂
Finally getting sleepy… I get very goofy late at night, so I better wait until I am fresh, because right now I am thinking limericks and poetry, and I better post nothing I regret tomorrow – it’s already tomorrow 4:00AM …

Nick P June 18, 2014 7:20 AM

@ Clive

I thought the internal registers were extremely limited in number vs caches and such. And that’s one of the reasons the latter are included. The largest number of registers I’ve seen on a high-speed processor was around 200. Let’s say 256 x 128-bit at highest to give us 32.8 kbits. Scratchpad is regularly in hundreds of kbytes and cache approaches 80MB in some processors. Most information on register files indicates they have to be tiny to get their level of performance. Scratchpads can have more depth.

Far as optimized for architecture, remember that I’m assuming the number of secure architectures will be limited. Most OS’s are only optimized for under half a dozen processors with any real effort because that’s what’s left. Far as secure systems, I can count the number of viable options on one hand. So, that puts an upper limit on how much optimization will be needed. And I’m probably going to focus on one in practice. Eventually.

re CvP discussion

Not sure if it’s the one you’re talking about but this is the heading and link I saved a long time ago:

“I teach Wael how to make secure reference monitors. He, Clive and I have many enlightening discussions from that point. ”
http://www.schneier.com/blog/archives/2012/06/friday_squid_bl_329.html#c776618

He’s come a long way since then haha. Well, so have I: from building secure software to building secure hardware to secure the software. What’s next for me? Finding out I need to devise new molecules to protect the hardware? Did you say tamper-resistant computing? Shush, I must not think of such complicated things while I’ve yet to get the processor layer done. 😉

@ Mike the Goat

They’ll compromise that if the number is small and you’re just relying on numbers. That’s why my voter schemes use different ISA’s from different fabs with potentially different loyalties for extra insurance. And steps to ensure functional equivalence on each one for a given piece of code without any extra work on each application by developer. The voter part can be manual/visual or a simple device depending on needs. It’s also why I’ve considered DSP’s (per Clive) and GPU’s (per RobertT) to do these CPU-type jobs as they’re unlikely to be subverted. And I’ve even put stuff on Playstation 2’s (per a crazy guy) for such reasons. These latter options often aren’t efficient at all but they work well as an extra check.

If that’s too much resources for the use case, then dividing up the work isn’t a good solution: it’s a costly delay at best. RobertT suggested financing pros building whatever it is on cutting edge process node tech to make their job hard. I’ll add to that obscuring what the chip is for by staging a fake SOC description and contract to cover real purpose. Then, shipping security for a batch is a must. The peripherals can all be untrusted in the design so we’re good there past clever EMSEC attacks on the board from peripherals.

@ Wael

“When I was typing my email in the E Mail Address box, I typed “xxx@Nick P.com “”

Obsession is the root of many psychological problems, Wael.

“Yup. I think you scared him away :)”

Is that what you thought? Gentlemen, that brings me to my next point. 😉

re Qemu thing

I mostly see that being done with verification. I’ve never seen it done for production code. I’d have gone a different route and used LLVM. It’s specifically designed to have one bytecode that can be transformed into many others with high performance. I’d just make a safety critical argument for the byte code and the generators for code/cosimulation. Then, voila, endless programs certified from LLVM bytecode with minimal verification of actual, processor code. 🙂

Note: The Sandia ASSET framework and CompCert compiler were more complex than my proposal. And they were built and proven in production. So, my proposal is probably doable with less resources. A formal semantics for LLVM bytecode is already done, for instance.

Mike the goat (horn equipped) June 18, 2014 7:51 AM

Nick – I will respond more verbosely when I get home, but I can think of a way that a diverse multicore system could be made to work, even if performance concessions have to be made. If you had all the tricky stuff hidden by a virtualization/emulation layer you could have tasks allocated unpredictably to one of the processors. No matter how that is implemented you’d also want an onboard fast RNG made with discrete components, and ideally we could have a way to signal crypto/’important’ code execution so as to tell the hypervisor to sacrifice performance and ‘chunk’ the job across the diverse cores in smaller chunks than standard execution.

I can see conceptually how it would work. You’d obviously need a fast interconnect between what will essentially be multiple SoCs and I imagine this too would not be without risk particularly in regard to compromising emanations. Perhaps the case could be shielded as a quick and dirty way to at least minimize the problem.

I guess my idea most closely resembles what Clive has already detailed. I am thinking along the lines of some of the early mainframes – several daughter boards housing processors connecting to a main board which aggregates everything and an abstraction layer to present a “normal” machine to software.

The more I think about it the more I realize how impractical the idea may be, and the various weaknesses that we would actually be adding by using such a design. I guess the problem is that we might be security guys, we might be able to code ourselves out of trouble in high level languages like C – hell, some of the older folk may have a decent grasp of x86 assembler but we are not silicon fabricators (exception being RobertT)…. So unfortunately we are all kinda flying blind here.
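Nick P’s voter scheme (independent implementations on different ISAs, results compared, a single odd one out flagged rather than trusted) and Mike the goat’s diverse-core hypervisor both reduce to the same mechanism: run the job more than once on parts that would have to be subverted in the same way to agree, and only accept a strict majority. The block below is an added example of that mechanism, not code from either commenter; it uses CRC-32 as a stand-in workload, three software implementations as stand-ins for three cores, and a constructed `tampered` wrapper to play a misbehaving core.

```python
"""Added example (not from the thread): majority voting across diverse
implementations of one computation, so that a single faulty or subverted core
cannot silently corrupt the result. CRC-32 stands in for the workload, three
independent implementations stand in for three cores, and a disagreeing core
is reported rather than trusted. All names here are constructed."""
import zlib
from collections import Counter
from typing import Callable, Dict, List, Tuple

POLY = 0xEDB88320  # reflected CRC-32 polynomial, shared by all three implementations


def crc32_bitwise(data: bytes) -> int:
    """Core A: bit-serial CRC-32, no tables."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (POLY if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def _make_table() -> List[int]:
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ (POLY if c & 1 else 0)
        table.append(c)
    return table


_TABLE = _make_table()


def crc32_table(data: bytes) -> int:
    """Core B: byte-at-a-time table-driven CRC-32."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc = _TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def crc32_zlib(data: bytes) -> int:
    """Core C: the C implementation shipped inside zlib."""
    return zlib.crc32(data) & 0xFFFFFFFF


CORES: Dict[str, Callable[[bytes], int]] = {
    "core-A-bitwise": crc32_bitwise,
    "core-B-table": crc32_table,
    "core-C-zlib": crc32_zlib,
}


def vote(cores: Dict[str, Callable[[bytes], int]], data: bytes) -> Tuple[int, List[str]]:
    """Run the job on every core; return (majority result, dissenting cores).
    Raises when no strict majority exists, because then nothing is trustworthy."""
    results = {name: run(data) for name, run in cores.items()}
    value, votes = Counter(results.values()).most_common(1)[0]
    if votes * 2 <= len(results):
        raise RuntimeError(f"no majority among cores: {results}")
    dissenters = sorted(name for name, r in results.items() if r != value)
    return value, dissenters


def tampered(run: Callable[[bytes], int], bit: int = 0) -> Callable[[bytes], int]:
    """Constructed stand-in for a misbehaving core: flips one bit of its answer."""
    return lambda data: run(data) ^ (1 << bit)


if __name__ == "__main__":
    sample = b"123456789"                     # the standard CRC check input
    print(hex(vote(CORES, sample)[0]))       # 0xcbf43926, nobody dissents
    one_bad = dict(CORES, **{"core-B-table": tampered(crc32_table)})
    print(vote(one_bad, sample))             # majority still right, core-B flagged
```

Two things are worth noticing in this design. The voter only helps when the cores fail independently: if two of the three ran the same subverted silicon they would agree with each other and outvote the honest one, which is exactly why the thread insists on different ISAs from different fabs. And “no majority” must be a hard error rather than a fallback to any single core, because at that point there is no basis for preferring one answer over another.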

Mike the goat (horn equipped) June 18, 2014 7:59 AM

Nick – BTW completely agree that the true purpose of any consignment must be disguised. If we use essentially off the shelf components but in a vastly different way than the manufacturers intended then we dramatically reduce the risk.

I guess we could also consider countermeasures. A nice big block of C4 wired up to the intrusion switch might be a bit much though ;-).

Incredulous June 18, 2014 9:15 AM

@KnottWhittingley

Amazingly enough, I am not yet the only holdout on this blog who feels some passion about these issues. I may be the only one left who actually sees how this blog itself is mirroring the problems at hand. This is not the blog it was six months ago, and not in good ways, in my opinion. But it is an interesting case study in control and its effects. That is why noodling about the Panopticon IN THE ABSTRACT really makes me scratch my head.

To be clear: I have been Incredulous and nobody else for a while. I don’t know who Big Lie and other passionate posters are, but I appreciate them and miss their disappeared brethren.

I only switched handles in the middle of thread once, to make a point, and since it is so confusing to people or their scrapers I have been relying on other rhetorical devices. Besides that I have changed id after weeks of use and only between threads and after a period of inactivity. I don’t see the point of making surveillance too easy. I realize some people are here professionally and wish to build up a reputation under a consistent name and they are a different case.

How long will there be room for different cases, here and in the world?

Benni June 18, 2014 9:37 AM

Now they are up, a full set with dozens of new Snowden slides from DER SPIEGEL:

http://www.spiegel.de/netzwelt/web/snowdens-deutschland-akte-alle-dokumente-als-pdf-a-975885.html

http://www.spiegel.de/netzwelt/netzpolitik/glossar-noforn-sigdev-ts-so-lesen-sie-die-nsa-dokumente-a-975900.html

http://www.spiegel.de/netzwelt/netzpolitik/nsa-dokumente-von-snowden-enthuellen-standorte-in-deutschland-a-975611.html

http://www.spiegel.de/international/germany/new-snowden-revelations-on-nsa-spying-in-germany-a-975441.html

@Nick:
“Benni: Of course, I have no doubt that the agencies work together to achieve common goals. It just struck me as interesting that of all the FVEY countries, only DE was mentioned as being a potential target as well as an ally.”

This is because Germany exports almost as many goods as the much larger country US. The relations of Germany and Russia are of high national interest for any US government. Russia has oil and gas. It would be preferable for the US, if for example Germany, the largest economy in Europe, gets Canadian or American gas instead of Russian gas. This is the opinion of Condi Rice:

http://www.youtube.com/watch?v=OU1t3t4Bq-Q

An agency that even spies on comparably unimportant Brazilian energy companies can not leave out Germany as a target.

Clive Robinson June 18, 2014 11:03 AM

@ Wael,

Either you are too tired to read the clock or in danger of falling in the Pacific, if it’s 4AM where you are and midday in London 😉

As someone once said “insomnia is a harsh mistress”…

The trouble at the moment at my current latitude is though not quite the land of the midnight sun, it’s certainly quite light most of the night, and the temp this PM at nearly 27C is about one third as much as would be normal for this time of year, which bodes well for the soft fruit and jam making 😛 just have to watch out for “the lobster look” which I’ve seen on one or two young lassies with the “traditional” red hair up on Arthur’s Seat when it’s this warm.

Wael June 18, 2014 11:31 AM

@Clive Robinson,
Not too tired to read the clock! I am in Pacific Time Zone at the moment. I am submitting this reply at 9:31AM Pacific Time Zone. You never cease to side-channel attack me, eh? Pulling a timing attack on me now? Oh, don’t forget to add the post update delay offset 🙂

@Nick P,
No worries, it doesn’t bother me. Good advice, though 😉 Almost made me smile. For the record, I was referring to

(see my last piece of advice to bitsplitter over his authentication scheme on the same page).

Wael June 18, 2014 12:06 PM

@Clive Robinson,

it’s certainly quite light most of the night,

Of course! The sun never sets on the British Empire. But it rises every morning. The sky must get awfully crowded. — Steven Wright

As someone once said “insomnia is a harsh mistress”

That someone wouldn’t be you?
and my reply
I’ll need a few more cups of coffee before I am able to decode the rest of your comments!

@Nick P,
Someday we’ll have a nice chat about LLVM. At the moment, its performance is suboptimal, and I am ready to ditch FreeBSD for that reason… Too bad, was a good OS.

Anura June 18, 2014 12:18 PM

I wish I had latitude as an excuse for my insomnia – I’m at around 34 degrees North, and my insomnia persists during Winter Solstice. I was in Alaska for Summer Solstice last year; I got through a lot of reading on those nights.

Benni June 18, 2014 12:50 PM

Here is the JSA sign with the NSA eagle in front of the German flag: http://www.spiegel.de/media/media-34026.pdf The mission of JSA, which is a merger of BND and NSA, is to monitor all global communications. However, this NSA slide shows that the BND has a very different technique for analyzing the collected content.

http://www.spiegel.de/media/media-34025.pdf

While the NSA uses automated tools first, in order to protect the privacy, BND uses humans who read the emails first. NSA writes:

“Where NSA primarily relies on equipment for selection and analyst minimization for privacy protection, the BND relies on analysts to manually scan traffic for selection and then equipment to filter data for privacy protection. Full use of NSA DNI processing systems and analysts methodologies at JSA will be key to influencing the BND to allter their stratigic DNI processing approach”

I think this will not happen. German thoroughness and precision means that German agents can not rely on some imprecise automata. What if some automated program misses an email that describes an imminent terror attack? Certainly, algorithms do not have the quality to decide whether an email describes any content of interest to the BND, which has to monitor emails in order to investigate terrorism, weapon deals, drug trade, organized crime, and everything else that the German government is interested in.

Therefore BND agents must read all emails personally.

Dear NSA, in Deutschland, we work gründlich. Deutsche Gründlichkeit. Yes, the same thing which made the precisely executed Holocaust possible, by exterminating every Jew one by one after carefully designed lists and plans. The same deutsche Gründlichkeit that is responsible for the precision and durability of the machines that we develop and export.

The same deutsche Gründlichkeit means that BND agents must read, or in your words, “collect” all emails personally.

Of course terrorism is an international problem. It could be, that there are terrorists from america.

For that reason, De-Cix, http://nyc.de-cix.net/ recently has opened a node in New York. By german law, BND can monitor up to 20% of the network capacity of De-Cix. And the technology of De-Cix is such that 20% of the capacity is its current maximum load.

German agents not only need to read the emails from Somalia.

No, German precision means: German agents have to read American emails too, since terrorism is a worldwide problem. And we want to be gründlich.

And this is why BND asked for 300 additional million euro. According to former articles in Spiegel, this was for analyzing social networks in real time. But according to the recent articles, BND had the technology for this since 2006.

Now it’s analysts that the BND needs.

There are simply too few BND analysts. Today, BND is so understaffed, its agents simply cannot read every American email. But that means: thousands of American terrorists could slip through BND’s system unnoticed. This is a severe security problem.

Somewhere in Thule, Greenland June 18, 2014 2:08 PM

Wunderbar.

Exactly what we need. Some gründlich nazi mentality to add to the surveillance mix.

Benni June 18, 2014 2:20 PM

One should note that the agents reading all emails is not because the BND is technically backward:

At one of their monitoring sites (and BND has many of these) BND collects 62.000 emails per day. Of course they also monitor communication via mobile phones (GSM). NSA agents were impressed by the software demos from BND:

“In some ways these tools have features that outperform US sigint capabilities”.

http://www.spiegel.de/media/media-34037.pdf

With that, they meant the unique capability of BND tools to select an area, and then immediately an agent can listen to all the phone calls coming from there.

Also BND seems to have unique algorithms in place for analyzing patterns that they get from phone metadata. They apparently take data from mobiles in order to find out who communicates with whom, or which people stay together in groups and so on. And their algorithms for that are better than the NSA ones.

Benni June 18, 2014 2:37 PM

That BND had something to do with Nazis (the first BND boss was an ex-Nazi) and the BND even was responsible for a secret Nazi army was published by Spiegel some weeks ago: http://goo.gl/Adfw4x

However, the term deutsche Gründlichkeit, or German thoroughness, is a typical part of the culture here. It’s like some tool. You can use it for better or worse. You can use it to investigate a murder, or you can use it to develop and construct some magnificent machinery.

But you can also use it do create the best tanks, the best poison gas, the best extermination plan for an unwanted population,

or you can use it to monitor VERY PRECISELY the communication all around the world. Certainly, the automated reports that come out of XKeyscore are much less reliable than the reports coming from the BND agents who insist on personally reading emails from almost all states in the world:

https://twitter.com/SZ_Investigativ/status/478419159387095040

And now the articles in DER SPIEGEL keep coming and coming, now with details for every active NSA station in Germany….

http://goo.gl/HHwV5J
http://goo.gl/7Jntpe
http://goo.gl/QhjuOX
http://goo.gl/p8Xn9q
http://goo.gl/uMrn5a
http://goo.gl/XFwSAM

Nick P June 18, 2014 2:55 PM

@ Incredulous

The rule is limiting like some of the others. Even I butted heads with the Moderator plenty in the past and promote strong individualism. Yet I mellowed out as the rules’ overall effect has been to promote useful discussions without the flamewars, trolling, and other Slashdot-like issues that reduce quality.

This has been the case for the 7 years I’ve been here. It’s helpful for readers as they don’t wade through pages of nonsense from seemingly hundreds of different people to find the one thoughtful comment or the one they were going to reply to. It’s helpful to writers by pushing their efforts in a beneficial direction. Things have heated up a bit post-Snowden, but the rules are partly there to keep passion from drowning out reason.

So the rules will probably stay. As the expression goes: “If it ain’t broke, don’t fix it.” And this blog more than works: it’s produced more solutions to major issues than many others combined.

Anura June 18, 2014 3:16 PM

So photo IDs have been in the news again; although I don’t want to get into that particular debate (LGBT rights), I’m curious if there is a better alternative to photos for identification. Here are the problems I see:

1) A lot of people look alike (beyond identical twins), and appearances change over time. Facial hair, hair styles, skin tone, and even makeup. This makes photos, especially head-on photos with direct lighting, a very poor method of identifying people.

2) As people move more and more online, photo IDs become more and more irrelevant. There is a clear need to provide a clear way to confirm one’s identity online, and things like SSNs have been shown to be a very very bad way to do that, although it seems to be the most common.

3) The most thorough online identification asks a series of questions about your financial history, e.g. who do you have an auto loan with, what was your last address, etc. which is not only time consuming, but it seems insufficient as well.

4) Remembering a strong symmetric secret is difficult, and even more problematic is if that secret is transmitted, then it can be stolen.

Short of everyone having an asymmetric keypair implanted into their body, is there a good, secure way to identify people, both online and offline? Or should we just look for a way to minimize the damage done by identity theft?

Nick P June 18, 2014 6:24 PM

@ Wael

“Someday we’ll have a nice chat about LLVM. At the moment, its performance is suboptimal, and I am ready to ditch FreeBSD for that reason… Too bad, it was a good OS.”

It might have to do with the fact that GCC has been built on since 1987, often with sponsorship, while LLVM came into existence in 2000 with sponsored development starting in 2003. It’s not quite a baby in the IT world, but it’s far from grown up. Give them time.

OpenBSD team’s reaction to GPL 3’d GCC was more unusual: they’re continuing to maintain an out-of-date GCC version with security fixes. LLVM or not, having something easier to maintain than GCC with a permissive license makes a lot of sense for BSD teams.

Wael June 18, 2014 6:41 PM

@Nick P,
True. Apple uses LLVM as well. It’s also a paradigm shift of sorts, and needs some time, I agree. I can also stick with pre-FreeBSD 10, until LLVM becomes more attractive. Remember, I had additional concerns, too.

Mike the goat June 18, 2014 11:02 PM

Nick re gcc license: I guess the gpl is both a blessing and a curse. I know that I have had to base several of my closed source projects (car wash change machine, town information kiosk, car park ticket dispenser, etc.) on NetBSD rather than Linux despite development probably being easier. Sure, requiring source release helps ensure that any improvements eventually get released and go upstream but ultimately it is a real pain for anyone who wants to make a commercial offering where releasing source may ultimately put your IP at risk. I know some people feel strongly about this, but at least for embedded applications the changes made to, say the kernel by the embedded developers to make it work on their specific blend of oddball hardware probably aren’t all that useful for the rest of the world anyway.

LLVM sounds interesting but I haven’t bothered investigating. Is there a significant performance difference between it and, say, gcc?

Mike the goat June 18, 2014 11:06 PM

Incredulous: I have to agree with Nick – I’ve fallen afoul of the moderator a few times, and personally haven’t felt that it was perhaps a little overzealous but I think what you have to remember is that we are guests on Bruce’s blog and that he (and his moderation team) have the right to administer their forum in whatever way they see fit. I think that the mod/s do a good job of keeping on top of things, most importantly the spam which appears to be culled off pretty quickly despite the pace of the blogspam being quite unrelenting. I guess it’s noble that they have continued to keep the blog open for anyone to post to without user/password authentication, and the tight moderation probably forces people to maintain at least a semblance of professionalism when posting.

Nick P June 19, 2014 12:29 AM

@ Mike

LLVM’s performance? Depends on who you ask or what benchmarks you look at. Jury’s still out on that to me as the tests I’ve seen often involve little differences that might skew the results. That it’s used for production desktop, server, and embedded code says it’s probably good enough for most people.

Oh yeah, the cool thing about it isn’t compiling C++ code: it’s the framework itself. It’s designed to easily extend with new optimizations, compile-time and runtime. It does this with a type-preserving bytecode that can be (interpreted?), JIT’d, compiled to native code, or an experimental mix (e.g. optimizing live code). It was mostly used by compiler researchers before Apple sponsored it for commercial use.

That’s my best summary of the project.

Gerard van Vooren June 19, 2014 1:30 AM

@Mike and Nick P

LLVM is the default compiler these days for all the BSDs including Minix3. The compiler options are compatible with GCC so for the userspace applications it has been a drop-in replacement on these platforms. CLANG/LLVM does give better error/warning messages but most of all it is better structured, as Nick P said.

Mike the goat June 19, 2014 6:05 AM

Gerard: that shows how much attention I’ve been paying to the C compiler. Seems I have been using clang as my compiler on my FreeBSD box and not even noticing it. Guess it is a testament to how well they’ve made it a drop-in replacement as all flags worked as I would have expected them to work in traditional gcc…

Nick P June 19, 2014 12:34 PM

@ Mike, Wael

Now that’s interesting that Mike used FreeBSD post-GCC without noticing the difference. Wael was griping about the performance of FreeBSD under LLVM. Contradictory experiences. One thing I recall hearing about the original switch to LLVM was they did it in an update to a new version. Those updates have been changing a lot more than the compiler. I’m not entirely certain anything about performance, good or bad, can be attributed directly to LLVM unless we could test it on two feature-identical FreeBSD codebases. Or codebases of something simpler with many features and ease of real-world measurement.

Note: I simply don’t do microbenchmarks as everything there is “nearly as good as C.” Yeah, that’s why those scripting and functional languages took over the embedded, OS-development and HPC worlds. (rolls eyes)

@ Wael

I saw your security concerns. I’m sure things will be found. Things are still being found about how GCC handles things. Even GCC’s exception system was turned into an interpreter for malicious code I believe. The switch away from GCC should have benefits in the long run as GCC is so complex I couldn’t do a thorough security analysis and many couldn’t even extend it without great work. LLVM is both better structured and designed for “lifetime program analysis.” Small projects have built onto it power analysis, thread safety checking, and so on.

Such a system should have long-term benefits for security. Although, current situation is indeed unknown without more review.

Wael June 19, 2014 7:44 PM

@Nick P

Such a system should have long-term benefits for security. Although, current situation is indeed unknown without more review.

Perhaps my perception is psychological; I’ll need to look more into LLVM before I come to a conclusion. The performance degradation may be related to the virtual machine properties I ran it on; I was not comparing apples to apples. Security concerns need more time to study… I do admire your balanced opinion.

Figureitout June 19, 2014 11:36 PM

Wael
do you remember the SnapChat thread?
–I do not, I don’t have the means to carry on a “snapchat” convo either, and don’t really want to (I know it’s popular)…Likewise most people don’t want to set up an antenna and buy a radio and carry on a convo or even exchange pictures/video (how do you think satellite TV works..?)–which a truly immense amount of data would need to be stored, at least all the legal ham bands 24/7–to log the convo’s (or microphones and recording devices in each home AKA your smartphone).

And I’m not all that worried about someone spoofing me and getting me banned, I’ll just move on and be a reader. It’s one of the beauties of Bruce’s blog, the minimal amount of authentication that’s needed to post a comment; emphasizes that increasingly worthless word “trust” to not be a spammer or a troll… I was disappointed when he added all the social media buttons (I just felt like it was clutter and anyone can link; just creates more disgusting data).

Clive Robinson
–Now that you bring it up, I do remember that little blip actually w/o looking it up, and you took it a step further and described the attack attached to the malicious link. I got hit w/ a malicious link on here before but I didn’t know how it worked…defeated IT security at my school…thankfully it got deleted hopefully before too many people clicked…

Nick P RE: Wilders
–Was the name “phkhgh” or “Encrypted Bytes”? Recently found a pretty good configuration setup for a windows box there but it’s NSA’s publicized standards…

RE: secure chip project that has lots of issues to get off the ground
–Hearing about not being able to find younger people w/ the skills is very frustrating for me and surely others my age, there aren’t many jobs to get that experience and there’s so many massive companies that have sucked up each market to make it hard to go out and start your own business. I really lucked out recently, am having a blast and learning a bunch (not making much, but it’s the experience I want), hopefully I can keep it going.

Other than doing it right, which is a professional, funded, open effort to make a batch of chips and then put icing on the cake and ensure secure HAND-delivery to customers. Otherwise I’ll just keep making 8-bit microcontroller computers (I need the experience and need to build at least 3 computers before I really contribute) and educating others as well as I can.

Mike the goat RE: shields one more time
–Figured I’d tell you before the next “topic du jour” takes over. Guess what I got to see today..? A tiny shielded room! Bought from what used to be a pretty large engineering company. Never noticed it where I was working and we don’t use it at the moment, but it looked like it wasn’t copper (the door edges did though) and it was a double-shield w/ a piece of plywood in the middle as an insulator. Power and lighting came in shielded cables and big shielded inverter boxes. Was looking too hard at how to build one to ask some questions; looking forward to coming up w/ excuses to test it. :p

Aspie
–Sorry to hear the attacks continue, I really hope it has nothing to do w/ me. Take the computers offline and if you can leave them locked away w/ no power. Lots of my computers are crippled now and out of commission…I just don’t know how deep these infections went and it’s killing me…Can’t reinstall important drivers like a BIOS one or a “chipset” one, encrypted hidden volumes remain on harddrives (the “disk wiping” in windows reinstall was laughably weak and a complete joke), the BIOS on each of them is slightly different but one is REALLY messed up. Bunch of crap in the tmp folder and this pc has been offline; admin acct’s remain. It’s just so much but I’m not scrapping them. I just don’t know how to probe while keeping whatever it is away from the probing computer! Getting truthful info rather than just leading me nowhere…

BTW next time I post an email (hopefully not again to take up bandwidth) I’ll exchange additional email addresses, radio frequencies and times, and my personal cell # (not private comms so not concerned). So there hopefully won’t be further contact issues.

Wael June 20, 2014 1:48 AM

@Figureitout,
It was this thread. I don’t use SnapChat, I don’t use any instant messaging apps either (icq, messenger, yahoo,…) What I meant is add a feature to the blog to give posters control on what they post. My interest in RF has been with me since childhood. I was intrigued with EM, and building single transistor miniature transmitters… In a previous life, long ago, I was a Microwave Engineer, but didn’t enjoy it. Too much paper work and conformance to Mil standards…. It’s better as a hobby. I have interest in scanners these days. I’m not worried about someone spoofing my name either, I am sure the moderator will be able to tell. How else would he catch a stinking sockpuppet of a banned person? As far as logging is concerned, free space point to point (I mistakenly called it line to line on a previous post, because I was also thinking line of sight, but @Iain Moffat corrected me) is almost immune to logging by third parties if done right.

Was also thinking about the BadBIOS thread again, and thought if I were to design it, it would work as follows: computer starts, and after a while if no network connections are detected, then the assumption is it is used for “something of interest”, and perhaps is air-gapped. A component hidden somewhere in the deep bowels of firmware will start exploring the environment around the computer. It can start by emitting an ultrasonic wave broadcast: “hello, anybody there?”. Another computer may respond over the same transport: “yes! I am here, who are you?”. They’ll exchange some information (model, properties, configuration, OS, etc). This “discovery operation” will continue until it reaches a computer connected to the internet, and the information will be sent to a C&C center saying: this location has x number of air-gapped computers, better pay attention to it. Perhaps at a later time, commands can be sent to the networked computer to exfiltrate contents from the “isolated computers”…. If that doesn’t work, then physical presence in person or a minivan with some Tempest equipment will park next to the area, with a man in the driver’s seat reading a newspaper ;). Another scenario, in case none of the computers are on the internet, is to have some spy with equipment sensitive enough to receive and transmit commands to those computers over a distance using the same ultrasonic transport, or a different one 😉

Incredulous June 20, 2014 12:09 PM

@ Nick P “The rule is limiting like some of the others. ”

Ah, but there’s the rub (or at least one rub): There are no explicit rules on the blog. My request for them was rebuffed. Very Kafkaesque, in my opinion. I assume most have read Kafka and his protagonists’ struggles with anonymous authorities who find them guilty of violating unspecified Laws.

Even reddit’s “Be excellent to each other” provides more guidance: Inveigh against third parties at will, but be civil in response to other members. A pretty good compromise, in my opinion.

I understand that the change in atmosphere (I can’t call something so ambiguous a “policy”) may serve the very small group of members who remain and who enjoy using the blog for quite specialized and erudite conversations that cover a small part of the realm of security. I find little that I can actualize in these discussions, and I suspect that would be the case for 99% of the blog’s previous audience, who, for that, and other reasons, have made themselves scarce.

As for passion drowning out reason…

(I have to say that your statement makes me sad beyond my ability to express at the moment. That you also choose to denigrate the contributions of so many others that have different things to say, and support their suppression, also makes me sad and once again bewildered how intelligent people come to such different conclusions.)

… I believe that what we have now is reason drowning out Reason. There is nothing that can be reasoned about without axioms. In non-abstract realms reason must look elsewhere for the basic axioms to reason with, and it does, whether we want to acknowledge the source of our axioms or not. To not feel angry about injustice is not Reasonable, nor is it neutral or objective. It is numbness or complicity or cowardice or something else, perhaps, but nothing I can imagine championing.

In any case, I do appreciate Benni and others who continue injecting more general content into the blog. And, Nick P, I do appreciate your response. Although my reply may sound harsh, I do respect the courage and effort and thought behind your “putting pen to paper”, as it were.

@Mike the goat

Thank you as well for your response, but your reference to “professionalism” gives me the chills. So many crimes have been committed under that flag, and your use of it contains many unexamined assumptions. Are social concerns unprofessional? Is feeling unprofessional? You may value certain blog posts more than others, but is that really a reason to get rid of the rest?

For me, what is now most interesting about this blog is that it is a microcosm of what is happening in the world. We suspect that we are monitored. We now have an anonymous authority judging our input with unclear criteria for punishment. We are seeing how threatening or disturbing discourse is suppressed when it could just as easily be ignored as it had been for quite a while. There are unknown corporate pressures.

I think it is very interesting and could really lead to fruitful analysis, well beyond a cold inspection of Foucault and company in the abstract. I was hoping that people would engage at that level. It could be very illuminating.

And to be clear: I am not here to be a pain in the ass. I am suggesting a line of inquiry.

I have loved and participated on this blog for about two years. I have used different names in a serial fashion, not to screw with people, but as another layer of defence of my anonymity.

Bruce is one of the few heroes that I have. Snowden tops the list, and Chelsea Manning is not far behind. Bruce created this great space with no tracking and no censorship. He has put his name and body on the line for privacy. I love the blog content and I really loved the interplay in the comments, even when I was only lurking. Thinking one’s own thoughts without testing them against their opponents is sterile and leads to self-deception.

I admit that I am surprised by the change of atmosphere and frankly I think something is up. Is it a canary? Or does Bruce have to bend to outside pressure?

I have lived my life lighter and lighter so I can walk away whenever I need to. Most people have undeniable economic needs. That is the basis of the new control. It is corporate driven and economic: Toe the line or you won’t be employed. It doesn’t require state repression, but it is just as effective.

Incredulous June 20, 2014 12:40 PM

@Moderator

I am not sure what is happening. I am getting a comment refused message but then the comment shows up. This leads to my double posting.

Is there a new level of moderation? It would be helpful to know whether a comment has been accepted for moderation versus being rejected for a technical issue versus being blocked. I am not sure if it is feasible.

In any case, I apologize for the double post.

Mike the goat June 20, 2014 1:25 PM

Nick: now, to be fair I did jump from FreeBSD 6 right up to 9.2 and then recently 10.0-RELEASE. Not sure when these changes took place… all I do know is that every time I have authored a Makefile I’ve used flags I knew worked in vanilla gcc, and it “just worked”(tm) – not even a ‘warning’ (well, maybe one or two, mainly related to my crappy code and quickly rectified). Side note: anyone else get annoyed when compiling something from the ports collection and you get a sea of compiler warnings?

Gerard: interestingly enough I recently installed MINIX 3 as I wanted to experiment with modifying the IPv4 stack of an OS to use 64-bit addresses and figured that MINIX3 was an easy candidate as the stack is implemented as a userspace process. The latter made me believe that it would be easier to debug, but after a bit of uncomfortable mucking around with MINIX I decided to hack up the NetBSD kernel, which was much more successful although ultimately it was only an exercise in academic “how hard can it be??”; clearly the gods of the Internet decided a long time ago that IPv6 was fated to be the new kid on the block. Personally, I think we could probably safely stick with IPv4 for a lot longer if they shake away some of those /8 allocations to corporations. I know with firewalls etc ‘darkness’ of an area of a netblock doesn’t necessarily mean anything anymore but I am certain that a lot of address space is wasted, particularly by these organizations who retained what used to be class A allocations.

Figureitout: a tiny shielded room, huh? I believe I have seen the exact same Faradayesque contraption and ponder as to whether they were produced commercially for academic institutions at one point. The ones I’ve seen have an aged, perhaps 1970s look about them and appear to be some brass/copper looking alloy and have about as much room inside as the old-fashioned phone boxes they used to have years ago in the colder areas that sort of closed behind you to keep the snow out and I guess try and keep you from freezing while you made your call. I notice the very few that remain are more like the highway help phones and don’t have any enclosure at all anymore, probably due to social factors (a polite way of saying that drug deals often went down in them and they were a popular sleeping spot for those without a permanent place of residence). Wow, I am getting good at being P.C. – I might even start using crazy euphemisms soon to avoid a societally objectionable word ;-).

Incredulous: The point I was trying to drive home was that this isn’t our blog, and as such we have to accept the terms of the blog’s owner (Bruce) and the person/s he has selected to moderate it. It is, after all, Bruce’s personal website. Whether or not I agree with it is kind of irrelevant – it’s not my call, and nor is it yours. Not trying to be a d*ck, and I do see how you could come to the conclusion that a blog discussing liberties and government subversion being moderated appears contradictory. That said, it’s the best place on the net for discussing sec related issues and is relatively free of the slashdot ‘experts’ and trolls, in that actual meaningful discussions actually take place.

Incredulous June 20, 2014 2:32 PM

@ Mike the goat

“This is Bruce’s personal website…”

Everything is owned by somebody, right? It is part of my point. No government repression is required to suppress any challenging viewpoints. Economics does it. Nobody except billionaires can create a complete infrastructure to get their viewpoint exposed. Anybody else needs an ISP, search engines, publishers, printers, media exposure, etc., all privately owned, to have their voice heard. And your apparent belief in private ownership trumping all suggests that each entity should feel free to shape or censor the content however they like. Which means no freedom of speech ultimately. Which I think is troubling.

Anyhow, I don’t associate this with Bruce. I don’t think he is in a position to do what he would prefer. It is the only explanation that makes sense to me.

And certainly there are no storm troopers marching around this blog. It could be much worse. It is far from the epitome of the problem as we approach in my opinion a new totalitarian era. But our experience here is at hand. If these issues are invisible to us here, if we don’t feel the shiver of repression’s ghost passing over us as these changes occur, if we can’t “share” our concerns or lack thereof here, in a relatively safe place, I am afraid that we will not ask the questions in more extreme and scary instances.

And in any case, I am not here to cause a ruckus but just to probe why I see this and seemingly no one else does. I respect the blog. As far as I can see I am following its inchoate rules. I am not even militating any more for the rules to change.

What I am asking is: Does anybody see what I see? How does it feel to you to see people kicked off? Do you feel cowed? Can you still express yourself?

So far I count two votes for “It feels just fine.” And one sub-vote for ownership trumping expression. And of course my vote is: “It feels creepy.”

Moderator June 20, 2014 2:34 PM

Incredulous,

That happens when a comment is submitted twice. The first goes through, the second gets caught as a duplicate. If you try to post it again, you either get another error message, or if there was any change, two copies wind up published. Unfortunately, the error message for duplicates is the same as if you had tripped a spam filter. Crappy nonspecific error reporting is a longstanding annoyance with Movable Type and definitely on the list to fix, but it’s a long list.

For the rest —

First, as I think Nick was implying above, your perception of a drastic change in policy in the recent past is really not accurate. Mostly what you’re seeing is me having to pay a lot closer attention because the situation with Skeptical had gotten so bad. Blog comments have always been intended to be a debate, not a mud-slinging match. (Actually, I shouldn’t say always, because I don’t know what ideas about comments Bruce had when he started the blog, if any — things were so much quieter then. But a lot longer than two years.) And it’s also been the case that while abuse directed toward people who are actually here is more serious, you can also be warned for abusing people who aren’t here, which if unchecked tends to degrade the conversation and lead to flamewars with people who don’t agree with you. Or else it just drives them away, creating an echo chamber in which only people who agree can stand to post.

That’s what this is about: having a good conversation and one that a variety of people can and will participate in. You see the small number of people tossed out (“disappeared brethren,” if you insist) but you don’t see the people who never start commenting if the atmosphere gets toxic. Or who don’t even read comments because it’s not really that much fun for most of us to wade through pages of abuse, even when it’s not aimed directly at you.

Commenting is communication, not just self-expression. Communicating in a way that is considerate to other people — and to your host — is not a capitulation to the surveillance state, nor does it require you to be a Vulcan.

I actually have zero interest in “professionalism,” which, as far as I can tell, is the idea that people in suits are supposed to act better. As for corporate pressure, I’m not even sure what that would be. There are no advertisers here and if Bruce’s employers have ever had an opinion about comments on this blog, their views never made it to me. I do not know what the NSA or any other government agency thinks about Bruce’s comment section either, though I could probably guess.

As for rules, there is no list of specific rules for the blog because I simply don’t think it is possible to list all the possible ways to damage or degrade a conversation. Anyway, long lists of rules are rarely read except by trolls, who are way better rules lawyers than anyone else. Short statements of moderation policy that are prominently displayed are a good idea in principle, but very hard to get right, and worse than useless if you get them wrong, so that hasn’t happened, yet, at least.

Incredulous June 20, 2014 2:50 PM

@ Mike the Goat

P.S. I can’t say I have read all the content and I skip spam and what appears to be garbage with little effort and it doesn’t register. The moderator suppressing totally empty trolling does not trouble me, meaning posts that are simply crude insults without any backing or elaboration. I don’t remember those as ever being common.

It is the suppression of long time posters with passionate and confrontational views that disturbs me. When I pipe up the invitation to go somewhere else echoes the reactionary “If you don’t agree with the country why are you living here?”, which also disturbs me. And the sudden disappearance of many politically oriented posters disappoints me.

But I do see promising content in this week’s comments. Maybe I am overreacting.

Nietzsche warned about too much thinking on your own (except for possibly the elite, in which I don’t claim ownership.)

Ultimately, I am just testing my perceptions with the community. Frankly it is the best community I know of in which to raise these questions. Despite my concerns it is the first site I check each day and I value this blog highly.

Incredulous June 20, 2014 3:00 PM

@ Moderator

Thank you for your considerate response and your tolerance of my impassioned concerns. Your and others’ response to my concerns does help me look back upon my own ideas and see their limitations. I appreciate your effort in helping me get a better sense of the situation.

Mike the goat (horn equipped) June 20, 2014 3:08 PM

Incredulous: I don’t disagree with everything that you’re saying. The main point I was driving at is that blogs aren’t a democracy and the moderator and site owner can pretty much do as they please. Does that stifle some controversial discussion? You’re right – it probably does. I know I have deliberately altered my language on several political postings to ensure I didn’t run afoul of the moderator, so self-censorship definitely takes place.

I haven’t perceived any change in “vibe” over the past few months. I guess the mod has been a bit more zealous than usual but he/she has explained their reasons in the post above. I guess you can’t have an internet discussion board that is high quality SNR without some moderation. I recall some of my favorite open newsgroups being diluted to uselessness by radically off topic conversations, unsolicited advertising and just jerks cross posting anything and everything. Anyway I’ve said my piece and I don’t think I can contribute any more than the aforementioned thoughts. I share your concerns for freedom of expression &c but trust this blog and the people that run it, in as much as I haven’t had any reason to think to the contrary.

Anura June 20, 2014 3:58 PM

I really hope apple calls their smartwatch the iWatch, because we need a good punchline for NSA jokes.

Buck June 20, 2014 4:38 PM

@AlanS

Yes, but how?

I do not know how, but if history is any indicator, there’s no stopping it – it’s inevitable! Seems as though I’m not the only one who holds this thought too:

The open source revolution is coming and it will conquer the 1% – ex CIA spy (June 19, 2014)

The collective buying power of the five billion poor is four times that of the one billion rich according to the late Harvard business thinker Prof C. K. Prahalad – open source everything is about the five billion poor coming together to reclaim their collective wealth and mobilise it to transform their lives. There is zero chance of the revolution being put down. Public agency is emergent, and the ability of the public to literally put any bank or corporation out of business overnight is looming. To paraphrase Abe Lincoln, you cannot screw all of the people all of the time. We’re there. All we lack is a major precipitant – our Tunisian fruit seller. When it happens the revolution will be deep and lasting.

http://www.theguardian.com/environment/earth-insight/2014/jun/19/open-source-revolution-conquer-one-percent-cia-spy

(The Guardian published this very fascinating & interesting interview yesterday with Robert David Steele, former Marine, CIA case officer, and US co-founder of the US Marine Corps intelligence activity. I’m certain that almost all readers of this blog will find this article quite informative, intriguing, and thought provoking!)

Figureitout June 20, 2014 7:56 PM

Wael
–Appreciate the sincere response. I feel like everyone has their little “thing” they get obsessed w/, be it a topic or subject or a particular object; you can see it peek thru w/ just about everyone. Mine is seeing (read: trying to envision) signals and measuring signals. Just caught wind of a $25,000 spectrum analyzer that was absolutely insane what it could do.

RE: bowels of firmware
–I’m afraid that’s where whatever this is, is residing. The amount of code I’d have to verify is impossible, it takes me a while to trace code and I double/triple/quadruple check it. And I’m afraid it is not ultrasonic; but just a twist on the usual suspects…

Mike the goat
–Yeah it looks like a freezer on the outside, that’s why I just initially glossed over it (though I don’t know why this place would have a freezer besides… :p). Went back for round 2 and man I could really make use of this thing; would be a sweet programming space so I can just relax. Nice solid door, legit latch. 120 dB insertion loss, frequency range of 150 kHz to 10 GHz…that covers the bands I’m worried about most.

RE: Minix3
–Planning on trying it on the oldest computer I got (which is sad as it has a 12 GB HDD…). Opened up that old computer’s disk drive (it was my grandma’s) and out came a Walmart internet connect disk…what the hell grandma?! lol

Wael June 20, 2014 8:32 PM

@Figureitout,

I feel like everyone has their little “thing” they get obsessed w/

Some have many “little things”. One of mine is I don’t like to leave topics “open” – I like to see closure.

Wael June 23, 2014 4:03 PM

@Mike the goat,
Re: Startrek.. A little OT, but relevant to a discussion on this thread…

This is another example of taking ideas from SciFi shows. Same can apply to security. Watch some TV shows, and you’ll likely see some ideas taken from shows as well[1].
Alright, won’t insult your intelligence. This sentence was a feeble attempt to make the post security-relevant…

Mike the goat June 23, 2014 4:30 PM

Wael: I agree – the tablet computer concept most probably did originate in science fiction, if not Star Trek specifically. If I recall from the original series Ahura (sp??) was always handing it over to Kirk almost like the courier companies do now when they want you to sign for a package. 🙂
