Friday Squid Blogging: Te Papa Museum Gets a Second Colossal Squid

That’s two more than I have. They’re hoping it’s a male.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Posted on August 15, 2014 at 4:33 PM107 Comments


Buck August 15, 2014 4:36 PM

Any legal muckrakers wanna have a go at this one? It’s looking likely to me that this convenient little DecryptCryptoLocker service is operating in opposition of the law… (See also: this blog post)

USDOJ: U.S. Leads Multi-National Action Against “Gameover Zeus” Botnet and “Cryptolocker” Ransomware, Charges Botnet Administrator (June 2, 2014)

In addition to the disruption operation against Gameover Zeus, the Justice Department led a separate multi-national action to disrupt the malware known as Cryptolocker (sometimes written as “CryptoLocker”), which began appearing about September 2013 and is also a highly sophisticated malware that uses cryptographic key pairs to encrypt the computer files of its victims.

The law enforcement actions against Cryptolocker are the result of an ongoing criminal investigation by the FBI’s Washington Field Office, in coordination with law enforcement counterparts from Canada, Germany, Luxembourg, the Netherlands, United Kingdom and Ukraine.

Is this legal under the Privacy Act of 1974, for instance?

Overview of the Privacy Act of 1974 (2012 – U.S. Department of Justice)

Conditions of Disclosure to Third Parties

A. The “No Disclosure Without Consent” Rule

“No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains [subject to 12 exceptions].” 5 U.S.C. § 552a(b).

… By my reading, this could have possibly been allowed under the “routine use” exemption …

3. 5 U.S.C. § 552a(b)(3) (routine uses)

“for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D).”


Subsection (e)(4)(D) requires Federal Register publication of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.”

Subsection (a)(7) defines the term “routine use” to mean “with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.”

But, that would have required an advanced notice to be published in the Federal Register… I’m not sure who would have standing to sue, it seems that they are treating this as a separate case from the Zeus botnet prosecution. I do know if I were a competitor of FireEye or Fox-IT, I’d be fuming mad at the DOJ/FBI… It’s a good thing their service is provided free of charge, but you can’t say there’s no value in this kind of free publicity!

Surely using procured ‘evidence’ to provide an unfair competitive business advantage to some select corporations is breaking some other law(s) too… RICO, perhaps??

Markus Ottela August 15, 2014 4:54 PM

Tinfoil Chat 0.4.7:
Pidgin enabled, OTP encrypted instant messaging w/ open circuit design HWRNG for key generation + HW data diodes for end point security.

The project has come a long way since I last posted here about it, in January. For most parts I consider it functional and I’m taking a break from active development. Bugs and security updates will of course be fixed, if found.

@. August 15, 2014 5:21 PM

I discovered Syncthing, which is open source, p2p, encrypted, self-hostable, (almost) people-compatible way to sync files without loading them into someones cloud. Now what it needs is people who dig into its protocol and try to attack it broken so that it would be as awesome as I hope it is. (And also a bit of usability tuning.)

When Snowden happened, I was hoping for this exact thing to be built so I hope for it to be a success. Please find it awesome!

Nick P August 15, 2014 6:35 PM

@ Markus

That paper was awesome! I’ve only skimmed it as Im very busy this week. Yet, I see a number of tech iques from my own designs Ive posted here: physical separation, non-DMA medium, offloading networking out of the TCB, etc. Curious if my work was any inspiration for this system.

Regardless, you’re doing a large number of things right at once. You’ve also attempted to address many requirements for High Robustness. I really enjoyed your paper as it’s the first high assurance secure system design I’ve seen outside industry in a long time.

Welcome to our elite subfield of INFOSEC. 🙂

Note: You should patent this stuff immediately just to make sure nobody else does. License it free non-commercial and OEM commercial at a low price to recover patent costs + fund development. Or free license it both ways. Might even get charitable funding for the patent since you’ll be giving it away.

@ Clive Robinson

Give his paper a look to find assess good and bad of it. Ill be giving it review (and enhancements) later on when I have time.

sena kavote August 15, 2014 6:57 PM

Cheri processor

Seems that we can safely open any file in OS that runs on cheri, because it can’t have buffer overflows. We can have javascript on by default. More convenient than using live DVD or virtualization with short runs.

Since it’s open source, could it be that intel or AMD puts 2 or 4 cores on the side of their processor on the same chip, so that we can use cheri like a “hardware accelerated emulator”? Maybe Nvidia could put cheri with it’s graphics processor?

Having cheri on a special add-on card inside a desktop computer, just like graphics cards, or as an extra feature of graphics cards, would have the upside that existing x86 would be usable at the same time. With similar user interface, cheri could also be in an external box connected by ethernet to the main computer, streaming video of web browsing and inspecting files.

Having a cheri box that I can plug my monitor, mouse etc. is lower priority. Cheri laptop, tablet or phone is much lower priority at least for me.

Maybe cheri emulator software on x86 (that hopefully is used like virtualbox) would be fast enough for light web browsing with low quality video? That would be good enough reason to use freeBSD at least in it’s pcBSD form, if cheri Linux support has not come by then.

OpenVMS operating system

I have mild curiosity about it. I would like to see a review from some youtube OS reviewer, just like a review of HP-UX, because to a Ubuntu, debian, manjaro, opensuse and windows user like me, VMS and HP-UX seem mythical and weird things that I have only seen little info, rumors and ads about.

If VMS is closed source, claims about security are suspect. But I guess it does not matter much if it runs missiles, power plants and others systems that have no outside communication.

Wesley Parish August 15, 2014 7:29 PM

@sena kavote

I want to see HP open the earlier VAX-only VMS source trees under the GPL v3 for a number of reasons, amongst them the vital one of inhibiting the growth of the software patent fraud industry, and keeping it from metastasizing overseas. (I also want Microsoft to open the MS DOS 1.x to 7.x, MS OS/2 1.x, MS Windows 1.x to Millennium, and Winnt 3.x to 4.x source trees plus equally old and obsolete software development and office productivity software source trees; likewise I’d appreciate IBM doing the same for the IBM OS/2 1.x to 4.x source trees. All under the GPL v3 as a sort of software patent truce, given that the GPL v3 contains some very appropriate provisions concerning the software patent fraud industry.)

I may be pushing a truckload of **** up a hill, but I may get there in the end.

Nick P August 15, 2014 11:28 PM

@ sena kavote

You brought up two great systems. I’ll address each.

CHERI Processor

I included it in my huge release of papers to help solve NSA surveillance crisis. The other DARPA program is SAFE at Both great work building on simple, useful primitives.

I like that you’re brainstorming. The problem is you’re looking at it backwards: CHERI should be the main processor, with the others the coprocessors for acceleration or legacy apps. CHERI supports legacy FreeBSD, of course, but legacy to most of us is Windows, x86, COBOL, IBM, etc. The whole point of DARPA’s clean slate program is that the system must be secure from the bottom up. Processor is in the TCB, so it must be able to handle any malicious data that hits it. So, if you go with CHERI, it should be the main CPU orchestrating the others so your foundation is quite secure. There’s secure I/O and distributed system requirements in that, too.

Note: It can be a coprocessor for security-sensitive tasks or a dedicate application that your main system interacts with. The risk is that your main CPU/system gets hacked, then can go around the coprocessor or trick you into thinking its using it. There are workarounds to some of this but I’m sure you can see how the situation’s security gets unclear pretty quick.

Btw, CHERI implements the capability security model. If you’re interested, do read this free ebook on capability-based computers of the past. There were many built that did the enforcement at the hardware with all key details given in the book. A few were commercial products. IBM’s is the only survivor with IBM i being its successor and even running apps made for first system. Many good ideas in that book. Also, CHERI is made by same school that made CAP, one of the early capability systems. Boosts my confidence in them.


OpenVMS was a more secure system than many competitors. It’s not hackerproof or totally secure as is often claimed. Its security comes from a combination of things. The system had a security kernel in it to meet Orange Book security requirements. That have it some features over the competition back in the day, which main competitors today meet or exceed. The permission system was very thorough compared to Windows or UNIX, letting you restrict all sorts of things. Win/UNIX might not have caught up on that yet. The system doesn’t include a ton of outside-facing software turned on by default. It’s cross-language development capabilities let you optionally write components in safer languages like Ada to integrate easily into less safe apps (or vice versa). It had built-in support for transactions. It’s commands were English and its DCL was done sensibly, reducing admin-driven issues. And finally, the OS and processor were very unpopular among hackers. That last point is real reason why it saw around 26 reported vulnerabilities when Windows had hundreds to thousands.

Note: Hoffman Labs claims isolation, rareness, and primitiveness are main causes of security.

These customer testimonials during 35 year anniversary say plenty about its quality, performance, and contributions to IT in general. DEC’s engineers built an amazing system that HP eventually EOL’d so they could promote NonStop (my theory at least). The good news is they just licensed it to a company that intends to keep it alive, maybe porting it to Intel Xeon. The main solution right now is Charon’s virtualization software. The main way to experiment is to get a hobbyist license or to buy a used OpenVMS server off eBay. AlphaServers are the best for quality, while Itaniums will perform faster. Just make sure it says OpenVMS is “installed” instead of “supported.” And buy a book on it, too, as it’s from another era and it’s better to have a good guide on those systems.

Running OpenVMS through static/dynamic analysis suites, removing insecure legacy stuff still in it, and porting it to an architecture like CHERI would produce one of the best server OS’s imaginable. Everything that made it great plus the bottom-up security of new architectures. Performance would be less than it currently is. Yet, it was the golden standard in clustering so that shouldn’t be much of a problem.

@ Wesley Parish

You’re wish is my command:

It has a link to “VMS Internals and Data Structures” among other books. Together, especially with other books/papers on it, describe all the capabilities of a VMS system. Should help quite a bit in a patent case if your system just copies VMS. Oldest one is 1991 so any older patents should be expired. The best trick is probably to take information like this, then do a clean slate design a la FreeVMS. One would code it carefully using modern tools and knowledge of secure coding. End result should be ridiculously robust. Developers could remove the warts and true design flaws while they were at it, along with using any unencumbered modern improvements.

The donation part isn’t going to happen. It’s not in their interest. You can still buy the stuff, though, with some people putting that to creative use. My favorite example is the Linux user who switched to Windows 3.1 on all his devices.

Anonymous Coward August 15, 2014 11:58 PM

For those that didn’t see it, more information with regard to the TrueCrypt situation.

The retirement page posted to sourceforge includes a secret message that looks very convincingly like a canary.

“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”

The first letters, read in Latin: UTI NSA IM CU SI

“If one wants to use the NSA”

Douglas McClendon August 16, 2014 1:13 AM

New product announced by Kanguru, “BadUSB-invulnerable” USB3 flash drives, the one I just pre-ordered, almost cough sanely priced at $30+shipping for 8G. Claims read/write “up-to” 85/230MB/s (presumed at max 128G version).

For a decade now I’ve been a more or less tinfoil hatter, with a view to LiveCD/DVD/USB linux distros being highly valuable for security intensive situations (for otherwise mere mortal users). Obviously there are superpower scale attacks that aren’t stopped by immutable boot media, but… immutable boot media makes me a feel a bit warmer and fuzzier anyway. (and Snowden’s use of tails seems to possibly be some vindication of the idea)

It’s really set off my tinfoil hattedness how for the last decade the idea of secured usbstick firmware seemed to be ignored until the recent BadUSB publicity. I sit bewildered as I read Corbet@LWN casually allude to how firmwares until recently haven’t been a part of the security models in use… I tend to believe superpower twisting of arms quid-pro-quoing with lazy/profiteering manufacturers. Anyway, I invite people to explain to me why I was a fool to pay a premium to these folks. I had been using an older kanguru with “physical” write protect switch, however the prior link clearly suggests that despite that bit of marketing appealing to my paranoia, the firmware was just as writable as an old school floppy disk was by a malicious reader-hardware that didn’t respect it’s request to not be written to.

If I’m not just on the wrong security track, I wonder what the cost would be to deliver a usbstick product with an open source firmware? Despite Kanguru paying a good deal of attention to the BadUSB threat surface, they still wave their hands with their ‘invulnerable’ device because it only accepts signed rsa2048 firmwares. I.e. by definition US govt, and other sufficiently cyber-powerful actors can create valid firmwares. What I’d like to see is an old school firmware flash jumper in the form of a paper-clip to pinhole, in addition to a “physical”(?) write protect switch. And physical data action LED (i.e. somehow electrically the LED is not just side controlled by the mcu/firmware, but rather in line with the data traces/lines.

Am I on the wrong track?

Clive Robinson August 16, 2014 4:25 AM

@ Douglas McClendon,

i.e. somehow electrically the LED is not just side controlled by the mcu/firmware, but rather in line with the data traces/line

LEDs controled by data lines is not a good idea as it hemorages data unless you take quite a few precautions, lookup Optical TEMPEST/ EmSec.

Required August 16, 2014 6:18 AM

This is probably off topic, but, there were several articles before the Blackhat convention that mentioned that there is an inherent flaw in the USB protocol that allows users to transfer modified firmware from on usb device to another.

“Wired Magazine”

I haven’t heard anything about this since before Blackhat. Has anyone heard anything more about this or is it a dead issue?

(If you have this page open on your screen and walk around the room, do Bruce Schneier’s eyes follow you around the room? shivers)

Benni August 16, 2014 8:52 AM

Now it gets interesting.

the german secret service BND says it tapped Hillary Clinton and minister Kerry’s phone “accidentially” in its large surveillance network in the middle east. Kerry was talking over an unencrypted line with palestinians. Clinton was caught talking from her aeroplane while flying over the middle east (she did not need to land there or stay there for longer to get caught by BND). So once you make a phonecall to the middle east (especially over the palestinian areas or turkey, which BND was ordered to monitor) you can be sure that there is some friendly BND agent in the line reading the transcription…..

The transcripts were given to the BND president, who then ordered the CIA double agent, to destroy them. So the CIA has the BND transcript. Kerry even showed it to the german foreign minister.

But now the NSA agents say to Spiegel; “the phone of the US foreign minister is encrypted with the same method as the one of the US president. NSA still wonders how BND could decrypt Hillary’s phone, since if BND can do this it also would be able to monitor president Obama…..

Benni August 16, 2014 8:59 AM

By the way, I really think that this new reportings from Appelbaum and Poitras over Hacienda, Mugshot, Olympia, ORB should get its own thread

where they report that NSA/GCHQ and others are breaking into thousands of computers worldwide just to use them as plattforms for their attacks.

“Figure 8 points to a particular role that HACIENDA plays in the spy club’s infrastructure, namely the expansion of their covert infrastructure. The top secret documents seen by Heise describe the LANDMARK program, a program by the Canadian spy agency CSEC which is used to expand covert infrastructure (Figure 17).

The covert infrastructure includes so-called Operational Relay Boxes (ORBs), which are used to hide the location of the attacker when the Five Eyes launch exploits against targets or steal data (Figure 18). Several times a year, the spy club tries to take control of as many machines as possible, as long as they are abroad. For example, in February 2010 twentyfour spies located over 3000 potential ORBs in a single work day (Figure 19). However, going over the port scan results provided by HACIENDA was considered too laborous (Figure 20), so they programmed their OLYMPIA system to automate the process (Figure 21). As a result, the spies brag that they can now locate vulnerable devices in a subnet in less than five minutes (Figure 22).”

“Thus, system and network administrators now face the threat of industrial espionage, sabotage and human rights violations created by nation-state adversaries indiscriminately attacking network infrastructure and breaking into services.

Such an adversary needs little reason for an attack beyond gaining access and is supported by a multi-billion dollar budget, immunity from prosecution, and compelled collaboration by companies from Five Eyes countries. As a result, every system or network administrator needs to worry about protecting his system against this unprecedented threat level.
In particular, citizens of countries outside of the Five Eyes have, as a result of these programs, greatly reduced security, privacy, integrity and resilience capabilities.”

Herman August 16, 2014 10:42 AM

An alternative to Syncthing is Restroshare. It is more mature and featureful, but I like the simplicity of Syncthing. It just does one thing – synchronization of a folder full of files.

Clive Robinson August 16, 2014 11:12 AM

OFF Topic :

On playing with Google today I came across my first

    Some results may have been removed under data protection law in Europe. Learn more Searches related to brett glass

The reason for looking for “Brett Glass” was in relation to “bikesheding” that comes up in this more relevant item,

From the little I could discover in the EU let’s hope that the old saw about “Speak of the devil and he’s sure to appear” does not apply.

DB August 16, 2014 11:17 AM

@Douglas McClendon

IMO you are not on the wrong track in general thinking about this… I have investigated for a couple hours about creating my own open source “USB stick”… The problem is controlling a large amount of flash memory. It seems that it’s quite complicated, requires wear leveling, and all sorts of things… and not a lot of fully open source for that part of it…


As a result, every system or network administrator needs to worry about protecting his system against this unprecedented threat level.

I agree. It totally mystifies me why it seems that most network/system administrators stick their head in the sand about this.. Let me be clear: we are all… every single one of us… exposed to every APT out there, and the consequences will continue to get more and more dire the longer we don’t do something about it and deal with it. We can’t just say “oh well, that’s too hard, let’s ignore that!”–the other side certainly has never said things like that about attacking everything with a power plug!

Gerard van Vooren August 16, 2014 11:21 AM

@ Benni

If you play with fire you can get burned. Still this is not comparable with the NSA deliberately and targeted wire tap the phone of Merkel.

But it is good that this kind of news is being broad casted. It shows that the concerns of Snowden are legit.

I cannot believe the news… what a sensation.

NobodySpecial August 16, 2014 11:41 AM

I believe Google is doing this for all names used in the search to highlight its objection to the Eu’s ‘right to be forgotten’ legislation – whether an entry has been removed or not

They do not do this for ‘celebs’ because of the number of searches. So if you want to know if you are really famous see if Google issue a warning!

Clive Robinson August 16, 2014 12:12 PM

@ NobodySpecial,

You may be right a search on my (quite common now) name pulls up the same message. But then again one of the fifty or so other “Clive Robinsons” out there could have a quite shady past, you never know.

What I do know is one or two readers here thought I have a shady past –including being a Klingon– long long before the EU said digital amnesia is OK so maybe somebody has done it on my behalf or maybe I did but can not remember 😉

Nick P August 16, 2014 12:37 PM

@ ismar

Thanks for the link. It’s good advice. It’s similar to what I recommended Figureitout do because it works pretty well. The rest of the article is a bit questionable, like the claims about Ellsberg. That SecureDrop can’t be trusted and spooks will try to infiltrate the news organizations are strong points. It’s actually a long-known fact that CIA has embedded people in major news organizations. They’ve done it for decades. One must assume the other agencies will.

His best point on that stuff, though, is that the online platforms play to NSA’s strength: SIGINT. It’s actually laughable when you think about it. Let me word it as such:

“A secretive, multi-billion dollar organization was revealed to be able to hack almost any commercial router, PC, OS, or major protocol. They’re also doing blanket surveillance of the Internet backbone. Major email, social media, and file sharing providers cooperate with them. They also have legal techniques to force information out. We need a way for leakers to tell us about their dastardly plans without getting caught…

…so we’re going to build an Internet-connected, COTS powered service operating in one of their legal jurisdictions that people can send us files to via their PC’s.”

Good Luck With That…®

Benni August 16, 2014 1:02 PM

@Gerard van Vooren:

“If you play with fire you can get burned. Still this is not comparable with the NSA deliberately and targeted wire tap the phone of Merkel.”

No, this is worse that with Merkel’s phone. BND here caught all phone conversations from an aeroplane accidentially, and accidentially all phone conversations to palestinians…..

If you target a politician deliberately, as the NSA did with Merkel’s phone, then this is way better than just creating a net where every phone call in an entire region is monitored, where you by accident find some politician….

This finding just receals that, when it comes to bulk surveillance of phone calls, BND is up to date, and on par with NSA.

If you believe the information that BND intercepted these calls “accidentially”. BND typically lies. And saying “well that was just an accident” could be a rather stupid excuse.
NSA agents still wonder how BND could intercept Hillary, since normally, these politicians talk over NSA encrypted lines. The question is whether Hillary accidentially switched over to an un-encrypted phone (woman on the phone… completely out of control), or whether BND can indeed crack NSA encryption on the fly, or if BND placed Bugs in Hillary’s blackberry to achive this.

There was this statement of the german government, when a parlamentarian asked them whether BND is able to “decrypt encrypted communication like ssh”. The answer was, “the technology of BND is capable of this, depending on the encryption strength”

MrC August 16, 2014 1:58 PM

I think you’re barking up the wrong tree with 5 U.S.C. § 552a(b), for at least three reasons:

First, that statute only applies to government agencies. Perhaps I’m missing some facts here, but I’m not seeing the agency action in the ongoing operation of this DecryptCryptoLocker thingy. Are you implying that FireEye/Fox-IT are somehow government agencies? Or are you implying that the DoJ was the party that obtained the private keys, and then violated § 552a(b) when it turned them over to FireEye/Fox-IT? If the latter, that leads into my next point…

Second, the word “record” in the statute does not mean what it means in normal conversation. It’s defined for purposes of the statute in § 552a(a)(4). The phrase that should jump out at you immediately is “about an individual.” The private keys (which, as best I can tell is the only thing that’s getting disclosed by anyone to anyone in this DecryptCryptoLocker thingy) are not about any individual. So they’re not “records.” So the statute doesn’t apply.

Third, insofar as you’re looking at the disclosure of the private key from FireEye/Fox-IT to the website user as the potential violation, the submission of the file by the user would be a “written request.” (Electronic communications are generally considered “written.”)

Putting points 1 & 2 together into a series of questions:
(i) Precisely which government agency are we talking about?
(ii) Precisely what piece of information does that agency have about specific individuals?
(iii) Precisely who are they giving that piece of information to, and how?
A (silly) sample answer would be “(i) The IRS (ii) has the results of pregnancy tests for the US Olympic curling team, which they are (iii) disclosing to the good people of Albuquerque by broadcasting it on 103.7 FM smooth jazz radio.” If you can’t formulate an answer to those questions with that degree of specificity, then there’s probably not a § 552a(b) violation going on.

Douglas McClendon August 16, 2014 3:10 PM


Yes, I guess one would have to take precautions with the LED activity, i.e. sufficiently damped and averaged, and that may be more trouble than its worth for the first pass. Alternately, a Google-Ara-ish detatchable activity LED module would be awesome, making it an optional info-leak the user may deem worth the risk/benefit.


my previous comment was about that issue. I put up the link to Kanguru because they are, sadly the exception, of a usb device manufacturer directly taking that threat surface at least superficially seriously. (I’d say more than superficially if they were open sourcing their firmware and/or documenting how the “owner” of the device can create their own alternate signed firmware build to run).


those problems of complexity seem like almost nothing compared to the example of open source kernels. And of course with open source, if you can get a deployable solution of any sort (e.g. with no wear-leveling support), then it becomes trivial for the wider audience to crowdsource the more complex features. What I’m really wondering is if the establishment will dig in their heels about things analagous to patented codecs implemented in e.g. graphics card firmwares, or threat-to-society RF jamming issues in e.g. wifi firmwares. I would hope the usb flashdisk firmwares could at least be pure open source. Though I would guess if asked point blank Kanguru would spin a tail about their firmware code being valuable IP that they can’t afford to expose to competitors. Though I imagine that would be smokescreen for keeping the land of usb device firmware in the realm of mystic voodoo which equates to government control. But I digress…

Buck August 16, 2014 3:24 PM


Thank you for the well informed reply! I guess the keys probably can’t be said to be about any individuals (well, unless there’s an alternative definition of ‘about’ that I’m not aware of ;-)… Any idea which trees might be more fruitful for barking at?

How about a hypothetical scenario involving the recent seizure of Silk Road servers and bitcoins – Instead of auctioning off the ill-gotten gains, could the Feds have simply handed them over to, say Google, for being such a good partner over the years? I can’t imagine that being legal, but you know what they say… IANAL!

Clive Robinson August 16, 2014 3:56 PM

@ Nick P, Ismar,

Prior to the Ed Snowden revelations, various people on this blog had done the technical side thinking and realised it was possible for the NSA et al to bug every phone call and even get the 5% of internet traffic that is not spam or video downloads.

But though our technical minds were not in doubt our human minds still believed that we would be conspiracy nuts if we gave it credence that the NSA et al actualy were doing it even when the million square foot MDS showed technically they could store it all virtually indefinitely if they wanted to, we were effectivly still in denial.

Well the revelations showed our technical not human sides were right but it still sits uneasily in our minds, we want to believe we can be secure and anonymous on the Internet so we can pass TLA and above secrets to journalists. But our technical side knows that even if we tried we would not realy be successful the odds are truly stacked against us with electronic comms that most of us have access to.

Which is the message the link is giving.

With regards Spooks infiltrating newspapers, that is actually quite funny. Basicaly Intel Analysts are investicative journalists, only unlike their journalist friends they don’t have to worry about the various liable and slander laws no matter what they say they won’t get sued. And as we know from the Manning revelations, they realy do go out on the hyperbole to fill their column inches to Washington. So much so it’s realy at best behind the back gossip digging the dirt as make work to keep their jobs.

As for the secrets being lies, yes it fits in with what we know of such agency behaviour, the truth has to be kept secret lest other “home truths” become obvious, and morality becomes an issue.

Again we have seen with our technical side that Pub Keys could be broken quite easily in embedded systems like routers due to simple design flaws. Yet our human side wanted to believe it was not possible, and the NSA did not want to kill the goose that laid the golden eggs so yes they lied to their own staff to keep the secret. So the likes of Duncan Cambell got to hear from confidential sources those lies, as truths the sources believed, because the paper they had seen had “Top Secret” across it and you needed extra clearence to be told the lies, thus the truth remained concealed.

At the end of the day what we again know technicaly is true, old school trade craft works, and works well, and will continue to do so till such a time as there is a CCTV camera observing any and all moves people make. We are not there yet but it’s comming to a street pole near you real soon now so you can be marketed to 24×7.

65535 August 16, 2014 4:19 PM

@ Benni

“…a particular role that HACIENDA plays in the spy club’s infrastructure, namely the expansion of their covert infrastructure…”

This is just reconnaissance tool to increase NSA’s bot net for spreading persistent viruses. I would guess that other countries such as China and Russia have begun to retaliate with their own bot nets against the USA/Five eyes players.

Does the NSA realize they have drastically accelerated the on going cyber war? The big corporations that are in bed with the NSA will not suffer (Google and so on). It’s the little guy running a small business, with a limited IT budget and with 30 windows boxes that will be attacked – probably ruined.

This type of overt cyber war hurts the small business the most. At least NSA could have warned us to harden our system before they launched this cyber war.

China has about 1.1 billion people. I would guess if things get hot then a large number of them will be recruited to hack American computer systems – that number of people could double or triple the number of NSA cyber warriors [the same goes for the Russians].

The Chinese have access to Zmap and a pile of viruses [And, they are not stupid]. For all we know they may start making virus filled thumb drives/SSD and so on and sell them to us – we are huge customer of their products!

The Chinese could easily rip a lot of small businesses apart [those small businesses that don’t have the resources to harden systems or were unaware of the on going cyber war].

It is no wonder why the Chinese kicked Google out and built their own service [too may spies in Google]. This situation stinks like an open sewer hole. I think this will end badly.

sena kavote August 16, 2014 4:47 PM


If cheri is inside x86 processor chip as a new feature, or inside extra (video) card that is inserted to a PCI slot or similar slot, or embedded to the motherboard as extra processor, with a x86 processor, then maybe we should be able to choose from a BIOS setting what processors should be on, and if both are on, which processor should be the main processor and which should be the co-processor. This choice depends on the OS.

Besides better security, I believe cheri needs less energy than x86 because cheri is less powerful and RISC type, so if for some time period computer is needed only for some light task, it is better to boot to OS that works with only cheri, regardless of security concerns.

usb sticks

Area of the stick’s controller chip that does writing should get it’s energy from a separate wire that can be disconnected with a switch. Also, some water dropping on the wrong place should not be able to make that connection when writing is supposed to be off, at least not if the stick works at all or does anything besides giving an error message about wetness.

No need to worry about managing wear leveling in hardware. Need for wear leveling depends on situation and use. Sometime it would be ok if storage capacity just shrinks because of too much writing, if performance is better. OS or user can be informed if some write to some block is the last write there.
We need option to adjust wear leveling on usb sticks, for both security and performance reasons. Software driver for managing wear leveling wont take much computing. Something like this exists for some form of flash eeprom, but maybe not for usb sticks.

Read indicator light should be green and write indicator red. Energy of those LEDs should go through a capacitor so no data leakage. Flash should be at minimum 3 second scale because too fast flashing would be annoying in darkness.

It is possible that the number of writes depends on temperature and also that waiting weeks or years reduces some wear because electrons on the wrong places drift away. Waiting can also erase data if electrons on the right places drift away.

Given that hydrogen molecules and helium atoms drift inside any Earth-ly material, putting usb sticks in helium or hydrogen atmosphere might have some good or bad effects on them…

Ukraine war

Ukraine has a war front line in an area with widespread internet and cell phone use. No front line before this war have been in so well developed area. IT researchers need to track how this war and crisis affects internet there and also in Crimea. (If squids in Black sea were in danger because of this war, squid researchers would need to track that.)

NSA would like to put malware on every router and server on the rebel areas, and maybe on Ukraine government computers too. Russia would like to do that for most of Ukraine, but maybe not in core rebel areas and Crimea. How likely is it that Russia tries to put malware on a server that NSA already has put it’s malware, or vice versa? What happens then?

How to make a computer (network) look like a honeypot or honeynet when it’s not?

If attacker or his malware can see signs of honeypot, how to put up false signs? What can be done by ordinary user without programming, by distro maintainer/ microsoft / apple, by Linux kernel team or by third party software provider?

Tempest with monitor

If flat color areas had some small artificial “noise” / “static” i.e random variation of the 3 color values, would that cause some difficulty with using radio leakage, at least if the monitor connection is digital?

DB August 16, 2014 5:28 PM

@Douglas McClendon

The “USB device firmware” part of it is not mystic voodoo… there are lots of open source USB stacks… for example, LUFA is one for the Atmel microcontrollers.

The problem is managing lots and lots of NAND Flash, level wearing, etc… But if you want to create a very basic “usb stick” right now with just a couple K of space, you could do it in a few lines of code, using LUFA and this Atmega32u4 Breakout Board. But if you go to Megs, or even heaven forbid, Gigs… it’s a real problem.

Benni August 16, 2014 6:03 PM

was this already mentioned at this blog?

Where Hacking team used youtube to distribute malware?

@sena kavote
Regarding Ukraine:

Well it all started when large gas fields in western ukraine were found. In 2013, Yakunovitch made the contract with chevron, to exploit the field with 7 billion dollar investments, and he said that this should render Ukraine independent of russian gas until 2020.

In 2009, the Ukrainian environmental ministry announced that they have found the largest shale gas reservoir that men have discovered in the world. This reservoir is in the Donezk area, at the same spot where these rebels now are…

Germany is currently creating technology to get massive amounts of energy from windmills on the ocean. The german government says that in 2050, the amount of electrical they get from this will be so huge that they can use it to generate heat, and become completely independent of russian gas.

So russia is facing the loss of most of its gas customers.

At the same time, Ukraine even could want to get incorporated into Nato. For russia this is a strategic problem. Nato has encircled russia with a missile defense system. It makes not much sense that this is deployed against iran, since it would become known if that country tests large intercontinental missiles. One reason for bringing this system up could be that there is a danger of a terrorist in chechnya, going to a russian rocket base, and firing a shot. Or there are other countries near russia that developed short range missiles who would want to attack western countries. The problem with this nato system is that it would also forbid russian missiles to start if the nato did not allow this previously.

Now many parts of russias intercontinental weapons, the motors of its army ships, and the motors of its helicpoters are made in ukraine.

If Ukraine gets into nato, then russia can a) not start any missile without nato allowing it, and b) russia would get much of its military gear from nato. At that point, it could basically “surrender” and it would be forced into nato since there would not be any alternatives left…

Nato does not take instabile countries as its members. That is one reason why russia tries to destabilize Ukraine.

And it wants to take most of Ukraines oil and gas fields, since russia has to fear to be cut off from its main financial income, with ukraine replacing russia as gas exporter for europe.

Even without the ukrainian gas fields, the technology that is currently developed in germany implies a severe reduction in gas imports. The only way to get around this for russia would be to get every friendly help from europe it can get to develop its industrial society. It should have tried to get contracts with the ukrainian gas fields in a peaceful manner through bidding.

It seems russias government has chosen the short sighted, aggressive path instead (following the example in georgia where russia staged a war and invented the non recognized state abchasia, with which rosneft then made its oil contracts two years later). Now russia will face sanctions, lose any part of the largest gas fields in the world, lose the service for many of its atomic weapons and army gear, and in 2050, it has to face that europe will not want its gas anymore…

As from an IT perspective, the war in Ukraine shows that one does not need any surveillance.

Nato has its disguised warships there, they are equipped with rockets, as a disguise, but they do not shoot. Instead these ships probably have huge signals intelligence antennas, probably monitoring every radio call…

But why need this, when russian agents put their gps coordinates on instagram:
or when they tell to social media that they shoot down an aeroplane: or when they just tell everyone on youtube from where they get their “1200 fighters along with 150 vehicles from which 30 are tanks”…..

The spying business comes from the middle age, where people rarely communicated, and decisions were made in silent castles, without connection to the world around.

Recently, the rules for the resolution of commercial satellites were lifted. It can be assumed that we will get real live streams of the world in 50 years or so. Perhaps in 50 years, tank movements can then be watched by everyone in realtime on google maps.

The secret services were not able to predict the invasion at crimea. As they were not able to predict 9/11 or the collapse of the GDR.

So at the moment, the only real use of these secret services for governments is their ability to monitor battle fields in real time from their spy satellites.

And soon even this ability will become obsolete. As did their monitoring of phone calls, that apparently can well be replaced by watching youtube and reading twitter….

Sancho_P August 16, 2014 6:39 PM

But our technical side knows that even if we tried we would not really be successful the odds are truly stacked against us with electronic comms that most of us have access to.” – Clive Robinson

I feel the important part here is “that most of us have access to” because we tend to think about private email / chat / social comms first, but exactly this is the part where we probably would have a chance to react.
However, we do not have a chance with phone calls, financial transactions, stylish device and PC use in general, just to name a few things where big organizations are involved.

I could encrypt and strip the metadata from my emails to my grandma, but when I use my credit card at the liquor shop I’m screwed.
That would not be the problem, anyway.

But I can not anymore donate to EFF or buy one of Bruce’s books online without fear of collecting points in a certain database.
That’s the problem:
These points are so transparent that I can not see them, let alone fight them.
So I may lose my contract with gov, being strip searched or denied from boarding an aircraft or whatever.

Nick P August 16, 2014 7:22 PM

@ Benni

Nice, simple analysis of the economic reasons for the situation in Ukraine.

@ DB

The problem is simpler if you split the system into trusted and untrusted. The trusted part connects to the host system, has the USB stack, etc. The untrusted part connects to flash and manages it, possibly with proprietary code. The I/O interface between them, along with an internal protocol, helps secure the interaction. This is simple far as hardware requirements, esp if minimalist processors are used in a SOC.

The thing can be made more secure by leveraging cryptochip research. A number of projects I’ve posted here make everything external to chip untrusted, including memory, by using crypto for confidentiality and integrity. The trusted chip might include onboard crypto that it applies to data before sending it to flash. So, that stuff is now not only isolated from main system: it can’t undetectably mess with the data, either.

So it’s not hard. It’s just more profitable for industry’s non-security engineers to throw FIPS-2 crypto acceleration on regular USB sticks and sell them as secure storage.

DB August 16, 2014 8:55 PM

@ Nick P

You have a good point. Adding encryption to the links I gave above could encrypt data before it goes into the “untrusted” flash controller… that way even if the flash controller is compromised, at least the data couldn’t be read in the clear by it…

This is only a one-step-ahead-of-the-enemy solution though, because as soon as something like this became popular enough, the NSA would use their fab to create a new version of the “trusted” chip that was itself compromised but otherwise looked the same and interdict them all in transit… we need really verifiably secure hardware to be the next step after that, otherwise there’s no trusted place anywhere at all. The machine-to-human interface will always be the weak point no matter what you do if you can’t ever trust hardware.

(by the way, I’m not declaring the NSA my enemy, they’ve declared every soul in the world their enemy)

Benni August 16, 2014 9:52 PM

german officials begin to use weaseley language:

Merkel said: Spying among friends, this is unacceptable.

Now german officials say:

“In recent years we never said that such statements can be applied to all Nato countries”. “Turkey is not comparable to France, Great Britain or the US.” “Additionally it is known that Turkey tries to achive political goals over turkish clubs and associations in germany…” (implying that turkey would have its own spies in germany….

And then we have conserative german parlamentarians who say: “automatic deletion of accidentially monitored phone calls from politicians, this would be way too nice”….

Meanwhile, the german federal tv says in its news that Hillary and Kerry would not be single exceptions but BND “accidentially” monitored several american politicians when they went into its large surveillance network….

Perhaps they should announce that “from now on, Kerry is no longer monitored, but that exception does not hold for any other politician in america or elsewhere”

By the way, the russians installed a large unserwater cable to connect russia with crimea.

the german computermagazine c’t writes that before this, crimean internet connection to russia went over Ukraine, then to De-Cix in Frankfurt germany and finally to russia…..

(as admitted by the german government in an answer to a parlamentarian, all providers with a foreign bridge head have to “provide a complete copy of all communications to BND and it was admitted by de-cix that it is among these)….

Crimea, de-cix, russia, that was fine trafficshaping by BND…..

If the russians now cut that route then BND does not get its fulltake anymore from Crimea.

However, the germans have submarines that can dive in waters of only 17 metres depth. Unfortunately, these submarines have no equipment to tap fibers, like this american submarine Jimmy Carter. Perhaps NSA wants to help their colleagues some equipment….

Buck August 16, 2014 11:08 PM


YES! :-\

This is only a one-step-ahead-of-the-enemy solution though, because as soon as something like this became popular enough, the NSA would use their fab to create a new version of the “trusted” chip that was itself compromised but otherwise looked the same and interdict them all in transit…

This is why Snowden’s stance is obviously bloviation, or at best; founded in a fantasy land…

In the end, Snowden thinks we should put our faith in technology – not politicians. “We have the means and we have the technology to end mass surveillance without any legislative action at all, without any policy changes.” The answer, he says, is robust encryption. “By basically adopting changes like making encryption a universal standard – where all communications are encrypted by default – we can end mass surveillance not just in the United States but around the world.”

Fortunately, real world solutions exist that don’t depend on money! 😀 Technology won’t save humanity, but people can!!

SchneieronSecurityFan August 17, 2014 1:10 AM

Video of the BadUSB briefing from Black Hat USA 2014 posted on Black Hat’s YouTube page:

Here’s the BadUSB presenters’ website (It’s down as of this writing.):

The Black Hat USA 2014 archives page with many presentation notes:

DB August 17, 2014 1:58 AM


We should not have “faith” in either politicians nor in technology. Democracy and freedom are founded on distrust not on blind faith in an almighty leader.

Things must be open and verifiable, both government and technology, otherwise it does not belong in a free society.

Clive Robinson August 17, 2014 8:02 AM

@ Figureitout, Nick P,

Chatting to an even longer toothed friend over lunchtime about thinks past and present amongst which was using “old languages” and “old processors” for “new security” and they mentioned Tack (The Amsterdam Compiler Kit), which I’ve either not heard of or more likely forgotten.

Any way have a look at,

It looks fairly interesting from several perspectives.

Ukrainian August 17, 2014 9:13 AM

@sena kavote

re: Ukraine war

IT researchers need to track how this war and crisis affects internet there

We have had a massive influx of dross pro-russian propaganda on forums & other www resources alike here. Crude and obvious, at the same time naughty and very obnoxious, trying to propagate their ideas, to deceive and disinform, to smear someone they don’t like etc.

Some people got arrested for spreading pro-russian ideas via the Net and allegedly coordinating these efforts. Folks say they got caught because of absolutely non-existent OPSEC i. e. doing that over social media sites using their real names. This may be hearsay.

NSA would like to put malware on every router and server on the rebel areas, and maybe on Ukraine government computers too.

I recall a heatmap from NSA slides regarding some programme. Unfortunately, there was a mark on Kiev. I’d assume they have already done that.

How likely is it that Russia tries to put malware on a server that NSA already has put it’s malware, or vice versa? What happens then?

They may try to take each other out from the server if they are pillocks but I’d assume the best strategy is to quietly sit there and sift whatever you may need.

Nick P August 17, 2014 12:14 PM

@ Clive

Thanks for sharing it. It even targets C + two of the better than C languages I’ve mentioned.

golgotha August 17, 2014 12:45 PM

Russia trying to beat the 5 Eyes at their own game in Tor?

Is Russia trying to:

A. Throw a spanner in the works for NSA’s Tor correlation attacks?
B. Deanonymize Russian bloggers?
C. Dip their toes in global mass surveillance?
D. All of the above?

The alternative is that these are all bona fide Tor nodes (not government-run malicious nodes), but I doubt they’ve all cropped out spontaneously in the last week or so out of a sudden awakening and collective goodness of volunteers’ hearts.

MrC August 17, 2014 12:46 PM

Re: More fruitful barking:
I’m not sure which trees you mean to be barking up, or why. So perhaps a general theory of barking will suffice? An analysis that proceeds “I don’t like this guy -> He must be doing something illegal -> Let’s figure out what it is” is usually not fruitful. For one thing, it’s too imprecise, unless you attempt the unwieldy task of cataloging and analyzing each individual thing “this guy” has ever done. For another thing, when you start that way, it’s far too easy to see things through tinted glasses that skew your analysis. A much better approach is to start with a particular ACT that feels unfair or wrong and see if that act violated any laws. (Example: “The Ferguson PD are a bunch of racist bastards,” while perhaps true, is not a useful starting point for legal analysis. “Officers X, Y, and Z of the Ferguson PD (i) punched and kicked Henry Davis, then (ii) charged him with ‘property damage’ for bleeding on their uniforms,” is a useful starting point that can lead to a potentially winnable lawsuit.) So, what is it about this DecryptCryptoLocker thing — in specific, who did what — that bothers you?

Re: bitcoins:
I don’t feel comfortable making any sort of predictions about the outcome when law collides with bitcoins. There’s no precedents, bitcoins are too new, and the bench is too geriatric. A court might treat them like currency, non-currency property, mere bitstrings, contraband, evidence, who knows. More than likely, different courts will come to inconsistent results before a consensus emerges. Your guess is as good as mine.

@Markus Ottela
That’s clever. I have four questions:
1. Why stop at Pigdin? It seems like this model could drive just about any form of communication, even full-on video chat.
2. The manual says that you need to copy keys from TxM to RxM. Why is this done by USB pendrive rather than another data diode?
3. Let’s assume that I have some data on a potentially compromised machine (TxR or NH or an entirely different machine) that I want to copy to TxM in order to send to someone else via TFC. What is the safest way to do that? Given the whole BadUSB business, USB pendrives seem like a terrible idea. My (probably uninformed) intuition is that a non-rewritable optical disk (e.g. DVD) is probably best. Thoughts?
4. Following from #3, might it be possible to design some sort of open hardware device to accomplish that task?

Benni August 17, 2014 12:54 PM


“We have had a massive influx of dross pro-russian propaganda on forums & other www resources alike here. Crude and obvious, at the same time naughty and very obnoxious, trying to propagate their ideas, to deceive and disinform, to smear someone they don’t like etc.”

In german forums and comment sections of news sites this is the same.

It is completely stupid propaganda, sometimes one thinks that these sockpuppets do not have brains. Spiegel online has a facebook page there. On every Ukraine posting it gets masses of comments. But Ukrainians do similar things. Look at the facebook page of poor angela merkel:

now the comments are more intelligent than before, where it was flooded with comparisons of merkel and nazis

In 2011 the guardian revealed that the united states have a sockpuppet software that generates pro american comments in social media and comment sections and forums:

the russians apparently thought, “hey, that is good” and then sueddeutsche revealed that these pro russian comments which appear on all german forums massively, are being made by paid propaganda companies paid by fsb and kremlin.

This means that the internet, these days, is not only getting militarized in secrecy from various intelligence agencies, but it is also used for psychological warfare in the open, as a plattform to massively spread propaganda, from many countries. With deliberate “leaks” on youtube, intelligence agencies even have used the internet to destroy political careers:

When tymoshenko here says that she wants to kill russians with atomic bombs, one should imagine these fsb analysts hearing this, knowing that ukraine repairs russian intercontinental weapons:

But of course they cut off the transcript then, nevertheless at the end of the recording it still comes clear that tymoshenko just said this in anger, and the ukrainian politicians in the phonecall really just agreed that they want to go to international court, which is an entirely different thing than throwing atomic bombs…

So the internet is even used by intelligence services to destroy unwanted politicians….

NSA whistleblower Binney says that these american generals, Petraeus and Allen, criticised Obama for his belief that the terrorists would have been defeated after the death of Osama bin Laden. This was part of Obamas election strategy. Binney says that then suddenly the NSA databases were searched for compromising emails. These mails then were leaked and the unwanted generals were fired:

This is not the internet anymore that I like.

You say something on the phone or in an email and then this is used by worldwide agencies to destroy your career….

Newspapers are flooded with propaganda made from paid agents..

And intelligence agencies try to get into as many computers of innocents as they can (see the comment above on Haicienda), just in order to find a host from where they can attack their real targets.

They hack into civillian infrastructure (see the snowden interview at wired)

And on top of that they develop systems that can attack computers automatically (see the snowden interview on wired about monstermind)….

Clive Robinson August 17, 2014 1:09 PM

OFF Topic :

This may not be of interest to many but it shows the sort of security problems high end SatCom systems suffer from,

Essentialy an attacker gets full admin access to the systems with minimal low skill effort. Imagine that it’s a high end router equivalent to visualize the problem.

And these SatCom systems are used on all passenger aircraft and ships and likewise cargo carrying craft. Some of the information would be considered highly confidential as it could reveal quite a lot of commercialy sensitive data amongst other things.

Ukrainian August 17, 2014 1:33 PM


It is completely stupid propaganda, sometimes one thinks that these sockpuppets do not have brains.

Exactly. Word is, their secondary goal is to keep people occupied with their nonsense. As long as they can keep the discussion meaningless, they get paid. This situation be
comes very ugly on loosely-moderated forums.

But Ukrainians do similar things.

I don’t 🙂 I’ll peek at your link later as I cannot open it right now; something’s not okay with DNS today.

but it is also used for psychological warfare in the open, as a plattform to massively spread propaganda, from many countries.


And intelligence agencies try to get into as many computers of innocents as they can (see the comment above on Haicienda), just in order to find a host from where they can attack their real targets.

This one is particularly dross. What if their unwitting “proxy” gets caught? Blame the

Buck August 17, 2014 1:42 PM


Having global corporations with connections to LEO agencies padding their bottom lines with overt criminal activity is both corrupt and dangerous on many levels (but I’ll leave that as an exercise for the reader).
So, no, I can’t cite any specific acts, laws, or statutes that have been violated; all I can do is try to assure you that I’m not just hunting for someone to sue… As a citizen, I am deeply concerned for how these issues could affect me and my fellow citizens in the future, and I think it’s a violation of the very premise of establishing a ‘justice enforcement’ arm in the free world!

Skeptical August 17, 2014 1:52 PM

@Benni – regarding the Ukraine, I think you have some things right, some things wrong, and some important things absent.

I agree that the importance of eastern Ukraine to the Ukrainian Government is, in part, no doubt due to the economic significance of the region. This includes not only natural gas fields (though we’ll see how they turn out), but also heavy industry.

The importance of Ukraine to Russia is only partially captured by implications for the natural gas market in Europe. Most of the importance of Ukraine to Russia is a result of history: certain influential Russians, including Putin, regard the collapse of the Soviet Union as a monstrous defeat enabled by the mistakes of weak leadership; they view Ukraine as properly part of Russia, and former Soviet republics generally as areas that Russia rightly ought dominate and control.

It is that history, and the attachment Putin and others have to it, that help explain why they have undertaken such a disastrous strategy in Ukraine (Russian domestic politics explains most of the rest).

The importance of Ukraine to other former Soviet republics is as a signal: how far will Russia push to dominate them, and how far will Europe and the US go to prevent it?

The importance of Ukraine to the US, and Europe, is complex, fostered partly in concern that Eastern European nations develop into stable democracies, which will have a long-term stabilizing (and wealth enhancing) effect on Europe, fostered partly in the concern that democratic self-government is in fact the right of the people in these nations, and fostered partly in the concern that it would be dangerous and destabilizing to allow an authoritarian Russian government to pick up the mantle of Soviet aggression.

This all makes disputes over these countries particularly dangerous, since it involves the clashing of principles for which compromise is difficult to find. The only saving grace, at present, is the massive imbalance of power between the United States and Russia. Were it otherwise, Ukraine could be the tinder that lit the world aflame.

You mention missile defense, but I don’t think that is a driving issue. The US has largely accommodated Russia’s concerns on the matter, and the handful of sites it has desired to create could not defeat the quantity of Russian missiles. Moreover the concern that Iran will be able, in the near future, to credibly threaten a missile launch against European targets is quite real, and it would change the nature of regional politics in the Middle East for the worse.

65535 August 17, 2014 1:57 PM

@ Benni

“was this already mentioned at this blog?

Good link.

Now that “Finfisher/Finspy” is spread across the globe how do we combat it?

As far as I can tell only about 3% to 5% of all websites use encryption. Other than Tor or a live usb/cd version of Tails what should the average Joe do?

Would adding and IP spoofer help [browser plugin]? Would adding a user agent changer help [another browser plugin]? Any thoughts on “Deep Freeze” to revert to a fresh system?

@ Nick P

“@ Benni”
“Nice, simple analysis of the economic reasons for the situation in Ukraine.”

[I agree. The economics of the situation look clear.]

“@ DB”
“The problem is simpler if you split the system into trusted and untrusted. The trusted part connects to the host system, has the USB stack, etc. The untrusted part connects to flash and manages it, possibly with proprietary code.” –Nick P

[Yes, but it looks like we are running out of time given the FinSpy propagation. What stop-gap measures would you suggest until your secure project is finished?]

Benni August 17, 2014 2:17 PM

@Leon Wolfeson “On people talking about secure clients for sharing –

Please include as a baseline the functionality from WASTE”

You certainly do not advertise a software that was not updated in sourceforge since 2007:

No, using such old code is completely ill advised with respect to security.

An actively developed system is retroshare it can do filesharing, voip, email and chat and has this security model:

it encrypts everything. But the direct connections to your friends are not anonymous, though. Friends can connect in retroshare by sending each other their public pgp key via email. So if you add there a spy as your friend, he will see your ip and get you. But retroshare can be made anonymous, or at least some sort of anonymous, when you run retroshare over tor. there are tutorials on the net how to torify this.

Tor can be de-anonymized by attackers sitting on internet exchange points (aka NSA). But for that, these adversaries need several weeks:

So if you want to do filesharing and set the cost for NSA very high, use retroshare over tor. If they ever de-anonymize your tor system, then they are still sitting on their funny pgp encrypted files.

Another system that allows secure filesharing is gnunet:

gnunet is anonymous on its own, so it does not have to be run over tor.

But last time I checked gnunet was still somewhat developmental. I had to use a gentoo overlay, and that ebuild for gnunet did not even compile…
On windows, gnunet installs some java files but I did not find any startable gui…..

Gnunet seems to have more extensive documentation, where the retroshare code is often poorly documented, although it is good written…..

It can be expected, given the recent news that both projects are upgraded soon.

In fact, the next retroshare version will have a tor option, from what can be read in the forums…

Similarly, gnunet will probably get better interfaces, installers, and will get into the usual distros….

Figureitout August 17, 2014 3:16 PM

Clive Robinson RE: TACK
–Yeah, looks useful (for Z80), thank you. Tanenbaum has really done a lot, I believe the OS class at our school uses his book, looking forward to it. And weirdly, I trust an academic, though he got a big grant for Minix3, more than gov’t agency or private company. But yeah I’m going to have to leverage some outside tools (hence I’m trying to now get some decent assurance (I know there’s still some code running that I want to kill) on computers I’m going to use for programming and design), Aspie for instance needed to make a compiler (which he’s probably already done), but I really don’t get it. Anytime I look into it, get confused real quick. The conversion and the physics still send my mind for a real trip. Don’t think I’ll ever understand it how I want.

Markus Ottela
–Yeah and last time you posted it here, I said “Good job”. Way to go getting a deliverable and putting it up for critique. And the data diode is something I want to implement on my end. Have the link saved for when I have time to try it.

Gerard van Vooren August 17, 2014 4:07 PM

@ Figureitout

About the grant for Minix3. Yes they got 2.5M Euro. Now Benni is saying that the German government want to spend 250M Euro for securing their internal communications.

Somehow these two numbers don’t match. A couple of years ago it was said that redeveloping the Linux kernel from scratch, all 15M LOC, would cost roughly 500M US dollar.

Microkernels such as being used in Minix3 are more logical when being used for real large code bases. Although Linus disagrees with that claim.

All I am saying is that you have to look at the bigger picture. A 2.5M Euro grant is big, but not that big. Especially when you think that when the requirements are the development of a reliable OS, not even a secure one (but these two criteria are related), with the goal to become mainstream.

Figureitout August 17, 2014 4:49 PM

Gerard van Vooren
–True true. I’d have to at least meet him (and not just small talk either) before I can say w/ any confidence at all he’s trustworthy. But from what I’ve seen and read, I don’t have much to not trust and he has similar goals to lots of people here.

Gerard van Vooren August 17, 2014 5:13 PM

@ Figureitout

I was not talking about trust. I have absolutely no reason to not trust Andy Tanenbaum who was until recently a professor at the Open University in Amsterdam or the other members of the Minix3 development team.

Benni August 17, 2014 5:46 PM

this gets off topic, but this nonsense what skeptical says here is easy to debunk:

“The importance of Ukraine to Russia is only partially captured by implications for the natural gas market in Europe. Most of the importance of Ukraine to Russia is a result of history: certain influential Russians, including Putin, regard the collapse of the Soviet Union as a monstrous defeat enabled by the mistakes of weak leadership; they view Ukraine as properly part of Russia, and former Soviet republics generally as areas that Russia rightly ought dominate and control.”

That is history bla bla….

Putin has a phd, which is mainly a copy of someone else’s thesis. But it is not in history, but in mining of natural resources (how to properly mine coal, oil, gas and so on). Somewhere his hobby collecting “geological cards” was mentioned…

Please note Putin’s own words. He said “The collapse of the Soviet Union was the largest geopolitical catastrophe”….

He does not say “social catastrophe” or just “political catastrophe”. So this is not just about politics (as a mere influence sphere would be). It is about geology and politics. And from the perspective of russia, it certainly IS a catastrophe that with the blink of an eye, large oil and gas fields, including one of the pipelines that controls most of the worldwide oil resources (that is this line in georgia), where just next to russias border now. Today oil ang das make up russias income. And Putin also said that he thinks the primary function of the state is that it should prevent people to get poor. So yes, if you loose most of your income resources with a blink of an eye, that is a catastrophe, at least from the view of someone who did his phd in natural resources, like putin. Would it not have collapsed, the soviet union would control the world’s largest shale gas field, the worlds most important pipeline and so on….

It was the same with georgia. An independent european commission found georgia to be the initial aggressor.
But it also noted that russia overreacted. After its intervention, russia then recognized “abchasia”. One year later, rosneft was exploring the 2500 square kilometres large oil field in “abchasia”… so much on russias interest in history or some nonsense:

If russia would not have “over reacted”, that contract would have been given to an american oil company, because at that time, a corrupt US president, george w. bush, a former oil company employee, was in charge, and bush massively invested in the military and government of georgia…..

It should be noted that I think oil fields should at best be explored by domestic oil companies, not by some foreign company from far away, which bribes politicians with financial support, in order to create the necessary social network for buying an oil field.

That behavior of america probably was not of the russians liking. For similar reasons, russia strongly opposed Bush’s intervention in Iraq. Formerly, Iraq used to be a russian oil trade partner.

This american intervention to secure Iraq’s oil fields made russia very sceptic of NATO. Whereas Putin asked the american president, to further stay in Afghanistan, the russians probably see many NATO operations very skeptical and view it sometimes like an armed helper force which tries to “secure” oil fields in Iraq, or Libya, and in a way which brings these countries close to failure. This seems to have some truth because recently, Libya authorities said at some UN panel that libya was becoming a failed state…

However, russia does not see the nato entirely as some threat. In 2009, russian officials said that russia itself could once join nato: In 2000, even Putin himself said so:

It makes not much sense to say you want, someday, be part of Nato, and on the other hand, claim to see Nato as a threat and to fear Nato warships close to your border at the black sea.

Russia recently bought helicopter carriers from France. Such ships must be serviced, which russia can not do properly. It makes no sense, to buy warships and their service from an enemy.

The fact that Ukraine, which serviced the intercontinental rockets of Russia might join Nato, could of course, have raised concerns in russia, as with any nuclear power whose strategic missiles suddenly would get manufactured by another military block.

But since russia even started to buy its war ships from nato, this is a bit unconvincing. Why be in sorrow from Nato ships at your border, when you just buy some of them?

If one recognizes this, then, suddenly, the gas fields at crimea remain as the only reason for russias recent behavior.

The russians probably fear to loose any part in the economic opportunities that these large shale gas fields in eastern europe represent. And they think that the nato ships in the black sea are helping americas oil companies with that.

Many of these gas fields are at Crimea and in the sea of Azov. With the annexion of Crimea, Rosneft overtook them all.

Russia also announced sanctions to the republic Moldowa some years ago in 2012. But why? Well they said:

“Russia told impoverished Moldova yesterday (12 September) to choose between low-priced gas from Russia and its pledge to adopt European energy liberalisation measures opposed by Moscow, which is girding for a conflict with Europe over natural gas.” The energy minister from russia said: “First of all, we propose that Moldova denounce the protocol on entering the Europe energy community agreement. This is a precondition for us to discuss the issue of gas price cuts and the relief of debt, which at the moment amounts to $4.1 billion [€3.17 billion],” Russian Energy Minister”

By liberating the energy market in Moldowa, foreign companies from us and europe could buy Moldowan energy companies. Thereby they would put russia further out of the european energy market, because in Moldowa, there is shale gas too, and oil, and much of it, if you see at these presentations:

“Canyon will begin to develop the East Valeni Field in 2014”

Apparently, the russians carefully studied their geological cards. This is not just simple aggression, of people who want to dominate their surroundings. What the russians are doing here is that they just react in the most stupid way when they have to fear to loose all their current income, which is currently from oil and gas.

Putin’s eurasian union contains Kazakhstan. There too, are large gas and oil fields:

Figureitout August 17, 2014 5:57 PM

Gerard van Vooren
–Oh yeah. Not going to get semantic about what is and is not secure (or reliable). But it’s impossible; holes everywhere. Throwing money at idiots doesn’t necessarily make something better too. Have to choose an OS based on risks and used for different purposes.

And who wants to be the guy after $500M say, “This OS is secure now guys!”. Not me.

Markus Ottela August 17, 2014 6:53 PM

@ Nick P

I stumbled upon the concept of waterfall security through though experiments on how to securely use amnesic live systems to eliminate persistent malware while at the same time retaining the ability to save data from internet, work on it and keep it private. TFC’s three-device layout with one-way data channels came shortly after that (I drew the initial schematic back in spring 2011): Original design intended to use FETs for signal reproduction on receiving computer (I thought I was the first one to come up with such).

I recall first reading about “data diodes” in comments here at, it’s very likely the post was by you or Clive. The next Google search on “RS-232 data diode” led to the final implementation: Having waded through huge amount of news articles and papers on leaks and infosec in general, comments at this blog haven’t received as much attention as they probably should have had. I’ll be sure to scan the site and read related posts and see if I can find things to improve. I’d be more than grateful I you’d be willing to review the paper.

I’ll have to see where I can acquire funding for the patent and which portions of the system can be patented if any. Inability to control sharing the circuit designs or to prevent people from building these transparent devices and use them with general purpose computers makes it impossible to prohibit use of the tool. AFAIK the pre-existing source code can not be taken down even if someone else decided to patent the system first. Anyone who understands the trust-no-one approach of TFC understands they should never acquire commercial data diodes or HWRNG as it includes the risk of interdiction during shipping and subpoena-induced factory-level compromise.


  1. True, VoIP or video chat can also be implemented. Data rate of serial port however isn’t fast enough. With as negligible budget as this project has been developed on, faster data diodes hasn’t been a possibility: Ethernet-to-fiber converters might allow UDP packet transfer but without things such as faraday rotators, unidirectionality of data transmission might not be as trustworthy as LED + photodiode assembly recommended by D. Jones. Using COTS parts has less probability of hardware compromise. I’m all for extending features of TFC; IM was easiest implementation for this PoC.

  2. For OTP to be functional, you want to preshare a lot of key material to compensate the cost of time and effort required by f2f meeting. Transferring a 100MB keyfile in encrypted form over USB2 pendrive takes 1..60 seconds for terminal commands plus 4..60 seconds for file transfers. Transmission of keyfile in plaintext over 9600 baud/s (1.2KB/s) data diode takes more than 23 hours. The implementation would be more feasible with high speed data diodes.

  3. Let me know if TxR has a special meaning or if it’s a typo so I can see if it affects the reply:
    You should organize your computing, document creation, camera unloading etc. to fit the cascading waterfall allegory since day 1. Anything on the networking / NH terrace and below should never be transferred to TxM terrace or higher, at least in digital format: We should never think we can detect malware before it is able to compromise the entire analysing system. You can forward a received text file or image to another contact via TFC by printing it from RxM (note that printers might store plaintext information indefinitely) and copy it to TxM with scanner (same problem as printer) and maybe convert a document to text using OCR software: I think we can safely assume printing adds enough noise to prevent additional data transmission (unless printer adds something like the yellow dots and scanner is factory-compromised to look for the covert channel).

  4. We’re after all talking about automating a loop that connects RxM to TxM. A single vulnerability in such system would render the entire setup insecure. IMO, an open source printer and scanner hardware has highest potential for success. Note that this process should never utilize digital format (What happens when malware on RxM writes sends an exploit to TxM using QR code?) Additionally, I’d say any hard wired, open circuit design logic for exploit code detection would be outdated far too quickly to have actual effect on security.

Skeptical August 17, 2014 9:31 PM

@Benni: Putin has a phd, which is mainly a copy of someone else’s thesis. But it is not in history, but in mining of natural resources (how to properly mine coal, oil, gas and so on). Somewhere his hobby collecting “geological cards” was mentioned…

Please note Putin’s own words. He said “The collapse of the Soviet Union was the largest geopolitical catastrophe”….

He does not say “social catastrophe” or just “political catastrophe”. So this is not just about politics (as a mere influence sphere would be). It is about geology and politics.

“Geopolitics” refers to global politics. It has nothing to do with geology.

As to Russia’s views on Ukraine, I recommend this 2008 State Department cable which describes in some detail Russian concerns.

As to the viability of Ukrainian shale gas, I recommend this article.

Understand that shale gas is expensive to extract (which can make it unprofitable if gas prices are cheap) and early estimates often do not pan out. Here is The New York Times characterizing Poland’s experience:

Large reserves of the gas discovered two years ago were initially projected to meet Poland’s energy needs for 300 years, but estimates have since been slashed by more than 80 percent. International energy giants like Exxon Mobil and Talisman Energy of Canada have scaled back their investments after disappointing early attempts at extraction. And competition from other fossil fuels, like abundant coal supplies, has made it unprofitable to tap many of the country’s new energy fields.

Moreover, even the most optimistic projections for Ukrainian natural gas extraction are at a fraction of what Russia produces and sells. Ukraine hopes to extract in total, by 2030, what would amount to a tiny percentage of the natural gas Russia transports in pipelines through Ukraine each year.

The problem with Russia’s dependence on its oil and natural gas exports is simply that these are increasingly global markets. Ukraine’s importance in that scheme is extremely minor.

I’m afraid that the problem in Ukraine has relatively little to do with economics. If it did, finding a resolution would be far less difficult.

As to Russia’s view on NATO, it opposed NATO’s expansion in the 1990s and it continues to oppose it today. There’s nothing sanguine about the way that the Russian Government today looks at NATO expansion east.

Chris Abbott August 17, 2014 10:43 PM


Do you think BND possibly has someway to defeat cryptographic primitives like AES? I guess they could have used unencrypted lines, but both of them? In areas like the Middle East? It seems odd to me…


On every news site I go to anywhere, the Soviets have a ton of ridiculous propaganda in the comments section. The stuff they write is just over the top too. One state owned Russian media outlet reported that MH17 was actually Flight 370 and that the US Air Force captured the plane, brought it to Amsterdam and filled it with dead bodies, and then timed it to blow up over Donetsk just to make the Russians look bad. Seriously, if anyone believes this, then I understand why we have stupid warning labels.


I agree 100%. This is about Russia’s fear of NATO. What I don’t understand is why Russia feels NATO is such a terrible threat. They can’t possibly think that NATO is going to invade Russia. I’m thinking this is about nationalism. Russia’s national pride is at stake, and they’ve long wanted to have more influence in the world than The West. You’re right about the fact that this is about more than economics, and the fact is, that makes it incredibly more dangerous and incredibly more difficult to stop, because for them, it’s personal.

MrC August 17, 2014 11:02 PM

OK, I think I’m getting a slightly better picture of what bothers you about this business. Please tell me if I’m somewhere close to the mark. The aspects of this DecryptCryptoLocker that bother you are (1) Private corporations were “deputized” to take part in LEO activity; (2) Both government and corporate actors gained access without permission to other people’s computers (definitely the bad guys’ computers, possibly also already-compromised computers belonging to victims); and (3) the private corporations are now profiting (at least reputationally) from this activity.

As a blue-sky exercise in barking up trees, I’m going to focus on item #2. The biggest hurdle to finding a law that was broken is the fact the the target computers, and probably the gov/corporate actors too, were outside the US. Although the US government thinks it can pass laws that apply to conduct outside the US, and at least in some instances has the muscle to enforce them, it generally refrains from doing so. Only laws that explicitly say they apply extraterritorially do so, and there aren’t very many of them. 18 U.S.C. § 1030 is one of the few that do. (See § 1030(e)(2)(B).) Right off the bat, we can see that the government actors are off the hook — § 1030(f). But what about their corporate pals? Well, it looks like their actions fall within the literal scope of § 1030(a)(5). If we interpret the definition of “protected computer” (§ 1030(e)(2)(B)) literally but perversely, then the C&C servers are “protected computers” since they (negatively) affect interstate (by crippling victims’ ability to participate in commerce when their data gets locked down). Likewise, if we stick literally to the definitions of “damage” and “loss” (§ 1030(e)(8) and (11)), while ignoring the fact that the “protected computer” is doing something totally illicit, then the corporate actors did cause “damage” and “loss” (unless they just broke in and plucked data, then left it for the government types to press the big red button). So there you go. The obvious pushback is, “that may be what Congress literally wrote, but it’s not what they meant.” As a practical matter, the US Attorney who has jurisdiction over this is surely going to decline to prosecute, even if the matter is brought to his or her attention. Section 1030(g) gives the owners of the C&C servers that got wrecked the right to bring a private suit, but they’re wanted criminals, so that’s also unlikely to happen.

@Markus Ottela

Yes, by “TxR” I meant “RxM.” My apologies.

Returning to my third question, what if it’s large binary data. Hypothetically, let’s say that I’m a world-renowned journalist who has just received very important leaked documents via, let’s say, e-mail. Now they’re sitting on NH and I want to send them out via TFC. (Alternatively, I received them via TFC and now they’re sitting on RxM and I want to send them out via TFC.) What’s the safest (i.e., least dangerous) method of getting that large binary data onto TxM? (I recognize that any method of doing this is going to entail some risk. On the other hand, if the universe of messages I can send is limited to those messages I can type (or scan), that’s a pretty serious — maybe even fatal — functional limitation.)

Nick P August 17, 2014 11:14 PM

@ Markus Ottela

I appreciate the clarifications.

” Inability to control sharing the circuit designs or to prevent people from building these transparent devices and use them with general purpose computers makes it impossible to prohibit use of the tool. ”

Sort of. It’s like copyright infringement: you can do it, but might get caught and convicted. I’m sure your tool would be extra easy to identify because it’s probably the only Pidgin system they can’t hack. 😉 There might also be traffic analysis patterns. So, patents remain a legal attack on the system potentially.

re your program

I’ve only read the paper so far. Here’s a few suggestions for you based on what I see in it.

  1. The ability to see what you’re typing as you type it is quite useful. Yet, there’s no link between keyboard-equipped system and receiver in the paper. This could be implemented with an extra one-way link between sender and receiver. Alternatively, the network-connected computer could send a copy to the receiver like it does over the Internet. The extra physical link has better performance and availability characteristics.
  2. I get the reason for OTP’s but it’s unnecessary. Far as we can tell from academia and Snowden leaks, even mighty NSA can’t take down a good symmetric cipher so long as you implement it right. You should include an option to use that instead. A 256-bit stream cipher or block cipher in regular counter mode gives you plenty of security. Additionally, you can just preshare the key once for each party: a master key others are derived from using a shared nonce. If the ciphers concern you, you can use a number of them in parallel for encryption, key generation, integrity, etc. I’ve did this in a number of designs many years ago (inspired by DES->3DES) and there’s still nothing resembling a break in academic literature. Works best if ciphers are internally totally different from one another.

Note: This also reduces storage requirements of the device. That allows more devices to be used such as cheap microcontroller boards and old PC’s/servers predating NSA subversion program.

  1. Protection of one-time pad. You recommend encrypting keyfiles. I’ll go further with specifics. I’ve always protected OTP’s by generating the master key with a combo of an on-device secret (eg firmware/OS/app) and a password. Combining with an on-device secret has a number of benefits, but the main reason is insurance against bad passwords. This same rule applies to the buddy’s PSK’s if you do No 2 on my list. On-device secret or not, that whole master key list gets strongly encrypted with a key tied to a password at the least.
  2. RNG. You did good work trying to handle RNG right. Good news is our crypto-RNG’s are really good so long as their seed is truly random. Your use-case, if combined with symmetric crypto, doesn’t actually use much in terms of random numbers. I even have a no tech method that generates good seeds from cards or dice. Hash that, iterate over it a bunch, and plug it into a CRNG. Iterate the CRNG about 20 times just to get its internal state further detached from the key value. (I do this with almost all my crypto.) Now, you can generate all the random numbers you need without much trouble. And, like in No 3, you can store the CRNG state in an encrypted file.

Most important recommendation is getting a PSK symmetric crypto option for your app. Big, one-time pads just kill user take up. I know from experience as virtually nobody was interested in that option in my designs and only two (snake oil) companies claimed any success in the marketplace.

Nick P August 17, 2014 11:24 PM

@ Figureitout

“And who wants to be the guy after $500M say, “This OS is secure now guys!”. Not me.”

Give me $500 million and the ending will be, “This whole platform is secure now guys!”

Solaris 10 took almost $300 million to develop with commercial best practices. Academics made medium-high robustness versions of UNIX back in the day on grant money. Orange Book A1 platforms cost $15-25 mil to develop. seL4 was around $5 mil. The custom chips are anywhere from $1 to $30 mil. I’m sure I could stretch $500 mil pretty far.

Buck August 17, 2014 11:33 PM


Pretty much just your number (3) that is disconcerting to me… It’s a slippery slope my friends, and at the bottom there’s a criminally immune privatized police force and prosecutors who’s motives are purely profit-driven in lieu of real public safety.

Figureitout August 18, 2014 12:47 AM

Nick P
Give me $500 million and the ending will be, “This whole platform is secure now guys!”
–Ok…So you’ve got a plan for dealing w/ active attacks. You’ve got a mobile-powered-shielded lab that people can code/work in. You’ve got a system in place to run background checks on volunteers/employees. You’ve got supply chain networks set up for tiny parts and the way more critical chips.

You and me, others…we’re not talking “commercial best practices”, we’re talking nearly impossible to subvert. You’re ready to take that on, now?

For physical premises, if you go “static”, then there needs to be at least 100ft. or so of pebbles to make loud noises in all directions for approaches. All floors are deliberately “squeaky”, so no movement can happen w/o noise. There’s at least one dedicated person whose sole job is to go around testing and setting up sensors for physical intrusions.

Lawyers cover our legal asses and everyone on board keeps a low profile and pays taxes/etc.

Traps are laid for intruders and we all have more than one way of getting in contact (custom encrypted wireless links).

I could go on, but you have all this set up; in addition to the actual technology and the science and math and experiments somewhat proving its security.

You’ve got all that ready. Ok…..

Cervisia August 18, 2014 6:10 AM

TFC’s RNG uses a von Neumann debiaser, but I cannot see any proof (or even a plausible argument) that the avalanche noise is generated by a Bernoulli process.

Timothy (TRiG) August 18, 2014 6:34 AM

Qualys SSL Labs give this site’s SSL implementation an F rating, with the message “This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F.”

How worried should we be?


Gerard van Vooren August 18, 2014 6:52 AM

@ Timothy (TRiG)

“How worried should we be?”

That is a funny remark. According to The Intercept [1] you can get hacked by just watching a youtube video. With software from Hacking Team and FinFisher there is nothing preventing them (our governments) to provide malware.

With bugs galore the best thing is not to use the internet at all. Does that answering your question?


Benni August 18, 2014 8:25 AM


The embassy cable you cite, proves exactly my point. The russians say:
“Additionally, the GOR and experts continue to claim that Ukrainian NATO membership would have a major impact on Russia’s defense industry,”

They do not want their strategic intercontinental missiles serviced by NATO which would be the case if Ukraine, where this is done, joined NATO. I do not know how the US would react, if they would service their intercontinental missiles in, say, mexico, which also would deliver important parts of these missiles, and then mexico would join a russian or other foreign military coalition…

Regarding your links to shale gas, well the statement of ukrainians president yakunowitch was this:

“through the large scale projects with Shell and Chevron, Ukraine will be able to become independent from foreign gas imports by 2020, and if optimistic estimations are true, we can even export our ressources”

This is a danger for russia, not because it has not much gas itself, but because it has to fear to loose its most important customer.

In contrast the link from skeptical almost looks like a conspiracy theory. Shell said it is suspending its projects because of the war in Ukraine, and the article provided from skeptical then speculates that the true reason for this would be that the gas deposits turned out not to be valuable. This is nonsense. The separatists have placed themselves exactly on these shale gas deposits in Slaviansk, Donezk and Luhansk. If shell would have been there and met the separatists, the workers would have been captured and the separatists would have claimed their expertise for themselves. Shell had to go temporarily, because it would have been a target.

However, in fact the real danger for russian gas exports (and other countries exporting gas) comes not even from the shale gas, this is true, but from this project here

and that are only the planned windmills at the german coast. the complete list at the north sea is there The word “Leistung(MW)” means the output of electrical power in mega watts. Some of these parks with wind mills are planned to have an average output of 9000 mega watts, this is the amount of around 6 atomic power plants. And there are hundreds of these parks planned.

In germany it is a bit delayed because the first german park went offline. The reason is that the mills delivered so much energy that the transformer simply exploded: (In fact it was this challenge that prevented offshore wind parks before. You need systems which can transform an enormous amount of electrical energy that is constantly changing over time, depending on the wind, into a reliable consistent current. This is difficult if you have an average output of 6 nuclear plants…)

With so much electrical power you can connect a motor, and a machine that puts heat from a colder reservoir to a hotter (a heath pump), meaning that you convert electrical energy into heath, and that is what gas was formerly used for.

The german government has funded this study, saying that in 2050, germany will have no need anymore to import any russian gas because of these windmills, if they come online as planned.

This is the beginning of the post oil and gas society. And one has to look how russia will react to that, when it looses virtually all its gas exports. The same goes true for other gas exporters. And for countries exporting oil as well. You can drive cars with this amount of electrical energy.

I do not know how countries like Saudi Arabia will react, when all people are driving cars like this Tesla-S with electrical power becoming cheapest form of energy. And this will probably happen. Once the european windparks are online and there is enough experience gained, they will export this technology to other countries as well.

Benni August 18, 2014 9:46 AM

This should be interesting for Edward Snowden:

The germans captured a hacker, who robbed 40 million dollars from US banks.

In the US the hacker is facing a sentence of 250 years. Now the hacker’s lawyers go to germany’s highest court to prevent the extradition to the United States. They say that germany’s highest court has argued before that german authorities have to be extremely cautious with extraditions to the US, because of the known low juridical standards in america, and since a sentence of e.g. 250 years would be against human rights….

If the german government is not even allowed to extradite someone who robbed 40 millions of a bank to the United States, then extradition of Snowden, should he touch german ground, is entirely off the table, given that extraditions because of political crimes are forbidden by german law.

Nick P August 18, 2014 10:54 AM

@ Benni

It actually doesn’t mean anything. They’ll merely argue Snowden’s case should be treated differently for (nonsense here) reasons. The real reason they would extradite him is they want to be on good terms with U.S. intelligence, also hoping to join Five Eye’s. These reasons have nothing to do with law and they’ll continue to try to twist law to their advantage.

Benni August 18, 2014 10:58 AM

Here is an interesting comment about FinFisher:

“33,2 GB from the hacked files are encrypted with a pgp key from “”. Apparently this is an employee from FinFisher. But according to Wikileaks, Vervis GmBH has licensed surveillance software 2010 from Gamma International. Vervis Comint Services GMBH are based in Rosenheim, this is only 10 kilometers away from Bad Aibling, where BND operates its large listening station. Finfisher itself is developed by GammaGroup international which has its headquaters in Munich, only 10 suburb train minutes away from Pullach, where BND has its headquaters. Are the FinFisher GMBH as well as the companies licensing this technology really front companies of the BND? That BND owns numerous front companies from which it earns money is long known….”

Yep that definitely sounds like BND. Offering spyware to Bahrain, with BND backdoors included, would enable BND to get data on Bahrain dissidents, possibly islamists, and if the Finfisher software is backdoored well enough, BND would have an entry door to hack Bahrein…

BND similarly went to selling products before. I have explained before how BND tried to sell its partially stolen database software to europol:

You want to buy the “Langenscheidt t1” translator software?

that was the only product sold by the BND company GMS, which acquired the language software metal from siemens. That way BND could let GMS be swallowed by Learnout and Hauspie, which they then over-hyped at the stock market so that BND could get its hands on the american language companies dictaphone and dragon….
In this link there is even a video where learnout admits of working for BND

So the BND selling the surveillance software FinFisher to Bahrein, that would be quite the typical BND style of operations….

Hacking team is an italian company. With BND even running the management of crypto hardware manufacturers in switzerland for introducing backdoors it would not be a surprise when they also run italian malware manufacturers. But today there is no information confirming this. Although distributing malware over youtube would be of their liking…..

Nick P August 18, 2014 11:46 AM

@ Figureitout

“-Ok…So you’ve got…”

No, that’s all nonsense. I’d just design the chips, boards, security critical software, reference implementation that’s useful, interdiction-free shipping method (or proof that it can’t be), and guides + tools on physical security. This suffices to beat all low grade attackers and many high grade attackers. Targeted operations by local, ultra-powerful opponents? They’re not going to win that battle as few can. Wasted efforts like those are outside the threat profile.

(Although, I got stuff for dealing with them if we’re talking service-oriented architecture or tamper-resistant embedded. Still no guarantees on that.)

Wesley Parish August 18, 2014 9:36 PM


I do not know how the US would react, if they would service their intercontinental missiles in, say, mexico, which also would deliver important parts of these missiles, and then mexico would join a russian or other foreign military coalition…

I may have played a part in something like this a brief while ago (geologically speaking, of course :). It was the early 2000s and New Zealand’s then-Labour government had cancelled an order for the hiring of some F-16 Fighting Falcons for the strike arm of the RNZAF. After a while I got sick and tired of the constant back-and-forward arguing that New Zealand absolutely had to have a strike component to its air force, and I sat down and worked my way through various possibilities … for example, if the RNZAF did need a strike component for New Zealand’s self-defense, it needed to be a maritime strike aircraft: in other words, it needed range, performance both high and low, load-carrying capacity and above all else, range. The F-16 struck out on range, and its load-carrying capacity wasn’t as great as some other options.

The F-15E and the Su32/34 and the Blackburn Buccaneer were all that remained standing, in my little private study of the options, but the Buccaneer was no longer available anywhere. The F-15E would be more expensive than the Su32/34, so I wrote an Open Letter to the then leader of the Opposition, who was likely to be listening to the pro-strikefighter voices, advising him that the Su32/34 was the best possible option. I also spread this Open Letter around, and the Russians took it seriously enough to actually offer the RNZAF some of their Su27s, and we never heard another word about the RNZAF’s (supposedly) urgent need of strike aircraft. (I figured out that the Pentagonal ergo hidden voices who would’ve been trying to orchestrate the RNZAF hiring of these expensive paperweights, would’ve followed my arguments and come to precisely the same conclusions, whereupon they in shock would’ve turned themselves in for reprogramming. 🙂

That’s me, amateur geopolitician. 🙂

Figureitout August 18, 2014 9:55 PM

Nick P
–Is it? I hate to think about it, I really do; it’s boring and most especially distracting and worthless! And the attacks are just simple facts of reality. To disregard it is naive and dangerous IMO. Why?–B/c why would you work so hard on something, only to have either stolen or subverted by a simple physical attack? And when you know it happened it’s very disturbing and could wreck the project itself and cause false problems (ie. attacks made to look like errors/glitches, leading to less secure work-a-rounds).

Though I don’t see it very likely to happen, I’m still pushing for another go at a “secure computer”, the entire thing. I’ll only step up and really give it a shot way later when I have some funds built up and another good 20-30 years personal training (assuming all our computers aren’t overtly rooted and something worse than UEFI is forced on us). I think still doing this brainstorming here is good: being spread out, try things, collect thoughts; w/o risking a full compromise yet and having a well thoughtout plan if it ever goes live (for the love of pete please…).

To build on your post here, I’ll try to clarify some thoughts and continue formulating a plan w/ regards to overall system.

Instead of 2 layers, use 4. I know, we could keep going, but hear me out. First, we use as many ISP’s in the area possible; potentially making some valuable contacts w/ some network engineers favorable to the cause. Next, modems given by ISP’s need to be mitigated as I’ve witnessed SAME DAY compromise of them when we got a new internet connection.

1st layer is solely VM’s used for surfing web, but the connection is only touching the web via a network of “repeater” routers that function as a mini-mixer network and constantly change IP/MAC address.

[How to do this (a homebrew system at least), I’m still thinking about something involving a few RasPi’s. I’m also thinking on an email forwarding scheme so I can give Aspie an email again once and for all.]

If compromised, reboot. If thorougly compromised, server is decommissioned for some time and relegated to “time out” and dedicated disk only machines for diagnosis.

All files from 1st layer go thru a guard to 2nd layer. Next layer is local LAN and local server for document backups and research (potentially email or a separate layer). Again dedicated computers for accessing this network, and another guard is implemented for 3rd layer which is work computer that may need files from the internet.

The 3rd layer is where I start getting nervous. These will be work (AKA programming/flashing) computers. Using a guard may or may not be best, other file transfer methods like the handy USB/CD/DVD ones may suffice.

The final and 4th layer is homebase. Just thinking about making “homebase”, is making me nervous. This is an RF-shielded collection of embedded chips running code that we have THOROUGHLY looked over and are one-time-programmable and store things like crypto keys, internal security protocols, and IP in an EEPROM that only prints to a screen and is physically transcribed on a single sheet of paper on glass and wiped after use. Other chips and potentially LED’s and simple annoying speakers connected via a relay line indicate any power use. Homebase cannot be compromised and a protocol like this needs to be followed religiously and seriously. No joking in homebase.

That’s my high level thoughts on the “network” aspect of things. Implementing it is another story.

RE: interdiction-free shipping
–Curious what you’re thinking? As I’m talking global shipping routes, most computer products have been all over SE Asia before they come here via either barge or plane. I’m thinking a boat would be best to get to a port, and drive; rather than dealing w/ aviation laws. My really old friend (who I haven’t seen) became a pilot and I have a family friend who’s a pilot; you can just go flying usually. Of course it’s regulated pretty well, but there was some nice freedom to it I believe. Having a trans-national private plane would be very nice for getting components, if someone were to take it that far…

Figureitout August 18, 2014 10:57 PM

Is it possible to physically destroy a microcontroller with software?

I would say yes, though I’d hope the code would be saved somewhere to see just how bad it is. I’ve written a buffer overflow in like sub-20 lines of C w/ no memory management, so I could probably do it w/ one of my epic f*ckups; oh the failure was bitter. :p

Interesting discussion on /r/netsec, main way was rewriting important parts of flash until it wears out, but that may be outside question of “not bricking it”. I’ve witnessed mostly “non-software” ways like shorting pins and frickin’ lightning strikes(!), but I really wonder specifically how the SATA controller failed on a computer; as I don’t accept “meh, just a bad hardware”.

Clive Robinson August 19, 2014 3:17 AM

@ Figureritout,

Is it possible to physically destroy a microcontroller with software?

Yes, it’s actually quite hard stoping it in the first place…

A little bit of history, back when the Comodor PET computer was new sombody discovered that using the BASIC peek/poke instructions it was possible to make certain IO ports destroy themselves as well as taking out part of the power supply or supply traces on the PCB.

Such “bus crashes” had an earlier history back with bitslice processors and trying to “run to fast” or what we would now call “over clocking”. If two or more bi-directional ports on a bus both become outputs, and the states of their pins are opposite then current will flow in great quantity from the PSU into the chip supply lines through the output buffer of one port back into the output buffer of the other port back through the chip supply lines to the PSU. With the result that things will heat up and in time melt like a fuse…

The thing is that you could have the logic run where both the buffers where on as output for a very very short time, apparently without problem. But the damage was being done bit by bit and just like an old fashioned incandescent light bulb you know that eventually it will burn out. This is unfortunatly true for some hard disk chips from some years ago where “Chinese knock off parts” got into the supply chain.

But there is another problem which can cause bus contention problems, one of which is metastability in the likes of latches if these control bus buffers –and they do– then the potential to fuse a chip is there waiting to happen.

Then there is the question of SoCs and other multifunction chips where output pins are shared between different functions. If these are not properly delt with then incorrect sequencing by software could cause the chips to fuse. Obviously the more you overload the function on external pins the more likely this is to happen and with “Chinese knock offs” becoming more prevelent in the supply chain the chances of it happening are higher.

Then there is the question of updatable microcode actually in the CPU it’s self, a change here could make internal registers bus clash easily as well…

As I said ‘it’s actually quite hard to stopping it in the first place’.

Scott "SFITCS" Ferguson August 19, 2014 3:51 AM

I always “believed” this was deliberate gibberish (not Latin):-

Lorem ipsum dolor sit amet, consecteteur adipiscing elit. A. Ipsum ac felis ullamcorper pharetra, vivamus litora hac. Ullamcorper. Cursus class blandit malesuada taciti a adipiscing hac, fames elementum viverra. Tortor sagittis elementum est erat phasellus magnis, adipiscing. Etiam donec mus curae class, tempor curae adipiscing. Ac, platea at ve eu tortor etiam diam, posuere eget, a odio parturient. Diam porttitor tempor velit lobortis magna a turpis donec eni. Urna nam lorem nostra at ultrices.

…. and that Google Translate was not a Delphic Oracle that knows all about geopolitical intrigues, and the NSA.

Apparently I’m wrong.

And there I was imagining that Google Translate “learned” translations from user editing.

Must. Burn. Witches. Now.

indisputable proof – according to, um, experts(?):-

Lorem ipsum dolor sit amet consecteteur high school. A. He played football and tours, live on the beach. Notebook. Course class scientists advising silently from this downturn, famine cartoon element. Macro shooting element is the boat was great, Colorado. Well, until we take care of the class, this time taking care of the customer. Also, the street or the EU but also sophisticated platform, Fusion, from hatred of the industry. Officials say the airline can choose from a large selection of tickets until ome. Parameters for lorem look at our basketball.

(sigh) mutter, any sufficiently advanced technology is indistinguishable from magic (more so if you’re a journalist).

Winter August 19, 2014 5:14 AM

Electrical grounding is enough to divulge your keys:

Get Your Hands Off My Laptop:
Physical Side-Channel Key-Extraction Attacks On PCs

We demonstrated physical side-channel attacks on a popular software implementation of RSA and ElGamal, running on laptop computers. Our attacks use novel side channels and are based on the observation that the “ground” electric potential in many computers fluctuates in a computation-dependent way. An attacker can measure this signal by touching exposed metal on the computer’s chassis with a plain wire, or even with a bare hand. The signal can also be measured at the remote end of Ethernet, VGA or USB cables.

Through suitable cryptanalysis and signal processing, we have extracted 4096-bit RSA keys and 3072-bit ElGamal keys from laptops, via each of these channels, as well as via power analysis and electromagnetic probing. Despite the GHz-scale clock rate of the laptops and numerous noise sources, the full attacks require a few seconds of measurements using Medium Frequency signals (around 2 MHz), or one hour using Low Frequency signals (up to 40 kHz).

Andrew_K August 19, 2014 6:16 AM

A quick tought on the BND wiretapping Clinton thing.

Why was NSA able to wiretap Merkel? Because she got lazy and did not use her crypotphone when talking to her party.
It was not chancellor Merkel who has been wiretapped, it was party leader Merkel.

Keeping this in mind, it seems possible that current U.S. politicians may have more than one phone they may use to communicate with — well, party, family and so on. For unclassified communication, that is. Relevations just say that these persons have been wiretapped. Not in which role or context.

It just seems more plausible that a person gets lazy than BND cracking NSA’s finest free-to-deploy encryption on the fly.

So yes, there may be a recording of Hillary Clinton telling Bill that she’ll be home late today.

Clive Robinson August 19, 2014 8:29 AM

@ Winter,

Now you know why TEMPEST requirments are so hot on “earthing” and preventing “circulating ground currents” often by multiple galvanic isolation and balanced feeds for power, general signals (both red and black) and even for RF signals to antennas and other non TEMPEST equipment.

In essense any ground current will effect the ground currents of any other equipment attached to the earth point or “node”. Thus signals will cross modulate each other and if the currents are high enough and the circuit they are in visable to RF then the effective changing impeadence will cause an incidental RF signal to be amplitude modulated when it’s reradiated from the circuit.

There are various “TEMPEST” related words that supposadly cover these efects amoung which are “HIJACK” and “TEAPOT”.

The effects have been known since before 1850 one way or another and their military use was well established in WWI where field telephone conversations could be picked up on the otherside of nomans land simply by connecting onto barbed wire with a sensitive earphone.

Winter August 19, 2014 8:37 AM

@Clive Robinson
”Now you know why TEMPEST requirments are so hot on “earthing” and preventing “circulating ground currents””

I know. As a student, I worked in a relatively lab where they had driven a 30m copper pipe into the ground water table to get independent earthing. However, I had to work in a different room and had months of grounding problems 🙁 (loops etc)

What I find much more interesting is how the GPG people leveled CPU use in their libraries to fix this (because that is what I expect they did).

There seem to be a lot of arguments against this particular set-up (old hardware, specially crafted keys and crypttexts), but I understood from Bruce that attacks only get better.

Clive Robinson August 19, 2014 9:55 AM

@ Benni,

I don’t know if you have seen this or not,

But I’d advise treating it with a degree of suspicion due to it’s source.

However on a historical note natural resources have been used as political tools for thousands of years over such things as “water rights” and China is known to currently use access to the likes of rare earth metals for political as well as economic control.

As I have said for several years on this and a couple of other blogs, “energy” is the new currency and as far as politics go the new “water” for controling other nations and peoples. And yes I’ve predicted that people will go to war just to deny it’s control to others rather than cead past power bases.

Iain Moffat August 19, 2014 6:46 PM

@Clive and Figureitout

According to one of my university lecturers who was an early user the Motorola M6800 had an instruction that caused latchup and potential failure due to overheating which was 9D hex in chips made before mid 1974 – the instruction survives in an undocumented address bus test mode as mentioned in Byte Vol 2 no. 12 p46 in 1977.

So it is possible to have a device self-destruct if the silicon allows it by design (or design error) – in CMOS if both the N and P channel devices in a pair are turned on it will present a low impedance / high current path between the supply rails through the IC. It would be fairly easy to do in full custom layout by misusing the larger transistors used for I/O I think, but fairly obvious in a die photo because they are large.


Benni August 19, 2014 8:23 PM

The US Nuclear Regulatory Commission was hacked

And in fact this seems to be one of the rare cases where hacking was a reasonable thing.

This comission is responsible for creating reports of nuclear accidents.
And one is interested in these especially, if one buys US nuclear reactors.

In fact china is currently buying large amounts of american nuclear reactors:

“China seen buying Westinghouse reactors for $24 billion nuclear
energy projects”

Nuclear accidents are often kept secret by plant owners. The chinese apparently have doubts on the official reports on safety of these reactors and so they hack into the authority that monitors the accidents of these plants.

The sad thing is that this is a very reasonable concern.

Currently two belgian reactors are offlinbecause the steal of their reactor pressure vessels had severe defects. The belgish investigation comission found that the reason for these defects were problems that occured during production of these vessels.

The problematic thing is that these reactors were assembled according to american standards. 18 reactors in America and Europe were manufactured in the same way.

However, their operators seem to have a another idea of security. Therefore they do not shut these plants down in these countries

Apparently, in america, it is quite OK if a nuclear reactor is manufactured in a way that it will develop, after 30 years of regular use, thousands of fissures (that is why the belgian plants have been shot down)…..

If I would be a government who wanted to buy reactors from an american company, I would hack into the nuclear regulatory comission too, just to ensure that I am not being lied at by the manufacturers, when it comes to safety issues.

And I urge the government, or who ever hacked into the US Nuclear Regulatory Commission, to release all data on nuclear accidents and safety issues of US nuclear plants in full to the public on the internet.

Any data regarding safety problems of nuclear power plants should be in public domain. Only if the people living around these plants are knowing exactly how secure they are, can they chose to move somewhere else if a reactor has permanent accidents.

Markus Ottela August 19, 2014 10:43 PM


TFC can’t perform magic and isn’t intended for large file transmission. If you want to do the file transmission with OTP encryption while keeping the key secure, all you can do is damage control:

  1. Limit the amount of exfiltratable keyfiles: Have a separate, purpose-dedicated device ($35 for RPi). Let’s say there’s 700MB of leaks. Copy 1 GB of OTP key material from original TxM to a new microSD card (AFAIK it’s firmware is harder to compromise than USB).
  2. Start the new RPi, copy keyfile on it, remove the microSD.
  3. Copy GPG encrypted files from NH to new RPi with another microSD card and decrypt them.
  4. Generate 300MB of padding and encrypt the plaintext to generate a 1GB ciphertext file.
  5. Copy the ciphertext using a third, 1GB microSD card to NH and send it over Tor (prefferrably via TAILS session).

  6. Physically destroy all microSD cards and the temporary RPi.

This way minimal amount of OTP key material has minimal chance of ending up in NH, and malware on RxM has minimal effect on original system.
There might be more secure and/or easier ways, I’ll have to give this more thought.

For RxM received data, you can also try to throttle content through low-capacity removable drives or data diode to intermediary computer for content scan before moving it to TxM. Again, using a dedicated TxM can minimize the risk of stolen keys and persistence of malware. Additionally, capturing content and amount of data going through data diode using “dumb” unpredictable devices (security through obscurity) might have a chance to detect malware.

TFC is intended for communication, not for file transfer.
There’s been a time in our lives journalists used faxes to transmit documents. TFC can serve as secure backend for such implementation but transferring binary from RxM to TxM defeats the purpose of the trilateral design.

@ Nick P

  1. I admit I should have mentioned this not only in the manual: The NH does send copy of messages to the local RxM where it’s displayed after authentication and decrpytion. shows you what has been sent and shows the full conversation.
  2. Like I wrote, 256-bit AES is secure even against Grover’s quantum algorithm. The main reasons for OTP were easy implementation, auditability, security over obesity and equal inconveniences of f2f key exchange and HWRNG key generation.

AES doesn’t concern me as a cipher, but since security of Linux OS depends on subpoena vulnerable certificates, one of the weakest links for mass compromise is pre-compromised TxM side OS: Where as covert steganographic channel could smuggle AES key over 256 messages or less, OTP requires constant leaking of large amount of key data.

However, the separated encryption and decryption devices are the best way I can think of how to implement AES. Lack of loop back from RxM to TxM would require manual typing of the nonce (or DH key exchange values) so most practical way would be to replace OTP with list of pre-shared AES keys, changed on message basis or alternatively generate limited sets of pseudo random symmetric keys from a list of HWRNG generated seeds.

I agree the reduced requirements for key storage space is a huge benefit. I will have to study secure implementation of AES before I will go about adding it. OTP should remain as an option since my guess is some users would rather have the certainty: This is why unconditionally secure authentication will also be implemented in the future.

  1. TFC can’t prevent users from choosing bad passwords for full-disk-encryption, or mating hardware in insecure ways. My experience is users can learn high-entropy passwords if there is will, and entropy can further be added with 2FA devices such as Yubikey or USB rubber ducky.

It isn’t per se. Slow enough sample rate should make the process memoryless and while the probability of each “trial” or electron jump over PN-junction isn’t mathematically constant, the bias or frequency shouldn’t deviate notably or predictably over the time it takes to generate a single keyfile: avalanche breakdown mechanism isn’t destructive. I’ve a lot to learn and understand on this issue so I can’t say for sure. I’ll look into further whitening if there is a problem. My understanding is VN is commonly used with HWRNG implementations and all measurements I did increased entropy after VN whitening. If you have any suggestions how to improve the design I’m more than willing to learn.

Nick P August 20, 2014 12:27 AM

@ Markus

” isn’t intended for large file transmission”

You’re better off keeping the design simple and being honest about its limitations. We already have designs that can assure file transmission and they have very different assumptions than your use case. Adding this feature to your design is actually possible, but would be a mistake. So, your response was quite wise. 🙂

re feedback while typing

Thanks for clarifying. Good to know it’s there. I actually thought the feature existed simply because I imagined your first experience typing without feedback would be plenty motivating to add the feature.

re OTP

OTP’s implementation is easy, but not simple or very usable. It’s not simple because now you’re getting your users to make more trips and use more complex (risky) devices for storage. Even simple embedded devices can store AES keys. Quite a few of them, actually.

“AES doesn’t concern me as a cipher, but since security of Linux OS depends on subpoena vulnerable certificates”

You realize that any vulnerability in a Linux system running AES might mess up a Linux system running OTP, right? You’ve cleverly considered how much effort it might take to leak the key. What you’re ignoring is that, if it’s a big enough problem, they’ll instead leak what it takes to identify and punish the individual. Even doing this to a few will scare vast majority away from your tool.

I’ll focus on the technical instead of legal or “extrajudicial,” though. The problem you mention mainly applies to using a mainstream, binary, unreviewed Linux. You’re application in the transmit phase is so simple you don’t need to use Linux: you can use a RTOS, a microkernel + drivers, an Oberon System with security checks added, an OSKit-style thing + app code in safe language, etc. Some RTOS’s allow you to include just what you need. Software such as SVA-OS, SecVisor, or CCured increases assurance of your existing OS/legacy code. There are also a number of projects that decompose the system into user-mode components and are usable for a limited project. Genode, Minix, OC.L4, OKL4, EROS, etc. come to mind. A few of the L4 systems actually include a way to use Linux device drivers, which is quite convenient for hardware support. So, the question you must ask is “is there a strategy out there for that device that largely eliminates this risk?” I’m pretty sure there is with some effort.

Both Bruce and I have often pushed that an OTP strategy will fail for more human and logistical reasons. Starting with it, including it as an option, etc is perfectly fine. It works, it’s provably secure, it’s easy to build, and some use cases might go through massive headaches for the assurance. I’m just saying have something compact and secure as an option to increase takeup. Takeup is more important than security here as the people might get hacked with AES + your design, but they will get hacked without strong designs like yours that they avoided due to the burden of managing OTP. Even the paranoid settled on things like PGP and remailers back in the day despite OTP being available, so what do you think your design’s long-term odds are? 😉

“so most practical way would be to replace OTP with list of pre-shared AES keys, changed on message basis or alternatively generate limited sets of pseudo random symmetric keys from a list of HWRNG generated seeds.”

Basically, they exchange keys one time. These are precious keys to be protected as much as possible. Standard, symmetric crypto techniques and TRNG’s/CRNG’s can produce the session (eg per message) keys either from these or authenticated with these. You can go overkill a bit like using extra algorithms, using extra rounds, including specific ciphers to use in the key exchange, and so on.

“I will have to study secure implementation of AES before I will go about adding it.”

It doesn’t just have to be AES. I mentioned it because it’s standardized with a ton of implementations from desktop to server to mobile. You can use whatever you want for the symmetric encryption. In one design, I first applied Salsa20 to ignore the shape of the data, then AES in counter mode hardware accelerated, and then IDEA because it caused NSA so much headaches for years. In another, I did a 3DES-like construction, but with AES. In another, I cascaded eSTREAM ciphers. I wasn’t worried about the specifics, though, as they rarely beat the ciphers if they’re well design, well implemented, and have rounds approaching 20. They usually beat ciphers if they’re utterly horrible or new attacks are invented (hence using three with differing structure).

So, I’d recommend you start by looking at D. J. Bernstein’s work. Bernstein was a thorn in the side of the NSA. His legal battles + Zimmerman’s legal battles helped us get good crypto. He’s great at both crypto and secure coding. His homepage is a gold mine. Also, look up his NaCl project where he’s implemented his algorithms and some standard ones with even covert timing channel prevention with clever coding tricks. Both accessible here. Definitely look at others’ work but his will teach you plenty while giving you high-quality code you can immediately use. And, of course, I’m just promoting his symmetric crypto work as we both seems to believe that public key crypto can’t be trusted against NSA. Symmetric, whether OTP or algorithms, has fewer long-term risks while being easier to implement with high performance on a wide variety of devices.

“3. TFC can’t prevent users from choosing bad passwords for full-disk-encryption, or mating hardware in insecure ways. My experience is users can learn high-entropy passwords if there is will, and entropy can further be added with 2FA devices such as Yubikey or USB rubber ducky.”

Don’t rely on it. Even security experts get lazy on passwords at times. Many people who care about security and use your system will get annoyed that they have to put a ridiculously long password into it. They’ll say “Couldn’t the designer have done something like other security engineers that let me do less work?” It’s an honest question that’s true enough: I gave you a method that would’ve given the user a better experience while allowing security to be at least as strong as your approach. A subset of your users will be people trying to maintain private communications, offering something of value worth protecting, and yet too annoyed to make a good enough password due to what they think is unnecessary work. You should consider adding insurance for such users as it’s minimal work and their own contributions might be worth it.

Note: There’s the added benefit that the device itself (or a good hack of it) is necessary to decrypt previous communications. This can help in situations involving coercion of the person. If it can’t be hacked easily, your device will result in people being harassed, imprisoned, tortured, or killed. Remember that when making design decisions for security against TLA’s if only so your designs will keep it to the minimum.

Figureitout August 20, 2014 12:44 AM

Clive Robinson
Yes, it’s actually quite hard stoping it in the first place…
–Yikes…so from simple [malicious/highly ignorant-based] design I’ve seen that re-arranging pins on a PCB is an easy way to at least damage the chip on first power up. This would cause weirdness in power (vice-versa of lower volts and higher amps). Very rare due to protections, but unfortunately plausible. Have seen transformers on ethernet connectors (used for power too) take care of a pin-shorting problem though, no more blown chips w/ screw driver or multi-meter probes at least…

Solved (well I actually don’t know precisely what was happening) a problem by simply un-declaring a pin that shouldn’t have been…That was it! Christ, such simple thing again can cause me so much pain…Overthought the problem and lo-and-behold someone smarter than me already took care of the problem deeper in the chip. Caused a set jump-point to either hold high or low. Then just need to know about signal being inverted in code.

RE: failing HDD controllers (RAID/SATA/etc I don’t care)
–Would piss me off if the failure was hardware-based, as it’s such an important peripheral interfacing potentially 600GB-1TB of data. I got burned yet again by cheap Chinese sh*t, kinda pissing me off. Straight out the box, the cover of a USB hub is broken and the solder job was done by someone who really doesn’t GAF. They will pay. And if it’s some of these scams of cheap power supplies it could actually KILL you, those evil people should fry.

Still can get around the failed controller via USB-HDD’s and I heard PCI-SATA solutions. Heard the connector could be bad (of course, could be anything…); or reflashed code that’s deliberately causing a fail.

RE: pinmuxing
–I believe that’s what you mean by bi-directional ports? I mean, the concept is cool, but it strikes me as a very insecure design method (yet handy and saves pins for sure). The “Build your own Z80” book I was planning on using, does pinmuxing; don’t think that’s the way to go. I’d prefer to think “1-way” data and power flow unless someone forces me to make that compromise.

RE: metastability && bit-by-bit destruction
–Sure will make for fun problems…Sometimes I don’t even know if I’m witnessing it on a ‘scope or it’s just an imperfect connection as I’m probing…probably both. :/

Iain Moffat
–Hmm interesting…would suck to find that out the hard way then think you’re a terrible programmer…It’s something that worries me about Z80 undocumented instructions. Just the fear of the unknowns..

For some of these newer chips, I’m less worried.

Scott "SFITCS" Ferguson August 20, 2014 6:11 AM


Just in case it’s of interest –
Passport officers are no better at identifying a fake passport photo than the average person, a new study reveals.


Australia has not relied on visual verification of passport authenticity for many years. One level of passport inspection is for an officer to visually compare the cryptographically verified authentic passport photo with your face.

From 24 October 2005, eligible applicants for new or renewed passports will be issued with the ePassport.

Australia’s ePassport uses just one physical trait – the face. The information needed to generate the facial biometric information comes from the photograph supplied with the passport application. The Department of Foreign Affairs and Trade digitises the photograph you supply with your application. The digitised photo is stored in the passports database and in a computer chip in your ePassport. Using biometric technology, the passport photo can be digitally compared with another facial image to check that the two images are of the same person. The passport photo is used for identity verification and fraud detection.

NOTE: that the introduction of the E-passport was part of the central passport production scheme. One of the motivations was to prevent the fraudulent issuing of real Australian passports by other countries. coughUS Mafia witness program relocated to the Gold Coastcough coughIrish Oranges to Perthcough coughMossad travel programcough etc

Kind regards

name.withheld.for.obvious.reasons August 20, 2014 1:31 PM

@ CallMeLateForSupper
It is only a matter of time and DoD will ban book, yeah both bound and paperbacks. Oddly enough I don’t think they’ll start burning witches–besides burning witches with more witches hardly makes one wise in the ways of science.

Benni August 20, 2014 7:58 PM

How the BND keeps the german parlamentarian control comission in the loop:

Herr Ströbele, wussten Sie, dass die Türkei ein Aufklärungsziel des Bundesnachrichtendienstes ist?

Mr Stöbele, did you know that turkey is a target of BND intelligence?

Ströbele: On the contrary. We were always told in the parlamentarian control comission: “We do not do such things. One does not spy on friends”….

BND moves from Pullach in Bavaria to a new home in Berlin. What that means?

Well that means that BND is keeping its old home and moves into the new home at the same time. The plans are to employ large numbers of staff in its old home, and computers, to store information on worldwide and german communication, to hack into computers and to crack encryption at the old BND place…..

name.withheld.for.obvious.reasons August 22, 2014 12:18 PM

Too impatient to wait for Bruce’s squid(s)?

There are some inconsistencies in policy and law permitting the TLA’s to violate, wholesale, the citizenry including the 1st, 4th, 5th, 6th, and 10th amendment to the Constitution within the Bill of Rights.

1.) Authorities granted granted the President under law; the National Security Act of 1947, the Patriot Act (Amended 2008), FISA Amendments Act (2008), Protect America Act (2007), and EO 12333 are cited by legal experts, DoJ, and the FISC with varying levels of application. For example, specific programs operate under the authority of EO 12333 and/or the FAA.

2.) The use of EO to assert statutory authority over civilian activity and possibly has no precedent in U.S. history.

3.) The continued use of the AUMF to promulgated the use of the military in ALL operations domestically represents the illegitimate application of law in granting authorities and privileges to the executive. This is well documented in the federalist papers by both Hamilton and Madison. And, Constitution authority includes enumerated scope of power extended under the color of the Law of War.

4.) Citizen’s are subject to authorities derived from EO 12333 and PPD 20. PPD 20 stands out in contrast to other authorities granted outside of congressional mandate.

An example of the discontinuous or non-linear mapping of law and authority is as follows: the use of deadly force to suppress terrorism domestically is covered in the AUMF, as determined by the Executive. The law does not specify the subjugation of the 5th amendment (due process) anywhere in law. Primacy in law begins with the Constitution, the AUMF is subordinate to it, not superior.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.