Schneier on Security

Nick P • July 19, 2014 11:21 AM

@ Figureitout

Most points I agree on. So, I’ll focus on the others.

re double agent

If they had evidence, it might not be enough to be newsworthy or believable given their low trust rating. They might also not have evidence due to incompetence. So, this argument isn’t a defense. Of course, we have to assume he’s not a double by default until proven otherwise so he’s looking good here.

re backdoor

He’s wrong on this. VPN’s, port knocking, and basic authentication are backdoors. Implemented well, they tend to work fine at allowing only the permitted people in without others gaining access. NSA’s RNG corruption was exemplarly in this as well. Besides, major TLA’s haven’t had a problem compromising most non-backdoored systems with 0-days so we’ve continuously assumed they’d break most COTS systems anyway. A well-protected and audited backdoor would just be a risk to most of them on a typical system, while a significant obstacle on a more secure system.

A side issue of this is BULLRUN. The NSA couldn’t get more overt access that their mission requires. People said no to backdoors. So, what did they do? They came up with covert programs like BULLRUN to insert (a) backdoors and (b) software vulnerabilities in COTS software. They’ve apparently had a lot of success with this. Unlike an vetted L.E. mechanism, the covert backdoors range from unknown quality to easy to hack. The latter comes from the fact that they often maintain deniability by inserting the very types of common vulnerabilities our enemies find with ease. So, if anything, our security in proprietary U.S. products is better off if they have a high assurance access method than them lying that they don’t backdoor and secretly putting in whatever garbage TAO comes up with. Life’s ironies, eh?

Note: People are still free to use non-proprietary software in this case and deal with the legal risk themselves. Or wrap proprietary communications in assured, OSS VPN’s. Or crypto-seal communications before transporting or storing them via proprietary software. Many compromises can be made without significantly reducing security for people who care about it.

re SDR

Yes, it has a ton of potential for both indie communications projects and security with careful transmissions. It’s exciting stuff. That the military themselves are treating it like it’s the wave of the future should clue people in. There’s already quite a few security analysis, too.

Nick P • July 19, 2014 10:47 PM

@ Wael

The Matrix is actually inspired by this thought-provoking anime. It’s one of the few often enjoyed by those that don’t watch much anime. The Wachowski Brothers just screened that to the financiers and basically said “we want to do this live action with CG and top notch actors.” Was highly successful in that it brought the philosophy and digital physics genre’s to a mainstream audience, causing many to start asking the hard questions. And, of course, it inspired the rebel/hacker in us all… until majority of Americans saw the next TV show or movie, anyway.

Nick P • July 20, 2014 1:31 PM

@ Benni

I recommend you never cite or even read InfoWars again. It’s run by a guy whose self-serving fake information is distracting from real issues enough that alternative news sites are even blasting him:

http://www.projectcensored.org/disinfo-wars-alex-jones-war-mind/

(Note: It’s got a nice background on him and list of a subset of his lies that didn’t prove out despite his “inside sources.”)

I’d be interested in seeing such information on Tor if you have it from a reputable source. Your credibility here is good. Sites like InfoWars will weaken it so I warn you.

Nick P • July 20, 2014 3:36 PM

@ sena

Iain beat me to it saying QubesOS is about what you’re asking for. There’s also commercial solutions from Green Hills, VxWorks, LynuxWorks, General Dynamics, Sirrix, and more that do this. However, the reality of their security is they provide an isolation mechanism and aren’t targeted much. It’s similar situation to how Mac’s rarely had viruses. So, essentially you just use the easiest option for running a web browser isolated from your main system. It can be a LiveCD, a virtual machine, a specialized platform like Qubes, a browser sandbox such as Sandboxie, or a hardened browser on an old PowerMac (non-Intel processor).

Nick P • July 20, 2014 10:03 PM

@ Chris Abbott

C is one of the worst things you can do for safety. I show why language choice impacts security greatly here. Ada, the Wirth languages (eg Pascal/Oberon/Modula), PL/S, Java, and the ML family are all much safer. Each of these have been used to write system code with good performance. All but ML have been used in OS’s. (examples) The best option is to use something like Ada, Free Pascal, or Active Oberon. Secure runtimes or FFI’s can be made if they’re a concern, along with modifications to their compilers to prevent/contain common attacks.

If it sounds like work guess what: building real world and secure apps in C is more work. A least the work you put into a safe, high performance language will keep paying off, eh? 😉

Nick P • July 20, 2014 10:20 PM

@ Chris

re encrypted communications

I’m going to try to answer your question but the post is a bit confusing. Could you clarify what the use case is, what security goal your wanting to achieve, and elaborate on the design?

A preliminary answer to what I think you’re asking is you can do such a design. The simplest version was one of my earlier secure computing strategies: several cheap computers with controlled interfaces and a KVM. A very isolated computer handles the sensitive information. The other computer just stores or transports it in encrypted form. They communicate over a simple interface where the isolated computer checks all incoming data, assuming it’s not trustworthy. The TEMPEST companies just started making something similar, with the addition of TEMPEST hardware and vaults of course.

The software version of this is seen in MILS and other separation kernel architectures. Google Nizza security architecture by TU Dresden. They built prototypes like eCommerce that are on a LiveCD. They use a trusted GUI subsystem (Nitpicker) to ensure you know what you’re looking at and it’s the only thing getting your input. They then split the system into security critical components running directly on microkernel (low TCB) and non-critical components running in a user-mode virtualized Linux. The microkernel uses address spaces to separate them in memory, then allows more specific communication via IPC. So, if you don’t want something to touch your data, you just ensure it’s in a different partition. If you want smallest TCB, you code component directly on top of microkerenl. And L4Linux are very lightweight, fast containers. Btw, OC.L4 is the security-oriented one, Perseus Security Architecture (Turaya kernel) is Nizza-like, Nova microhypervisor is similar, and Genode project builds on this model a bit too. Separation kernel protection profile that Green Hills INTEGRITY-178B is certified against defines many good requirements and features, as well.

There is a middle option in hardware, though. These leverage functionality between processor and devices/memory to compartmentalize things. Air Force’s HAIPE prototype uses FPGA’s in front of memory to encrypt it differently per Xen VM and control I/O access as well. SecureME, SecureCore, Aegis, etc encrypt and integrity check anything that leaves the processor considering the whole system untrustworthy. They then provide a way to do controlled sharing. Then, the good old segmented and capability systems I’ve been posting can do that at the processor level just by limiting access to specific memory locations.

So, there’s many proven systems, prototypes, and designs on paper to do this sort of thing. Believe it or not, we’re experiencing no shortage of solutions. The only shortage is in effort of commercial and open source developers applying the solutions we have. 😉

Nick P • July 21, 2014 11:34 AM

@ Wael

I bet you do. What you don’t realize is that my operatives already subverted your tools to (a) neutralize your subversions once they’re in my hands and (b) automatically send copies of your intellectual property to me so I can patent them first. Now you’re wishing you didn’t get into the subverted KVM business, eh? 😛

@ Incredulous

Go has nice attributes. I didn’t include it because I wasn’t sure how minimal its runtime can be made. Can it be used for OS software? It’s funny you mention ALGOL because Go is ALGOL. It seems like I wasn’t the only one trying to use old IT to solve modern problems. 😉

@ Mike the goat

re languages

Pascal is a fine choice. Perl… will not enter my repositories. I used to love coding in it until I had to work on 3rd party code. This helped me understand why it’s called a “write-only language.” Perl was henceforth banned from projects where the code might require human understanding later on. It was replaced by Python and 4GL’s. Then, everyone lived happily ever after.

re Jones

I try not to listen to anything designed to mess up my mind. It’s why I also stopped watching mainstream news. Jones has been accused of being a disinformation agent, before. This was in a video someone put on YouTube of a so-far-successful protest about some issue. Then, Jones shows up with a megaphone standing next to them shouting all kinds of crazy stuff. People stopped showing any interesting in the group and the police got more interested in getting rid of them. The effect is a good protest is turned upside down by the “help” of Jones.

He tends to corrupt any topic he touches. Add that he does sometimes have inside sources to sprinkle interesting stuff in between his BS and disinformation artist seems possible. He also might just be doing it himself for money and notoriety. Who knows.

Nick P • July 21, 2014 10:49 PM

Breakthrough silicon scanning discovers backdoor in military chip (2012)

http://www.cl.cam.ac.uk/~sps32/ches2012-backdoor.pdf

“Abstract. This paper is a short summary of the first real world de-
tection of a backdoor in a military grade FPGA. Using an innovative
patented technique we were able to detect and analyse in the first doc-
umented case of its kind, a backdoor inserted into the Actel/Microsemi
ProASIC3 chips for accessing FPGA configuration. The backdoor was
found amongst additional JTAG functionality and exists on the silicon
itself, it was not present in any firmware loaded onto the chip. Using
Pipeline Emission Analysis (PEA), our pioneered technique, we were
able to extract the secret key to activate the backdoor, as well as other
security keys such as the AES and the Passkey. This way an attacker
can extract all the configuration data from the chip, reprogram crypto
and access keys, modify low-level silicon features, access unencrypted
configuration bitstream or permanently damage the device. Clearly this
means the device is wide open to intellectual property (IP) theft, fraud,
re-programming as well as reverse engineering of the design which allows
the introduction of a new backdoor or Trojan. Most concerning, it is
not possible to patch the backdoor in chips already deployed, meaning
those using this family of chips have to accept the fact they can be easily
compromised or will have to be physically replaced after a redesign of
the silicon itself.”

Well, that’s interesting ain’t it?

Nick P • July 22, 2014 9:07 AM

@ Figureitout

“I basically have you had some bad experiences, you were recruited, you then eventually went to do your own thing consulting. What I’m thinking is either you’re “one of them” or you’ve lost hope/got older and allow LI backdoors or, in a twist, you say you agree w/ those backdoors to just reduce risk and further attacks on you. ”

Lol. No. Only the consulting part is accurate. I’ve also turned down a lot of money and jobs to (a) avoid aiding evil and (b) focus on high security, backdoor free design of the whole stack. So much lost revenue that I keep a boring steady job outside INFOSEC to pay bills. My previous posts here over the years were about systems that could be trustworthy even with malicious developers on the team and TLA’s on the attack. Numerous designs even exploited jurisdiction and citizenship to cause TLA’s problems. I’m also known to reconsider my views on occasion and explore new avenues of getting things done. My posts, past to present, are consistent with this.

First time considering lawful intercept was in Lavabit case when judge was considering turning down FBI’s device if Levison had a working alternative. I was shocked as I’ve never seen it happen and it would limit FBI. Seeing as the Constitution itself grants them warranted search, I realized Feds and courts wouldn’t tolerate unsearchable computers. Whole services were shutting down or silently being backdoored. And so I started a tangent exploring how to make a secure, auditable backdoor. I noticed it was the same as all the others I built for remote management. A feature user’s often ask for although they’re worried about “backdoors.” 😉

re Dr. Skorobogatov

Sounds good. I hate stuck-up people myself. Friendly, smart researchers are probably better for our field as people might pay more attention to them. Not to mention they’re more pleasant to work with.

@ Clive Robinson

“The problem is whilst the LI may be regarded by most as a “read only” or “push” interface, underneath at the business end it won’t be it will in all probability have “Universal write privilege” along with the “Universal read privilege”…”

It can be limited all the way to the bottom. The main problem I see is the endpoints are insecure or complex enough, as you pointed out, that there might be endruns around the security. So, my plan would call for continuing clean-slate security efforts and put this in as a feature. That way the L.I. system could be restricted a great degree. I also think one could use a programming or scripting language for L.I. plugins that ensured certain information policies were followed: read-only for this account; read-write for a set of accounts; write only on this port. An interpreter, written in a safe language on the safe platform, would process the L.I. commands while checking them (before or during execution) against the security policy.

The other way is to use a regular platform, but a secure coprocessor for L.I. The L.I. system is restricted similar to above. It talks to main system through controlled interface. So, it might have universal read and write at lowest levels, yet system and software security measures transform that into POLA per application. The main system (or I/O connection) might also limit the coprocessor to just the areas storing data. It couldn’t access internal OS stuff or the code of the platform. Well, we might give it read access so they can do a check to ensure the system hasn’t been covertly modified, but universal read is removed before the L.I. app runs. Might even build it into a network coprocessor like I’ve had in other designs.

So, while not easy, it seems we can at the minimum let these things collect data without subverting our system and with certain limits placed on them. Limiting accounts should be quite easy. More complex functionality takes more complex type systems, policies, etc. Yet, it can be implemented on the same secure hardware/software systems that already exist in prototype or limited production.

“I was wondering if somebody might pick up on this over in the GCHQ Catalogue page, but they didn’t. ”

You must’ve missed my comment listing each tool that could be used specifically against democracies. 😛

@ Benni

Finding backdoors is good for our security, but chip making isn’t profitable. There’s a reason companies are selling them off all the time. It highly competitive and capital intensive, with each advance doubling the fab cost. Even an older fab takes tens of millions to keep running with fewer sales (due to obsolete tech) every year. My conversations with RobertT indicate that the sweet spot is the companies making masks that convert a design document into what turns silicon into chips. Those companies manage the riskiest part, might be easier to secure, and might be easier to subsidize.

There’s still the risk of I.P. having hidden functionality engineers aren’t smart enough to find because they lack the skills and nobody is teaching them outside the top companies. I’ve always said a Manhattan Project for secure computing is in order. It’s more clear than ever that solving each aspect would cost billions in labor and materials. Only large governments or the wealthiest private parties could even consider it. That’s how bad things are for defenders.

@ AnonymousBloke

“I have worked in these industries for well over fifteen years. Everyone I worked with in sec research or crypto-privacy were well familiar with these concepts, these threats and risks.

And, I have seen different people take these things in different ways. Some are obviously and constantly super paranoid. Some are aware of these factors, but are not. In not a few cases, you don’t just have to worry about one nation or one organization, either.”

Sounds reasonable. I try not to be paranoid: I just know the devices are insecure, that anything I put in them might be intercepted, and simply don’t worry. I just keep working on better things instead.

Nick P • July 22, 2014 9:24 PM

@ Gerard

I skimmed through some of the Go documentation. Interesting language design. One thing that caught my eye is that it’s “gobs” implementation (think simpler Protocol Buffers) that serializes data structures uses unsafe methods for speed. The documentation says it uses unsafe methods for that I/O for default, but safe methods can be enabled albeit with performance loss. Makes me wonder where else they made that tradeoff. And does the TLS include anything like that?

Nick P • July 23, 2014 10:33 AM

@ Gerard, Clive

It’s funny that I made the above comment about Java developers then stumbled upon this blog post in my email:

http://nsainsbury.svbtle.com/java-developers

He illustrates their problem quite well. I’ve tried repeatedly to get past these obstacles but it was too much a mental drain. It’s why I push structured programming with OOP merely for encapsulation of state. Why replace a few chapters of readable, effective code with 60+ of over-architected BS? (shrugs)

Nick P • July 23, 2014 11:42 AM

@ Buck

LOL. That was great. Thanks for the link (and warning). Good to know there’s still people out there producing hammers. Their work isn’t on major news sites every day. Yet, their hammers exist, work, and improve every year.

Nick P • July 24, 2014 12:05 PM

@ Wael

Clive and I have the same view on what security is far as computers. It’s just a policy about what the system should or shouldn’t do in a given circumstance. It’s high level, though. The policy has to be broken down into rules that a machine can implement in some way. So, “can’t get hacked” might become “only runs authorized code.” At that point, you can look at how code is loaded into the system and determine if it meets the policy. You might add some kind of signature check into the loader. You might notice malicious data becoming code. This might make a rule about code and data being treated differently, with the latter not becoming the former without authorization. That might lead to a tagging or capability scheme. You might see covert data leaks from memory reuse. This leads to a rule saying new memory must be zeroized before use (or old memory after use). And so on.

So, you need the right rules and mechanisms to implement the security policy. You also need correctness arguments for the machine components, including those mechanisms. The best (only?) example right now is Rockwell Collin’s EAL7+ CPU verification. It’s basic specs are here. Notice how they combine rigorous, layer-by-layer development with a security policy reducable to rules and mechanisms.

Nick P • July 24, 2014 11:18 PM

@ AnonymousBloke, BJP

I’m going add something to your discussion about Iraq, intelligence failure, etc. I did a lot of research on behalf of others when they were drumming up support for the war. There were accusations that they were creating a false pretext for war. That’s a real conspiracy that’s played out in our country at least 8 times off the top of my head, although most people would only recognize Vietnam on that list. We’ve invaded a ridiculous amount of countries which posed no threat to us. Afterward, we have bases and personnel there along with U.S. companies getting rich off their economies and resources. It’s called imperialism, although they use words like “freedom” a lot. Double Medal of Honor winner Gen. Butler warned us thoroughly so we have no excuse. So, I decided to look into things especially as I was considering a government position at the time.

I’ll just summarize a few points. Numerous analysts at DOD and CIA claimed publicly that they were being forced to pull information from old records (eg 1980’s) about Sadaam gathering WMD’s, then put them in modern-dated reports. I found much photographic evidence relied on blurry, black and white satellite photos despite their having high-res, color ones over the area. In one case, the report came from a satellite that was down for maintenance at the time per FOIA request. They labeled firefighting equipment as mobile production facilities despite the company that sold and serviced it publicly saying otherwise. They were accused of trying to pay off independent media outlets, outed Plame after a damaging story came out, and put some other journalists critiquing the evidence on the Do Not Fly list. Government web sites even had photos of Bush speaking to a bunch of soldiers that were the same 5-6 copied and pasted to provide an illusion of early support. I verified that one myself using several techniques to great personal amusement at the shoddy work.

This isn’t intelligence failure: it’s a massive disinformation operation. (Intelligence success?) Attacks on reporters, fake videos, fake satellite pics, analysts ordered to fake reports, and so on. All these kinds of claims and issues skyrocketed during just this time for just the purpose of getting us in Iraq. And this was despite the 9/11 commission’s findings saying 9/11 was funded by a large element in Saudia Arabia, then performed by mostly Saudis led by a Saudi. They even had a confession by an operative who thought he was talking to Saudi’s that would jailbreak him. Hard to imagine a President looking for payback then walking hand in hand with the Saudi leader, then hitting two countries that had nothing to do with it. Unless he and his partners had different motivations.

And that brings us to the real reason we went to Iraq: the plan to do so they wrote a long time ago. As I read it long ago, I said this is an idiotic and imperialist plan that will only cause us huge problems. The most likely outcome is accomplishing almost nothing in Iraq while anti-Americanism will go through the roof resulting in real problems. Turns out I was too optimistic. Looking back on the document, notable targets in their 90’s plan were Iraq, Iran, and Syria. So, 9/11 happens, everyone is scared, and they quickly drop “btw, Sadaam was involved in this stuff.” Then, there’s all this shoddy evidence for WMD’s along with analysts claiming they’re forced to lie. The situation is pretty clear to me: a group wanting to dominate the Middle East with military might got into power, was lucky enough to have their “new Pearl Harbor” they were hoping for*, and then leveraged it to do what they planned to do. And many policy recommendations in the document became U.S. foreign policy, on top of that.

*The document says their plans will be a slow, uphill battle unless “a catalyzing event” were to occur like “a new Pearl Harbor.” The conspiracy nuts go wild over that one, but I’m just calling them opportunists.

So, in summary, my research into the invasion of Iraq was that it was planned in the 90’s, leveraged post-9/11 fear, used a stunning amount of [shoddy] disinformation, and only had a little to do with terrorism. This is somewhat to mostly true for Afghanistan, as well. The result of these acts of treason by individuals in the Bush-Cheney Administration were the following: over 20,000 American soldiers dead with many more maimed or suffering PTSD for life; over 200,000 innocent Iraqi’s dead with violence and social problems at all time high; destabilization and rampant anti-Americanism in Middle East worst than ever before; over $300 billion dollars in short term; $1-6 trillion in long-term costs. That’s worst than everything terrorists have thrown at us in our entire existence. And even worse, the criminals that did this profited off of it and continue to do so as they live free.

Like INFOSEC taught me, the inside threat is the greatest. There are real conspiracies that happen in government. There are political factions whose agenda demands global dominance and “total war.” They believe it’s absolutely necessary for our survival and will do anything they can to achieve this. Faking evidence to start some of these wars isn’t any worse than all the other pretext-ed wars we’ve been in. So, you can bet they did it and that totally reframes discussions about “intelligence failures.” If intelligence agencies are being used against the American people, the only failure is the people to hold them accountable and throw the guilty parties in prison for treason. I predicted if it didn’t happen, we’d see even more military action in Middle East and efforts to dominate the internet (mentioned in early documents). Snowden leaks (and public’s apathy) haven’t led me to feel better about that prediction.

Nick P • July 25, 2014 12:26 PM

@ AnonymousBloke

“I did not really care, because I knew the chaos that would cause would suit my aims.”

I respect your honesty. I’ll say that.

“Consider, for a moment — no one made money from Iraq. Quite the contrary. It cost enormous amounts of money.”

That’s far from the truth. The defence contractors made billions in profit. Dick Cheney’s company Haliburton got large sums in no bid contracts. The banks loaning money for the war will make billions in interest. Congress’ stock portfolio did nice during that time period so some of them might have benefited if investing in defense industry knowing about upcoming war. DOD also “lost” tens of billions in cash that you bet somebody found. The only people that lost money are the taxpayers and anyone that bet against the war.

“This whole “blood for oil” thing was bullshit. Cry wolf.”

And ExxonMobil got a huge oil deal via the new government. They’ll make billions a year. Even Warren Buffet thinks it’s a gold mine as he bought 8.8 million shares in one of the companies. There’s also been generals and spooks admit it was about oil. After all, as one CIA analyst said, if you don’t have it your army ceases to move. Imperialists can’t have that, eh?

That said, oil wasn’t the reason we went there. Their written plan was dominating the world, esp with military. There were people over there that didn’t go along with their foreign policy goals. So, we dealt with them in a way that sends a message to the next country that resists. Taking their profitable resources was just… icing on the cake. And a war spoil stakeholders were expecting, I’ll add.

“No… whomever or WHATever is behind this Evil Crap… is far more diabolical then any of that… :-)”

Which brings me to this statement. We come from different directions, but I agree with this statement. I figured out a lot of the names on the list. No point in sharing them. Only a strong push by majority of Americans could defeat that group of people. And that group controls the (23?) corporations that own all the major media companies which inform Americans. It looks like a brilliant and sad checkmate to me.

@ BJP

re Iraq/Intel

“I don’t doubt one bit that they receive orders to produce fraud out of whole cloth. Nor do I doubt one bit that they have saved thousands or millions of their citizens’ lives.”

Same here.

“I do believe, or at least hope, that enough of them are true patriots who do believe in the principles that established their nations, governments, and constitutions such that they would push back against efforts to have them engage in parallel construction against their citizens or otherwise break the law.”

The problem is that compartmentalization works against that. They don’t have to be involved. These machines can be aimed at people, collect info on them automatically, and only the most committed allowed to pull intelligence. This would be explained as assessing inside threats in the country. After all, as you pointed out, they live in a bubble and it affects the mind. Those who are taking the illegal action would be a much smaller group even less likely to speak out about it. Covert ops community, esp CIA, have always been like that. The existence of parallel construction as a major technique at FBI and DEA means they could also use them when framing someone.

So, the secrecy and command structures allow for abuse to both happen and go undetected longer.

“If the decision making apparatus of the US elected to go to war in Iraq, they will go to war in Iraq. If they produced disinformation to aid that effort, oh well — it limited press inquiry, it wasn’t the proximal cause.”

That’s the key problem I have. A nation thinking it’s in their best interest to go to war and doing so makes sense. This is a republic, though. The Congress and President are supposed to be united on this sort of thing. Especially seeing that one controls the budget and one the military. However, a select few in the executive branch used disinformation on the people that elected them and on Congress. This deception led to a war that was not beneficial as the short-term profits weren’t worth the long-term debt. Also, using the military against Congress and the American people violated the Posse Comitatus Act. It’s the highest form of treason in a democracy. This is the kind of situation that should be punished severely by Congress, the courts, and/or individual citizens (citizens arrest of treason? haha).

“Compare this with what we have now — a US media in bed with Obama that won’t question a thing he does. He doesn’t need to produce disinformation via the intel community to go to war, he just does it, as in Libya, and the media bends over backwards to justify it and paint any opposed as racist.”

I don’t think he’s worse: just different. Bush/Cheney were hard charging warlords who made people pay for questioning them. Obama is the Loki-like sophist that gives supposed friends a huge while slowly slipping the knife in, leveraging both his image and race to keep people from even attempting questions. Obama also built on previous administrations surveillance state, extending the useful (to them) parts and changing others such as from conventional forces to more drones and spec ops. (Last point I like, actually, but not what they’re doing with it.) So, it’s just a new scumbag taking the reins of the system, building its power, playing by the rules of the hidden power structure, and doing his own thing on the side.

The solution is voting for men and women of integrity whose past record indicates standing by what they say/believe no matter what. Other issues can sort themselves out over time from there. Vote for the other kind, you get Bush and Obama.

“The threat I see is the system-of-systems that sprung up free of intelligent design. Defense contractors addicted to growth. Politicians addicted to campaign funds. Civil servants addicted to the hope of a pension. Congress addicted to fooling the public into team A vs team B. Public addicted to fearing the “other” team will destroy the country if they happen to catch the presidency or SCOTUS seats or the house or senate. Living in constant low-grade panic as adrenaline junkies propped up by five hour energy and smoothed over by American Idol.”

Good assessment. It seems that way. Yet, there are groups at the heads of each of these that meet publicly with secret discussions. They also seem to have each others’ back on a number of things and occasionally know the future with their investment decisions. I think the system’s structure might’ve started (still is) an emergent phenomenon, but it became an oligopoly-like thing were those benefiting influence it in a way beneficial to all of them. And then they compete from there. That’s been my theory a few years. More a cartel of cartels than a secret group of puppet masters. The end result is no less terrifying to anyone outside the group of beneficiaries.

Nick P • July 25, 2014 1:22 PM

@ Wael, Clive

re Limmericks

LMAO

@ Wael

re language security

“What I am thinking is along these lines: the factors are: syntax, ease of learning, effects of teams working with different skill sets on a given project, characteristics of the language, memory management, sandboxing, shared libraries, OS effects, HW contributions, tool chain effects, multi-language projects, etc… ”

It’s a nice start. Idk about linearly modeling it. The closest thing is to look at how a machine code and OS implement each feature. Look at invariants that are supposed to hold, known problems, and brainstorm it in general. The language cannot be separated from a given OS or ISA: each implementation must be re-analyzed because its transformation of the language often will affect the security properties. It might be as simple as whether it internally uses a stack or registers. (Hint: one can overflow into code accidentally.) Not considering the concrete along with the abstract is a mistake too many formal methodists made in both languages and protocols, resulting in many security vulnerabilities.

In short: you’re in for some pain unless the language and machine are quite simple. Now you know why I’ve looked at Wirth languages more than Ada recently, eh? 😉

@ Mike the goat
(re comment to Figureitout)

Yes, a large chunk of it is avoiding breaching NDA’s and angering (or tipping off) TLA’s. The mantra is anything you say can and will be used against you as a confession in a court of law. Or at a black site, these days. So, how to say without saying? I’m not philosophy major so I just water it down, modify identifying details, and also keep statute of limitations in mind. Much of what I said that was black hat was 7-10 years ago so SOL applies. Goal is to communicate knowledge or wisdom that helps others accomplish something while allowing myself a little pride or recognition. Getting totally accurate specifics out isn’t important to me given such details could theoretically get me fined, imprisoned, tortured, or killed [depending on the offended party]. I’m a Harbinger, not a historian. 😉

@ Gerard van Vooren

Good analysis of Go vs C. It seems to be a good language with a few faults. Oh well on the last part as its intended audience aims for “good enough” software Mr Pragma, you, and I discussed previously. A language that’s productive, performing, supported, and safer than the status quo. Go seems to deliver on that. Ada is best option for safe/secure system software, but it hasn’t gotten widespread attention. Best thing about Go is it’s getting used. 😉

@ all re languages

Dr Dobb’s article on the Pike language
http://www.drdobbs.com/open-source/pike-programming-language/240168647

I think it deserves a mention in these discussions. Many good things people say about Go have been true in Pike starting in 1994. Some of its features are about safety, some about practicality. It’s already been used in high performance web applications. I only avoided it because I didn’t want to security assess another runtime, compiler, etc. after I had done quite a few language security assessments. Yet, someone just thinking about language design or trying new ones for non-security reasons might enjoy it.

Nick P • July 26, 2014 12:58 AM

@ Figureitout

“Alright. You see why I would be nervous including you on a security project if you can’t say who all you’ve worked w/ or what kind of projects..? You can dig up my @55 all you want, I’m honest now.”

I can see it. It’s a common mistake. Your opponents are organizations that have massive capabilities in terms of beating security and influencing people/companies to do their bidding. It’s best to assume everyone working on a project they oppose might be compromised. So, as I’ve said here for years, don’t worry about whether you can trust the individuals or not. YOU CAN’T! You can’t know for sure, anyway. Hence, the long time INFOSEC maxim of “trust, but verify.”

So, how does this apply to you and I in projects? For years I’ve pushed high assurance security development methods like EAL6+ security engineering. These methods are designed to produce a secure system despite some developers being malicious. The way they work is to take a rigorous approach to specifying what the system does, how its protection works, how it implements it, how that’s verified, and so on. Then, one or more independent evaluators check the process, design, source, documentation, and so on. So, you don’t have to trust the people at all: you just have (what you hope is) independent, knowledgeable parties check what is produced. So, you’re not having to judge me as much as what I produce and I’d say far as stuff on paper I’m one of high assurance security’s more prolific peer-reviewed authors.

If it was code or design, I’d absolutely insist you run it past all kinds of people with a proven track record. That’s if it’s open, anyway. Otherwise, it would be limited to people who would sign and follow an NDA, but who would be allowed to assert a type of vulnerability was found in the product with a certain effect. They’d also independently produce, test, and sign the object code as in any high assurance evaluation. So, yet again, anyone worrying about how much they trust me when they can look right at my solutions are worrying about the wrong thing.

It would be different if I sent you a computer with a note, “I prepared this especially for you. It’s secure. Use it so nobody hacks you.” If you shuddered and smashed it onto concrete, I’d understand. The irony, though, is whatever COTS system you used in place of it would probably open you up to more attackers than me. And still be easy to compromise for anyone with my (or NSA’s) skill. Your concern would at least be warranted in that case as you couldn’t review what you were asked to trust. Leads back to my overall point: rigorous review by people you trust is the most important (and almost the only) good metric to go with. Whether you know the designer less so.

” I voted (last time until system isn’t a joke) for Ron Paul even when he dropped out but was still on the ballet lol…”

Good for you. He was the guy I was backing too. I tried to get him some votes. The reason I pushed for him was that he (a) does what he says he will and (b) has balls of steel (source: Bill Maher not joking). I explained to other voters that voting for dirty or half-assed politicians means you have no clue what they will do once in office. And it’s usually bad. I don’t agree with plenty of Paul’s ideas, yet he’s taking a good approach to a few huge problems nobody else will touch (eg military industrial complex, NAFTA, The Fed). It makes most sense to vote for a guy that will provably try his best to solve these problems and who hasn’t backed down under pressure/threats. His track record of down-voting a bunch of bad stuff means he’s ideal person to give veto power too.

Sadly, I couldn’t convince my fellow Americans. Of those commoners who aimed to accomplish something for their country, they seem to fall into three camps: those who gripe that their guy didn’t win, those that gripe their winner betrayed them with false promises, and those that make excuses for the failures/evils of their winning choice. There are apathetic, elites, faithful, and businesspeople who like the situation. (shrugs) And the world continues doing more of the same…

Nick P • July 27, 2014 12:56 AM

@ Wael

It was one of the many quotes in the excellent opening of the Why We Fight documentary. And yes he paid the price. For what I can never be sure, though.

Nick P • August 1, 2014 12:44 AM

@ AnonymousBloke

You write as if you’re one of the organizations or individuals on my list of elites. Yet, you’re writing style and words suggest you’re clearly not one of them: merely writing a post from what you think is their perspective. You no doubt could have some stake in their schemes, like stock or a job working for them. Yet, you’re most likely yet another piece they move on the board just like all the rest. Another asset to use to accomplish a goal or generate a return. I’ll focus on your portrayal of them rather than you, though, as pure speculation isn’t my thing. 😉

The picture you paint of them is somewhat accurate. It applies to the majority of the group. They do want stability, focus on capital/ROI, and do whatever it takes to preserve/expand what benefits them. They’re very powerful, well-educated, and practical. The group typically uses a fait accompli strategy to do things piece by piece over the long term. I’ve often said it’s the best strategy to use against a democracy and it works very well due to their media control. This group is certainly an opponent, although not as worrying as another faction in it.

The Citigroup leaked memos showed what concern these people. Chief among them were voter revolt, inflation, instability in the Middle East, and regulation. Pushing politicians (and voters) in certain directions is their main strategy in all cases. However, certain factions of them sometimes get too much control and push in dangerous directions. The faction that promoted the wars in Iraq and Afghanastan showed they can’t be trusted to manage the Middle Eastern part of the problem. There’s been much better proposals by elite-funded think tanks on how to address those problems without massive blowback. The dominant elite faction of the time caused about as many problems for elites’ overall strategy as they did the rest of us. It’s good to see that group lost power and others advocating more targeted efforts with less blowback potential are now in control.

The other instance I’ll note is the crisis in 2008. This was another scheme by the financial portion of the elites to cash in big. It was actually one of the best things that ever happened to this country as it provides unequivocal evidence against them on many fronts should the public ever actually look at such evidence. Mainly, it showed that even the elites focused on stability and ROI couldn’t be trusted to act in their best interest. They risked the entire financial system that they depended on to squeze money out of a scheme. The bailout was originally downvoted and even mighty Meryl Lynch tanked. The whole lot of them got very close to loosing everything they achieved before they lucked out being successful with a backup scheme. (Part luck, part skill I’ll give them…)

“Our aims are final and reasonable. We do not need politics. We can use them to our ends. We are that confident on… the ends.”

“We are your parents. Look, trust “Heaven” for once. Or not.”

So, such pronouncements of the elites make shouldn’t be trusted. They’re willing to risk themselves and us just for a particular scheme when they’re already rolling in cash and power from more stable schemes. They also aren’t immune to certain factions getting in control causing more blowback than anyone cares to deal with. It took groups like them 50 years to tied up their imperialism in Vietnam, 20-30 years to tie up OBL/Sadaam loose ends, and their most recent scheme expanded currency-related liabilities so much it threatens the financial elite specifically. Democracies might be better off with elites around whose selfish benefit is tied to stability and an improving status quo. I’ll admit that. The current round of elites are showing they don’t measure up, though.

The good news is that they’re not invinceable. A number of their factions have stayed taking a beating in Europe despite the financial/regulation factions almost totally succeeding in their schemes over there (eg European Union). Additionally, the financial elite’s 2008 actions (along with Wikileaks) inspired Iceland to show other democracies how it’s done: they jailed the bankers and their politicians; put new people in office; passed laws voiding the debt; seized banking infrastructure; passed strongest press protections in the world as early warning system for next elite scheme.

Powerful elites in America and Europe failed to prevent this despite their power and the money on the line. Leaked NSA slides indicate they couldn’t coerce their cooperation either. Both were surprising as even I brainstormed leverage on them and the kind DOD/NSA could think of themselves. Yet, DOD, State, NSA, and the financial elites all failed here. Elite-dominated media promoted the view that their anti-capitalist actions would cause their country to collapse. Many years later, they’re doing better than every country in their class and still independent far as I can tell.

Lesson to learn: the elites are very good at what they do, but they can be beaten by an active democractic population. The main reasons they win in most Western countries is a combination of apathy and easy distraction in people. Neither of those two traits are a skill on elites’ part. So, they could be beaten here albeit with considerable effort. The best strategy I’ve heard starts with local governments to create obstacles for them, lets that pile up a bit, and slowly moves those people into federal positions as they leave likeminded individuals in the local ones. This strategy has actually worked on a number of hotbutton issues that weren’t related to elites. It might work on them, as well.

“Believe me, we have enough power to ensure our aims are met.”

Many critical issues they want gone (and are pushing plans for) are still here. They’ve failed so far. Some of these for decades straight. Their power obviously isn’t as great as they’d lead us to believe. All the empires that came before them fell and many of their elites did as well. These are more sophisticated. Yet, history isn’t on their side and their own reckless behavior sure isn’t helping. They’ll be beaten or collapse due to their own schemes.

Nick P • August 1, 2014 1:14 PM

@ Wael

“I’ve been observing you for a while. You were coherent, what happened to you?”

I agree. He went from talking like a reasonable person to rambling like a person not on meds. So, I’m done with the thread. 😉